Additional user accounts to be created automatically by the system

Message of the day shown to users when they log in.

The user's home directory.

The account UID

The user's primary group.

The name of the user account

A file containing the message of the day shown to users when they log in.

The user's home directory mode in numeric format

The path to the user's shell

If set to false, the user account will not be created

Attributes for user's entry in pam_mount.conf.xml

Additional groups to be created automatically by the system.

The user's auxiliary groups.

Path to encrypted luks device that contains the user's home directory.

Users that can access upsd

Alias of users.users.

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Settings for pam_mysql

The distinguished name of the search base.

The set of packages that should be made available to the user

Subordinate group ids that user is allowed to use

Subordinate user ids that user is allowed to use

Indicates if the user is a system user or not

Automatically allocate subordinate user and group ids for this user

Count of subordinate user ids

Count of subordinate group ids

Alias of users.groups.

Indicates whether this is an account for a “real” user

If true, the user's shell will be set to users.defaultUserShell.

The username to use when connecting to the database

The hostname of the MySQL/MariaDB server

Start of the range of subordinate user ids that user is allowed to use.

Start of the range of subordinate group ids that user is allowed to use.

The default home directory for normal users.

Set the date on which the user's account will no longer be accessible

Whether to enable or disable lingering for this user

Settings for libnss-mysql

Whether to include authentication against LDAP in login PAM.

The URL of the LDAP server.

If enabled, use TLS (encryption) over an LDAP (port 389) connection

Whether to enable authentication against an LDAP server.

Additional criteria for the query.

The group GID

Whether to enable authentication against a MySQL/MariaDB database.

The name of table that maps unique login names to the passwords.

The name of the database containing the users

The user's home directory.

The name of the group

Specifies the time limit (in seconds) to use when performing searches

The account UID

Whether to manage whether users linger or not.

By default, nixos will check that programs

The user's primary group.

Users to include in initrd.

A short description of the user account, typically the user's full name

The name of the user account

The group GID

Whether to include lookup against LDAP in NSS.

The name of the column that contains a unix login name.

Specifies the time limit (in seconds) to use when connecting to the directory server

The name of the group

To enable stylus and multi-touch support, the user you're going to use must be added to this list

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon

This option defines the default shell assigned to user accounts

If enabled, produces logs with detailed messages that describes what pam_mysql is doing

Add the necessary actions for a upsmon process to work

Indicates if the user is a system user or not

Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf(5))

If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands

The user's home directory mode in numeric format

The path to the user's shell

The user names of the group members, added to the /etc/group file.

SQL query for the getpwnam syscall.

SQL query for the getgrgid syscall.

SQL query for the getgrnam syscall.

SQL query for the getspnam syscall.

SQL query for the getspent syscall.

SQL query for the getgrent syscall.

SQL query for the getpwuid syscall.

SQL query for the getpwent syscall.

The set of packages that should be made available to the user

The path to the file containing the password for the user

The name of the table used for password alteration

If set to false, the user account will not be created

Whether to require that no two users/groups share the same uid/gid.

Attributes for user's entry in pam_mount.conf.xml

User accounts for GRUB

Users that intend to use BenchExec

NNTP-Proxy user configuration

The default encryption method to use for passwordCrypt = 1.

The user's auxiliary groups.

Allow the user to do certain things with upsd

The name of the table to which logs are written.

Path to encrypted luks device that contains the user's home directory.

Maximum number of concurrent clients allowed.

Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Indicates whether this is an account for a “real” user

Subordinate user ids that user is allowed to use

Subordinate group ids that user is allowed to use

The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).

The user names of the group members, added to the /etc/group file.

Load users and passwords from this file

SQL query for the memsbygid syscall.

SQL query for the gidsbymem syscall.

Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf(5)).

A list of verbatim OpenSSH public keys that should be added to the user's authorized keys

Automatically allocate subordinate user and group ids for this user

Enables logging of authentication attempts in the MySQL database.

Count of subordinate group ids

Count of subordinate user ids

A list of files each containing one OpenSSH public key that should be added to the user's authorized keys

ID of the user in initrd.

If true, the user's shell will be set to users.defaultUserShell.

The usernames / UIDs this rule should apply for.

