| networking.firewall.interfaces.<name>.allowedUDPPorts | List of open UDP ports.
|
| services.mailman.enablePostfix | Enable Postfix integration
|
| networking.bridges | This option allows you to define Ethernet bridge devices
that connect physical networks together
|
| containers.<name>.specialArgs | A set of special arguments to be passed to NixOS modules
|
| services.mjpg-streamer.group | mjpg-streamer group name.
|
| services.varnish.listen.*.user | Name of the user who owns the socket file.
|
| services.mattermost.environmentFile | Environment file (see systemd.exec(5)
"EnvironmentFile=" section for the syntax) which sets config options
for mattermost (see the Mattermost documentation)
|
| services.davis.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.slskd.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.movim.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.misskey.reverseProxy.webserver.nginx.serverName | Name of this virtual host
|
| services.olivetin.extraConfigFiles | Config files to merge into the settings defined in services.olivetin.settings
|
| services.buffyboard.settings.quirks.ignore_unused_terminals | If true, buffyboard won't automatically update the layout of a new terminal and
draw the keyboard, if the terminal is not opened by any process
|
| services.gitlab.registry.host | GitLab container registry host name.
|
| networking.firewall.interfaces.<name>.allowedTCPPorts | List of TCP ports on which incoming connections are
accepted.
|
| networking.wireguard.interfaces.<name>.mtu | Set the maximum transmission unit in bytes for the wireguard
interface
|
| services.prometheus.scrapeConfigs.*.tls_config.server_name | ServerName extension to indicate the name of the server.
http://tools.ietf.org/html/rfc4366#section-3.1
|
| networking.openconnect.interfaces.<name>.user | Username to authenticate with.
|
| networking.supplicant.<name>.userControlled.group | Members of this group can control wpa_supplicant.
|
| services.gitlab-runner.configFile | Configuration file for gitlab-runner.
configFile takes precedence over services.
checkInterval and concurrent will be ignored too
|
| services.pgpkeyserver-lite.hostname | Hostname to set for the vHost that proxies to sks.
|
| security.dhparams.params | Diffie-Hellman parameters to generate
|
| services.openafsClient.cellName | Cell name.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.type | The type of the listener, usually http.
|
| services.bird-lg.frontend.domain | Server name domain suffixes.
|
| services.baikal.virtualHost | Name of the nginx virtualhost to use and set up
|
| networking.wireguard.interfaces.<name>.peers.*.endpoint | Endpoint IP or hostname of the peer, followed by a colon,
and then a port number of the peer
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.port | The port to listen for HTTP(S) requests on.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.mode | File permissions on the UNIX domain socket.
|
| services.shellhub-agent.preferredHostname | Set the device preferred hostname
|
| networking.interfaces.<name>.ipv4.routes | List of extra IPv4 static routes that will be assigned to the interface.
If the route type is the default unicast, then the scope
is set differently depending on the value of networking.useNetworkd:
the script-based backend sets it to link, while networkd sets
it to global.
If you want consistency between the two implementations,
set the scope of the route manually with
networking.interfaces.eth0.ipv4.routes = [{ options.scope = "global"; }]
for example.
|
| services.grafana.settings.analytics.check_for_plugin_updates | When set to false, disables checking for new versions of installed plugins from https://grafana.com
|
| services.snipe-it.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.strongswan-swanctl.swanctl.connections.<name>.over_time | Hard IKE_SA lifetime if rekey/reauth does not complete, as time
|
| networking.ipips.<name>.encapsulation.limit | For an IPv6-based tunnel, the maximum number of nested
encapsulations to allow. 0 means no nesting, "none" unlimited.
|
| services.kresd.enable | Whether to enable knot-resolver (version 5) domain name server
|
| services.prometheus.exporters.sql.configuration.jobs.<name>.connections | A list of connection strings of the SQL servers to scrape metrics from
|
| services.strongswan-swanctl.swanctl.connections.<name>.aggressive | Enables Aggressive Mode instead of Main Mode with Identity
Protection
|
| networking.wireguard.interfaces.<name>.peers.*.publicKey | The base64 public key of the peer.
|
| services.echoip.virtualHost | Name of the nginx virtual host to use and set up
|
| services.powerdns.enable | Whether to enable PowerDNS domain name server.
|
| services.peertube-runner.instancesToRegister.<name>.registrationTokenFile | Path to a file containing a registration token for the PeerTube instance
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.tls | Whether to enable TLS on the listener socket.
