| boot.initrd.luks.devices.<name>.bypassWorkqueues | Whether to bypass dm-crypt's internal read and write workqueues
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.authelia.instances.<name>.settings.telemetry.metrics.address | The address to listen on for metrics
|
| fileSystems.<name>.autoFormat | If the device does not currently contain a filesystem (as
determined by blkid), then automatically
format it with the filesystem type specified in
fsType
|
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting
|
| networking.wg-quick.interfaces.<name>.preDown | Command called before the interface is taken down.
|
| programs.proxychains.proxies.<name>.host | Proxy host or IP address.
|
| programs.xfs_quota.projects.<name>.sizeSoftLimit | Soft limit of the project size
|
| programs.xfs_quota.projects.<name>.sizeHardLimit | Hard limit of the project size.
|
| services.keter.bundle.appName | The name keter assigns to this bundle
|
| services.guix.publish.user | Name of the user to change once the server is up.
|
| services.woodpecker-agents.agents.<name>.environmentFile | File to load environment variables
from
|
| services.cloudflared.tunnels.<name>.originRequest.noHappyEyeballs | Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
|
| networking.wireguard.interfaces.<name>.listenPort | 16-bit port for listening
|
| networking.wg-quick.interfaces.<name>.peers | Peers linked to the interface.
|
| boot.zfs.devNodes | Name of directory from which to import ZFS device, this is passed to zpool import
as the value of the -d option
|
| services.simplesamlphp.<name>.configureNginx | Configure nginx as a reverse proxy for SimpleSAMLphp.
|
| containers.<name>.extraVeths.<name>.forwardPorts.*.protocol | The protocol specifier for port forwarding between host and container
|
| boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.group | The group of the file
|
| services.invoiceplane.sites.<name>.invoiceTemplates | List of path(s) to respective template(s) which are copied from the 'invoice_templates/pdf' directory.
These templates need to be packaged before use, see example.
|
| services.keepalived.vrrpInstances.<name>.trackInterfaces | List of network interfaces to monitor for health tracking.
|
| programs.xfs_quota.projects.<name>.fileSystem | XFS filesystem hosting the xfs_quota project.
|
| services.sanoid.datasets.<name>.script_timeout | Time limit for pre/post/pruning script execution time (<=0 for infinite).
|
| services.avahi.domainName | Domain name for all advertisements.
|
| boot.initrd.luks.devices.<name>.fido2.credentials | List of FIDO2 credential IDs
|
| services.taskserver.organisations.<name>.groups | A list of group names that belong to the organization.
|
| systemd.network.networks.<name>.ipv6PREF64Prefixes | A list of IPv6PREF64Prefix sections to be added to the unit
|
| services.strongswan-swanctl.swanctl.authorities.<name>.file | Absolute path to the certificate to load
|
| services.syncthing.settings.folders.<name>.copyOwnershipFromParent | On Unix systems, tries to copy file/folder ownership from the parent directory (the directory it’s located in)
|
| openstack.zfs.datasets.<name>.properties | Properties to set on this dataset.
|
| services.baikal.pool | Name of existing phpfpm pool that is used to run web-application
|
| services.strongswan-swanctl.swanctl.connections.<name>.mediated_by | The name of the connection to mediate this connection through
|
| image.repart.partitions.<name>.nixStorePrefix | The prefix to use for store paths
|
| networking.wlanInterfaces.<name>.meshID | MeshID of interface with type mesh.
|
| services.patroni.scope | Cluster name.
|
| services.cyrus-imap.group | Cyrus IMAP group name
|
| services.mautrix-meta.instances.<name>.environmentFile | File containing environment variables to substitute when copying the configuration
out of Nix store to the services.mautrix-meta.dataDir
|
| services.vlagent.remoteWrite.basicAuthUsername | Basic Auth username used to connect to remote_write endpoint
|
| services.vmagent.remoteWrite.basicAuthUsername | Basic Auth username used to connect to remote_write endpoint
|
| services.nextjs-ollama-llm-ui.hostname | The hostname under which the Ollama UI interface should be accessible
|
| users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| image.repart.partitions.<name>.stripNixStorePrefix | Whether to strip /nix/store/ from the store paths
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_packets | Number of packets processed before initiating CHILD_SA rekeying
|
| networking.wg-quick.interfaces.<name>.postDown | Command called after the interface is taken down.
|
| services.archisteamfarm.bots.<name>.passwordFile | Path to a file containing the password
|
| services.authelia.instances.<name>.secrets.storageEncryptionKeyFile | Path to your storage encryption key.
|
| services.tailscale.serve.services | Services to configure for Tailscale Serve
|
| security.pam.services.<name>.googleAuthenticator.forwardPass | The authentication provides a single field requiring
the user's password followed by the one-time password (OTP).
|
| services.angrr.settings.temporary-root-policies.<name>.ignore-prefixes-in-home | Path prefixes to ignore under home directory
|
| services.outline.smtp.host | Host name or IP address of the SMTP server.
|
| programs.schroot.profiles.<name>.copyfiles | A list of files to copy into the chroot from the host system.
