| Option | Description |
|---|---|
| networking.firewall.extraReversePathFilterRules | Additional nftables rules to be appended to the rpfilter-allow chain |
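As an added example (not taken from the NixOS module documentation), the nftables-based firewall below keeps strict reverse-path filtering on every interface and exempts only one assumed WireGuard interface, `wg0`, whose traffic is legitimately asymmetrically routed; the interface name and the `10.100.0.0/24` prefix are assumptions:

```nix
# Added example; wg0 and the 10.100.0.0/24 tunnel prefix are assumed.
{ config, lib, ... }:
{
  # extraReversePathFilterRules is only consulted by the nftables firewall.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;
    # Keep the strict fib-based check for every interface rather than
    # relaxing it globally with checkReversePath = "loose".
    checkReversePath = "strict";
    # These rules are appended to the rpfilter-allow chain, which is only
    # reached after the reverse-path lookup has failed. Exempt the tunnel
    # interface alone, scoped further to the tunnel's own prefix, so
    # spoofed sources arriving on other interfaces still hit the drop.
    extraReversePathFilterRules = ''
      iifname "wg0" ip saddr 10.100.0.0/24 accept
    '';
  };
}
```

After `nixos-rebuild switch`, confirm with `nft list ruleset` that the rule appears in the rpfilter-allow chain and that the rpfilter chain's policy is still drop; a packet from `wg0` with a source outside `10.100.0.0/24`, or from any other interface with a source the routing table would not send back that way, is still discarded.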
| services.tt-rss.registration.enable | Allow users to register themselves |
| services.firezone.server.openClusterFirewall | Opens up the Erlang distribution port of all enabled components to allow reaching the server cluster from the internet |
| services.opensnitch.settings.DefaultAction | Default action (block or allow) for application internet access |
| services.nextcloud.appstoreEnable | Allow the installation and updating of apps from the Nextcloud app store |
| services.yggdrasil.settings.AllowedPublicKeys | List of peer public keys to allow incoming peering connections from |
| services.jupyterhub.jupyterhubEnv | Python environment to run JupyterHub in; customizing it affects the packages available in the hub and proxy |
| services.epgstation.settings.encodeProcessNum | The maximum number of processes that EPGStation will allow to run at the same time for encoding or streaming videos |
| services.usbguard.presentControllerPolicy | How to treat USB controller devices that are already connected when the daemon starts |
| virtualisation.incus.softDaemonRestart | Allow incus.service to be stopped without affecting running instances |
| services.chrony.initstepslew.enabled | DEPRECATED |
| services.factorio.requireUserVerification | When set to true, the server will only allow clients that have a valid factorio.com account |
| services.pretix.settings.pretix.registration | Whether to allow registration of new admin users |
| services.wstunnel.servers.<name>.settings.restrict-to | Restrictions on the connections that the server will accept |
| virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) vGPU support |
| services.beesd.filesystems.<name>.spec | Description of how to identify the filesystem to be deduplicated by this instance of bees |
| services.home-assistant.lovelaceConfigWritable | Whether to make ui-lovelace.yaml writable |
| networking.wireless.userControlled | Allow users of the wpa_supplicant group to control wpa_supplicant through wpa_gui or wpa_cli |
| networking.ipips.<name>.encapsulation.limit | For an IPv6-based tunnel, the maximum number of nested encapsulations to allow; 0 means no nesting, "none" means unlimited |
| services.nullmailer.config.adminaddr | If set, all recipients to users at either "localhost" (the literal string) or the canonical host name (from the me control attribute) are remapped to this address |
| services.resolved.dnsovertls | If set to "true", all DNS lookups will be encrypted |
| services.firewalld.settings.StrictForwardPorts | If enabled, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT'd by other entities, e.g. Docker |
| services.cloudflared.tunnels.<name>.originRequest.noTLSVerify | Disables TLS verification of the certificate presented by your origin |
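The weak setting beside the corrected one, as an added example that is not part of the NixOS module documentation: the tunnel id, hostname, origin address and CA path are assumed, and `caPool` and `originServerName` are assumed to be exposed under `originRequest` in the same way as cloudflared's own `originRequest` keys.

```nix
# Added example; tunnel id, hostname, origin address and CA path are assumed.
{ ... }:
{
  services.cloudflared = {
    enable = true;
    tunnels."0f7f4a2e-example" = {
      credentialsFile = "/run/secrets/cloudflared-tunnel.json";
      default = "http_status:404";

      ingress = {
        "app.example.com" = "https://127.0.0.1:8443";
      };

      # Weak: noTLSVerify = true makes cloudflared accept any certificate
      # from the origin. The hop to 127.0.0.1 is still encrypted, but
      # nothing proves the peer answering on 8443 is the application.
      # originRequest.noTLSVerify = true;

      # Hardened: keep verification on, trust only the private CA that
      # issued the origin's certificate, and check the certificate for the
      # name the origin actually presents rather than the public hostname.
      originRequest = {
        noTLSVerify = false;
        caPool = "/etc/ssl/origin-ca.pem";           # assumed path
        originServerName = "app.internal";           # assumed name
      };
    };
  };
}
```

`noTLSVerify = true` is the setting that turns up in production when an origin uses a self-signed certificate; the fix is to distribute that certificate (or its issuing CA) via `caPool`, not to disable verification.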
| services.plausible.server.disableRegistration | Whether to prohibit creating an account in Plausible's UI, or to allow it only on invitation (invite_only) |
| services.rutorrent.nginx.exposeInsecureRPC2mount | If you do not enable one of the rpc or httprpc plugins, you need to expose an RPC mount through SCGI using this option |
| networking.wireless.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli |
| services.tarsnap.keyfile | The keyfile which associates this machine with your Tarsnap account |
| services.resolved.dnssec | If set to "true", all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS) |
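A systemd-resolved configuration that uses the strict values of both `services.resolved.dnsovertls` and `services.resolved.dnssec`, with the softer alternatives shown alongside, as an added example that is not from the NixOS module documentation; the resolver addresses and names are assumptions:

```nix
# Added example; the resolver addresses and their names are assumed.
{ ... }:
{
  # The "#name" suffix gives resolved the name to validate the server
  # certificate against and to send as SNI; without it the certificate is
  # only checked against the IP address.
  networking.nameservers = [
    "9.9.9.9#dns.quad9.net"
    "2620:fe::fe#dns.quad9.net"
  ];

  services.resolved = {
    enable = true;

    # Strict: every upstream query goes over TLS, and resolution fails
    # rather than falling back to cleartext if the server lacks DoT.
    dnsovertls = "true";
    # Strict: answers are validated locally. Unsigned zones still resolve,
    # but a failed validation, or a resolver that strips DNSSEC records,
    # produces an error instead of possibly forged data.
    dnssec = "true";

    # The softer values fall back silently to plaintext or unvalidated
    # answers when the upstream does not cooperate, which an on-path
    # attacker can provoke; they trade the guarantee for availability.
    # dnsovertls = "opportunistic";
    # dnssec = "allow-downgrade";

    # Fallback servers are used when no per-link servers are configured;
    # keep them DoT-capable so the strict setting cannot strand the host.
    fallbackDns = [ "149.112.112.112#dns.quad9.net" ];
  };
}
```

After switching, `resolvectl status` should report DNS over TLS and DNSSEC as `yes` for the link, and `resolvectl query` against a deliberately broken-signature test name should fail rather than return an address.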
| services.dendrite.environmentFile | Environment file as defined in systemd.exec(5) |
| services.pgbouncer.settings.pgbouncer.max_db_connections | Do not allow more than this many server connections per database (regardless of user) |
| services.discourse.database.ignorePostgresqlVersion | Whether to allow other versions of PostgreSQL than the recommended one |
| services.wyoming.faster-whisper.servers.<name>.useTransformers | Whether to provide the dependencies to allow using transformer models |
| networking.supplicant.<name>.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli |
| documentation.man.mandoc.cachePath | Change the paths where mandoc makewhatis(8) generates the manual page index caches; documentation.man.generateCaches should be enabled to allow cache generation |
| virtualisation.docker.daemon.settings.live-restore | Allow dockerd to be restarted without affecting running containers |
| services.mchprs.settings.block_in_hitbox | Allow placing blocks inside of players (hitbox logic is simplified) |
| security.agnos.settings.dns_listen_addr | Address for agnos to listen on |
| services.hostapd.radios.<name>.networks.<name>.dynamicConfigScripts | All of these scripts will be executed in lexicographical order before hostapd is started, right after the bss segment was generated, and may dynamically append bss options to the generated configuration file |
| virtualisation.virtualbox.host.enableWebService | Build the VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other web page frontend tools |
| services.pgbouncer.settings.pgbouncer.max_user_connections | Do not allow more than this many server connections per user (regardless of database) |
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects |
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting |
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports | Either a single port or port range to allow |
| services.hercules-ci-agent.settings.concurrentTasks | Number of tasks to perform simultaneously |
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.protocol | The protocol to allow |
| services.postgresql.systemCallFilter | Configures the syscall filter for postgresql.service |
| services.hostapd.radios.<name>.networks.<name>.authentication.saeAddToMacAllow | If set, all SAE password entries that have a non-wildcard MAC associated to them will additionally be used to populate the MAC allow list |
| virtualisation.oci-containers.containers.<name>.volumes | List of volumes to attach to this container |
| services.grafana.provision.datasources.settings.datasources.*.editable | Allow users to edit datasources from the UI |
| services.xserver.windowManager.xmonad.config | Configuration from which XMonad gets compiled |
| services.pgbouncer.settings.pgbouncer.default_pool_size | How many server connections to allow per user/database pair |
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword | Sets the password for WPA-PSK that will be converted to the pre-shared key |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_dscp | Whether to copy the DSCP (Differentiated Services Field Codepoint) header field to/from the outer IP header in tunnel mode |
| services.strongswan-swanctl.swanctl.connections.<name>.childless | Use childless IKE_SA initiation (allow, prefer, force or never) |
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.project_id | The project_id and project_name fields are optional for the Identity V2 API |
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.project_name | The project_id and project_name fields are optional for the Identity V2 API |
| services.pgbouncer.settings.pgbouncer.ignore_startup_parameters | By default, PgBouncer allows only parameters it can keep track of in startup packets: client_encoding, datestyle, timezone and standard_conforming_strings |
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.application_credential_id | The application_credential_id or application_credential_name fields are required if using an application credential to authenticate |
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.application_credential_name | The application_credential_id or application_credential_name fields are required if using an application credential to authenticate |
| services.prometheus.exporters.wireguard.singleSubnetPerField | By default, all allowed IPs and subnets are comma-separated in the allowed_ips field |
| system.autoUpgrade.rebootWindow | Define a lower and upper time value (in HH:MM format) which constitute a time window during which reboots are allowed after an upgrade |
| services.bind.cacheNetworks | What networks are allowed to use us as a resolver |
| services.prometheus.exporters.mail.configuration.servers | List of servers that should be probed. Note: if your mail server has rspamd(8) configured, it can happen that emails from this exporter are marked as spam |
| services.quicktun.<name>.timeWindow | Allowed time window for the first received packet, in seconds (a positive number allows packets from history) |
| services.avahi.denyInterfaces | List of network interfaces that should be ignored by the avahi-daemon |
| networking.firewall.pingLimit | If pings are allowed, this allows setting rate limits on them |
| services.rauc.bundleFormats | Allowable formats for the RAUC bundle |
| services.oauth2-proxy.tls.httpsAddress | addr:port to listen on for HTTPS clients |
| services.borgbackup.repos.<name>.quota | Storage quota for the repository |
| services.artalk.settings | The Artalk configuration |
| services.movim.podConfig.xmppwhitelist | The allowlisted XMPP servers |
| services.hostapd.radios.<name>.networks.<name>.authentication.pairwiseCiphers | Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets) |
| services.yggdrasil.openMulticastPort | Whether to open the UDP port used for multicast peer discovery |
| lib | This option allows modules to define helper functions, constants, etc. |
| nix.sshServe.keys | A list of SSH public keys allowed to access the binary cache via SSH |
| services.grafana.settings.users.auto_assign_org | Set to true to automatically add new users to the main organization (id 1) |
| security.doas.extraRules.*.cmd | The command the user is allowed to run |
| services.nylon.<name>.deniedIPRanges | Denied client IP ranges; these are evaluated after the allowed IP ranges. Defaults to all IPv4 addresses, [ "0.0.0.0/0" ], so that all access other than the allowed ranges is blocked |
| services.rustus.cors | List of origins allowed to upload |
| nix.sshServe.write | Whether to enable writing to the Nix store as a remote store via SSH |
| containers | A set of NixOS system configurations to be run as lightweight containers |
| programs.fuse.mountMax | Set the maximum number of FUSE mounts allowed to non-root users |
| services.uptimed.enable | Enable uptimed, allowing you to track your highest uptimes |
| programs.ssh.ciphers | Specifies the ciphers allowed and their order of preference |
| services.murmur.users | Maximum number of concurrent clients allowed |
| users.users.<name>.subGidRanges | Subordinate group ids that the user is allowed to use |
| users.users.<name>.subUidRanges | Subordinate user ids that the user is allowed to use |
| security.doas.extraConfig | Extra configuration text appended to doas.conf |
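A least-privilege doas rule using `security.doas.extraRules.*.cmd` together with `security.doas.extraConfig`, as an added example that is not from the NixOS module documentation; the user names, the group and the target unit are assumed:

```nix
# Added example; the users "deploy", the group "ops" and nginx.service are assumed.
{ ... }:
{
  security.doas = {
    enable = true;

    extraRules = [
      # Least privilege: one absolute path with a fixed argument list. Once
      # args is set, doas permits exactly these arguments and nothing else.
      # The caller must invoke the same absolute path, e.g.
      #   doas /run/current-system/sw/bin/systemctl restart nginx.service
      {
        users = [ "deploy" ];
        cmd = "/run/current-system/sw/bin/systemctl";
        args = [ "restart" "nginx.service" ];
        noPass = true;
      }

      # Too broad, kept only for comparison: without args any arguments are
      # accepted (start, stop, edit, ...), and keepEnv hands the caller's
      # environment, including PATH and LD_* variables, to the privileged
      # process.
      # { users = [ "deploy" ]; cmd = "systemctl"; keepEnv = true; }
    ];

    # Raw doas.conf text appended after the generated rules. doas takes the
    # last matching rule, so never follow a narrow permit with a broader
    # rule (or a bare "deny deploy") for the same user; a rule for a
    # different group, as here, does not interfere.
    extraConfig = ''
      permit persist :ops cmd /run/current-system/sw/bin/journalctl
    '';
  };
}
```

Check the result with `doas -C /etc/doas.conf /run/current-system/sw/bin/systemctl restart nginx.service` as the deploy user, which prints `permit nopass` for the allowed invocation and `deny` for any other argument list.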
| services.cfssl.mutualTlsCn | Mutual TLS: regex allowlist of permitted client CNs |
| services.sanoid.extraArgs | Extra arguments to pass to sanoid |
| users.users.<name>.subUidRanges.*.startUid | Start of the range of subordinate user ids that the user is allowed to use |
| users.users.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that the user is allowed to use |
| security.ipa.ifpAllowedUids | A list of users allowed to access the ifp D-Bus interface |
| services.molly-brown.certPath | Path to TLS certificate |
| services.pihole-ftl.lists.*.type | Whether domains on this list should be explicitly allowed, or blocked |
| users.extraUsers.<name>.subUidRanges | Subordinate user ids that the user is allowed to use |
| users.extraUsers.<name>.subGidRanges | Subordinate group ids that the user is allowed to use |
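Disjoint subordinate id ranges for two users, with an evaluation-time assertion that no two users' `subUidRanges` overlap, as an added example that is not from the NixOS module documentation; the user names and the ranges are assumed. Overlapping ranges matter because a file created as uid 100001 inside one user's rootless container would then also be owned by the other user's container:

```nix
# Added example; users "alice" and "bob" and the 65536-id blocks are assumed.
{ config, lib, ... }:
let
  # Every subordinate uid range of every user as a half-open [start, end).
  ranges = lib.concatLists (lib.mapAttrsToList
    (name: u: map (r: {
      inherit name;
      start = r.startUid;
      end = r.startUid + r.count;
    }) u.subUidRanges)
    config.users.users);

  # Pairs of ranges belonging to different users that intersect.
  overlaps = lib.filter
    (p: p.a.name != p.b.name && p.a.start < p.b.end && p.b.start < p.a.end)
    (lib.concatMap (a: map (b: { inherit a b; }) ranges) ranges);
in
{
  users.users = {
    # Blocks start well above the system and regular-user id space so no
    # subordinate id aliases a real account, and uid/gid ranges are symmetric.
    alice = {
      isNormalUser = true;
      subUidRanges = [ { startUid = 100000; count = 65536; } ];
      subGidRanges = [ { startGid = 100000; count = 65536; } ];
    };
    bob = {
      isNormalUser = true;
      # 100000 + 65536: begins exactly where alice's block ends.
      subUidRanges = [ { startUid = 165536; count = 65536; } ];
      subGidRanges = [ { startGid = 165536; count = 65536; } ];
    };
  };

  # Fail the build, not the running system, if someone later adds a user
  # whose block collides with an existing one.
  assertions = [
    {
      assertion = overlaps == [ ];
      message = "subordinate uid ranges overlap: "
        + lib.concatMapStringsSep ", " (p: "${p.a.name}/${p.b.name}") overlaps;
    }
  ];
}
```

The same check can be duplicated for `subGidRanges` with `startGid`; after switching, `/etc/subuid` should contain one line per user of the form `alice:100000:65536`, and `podman unshare cat /proc/self/uid_map` run as alice should show the 65536-id mapping starting at 100000.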
| services.openssh.banner | Message to display to the remote user before authentication is allowed |
| services.btrbk.sshAccess.*.key | SSH public key allowed to log in as user btrbk to run remote backups |
| services.maddy.localDomains | Define the list of allowed domains |