| services.pgbackrest.stanzas.<name>.jobs | Backup jobs to schedule for this stanza as described in:
https://pgbackrest.org/user-guide.html#quickstart/schedule-backup
|
| services.v4l2-relayd.instances.<name>.input.format | The video-format to read from input-stream.
|
| users.extraGroups.<name>.gid | The group GID
|
| boot.initrd.luks.devices.<name>.header | The name of the file or block device that
should be used as header for the encrypted device.
|
| services.fedimintd.<name>.nginx.config.default | Makes this vhost the default.
|
| users.users.<name>.shell | The path to the user's shell
|
| services.namecoind.rpc.key | Key file for securing RPC connections.
|
| services.rke2.autoDeployCharts.<name>.enable | Whether to enable the installation of this Helm chart
|
| security.pam.services.<name>.ttyAudit.enablePattern | For each user matching one of comma-separated
glob patterns, enable TTY auditing
|
| services.rsnapshot.extraConfig | rsnapshot configuration option in addition to the defaults from
rsnapshot and this module
|
| services.firewalld.services.<name>.sourcePorts.*.port | |
| services.firewalld.zones.<name>.forward | Whether to enable intra-zone forwarding
|
| services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with
Prometheus HTTP API for vmalert to execute
|
| services.rshim.device | Specify the device name to attach
|
| services.nebula.networks.<name>.staticHostMap | The static host map defines a set of hosts with fixed IP addresses on the internet (or any network)
|
| systemd.services.<name>.confinement.mode | The value full-apivfs (the default) sets up
private /dev, /proc,
/sys, /tmp and /var/tmp file systems
in a separate user name space
|
| services.wstunnel.clients.<name>.remoteToLocal | Listen on remote and forward traffic from local
|
| security.pam.services.<name>.duoSecurity.enable | If set, use the Duo Security pam module
pam_duo for authentication
|
| services.quicktun.<name>.remoteAddress | IP address or hostname of the remote end (use 0.0.0.0 for a floating/dynamic remote endpoint).
|
| services.firewalld.zones.<name>.forwardPorts | Ports to forward in the zone.
|
| services.firewalld.zones.<name>.sources.*.ipset | An ipset.
|
| services.nginx.virtualHosts.<name>.locations | Declarative location config
|
| services.vault-agent.instances.<name>.package | The vault package to use.
|
| services.postfix.settings.master.<name>.wakeup | Automatically wake up the service after the specified number of
seconds
|
| services.firewalld.services.<name>.includes | Services to include for the service.
|
| services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in
PEM format
|
| systemd.network.networks.<name>.ipv6SendRAConfig | Each attribute in this set specifies an option in the
[IPv6SendRA] section of the unit
|
| services.i2pd.proto.http.hostname | Expected hostname for WebUI.
|
| services.openafsServer.cellServDB.*.dnsname | Fully qualified DNS domain name of a database server
|
| services.openafsClient.cellServDB.*.dnsname | Fully qualified DNS domain name of a database server
|
| services.fedimintd.<name>.p2p.openFirewall | Opens port in firewall for fedimintd's p2p port (both TCP and UDP)
|
| services.caddy.virtualHosts.<name>.serverAliases | Additional names of virtual hosts served by this virtual host configuration.
|
| services.httpd.virtualHosts.<name>.serverAliases | Additional names of virtual hosts served by this virtual host configuration.
|
| services.ghostunnel.servers.<name>.cert | Path to certificate (PEM with certificate chain)
|
| services.httpd.virtualHosts.<name>.robotsEntries | Specification of pages to be ignored by web crawlers
|
| services.nginx.virtualHosts.<name>.serverAliases | Additional names of virtual hosts served by this virtual host configuration.
|
| services.awstats.configs.<name>.webService.urlPrefix | The URL prefix under which the awstats pages appear.
|
| services.kimai.sites.<name>.database.createLocally | Create the database and database user locally.
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.openbao.settings.listener.<name>.type | The listener type to enable.
|
| services.public-inbox.settings.coderepo.<name>.dir | Path to a git repository
|
| services.wordpress.sites.<name>.virtualHost.hostName | Canonical hostname for the server.
|
| services.atalkd.interfaces.<name>.config | Optional configuration string for this interface.
|
| services.easytier.instances.<name>.extraSettings | Extra settings to add to easytier-‹name›.toml.
|
| services.stash.username | Username for login.
|
| services.jibri.xmppEnvironments.<name>.call.login.username | User part of the JID for the recorder.