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.password | |
| services.kerberos_server.settings.realms.<name>.acl | The privileges granted to a user.
|
| services.hddfancontrol.settings.<drive-bay-name>.pwmPaths | PWM filepath(s) to control fan speed (under /sys), followed by initial and fan-stop PWM values
Can also use command substitution to ensure the correct hwmonX is selected on every boot
|
| services.syncthing.settings.folders.<name>.ignorePatterns | Syncthing can be configured to ignore certain files in a folder using ignore patterns
|
| services.radicle.httpd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.radicle.httpd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce | Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it
|
| services.system76-scheduler.assignments.<name>.matchers | Process matchers.
|
| services.cloudflared.tunnels.<name>.originRequest.connectTimeout | Timeout for establishing a new TCP connection to your origin server
|
| services.mosquitto.listeners.*.users.<name>.hashedPasswordFile | Specifies the path to a file containing the
hashed password for the MQTT user
|
| services.murmur.group | The name of an existing group to use to run the service
|
| services.buildkite-agents | Attribute set of buildkite agents
|
| users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| services.postgresqlWalReceiver.receivers.<name>.directory | Directory to write the output to.
|
| services.microsocks.authUsername | Optional username to use for authentication.
|
| systemd.network.networks.<name>.ipv6RoutePrefixes | A list of ipv6RoutePrefix sections to be added to the unit
|
| services.pantalaimon-headless.instances.<name>.listenPort | The port where the daemon will listen to client connections for
this homeserver
|
| services.drupal.webserver | Whether to use nginx or caddy for virtual host management
|
| services.openssh.settings.UseDns | Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for
the remote IP address maps back to the very same IP address
|
| services.strongswan-swanctl.swanctl.connections.<name>.ppk_id | String identifying the Postquantum Preshared Key (PPK) to be used.
|
| networking.wireless.networks.<name>.bssid | If set, this network block is used only when associating with
the AP using the configured BSSID.
|
| services.sanoid.templates.<name>.pruning_script | Script to run after pruning snapshot.
|
| services.wiki-js.settings.db.db | Name of the database to use.
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.serveraddress | mailserver name or address
|
| security.auditd.plugins.<name>.direction | The option is dictated by the plugin
|
| services.samba-wsdd.domain | Set domain name (disables workgroup).
|
| services.keycloak.settings.hostname | The hostname part of the public URL used as base for
all frontend requests
|
| networking.wlanInterfaces.<name>.type | The type of the WLAN interface
|
| security.acme.certs.<name>.credentialFiles | Environment variables suffixed by "_FILE" to set for the cert's service
for your selected dnsProvider
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters.*.name | See this list
for the available filters.
|
| networking.wlanInterfaces.<name>.flags | Flags for interface of type monitor.
|
| networking.supplicant.<name>.driver | Force a specific wpa_supplicant driver.
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails | List of emails to allow access to this vhost, or null to allow all.
|
| security.ipa.ipaHostname | Fully-qualified hostname used to identify this host in the IPA domain.
|
| users.mysql.pam.logging.rHostColumn | The name of the column in the log table to which the name of the remote
host that initiates the session is stored
|
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects
|
| networking.interfaces.<name>.wakeOnLan.enable | Whether to enable wol on this interface.
|
| services.bacula-fd.tls.verifyPeer | Verify peer certificate
|
| services.bacula-sd.tls.verifyPeer | Verify peer certificate
|
| services.vault.address | The name of the ip interface to listen to
|
| services.discourse.mail.outgoing.username | The username of the SMTP server.
|
| services.strongswan-swanctl.swanctl.connections.<name>.dscp | Differentiated Services Field Codepoint to set on outgoing IKE packets for
this connection
|
| fileSystems.<name>.autoResize | If set, the filesystem is grown to its maximum size before
being mounted. (This is typically the size of the containing
partition.) This is currently only supported for ext2/3/4
filesystems that are mounted during early boot.
|
| systemd.user.paths.<name>.overrideStrategy | Defines how unit configuration is provided for systemd:
asDropinIfExists creates a unit file when no unit file is provided by the package
otherwise it creates a drop-in file named overrides.conf.
asDropin creates a drop-in file named overrides.conf
|
| systemd.user.units.<name>.overrideStrategy | Defines how unit configuration is provided for systemd:
asDropinIfExists creates a unit file when no unit file is provided by the package
otherwise it creates a drop-in file named overrides.conf.
asDropin creates a drop-in file named overrides.conf
|
| services.forgejo.dump.file | Filename to be used for the dump
|
| services.prometheus.exporters.ebpf.names | List of eBPF programs to load
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.starttls | set to true for using STARTTLS to start a TLS connection
|