| services.jitsi-videobridge.xmppConfigs.<name>.mucNickname | Videobridges use the same XMPP account and need to be distinguished by the
nickname (aka resource part of the JID)
|
| containers.<name>.config | A specification of the desired configuration of this
container, as a NixOS module.
|
| containers.<name>.autoStart | Whether the container is automatically started at boot-time.
|
| services.znc.confOptions.networks.<name>.channels | IRC channels to join.
|
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| services.grafana.provision.alerting.templates.settings.templates.*.name | Name of the template, must be unique
|
| systemd.services.<name>.stopIfChanged | If set, a changed unit is restarted by calling
systemctl stop in the old configuration,
then systemctl start in the new one
|
| services.authelia.instances.<name>.enable | Whether to enable Authelia instance.
|
| services.autorandr.profiles.<name>.config | Per output profile configuration.
|
| services.sanoid.templates.<name>.autosnap | Whether to automatically take snapshots.
|
| systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.group | The group of the file
|
| services.tahoe.nodes.<name>.client.introducer | The furl for a Tahoe introducer node
|
| services.blockbook-frontend.<name>.sync | Synchronizes until tip, if together with zeromq, keeps index synchronized.
|
| services.dovecot2.mailboxes.<name>.auto | Whether to automatically create or create and subscribe to the mailbox or not.
|
| services.xserver.cmt.models | Which models to enable cmt for
|
| security.pam.services.<name>.kwallet.enable | If enabled, pam_wallet will attempt to automatically unlock the
user's default KDE wallet upon login
|
| services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream.
|
| services.klipper.firmwares.<name>.configFile | Path to firmware config which is generated using klipper-genconf
|
| systemd.user.targets.<name>.description | Description of this unit used in systemd messages and progress indicators.
|
| systemd.user.sockets.<name>.description | Description of this unit used in systemd messages and progress indicators.
|
| services.hylafax.modems.<name>.config | Attribute set of values for the given modem
|
| services.fluidd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.gancio.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.akkoma.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.fedimintd.<name>.nginx.config.extraConfig | These lines go to the end of the vhost verbatim.
|
| services.matomo.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.monica.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| systemd.network.networks.<name>.ipv6Prefixes | A list of ipv6Prefix sections to be added to the unit
|
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory is restricted to
be only available via the mail system
|
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.updown | Updown script to invoke on CHILD_SA up and down events.
|
| services.restic.backups.<name>.repository | repository to backup to.
|
| services.strongswan-swanctl.swanctl.secrets.private.<name>.file | File name in the private folder for which this passphrase should be used.
|
| services.gitlab-runner.services.<name>.buildsDir | Absolute path to a directory where builds will be stored
in context of selected executor (Locally, Docker, SSH).
|
| services.postfix.settings.master.<name>.chroot | Whether the service is chrooted to have only access to the
services.postfix.queueDir and the closure of
store paths specified by the program option.
|
| services.sanoid.datasets.<name>.autoprune | Whether to automatically prune old snapshots.
|
| services.kmonad.keyboards.<name>.defcfg.compose.key | The (optional) compose key to use.
|
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|
| services.fediwall.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.dolibarr.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.anuko-time-tracker.nginx.locations.<name>.root | Root directory for requests.
|
| services.agorakit.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.kanboard.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.librenms.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.mainsail.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.pixelfed.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.vdirsyncer.jobs.<name>.config.statusPath | vdirsyncer's status path
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| systemd.user.services.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| services.borgbackup.jobs.<name>.prune.prefix | Only consider archive names starting with this prefix for pruning
|
| systemd.user.services.<name>.reloadIfChanged | Whether the service should be reloaded during a NixOS
configuration switch if its definition has changed
|
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.certs | List of certificate candidates to use for
authentication
|
| services.orangefs.server.fileSystems.<name>.troveSyncData | Sync data.
