| services.broadcast-box.web.host | Host address the HTTP server listens on
|
| services.galene.insecure | Whether Galene should listen in http or in https
|
| services.pixelfed.user | User account under which pixelfed runs.
If left as the default value this user will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the pixelfed application starts.
|
| services.nginx.mapHashBucketSize | Sets the bucket size for the map variables hash tables
|
| services.syncthing.user | The user to run Syncthing as
|
| services.snowflake-proxy.relay | websocket relay URL (default "wss://snowflake.bamsoftware.com/")
|
| services.xinetd.extraDefaults | Additional configuration lines added to the default section of xinetd's configuration.
|
| services.varnish.listen.*.proto | PROTO can be 'HTTP' (the default) or 'PROXY'
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowCN | Allow client if common name appears in the list.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowOU | Allow client if organizational unit name appears in the list.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowAll | If true, allow all clients, do not check client cert subject.
|
| security.acme.defaults.email | Email address for account creation and correspondence from the CA
|
| services.keyd.keyboards | Configuration for one or more device IDs
|
| programs.ssh.knownHosts | The set of system-wide known SSH hosts
|
| services.kresd.enable | Whether to enable knot-resolver (version 5) domain name server
|
| security.acme.defaults.postRun | Commands to run after new certificates go live
|
| services.stunnel.clients | Define the client configurations
|
| services.traefik.dataDir | Location for any persistent data Traefik creates, such as the ACME certificate store.
If left as the default value, this directory will automatically be created
before the Traefik server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions.
|
| services.opensearch.user | The user OpenSearch runs as
|
| services.ntp.restrictSource | The restriction flags to be set on source
|
| services.lighttpd.configText | Overridable config file contents to use for lighttpd
|
| systemd.nspawn.<name>.enable | If set to false, this unit will be a symlink to /dev/null
|
| systemd.timers.<name>.enable | If set to false, this unit will be a symlink to /dev/null
|
| systemd.slices.<name>.enable | If set to false, this unit will be a symlink to /dev/null
|
| services.libinput.touchpad.accelProfile | Sets the pointer acceleration profile to the given profile
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowDNS | Allow client if DNS subject alternative name appears in the list.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.target | Address to forward connections to (can be HOST:PORT or unix:PATH).
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.listen | Address and port to listen on (can be HOST:PORT, unix:PATH).
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowURI | Allow client if URI subject alternative name appears in the list.
|
| services.xserver.displayManager.lightdm.greeters.mini.enable | Whether to enable lightdm-mini-greeter as the lightdm greeter
|
| services.xserver.displayManager.lightdm.greeters.tiny.enable | Whether to enable lightdm-tiny-greeter as the lightdm greeter
|
| services.bacula-dir.port | Specify the port (a positive integer) on which the Director daemon
will listen for Bacula Console connections
|
| services.gitea.dump.interval | Run a gitea dump at this interval
|
| services.cassandra.jmxPort | Specifies the default port over which Cassandra will be available for
JMX connections
|
| services.hledger-web.stateDir | Path the service has access to
|
| boot.initrd.luks.devices.<name>.yubikey | The options to use for this LUKS device in YubiKey-PBA
|
| services.mediawiki.skins | Attribute set of paths whose content is copied to the skins
subdirectory of the MediaWiki installation in addition to the default skins.
|
| services.smokeping.imgUrl | Base url for images generated in the cgi
|
| systemd.sysupdate.timerConfig | The timer configuration for performing the update
|
| system.activatable | Whether to add the activation script to the system profile
|
| services.fedimintd.<name>.nginx.config.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.matrix-synapse.log | Default configuration for the loggers used by matrix-synapse and its workers
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.package | Package to use for ghostunnel
|
| virtualisation.docker.storageDriver | This option determines which Docker storage driver to use
|
| services.sourcehut.hg.group | Group for hg.sr.ht
|
| services.dolibarr.group | Group account under which dolibarr runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the dolibarr application starts.
|
| services.ananicy.rulesProvider | Which package to copy default rules,types,cgroups from.
|
| boot.loader.systemd-boot.editor | Whether to allow editing the kernel command-line before boot
|
| security.acme.defaults.profile | The certificate profile to choose if the CA offers multiple profiles.
|
| programs.rust-motd.enableMotdInSSHD | Whether to let openssh print the result when entering a new ssh-session
|
| services.bitlbee.extraDefaults | Will be inserted in the Default section of the config file.
