| Option | Description |
|---|---|
| `services.dependency-track.oidc.teams.claim` | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint |
| `services.saned.enable` | Enable the saned network daemon for remote connection to scanners. saned runs as the scanner user; to allow access to hardware that does not belong to the scanner group, add the needed groups to this user. |
| `programs.tcpdump.enable` | Whether to configure a setcap wrapper for tcpdump |
| `users.extraUsers.<name>.subGidRanges.*.startGid` | Start of the range of subordinate group IDs that the user is allowed to use. |
| `services.suricata.settings.vars.address-groups.SMTP_SERVERS` | SMTP_SERVERS variable. |
| `services.suricata.settings.vars.address-groups.HTTP_SERVERS` | HTTP_SERVERS variable. |
| `services.dovecot2.mailGroup` | Default group to store mail for virtual users. |
| `security.isolate.cgRoot` | Control group under which subgroups are placed |
| `services.suricata.settings.vars.address-groups.MODBUS_CLIENT` | MODBUS_CLIENT variable. |
| `services.suricata.settings.vars.address-groups.MODBUS_SERVER` | MODBUS_SERVER variable. |
| `security.sudo.execWheelOnly` | Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly |
| `security.sudo.keepTerminfo` | Whether to preserve the TERMINFO and TERMINFO_DIRS environment variables, for root and the wheel group. |
| `systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.user` | The user of the file |
| `services.suricata.settings.vars.address-groups.EXTERNAL_NET` | EXTERNAL_NET variable. |
| `security.sudo-rs.execWheelOnly` | Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly |
| `hardware.glasgow.enable` | Enables Glasgow udev rules and ensures the 'plugdev' group exists |
| `services.bitwarden-directory-connector-cli.sync.groups` | Whether to sync LDAP groups into Bitwarden. |
| `programs.minipro.enable` | Whether to enable minipro and its udev rules |
| `users.allowNoPasswordLogin` | Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key |
| `services.suricata.settings.vars.address-groups.TELNET_SERVERS` | TELNET_SERVERS variable. |
| `programs.sedutil.enable` | Whether to enable sedutil, to manage self-encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification. |
| `services.nginx.upstreams` | Defines a group of servers to use as proxy target. |
| `users.users.<name>.isNormalUser` | Indicates whether this is an account for a “real” user |
| `virtualisation.incus.enable` | Whether to enable incusd, a daemon that manages containers and virtual machines |
| `programs.gphoto2.enable` | Whether to configure the system to use gphoto2 |
| `services.couchdb.configFile` | Configuration file for persisting runtime changes |
| `services.pdfding.enable` | Whether to enable the PdfDing service |
| `services.smokeping.user` | User that runs smokeping and (optionally) thttpd |
| `services.onlyoffice.securityNonceFile` | File holding nginx configuration that sets the nonce used to create secret links |
| `security.loginDefs.settings.GID_MAX` | Upper bound of the range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers. |
| `security.loginDefs.settings.GID_MIN` | Lower bound of the range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers. |
| `services.molly-brown.certPath` | Path to TLS certificate |
| `services.timekpr.adminUsers` | All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo. |
| `services.portunus.enable` | Whether to enable Portunus, a self-contained user/group management and authentication service for LDAP. |
| `services.grafana.settings.server.socket_gid` | GID the socket should be set to when protocol=socket |
| `services.grafana.provision.alerting.rules.settings.groups` | List of rule groups to import or update. |
| `hardware.rtl-sdr.enable` | Enables rtl-sdr udev rules, ensures the 'plugdev' group exists, and blacklists DVB kernel modules |
| `services.nomad.enableDocker` | Enable Docker support |
| `services.traefik.supplementaryGroups` | Additional groups under which Traefik runs |
| `programs.flashrom.enable` | Installs flashrom and configures udev rules for programmers used by flashrom |
| `hardware.openrazer.users` | Usernames to be added to the "openrazer" group, so that they can start and interact with the OpenRazer userspace daemon. |
| `security.loginDefs.settings.SYS_GID_MAX` | Upper bound of the range of group IDs used for the creation of system groups by useradd, groupadd, or newusers |
| `security.loginDefs.settings.SYS_GID_MIN` | Lower bound of the range of group IDs used for the creation of system groups by useradd, groupadd, or newusers |
| `services.aria2.enable` | Whether or not to enable the headless Aria2 daemon service |
| `services.mailman.ldap.superUserGroup` | Group a user must be a member of to gain superuser rights. |
| `services.dependency-track.oidc.teamSynchronization` | This option ensures that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles |
| `services.hologram-server.roleAttr` | Which LDAP group attribute to search for authorized role ARNs |
| `security.sudo.defaultOptions` | Options used for the default rules, granting root and the wheel group permission to run any command as any user. |
| `networking.networkmanager.enable` | Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured |
| `boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.user` | The user of the file |
| `security.sudo-rs.defaultOptions` | Options used for the default rules, granting root and the wheel group permission to run any command as any user. |
