| services.borgbackup.jobs.<name>.extraCompactArgs | Additional arguments for borg compact
|
| services.cjdns.ETHInterface.connectTo.<name>.password | Authorized password to the opposite end of the tunnel.
|
| services.cjdns.UDPInterface.connectTo.<name>.password | Authorized password to the opposite end of the tunnel.
|
| services.wordpress.sites.<name>.virtualHost.forceSSL | Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS
|
| services.prometheus.exporters.buildkite-agent.firewallRules | Specify rules for nftables to add to the input chain
when services.prometheus.exporters.buildkite-agent.openFirewall is true.
|
| services.bacula-sd.autochanger.<name>.devices | |
| services.netbird.tunnels.<name>.dns-resolver.address | An explicit address that NetBird will serve *.netbird.cloud. (usually) entries on
|
| services.netbird.clients.<name>.dns-resolver.address | An explicit address that NetBird will serve *.netbird.cloud. (usually) entries on
|
| services.autorandr.profiles.<name>.fingerprint | Output name to EDID mapping
|
| services.wordpress.sites.<name>.virtualHost.extraConfig | These lines go to httpd.conf verbatim
|
| users.ldap.base | The distinguished name of the search base.
|
| boot.loader.grub.users.<name>.passwordFile | Specifies the path to a file containing the
clear text password for the account
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.kanidm.provision.systems.oauth2.<name>.originUrl | The redirect URL of the service
|
| services.firewalld.zones.<name>.interfaces | Interfaces to bind.
|
| services.prometheus.exporters.storagebox.firewallRules | Specify rules for nftables to add to the input chain
when services.prometheus.exporters.storagebox.openFirewall is true.
|
| services.prometheus.exporters.scaphandre.firewallRules | Specify rules for nftables to add to the input chain
when services.prometheus.exporters.scaphandre.openFirewall is true.
|
| services.zabbixWeb.hostname | Hostname for either nginx or httpd.
|
| systemd.network.links.<name>.linkConfig | Each attribute in this set specifies an option in the
[Link] section of the unit
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saeAddToMacAllow | If set, all sae password entries that have a non-wildcard MAC associated to
them will additionally be used to populate the MAC allow list
|
| services.i2pd.outTunnels.<name>.destinationPort | Connect to particular port at destination.
|
| security.wrappers.<name>.source | The absolute path to the program to be wrapped.
|
| services.angrr.settings.profile-policies.<name>.enable | Whether to enable this angrr policy.
|
| services.tor.relay.onionServices.<name>.authorizeClient | See torrc manual.
|
| services.fedimintd.<name>.nginx.config.reuseport | Create an individual listening socket
|
| services.anuko-time-tracker.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.aaa_id | Server side EAP-Identity to expect in the EAP method
|
| networking.fooOverUDP.<name>.local.address | Local address to bind to
|
| programs.neovim.runtime.<name>.source | Path of the source file.
|
| security.acme.certs.<name>.webroot | Where the webroot of the HTTP vhost is located.
.well-known/acme-challenge/ directory
will be created below the webroot if it doesn't exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.allAccess | Grants all permissions in the associated organization.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.reqid | Fixed reqid to use for this CHILD_SA
|
| systemd.slices.<name>.startLimitBurst | Configure unit start rate limiting
|
| systemd.timers.<name>.startLimitBurst | Configure unit start rate limiting
|
| services.radicle.ci.broker.settings.adapters.<name>.command | Adapter command to run.
|
| services.snapper.configs.<name>.TIMELINE_CLEANUP | Defines whether the timeline cleanup algorithm should be run for the config.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.tokenFile | The token value
|
| security.pam.services.<name>.allowNullPassword | Whether to allow logging into accounts that have no password
set (i.e., have an empty password field in
/etc/passwd or
/etc/group)
|
| services.angrr.settings.profile-policies.<name>.keep-since | Retention period for the GC roots in this profile.
|
| services.moodle.virtualHost.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.strongswan-swanctl.swanctl.pools.<name>.dns | Address or CIDR subnets
StrongSwan default: []
|
| services.nagios.virtualHost.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.kanidm.provision.systems.oauth2.<name>.claimMaps | Adds additional claims (and values) based on which kanidm groups an authenticating party belongs to
|
| services.tahoe.introducers.<name>.tub.location | The external location that the introducer should listen on
|
| services.bookstack.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.bookstack.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.nebula.networks.<name>.lighthouse.dns.enable | Whether this lighthouse node should serve DNS.
