| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| systemd.user.services.<name>.stopIfChanged | If set, a changed unit is restarted by calling
systemctl stop in the old configuration,
then systemctl start in the new one
|
| services.fedimintd.<name>.nginx.config.listen.*.addr | Listen address.
|
| networking.wg-quick.interfaces.<name>.preUp | Commands called at the start of the interface setup.
|
| services.v4l2-relayd.instances.<name>.input.height | The height to read from input-stream.
|
| services.jibri.xmppEnvironments.<name>.control.login.username | User part of the JID.
|
| services.akkoma.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.gancio.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.fluidd.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.gancio.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.fluidd.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.akkoma.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.monica.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.monica.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.matomo.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.matomo.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.fedimintd.<name>.nginx.config.default | Makes this vhost the default.
|
| services.athens.storage.s3.forcePathStyle | Force path style for the S3 storage backend.
|
| services.headphones.configFile | Path to config file.
|
| services.freeradius.configDir | The path of the freeradius server configuration directory.
|
| hardware.sensor.hddtemp.drives | List of drives to monitor
|
| services.nipap.nipap-www.xmlrpcURIFile | Path to file containing XMLRPC URI for use by web UI - this is a secret, since it contains auth credentials
|
| services.syncplay.saltFile | Path to the file that contains the server salt
|
| services.zitadel.settings.TLS.CertPath | Path to the TLS certificate.
|
| services.zitadel.settings.TLS.KeyPath | Path to the TLS certificate private key.
|
| boot.initrd.luks.devices.<name>.tryEmptyPassphrase | If keyFile fails then try an empty passphrase first before
prompting for password.
|
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| services.wstunnel.servers.<name>.restrictTo.*.port | The port.
|
| services.wstunnel.servers.<name>.restrictTo.*.host | The hostname.
|
| services.firewalld.zones.<name>.protocols | Protocols to allow in the zone.
|
| services.blockbook-frontend.<name>.configFile | Location of the blockbook configuration file.
|
| services.zeronsd.servedNetworks.<name>.package | The zeronsd package to use.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.ca_id | Identity in CA certificate to accept for authentication
|
| services.httpd.virtualHosts.<name>.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.nginx.virtualHosts.<name>.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.nipap.settings.nipapd.db_name | Name of database to use on PostgreSQL server.
|
| services.netbird.clients.<name>.dns-resolver.port | A port to serve DNS entries on when dns-resolver.address is enabled.
|
| services.netbird.tunnels.<name>.dns-resolver.port | A port to serve DNS entries on when dns-resolver.address is enabled.
|
| services.tor.relay.onionServices.<name>.settings | Settings of the onion service
|
| services.blockbook-frontend.<name>.package | The blockbook package to use.
|
| programs.proxychains.proxies.<name>.port | Proxy port
|
| programs.proxychains.proxies.<name>.type | Proxy type.
|
| services.ghostunnel.servers.<name>.allowAll | If true, allow all clients, do not check client cert subject.
|
| networking.vswitches.<name>.openFlowRules | OpenFlow rules to insert into the Open vSwitch
|
| services.syncoid.commands.<name>.sendOptions | Advanced options to pass to zfs send
|
| services.syncoid.commands.<name>.recvOptions | Advanced options to pass to zfs recv
|
| systemd.network.networks.<name>.dhcpServerConfig | Each attribute in this set specifies an option in the
[DHCPServer] section of the unit
|
| systemd.network.networks.<name>.pfifoHeadDropConfig | Each attribute in this set specifies an option in the
[PFIFOHeadDrop] section of the unit
|
| documentation.man.mandoc.settings.output.includes | A string of relative path used as a template for the output path of
linked header files (usually via the In macro) in HTML output
|
| networking.wlanInterfaces.<name>.fourAddr | Whether to enable 4-address mode with type managed.
|
| services.snipe-it.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.v4l2-relayd.instances.<name>.input.format | The video-format to read from input-stream.
|
| services.borgbackup.jobs.<name>.extraPruneArgs | Additional arguments for borg prune
|
| networking.jool.nat64.<name>.framework | The framework to use for attaching Jool's translation to the exist
kernel packet processing rules
|
| services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: This reduces the CPU time spent
in the initial connection setup, at the expense of losing
perfect forward secrecy.