The usernames / UIDs this rule should apply for.

Specifies the (clear text) password for the user

Specifies the clear text password for the account

List of UIDs of all users for which this application is allowed location info access, Defaults to an empty string to allow it for all users.

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs

The name of the column in the log table to which the description of the performed operation is stored.

Specifies the policy to use for reconnecting to an unavailable LDAP server

The usernames / UIDs this rule should apply for.

Whether to enable or disable lingering for this user

A list of verbatim principal names that should be added to the user's authorized principals.

The name of the column that contains a (encrypted) password string.

List of user-password pairs to provide to the sync server.

Start of the range of subordinate group ids that user is allowed to use.

Start of the range of subordinate user ids that user is allowed to use.

The name of the column in the log table to which the pid of the process utilising the pam_mysql authentication service is stored.

The name of the column in the log table to which the timestamp of the log entry is stored.

The name of the column in the log table to which the name of the user being authenticated is stored.

The name of the column in the log table to which the name of the user being authenticated is stored.

The path to the user's shell in initrd.

Group the user belongs to in initrd.

Set the date on which the user's account will no longer be accessible

List of users granted permission to use CrossMacro.

The full path to a file that contains the user's (clear text) password

Let the user initiate specific instant commands

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically.

Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM

List of users, use empty list for any.

The name of the column in the log table to which the name of the remote host that initiates the session is stored

Users to be added to the idevice group.

Specifies the password hash for the account, generated with grub-mkpasswd-pbkdf2

RPC user information for JSON-RPC connections.

Set the path to file where the user's credentials are stored

The full path to a file that contains the hash of the user's password

Specifies the hashed password for the user

Usernames to be added to the "openrazer" group, so that they can start and interact with the OpenRazer userspace daemon.

Location of the dokuwiki users file

The name of the column or an SQL expression that indicates the status of the user

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist

Username

Password accepted by anki-sync-server for the associated username. WARNING: This option is not secure

Username for JSON-RPC connections.

If enabled, users are created with systemd-sysusers instead of with the custom update-users-groups.pl script

Users to provision.

Specifies the path to a file containing the clear text password for the account

A set of users and their passwords and ACLs.

Allowed users and their secrets

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically

The distinguished name to use to bind to the LDAP server when the root user tries to modify a user's password.

User name accepted by anki-sync-server.

By default, nixos will check that programs

A short description of the user account, typically the user's full name

SHA-512 password hash (can be generated by mkpasswd -m sha-512 <password>)

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist

The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user's password.

This is a comma-separated list of usernames

File containing the password accepted by anki-sync-server for the associated username

Specifies the path to a file containing the password hash for the account, generated with grub-mkpasswd-pbkdf2

Optional

Path to a custom home page

Whether to periodically update the list of LoTW users

The method to encrypt the user's password:

• 0 (or "plain"): No encryption

The distinguished name to bind to the LDAP server with

List of users who are denied to login via Samba.

Maximum number of concurrent connections to the proxy for this user

Control client access to topics on the broker.

Set to false to prohibit users from being able to sign up / create user accounts

Sync users.

By default, pam_mysql keeps the connection to the MySQL database until the session is closed

Password HMAC-SHA-256 for JSON-RPC connections

Your users.yaml as a Nix attribute set

A list of verbatim OpenSSH public keys that should be added to the user's authorized keys

A list of files each containing one OpenSSH public key that should be added to the user's authorized keys

Per-user Pareto Security configuration.

Whether to ensure that this user is present or absent.

Text used as placeholder text on login page for login/username input.

A list of verbatim principal names that should be added to the user's authorized principals.

Specifies the (clear text) password for the user

Specifies the (clear text) password for the MQTT User.

Set to true to automatically add new users to the main organization (id 1)

Password for the user

If enabled, virtual users will use the same privileges as local users

Specification (in the format described by systemd.time(7)) of the time at which the LoTW user update will occur.

Ensures that the specified users exist and have at least the ensured permissions

Specifies the path to a file containing the clear text password for the MQTT user

A unique ID that links the agent to Pareto Cloud

Specifies the hashed password for the MQTT User

The full path to a file that contains the hash of the user's password

Specifies the hashed password for the user

A list of user names that belong to the organization.

