| services.firewalld.services.<name>.helpers | Helpers for the service.
|
| services.firewalld.services.<name>.version | Version of the service.
|
| services.fedimintd.<name>.api_iroh.bind | Address to bind on for Iroh endpoint for API connections
|
| services.syncoid.commands.<name>.useCommonArgs | Whether to add the configured common arguments to this command.
|
| services.quicktun.<name>.localAddress | IP address or hostname of the local end.
|
| services.akkoma.frontends.<name>.package | Akkoma frontend package.
|
| services.sanoid.templates.<name>.monthly | Number of monthly snapshots.
|
| services.vdirsyncer.jobs.<name>.configFile | existing configuration file
|
| services.buildkite-agents.<name>.dataDir | The workdir for the agent
|
| services.bepasty.servers.<name>.secretKeyFile | A file that contains the server secret for safe session cookies, must be set.
secretKeyFile takes precedence over secretKey
|
| systemd.services.<name>.serviceConfig | Each attribute in this set specifies an option in the
[Service] section of the unit
|
| services.fedimintd.<name>.api_iroh.port | UDP Port to bind Iroh endpoint for API connections
|
| services.nebula.networks.<name>.settings | Nebula configuration
|
| services.jibri.xmppEnvironments.<name>.call.login.username | User part of the JID for the recorder.
|
| services.firewalld.zones.<name>.forward | Whether to enable intra-zone forwarding
|
| services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with
Prometheus HTTP API for vmalert to execute
|
| services.blockbook-frontend.<name>.group | The group as which to run blockbook-frontend-‹name›.
|
| services.tarsnap.archives.<name>.keyfile | Set a specific keyfile for this archive
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file.
Do not write ids section here, use a separate option for it
|
| services.wstunnel.servers.<name>.enableHTTPS | Use HTTPS for the tunnel server.
|
| services.errbot.instances.<name>.plugins | List of errbot plugin derivations.
|
| services.restic.backups.<name>.inhibitsSleep | Prevents the system from sleeping while backing up.
|
| virtualisation.fileSystems.<name>.mountPoint | Location where the file system will be mounted
|
| services.kanidm.provision.systems.oauth2.<name>.displayName | Display name
|
| services.wordpress.sites.<name>.uploadsDir | This directory is used for uploads of pictures
|
| services.pingvin-share.hostname | The domain name of your instance
|
| systemd.user.paths.<name>.after | If the specified units are started at the same time as
this unit, delay this unit until they have started.
|
| services.hostapd.radios.<name>.networks.<name>.dynamicConfigScripts | All of these scripts will be executed in lexicographical order before hostapd
is started, right after the bss segment was generated and may dynamically
append bss options to the generated configuration file
|
| services.traefik.dynamic.files.<name>.settings | Dynamic configuration for Traefik, written in Nix.
This will be serialized to JSON (which is considered valid YAML) at build, and passed as part of the static file.
|
| services.dokuwiki.sites.<name>.pluginsConfig | List of the dokuwiki (un)loaded plugins.
|
| services.mailpit.instances.<name>.listen | HTTP bind interface and port for UI.
|
| services.public-inbox.inboxes.<name>.coderepo | Nicknames of a 'coderepo' section associated with the inbox.
|
| systemd.paths.<name>.wants | Start the specified units when this unit is started.
|
| boot.initrd.systemd.users.<name>.uid | ID of the user in initrd.
|
| services.rsync.jobs.<name>.destination | Destination directory.
|
| systemd.services.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| services.sabnzbd.settings.servers.<name>.enable | Enable this server by default
|
| services.dokuwiki.sites.<name>.settings | Structural DokuWiki configuration
|
| boot.initrd.luks.devices.<name>.preLVM | Whether the luksOpen will be attempted before LVM scan or after it.
|
| services.wyoming.piper.servers.<name>.zeroconf.enable | Whether to enable zeroconf discovery.
|
| services.fedimintd.<name>.ui.openFirewall | Opens TCP port in firewall for built-in UI
|
| services.klipper.firmwares.<name>.enable | Whether to enable building of firmware for manual flashing.
|
| services.public-inbox.inboxes.<name>.inboxdir | The absolute path to the directory which hosts the public-inbox.
|
| services.snapserver.streams.<name>.type | The type of input stream.
|
| services.kmonad.keyboards.<name>.defcfg.enable | Whether to enable automatic generation of the defcfg block
|
| services.gitlab-runner.services.<name>.postBuildScript | Runner-specific command script executed after code is pulled
and just after build executes.
|
| users.users.<name>.cryptHomeLuks | Path to encrypted luks device that contains
the user's home directory.
