| networking.firewall.interfaces.<name>.allowedUDPPorts | List of open UDP ports.
|
| services.mjpg-streamer.group | mjpg-streamer group name.
|
| services.varnish.listen.*.user | User name who owns the socket file.
|
| services.strongswan-swanctl.swanctl.connections.<name>.dpd_delay | Interval to check the liveness of a peer actively using IKEv2 INFORMATIONAL exchanges or IKEv1 R_U_THERE messages
|
| services.misskey.reverseProxy.webserver.nginx.serverName | Name of this virtual host
|
| fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| containers.<name>.allowedDevices | A list of device nodes to which the container has access.
|
| services.wakapi.database.user | The name of the user to use for Wakapi.
|
| services.strongswan-swanctl.swanctl.connections.<name>.rand_time | Time range from which to choose a random value to subtract from rekey/reauth times
|
| boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.type | The type of operation to perform on the file
|
| services.openafsClient.cellName | Cell name.
|
| networking.firewall.interfaces.<name>.allowedTCPPorts | List of TCP ports on which incoming connections are accepted.
|
| networking.openconnect.interfaces.<name>.user | Username to authenticate with.
|
| services.baikal.virtualHost | Name of the nginx virtualhost to use and setup
|
| networking.supplicant.<name>.userControlled.group | Members of this group can control wpa_supplicant.
|
| networking.wireguard.interfaces.<name>.peers.*.endpoint | Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer
|
| networking.wireguard.interfaces.<name>.mtu | Set the maximum transmission unit in bytes for the wireguard interface
|
| services.tlsrpt.collectd.settings.socketname | Path at which the UNIX socket will be created.
|
| users.mysql.pam.updateTable | The name of the table used for password alteration
|
| services.dovecot2.group | Dovecot group name.
|
| services.opendkim.keyPath | The path that opendkim should put its generated private keys into
|
| services.bird-lg.frontend.domain | Server name domain suffixes.
|
| users.users.<name>.password | Specifies the (clear text) password for the user
|
| boot.loader.refind.additionalFiles | A set of files to be copied to /boot
|
| boot.loader.limine.additionalFiles | A set of files to be copied to /boot
|
| services.matrix-synapse.workers.<name>.worker_listeners | List of ports that this worker should listen on, their purpose and their configuration.
|
| networking.interfaces.<name>.ipv4.routes | List of extra IPv4 static routes that will be assigned to the interface. If the route type is the default unicast, then the scope is set differently depending on the value of networking.useNetworkd: the script-based backend sets it to link, while networkd sets it to global. If you want consistency between the two implementations, set the scope of the route manually with networking.interfaces.eth0.ipv4.routes = [{ options.scope = "global"; }] for example.
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_cert | Send certificate payloads when using certificate authentication. With the default of ifasked the daemon sends certificate payloads only if certificate requests have been received. never disables sending of certificate payloads altogether, always causes certificate payloads to be sent unconditionally whenever certificate authentication is used
|
| services.prometheus.exporters.dmarc.imap.username | Login username for the IMAP connection.
|
| services.powerdns.enable | Whether to enable PowerDNS domain name server.
|
| services.echoip.virtualHost | Name of the nginx virtual host to use and setup
|
| services.slskd.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.movim.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.davis.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| networking.interfaces.<name>.ipv4.routes.*.prefixLength | Subnet mask of the network, specified as the number of bits in the prefix (24).
|
| networking.interfaces.<name>.ipv6.routes.*.prefixLength | Subnet mask of the network, specified as the number of bits in the prefix (64).
|
| networking.ipips.<name>.encapsulation.limit | For an IPv6-based tunnel, the maximum number of nested encapsulations to allow. 0 means no nesting, "none" unlimited.
|
| networking.wireguard.interfaces.<name>.peers.*.publicKey | The base64 public key of the peer.
|
| networking.vswitches.<name>.controllers | Specify the controller targets
|
| services.cachix-agent.profile | Profile name, defaults to 'system' (NixOS).
|
| services.weblate.localDomain | The domain name serving your Weblate instance.
|
| containers.<name>.timeoutStartSec | Time for the container to start
|
| services.postgresqlWalReceiver.receivers.<name>.synchronous | Flush the WAL data to disk immediately after it has been received
|
| services.kresd.enable | Whether to enable knot-resolver (version 5) domain name server
|
| security.tpm2.tssUser | Name of the tpm device-owner and service user, set if applyUdevRules is set.
