| networking.ipips.<name>.remote | The address of the remote endpoint to forward traffic over.
|
| programs.neovim.runtime.<name>.source | Path of the source file.
|
| systemd.user.slices.<name>.startLimitBurst | Configure unit start rate limiting
|
| systemd.user.timers.<name>.startLimitBurst | Configure unit start rate limiting
|
| services.invoiceplane.sites.<name>.invoiceTemplates | List of path(s) to respective template(s) which are copied from the 'invoice_templates/pdf' directory.
These templates need to be packaged before use, see example.
|
| services.dawarich.smtp.user | SMTP login name.
|
| services.mastodon.smtp.user | SMTP login name.
|
| services.factorio.loadLatestSave | Load the latest savegame on startup
|
| services.pretix.nginx.domain | The domain name under which to set up the virtual host.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| systemd.network.networks.<name>.genericRandomEarlyDetectionConfig | Each attribute in this set specifies an option in the
[GenericRandomEarlyDetection] section of the unit
|
| services.cloudflared.tunnels.<name>.originRequest.noHappyEyeballs | Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
|
| services.authelia.instances.<name>.settings.telemetry.metrics.address | The address to listen on for metrics
|
| services.sanoid.datasets.<name>.script_timeout | Time limit for pre/post/pruning script execution time (<=0 for infinite).
|
| services.keepalived.vrrpInstances.<name>.trackInterfaces | List of network interfaces to monitor for health tracking.
|
| services.deye-dummycloud.mqttUsername | MQTT username
|
| services.syncthing.settings.folders.<name>.ignorePatterns | Syncthing can be configured to ignore certain files in a folder using ignore patterns
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.vsmartcard-vpcd.hostname | Hostname of a waiting vpicc server vpcd will be connecting to
|
| services.discourse.database.username | Discourse database user.
|
| services.taskserver.organisations.<name>.groups | A list of group names that belong to the organization.
|
| services.syncthing.settings.folders.<name>.copyOwnershipFromParent | On Unix systems, tries to copy file/folder ownership from the parent directory (the directory it’s located in)
|
| services.strongswan-swanctl.swanctl.authorities.<name>.file | Absolute path to the certificate to load
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions | The read permissions to include for this token
|
| security.acme.certs.<name>.webroot | Where the webroot of the HTTP vhost is located.
.well-known/acme-challenge/ directory
will be created below the webroot if it doesn't exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
|
| containers.<name>.extraVeths.<name>.hostBridge | Put the host-side of the veth-pair into the named bridge
|
| security.wrappers.<name>.setgid | Whether to add the setgid bit the wrapper program.
|
| security.wrappers.<name>.setuid | Whether to add the setuid bit the wrapper program.
|
| services.matrix-synapse.workers.<name>.worker_log_config | The file for log configuration
|
| boot.initrd.systemd.contents.<name>.target | Path of the symlink.
|
| services.journald.upload.settings.Upload.ServerCertificateFile | SSL CA certificate in PEM format
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.namespaces.names | Namespace name.
|
| services.davfs2.davUser | When invoked by root the mount.davfs daemon will run as this user
|
| services.keycloak.database.username | Username to use when connecting to an external or manually
provisioned database; has no effect when a local database is
automatically provisioned
|
| hardware.alsa.controls.<name>.maxVolume | The maximum volume in dB.
|
| services.hddfancontrol.settings.<drive-bay-name>.pwmPaths | PWM filepath(s) to control fan speed (under /sys), followed by initial and fan-stop PWM values
Can also use command substitution to ensure the correct hwmonX is selected on every boot
|
| services.spiped.config | Configuration for a secure pipe daemon
|
| services.flannel.iface | Interface to use (IP or name) for inter-host communication
|
| environment.etc.<name>.mode | If set to something else than symlink,
the file is copied instead of symlinked, with the given
file mode.
|
| systemd.paths.<name>.requisite | Similar to requires
|
| security.auditd.plugins.<name>.active | Whether to enable Whether to enable this plugin.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out | Netfilter mark applied to packets after the outbound IPsec SA processed
them
|
| systemd.user.paths.<name>.requisite | Similar to requires
|
| security.acme.certs.<name>.extraDomainNames | A list of extra domain names, which are included in the one certificate to be issued.
|
| boot.initrd.systemd.contents.<name>.source | Path of the source file.
|
| services.gammu-smsd.backend.sql.user | User name used for connection to the database
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The read permissions to include for this token
|
| security.pam.services.<name>.googleAuthenticator.forwardPass | The authentication provides a single field requiring
the user's password followed by the one-time password (OTP).
|
| services.angrr.settings.temporary-root-policies.<name>.ignore-prefixes-in-home | Path prefixes to ignore under home directory
|
| systemd.network.networks.<name>.deficitRoundRobinSchedulerClassConfig | Each attribute in this set specifies an option in the
[DeficitRoundRobinSchedulerClass] section of the unit
|
| services.pantalaimon-headless.instances.<name>.listenPort | The port where the daemon will listen to client connections for
this homeserver
|
| containers.<name>.extraVeths.<name>.hostAddress | The IPv4 address assigned to the host interface.
