| hardware.fw-fanctrl.config.strategies.<name>.speedCurve | How should the speed curve look like
|
| virtualisation.kvmgt.vgpus.<name>.uuid | UUID(s) of VGPU device
|
| services.mautrix-meta.instances.<name>.serviceDependencies | List of Systemd services to require and wait for when starting the application service.
|
| services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers | Additionally enable the recommended set of pairwise ciphers
|
| services.mail.sendmailSetuidWrapper.program | The name of the wrapper program
|
| networking.interfaces.<name>.virtual | Whether this interface is virtual and should be created by tunctl
|
| programs.uwsm.waylandCompositors.<name>.extraArgs | Extra command-line arguments pass to to the compsitor.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.priority | Order of this location block in relation to the others in the vhost
|
| services.hqplayerd.auth.username | Username used for HQPlayer's WebUI
|
| security.pam.services.<name>.googleAuthenticator.forwardPass | The authentication provides a single field requiring
the user's password followed by the one-time password (OTP).
|
| services.angrr.settings.temporary-root-policies.<name>.ignore-prefixes-in-home | Path prefixes to ignore under home directory
|
| services.syncthing.settings.folders.<name>.copyOwnershipFromParent | On Unix systems, tries to copy file/folder ownership from the parent directory (the directory it’s located in)
|
| boot.binfmt.registrations.<name>.openBinary | Whether to pass the binary to the interpreter as an open
file descriptor, instead of a path.
|
| services.kismet.serverName | The name of the server.
|
| services.vikunja.frontendHostname | The Hostname under which the frontend is running.
|
| services.gdomap.enable | Whether to enable GNUstep Distributed Objects name server.
|
| services.skydns.nameservers | Skydns list of nameservers to forward DNS requests to when not authoritative for a domain.
|
| services.strongswan-swanctl.swanctl.connections.<name>.ppk_id | String identifying the Postquantum Preshared Key (PPK) to be used.
|
| services.dnsdist.dnscrypt.providerName | The name that will be given to this DNSCrypt resolver.
The provider name must start with 2.dnscrypt-cert..
|
| services.cloudflared.tunnels.<name>.originRequest.connectTimeout | Timeout for establishing a new TCP connection to your origin server
|
| services.authelia.instances.<name>.settings.telemetry.metrics.enabled | Enable Metrics.
|
| security.ipa.ipaHostname | Fully-qualified hostname used to identify this host in the IPA domain.
|
| networking.vswitches.<name>.extraOvsctlCmds | Commands to manipulate the Open vSwitch database
|
| networking.wireless.networks.<name>.psk | The network's pre-shared key in plaintext defaulting
to being a network without any authentication.
Be aware that this will be written to the Nix store
in plaintext! Use pskRaw with an external
reference to keep it safe.
Mutually exclusive with pskRaw.
|
| networking.supplicant.<name>.configFile.path | External wpa_supplicant.conf configuration file
|
| services.cassandra.jmxRoles.*.username | Username for JMX
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails | List of emails to allow access to this vhost, or null to allow all.
|
| services.pantalaimon-headless.instances.<name>.listenAddress | The address where the daemon will listen to client connections
for this homeserver.
|
| networking.wireless.networks.<name>.ssid | You could use this field to override the network's ssid
|
| services.hadoop.hdfs.namenode.openFirewall | Open firewall ports for HDFS NameNode.
|
| services.postgresqlWalReceiver.receivers.<name>.compress | Enables gzip compression of write-ahead logs, and specifies the compression level
(0 through 9, 0 being no compression and 9 being best compression)
|
| services.epmd.enable | Whether to enable socket activation for Erlang Port Mapper Daemon (epmd),
which acts as a name server on all hosts involved in distributed
Erlang computations.
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request
(Basic authorization type, USER:[PASS]).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing HTTP_PASSWORD=<your-password-here> and set this
option to <user>:$HTTP_PASSWORD
|
| networking.supplicant.<name>.extraConf | Configuration options for wpa_supplicant.conf
|
| services.librenms.user | Name of the LibreNMS user.
|
| services.dokuwiki.webserver | Whether to use nginx or caddy for virtual host management
|
| services.freshrss.webserver | Whether to use nginx or caddy for virtual host management
|
| services.bacula-fd.tls.verifyPeer | Verify peer certificate
|
| services.bacula-sd.tls.verifyPeer | Verify peer certificate
|
| services.icingaweb2.modules.monitoring.transports.<name>.type | Type of this transport
|
| services.outline.smtp.host | Host name or IP address of the SMTP server.
