| security.run0.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via run0.
|
| security.sudo.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| boot.loader.grub.extraInstallCommands | Additional shell commands inserted in the bootloader installer
script after generating menu entries.
|
| security.doas.wheelNeedsPassword | Whether users of the wheel group must provide a password to
run commands as super user via doas.
|
| security.sudo-rs.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| boot.initrd.luks.devices.<name>.postOpenCommands | Commands that should be run right after we have mounted our LUKS device.
|
| boot.zfs.extraPools | Name or GUID of extra ZFS pools that you wish to import during boot
|
| services.monero.rpc.restricted | Whether to restrict RPC to view only commands.
|
| powerManagement.powertop.preStart | Shell commands executed before powertop is started.
|
| programs.neovim.configure | Generate your init file from your list of plugins and custom commands
|
| nixpkgs.flake.setNixPath | Whether to set NIX_PATH to include nixpkgs=flake:nixpkgs such that <nixpkgs>
lookups receive the version of nixpkgs that the system was built with, in concert with
nixpkgs.flake.setFlakeRegistry
|
| boot.iscsi-initiator.extraIscsiCommands | Extra iscsi commands to run in the initrd.
|
| powerManagement.resumeCommands | Commands executed after the system resumes from suspend-to-RAM.
|
| networking.nat.extraCommands | Additional shell commands executed as part of the nat
initialisation script
|
| services.borgbackup.jobs.<name>.postInit | Shell commands to run after borg init.
|
| powerManagement.powerUpCommands | Commands executed when the machine powers up
|
| programs.sway.extraSessionCommands | Shell commands executed just before Sway is started
|
| networking.localCommands | Shell commands to be executed at the end of the
network-setup systemd service
|
| programs.sway.wrapperFeatures.base | Whether to enable the base wrapper to execute extra session commands and prepend a
dbus-run-session to the sway command.
|
| services.borgbackup.jobs.<name>.preHook | Shell commands to run before the backup
|
| powerManagement.powerDownCommands | Commands executed when the machine powers down
|
| security.please.wheelNeedsPassword | Whether users of the wheel group must provide a password to run
commands or edit files with please and
pleaseedit respectively.
|
| programs.bash.undistractMe.enable | Whether to enable notifications when long-running terminal commands complete.
|
| programs.less.clearDefaultCommands | Clear all default commands
|
| services.biboumi.settings.admin | The bare JID of the gateway administrator
|
| services.borgbackup.jobs.<name>.postPrune | Shell commands to run after borg prune.
|
| programs.bash.undistractMe.playSound | Whether to enable notification sounds when long-running terminal commands complete.
|
| boot.initrd.luks.devices.<name>.preOpenCommands | Commands that should be run right before we try to mount our LUKS device
|
| networking.nat.extraStopCommands | Additional shell commands executed as part of the nat
teardown script
|
| security.pam.services.<name>.setLoginUid | Set the login uid of the process
(/proc/self/loginuid) for auditing
purposes
|
| services.cyrus-imap.cyrusSettings.START | This section lists the processes to run before any SERVICES are spawned
|
| services.softether.vpnclient.up | Shell commands executed when the Virtual Network Adapter(s) is/are starting.
|
| users.mutableUsers | If set to true, you are free to add new users and groups to the system
with the ordinary useradd and
groupadd commands
|
| services.distccd.allowedClients | Client IPs which are allowed to connect to distccd in CIDR notation
|
| services.envfs.extraFallbackPathCommands | Extra commands to run in the package that contains fallback executables in case not other executable is found
|
| services.borgbackup.jobs.<name>.postHook | Shell commands to run just before exit
|
| networking.hostId | The 32-bit host ID of the machine, formatted as 8 hexadecimal characters
|
| services.softether.vpnclient.down | Shell commands executed when the Virtual Network Adapter(s) is/are shutting down.
|
| services.borgbackup.jobs.<name>.postCreate | Shell commands to run after borg create
|
| services.xscreensaver.hooks | An attrset of events and commands to run upon each event
|
| networking.wg-quick.interfaces.<name>.preUp | Commands called at the start of the interface setup.
|
| systemd.services.<name>.stopIfChanged | If set, a changed unit is restarted by calling
systemctl stop in the old configuration,
then systemctl start in the new one
|
| networking.wg-quick.interfaces.<name>.postUp | Commands called after the interface setup.
