| services.jitsi-meet.interfaceConfig | Client-side web-app interface settings that override the defaults in interface_config.js
|
| programs.wireshark.enable | Whether to add Wireshark to the global environment and create a 'wireshark'
group
|
| security.acme.defaults.renewInterval | Systemd calendar expression specifying when to check for renewal
|
| services.input-remapper.enableUdevRules | Whether to enable udev rules added by input-remapper to handle hotplugged devices
|
| programs.dsearch.systemd.target | The systemd target that will automatically start the dsearch service
|
| boot.initrd.network.flushBeforeStage2 | Whether to clear the configuration of the interfaces that were set up in
the initrd right before stage 2 takes over
|
| services.openvscode-server.group | The group to run openvscode-server under
|
| services.schleuder.listDefaults | Default settings for lists (list-defaults.yml)
|
| services.tt-rss.sessionCookieLifetime | Default lifetime of a session (e.g. login) cookie
|
| systemd.user.services.<name>.enable | If set to false, this unit will be a symlink to
/dev/null
|
| users.extraUsers.<name>.ignoreShellProgramCheck | By default, nixos will check that programs
|
| services.strongswan-swanctl.swanctl.connections.<name>.proposals | A proposal is a set of algorithms
|
| services.postgresql.ensureUsers.*.ensureClauses.login | Grants the user, created by the ensureUser attr, login permissions
|
| services.strongswan-swanctl.swanctl.connections.<name>.pull | If the default of yes is used, Mode Config works in pull mode, where the
initiator actively requests a virtual IP
|
| services.earlyoom.killHook | An absolute path to an executable to be run for each process killed
|
| networking.interfaces.<name>.mtu | MTU size for packets leaving the interface
|
| services.drupal.sites.<name>.virtualHost.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.icecream.scheduler.netName | Network name for the icecream scheduler
|
| services.hostapd.radios.<name>.wifi4.enable | Enables support for IEEE 802.11n (WiFi 4, HT)
|
| services.bind.cacheNetworks | What networks are allowed to use us as a resolver
|
| services.libinput.mouse.clickMethod | Enables a click method
|
| services.suricata.settings.rule-files | Files to load suricata-update managed rules, relative to 'default-rule-path'.
|
| services.syncoid.interval | Run syncoid at this interval
|
| services.opensnitch.rules | Declarative configuration of firewall rules
|
| services.shorewall6.enable | Whether to enable Shorewall IPv6 Firewall.
Enabling this service WILL disable the existing NixOS
firewall! Default firewall rules provided by packages are not
considered at the moment.
|
| services.prosody.muc.*.roomDefaultMembersOnly | If set, the MUC rooms will only be accessible to the members by default.
|
| services.biboumi.settings.persistent_by_default | Whether all rooms will be persistent by default:
the value of the “persistent” option in the global configuration of each
user will be “true”, but the value of each individual room will still
default to false
|
| boot.initrd.luks.devices.<name>.fido2.passwordLess | Defines whether to use an empty string as a default salt
|
| services.jmusicbot.stateDir | The directory where config.txt and serversettings.json are saved
|
| services.jellyfin.openFirewall | Open the default ports in the firewall for the media server
|
| services.broadcast-box.settings | Attribute set of environment variables.
https://github.com/Glimesh/broadcast-box#environment-variables
The status API exposes stream keys so DISABLE_STATUS is enabled
by default.
|
| services.sabnzbd.allowConfigWrite | By default we create the sabnzbd configuration read-only,
which keeps the nixos configuration as the single source
of truth
|
| services.neo4j.bolt.sslPolicy | Neo4j SSL policy for BOLT traffic
|
| services.powerdns-admin.secretKeyFile | The secret used to create cookies
|
| services.k3s.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.grafana.settings.users.default_language | This setting configures the default UI language, which must be a supported IETF language tag, such as en-US.
|
| services.strongswan-swanctl.swanctl.connections.<name>.version | IKE major version to use for connection.
- 1 uses IKEv1 aka ISAKMP,
- 2 uses IKEv2.
- A connection using the default of 0 accepts both IKEv1 and IKEv2 as
responder, and initiates the connection actively with IKEv2
|
| services.eris-server.listenCoap | Server CoAP listen address
|
| security.acme.defaults.reloadServices | The list of systemd services to call systemctl try-reload-or-restart
on.
|
| services.howdy.enable | Whether to enable Howdy and its PAM module for face recognition
|
| programs.nh.flake | The string that will be used for the NH_FLAKE environment variable.
NH_FLAKE is used by nh as the default flake for performing actions, such as
nh os switch
|
| services.gitlab-runner.services.<name>.limit | Limit how many jobs can be handled concurrently by this service.
0 (default) simply means don't limit.
|
| programs.chromium.homepageLocation | Chromium default homepage
|
| services.searx.configureUwsgi | Whether to run searx in uWSGI as a "vassal", instead of using its
built-in HTTP server
|
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket are enabled
allowing all users in the "pipewire" group to use it simultaneously
|
| services.xserver.wacom.enable | Whether to enable the Wacom touchscreen/digitizer/tablet
|
| services.rke2.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.snapserver.streams.<name>.codec | Default audio compression method.
|
| hardware.sata.timeout.deciSeconds | Set SCT Error Recovery Control timeout in deciseconds for use in RAID configurations
|
| security.loginDefs.settings.ENCRYPT_METHOD | This defines the system default encryption algorithm for encrypting passwords.
|
| services.klipper.firmwares.<name>.serial | Path to serial port this printer is connected to
|
| services.clamav.scanner.interval | How often clamdscan is invoked
|
| services.blockbook-frontend.<name>.cssDir | Location of the dir with main.css CSS file
|
| services.memos.environmentFile | The environment file to use when starting Memos.