Text used as placeholder text on login page for password input.

Sets the default UI theme. system matches the user's system theme.

Set to false to prohibit users from creating new organizations.

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist

Whether to enable new users to login if auth is enabled.

Specifies the path to a file containing the hashed password for the MQTT user

Name of the group members of which will be allowed to create usershares

This tells pgmanage whether or not to only allow super users to login

Whether to enable user-configurable Samba shares.

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist

Set this value to automatically add new users to the provided org

This setting configures the default UI language, which must be a supported IETF language tag, such as en-US.

Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to

Users allowed to use incrontab

The role new users will be assigned for the main organization (if the auto_assign_org setting is set to true).

Whether to add nix-ssh to the nix.settings.trusted-users

Ensures that the specified users exist

Number of nixbld user accounts created to perform secure concurrent builds

List of plugins to load automatically for all users

Choose users database file to use for authentication

Require email validation before sign up completes.

Users allowed to authenticate even if not in allowedDomains.

Users forbidden from using fcron.

Maximum number of concurrent clients allowed.

Grant access to i2c devices (/dev/i2c-*) to users in this group.

Whether to add Wireshark to the global environment and create a 'wireshark' group

Whether the config should be checked at build time

Users forbidden from using incrontab.

Allow users to block communications with other users

Group that users must be in to use cdemu.

Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value)

Whether to allow users in the 'wireshark' group to capture USB traffic

Whether to allow users in the 'wireshark' group to capture network traffic

Your role in Tor network

Set the maximum number of FUSE mounts allowed to non-root users.

The Google Admin to impersonate for API calls

Defines the mapping from system users to database users

Users allowed to use fcrontab and fcrondyn (one name per line, all for everyone).

Number of Guix build users to be used in the build pool.

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Whether to enable the doas command, which allows non-root users to execute commands as root.

Only applies if enableVirtualUsers is true

List of shells which binaries should be installed to /bin/

Group which users must be in to use ydotool.

Chat with users in the same room.

The resolved shell path that users can inherit to set rush as their login shell

Whether to enable FTP for local users.

A list of users allowed to access the ifp dbus interface.

Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root .

Enable support for SANE scanners.

Check readiness of users.

SMTP port used when sending emails to users.

SMTP host used when sending emails to users.

Whether to enable brillo in userspace

Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).

Whether to enable i2c devices support

Enables P11 PAM (pam_p11) module

User to use when no root privileges are required

Whether any write activity is permitted to users.

Defines how users authenticate themselves to the server

Enables udev rules for BladeRF devices

Default user to store mail for virtual users.

Whether to enable please, a Sudo clone which allows a users to execute a command or edit a file as another user .

Whether to enable Ombi, a web application that automatically gives your shared Plex or Emby users the ability to request content by themselves!

Optionally see https://docs.ombi.app/info/reverse-proxy on how to set up a reverse proxy .

Whether to enable pmount, a tool that allows normal users to mount removable devices without requiring root privileges .

Allow authentication modules to auto-create users in tt-rss internal database when authenticated successfully.

The list of the email addresses of the listmasters (users authorized to perform global server commands).

The username to log in as on the remote host

Default group to store mail for virtual users.

SMTP host used when sending emails to users.

SMTP port used when sending emails to users.

SMTP host used when sending emails to users.

SMTP port used when sending emails to users.

Whether to enable presence tracking

Whether to enable the dp9ik pam module provided by tlsclient

Name of the group used to run the jupyter service

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Whether to enable the Howdy PAM module

The group of the running mount.davfs daemon

Path to text to display when users join

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Path to a json file containing users and folders to load (or update) on startup

Whether to enable minipro and its udev rules

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists

The location for users to install Drupal themes.

Remap all users to "nobody"

Store messages in an archive and allow users to access it

Send a message to users when they log in

Automatically login user on remote or other kind of externally supplied authentication, otherwise redirect to login form as normal

Operate in single user mode, disables all functionality related to multiple users and authentication

Allow users of the wpa_supplicant group to control wpa_supplicant through wpa_gui or wpa_cli

Whether to enable incusd, a daemon that manages containers and virtual machines

Enables users to publish their mood, activity, playing music and more

All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo.

