| Option | Description |
|---|---|
| services.wordpress.sites.<name>.settings | Structural WordPress configuration |
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert | Section for a certificate candidate to use for authentication |
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.id | IKE identity to expect for authentication round |
| services.borgbackup.jobs.<name>.prune.prefix | Only consider archive names starting with this prefix for pruning |
| services.fedimintd.<name>.bitcoin.network | Bitcoin network to participate in. |
| users.users.<name>.linger | Whether to enable or disable lingering for this user |
| services.kmonad.keyboards.<name>.defcfg.compose.key | The (optional) compose key to use. |
| boot.initrd.luks.devices.<name>.keyFileSize | The size of the key file |
| services.firezone.server.provision.accounts.<name>.actors | All actors (users) to provision |
| services.biboumi.settings.db_name | The name of the database to use |
| services.tarsnap.archives.<name>.excludes | Exclude files and directories matching these patterns. |
| systemd.network.links.<name>.extraConfig | Extra configuration appended to the unit |
| security.pam.services.<name>.kwallet.forceRun | The force_run option is used to tell the PAM module for KWallet to forcefully run even if no graphical session (such as a GUI display manager) is detected |
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.eap_id | Client EAP-Identity to use in EAP-Identity exchange and the EAP method. |
| services.grafana.provision.dashboards.settings.providers.*.name | A unique provider name. |
| environment.etc.<name>.uid | UID of created file |
| environment.etc.<name>.gid | GID of created file |
| services.geoclue2.appConfig.<name>.isAllowed | Whether the application will be allowed access to location information. |
| boot.initrd.luks.devices.<name>.keyFileTimeout | The amount of time in seconds for a keyFile to appear before timing out and trying passwords. |
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory are restricted to be only available via the mail system |
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up |
| services.easytier.instances.<name>.enable | Enable the instance. |
| services.opkssh.providers.<name>.lifetime | Token lifetime |
| services.firewalld.services.<name>.helpers | Helpers for the service. |
| services.firewalld.services.<name>.version | Version of the service. |
| users.extraUsers.<name>.isNormalUser | Indicates whether this is an account for a “real” user |
| services.fluidd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim. |
| services.gancio.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim. |
| services.akkoma.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim. |
| services.fedimintd.<name>.nginx.config.extraConfig | These lines go to the end of the vhost verbatim. |
| services.matomo.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim. |
| services.monica.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim. |
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated from the devices option) and linux-continue-if-no-devs-found (hardcoded to be yes) |
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file. Do not write the ids section here; use a separate option for it |
| services.klipper.firmwares.<name>.package | Path to the built firmware package. |
| security.acme.certs.<name>.ocspMustStaple | Turns on the OCSP Must-Staple TLS extension |
| programs.dms-shell.plugins.<name>.enable | Whether to enable this plugin |
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports.*.from | The start of the port range, inclusive. |
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.round | Optional numeric identifier by which authentication rounds are sorted |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities, and older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command; see the docs |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities, and older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command; see the docs |
| services.redis.servers.<name>.maxclients | Set the max number of connected clients at the same time. |
| systemd.user.timers.<name>.enable | If set to false, this unit will be a symlink to /dev/null |
| systemd.user.slices.<name>.enable | If set to false, this unit will be a symlink to /dev/null |
| systemd.timers.<name>.requires | Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail. |
| systemd.slices.<name>.requires | Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail. |
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service |
| networking.jool.siit | Definitions of SIIT instances of Jool |
| services.openvpn.servers.<name>.authUserPass | This option can be used to store the username / password credentials with the "auth-user-pass" authentication method |
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket |
| services.davis.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost |
| services.movim.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost |
| services.slskd.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost |
| services.errbot.instances.<name>.identity | Errbot identity configuration |
| services.rke2.autoDeployCharts.<name>.enable | Whether to enable the installation of this Helm chart |
| systemd.user.slices.<name>.requires | Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail. |
| systemd.user.timers.<name>.requires | Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail. |
| systemd.slices.<name>.enable | If set to false, this unit will be a symlink to /dev/null |
| systemd.nspawn.<name>.enable | If set to false, this unit will be a symlink to /dev/null |
| systemd.timers.<name>.enable | If set to false, this unit will be a symlink to /dev/null |
| systemd.paths.<name>.conflicts | If the specified units are started, then this unit is stopped and vice versa. |
| services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".url.host | Domain name of the instance. |
| services.roundcube.database.dbname | Name of the postgresql database |
| services.nominatim.database.dbname | Name of the postgresql database. |
| services.wstunnel.servers.<name>.restrictTo | Accepted traffic will be forwarded only to this service. |
| services.keepalived.vrrpScripts.<name>.fall | Required number of failures for KO transition. |
| services.keepalived.vrrpScripts.<name>.rise | Required number of successes for OK transition. |
| containers.<name>.flake | The Flake URI of the NixOS configuration to use for the container |
| services.anubis.instances | An attribute set of Anubis instances |
| services.bitcoind.<name>.prune | Reduce storage requirements by enabling pruning (deleting) of old blocks |
| systemd.paths.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit |
| systemd.units.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit |
| services.fediwall.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.dolibarr.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.anuko-time-tracker.nginx.locations.<name>.root | Root directory for requests. |
| services.agorakit.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.kanboard.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.librenms.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.mainsail.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.pixelfed.nginx.locations.<name>.tryFiles | Adds try_files directive. |
| services.vdirsyncer.jobs.<name>.config.statusPath | vdirsyncer's status path |
| services.fedimintd.<name>.nginx.config.listen.*.port | Port number to listen on |
| services.firezone.server.provision.accounts.<name>.resources.<name>.gatewayGroups | A list of gateway groups (sites) which can reach the resource and may be used to connect to it. |
| users.extraUsers.<name>.isSystemUser | Indicates whether the user is a system user |
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices |
| services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory |
| fileSystems.<name>.enable | Whether to enable the filesystem mount. |
| systemd.user.units.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit |
| systemd.user.paths.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit |
| services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream. |
| services.klipper.firmwares.<name>.configFile | Path to firmware config which is generated using klipper-genconf |
| security.pam.services.<name>.gnupg.noAutostart | Don't start gpg-agent if it is not running |
| security.wrappers.<name>.enable | Whether to enable the wrapper. |
| services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file. |
| services.fcgiwrap.instances.<name>.socket.type | Socket type: 'unix', 'tcp' or 'tcp6'. |
| services.fcgiwrap.instances.<name>.socket.user | User to be set as owner of the UNIX socket. |
| services.v4l2-relayd.instances.<name>.output.format | The video-format to write to output-stream. |
| services.firewalld.zones.<name>.forwardPorts.*.port | |
| services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: This reduces the CPU time spent in the initial connection setup, at the expense of losing perfect forward secrecy. |
| services.radicle.httpd.nginx.locations.<name>.return | Adds a return directive, e.g. for redirections. |