By default, generated from .
|
| services.protonmail-bridge.logLevel | Log level of the Proton Mail Bridge service
|
| services.postgresqlBackup.startAt | This option defines (see systemd.time for format) when the
databases should be dumped
|
| services.sympa.database.host | Database host address
|
| systemd.user.services.<name>.enableDefaultPath | Whether to append a minimal default PATH environment variable to the service, containing common system utilities.
|
| services.hylafax.faxqConfig | Attribute set of lines for the global
faxq config file etc/config
|
| services.xserver.upscaleDefaultCursor | Upscale the default X cursor to be more visible on high-density displays
|
| services.postfix.masterConfig.<name>.command | A program name specifying a Postfix service/daemon process
|
| environment.lxqt.excludePackages | Which LXQt packages to exclude from the default environment
|
| networking.wireguard.enable | Whether to enable WireGuard.
By default, this module is powered by a script-based backend
|
| environment.mate.excludePackages | Which MATE packages to exclude from the default environment
|
| environment.xfce.excludePackages | Which packages XFCE should exclude from the default environment
|
| security.polkit.adminIdentities | Specifies which users are considered “administrators”, for those
actions that require the user to authenticate as an
administrator (i.e. have an auth_admin
value)
|
| services.hostapd.radios.<name>.driver | The driver hostapd will use.
nl80211 is used with all Linux mac80211 drivers.
none is used if building a standalone RADIUS server that does
not control any wireless/wired driver
|
| documentation.man.man-db.enable | Whether to enable man-db as the default man page viewer.
|
| services.jitsi-videobridge.config | Videobridge configuration
|
| services.synergy.client.serverAddress | The server address is of the form: [hostname][:port]
|
| services.onlyoffice.jwtSecretFile | Path to a file that contains the secret to sign web requests using JSON Web Tokens
|
| systemd.automounts.*.enable | If set to false, this unit will be a symlink to
/dev/null
|
| services.zoneminder.storageDir | ZoneMinder can generate quite a lot of data, so in case you don't want
to use the default /var/lib/zoneminder, you can override the path here.
|
| virtualisation.xen.boot.builderVerbosity | The boot entry builder script should be called with exactly one of the following arguments in order to specify its verbosity:
- quiet suppresses all messages.
- default adds a simple "Installing Xen Project Hypervisor boot entries...done." message to the script.
- info is the same as default, but it also prints a diff with information on which generations were altered.
  - This option adds two extra dependencies to the script: diffutils and bat.
- debug prints information messages for every single step of the script
|
| services.neo4j.directories.certificates | Directory for storing certificates to be used by Neo4j for
TLS connections
|
| services.postfix.destination | Full (!) list of domains we deliver locally
|
| systemd.watchdog.rebootTime | The amount of time which can elapse after a reboot has been triggered
before a watchdog hardware device will automatically reboot the system
|
| networking.dhcpcd.runHook | Shell code that will be run after all other hooks
|
| nix.daemonIOSchedClass | Nix daemon process I/O scheduling class
|
| nix.settings.substituters | List of binary cache URLs used to obtain pre-built binaries
of Nix packages
|
| services.collabora-online.settings | Configuration for Collabora Online WebSocket Daemon, see
https://sdk.collaboraonline.com/docs/installation/Configuration.html, or
https://github.com/CollaboraOnline/online/blob/master/coolwsd.xml.in for the default
configuration.
|
| services.cloudflare-warp.udpPort | The UDP port to open in the firewall
|
| services.dolibarr.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| powerManagement.cpuFreqGovernor | Configure the governor used to regulate the frequency of the
available CPUs
|
| services.fediwall.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| security.pam.u2f.settings.origin | By default pam-u2f module sets the origin
to pam://$HOSTNAME
|
| services.librenms.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.jitsi-meet.nginx.enable | Whether to enable nginx virtual host that will serve the javascript application and act as
a proxy for the XMPP server
|
| services.kanboard.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.agorakit.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.moodle.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS
|
| services.subsonic.listenAddress | The host name or IP address on which to bind Subsonic
|
| services.nomad.settings | Configuration for Nomad
|
| services.pixelfed.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.thinkfan.levels | [LEVEL LOW HIGH]
LEVEL is the fan level to use: it can be an integer (0-7 with thinkpad_acpi),
"level auto" (to keep the default firmware behavior), "level full-speed" or
"level disengaged" (to run the fan as fast as possible)
|
| services.movim.minifyStaticFiles | Do minification on public static files which reduces the size of
assets — saving data for the server & users as well as offering a
performance improvement
|
| services.mainsail.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.unpoller.unifi.defaults.pass | Path of a file containing the password for the unifi service user
|
| services.silverbullet.group | The group to run Silverbullet under
|
| services.nagios.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS
|