| services.kanidm.provision.groups.<name>.overwriteMembers | Whether the member list should be overwritten each time (true) or appended
(false)
|
| services.firezone.server.provision.accounts.<name>.groups.<name>.members | The members of this group
|
| users.users.<name>.subGidRanges.*.count | Count of subordinate group ids
|
| services.prometheus.exporters.dovecot.socketPath | Path under which the stats socket is placed
|
| users.users.<name>.subGidRanges | Subordinate group ids that user is allowed to use
|
| services.taskserver.organisations.<name>.groups | A list of group names that belong to the organization.
|
| systemd.enableCgroupAccounting | Whether to enable cgroup accounting; see cgroups(7).
|
| services.grafana.provision.alerting.rules.settings.groups.*.interval | Interval that the rule group should be evaluated at
|
| services.trafficserver.sslMulticert | Configure SSL server certificates to terminate the SSL sessions
|
| virtualisation.podman.networkSocket.tls.cacert | Path to CA certificate to use for client authentication.
|
| users.users.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user
|
| services.foundationdb.tls.certificate | Path to the TLS certificate file
|
| services.bacula-sd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-fd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.warpgate.settings.postgres.certificate | Path to PostgreSQL listener certificate.
|
| services.firezone.server.provision.accounts.<name>.groups.<name>.forceMembers | Ensure that only the given members are part of this group at every server start.
|
| services.diod.userdb | This option disables password/group lookups
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| programs.light.enable | Whether to install Light backlight control command
and udev rules granting access to members of the "video" group.
|
| services.grafana.settings.database.ca_cert_path | The path to the CA certificate to use.
|
| security.pam.services.<name>.allowNullPassword | Whether to allow logging into accounts that have no password
set (i.e., have an empty password field in
/etc/passwd or
/etc/group)
|
| services.jack.jackd.enable | Whether to enable JACK Audio Connection Kit
|
| services.unbound.localControlSocketPath | When not set to null this option defines the path
at which the unbound remote control socket should be created at
|
| hardware.i2c.enable | Whether to enable i2c devices support
|
| services.headscale.settings.tls_cert_path | Path to already created certificate.
|
| hardware.brillo.enable | Whether to enable brillo in userspace
|
| users.users.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that user is
allowed to use.
|
| services.kubernetes.pki.genCfsslAPICerts | Whether to automatically generate cfssl API webserver TLS cert and key,
if they don't exist.
|
| services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.kubernetes.pki.cfsslAPIExtraSANs | Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.
|
| hardware.bladeRF.enable | Enables udev rules for BladeRF devices
|
| users.extraUsers.<name>.subGidRanges.*.count | Count of subordinate group ids
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.cacert | Path to CA bundle file (PEM/X509)
|
| users.extraUsers.<name>.subGidRanges | Subordinate group ids that user is allowed to use
|
| services.kanidm.provision.persons.<name>.groups | List of groups this person should belong to.
|
| services.cloudflared.certificateFile | Account certificate file, necessary to create, delete and manage tunnels
|
| services.kmonad.keyboards.<name>.extraGroups | Extra permission groups to attach to the KMonad instance for
this keyboard
|
| services.dependency-track.oidc.teams.claim | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| users.extraUsers.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user
|
| services.userdbd.enable | Whether to enable the systemd JSON user/group record lookup service
.
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.saned.enable | Enable saned network daemon for remote connection to scanners.
saned would be run from scanner user; to allow
access to hardware that doesn't have scanner group
you should add needed groups to this user.
|
| programs.tcpdump.enable | Whether to configure a setcap wrapper for tcpdump
|
| services.suricata.settings.vars.address-groups.HOME_NET | HOME_NET variable.
|
| services.ghostunnel.servers.<name>.allowAll | If true, allow all clients, do not check client cert subject.
|
| services.dnsdist.dnscrypt.providerName | The name that will be given to this DNSCrypt resolver.
