| services.mysql.ensureUsers | Ensures that the specified users exist and have at least the ensured permissions
|
| services.httpd.customLogFormat | Defines a custom Apache HTTPD access log format string
|
| services.agorakit.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.kanboard.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.librenms.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.fediwall.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.dolibarr.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.pixelfed.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.mainsail.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| networking.networkmanager.ensureProfiles.profiles.<name>.connection.id | This is the name that will be displayed by NetworkManager and GUIs.
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.privoxy.inspectHttps | Whether to configure Privoxy to inspect HTTPS requests, meaning all
encrypted traffic will be filtered as well
|
| systemd.network.networks.<name>.fairQueueingControlledDelayConfig | Each attribute in this set specifies an option in the
[FairQueueingControlledDelay] section of the unit
|
| networking.openconnect.interfaces.<name>.protocol | Protocol to use.
|
| services.knot-resolver.enable | Whether to enable knot-resolver (version 6) domain name server
|
| services.minetest-server.world | Name of the world to use
|
| services.rathole.credentialsFile | Path to a TOML file to be merged with the settings
|
| services.stargazer.routes.*.route | Route section name
|
| containers.<name>.localAddress6 | The IPv6 address assigned to the interface in the container
|
| boot.zfs.forceImportAll | Forcibly import all ZFS pool(s)
|
| services.firezone.server.provision.accounts.<name>.features.internet_resource | Whether to enable the internet_resource feature for this account.
|
| services.firezone.server.provision.accounts.<name>.features.policy_conditions | Whether to enable the policy_conditions feature for this account.
|
| services.jitsi-videobridge.xmppConfigs.<name>.disableCertificateVerification | Whether to skip validation of the server's certificate.
|
| services.slurm.controlMachine | The short hostname of the machine where SLURM control functions are
executed (i.e. the name returned by the command "hostname -s", use "tux001"
rather than "tux001.my.com").
|
| virtualisation.interfaces.<name>.assignIP | Automatically assign an IP address to the network interface using the same scheme as
virtualisation.vlans.
|
| services.gitlab.registry.serviceName | GitLab container registry service name.
|
| networking.vswitches | This option allows you to define Open vSwitches that connect
physical networks together
|
| services.sanoid.templates.<name>.pre_snapshot_script | Script to run before taking snapshot.
|
| virtualisation.fileSystems.<name>.encrypted.enable | The block device is backed by an encrypted one, adds this device as a initrd luks entry.
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.tailscale.authKeyFile | A file containing the auth key
|
| services.radicle.privateKeyFile | Absolute file path to an SSH private key,
usually generated by rad auth
|
| users.mysql.pam.logging.msgColumn | The name of the column in the log table to which the description
of the performed operation is stored.
|
| boot.binfmt.registrations.<name>.wrapInterpreterInShell | Whether to wrap the interpreter in a shell script
|
| virtualisation.allInterfaces.<name>.assignIP | Automatically assign an IP address to the network interface using the same scheme as
virtualisation.vlans.
|
| services.strongswan-swanctl.swanctl.connections.<name>.mediation_peer | Identity under which the peer is registered at the mediation server, that
is, the IKE identity the other end of this connection uses as its local
identity on its connection to the mediation server
|
| services.nominatim.enable | Whether to enable nominatim
|
| users.users.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|
| services.akkoma.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.gancio.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.fluidd.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.matomo.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| services.monica.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| hardware.cpu.amd.ryzen-smu.enable | Whether to enable ryzen_smu, a linux kernel driver that exposes access to the SMU (System Management Unit) for certain AMD Ryzen Processors
|
| networking.interfaces.<name>.ipv6.addresses.*.prefixLength | Subnet mask of the interface, specified as the number of
bits in the prefix (64).
|
| networking.interfaces.<name>.ipv4.addresses.*.prefixLength | Subnet mask of the interface, specified as the number of
bits in the prefix (24).
|
| services.postfix-tlspol.configurePostfix | Whether to configure the required settings to use postfix-tlspol in the local Postfix instance.
|
| programs.tsmClient.servers | Server definitions ("stanzas")
for the client system-options file
|
| services.thinkfan.fans.*.query | The query string used to match one or more fans: can be
a fullpath to the temperature file (single fan) or a fullpath
to a driver directory (multiple fans).
