| boot.initrd.luks.devices.<name>.yubikey | The options to use for this LUKS device in YubiKey-PBA
|
| systemd.targets.<name>.startLimitBurst | Configure unit start rate limiting
|
| systemd.sockets.<name>.startLimitBurst | Configure unit start rate limiting
|
| services.strongswan-swanctl.swanctl.connections.<name>.encap | To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
NAT detection payloads
|
| security.acme.certs.<name>.extraLegoRenewFlags | Additional flags to pass to lego renew.
|
| systemd.network.networks.<name>.DHCP | Whether to enable DHCP on the interfaces matched.
|
| services.dendrite.settings.global.server_name | The domain name of the server, with optional explicit port
|
| services.authelia.instances.<name>.environmentVariables | Additional environment variables to provide to authelia
|
| networking.fooOverUDP.<name>.local.address | Local address to bind to
|
| services.pantalaimon-headless.instances.<name>.homeserver | The URI of the homeserver that the pantalaimon proxy should
forward requests to, without the matrix API path but including
the http(s) schema.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local | Section for a local authentication round
|
| boot.specialFileSystems.<name>.mountPoint | Location where the file system will be mounted
|
| security.auditd.plugins.<name>.args | This allows you to pass arguments to the child program
|
| systemd.timers.<name>.requisite | Similar to requires
|
| systemd.slices.<name>.requisite | Similar to requires
|
| systemd.user.slices.<name>.startLimitBurst | Configure unit start rate limiting
|
| systemd.user.timers.<name>.startLimitBurst | Configure unit start rate limiting
|
| programs.neovim.runtime.<name>.source | Path of the source file.
|
| systemd.network.links.<name>.linkConfig | Each attribute in this set specifies an option in the
[Link] section of the unit
|
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects
|
| services.gitlab-runner.services.<name>.authenticationTokenConfigFile | Absolute path to a file containing environment variables used for
gitlab-runner registrations with runner authentication tokens
|
| services.postgresqlWalReceiver.receivers.<name>.environment | Environment variables passed to the service
|
| services.keycloak.settings.hostname | The hostname part of the public URL used as base for
all frontend requests
|
| services.kerberos_server.settings.realms.<name>.acl.*.target | The principals that 'access' applies to.
|
| services.matrix-tuwunel.settings.global.server_name | The server_name is the name of this server
|
| services.matrix-conduit.settings.global.server_name | The server_name is the name of this server
|
| boot.loader.systemd-boot.windows.<name>.title | The title of the boot menu entry.
|
| services.authelia.instances.<name>.settings.telemetry.metrics.address | The address to listen on for metrics
|
| containers.<name>.specialArgs | A set of special arguments to be passed to NixOS modules
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.starttls | Set to true to use STARTTLS to start a TLS connection
|
| services.tor.client.onionServices.<name>.clientAuthorizations | Clients' authorizations for a v3 onion service,
as a list of files, each containing one private key in the format:
descriptor:x25519:<base32-private-key>
See torrc manual.
|
| security.acme.certs.<name>.webroot | Where the webroot of the HTTP vhost is located.
A .well-known/acme-challenge/ directory
will be created below the webroot if it doesn't exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
|
| systemd.sockets.<name>.listenStreams | For each item in this list, a ListenStream
option in the [Socket] section will be created.
|
| services.influxdb2.provision.organizations.<name>.buckets | Buckets to provision in this organization.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.crl_uris | List of CRL distribution points (ldap, http, or file URI)
|
| hardware.alsa.controls.<name>.maxVolume | The maximum volume in dB.
|
| services.influxdb2.provision.organizations.<name>.present | Whether to ensure that this organization is present or absent.
|
| services.minidlna.settings.friendly_name | Name that the server presents to clients.
|
| networking.macvlans.<name>.mode | The mode of the macvlan device.
|
| services.peertube-runner.instancesToRegister.<name>.runnerDescription | Runner description declared to the PeerTube instance.
|
| security.auditd.plugins.<name>.active | Whether to enable this plugin.
|
| services.postgresqlWalReceiver.receivers.<name>.postgresqlPackage | The postgresql package to use.
|
| systemd.user.paths.<name>.requisite | Similar to requires
|
| security.acme.certs.<name>.extraDomainNames | A list of extra domain names, which are included in the one certificate to be issued.
|
| services.pretix.settings.pretix.instance_name | The name of this installation.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|
| services.strongswan-swanctl.swanctl.connections.<name>.version | IKE major version to use for connection.
- 1 uses IKEv1 aka ISAKMP,
- 2 uses IKEv2.
