| services.varnish.listen.*.address | If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad
("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").
(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@"
followed by the name of an abstract socket ("@myvarnishd") accept connections
on a Unix domain socket
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.basic_auth.username | HTTP username
|
| services.wstunnel.clients.<name>.httpProxy | Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing PROXY_PASSWORD=<your-password-here> and set
this option to <user>:$PROXY_PASSWORD@<host>:<port>
|
| services.discourse.secretKeyBaseFile | The path to a file containing the
secret_key_base secret
|
| services.discourse.database.passwordFile | File containing the Discourse database user password
|
| services.commafeed.environment | Extra environment variables passed to CommaFeed, refer to
https://github.com/Athou/commafeed/blob/master/commafeed-server/config.yml.example
for supported values
|
| services.mjolnir.pantalaimon.passwordFile | File containing the matrix password for the mjolnir user.
|
| services.szurubooru.server.settings.smtp.passFile | File containing the password associated to the given user for the SMTP server.
|
| services.hostapd.radios.<name>.wifi6.singleUserBeamformer | HE single user beamformer support
|
| services.jitsi-videobridge.xmppConfigs.<name>.domain | Domain part of JID of the XMPP user, if it is different from hostName.
|
| services.hostapd.radios.<name>.wifi6.singleUserBeamformee | HE single user beamformee support
|
| services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in
PEM format
|
| services.borgbackup.repos.<name>.allowSubRepos | Allow clients to create repositories in subdirectories of the
specified path
|
| services.hostapd.radios.<name>.wifi7.singleUserBeamformee | EHT single user beamformee support
|
| services.hostapd.radios.<name>.wifi7.singleUserBeamformer | EHT single user beamformer support
|
| programs.gnupg.agent.pinentryPackage | Which pinentry package to use
|
| services.oauth2-proxy.setXauthrequest | Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
|
| services.wordpress.sites.<name>.database.createLocally | Create the database and database user locally.
|
| services.xserver.displayManager.startx.enable | Whether to enable the dummy "startx" pseudo-display manager, which
allows users to start X manually via the startx command from a
virtual terminal.
The X server will run under the current user, not as root.
|
| services.neo4j.directories.imports | The root directory for file URLs used with the Cypher
LOAD CSV clause
|
| services.prosody.muc.*.allowners_muc | Add module allowners, any user in chat is able to
kick other
|
| services.limesurvey.database.createLocally | Create the database and database user locally
|
| programs.firefox.preferencesStatus | The status of firefox.preferences.
status can assume the following values:
"default": Preferences appear as default.
"locked": Preferences appear as default and can't be changed.
"user": Preferences appear as changed.
"clear": Value has no effect
|
| services.prometheus.exporters.deluge.delugeUser | User to connect to deluge server.
|
| services.neo4j.directories.plugins | Path of the database plugin directory
|
| services.vdirsyncer.jobs.<name>.additionalGroups | additional groups to add the dynamic user to
|
| services.pgmanage.connections | pgmanage requires at least one PostgreSQL server be defined
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| services.bitmagnet.settings.postgres.password | Password for database user
|
| services.displayManager.dms-greeter.configFiles | List of DankMaterialShell configuration files to copy into the greeter
data directory at /var/lib/dms-greeter
|
| services.hercules-ci-agent.settings.labels | A key-value map of user data
|
| services.wasabibackend.rpc.passwordFile | File that contains the password of the RPC user.
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.username | username is required if using Identity V2 API
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.userid | username is required if using Identity V2 API
|
| services.dovecot2.imapsieve.mailbox.*.causes | Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox..name when one of the listed IMAPSIEVE causes apply
|
| programs.firefox.preferences | Preferences to set from about:config
|
| services.mattermost.database.password | Password for local Mattermost database user
|
| services.nominatim.database.passwordFile | Password file used for Nominatim database connection
|
| services.weblate.configurePostgresql | Whether to enable and configure a local PostgreSQL server by creating a user and database for weblate
|
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.basic_auth.username | HTTP username
|
| services.influxdb2.provision.initialSetup.tokenFile | API Token to set for the admin user
|
| services.maddy.ensureCredentials.<name>.passwordFile | Specifies the path to a file containing the
clear text password for the user.
|
| services.roundcube.database.passwordFile | Password file for the postgresql connection
|
| services.slskd.settings.soulseek.description | The user description for the Soulseek network.
|
| services.ayatana-indicators.packages | List of packages containing Ayatana Indicator services
that should be brought up by a systemd "ayatana-indicators" user target
|
| services.neo4j.ssl.policies.<name>.trustedDir | Path to directory of X.509 certificates in PEM format for
trusted parties
|
| documentation.nixos.options.splitBuild | Whether to split the option docs build into a cacheable and an uncacheable part
|
| services.resilio.sharedFolders | Shared folder list
|
| services.misskey.reverseProxy.webserver.nginx.kTLS | Whether to enable kTLS support
|
| services.mosquitto.listeners.*.omitPasswordAuth | Omits password checking, allowing anyone to log in with any user name unless
other mandatory authentication methods (e.g. TLS client certificates) are configured.
|
| services.jitsi-meet.prosody.allowners_muc | Add module allowners, any user in chat is able to
kick other
|
| nixpkgs.pkgs | If set, the pkgs argument to all NixOS modules is the value of
this option, extended with nixpkgs.overlays, if
that is also set
|
| services.jitsi-videobridge.xmppConfigs.<name>.passwordFile | File containing the password for the user.
|
| services.postgresql.ensureUsers.*.ensureDBOwnership | Grants the user ownership to a database with the same name
|
| virtualisation.forwardPorts | When using the SLiRP user networking (default), this option allows you to
forward ports to/from the host/guest.
