| services.fediwall.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.librenms.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.kanboard.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.agorakit.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.pixelfed.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.mainsail.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.maubot.settings.homeservers | Known homeservers
|
| services.thanos.query-frontend.arguments | Arguments to the thanos query-frontend command
|
| virtualisation.fileSystems.<name>.fsType | Type of the file system
|
| users.extraUsers.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| services.elasticsearch.extraCmdLineOptions | Extra command line options for the elasticsearch launcher.
|
| services.limesurvey.nginx.virtualHost.basicAuthFile | Basic Auth password file for a vhost
|
| systemd.services.<name>.enableStrictShellChecks | Enable running shellcheck on the generated scripts for this unit
|
| services.borgbackup.jobs.<name>.patterns | Include/exclude paths matching the given patterns
|
| networking.wg-quick.interfaces.<name>.privateKey | Base64 private key generated by wg genkey
|
| services.dovecot2.imapsieve.mailbox.*.from | Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox.*.name when the message originates from the indicated mailbox
|
| services.borgbackup.jobs.<name>.compression | Compression method to use
|
| services.radicle.httpd.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.rosenpass.settings.public_key | Path to a file containing the public key of the local Rosenpass peer
|
| services.rosenpass.settings.secret_key | Path to a file containing the secret key of the local Rosenpass peer
|
| services.znapzend.features.lowmemRecurse | Whether to enable use of lowmemRecurse on systems where you have too many datasets, so a
recursive listing of attributes to find backup plans exhausts the
memory available to znapzend: instead, go the slower
way to first list all impacted dataset names, and then query their
configs one by one.
|
| boot.loader.generationsDir.enable | Whether to create symlinks to the system generations under
/boot
|
| services.anuko-time-tracker.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.nginx.virtualHosts.<name>.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.dovecot2.imapsieve.mailbox.*.name | This setting configures the name of a mailbox for which administrator scripts are configured
|
| services.hostapd.radios | This option allows you to define APs for one or multiple physical radios
|
| services.thanos.downsample.arguments | Arguments to the thanos downsample command
|
| services.bookstack.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.cassandra.incrementalRepairOptions | Options passed through to the incremental repair command.
|
| services.znapzend.features.zfsGetType | Whether to enable using zfsGetType if your zfs get supports a
-t argument for filtering by dataset type at all AND
lists properties for snapshots by default when recursing, so that there
is too much data to process while searching for backup plans
|
| services.waagent.settings.ResourceDisk.MountOptions | This option specifies disk mount options to be passed to the mount -o command
|
| services.borgbackup.jobs.<name>.createCommand | Borg command to use for archive creation
|
| systemd.user.services.<name>.enableStrictShellChecks | Enable running shellcheck on the generated scripts for this unit
|
| programs.starship.transientPrompt.enable | Whether to enable Starship's transient prompt
feature in fish shells
|
| programs.captive-browser.browser | The shell (/bin/sh) command executed once the proxy starts
|
| virtualisation.libvirtd.extraOptions | Extra command line arguments passed to libvirtd on startup.
|
| services.sourcehut.settings.mail.pgp-privkey | An absolute file path (which should be outside the Nix-store)
to an OpenPGP private key
|
| boot.loader.generic-extlinux-compatible.populateCmd | Contains the builder command used to populate an image,
honoring all options except the -c <path-to-default-configuration>
argument
|
| services.elasticsearch-curator.actionYAML | curator action.yaml file contents, alternatively use curator-cli which takes a simple action command
|
| services.kubernetes.controllerManager.extraOpts | Kubernetes controller manager extra command line options.
|
| services.autossh.sessions.*.extraArguments | Arguments to be passed to AutoSSH and retransmitted to SSH
process
|
| services.jirafeau.nginxConfig.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| virtualisation.qemu.consoles | The output console devices to pass to the kernel command line via the
console parameter, the primary console is the last
item of this list
|
| services.mail.sendmailSetuidWrapper.permissions | The permissions of the wrapper program
|
| virtualisation.fileSystems.<name>.autoFormat | If the device does not currently contain a filesystem (as
determined by blkid), then automatically
format it with the filesystem type specified in
fsType
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| services.victoriatraces.extraOptions | Extra options to pass to VictoriaTraces
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.borgbackup.jobs.<name>.encryption.passCommand | A command which prints the passphrase to stdout
|
| services.misskey.reverseProxy.webserver.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.borgbackup.repos.<name>.authorizedKeys | Public SSH keys that are given full write access to this repository
|
| networking.wireguard.interfaces.<name>.privateKeyFile | Private key file as generated by wg genkey.
|
| networking.wg-quick.interfaces.<name>.generatePrivateKeyFile | Automatically generate a private key with
wg genkey, at the privateKeyFile location.
