| networking.firewall.interfaces.<name>.allowedTCPPortRanges | A range of TCP ports on which incoming connections are
accepted.
|
| services.mastodon.user | User under which mastodon runs
|
| services.misskey.reverseProxy.host | The fully qualified domain name to bind to
|
| services.syncplay.useACMEHost | If set, use NixOS-generated ACME certificate with the specified name for TLS
|
| services.supybot.plugins | Attribute set of additional plugins that will be symlinked to the
plugin subdirectory
|
| services.cloudlog.database.user | MySQL user name.
|
| networking.wireguard.interfaces.<name>.extraOptions | Extra options to append to the interface section
|
| services.strongswan-swanctl.swanctl.connections.<name>.reauth_time | Time to schedule IKE reauthentication
|
| services.dovecot2.imapsieve.mailbox.*.from | Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox..name when the message originates from the indicated mailbox
|
| services.gammu-smsd.backend.sql.database | Database name to store sms data
|
| networking.wireguard.interfaces.<name>.privateKey | Base64 private key generated by wg genkey
|
| containers.<name>.forwardPorts.*.hostPort | Source port of the external interface on host
|
| services.bacula-sd.tls.allowedCN | Common name attribute of allowed peer certificates
|
| services.bacula-fd.tls.allowedCN | Common name attribute of allowed peer certificates
|
| services.resolved.llmnr | Controls Link-Local Multicast Name Resolution support
(RFC 4795) on the local host
|
| hardware.fw-fanctrl.config.strategies.<name>.movingAverageInterval | Interval (seconds) of the last temperatures to use to calculate the average temperature
|
| networking.interfaces.<name>.ipv6.routes.*.options | Other route options
|
| networking.interfaces.<name>.ipv4.routes.*.options | Other route options
|
| networking.openconnect.interfaces.<name>.autoStart | Whether this VPN connection should be started automatically.
|
| virtualisation.allInterfaces.<name>.vlan | VLAN to which the network interface is connected.
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to
the peer
|
| security.tpm2.tssUser | Name of the tpm device-owner and service user, set if applyUdevRules is
set.
|
| services.strongswan-swanctl.swanctl.connections.<name>.proposals | A proposal is a set of algorithms
|
| virtualisation.fileSystems.<name>.encrypted.blkDev | Location of the backing encrypted device.
|
| virtualisation.fileSystems.<name>.autoFormat | If the device does not currently contain a filesystem (as
determined by blkid), then automatically
format it with the filesystem type specified in
fsType
|
| services.shairport-sync.group | Group account name under which to run shairport-sync
|
| services.rspamd.overrides | Overridden configuration files, written into /etc/rspamd/override.d/{name}.
|
| services.freshrss.virtualHost | Name of the caddy/nginx virtualhost to use and setup.
|
| services.usbrelayd.clientName | Name, your client connects as.
|
| services.radicle.httpd.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.hatsu.settings.HATSU_DOMAIN | The domain name of your instance (eg 'hatsu.local').
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.resources | List of HTTP resources to serve on this listener.
|
| systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.argument | An argument whose meaning depends on the type of operation
|
| services.bacula-dir.tls.allowedCN | Common name attribute of allowed peer certificates
|
| containers.<name>.timeoutStartSec | Time for the container to start
|
| boot.binfmt.registrations.<name>.recognitionType | Whether to recognize executables by magic number or extension.
|
| systemd.network.networks.<name>.genericRandomEarlyDetectionConfig | Each attribute in this set specifies an option in the
[GenericRandomEarlyDetection] section of the unit
|
| services.autossh.sessions.*.user | Name of the user the AutoSSH session should run as
|
| services.dovecot2.imapsieve.mailbox.*.causes | Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox..name when one of the listed IMAPSIEVE causes apply
|
| services.miredo.interfaceName | Name of the network tunneling interface.
|
| boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.argument | An argument whose meaning depends on the type of operation
|
| services.prometheus.exporters.py-air-control.deviceHostname | The hostname of the air purification device from which to scrape the metrics.
|
| networking.sits.<name>.encapsulation.type | Select the encapsulation type:
-
6in4: the IPv6 packets are encapsulated using the
6in4 protocol (formerly known as SIT, RFC 4213);
-
gue: the IPv6 packets are encapsulated in UDP packets
using the Generic UDP Encapsulation (GUE) scheme;
-
foo: the IPv6 packets are encapsulated in UDP packets
using the Foo over UDP (FOU) scheme.
|
| services.mqtt2influxdb.influxdb.username | Username for InfluxDB login.
|
| services.restic.server.privateRepos | Enable private repos
|
| virtualisation.fileSystems.<name>.autoResize | If set, the filesystem is grown to its maximum size before
being mounted. (This is typically the size of the containing
partition.) This is currently only supported for ext2/3/4
filesystems that are mounted during early boot.
|
| services.mattermost.siteName | Name of this Mattermost site.
