| Option | Description |
|---|---|
| services.bitcoind.<name>.rpc.users.<name>.name | Username for JSON-RPC connections. |
| services.crossmacro.users | List of users granted permission to use CrossMacro. |
| services.mosquitto.listeners.*.users.<name>.password | Specifies the (clear text) password for the MQTT user. |
| programs.benchexec.users | Users that intend to use BenchExec. |
| services.dependency-track.database.username | Username to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned. |
| services.coder.database.username | Username for accessing the database. |
| services.mailman.ldap.attrMap.username | LDAP attribute that corresponds to the username attribute in Mailman. |
| services.userdbd.enableSSHSupport | Whether to enable exposing OpenSSH public keys defined in userdb. |
| services.offlineimap.install | Whether to install a user service for Offlineimap. |
| security.doas.extraRules.*.runAs | Which user or group the specified command is allowed to run as. |
| services.postgresql.ensureUsers.*.ensureClauses.login | Grants the user, created by the ensureUser attr, login permissions. |
| services._3proxy.services.*.acl.*.users | List of users; use an empty list for any. |
| services.postfixadmin.database.username | Username for the PostgreSQL connection. |
| services.multipath.devices.*.user_friendly_names | If set to "yes", the bindings file /etc/multipath/bindings is used to assign a persistent and unique alias to the multipath, in the form of mpath |
| services.jibri.xmppEnvironments.<name>.call.login.username | User part of the JID for the recorder. |
| services.pdfding.consume.enable | Bulk PDF import from the consume directory. |
| services.bitwarden-directory-connector-cli.sync.userEmailAttribute | Attribute for a user's email. |
| services.archisteamfarm.bots.<name>.username | Name of the user to log in. |
| services.geoclue2.appConfig.<name>.users | List of UIDs of all users for which this application is allowed location info access. Defaults to an empty string to allow it for all users. |
| boot.loader.grub.users.<name>.hashedPassword | Specifies the password hash for the account, generated with grub-mkpasswd-pbkdf2. |
| programs.idescriptor.users | Users to be added to the idevice group. |
| services.pgadmin.emailServer.username | SMTP server username for email delivery. |
| services.longview.mysqlUser | The user for connecting to the MySQL database. |
| services.bitwarden-directory-connector-cli.ldap.username | The user to authenticate as. |
| services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. |
| services.nntp-proxy.users.<name>.passwordHash | SHA-512 password hash (can be generated by mkpasswd -m sha-512 <password>). |
| services.dokuwiki.sites.<name>.usersFile | Location of the DokuWiki users file. |
| services.cassandra.jmxRoles.*.username | Username for JMX. |
| services.mosquitto.listeners.*.users.<name>.passwordFile | Specifies the path to a file containing the clear text password for the MQTT user. |
| services.clickhouse.usersConfig | Your users.yaml as a Nix attribute set. |
| nix.nrBuildUsers | Number of nixbld user accounts created to perform secure concurrent builds. |
| services.jibri.xmppEnvironments.<name>.control.login.username | User part of the JID. |
| services.printing.cups-pdf.instances.<name>.settings.Anonuser | User for anonymous PDF creation. |
| services.firezone.server.smtp.username | Username to authenticate against the SMTP relay. |
| services.znc.mutable | Indicates whether to allow the contents of the dataDir directory to be changed by the user at run-time. |
| services.hqplayerd.auth.username | Username used for HQPlayer's WebUI. |
| services.mosquitto.listeners.*.users.<name>.hashedPassword | Specifies the hashed password for the MQTT user. |
| services.tailscale.permitCertUid | Username or user ID of the user allowed to fetch Tailscale TLS certificates for the node. |
| services.taskserver.organisations.<name>.users | A list of user names that belong to the organization. |
| services.anki-sync-server.users.*.passwordFile | File containing the password accepted by anki-sync-server for the associated username. |
| services.postgresql.ensureUsers.*.ensureClauses | An attrset of clauses to grant to the user. |
| users.mysql.pam.passwordCrypt | The method to encrypt the user's password: 0 (or "plain"): no encryption |
| services.prometheus.exporters.dovecot.socketPath | Path under which the stats socket is placed. |
| services.anki-sync-server.users.*.password | Password accepted by anki-sync-server for the associated username. WARNING: This option is not secure. |
| services.outline.oidcAuthentication.usernameClaim | Specify which claims to derive user information from. |
| services.nscd.group | User group under which nscd runs. |
| programs.firefox.autoConfig | AutoConfig files can be used to set and lock preferences that are not covered by the policies.json for Mac and Linux. |
| services.physlock.allowAnyUser | Whether to allow any user to lock the screen. |
| services.portunus.ldap.searchUserName | The login name of the search user. |
