| services.dependency-track.oidc.userProvisioning | Specifies if mapped OpenID Connect accounts are automatically created upon successful
authentication
|
| services.userdbd.enableSSHSupport | Whether to enable exposing OpenSSH public keys defined in userdb
|
| services.gitlab.secrets.jwsFile | A file containing the secret used to encrypt session
keys
|
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled
allowing all users in the "pipewire" group to use it simultaneously
|
| services.pretix.settings.pretix.registration | Whether to allow registration of new admin users.
|
| services.vsftpd.chrootlocalUser | Whether local users are confined to their home directory.
|
| services.vsftpd.anonymousUploadEnable | Whether any uploads are permitted to anonymous users.
|
| services.transmission.settings.umask | Sets transmission's file mode creation mask
|
| services.thelounge.public | Make your The Lounge instance public
|
| services.grafana.settings.users.user_invite_max_lifetime_duration | The duration in time a user invitation remains valid before expiring
|
| services.gitlab.secrets.otpFile | A file containing the secret used to encrypt secrets for OTP
tokens
|
| services.movim.minifyStaticFiles | Do minification on public static files which reduces the size of
assets — saving data for the server & users as well as offering a
performance improvement
|
| environment.shellAliases | An attribute set that maps aliases (the top level attribute names in
this option) to command strings or directly to build outputs
|
| security.pam.u2f.enable | Enables U2F PAM (pam-u2f) module
|
| services.matrix-tuwunel.settings.global.allow_registration | Whether new users can register on this server
|
| services.firezone.gui-client.allowedUsers | All listed users will become part of the firezone-client group so
they can control the tunnel service
|
| services.buildbot-master.reporters | List of reporter objects used to present build status to various users.
|
| services.systembus-notify.enable | Whether to enable System bus notification support
WARNING: enabling this option (while convenient) should not be done on a
machine where you do not trust the other users as it allows any other
local user to DoS your session by spamming notifications.
|
| services.grafana.settings.server.enable_gzip | Set this option to true to enable HTTP compression; this can improve transfer speed and bandwidth utilization
|
| services.iperf3.authorizedUsersFile | Path to the configuration file containing authorized users credentials to run iperf tests.
|
| services.dependency-track.settings."alpine.oidc.team.synchronization" | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
|
| fonts.fontconfig.hinting.enable | Enable font hinting
|
| services.anubis.defaultOptions.settings.WEBMASTER_EMAIL | If set, shows a contact email address when rendering error pages
|
| services.pgbouncer.settings.pgbouncer.max_client_conn | Maximum number of client connections allowed
|
| services.tt-rss.registration.maxUsers | Maximum number of users which will be allowed to register on this
system. 0 - no limit.
|
| services.hylafax.userAccessFile | The hosts.hfaxd file entry in the spooling area will be symlinked to the location given here
|
| services.nextcloud.settings."profile.enabled" | Makes user-profiles globally available under nextcloud.tld/u/user.name
|
| services.angrr.settings.profile-policies.<name>.profile-paths | Paths to the Nix profile
|
| system.extraDependencies | A list of paths that should be included in the system
closure but generally not visible to users
|
| services.anubis.instances.<name>.settings.WEBMASTER_EMAIL | If set, shows a contact email address when rendering error pages
|
| services.userborn.static | Whether to generate the password files at build time and store them directly
in the system closure, without requiring any services at boot time
|
| services.dependency-track.settings."alpine.oidc.teams.default" | Defines one or more team names that auto-provisioned OIDC users shall be added to
|
| services.mtprotoproxy.secureOnly | Don't allow users to connect in non-secure mode (without random padding).
|
| services.ntfy-sh.environmentFile | Path to a file containing extra ntfy environment variables in the systemd EnvironmentFile
format
|
| services.akkoma.config.":pleroma".":frontends" | Frontend configuration
|
| services.prometheus.remoteRead.*.name | Name of the remote read config, which if specified must be unique among remote read configs
|
| boot.initrd.network.ssh.hostKeys | Specify SSH host keys to import into the initrd
|
| networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| services.sourcehut.settings."meta.sr.ht::settings".onboarding-redirect | Where to redirect new users upon registration.
|
| programs._1password-gui.polkitPolicyOwners | A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms.
|
| services.prometheus.remoteWrite.*.name | Name of the remote write config, which if specified must be unique among remote write configs
|
| services.pgbackrest.repos.<name>.sftp-private-key-file | SFTP private key file
|
| services.matrix-continuwuity.settings.global.allow_registration | Whether new users can register on this server
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.unbound.localControlSocketPath | When not set to null this option defines the path
at which the unbound remote control socket should be created
|
| fonts.fontconfig.subpixel.lcdfilter | FreeType LCD filter
|
| environment.systemPackages | The set of packages that appear in /run/current-system/sw
|
| services.syncthing.openDefaultPorts | Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers
and UDP 21027 for discovery
|
| services.dependency-track.oidc.teamSynchronization | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| services.umurmur.settings.default_channel | The channel in which users will appear when connecting.
|
| services.nginx.tailscaleAuth.expectedTailnet | If you want to prevent node sharing from allowing users to access services
across tailnets, declare your expected tailnet's domain here.
|
| services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system
|
| services.tt-rss.registration.enable | Allow users to register themselves
|
| services.xserver.displayManager.startx.enable | Whether to enable the dummy "startx" pseudo-display manager, which
allows users to start X manually via the startx command from a
virtual terminal.
