| security.please.enable | Whether to enable please, a Sudo clone which allows users to execute a command or edit a file as another user.
|
| nix.buildMachines.*.maxJobs | The number of concurrent jobs the build machine supports
|
| services.nsd.ratelimit.whitelistRatelimit | Max qps allowed from whitelisted sources.
0 means unlimited
|
| programs.pmount.enable | Whether to enable pmount, a tool that allows normal users to mount removable devices without requiring root privileges.
|
| networking.fooOverUDP | This option allows you to configure Foo Over UDP and Generic UDP Encapsulation
endpoints
|
| services.prometheus.exporters.postfix.group | Group under which the postfix exporter shall be run
|
| services.firefox-syncserver.singleNode.capacity | How many sync accounts are allowed on this server
|
| services.udisks2.enable | Whether to enable udisks2, a DBus service that allows applications to query and manipulate storage devices.
|
| services.openssh.enable | Whether to enable the OpenSSH secure shell daemon, which
allows secure remote logins.
|
| services.swapspace.settings.max_swapsize | Greatest allowed size for individual swapfiles
|
| services.swapspace.settings.min_swapsize | Smallest allowed size for individual swapfiles
|
| services.hostapd.radios.<name>.wifi5.capabilities | VHT (Very High Throughput) capabilities given as a list of flags
|
| services.siproxd.sipDscp | DSCP (differentiated services) value to be assigned
to SIP packets
|
| services.siproxd.rtpDscp | DSCP (differentiated services) value to be assigned
to RTP packets
|
| networking.greTunnels | This option allows you to define Generic Routing Encapsulation (GRE) tunnels.
|
| services.murmur.bonjour | Whether to enable Bonjour auto-discovery, which allows clients over your LAN to automatically discover Mumble servers.
|
| services.hostapd.radios.<name>.wifi4.capabilities | HT (High Throughput) capabilities given as a list of flags
|
| services.nextcloud-spreed-signaling.settings.app.debug | Set to "true" to install pprof debug handlers
|
| networking.macvlans | This option allows you to define macvlan interfaces which should
be automatically created.
|
| networking.vlans | This option allows you to define vlan devices that tag packets
on top of a physical interface
|
| services.oauth2-proxy.keyFile | oauth2-proxy allows passing sensitive configuration via environment variables
|
| services.hostapd.radios.<name>.countryCode | Country code (ISO/IEC 3166-1)
|
| services.oidentd.enable | Whether to enable ‘oidentd’, an implementation of the Ident
protocol (RFC 1413)
|
| containers.<name>.enableTun | Allows the container to create and setup tunnel interfaces
by granting the NET_ADMIN capability and
enabling access to /dev/net/tun.
|
| networking.bonds | This option allows you to define bond devices that aggregate multiple,
underlying networking interfaces together
|
| services.kismet.extraConfig | Literal Kismet config lines appended to the site config
|
| security.wrappers | This option effectively allows adding setuid/setgid bits, capabilities,
changing file ownership and permissions of a program without directly
modifying it
|
| services.knot.keyFiles | A list of files containing additional configuration
to be included using the include directive
|
| services.weechat.headless | Allows specifying if weechat should run in TUI or headless mode.
|
| services.nextcloud-spreed-signaling.backends | A list of backends from which clients are allowed to connect
|
| security.pam.sshAgentAuth.enable | Whether to enable authenticating using a signature performed by the ssh-agent
|
| services.bitlbee.enable | Whether to run the BitlBee IRC to other chat network gateway
|
| services.nixops-dns.dnsmasq | Enable dnsmasq forwarding to nixops-dns
|
| services.prosody.modules.csi | Implements the CSI protocol that allows clients to report their active/inactive state to the server
|
| services.taler.includes | Files to include into the config file using Taler's @inline@ directive
|
| services.samba.nsswins | Whether to enable WINS NSS (Name Service Switch) plug-in
|
| services.webhook.enable | Whether to enable Webhook, a server written in Go that allows you to create HTTP endpoints (hooks), which execute configured commands for any person or service that knows the URL.
|
| services.sabnzbd.settings.misc.bandwidth_perc | Percentage of bandwidth_max that sabnzbd is allowed to use.
0 means no limit.
|
| services.keter.bundle.secretScript | Allows loading of private environment variables
|
| services.firezone.server.provision.accounts.<name>.policies.<name>.group | The group which should be allowed access to the given resource.
|
| services.coturn.no-auth | This option is opposite to lt-cred-mech.
