| services.hostapd.radios.<name>.wifi5.enable | Enables support for IEEE 802.11ac (WiFi 5, VHT)
|
| services.netbird.clients.<name>.ui.enable | Controls presence of netbird-ui wrapper for this NetBird client.
|
| services.netbird.tunnels.<name>.ui.enable | Controls presence of netbird-ui wrapper for this NetBird client.
|
| services.tarsnap.archives.<name>.maxbw | Abort archival if upstream bandwidth usage in bytes exceeds this threshold.
|
| services.vdirsyncer.jobs.<name>.user | User account to run vdirsyncer as, otherwise as a systemd dynamic user
|
| services.xserver.xkb.extraLayouts.<name>.symbolsFile | The path to the xkb symbols file
|
| services.fedimintd.<name>.api_ws.port | TCP Port to bind on for API connections relayed by the reverse proxy/tls terminator.
|
| systemd.services.<name>.requisite | Similar to requires
|
| services.fedimintd.<name>.nginx.config.locations.<name>.priority | Order of this location block in relation to the others in the vhost
|
| services.vdirsyncer.jobs.<name>.group | Group to run vdirsyncer as
|
| services.nginx.virtualHosts.<name>.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.wyoming.piper.servers.<name>.piper | The piper-tts package to use.
|
| services.fedimintd.<name>.nginx.config | Overrides to the nginx vhost section for api
|
| services.tahoe.nodes.<name>.sftpd.accounts.url | URL of the accounts server.
|
| services.sympa.domains.<name>.webLocation | URL path part of the web interface.
|
| services.neo4j.ssl.policies.<name>.clientAuth | The client authentication stance for this policy.
|
| services.buildkite-agents.<name>.shell | Command that buildkite-agent 3 will execute when it spawns a shell.
|
| security.pam.services.<name>.limits.*.domain | Username, groupname, or wildcard this limit applies to
|
| services.nylon.<name>.acceptInterface | Tell nylon which interface to listen for client requests on, default is "lo".
|
| services.wyoming.piper.servers.<name>.useCUDA | Whether to accelerate the underlying onnxruntime library with CUDA.
|
| services.k3s.autoDeployCharts.<name>.extraDeploy | List of extra Kubernetes manifests to deploy with this Helm chart.
|
| services.tahoe.nodes.<name>.client.shares.happy | The number of distinct storage nodes required to store a file.
|
| services.rspamd.workers.<name>.extraConfig | Additional entries to put verbatim into worker section of rspamd config file.
|
| services.dokuwiki.sites.<name>.poolConfig | Options for the DokuWiki PHP pool
|
| services.nntp-proxy.users.<name>.passwordHash | SHA-512 password hash (can be generated by mkpasswd -m sha-512 <password>)
|
| services.wordpress.sites.<name>.virtualHost.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| boot.zfs.pools.<name>.devNodes | Name of directory from which to import ZFS device; this is passed to zpool import as the value of the -d option
|
| services.i2pd.ifname4 | IPv4 interface to bind to.
|
| services.i2pd.ifname6 | IPv6 interface to bind to.
|
| services.ddclient.username | User name.
|
| services.davis.nginx.locations.<name>.root | Root directory for requests.
|
| services.pgbackrest.repos.<name>.host | Repository host when operating remotely
|
| services.movim.nginx.locations.<name>.root | Root directory for requests.
|
| services.slskd.nginx.locations.<name>.root | Root directory for requests.
|
| services.akkoma.initDb.username | Name of the database user to initialise the database with
|
| services.firezone.server.provision.accounts.<name>.actors.<name>.email | The email address used to authenticate as this account
|
| services.dokuwiki.sites.<name>.phpOptions | Options for PHP's php.ini file for this dokuwiki site.
|
| services.inadyn.settings.custom.<name>.ssl | Whether to use HTTPS for this DDNS provider.
|
| services.httpd.virtualHosts.<name>.enableUserDir | Whether to enable serving ~/public_html as /~«username».
|
| services.rspamd.workers.<name>.bindSockets | List of sockets to listen on, in a format accepted by rspamd
|
| services.tinc.networks.<name>.bindToAddress | The ip address to bind to (both listen on and send packets from).
|
| services.redis.servers.<name>.slowLogLogSlowerThan | Log queries whose execution takes longer than X in milliseconds.
|
| services.netbird.clients | Attribute set of NetBird client daemons, by default each one will:
- be manageable using dedicated tooling:
  - netbird-<name> script,
  - NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),
- run as a netbird-<name>.service,
- listen for incoming remote connections on the port 51820 (openFirewall by default),
- manage the netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (hardened) be locally manageable by netbird-<name> system group,
With following caveats:
- multiple daemons will interfere with each other's DNS resolution of netbird.cloud, but should remain fully operational otherwise
|
| services.k3s.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.dokuwiki.sites.<name>.usersFile | Location of the dokuwiki users file
|
| services.phpfpm.pools.<name>.settings | PHP-FPM pool directives
|
| services.errbot.instances.<name>.logLevel | Errbot log level
|
| services.sanoid.datasets.<name>.monthly | Number of monthly snapshots.
|
| services.nebula.networks.<name>.package | The nebula package to use.
|
| services.httpd.virtualHosts.<name>.listen | Listen addresses and ports for this virtual host.