|
| services.easytier.instances.<name>.environmentFiles | Environment files for this instance
|
| services.i2pd.precomputation.elgamal | Whether to use precomputed tables for ElGamal.
i2pd defaults to false
to save 64M of memory (and loses some performance)
|
| services.xserver.displayManager.session | List of sessions supported with the command used to start each
session
|
| virtualisation.docker.rootless.enable | This option enables docker in a rootless mode, a daemon that manages
linux containers
|
| services.suricata.settings.outputs | Configure the type of alert (and other) logging you would like
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.alerta.authenticationRequired | Whether users must authenticate when using the web UI or command-line tool
|
| services.tarsnap.keyfile | The keyfile which associates this machine with your tarsnap
account
|
| services.dendrite.settings.global.private_key | The path to the signing private key file, used to sign
requests and events.
nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem"
|
| services.fedimintd.<name>.nginx.config.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| networking.wireguard.interfaces.<name>.privateKey | Base64 private key generated by wg genkey
|
| services.paretosecurity.users.<name>.inviteId | A unique ID that links the agent to Pareto Cloud
|
| services.sourcehut.settings.webhooks.private-key | An absolute file path (which should be outside the Nix-store)
to a base64-encoded Ed25519 key for signing webhook payloads
|
| services.prometheus.alertmanagerIrcRelay.extraFlags | Extra command line options to pass to alertmanager-irc-relay.
|
| services.victoriametrics.extraOptions | Extra options to pass to VictoriaMetrics
|
| services.cassandra.incrementalRepairInterval | Set the interval how often incremental repairs are run, i.e.
nodetool repair is executed
|
| services.hddfancontrol.settings.<drive-bay-name>.disks | Drive(s) to get temperature from
Can also use command substitution to automatically grab all matching drives; such as all scsi (sas) drives
|
| systemd.enableStrictShellChecks | Whether to run shellcheck on the generated scripts for systemd
units
|
| services.gitlab-runner.services.<name>.registrationFlags | Extra command-line flags passed to
gitlab-runner register
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs
|
| services.hadoop.yarn.resourcemanager.extraFlags | Extra command line flags to pass to the service
|
| services.prometheus.exporters.chrony.chronyServerAddress | ChronyServerAddress of the chrony server side command port. (Not enabled by default.)
Defaults to the local unix socket.
|
| services.icingaweb2.modules.monitoring.transports | Command transports to define
|
| boot.binfmt.registrations.<name>.wrapInterpreterInShell | Whether to wrap the interpreter in a shell script
|
| services.taler.exchange.denominationConfig | This option configures the cash denomination for the coins that the exchange offers
|
| services.yggdrasil.settings | Configuration for yggdrasil, as a structured Nix attribute set
|
| services.nextcloud.config.objectstore.s3.sseCKeyFile | If provided this is the full path to a file that contains the key
to enable server-side encryption with customer-provided keys
(SSE-C)
|
| virtualisation.docker.rootless.setSocketVariable | Point DOCKER_HOST to rootless Docker instance for
normal users by default.
|
| services.hddfancontrol.settings.<drive-bay-name>.pwmPaths | PWM filepath(s) to control fan speed (under /sys), followed by initial and fan-stop PWM values
Can also use command substitution to ensure the correct hwmonX is selected on every boot
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.limesurvey.nginx.virtualHost.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.autosuspend.settings.wakeup_cmd | The command to execute for scheduling a wake up of the system
|
| networking.wireguard.interfaces.<name>.generatePrivateKeyFile | Automatically generate a private key with
wg genkey, at the privateKeyFile location.
|
| services.angrr.settings.temporary-root-policies.<name>.filter.arguments | Extra command-line arguments passed to the external filter program.
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.prometheus.alertmanagerWebhookLogger.extraFlags | Extra command line options to pass to alertmanager-webhook-logger.
|
| virtualisation.qemu.networkingOptions | Networking-related command-line options that should be passed to qemu
|
| services.anubis.instances.<name>.settings.METRICS_BIND | The address Anubis' metrics server listens to
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.auto-epp.settings.Settings.epp_state_for_AC | energy_performance_preference when plugged in
See available epp states by running:
cat /sys/devices/system/cpu/cpu0/cpufreq/energy_performance_available_preferences
|
| services.auto-epp.settings.Settings.epp_state_for_BAT | energy_performance_preference when on battery
See available epp states by running:
cat /sys/devices/system/cpu/cpu0/cpufreq/energy_performance_available_preferences
|
| networking.openconnect.interfaces.<name>.extraOptions | Extra config to be appended to the interface config
|
| services.xserver.desktopManager.xfce.waylandSessionCompositor | Command line to run a Wayland compositor, defaults to labwc --startup
if not specified
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.bacula-sd.autochanger.<name>.changerDevice | The specified name-string must be the generic SCSI device name of the
autochanger that corresponds to the normal read/write Archive Device
specified in the Device resource
|