|
| networking.wireguard.interfaces.<name>.fwMark | Mark all wireguard packets originating from this interface with the given firewall mark
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|
| services.strongswan-swanctl.swanctl.connections.<name>.if_id_out | XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details
|
| services.prometheus.scrapeConfigs.*.tls_config.server_name | ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1
|
| networking.wg-quick.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed
|
| services.snipe-it.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.samba.nsswins | Whether to enable WINS NSS (Name Service Switch) plug-in
|
| virtualisation.fileSystems.<name>.label | Label of the device
|
| virtualisation.fileSystems.<name>.stratis.poolUuid | UUID of the stratis pool that the fs is located in. This is only relevant if you are using stratis.
|
| networking.interfaces.<name>.proxyARP | Turn on proxy_arp for this device
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.type | The type of the listener, usually http.
|
| services.bookstack.mail.fromName | Mail "from" name.
|
| services.openafsServer.cellName | Cell name, this server will serve.
|
| services.oidentd.enable | Whether to enable ‘oidentd’, an implementation of the Ident protocol (RFC 1413)
|
| networking.wireguard.interfaces.<name>.preShutdown | Commands called before shutting down the interface.
|
| networking.wireguard.interfaces.<name>.privateKeyFile | Private key file as generated by wg genkey.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.port | The port to listen for HTTP(S) requests on.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.mode | File permissions on the UNIX domain socket.
|
| networking.sits.<name>.encapsulation.sourcePort | Source port when using UDP encapsulation
|
| services.strongswan-swanctl.swanctl.pools | Section defining named pools
|
| services.smokeping.owner | Real name of the owner of the instance
|
| services.cachix-watch-store.cacheName | Cachix binary cache name
|
| services.weechat.sessionName | Name of the screen session for weechat.
|
| services.kapacitor.defaultDatabase.username | The username to connect to the remote InfluxDB server
|
| services.varnish.listen.*.group | Group name who owns the socket file.
|
| networking.wireguard.interfaces.<name>.table | The kernel routing table to add this interface's associated routes to
|
| services.prometheus.exporters.mqtt.mqttUsername | Username which should be used to authenticate against the MQTT broker.
|
| containers.<name>.restartIfChanged | Whether the container should be restarted during a NixOS configuration switch if its definition has changed.
|
| services.gitlab.databaseName | GitLab database name.
|
| networking.supplicant.<name>.userControlled.socketDir | Directory of sockets for controlling wpa_supplicant.
|
| containers.<name>.allowedDevices.*.node | Path to device node
|
| services.athens.storage.s3.bucket | Bucket name for the S3 storage backend.
|
| containers.<name>.interfaces | The list of interfaces to be moved into the container.
|
| virtualisation.oci-containers.containers.<name>.dependsOn | Define which other containers this one depends on
|
| services.netbird.enable | Enables backward-compatible NetBird client service
|
| services.rss-bridge.virtualHost | Name of the nginx or caddy virtualhost to use and setup
|
| services.netatalk.extmap | File name extension mappings
|
| virtualisation.interfaces.<name>.vlan | VLAN to which the network interface is connected.
|
| services.peertube-runner.instancesToRegister.<name>.registrationTokenFile | Path to a file containing a registration token for the PeerTube instance
|
| virtualisation.fileSystems.<name>.mountPoint | Location where the file system will be mounted
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.tls | Whether to enable TLS on the listener socket. This option will be ignored for UNIX domain sockets.
|
| networking.wireguard.interfaces.<name>.postShutdown | Commands called after shutting down the interface.
|
| networking.firewall.interfaces.<name>.allowedUDPPortRanges | Range of open UDP ports.
|
| containers.<name>.forwardPorts | List of forwarded ports from host to container
|
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user
|
| services.alerta.databaseName | Name of the database instance to connect to
|
| services.shellhub-agent.preferredHostname | Set the device preferred hostname
|
| services.strongswan-swanctl.swanctl.connections.<name>.over_time | Hard IKE_SA lifetime if rekey/reauth does not complete, as time
|
| networking.wg-quick.interfaces.<name>.generatePrivateKeyFile | Automatically generate a private key with wg genkey, at the privateKeyFile location.
|
| boot.loader.systemd-boot.extraEntries | Any additional entries you want added to the systemd-boot menu
|
| services.strongswan-swanctl.swanctl.connections.<name>.aggressive | Enables Aggressive Mode instead of Main Mode with Identity Protection
|
| services.smokeping.user | User that runs smokeping and (optionally) thttpd
|
| services.prometheus.exporters.sql.configuration.jobs.<name>.connections | A list of connection strings of the SQL servers to scrape metrics from
|
| services.postgresql.ensureUsers.*.ensureClauses.login | Grants the user, created by the ensureUser attr, login permissions
|
| hardware.fw-fanctrl.config.strategies.<name>.fanSpeedUpdateFrequency | How often the fan speed should be updated in seconds
|