| services.warpgate.settings.ssh.external_port | The SSH listener is reachable via this port externally.
|
| services.quicktun.<name>.remotePort | Remote UDP port
|
| services.fedimintd.<name>.nginx.path | Path to host the API on and forward to the daemon's api port
|
| services.pppd.peers.<name>.autostart | Whether the PPP session is automatically started at boot time.
|
| services.ndppd.proxies.<name>.timeout | Controls how long to wait for a Neighbor Advertisement Message before
invalidating the entry, in milliseconds.
|
| services.httpd.virtualHosts.<name>.acmeRoot | Directory for the ACME challenge, which is PUBLIC; don't put certs or keys in here
|
| services.nginx.virtualHosts.<name>.acmeRoot | Directory for the ACME challenge, which is public
|
| services.homebridge.settings.platforms.*.platform | Platform type
|
| services.grafana.settings.users.password_hint | Text used as placeholder text on login page for password input.
|
| services.postsrsd.settings.unprivileged-user | Unprivileged user to drop privileges to.
Our systemd unit never runs postsrsd as a privileged process, so this option is read-only.
|
| services.ax25.axports.<name>.package | The ax25-tools package to use.
|
| services.nylon.<name>.verbosity | Enable verbose output, default is to not be verbose.
|
| services.drupal.sites.<name>.virtualHost.hostName | Canonical hostname for the server.
|
| systemd.user.paths.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| systemd.user.units.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| services.netbird.clients.<name>.ui.enable | Controls presence of netbird-ui wrapper for this NetBird client.
|
| services.netbird.tunnels.<name>.ui.enable | Controls presence of netbird-ui wrapper for this NetBird client.
|
| services.nextcloud-spreed-signaling.settings.turn.servers | A list of TURN servers to use
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file | Absolute path to the certificate to load
|
| boot.initrd.luks.devices.<name>.preLVM | Whether the luksOpen will be attempted before LVM scan or after it.
|
| services.ghostunnel.servers.<name>.allowOU | Allow client if organizational unit name appears in the list.
|
| services.znapzend.zetup.<name>.destinations.<name>.host | Host to use for the destination dataset
|
| services.tuned.settings.reapply_sysctl | Whether to enable the reapplying of global sysctls after TuneD sysctls are applied.
|
| systemd.user.timers.<name>.partOf | If the specified units are stopped or restarted, then this
unit is stopped or restarted as well.
|
| systemd.user.slices.<name>.partOf | If the specified units are stopped or restarted, then this
unit is stopped or restarted as well.
|
| services.drupal.sites.<name>.virtualHost.servedFiles | This option provides a simple way to serve individual, static files.
This option has been deprecated and will be removed in a future
version of NixOS
|
| services.dokuwiki.sites.<name>.acl | Access Control Lists: see https://www.dokuwiki.org/acl
Mutually exclusive with services.dokuwiki.aclFile
Set this to a value other than null to take precedence over aclFile option
|
| services.grafana.settings.server.read_timeout | Sets the maximum time using a duration format (5s/5m/5ms)
before timing out read of an incoming request and closing idle connections.
0 means there is no timeout for reading the request.
|
| services.nylon.<name>.deniedIPRanges | Denied client IP ranges. These are evaluated after the allowed IP ranges. Defaults to all IPv4 addresses:
[ "0.0.0.0/0" ]
to block all access other than the allowed ranges.
|
| services.grafana.settings.users.default_theme | Sets the default UI theme. system matches the user's system theme.
|
| systemd.services.<name>.scriptArgs | Arguments passed to the main process script
|
| services.autorandr.profiles.<name>.config.<name>.transform | Refer to xrandr(1) for the documentation of the transform matrix.
|
| security.pam.services.<name>.limits.*.value | Value of this limit
|
| services.k3s.manifests.<name>.enable | Whether this manifest file should be generated.
|
| services.k3s.manifests.<name>.source | Path of the source .yaml file.
|
| services.public-inbox.inboxes.<name>.newsgroup | NNTP group name for the inbox.
|
| services.firezone.server.provision.accounts.<name>.actors.<name>.email | The email address used to authenticate as this account
|
| services.sourcehut.settings."hg.sr.ht".changegroup-script | A changegroup script which is installed in every mercurial repo
|
| services.redis.servers.<name>.extraParams | Extra parameters to append to redis-server invocation
|
| services.epgstation.settings.concurrentEncodeNum | The maximum number of encoding jobs that EPGStation would run at the
same time.
|
| services.fedimintd.<name>.nginx.fqdn | Public domain of the API address of the reverse proxy/tls terminator.
|
| services.redis.servers.<name>.appendOnly | By default, data is only periodically persisted to disk. Enable this option to use an append-only file for improved persistence.
|
| services.spiped.config.<name>.timeout | Timeout, in seconds, after which an attempt to connect to
the target or a protocol handshake will be aborted (and the
connection dropped) if not completed
|
| systemd.user.timers.<name>.wants | Start the specified units when this unit is started.
|
| systemd.user.slices.<name>.wants | Start the specified units when this unit is started.