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.password | |
| containers.<name>.nixpkgs | A path to the nixpkgs that provide the modules, pkgs and lib for evaluating the container
|
| networking.wg-quick.interfaces.<name>.peers.*.publicKey | The base64 public key to the peer.
|
| services.hddfancontrol.settings.<drive-bay-name>.logVerbosity | Verbosity of the log level
|
| services.maubot.settings.server.hostname | The IP to listen on
|
| services.radicle.httpd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.radicle.httpd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.icingaweb2.modules.monitoring.transports.<name>.host | Host for the api or remote transport
|
| services.davfs2.davUser | When invoked by root the mount.davfs daemon will run as this user
|
| services.bacula-dir.tls.verifyPeer | Verify peer certificate
|
| security.pam.services.<name>.googleOsLoginAccountVerification | If set, will use the Google OS Login PAM modules
(pam_oslogin_login,
pam_oslogin_admin) to verify possible OS Login
users and set sudoers configuration accordingly
|
| networking.wireguard.interfaces.<name>.ips | The IP addresses of the interface.
|
| services.strongswan-swanctl.swanctl.connections.<name>.dscp | Differentiated Services Field Codepoint to set on outgoing IKE packets for
this connection
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ah_proposals | AH proposals to offer for the CHILD_SA
|
| services.authelia.instances.<name>.settings.telemetry.metrics.address | The address to listen on for metrics
|
| services.icingaweb2.modules.monitoring.transports.<name>.path | Path to the socket for local or remote transports
|
| services.icingaweb2.modules.monitoring.transports.<name>.port | Port to connect to for the api or remote transport
|
| programs.nix-required-mounts.allowedPatterns.<name>.paths | A list of glob patterns, indicating which paths to expose to the sandbox
|
| services.rspamd.locals | Local configuration files, written into /etc/rspamd/local.d/{name}.
|
| services.pantalaimon-headless.instances.<name>.extraSettings | Extra configuration options
|
| services.strongswan-swanctl.swanctl.authorities.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| programs.uwsm.waylandCompositors.<name>.comment | The comment field of the desktop entry file.
|
| services.librenms.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.agorakit.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.agorakit.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.librenms.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.dolibarr.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.dolibarr.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.kanboard.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.fediwall.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.kanboard.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.fediwall.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.pixelfed.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.pixelfed.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.mainsail.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.mainsail.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.tt-rss.virtualHost | Name of the nginx virtualhost to use and setup
|
| services.biboumi.settings.hostname | The hostname served by the XMPP gateway
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.icingaweb2.modules.monitoring.backends.<name>.disabled | Disable this backend
|
| networking.interfaces.<name>.virtualOwner | In case of a virtual device, the user who owns it.
null will not set owner, allowing access to any user.
|
| services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce | Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it
|
| networking.wireless.networks.<name>.extraConfig | Extra configuration lines appended to the network block
|
| services.castopod.database.hostname | Database hostname.
|
| networking.vswitches.<name>.interfaces | The physical network interfaces connected by the vSwitch.
|
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects
|
| services.microsocks.authUsername | Optional username to use for authentication.
|
| services.syncthing.settings.folders.<name>.ignorePatterns | Syncthing can be configured to ignore certain files in a folder using ignore patterns
|
| security.pam.services.<name>.googleOsLoginAuthentication | If set, will use the pam_oslogin_login's user
authentication methods to authenticate users using 2FA
|
| services.dovecot2.user | Dovecot user name.
|
| users.extraUsers.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| services.forgejo.dump.file | Filename to be used for the dump
|
| hardware.fw-fanctrl.config.strategies.<name>.speedCurve.*.temp | Temperature in °C at which the fan speed should be changed
|
| networking.wg-quick.interfaces.<name>.privateKeyFile | Private key file as generated by wg genkey.
|
| services.strongswan-swanctl.swanctl.connections.<name>.vips | List of virtual IPs to request in IKEv2 configuration payloads or IKEv1
Mode Config
|
| services.hadoop.hdfs.namenode.formatOnInit | Format HDFS namenode on first start
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.starttls | set to true for using STARTTLS to start a TLS connection
|