|
| services.prometheus.remoteRead.*.basic_auth.username | HTTP username
|
| networking.wireguard.interfaces.<name>.allowedIPsAsRoutes | Determines whether to add allowed IPs as routes or not.
|
| boot.loader.systemd-boot.extraEntries | Any additional entries you want added to the systemd-boot menu
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.filters.*.name | Name of the filter
|
| services.pds.settings.PDS_HOSTNAME | Instance hostname (base domain name)
|
| services.cloudlog.virtualHost | Name of the nginx virtualhost to use and setup
|
| services.airsonic.virtualHost | Name of the nginx virtualhost to use and setup
|
| networking.vswitches.<name>.supportedOpenFlowVersions | Supported versions to enable on this switch.
|
| services.coder.database.database | Name of database.
|
| virtualisation.oci-containers.containers.<name>.imageFile | Path to an image file to load before running the image
|
| networking.openconnect.interfaces.<name>.gateway | Gateway server to connect to.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base | Defines the base URI for the Hash and URL feature supported by
IKEv2
|
| services.samba.winbindd.enable | Whether to enable Samba's winbindd, which provides a number of services
to the Name Service Switch capability found in most modern C libraries,
to arbitrary applications via PAM and ntlm_auth and to Samba itself.
|
| services.athens.storage.mongo.defaultDBName | Name of the mongo database.
|
| services.dependency-track.settings."alpine.database.username" | Specifies the username to use when authenticating to the database.
|
| networking.interfaces.<name>.tempAddress | When IPv6 is enabled with SLAAC, this option controls the use of
temporary address (aka privacy extensions) on this
interface
|
| services.prometheus.exporters.nextcloud.username | Username for connecting to Nextcloud
|
| services.youtrack.virtualHost | Name of the nginx virtual host to use and setup
|
| containers.<name>.restartIfChanged | Whether the container should be restarted during a NixOS
configuration switch if its definition has changed.
|
| networking.ipips.<name>.encapsulation.type | Select the encapsulation type:
-
ipip to create an IPv4 within IPv4 tunnel (RFC 2003).
-
4in6 to create a 4in6 tunnel (RFC 2473);
-
ip6ip6 to create an IPv6 within IPv6 tunnel (RFC 2473);
For encapsulating IPv6 within IPv4 packets, see
the ad-hoc networking.sits option.
|
| services.guacamole-server.host | The host name or IP address the server should listen to.
|
| services.caddy.adapter | Name of the config adapter to use
|
| services.portunus.ldap.searchUserName | The login name of the search user
|
| systemd.network.networks.<name>.deficitRoundRobinSchedulerClassConfig | Each attribute in this set specifies an option in the
[DeficitRoundRobinSchedulerClass] section of the unit
|
| services.nullmailer.config.defaulthost | The content of this attribute is appended to any address that
is missing a host name
|
| containers.<name>.allowedDevices.*.node | Path to device node
|
| services.acme-dns.settings.general.domain | Domain name to serve the requests off of.
|
| services.unpoller.unifi.defaults.user | Unifi service user name.
|
| containers.<name>.interfaces | The list of interfaces to be moved into the container.
|
| services.wiki-js.stateDirectoryName | Name of the directory in /var/lib.
|
| services.slskd.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.movim.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.davis.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.jibri.xmppEnvironments.<name>.disableCertificateVerification | Whether to skip validation of the server's certificate.
|
| networking.openconnect.interfaces.<name>.privateKey | Private key to authenticate with.
|
| services.gancio.settings.db.database | Name of the PostgreSQL database
|
| services.prometheus.remoteWrite.*.basic_auth.username | HTTP username
|
| services.bitwarden-directory-connector-cli.ldap.username | The user to authenticate as.
|
| containers.<name>.forwardPorts | List of forwarded ports from host to container
|
| services.sanoid.datasets.<name>.pre_snapshot_script | Script to run before taking snapshot.
|
| services.bitwarden-directory-connector-cli.ldap.hostname | The host the LDAP is accessible on.
|
| services.dependency-track.settings."alpine.oidc.teams.claim" | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| virtualisation.fileSystems.<name>.overlay.workdir | The path to the workdir
|
| services.tailscale.derper.domain | Domain name under which the derper server is reachable.
|
| networking.supplicant.<name>.userControlled.enable | Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli
|
| services.borgmatic.configurations.<name>.repositories | A required list of local or remote repositories with paths and
optional labels (which can be used with the --repository flag to
select a repository)
|
| networking.interfaces.<name>.ipv6.addresses.*.address | IPv6 address of the interface
|
| networking.interfaces.<name>.ipv4.addresses.*.address | IPv4 address of the interface
|
| services.snipe-it.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| containers.<name>.localAddress | The IPv4 address assigned to the interface in the container
|
| services.matrix-synapse.settings.listeners.*.resources.*.names | List of resources to host on this listener.
|
| services.mysql.ensureUsers | Ensures that the specified users exist and have at least the ensured permissions
|
| services.httpd.customLogFormat | Defines a custom Apache HTTPD access log format string
|