| services.kea.dhcp6.configFile | Kea DHCP6 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp6-srv.html
|
| services.kea.dhcp4.configFile | Kea DHCP4 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp4-srv.html
|
| services.coturn.no-auth | This option is opposite to lt-cred-mech.
(TURN Server with no-auth option allows anonymous access)
|
| services.hologram-server.ldapBaseDN | The base DN for your Hologram users
|
| services.bitlbee.authBackend | How users are authenticated
storage -- save passwords internally
pam -- Linux PAM authentication
|
| services.alerta.signupEnabled | Whether to prevent sign-up of new users via the web UI
|
| programs.flashrom.enable | Installs flashrom and configures udev rules for programmers
used by flashrom
|
| networking.wireless.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli
|
| services.drupal.sites.<name>.modulesDir | The location for users to install Drupal modules.
|
| services.coturn.realm | The default realm to be used for the users when no explicit
origin/realm relationship was found in the database, or if the TURN
server is not using any database (just the commands-line settings
and the userdb file)
|
| security.pam.services.<name>.unixAuth | Whether users can log in with passwords defined in
/etc/shadow.
|
| services.aria2.enable | Whether or not to enable the headless Aria2 daemon service
|
| services.vsftpd.userlistEnable | Whether users are included.
|
| security.doas.extraRules.*.runAs | Which user or group the specified command is allowed to run as
|
| security.loginDefs.chfnRestrict | Use chfn SUID to allow non-root users to change their account GECOS information.
|
| services.prosody.modules.roster | Allow users to have a roster
|
| services.tt-rss.forceArticlePurge | When this option is not 0, users ability to control feed purging
intervals is disabled and all articles (which are not starred)
older than this amount of days are purged.
|
| services.zeitgeist.enable | Whether to enable zeitgeist, a service which logs the users' activities and events.
|
| services.kea.dhcp-ddns.configFile | Kea DHCP-DDNS configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/ddns.html
|
| security.loginDefs.settings.UID_MAX | Range of user IDs used for the creation of regular users by useradd or newusers.
|
| security.loginDefs.settings.UID_MIN | Range of user IDs used for the creation of regular users by useradd or newusers.
|
| programs.mouse-actions.enable | Whether to install and set up mouse-actions and it's udev rules
|
| services.vsftpd.forceLocalDataSSL | Only applies if sslEnable is true
|
| security.pam.krb5.enable | Enables Kerberos PAM modules (pam-krb5,
pam-ccreds)
|
| hardware.acpilight.enable | Enable acpilight
|
| security.pam.services.<name>.mysqlAuth | If set, the pam_mysql module will be used to
authenticate users against a MySQL/MariaDB database.
|
| services.kea.ctrl-agent.configFile | Kea Control Agent configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/agent.html
|
| networking.supplicant.<name>.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli
|
| security.pam.yubico.enable | Enables Yubico PAM (yubico-pam) module
|
| security.loginDefs.settings.SYS_UID_MAX | Range of user IDs used for the creation of system users by useradd or newusers.
|
| security.loginDefs.settings.SYS_UID_MIN | Range of user IDs used for the creation of system users by useradd or newusers.
|
| services.tailscaleAuth.enable | Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.
|
| services.dawarich.smtp.fromAddress | "From" address used when sending emails to users.
|
| security.run0.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via run0.
|
| security.pam.services.<name>.makeHomeDir | Whether to try to create home directories for users
with $HOMEs pointing to nonexistent
locations on session login.
|
| services.mastodon.smtp.fromAddress | "From" address used when sending Emails to users.
|
| services.vsftpd.forceLocalLoginsSSL | Only applies if sslEnable is true
|
| security.sudo.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| services.bepasty.servers.<name>.workDir | Path to the working directory (used for config and pidfile)
|
| security.doas.wheelNeedsPassword | Whether users of the wheel group must provide a password to
run commands as super user via doas.
|
| services.prosody.modules.welcome | Welcome users who register accounts
|
| security.sudo-rs.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| services.displayManager.hiddenUsers | A list of users which will not be shown in the display manager.
|
| security.pam.dp9ik.authserver | This controls the hostname for the 9front authentication server
that users will be authenticated against.
|
| security.pam.services.<name>.yubicoAuth | If set, users listed in
~/.yubico/authorized_yubikeys
are able to log in with the associated Yubikey tokens.
|
| services.portunus.seedSettings | Seed settings for users and groups
|
| services.pgmanage.loginGroup | This tells pgmanage to only allow users in a certain PostgreSQL group to
login to pgmanage
|
| services.terraria.enable | If enabled, starts a Terraria server
|
| services.upower.ignoreLid | Do we ignore the lid state
Some laptops are broken
|
| services.bitlbee.authMode | The following authentication modes are available:
Open -- Accept connections from anyone, use NickServ for user authentication
|
| security.pam.services.<name>.ttyAudit.enable | Enable or disable TTY auditing for specified users
|
| services.freshrss.api.enable | Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API)
|
| programs.soundmodem.enable | Whether to add Soundmodem to the global environment and configure a
wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.
|
| services.openafsClient.daemons | Number of daemons to serve user requests
|
| virtualisation.spiceUSBRedirection.enable | Install the SPICE USB redirection helper with setuid
privileges
|
| security.pam.loginLimits | Define resource limits that should apply to users or groups
|
| services.prosody.modules.announce | Send announcement to all online users
|
| services.glitchtip.settings.ENABLE_USER_REGISTRATION | When true, any user will be able to register
|
| programs.steam.fontPackages | Font packages to use in Steam
|
| services.kanidm.provision.enable | Whether to enable provisioning of groups, users and oauth2 resource servers.
|
| services.xserver.imwheel.rules | Window class translation rules.
