| services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.artalk.group | Artalk group name.
|
| services.zammad.group | Name of the Zammad group.
|
| services.prometheus.exporters.chrony.user | User name under which the chrony exporter shall be run
|
| services.anuko-time-tracker.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.armagetronad.servers.<name>.settings | Armagetron Advanced server rules configuration
|
| containers.<name>.timeoutStartSec | Time for the container to start
|
| services.postgresqlWalReceiver.receivers.<name>.extraArgs | A list of extra arguments to pass to the pg_receivewal command.
|
| services.sabnzbd.settings.servers.<name>.expire_date | If Notifications are enabled and an expiry date is
set, warn 5 days before expiry
|
| services.system76-scheduler.assignments.<name>.class | CPU scheduler class.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions | The read permissions to include for this token
|
| services.ytdl-sub.instances.<name>.subscriptions | Subscriptions for ytdl-sub
|
| services.prometheus.exporters.rtl_433.user | User name under which the rtl_433 exporter shall be run.
|
| security.tpm2.tssUser | Name of the tpm device-owner and service user, set if applyUdevRules is
set.
|
| networking.wireguard.interfaces.<name>.fwMark | Mark all wireguard packets originating from
this interface with the given firewall mark
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.tor.relay.onionServices.<name>.settings.HiddenServiceExportCircuitID | See torrc manual.
|
| services.kanidm.provision.groups.<name>.overwriteMembers | Whether the member list should be overwritten each time (true) or appended
(false)
|
| networking.wg-quick.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| services.syncthing.settings.folders.<name>.versioning | How to keep changed/deleted files with Syncthing
|
| virtualisation.oci-containers.containers.<name>.serviceName | Systemd service name that manages the container
|
| services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.secret | Value of the NTLM secret, which is the NT Hash of the actual secret,
that is, MD4(UTF-16LE(secret))
|
| services.strongswan-swanctl.swanctl.pools.<name>.addrs | Addresses allocated in pool
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.system76-scheduler.assignments.<name>.ioClass | IO scheduler class.
|
| services.hostapd.radios.<name>.wifi4.capabilities | HT (High Throughput) capabilities given as a list of flags
|
| virtualisation.fileSystems.<name>.label | Label of the device
|
| services.prometheus.exporters.graphite.user | User name under which the graphite exporter shall be run.
|
| services.prometheus.exporters.postgres.user | User name under which the postgres exporter shall be run.
|
| services.prometheus.exporters.smartctl.user | User name under which the smartctl exporter shall be run.
|
| services.prometheus.exporters.keylight.user | User name under which the keylight exporter shall be run.
|
| services.prometheus.exporters.mikrotik.user | User name under which the mikrotik exporter shall be run.
|
| services.prometheus.exporters.opnsense.user | User name under which the opensense exporter shall be run.
|
| services.prometheus.exporters.influxdb.user | User name under which the influxdb exporter shall be run.
|
| services.prometheus.exporters.fritzbox.user | User name under which the fritzbox exporter shall be run.
|
| services.prometheus.exporters.unpoller.user | User name under which the unpoller exporter shall be run.
|
| services.prometheus.exporters.collectd.user | User name under which the collectd exporter shall be run.
|
| services.prometheus.exporters.blackbox.user | User name under which the blackbox exporter shall be run.
|
| services.prometheus.exporters.nginxlog.user | User name under which the nginxlog exporter shall be run.
|
| services.cloudflared.tunnels.<name>.originRequest.httpHostHeader | Sets the HTTP Host header on requests sent to the local service.
|
| virtualisation.fileSystems.<name>.stratis.poolUuid | UUID of the stratis pool that the fs is located in
This is only relevant if you are using stratis.
|
| services.jibri.xmppEnvironments.<name>.control.login.passwordFile | File containing the password for the user.
|
| networking.interfaces.<name>.proxyARP | Turn on proxy_arp for this device
|
| services.dendrite.settings.global.server_name | The domain name of the server, with optional explicit port
|
| services.bookstack.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The read permissions to include for this token
|
| services.sftpgo.group | Group name under which SFTPGo runs.
|
| services.keepalived.vrrpInstances.<name>.virtualRouterId | Arbitrary unique number 1..255
|
| services.matrix-tuwunel.settings.global.server_name | The server_name is the name of this server
|
| services.matrix-conduit.settings.global.server_name | The server_name is the name of this server
|
| networking.wireguard.interfaces.<name>.preShutdown | Commands called before shutting down the interface.
|
| services.archisteamfarm.bots.<name>.settings | Additional settings that are documented here.
|
| networking.wireguard.interfaces.<name>.privateKeyFile | Private key file as generated by wg genkey.
|
| services.easytier.instances.<name>.settings.listeners | Listener addresses to accept connections from other peers
|
| networking.sits.<name>.encapsulation.sourcePort | Source port when using UDP encapsulation
|
| services.cloudflared.tunnels.<name>.originRequest.tlsTimeout | Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
|
| services.tor.relay.onionServices.<name>.settings.HiddenServiceAllowUnknownPorts | See torrc manual.
|
| services.hostapd.radios.<name>.wifi6.operatingChannelWidth | Determines the operating channel width for HE.
