| Option | Description |
|---|---|
| services.fedimintd.<name>.nginx.config.listen.*.addr | Listen address. |
| services.v4l2-relayd.instances.<name>.input.height | The height to read from input-stream. |
| users.extraUsers.<name>.expires | Set the date on which the user's account will no longer be accessible |
| users.ldap.base | The distinguished name of the search base. |
| services.klipper.firmwares.<name>.package | Path to the built firmware package. |
| fileSystems.<name>.mountPoint | Location where the file system will be mounted |
| services.firewalld.zones.<name>.forward | Whether to enable intra-zone forwarding |
| services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute |
| services.bitcoind.<name>.prune | Reduce storage requirements by enabling pruning (deleting) of old blocks |
| services.fedimintd.<name>.nginx.config.default | Makes this vhost the default. |
| services.gitlab-runner.services.<name>.preBuildScript | Runner-specific command script executed after code is pulled, just before build executes. |
| systemd.network.networks.<name>.deficitRoundRobinSchedulerClassConfig | Each attribute in this set specifies an option in the [DeficitRoundRobinSchedulerClass] section of the unit |
| services.errbot.instances.<name>.identity | Errbot identity configuration |
| services.redis.servers.<name>.maxclients | Set the max number of connected clients at the same time. |
| services.buildkite-agents.<name>.extraConfig | Extra lines to be added verbatim to the configuration file. |
| services.znapzend.zetup.<name>.mbuffer.port | Port to use for mbuffer |
| boot.loader.systemd-boot.extraEntries | Any additional entries you want added to the systemd-boot menu |
| services.snipe-it.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim. |
| services.v4l2-relayd.instances.<name>.input.format | The video-format to read from input-stream. |
| services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.file | File name in the ecdsa folder for which this passphrase should be used. |
| services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.file | File name in the pkcs8 folder for which this passphrase should be used. |
| security.wrappers.<name>.source | The absolute path to the program to be wrapped. |
| services.firewalld.zones.<name>.forwardPorts.*.port | |
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket |
| services.tor.relay.onionServices.<name>.secretKey | Secret key of the onion service |
| services.wstunnel.servers.<name>.restrictTo | Accepted traffic will be forwarded only to this service. |
| services.keepalived.vrrpScripts.<name>.rise | Required number of successes for OK transition. |
| services.keepalived.vrrpScripts.<name>.fall | Required number of failures for KO transition. |
| services.drupal.sites.<name>.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS |
| services.blockbook-frontend.<name>.cssDir | Location of the dir with main.css CSS file |
| power.ups.ups.<name>.description | Description of the UPS. |
| services.firewalld.services.<name>.sourcePorts | Source ports for the service. |
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory is restricted to be only available via the mail system |
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up |
| services.matomo.webServerUser | Name of the web server user that forwards requests to services.phpfpm.pools.<name>.socket, the fastcgi socket for Matomo, if the nginx option is not used |
| networking.fooOverUDP.<name>.local | Local address (and optionally device) to bind to using the given port. |
| services.gancio.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost |
| services.akkoma.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost |
| services.fluidd.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost |
| services.fedimintd.<name>.nginx.config.basicAuth | Basic Auth protection for a vhost |
| services.matomo.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost |
| services.monica.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost |
| services.authelia.instances.<name>.enable | Whether to enable Authelia instance. |
| services.autorandr.profiles.<name>.config | Per output profile configuration. |
| services.sanoid.templates.<name>.autosnap | Whether to automatically take snapshots. |
| services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream. |
| services.klipper.firmwares.<name>.configFile | Path to firmware config which is generated using klipper-genconf |
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports.*.from | The start of the port range, inclusive. |
| security.pam.services.<name>.startSession | If set, the service will register a new session with systemd's login manager |
| security.pam.services.<name>.gnupg.enable | If enabled, pam_gnupg will attempt to automatically unlock the user's GPG keys with the login password via gpg-agent |
