| services.postfix.settings.master.<name>.chroot | Whether the service is chrooted to have only access to the
services.postfix.queueDir and the closure of
store paths specified by the program option.
|
| services.tahoe.nodes.<name>.client.introducer | The furl for a Tahoe introducer node
|
| services.gitlab-runner.services.<name>.preBuildScript | Runner-specific command script executed after code is pulled,
just before build executes.
|
| services.openvpn.servers.<name>.authUserPass | This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method
|
| services.borgbackup.jobs.<name>.extraInitArgs | Additional arguments for borg init
|
| services.mosquitto.bridges.<name>.topics | Topic patterns to be shared between the two brokers
|
| systemd.user.targets.<name>.aliases | Aliases of that unit.
|
| systemd.user.sockets.<name>.aliases | Aliases of that unit.
|
| services.openafsServer.cellServDB.*.dnsname | DNS full-qualified domain name of a database server
|
| services.openafsClient.cellServDB.*.dnsname | DNS full-qualified domain name of a database server
|
| services.kmonad.keyboards.<name>.defcfg.compose.key | The (optional) compose key to use.
|
| systemd.timers.<name>.unitConfig | Each attribute in this set specifies an option in the
[Unit] section of the unit
|
| systemd.slices.<name>.unitConfig | Each attribute in this set specifies an option in the
[Unit] section of the unit
|
| systemd.nspawn.<name>.execConfig | Each attribute in this set specifies an option in the
[Exec] section of this unit
|
| services.snapserver.streams.<name>.codec | Default audio compression method.
|
| fileSystems.<name>.stratis.poolUuid | UUID of the stratis pool that the fs is located in
This is only relevant if you are using stratis.
|
| security.acme.certs.<name>.profile | The certificate profile to choose if the CA offers multiple profiles.
|
| networking.ipips.<name>.ttl | The time-to-live of the connection to the remote tunnel endpoint.
|
| services.httpd.virtualHosts.<name>.locations | Declarative location config
|
| services.tinc.networks.<name>.interfaceType | The type of virtual interface used for the network connection.
|
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file.
Do not write ids section here, use a separate option for it
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert | Section for a certificate candidate to use for
authentication
|
| services.wordpress.sites.<name>.settings | Structural Wordpress configuration
|
| systemd.user.slices.<name>.unitConfig | Each attribute in this set specifies an option in the
[Unit] section of the unit
|
| systemd.user.timers.<name>.unitConfig | Each attribute in this set specifies an option in the
[Unit] section of the unit
|
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory is restricted to
be only available via the mail system
|
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| services.biboumi.settings.db_name | The name of the database to use
|
| services.github-runners.<name>.nodeRuntimes | List of Node.js runtimes the runner should support.
|
| services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in
PEM format
|
| services.davis.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.movim.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.slskd.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.file | File name in the ecdsa folder for which this
passphrase should be used.
|
| services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.file | File name in the pkcs8 folder for which this
passphrase should be used.
|
| services.znc.confOptions.networks.<name>.channels | IRC channels to join.
|
| services.fedimintd.<name>.bitcoin.network | Bitcoin network to participate in.
|
| users.extraUsers.<name>.packages | The set of packages that should be made available to the user
|
| services.fluidd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.fedimintd.<name>.nginx.config.extraConfig | These lines go to the end of the vhost verbatim.
|
| services.gancio.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.akkoma.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.monica.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.matomo.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.rke2.autoDeployCharts.<name>.enable | Whether to enable the installation of this Helm chart
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.tarsnap.archives.<name>.excludes | Exclude files and directories matching these patterns.
|
| services.jibri.xmppEnvironments.<name>.control.muc.nickname | The nickname for this Jibri instance in the MUC.
|
| boot.loader.grub.users.<name>.password | Specifies the clear text password for the account
|
| services.grafana.provision.alerting.muteTimings.settings.deleteMuteTimes.*.name | Name of the mute time interval, must be unique
|
| services.opkssh.providers.<name>.lifetime | Token lifetime
|
| services.mpdscribble.endpoints.<name>.username | Username for the scrobble service.
|
| services.firewalld.services.<name>.sourcePorts | Source ports for the service.
|
| security.pam.services.<name>.gnupg.noAutostart | Don't start gpg-agent if it is not running
|
| services.geoclue2.appConfig.<name>.isAllowed | Whether the application will be allowed access to location information.
|
| services.fedimintd.<name>.nginx.config.listen.*.port | Port number to listen on
|
| services.klipper.firmwares.<name>.package | Path to the built firmware package.
|
| services.dokuwiki.sites.<name>.settings | Structural DokuWiki configuration
|
| services.redis.servers.<name>.maxclients | Set the max number of connected clients at the same time.
|
| users.extraUsers.<name>.useDefaultShell | If true, the user's shell will be set to
users.defaultUserShell.
|
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| services.maddy.hostname | Hostname to use
|
| programs.neovim.runtime.<name>.text | Text of the file.
|
| services.radicle.httpd.nginx.locations.<name>.return | Adds a return directive, for e.g. redirections.
|
| services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: This reduces the CPU time spent
in the initial connection setup, at the expense of losing
perfect forward secrecy.
|
| services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory
|
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| services.drupal.sites.<name>.database.tablePrefix | The $table_prefix is the value placed in the front of your database tables
|
| services.snipe-it.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports.*.to | The end of the port range, inclusive.
|
| services.wordpress.sites.<name>.virtualHost.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.fediwall.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.anuko-time-tracker.nginx.locations.<name>.root | Root directory for requests.
|
| services.kanboard.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.dolibarr.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.librenms.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.agorakit.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.pixelfed.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.mainsail.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.vdirsyncer.jobs.<name>.config.statusPath | vdirsyncer's status path
|
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports | Either a single port or port range to allow
|
| services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file.
|
| services.znc.confOptions.networks.<name>.password | IRC server password, such as for a Slack gateway.
|
| services.fedimintd.<name>.nginx.config.enableACME | Whether to ask Let's Encrypt to sign a certificate for this vhost
|
| services.radicle.ci.broker.settings.adapters.<name>.env | Environment variables to add when running the adapter.
|
| services.gitlab-runner.services.<name>.postBuildScript | Runner-specific command script executed after code is pulled
and just after build executes.
|
| services.wstunnel.servers.<name>.restrictTo | Accepted traffic will be forwarded only to this service.
|
| services.keepalived.vrrpScripts.<name>.rise | Required number of successes for OK transition.
|
| services.keepalived.vrrpScripts.<name>.fall | Required number of failures for KO transition.
|
| services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream.
|
| services.klipper.firmwares.<name>.configFile | Path to firmware config which is generated using klipper-genconf
|
| services.firezone.server.provision.accounts.<name>.actors | All actors (users) to provision
|
| systemd.user.services.<name>.reloadTriggers | An arbitrary list of items such as derivations
|
| systemd.user.services.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| services.prometheus.exporters.py-air-control.firewallRules | Specify rules for nftables to add to the input chain
when services.prometheus.exporters.py-air-control.openFirewall is true.
|
| services.bepasty.servers.<name>.secretKeyFile | A file that contains the server secret for safe session cookies, must be set.
secretKeyFile takes precedence over secretKey
|
| services.orangefs.server.fileSystems.<name>.troveSyncData | Sync data.
|
| services.vdirsyncer.jobs.<name>.config.general | general configuration
|