The X server will run under the current user, not as root.
|
| services.meilisearch.noAnalytics | Deactivates analytics
|
| services.aria2.downloadDirPermission | The permission for settings.dir
|
| services.postfix.localRecipients | List of accepted local users
|
| security.unprivilegedUsernsClone | When disabled, unprivileged users will not be able to create new namespaces
|
| networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| services.dependency-track.oidc.teams.default | Defines one or more team names that auto-provisioned OIDC users shall be added to
|
| services.prosody.modules.vcard_legacy | Converts users' profiles and avatars between old and new formats
|
| services.hydra.useSubstitutes | Whether to use binary caches for downloading store paths
|
| documentation.man.man-db.manualPages | The manual pages to generate caches for if documentation.man.generateCaches
is enabled
|
| services.paperless.consumptionDirIsPublic | Whether all users can write to the consumption dir.
|
| services.warpgate.settings.config_provider | Source of truth of users
|
| services.smartd.notifications.wall.enable | Whether to send wall notifications to all users.
|
| services.transmission.enable | Whether to enable the headless Transmission BitTorrent daemon
|
| services._3proxy.services.*.auth | Authentication type
|
| services.prosody.modules.cloud_notify | Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online
|
| services.dependency-track.frontend.baseUrl | The base URL of the API server
|
| security.dhparams.params | Diffie-Hellman parameters to generate
|
| virtualisation.docker.enable | This option enables docker, a daemon that manages
Linux containers
|
| virtualisation.lxd.enable | This option enables lxd, a daemon that manages
containers
|
| hardware.display.edid.linuxhw | Exposes EDID files from users-sourced database at https://github.com/linuxhw/EDID
Attribute names will be mapped to EDID filenames <NAME>.bin
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| environment.defaultPackages | Set of default packages that aren't strictly necessary
for a running system; entries can be removed for a more
minimal NixOS installation
|
| services.strongswan-swanctl.swanctl.secrets.eap.<name>.id | Identity the EAP/XAuth secret belongs to
|
| services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.id | Identity the NTLM secret belongs to
|
| services.firezone.server.provision.accounts.<name>.actors | All actors (users) to provision
|
| virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) VGPU support
|
| services.linkwarden.enableRegistration | Whether to enable registration for new users.
|
| services.bitwarden-directory-connector-cli.sync.userFilter | LDAP filter for users.
|
| services.nullmailer.config.adminaddr | If set, all recipients to users at either "localhost" (the literal string)
or the canonical host name (from the me control attribute) are remapped to this address
|
| services.strongswan-swanctl.swanctl.secrets.xauth.<name>.id | Identity the EAP/XAuth secret belongs to
|
| services.healthchecks.settings.REGISTRATION_OPEN | A boolean that controls whether site visitors can create new accounts
|
| virtualisation.libvirtd.enable | This option enables libvirtd, a daemon that manages
virtual machines
|
| services.prosody.xmppComplianceSuite | XEP-0423 defines a set of recommended XEPs to implement
for a server
|
| services.bitwarden-directory-connector-cli.sync.largeImport | Enable if you are syncing more than 2000 users/groups.
|
| environment.corePackages | Set of core packages for a normal interactive system
|
| services.i2pd.precomputation.elgamal | Whether to use precomputed tables for ElGamal.
i2pd defaults to false to save 64M of memory (and loses some performance)
|
| services.taskserver.organisations | An attribute set where the keys name the organisation and the values
are a set of lists of users and groups.
|
| services.bitwarden-directory-connector-cli.sync.userObjectClass | Class that users must have.
|
| services.netbird.server.management.singleAccountModeDomain | Enables single account mode
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| programs.opengamepadui.fontPackages | Font packages to use in OpenGamepadUI
|
| services.alerta.authenticationRequired | Whether users must authenticate when using the web UI or command-line tool
|
| services.grafana.provision.datasources.settings.datasources.*.editable | Allow users to edit datasources from the UI.
|
| services.gitea.captcha.requireForExternalRegistration | Displays a CAPTCHA challenge for users that register externally.
|