/etc/X11/imwheelrc is generated based on this config
which means this config is global for all users
|
| hardware.libjaylink.enable | Whether to enable udev rules for devices supported by libjaylink
|
| services.nginx.tailscaleAuth.enable | Whether to enable tailscale.nginx-auth, to authenticate nginx users via tailscale.
|
| security.pam.services.<name>.u2fAuth | If set, users listed in
$XDG_CONFIG_HOME/Yubico/u2f_keys (or
$HOME/.config/Yubico/u2f_keys if XDG variable is
not set) are able to log in with the associated U2F key
|
| security.please.wheelNeedsPassword | Whether users of the wheel group must provide a password to run
commands or edit files with please and
pleaseedit respectively.
|
| hardware.keyboard.uhk.enable | Whether to enable non-root access to the firmware of UHK keyboards
|
| services.vsftpd.anonymousMkdirEnable | Whether any uploads are permitted to anonymous users.
|
| services.biboumi.settings.admin | The bare JID of the gateway administrator
|
| services.tuliprox.apiProxySettings | Users and proxy configuration
Refer to the Tuliprox documentation for available attributes
|
| services.openssh.settings.AllowUsers | If specified, login is allowed only for the listed users
|
| services.prosody.modules.register | Allow users to register on this server using a client and change passwords
|
| security.pam.services.<name>.usshAuth | If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in
|
| services.kubo.settings.Mounts.FuseAllowOther | Allow all users to access the FUSE mount points
|
| services.openssh.settings.LogLevel | Gives the verbosity level that is used when logging messages from sshd(8)
|
| services.openssh.settings.DenyUsers | If specified, login is denied for all listed users
|
| services.vsftpd.userlistFile | Newline separated list of names to be allowed/denied if userlistEnable
is true
|
| services.cryptpad.settings.adminKeys | List of public signing keys of users that can access the admin panel
|
| services.dependency-track.oidc.userProvisioning | Specifies if mapped OpenID Connect accounts are automatically created upon successful
authentication
|
| services.grafana.settings.users.user_invite_max_lifetime_duration | The duration in time a user invitation remains valid before expiring
|
| environment.shellAliases | An attribute set that maps aliases (the top level attribute names in
this option) to command strings or directly to build outputs
|
| fonts.fontconfig.antialias | Enable font antialiasing
|
| programs.chromium.initialPrefs | Initial preferences are used to configure the browser for the first run
|
| security.pam.services.<name>.howdy.enable | Whether to enable the Howdy PAM module
|
| services.maubot.settings.admins | List of administrator users
|
| services.snapper.configs.<name>.ALLOW_USERS | List of users allowed to operate with the config. "root" is always
implicitly included
|
| services.vsftpd.anonymousUploadEnable | Whether any uploads are permitted to anonymous users.
|
| services.vsftpd.chrootlocalUser | Whether local users are confined to their home directory.
|
| programs.hyprland.withUWSM | Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager
|
| services.iperf3.authorizedUsersFile | Path to the configuration file containing authorized users credentials to run iperf tests.
|
| services.angrr.settings.owned-only | Only monitors owned symbolic link target of GC roots.
- "auto": behaves like true for normal users, false for root.
- "true": only monitor GC roots owned by the current user.
- "false": monitor all GC roots.
|
| services.userdbd.enableSSHSupport | Whether to enable exposing OpenSSH public keys defined in userdb
|
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled
allowing all users in the "pipewire" group to use it simultaneously
|
| services.openssh.settings.AllowGroups | If specified, login is allowed only for users part of the
listed groups
|
| services.thelounge.public | Make your The Lounge instance public
|
| services.buildbot-master.reporters | List of reporter objects used to present build status to various users.
|
| services.openssh.settings.DenyGroups | If specified, login is denied for all users part of the listed
groups
|
| virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
|
| services.systembus-notify.enable | Whether to enable System bus notification support
WARNING: enabling this option (while convenient) should not be done on a
machine where you do not trust the other users as it allows any other
local user to DoS your session by spamming notifications
.
|
| services.movim.minifyStaticFiles | Do minification on public static files which reduces the size of
assets — saving data for the server & users as well as offering a
performance improvement
|
| services.gitlab.secrets.jwsFile | A file containing the secret used to encrypt session
keys
|