- "20or40": 20 or 40 MHz operating channel width
- "80": 80 MHz channel width
- "160": 160 MHz channel width
- "80+80": 80+80 MHz channel width
|
| networking.wireguard.interfaces.<name>.table | The kernel routing table to add this interface's
associated routes to
|
| containers.<name>.restartIfChanged | Whether the container should be restarted during a NixOS
configuration switch if its definition has changed.
|
| services.gitlab.host | GitLab host name
|
| services.pretix.settings.pretix.instance_name | The name of this installation.
|
| services.radicle.ci.adapters.native.instances.<name>.settings.base_url | Base URL for build logs (mandatory for access from CI broker page).
|
| services.pantalaimon-headless.instances.<name>.logLevel | Set the log level of the daemon.
|
| services.invoiceplane.sites.<name>.database.passwordFile | A file containing the password corresponding to
database.user.
|
| containers.<name>.allowedDevices.*.node | Path to device node
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out | Netfilter mark applied to packets after the outbound IPsec SA processed
them
|
| services.hostapd.radios.<name>.wifi5.operatingChannelWidth | Determines the operating channel width for VHT.
- "20or40": 20 or 40 MHz operating channel width
- "80": 80 MHz channel width
- "160": 160 MHz channel width
- "80+80": 80+80 MHz channel width
|
| services.hostapd.radios.<name>.wifi7.operatingChannelWidth | Determines the operating channel width for EHT.
- "20or40": 20 or 40 MHz operating channel width
- "80": 80 MHz channel width
- "160": 160 MHz channel width
- "80+80": 80+80 MHz channel width
|
| containers.<name>.interfaces | The list of interfaces to be moved into the container.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| virtualisation.oci-containers.containers.<name>.dependsOn | Define which other containers this one depends on
|
| services.cloudflared.tunnels.<name>.originRequest.proxyPort | cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP
|
| services.invoiceplane.sites.<name>.database.createLocally | Create the database and database user locally.
|
| services.tor.relay.onionServices.<name>.settings.HiddenServiceDirGroupReadable | See torrc manual.
|
| services.pantalaimon-headless.instances.<name>.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| virtualisation.interfaces.<name>.vlan | VLAN to which the network interface is connected.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.namecoind.rpc.password | Password for RPC connections.
|
| services.drupal.webserver | Whether to use nginx or caddy for virtual host management
|
| services.github-runners.<name>.ephemeral | If enabled, causes the following behavior:
- Passes the
--ephemeral flag to the runner configuration script
- De-registers and stops the runner with GitHub after it has processed one job
- On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
- Restarts the service after its successful exit
- On start, wipes the state directory and configures a new runner
You should only enable this option if tokenFile points to a file which contains a
personal access token (PAT)
|
| services.fedimintd.<name>.nginx.config.sslTrustedCertificate | Path to root SSL certificate for stapling and client certificates.
|
| virtualisation.fileSystems.<name>.mountPoint | Location where the file system will be mounted
|
| networking.wireguard.interfaces.<name>.postShutdown | Commands called after shutting down the interface.
|
| networking.firewall.interfaces.<name>.allowedUDPPortRanges | Range of open UDP ports.
|
| services.limesurvey.virtualHost.locations.<name>.priority | Order of this location block in relation to the others in the vhost
|
| services.patroni.namespace | Path within the configuration store where Patroni will keep information about the cluster.
|
| services.keepalived.vrrpInstances.<name>.noPreempt | VRRP will normally preempt a lower priority machine when a higher
priority machine comes online. "nopreempt" allows the lower priority
machine to maintain the master role, even when a higher priority machine
comes back online
|
| containers.<name>.forwardPorts | List of forwarded ports from host to container
|
| services.cntlm.domain | Proxy account domain/workgroup name.
|
| services.bcg.automaticRenameNodes | Automatically rename all nodes.
|
| services.fcron.allow | Users allowed to use fcrontab and fcrondyn (one name per
line, all for everyone).
|
| networking.wg-quick.interfaces.<name>.generatePrivateKeyFile | Automatically generate a private key with
wg genkey, at the privateKeyFile location.
|
| services.easytier.instances.<name>.environmentFiles | Environment files for this instance
|
| systemd.network.networks.<name>.deficitRoundRobinSchedulerConfig | Each attribute in this set specifies an option in the
[DeficitRoundRobinScheduler] section of the unit
|
| boot.loader.systemd-boot.extraEntries | Any additional entries you want added to the systemd-boot menu
|
| services.angrr.settings.temporary-root-policies.<name>.priority | Priority of this policy
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action | Action to perform after loading the configuration.
- The default of
none loads the connection only, which
then can be manually initiated or used as a responder configuration.
- The value
trap installs a trap policy, which triggers
the tunnel as soon as matching traffic has been detected.
- The value
start initiates the connection actively.
- Since version 5.9.6 two modes above can be combined with
trap|start,
to immediately initiate a connection for which trap policies have been installed
|