(Not used when hostBridge is set.)
|
| systemd.user.tmpfiles.users.<name>.rules | Per-user rules for creation, deletion and cleaning of volatile and
temporary files automatically
|
| services.cloudflared.tunnels.<name>.originRequest.connectTimeout | Timeout for establishing a new TCP connection to your origin server
|
| services.system76-scheduler.assignments.<name>.matchers | Process matchers.
|
| services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce | Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it
|
| services.hadoop.hdfs.namenode.restartIfChanged | Automatically restart the service on config change
|
| boot.initrd.luks.devices.<name>.yubikey.keyLength | Length of the LUKS slot key derived with PBKDF2 in byte.
|
| boot.initrd.luks.devices.<name>.yubikey.twoFactor | Whether to use a passphrase and a YubiKey (true), or only a YubiKey (false).
|
| services.kerberos_server.settings.realms.<name>.acl | The privileges granted to a user.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action | Action to perform after loading the configuration.
- The default of
none loads the connection only, which
then can be manually initiated or used as a responder configuration.
- The value
trap installs a trap policy, which triggers
the tunnel as soon as matching traffic has been detected.
- The value
start initiates the connection actively.
- Since version 5.9.6 two modes above can be combined with
trap|start,
to immediately initiate a connection for which trap policies have been installed
|
| systemd.network.networks.<name>.dns | A list of dns servers to be added to the network section of the
unit
|
| systemd.network.networks.<name>.vrf | A list of vrf interfaces to be added to the network section of the
unit
|
| systemd.network.networks.<name>.ntp | A list of ntp servers to be added to the network section of the
unit
|
| networking.bridges.<name>.rstp | Whether the bridge interface should enable rstp.
|
| networking.greTunnels.<name>.dev | The underlying network device on which the tunnel resides.
|
| services.postgresqlWalReceiver.receivers.<name>.directory | Directory to write the output to.
|
| services.zfs.autoReplication.username | Username used by SSH to login to remote host.
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request
(Basic authorization type, USER:[PASS]).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing HTTP_PASSWORD=<your-password-here> and set this
option to <user>:$HTTP_PASSWORD
|
| services.radicle.httpd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.radicle.httpd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.password | |
| services.kubernetes.kubelet.hostname | Kubernetes kubelet hostname override.
|
| services.sanoid.templates.<name>.pruning_script | Script to run after pruning snapshot.
|
| security.dhparams.params.<name>.bits | The bit size for the prime that is used during a Diffie-Hellman
key exchange.
|
| services.strongswan-swanctl.swanctl.connections.<name>.ppk_id | String identifying the Postquantum Preshared Key (PPK) to be used.
|
| services.dnsdist.enable | Whether to enable dnsdist domain name server.
|
| services.slurm.controlAddr | Name that ControlMachine should be referred to in establishing a
communications path.
|
| services.unbound.enable | Whether to enable Unbound domain name server.
|
| systemd.timers.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| systemd.slices.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| services.calibre-web.dataDir | Where Calibre-Web stores its data
|
| services.nixops-dns.domain | Fake domain name to resolve to NixOps virtual machines
|
| containers.<name>.extraVeths.<name>.hostAddress6 | The IPv6 address assigned to the host interface.
(Not used when hostBridge is set.)
|
| systemd.user.timers.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| systemd.user.slices.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| security.acme.certs.<name>.directory | Directory where certificate and other state is stored.
|
| environment.etc.<name>.source | Path of the source file.
|
| boot.initrd.systemd.contents.<name>.enable | Whether to enable copying of this file and symlinking it.
|
| systemd.user.slices.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| systemd.user.timers.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| services.strongswan-swanctl.swanctl.connections.<name>.dscp | Differentiated Services Field Codepoint to set on outgoing IKE packets for
this connection
|
| services.jupyter.user | Name of the user used to run the jupyter service
|
| systemd.timers.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| systemd.slices.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| services.zfs.autoReplication.localFilesystem | Local ZFS filesystem from which snapshots should be sent
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails | List of emails to allow access to this vhost, or null to allow all.
|
| services.strongswan-swanctl.swanctl.connections.<name>.mediated_by | The name of the connection to mediate this connection through
|
| services.tarsnap.archives.<name>.aggressiveNetworking | Upload data over multiple TCP connections, potentially
increasing tarsnap's bandwidth utilisation at the cost
of slowing down all other network traffic
|