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters.*.name | See this list
for the available filters.
|
| virtualisation.emptyDiskImages.*.driveConfig.name | A name for the drive
|
| nix.registry.<name>.to | The flake reference from is rewritten to
|
| users.users.<name>.enable | If set to false, the user account will not be created
|
| services.borgbackup.jobs.<name>.extraInitArgs | Additional arguments for borg init
|
| services.mosquitto.bridges.<name>.topics | Topic patterns to be shared between the two brokers
|
| services.borgbackup.jobs.<name>.prune.prefix | Only consider archive names starting with this prefix for pruning
|
| services.biboumi.settings.db_name | The name of the database to use
|
| services.firezone.server.provision.accounts.<name>.auth | All authentication providers to provision
|
| security.wrappers.<name>.program | The name of the wrapper program
|
| services.ytdl-sub.instances.<name>.schedule | How often to run ytdl-sub
|
| systemd.network.networks.<name>.matchConfig | Each attribute in this set specifies an option in the
[Match] section of the unit
|
| services.fedimintd.<name>.nginx.config.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| services.grafana.provision.alerting.muteTimings.settings.muteTimes.*.name | Name of the mute time interval, must be unique
|
| services.postfix.settings.master.<name>.chroot | Whether the service is chrooted to have only access to the
services.postfix.queueDir and the closure of
store paths specified by the program option.
|
| services.prosody.virtualHosts.<name>.ssl.extraOptions | Extra SSL configuration options.
|
| services.btrbk.instances.<name>.settings | Configuration options for btrbk
|
| services.easytier.instances.<name>.settings.hostname | Hostname shown in peer list and web console.
|
| services.slurm.nodeName | Name that SLURM uses to refer to a node (or base partition for BlueGene
systems)
|
| services.fedimintd.<name>.nginx.config.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.tahoe.nodes.<name>.client.introducer | The furl for a Tahoe introducer node
|
| services.strongswan-swanctl.swanctl.secrets.rsa.<name>.file | File name in the rsa folder for which this passphrase
should be used.
|
| services.anubis.instances.<name>.settings.METRICS_BIND | The address Anubis' metrics server listens to
|
| services.mobilizon.settings.":mobilizon".":instance".name | The fallback instance name if not configured into the admin UI
|
| services.movim.h2o.serverName | Server name to be used for this virtual host
|
| systemd.network.netdevs.<name>.macvlanConfig | Each attribute in this set specifies an option in the
[MACVLAN] section of the unit
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.dokuwiki.sites.<name>.settings | Structural DokuWiki configuration
|
| services.wordpress.sites.<name>.settings | Structural WordPress configuration
|
| services.dolibarr.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.kanboard.nginx.locations.<name>.index | Adds index directive.
|
| services.fediwall.nginx.locations.<name>.index | Adds index directive.
|
| services.agorakit.nginx.locations.<name>.index | Adds index directive.
|
| services.librenms.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.kanboard.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.dolibarr.nginx.locations.<name>.index | Adds index directive.
|
| services.agorakit.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.librenms.nginx.locations.<name>.index | Adds index directive.
|
| services.fediwall.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.pixelfed.nginx.locations.<name>.index | Adds index directive.
|
| services.sabnzbd.settings.servers.<name>.enable | Enable this server by default
|
| services.mainsail.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.mainsail.nginx.locations.<name>.index | Adds index directive.
|
| services.pixelfed.nginx.locations.<name>.alias | Alias directory for requests.
|
| services.firezone.server.provision.accounts.<name>.policies.<name>.resource | The resource to which access should be allowed.
|
| services.httpd.virtualHosts.<name>.locations | Declarative location config
|
| services.tinc.networks.<name>.interfaceType | The type of virtual interface used for the network connection.
|
| services.anubis.instances.<name>.settings.SERVE_ROBOTS_TXT | Whether to serve a default robots.txt that denies access to common AI bots by name and all other
bots by wildcard.
|
| services.snapserver.streams.<name>.codec | Default audio compression method.
|
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|
| environment.etc.<name>.target | Name of symlink (relative to
/etc)
|
| users.users.<name>.pamMount | Attributes for user's entry in
pam_mount.conf.xml
|
| systemd.paths.<name>.wants | Start the specified units when this unit is started.
|