| services.postfix.headerChecks.*.action | The action to be executed when the pattern is matched
|
| security.duosec.groups | If specified, Duo authentication is required only for users
whose primary group or supplementary group list matches one
of the space-separated pattern lists
|
| xdg.terminal-exec.settings | Configuration options for the Default Terminal Execution Specification
|
| services.fail2ban.ignoreIP | "ignoreIP" can be a list of IP addresses, CIDR masks or DNS hosts
|
| services.redsocks.redsocks.*.doNotRedirect | Iptables filters that, if matched, will get the packet off of redsocks.
|
| services.taskserver.allowedClientIDs | A list of regular expressions that are matched against the reported
client id (such as task 2.3.0)
|
| services.firefly-iii.settings.APP_URL | The APP_URL used by firefly-iii internally
|
| services.prometheus.exporters.rtl_433.ids | List of ID matchers to export.
|
| services.waagent.settings.OS.EnableRDMA | If enabled, the agent attempts to install and then load an RDMA kernel driver
that matches the version of the firmware on the underlying hardware.
|
| services.rkvm.client.settings.password | Shared secret token to authenticate the client
|
| services.rkvm.server.settings.password | Shared secret token to authenticate the client
|
| security.tpm2.fapi.ekFingerprint | The fingerprint of the endorsement key
|
| services.taskserver.disallowedClientIDs | A list of regular expressions that are matched against the reported
client id (such as task 2.3.0)
|
| system.replaceDependencies.cutoffPackages | Packages to which no replacements should be applied
|
| services.angrr.settings.temporary-root-policies.<name>.period | Retention period for the GC roots matched by this policy.
|
| services.angrr.settings.temporary-root-policies.<name>.filter | External filter program to further filter GC roots matched by this policy.
|
| services.prometheus.exporters.rtl_433.channels | List of channel matchers to export.
|
| networking.dhcpcd.denyInterfaces | Disable the DHCP client for any interface whose name matches
any of the shell glob patterns in this list
|
| services.cloudflared.tunnels.<name>.default | Catch-all service if no ingress matches
|
| fonts.fontconfig.defaultFonts.emoji | System-wide default emoji font(s)
|
| networking.wireless.networks.<name>.priority | By default, all networks will get same priority group (0)
|
| security.acme.certs.<name>.csrKey | Path to the private key for the matching certificate signing request.
|
| services.tinc.networks.<name>.hostSettings.<name>.subnets | The subnets which this tinc daemon will serve
|
| services.yggdrasil.denyDhcpcdInterfaces | Disable the DHCP client for any interface whose name matches
any of the shell glob patterns in this list
|
| services.redsocks.redsocks.*.redirectCondition | Conditions to make outbound packets go through this redsocks
instance
|
| services.ebusd.logs.bus | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| hardware.deviceTree.filter | Only include .dtb files matching glob expression.
|
| services.ebusd.logs.all | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| services.ebusd.logs.main | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| services.grafana.settings.users.default_theme | Sets the default UI theme. system matches the user's system theme.
|
| programs.dsearch.enable | Whether to enable dsearch, a fast filesystem search service with fuzzy matching.
|
| services.ebusd.logs.other | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| services.below.cgroupFilterOut | A regexp matching the full paths of cgroups whose data shouldn't be collected
|
| services.factorio.public | Game will be published on the official Factorio matching server.
|
| services.ebusd.logs.device | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| services.ebusd.logs.update | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| services.prometheus.scrapeConfigs.*.relabel_configs.*.regex | Regular expression against which the extracted value is matched
|
| services.ebusd.logs.network | Only write log for matching AREAs (all|main|network|bus|device|update|other) below or equal to LEVEL (none|error|notice|info|debug)
|
| networking.wg-quick.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| services.oauth2-proxy.skipAuthRegexes | Skip authentication for requests matching any of these regular
expressions.
|
| hardware.deviceTree.overlays.*.dtsText | Literal DTS contents, overlay is applied to
each .dtb file matching "compatible" of the overlay.
|
| hardware.deviceTree.overlays.*.dtsFile | Path to .dts overlay file, overlay is applied to
each .dtb file matching "compatible" of the overlay.
|
| hardware.deviceTree.overlays.*.filter | Only apply to .dtb files matching glob expression.
|
| networking.wireguard.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| services.postfix.headerChecks.*.pattern | A regexp pattern matching the header
|
| services.traefik.dynamic.dir | Path to the directory Traefik should watch for configuration files.