|
| services.firewalld.zones.<name>.forwardPorts.*.to-addr | Destination IP address.
|
| networking.supplicant.<name>.extraCmdArgs | Command line arguments to add when executing wpa_supplicant.
|
| services.tinc.networks.<name>.chroot | Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ipcomp | Enable IPComp compression before encryption
|
| services.vmalert.instances.<name>.enable | Wether to enable VictoriaMetrics's vmalert.
vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.
|
| networking.macvlans.<name>.interface | The interface the macvlan will transmit packets through.
|
| networking.wg-quick.interfaces.<name>.postUp | Commands called after the interface setup.
|
| services.ax25.axports.<name>.description | Free format description of this interface.
|
| services.openbao.settings.listener.<name>.type | The listener type to enable.
|
| services.wordpress.sites.<name>.virtualHost.hostName | Canonical hostname for the server.
|
| services.i2pd.ifname6 | IPv6 interface to bind to.
|
| services.i2pd.ifname4 | IPv4 interface to bind to.
|
| services.consul-template.instances.<name>.user | User under which this instance runs.
|
| services.nebula.networks.<name>.staticHostMap | The static host map defines a set of hosts with fixed IP addresses on the internet (or any network)
|
| services.traefik.dynamicConfigFile | Path to traefik's dynamic configuration to use.
(Using that option has precedence over dynamicConfigOptions)
|
| hardware.deviceTree.overlays.*.dtsFile | Path to .dts overlay file, overlay is applied to
each .dtb file matching "compatible" of the overlay.
|
| services.komodo-periphery.ssl.certFile | Path to SSL certificate file.
|
| services.immich-kiosk.settings | Configuration for immich-kiosk
|
| services.soju.tlsCertificate | Path to server TLS certificate.
|
| services.phylactery.library | Path to CBZ library
|
| services.outline.storage.forcePathStyle | Force S3 path style.
|
| services.rustus.storage.data_dir | path to the local directory where all files are stored
|
| services.pomerium.secretsFile | Path to file containing secrets for Pomerium, in systemd
EnvironmentFile format
|
| services.stash.settings.database | Path to the SQLite database
|
| services.firewalld.services.<name>.helpers | Helpers for the service.
|
| services.firewalld.services.<name>.version | Version of the service.
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file.
Do not write ids section here, use a separate option for it
|
| services.grafana.provision.alerting.contactPoints.settings.contactPoints.*.name | Name of the contact point
|
| services.kimai.sites.<name>.database.passwordFile | A file containing the password corresponding to
database.user.
|
| services.httpd.virtualHosts.<name>.globalRedirect | If set, all requests for this host are redirected permanently to
the given URL.
|
| services.borgbackup.jobs.<name>.privateTmp | Set the PrivateTmp option for
the systemd-service
|
| systemd.network.networks.<name>.networkConfig | Each attribute in this set specifies an option in the
[Network] section of the unit
|
| systemd.network.networks.<name>.ipv6AcceptRAConfig | Each attribute in this set specifies an option in the
[IPv6AcceptRA] section of the unit
|
| systemd.user.services.<name>.reloadIfChanged | Whether the service should be reloaded during a NixOS
configuration switch if its definition has changed
|
| services.cgit.<name>.gitHttpBackend.enable | Whether to bypass cgit and use git-http-backend for HTTP clones
|
| services.ghostunnel.servers.<name>.listen | Address and port to listen on (can be HOST:PORT, unix:PATH).
|
| services.awstats.configs.<name>.webService.urlPrefix | The URL prefix under which the awstats pages appear.
|
| networking.wg-quick.interfaces.<name>.type | The type of the interface
|
| services.kimai.sites.<name>.database.createLocally | Create the database and database user locally.
|
| services.ghostunnel.servers.<name>.target | Address to forward connections to (can be HOST:PORT or unix:PATH).
|
| boot.binfmt.registrations.<name>.mask | A mask to be ANDed with the byte sequence of the file before matching
|
| services.bitcoind.<name>.extraCmdlineOptions | Extra command line options to pass to bitcoind
|