| services.gancio.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.fluidd.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.miredo.interfaceName | Name of the network tunneling interface.
|
| services.dependency-track.settings."alpine.oidc.teams.claim" | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| services.mattermost.siteName | Name of this Mattermost site.
|
| services.shairport-sync.group | Group account name under which to run shairport-sync
|
| services.rspamd.overrides | Overridden configuration files, written into /etc/rspamd/override.d/{name}.
|
| virtualisation.oci-containers.containers.<name>.environment | Environment variables to set for this container.
|
| services.cjdns.ETHInterface.bind | Bind to this device for native ethernet operation.
all is a pseudo-name which will try to connect to all devices.
|
| services.soju.acceptProxyIP | Allow the specified IPs to act as a proxy
|
| services.nix-serve.secretKeyFile | The path to the file used for signing derivation data
|
| services.gitea.settings.server.DOMAIN | Domain name of your server.
|
| services.spacecookie.settings.hostname | The hostname the service is reachable via
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.resources | List of HTTP resources to serve on this listener.
|
| networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds | Periodically re-execute the wg utility every
this many seconds in order to let WireGuard notice DNS / hostname
changes
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.basic_auth.username | HTTP username
|
| services.gitlab-runner.services.<name>.authenticationTokenConfigFile | Absolute path to a file containing environment variables used for
gitlab-runner registrations with runner authentication tokens
|
| services.cloudlog.virtualHost | Name of the nginx virtual host to use and set up
|
| services.airsonic.virtualHost | Name of the nginx virtual host to use and set up
|
| services.misskey.reverseProxy.host | The fully qualified domain name to bind to
|
| containers.<name>.privateUsers | Whether to give the container its own private UIDs/GIDs space (user namespacing)
|
| services.hatsu.settings.HATSU_DOMAIN | The domain name of your instance (e.g. 'hatsu.local').
|
| services.guacamole-server.host | The host name or IP address the server should listen to.
|
| services.wiki-js.stateDirectoryName | Name of the directory in /var/lib.
|
| services.syncplay.useACMEHost | If set, use NixOS-generated ACME certificate with the specified name for TLS
|
| services.supybot.plugins | Attribute set of additional plugins that will be symlinked to the
plugin subdirectory
|
| services.gammu-smsd.backend.sql.database | Database name to store SMS data
|
| services.coder.database.database | Name of database.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local_addrs | Local address(es) to use for IKE communication
|
| services.youtrack.virtualHost | Name of the nginx virtual host to use and set up
|
| virtualisation.oci-containers.containers.<name>.imageStream | Path to a script that streams the desired image on standard output
|
| services.headscale.settings.dns.nameservers.global | List of nameservers to pass to Tailscale clients.
|
| services.pds.settings.PDS_HOSTNAME | Instance hostname (base domain name)
|
| virtualisation.oci-containers.containers.<name>.environmentFiles | Environment files for this container.
|
| networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| services.jibri.xmppEnvironments.<name>.disableCertificateVerification | Whether to skip validation of the server's certificate.
|
| services.victorialogs.basicAuthUsername | Basic Auth username used to protect VictoriaLogs instance by authorization
|
| image.repart.verityStore.partitionIds.store | Specify the attribute name of the store partition.
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to
the peer
|
| services.livekit.keyFile | LiveKit key file holding one or multiple application secrets
|
| services.sanoid.datasets.<name>.pre_snapshot_script | Script to run before taking snapshot.
|
| specialisation.<name>.inheritParentConfig | Include the entire system's configuration
|
| services.restic.server.privateRepos | Enable private repos
|
| services.strongswan-swanctl.swanctl.connections.<name>.reauth_time | Time to schedule IKE reauthentication
|
| services.resolved.llmnr | Controls Link-Local Multicast Name Resolution support
(RFC 4795) on the local host
|
| networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshRestartSeconds | When the dynamic endpoint refresh that is configured via
dynamicEndpointRefreshSeconds exits (likely due to a failure),
restart that service after this many seconds
|
| services.stargazer.routes.*.route | Route section name
|
| nixpkgs.flake.source | The path to the nixpkgs sources used to build the system
|
| services.athens.storage.mongo.defaultDBName | Name of the mongo database.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base | Defines the base URI for the Hash and URL feature supported by
IKEv2
|
| services.tailscale.derper.domain | Domain name under which the derper server is reachable.
