| networking.wireless.dbusControlled | Whether to enable the DBus control interface
|
| security.forcePageTableIsolation | Whether to force-enable the Page Table Isolation (PTI) Linux kernel feature even on CPU models that claim to be safe from Meltdown
|
| services.discourse.sslCertificateKey | The path to the server SSL certificate key
|
| security.pam.services.<name>.allowNullPassword | Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group)
|
| services.nginx.recommendedGzipSettings | Enable recommended gzip settings
|
| services.jitsi-videobridge.colibriRestApi | Whether to enable the private rest API for the COLIBRI control interface
|
| services.omnom.settings.app.disable_signup | Whether to enable restricting user creation.
|
| services.ferretdb.settings.FERRETDB_TELEMETRY | Enable or disable basic telemetry
|
| services.reposilite.settings.defaultFrontend | Whether to enable the default included frontend with a dashboard.
|
| services.writefreely.database.createLocally | When services.writefreely.database.type is set to "mysql", this option will enable the MySQL service locally.
|
| services.nginx.recommendedZstdSettings | Enable recommended zstd settings
|
| services.buffyboard.settings.input.touchscreen | Enable or disable the use of the touchscreen.
|
| services.nginx.recommendedUwsgiSettings | Whether to enable recommended uwsgi settings if a vhost does not specify the option manually.
|
| services.nginx.recommendedProxySettings | Whether to enable recommended proxy settings if a vhost does not specify the option manually.
|
| services.redmine.components.ghostscript | Whether to enable exporting Gantt diagrams as PDF.
|
| services.redmine.components.imagemagick | Whether to enable exporting Gantt diagrams as PNG.
|
| services.prometheus.exporters.wireguard.verbose | Whether to enable verbose logging mode for prometheus-wireguard-exporter.
|
| services.prometheus.exporters.pgbouncer.webConfigFile | Path to configuration file that can enable TLS or authentication.
|
| services.nextcloud.config.objectstore.s3.sseCKeyFile | If provided this is the full path to a file that contains the key to enable server-side encryption with customer-provided keys (SSE-C)
|
| services.outline.slackIntegration.messageActions | Whether to enable message actions.
|
| services.firezone.server.smtp.configureManually | Outbound email configuration is mandatory for Firezone and supports many different delivery adapters
|
| hardware.nvidia.nvidiaPersistenced | Whether to enable nvidia-persistenced a update for NVIDIA GPU headless mode, i.e
|
| services.rutorrent.nginx.exposeInsecureRPC2mount | If you do not enable one of the rpc or httprpc plugins you need to expose an RPC mount through scgi using this option
|
| programs.chromium.defaultSearchProviderEnabled | Enable the default search provider.
|
| systemd.services.<name>.wantedBy | Units that want (i.e. depend on) this unit
|
| services.nextcloud.nginx.recommendedHttpHeaders | Enable additional recommended HTTP response headers
|
| services.waagent.settings.Provisioning.Enable | Whether to enable provisioning functionality in the agent
|
| services.kmonad.keyboards.<name>.defcfg.fallthrough | Whether to enable re-emitting unhandled key events.
|
| services.znapzend.features.compressed | Whether to enable compressed feature which adds the options -Lce to the zfs send command
|
| programs.firefox.nativeMessagingHosts.ugetIntegrator | Whether to enable Uget Integrator support.
|
| services.prometheus.exporters.imap-mailstat.oldestUnseenDate | Enable metric with timestamp of oldest unseen mail
|
| services.openssh.listenAddresses | List of addresses and ports to listen on (ListenAddress directive in config)
|
| services.printing.cups-pdf.instances.<name>.installPrinter | Whether to enable a CUPS printer queue for this instance
|
| networking.wireless.autoDetectInterfaces | Whether to enable automatic detection of wireless interfaces.
|
| services.anubis.defaultOptions.settings.OG_PASSTHROUGH | Whether to enable Open Graph tag passthrough
|
| networking.wlanInterfaces.<name>.fourAddr | Whether to enable 4-address mode with type managed.
|
| services.hostapd.radios.<name>.countryCode | Country code (ISO/IEC 3166-1)
|
| services.blockbook-frontend.<name>.certFile | To enable SSL, specify path to the name of certificate files without extension
|
| services.nginx.recommendedBrotliSettings | Enable recommended brotli settings
|
| services.firezone.server.provision.accounts.<name>.features.idp_sync | Whether to enable the idp_sync feature for this account.
|
| services.firezone.server.provision.accounts.<name>.features.rest_api | Whether to enable the rest_api feature for this account.
|
| services.grafana-image-renderer.provisionGrafana | Whether to enable Grafana configuration for grafana-image-renderer.
|
| services.tuned.settings.dynamic_tuning | Whether to enable dynamic tuning.
|
| services.draupnir.settings.managementRoom | The room ID or alias where moderators can use the bot's functionality
|
| services.opensearch.settings."plugins.security.disabled" | Whether to enable the security plugin; plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set for this plugin to be enabled.
|
| services.xserver.displayManager.lightdm.greeters.slick.draw-user-backgrounds | Whether to enable draw user backgrounds.
