| services.sftpgo.loadDataFile | Path to a json file containing users and folders to load (or update) on startup
|
| services.openssh.settings.DenyGroups | If specified, login is denied for all users part of the listed
groups
|
| services.prosody.modules.mam | Store messages in an archive and allow users to access it
|
| services.openssh.settings.AllowGroups | If specified, login is allowed only for users part of the
listed groups
|
| services.prosody.modules.motd | Send a message to users when they log in
|
| programs.minipro.enable | Whether to enable minipro and its udev rules
|
| services.dovecot2.mailGroup | Default group to store mail for virtual users.
|
| services.davfs2.davGroup | The group of the running mount.davfs daemon
|
| security.duosec.groups | If specified, Duo authentication is required only for users
whose primary group or supplementary group list matches one
of the space-separated pattern lists
|
| services.tt-rss.singleUserMode | Operate in single user mode, disables all functionality related to
multiple users and authentication
|
| services.prosody.modules.pep | Enables users to publish their mood, activity, playing music and more
|
| services.diod.allsquash | Remap all users to "nobody"
|
| services.drupal.sites.<name>.themesDir | The location for users to install Drupal themes.
|
| services.glitchtip.settings.ENABLE_USER_REGISTRATION | When true, any user will be able to register
|
| services.syncplay.motd | Text to display when users join
|
| services.prosody.modules.vcard | Allow users to set vCards
|
| services.timekpr.adminUsers | All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo.
|
| services.kea.dhcp4.configFile | Kea DHCP4 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp4-srv.html
|
| services.kea.dhcp6.configFile | Kea DHCP6 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp6-srv.html
|
| services.kea.dhcp-ddns.configFile | Kea DHCP-DDNS configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/ddns.html
|
| virtualisation.incus.enable | Whether to enable incusd, a daemon that manages containers and virtual machines
|
| networking.wireless.userControlled | Allow users of the wpa_supplicant group to control wpa_supplicant
through wpa_gui or wpa_cli
|
| services.coturn.realm | The default realm to be used for the users when no explicit
origin/realm relationship was found in the database, or if the TURN
server is not using any database (just the command-line settings
and the userdb file)
|
| services.coturn.no-auth | This option is opposite to lt-cred-mech.
(TURN Server with no-auth option allows anonymous access)
|
| programs.flashrom.enable | Installs flashrom and configures udev rules for programmers
used by flashrom
|
| services.bitlbee.authBackend | How users are authenticated
storage -- save passwords internally
pam -- Linux PAM authentication
|
| services.alerta.signupEnabled | Whether to prevent sign-up of new users via the web UI
|
| services.prosody.modules.roster | Allow users to have a roster
|
| security.doas.extraRules.*.runAs | Which user or group the specified command is allowed to run as
|
| services.hologram-server.ldapBaseDN | The base DN for your Hologram users
|
| services.sourcehut.settings."todo.sr.ht".notify-from | Outgoing email for notifications generated by users.
|
| services.cryptpad.settings.httpUnsafeOrigin | This is the URL that users will enter to load your instance
|
| services.drupal.sites.<name>.modulesDir | The location for users to install Drupal modules.
|
| services.vsftpd.userlistEnable | Whether users are included.
|
| networking.wireless.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli
|
| services.kea.ctrl-agent.configFile | Kea Control Agent configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/agent.html
|
| services.tt-rss.forceArticlePurge | When this option is not 0, users' ability to control feed purging
intervals is disabled and all articles (which are not starred)
older than this number of days are purged.
|
| security.pam.krb5.enable | Enables Kerberos PAM modules (pam-krb5,
pam-ccreds)
|
| security.pam.yubico.enable | Enables Yubico PAM (yubico-pam) module
|
| security.loginDefs.chfnRestrict | Use chfn SUID to allow non-root users to change their account GECOS information.
|
| services.zeitgeist.enable | Whether to enable zeitgeist, a service which logs the users' activities and events.
|
| services.vsftpd.forceLocalDataSSL | Only applies if sslEnable is true
|
| services.aria2.enable | Whether or not to enable the headless Aria2 daemon service
|
| programs.mouse-actions.enable | Whether to install and set up mouse-actions and its udev rules
|
| services.sourcehut.settings."lists.sr.ht".notify-from | Outgoing email for notifications generated by users.
|
| services.sourcehut.settings."builds.sr.ht".allow-free | Whether to enable nonpaying users to submit builds.
|
| services.sourcehut.settings."todo.sr.ht::mail".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| services.sourcehut.settings."pages.sr.ht".user-domain | Configures the user domain, if enabled
|
| security.pam.services.<name>.mysqlAuth | If set, the pam_mysql module will be used to
authenticate users against a MySQL/MariaDB database.
|
| hardware.acpilight.enable | Enable acpilight
|
| services.dawarich.smtp.fromAddress | "From" address used when sending emails to users.
