| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the user's authorized keys
|
| users.extraUsers.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be added to the user's authorized keys
|
| services.clickhouse.usersConfig | Your users.yaml as a Nix attribute set
|
| services.mosquitto.listeners.*.users.<name>.password | Specifies the (clear text) password for the MQTT User.
|
| services.pgmanage.superOnly | This tells pgmanage whether or not to only allow super users to login
|
| users.extraUsers.<name>.openssh.authorizedPrincipals | A list of verbatim principal names that should be added to the user's authorized principals.
|
| services.grafana.settings.users.auto_assign_org_id | Set this value to automatically add new users to the provided org
|
| services.influxdb2.provision.users.<name>.passwordFile | Password for the user
|
| services.grafana.settings.users.default_language | This setting configures the default UI language, which must be a supported IETF language tag, such as en-US.
|
| services.grafana.settings.users.viewers_can_edit | Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to
|
| services.cloudlog.update-lotw-users.interval | Specification (in the format described by systemd.time(7)) of the time at which the LoTW user update will occur.
|
| services.mosquitto.listeners.*.users.<name>.passwordFile | Specifies the path to a file containing the clear text password for the MQTT user
|
| services.incron.allow | Users allowed to use incrontab
|
| services.paretosecurity.users.<name>.inviteId | A unique ID that links the agent to Pareto Cloud
|
| services.mosquitto.listeners.*.users.<name>.hashedPassword | Specifies the hashed password for the MQTT User
|
| services.taskserver.organisations.<name>.users | A list of user names that belong to the organization.
|
| services.grafana.settings.users.auto_assign_org_role | The role new users will be assigned for the main organization (if the auto_assign_org setting is set to true).
|
| users.extraUsers.<name>.password | Specifies the (clear text) password for the user
|
| services.mosquitto.listeners.*.users.<name>.hashedPasswordFile | Specifies the path to a file containing the hashed password for the MQTT user
|
| services.headscale.settings.oidc.allowed_users | Users allowed to authenticate even if not in allowedDomains.
|
| services.umurmur.settings.max_users | Maximum number of concurrent clients allowed.
|
| services.postgresql.ensureUsers | Ensures that the specified users exist
|
| services.tt-rss.plugins | List of plugins to load automatically for all users
|
| services.calibre-server.auth.userDb | Choose users database file to use for authentication
|
| services.fcron.deny | Users forbidden from using fcron.
|
| services.grafana.settings.users.verify_email_enabled | Require email validation before sign up completes.
|
| users.extraUsers.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's password
|
| hardware.i2c.group | Grant access to i2c devices (/dev/i2c-*) to users in this group.
|
| users.extraUsers.<name>.initialPassword | Specifies the initial password for the user, i.e. the password assigned if the user does not already exist
|
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user
|
| services.incron.deny | Users forbidden from using incrontab.
|
| programs.wireshark.enable | Whether to add Wireshark to the global environment and create a 'wireshark' group
|
| programs.cdemu.group | Group that users must be in to use cdemu.
|
| services.tor.relay.role | Your role in Tor network
|
| services.prosody.modules.blocklist | Allow users to block communications with other users
|
| services.logrotate.checkConfig | Whether the config should be checked at build time
|
| programs.fuse.mountMax | Set the maximum number of FUSE mounts allowed to non-root users.
|
| programs.wireshark.usbmon.enable | Whether to allow users in the 'wireshark' group to capture USB traffic
|
| services.oauth2-proxy.google.adminEmail | The Google Admin to impersonate for API calls
|
| programs.wireshark.dumpcap.enable | Whether to allow users in the 'wireshark' group to capture network traffic
|
| security.polkit.adminIdentities | Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value)
|
| security.pam.services.<name>.unixAuth | Whether users can log in with passwords defined in /etc/shadow.
|
| services.fcron.allow | Users allowed to use fcrontab and fcrondyn (one name per line, all for everyone).
|
| services.matrix-synapse.settings.presence.enabled | Whether to enable presence tracking
|
| services.postgresql.identMap | Defines the mapping from system users to database users
|
| security.loginDefs.settings.UID_MIN | Range of user IDs used for the creation of regular users by useradd or newusers.
|
| security.loginDefs.settings.UID_MAX | Range of user IDs used for the creation of regular users by useradd or newusers.
|
| services.guix.nrBuildUsers | Number of Guix build users to be used in the build pool.
|
| services.samba.usershares.group | Name of the group members of which will be allowed to create usershares
|
| security.sudo.enable | Whether to enable the sudo command, which allows non-root users to execute commands as root.
