| services.xserver.desktopManager.surf-display.extraConfig | Extra configuration options to append to /etc/default/surf-display.
|
| services.authelia.instances.<name>.settings.default_2fa_method | Default 2FA method for new users and fallback for preferred but disabled methods.
|
| services.librespeed.frontend.servers.*.pingURL | URL path to latency/jitter test on this server
|
| security.acme.defaults.credentialFiles | Environment variables suffixed by "_FILE" to set for the cert's service
for your selected dnsProvider
|
| services.ocsinventory-agent.interval | How often we run the ocsinventory-agent service
|
| services.neo4j.directories.imports | The root directory for file URLs used with the Cypher
LOAD CSV clause
|
| services.mediawiki.httpd.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS
|
| services.foldingathome.daemonNiceLevel | Daemon process priority for FAHClient.
0 is the default Unix process priority, 19 is the lowest.
|
| nix.daemonCPUSchedPolicy | Nix daemon process CPU scheduling policy
|
| security.apparmor.enable | Whether to enable the AppArmor Mandatory Access Control system
|
| services.neo4j.directories.plugins | Path of the database plugin directory
|
| services.strongswan-swanctl.swanctl.pools.<name>.p_cscf | Address or CIDR subnets
StrongSwan default: []
|
| services.strongswan-swanctl.swanctl.pools.<name>.server | Address or CIDR subnets
StrongSwan default: []
|
| services.strongswan-swanctl.swanctl.pools.<name>.subnet | Address or CIDR subnets
StrongSwan default: []
|
| services.thanos.query-frontend.tracing.config | Tracing configuration
|
| services.openafsClient.cache.chunksize | Size of each cache chunk given in powers of 2.
0 resets the chunk size to its default values
(13 (8 KB) for memcache, 18-20 (256 KB to 1 MB) for diskcache)
|
| virtualisation.vswitch.resetOnStart | Whether to reset the Open vSwitch configuration database to a default
configuration on every start of the systemd ovsdb.service.
|
| services.jupyterhub.jupyterlabEnv | Python environment to run jupyterlab
Customizing will affect the packages available in the
jupyterlab server and the default kernel provided
|
| services.omnom.settings.activitypub.privkey | ActivityPub private key
|
| security.pam.u2f.settings.authfile | By default pam-u2f module reads the keys from
$XDG_CONFIG_HOME/Yubico/u2f_keys (or
$HOME/.config/Yubico/u2f_keys if XDG variable is
not set)
|
| hardware.fw-fanctrl.config.strategyOnDischarging | Default strategy on discharging
|
| services.prometheus.exporters.ecoflow.debug | Enable debug log messages
|
| services.mpdscribble.passwordFile | File containing the password for the mpd daemon
|
| services.misskey.reverseProxy.webserver.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.mattermost.mutableConfig | Whether the Mattermost config.json is writeable by Mattermost
|
| services.swapspace.settings.cooldown | Duration (roughly in seconds) of the moratorium on swap allocation that is instated if disk space runs out, or the cooldown time after a new swapfile is successfully allocated before swapspace will consider deallocating swap space again
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_dscp | Whether to copy the DSCP (Differentiated Services Field Codepoint)
header field to/from the outer IP header in tunnel mode
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_out | Netfilter mark and mask for output traffic
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa | Whether to set mark_in on the inbound SA
|
| services.dolibarr.h2o.tls.recommendations | By default, H2O, without prejudice, will use as many TLS versions &
cipher suites as it & the TLS library (OpenSSL) can support
|
| services.meilisearch.logLevel | Defines how much detail should be present in MeiliSearch's logs
|
| services.nextcloud.phpExtraExtensions | Additional PHP extensions to use for Nextcloud
|
| services.wordpress.sites.<name>.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS
|
| services.weblate.configurePostgresql | Whether to enable and configure a local PostgreSQL server by creating a user and database for weblate
|
| virtualisation.xen.boot.efi.path | Path to xen.efi. pkgs.xen is patched to install the xen.efi file
on $boot/boot/xen.efi, but an unpatched Xen build may install it
somewhere else, such as $out/boot/efi/efi/nixos/xen.efi
|
| virtualisation.writableStore | If enabled, the Nix store in the VM is made writable by
layering an overlay filesystem on top of the host's Nix
store
|
| services.anubis.instances.<name>.settings.SERVE_ROBOTS_TXT | Whether to serve a default robots.txt that denies access to common AI bots by name and all other
bots by wildcard.
