| services.firezone.gui-client.allowedUsers | All listed users will become part of the firezone-client group so
they can control the tunnel service
|
| system.extraDependencies | A list of paths that should be included in the system
closure but generally not visible to users
|
| services.gitlab.secrets.otpFile | A file containing the secret used to encrypt secrets for OTP
tokens
|
| services.cryptpad.settings.httpUnsafeOrigin | This is the URL that users will enter to load your instance
|
| fonts.fontconfig.hinting.enable | Enable font hinting
|
| services.tt-rss.registration.maxUsers | Maximum amount of users which will be allowed to register on this
system. 0 - no limit.
|
| networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| programs._1password-gui.polkitPolicyOwners | A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms.
|
| services.mtprotoproxy.secureOnly | Don't allow users to connect in non-secure mode (without random padding).
|
| services.hylafax.userAccessFile | The hosts.hfaxd
file entry in the spooling area
will be symlinked to the location given here
|
| services.sourcehut.settings."todo.sr.ht".notify-from | Outgoing email for notifications generated by users.
|
| security.pam.u2f.enable | Enables U2F PAM (pam-u2f) module
|
| services.akkoma.config.":pleroma".":frontends" | Frontend configuration
|
| services.ntfy-sh.environmentFile | Path to a file containing extra ntfy environment variables in the systemd EnvironmentFile
format
|
| services.userborn.static | Whether to generate the password files at build time and store them directly
in the system closure, without requiring any services at boot time
|
| services.prometheus.remoteRead.*.name | Name of the remote read config, which if specified must be unique among remote read configs
|
| services.dependency-track.settings."alpine.oidc.user.provisioning" | Specifies if mapped OpenID Connect accounts are automatically created upon successful
authentication
|
| services.sourcehut.settings."lists.sr.ht".notify-from | Outgoing email for notifications generated by users.
|
| services.sourcehut.settings."builds.sr.ht".allow-free | Whether to enable nonpaying users to submit builds.
|
| environment.systemPackages | The set of packages that appear in
/run/current-system/sw
|
| services.pgbackrest.repos.<name>.sftp-private-key-file | SFTP private key file
|
| services.prometheus.remoteWrite.*.name | Name of the remote write config, which if specified must be unique among remote write configs
|
| services.sourcehut.settings."pages.sr.ht".user-domain | Configures the user domain, if enabled
|
| services.sourcehut.settings."todo.sr.ht::mail".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| services.dependency-track.oidc.teamSynchronization | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| services.aria2.downloadDirPermission | The permission for settings.dir
|
| security.unprivilegedUsernsClone | When disabled, unprivileged users will not be able to create new namespaces
|
| networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| services.unbound.localControlSocketPath | When not set to null this option defines the path
at which the unbound remote control socket should be created at
|
| services.syncthing.openDefaultPorts | Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers
and UDP 21027 for discovery
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.meilisearch.noAnalytics | Deactivates analytics
|
| fonts.fontconfig.subpixel.lcdfilter | FreeType LCD filter
|
| services.spacecookie.settings.log.hide-ips | If enabled, spacecookie will hide personal
information of users like IP addresses from
log output.
|
| services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system
|
| services.anuko-time-tracker.settings.multiorgMode | Defines whether users see the Register option in the menu of Time Tracker that allows them
to self-register and create new organizations (top groups).
|
| nix.settings.trusted-substituters | List of binary cache URLs that non-root users can use (in
addition to those specified using
nix.settings.substituters) by passing
--option binary-caches to Nix commands.
|
| services.nginx.tailscaleAuth.expectedTailnet | If you want to prevent node sharing from allowing users to access services
across tailnets, declare your expected tailnets domain here.
|
| services.paperless.consumptionDirIsPublic | Whether all users can write to the consumption dir.
|
| services.postfix.localRecipients | List of accepted local users
|
| services.tt-rss.registration.enable | Allow users to register themselves
|
| services.sourcehut.settings."lists.sr.ht::worker".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| services.hydra.useSubstitutes | Whether to use binary caches for downloading store paths
|
| services._3proxy.services.*.auth | Authentication type
|
| services.prosody.modules.vcard_legacy | Converts users profiles and Avatars between old and new formats
|
| services.matrix-tuwunel.settings.global.allow_registration | Whether new users can register on this server
|
| services.xserver.displayManager.startx.enable | Whether to enable the dummy "startx" pseudo-display manager, which
allows users to start X manually via the startx command from a
virtual terminal.
