| services.grafana.settings.security.data_source_proxy_whitelist | Define a whitelist of allowed IP addresses or domains, with ports,
to be used in data source URLs with the Grafana data source proxy
|
| services.bluemap.webserverSettings | Settings for the webserver.conf file, usually not required.
See upstream docs.
|
| services.postsrsd.configurePostfix | Whether to configure the required settings to use postsrsd in the local Postfix instance.
|
| services.athens.storage.mongo.defaultDBName | Name of the mongo database.
|
| services.packagekit.vendorSettings | Additional settings passed straight through to Vendor.conf
|
| networking.wireguard.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| boot.binfmt.registrations.<name>.matchCredentials | Whether to launch with the credentials and security
token of the binary, not the interpreter (e.g. setuid
bit)
|
| services.cloudlog.virtualHost | Name of the nginx virtualhost to use and setup
|
| services.airsonic.virtualHost | Name of the nginx virtualhost to use and setup
|
| services.prometheus.exporters.nextcloud.username | Username for connecting to Nextcloud
|
| services.sanoid.datasets.<name>.pre_snapshot_script | Script to run before taking snapshot.
|
| virtualisation.fileSystems.<name>.device | The device as passed to mount
|
| programs.nix-required-mounts.allowedPatterns.<name>.unsafeFollowSymlinks | Whether to enable Instructs the hook to mount the symlink targets as well, when any of
the paths contain symlinks
|
| services.samba.winbindd.enable | Whether to enable Samba's winbindd, which provides a number of services
to the Name Service Switch capability found in most modern C libraries,
to arbitrary applications via PAM and ntlm_auth and to Samba itself.
|
| services.unpoller.unifi.defaults.user | Unifi service user name.
|
| services.cryptpad.configureNginx | Configure Nginx as a reverse proxy for Cryptpad
|
| security.wrappers.<name>.capabilities | A comma-separated list of capability clauses to be given to the
wrapper program
|
| services.portunus.ldap.searchUserName | The login name of the search user
|
| services.guacamole-server.host | The host name or IP address the server should listen to.
|
| services.youtrack.virtualHost | Name of the nginx virtual host to use and setup
|
| services.borgmatic.configurations.<name>.repositories | A required list of local or remote repositories with paths and
optional labels (which can be used with the --repository flag to
select a repository)
|
| services.bitwarden-directory-connector-cli.ldap.username | The user to authenticate as.
|
| services.prometheus.remoteWrite.*.basic_auth.username | HTTP username
|
| virtualisation.credentials.<name>.source | Source file on the host containing the credential data.
|
| services.wiki-js.stateDirectoryName | Name of the directory in /var/lib.
|
| xdg.portal.config | Sets which portal backend should be used to provide the implementation
for the requested interface
|
| services.bitwarden-directory-connector-cli.ldap.hostname | The host the LDAP is accessible on.
|
| systemd.mounts.*.wantedBy | Units that want (i.e. depend on) this unit
|
| users.mysql.pam.logging.timeColumn | The name of the column in the log table to which the timestamp of the
log entry is stored.
|
| services.davis.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.movim.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.slskd.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.firezone.server.provision.accounts.<name>.features.internet_resource | Whether to enable the internet_resource feature for this account.
|
| services.firezone.server.provision.accounts.<name>.features.policy_conditions | Whether to enable the policy_conditions feature for this account.
|
| services.netbird.useRoutingFeatures | Enables settings required for NetBird's routing features: Network Resources, Network Routes & Exit Nodes
|
| services.tailscale.derper.domain | Domain name under which the derper server is reachable.
|
| users.mysql.pam.logging.pidColumn | The name of the column in the log table to which the pid of the
process utilising the pam_mysql authentication
service is stored.
|
| virtualisation.fileSystems.<name>.overlay.upperdir | The path to the upperdir
|
| containers.<name>.nixpkgs | A path to the nixpkgs that provide the modules, pkgs and lib for evaluating the container
|
| services.jitsi-videobridge.xmppConfigs.<name>.disableCertificateVerification | Whether to skip validation of the server's certificate.
|
| networking.openconnect.interfaces.<name>.passwordFile | File containing the password to authenticate with
|
| services.caddy.adapter | Name of the config adapter to use
|
| virtualisation.fileSystems.<name>.overlay.lowerdir | The list of path(s) to the lowerdir(s)
|
| hardware.nvidia.nvidiaSettings | Whether to enable nvidia-settings, NVIDIA's GUI configuration tool
.