|
| services.gitlab-runner.services.<name>.maximumTimeout | The maximum timeout (in seconds) that will be set for
a job when using this Runner. 0 (default) simply means don't limit
|
| services.dysnomia.extraContainerProperties | An attribute set providing additional container settings in addition to the default properties
|
| services.grafana.settings.security.admin_user | Default admin username.
|
| services.prometheus.pushgateway.log.level | Only log messages with the given severity or above.
null will default to info.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.replay_window | IPsec replay window to configure for this CHILD_SA
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.tfc_padding | Pads ESP packets with additional data to have a consistent ESP packet
size for improved Traffic Flow Confidentiality
|
| services.activemq.configurationDir | The base directory for ActiveMQ's configuration
|
| services.strongswan-swanctl.swanctl.pools.<name>.netmask | Address or CIDR subnets
StrongSwan default: []
|
| services.gitlab.pages.settings.internal-gitlab-server | Internal GitLab server used for API requests, useful
if you want to send that traffic over an internal load
balancer
|
| services.hostapd.radios | This option allows you to define APs for one or multiple physical radios
|
| virtualisation.bootPartition | The path (inside the VM) to the device containing the EFI System Partition (ESP)
|
| services.xserver.xrandrHeads | Multiple monitor configuration, just specify a list of XRandR
outputs
|
| services.tigerbeetle.addresses | The addresses of all replicas in the cluster
|
| services.limesurvey.httpd.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS
|
| services.znapzend.features.zfsGetType | Whether to enable using zfsGetType if your zfs get supports a
-t argument for filtering by dataset type at all AND
lists properties for snapshots by default when recursing, so that there
is too much data to process while searching for backup plans
|
| system.replaceDependencies.cutoffPackages | Packages to which no replacements should be applied
|
| networking.getaddrinfo.enable | Enables custom address sorting configuration for getaddrinfo(3) according to RFC 3484
|
| networking.networkmanager.logLevel | Set the default logging verbosity level.
|
| services.borgbackup.jobs.<name>.createCommand | Borg command to use for archive creation
|
| services.tinc.networks.<name>.hostSettings.<name>.addresses.*.port | The port where the host can be reached
|
| services.prometheus.pushgateway.log.format | Set the log target and format.
null will default to logger:stderr.
|
| services.thanos.downsample.tracing.config | Tracing configuration
|
| services.unpoller.unifi.defaults.save_alarms | Collect and save data from UniFi alarms to influxdb and Loki.
|
| services.unpoller.unifi.defaults.save_events | Collect and save data from UniFi events to influxdb and Loki.
|
| services.matrix-synapse.settings.listeners | List of ports that Synapse should listen on, their purpose and their configuration
|
| services.strongswan-swanctl.swanctl.connections.<name>.childless | Use childless IKE_SA initiation (allow, prefer, force or never)
|
| programs.captive-browser.browser | The shell (/bin/sh) command executed once the proxy starts
|
| services.nsd.ratelimit.whitelistRatelimit | Max qps allowed from whitelisted sources.
0 means unlimited
|
| services.paperless.passwordFile | A file containing the superuser password
|
| services.multipath.devices.*.path_checker | The default method used to determine the path's state
|
| services.limesurvey.nginx.virtualHost.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| virtualisation.forwardPorts | When using the SLiRP user networking (default), this option allows you to
forward ports to/from the host/guest.
If the NixOS firewall on the virtual machine is enabled, you also
have to open the guest ports to enable the traffic between host and
guest.
