| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file
|
| programs.nano.enable | Whether to enable nano, a small user-friendly console text editor.
|
| services.filebeat.modules | Filebeat modules provide a quick way to get started processing common log formats
|
| services.wastebin.settings.WASTEBIN_MAX_BODY_SIZE | Number of bytes to accept for POST requests
|
| services.syncthing.overrideFolders | Whether to delete the folders which are not configured via the folders option
|
| services.snapper.configs.<name>.TIMELINE_LIMIT_QUARTERLY | Limits for timeline cleanup.
|
| services.anubis.instances.<name>.settings.SERVE_ROBOTS_TXT | Whether to serve a default robots.txt that denies access to common AI bots by name and all other bots by wildcard.
|
| services.nncp.daemon.socketActivation.listenStreams | TCP sockets to bind to
|
| security.loginDefs.settings.SYS_UID_MAX | Range of user IDs used for the creation of system users by useradd or newusers.
|
| security.loginDefs.settings.SYS_UID_MIN | Range of user IDs used for the creation of system users by useradd or newusers.
|
| services.pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| security.loginDefs.settings.SYS_GID_MAX | Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers
|
| security.loginDefs.settings.SYS_GID_MIN | Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers
|
| programs.xonsh.config | Extra text added to the end of /etc/xonsh/xonshrc, the system-wide control file for xonsh.
|
| services.limesurvey.nginx.virtualHost.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.pocket-id.settings.PUBLIC_APP_URL | The URL where you will access the app.
|
| services.monado.defaultRuntime | Whether to enable Monado as the default OpenXR runtime on the system
|
| services.libeufin.nexus.settings.nexus-ebics.BANK_PUBLIC_KEYS_FILE | Filesystem location where Nexus should store the bank public keys.
|
| services.hatsu.settings.HATSU_LISTEN_HOST | Host where hatsu should listen for incoming requests.
|
| services.hatsu.settings.HATSU_LISTEN_PORT | Port where hatsu should listen for incoming requests.
|
| virtualisation.rosetta.mountTag | The VirtioFS mount tag for the Rosetta runtime, exposed by the host's virtualisation software
|
| programs.ssh.extraConfig | Extra configuration text prepended to ssh_config
|
| services.wivrn.defaultRuntime | Whether to enable WiVRn as the default OpenXR runtime on the system
|
| services.anubis.instances.<name>.settings.METRICS_BIND_NETWORK | The network family that the metrics server should bind to
|
| services.misskey.reverseProxy.webserver.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.traefik.dynamic.dir | Path to the directory Traefik should watch for configuration files.
Files in this directory matching the glob _nixos-* (reserved for Nix-managed dynamic configurations) will be deleted as part of systemd-tmpfiles-resetup.service, regardless of their origin.
|
| services.bluesky-pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| programs.tsmClient.dsmSysText | This configuration key contains the effective text of the client system-options file "dsm.sys"
|
| services.pds.settings.PDS_DATA_DIRECTORY | Directory to store state
|
| services.hatsu.settings.HATSU_DATABASE_URL | Database URL.
|
| services.lasuite-meet.settings.DJANGO_DATA_DIR | Path to the data directory
|
| services.snapper.configs.<name>.ALLOW_USERS | List of users allowed to operate with the config. "root" is always implicitly included
|
| services.libeufin.nexus.settings.nexus-ebics.CLIENT_PRIVATE_KEYS_FILE | Filesystem location where Nexus should store the subscriber private keys.
|
| services.snapper.configs.<name>.ALLOW_GROUPS | List of groups allowed to operate with the config
|
| services.postsrsd.settings.chroot-dir | Path to chroot into at runtime as an additional layer of protection.
We confine the runtime environment through systemd hardening instead, so this option is read-only.
|
| services.snips-sh.settings.SNIPS_SSH_INTERNAL | The internal SSH address of the service
|
| services.lasuite-meet.settings.LIVEKIT_API_URL | URL to the livekit server
|
| services.borgbackup.jobs.<name>.extraInitArgs | Additional arguments for borg init
|
| services.matrix-synapse.log | Default configuration for the loggers used by matrix-synapse and its workers
|
| services.gitea.settings.server.STATIC_ROOT_PATH | Upper level of template and static files path.
|
| services.snips-sh.settings.SNIPS_HTTP_INTERNAL | The internal HTTP address of the service
|
| services.borgbackup.jobs.<name>.extraPruneArgs | Additional arguments for borg prune
|
| services.umami.settings.TRACKER_SCRIPT_NAME | Allows you to assign a custom name to the tracker script different from the default script.js.
|
| services.lasuite-meet.settings.CELERY_BROKER_URL | URL of the redis backend for celery
|
| services.lasuite-docs.settings.CELERY_BROKER_URL | URL of the redis backend for celery
|
| services.firefly-iii.settings.APP_KEY_FILE | The path to your appkey
|
| services.corteza.settings.HTTP_WEBAPP_ENABLED | Whether to enable webapps.
|
| services.borgbackup.jobs.<name>.extraCreateArgs | Additional arguments for borg create
|
| services.hatsu.settings.HATSU_PRIMARY_ACCOUNT | The primary account of your instance (e.g. 'example.com').
|
| services.firezone.server.settingsSecret.LIVE_VIEW_SIGNING_SALT | A file containing a unique base64 encoded secret for the LIVE_VIEW_SIGNING_SALT
|
| services.snapper.configs.<name>.TIMELINE_CREATE | Defines whether hourly snapshots should be created.
|
| services.forgejo.settings.server.STATIC_ROOT_PATH | Upper level of template and static files path.