|
| programs.firefox.nativeMessagingHosts.browserpass | Whether to enable Browserpass support.
|
| services.weblate.configurePostgresql | Whether to enable and configure a local PostgreSQL server by creating a user and database for weblate
|
| services.meilisearch.dumplessUpgrade | Whether to enable (experimental) dumpless upgrade
|
| services.netdata.python.recommendedPythonPackages | Whether to enable a set of recommended Python plugins by installing extra Python packages.
|
| programs.coolercontrol.nvidiaSupport | Enable support for Nvidia GPUs.
|
| virtualisation.qemu.virtioKeyboard | Enable the virtio-keyboard device.
|
| services.tuned.settings.reapply_sysctl | Whether to enable the reapplying of global sysctls after TuneD sysctls are applied.
|
| hardware.nvidia.powerManagement.finegrained | Whether to enable experimental power management of PRIME offload
|
| services.autossh.sessions.*.extraArguments | Arguments to be passed to AutoSSH and retransmitted to SSH process
|
| services.prometheus.exporters.unpoller.log.prometheusErrors | Whether to enable emitting errors to prometheus.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.av1 | Enable hardware decoding for av1 codec.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.vp9 | Enable hardware decoding for vp9 codec.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.vp8 | Enable hardware decoding for vp8 codec.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.vc1 | Enable hardware decoding for vc1 codec.
|
| services.jellyfin.transcoding.hardwareEncodingCodecs.av1 | Enable hardware encoding for av1 codec.
|
| virtualisation.useSecureBoot | Enable Secure Boot support in the EFI firmware.
|
| services.bitwarden-directory-connector-cli.sync.largeImport | Enable if you are syncing more than 2000 users/groups.
|
| virtualisation.virtualbox.guest.dragAndDrop | Whether to enable drag and drop support.
|
| services.pixelfed.database.automaticMigrations | Whether to enable automatic migrations for database schema and data.
|
| services.nginx.experimentalZstdSettings | Enable alpha quality zstd module with recommended settings
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.h264 | Enable hardware decoding for h264 codec.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.hevc | Enable hardware decoding for hevc codec.
|
| services.jellyfin.transcoding.hardwareEncodingCodecs.hevc | Enable hardware encoding for hevc codec.
|
| services.crowdsec.localConfig.notifications | A list of notifications to enable and use in your profiles
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs
|
| networking.tempAddresses | Whether to enable IPv6 Privacy Extensions for interfaces not configured explicitly in networking.interfaces._name_.tempAddress
|
| services.prometheus.exporters.deluge.exportPerTorrentMetrics | Enable per-torrent metrics
|
| systemd.services.<name>.confinement.fullUnit | Whether to include the full closure of the systemd unit file into the chroot, instead of just the dependencies for the executables. While it may be tempting to just enable this option to make things work quickly, please be aware that this might add paths to the closure of the chroot that you didn't anticipate
|
| services.navidrome.settings.EnableInsightsCollector | Enable anonymous usage data collection, see https://www.navidrome.org/docs/getting-started/insights/ for details.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.mpeg2 | Enable hardware decoding for mpeg2 codec.
|
| services.taskchampion-sync-server.openFirewall | Whether to open the firewall port for taskchampion-sync-server.
|
| services.prometheus.exporters.fritz.settings.devices.*.host_info | Enable extended host info for this device. Warning: This will heavily increase scrape time.
|
| services.librenms.useDistributedPollers | Enables distributed pollers for this LibreNMS instance
|
| services.prometheus.exporters.opnsense.disabledExporter | Collectors to enable or disable
|
| systemd.automounts.*.wantedBy | Units that want (i.e. depend on) this unit
|
| services.mediagoblin.settings.mediagoblin.plugins | Plugins to enable
|
| services.sourcehut.settings."meta.sr.ht::settings".registration | Whether to enable public registration.
|
| networking.modemmanager.fccUnlockScripts | List of FCC unlock scripts to enable on the system, behaving as described in https://modemmanager.org/docs/modemmanager/fcc-unlock/#integration-with-third-party-fcc-unlock-tools.
|
| services.yggdrasil.persistentKeys | Whether to enable automatic generation and persistence of keys
|
| services.n8n.environment.N8N_DIAGNOSTICS_ENABLED | Whether to share selected, anonymous telemetry with n8n
|
| hardware.amdgpu.overdrive.ppfeaturemask | Sets the amdgpu.ppfeaturemask kernel option
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.hevcRExt10bit | Enable hardware decoding for hevcRExt10bit codec.
|
| services.jellyfin.transcoding.hardwareDecodingCodecs.hevcRExt12bit | Enable hardware decoding for hevcRExt12bit codec.
|
| services.anubis.instances.<name>.settings.OG_PASSTHROUGH | Whether to enable Open Graph tag passthrough
|
| services.jellyfin.transcoding.hardwareDecodingCodecs | Which codecs to enable for hardware decoding.
|
| security.allowUserNamespaces | Whether to allow creation of user namespaces
|
| hardware.nvidia.forceFullCompositionPipeline | Whether to enable forcefully the full composition pipeline
|
| services.slskd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.movim.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.movim.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.slskd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.davis.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.davis.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|