| Option | Description |
|---|---|
| services.sonarr.dataDir | The Sonarr home directory used to store all data. |
| services.caddy.dataDir | The data directory for Caddy. If left at the default value, this directory is created automatically before the Caddy server starts; otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. |
| services.galene.stateDir | The directory where Galene stores its internal state. |
| services.molly-brown.certPath | Path to the TLS certificate. |
| services.tuned.settings.profile_dirs | Directories to search for profiles, separated by `,` or `;`. |
| services.umami.settings.APP_SECRET_FILE | A file containing a secure random string. |
| services.prosody.dataDir | The Prosody home directory used to store all data. |
| services.owncast.dataDir | The directory where Owncast stores its data files. |
| services.umami.settings.DATABASE_URL_FILE | A file containing a connection string for the database. |
| environment.profileRelativeSessionVariables | Attribute set of environment variables used in the global environment. |
| services.traefik.dataDir | Location for any persistent data Traefik creates, such as the ACME certificate store. If left at the default value, this directory is created automatically before the Traefik server starts; otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. |
| services.mysql.initialScript | A file containing SQL statements to be executed on the first startup. |
| services.hledger-web.stateDir | Path the service has access to. |
| services.namecoind.wallet | Wallet file. |
| security.wrappers | This option effectively allows adding setuid/setgid bits or capabilities to a program, and changing its file ownership and permissions, without modifying the program itself. |
| services.goeland.stateDir | The data directory for goeland, where the database will reside if using the unseen filter. |
| services.hardware.lcd.server.usbGroup | The group to use for setting permissions. |
| services.gitolite.dataDir | The gitolite home directory used to store all repositories. |
| services.redis.servers.<name>.unixSocketPerm | Change permissions for the socket. |
| services.usbguard.ruleFile | This tells the USBGuard daemon which file to load as its policy rule set. |
| services.matrix-synapse.settings.listeners.*.mode | File permissions on the UNIX domain socket. |
| services.psd.enable | Whether to enable the Profile Sync daemon. |
| services.mpd.credentials | Credentials and permissions for accessing the mpd server. |
| services.weblate.smtp.passwordFile | Location of a file containing the SMTP password. |
| services.tlsrpt.collectd.settings.socketmode | Permissions on the UNIX socket. |
| security.apparmor.policies.<name>.path | A path of a profile file to include. |
| services.duplicati.dataDir | The directory where Duplicati stores its data files. If left at the default value, this directory is created automatically before the Duplicati server starts; otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. |
| services.evremap.settings.device_name | The name of the device that should be remapped. |
| services.mediawiki.uploadsDir | This directory is used for uploads of pictures. |
| services.canaille.smtpPasswordFile | File containing the SMTP password. |
| services.trickster.profiler-port | Port that the /debug/pprof endpoint will listen on. |
| services.canaille.secretKeyFile | File containing the Flask secret key. |
| services.borgbackup.repos.<name>.path | Where to store the backups. |
| services.mpd.musicDirectory | The directory or NFS/SMB network share where MPD reads music from. |
| services.tlsrpt.configurePostfix | Whether to configure permissions to allow integration with Postfix. |
| services.weblate.djangoSecretKeyFile | Location of the Django secret key. |
| services.roundcube.database.host | Host of the PostgreSQL server. |
| services.postgresql.dataDir | The data directory for PostgreSQL. |
| services.nominatim.database.apiUser | PostgreSQL database user with read-only permissions, used by the Nominatim web API service. |
| services.jmusicbot.stateDir | The directory where config.txt and serversettings.json are saved. |
| networking.networkmanager.ensureProfiles.profiles.<name>.connection.id | This is the name that will be displayed by NetworkManager and GUIs. |
| services.snapper.configs.<name>.ALLOW_USERS | List of users allowed to operate with the config. "root" is always implicitly included. |
| i18n.inputMethod.fcitx5.settings.inputMethod | The input method configured in the profile file, in INI format. |
| services.nominatim.database.host | Host of the PostgreSQL server. |
| services.snapper.configs.<name>.ALLOW_GROUPS | List of groups allowed to operate with the config. |
| networking.networkmanager.ensureProfiles.profiles.<name>.connection.type | The connection type defines the connection kind, like vpn, wireguard, gsm, wifi and more. |
| services.canaille.jwtPrivateKeyFile | File containing the JWT private key. |
| services.immichframe.settings.Accounts.*.ApiKeyFile | File containing an API key to talk to the Immich server. |
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.profile | Named AWS profile used to connect to the API. |
| services.immichframe.settings.Accounts.*.ApiKey | API key to talk to the Immich server. |
| services.wordpress.sites.<name>.uploadsDir | This directory is used for uploads of pictures. |
| services.reaction.runAsRoot | Whether to run reaction as root. |
| services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions | The read permissions to include for this token. |
| services.neo4j.directories.certificates | Directory for storing certificates to be used by Neo4j for TLS connections. |
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The write permissions to include for this token. |
| services.mpd.playlistDirectory | The directory where MPD stores playlists. |
| services.pdfding.consume.enable | Bulk PDF import from the consume directory. |
| services.neo4j.directories.data | Path of the data directory. |
| services.rtorrent.dataPermissions | Unix permissions, in octal, on the rtorrent directory. |
| services.patroni.postgresqlDataDir | The data directory for PostgreSQL. |
| services.tt-rss.auth.autoLogin | Automatically log in the user on remote or other externally supplied authentication; otherwise redirect to the login form as normal. |
| services.snapper.configs.<name>.SUBVOLUME | Path of the subvolume or mount point. |
| services.healthchecks.dataDir | The directory used to store all data for healthchecks. If left at the default value, this directory is created automatically before the healthchecks server starts; otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. |
| services.transmission.downloadDirPermissions | If not null, used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir and services.transmission.settings.watch-dir. |
| services.mpd.settings.music_directory | The directory or URI where MPD reads music from. |
| services.osquery.flags.logger_path | Base directory used for logging. If left at the default value, this directory is created automatically before the service starts; otherwise you are responsible for ensuring the directory exists with the appropriate ownership and permissions. |
| services.neo4j.ssl.policies.<name>.revokedDir | Path to a directory of CRLs (Certificate Revocation Lists) in PEM format. |
| services.geoipupdate.settings.DatabaseDirectory | The directory to store the database files in. |
| services.varnish.listen.*.address | The listen address. As a network address it can be a host name ("localhost"), an IPv4 dotted quad ("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]"). (VCL 4.1 and higher) If given an absolute path ("/path/to/listen.sock"), or "@" followed by the name of an abstract socket ("@myvarnishd"), connections are accepted on a Unix domain socket instead. |
| services.postfixadmin.database.host | Host of the PostgreSQL server. |
| services.invoiceplane.sites.<name>.stateDir | This directory is used for uploads of attachments and for the cache. |
| services.kmonad.keyboards.<name>.extraGroups | Extra permission groups to attach to the KMonad instance for this keyboard. |
| services.neo4j.ssl.policies.<name>.trustedDir | Path to a directory of X.509 certificates in PEM format for trusted parties. |
| services.hedgedoc.settings.allowGravatar | Whether to enable Libravatar as the profile picture source on your instance. |
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this policy. |
| services.uwsgi.capabilities | Grant capabilities to the uWSGI instance. |
| services.bepasty.servers.<name>.defaultPermissions | Default permissions for all unauthenticated accesses. |
| services.osquery.flags.database_path | Path used for the database file. If left at the default value, this directory is created automatically before the service starts; otherwise you are responsible for ensuring the directory exists with the appropriate ownership and permissions. |
| services.tuned.ppdSettings.main.default | Default PPD profile. |
| services.archisteamfarm.dataDir | The ASF home directory used to store all data. |
| services.libinput.mouse.accelSpeed | Cursor acceleration (how fast speed increases from minSpeed to maxSpeed). |
| services.freshrss.api.enable | Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API). |
| virtualisation.incus.enable | Whether to enable incusd, a daemon that manages containers and virtual machines. |
| services.prometheus.exporters.sabnzbd.servers.*.apiKeyFile | The path to a file containing the API key. |
| services.mpd.settings.playlist_directory | The directory where MPD stores playlists. |
| services.matrix-tuwunel.settings.global.unix_socket_perms | The default permissions (in octal) to create the UNIX socket with. |
| services.outline.slackAuthentication | To configure Slack auth, you'll need to create an Application at https://api.slack.com/apps. When configuring the Client ID, add a redirect URL under "OAuth & Permissions" to https://[publicUrl]/auth/slack.callback. |
| services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".socket_dir | Path to the postgres socket directory. |
| services.mosquitto.listeners.*.users.<name>.passwordFile | Specifies the path to a file containing the clear text password for the MQTT user. |
| virtualisation.xen.store.settings.conflict.rateLimitIsAggregate | If the conflict.rateLimitIsAggregate option is true, then after each tick one point of conflict-credit is given to just one domain: the one at the front of the queue. |
| services.cloudflare-ddns.credentialsFile | Path to a file containing the Cloudflare API authentication token. |
| system.activatable | Whether to add the activation script to the system profile. |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats), and restricts daemon configuration socket access to a dedicated user group (grant access with `users.users."<user>".extraGroups = [ netbird-‹name› ]`). Caveats: even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command (see the docs). |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats), and restricts daemon configuration socket access to a dedicated user group (grant access with `users.users."<user>".extraGroups = [ netbird-‹name› ]`). Caveats: even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command (see the docs). |
| services.traefik.supplementaryGroups | Additional groups under which Traefik runs. |
| containers.<name>.path | As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile. |
| services.libinput.mouse.accelStepScroll | Sets the step between the points of the scroll acceleration function. |
| services.cloudflared.certificateFile | Account certificate file, necessary to create, delete and manage tunnels. |
| services.postgresql.ensureUsers.*.ensureClauses.inherit | Grants the created user the INHERIT permission. |
| services.libinput.mouse.accelStepMotion | Sets the step between the points of the (pointer) motion acceleration function. |
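Several rows above share the same security-relevant patterns: a `dataDir` that the module only creates for you at its default value, `security.wrappers` as a substitute for setuid binaries, socket permissions on `services.redis.servers.<name>.unixSocketPerm`, group-based grants like the netbird hardened mode, and `*File` options for secrets. The following NixOS module is an added example tying those rows together; it is not taken from the NixOS manual or from any of the listed projects. The paths under `/run/secrets`, the `/srv/caddy` directory, the Redis instance name `cache`, the `example-app` user and the `example-ping` wrapper name are illustrative choices, and the secret files are assumed to be deployed to the host out of band.

```nix
# Added example, not part of the NixOS option reference. It exercises several of the
# permission-related options listed in the table; names and paths are illustrative.
{ config, pkgs, ... }:

{
  # services.caddy.dataDir: once moved off the default, the module no longer creates it.
  # Create it ourselves with the service's own user/group and a non-world-readable mode.
  services.caddy = {
    enable = true;
    dataDir = "/srv/caddy";   # assumed location, not the module default
  };
  systemd.tmpfiles.rules = [
    "d /srv/caddy 0750 ${config.services.caddy.user} ${config.services.caddy.group} -"
  ];

  # security.wrappers: give a copy of the binary one file capability instead of the
  # setuid bit. The wrapper is installed under /run/wrappers/bin/; the store path stays
  # untouched. The name example-ping avoids clashing with the default ping wrapper.
  security.wrappers.example-ping = {
    owner = "root";
    group = "root";
    source = "${pkgs.iputils}/bin/ping";
    capabilities = "cap_net_raw+ep";
    setuid = false;
  };

  # services.redis.servers.<name>.unixSocketPerm: reachable only over a Unix socket
  # that the instance's group may open; port = 0 disables the TCP listener entirely.
  services.redis.servers.cache = {
    enable = true;
    port = 0;
    unixSocket = "/run/redis-cache/redis.sock";
    unixSocketPerm = 660;
  };

  # Group-based grant, the same pattern the netbird hardened rows describe: a client
  # service (assumed name example-app) joins the instance's group to reach the socket.
  users.users.example-app = {
    isSystemUser = true;
    group = "example-app";
    extraGroups = [ config.services.redis.servers.cache.group ];
  };
  users.groups.example-app = { };

  # *File options: reference a file that exists only on the target host instead of
  # writing the secret into the world-readable Nix store. The acl line limits the
  # authenticated user to the topics it needs.
  services.mosquitto = {
    enable = true;
    listeners = [
      {
        users.sensor = {
          passwordFile = "/run/secrets/mqtt-sensor-password";  # assumed path
          acl = [ "readwrite sensors/#" ];
        };
      }
    ];
  };
}
```

After `nixos-rebuild switch`, `stat /srv/caddy` should show mode 0750 owned by the Caddy user, `getcap /run/wrappers/bin/example-ping` should report `cap_net_raw=ep` with no setuid bit, and `ss -xl | grep redis-cache` should show the socket while `ss -tl` shows no Redis TCP listener.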