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.certs | List of certificates to accept for authentication |
| services.nebula.networks.<name>.staticHostMap | The static host map defines a set of hosts with fixed IP addresses on the internet (or any network) |
| services.kimai.sites.<name>.database.passwordFile | A file containing the password corresponding to database.user. |
| services.openbao.settings.listener.<name>.type | The listener type to enable. |
| services.public-inbox.settings.coderepo.<name>.dir | Path to a git repository |
| services.wordpress.sites.<name>.virtualHost.hostName | Canonical hostname for the server. |
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service |
| boot.loader.grub.users.<name>.password | Specifies the clear text password for the account |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs |
| services.grafana.provision.dashboards.settings.providers.*.name | A unique provider name. |
| services.grafana.provision.alerting.muteTimings.settings.deleteMuteTimes.*.name | Name of the mute time interval, must be unique |
| security.acme.certs.<name>.enableDebugLogs | Whether to enable debug logging for this certificate. |
| services.jibri.xmppEnvironments.<name>.control.muc.nickname | The nickname for this Jibri instance in the MUC. |
| services.awstats.configs.<name>.webService.urlPrefix | The URL prefix under which the awstats pages appear. |
| services.kimai.sites.<name>.database.createLocally | Create the database and database user locally. |
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.round | Optional numeric identifier by which authentication rounds are sorted |
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file. Do not write the ids section here; use a separate option for it |
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated from the devices option) and linux-continue-if-no-devs-found (hardcoded to be yes) |
| services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory |
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices |
| services.firewalld.zones.<name>.forwardPorts.*.to-port | |
| services.restic.backups.<name>.repository | Repository to back up to. |
| services.sanoid.datasets.<name>.autoprune | Whether to automatically prune old snapshots. |
| security.pam.services.<name>.ttyAudit.enablePattern | For each user matching one of the comma-separated glob patterns, enable TTY auditing |
| services.jitsi-videobridge.xmppConfigs.<name>.mucNickname | Videobridges use the same XMPP account and need to be distinguished by the nickname (aka resource part of the JID) |
| services.firezone.server.provision.accounts.<name>.resources.<name>.gatewayGroups | A list of gateway groups (sites) which can reach the resource and may be used to connect to it. |
| services.blockbook-frontend.<name>.debug | Debug mode: return more verbose errors, reload templates on each request. |
| services.prosody.virtualHosts.<name>.ssl.extraOptions | Extra SSL configuration options. |
| networking.ipips.<name>.remote | The address of the remote endpoint to forward traffic over. |
| services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: this reduces the CPU time spent in the initial connection setup, at the expense of losing perfect forward secrecy. |
| services.github-runners.<name>.group | Group under which to run the service |
| services.prefect.workerPools.<name>.installPolicy | Install policy for the worker (always, if-not-present, never, prompt) |
| services.gitlab-runner.services.<name>.dockerExtraHosts | Add a custom host-to-IP mapping. |
| services.dolibarr.nginx.locations.<name>.alias | Alias directory for requests. |
| services.kanboard.nginx.locations.<name>.index | Adds index directive. |
| services.fediwall.nginx.locations.<name>.index | Adds index directive. |
| services.agorakit.nginx.locations.<name>.index | Adds index directive. |
| services.librenms.nginx.locations.<name>.alias | Alias directory for requests. |
| services.kanboard.nginx.locations.<name>.alias | Alias directory for requests. |
| services.dolibarr.nginx.locations.<name>.index | Adds index directive. |
| services.agorakit.nginx.locations.<name>.alias | Alias directory for requests. |
| services.librenms.nginx.locations.<name>.index | Adds index directive. |
| services.fediwall.nginx.locations.<name>.alias | Alias directory for requests. |
| services.pixelfed.nginx.locations.<name>.index | Adds index directive. |
| services.sabnzbd.settings.servers.<name>.enable | Enable this server by default |
| services.mainsail.nginx.locations.<name>.alias | Alias directory for requests. |
| services.mainsail.nginx.locations.<name>.index | Adds index directive. |
| services.pixelfed.nginx.locations.<name>.alias | Alias directory for requests. |
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert | Section for a CA certificate to accept for authentication |