| Option | Description |
|---|---|
| `programs.nix-required-mounts.allowedPatterns.<name>.unsafeFollowSymlinks` | Whether to instruct the hook to also mount the symlink targets when any of the paths contain symlinks |
| `services.hostapd.radios.<name>.networks.<name>.macAcl` | Station MAC address-based authentication |
| `boot.loader.limine.enableEditor` | Whether to allow editing the boot entries before booting them |
| `security.doas.extraRules.*.runAs` | Which user or group the specified command is allowed to run as |
| `services.invidious.port` | The port Invidious should listen on |
| `security.loginDefs.chfnRestrict` | Use chfn SUID to allow non-root users to change their account GECOS information. |
| `security.duosec.failmode` | On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access) |
| `boot.initrd.systemd.root` | Controls how systemd will interpret the root FS in initrd |
| `services.prosody.extraConfig` | Additional prosody configuration. The generated file is processed by envsubst to allow secrets to be passed securely via environment variables. |
| `services.prosody.modules.roster` | Allow users to have a roster |
| `security.sudo.extraRules.*.runAs` | Under which user/group the specified command is allowed to run |
| `services.cloud-init.network.enable` | Allow the cloud-init service to configure network interfaces through systemd-networkd. |
| `services.ntp.restrictSource` | The restriction flags to be set on source |
| `security.sudo-rs.extraRules.*.runAs` | Under which user/group the specified command is allowed to run |
| `services.nsd.zones.<name>.provideXFR` | Allow these IPs and TSIG keys to transfer zones. Entry format: addr TSIG\|NOKEY\|BLOCKED, where addr is an address range such as 192.0.2.0/24, 1.2.3.4&255.255.0.0 or 3.0.2.20-3.0.2.40 |
| `boot.loader.systemd-boot.editor` | Whether to allow editing the kernel command-line before boot |
| `hardware.acpilight.enable` | Enable acpilight |
| `boot.initrd.network.ssh.ignoreEmptyHostKeys` | Allow leaving config.boot.initrd.network.ssh.hostKeys empty, to deploy ssh host keys out of band. |
| `services.oink.settings.ttl` | The TTL ("Time to Live") value to set for your DNS records |
| `xdg.portal.extraPortals` | List of additional portals to add to path |
| `services.firewalld.zones.<name>.ports` | Ports to allow in the zone. |
| `services.syncplay.salt` | Salt to allow room operator passwords generated by this server instance to still work when the server is restarted |
| `services.postgrey.retryWindow` | Allow N days for the first retry |
| `services.prosody.modules.smacks` | Allow a client to resume a disconnected session, and prevent message loss |
| `services.unifi.openFirewall` | Whether or not to open the minimum required ports on the firewall |
| `services.paisa.mutableSettings` | Allow changes made on the web interface to persist between service restarts. |
| `services.soju.acceptProxyIP` | Allow the specified IPs to act as a proxy |
| `services.quicktun.<name>.remoteFloat` | Whether to allow the remote address and port to change when properly encrypted packets are received. |
| `services.nsd.ipTransparent` | Allow binding to non-local addresses. |
| `services.chrony.makestep.enable` | Allow chronyd to step the system clock if the error is larger than the specified threshold. |
| `services.thermald.ignoreCpuidCheck` | Whether to ignore the cpuid check to allow running on unsupported platforms |
| `services.znc.mutable` | Indicates whether to allow the contents of the dataDir directory to be changed by the user at run-time |
| `services.nebula.networks.<name>.relays` | List of IPs of relays that this node should allow traffic from. |
| `services.pgmanage.loginGroup` | This tells pgmanage to only allow users in a certain PostgreSQL group to log in to pgmanage |
| `services.kubo.localDiscovery` | Whether to enable local discovery for the Kubo daemon |
| `services._3proxy.services.*.acl.*.rule` | ACL rule |
| `services.bitlbee.authMode` | The following authentication modes are available: Open -- Accept connections from anyone, use NickServ for user authentication |
| `services.apcupsd.enable` | Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure |
| `services.displayManager.gdm.wayland` | Allow GDM to run on Wayland instead of Xserver. |
| `hardware.graphics.enable` | Whether to enable hardware accelerated graphics drivers |
| `services.geoclue2.appConfig.<name>.users` | List of UIDs of all users for which this application is allowed location info access. Defaults to an empty string to allow it for all users. |
| `services.prosody.muc.*.moderation` | Allow rooms to be moderated |
| `services.pgmanage.superOnly` | This tells pgmanage whether or not to only allow super users to log in |
| `services.gitDaemon.enable` | Enable Git daemon, which allows public hosting of git repositories without any access controls |
| `services.taskserver.trust` | Determines how client certificates are validated |
| `services.tlsrpt.configurePostfix` | Whether to configure permissions to allow integration with Postfix. |
| `services.firewalld.zones.<name>.sourcePorts` | Source ports to allow in the zone. |
| `services.prosody.modules.register` | Allow users to register on this server using a client and change passwords |
| `services.kubo.settings.Mounts.FuseAllowOther` | Allow all users to access the FUSE mount points |
| `services.athens.storage.mongo.insecure` | Allow insecure connections to the mongo database. |
| `services.convos.reverseProxy` | Enables reverse proxy support |