|
| networking.bonds.<name>.mode | DEPRECATED, use driverOptions
|
| services.collectd.extraConfig | Extra configuration for collectd
|
| networking.fqdn | The fully qualified domain name (FQDN) of this host
|
| services.trickster.origin-url | URL to the Origin
|
| services.nginx.resolver.ipv4 | By default, nginx will look up both IPv4 and IPv6 addresses while resolving
|
| services.oauth2-proxy.redeemURL | Token redemption endpoint
|
| services.pixelfed.group | Group account under which pixelfed runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the pixelfed application starts.
|
| services.nylon.<name>.bindInterface | Tell nylon which interface to use as an uplink, default is "enp3s0f0".
|
| services.snowflake-proxy.broker | Broker URL (default "https://snowflake-broker.torproject.net/")
|
| services.multipath.extraConfig | Lines to append to default multipath.conf
|
| services.openiscsi.extraConfig | Lines to append to default iscsid.conf
|
| services.resilio.downloadLimit | Download speed limit. 0 is unlimited (default).
|
| services.nginx.resolver.ipv6 | By default, nginx will look up both IPv4 and IPv6 addresses while resolving
|
| services.nginx.resolver.valid | By default, nginx caches answers using the TTL value of a response
|
| services.logcheck.timeOfDay | Time of day to run logcheck
|
| systemd.user.paths.<name>.enable | If set to false, this unit will be a symlink to /dev/null
|
| systemd.user.units.<name>.enable | If set to false, this unit will be a symlink to /dev/null
|
| services.powerdns-admin.saltFile | The salt used for serialization
|
| services.anubis.defaultOptions.settings.OG_PASSTHROUGH | Whether to enable Open Graph tag passthrough
|
| services.netbird.clients | Attribute set of NetBird client daemons, by default each one will:
- be manageable using dedicated tooling:
  - netbird-<name> script,
  - NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),
- run as a netbird-<name>.service,
- listen for incoming remote connections on the port 51820 (openFirewall by default),
- manage the netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (hardened) be locally manageable by netbird-<name> system group,
With following caveats:
- multiple daemons will interfere with each other's DNS resolution of netbird.cloud, but should remain fully operational otherwise
|
| services.sourcehut.man.group | Group for man.sr.ht
|
| services.sourcehut.git.group | Group for git.sr.ht
|
| services.sourcehut.hub.group | Group for hub.sr.ht
|
| services.diod.exportopts | Establish a default set of export options
|
| services.kanboard.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.librenms.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.dolibarr.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.goeland.stateDir | The data directory for goeland where the database will reside if using the unseen filter
|
| services._3proxy.services.*.bindPort | Override default port used for service.
|
| services.kanboard.settings | Customize the default settings, refer to https://github.com/kanboard/kanboard/blob/main/config.default.php
for details on supported values.
|
| security.acme.defaults.extraLegoFlags | Additional global flags to pass to all lego commands.
|
| boot.initrd.includeDefaultModules | This option, if set, adds a collection of default kernel modules
to boot.initrd.availableKernelModules and
boot.initrd.kernelModules.
|
| services.devpi-server.openFirewall | Whether to enable opening the default ports in the firewall for Devpi Server.
|
| services.agorakit.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| boot.loader.grub.users | User accounts for GRUB
|
| services.beszel.agent.openFirewall | Whether to open the firewall port (default 45876).
|
| services.airsonic.contextPath | The context path, i.e., the last part of the Airsonic URL
|
| services.fediwall.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.oncall.settings | Extra configuration options to append or override
|
| services.subsonic.contextPath | The context path, i.e., the last part of the Subsonic URL
|
| services.opensearch.group | The group OpenSearch runs as
|
| services.mailman.webHosts | The list of hostnames and/or IP addresses from which the Mailman Web
UI will accept requests
|
| services.mainsail.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.pixelfed.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.thanos.rule.eval-interval | The default evaluation interval to use
|
| services.vwifi.module.macPrefix | The prefix for MAC addresses to use, without the trailing ':'
|
| services.vsftpd.userlistDeny | Specifies whether userlistFile is a list of user
names to allow or deny access
|
| services.nipap.settings.auth.default_backend | Name of auth backend to use by default.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.cacert | Path to CA bundle file (PEM/X509)
|