This option overrides addSSL, forceSSL and onlySSL
|
| services.neo4j.ssl.policies.<name>.trustAll | Makes this policy trust all remote parties
|
| services.fedimintd.<name>.nginx.config.http3 | Whether to enable the HTTP/3 protocol
|
| services.firezone.server.provision.accounts.<name>.auth.<name>.adapter | The auth adapter type
|
| services.nginx.virtualHosts.<name>.extraConfig | These lines go to the end of the vhost verbatim.
|
| security.pam.services.<name>.requireWheel | Whether to permit root access only to members of group wheel.
|
| services.rke2.autoDeployCharts.<name>.extraDeploy | List of extra Kubernetes manifests to deploy with this Helm chart.
|
| services.restic.backups.<name>.command | Command to pass to --stdin-from-command
|
| services.h2o.hosts.<name>.tls.redirectCode | HTTP status used by globalRedirect & forceSSL
|
| services.wordpress.sites.<name>.fontsDir | This directory is used to download fonts from a remote location, e.g. to host google fonts locally.
|
| services.spiped.config.<name>.source | Address on which spiped should listen for incoming connections
|
| services.nginx.virtualHosts.<name>.acmeFallbackHost | Host to proxy requests to if the ACME challenge is not found
|
| services.netbird.clients.<name>.config | Additional configuration that exists before the first start and later overrides the existing values in config.json
|
| services.netbird.tunnels.<name>.config | Additional configuration that exists before the first start and later overrides the existing values in config.json
|
| services.rspamd.workers.<name>.includes | List of files to include in configuration
|
| services.tarsnap.archives.<name>.nodump | Exclude files with the nodump flag.
|
| services.syncoid.commands.<name>.extraArgs | Extra syncoid arguments for this command.
|
| services.snipe-it.nginx.locations.<name>.root | Root directory for requests.
|
| services.nebula.networks.<name>.listen.host | IP address to listen on.
|
| services.mailpit.instances.<name>.smtp | SMTP bind interface and port.
|
| services.nebula.networks.<name>.listen.port | Port number to listen on.
|
| services.wstunnel.servers.<name>.enable | Whether to enable this wstunnel instance.
|
| services.znc.confOptions.networks.<name>.port | IRC server port.
|
| services.wstunnel.clients.<name>.enable | Whether to enable this wstunnel instance.
|
| services.hostapd.radios.<name>.driver | The driver hostapd will use.
nl80211 is used with all Linux mac80211 drivers.
none is used if building a standalone RADIUS server that does not control any wireless/wired driver
|
| services.redis.servers.<name>.masterAuth | If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization process, otherwise the master will refuse the slave request. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
|
| services.tahoe.nodes.<name>.sftpd.hostPrivateKeyFile | Path to the SSH host private key.
|
| systemd.user.services.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| services.cjdns.ETHInterface.connectTo.<name>.hostname | Optional hostname to add to /etc/hosts; prevents reverse lookup failures.
|
| services.cjdns.UDPInterface.connectTo.<name>.hostname | Optional hostname to add to /etc/hosts; prevents reverse lookup failures.
|
| programs.regreet.iconTheme.name | Name of the icon theme to use for regreet.
|
| security.pam.services.<name>.forwardXAuth | Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)
|
| services.borgbackup.jobs.<name>.user | The user borg is run as
|
| services.nginx.virtualHosts.<name>.listen.*.port | Port number to listen on
|
| services.sympa.domains.<name>.settings | The robot.conf configuration file as key value set
|
| systemd.services.<name>.stopIfChanged | If set, a changed unit is restarted by calling systemctl stop in the old configuration, then systemctl start in the new one
|
| services.icecast.hostname | DNS name or IP address that will be used for the stream directory lookups or possibly the playlist generation if a Host header is not provided.
|
| services.rke2.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.bitcoind.<name>.prune | Reduce storage requirements by enabling pruning (deleting) of old blocks
|
| services.buildkite-agents.<name>.enable | Whether to enable this buildkite agent
|
| services.vault-agent.instances.<name>.group | Group under which this instance runs.
|
| security.pam.services.<name>.ttyAudit.openOnly | Set the TTY audit flag when opening the session, but do not restore it when closing the session
|
| services.tahoe.nodes.<name>.sftpd.accounts.file | Path to the accounts file.
|
| services.restic.backups.<name>.extraBackupArgs | Extra arguments passed to restic backup.
|
| services.redis.servers.<name>.openFirewall | Whether to open ports in the firewall for the server.
|
| services.wstunnel.clients.<name>.soMark | Mark network packets with the SO_MARK sockoption with the specified value
|
| services.udp-over-tcp.tcp2udp.<name>.sendBufferSize | If given, sets the SO_SNDBUF option on the TCP socket to the given number of bytes
|
| services.redis.servers.<name>.requirePass | Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
|
| services.udp-over-tcp.udp2tcp.<name>.sendBufferSize | If given, sets the SO_SNDBUF option on the TCP socket to the given number of bytes
|
| services.udp-over-tcp.tcp2udp.<name>.recvBufferSize | If given, sets the SO_RCVBUF option on the TCP socket to the given number of bytes
|
| services.udp-over-tcp.udp2tcp.<name>.recvBufferSize | If given, sets the SO_RCVBUF option on the TCP socket to the given number of bytes
|