The provider name must start with 2.dnscrypt-cert..
|
| hardware.glasgow.enable | Enables Glasgow udev rules and ensures 'plugdev' group exists
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| users.extraUsers.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that user is
allowed to use.
|
| programs.minipro.enable | Whether to enable minipro and its udev rules
|
| services.unbound.checkconf | Whether to check the resulting config file with unbound checkconf for syntax errors
|
| services.prometheus.exporters.unbound.unbound.certificate | Path to the Unbound control socket certificate
|
| programs.sedutil.enable | Whether to enable sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification.
|
| services.suricata.settings.vars.address-groups.DNP3_SERVER | DNP3_SERVER variable.
|
| services.suricata.settings.vars.address-groups.DNP3_CLIENT | DNP3_CLIENT variable.
|
| services.dovecot2.mailGroup | Default group to store mail for virtual users.
|
| hardware.rtl-sdr.enable | Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules
|
| services.pdfding.enable | Whether to enable PdfDing service
|
| services.nginx.upstreams | Defines a group of servers to use as proxy target.
|
| services.suricata.settings.vars.address-groups.ENIP_CLIENT | ENIP_CLIENT variable.
|
| services.suricata.settings.vars.address-groups.ENIP_SERVER | ENIP_SERVER variable.
|
| services.couchdb.configFile | Configuration file for persisting runtime changes
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cacert | The certificates may use a relative path from the swanctl
x509ca directory or an absolute path
|
| services.smokeping.user | User that runs smokeping and (optionally) thttpd
|
| systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.user | The user of the file
|
| users.users.<name>.isNormalUser | Indicates whether this is an account for a “real” user
|
| services.timekpr.adminUsers | All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo.
|
| users.allowNoPasswordLogin | Disable checking that at least the root user or a user in the wheel group can log in using
a password or an SSH key
|
| services.grafana.settings.server.socket_gid | GID where the socket should be set when protocol=socket
|
| services.suricata.settings.vars.address-groups.DC_SERVERS | DC_SERVERS variable.
|
| services.portunus.enable | Whether to enable Portunus, a self-contained user/group management and authentication service for LDAP.
|
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.nextcloud-spreed-signaling.settings.https.certificate | Path to the certificate used for the HTTPS listener
|
| services.nomad.enableDocker | Enable Docker support
|
| services.cloudflared.tunnels.<name>.certificateFile | Account certificate file, necessary to create, delete and manage tunnels
|
| services.suricata.settings.vars.address-groups.AIM_SERVERS | AIM_SERVERS variable.
|
| services.suricata.settings.vars.address-groups.DNS_SERVERS | DNS_SERVERS variable.
|
| services.suricata.settings.vars.address-groups.SQL_SERVERS | SQL_SERVERS variable.
|
| services.mailman.ldap.superUserGroup | Group where a user must be a member of to gain superuser rights.
|
| services.kubernetes.apiserver.extraSANs | Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.
|
| security.agnos.settings.accounts.*.certificates.*.fullchain_output_file | Output path for the full chain including the acquired certificate
|
| services.neo4j.directories.certificates | Directory for storing certificates to be used by Neo4j for
TLS connections
|
| virtualisation.incus.enable | Whether to enable incusd, a daemon that manages containers and virtual machines
|
| services.suricata.settings.vars.address-groups.SMTP_SERVERS | SMTP_SERVERS variable.
|
| services.suricata.settings.vars.address-groups.HTTP_SERVERS | HTTP_SERVERS variable.
|
| programs.flashrom.enable | Installs flashrom and configures udev rules for programmers
used by flashrom
|
| services.warpgate.settings.http.sni_certificates | Certificates for additional domains.
|
| hardware.openrazer.users | Usernames to be added to the "openrazer" group, so that they
can start and interact with the OpenRazer userspace daemon.
|
| programs.gphoto2.enable | Whether to configure system to use gphoto2
|
| services.suricata.settings.vars.address-groups.MODBUS_CLIENT | MODBUS_CLIENT variable
|
| services.suricata.settings.vars.address-groups.MODBUS_SERVER | MODBUS_SERVER variable.
|
| networking.openconnect.interfaces.<name>.certificate | Certificate to authenticate with.
|
| services.warpgate.settings.http.sni_certificates.*.key | Path to private key.
|
| services.parsedmarc.settings.elasticsearch.cert_path | The path to a TLS certificate bundle used to verify
the server's certificate.
|