|
| services.borgmatic.settings.repositories.*.path | Path to the repository
|
| services.xserver.xkb.extraLayouts.<name>.symbolsFile | The path to the xkb symbols file
|
| services.filesender.settings.admin_email | Email address of FileSender administrator(s)
|
| services.wyoming.piper.servers.<name>.piper | The piper-tts package to use.
|
| services.neo4j.ssl.policies.<name>.clientAuth | The client authentication stance for this policy.
|
| services.wyoming.piper.servers.<name>.useCUDA | Whether to accelerate the underlying onnxruntime library with CUDA.
|
| services.nginx.virtualHosts.<name>.kTLS | Whether to enable kTLS support
|
| services.syncthing.settings.options.localAnnounceEnabled | Whether to send announcements to the local LAN and use such announcements to find other devices.
|
| power.ups.upsmon.monitor.<name>.type | The relationship with upsd
|
| services.tinc.networks.<name>.hostSettings.<name>.subnets.*.weight | Indicates the priority over identical Subnets owned by different nodes
|
| services.frp.instances.<name>.role | The frp consists of client and server
|
| services.nextcloud-spreed-signaling.settings.turn.apikeyFile | The path to the file containing the value for turn.apikey
|
| services.nextcloud-spreed-signaling.settings.turn.secretFile | The path to the file containing the value for turn.secret
|
| services.openvpn.servers | Each attribute of this option defines a systemd service that
runs an OpenVPN instance
|
| security.acme.certs.<name>.csrKey | Path to the private key to the matching certificate signing request.
|
| services.grafana.settings.database.ca_cert_path | The path to the CA certificate to use.
|
| services.readarr.settings.update.automatically | Automatically download and install updates.
|
| services.firewalld.zones.<name>.ports | Ports to allow in the zone.
|
| services.firewalld.zones.<name>.short | Short description for the zone.
|
| services.firewalld.zones.<name>.rules | Rich rules for the zone.
|
| services.restic.backups.<name>.package | The restic package to use.
|
| services.warpgate.settings.sso_providers | Configure OIDC single sign-on providers.
|
| services.firezone.server.provision.accounts.<name>.auth.<name>.adapter | The auth adapter type
|
| services.sabnzbd.settings.misc.bandwidth_max | Maximum bandwidth in bytes(!)/sec (supports prefixes)
|
| services.xserver.displayManager.lightdm.greeters.enso.iconTheme.name | Name of the icon theme to use for the lightdm-enso-os-greeter
|
| services.matrix-continuwuity.settings.global.port | The port(s) continuwuity will be running on
|
| services.rss2email.feeds.<name>.to | Email address to which to send feed items
|
| services.warpgate.settings.http.external_port | The HTTP listener is reachable via this port externally.
|
| services.redis.servers.<name>.appendFsync | How often to fsync the append-only log, options: no, always, everysec.
|
| security.pam.services.<name>.yubicoAuth | If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
|
| systemd.paths.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| systemd.units.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| services.davis.nginx.locations.<name>.root | Root directory for requests.
|
| services.movim.nginx.locations.<name>.root | Root directory for requests.
|
| services.slskd.nginx.locations.<name>.root | Root directory for requests.
|
| services.bitcoind.<name>.package | The bitcoind package to use.
|
| services.fedimintd.<name>.nginx.config.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.nextcloud.settings.enabledPreviewProviders | The preview providers that should be explicitly enabled.
|
| systemd.user.services.<name>.enable | If set to false, this unit will be a symlink to /dev/null
|
| services.taler.exchange.settings.exchangedb-postgres.CONFIG | Database connection URI.
|
| services.taler.merchant.settings.merchantdb-postgres.CONFIG | Database connection URI.
|
| services.restic.backups.<name>.paths | Which paths to back up, in addition to the ones specified via dynamicFilesFrom
|
| services.bitcoind.<name>.configFile | The configuration file path to supply bitcoind.
|
| services.suricata.settings.logging.stacktrace-on-signal | Requires libunwind to be available when Suricata is configured and built
|
| services.neo4j.ssl.policies.<name>.trustAll | Makes this policy trust all remote parties
|
| services.h2o.hosts.<name>.tls.redirectCode | HTTP status used by globalRedirect & forceSSL
|
| services.rspamd.overrides.<name>.text | Text of the file.
|
| security.pam.services.<name>.usshAuth | If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in
|
| services.jupyter.kernels.<name>.logo32 | Path to 32x32 logo png.
|
| services.jupyter.kernels.<name>.logo64 | Path to 64x64 logo png.
|
| services.nginx.virtualHosts.<name>.listen.*.ssl | Enable SSL.
|
| services.prometheus.exporters.script.settings | Free-form configuration for script_exporter, expressed as a Nix attrset and rendered to YAML.
Migration note:
The previous format using script = "sleep 5" is no longer supported
|
| services.blockbook-frontend.<name>.dataDir | Location of blockbook-frontend-‹name› data directory.
|
| users.extraUsers.<name>.shell | The path to the user's shell
|