| `services.openldap.mutableConfig` | Whether to allow writable on-line configuration |
| `services.nextjs-ollama-llm-ui.ollamaUrl` | The address (including host and port) under which we can access the Ollama backend server. Note that if the UI service is running under a domain "https://ui.example.org", the Ollama backend service must allow "CORS" requests from this domain, e.g. by adding "services.ollama.environment |
| `services.firewalld.zones.<name>.services` | Services to allow in the zone. |
| `services.collabora-online.aliasGroups.*.host` | Hostname to allow or deny. |
| `services.prosody.modules.blocklist` | Allow users to block communications with other users |
| `services.wivrn.steam.importOXRRuntimes` | Whether to set PRESSURE_VESSEL_IMPORT_OPENXR_1_RUNTIMES system-wide to allow Steam to automatically discover the WiVRn server |
| `networking.firewall.extraInputRules` | Additional nftables rules to be appended to the input-allow chain |
| `services.keepalived.openFirewall` | Whether to automatically allow VRRP and AH packets in the firewall. |
| `environment.freetds` | Configure freetds database entries |
| `services.quorum.permissioned` | Allow only a defined list of nodes to connect. |
| `services.gokapi.mutableSettings` | Allow changes to the program config made by the program to persist between restarts |
| `security.pam.u2f.settings.origin` | By default the pam-u2f module sets the origin to pam://$HOSTNAME |
| `services.teeworlds.game.enablePowerups` | Whether to allow powerups such as the ninja. |
| `programs.wireshark.usbmon.enable` | Whether to allow users in the 'wireshark' group to capture USB traffic |
| `services.atuin.openRegistration` | Allow new user registrations with the atuin server. |
| `programs.wireshark.dumpcap.enable` | Whether to allow users in the 'wireshark' group to capture network traffic |
| `services.teeworlds.game.enableTeamDamage` | Whether to enable team damage, i.e. whether to allow team mates to inflict damage on one another. |
| `services.firewalld.zones.<name>.protocols` | Protocols to allow in the zone. |
| `services.xserver.displayManager.gdm.wayland` | Allow GDM to run on Wayland instead of Xserver. |
| `services.postgresql.identMap` | Defines the mapping from system users to database users |
| `services.beszel.agent.smartmon.deviceAllow` | List of device paths to allow access to for SMART monitoring |
| `boot.initrd.systemd.emergencyAccess` | Set to true for unauthenticated emergency access, and false or null for no emergency access |
| `services.mediatomb.customCfg` | Allow the service to create and use its own config file inside the dataDir as configured by services.mediatomb.dataDir |
| `networking.firewall.extraForwardRules` | Additional nftables rules to be appended to the forward-allow chain |
| `services.mtprotoproxy.secureOnly` | Don't allow users to connect in non-secure mode (without random padding). |
| `services.whitebophir.listenAddress` | Address to listen on (use 0.0.0.0 to allow access from any address). |
| `services.chrony.enableRTCTrimming` | Enable tracking of the RTC offset to the system clock and automatic trimming |
| `services.pretalx.environmentFiles` | Environment files that allow passing secret configuration values |
| `services.usbguard.implicitPolicyTarget` | How to treat USB devices that don't match any rule in the policy |
| `services.openafsServer.dottedPrincipals` | If enabled, allow principal names containing (.) dots |
| `services.openssh.settings.X11Forwarding` | Whether to allow X11 connections to be forwarded. |
| `programs.uwsm.waylandCompositors` | Configuration for UWSM-managed Wayland Compositors |
| `services.usbguard.presentDevicePolicy` | How to treat USB devices that are already connected when the daemon starts |
| `services.calibre-web.options.enableBookUploading` | Allow books to be uploaded via Calibre-Web UI. |
| `services.slurm.enableSrunX11` | If enabled, srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job |
| `services.bitcoind.<name>.prune` | Reduce storage requirements by enabling pruning (deleting) of old blocks |
| `services.dendrite.openRegistration` | Allow open registration without secondary verification (reCAPTCHA). |
| `services.wivrn.config.json` | Configuration for WiVRn |
| `security.pam.services.<name>.gnupg.enable` | If enabled, pam_gnupg will attempt to automatically unlock the user's GPG keys with the login password via gpg-agent |
| `services.rabbitmq.listenAddress` | IP address on which RabbitMQ will listen for AMQP connections |
| `services.home-assistant.configWritable` | Whether to make configuration.yaml writable |
| `services.kanidm.provision.acceptInvalidCerts` | Whether to allow invalid certificates when provisioning the target instance |
| `services.meilisearch.noAnalytics` | Deactivates analytics |
| `security.acme.maxConcurrentRenewals` | Maximum number of concurrent certificate generation or renewal jobs |
| `networking.firewall.extraCommands` | Additional shell commands executed as part of the firewall initialisation script |
| `services.minidlna.settings.wide_links` | Set this to yes to allow symlinks that point outside user-defined media_dir. |
| `services.plex.accelerationDevices` | A list of device paths to hardware acceleration devices that Plex should have access to |
| `services.kubo.settings.Addresses.API` | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on |
| `services.adguardhome.mutableSettings` | Allow changes made on the AdGuard Home web interface to persist between service restarts. |