| services.gitlab-runner.services.<name>.dockerPullPolicy | Default pull-policy for Docker images
|
| services.dashy.settings | Settings serialized into user-data/conf.yml before build
|
| services.dovecot2.pluginSettings | Plugin settings for dovecot in general, e.g. sieve, sieve_default, etc
|
| programs.hyprland.systemd.setPath.enable | Set environment path of systemd to include the current system's bin directory
|
| security.pam.services.<name>.startSession | If set, the service will register a new session with systemd's login manager
|
| services.mediawiki.httpd.virtualHost.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.patroni.postgresqlDataDir | The data directory for PostgreSQL
|
| services.umami.settings.COLLECT_API_ENDPOINT | Allows you to send metrics to a location different than the default /api/send.
|
| containers.<name>.extraVeths.<name>.localAddress | The IPv4 address assigned to the interface in the container
|
| services.zfs.autoSnapshot.flags | Flags to pass to the zfs-auto-snapshot command
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote_port | Remote UDP port for IKE communication
|
| environment.plasma5.excludePackages | List of default packages to exclude from the configuration
|
| services.akkoma.config.":pleroma".":frontends" | Frontend configuration
|
| environment.plasma6.excludePackages | List of default packages to exclude from the configuration
|
| services.borgbackup.jobs.<name>.prune.prefix | Only consider archive names starting with this prefix for pruning
|
| services.libinput.touchpad.clickMethod | Enables a click method
|
| services.healthchecks.user | User account under which healthchecks runs. If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the healthchecks service starts.
|
| services.mysql.galeraCluster.nodeAddresses | IP addresses or hostnames of all nodes in the cluster, including this node
|
| services.thanos.rule.objstore.config | Object store configuration
|
| services.nghttpx.frontends.*.params.api | Enable API access for this frontend
|
| systemd.tmpfiles.packages | List of packages containing systemd-tmpfiles rules
|
| services.webhook.hooksTemplated | Same as hooks, but these hooks are specified as literal strings instead of Nix values, and hence can include template syntax which might not be representable as JSON
|
| swapDevices.*.randomEncryption.sectorSize | Set the sector size for the plain encrypted device type
|
| containers.<name>.extraVeths.<name>.localAddress6 | The IPv6 address assigned to the interface in the container
|
| services.certspotter.sendmailPath | Path to the sendmail binary
|
| security.duosec.prompts | If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again
|
| services.grafana.settings.server.domain | The public facing domain name used to access grafana from a browser
|
| services.nebula.networks.<name>.enableReload | Enable automatic config reload on config change
|
| services.munin-node.disabledPlugins | Munin plugins to disable, even if munin-node-configure --suggest tries to enable them
|
| services.jirafeau.nginxConfig.forceSSL | Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS
|
| services.zabbixWeb.httpd.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.priority | Optional fixed priority for IPsec policies
|
| services.snapserver.streams.<name>.sampleFormat | Default sample format.
|
| boot.loader.systemd-boot.consoleMode | The resolution of the console
|
| boot.loader.grub.mirroredBoots.*.efiBootloaderId | The id of the bootloader to store in efi nvram
|
| services.clamav.fangfrisch.settings | fangfrisch configuration
|
| services.adguardhome.allowDHCP | Allows AdGuard Home to open raw sockets (CAP_NET_RAW), which is required for the integrated DHCP server
|
| services.mediatomb.openFirewall | If false (the default), it is up to the user to declare the firewall rules
|
| services.postfix.settings.master.<name>.command | A program name specifying a Postfix service/daemon process
|
| services.strongswan-swanctl.swanctl.connections.<name>.dpd_timeout | Charon by default uses the normal retransmission mechanism and timeouts to check the liveness of a peer, as all messages are used for liveness checking
|
| programs.proxychains.remoteDNSSubnet | Set the class A subnet number to use for the internal remote DNS mapping, uses the reserved 224.x.x.x range by default.
|
| services.healthchecks.group | Group account under which healthchecks runs. If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the healthchecks service starts.
|
| services._3proxy.resolution.nserver | List of nameservers to use
|
| services.borgbackup.jobs.<name>.readWritePaths | By default, borg cannot write anywhere on the system but $HOME/.config/borg and $HOME/.cache/borg
|
| networking.getaddrinfo.label | Adds entries to the label table, as described in section 2.1 of RFC 3484
|
| services.drupal.sites.<name>.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS
|
| security.pam.services.<name>.kwallet.enable | If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login
|
| services.homer.settings | Settings serialized into config.yml before build
|
| services.networking.websockify.portMap | Ports to map by default.
