| services.firewalld.zones.<name>.forward | Whether to enable intra-zone forwarding
|
| services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules, compatible with the Prometheus HTTP API, that vmalert executes against the configured "datasource.url"
|
| services.tor.relay.onionServices.<name>.settings | Settings of the onion service
|
| services.netbird.clients.<name>.dns-resolver.port | A port to serve DNS entries on when dns-resolver.address is enabled.
|
| services.netbird.tunnels.<name>.dns-resolver.port | A port to serve DNS entries on when dns-resolver.address is enabled.
|
| services.honk.username | The admin account username.
|
| services.anubis.instances.<name>.settings.METRICS_BIND | The address Anubis' metrics server listens on
|
| networking.sits.<name>.dev | The underlying network device on which the tunnel resides.
|
| systemd.user.timers.<name>.before | If the specified units are started at the same time as this unit, delay them until this unit has started.
|
| systemd.user.slices.<name>.before | If the specified units are started at the same time as this unit, delay them until this unit has started.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert | Section for a certificate candidate to use for authentication
|
| services.anubis.instances.<name>.settings.SERVE_ROBOTS_TXT | Whether to serve a default robots.txt that denies access to common AI bots by name and all other bots by wildcard.
|
| users.extraGroups.<name>.members | The user names of the group members, added to the /etc/group file.
|
| security.pam.services.<name>.kwallet.enable | If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login.
|
| systemd.slices.<name>.upheldBy | Keep this unit running as long as the listed units are running
|
| systemd.timers.<name>.upheldBy | Keep this unit running as long as the listed units are running
|
| services.firewalld.services.<name>.sourcePorts | Source ports for the service.
|
| services.btrbk.instances.<name>.settings | Configuration options for btrbk
|
| services.fedimintd.<name>.nginx.config.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| services.fedimintd.<name>.nginx.config.listen.*.addr | Listen address.
|
| services.v4l2-relayd.instances.<name>.input.height | The height to read from input-stream.
|
| services.ytdl-sub.instances.<name>.schedule | How often to run ytdl-sub
|
| services.gancio.settings.hostname | The domain name under which the server is reachable.
|
| services.nebula.networks.<name>.staticHostMap | The static host map defines a set of hosts with fixed IP addresses on the internet (or any network)
|
| services.hostapd.radios.<name>.networks.<name>.ignoreBroadcastSsid | Send an empty SSID in beacons and ignore probe request frames that do not specify the full SSID, i.e., require stations to know the SSID
|
| services.borgbackup.jobs.<name>.extraInitArgs | Additional arguments for borg init
|
| services.mosquitto.bridges.<name>.topics | Topic patterns to be shared between the two brokers
|
| services.nipap.settings.nipapd.db_name | Name of database to use on PostgreSQL server.
|
| services.sabnzbd.settings.servers.<name>.displayname | Human-friendly description of the server
|
| networking.networkmanager.dispatcherScripts.*.type | Dispatcher hook type
|
| services.gancio.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.akkoma.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.fluidd.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.fedimintd.<name>.nginx.config.basicAuth | Basic Auth protection for a vhost
|
| services.matomo.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.monica.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.openvpn.servers.<name>.authUserPass | This option can be used to store the username / password credentials for the "auth-user-pass" authentication method
|
| services.snapserver.streams.<name>.codec | Default audio compression method.
|
| services.dovecot2.mailboxes.<name>.auto | Whether to automatically create the mailbox, create and subscribe to it, or do neither.
|
| services.blockbook-frontend.<name>.sync | Synchronizes until the chain tip; if combined with zeromq, keeps the index synchronized.
|
| services.httpd.virtualHosts.<name>.locations | Declarative location config
|
| services.tinc.networks.<name>.interfaceType | The type of virtual interface used for the network connection.
|
| services.fedimintd.<name>.nginx.config.default | Makes this vhost the default.
|
| users.extraUsers.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user
|
| services.ttyd.username | Username for basic http authentication.
|
| services.wordpress.sites.<name>.settings | Structural WordPress configuration
|
| services.gitlab-runner.services.<name>.postBuildScript | Runner-specific command script executed after code is pulled and just after the build executes.
|
| services.snipe-it.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.v4l2-relayd.instances.<name>.input.format | The video-format to read from input-stream.
|
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file. Do not write the ids section here; use the separate option for it.
