| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled
allowing all users in the "pipewire" group to use it simultaneously
|
| security.polkit.adminIdentities | Specifies which users are considered “administrators”, for those
actions that require the user to authenticate as an
administrator (i.e. have an auth_admin
value)
|
| services.displayManager.lemurs.enable | Whether to enable lemurs, a customizable TUI display/login manager.
For Wayland compositors, your user must be in the "seat" group.
|
| virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
|
| services.firezone.gui-client.allowedUsers | All listed users will become part of the firezone-client group so
they can control the tunnel service
|
| services.nebula-lighthouse-service.user | The user and group to run nebula-lighthouse-service as.
|
| services.authelia.instances.<name>.name | Name is used as a suffix for the service name, user, and group
|
| services.multipath.devices.*.failback | Tell multipathd how to manage path group failback
|
| services.glusterfs.killMode | The systemd KillMode to use for glusterd.
glusterd spawns other daemons like gsyncd
|
| services.nominatim.database.superUser | Postgresql database superuser used to create Nominatim database and
import data
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| programs.firefox.policies | Group policies to install
|
| services.dnsdist.dnscrypt.providerKey | The filepath to the provider secret key
|
| services.lifecycled.cloudwatchGroup | Write logs to a specific Cloudwatch Logs group.
|
| programs.thunderbird.policies | Group policies to install
|
| services.roundcube.database.username | Username for the postgresql connection
|
| services.aria2.downloadDirPermission | The permission for settings.dir
|
| services.openssh.authorizedKeysCommand | Specifies a program to be used to look up the user's public
keys
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.groups | A list of groups for which targets are retrieved, only supported when targeting the container role
|
| services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system
|
| services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on
|
| services.multipath.devices.*.rr_min_io | Number of I/O requests to route to a path before switching to the next in the
same path group
|
| services.varnish.listen.*.address | If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad
("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").
(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@"
followed by the name of an abstract socket ("@myvarnishd") accept connections
on a Unix domain socket
|
| security.pam.services.<name>.allowNullPassword | Whether to allow logging into accounts that have no password
set (i.e., have an empty password field in
/etc/passwd or
/etc/group)
|
| services.transmission.enable | Whether to enable the headless Transmission BitTorrent daemon
|
| virtualisation.docker.enable | This option enables docker, a daemon that manages
linux containers
|
| virtualisation.lxd.enable | This option enables lxd, a daemon that manages
containers
|
| virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) VGPU support
|
| services.matrix-continuwuity.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| services.anuko-time-tracker.settings.defaultLanguage | Defines Anuko Time Tracker default language
|
| services.journald.upload.settings.Upload.ServerKeyFile | SSL key in PEM format
|
| services.postfixadmin.database.username | Username for the postgresql connection
|
| networking.wireless.userControlled | Allow users of the wpa_supplicant group to control wpa_supplicant
through wpa_gui or wpa_cli
|
| virtualisation.libvirtd.enable | This option enables libvirtd, a daemon that manages
virtual machines
|
| services.archisteamfarm.ipcPasswordFile | Path to a file containing the password
|
| services.multipath.devices.*.rr_min_io_rq | Number of I/O requests to route to a path before switching to the next in the
same path group
|
| services.firezone.server.provision.accounts.<name>.relayGroups | All relay groups to provision
|
| services.firezone.server.provision.accounts.<name>.relayGroups.<name>.name | The name of this relay group
|
| virtualisation.virtualbox.host.enable | Whether to enable VirtualBox.
In order to pass USB devices from the host to the guests, the user
needs to be in the vboxusers group.
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups | All gateway groups (sites) to provision
|
| services.bitwarden-directory-connector-cli.sync.removeDisabled | Remove users from bitwarden groups if no longer in the ldap group.
|
| services.keepalived.vrrpInstances.<name>.unicastPeers | Do not send VRRP adverts over VRRP multicast group
|
| services.netbird.clients | Attribute set of NetBird client daemons, by default each one will:
- be manageable using dedicated tooling:
netbird-<name> script,NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),
- run as a
netbird-<name>.service,
- listen for incoming remote connections on the port
51820 (openFirewall by default),
- manage the
netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (
hardened) be locally manageable by netbird-<name> system group,
With following caveats:
- multiple daemons will interfere with each other's DNS resolution of
netbird.cloud, but
should remain fully operational otherwise
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups.<name>.name | The name of this gateway group
|
| services.archisteamfarm.bots.<name>.passwordFile | Path to a file containing the password
|
| services.kanidm.unixSettings.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| services.bitwarden-directory-connector-cli.sync.memberAttribute | Attribute that lists members in a LDAP group.
