| services.scrutiny.influxdb.enable | Enables InfluxDB on the host system using the services.influxdb2 NixOS module
with default options
|
| services.opensnitch.settings.Rules.Path | Path to the directory where firewall rules can be found and will
get stored by the NixOS module.
|
| security.pam.services.<name>.kwallet.forceRun | The force_run option tells the PAM module for KWallet
to run even if no graphical session (such as a GUI
display manager) is detected
|
| services.x2goserver.enable | Enables the x2goserver module
|
| services.librespeed.useACMEHost | Use a certificate generated by the NixOS ACME module for the given host
|
| services.ethercalc.enable | Whether to enable ethercalc, an online collaborative spreadsheet server
|
| services.mediatomb.customCfg | Allow the service to create and use its own config file inside the dataDir as
configured by services.mediatomb.dataDir
|
| services.stalwart-mail.settings | Configuration options for the Stalwart email server
|
| services.home-assistant.config | Your configuration.yaml as a Nix attribute set
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.postgrest.settings.db-config | Enables the in-database configuration.
https://docs.postgrest.org/en/stable/references/configuration.html#in-database-configuration
This is enabled by default upstream, but disabled by default in this module.
|
| services.anubis.instances.<name>.user | The user under which Anubis is run
|
| security.pam.services.<name>.duoSecurity.enable | If set, use the Duo Security pam module
pam_duo for authentication
|
| services.mediawiki.finalPackage | The final package used by the module
|
| services.nextcloud.finalPackage | The finalized Nextcloud package, including all installed apps
|
| security.lockKernelModules | Disable kernel module loading once the system is fully initialised.
Modules that are still needed after that point must be listed in boot.kernelModules so they are loaded before the lock takes effect
|
| services.lighttpd.enableModules | List of lighttpd modules to enable
|
| services.rsnapshot.extraConfig | rsnapshot configuration options in addition to the defaults from
rsnapshot and this module
|
| services.anubis.instances.<name>.group | The group under which Anubis is run
|
| services.wstunnel.servers.<name>.useACMEHost | Use a certificate generated by the NixOS ACME module for the given host
|
| services.pulseaudio.extraConfig | Literal string to append to configFile
and the config file generated by the pulseaudio module.
|
| services.komodo-periphery.configFile | Path to the periphery configuration file
|
| services.airsonic.listenAddress | The host name or IP address on which to bind Airsonic
|
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| services.matrix-synapse.package | Reference to the matrix-synapse wrapper with all extras
(e.g. for oidc or saml2) added to the PYTHONPATH of all executables
|
| services.openafsClient.packages.programs | OpenAFS programs package
|
| services.canaille.settings.CANAILLE_LDAP | Configuration for the LDAP backend
|
| services.dependency-track.database.type | Database backend to use:
h2: not recommended for a production setup.
postgresql: recommended for production setups.
manual: the module doesn't handle database settings.
|
| security.pam.u2f.settings.cue | By default the pam-u2f module does not inform the user
that they need to use the U2F device; it just waits without a prompt
|
| services.nullmailer.config.helohost | Sets the environment variable $HELOHOST which is used by the
SMTP protocol module to set the parameter given to the HELO command
|
| services.rabbitmq.listenAddress | IP address on which RabbitMQ will listen for AMQP
connections
|
| security.pam.ussh.enable | Enables Uber's USSH PAM (pam-ussh) module
|
| services.nextcloud.caching.memcached | Whether to load the Memcached module into PHP
|
| services.jupyterhub.extraConfig | Extra contents appended to the jupyterhub configuration
Jupyterhub configuration is a normal python file using
Traitlets. https://jupyterhub.readthedocs.io/en/stable/getting-started/config-basics.html
|
| services.handheld-daemon.adjustor.loadAcpiCallModule | Whether to load the acpi_call kernel module
|
| meta.maintainers | List of maintainers of each module
|
| security.pam.ussh.group | If set, then the authenticating user must be a member of this group
to use this module.
|
| zramSwap.enable | Enable in-memory compressed devices and swap space provided by the zram
kernel module
|
| services.canaille.settings.CANAILLE_SQL.DATABASE_URI | The SQL server URI
|
| services.listmonk.database.mutableSettings | If this is not enabled, the database settings are reset to the values set in this module on every start
|
| security.pam.oath.enable | Enable the OATH (one-time password) PAM module.
|
| programs.river.package | The river package to use
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with a minimal set of permissions (see caveats),
- restricts daemon configuration socket access to a dedicated user group
  (you can grant access to it with
  users.users."<user>".extraGroups = [ netbird-‹name› ]).
Caveats:
- even though access to local system resources is restricted,
  CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead.
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
  through the --enable-rosenpass flag on the netbird up command,
  see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with a minimal set of permissions (see caveats),
- restricts daemon configuration socket access to a dedicated user group
  (you can grant access to it with
  users.users."<user>".extraGroups = [ netbird-‹name› ]).
Caveats:
- even though access to local system resources is restricted,
  CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead.
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
  through the --enable-rosenpass flag on the netbird up command,
  see the docs
|
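As an added example (not text or code from the NixOS netbird module or its documentation), the configuration below enables the hardened client described in the two entries above and grants one local account access to the daemon's configuration socket through the per-instance group. The instance name wt0, the account name alice and the port are assumptions.

```nix
# Added example, not part of the NixOS netbird module's documentation.
# Assumptions: the instance is named "wt0" (so the module creates the group
# "netbird-wt0") and "alice" is the operator who may talk to the daemon.
{ ... }:
{
  services.netbird.clients.wt0 = {
    # Runs netbird as a dedicated user and limits the configuration socket
    # to the group netbird-wt0. Note the caveat from the option description:
    # CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF (CAP_SYS_ADMIN on older kernels)
    # still allow unrestricted manipulation of the network stack.
    hardened = true;
    port = 51820;  # assumption: the WireGuard port for this instance
  };

  users.users.alice = {
    isNormalUser = true;
    # Membership in the instance group is what grants access to the
    # daemon configuration socket; do not add untrusted accounts here.
    extraGroups = [ "netbird-wt0" ];
  };
}
```

Anyone in netbird-wt0 can reconfigure the tunnel (peers, routes, DNS) through the socket, so treat that group like a privileged role rather than a convenience group.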
| services.open-web-calendar.calendarSettings | Configure the default calendar
|
| services.prosody.xmppComplianceSuite | XEP-0423 defines a set of recommended XEPs for a server
to implement
|
| programs.sway.package | The sway package to use
|
| services.jitsi-meet.prosody.allowners_muc | Add the allowners module: any user in the chat is able to
kick others
|
| services.vaultwarden.config | The configuration of vaultwarden is done through environment variables,
therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER)
|
| services.rsnapshot.enableManualRsnapshot | Whether to enable manual usage of the rsnapshot command with this module.
|
| services.pid-fan-controller.settings.fans.*.wildcardPath | Wildcard path of the hwmon pwm file
|
| hardware.cpu.x86.msr.enable | Whether to enable the msr (Model-Specific Registers) kernel module and configure udev rules for its devices (usually /dev/cpu/*/msr).
|
| services.nullmailer.config.sendtimeout | The time to wait for a remote module listed above to complete sending
a message before killing it and trying again, in seconds
|
| services.prometheus.exporters.dovecot.socketPath | Path under which the stats socket is placed
|
| services.transmission.settings | Settings whose options overwrite fields in
.config/transmission-daemon/settings.json
(each time the service starts)
|
| hardware.nvidia.open | Whether to enable the open source NVIDIA kernel module.
|
| services.dovecot2.pluginSettings | Plugin settings for dovecot in general, e.g. sieve, sieve_default, etc
|
| services.synapse-auto-compressor.postgresUrl | Connection string to postgresql in the
[rust postgres crate config format](https://docs.rs/postgres/latest/postgres/config/struct
|
| security.pam.dp9ik.enable | Whether to enable the dp9ik pam module provided by tlsclient
|
| security.pam.howdy.enable | Whether to enable the Howdy PAM module
|
| services.prosody.muc.*.allowners_muc | Add the allowners module: any user in the chat is able to
kick others
|
| security.pam.dp9ik.control | This option sets the pam "control" used for this module.
|
| security.pam.howdy.control | This option sets the PAM "control" used for this module.
|
| security.pam.enableUMask | Whether to enable the umask PAM module.
|
| security.pam.enableOTPW | Whether to enable the OTPW (one-time password) PAM module.
|
| services.nginx.experimentalZstdSettings | Enable the alpha-quality zstd module with recommended settings
|
| hardware.cpu.x86.msr.settings | Parameters for the msr kernel module.
|
| services.simplesamlphp | Instances of SimpleSAMLphp
|
| services.nextcloud.enableImagemagick | Whether to enable the ImageMagick module for PHP
|
| hardware.nfc-nci.enable | Whether to enable PN5xx kernel module with udev rules, libnfc-nci userland, and optional ifdnfc-nci PC/SC driver.
|
| services.draupnir.secrets.web.synapseHTTPAntispam.authorization | File containing the secret token when using the Synapse HTTP Antispam module
to be used in place of
services.draupnir.settings.web.synapseHTTPAntispam.authorization
|
| services.crowdsec-firewall-bouncer.createRulesets | Whether to have the module create the appropriate firewall configuration
based on the bouncer settings
|
| boot.initrd.availableKernelModules | The set of kernel modules in the initial ramdisk used during the
boot process
|
| security.pam.p11.enable | Enables P11 PAM (pam_p11) module
|
| services.icingaweb2.generalConfig | config.ini contents
|
| services.syncthing.settings.folders.<name>.ignorePatterns | Syncthing can be configured to ignore certain files in a folder using ignore patterns
|
| services.archisteamfarm.package | The archisteamfarm package to use.
::: {.warning}
Should always be the latest version, for security reasons,
since this module uses very new features and to avoid getting out of sync with the Steam API.
:::
|
| security.pam.u2f.settings.appid | By default the pam-u2f module sets the application
ID to pam://$HOSTNAME
|
| programs.river-classic.package | The river-classic package to use
|
| services.pantalaimon-headless.instances | Declarative instance config
|
| security.pam.u2f.settings | Options to pass to the PAM module
|
| boot.plymouth.extraConfig | Literal string to append to configFile
and the config file generated by the plymouth module.
|
| security.pam.yubico.enable | Enables Yubico PAM (yubico-pam) module
|
| boot.bcachefs.package | The bcachefs-tools package to use
|
| programs.usbtop.enable | Whether to enable usbtop and required kernel module, to show estimated USB bandwidth.
|
| boot.initrd.network.enable | Add network connectivity support to initrd
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| networking.nftables.enable | Whether to enable nftables and, if the firewall is enabled, use the nftables-based firewall.
nftables is a Linux packet filtering framework intended to
replace frameworks like iptables
|
| security.pam.u2f.enable | Enables U2F PAM (pam-u2f) module
|
| programs.atop.netatop.enable | Whether to install and enable the netatop kernel module
|
| security.pam.rssh.settings | Options to pass to the pam_rssh module
|
| programs.throne.tunMode.setuid | Whether to set the setuid bit on throne-core so it runs as root, which is less
secure than the default setcap method but closer to upstream assumptions
|
| security.tpm2.enable | Whether to enable Trusted Platform Module 2 support.
|
| security.pam.u2f.settings.origin | By default the pam-u2f module sets the origin
to pam://$HOSTNAME
|
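As an added example (not code from the NixOS pam-u2f module or its documentation), the configuration below ties together the security.pam.u2f entries on this page: enabling the module, turning on the cue, and pinning origin and appid instead of leaving the pam://$HOSTNAME default. The origin value pam://example.org, the authfile path and the choice of control are assumptions.

```nix
# Added example, not part of the NixOS pam-u2f module's documentation.
# Assumptions: keys are registered with the stable origin/appid
# "pam://example.org" and the mappings live in a root-owned central file.
{ ... }:
{
  security.pam.u2f = {
    enable = true;
    # "required" makes the U2F touch an additional factor next to the
    # password; the module's default "sufficient" lets the key alone log in.
    control = "required";
    settings = {
      # Tell the user to touch the device instead of waiting silently.
      cue = true;
      # Pinning origin and appid avoids the pam://$HOSTNAME default, under
      # which a hostname change stops every registered key from matching.
      origin = "pam://example.org";
      appid = "pam://example.org";
      # Central, root-owned mapping file (pam_u2f's authfile option), so
      # users cannot enrol extra keys for their own accounts.
      authfile = "/etc/u2f-mappings";
    };
  };
}
```

Register keys with the same origin and appid you configure here; entries created against the hostname default will not match once these values are pinned.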
| hardware.facter.detected.dhcp.enable | Whether to enable Facter dhcp module.
|
| hardware.new-lg4ff.enable | Enables improved Linux module drivers for Logitech driving wheels
|
| services.litellm.settings.litellm_settings | LiteLLM Module settings
|
| programs.neovim.enable | Whether to enable Neovim
|
| boot.initrd.kernelModules | Set of modules that are always loaded by the initrd
|
| security.apparmor.enable | Whether to enable the AppArmor Mandatory Access Control system
|