(TURN Server with no-auth option allows anonymous access)
|
| services.avahi.nssmdns4 | Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv4
|
| services.consul.leaveOnStop | If enabled, causes a leave action to be sent when closing consul
|
| services.rspamd.locals.<name>.enable | Whether this locals file should be generated
|
| nixpkgs.overlays | List of overlays to apply to Nixpkgs
|
| security.auditd.plugins.<name>.args | This allows you to pass arguments to the child program
|
| environment.etc.<name>.enable | Whether this /etc file should be generated
|
| services.keter.bundle.publicScript | Allows loading of public environment variables,
these are emitted to the log so it shouldn't contain secrets.
|
| services.nginx.resolver.valid | By default, nginx caches answers using the TTL value of a response
|
| services.thanos.rule.alert.label-drop | Labels by name to drop before sending to alertmanager
|
| services.multipath.pathGroups | This option allows you to define multipath groups as described
in http://christophe.varoqui.free.fr/usage.html.
|
| boot.initrd.systemd.dmVerity.enable | Mount verity-protected block devices in the initrd
|
| services.multipath.devices | This option allows you to define arrays for use in multipath
groups.
|
| services.openssh.settings.PasswordAuthentication | Specifies whether password authentication is allowed.
|
| networking.bridges | This option allows you to define Ethernet bridge devices
that connect physical networks together
|
| services.firezone.server.provision.accounts.<name>.policies.<name>.resource | The resource to which access should be allowed.
|
| services.matrix-synapse.settings.max_upload_size | The largest allowed upload size in bytes
|
| programs.neovim.runtime.<name>.enable | Whether this runtime directory should be generated
|
| services.umami.settings.BASE_PATH | Allows you to host Umami under a subdirectory
|
| services.thanos.rule.web.route-prefix | Prefix for API and UI endpoints
|
| services.bitlbee.protocols | This option allows you to remove support for a protocol, even if compiled in
|
| security.dhparams.defaultBitSize | This allows you to override the default bit size for all of the Diffie-Hellman parameters set in security.dhparams.params.
|
| services.syncplay.saltFile | Path to the file that contains the server salt
|
| services.firezone.server.provision.accounts.<name>.resources.<name>.filters | A list of filters to restrict traffic
|
| services.nginx.enableQuicBPF | Enables routing of QUIC packets using eBPF
|
| services.restic.server.appendOnly | Enable append only mode
|
| services.thanos.query.web.route-prefix | Prefix for API and UI endpoints
|
| services.sympa.settingsFile.<name>.enable | Whether this file should be generated
|
| virtualisation.spiceUSBRedirection.enable | Install the SPICE USB redirection helper with setuid
privileges
|
| programs.tuxclocker.useUnfree | Whether to use components requiring unfree dependencies
|
| programs.zsh.vteIntegration | Whether to enable Zsh integration for VTE terminals
|
| services.immich.settings | Configuration for Immich
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.readBuckets | The organization's buckets which should be allowed to be read
|
| services.actkbd.enable | Whether to enable the actkbd key mapping daemon
|
| services.xserver.logFile | Controls the file Xorg logs to
|
| services.xserver.displayManager.lightdm.greeters.gtk.indicators | List of allowed indicator modules to use for the lightdm gtk
greeter panel
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writeBuckets | The organization's buckets which should be allowed to be written
|
| services.sabnzbd.settings.misc.inet_exposure | Restrictions for access from non-local IP addresses
|
| programs.bash.vteIntegration | Whether to enable Bash integration for VTE terminals
|
| networking.vswitches | This option allows you to define Open vSwitches that connect
physical networks together
|
| services.fwupd.extraTrustedKeys | Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files
|
| services.openssh.settings.KbdInteractiveAuthentication | Specifies whether keyboard-interactive authentication is allowed.
|
| services.caddy.adapter | Name of the config adapter to use
|
| services.rspamd.overrides.<name>.enable | Whether this overrides file should be generated
|
| services.power-profiles-daemon.enable | Whether to enable power-profiles-daemon, a DBus daemon that allows
changing system behavior based upon user-selected power profiles.
|
| services.upower.noPollBatteries | Don't poll the kernel for battery level changes
|
| programs.atop.atopacctService.enable | Whether to enable the atopacct service which manages process accounting
|
| services.keter.globalKeterConfig.ip-from-header | You want that ip-from-header in the nginx setup case
|
| services.systembus-notify.enable | Whether to enable System bus notification support.
WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications.
|
| services.pgmanage.tls | These options tell pgmanage where the TLS Certificate and Key files
reside
|
| services.avahi.nssmdns6 | Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv6
|
| services.umami.settings.TRACKER_SCRIPT_NAME | Allows you to assign a custom name to the tracker script different from the default script.js.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa | Whether to set mark_in on the inbound SA
|
| systemd.services.<name>.reloadIfChanged | Whether the service should be reloaded during a NixOS
configuration switch if its definition has changed
|
| services.ejabberd.imagemagick | Add ImageMagick to server's path; allows for image thumbnailing
|
| services.spiped.config.<name>.waitForDNS | Wait for DNS
|
| services.mullvad-vpn.enableExcludeWrapper | This option activates the wrapper that allows the use of mullvad-exclude
|
| programs.msmtp.accounts | Named accounts and their respective configurations
|
| services.prosody.modules.bookmarks | Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.mac | If this attribute is not included, or if it is set to the wildcard address (ff:ff:ff:ff:ff:ff),
the entry is available for any station (client) to use
|