|
| networking.wireguard.interfaces.<name>.generatePrivateKeyFile | Automatically generate a private key with
wg genkey, at the privateKeyFile location.
|
| virtualisation.fileSystems.<name>.depends | List of paths that should be mounted before this one
|
| virtualisation.fileSystems.<name>.options | Options used to mount the file system
|
| services.snipe-it.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.rathole.credentialsFile | Path to a TOML file to be merged with the settings
|
| virtualisation.credentials.<name>.text | Text content of the credential
|
| networking.supplicant | Interfaces for which to start wpa_supplicant
|
| services.sanoid.templates.<name>.pre_snapshot_script | Script to run before taking snapshot.
|
| virtualisation.fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| networking.dhcpcd.setHostname | Whether to set the machine hostname based on the information
received from the DHCP server.
The hostname will be changed only if the current one is
the empty string, localhost or nixos
|
| services.agorakit.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.kanboard.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.librenms.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.fediwall.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.dolibarr.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.pixelfed.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.mainsail.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.stargazer.routes.*.route | Route section name
|
| users.extraUsers.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|
| services.stash.settings.create_image_clip_from_videos | Create Image Clips from Video extensions when Videos are disabled in Library
|
| services.privoxy.inspectHttps | Whether to configure Privoxy to inspect HTTPS requests, meaning all
encrypted traffic will be filtered as well
|
| services.httpd.customLogFormat | Defines a custom Apache HTTPD access log format string
|
| services.minetest-server.world | Name of the world to use
|
| services.strongswan-swanctl.swanctl.connections.<name>.mediation_peer | Identity under which the peer is registered at the mediation server, that
is, the IKE identity the other end of this connection uses as its local
identity on its connection to the mediation server
|
| services.knot-resolver.enable | Whether to enable knot-resolver (version 6) domain name server
|
| services.mysql.ensureUsers | Ensures that the specified users exist and have at least the ensured permissions
|
| services.slurm.controlMachine | The short hostname of the machine where SLURM control functions are
executed (i.e. the name returned by the command "hostname -s", use "tux001"
rather than "tux001.my.com").
|
| users.users.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| services.postfix-tlspol.configurePostfix | Whether to configure the required settings to use postfix-tlspol in the local Postfix instance.
|
| i18n.inputMethod.fcitx5.plasma6Support | Use qt6 versions of fcitx5 packages
|
| networking.wireguard.interfaces.<name>.socketNamespace | The pre-existing network namespace in which the
WireGuard interface is created, and which retains the socket even if the
interface is moved via interfaceNamespace
|
| users.mysql.pam.passwordColumn | The name of the column that contains a (encrypted) password string.
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.x_forwarded | Use the X-Forwarded-For (XFF) header as the client IP and not the
actual client IP.
|
| services.nginx.recommendedTlsSettings | Enable recommended TLS settings.
|
| users.extraUsers.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's
password
|
| services.tailscale.authKeyFile | A file containing the auth key
|
| services.foundationdb.locality | FoundationDB locality settings.
|
| services.slurm.dbdserver.storageUser | Database user name.
|
| services.rustus.storage.s3_region | S3 region name.
|
| services.radicle.privateKeyFile | Absolute file path to an SSH private key,
usually generated by rad auth
|
| containers.<name>.forwardPorts.*.protocol | The protocol specifier for port forwarding between host and container
|
| services.samba.usershares.group | Name of the group members of which will be allowed to create usershares
|
| security.agnos.settings.accounts.*.certificates.*.fullchain_output_file | Output path for the full chain including the acquired certificate
|
| services.nominatim.enable | Whether to enable nominatim
|
| services.akkoma.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.gancio.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.fluidd.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.matomo.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.monica.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.writefreely.host | The public host name to serve.
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| virtualisation.oci-containers.containers.<name>.cmd | Commandline arguments to pass to the image's entrypoint.
|
| console.font | The font used for the virtual consoles
|
| services.vault-agent.instances | Attribute set of vault-agent instances
|
| services.multipath.devices.*.prio | The name of the path priority routine
|
| services.xserver.xrandrHeads.*.output | The output name of the monitor, as shown by
xrandr(1) invoked without arguments.
|