| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails | List of emails to allow access to this vhost, or null to allow all.
|
| services.mautrix-meta.instances.<name>.environmentFile | File containing environment variables to substitute when copying the configuration
out of Nix store to the services.mautrix-meta.dataDir
|
| services.bacula-dir.tls.verifyPeer | Verify peer certificate
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| boot.binfmt.registrations.<name>.wrapInterpreterInShell | Whether to wrap the interpreter in a shell script
|
| services.parsedmarc.provision.localMail.recipientName | The DMARC mail recipient name, i.e. the name part of the
email address which receives DMARC reports
|
| services.bacula-sd.autochanger.<name>.extraAutochangerConfig | Extra configuration to be passed in Autochanger directive.
|
| services.kismet.serverName | The name of the server.
|
| services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce | Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it
|
| xdg.portal.config | Sets which portal backend should be used to provide the implementation
for the requested interface
|
| services.syncplay.maxUsernameLength | Maximum number of characters in a username.
|
| services.icingaweb2.modules.monitoring.transports.<name>.type | Type of this transport
|
| services.gdomap.enable | Whether to enable GNUstep Distributed Objects name server.
|
| services.sanoid.templates.<name>.script_timeout | Time limit for pre/post/pruning script execution time (<=0 for infinite).
|
| services.icingaweb2.libraryPaths | Libraries to add to the Icingaweb2 library path
|
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects
|
| services.freshrss.webserver | Whether to use nginx or caddy for virtual host management
|
| services.dokuwiki.webserver | Whether to use nginx or caddy for virtual host management
|
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting
|
| services.tarsnap.archives.<name>.aggressiveNetworking | Upload data over multiple TCP connections, potentially
increasing tarsnap's bandwidth utilisation at the cost
of slowing down all other network traffic
|
| services.mautrix-meta.instances.<name>.serviceDependencies | List of Systemd services to require and wait for when starting the application service.
|
| services.wiki-js.settings.db.db | Name of the database to use.
|
| services.zoneminder.hostname | The hostname on which to listen.
|
| services.icingaweb2.modules.monitoring.transports.<name>.host | Host for the api or remote transport
|
| services.hadoop.hdfs.namenode.formatOnInit | Format HDFS namenode on first start
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.starttls | set to true for using STARTTLS to start a TLS connection
|
| boot.binfmt.registrations.<name>.matchCredentials | Whether to launch with the credentials and security
token of the binary, not the interpreter (e.g. setuid
bit)
|
| virtualisation.fileSystems.<name>.device | The device as passed to mount
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ah_proposals | AH proposals to offer for the CHILD_SA
|
| services.icingaweb2.modules.monitoring.transports.<name>.path | Path to the socket for local or remote transports
|
| services.icingaweb2.modules.monitoring.transports.<name>.port | Port to connect to for the api or remote transport
|
| services.strongswan-swanctl.swanctl.connections.<name>.dscp | Differentiated Services Field Codepoint to set on outgoing IKE packets for
this connection
|
| networking.wireguard.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| virtualisation.credentials.<name>.source | Source file on the host containing the credential data.
|
| services.forgejo.dump.file | Filename to be used for the dump
|
| services.prometheus.exporters.exportarr-radarr.user | User name under which the exportarr-radarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-lidarr.user | User name under which the exportarr-lidarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-bazarr.user | User name under which the exportarr-bazarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-sonarr.user | User name under which the exportarr-sonarr exporter shall be run.
|
| containers.<name>.forwardPorts.*.protocol | The protocol specifier for port forwarding between host and container
|
| services.strongswan-swanctl.swanctl.authorities.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.limesurvey.nginx.virtualHost.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.onlyoffice.hostname | FQDN for the OnlyOffice instance.
|
| services.mainsail.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.pixelfed.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.mainsail.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.pixelfed.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.fediwall.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.dolibarr.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.agorakit.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.librenms.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.librenms.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.agorakit.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.kanboard.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.dolibarr.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.fediwall.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.kanboard.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.icingaweb2.modules.monitoring.backends.<name>.disabled | Disable this backend
|
| services.epmd.enable | Whether to enable socket activation for Erlang Port Mapper Daemon (epmd),
which acts as a name server on all hosts involved in distributed
Erlang computations.