|
| services.frigate.settings.cameras.<name>.ffmpeg.inputs.*.roles | List of roles for this stream
|
| services.postfix.masterConfig.<name>.privileged | |
| boot.initrd.systemd.contents.<name>.target | Path of the symlink.
|
| services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.values | A set of columns that will be used as values of this metric.
|
| services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.labels | A set of columns that will be used as Prometheus labels.
|
| services.autosuspend.checks.<name>.enabled | Whether to enable this activity check.
|
| services.keepalived.vrrpScripts.<name>.timeout | Seconds after which script is considered to have failed.
|
| services.firewalld.zones.<name>.masquerade | Whether to enable masquerading in the zone.
|
| services.gitlab-runner.services.<name>.dockerAllowedImages | Whitelist allowed images.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.pubkeys | List of raw public key candidates to use for
authentication
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.pgbackrest.repos.<name>.sftp-private-key-file | SFTP private key file
|
| services.bitcoind.<name>.extraCmdlineOptions | Extra command line options to pass to bitcoind
|
| services.sabnzbd.settings.servers.<name>.required | In case of connection failures, wait for the
server to come back online instead of skipping
it.
|
| services.sabnzbd.settings.servers.<name>.priority | Priority of this servers
|
| services.akkoma.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.fluidd.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.gancio.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.matomo.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.monica.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| networking.ipips.<name>.remote | The address of the remote endpoint to forward traffic over.
|
| services.wyoming.faster-whisper.servers.<name>.model | Name of the voice model to use
|
| services.snapper.configs.<name>.TIMELINE_LIMIT_HOURLY | Limits for timeline cleanup.
|
| services.snapper.configs.<name>.TIMELINE_LIMIT_YEARLY | Limits for timeline cleanup.
|
| services.snapper.configs.<name>.TIMELINE_LIMIT_WEEKLY | Limits for timeline cleanup.
|
| services.mosquitto.bridges.<name>.addresses | Remote endpoints for the bridge.
|
| services.tarsnap.archives.<name>.cachedir | The cache allows tarsnap to identify previously stored data
blocks, reducing archival time and bandwidth usage
|
| containers.<name>.bindMounts.<name>.mountPoint | Mount point on the container file system.
|
| services.zeronsd.servedNetworks.<name>.settings.token | Path to a file containing the API Token for ZeroTier Central.
|
| services.kanidm.provision.systems.oauth2.<name>.present | Whether to ensure that this oauth2 resource server is present or absent.
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups | All gateway groups (sites) to provision
|
| services.sabnzbd.settings.servers.<name>.optional | In case of connection failures, temporarily
disable this server. (See sabnzbd's documentation
for usage guides).
|
| boot.initrd.luks.devices.<name>.yubikey.keyLength | Length of the LUKS slot key derived with PBKDF2 in byte.
|
| boot.initrd.luks.devices.<name>.yubikey.twoFactor | Whether to use a passphrase and a YubiKey (true), or only a YubiKey (false).
|
| boot.initrd.systemd.contents.<name>.source | Path of the source file.
|
| services.httpd.virtualHosts.<name>.listenAddresses | Listen addresses for this virtual host
|
| services.borgbackup.jobs.<name>.failOnWarnings | Fail the whole backup job if any borg command returns a warning
(exit code 1), for example because a file changed during backup.
|
| services.blockbook-frontend.<name>.configFile | Location of the blockbook configuration file.
|
| hardware.alsa.controls.<name>.maxVolume | The maximum volume in dB.
|
| services.firezone.server.provision.accounts.<name>.resources | All resources to provision
|
| services.borgbackup.repos.<name>.allowSubRepos | Allow clients to create repositories in subdirectories of the
specified path
|
| systemd.user.paths.<name>.requisite | Similar to requires
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ipcomp | Enable IPComp compression before encryption
|
| services.gitlab-runner.services.<name>.debugTraceDisabled | When set to true Runner will disable the possibility of
using the CI_DEBUG_TRACE feature.
|
| services.radicle.httpd.nginx.locations.<name>.priority | Order of this location block in relation to the others in the vhost
|
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| boot.initrd.clevis.devices.<name>.secretFile | Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS).
|
| services.warpgate.settings.sso_providers.*.name | Internal identifier of SSO provider.
|
| security.acme.certs.<name>.extraDomainNames | A list of extra domain names, which are included in the one certificate to be issued.
|
| services.bookstack.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.blockbook-frontend.<name>.package | The blockbook package to use.
|
| security.auditd.plugins.<name>.active | Whether to enable Whether to enable this plugin.
|