If the NixOS firewall on the virtual machine is enabled, you also
have to open the guest ports to enable the traffic between host and
guest.
Currently QEMU supports only IPv4 forwarding.
|
| security.pam.ussh.authorizedPrincipals | Comma-separated list of authorized principals to permit; if the user
presents a certificate with one of these principals, then they will be
authorized
|
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| services.uwsgi.capabilities | Grant capabilities to the uWSGI instance
|
| services.writefreely.admin.initialPasswordFile | Path to a file containing the initial password for the admin user
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.basic_auth.username | HTTP username
|
| security.pam.ussh.authorizedPrincipalsFile | Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized
|
| services.dependency-track.settings."alpine.ldap.enabled" | Defines if LDAP will be used for user authentication
|
| services.parsedmarc.provision.localMail.enable | Whether Postfix and Dovecot should be set up to receive
mail locally. parsedmarc will be configured to watch the
local inbox as the automatically created user specified in
services.parsedmarc.provision.localMail.recipientName
|
| services.alloy.configPath | Alloy configuration file/directory path
|
| services.dependency-track.settings."alpine.oidc.enabled" | Defines if OpenID Connect will be used for user authentication
|
| services.authelia.instances.<name>.secrets.manual | Configuring authelia's secret files via the secrets attribute set
is intended to be convenient and help catch cases where values are required
to run at all
|
| services.prometheus.exporters.unpoller.loki.pass | Path of a file containing the password for Loki
|
| services.postfixadmin.database.passwordFile | Password file for the postgresql connection
|
| services.libinput.mouse.accelProfile | Sets the pointer acceleration profile to the given profile
|
| services.foundationdb.tls.allowedPeers | "Peer verification string"
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| services.biboumi.settings.persistent_by_default | Whether all rooms will be persistent by default:
the value of the “persistent” option in the global configuration of each
user will be “true”, but the value of each individual room will still
default to false
|
| services.influxdb2.provision.initialSetup.passwordFile | Password for primary user
|
| services.archisteamfarm.ipcPasswordFile | Path to a file containing the password
|
| security.pam.sshAgentAuth.authorizedKeysFiles | A list of paths to files in OpenSSH's authorized_keys format, containing
the keys that will be trusted by the pam_ssh_agent_auth module
|
| services.dependency-track.database.databaseName | Database name to use when connecting to an external or
manually provisioned database; has no effect when a local
database is automatically provisioned
|
| services.grafana.settings.server.socket_gid | GID where the socket should be set when protocol=socket
|
| services.jibri.xmppEnvironments.<name>.call.login.passwordFile | File containing the password for the user.
|
| services.matrix-conduit.settings.global.server_name | The server_name is the name of this server
|
| services.matrix-tuwunel.settings.global.server_name | The server_name is the name of this server
|
| services.strongswan-swanctl.swanctl.secrets.token.<name>.pin | Optional PIN required to access the key on the token
|
| services.bitwarden-directory-connector-cli.secrets.ldap | Path to file that contains LDAP password for user in {option}`ldap.username
|
| services.omnom.settings.app.disable_signup | Whether to enable restricting user creation.
|
| services.prometheus.exporters.postgres.runAsLocalSuperUser | Whether to run the exporter as the local 'postgres' super user.
|
| services.xserver.displayManager.session | List of sessions supported with the command used to start each
session
|
| programs.opengamepadui.fontPackages | Font packages to use in OpenGamepadUI
|
| services.prometheus.exporters.nextcloud.tokenFile | File containing the token for connecting to Nextcloud
|
| services.cloudflare-ddns.credentialsFile | Path to a file containing the Cloudflare API authentication token
|
| services.rutorrent.nginx.exposeInsecureRPC2mount | If you do not enable one of the rpc or httprpc plugins you need to expose an RPC mount through scgi using this option
|
| virtualisation.libvirtd.qemu.vhostUserPackages | Packages containing out-of-tree vhost-user drivers.
|
| services.angrr.settings.profile-policies.<name>.profile-paths | Paths to the Nix profile
|
| services.invoiceplane.sites.<name>.database.createLocally | Create the database and database user locally.
|
| services.engelsystem.settings | Options to be added to config.php, as a nix attribute set
|
| virtualisation.virtualbox.host.enable | Whether to enable VirtualBox.
In order to pass USB devices from the host to the guests, the user
needs to be in the vboxusers group.
|
| services.nextcloud.settings.loglevel | Log level value between 0 (DEBUG) and 4 (FATAL).
- 0 (debug): Log all activity.
- 1 (info): Log activity such as user logins and file activities, plus warnings, errors, and fatal errors.
- 2 (warn): Log successful operations, as well as warnings of potential problems, errors and fatal errors.
- 3 (error): Log failed operations and fatal errors.
- 4 (fatal): Log only fatal errors that cause the server to stop.
|
| virtualisation.libvirtd.qemu.runAsRoot | If true, libvirtd runs qemu as root
|