The X server will run under the current user, not as root.
|
| boot.initrd.network.ssh.hostKeys | Specify SSH host keys to import into the initrd
|
| documentation.man.man-db.manualPages | The manual pages to generate caches for if documentation.man.generateCaches
is enabled
|
| services.transmission.enable | Whether to enable the headless Transmission BitTorrent daemon
|
| services.szurubooru.server.settings.secretFile | File containing a secret used to salt the users' password hashes and generate filenames for static content.
|
| services.dependency-track.oidc.teams.default | Defines one or more team names that auto-provisioned OIDC users shall be added to
|
| services.smartd.notifications.wall.enable | Whenever to send wall notifications to all users.
|
| services.prosody.modules.cloud_notify | Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online
|
| virtualisation.docker.enable | This option enables docker, a daemon that manages
linux containers
|
| environment.defaultPackages | Set of default packages that aren't strictly necessary
for a running system, entries can be removed for a more
minimal NixOS installation
|
| services.dependency-track.frontend.baseUrl | The base URL of the API server
|
| virtualisation.lxd.enable | This option enables lxd, a daemon that manages
containers
|
| services.dependency-track.settings."alpine.oidc.team.synchronization" | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) VGPU support
|
| security.dhparams.params | Diffie-Hellman parameters to generate
|
| services.pgbouncer.settings.pgbouncer.max_client_conn | Maximum number of client connections allowed
|
| services.linkwarden.enableRegistration | Whether to enable registration for new users.
|
| services.pretix.settings.pretix.registration | Whether to allow registration of new admin users.
|
| services.transmission.settings.umask | Sets transmission's file mode creation mask
|
| services.bitwarden-directory-connector-cli.sync.userFilter | LDAP filter for users.
|
| environment.corePackages | Set of core packages for a normal interactive system
|
| services.strongswan-swanctl.swanctl.secrets.eap.<name>.id | Identity the EAP/XAuth secret belongs to
|
| services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.id | Identity the NTLM secret belongs to
|
| virtualisation.libvirtd.enable | This option enables libvirtd, a daemon that manages
virtual machines
|
| services.firezone.server.provision.accounts.<name>.actors | All actors (users) to provision
|
| services.taskserver.organisations | An attribute set where the keys name the organisation and the values
are a set of lists of users and
groups.
|
| hardware.display.edid.linuxhw | Exposes EDID files from users-sourced database at https://github.com/linuxhw/EDID
Attribute names will be mapped to EDID filenames <NAME>.bin
|
| services.nullmailer.config.adminaddr | If set, all recipients to users at either "localhost" (the literal string)
or the canonical host name (from the me control attribute) are remapped to this address
|
| services.matrix-continuwuity.settings.global.allow_registration | Whether new users can register on this server
|
| services.bitwarden-directory-connector-cli.sync.largeImport | Enable if you are syncing more than 2000 users/groups.
|
| services.prosody.xmppComplianceSuite | The XEP-0423 defines a set of recommended XEPs to implement
for a server
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| services.strongswan-swanctl.swanctl.secrets.xauth.<name>.id | Identity the EAP/XAuth secret belongs to
|
| services.bitwarden-directory-connector-cli.sync.userObjectClass | Class that users must have.
|
| services.grafana.settings.server.enable_gzip | Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization
|
| services.i2pd.precomputation.elgamal | Whenever to use precomputated tables for ElGamal.
i2pd defaults to false
to save 64M of memory (and looses some performance)
|
| programs.opengamepadui.fontPackages | Font packages to use in OpenGamepadUI
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.alerta.authenticationRequired | Whether users must authenticate when using the web UI or command-line tool
|
| services.anubis.defaultOptions.settings.WEBMASTER_EMAIL | If set, shows a contact email address when rendering error pages
|
| services.anubis.instances.<name>.settings.WEBMASTER_EMAIL | If set, shows a contact email address when rendering error pages
|
| services.angrr.settings.profile-policies.<name>.profile-paths | Paths to the Nix profile
|
| services.netbird.server.management.singleAccountModeDomain | Enables single account mode
|
| services.gitea.captcha.requireForExternalRegistration | Displays a CAPTCHA challenge for users that register externally.
|
| networking.networkmanager.enable | Whether to use NetworkManager to obtain an IP address and other
configuration for all network interfaces that are not manually
configured
|
| services.nextcloud.settings."profile.enabled" | Makes user-profiles globally available under nextcloud.tld/u/user.name
|
| virtualisation.podman.dockerSocket.enable | Make the Podman socket available in place of the Docker socket, so
Docker tools can find the Podman socket
|
| services.dependency-track.settings."alpine.oidc.teams.default" | Defines one or more team names that auto-provisioned OIDC users shall be added to
|
| services.bitwarden-directory-connector-cli.sync.removeDisabled | Remove users from bitwarden groups if no longer in the ldap group.
|
| security.pam.services.<name>.googleAuthenticator.enable | If set, users with enabled Google Authenticator (created
~/.google_authenticator) will be required
to provide Google Authenticator token to log in.
|
| virtualisation.docker.rootless.setSocketVariable | Point DOCKER_HOST to rootless Docker instance for
normal users by default.
|
| services.umurmur.settings.default_channel | The channel in which users will appear in when connecting.
|
| services.bitwarden-directory-connector-cli.sync.userEmailAttribute | Attribute for a users email.
|