|
| services.ghostunnel.servers.<name>.key | Path to certificate private key (PEM with private key)
|
| services.postfix.masterConfig.<name>.maxproc | The maximum number of processes to spawn for this service
|
| services.anubis.instances.<name>.policy.extraBots | Additional bot rules appended to the policy
|
| nix.registry.<name>.from | The flake reference to be rewritten
|
| services.blockbook-frontend.<name>.rpc.user | Username for JSON-RPC connections.
|
| services.blockbook-frontend.<name>.rpc.port | Port for JSON-RPC connections.
|
| services.jupyterhub.kernels.<name>.argv | Command and arguments to start the kernel.
|
| services.sanoid.datasets.<name>.useTemplate | Names of the templates to use for this dataset.
|
| virtualisation.fileSystems.<name>.autoFormat | If the device does not currently contain a filesystem (as
determined by blkid), then automatically
format it with the filesystem type specified in
fsType
|
| services.klipper.firmwares.<name>.serial | Path to serial port this printer is connected to
|
| services.gitlab-runner.services.<name>.executor | Select the executor, e.g. shell, docker, etc.
|
| services.hostapd.radios.<name>.settings | Extra configuration options to put at the end of global initialization, before defining BSSs
|
| security.acme.certs.<name>.csr | Path to a certificate signing request to apply when fetching the certificate.
|
| services.wstunnel.clients.<name>.localToRemote | Listen on the local side and forward traffic to the remote.
|
| services.znc.confOptions.networks.<name>.channels | IRC channels to join.
|
| services.rke2.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.firewalld.zones.<name>.sourcePorts.*.port | |
| services.gancio.settings.hostname | The domain name under which the server is reachable.
|
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory are restricted to
be available only via the mail system
|
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| services.bacula-fd.director.<name>.monitor | If Monitor is set to no, this director will have
full access to this Storage daemon
|
| services.bacula-sd.director.<name>.monitor | If Monitor is set to no, this director will have
full access to this Storage daemon
|
| virtualisation.fileSystems.<name>.autoResize | If set, the filesystem is grown to its maximum size before
being mounted. (This is typically the size of the containing
partition.) This is currently only supported for ext2/3/4
filesystems that are mounted during early boot.
|
| nix.registry.<name>.flake | The flake reference that the "from" entry is rewritten to.
|
| services.fedimintd.<name>.api.openFirewall | Opens port in firewall for fedimintd's api port
|
| services.pgbackrest.stanzas.<name>.jobs | Backups jobs to schedule for this stanza as described in:
https://pgbackrest.org/user-guide.html#quickstart/schedule-backup
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though access to local system resources is restricted,
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though access to local system resources is restricted,
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| power.ups.upsmon.monitor.<name>.type | The relationship with upsd
|
| services.firewalld.services.<name>.sourcePorts | Source ports for the service.
|
| services.autorandr.profiles.<name>.hooks | Profile hook scripts.
|
| services.znapzend.zetup.<name>.recursive | Whether to do recursive snapshots.
|
| systemd.user.services.<name>.reloadTriggers | An arbitrary list of items such as derivations
|
| systemd.services.<name>.requisite | Similar to requires
|
| services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file.
|
| services.fcgiwrap.instances.<name>.socket.type | Socket type: 'unix', 'tcp' or 'tcp6'.
|
| services.fcgiwrap.instances.<name>.socket.user | User to be set as owner of the UNIX socket.
|
| services.v4l2-relayd.instances.<name>.output.format | The video-format to write to output-stream.
|
| services.znc.confOptions.networks.<name>.password | IRC server password, such as for a Slack gateway.
|
| services.wstunnel.clients.<name>.remoteToLocal | Listen on the remote side and forward traffic to the local side.
|
| services.monica.hostname | The hostname to serve monica on.
|
| services.misskey.reverseProxy.webserver.nginx.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| virtualisation.fileSystems.<name>.encrypted.blkDev | Location of the backing encrypted device.
|
| services.geoclue2.appConfig.<name>.isSystem | Whether the application is a system component or not.
|
| services.errbot.instances.<name>.extraConfig | String to be appended to the config verbatim
|
| services.wordpress.sites.<name>.mergedConfig | Read only representation of the final configuration.
|
| services.borgbackup.jobs.<name>.extraInitArgs | Additional arguments for borg init
|
| services.mosquitto.bridges.<name>.topics | Topic patterns to be shared between the two brokers
|
| services.kimai.sites.<name>.database.serverVersion | MySQL exact version string
|
| services.drupal.sites.<name>.database.passwordFile | A file containing the password corresponding to
database.user.
|
| services.prometheus.exporters.fritz.settings.devices.*.name | Name to use for the device.
|
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|