|
| services.firezone.gateway.enable | Whether to enable the firezone gateway
|
| systemd.user.services.<name>.stopIfChanged | If set, a changed unit is restarted by calling
systemctl stop in the old configuration,
then systemctl start in the new one
|
| networking.nftables.extraDeletions | Extra deletion commands to be run on every firewall start, reload
and after stopping the firewall.
|
| boot.loader.systemd-boot.extraInstallCommands | Additional shell commands inserted in the bootloader installer
script after generating menu entries
|
| programs.steam.protontricks.enable | Whether to enable protontricks, a simple wrapper for running Winetricks commands for Proton-enabled games.
|
| services.networkd-dispatcher.rules.<name>.script | Shell commands executed on specified operational states.
|
| services.prosody.modules.admin_adhoc | Allows administration via an XMPP client that supports ad-hoc commands
|
| nixpkgs.flake.setFlakeRegistry | Whether to pin nixpkgs in the system-wide flake registry (/etc/nix/registry.json) to the
store path of the sources of nixpkgs used to build the NixOS system
|
| networking.firewall.extraCommands | Additional shell commands executed as part of the firewall
initialisation script
|
| networking.firewall.extraStopCommands | Additional shell commands executed as part of the firewall
shutdown script
|
| services.openssh.authorizedKeysCommandUser | Specifies the user under whose account the AuthorizedKeysCommand
is run
|
| nix.settings.trusted-substituters | List of binary cache URLs that non-root users can use (in
addition to those specified using
nix.settings.substituters) by passing
--option binary-caches to Nix commands.
|
| services.kmonad.keyboards.<name>.defcfg.allowCommands | Whether to enable keys to run shell commands.
|
| services.dsnet.settings | The settings to use for dsnet
|
| services.reaction.stopForFirewall | Whether to stop reaction when reloading the firewall
|
| services.xserver.displayManager.setupCommands | Shell commands executed just after the X server has started
|
| systemd.services.<name>.confinement.binSh | The program to make available as /bin/sh inside
the chroot
|
| services.taskserver.confirmation | Determines whether certain commands are confirmed.
|
| services.xserver.windowManager.i3.extraSessionCommands | Shell commands executed just before i3 is started.
|
| services.xserver.displayManager.startx.extraCommands | Shell commands to be added to the system-wide xinitrc script.
|
| services.kmonad.keyboards.<name>.enableHardening | Whether to enable systemd hardening.
If KMonad is used to execute shell commands, hardening may make some of them fail.
|
| services.xserver.windowManager.dwm.extraSessionCommands | Shell commands executed just before dwm is started.
|
| networking.wireguard.interfaces.<name>.preSetup | Commands called at the start of the interface setup.
|
| powerManagement.powertop.postStart | Shell commands executed after powertop is started
|
| networking.wireguard.interfaces.<name>.postSetup | Commands called at the end of the interface setup.
|
| services.suricata.settings.unix-command | Unix command socket that can be used to pass commands to Suricata
|
| virtualisation.podman.extraRuntimes | Extra runtime packages to be installed in the Podman wrapper
|
| programs.starship.transientPrompt.enable | Whether to enable Starship's transient prompt
feature in fish shells
|
| networking.wireguard.interfaces.<name>.preShutdown | Commands called before shutting down the interface.
|
| networking.wireguard.interfaces.<name>.postShutdown | Commands called after shutting down the interface.
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| services.rutorrent.nginx.exposeInsecureRPC2mount | If you do not enable one of the rpc or httprpc plugins you need to expose an RPC mount through scgi using this option
|
| services.prometheus.exporters.wireguard.prependSudo | Whether or no to prepend sudo to wg commands.
|
| services.xserver.windowManager.wmderland.extraSessionCommands | Shell commands executed just before wmderland is started.
|
| users.users.<name>.password | Specifies the (clear text) password for the user
|
| users.extraUsers.<name>.password | Specifies the (clear text) password for the user
|
| users.users.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's
password
|
| users.extraUsers.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's
password
|
| users.users.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| users.extraUsers.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| users.users.<name>.hashedPassword | Specifies the hashed password for the user
|
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user
|
| services.biboumi.settings.realname_customization | Whether the users will be able to use
the ad-hoc commands that lets them configure
their realname and username.
|
| users.users.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|
| users.extraUsers.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|