Files in this directory matching the glob _nixos-* (reserved for Nix-managed dynamic configurations) will be deleted as part of
systemd-tmpfiles-resetup.service, regardless of their origin.
|
| services.prometheus.scrapeConfigs.*.relabel_configs.*.source_labels | The source labels select values from existing labels
|
| services.cross-seed.settings.dataDirs | Paths to be searched for matching data
|
| hardware.block.defaultScheduler | Default block I/O scheduler
|
| services.fwupd.extraTrustedKeys | Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files
|
| power.ups.mode | The MODE determines which part of the NUT is to be started, and
which configuration files must be modified
|
| services.kubernetes.kubelet.tlsKeyFile | File containing x509 private key matching tlsCertFile.
|
| services.tarsnap.archives.<name>.excludes | Exclude files and directories matching these patterns.
|
| services.prometheus.remoteWrite.*.write_relabel_configs.*.regex | Regular expression against which the extracted value is matched
|
| services.prometheus.scrapeConfigs.*.relabel_configs.*.replacement | Replacement value against which a regex replace is performed if the
regular expression matches
|
| services.borgbackup.jobs.<name>.prune.keep | Prune a repository by deleting all archives not matching any of the
specified retention options
|
| boot.binfmt.registrations.<name>.mask | A mask to be ANDed with the byte sequence of the file before matching
|
| security.pam.services.<name>.ttyAudit.enablePattern | For each user matching one of comma-separated
glob patterns, enable TTY auditing
|
| services.tarsnap.archives.<name>.includes | Include only files and directories matching these
patterns (the empty list includes everything)
|
| programs.command-not-found.enable | Whether interactive shells should show which Nix package (if
any) provides a missing command
|
| boot.kernel.sysfs | sysfs attributes to be set as soon as they become available
|
| services.borgbackup.jobs.<name>.exclude | Exclude paths matching any of the given patterns
|
| services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.regex | Regular expression against which the extracted value is matched
|
| security.pam.services.<name>.ttyAudit.disablePattern | For each user matching one of comma-separated
glob patterns, disable TTY auditing
|
| services.ebusd.scanconfig | Pick CSV config files matching initial scan ("none" or empty for no initial scan message, "full" for full scan, or a single hex address to scan, default is to send a broadcast ident message)
|
| services.prometheus.remoteWrite.*.write_relabel_configs.*.source_labels | The source labels select values from existing labels
|
| programs.gnupg.agent.pinentryPackage | Which pinentry package to use
|
| services.public-inbox.inboxes.<name>.watchheader | If specified, public-inbox-watch(1) will only process
mail containing a matching header.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.local_ts | List of local traffic selectors to include in CHILD_SA
|
| services.mpdscribble.passwordFile | File containing the password for the mpd daemon
|
| services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.source_labels | The source labels select values from existing labels
|
| services.dovecot2.imapsieve.mailbox.*.name | This setting configures the name of a mailbox for which administrator scripts are configured
|
| services.prometheus.exporters.node-cert.excludeGlobs | List files matching a pattern to include
|
| services.prometheus.exporters.node-cert.includeGlobs | List files matching a pattern to include
|
| services.prometheus.remoteWrite.*.write_relabel_configs.*.replacement | Replacement value against which a regex replace is performed if the
regular expression matches
|
| hardware.block.defaultSchedulerRotational | Default block I/O scheduler for rotational drives (e.g. hard disks)
|
| security.pam.ussh.authorizedPrincipals | Comma-separated list of authorized principals to permit; if the user
presents a certificate with one of these principals, then they will be
authorized
|
| security.pam.ussh.authorizedPrincipalsFile | Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized
|
| services.xserver.displayManager.lightdm.greeter.package | The LightDM greeter to login via
|
| services.matrix-synapse.settings.url_preview_url_blacklist | Optional list of URL matches that the URL preview spider is
denied from accessing.
|
| services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.replacement | Replacement value against which a regex replace is performed if the
regular expression matches
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth | Authentication to perform locally.
- The default pubkey uses public key authentication using a private key associated to a usable certificate. psk uses pre-shared key authentication.
- The IKEv1 specific xauth is used for XAuth or Hybrid authentication,
- while the IKEv2 specific eap keyword defines EAP authentication.
- For xauth, a specific backend name may be appended, separated by a dash
|
| services.hddfancontrol.settings.<drive-bay-name>.disks | Drive(s) to get temperature from
Can also use command substitution to automatically grab all matching drives; such as all scsi (sas) drives
|
| services.multipath.devices.*.product_blacklist | Products with the given vendor matching this string are blacklisted
|
| services.prometheus.scrapeConfigs.*.relabel_configs.*.action | Action to perform based on regex matching
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords | Sets allowed passwords for WPA3-SAE
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.dpd_action | Action to perform for this CHILD_SA on DPD timeout
|
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPskFile | Sets the password(s) for WPA-PSK
|
| services.prometheus.remoteWrite.*.write_relabel_configs.*.action | Action to perform based on regex matching
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action | Action to perform after loading the configuration.
- The default of none loads the connection only, which then can be manually initiated or used as a responder configuration.
- The value trap installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected.
- The value start initiates the connection actively.
- Since version 5.9.6 two modes above can be combined with trap|start, to immediately initiate a connection for which trap policies have been installed
|
| services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.action | Action to perform based on regex matching
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.selectors | Optional label and field selectors to limit the discovery process to a subset of available resources
|