Text to display when users join

Allow users to set vCards

Kea DHCP6 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp6-srv.html

Kea DHCP4 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp4-srv.html

This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access)

The base DN for your Hologram users

How users are authenticated storage -- save passwords internally pam -- Linux PAM authentication

Whether to prevent sign-up of new users via the web UI

Installs flashrom and configures udev rules for programmers used by flashrom

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli

The location for users to install Drupal modules.

The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings and the userdb file)

Whether users can log in with passwords defined in /etc/shadow.

Whether or not to enable the headless Aria2 daemon service

Whether users are included.

Which user or group the specified command is allowed to run as

Use chfn SUID to allow non-root users to change their account GECOS information.

Allow users to have a roster

When this option is not 0, users ability to control feed purging intervals is disabled and all articles (which are not starred) older than this amount of days are purged.

Whether to enable zeitgeist, a service which logs the users' activities and events.

Kea DHCP-DDNS configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/ddns.html

Range of user IDs used for the creation of regular users by useradd or newusers.

Range of user IDs used for the creation of regular users by useradd or newusers.

Whether to install and set up mouse-actions and it's udev rules

Only applies if sslEnable is true

Enables Kerberos PAM modules (pam-krb5, pam-ccreds)

Enable acpilight

If set, the pam_mysql module will be used to authenticate users against a MySQL/MariaDB database.

Kea Control Agent configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/agent.html

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli

Enables Yubico PAM (yubico-pam) module

Range of user IDs used for the creation of system users by useradd or newusers.

Range of user IDs used for the creation of system users by useradd or newusers.

Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.

"From" address used when sending emails to users.

Whether users of the wheel group must provide a password to run commands as super user via run0.

Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.

"From" address used when sending Emails to users.

Only applies if sslEnable is true

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Path to the working directory (used for config and pidfile)

Whether users of the wheel group must provide a password to run commands as super user via doas.

Welcome users who register accounts

Whether users of the wheel group must provide a password to run commands as super user via sudo.

A list of users which will not be shown in the display manager.

This controls the hostname for the 9front authentication server that users will be authenticated against.

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

Seed settings for users and groups

This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage

If enabled, starts a Terraria server

Do we ignore the lid state

Some laptops are broken

The following authentication modes are available: Open -- Accept connections from anyone, use NickServ for user authentication

Enable or disable TTY auditing for specified users

Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API)

Whether to add Soundmodem to the global environment and configure a wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.

Number of daemons to serve user requests

Install the SPICE USB redirection helper with setuid privileges

Define resource limits that should apply to users or groups

Send announcement to all online users

When true, any user will be able to register

Font packages to use in Steam

Whether to enable provisioning of groups, users and oauth2 resource servers.

Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users

Whether to enable udev rules for devices supported by libjaylink

Whether to enable tailscale.nginx-auth, to authenticate nginx users via tailscale.

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key

Whether users of the wheel group must provide a password to run commands or edit files with please and pleaseedit respectively.

Whether to enable non-root access to the firmware of UHK keyboards

Whether any uploads are permitted to anonymous users.

The bare JID of the gateway administrator

Users and proxy configuration

Refer to the Tuliprox documentation for available attributes

If specified, login is allowed only for the listed users

Allow users to register on this server using a client and change passwords

If set, users with an SSH certificate containing an authorized principal in their SSH agent are able to log in

Allow all users to access the FUSE mount points

Gives the verbosity level that is used when logging messages from sshd(8)

If specified, login is denied for all listed users

Newline separated list of names to be allowed/denied if userlistEnable is true

List of public signing keys of users that can access the admin panel

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication

The duration in time a user invitation remains valid before expiring

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs

Enable font antialiasing

Initial preferences are used to configure the browser for the first run

Whether to enable the Howdy PAM module

List of administrator users

List of users allowed to operate with the config. "root" is always implicitly included

Whether any uploads are permitted to anonymous users.

Whether local users are confined to their home directory.

Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager

Path to the configuration file containing authorized users credentials to run iperf tests.

Only monitors owned symbolic link target of GC roots.

• "auto": behaves like true for normal users, false for root.
• "true": only monitor GC roots owned by the current user.
• "false": monitor all GC roots.