|
| services.thanos.store.objstore.config | Object store configuration
|
| services.neo4j.directories.data | Path of the data directory
|
| services.offlineimap.onCalendar | How often offlineimap is started
|
| services.hylafax.modems.<name>.config | Attribute set of values for the given modem
|
| services.unpoller.unifi.defaults.save_ids | Collect and save data from the intrusion detection system to influxdb and Loki.
|
| services.wordpress.sites.<name>.virtualHost.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.zabbixWeb.nginx.virtualHost.forceSSL | Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS
|
| services.healthchecks.dataDir | The directory used to store all data for healthchecks. If left as the default value this directory will automatically be created before the healthchecks server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.
|
| services.datadog-agent.checks | Configuration for all Datadog checks
|
| services.anubis.instances.<name>.policy.extraBots | Additional bot rules appended to the policy
|
| services.nextjs-ollama-llm-ui.hostname | The hostname under which the Ollama UI interface should be accessible
|
| services.reposilite.settings.idleTimeout | Default idle timeout used by Jetty.
|
| services.jitsi-meet.prosody.lockdown | Whether to disable Prosody features not needed by Jitsi Meet
|
| networking.interfaces.<name>.virtualType | The type of interface to create
|
| services.blockbook-frontend.<name>.templateDir | Location of the HTML templates
|
| programs.ssh.forwardX11 | Whether to request X11 forwarding on outgoing connections by default
|
| services.https-dns-proxy.provider.kind | The upstream provider to use or custom in case you do not trust any of the predefined providers or just want to use your own
|
| hardware.graphics.extraPackages | Additional packages to add to the default graphics driver lookup path
|
| services.thanos.receive.tracing.config | Tracing configuration
|
| services.postfix.settings.master.<name>.maxproc | The maximum number of processes to spawn for this service
|
| services.offlineimap.timeoutStartSec | How long to wait for offlineimap before killing it
|
| services.thanos.compact.tracing.config | Tracing configuration
|
| services.thanos.sidecar.tracing.config | Tracing configuration
|
| virtualisation.cri-o.pauseCommand | Override the default pause command
|
| system.nixos.label | NixOS version name to be used in the names of generated outputs and boot labels
|
| services.github-runners.<name>.group | Group under which to run the service
|
| services.wg-access-server.settings.dns.enabled | Enable/disable the embedded DNS proxy server
|
| services.strongswan-swanctl.swanctl.connections.<name>.keyingtries | Number of retransmission sequences to perform during initial connect
|
| services.strongswan-swanctl.swanctl.connections.<name>.rekey_time | IKE rekeying refreshes key material using a Diffie-Hellman exchange, but does not re-check associated credentials
|
| services.limesurvey.virtualHost.extraConfig | These lines go to httpd.conf verbatim
|
| security.pam.services.<name>.enableGnomeKeyring | If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login
|
| programs.uwsm.enable | Whether to enable uwsm, which wraps standalone Wayland compositors with a set of Systemd units on the fly
|
| services.gmediarender.initialVolume | A default volume attenuation (in dB) for the endpoint.
|
| services.kanata.keyboards.<name>.configFile | The config file
|
| services.prometheus.exporters.zfs.pools | Name of the pool(s) to collect, repeat for multiple pools (default: all pools).
|
| services.slurm.enableSrunX11 | If enabled srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job
|
| services.tsmBackup.servername | Create a systemd system service tsm-backup.service that starts a backup based on the given servername's stanza
|
| services.xserver.desktopManager.lxqt.iconThemePackage | The package that provides a default icon theme.
|
| services.postsrsd.settings.separator | SRS tag separator used in generated sender addresses
|
| services.unpoller.unifi.defaults.hash_pii | Hash, with md5, client names and MAC addresses
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ah_proposals | AH proposals to offer for the CHILD_SA
|
| environment.cinnamon.excludePackages | Which packages cinnamon should exclude from the default environment
|
| services.aria2.downloadDirPermission | The permission for settings.dir
|
| networking.jool.siit | Definitions of SIIT instances of Jool
|
| security.unprivilegedUsernsClone | When disabled, unprivileged users will not be able to create new namespaces
|
| environment.pantheon.excludePackages | Which packages pantheon should exclude from the default environment
|
| services.ebusd.scanconfig | Pick CSV config files matching initial scan ("none" or empty for no initial scan message, "full" for full scan, or a single hex address to scan, default is to send a broadcast ident message)
|
| services.foldingathome.team | The team ID associated with the reported computation results
|
| services.flarum.createDatabaseLocally | Create the database and database user locally, and run installation
|
| services.linkwarden.storageLocation | Directory used to store media files
|
| services.ollama.package | The ollama package to use
|