| services.rustus.storage.force_sync | calls fsync system call after every write to disk in local storage
|
| services.openafsServer.roles.backup.cellServDB | Definition of all cell-local backup database server machines
|
| services.postsrsd.configurePostfix | Whether to configure the required settings to use postsrsd in the local Postfix instance.
|
| services.yggdrasil.settings.Listen | Listen addresses for incoming connections
|
| services.dawarich.redis.createLocally | Whether to configure a local Redis server for Dawarich
|
| services.ostinato.rpcServer.address | By default, the Drone RPC server will listen on all interfaces and
local IPv4 addresses for incoming connections from clients
|
| services.postgresql.identMap | Defines the mapping from system users to database users
|
| services.coturn.relay-ips | Relay address (the local IP address that will be used to relay the
packets to the peer)
|
| services.librenms.database.createLocally | Whether to create a local database automatically.
|
| services.librenms.enableLocalBilling | Enable billing Cron-Jobs on the local instance
|
| services.forgejo.database.createDatabase | Whether to create a local database automatically.
|
| services.libeufin.nexus.createLocalDatabase | Whether to enable automatic creation of a local postgres database.
|
| services.thanos.receive.tsdb.retention | How long to retain raw samples on local storage.
0d - disables this retention.
Defaults to 15d in Thanos when set to null.
|
| services.mirakurun.openFirewall | Open ports in the firewall for Mirakurun.
Exposing Mirakurun to the open internet is generally advised against
|
| services.zabbixServer.database.createLocally | Whether to create a local database automatically.
|
| services.woodpecker-agents.agents.<name>.path | Additional packages that should be added to the agent's PATH
|
| services.windmill.database.createLocally | Whether to create a local database automatically.
|
| services.avahi.publish.workstation | Whether to register a service of type "_workstation._tcp" on the local LAN.
|
| services.rosenpass.settings.peers.*.device | Name of the local WireGuard interface to use for this peer.
|
| services.mattermost.database.create | Create a local PostgreSQL or MySQL database for Mattermost automatically.
|
| services.mastodon.database.createLocally | Configure local PostgreSQL database server for Mastodon.
|
| services.pretalx.database.createLocally | Whether to automatically set up the database on the local DBMS instance
|
| services.peertube.database.createLocally | Configure local PostgreSQL database server for PeerTube.
|
| services.forgejo.settings.server.SSH_PORT | SSH port displayed in clone URL
|
| services.your_spotify.enableLocalDB | Whether to enable a local mongodb instance.
|
| security.duosec.fallbackLocalIP | Duo Unix reports the IP address of the authorizing user, for
the purposes of authorization and whitelisting
|
| security.pam.services.<name>.startSession | If set, the service will register a new session with
systemd's login manager
|
| services.pixelfed.database.createLocally | Whether to enable a local database using UNIX socket authentication.
|
| services.zfs.autoReplication.followDelete | Remove remote snapshots that don't have a local correspondent.
|
| programs.tsmClient.servers.<name>.servername | Local name of the IBM TSM server,
must not contain space or more than 64 chars.
|
| services.tsidp.settings.useLocalTailscaled | Use local tailscaled instead of tsnet.
|
| services.postfix-tlspol.configurePostfix | Whether to configure the required settings to use postfix-tlspol in the local Postfix instance.
|
| services.self-deploy.repository | The repository to fetch from
|
| services.certspotter.sendmailPath | Path to the sendmail binary
|
| services.sourcehut.postgresql.enable | Whether to enable local postgresql integration.
|
| services.thanos.sidecar.prometheus.url | URL at which to reach Prometheus's API
|
| services.ncps.cache.lock.backend | Lock backend to use: 'local' (single instance), 'redis'
(distributed), 'postgres' (distributed, requires PostgreSQL)
|
| services.miniflux.createDatabaseLocally | Whether a PostgreSQL database should be automatically created and
configured on the local host
|
| services.invidious.database.createLocally | Whether to create a local database with PostgreSQL.
|
| services.dawarich.database.createLocally | Whether to configure a local PostgreSQL server and database for Dawarich
|
| services.paperless.database.createLocally | Configure local PostgreSQL database server for Paperless.
|
| services.glitchtip.database.createLocally | Whether to enable and configure a local PostgreSQL database server.
|
| services.matrix-synapse.configureRedisLocally | Whether to automatically configure a local redis server for matrix-synapse.
|
| services.epgstation.openFirewall | Open ports in the firewall for the EPGStation web interface.