- A connection using the default of 0 accepts both IKEv1 and IKEv2 as
responder, and initiates the connection actively with IKEv2
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote | Section for a remote authentication round
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.serveraddress | mailserver name or address
|
| systemd.sockets.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| systemd.targets.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| ec2.zfs.datasets.<name>.properties | Properties to set on this dataset.
|
| systemd.network.networks.<name>.dns | A list of dns servers to be added to the network section of the
unit
|
| systemd.network.networks.<name>.vrf | A list of vrf interfaces to be added to the network section of the
unit
|
| systemd.network.networks.<name>.ntp | A list of ntp servers to be added to the network section of the
unit
|
| systemd.targets.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| systemd.sockets.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| boot.initrd.luks.devices.<name>.keyFileTimeout | The amount of time in seconds for a keyFile to appear before
timing out and trying passwords.
|
| networking.greTunnels.<name>.type | Whether the tunnel routes layer 2 (tap) or layer 3 (tun) traffic.
|
| environment.etc.<name>.enable | Whether this /etc file should be generated
|
| boot.initrd.luks.devices.<name>.keyFileSize | The size of the key file
|
| services.strongswan-swanctl.swanctl.pools.<name>.split_include | Address or CIDR subnets
StrongSwan default: []
|
| services.strongswan-swanctl.swanctl.pools.<name>.split_exclude | Address or CIDR subnets
StrongSwan default: []
|
| security.dhparams.params.<name>.bits | The bit size for the prime that is used during a Diffie-Hellman
key exchange.
|
| services.discourse.database.username | Discourse database user.
|
| systemd.user.timers.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| systemd.user.slices.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| security.acme.certs.<name>.directory | Directory where certificate and other state is stored.
|
| systemd.user.slices.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| systemd.user.timers.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.ocsp_uris | List of OCSP URIs
|
| services.strongswan-swanctl.swanctl.connections.<name>.mobike | Enables MOBIKE on IKEv2 connections
|
| services.keycloak.database.username | Username to use when connecting to an external or manually
provisioned database; has no effect when a local database is
automatically provisioned
|
| services.cloudflared.tunnels.<name>.originRequest.disableChunkedEncoding | Disables chunked transfer encoding
|
| networking.wlanInterfaces.<name>.device | The name of the underlying hardware WLAN device as assigned by udev.
|
| networking.greTunnels.<name>.local | The address of the local endpoint which the remote
side should send packets to.
|
| containers.<name>.macvlans | The list of host interfaces from which macvlans will be
created
|
| fileSystems.<name>.encrypted.enable | The block device is backed by an encrypted one; adds this device as an initrd LUKS entry.
|
| services.rshim.device | Specify the device name to attach
|
| hardware.display.outputs.<name>.edid | An EDID filename to be used for configured display, as in edid/<filename>
|
| systemd.user.sockets.<name>.requires | Start the specified units when this unit is started, and stop
this unit when the specified units are stopped or fail.
|
| systemd.user.targets.<name>.requires | Start the specified units when this unit is started, and stop
this unit when the specified units are stopped or fail.
|
| systemd.user.sockets.<name>.enable | If set to false, this unit will be a symlink to
/dev/null
|
| systemd.user.targets.<name>.enable | If set to false, this unit will be a symlink to
/dev/null
|
| security.auditd.plugins.<name>.type | This tells the dispatcher how the plugin wants to be run
|
| security.acme.certs.<name>.dnsProvider | DNS Challenge provider
|
| boot.initrd.luks.devices.<name>.gpgCard.gracePeriod | Time in seconds to wait for the GPG Smartcard.
|
| boot.initrd.luks.devices.<name>.fido2.gracePeriod | Time in seconds to wait for the FIDO2 key.
|
| services.postgresqlWalReceiver.receivers.<name>.synchronous | Flush the WAL data to disk immediately after it has been received
|
| programs.ssh.knownHosts.<name>.publicKey | The public key data for the host
|
| systemd.network.networks.<name>.bond | A list of bond interfaces to be added to the network section of the
unit
|
| systemd.user.sockets.<name>.socketConfig | Each attribute in this set specifies an option in the
[Socket] section of the unit
|
| systemd.network.networks.<name>.xfrm | A list of xfrm interfaces to be added to the network section of the
unit
|
| systemd.network.networks.<name>.vlan | A list of vlan interfaces to be added to the network section of the
unit
|
| services.zfs.autoReplication.username | Username used by SSH to login to remote host.
|
| services.anubis.instances | An attribute set of Anubis instances
|
| services.echoip.enableReverseHostnameLookups | Whether to enable reverse hostname lookups.
|
| services.kubernetes.kubelet.hostname | Kubernetes kubelet hostname override.
|
| services.ghostunnel.servers.<name>.disableAuthentication | Disable client authentication, no client certificate will be required.
|
| hardware.sane.brscan5.netDevices.<name>.ip | The IP address of the device
|