| system.stateVersion | This option defines the first version of NixOS you have installed on this particular machine,
and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions
|
| services.earlyoom.enableNotifications | Send notifications about killed processes via the system d-bus
|
| services.firezone.server.smtp.configureManually | Outbound email configuration is mandatory for Firezone and supports
many different delivery adapters
|
| services.bitwarden-directory-connector-cli.sync.emailPrefixAttribute | The attribute that contains the users username.
|
| security.pam.services.<name>.googleOsLoginAuthentication | If set, will use the pam_oslogin_login's user
authentication methods to authenticate users using 2FA
|
| security.pam.services.<name>.googleOsLoginAccountVerification | If set, will use the Google OS Login PAM modules
(pam_oslogin_login,
pam_oslogin_admin) to verify possible OS Login
users and set sudoers configuration accordingly
|
| services.warpgate.settings.config_provider | Source of truth of users
|
| services.sourcehut.settings."meta.sr.ht::settings".onboarding-redirect | Where to redirect new users upon registration.
|
| services.bitwarden-directory-connector-cli.sync.overwriteExisting | Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.
|
| services.vaultwarden.environmentFile | Additional environment file or files as defined in systemd.exec(5)
|
| virtualisation.lxc.unprivilegedContainers | Whether to enable support for unprivileged users to launch containers.
|
| services.vaultwarden.config | The configuration of vaultwarden is done through environment variables,
therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER)
|
| services.smartd.notifications.systembus-notify.enable | Whenever to send systembus-notify notifications
|
| services.healthchecks.settings.REGISTRATION_OPEN | A boolean that controls whether site visitors can create new accounts
|
| services.bacula-sd.autochanger.<name>.changerCommand | The name-string specifies an external program to be called that will
automatically change volumes as required by Bacula
|
| services.transmission.downloadDirPermissions | If not null, is used as the permissions
set by system.activationScripts.transmission-daemon
on the directories services.transmission.settings.download-dir,
services.transmission.settings.incomplete-dir.
and services.transmission.settings.watch-dir
|
| services.nextcloud.settings.skeletondirectory | The directory where the skeleton files are located
|
| services.grafana.provision.datasources.settings.datasources.*.editable | Allow users to edit datasources from the UI.
|
| services.matrix-conduit.settings.global.allow_registration | Whether new users can register on this server.
|
| services.matrix-synapse.settings.enable_registration | Enable registration for new users.
|
| services.authelia.instances.<name>.settings.default_2fa_method | Default 2FA method for new users and fallback for preferred but disabled methods.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions | The read permissions to include for this token
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The read permissions to include for this token
|
| services.biboumi.settings.realname_customization | Whether the users will be able to use
the ad-hoc commands that lets them configure
their realname and username.
|
| services.pgbouncer.settings.pgbouncer.max_user_connections | Do not allow more than this many server connections per user (regardless of database)
|
| programs.zsh.enable | Whether to configure zsh as an interactive shell
|
| services.memos.group | The group to run Memos as.
If changing the default value, you are responsible of creating the corresponding group with users.groups.
|
| services.memos.user | The user to run Memos as.
If changing the default value, you are responsible of creating the corresponding user with users.users.
|
| programs.gphoto2.enable | Whether to configure system to use gphoto2
|
| programs.bash.enable | Whenever to configure Bash as an interactive shell
|
| programs.rust-motd.enableMotdInSSHD | Whether to let openssh print the
result when entering a new ssh-session
|
| services.reaction.runAsRoot | Whether to run reaction as root
|
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| services.pdfding.enable | Whether to enable PdfDing service
|
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file
|
| services.gvfs.enable | Whether to enable GVfs, a userspace virtual filesystem.
|
| services.iptsd.enable | Whether to enable the userspace daemon for Intel Precise Touch & Stylus.
|
| services.ulogd.enable | Whether to enable ulogd, a userspace logging daemon for netfilter/iptables related logging.
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| security.tpm2.abrmd.enable | Whether to enable Trusted Platform 2 userspace resource manager daemon
.
|
| services.scx.enable | Whether to enable SCX service, a daemon to run schedulers from userspace.
This service requires a kernel with the Sched-ext feature
|
| networking.ucarp.enable | Whether to enable ucarp, userspace implementation of CARP.
|
| hardware.openrazer.enable | Whether to enable OpenRazer drivers and userspace daemon
.
|
| services.kmscon.enable | Whether to enable kmscon as the virtual console instead of gettys.
kmscon is a kms/dri-based userspace virtual terminal implementation
|
| services.tee-supplicant.enable | Whether to enable OP-TEE userspace supplicant.
|
| services.hardware.bolt.enable | Whether to enable Bolt, a userspace daemon to enable
security levels for Thunderbolt 3 on GNU/Linux
|
| services.esdm.enableLinuxCompatServices | Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper.
|
| services.tailscale.interfaceName | The interface name for tunnel traffic
|
| programs.ryzen-monitor-ng.enable | Whether to enable ryzen_monitor_ng, a userspace application for setting and getting Ryzen SMU (System Management Unit) parameters via the ryzen_smu kernel driver
|
| programs.nix-required-mounts.presets.nvidia-gpu.enable | Whether to enable Declare the support for derivations that require an Nvidia GPU to be
available, e.g. derivations with requiredSystemFeatures = [ "cuda" ]
|
| virtualisation.qemu.networkingOptions | Networking-related command-line options that should be passed to qemu
|
| services.suricata.settings.dpdk | Data Plane Development Kit is a framework for fast packet processing in data plane applications running on a wide variety of CPU architectures
|
| networking.wireguard.interfaces.<name>.peers.*.endpoint | Endpoint IP or hostname of the peer, followed by a colon,
and then a port number of the peer
|