| `services.dokuwiki.sites.<name>.acl.*.actor` | User or group to restrict |
| `programs.mouse-actions.enable` | Whether to install and set up mouse-actions and its udev rules |
| `users.extraUsers.<name>.isNormalUser` | Indicates whether this is an account for a “real” user |
| `services.sourcehut.settings."hg.sr.ht".changegroup-script` | A changegroup script which is installed in every Mercurial repo |
| `networking.wireless.networks.<name>.priority` | By default, all networks will get the same priority group (0) |
| `nix.settings.trusted-users` | A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs |
| `hardware.acpilight.enable` | Enable acpilight |
| `services.quickwit.dataDir` | Data directory for Quickwit |
| `services.temporal.dataDir` | Data directory for Temporal |
| `virtualisation.podman.dockerSocket.enable` | Make the Podman socket available in place of the Docker socket, so Docker tools can find the Podman socket |
| `services.dovecot2.createMailUser` | Whether to enable automatically creating the user given in services.dovecot.user and the group given in services.dovecot.group. |
| `programs.corectrl.enable` | Whether to enable CoreCtrl, a tool to overclock AMD graphics cards and processors |
| `hardware.sheep_net.enable` | Enables sheep_net udev rules, ensures the 'sheep_net' group exists, and adds sheep-net to boot.kernelModules and boot.extraModulePackages |
| `security.run0.wheelNeedsPassword` | Whether users of the wheel group must provide a password to run commands as super user via run0. |
| `services.dependency-track.settings."alpine.oidc.teams.claim"` | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint |
| `security.sudo.wheelNeedsPassword` | Whether users of the wheel group must provide a password to run commands as super user via sudo. |
| `security.doas.wheelNeedsPassword` | Whether users of the wheel group must provide a password to run commands as super user via doas. |
| `programs.feedbackd.enable` | Whether to enable the feedbackd D-Bus service and udev rules |
| `security.sudo-rs.wheelNeedsPassword` | Whether users of the wheel group must provide a password to run commands as super user via sudo. |
| `programs.mosh.withUtempter` | Whether to enable libutempter for mosh |
| `programs.tmux.withUtempter` | Whether to enable libutempter for tmux |
| `services.mx-puppet-discord.enable` | Whether to enable mx-puppet-discord, a Discord puppeting bridge for Matrix |
| `hardware.kryoflux.enable` | Enables kryoflux udev rules and ensures the 'floppy' group exists |
| `services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups` | List of groups to allow access to this vhost, or null to allow all. |
| `programs.idescriptor.users` | Users to be added to the idevice group. |
| `services.terraria.enable` | If enabled, starts a Terraria server |
| `services.netbird.clients.<name>.bin.suffix` | A system group name for this client instance. |
| `services.netbird.tunnels.<name>.bin.suffix` | A system group name for this client instance. |
| `services.hardware.lcd.server.usbPermissions` | Set group-write permissions on a USB device |
| `programs.soundmodem.enable` | Whether to add Soundmodem to the global environment and configure a wrapper for 'soundmodemconfig' for users in the 'soundmodem' group. |
| `services.dependency-track.settings."alpine.oidc.team.synchronization"` | This option ensures that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles |
| `security.pam.services.<name>.requireWheel` | Whether to permit root access only to members of group wheel. |
| `services.netbird.tunnels.<name>.name` | Primary name for use (as a suffix) in: the systemd service name, the hardened user name and group, systemd `*Directory=` names, and desktop application identification. |
| `services.netbird.clients.<name>.name` | Primary name for use (as a suffix) in: the systemd service name, the hardened user name and group, systemd `*Directory=` names, and desktop application identification. |
| `programs.benchexec.users` | Users that intend to use BenchExec |
| `services.aria2.serviceUMask` | The file mode creation mask for the Aria2 service |
| `hardware.libjaylink.enable` | Whether to enable udev rules for devices supported by libjaylink |
| `security.loginDefs.settings.TTYPERM` | The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM |
| `security.please.wheelNeedsPassword` | Whether users of the wheel group must provide a password to run commands or edit files with please and pleaseedit respectively. |
| `hardware.keyboard.uhk.enable` | Whether to enable non-root access to the firmware of UHK keyboards |
| `services.borgbackup.jobs.<name>.user` | The user borg is run as |
| `services.rke2.cisHardening` | Enable CIS Hardening for RKE2 |
| `services.hologram-server.enableLdapRoles` | Whether to assign user roles based on the user's LDAP group memberships |
| `security.pam.services.<name>.enableAppArmor` | Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role-based access control scheme. |
| `services.beszel.agent.smartmon.enable` | Include services.beszel.agent.smartmon.package in the Beszel agent path for disk monitoring and add the agent to the disk group. |
| `services.opensearch.dataDir` | Data directory for OpenSearch |
| `services.borgbackup.repos.<name>.user` | The user `borg serve` is run as |
| `services.smartdns.settings` | A set that will be generated into the configuration file; see the SmartDNS README for details of configuration parameters |
| `security.loginDefs.settings.TTYGROUP` | The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM |