| services.logrotate.checkConfig | Whether the config should be checked at build time
|
| virtualisation.rosetta.enable | Whether to enable Rosetta support
|
| virtualisation.containers.policy | Signature verification policy file
|
| services.archisteamfarm.bots.<name>.username | Name of the user to log in
|
| services.strongswan-swanctl.swanctl.connections.<name>.fragmentation | Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
fragmentation)
|
| services.jitsi-videobridge.xmppConfigs.<name>.mucNickname | Videobridges use the same XMPP account and need to be distinguished by the
nickname (aka resource part of the JID)
|
| services.canaille.settings.CANAILLE_SQL.DATABASE_URI | The SQL server URI
|
| services.movim.podConfig.xmppdescription | The default XMPP server description
|
| services.netbird.server.dashboard.settings | An attribute set that will be used to substitute variables when building the dashboard
|
| services.openssh.listenAddresses | List of addresses and ports to listen on (ListenAddress directive
in config)
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|
| services.lldap.settings.ldap_user_pass | Password for the default admin user
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out | Netfilter mark applied to packets after the outbound IPsec SA processed
them
|
| networking.wireguard.interfaces.<name>.mtu | Set the maximum transmission unit in bytes for the wireguard
interface
|
| services.grafana.settings.server.enable_gzip | Set this option to true to enable HTTP compression; this can improve transfer speed and bandwidth utilization
|
| services.i2pd.precomputation.elgamal | Whether to use precomputed tables for ElGamal.
i2pd defaults to false to save 64M of memory (and loses some performance)
|
| services.ollama.acceleration | What interface to use for hardware acceleration
|
| services.hostapd.radios.<name>.wifi4.capabilities | HT (High Throughput) capabilities given as a list of flags
|
| hardware.tuxedo-drivers.settings.charging-priority | These options manage the trade-off between battery charging and CPU performance when the USB-C power supply cannot provide sufficient power for both simultaneously:
- charge_battery prioritizes battery charging (driver default)
- performance prioritizes maximum CPU performance
|
| services.syncthing.settings.options.urAccepted | Whether the user has accepted to submit anonymous usage data
|
| services.usbguard.restoreControllerDeviceState | The USBGuard daemon modifies some attributes of controller
devices like the default authorization state of new child device
instances
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action | Action to perform after loading the configuration.
- The default of none loads the connection only, which can then be manually initiated or used as a responder configuration.
- The value trap installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected.
- The value start initiates the connection actively.
- Since version 5.9.6 the two modes above can be combined with trap|start, to immediately initiate a connection for which trap policies have been installed
|
| services.athens.storage.s3.useDefaultConfiguration | Use default configuration for the S3 storage backend.
|
| services.hostapd.radios.<name>.networks.<name>.macAcl | Station MAC address-based authentication
|
| networking.getaddrinfo.precedence | Similar to networking.getaddrinfo.label, but this option
defines entries for the precedence table instead
|
| services.journalwatch.filterBlocks | filterBlocks can be defined to blacklist journal messages which are not errors
|
| hardware.tuxedo-drivers.settings.charging-profile | The maximum charge level to help reduce battery wear:
- high_capacity charges to 100% (driver default)
- balanced charges to 90%
- stationary charges to 80% (maximum lifespan)
Note: Regardless of the configured charging profile, the operating system will always report the battery as being charged to 100%.
|
| services.misskey.reverseProxy.webserver.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.archisteamfarm.enable | If enabled, starts the ArchiSteamFarm service
|
| services.foundationdb.extraReadWritePaths | An extra set of filesystem paths that FoundationDB can read from
and write to
|
| services.multipath.devices.*.path_selector | The default path selector algorithm to use; they are offered by the kernel multipath target
|
| services.tarsnap.keyfile | The keyfile which associates this machine with your tarsnap
account
|
| services.crowdsec.localConfig.notifications | A list of notifications to enable and use in your profiles
|
| services.tabby.acceleration | Specifies the device to use for hardware acceleration.