Currently QEMU supports only IPv4 forwarding.
|
| boot.loader.generic-extlinux-compatible.populateCmd | Contains the builder command used to populate an image,
honoring all options except the -c <path-to-default-configuration>
argument
|
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| services.home-assistant.config.http.server_host | Only listen to incoming requests on specific IP/host
|
| services.archisteamfarm.dataDir | The ASF home directory used to store all data
|
| services.writefreely.admin.initialPasswordFile | Path to a file containing the initial password for the admin user
|
| services.nextcloud.settings.default_phone_region | An ISO 3166-1
country code which replaces automatic phone-number detection
without a country code
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.close_action | Action to perform after a CHILD_SA gets closed by the peer.
- The default of none does not take any action,
- trap installs a trap policy for the CHILD_SA.
- start tries to re-create the CHILD_SA.
close_action does not provide any guarantee that the
CHILD_SA is kept alive
|
| hardware.trackpoint.drift_time | This parameter controls the period of time to test for a 'hands off' condition (i.e. when no force is applied) before a drift (noise) calibration occurs
|
| services.prometheus.exporters.chrony.user | User name under which the chrony exporter shall be run
|
| services.multipath.devices.*.alias_prefix | The user_friendly_names prefix to use for this device type, instead of the default mpath
|
| services.nebula.networks.<name>.lighthouse.dns.host | IP address on which nebula lighthouse should serve DNS.
'localhost' is a good default to ensure the service does not listen on public interfaces;
use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only.
|
| virtualisation.qemu.consoles | The output console devices to pass to the kernel command line via the
console parameter; the primary console is the last
item of this list
|
| services.alloy.configPath | Alloy configuration file/directory path
|
| services.keepalived.vrrpInstances.<name>.unicastSrcIp | Default IP for binding vrrpd is the primary IP on interface
|
| services.smokeping.presentationTemplate | Default page layout for the web UI.
|
| services.nullmailer.config.defaulthost | The content of this attribute is appended to any address that
is missing a host name
|
| containers.<name>.privateUsers | Whether to give the container its own private UIDs/GIDs space (user namespacing)
|
| networking.interfaces.<name>.ipv4.routes | List of extra IPv4 static routes that will be assigned to the interface.
If the route type is the default unicast, then the scope
is set differently depending on the value of networking.useNetworkd:
the script-based backend sets it to link, while networkd sets
it to global.
If you want consistency between the two implementations,
set the scope of the route manually with
networking.interfaces.eth0.ipv4.routes = [{ options.scope = "global"; }]
for example.
|
| hardware.nvidia.modesetting.enable | Whether to enable kernel modesetting when using the NVIDIA proprietary driver
|
| services.osquery.flags.database_path | Path used for the database file.
If left as the default value, this directory will be automatically created before the
service starts, otherwise you are responsible for ensuring the directory exists with
the appropriate ownership and permissions.
|
| services.prometheus.exporters.chrony.group | Group under which the chrony exporter shall be run
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in | Netfilter mark applied to packets after the inbound IPsec SA processed
them
|
| services.foundationdb.locality.machineId | Machine identifier key
|
| services.datadog-agent.extraIntegrations | Extra integrations from the Datadog core-integrations
repository that should be built and included
|
| programs.light.brightnessKeys.enable | Whether to enable brightness control with keyboard keys
|
| services.thanos.downsample.objstore.config | Object store configuration
|
| services.grafana.settings.security.admin_email | The email of the default Grafana Admin, created on startup.
|
| services.automatic-timezoned.enable | Enable automatic-timezoned, simple daemon for keeping the system
timezone up-to-date based on the current location
|
| services.suricata.settings.pcap-file.checksum-checks | Possible values are:
- yes: checksum validation is forced
- no: checksum validation is disabled
- auto: Suricata uses a statistical approach to detect when
checksum off-loading is used. (default)
Warning: 'checksum-validation' must be set to yes to have checksum tested.
|
| services.syncthing.settings.devices.<name>.autoAcceptFolders | Automatically create or share folders that this device advertises at the default path
|
| services.prometheus.exporters.rtl_433.rtl433Flags | Flags passed verbatim to rtl_433 binary
|