| boot.initrd.luks.devices.<name>.yubikey.storage.path | Absolute path of the salt on the unencrypted device with
that device's root directory as "/".
|
| systemd.user.sockets.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| systemd.user.targets.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.id | Identity the NTLM secret belongs to
|
| services.shorewall.configs | This option defines the Shorewall configs
|
| services.namecoind.wallet | Wallet file
|
| services.simplesamlphp.<name>.configureNginx | Configure nginx as a reverse proxy for SimpleSAMLphp.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The read permissions to include for this token
|
| services.tor.relay.onionServices.<name>.authorizedClients | Authorized clients for a v3 onion service,
as a list of public keys, in the format:
descriptor:x25519:<base32-public-key>
See torrc manual.
|
| services.neo4j.ssl.policies.<name>.allowKeyGeneration | Allows the generation of a private key and associated self-signed
certificate
|
| services.strongswan-swanctl.swanctl.secrets.rsa.<name>.secret | Value of decryption passphrase for RSA key.
|
| boot.initrd.luks.devices.<name>.fido2.credential | The FIDO2 credential ID.
|
| networking.wireguard.interfaces.<name>.listenPort | 16-bit port for listening
|
| services.mpdscribble.endpoints.<name>.passwordFile | File containing the password, either as MD5SUM or cleartext.
|
| services.sabnzbd.settings.servers.<name>.connections | Number of parallel connections permitted by
the server.
|
| systemd.network.networks.<name>.ipv6SendRAConfig | Each attribute in this set specifies an option in the
[IPv6SendRA] section of the unit
|
| systemd.network.netdevs.<name>.l2tpSessions | Each item in this array specifies an option in the
[L2TPSession] section of the unit
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_bytes | Number of bytes processed before initiating CHILD_SA rekeying
|
| services.borgbackup.jobs.<name>.encryption.passCommand | A command which prints the passphrase to stdout
|
| services.angrr.settings.profile-policies.<name>.keep-current-system | Whether to keep the current system generation
|
| services.librenms.hostname | The hostname to serve LibreNMS on.
|
| networking.wlanInterfaces.<name>.meshID | MeshID of interface with type mesh.
|
| services.botamusique.settings.bot.username | Name the bot should appear with.
|
| networking.wireless.networks.<name>.pskRaw | Either the raw pre-shared key in hexadecimal format
or the name of the secret (as defined inside
networking.wireless.secretsFile and prefixed
with ext:) containing the network pre-shared key.
Be aware that this will be written to the Nix store
in plaintext! Always use an external reference.
The external secret can be either the plaintext
passphrase or the raw pre-shared key.
Mutually exclusive with psk and auth.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.alias | Alias directory for requests.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.index | Adds index directive.
|
| services.wstunnel.clients.<name>.tlsVerifyCertificate | Whether to verify the TLS certificate of the server
|
| services.wordpress.sites.<name>.virtualHost.listenAddresses | Listen addresses for this virtual host
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.close_action | Action to perform after a CHILD_SA gets closed by the peer.
- The default of none does not take any action,
- trap installs a trap policy for the CHILD_SA.
- start tries to re-create the CHILD_SA.
close_action does not provide any guarantee that the
CHILD_SA is kept alive
|
| users.mysql.pam.table | The name of the table that maps unique login names to the passwords.
|
| system.nixos.codeName | The NixOS release code name (e.g. Emu).
|
| services.postgresqlWalReceiver.receivers.<name>.extraArgs | A list of extra arguments to pass to the pg_receivewal command.
|
| services.system76-scheduler.assignments.<name>.class | CPU scheduler class.
|
| containers.<name>.forwardPorts.*.protocol | The protocol specifier for port forwarding between host and container
|
| services.bookstack.nginx.serverName | Name of this virtual host
|
| services.wyoming.faster-whisper.servers.<name>.initialPrompt | Optional text to provide as a prompt for the first window
|
| boot.specialFileSystems.<name>.device | The device as passed to mount
|
| systemd.network.netdevs.<name>.macvlanConfig | Each attribute in this set specifies an option in the
[MACVLAN] section of the unit
|
| services.ncps.cache.redis.username | Redis username for authentication (for Redis ACL).