|
| services.gitlab-runner.services.<name>.environmentVariables | Custom environment variables injected to build environment
|
| services.pantalaimon-headless.instances.<name>.listenAddress | The address where the daemon will listen to client connections
for this homeserver.
|
| security.wrappers.<name>.capabilities | A comma-separated list of capability clauses to be given to the
wrapper program
|
| services.biboumi.settings.hostname | The hostname served by the XMPP gateway
|
| services.postgresqlWalReceiver.receivers.<name>.compress | Enables gzip compression of write-ahead logs, and specifies the compression level
(0 through 9, 0 being no compression and 9 being best compression)
|
| services.vikunja.frontendHostname | The Hostname under which the frontend is running.
|
| services.castopod.database.hostname | Database hostname.
|
| services.rspamd.locals | Local configuration files, written into /etc/rspamd/local.d/{name}.
|
| services.skydns.nameservers | Skydns list of nameservers to forward DNS requests to when not authoritative for a domain.
|
| services.syncthing.settings.folders.<name>.ignorePatterns | Syncthing can be configured to ignore certain files in a folder using ignore patterns
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request
(Basic authorization type, USER:[PASS]).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing HTTP_PASSWORD=<your-password-here> and set this
option to <user>:$HTTP_PASSWORD
|
| services.strongswan-swanctl.swanctl.connections.<name>.vips | List of virtual IPs to request in IKEv2 configuration payloads or IKEv1
Mode Config
|
| virtualisation.fileSystems.<name>.overlay.upperdir | The path to the upperdir
|
| networking.openconnect.interfaces.<name>.passwordFile | File containing the password to authenticate with
|
| services.hddfancontrol.settings.<drive-bay-name>.logVerbosity | Verbosity of the log level
|
| services.tt-rss.virtualHost | Name of the nginx virtualhost to use and setup
|
| services.limesurvey.nginx.virtualHost.serverName | Name of this virtual host
|
| networking.wireguard.interfaces.<name>.generatePrivateKeyFile | Automatically generate a private key with
wg genkey, at the privateKeyFile location.
|
| virtualisation.credentials.<name>.text | Text content of the credential
|
| virtualisation.fileSystems.<name>.overlay.lowerdir | The list of path(s) to the lowerdir(s)
|
| virtualisation.fileSystems.<name>.options | Options used to mount the file system
|
| virtualisation.fileSystems.<name>.depends | List of paths that should be mounted before this one
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cacert | The certificates may use a relative path from the swanctl
x509ca directory or an absolute path
|
| security.pam.services.<name>.googleOsLoginAccountVerification | If set, will use the Google OS Login PAM modules
(pam_oslogin_login,
pam_oslogin_admin) to verify possible OS Login
users and set sudoers configuration accordingly
|
| services.pantalaimon-headless.instances.<name>.extraSettings | Extra configuration options
|
| systemd.network.networks.<name>.stochasticFairnessQueueingConfig | Each attribute in this set specifies an option in the
[StochasticFairnessQueueing] section of the unit
|
| services.kubernetes.proxy.hostname | Kubernetes proxy hostname override.
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| virtualisation.fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.anuko-time-tracker.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.anuko-time-tracker.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| console.font | The font used for the virtual consoles
|
| services.prometheus.exporters.exportarr-readarr.user | User name under which the exportarr-readarr exporter shall be run.
|
| services.kerberos_server.settings.realms.<name>.acl.*.target | The principals that 'access' applies to.
|
| services.grav.virtualHost | Name of the nginx virtualhost to use and setup
|
| services.prometheus.exporters.artifactory.user | User name under which the artifactory exporter shall be run.
|
| services.rss-bridge.pool | Name of phpfpm pool that is used to run web-application
|
| security.pam.services.<name>.googleOsLoginAuthentication | If set, will use the pam_oslogin_login's user
authentication methods to authenticate users using 2FA
|
| services.pretix.nginx.domain | The domain name under which to set up the virtual host.
|