- cpu: no acceleration, just use the CPU
- rocm: supported by modern AMD GPUs
- cuda: supported by modern NVIDIA GPUs
- metal: supported on darwin aarch64 machines
Tabby will try to determine which type of acceleration is already enabled in your configuration when acceleration = null:
- nixpkgs.config.cudaSupport
- nixpkgs.config.rocmSupport
- if stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64
IFF multiple acceleration methods are found to be enabled, or if you haven't set either cudaSupport or rocmSupport, you will have to specify the device type manually here; otherwise it will default to the first from the list above or to cpu.
|
| services.resolved.dnssec | If set to "true": all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS)
|
| services.foundationdb.storageMemory | Maximum memory used for data storage
|
| services.engelsystem.settings | Options to be added to config.php, as a nix attribute set
|
| services.bacula-fd.director.<name>.password | Specifies the password that must be supplied for the default Bacula
Console to be authorized
|
| services.bacula-sd.director.<name>.password | Specifies the password that must be supplied for the default Bacula
Console to be authorized
|
| services.prometheus.pushgateway.web.listen-address | Address to listen on for the web interface, API and telemetry.
null will default to :9091.
|
| services.hercules-ci-agent.settings.staticSecretsDirectory | This is the default directory to look for statically configured secrets like cluster-join-token.key
|
| services.journald.rateLimitBurst | Configures the rate limiting burst limit (number of messages per
interval) that is applied to all messages generated on the system
|
| systemd.enableStrictShellChecks | Whether to run shellcheck on the generated scripts for systemd
units
|
| services.discourse.siteSettings | Discourse site settings
|
| networking.interfaces.<name>.tempAddress | When IPv6 is enabled with SLAAC, this option controls the use of
temporary addresses (aka privacy extensions) on this
interface
|
| services.prometheus.pushgateway.web.telemetry-path | Path under which to expose metrics.
null will default to /metrics.
|
| services.xserver.windowManager.herbstluftwm.configFile | Path to the herbstluftwm configuration file
|
| services.grafana.provision.alerting.rules.settings.deleteRules.*.orgId | Organization ID, default = 1
|
| services.prometheus.exporters.chrony.chronyServerAddress | ChronyServerAddress of the chrony server side command port. (Not enabled by default.)
Defaults to the local unix socket.
|
| services.logind.settings.Login.KillUserProcesses | Specifies whether the processes of a user should be killed
when the user logs out
|
| services.heisenbridge.registrationUrl | The URL where the application service is listening for HS requests, from the Matrix HS perspective.
The default value assumes the bridge runs on the same host as the home server, in the same network.
|
| services.openssh.settings.AuthorizedPrincipalsFile | Specifies a file that lists principal names that are accepted for certificate authentication
|
| services.xserver.desktopManager.runXdgAutostartIfNone | Whether to run XDG autostart files for sessions without a desktop manager
(with only a window manager); these sessions usually don't handle XDG
autostart files by default
|
| networking.wireless.networks.<name>.priority | By default, all networks will get same priority group (0)
|
| services.prometheus.exporters.frr.enabledCollectors | Collectors to enable
|
| services.xserver.displayManager.lightdm.greeters.gtk.clock-format | Clock format string (as expected by strftime, e.g. "%H:%M")
to use with the lightdm gtk greeter panel
|
| environment.enlightenment.excludePackages | Which packages Enlightenment should exclude from the default environment
|
| systemd.services.<name>.confinement.packages | Additional packages or strings with context to add to the closure of
the chroot
|
| services.yggdrasil.settings | Configuration for yggdrasil, as a structured Nix attribute set
|
| services.akkoma.config.":joken".":default_signer" | JWT signing secret
|
| services.prometheus.exporters.node.enabledCollectors | Collectors to enable
|
| services.prometheus.exporters.frr.disabledCollectors | Collectors to disable which are enabled by default.
|
| services.prometheus.exporters.opnsense.enabledExporter | Collectors to enable or disable
|
| virtualisation.docker.rootless.setSocketVariable | Point DOCKER_HOST to rootless Docker instance for
normal users by default.
|
| boot.loader.systemd-boot.sortKey | The sort key used for the NixOS bootloader entries
|
| hardware.amdgpu.overdrive.ppfeaturemask | Sets the amdgpu.ppfeaturemask kernel option
|
| services.umurmur.settings.default_channel | The channel in which users will appear when connecting.
