| Option | Description |
|---|---|
| `containers.<name>.allowedDevices` | A list of device nodes to which the container has access. |
| `services.bacula-fd.tls.allowedCN` | Common name attribute of allowed peer certificates. |
| `services.bacula-sd.tls.allowedCN` | Common name attribute of allowed peer certificates. |
| `services.cockpit.allowed-origins` | List of allowed origins. |
| `services.bacula-dir.tls.allowedCN` | Common name attribute of allowed peer certificates. |
| `boot.initrd.network.ifstate.allowIfstateToDrasticlyIncreaseInitrdSize` | IfState in the initrd drastically increases its size; your boot partition may be too small and/or you may be able to keep significantly fewer generations. |
| `containers.<name>.allowedDevices.*.node` | Path to the device node. |
| `services.vsftpd.userlistDeny` | Whether `userlistFile` lists user names to deny access (true) rather than to allow it (false). |
| `services.grafana.settings.security.allow_embedding` | When false, the HTTP header `X-Frame-Options: deny` is set in Grafana HTTP responses, which instructs browsers not to render Grafana in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. |
| `services.distccd.allowedClients` | Client IPs which are allowed to connect to distccd, in CIDR notation. |
| `services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce` | Disable PKCE on this OAuth2 resource server to work around insecure clients that may not support it. |
| `services.komodo-periphery.allowedIps` | IP addresses or subnets allowed to call the periphery API. |
| `services.prosody.muc.*.allowners_muc` | Add the allowners module: any user in the chat is able to kick others. |
| `networking.firewall.allowedUDPPorts` | List of open UDP ports. |
| `networking.firewall.allowedTCPPorts` | List of TCP ports on which incoming connections are accepted. |
| `services.morty.ipv6` | Allow IPv6 HTTP requests? |
| `services.firezone.gui-client.allowedUsers` | All listed users become members of the firezone-client group so they can control the tunnel service. |
| `services.omnom.settings.smtp.tls_allow_insecure` | Whether to allow insecure TLS for the SMTP connection. |
| `services.nextcloud-spreed-signaling.settings.backend.allowall` | Allow any hostname as backend endpoint. |
| `services.jitsi-meet.prosody.allowners_muc` | Add the allowners module: any user in the chat is able to kick others. |
| `networking.firewall.allowedUDPPortRanges` | Ranges of open UDP ports. |
| `services.nextcloud-spreed-signaling.settings.stats.allowed_ips` | List of IP addresses that are allowed to access the debug, stats and metrics endpoints. |
| `networking.firewall.allowedTCPPortRanges` | Ranges of TCP ports on which incoming connections are accepted. |
| `services.nifi.proxyPort` | Allow requests from a specific port. |
| `services.nifi.proxyHost` | Allow requests from a specific host. |
| `services.taskserver.allowedClientIDs` | A list of regular expressions that are matched against the reported client ID (such as `task 2.3.0`). |
| `programs.nix-required-mounts.allowedPatterns` | The hook config, describing which paths to mount for which system features. |
| `services.neo4j.readOnly` | Only allow read operations on this Neo4j instance. |
| `services.matrix-continuwuity.settings.global.allow_announcements_check` | If enabled, continuwuity periodically sends a simple GET request to https://continuwuity.org/.well-known/continuwuity/announcements to check for new announcements. |
| `services.factorio.allowedPlayers` | If non-empty, only these player names are allowed to connect. |
| `services.bacula-sd.director.<name>.tls.allowedCN` | Common name attribute of allowed peer certificates. |
| `services.bacula-fd.director.<name>.tls.allowedCN` | Common name attribute of allowed peer certificates. |
| `services.doh-server.settings.ecs_allow_non_global_ip` | Whether non-global IP addresses may be forwarded to upstream servers in ECS (EDNS Client Subnet); by default they are never forwarded. |
| `services.grafana.settings.users.allow_org_create` | Set to false to prohibit users from creating new organizations. |
| `services.homepage-dashboard.allowedHosts` | Hosts that homepage-dashboard will be running under. |
| `containers.<name>.allowedDevices.*.modifier` | Device node access modifier. |
| `services.headscale.settings.oidc.allowed_users` | Users allowed to authenticate even if their domain is not in `allowed_domains`. |
| `services.crab-hole.settings.blocklist.allow_list` | List of allowlists. |
| `services.grafana.settings.users.allow_sign_up` | Set to false to prohibit users from signing up / creating user accounts. |
| `power.ups.users.<name>.actions` | Allow the user to do certain things with upsd. |
| `services.pihole-ftl.lists` | Deny (or allow) domain lists to use. |
| `programs.nix-required-mounts.allowedPatterns.<name>.paths` | A list of glob patterns indicating which paths to expose to the sandbox. |
| `services.nixseparatedebuginfod.allowOldNix` | Do not fail evaluation when `services.nixseparatedebuginfod.nixPackage` is older than nix 2.18. |
| `services.ttyd.checkOrigin` | Whether to check the Origin header and reject WebSocket connections from a different origin. |
| `services.headscale.settings.oidc.allowed_domains` | Allowed principal domains. If an authenticated user's domain is not in this list, the authentication request is rejected. |
| `services.matrix-conduit.settings.global.allow_federation` | Whether this server federates with other servers. |
| `services.matrix-tuwunel.settings.global.allow_federation` | Whether this server federates with other servers. |
| `services.matrix-conduit.settings.global.allow_registration` | Whether new users can register on this server. |
| `services.mollysocket.settings.allowed_endpoints` | List of UnifiedPush servers. |
| `services.taskserver.disallowedClientIDs` | A list of regular expressions that are matched against the reported client ID (such as `task 2.3.0`). |
| `services.matrix-tuwunel.settings.global.allow_encryption` | Whether new encrypted rooms can be created. |
| `services.matrix-conduit.settings.global.allow_encryption` | Whether new encrypted rooms can be created. |
| `services.veilid.settings.core.protected_store.allow_insecure_fallback` | If system-provided secure storage cannot be used, whether to proceed anyway. |
| `services.foundationdb.tls.allowedPeers` | Peer verification string. |
| `services.mollysocket.settings.allowed_uuids` | UUIDs of Signal accounts that may use this server. |
| `programs.fuse.userAllowOther` | Allow non-root users to specify the `allow_other` or `allow_root` mount options; see mount.fuse3(8). |
| `programs.nix-required-mounts.allowedPatterns.<name>.onFeatures` | Which `requiredSystemFeatures` should trigger relaxation of the sandbox. |
| `services.hostapd.radios.<name>.networks.<name>.macAllow` | Specifies the MAC addresses to allow if `macAcl` is set to "allow" or "radius". |
| `services.matrix-tuwunel.settings.global.allow_registration` | Whether new users can register on this server. |
| `hardware.brillo.enable` | Whether to enable brillo in userspace. |
| `services.cloud-init.xfs.enable` | Allow the cloud-init service to operate on the xfs filesystem. |
| `networking.firewall.interfaces.<name>.allowedUDPPorts` | List of open UDP ports. |
| `services._3proxy.services.*.auth` | Authentication type. |
| `networking.firewall.interfaces.<name>.allowedTCPPorts` | List of TCP ports on which incoming connections are accepted. |
| `services.deluge.openFilesLimit` | Number of files deluged is allowed to open. |
| `services.cloud-init.ext4.enable` | Allow the cloud-init service to operate on the ext4 filesystem. |
| `networking.wg-quick.interfaces.<name>.peers.*.allowedIPs` | List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. |
| `services.peertube.dataDirs` | Allow access to custom data locations. |
| `services.tt-rss.auth.autoCreate` | Allow authentication modules to auto-create users in the tt-rss internal database when they authenticate successfully. |
| `services.xserver.enableTCP` | Whether to allow the X server to accept TCP connections. |
| `virtualisation.libvirtd.allowedBridges` | List of bridge devices that can be used by `qemu:///session`. |
| `networking.firewall.interfaces.<name>.allowedUDPPortRanges` | Ranges of open UDP ports. |
| `services.knot.enableXDP` | Extends the systemd unit with the permissions needed to use the eXpress Data Path (XDP). Make sure to read up on the functional limitations when running in XDP mode. |
| `services.ttyd.writeable` | Allow clients to write to the TTY. |
| `services.prometheus.scrapeConfigs.*.consul_sd_configs.*.allow_stale` | Allow stale Consul results (see https://www.consul.io/api/index.html#consistency-modes). |
| `networking.firewall.interfaces.<name>.allowedTCPPortRanges` | Ranges of TCP ports on which incoming connections are accepted. |
| `services.cloud-init.btrfs.enable` | Allow the cloud-init service to operate on the btrfs filesystem. |
| `services.saned.enable` | Enable the saned network daemon for remote connections to scanners. saned runs as the scanner user; to allow access to hardware that is not owned by the scanner group, add the needed groups to this user. |
| `services.pulseaudio.tcp.anonymousClients.allowedIpRanges` | A list of IP subnets that are allowed to stream to the server. |
| `security.sudo.execWheelOnly` | Only allow members of the wheel group to execute sudo, by setting the executable's permissions accordingly. |
| `services.chisel-server.socks5` | Allow clients access to the internal SOCKS5 proxy. |
| `networking.wireguard.interfaces.<name>.allowedIPsAsRoutes` | Determines whether to add allowed IPs as routes or not. |
| `services.ethercalc.host` | Address to listen on (use 0.0.0.0 to allow access from any address). |
| `services.diod.authRequired` | Whether clients must present a valid MUNGE credential to connect; when false, clients may connect without authentication. |
| `security.sudo-rs.execWheelOnly` | Only allow members of the wheel group to execute sudo, by setting the executable's permissions accordingly. |
| `services.avahi.publish.enable` | Whether to allow publishing in general. |
| `services.matrix-continuwuity.settings.global.allow_federation` | Whether this server federates with other servers. |
| `services.kanidm.unixSettings.pam_allowed_login_groups` | Kanidm groups that are allowed to log in using PAM. |
| `services.stash.settings.dangerous_allow_public_without_auth` | Allow public access without authentication (dangerous). Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/ |
| `services.prosody.modules.mam` | Store messages in an archive and allow users to access it. |
| `services.matrix-continuwuity.settings.global.allow_encryption` | Whether new encrypted rooms can be created. |
| `services.matrix-continuwuity.settings.global.allow_registration` | Whether new users can register on this server. |
| `services.chisel-server.reverse` | Allow clients reverse port forwarding. |
| `services.gnome.rygel.enable` | Whether to enable the Rygel UPnP media server. |
| `services.hostapd.radios.<name>.networks.<name>.macAllowFile` | Specifies a file containing the MAC addresses to allow if `macAcl` is set to "allow" or "radius". |
| `services.kanidm.unix.settings.kanidm.pam_allowed_login_groups` | Kanidm groups that are allowed to log in using PAM. |
| `services.mediagoblin.settings.mediagoblin.allow_registration` | Whether to enable user self-registration. |
| `services.sabnzbd.settings.servers.<name>.ssl_verify` | Level of TLS verification. |
| `networking.wireguard.interfaces.<name>.peers.*.allowedIPs` | List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. |
| `services.prosody.modules.vcard` | Allow users to set vCards. |
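The options above are listed in isolation; the following NixOS module shows how several of the security-relevant ones fit together in one configuration, with the value shapes the option types expect (port ranges as `{ from; to; }` attribute sets, device grants as `{ node; modifier; }`, WireGuard `allowedIPs` as CIDR strings). This is an added example, not code from the NixOS documentation or from any of the projects listed; the interface name `wg0`, the container name `vpn`, the addresses, the key path `/run/keys/wg0.key` and the peer public key are placeholders chosen for the example.

```nix
# Added example (not part of the options listing): one NixOS module that
# sets several of the "allow" options above together. Addresses, interface
# and container names, the key path and the peer public key are placeholders.
{ config, pkgs, ... }:

{
  # Host firewall: single ports, a port range, and an interface-scoped list
  # that only opens the port for traffic arriving on the WireGuard tunnel.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 443 ];
    allowedUDPPorts = [ 51820 ];                        # WireGuard listen port
    allowedTCPPortRanges = [ { from = 8000; to = 8010; } ];
    interfaces."wg0".allowedTCPPorts = [ 9100 ];        # reachable only from tunnel peers
  };

  # WireGuard: a peer's allowedIPs is both the ingress filter (source
  # addresses accepted from that peer) and the egress selector (destinations
  # routed to it). allowedIPsAsRoutes installs those prefixes as kernel routes.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.1/24" ];
    listenPort = 51820;
    privateKeyFile = "/run/keys/wg0.key";               # placeholder path
    allowedIPsAsRoutes = true;
    peers = [
      {
        publicKey = "<peer-public-key>";                # placeholder, replace
        allowedIPs = [ "10.100.0.2/32" ];               # a single host, not 0.0.0.0/0
      }
    ];
  };

  # Container device access: grant read/write/mknod on one node only;
  # any device not listed here stays invisible to the container.
  containers.vpn = {
    autoStart = true;
    allowedDevices = [ { node = "/dev/net/tun"; modifier = "rwm"; } ];
    config = { ... }: { };
  };

  # Local hardening from the same option list.
  security.sudo.execWheelOnly = true;                   # only wheel may even execute sudo
  programs.fuse.userAllowOther = false;                 # no allow_other for unprivileged mounts
  services.xserver.enableTCP = false;                   # X server does not listen on TCP

  # Grafana: the settings attribute set mirrors grafana.ini sections.
  services.grafana = {
    enable = true;
    settings = {
      security.allow_embedding = false;                 # emits X-Frame-Options: deny
      users.allow_sign_up = false;
      users.allow_org_create = false;
    };
  };
}
```

Note that `allowedTCPPortRanges` and `allowedUDPPortRanges` take attribute sets with `from` and `to`, not strings like `"8000-8010"`, and that the per-interface `networking.firewall.interfaces.<name>.*` lists are additive to the global ones rather than replacing them.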