Whether to enable exposing OpenSSH public keys defined in userdb

If true, a system-wide PipeWire service and socket is enabled allowing all users in the "pipewire" group to use it simultaneously

If specified, login is allowed only for users part of the listed groups

Make your The Lounge instance public

List of reporter objects used to present build status to various users.

If specified, login is denied for all users part of the listed groups

Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules instead of all users in the vboxusers group.

Whether to enable System bus notification support

WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications .

Do minification on public static files which reduces the size of assets — saving data for the server & users as well as offering a performance improvement

A file containing the secret used to encrypt session keys

All listed users will become part of the firezone-client group so they can control the tunnel service

A list of paths that should be included in the system closure but generally not visible to users

A file containing the secret used to encrypt secrets for OTP tokens

This is the URL that users will enter to load your instance

Enable font hinting

Maximum amount of users which will be allowed to register on this system. 0 - no limit.

This is optional and is by default off, because most users will not need it

A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms.

Don't allow users to connect in non-secure mode (without random padding).

The hosts.hfaxd file entry in the spooling area will be symlinked to the location given here

Outgoing email for notifications generated by users.

Enables U2F PAM (pam-u2f) module

Frontend configuration

Path to a file containing extra ntfy environment variables in the systemd EnvironmentFile format

Whether to generate the password files at build time and store them directly in the system closure, without requiring any services at boot time

Name of the remote read config, which if specified must be unique among remote read configs

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication

Outgoing email for notifications generated by users.

Whether to enable nonpaying users to submit builds.

The set of packages that appear in /run/current-system/sw

SFTP private key file

Name of the remote write config, which if specified must be unique among remote write configs

Configures the user domain, if enabled

The lmtp daemon will make the unix socket group-read/write for users in this group.

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

The permission for settings.dir

When disabled, unprivileged users will not be able to create new namespaces

This is optional and is by default off, because most users will not need it

When not set to null this option defines the path at which the unbound remote control socket should be created at

Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers and UDP 21027 for discovery

JSON file containing secret keys

Deactivates analytics

FreeType LCD filter

If enabled, spacecookie will hide personal information of users like IP addresses from log output.

If false, a PulseAudio server is launched automatically for each user that tries to use the sound system

Defines whether users see the Register option in the menu of Time Tracker that allows them to self-register and create new organizations (top groups).

List of binary cache URLs that non-root users can use (in addition to those specified using nix.settings.substituters) by passing --option binary-caches to Nix commands.

If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnets domain here.

Whether all users can write to the consumption dir.

List of accepted local users

Allow users to register themselves

The lmtp daemon will make the unix socket group-read/write for users in this group.

Whether to use binary caches for downloading store paths

Authentication type

Converts users profiles and Avatars between old and new formats

Whether new users can register on this server

Whether to enable the dummy "startx" pseudo-display manager, which allows users to start X manually via the startx command from a virtual terminal.

Specify SSH host keys to import into the initrd

The manual pages to generate caches for if documentation.man.generateCaches is enabled

Whether to enable the headless Transmission BitTorrent daemon

File containing a secret used to salt the users' password hashes and generate filenames for static content.

Defines one or more team names that auto-provisioned OIDC users shall be added to

Whenever to send wall notifications to all users.

Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online

This option enables docker, a daemon that manages linux containers

Set of default packages that aren't strictly necessary for a running system, entries can be removed for a more minimal NixOS installation

The base URL of the API server

This option enables lxd, a daemon that manages containers

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

Whether to enable KVMGT (iGVT-g) VGPU support

Diffie-Hellman parameters to generate

Maximum number of client connections allowed

Whether to enable registration for new users.

Whether to allow registration of new admin users.

Sets transmission's file mode creation mask

LDAP filter for users.

Set of core packages for a normal interactive system

Identity the EAP/XAuth secret belongs to

Identity the NTLM secret belongs to

This option enables libvirtd, a daemon that manages virtual machines

All actors (users) to provision

An attribute set where the keys name the organisation and the values are a set of lists of users and groups.

Exposes EDID files from users-sourced database at https://github.com/linuxhw/EDID

Attribute names will be mapped to EDID filenames <NAME>.bin

If set, all recipients to users at either "localhost" (the literal string) or the canonical host name (from the me control attribute) are remapped to this address

Whether new users can register on this server

Enable if you are syncing more than 2000 users/groups.