|
| services.vdirsyncer.jobs.<name>.config.general | general configuration
|
| services.nebula.networks.<name>.staticHostMap | The static host map defines a set of hosts with fixed IP addresses on the internet (or any network)
|
| systemd.sockets.<name>.description | Description of this unit used in systemd messages and progress indicators.
|
| systemd.targets.<name>.description | Description of this unit used in systemd messages and progress indicators.
|
| services.prefect.workerPools.<name>.installPolicy | install policy for the worker (always, if-not-present, never, prompt)
|
| services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file.
|
| services.fcgiwrap.instances.<name>.socket.type | Socket type: 'unix', 'tcp' or 'tcp6'.
|
| services.fcgiwrap.instances.<name>.socket.user | User to be set as owner of the UNIX socket.
|
| services.v4l2-relayd.instances.<name>.output.format | The video-format to write to output-stream.
|
| services.znc.confOptions.networks.<name>.password | IRC server password, such as for a Slack gateway.
|
| services.buildkite-agents.<name>.tokenPath | The token from your Buildkite "Agents" page
|
| services.restic.backups.<name>.initialize | Create the repository if it doesn't exist.
|
| security.pam.services.<name>.startSession | If set, the service will register a new session with
systemd's login manager
|
| services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: This reduces the CPU time spent
in the initial connection setup, at the expense of losing
perfect forward secrecy.
|
| services.easytier.instances.<name>.extraArgs | Extra args append to the easytier command-line.
|
| services.logrotate.settings.<name>.enable | Whether to enable setting individual kill switch.
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file.
Do not write ids section here, use a separate option for it
|
| services.wstunnel.servers.<name>.listen.enableHTTPS | Use HTTPS for the tunnel server.
|
| services.kanidm.provision.persons.<name>.groups | List of groups this person should belong to.
|
| services.firezone.server.provision.accounts.<name>.relayGroups | All relay groups to provision
|
| services.rke2.autoDeployCharts.<name>.enable | Whether to enable the installation of this Helm chart
|
| services.fedimintd.<name>.nginx.config.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.fedimintd.<name>.nginx.config.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| users.mysql.pam.logging.rHostColumn | The name of the column in the log table to which the name of the remote
host that initiates the session is stored
|
| services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.help | A human-readable description of this metric.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.allAccess | Grants all permissions in the associated organization.
|
| services.buildkite-agents.<name>.extraGroups | Groups the user for this buildkite agent should belong to
|
| services.syncoid.commands.<name>.sendOptions | Advanced options to pass to zfs send
|
| services.syncoid.commands.<name>.recvOptions | Advanced options to pass to zfs recv
|
| systemd.network.networks.<name>.dhcpServerConfig | Each attribute in this set specifies an option in the
[DHCPServer] section of the unit
|
| systemd.network.networks.<name>.pfifoHeadDropConfig | Each attribute in this set specifies an option in the
[PFIFOHeadDrop] section of the unit
|
| services.vmalert.instances.<name>.enable | Wether to enable VictoriaMetrics's vmalert.
vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.
|
| services.orangefs.server.fileSystems.<name>.troveSyncMeta | Sync meta data.
|
| services.public-inbox.settings.coderepo.<name>.cgitUrl | URL of a cgit instance
|
| services.xonotic.settings.hostname | The name that will appear in the server list. $g_xonoticversion
gets replaced with the current version.
|
| containers.<name>.path | As an alternative to specifying
config, you can specify the path to
the evaluated NixOS system configuration, typically a
symlink to a system profile.
|
| services.drupal.sites.<name>.database.passwordFile | A file containing the password corresponding to
database.user.
|
| services.bacula-fd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-sd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.github-runners.<name>.extraPackages | Extra packages to add to PATH of the service to make them available to workflows.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacerts | List of CA certificates to accept for
authentication
|
| services.fedimintd.<name>.nginx.config.listen.*.port | Port number to listen on
|
| services.borgbackup.jobs.<name>.extraPruneArgs | Additional arguments for borg prune
|