| security.pam.services.<name>.enableUMask | If enabled, the pam_umask module will be loaded.
|
| services.acpid.handlers.<name>.action | Shell commands to execute when the event is triggered.
|
| services.logcheck.ignore.<name>.regex | Regex specifying which log lines to ignore.
|
| services.netbird.clients | Attribute set of NetBird client daemons, by default each one will:
- be manageable using dedicated tooling:
netbird-<name> script,NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),
- run as a
netbird-<name>.service,
- listen for incoming remote connections on the port
51820 (openFirewall by default),
- manage the
netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (
hardened) be locally manageable by netbird-<name> system group,
With following caveats:
- multiple daemons will interfere with each other's DNS resolution of
netbird.cloud, but
should remain fully operational otherwise
|
| boot.initrd.systemd.users.<name>.uid | ID of the user in initrd.
|
| services.quicktun.<name>.upScript | Run specified command or script after the tunnel device has been opened.
|
| services.tahoe.nodes.<name>.client.shares.needed | The number of shares required to reconstitute a file.
|
| services.nsd.zones.<name>.dnssecPolicy.ksk.rollPeriod | How frequently to change keys
|
| services.nsd.zones.<name>.dnssecPolicy.zsk.rollPeriod | How frequently to change keys
|
| services.prosody.virtualHosts.<name>.ssl.cert | Path to the certificate file.
|
| services.akkoma.initDb.username | Name of the database user to initialise the database with
|
| services.blockbook-frontend.<name>.user | The user as which to run blockbook-frontend-‹name›.
|
| security.pam.services.<name>.u2fAuth | If set, users listed in
$XDG_CONFIG_HOME/Yubico/u2f_keys (or
$HOME/.config/Yubico/u2f_keys if XDG variable is
not set) are able to log in with the associated U2F key
|
| services.netbird.tunnels.<name>.interface | Name of the network interface managed by this client.
|
| services.netbird.clients.<name>.interface | Name of the network interface managed by this client.
|
| services.nsd.zones.<name>.multiMasterCheck | If enabled, checks all masters for the last zone version
|
| services.postfix.masterConfig.<name>.type | The type of the service
|
| users.users.<name>.subUidRanges | Subordinate user ids that user is allowed to use
|
| users.users.<name>.subGidRanges | Subordinate group ids that user is allowed to use
|
| services.i2pd.outTunnels.<name>.outbound.quantity | Number of simultaneous ‹name› tunnels.
|
| services.kubernetes.kubelet.taints.<name>.key | Key of taint.
|
| services.netbird.tunnels.<name>.logLevel | Log level of the NetBird daemon.
|
| services.netbird.clients.<name>.logLevel | Log level of the NetBird daemon.
|
| security.pam.services.<name>.nodelay | Whether the delay after typing a wrong password should be disabled.
|
| security.pam.services.<name>.fprintAuth | If set, fingerprint reader will be used (if exists and
your fingerprints are enrolled).
|
| services.dokuwiki.sites.<name>.acl.*.level | Permission level to restrict the actor(s) to
|
| services.bepasty.servers.<name>.workDir | Path to the working directory (used for config and pidfile)
|
| services.spiped.config.<name>.encrypt | Take unencrypted connections from the
source socket and send encrypted
connections to the target socket.
|
| services.spiped.config.<name>.decrypt | Take encrypted connections from the
source socket and send unencrypted
connections to the target socket.
|
| services.xserver.displayManager.lightdm.greeters.gtk.iconTheme.name | Name of the icon theme to use for the lightdm-gtk-greeter.
|
| services.beesd.filesystems.<name>.workDir | Name (relative to the root of the filesystem) of the subvolume where
the hash table will be stored.
|
| services.netbird.tunnels.<name>.dir.state | A state directory used by NetBird client to store config.json, state.json & resolv.conf.
|
| services.netbird.clients.<name>.dir.state | A state directory used by NetBird client to store config.json, state.json & resolv.conf.
|
| security.pam.services.<name>.ttyAudit.enable | Enable or disable TTY auditing for specified users
|
| systemd.paths.<name>.bindsTo | Like ‘requires’, but in addition, if the specified units
unexpectedly disappear, this unit will be stopped as well.
|
| services.kanidm.provision.persons.<name>.legalName | Full legal name
|
| services.xserver.displayManager.lightdm.greeters.slick.theme.name | Name of the theme to use for the lightdm-slick-greeter.
|
| services.ghostunnel.servers.<name>.allowCN | Allow client if common name appears in the list.
|
| services.homebridge.settings.platforms.*.name | Name of the platform
|
| services.nginx.virtualHosts.<name>.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.akkoma.frontends.<name>.ref | Akkoma frontend reference.
|
| services.redis.servers.<name>.unixSocketPerm | Change permissions for the socket
|
| services.tinc.networks.<name>.package | The tinc_pre package to use.
|
| services.wordpress.sites.<name>.virtualHost.locations.<name>.proxyPass | Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.
|
| services.httpd.virtualHosts.<name>.adminAddr | E-mail address of the server administrator.
|
| services.httpd.virtualHosts.<name>.onlySSL | Whether to enable HTTPS and reject plain HTTP connections
|
| services.nginx.virtualHosts.<name>.onlySSL | Whether to enable HTTPS and reject plain HTTP connections
|
| services.quicktun.<name>.remotePort | Remote UDP port
|
| services.fedimintd.<name>.nginx.path | Path to host the API on and forward to the daemon's api port
|
| services.pppd.peers.<name>.autostart | Whether the PPP session is automatically started at boot time.
