| Option | Description |
|---|---|
| services.tinyproxy.settings.Anonymous | If an Anonymous keyword is present, then anonymous proxying is enabled. |
| users.extraUsers.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that the user is allowed to use. |
| users.extraUsers.<name>.subUidRanges.*.startUid | Start of the range of subordinate user ids that the user is allowed to use. |
| services.soju.httpOrigins | List of allowed HTTP origins for WebSocket listeners. |
| services.sftpgo.extraReadWriteDirs | Extra directories that SFTPGo is allowed to write to. |
| services.coturn.secure-stun | Require authentication of the STUN Binding request. |
| security.doas.extraRules | Define specific rules to be set in the /etc/doas.conf file. |
| services.rustdesk-server.enable | Whether to enable RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices. |
| services.spiped.config.<name>.maxConns | Limit on the number of simultaneous connections allowed. |
| services.nginx.sslProtocols | Allowed TLS protocol versions. |
| services.avahi.reflector | Reflect incoming mDNS requests to all allowed network interfaces. |
| security.audit.backlogLimit | The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode. |
| services.httpd.sslProtocols | Allowed SSL/TLS protocol versions. |
| services.sanoid.settings | Free-form settings written directly to the config file. |
| services.tt-rss.email.security | Used to select a secure SMTP connection. |
| boot.loader.efi.canTouchEfiVariables | Whether the installation process is allowed to modify EFI boot variables. |
| services.blendfarm.openFirewall | Whether to open the firewall to allow blendfarm network access. |
| services.avahi.enable | Whether to run the Avahi daemon, which allows Avahi clients to use Avahi's service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by avahi-daemon). |
| services.i2pd.inTunnels.<name>.accessList | I2P nodes that are allowed to connect to this service. |
| hardware.enableAllFirmware | Whether to enable all firmware, including unfree packages that must be explicitly allowed. |
| networking.ipips | This option allows you to define interfaces encapsulating IP packets within IP packets, which should be automatically created. |
| services.openssh.settings.Macs | Allowed MACs. Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 |
| boot.binfmt.addEmulatedSystemsToNixSandbox | Whether to add boot.binfmt.emulatedSystems to nix.settings.extra-platforms. |
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled, allowing all users in the "pipewire" group to use it simultaneously. |
| services.kbfs.enableRedirector | Whether to enable the Keybase root redirector service, allowing any user to access KBFS files via /keybase, which will show different contents depending on the requester. |
| services.postfix.networks | Net masks for trusted hosts (those allowed to relay mail to third parties). |
| services.tailscale.permitCertUid | Username or user ID of the user allowed to fetch Tailscale TLS certificates for the node. |
| services.murmur.autobanAttempts | Number of attempts a client is allowed to make in autobanTimeframe seconds before being banned for autobanTime. |
| services.ostinato.portList.include | For a port to pass the filter and appear on the port list managed by drone, it must be allowed by this include list. |
| hardware.tuxedo-drivers.settings.fn-lock | Enables or disables the laptop keyboard's Function (Fn) lock at boot. |
| security.loginDefs.settings.DEFAULT_HOME | Indicate whether login is allowed if we can't cd to the home directory. |
| services.oauth2-proxy.email.addresses | Line-separated email addresses that are allowed to authenticate. |
| boot.kernel.sysfs | sysfs attributes to be set as soon as they become available. |
| services.coturn.listening-port | TURN listener port for UDP and TCP. |
| services.openssh.settings.Ciphers | Allowed ciphers. Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 |
| services.geoclue2.appConfig.<name>.isAllowed | Whether the application will be allowed access to location information. |
| services.samba.usershares.group | Name of the group whose members will be allowed to create usershares. |
| services.neo4j.ssl.policies.<name>.ciphers | Restrict the allowed ciphers of this policy to those defined here. |
| services.snowflake-proxy.capacity | Limits the maximum number of concurrent clients allowed. |
| services.openssh.settings.AllowUsers | If specified, login is allowed only for the listed users. |
| security.googleOsLogin.enable | Whether to enable Google OS Login. |
| services.nylon.<name>.nrConnections | The number of allowed simultaneous connections to the daemon; default 10. |
| services.vsftpd.userlistFile | Newline-separated list of names to be allowed/denied if userlistEnable is true. |
| services.traefik.dynamic.files | Dynamic configuration files to write. |
| programs.wireshark.enable | Whether to add Wireshark to the global environment and create a 'wireshark' group. |
| services.gotenberg.chromium.disableRoutes | Disable all routes allowing Chromium-based conversion. |
| services.cassandra.jmxRoles | Roles that are allowed to access the JMX (e.g. nodetool). BEWARE: the passwords will be stored world-readable in the nix store. |
| services.snapper.configs.<name>.ALLOW_USERS | List of users allowed to operate with the config. "root" is always implicitly included. |
| services.snapper.configs.<name>.ALLOW_GROUPS | List of groups allowed to operate with the config. |
| services.pdfding.consume.enable | Bulk PDF import from the consume directory. |