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated from the devices option) and linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory are restricted to be only available via the mail system
|
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| services.fedimintd.<name>.bitcoin.network | Bitcoin network to participate in.
|
| services.firezone.server.provision.accounts.<name>.auth | All authentication providers to provision
|
| services.drupal.sites.<name>.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.grafana.provision.alerting.muteTimings.settings.muteTimes.*.name | Name of the mute time interval, must be unique
|
| services.tarsnap.archives.<name>.excludes | Exclude files and directories matching these patterns.
|
| services.strongswan-swanctl.swanctl.secrets.rsa.<name>.file | File name in the rsa folder for which this passphrase should be used.
|
| networking.sits.<name>.ttl | The time-to-live of the connection to the remote tunnel endpoint.
|
| users.extraUsers.<name>.subUidRanges.*.count | Count of subordinate user ids
|
| users.extraUsers.<name>.subGidRanges.*.count | Count of subordinate group ids
|
| services.gitlab-runner.services.<name>.dockerExtraHosts | Add a custom host-to-IP mapping.
|
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Caveats: even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Caveats: even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs
|
| services.kimai.sites.<name>.database.passwordFile | A file containing the password corresponding to database.user.
|
| security.pam.services.<name>.ttyAudit.enablePattern | For each user matching one of the comma-separated glob patterns, enable TTY auditing
|
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|
| security.acme.certs.<name>.keyType | Key type to use for private keys
|
| services.easytier.instances.<name>.enable | Enable the instance.
|
| services.opkssh.providers.<name>.lifetime | Token lifetime
|
| systemd.user.timers.<name>.aliases | Aliases of that unit.
|
| systemd.user.slices.<name>.aliases | Aliases of that unit.
|
| services.easytier.instances.<name>.settings.network_name | EasyTier network name.
|
| users.users.<name>.expires | Set the date on which the user's account will no longer be accessible
|
| services.bcg.mqtt.username | MQTT server access username.
|
| services.klipper.firmwares.<name>.package | Path to the built firmware package.
|
| systemd.user.sockets.<name>.after | If the specified units are started at the same time as this unit, delay this unit until they have started.
|
| systemd.user.paths.<name>.upholds | Keeps the specified units running while this unit is running
|
| systemd.user.targets.<name>.after | If the specified units are started at the same time as this unit, delay this unit until they have started.
|
| services.redis.servers.<name>.maxclients | Set the max number of connected clients at the same time.
|
| services.openbao.settings.listener.<name>.type | The listener type to enable.
|
| services.public-inbox.settings.coderepo.<name>.dir | Path to a git repository
|
| services.wordpress.sites.<name>.virtualHost.hostName | Canonical hostname for the server.
|
| services.gitlab-runner.services.<name>.executor | Select the executor, e.g. shell, docker, etc.
|
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| services.awstats.configs.<name>.webService.urlPrefix | The URL prefix under which the awstats pages appear.
|
| services.kimai.sites.<name>.database.createLocally | Create the database and database user locally.
|
| services.dokuwiki.sites.<name>.settings | Structural DokuWiki configuration
|
| services.radicle.httpd.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.radicle.httpd.nginx.locations.<name>.index | Adds index directive.
|
| systemd.services.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| systemd.targets.<name>.bindsTo | Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
|
| systemd.sockets.<name>.bindsTo | Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
|
| services.postfix.settings.master.<name>.wakeup | Automatically wake up the service after the specified number of seconds
|
| services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory
|
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| security.pam.services.<name>.duoSecurity.enable | If set, use the Duo Security pam module pam_duo for authentication
|
| services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: this reduces the CPU time spent in the initial connection setup, at the expense of losing perfect forward secrecy.
|
| services.headscale.settings.dns.extra_records.*.name | DNS record name.
|