|
| services.ndppd.proxies.<name>.timeout | Controls how long to wait for a Neighbor Advertisement Message before
invalidating the entry, in milliseconds.
|
| services.httpd.virtualHosts.<name>.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.nginx.virtualHosts.<name>.acmeRoot | Directory for the ACME challenge, which is public
|
| nix.firewall.allowPrivateNetworks | Whether to allow traffic to local networks
|
| services.ax25.axports.<name>.package | The ax25-tools package to use.
|
| services.nylon.<name>.verbosity | Enable verbose output, default is to not be verbose.
|
| services.uvcvideo.dynctrl.packages | List of packages containing uvcvideo dynamic controls
rules
|
| services.drupal.sites.<name>.virtualHost.hostName | Canonical hostname for the server.
|
| systemd.user.units.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| systemd.user.paths.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| services.netbird.clients.<name>.ui.enable | Controls presence of netbird-ui wrapper for this NetBird client.
|
| services.netbird.tunnels.<name>.ui.enable | Controls presence of netbird-ui wrapper for this NetBird client.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file | Absolute path to the certificate to load
|
| services.authelia.instances.<name>.settings.default_2fa_method | Default 2FA method for new users and fallback for preferred but disabled methods.
|
| boot.initrd.luks.devices.<name>.preLVM | Whether the luksOpen will be attempted before LVM scan or after it.
|
| services.ghostunnel.servers.<name>.allowOU | Allow client if organizational unit name appears in the list.
|
| services.znapzend.zetup.<name>.destinations.<name>.host | Host to use for the destination dataset
|
| systemd.user.slices.<name>.partOf | If the specified units are stopped or restarted, then this
unit is stopped or restarted as well.
|
| systemd.user.timers.<name>.partOf | If the specified units are stopped or restarted, then this
unit is stopped or restarted as well.
|
| services.drupal.sites.<name>.virtualHost.servedFiles | This option provides a simple way to serve individual, static files.
This option has been deprecated and will be removed in a future
version of NixOS
|
| services.dokuwiki.sites.<name>.acl | Access Control Lists: see https://www.dokuwiki.org/acl
Mutually exclusive with services.dokuwiki.aclFile
Set this to a value other than null to take precedence over aclFile option
|
| services.nylon.<name>.deniedIPRanges | Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses:
[ "0.0.0.0/0" ]
To block all other access than the allowed.
|
| systemd.services.<name>.scriptArgs | Arguments passed to the main process script
|
| services.autorandr.profiles.<name>.config.<name>.transform | Refer to
xrandr(1)
for the documentation of the transform matrix.
|
| security.pam.services.<name>.limits.*.value | Value of this limit
|
| services.k3s.manifests.<name>.source | Path of the source .yaml file.
|
| services.k3s.manifests.<name>.enable | Whether this manifest file should be generated.
|
| services.public-inbox.inboxes.<name>.newsgroup | NNTP group name for the inbox.
|
| services.firezone.server.provision.accounts.<name>.actors.<name>.email | The email address used to authenticate as this account
|
| services.redis.servers.<name>.extraParams | Extra parameters to append to redis-server invocation
|
| services.fedimintd.<name>.nginx.fqdn | Public domain of the API address of the reverse proxy/tls terminator.
|
| services.spiped.config.<name>.timeout | Timeout, in seconds, after which an attempt to connect to
the target or a protocol handshake will be aborted (and the
connection dropped) if not completed
|
| services.redis.servers.<name>.appendOnly | By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence.
|
| systemd.user.slices.<name>.wants | Start the specified units when this unit is started.
|
| systemd.user.timers.<name>.wants | Start the specified units when this unit is started.
|
| services.xserver.xkb.extraLayouts.<name>.symbolsFile | The path to the xkb symbols file
|
| services.wyoming.piper.servers.<name>.piper | The piper-tts package to use.
|
| services.neo4j.ssl.policies.<name>.clientAuth | The client authentication stance for this policy.
|
| services.wyoming.piper.servers.<name>.useCUDA | Whether to accelerate the underlying onnxruntime library with CUDA.
|
| services.nginx.virtualHosts.<name>.kTLS | Whether to enable kTLS support
|
| power.ups.upsmon.monitor.<name>.type | The relationship with upsd
|
| services.tinc.networks.<name>.hostSettings.<name>.subnets.*.weight | Indicates the priority over identical Subnets owned by different nodes
|
| services.openvpn.servers | Each attribute of this option defines a systemd service that
runs an OpenVPN instance
|
| security.acme.certs.<name>.csrKey | Path to the private key to the matching certificate signing request.
|
| services.firewalld.zones.<name>.short | Short description for the zone.
|
| services.firewalld.zones.<name>.ports | Ports to allow in the zone.
|
| services.restic.backups.<name>.package | The restic package to use.
|
| services.firezone.server.provision.accounts.<name>.auth.<name>.adapter | The auth adapter type
|
| services.xserver.displayManager.lightdm.greeters.enso.iconTheme.name | Name of the icon theme to use for the lightdm-enso-os-greeter
|