|
| security.doas.enable | Whether to enable the doas command, which allows non-root users to execute commands as root.
|
| services.samba.usershares.enable | Whether to enable user-configurable Samba shares.
|
| users.extraUsers.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist
|
| security.loginDefs.settings.SYS_UID_MAX | Range of user IDs used for the creation of system users by useradd or newusers.
|
| security.loginDefs.settings.SYS_UID_MIN | Range of user IDs used for the creation of system users by useradd or newusers.
|
| services.vsftpd.userDbPath | Only applies if enableVirtualUsers is true
|
| security.ipa.shells | List of shells whose binaries should be installed to /bin/
|
| programs.ydotool.group | Group which users must be in to use ydotool.
|
| services.syncplay.chat | Chat with users in the same room.
|
| programs.rush.shell | The resolved shell path that users can inherit to set rush as their login shell
|
| services.vsftpd.localUsers | Whether to enable FTP for local users.
|
| hardware.sane.enable | Enable support for SANE scanners. Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer.
|
| services.weblate.smtp.host | SMTP host used when sending emails to users.
|
| services.weblate.smtp.port | SMTP port used when sending emails to users.
|
| security.sudo-rs.enable | Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root.
|
| security.ipa.ifpAllowedUids | A list of users allowed to access the ifp dbus interface.
|
| services.exim.user | User to use when no root privileges are required
|
| services.syncplay.ready | Check readiness of users.
|
| hardware.i2c.enable | Whether to enable i2c devices support
|
| hardware.brillo.enable | Whether to enable brillo in userspace
|
| security.pam.p11.enable | Enables P11 PAM (pam_p11) module
|
| programs.fuse.userAllowOther | Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).
|
| services.tt-rss.auth.autoCreate | Allow authentication modules to auto-create users in tt-rss internal database when authenticated successfully.
|
| services.ombi.enable | Whether to enable Ombi, a web application that automatically gives your shared Plex or Emby users the ability to request content by themselves! Optionally see https://docs.ombi.app/info/reverse-proxy on how to set up a reverse proxy.
|
| services.vsftpd.writeEnable | Whether any write activity is permitted to users.
|
| hardware.bladeRF.enable | Enables udev rules for BladeRF devices
|
| security.please.enable | Whether to enable please, a Sudo clone which allows a user to execute a command or edit a file as another user.
|
| services.biboumi.settings.admin | The bare JID of the gateway administrator
|
| services.kubo.settings.Mounts.FuseAllowOther | Allow all users to access the FUSE mount points
|
| programs.pmount.enable | Whether to enable pmount, a tool that allows normal users to mount removable devices without requiring root privileges.
|
| services.openssh.settings.LogLevel | Gives the verbosity level that is used when logging messages from sshd(8)
|
| services.angrr.settings.owned-only | Only monitors owned symbolic link target of GC roots.
- "auto": behaves like true for normal users, false for root.
- "true": only monitor GC roots owned by the current user.
- "false": monitor all GC roots.
|
| security.pam.howdy.enable | Whether to enable the Howdy PAM module
|
| security.pam.dp9ik.enable | Whether to enable the dp9ik pam module provided by tlsclient
|
| services.openssh.settings.DenyUsers | If specified, login is denied for all listed users
|
| services.openssh.settings.AllowUsers | If specified, login is allowed only for the listed users
|
| services.maubot.settings.admins | List of administrator users
|
| services.dawarich.smtp.host | SMTP host used when sending emails to users.
|
| services.dawarich.smtp.port | SMTP port used when sending emails to users.
|
| services.mastodon.smtp.host | SMTP host used when sending emails to users.
|
| services.mastodon.smtp.port | SMTP port used when sending emails to users.
|
| services.sympa.listMasters | The list of the email addresses of the listmasters (users authorized to perform global server commands).
|
| services.dovecot2.mailUser | Default user to store mail for virtual users.
|
| services.cryptpad.settings.adminKeys | List of public signing keys of users that can access the admin panel
|
| security.sudo.execWheelOnly | Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly
|
| services.postgresql.authentication | Defines how users authenticate themselves to the server
|
| services.jupyter.group | Name of the group used to run the jupyter service
|
| services.tt-rss.auth.autoLogin | Automatically login user on remote or other kind of externally supplied authentication, otherwise redirect to login form as normal
|
| security.sudo-rs.execWheelOnly | Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly
|
| services.syncplay.motdFile | Path to text to display when users join
|