When multiple fans match, the query can be restricted using the
name or indices options.
|
| security.ipa.shells | List of shells which binaries should be installed to /bin/
|
| services.samba.usershares.group | Name of the group members of which will be allowed to create usershares
|
| services.slurm.dbdserver.storageUser | Database user name.
|
| services.rustus.storage.s3_region | S3 region name.
|
| _module.args | Additional arguments passed to each module in addition to ones
like lib, config,
and pkgs, modulesPath
|
| boot.initrd.luks.devices | The encrypted disk that should be opened before the root
filesystem is mounted
|
| services.writefreely.host | The public host name to serve.
|
| services.vault-agent.instances | Attribute set of vault-agent instances
|
| services.roundcube.enable | Whether to enable roundcube
|
| users.users.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's
password
|
| services.nginx.recommendedTlsSettings | Enable recommended TLS settings.
|
| services.xserver.xrandrHeads.*.output | The output name of the monitor, as shown by
xrandr(1) invoked without arguments.
|
| services.multipath.devices.*.prio | The name of the path priority routine
|
| services.stash.settings.create_image_clip_from_videos | Create Image Clips from Video extensions when Videos are disabled in Library
|
| services.foundationdb.locality | FoundationDB locality settings.
|
| networking.wireguard.interfaces.<name>.peers.*.allowedIPs | List of IP (v4 or v6) addresses with CIDR masks from
which this peer is allowed to send incoming traffic and to which
outgoing traffic for this peer is directed
|
| boot.binfmt.registrations.<name>.matchCredentials | Whether to launch with the credentials and security
token of the binary, not the interpreter (e.g. setuid
bit)
|
| services.xserver.displayManager.sx.enable | Whether to enable the "sx" pseudo-display manager, which allows users
to start manually via the "sx" command from a vt shell
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.x_forwarded | Use the X-Forwarded-For (XFF) header as the client IP and not the
actual client IP.
|
| services.windmill.database.urlPath | Path to the file containing the database url windmill should connect to
|
| services.cntlm.netbios_hostname | The hostname of your machine.
|
| services.cadvisor.storageDriverDb | Cadvisord storage driver database name.
|
| virtualisation.fileSystems.<name>.device | The device as passed to mount
|
| services.prometheus.scrapeConfigs.*.basic_auth.username | HTTP username
|
| services.davis.nginx.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| services.movim.nginx.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| services.slskd.nginx.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| services.portunus.dex.oidcClients | List of OIDC clients
|
| programs.nix-required-mounts.allowedPatterns.<name>.unsafeFollowSymlinks | Whether to enable Instructs the hook to mount the symlink targets as well, when any of
the paths contain symlinks
|
| security.wrappers.<name>.capabilities | A comma-separated list of capability clauses to be given to the
wrapper program
|
| services.librenms.environmentFile | File containing env-vars to be substituted into the final config
|
| services.zfs.autoSnapshot.flags | Flags to pass to the zfs-auto-snapshot command
|
| virtualisation.credentials.<name>.source | Source file on the host containing the credential data.
|
| services.ntopng.redis.createInstance | Local Redis instance name
|
| xdg.portal.config | Sets which portal backend should be used to provide the implementation
for the requested interface
|
| services.athens.index.postgres.database | Database name for the Postgres database.
|
| services.nextcloud.autoUpdateApps.startAt | When to run the update
|
| services.strongswan-swanctl.swanctl.connections.<name>.fragmentation | Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
fragmentation)
|
| services.multipath.pathGroups.*.alias | The name of the multipath device
|
| services.snipe-it.nginx.acmeFallbackHost | Host which to proxy requests to if ACME challenge is not found
|
| systemd.mounts.*.wantedBy | Units that want (i.e. depend on) this unit
|
| services.avahi.nssmdns6 | Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv6
|
| services.victoriatraces.basicAuthUsername | Basic Auth username used to protect VictoriaTraces instance by authorization
|
| users.mysql.pam.logging.timeColumn | The name of the column in the log table to which the timestamp of the
log entry is stored.
|
| services.anuko-time-tracker.nginx.http3 | Whether to enable the HTTP/3 protocol
|
| services.displayManager.dms-greeter.configFiles | List of DankMaterialShell configuration files to copy into the greeter
data directory at /var/lib/dms-greeter
|
| services.postfix.networksStyle | Name of standard way of trusted network specification to use,
leave blank if you specify it explicitly or if you want to use
default (localhost-only).
|
| users.mysql.pam.logging.pidColumn | The name of the column in the log table to which the pid of the
process utilising the pam_mysql authentication
service is stored.
|
| virtualisation.fileSystems.<name>.overlay.upperdir | The path to the upperdir
|
| containers.<name>.nixpkgs | A path to the nixpkgs that provide the modules, pkgs and lib for evaluating the container
|
| services.outline.storage.uploadBucketName | Name of the bucket where uploads should be stored.
|