|
| services.galene.keyFile | Path to the server's private key
|
| services.gokapi.environment.GOKAPI_DATA_DIR | Sets the directory for the data.
|
| services.umami.settings.COLLECT_API_ENDPOINT | Allows you to send metrics to a location different than the default /api/send.
|
| services.borgbackup.jobs.<name>.extraCompactArgs | Additional arguments for borg compact
|
| services.bluesky-pds.settings.PDS_DATA_DIRECTORY | Directory to store state
|
| services.wstunnel.clients.<name>.httpProxy | Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option to a file containing PROXY_PASSWORD=<your-password-here> and set this option to <user>:$PROXY_PASSWORD@<host>:<port>
|
| services.galene.certFile | Path to the server's certificate
|
| power.ups.users.<name>.passwordFile | The full path to a file that contains the user's (clear text) password
|
| services.airsonic.contextPath | The context path, i.e., the last part of the Airsonic URL
|
| services.subsonic.contextPath | The context path, i.e., the last part of the Subsonic URL
|
| services.node-red.withNpmAndGcc | Give Node-RED access to NPM and GCC at runtime, so 'Nodes' can be downloaded and managed imperatively via the 'Palette Manager'.
|
| services.traefik.dynamic.files | Dynamic configuration files to write
|
| services.taler.settings.taler.CURRENCY_ROUND_UNIT | Smallest amount in this currency that can be transferred using the underlying RTGS
|
| services.umami.settings.DATABASE_URL_FILE | A file containing a connection string for the database
|
| services.bookstack.settings.APP_KEY_FILE | The path to your appkey
|
| services.libeufin.nexus.settings.nexus-ebics.HOST_BASE_URL | URL of the EBICS server.
|
| services.n8n.environment.N8N_USER_FOLDER | Provide the path where n8n will create the .n8n folder
|
| services.scx.extraArgs | Parameters passed to the chosen scheduler at runtime.
Run chosen-scx-scheduler --help to see the available options
|
| services.snapper.configs.<name>.TIMELINE_CLEANUP | Defines whether the timeline cleanup algorithm should be run for the config.
|
| services.lasuite-meet.settings.DJANGO_ALLOWED_HOSTS | Comma-separated list of hosts that are able to connect to the server
|
| services.lasuite-docs.settings.DJANGO_ALLOWED_HOSTS | Comma-separated list of hosts that are able to connect to the server
|
| systemd.services.<name>.confinement.enable | If set, all the required runtime store paths for this service are bind-mounted into a tmpfs-based chroot(2).
|
| services.bookstack.settings.DB_PASSWORD_FILE | The file containing your mysql/mariadb database password.
|
| services.ferretdb.settings.FERRETDB_SQLITE_URL | SQLite URI (directory) for 'sqlite' handler
|
| services.canaille.settings.CANAILLE_LDAP.BIND_PW | The LDAP bind password
|
| services.umami.settings.APP_SECRET_FILE | A file containing a secure random string
|
| services.borgbackup.jobs.<name>.archiveBaseName | How to name the created archives
|
| services.gokapi.environment.GOKAPI_CONFIG_DIR | Sets the directory for the config file.
|
| services.wastebin.settings.WASTEBIN_BASE_URL | Base URL for the QR code display
|
| boot.kernel.sysctl | Runtime parameters of the Linux kernel, as set by sysctl(8)
|
| services.authelia.instances.<name>.secrets | It is recommended you keep your secrets separate from the configuration
|
| services.gokapi.environment.GOKAPI_CONFIG_FILE | Sets the filename for the config file.
|
| services.wastebin.settings.WASTEBIN_CACHE_SIZE | Number of rendered syntax highlight items to cache
|
| services.wastebin.settings.WASTEBIN_ADDRESS_PORT | Address and port to bind to
|
| services.canaille.settings.PREFERRED_URL_SCHEME | The URL scheme by which canaille will be served.
|
| services.gitea-actions-runner.instances.<name>.labels | Labels used to map jobs to their runtime environment
|
| services.linyaps.enable | Whether to enable linyaps, a cross-distribution package manager with sandboxed apps and shared runtime.
|
| services.n8n.environment.N8N_VERSION_NOTIFICATIONS_ENABLED | When enabled, n8n sends notifications of new versions and security updates.
|
| services.wastebin.settings.WASTEBIN_HTTP_TIMEOUT | Maximum number of seconds a request can be processed until wastebin responds with 408
|
| boot.loader.grub.users.<name>.password | Specifies the clear text password for the account
|
| services.pds.settings.PDS_PORT | Port to listen on
|
| services.znapzend.zetup.<name>.timestampFormat | The timestamp format to use for constructing snapshot names
|
| services.murmur.welcometext | Welcome message for connected clients.
|
| services.anubis.instances.<name>.settings.POLICY_FNAME | The policy file to use
|
| services.anubis.defaultOptions.settings.SERVE_ROBOTS_TXT | Whether to serve a default robots.txt that denies access to common AI bots by name and all other bots by wildcard.
|
| services.github-runners.<name>.ephemeral | If enabled, causes the following behavior:
- Passes the --ephemeral flag to the runner configuration script
- De-registers and stops the runner with GitHub after it has processed one job
- On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
- Restarts the service after its successful exit
- On start, wipes the state directory and configures a new runner
You should only enable this option if tokenFile points to a file which contains a personal access token (PAT)
|
| services.healthchecks.settings.SECRET_KEY_FILE | Path to a file containing the secret key.
|
| services.wastebin.settings.WASTEBIN_DATABASE_PATH | Path to the sqlite3 database file
|