Exposing EPGStation to the open internet is generally advised against
|
| networking.resolvconf.useLocalResolver | Use local DNS server for resolving.
|
| services.cloudflare-ddns.provider.ipv4 | IP detection provider for IPv4
|
| services.cloudflare-ddns.provider.ipv6 | IP detection provider for IPv6
|
| services.tandoor-recipes.database.createLocally | Configure local PostgreSQL database server for Tandoor Recipes.
|
| services.engelsystem.createDatabase | Whether to create a local database automatically
|
| services.gotosocial.setupPostgresqlDB | Whether to set up a local postgres database and populate the
db-type fields in services.gotosocial.settings.
|
| services.lasuite-docs.postgresql.createLocally | Configure local PostgreSQL database server for docs.
|
| services.borgbackup.jobs.<name>.removableDevice | Whether the repo (which must be local) is a removable device.
|
| services.openafsServer.roles.fileserver.enable | Fileserver role, serves files and volumes from its local storage.
|
| services.firefox-syncserver.database.host | Database host name. localhost is treated specially and inserts
systemd dependencies, other hostnames or IP addresses of the local machine do not.
|
| services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on
|
| services.lasuite-meet.postgresql.createLocally | Whether to configure a local PostgreSQL database server for meet.
|
| services.rke2.environmentVars | Environment variables for configuring the rke2 service/agent
|
| services.borgmatic.configurations.<name>.repositories | A required list of local or remote repositories with paths and
optional labels (which can be used with the --repository flag to
select a repository)
|
| services.grafana.settings.smtp.password | Password used for authentication
|
| services.pulseaudio.zeroconf.publish.enable | Whether to enable publishing the pulseaudio sink in the local network.
|
| services.cjdns.ETHInterface.beacon | Auto-connect to other cjdns nodes on the same network
|
| services.mailpit.instances.<name>.database | Specify the local database filename to store persistent data
|
| virtualisation.nixStore9pCache | Type of 9p cache to use when mounting host nix store. "none" provides
no caching. "loose" enables Linux's local VFS cache. "fscache" uses Linux's
fscache subsystem
|
| services.public-inbox.settings.publicinbox.css | The local path name of a CSS file for the PSGI web interface.
|
| services.misskey.meilisearch.createLocally | Create and use a local Meilisearch instance
|
| services.mediagoblin.createDatabaseLocally | Whether to configure a local postgres database and connect to it.
|
| services.vaultwarden.configurePostgres | Whether to configure a local PostgreSQL server.
|
| services.crowdsec-firewall-bouncer.settings.api_url | URL of the local API.
|
| services.displayManager.dms-greeter.configHome | Path to a user's home directory from which to copy DankMaterialShell
configuration files
|
| services.synapse-auto-compressor.postgresUrl | Connection string to postgresql in the
[rust postgres crate config format](https://docs.rs/postgres/latest/postgres/config/struct
|
| services.mattermost.database.password | Password for local Mattermost database user
|
| services.weblate.configurePostgresql | Whether to enable and configure a local PostgreSQL server by creating a user and database for weblate
|
| services.rosenpass.settings.public_key | Path to a file containing the public key of the local Rosenpass peer
|
| services.rosenpass.settings.secret_key | Path to a file containing the secret key of the local Rosenpass peer
|
| services.sourcehut.settings."builds.sr.ht::worker".bind-address | HTTP bind address for serving local build information/monitoring.
|
| services.matrix-synapse.settings.presence.enabled | Whether to enable presence tracking
|
| services.sharkey.setupMeilisearch | Whether to automatically set up a local Meilisearch instance and configure Sharkey to use it
|
| services.pulseaudio.zeroconf.discovery.enable | Whether to enable discovery of pulseaudio sinks in the local network.
|
| services.prometheus.remoteRead.*.read_recent | Whether reads should be made for queries for time ranges that
the local storage should have complete data for.
|
| services.prometheus.exporters.chrony.user | User name under which the chrony exporter shall be run
|
| services.prometheus.alertmanagerGotify.port | The local port the bridge is listening on.
|
| services.prometheus.exporters.chrony.group | Group under which the chrony exporter shall be run
|
| services.nullmailer.config.adminaddr | If set, all recipients to users at either "localhost" (the literal string)
or the canonical host name (from the me control attribute) are remapped to this address
|
| services.grafana.settings.database.password | The database user's password (not applicable for sqlite3)
|
| services.glance.environmentFile | Path to an environment file as defined in systemd.exec(5)
|
| services.crowdsec-firewall-bouncer.secrets.apiKeyPath | Path to the API key to authenticate with a local CrowdSec API
|
| services.canaille.settings.CANAILLE_SQL.DATABASE_URI | The SQL server URI
|
| services.openssh.listenAddresses | List of addresses and ports to listen on (ListenAddress directive
in config)
|
| services.firefox-syncserver.database.createLocally | Whether to create database and user on the local machine if they do not exist
|
| services.syncthing.settings.options.limitBandwidthInLan | Whether to apply bandwidth limits to devices in the same broadcast domain as the local device.
|
| services.tailscale.serve.services.<name>.endpoints | Map of incoming traffic patterns to local targets
|
| services.prometheus.exporters.postgres.runAsLocalSuperUser | Whether to run the exporter as the local 'postgres' super user.
|
| services.prometheus.exporters.pve.configFile | Path to the service's config file
|
| services.foundationdb.extraReadWritePaths | An extra set of filesystem paths that FoundationDB can read from
and write to
|
| services.cloudflared.tunnels.<name>.originRequest.httpHostHeader | Sets the HTTP Host header on requests sent to the local service.
|
| services.parsedmarc.provision.grafana.dashboard | Whether the official parsedmarc grafana dashboard should
be provisioned to the local grafana instance.
|
| services.nixseparatedebuginfod2.substituters | nix substituter to fetch debuginfo from
|
| services.grafana.settings.security.secret_key | Secret key used for signing
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|