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in | Netfilter mark applied to packets after the inbound IPsec SA processed
them
|
| services.syncthing.settings.devices.<name>.autoAcceptFolders | Automatically create or share folders that this device advertises at the default path
|
| services.sabnzbd.settings.servers.<name>.ssl_verify | Level of TLS verification
|
| services.limesurvey.httpd.virtualHost.locations.<name>.index | Adds DirectoryIndex directive
|
| services.limesurvey.httpd.virtualHost.locations.<name>.alias | Alias directory for requests
|
| boot.loader.grub.users.<name>.hashedPasswordFile | Specifies the path to a file containing the password hash
for the account, generated with grub-mkpasswd-pbkdf2
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.system76-scheduler.assignments.<name>.ioClass | IO scheduler class.
|
| boot.initrd.luks.devices.<name>.allowDiscards | Whether to allow TRIM requests to the underlying device
|
| services.nitter.server.hostname | Hostname of the instance.
|
| services.mosquitto.listeners.*.users.<name>.passwordFile | Specifies the path to a file containing the
clear text password for the MQTT user
|
| services.strongswan-swanctl.swanctl.secrets.token.<name>.pin | Optional PIN required to access the key on the token
|
| services.namecoind.extraNodes | List of additional peer IP addresses to connect to.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.tryFiles | Adds try_files directive.
|
| networking.fqdn | The fully qualified domain name (FQDN) of this host
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth | Authentication to expect from remote
|
| services.hostapd.radios.<name>.wifi4.capabilities | HT (High Throughput) capabilities given as a list of flags
|
| services.jirafeau.nginxConfig.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.nullmailer.config.me | The fully-qualified host name of the computer running nullmailer
|
| services.archisteamfarm.bots.<name>.settings | Additional settings that are documented here.
|
| services.strongswan-swanctl.swanctl.secrets.xauth.<name>.id | Identity the EAP/XAuth secret belongs to
|
| services.fedimintd.<name>.nginx.config.listen.*.extraParameters | Extra parameters of this listen directive.
|
| services.jibri.xmppEnvironments.<name>.control.login.domain | The domain part of the JID for this Jibri instance.
|
| security.apparmor.policies.<name>.profile | The profile file contents
|
| services.keepalived.vrrpInstances.<name>.virtualRouterId | Arbitrary unique number 1..255
|
| services.gitlab-runner.services.<name>.registrationFlags | Extra command-line flags passed to
gitlab-runner register
|
| systemd.network.networks.<name>.pfifoFastConfig | Each attribute in this set specifies an option in the
[PFIFOFast] section of the unit
|
| systemd.network.networks.<name>.bridgeConfig | Each attribute in this set specifies an option in the
[Bridge] section of the unit
|
| networking.wlanInterfaces.<name>.flags | Flags for interface of type monitor.
|
| networking.supplicant.<name>.driver | Force a specific wpa_supplicant driver.
|
| services.bcg.device | Device name to configure gateway to use.
|
| services.gitlab-runner.services.<name>.registrationConfigFile | Absolute path to a file with environment variables
used for gitlab-runner registration with runner registration
tokens
|
| services.znc.user | The name of an existing user account to use to own the ZNC server
process
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.per_cpu_sas | Enable per-CPU CHILD_SAs
|
| services.librenms.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.kanboard.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.agorakit.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.dolibarr.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.fediwall.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.mainsail.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.pixelfed.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.kanidm.provision.systems.oauth2.<name>.originLanding | When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.
|
| programs.tsmClient.servers.<name>.inclexcl | Text lines with include.* and exclude.* directives
to be used when sending files to the IBM TSM server,
or an absolute path pointing to a file with such lines.
|
| services.artalk.user | Artalk user name.
|
| services.sogo.vhostName | Name of the nginx vhost
|
| services.zammad.user | Name of the Zammad user.
|
| services.cloudflared.tunnels.<name>.warp-routing.enabled | Enable warp routing
|
| services.hostapd.radios.<name>.wifi6.operatingChannelWidth | Determines the operating channel width for HE.
- "20or40": 20 or 40 MHz operating channel width
- "80": 80 MHz channel width
- "160": 160 MHz channel width
- "80+80": 80+80 MHz channel width
|
| systemd.user.targets.<name>.startLimitIntervalSec | Configure unit start rate limiting
|
| systemd.user.sockets.<name>.startLimitIntervalSec | Configure unit start rate limiting
|
| networking.wlanInterfaces.<name>.type | The type of the WLAN interface
|
| services.limesurvey.virtualHost.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| systemd.user.sockets.<name>.reloadTriggers | An arbitrary list of items such as derivations
|
| systemd.user.targets.<name>.reloadTriggers | An arbitrary list of items such as derivations
|
| boot.zfs.devNodes | Name of directory from which to import ZFS device; this is passed to zpool import
as the value of the -d option
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| image.repart.partitions.<name>.repartConfig | Specify the repart options for a partition as a structural setting
|
| services.hostapd.radios.<name>.wifi5.operatingChannelWidth | Determines the operating channel width for VHT.
- "20or40": 20 or 40 MHz operating channel width
- "80": 80 MHz channel width
- "160": 160 MHz channel width
- "80+80": 80+80 MHz channel width
|
| services.hostapd.radios.<name>.wifi7.operatingChannelWidth | Determines the operating channel width for EHT.
- "20or40": 20 or 40 MHz operating channel width
- "80": 80 MHz channel width
- "160": 160 MHz channel width
- "80+80": 80+80 MHz channel width
|
| services.datadog-agent.hostname | The hostname to show in the Datadog dashboard (optional)
|