This option will be ignored for UNIX domain sockets.
|
| services.matrix-synapse.settings.url_preview_url_blacklist | Optional list of URL matches that the URL preview spider is
denied from accessing.
|
| networking.wireguard.interfaces.<name>.fwMark | Mark all wireguard packets originating from
this interface with the given firewall mark
|
| services.pfix-srsd.configurePostfix | Whether to configure the required settings to use pfix-srsd in the local Postfix instance.
|
| networking.wg-quick.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| services.cachix-agent.profile | Profile name, defaults to 'system' (NixOS).
|
| services.weblate.localDomain | The domain name serving your Weblate instance.
|
| networking.interfaces.<name>.ipv6.routes.*.prefixLength | Subnet mask of the network, specified as the number of
bits in the prefix (64).
|
| networking.interfaces.<name>.ipv4.routes.*.prefixLength | Subnet mask of the network, specified as the number of
bits in the prefix (24).
|
| services.openldap.mutableConfig | Whether to allow writable on-line configuration
|
| services.mqtt2influxdb.mqtt.username | Username used to connect to the MQTT server.
|
| networking.vswitches.<name>.controllers | Specify the controller targets
|
| services.dovecot2.group | Dovecot group name.
|
| services.samba.nsswins | Whether to enable WINS NSS (Name Service Switch) plug-in
|
| services.strongswan-swanctl.swanctl.connections.<name>.unique | Connection uniqueness policy to enforce
|
| networking.interfaces.<name>.proxyARP | Turn on proxy_arp for this device
|
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user
|
| services.bookstack.mail.fromName | Mail "from" name.
|
| virtualisation.fileSystems.<name>.stratis.poolUuid | UUID of the stratis pool that the fs is located in.
This is only relevant if you are using stratis.
|
| containers.<name>.macvlans | The list of host interfaces from which macvlans will be
created
|
| services.oidentd.enable | Whether to enable ‘oidentd’, an implementation of the Ident
protocol (RFC 1413)
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote_port | Remote UDP port for IKE communication
|
| networking.wireguard.interfaces.<name>.table | The kernel routing table to add this interface's
associated routes to
|
| users.mysql.pam.updateTable | The name of the table used for password alteration
|
| fileSystems.<name>.depends | List of paths that should be mounted before this one
|
| fileSystems.<name>.options | Options used to mount the file system
|
| networking.wireguard.interfaces.<name>.preShutdown | Commands called before shutting down the interface.
|
| virtualisation.fileSystems.<name>.label | Label of the device
|
| networking.wireguard.interfaces.<name>.privateKeyFile | Private key file as generated by wg genkey.
|
| networking.sits.<name>.encapsulation.sourcePort | Source port when using UDP encapsulation
|
| services.strongswan-swanctl.swanctl.connections.<name>.local_port | Local UDP port for IKE communication
|
| services.jitsi-meet.interfaceConfig | Client-side web-app interface settings that override the defaults in interface_config.js
|
| services.openafsServer.cellName | Cell name this server will serve.
|
| services.athens.storage.s3.bucket | Bucket name for the S3 storage backend.
|
| services.yarr.environmentFile | Environment file for specifying additional settings such as secrets
|
| services.veilid.settings.core.protected_store.allow_insecure_fallback | If we can't use system-provided secure storage, should we proceed anyway?
|
| services.cachix-watch-store.cacheName | Cachix binary cache name
|
| services.smokeping.owner | Real name of the owner of the instance
|
| services.weechat.sessionName | Name of the screen session for weechat.
|
| services.netbird.enable | Enables backward-compatible NetBird client service
|
| services.varnish.listen.*.group | Name of the group that owns the socket file.
|
| networking.supplicant.<name>.userControlled.socketDir | Directory of sockets for controlling wpa_supplicant.
|
| services.foundationdb.tls | FoundationDB Transport Layer Security (TLS) settings.
|
| services.strongswan-swanctl.swanctl.connections.<name>.rekey_time | IKE rekeying refreshes key material using a Diffie-Hellman exchange, but
does not re-check associated credentials
|
| services.gitlab-runner.services.<name>.authenticationTokenConfigFile | Absolute path to a file containing environment variables used for
gitlab-runner registrations with runner authentication tokens
|
| services.gitlab.databaseName | GitLab database name.
|
| services.netatalk.extmap | File name extension mappings
|
| services.rss-bridge.virtualHost | Name of the nginx or caddy virtualhost to use and set up
|
| fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| services.strongswan-swanctl.swanctl.connections.<name>.ppk_required | Whether a Postquantum Preshared Key (PPK) is required for this connection
|
| services.strongswan-swanctl.swanctl.connections.<name>.dpd_timeout | Charon by default uses the normal retransmission mechanism and timeouts to
check the liveness of a peer, as all messages are used for liveness
checking
|
| fonts.fontconfig.localConf | System-wide customization file contents, has higher priority than
defaultFonts settings.
|
| services.strongswan-swanctl.swanctl.pools | Section defining named pools
|
| networking.wireguard.interfaces.<name>.postShutdown | Commands called after shutting down the interface.
|
| networking.firewall.interfaces.<name>.allowedUDPPortRanges | Range of open UDP ports.
|
| services.grafana.settings.security.strict_transport_security | Set to true if you want to enable HTTP Strict-Transport-Security (HSTS) response header
|
| services.schleuder.listDefaults | Default settings for lists (list-defaults.yml)
|
| services.dependency-track.database.username | Username to use when connecting to an external or manually
provisioned database; has no effect when a local database is
automatically provisioned
|