|
| containers | A set of NixOS system configurations to be run as lightweight
containers
|
| services.strongswan-swanctl.swanctl.connections.<name>.childless | Use childless IKE_SA initiation (allow, prefer, force or never)
|
| services.heisenbridge.namespaces | Configure the 'namespaces' section of the registration.yml for the bridge and the server
|
| services.portunus.ldap.searchUserName | The login name of the search user
|
| services.acme-dns.settings.general.domain | Domain name to serve the requests off of.
|
| services.jitsi-videobridge.xmppConfigs.<name>.disableCertificateVerification | Whether to skip validation of the server's certificate.
|
| services.gancio.settings.db.database | Name of the PostgreSQL database
|
| services.nextcloud.config.objectstore.s3.hostname | Required for some non-Amazon implementations.
|
| swapDevices.*.encrypted.label | Label of the unlocked encrypted device
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.username | HTTP username
|
| virtualisation.oci-containers.containers.<name>.ports | Network ports to publish from the container to the outer host
|
| virtualisation.sharedDirectories.<name>.securityModel | The security model to use for this share:
passthrough: files are stored using the same credentials as they are created on the guest (this requires QEMU to run as root)
mapped-xattr: some of the file attributes like uid, gid, mode bits and link target are stored as file attributes
mapped-file: the attributes are stored in the hidden .virtfs_metadata directory
|
| services.sanoid.templates.<name>.pre_snapshot_script | Script to run before taking snapshot.
|
| services.minetest-server.world | Name of the world to use
|
| services.samba.winbindd.enable | Whether to enable Samba's winbindd, which provides a number of services
to the Name Service Switch capability found in most modern C libraries,
to arbitrary applications via PAM and ntlm_auth and to Samba itself.
|
| services.writefreely.host | The public host name to serve.
|
| services.prometheus.exporters.pihole.piholeHostname | Hostname or address where to find the Pi-Hole web interface
|
| services.borgmatic.configurations.<name>.repositories | A required list of local or remote repositories with paths and
optional labels (which can be used with the --repository flag to
select a repository)
|
| services.gitlab.registry.serviceName | GitLab container registry service name.
|
| services.bacula-sd.tls.allowedCN | Common name attribute of allowed peer certificates
|
| services.bacula-fd.tls.allowedCN | Common name attribute of allowed peer certificates
|
| services.strongswan-swanctl.swanctl.connections.<name>.proposals | A proposal is a set of algorithms
|
| services.slurm.controlMachine | The short hostname of the machine where SLURM control functions are
executed (i.e. the name returned by the command "hostname -s", use "tux001"
rather than "tux001.my.com").
|
| containers.<name>.networkNamespace | Takes the path to a file representing a kernel network namespace that the container
shall run in
|
| services.multipath.devices.*.prio | The name of the path priority routine
|
| services.cadvisor.storageDriverDb | cAdvisor storage driver database name.
|
| services.knot-resolver.enable | Whether to enable knot-resolver (version 6) domain name server
|
| services.nextcloud-spreed-signaling.backends | A list of backends from which clients are allowed to connect
|
| services.firezone.server.provision.accounts.<name>.features.internet_resource | Whether to enable the internet_resource feature for this account.
|
| services.firezone.server.provision.accounts.<name>.features.policy_conditions | Whether to enable the policy_conditions feature for this account.
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.namespaces.names | Namespace name.
|
| services.bacula-dir.tls.allowedCN | Common name attribute of allowed peer certificates
|
| virtualisation.oci-containers.containers.<name>.capabilities | Capabilities to configure for the container
|
| services.hickory-dns.settings.zones.*.zone | Zone name, like "example.com", "localhost", or "0.0.127.in-addr.arpa".
|
| networking.ucarp.upscript | Command to run after becoming master; the interface name, virtual address
and optional extra parameters are passed as arguments.
|
| services.slurm.dbdserver.storageUser | Database user name.
|
| services.rustus.storage.s3_region | S3 region name.
|
| services.xserver.xrandrHeads.*.output | The output name of the monitor, as shown by
xrandr(1) invoked without arguments.
|
| services.multipath.pathGroups.*.alias | The name of the multipath device
|
| services.nullmailer.config.defaultdomain | The content of this attribute is appended to any host name that
does not contain a period (except localhost), including defaulthost
and idhost
|
| services.radicle.httpd.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.x_forwarded | Use the X-Forwarded-For (XFF) header as the client IP and not the
actual client IP.
|
| services.vault-agent.instances | Attribute set of vault-agent instances
|
| services.tailscale.authKeyFile | A file containing the auth key
|
| services.nominatim.enable | Whether to enable nominatim
|
| security.doas.extraRules.*.setEnv | Keep or set the specified variables
|