| Option | Description |
| --- | --- |
| services.netbird.tunnels.<name>.autoStart | Start the service with the system |
| services.avahi.denyInterfaces | List of network interfaces that should be ignored by the avahi-daemon |
| services.cloudflared.enable | Whether to enable Cloudflare Tunnel client daemon (formerly Argo Tunnel). |
| services.prometheus.exporters.rasdaemon.enabledCollectors | List of error types to collect from the event database. |
| services.mpdscribble.verbose | Log level for the mpdscribble daemon. |
| services.saunafs.metalogger.enable | Whether to enable Saunafs metalogger daemon. |
| services.gnome.gnome-online-accounts.enable | Whether to enable GNOME Online Accounts daemon, a service that provides a single sign-on framework for the GNOME desktop. |
| services.avahi.allowInterfaces | List of network interfaces that should be used by the avahi-daemon |
| services.quassel.interfaces | The interfaces the Quassel daemon will be listening to |
| services.shairport-sync.arguments | Arguments to pass to the daemon |
| services.spamassassin.debug | Whether to run the SpamAssassin daemon in debug mode |
| services.endlessh-go.prometheus.port | Specifies on which port the endlessh-go daemon listens for Prometheus queries. |
| services.guix.substituters.urls | A list of substitute servers' URLs for the Guix daemon to download substitutes from. |
| services.postfix.masterConfig.<name>.command | A program name specifying a Postfix service/daemon process |
| services.nylon.<name>.nrConnections | The number of allowed simultaneous connections to the daemon, default 10. |
| services.watchdogd.settings.safe-exit | With safeExit enabled, the daemon will ask the driver to disable the WDT before exiting |
| services.moosefs.metalogger.enable | Whether to enable MooseFS metalogger daemon that maintains a backup copy of the master's metadata. |
| services.traefik.dynamic.files | Dynamic configuration files to write |
| services.collabora-online.settings | Configuration for Collabora Online WebSocket Daemon, see https://sdk.collaboraonline.com/docs/installation/Configuration.html, or https://github.com/CollaboraOnline/online/blob/master/coolwsd.xml.in for the default configuration. |
| services.spamassassin.enable | Whether to enable the SpamAssassin daemon. |
| services.neo4j.directories.home | Path of the Neo4j home directory |
| services.gocd-agent.environment | Additional environment variables to be passed to the Go |
| services.cron.systemCronJobs | A list of Cron jobs to be appended to the system-wide crontab |
| hardware.bumblebee.enable | Enable the bumblebee daemon to manage Optimus hybrid video cards |
| services.triggerhappy.enable | Whether to enable the triggerhappy hotkey daemon. |
| services.knot-resolver.settings.workers | The number of running kresd (Knot Resolver daemon) workers |
| services.tailscale.derper.verifyClients | Whether to check, against a locally running tailscale daemon, whether clients are allowed to connect to this node. |
| services.bacula-sd.device.<name>.mediaType | The specified name-string names the type of media supported by this device, for example, DLT7000 |
| services.xserver.displayManager.gdm.settings | Options passed to the gdm daemon |
| services.saunafs.chunkserver.enable | Whether to enable Saunafs chunkserver daemon. |
| services.cgit.<name>.gitHttpBackend.enable | Whether to bypass cgit and use git-http-backend for HTTP clones |
| services.neo4j.directories.data | Path of the data directory |
| services.gocd-server.environment | Additional environment variables to be passed to the gocd-server process |
| services.fastnetmon-advanced.enable | Whether to enable the fastnetmon-advanced DDoS Protection daemon. |
| services.usbguard.insertedDevicePolicy | How to treat USB devices that are already connected after the daemon starts |
| services.sourcehut.settings."todo.sr.ht::mail".sock-group | The lmtp daemon will make the unix socket group-read/write for users in this group. |
| services.transmission.home | The directory where Transmission will create .config/transmission-daemon/ as well as Downloads/ unless services.transmission.settings.download-dir is changed, and .incomplete/ unless services.transmission.settings.incomplete-dir is changed. |
| services.postfix.settings.master.<name>.command | A program name specifying a Postfix service/daemon process |
| services.moosefs.chunkserver.enable | Whether to enable MooseFS chunkserver daemon that stores file data. |
| services.icecream.scheduler.openFirewall | Whether to automatically open the daemon port in the firewall. |
| services.pantheon.parental-controls.enable | Whether to enable Pantheon parental controls daemon. |
| services.matrix-appservice-irc.needBindingCap | Whether the daemon needs to bind to ports below 1024 (e.g. for the ident service) |
| services.hardware.deepcool-digital-linux.enable | Whether to enable DeepCool Digital monitoring daemon. |
| services.localtimed.enable | Enable localtimed, a simple daemon for keeping the system timezone up-to-date based on the current location |
| services.usbguard.presentDevicePolicy | How to treat USB devices that are already connected when the daemon starts |
| services.hddfancontrol.enable | Whether to enable hddfancontrol daemon. |
| services.torrentstream.enable | Whether to enable TorrentStream daemon. |
| services.nullidentdmod.enable | Whether to enable the nullidentdmod identd daemon. |
| services.hardware.deepcool-digital-linux.extraArgs | Extra command line arguments to be passed to the deepcool-digital-linux daemon. |
| services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in PEM format |
| security.auditd.plugins.<name>.format | Binary passes the data exactly as the audit event dispatcher gets it from the audit daemon |
| services.jenkins.environment | Additional environment variables to be passed to the jenkins process |