|
| services.mastodon.smtp.fromAddress | "From" address used when sending Emails to users.
|
| services.prosody.modules.welcome | Welcome users who register accounts
|
| services.tailscaleAuth.enable | Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.
|
| security.pam.services.<name>.makeHomeDir | Whether to try to create home directories for users
with $HOMEs pointing to nonexistent
locations on session login.
|
| services.vsftpd.forceLocalLoginsSSL | Only applies if sslEnable is true
|
| services.spacecookie.settings.log.hide-ips | If enabled, spacecookie will hide personal
information of users like IP addresses from
log output.
|
| security.sudo.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| security.doas.wheelNeedsPassword | Whether users of the wheel group must provide a password to
run commands as super user via doas.
|
| security.pam.dp9ik.authserver | This controls the hostname for the 9front authentication server
that users will be authenticated against.
|
| services.bepasty.servers.<name>.workDir | Path to the working directory (used for config and pidfile)
|
| networking.supplicant.<name>.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli
|
| security.sudo-rs.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| services.upower.ignoreLid | Do we ignore the lid state
Some laptops are broken
|
| services.pgmanage.loginGroup | This tells pgmanage to only allow users in a certain PostgreSQL group to
login to pgmanage
|
| services.freshrss.api.enable | Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API)
|
| services.dependency-track.settings."alpine.oidc.user.provisioning" | Specifies if mapped OpenID Connect accounts are automatically created upon successful
authentication
|
| services.bitlbee.authMode | The following authentication modes are available:
Open -- Accept connections from anyone, use NickServ for user authentication
|
| security.pam.services.<name>.ttyAudit.enable | Enable or disable TTY auditing for specified users
|
| security.pam.services.<name>.yubicoAuth | If set, users listed in
~/.yubico/authorized_yubikeys
are able to log in with the associated Yubikey tokens.
|
| services.terraria.enable | If enabled, starts a Terraria server
|
| security.run0.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via run0.
|
| services.portunus.seedSettings | Seed settings for users and groups
|
| services.displayManager.hiddenUsers | A list of users which will not be shown in the display manager.
|
| services.anuko-time-tracker.settings.multiorgMode | Defines whether users see the Register option in the menu of Time Tracker that allows them
to self-register and create new organizations (top groups).
|
| security.pam.loginLimits | Define resource limits that should apply to users or groups
|
| services.sourcehut.settings."lists.sr.ht::worker".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| services.xserver.imwheel.rules | Window class translation rules.
/etc/X11/imwheelrc is generated based on this config
which means this config is global for all users
|
| services.prosody.modules.announce | Send announcement to all online users
|
| services.openafsClient.daemons | Number of daemons to serve user requests
|
| services.kanidm.provision.enable | Whether to enable provisioning of groups, users and oauth2 resource servers.
|
| hardware.keyboard.uhk.enable | Whether to enable non-root access to the firmware of UHK keyboards
|
| programs.soundmodem.enable | Whether to add Soundmodem to the global environment and configure a
wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.
|
| programs.steam.fontPackages | Font packages to use in Steam
|
| services.nginx.tailscaleAuth.enable | Whether to enable tailscale.nginx-auth, to authenticate nginx users via tailscale.
|
| services.szurubooru.server.settings.secretFile | File containing a secret used to salt the users' password hashes and generate filenames for static content.
|
| security.pam.services.<name>.u2fAuth | If set, users listed in
$XDG_CONFIG_HOME/Yubico/u2f_keys (or
$HOME/.config/Yubico/u2f_keys if XDG variable is
not set) are able to log in with the associated U2F key
|
| services.prosody.modules.register | Allow users to register on this server using a client and change passwords
|
| hardware.libjaylink.enable | Whether to enable udev rules for devices supported by libjaylink
|
| security.please.wheelNeedsPassword | Whether users of the wheel group must provide a password to run
commands or edit files with please and
pleaseedit respectively.
|
| virtualisation.spiceUSBRedirection.enable | Install the SPICE USB redirection helper with setuid
privileges
|
| security.pam.services.<name>.usshAuth | If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in
|
| services.vsftpd.anonymousMkdirEnable | Whether any uploads are permitted to anonymous users.
|
| services.vsftpd.userlistFile | Newline separated list of names to be allowed/denied if userlistEnable
is true
|
| security.pam.services.<name>.howdy.enable | Whether to enable the Howdy PAM module
|
| services.tuliprox.apiProxySettings | Users and proxy configuration
Refer to the Tuliprox documentation for available attributes
|
| programs.hyprland.withUWSM | Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager
|
| programs.chromium.initialPrefs | Initial preferences are used to configure the browser for the first run
|
| fonts.fontconfig.antialias | Enable font antialiasing
|
| services.snapper.configs.<name>.ALLOW_USERS | List of users allowed to operate with the config. "root" is always
implicitly included
|