|
| services.prometheus.exporters.node.disabledCollectors | Collectors to disable which are enabled by default.
|
| services.nullmailer.config.defaultdomain | The content of this attribute is appended to any host name that
does not contain a period (except localhost), including defaulthost
and idhost
|
| services.prometheus.exporters.nginxlog.settings.consul | Consul integration options
|
| services.maubot.settings.crypto_database | Separate database URL for the crypto database
|
| services.grafana-image-renderer.settings.rendering.mode | Rendering mode of grafana-image-renderer:
- default: Creates one browser instance per rendering request.
- reusable: One browser instance will be started and reused for each rendering request.
- clustered: allows you to precisely configure how many browser instances are supposed to be used
|
| services.jellyfin.forceEncodingConfig | Whether to overwrite Jellyfin's encoding.xml configuration file on each service start
|
| documentation.man.mandoc.settings.manpath | Override the default search path for man(1),
apropos(1), and makewhatis(8)
|
| services.displayManager.dms-greeter.compositor.customConfig | Custom compositor configuration to use for the greeter session
|
| services.multipath.devices.*.getuid_callout | (Superseded by uid_attribute) The default program and args to callout
to obtain a unique path identifier
|
| services.nghttpx.backends.*.params.redirect-if-not-tls | If true, a backend match requires the frontend connection be
TLS encrypted
|
| services.prometheus.exporters.chrony.enabledCollectors | Collectors to enable
|
| services.tuned.settings.default_instance_priority | Default instance (unit) priority.
|
| documentation.man.mandoc.settings.output.man | A template for linked manuals (usually via the Xr macro) in HTML
output
|
| services.headscale.settings.prefixes.allocation | Strategy used for allocation of IPs to nodes, available options:
- sequential (default): assigns the next free IP from the previous given IP.
- random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
|
| documentation.man.mandoc.settings.output.includes | A string of relative path used as a template for the output path of
linked header files (usually via the In macro) in HTML output
|
| services.unpoller.unifi.defaults.save_anomalies | Collect and save data from UniFi anomalies to influxdb and Loki.
|
| services.prometheus.exporters.opnsense.disabledExporter | Collectors to enable or disable
|
| services.mpd.settings.music_directory | The directory or URI where MPD reads music from
|
| services.epgstation.usePreconfiguredStreaming | Use preconfigured default streaming options
|
| services.fail2ban.bantime-increment.overalljails | "bantime.overalljails" (if true) specifies that the search for the IP in the database will be executed
across all jails; if false (default), only the current jail of the banned IP will be searched.
|
| virtualisation.useDefaultFilesystems | If enabled, the boot disk of the virtual machine will be
formatted and mounted with the default filesystems for
testing
|
| services.firezone.server.smtp.configureManually | Outbound email configuration is mandatory for Firezone and supports
many different delivery adapters
|
| services.gitea.settings.service.DISABLE_REGISTRATION | By default any user can create an account on this gitea instance
|
| services.prometheus.exporters.ecoflow.exporterType | The type of exporter you'd like to use
|
| services.suricata.settings.exception-policy | Define a common behavior for all exception policies
|
| services.paperless.openMPThreadingWorkaround | Whether to enable a workaround for document classifier timeouts
|
| services.pgbouncer.settings.pgbouncer.pool_mode | Specifies when a server connection can be reused by other clients.
- session: Server is released back to pool after client disconnects
|
| services.matrix-synapse.workers | Options for configuring workers
|
| services.grafana.provision.alerting.muteTimings.settings.deleteMuteTimes.*.orgId | Organization ID, default = 1.
|
| services.prometheus.exporters.wireguard.interfaces | Specifies the interface(s) passed to the wg show dump parameter
|
| services.anubis.instances.<name>.settings.METRICS_BIND | The address Anubis' metrics server listens on
|
| services.prometheus.exporters.wireguard.singleSubnetPerField | By default, all allowed IPs and subnets are comma-separated in the
allowed_ips field
|
| networking.firewall.connectionTrackingModules | List of connection-tracking helpers that are auto-loaded
|