| systemd.targets.<name>.upholds | Keeps the specified running while this unit is running
|
| systemd.sockets.<name>.upholds | Keeps the specified running while this unit is running
|
| services.mosquitto.bridges.<name>.topics | Topic patterns to be shared between the two brokers
|
| services.borgbackup.jobs.<name>.extraInitArgs | Additional arguments for borg init
|
| systemd.user.targets.<name>.upholds | Keeps the specified running while this unit is running
|
| systemd.user.sockets.<name>.upholds | Keeps the specified running while this unit is running
|
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports.*.to | The end of the port range, inclusive.
|
| services.quicktun.<name>.remoteAddress | IP address or hostname of the remote end (use 0.0.0.0 for a floating/dynamic remote endpoint).
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.enable | Boost Pipewire client priorities.
|
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters.*.ports | Either a single port or port range to allow
|
| services.grafana.settings.users.allow_org_create | Set to false to prohibit users from creating new organizations.
|
| services.public-inbox.settings.publicinboxmda.spamcheck | If set to spamc, public-inbox-watch(1) will filter spam
using SpamAssassin.
|
| services.snapserver.settings.tcp.bind_to_address | Address to listen on for snapclient connections.
|
| services.snapserver.streams.<name>.codec | Default audio compression method.
|
| boot.initrd.luks.devices.<name>.gpgCard.gracePeriod | Time in seconds to wait for the GPG Smartcard.
|
| services.maubot.settings.server.plugin_base_path | The base path for plugin endpoints
|
| services.mpdscribble.endpoints.<name>.username | Username for the scrobble service.
|
| virtualisation.docker.daemon.settings | Configuration for docker daemon
|
| services.httpd.virtualHosts.<name>.locations | Declarative location config
|
| services.veilid.settings.core.protected_store.directory | The filesystem directory to store your protected store in.
|
| services.grafana.settings.security.admin_password | Default admin password
|
| services.warpgate.settings.http.sni_certificates | Certificates for additional domains.
|
| services.openafsServer.cellServDB.*.dnsname | DNS full-qualified domain name of a database server
|
| services.openafsClient.cellServDB.*.dnsname | DNS full-qualified domain name of a database server
|
| services.openvpn.servers.<name>.authUserPass | This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method
|
| systemd.user.paths.<name>.startLimitBurst | Configure unit start rate limiting
|
| boot.specialFileSystems.<name>.enable | Whether to enable the filesystem mount.
|
| services.mobilizon.settings.":mobilizon".":instance".email_from | The email for the From: header in emails
|
| services.matomo.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.monica.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.fedimintd.<name>.nginx.config.extraConfig | These lines go to the end of the vhost verbatim.
|
| services.gancio.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.fluidd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.akkoma.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| services.grafana.provision.datasources.settings.datasources | List of datasources to insert/update.
|
| services.mbpfan.settings.general.polling_interval | The polling interval.
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file.
Do not write ids section here, use a separate option for it
|
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory is restricted to
be only available via the mail system
|
| services.movim.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.slskd.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.davis.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.grafana.settings.database.client_key_path | The path to the client key
|
| services.bitcoind.<name>.prune | Reduce storage requirements by enabling pruning (deleting) of old
blocks
|
| services.fedimintd.<name>.bitcoin.network | Bitcoin network to participate in.
|
| users.extraUsers.<name>.expires | Set the date on which the user's account will no longer be
accessible
|
| services.github-runners.<name>.nodeRuntimes | List of Node.js runtimes the runner should support.
|
| services.firewalld.services.<name>.version | Version of the service.
|
| services.firewalld.services.<name>.helpers | Helpers for the service.
|
| systemd.paths.<name>.startLimitBurst | Configure unit start rate limiting
|
| services.firezone.server.settingsSecret.COOKIE_SIGNING_SALT | A file containing a unique base64 encoded secret for the
COOKIE_SIGNING_SALT
|
| services.ergochat.configFile | Path to configuration file
|
| services.swapspace.settings.lower_freelimit | Lower free-space threshold: if the percentage of free space drops below this number, additional swapspace is allocated
|
| services.tarsnap.archives.<name>.excludes | Exclude files and directories matching these patterns.
|
| services.glitchtip.settings.ENABLE_ORGANIZATION_CREATION | When false, only superusers will be able to create new organizations after the first
|
| services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in
PEM format
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| boot.loader.systemd-boot.windows.<name>.title | The title of the boot menu entry.
|
| services.firezone.server.provision.accounts.<name>.actors | All actors (users) to provision
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.id | IKE identity to expect for authentication round
|
| services.opkssh.providers.<name>.lifetime | Token lifetime
|
| services.easytier.instances.<name>.enable | Enable the instance.
|
| services.radicle.httpd.nginx.locations.<name>.return | Adds a return directive, for e.g. redirections.
|
| services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert | Section for a certificate candidate to use for
authentication
|
| services.fedimintd.<name>.nginx.config.listen.*.port | Port number to listen on
|
| security.pam.services.<name>.gnupg.noAutostart | Don't start gpg-agent if it is not running
|
| services.klipper.firmwares.<name>.package | Path to the built firmware package.
|
| services.adguardhome.settings.schema_version | Schema version for the configuration
|
| services.snapserver.settings.http.bind_to_address | Address to listen on for snapclient connections.
|
| services.grafana.settings.server.static_root_path | Root path for static assets.
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.nice | Niceness.
|
| services.redis.servers.<name>.maxclients | Set the max number of connected clients at the same time.
|
| services.parsedmarc.settings.general.save_aggregate | Save aggregate report data to Elasticsearch and/or Splunk.
|
| services.mainsail.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.pixelfed.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.dolibarr.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.kanboard.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.anuko-time-tracker.nginx.locations.<name>.root | Root directory for requests.
|
| services.librenms.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.fediwall.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.agorakit.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| services.vdirsyncer.jobs.<name>.config.statusPath | vdirsyncer's status path
|
| services.swapspace.settings.upper_freelimit | Upper free-space threshold: if the percentage of free space exceeds this number, swapspace will attempt to free up swapspace
|
| services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| systemd.user.sockets.<name>.onSuccess | A list of one or more units that are activated when
this unit enters the "inactive" state.
|
| systemd.user.sockets.<name>.onFailure | A list of one or more units that are activated when
this unit enters the "failed" state.
|
| systemd.user.targets.<name>.onFailure | A list of one or more units that are activated when
this unit enters the "failed" state.
|
| systemd.user.targets.<name>.onSuccess | A list of one or more units that are activated when
this unit enters the "inactive" state.
|
| services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file.
|
| services.fcgiwrap.instances.<name>.socket.user | User to be set as owner of the UNIX socket.
|
| services.fcgiwrap.instances.<name>.socket.type | Socket type: 'unix', 'tcp' or 'tcp6'.
|
| services.v4l2-relayd.instances.<name>.output.format | The video-format to write to output-stream.
|
| hardware.tuxedo-drivers.settings.charging-profile | The maximum charge level to help reduce battery wear:
high_capacity charges to 100% (driver default)balanced charges to 90%stationary charges to 80% (maximum lifespan)
Note: Regardless of the configured charging profile, the operating system will always report the battery as being charged to 100%.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.eap_id | Client EAP-Identity to use in EAP-Identity exchange and the EAP method.
|
| services.rke2.autoDeployCharts.<name>.enable | Whether to enable the installation of this Helm chart
|
| systemd.targets.<name>.onFailure | A list of one or more units that are activated when
this unit enters the "failed" state.
|
| systemd.sockets.<name>.onFailure | A list of one or more units that are activated when
this unit enters the "failed" state.
|