|
| services.kanidm.unix.settings.kanidm.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| services.librenms.distributedPoller.distributedBilling | Enable distributed billing on this poller
|
| services.prometheus.scrapeConfigs.*.static_configs.*.targets | The targets specified by the target group.
|
| services.transmission.downloadDirPermissions | If not null, is used as the permissions
set by system.activationScripts.transmission-daemon
on the directories services.transmission.settings.download-dir,
services.transmission.settings.incomplete-dir.
and services.transmission.settings.watch-dir
|
| services.matrix-tuwunel.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.separator | The string by which Uyuni group names are joined into the groups label
Defaults to , in prometheus
when set to null.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_time | Time to schedule CHILD_SA rekeying
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_bytes | Number of bytes processed before initiating CHILD_SA rekeying
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_packets | Number of packets processed before initiating CHILD_SA rekeying
|
| services.sogo.enable | Whether to enable SOGo groupware.
|
| systemd.sysusers.enable | If enabled, users are created with systemd-sysusers instead of with
the custom update-users-groups.pl script
|
| services.usbguard.IPCAllowedGroups | A list of groupnames that the daemon will accept IPC connections
from.
|
| security.pam.loginLimits.*.domain | Username, groupname, or wildcard this limit applies to
|
| security.pam.services.<name>.limits.*.domain | Username, groupname, or wildcard this limit applies to
|
| services.nsd.ratelimit.ipv4PrefixLength | IPv4 prefix length
|
| services.nsd.ratelimit.ipv6PrefixLength | IPv6 prefix length
|
| virtualisation.oci-containers.containers.<name>.user | Override the username or UID (and optionally groupname or GID) used
in the container.
|
| services.netbird.server.management.singleAccountModeDomain | Enables single account mode
|
| users.users.<name>.extraGroups | The user's auxiliary groups.
|
| users.extraUsers.<name>.extraGroups | The user's auxiliary groups.
|
| services.mympd.extraGroups | Additional groups for the systemd service.
|
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting
|
| services.pghero.extraGroups | Additional groups for the systemd service.
|
| services.tomcat.extraGroups | Defines extra groups to which the tomcat user belongs.
|
| services.gocd-agent.extraGroups | List of extra groups that the "gocd-agent" user should be a part of.
|
| services.postgresql.systemCallFilter | Configures the syscall filter for postgresql.service
|
| services.polaris.extraGroups | Polaris' auxiliary groups.
|
| services.code-server.extraGroups | An array of additional groups for the code-server user.
|
| services.jenkins.extraGroups | List of extra groups that the "jenkins" user should be a part of.
|
| services.gocd-server.extraGroups | List of extra groups that the "gocd-server" user should be a part of.
|
| services.nagios.objectDefs | A list of Nagios object configuration files that must define
the hosts, host groups, services and contacts for the
network that you want Nagios to monitor.
|
| users.enforceIdUniqueness | Whether to require that no two users/groups share the same uid/gid.
|
| services.multipath.pathGroups | This option allows you to define multipath groups as described
in http://christophe.varoqui.free.fr/usage.html.
|
| services.logcheck.extraGroups | Extra groups for the logcheck user, for example to be able to use sendmail,
or to access certain log files.
|
| services.multipath.devices | This option allows you to define arrays for use in multipath
groups.
|
| nix.settings.allowed-users | A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon
|
| services.portunus.seedSettings | Seed settings for users and groups
|
| services.buildbot-master.extraGroups | List of extra groups that the buildbot user should be a part of.
|
| services.buildbot-worker.extraGroups | List of extra groups that the Buildbot Worker user should be a part of.
|
| services.centrifugo.extraGroups | Additional groups for the systemd service.
|
| security.pam.loginLimits | Define resource limits that should apply to users or groups
|
| services.collabora-online.aliasGroups | Alias groups to use.
|
| services.kanidm.provision.enable | Whether to enable provisioning of groups, users and oauth2 resource servers.
|
| services.synapse-auto-compressor.settings.chunk_size | The number of state groups to work on at once
|
| services.buildkite-agents.<name>.extraGroups | Groups the user for this buildkite agent should belong to
|
| services.snapper.configs.<name>.ALLOW_GROUPS | List of groups allowed to operate with the config
|
| services.pufferpanel.extraGroups | Additional groups for the systemd service.
|
| services.openssh.settings.AllowGroups | If specified, login is allowed only for users part of the
listed groups
|
| services.openssh.settings.DenyGroups | If specified, login is denied for all users part of the listed
groups
|
| services.openvscode-server.extraGroups | An array of additional groups for the openvscode-server user.
|
| services.kanidm.provision.extraJsonFile | A JSON file for provisioning persons, groups & systems
|