| services.gnome.gnome-browser-connector.enable | Whether to enable the native host connector for the GNOME Shell browser extension, a DBus service allowing GNOME Shell extensions to be installed from a web browser. |
| services.openssh.settings.AllowGroups | If specified, login is allowed only for users that are part of the listed groups. |
| networking.interfaces.<name>.virtualOwner | In case of a virtual device, the user who owns it. null will not set an owner, allowing access to any user. |
| services.paperless.exporter.onCalendar | When to run the exporter. |
| services.portunus.dex.oidcClients | List of OIDC clients. |
| services.mtprotoproxy.users | Allowed users and their secrets. |
| networking.defaultGatewayWindowSize | The window size of the default gateway. |
| services.nginx.tailscaleAuth.expectedTailnet | If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnet's domain here. |
| services.kerberos_server.settings.realms.<name>.acl.*.access | The changes the principal is allowed to make. The "all" permission does not imply the "get-keys" permission. |
| services.umurmur.settings.max_users | Maximum number of concurrent clients allowed. |
| services.gitlab.sidekiq.memoryKiller.maxMemory | The maximum amount of memory, in MiB, a Sidekiq worker is allowed to consume before being killed. |
| services.openssh.settings.GatewayPorts | Specifies whether remote hosts are allowed to connect to ports forwarded for the client. |
| services.rabbitmq.unsafeCookie | The Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate. |
| services.nsd.ratelimit.ratelimit | Max qps allowed from any query source. 0 means unlimited. |
| services.tailscale.derper.verifyClients | Whether to verify against a locally running tailscale daemon that clients are allowed to connect to this node. |
| services.tt-rss.registration.maxUsers | Maximum number of users which will be allowed to register on this system. 0 means no limit. |
| services.ferm.config | Verbatim ferm.conf configuration. |
| services.agate.onlyTls_1_3 | Only use TLSv1.3 (the default also allows TLSv1.2). |
| services.cjdns.authorizedPasswords | Any remote cjdns nodes that offer these passwords on connection will be allowed to route through this node. |
| services.mosquitto.listeners.*.omitPasswordAuth | Omits password checking, allowing anyone to log in with any user name unless other mandatory authentication methods (e.g. TLS client certificates) are configured. |
| services.reaction.runAsRoot | Whether to run reaction as root. |
| services.diod.exports | List the file systems that clients will be allowed to mount. |
| services.gitlab.sidekiq.memoryKiller.shutdownWait | The time allowed for all jobs to finish before Sidekiq is killed forcefully. |
| services.gotenberg.libreoffice.disableRoutes | Disable all routes allowing LibreOffice-based conversion. |
| services.nntp-proxy.upstreamMaxConnections | Maximum allowed concurrent connections to the upstream server. |
| services.cron.systemCronJobs | A list of Cron jobs to be appended to the system-wide crontab. |
| services.openssh.settings.KexAlgorithms | Allowed key exchange algorithms. Uses the lower bound recommended in both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 |
| services.gitlab-runner.services.<name>.dockerAllowedImages | Whitelist of allowed images. |
| security.sudo.enable | Whether to enable the sudo command, which allows non-root users to execute commands as root. |
| services.fwupd.enable | Whether to enable fwupd, a DBus service that allows applications to update firmware. |
| security.doas.enable | Whether to enable the doas command, which allows non-root users to execute commands as root. |
| virtualisation.libvirtd.qemu.package | The qemu package to use. pkgs.qemu can emulate alien architectures (e.g. aarch64 on x86); pkgs.qemu_kvm saves disk space by allowing emulation of the host architecture only. |
| hardware.wirelessRegulatoryDatabase | Whether to enable loading the wireless regulatory database at boot. |
| services.syncthing.settings.folders.<name>.path | The path to the folder which should be shared. |
| networking.sits | This option allows you to define interfaces encapsulating IPv6 packets within IPv4 packets, which should be automatically created. |
| services.foundationdb.extraReadWritePaths | An extra set of filesystem paths that FoundationDB can read from and write to. |
| services.nix-store-gcs-proxy | An attribute set describing an HTTP to GCS proxy that allows a GCS bucket to be used via the HTTP protocol. |
| services.diod.userdb | This option disables password/group lookups. |
| security.sudo-rs.enable | Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root. |
| boot.kernelPatches | A list of additional patches to apply to the kernel. |
| services.gitlab-runner.services.<name>.dockerAllowedServices | Whitelist of allowed services. |
| services.postfix.settings.main.mynetworks | List of trusted remote SMTP clients that are allowed to relay mail. |
| hardware.enableRedistributableFirmware | Whether to enable firmware with a license allowing redistribution. |
| programs.firefox.preferences | Preferences to set from about:config. |
| networking.vswitches.<name>.controllers | Specify the controller targets. |
| services.thanos.store.store.limits.request-samples | The maximum samples allowed for a single Series request. |
| services.znapzend.zetup.<name>.timestampFormat | The timestamp format to use for constructing snapshot names. |
| services.xserver.xrandrHeads | Multiple monitor configuration; just specify a list of XRandR outputs. |
| services.fediwall.nginx | Allows customizing the nginx virtualHost settings. |
| services.coturn.tls-listening-port | TURN listener port for TLS. |