| services.mjolnir.pantalaimon.options.logLevel | Set the log level of the daemon. |
| services.sourcehut.settings."lists.sr.ht::worker".sock-group | The lmtp daemon will make the unix socket group-read/write for users in this group. |
| hardware.nvidia.dynamicBoost.enable | Whether to enable Dynamic Boost, which balances power between the CPU and the GPU for improved performance on supported laptops using the nvidia-powerd daemon |
| services.neo4j.directories.imports | The root directory for file URLs used with the Cypher LOAD CSV clause |
| services.neo4j.ssl.policies.<name>.trustedDir | Path to directory of X.509 certificates in PEM format for trusted parties |
| services.neo4j.directories.plugins | Path of the database plugin directory |
| services.beesd.filesystems.<name>.extraOptions | Extra command-line options passed to the daemon |
| services.endlessh-go.prometheus.listenAddress | Interface address to bind the endlessh-go daemon to answer Prometheus queries. |
| services.nixseparatedebuginfod.nixPackage | The version of nix that nixseparatedebuginfod should use as client for the nix daemon |
| services.transmission.settings | Settings whose options overwrite fields in .config/transmission-daemon/settings.json (each time the service starts) |
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this policy |
| services.mpdscribble.passwordFile | File containing the password for the mpd daemon |
| services.gitea-actions-runner.instances.<name>.settings | Configuration for act_runner daemon |
| services.torrentstream.openFirewall | Open ports in the firewall for TorrentStream daemon. |
| services.evdevremapkeys.enable | Whether to enable evdevremapkeys, a daemon to remap events on linux input devices. |
| services.cyrus-imap.imapdSettings.notifysocket | Unix domain socket that the mail notification daemon listens on. |
| services.usbguard.presentControllerPolicy | How to treat USB controller devices that are already connected when the daemon starts |
| services.mjolnir.pantalaimon.options.listenPort | The port where the daemon will listen to client connections for this homeserver |
| programs.ssh.forwardX11 | Whether to request X11 forwarding on outgoing connections by default |
| security.auditd.settings.admin_space_left | This is a numeric value in mebibytes (MiB) that tells the audit daemon when to perform a configurable action because the system is running low on disk space |
| services.bacula-sd.device.<name>.archiveDevice | The specified name-string gives the system file name of the storage device managed by this storage daemon |
| services.mjolnir.pantalaimon.options.listenAddress | The address where the daemon will listen to client connections for this homeserver. |
| services.dbus.implementation | The implementation to use for the message bus defined by the D-Bus specification |
| networking.dhcpcd.persistent | Whether to leave interfaces configured on dhcpcd daemon shutdown |
| services.automatic-timezoned.enable | Enable automatic-timezoned, a simple daemon for keeping the system timezone up-to-date based on the current location |
| services.firewalld.settings.IndividualCalls | Whether to use individual -restore calls to apply changes to the firewall |
| services.tuned.settings.sleep_interval | Interval in which the TuneD daemon is woken up and checks for events (in seconds). |
| services.gotosocial.environmentFile | File path containing environment variables for configuring the GoToSocial service in the format of an EnvironmentFile as described by systemd.exec(5) |
| users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be added to the user's authorized keys |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with `users.users."<user>".extraGroups = [ netbird-‹name› ]`). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs. |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with `users.users."<user>".extraGroups = [ netbird-‹name› ]`). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: as of 2024-02-14, rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs. |
| users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the user's authorized keys |
| services.pantalaimon-headless.instances.<name>.logLevel | Set the log level of the daemon. |
| services.mpd.settings.bind_to_address | The address for the daemon to listen on |
| virtualisation.vswitch.enable | Whether to enable Open vSwitch |
| users.extraUsers.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be added to the user's authorized keys |
| virtualisation.xen.store.settings.pidFile | Path to the Xen Store Daemon PID file. |
| virtualisation.xen.store.settings | The OCaml-based Xen Store Daemon configuration |
| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the user's authorized keys |
| services.glusterfs.enableGlustereventsd | Whether to enable the GlusterFS Events Daemon |
| virtualisation.docker.extraOptions | The extra command-line options to pass to docker daemon. |
| virtualisation.docker.extraPackages | Extra packages to add to PATH for the docker daemon process. |
| services.pantalaimon-headless.instances.<name>.listenPort | The port where the daemon will listen to client connections for this homeserver |
| services.strongswan-swanctl.swanctl.authorities.<name>.file | Absolute path to the certificate to load |
| services.pantalaimon-headless.instances.<name>.listenAddress | The address where the daemon will listen to client connections for this homeserver. |
| networking.wireless.enableHardening | Whether to apply security hardening measures to wpa_supplicant |
| services.pipewire.wireplumber.extraConfig | Additional configuration for the WirePlumber daemon when run in single-instance mode (the default in nixpkgs and currently the only supported way to run WirePlumber configured via extraConfig) |
| services.strongswan-swanctl.swanctl.connections.<name>.encap | To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT detection payloads |