| services.freeciv.settings.Newusers | Whether to allow new users to log in if auth is enabled. |
| services.influxdb2.provision.users | Users to provision. |
| services.cloudlog.update-lotw-users.enable | Whether to periodically update the list of LoTW users. |
| services.guix.group | The group of the Guix build user pool. |
| users.ldap.bind.distinguishedName | The distinguished name to bind to the LDAP server with. |
| security.pam.services.<name>.forwardXAuth | Whether X authentication keys should be passed from the calling user to the target user (e.g. for su). |
| services.mosquitto.listeners.*.users.<name>.hashedPasswordFile | Specifies the path to a file containing the hashed password for the MQTT user. |
| services.inadyn.settings.custom.<name>.username | Username for this DDNS provider. |
| services.mtprotoproxy.users | Allowed users and their secrets. |
| services.mosquitto.listeners.*.users | A set of users and their passwords and ACLs. |
| services.coder.homeDir | Home directory for the coder user. |
| services.ntfy-sh.group | Primary group of the ntfy-sh user. |
| services.samba.settings.global."invalid users" | List of users who are denied login via Samba. |
| systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.group | The group of the file. |
| containers.<name>.privateUsers | Whether to give the container its own private UID/GID space (user namespacing). |
| services.openvpn.servers.<name>.authUserPass.username | The username to store inside the credentials file. |
| security.tpm2.tssUser | Name of the TPM device owner and service user; set if applyUdevRules is set. |
| services.movim.logDir | Log directory of the movim user which holds the application's logs. |
| services.umurmur.settings.max_users | Maximum number of concurrent clients allowed. |
| services.matomo.webServerUser | Name of the web server user that forwards requests to services.phpfpm.pools.<name>.socket, the FastCGI socket for Matomo, if the nginx option is not used. |
| services.xrdp.defaultWindowManager | The script to run when a user logs in, usually a window manager, e.g. "icewm" or "xfce4-session". This is overridable per user: if the file ~/startwm.sh exists, it is used instead. |
| services.openafsServer.roles.backup.buserverArgs | Arguments to the buserver process. |
| services.zfs.autoReplication.username | Username used by SSH to log in to the remote host. |
| services.spiped.config.<name>.keyfile | Name of a file containing the spiped key. |
| services.dependency-track.oidc.usernameClaim | Defines the name of the claim that contains the username in the provider's userinfo endpoint. |
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket are enabled, allowing all users in the "pipewire" group to use it simultaneously. |
| services.grafana-to-ntfy.settings.bauthUser | The user that you will authenticate with in the Grafana webhook settings. |
| services.grocy.dataDir | Home directory of the grocy user which contains the application's state. |
| programs.rush.enable | Whether to enable Restricted User Shell. |
| services.discourse.mail.outgoing.username | The username of the SMTP server. |
| programs.firefox.autoConfigFiles | AutoConfig files can be used to set and lock preferences that are not covered by the policies.json for Mac and Linux. |
| services.userborn.passwordFilesLocation | The location of the original password files. |
| services.mosquitto.listeners.*.users.<name>.acl | Control client access to topics on the broker. |
| services.movim.dataDir | State directory of the movim user which holds the application's state & data. |
| services.unpoller.unifi.defaults.pass | Path of a file containing the password for the UniFi service user. |
| services.zoneminder.database.username | Username for accessing the database. |
| services.lldap.settings.ldap_user_dn | Admin username. |
| services.nifi.initUser | Initial user account for Apache NiFi. |
| services.inadyn.settings.provider.<name>.username | Username for this DDNS provider. |
| services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".username | User used to connect to the database. |
| users.mysql.pam.disconnectEveryOperation | By default, pam_mysql keeps the connection to the MySQL database until the session is closed |
| services.mjolnir.pantalaimon.username | The username to log in with. |
| services.displayManager.sddm.autoLogin.minimumUid | Minimum user ID for the auto-login user. |
| systemd.units.<name>.wantedBy | Units that want (i.e. depend on) this unit. |
| systemd.mounts.*.wantedBy | Units that want (i.e. depend on) this unit. |
| systemd.paths.<name>.wantedBy | Units that want (i.e. depend on) this unit. |
| services.bitcoind.<name>.rpc.users.<name>.passwordHMAC | Password HMAC-SHA-256 for JSON-RPC connections. |
| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the user's authorized keys. |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command; see the docs. |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command; see the docs. |
| services.syncoid.localTargetAllow | Permissions granted for the services.syncoid.user user for local target datasets. |