The XEP-0423 defines a set of recommended XEPs to implement for a server

Whether to enable the "sx" pseudo-display manager, which allows users to start manually via the "sx" command from a vt shell

Identity the EAP/XAuth secret belongs to

Class that users must have.

Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization

Whenever to use precomputated tables for ElGamal. i2pd defaults to false to save 64M of memory (and looses some performance)

Font packages to use in OpenGamepadUI

Environment file to be passed to the systemd service

Environment file to be passed to the systemd service

Whether users must authenticate when using the web UI or command-line tool

If set, shows a contact email address when rendering error pages

If set, shows a contact email address when rendering error pages

Paths to the Nix profile

Enables single account mode

Displays a CAPTCHA challenge for users that register externally.

Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured

Makes user-profiles globally available under nextcloud.tld/u/user.name

Make the Podman socket available in place of the Docker socket, so Docker tools can find the Podman socket

Defines one or more team names that auto-provisioned OIDC users shall be added to

Remove users from bitwarden groups if no longer in the ldap group.

If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide Google Authenticator token to log in.

Point DOCKER_HOST to rootless Docker instance for normal users by default.

The channel in which users will appear in when connecting.

Attribute for a users email.

This option defines the first version of NixOS you have installed on this particular machine, and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions

Send notifications about killed processes via the system d-bus

Outbound email configuration is mandatory for Firezone and supports many different delivery adapters

The attribute that contains the users username.

If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA

If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly

Source of truth of users

Where to redirect new users upon registration.

Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.

Additional environment file or files as defined in systemd.exec(5)

Whether to enable support for unprivileged users to launch containers.

The configuration of vaultwarden is done through environment variables, therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER)

Whenever to send systembus-notify notifications

A boolean that controls whether site visitors can create new accounts

The name-string specifies an external program to be called that will automatically change volumes as required by Bacula

If not null, is used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir. and services.transmission.settings.watch-dir

The directory where the skeleton files are located

Allow users to edit datasources from the UI.

Whether new users can register on this server.

Enable registration for new users.

Default 2FA method for new users and fallback for preferred but disabled methods.

The read permissions to include for this token

The read permissions to include for this token

Whether the users will be able to use the ad-hoc commands that lets them configure their realname and username.

Do not allow more than this many server connections per user (regardless of database)

Whether to configure zsh as an interactive shell

The group to run Memos as.

The user to run Memos as.

Whether to configure system to use gphoto2

Whenever to configure Bash as an interactive shell

Whether to let openssh print the result when entering a new ssh-session

Whether to run reaction as root

Configuration files to load besides the immutable one defined by the NixOS module

Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on

Specify the rules for which files to read on the host

Whether to enable PdfDing service

Enables the use of the ~/.ssh/authorized_keys file

Whether to enable GVfs, a userspace virtual filesystem.

Whether to enable the userspace daemon for Intel Precise Touch & Stylus.

Whether to enable ulogd, a userspace logging daemon for netfilter/iptables related logging.

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Whether to enable Trusted Platform 2 userspace resource manager daemon .

Whether to enable SCX service, a daemon to run schedulers from userspace.

Whether to enable ucarp, userspace implementation of CARP.

Whether to enable OpenRazer drivers and userspace daemon .

Whether to enable kmscon as the virtual console instead of gettys. kmscon is a kms/dri-based userspace virtual terminal implementation

Whether to enable OP-TEE userspace supplicant.

Whether to enable Bolt, a userspace daemon to enable security levels for Thunderbolt 3 on GNU/Linux

Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper.

The interface name for tunnel traffic

Whether to enable ryzen_monitor_ng, a userspace application for setting and getting Ryzen SMU (System Management Unit) parameters via the ryzen_smu kernel driver

Whether to enable Declare the support for derivations that require an Nvidia GPU to be available, e.g. derivations with requiredSystemFeatures = [ "cuda" ]

Networking-related command-line options that should be passed to qemu

Data Plane Development Kit is a framework for fast packet processing in data plane applications running on a wide variety of CPU architectures

Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer