| systemd.user.sockets.<name>.reloadTriggers | An arbitrary list of items such as derivations
|
| systemd.user.sockets.<name>.startLimitIntervalSec | Configure unit start rate limiting
|
| services.epmd.enable | Whether to enable socket activation for Erlang Port Mapper Daemon (epmd),
which acts as a name server on all hosts involved in distributed
Erlang computations.
|
| systemd.user.sockets.<name>.description | Description of this unit used in systemd messages and progress indicators.
|
| services.nginx.virtualHosts.<name>.listen.*.port | Port number to listen on
|
| services.spiped.config.<name>.resolveRefresh | Resolution refresh time for the target socket, in seconds.
|
| services.fedimintd.<name>.nginx.config.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.davis.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.slskd.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.movim.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.snipe-it.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.varnish.listen.*.user | Name of the user that owns the socket file.
|
| services.spiped.config.<name>.waitForDNS | Wait for DNS
|
| services.gancio.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.fluidd.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.akkoma.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.monica.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.matomo.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.spiped.config.<name>.source | Address on which spiped should listen for incoming
connections
|
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| services.wstunnel.servers.<name>.websocketPingInterval | Frequency at which the client will send websocket ping to the server.
|
| services.wstunnel.clients.<name>.websocketPingInterval | Frequency at which the client will send websocket ping to the server.
|
| services.varnish.listen.*.group | Name of the group that owns the socket file.
|
| systemd.sockets.<name>.documentation | A list of URIs referencing documentation for this unit or its configuration.
|
| services.librenms.database.username | Name of the user on the MySQL/MariaDB server
|
| systemd.sockets.<name>.overrideStrategy | Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf
|
| systemd.user.sockets.<name>.documentation | A list of URIs referencing documentation for this unit or its configuration.
|
| services.code-server.socket | Path to a socket (bind-addr will be ignored).
|
| services.fediwall.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.dolibarr.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.agorakit.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.librenms.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.kanboard.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.pixelfed.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.mainsail.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.fedimintd.<name>.nginx.config.listen.*.port | Port number to listen on
|
| services.radicle.httpd.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| systemd.user.sockets.<name>.overrideStrategy | Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf
|
| services.anuko-time-tracker.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.bookstack.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local_port | Local UDP port for IKE communication
|
| services.postgrey.socket | Socket to bind to
|
| services.jirafeau.nginxConfig.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.openbao.settings.listener.<name>.address | The TCP address or UNIX socket path to listen on.
|
| services.suricata.settings.unix-command | Unix command socket that can be used to pass commands to Suricata
|
| services.opendkim.socket | Socket which is used for communication with OpenDKIM.
|
| services.fedimintd.<name>.nginx.config.reuseport | Create an individual listening socket
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| boot.zfs.pools.<name>.devNodes | Name of directory from which to import ZFS device; this is passed to zpool import
as the value of the -d option
|
| services.gitea.database.socket | Path to the unix socket file to use for authentication.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.mysql.ensureUsers | Ensures that the specified users exist and have at least the ensured permissions
|
| services.code-server.socketMode | File mode of the socket.
|
| services.moodle.database.socket | Path to the unix socket file to use for authentication.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.zabbixWeb.database.socket | Path to the unix socket file to use for authentication.
|
| services.keepalived.vrrpInstances.<name>.virtualRouterId | Arbitrary unique number 1..255
|
| services.misskey.settings.socket | The UNIX socket your Misskey server should listen on.
|
| services.forgejo.database.socket | Path to the unix socket file to use for authentication.
|
| services.redmine.database.socket | Path to the unix socket file to use for authentication.
|
| services.grafana.settings.server.socket | Path where the socket should be created when protocol=socket
|
| services.suricata.settings.unix-command.filename | Filename for unix-command socket.
|
| services.sharkey.settings.socket | If specified, creates a UNIX socket at the given path that Sharkey listens on.
|
| services.zabbixProxy.database.socket | Path to the unix socket file to use for authentication.
|
| services.mattermost.socket.path | Default location for the Mattermost control socket used by mmctl.
|
| services.gancio.settings.server.socket | The unix socket for the gancio server to listen on.
|
| services.zabbixServer.database.socket | Path to the unix socket file to use for authentication.
|
| services.librenms.database.socket | A unix socket to mysql, accessible by the librenms user
|
| services.postsrsd.socketPath | Path to the Unix socket for connecting to postsrsd
|
| services.mattermost.socket.enable | Whether to enable Mattermost control socket.
|
| services.prometheus.exporters.frr.user | User name under which the frr exporter shall be run
|
| services.mattermost.socket.export | Whether to enable Export socket control to system environment variables.
|
| services.keepalived.snmp.socket | Socket to use for connecting to SNMP master agent
|
| services.icingaweb2.modules.monitoring.transports.<name>.path | Path to the socket for local or remote transports
|
| services.mediawiki.database.socket | Path to the unix socket file to use for authentication.
|
| services.tailscaleAuth.socketPath | Path of the socket listening to authorization requests.
|
| services.limesurvey.database.socket | Path to the unix socket file to use for authentication.
|
| boot.uki.name | Name of the UKI
|
| services.rsyncd.socketActivated | If enabled Rsync will be socket-activated rather than run persistently.
|
| systemd.sockets | Definition of systemd socket units; see systemd.socket(5).
|
| services.prometheus.exporters.chrony.user | User name under which the chrony exporter shall be run
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.mode | File permissions on the UNIX domain socket.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.tls | Whether to enable TLS on the listener socket.
This option will be ignored for UNIX domain sockets.
|
| systemd.user.sockets | Definition of systemd per-user socket units.
|
| services.plausible.database.postgres.socket | Path to the UNIX domain-socket to communicate with postgres.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.path | Unix domain socket path to bind this listener to.
|
| services.openvscode-server.socketPath | The path to a socket file for the server to listen to.
|
| users.users.<name>.name | The name of the user account
|
| services.pipewire.socketActivation | Automatically run PipeWire when connections are made to the PipeWire socket.
|
| services.nncp.daemon.socketActivation.enable | Whether to enable socket activation for nncp-daemon.
|
| services.mattermost.database.socketPath | The database (Postgres or MySQL) socket path.
|
| boot.initrd.systemd.sockets | Definition of systemd socket units.
|
| services.postgrest.settings.server-unix-socket | Unix domain socket where to bind the PostgREST web server.
|
| services.athens.unixSocket | Path to the unix socket file
|
| services.nginx.tailscaleAuth.socketPath | Alias of services.tailscaleAuth.socketPath.
|
| users.groups.<name>.name | The name of the group
|
| services.nylon.<name>.name | The name of this nylon instance.
|
| services.pgbouncer.settings.pgbouncer.listen_addr | Specifies a list (comma-separated) of addresses where to listen for TCP connections
|