| virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) VGPU support
|
| services.postfixadmin.database.username | Username for the postgresql connection
|
| services.matrix-continuwuity.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| networking.wireless.userControlled | Allow users of the wpa_supplicant group to control wpa_supplicant
through wpa_gui or wpa_cli
|
| virtualisation.libvirtd.enable | This option enables libvirtd, a daemon that manages
virtual machines
|
| services.firezone.server.provision.accounts.<name>.relayGroups | All relay groups to provision
|
| services.firezone.server.provision.accounts.<name>.relayGroups.<name>.name | The name of this relay group
|
| services.archisteamfarm.ipcPasswordFile | Path to a file containing the password
|
| services.multipath.devices.*.rr_min_io_rq | Number of I/O requests to route to a path before switching to the next in the
same path group
|
| services.netbird.clients | Attribute set of NetBird client daemons, by default each one will:
- be manageable using dedicated tooling:
netbird-<name> script,NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),
- run as a
netbird-<name>.service,
- listen for incoming remote connections on the port
51820 (openFirewall by default),
- manage the
netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (
hardened) be locally manageable by netbird-<name> system group,
With following caveats:
- multiple daemons will interfere with each other's DNS resolution of
netbird.cloud, but
should remain fully operational otherwise
|
| virtualisation.virtualbox.host.enable | Whether to enable VirtualBox.
In order to pass USB devices from the host to the guests, the user
needs to be in the vboxusers group.
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.groups | A list of groups for which targets are retrieved, only supported when targeting the container role
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups | All gateway groups (sites) to provision
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups.<name>.name | The name of this gateway group
|
| services.bitwarden-directory-connector-cli.sync.removeDisabled | Remove users from bitwarden groups if no longer in the ldap group.
|
| services.multipath.devices.*.path_grouping_policy | The default path grouping policy to apply to unspecified multipaths
|
| services.keepalived.vrrpInstances.<name>.unicastPeers | Do not send VRRP adverts over VRRP multicast group
|
| services.archisteamfarm.bots.<name>.passwordFile | Path to a file containing the password
|
| services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.bitwarden-directory-connector-cli.sync.memberAttribute | Attribute that lists members in a LDAP group.
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.librenms.distributedPoller.distributedBilling | Enable distributed billing on this poller
|
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.kanidm.unix.settings.kanidm.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| services.prometheus.scrapeConfigs.*.static_configs.*.targets | The targets specified by the target group.
|
| services.kanidm.unixSettings.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.matrix-tuwunel.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| services.transmission.downloadDirPermissions | If not null, is used as the permissions
set by system.activationScripts.transmission-daemon
on the directories services.transmission.settings.download-dir,
services.transmission.settings.incomplete-dir.
and services.transmission.settings.watch-dir
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.separator | The string by which Uyuni group names are joined into the groups label
Defaults to , in prometheus
when set to null.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_time | Time to schedule CHILD_SA rekeying
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_bytes | Number of bytes processed before initiating CHILD_SA rekeying
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_packets | Number of packets processed before initiating CHILD_SA rekeying
|