| services.bookstack.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.bookstack.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.limesurvey.nginx.virtualHost.http2 | Whether to enable the HTTP/2 protocol
|
| boot.loader.limine.secureBoot.enable | Whether to sign the limine binary with sbctl.
This requires you to already have generated the keys and enrolled them with sbctl
|
| services.firezone.server.openClusterFirewall | Opens up the erlang distribution port of all enabled components to
allow reaching the server cluster from the internet
|
| services.kanidm.provision.idmAdminPasswordFile | Path to a file containing the idm admin password for kanidm
|
| containers.<name>.privateUsers | Whether to give the container its own private UIDs/GIDs space (user namespacing)
|
| services.blockbook-frontend.<name>.cssDir | Location of the dir with main.css CSS file
|
| services.xserver.displayManager.lightdm.greeter.enable | If set to false, run lightdm in greeterless mode
|
| networking.bonds.<name>.miimon | DEPRECATED, use driverOptions
|
| systemd.network.wait-online.enable | Whether to enable the systemd-networkd-wait-online service.
systemd-networkd-wait-online can time out and fail if there are no network interfaces
available for it to manage
|
| services.mediagoblin.pluginPackages | Plugins to add to the environment of MediaGoblin
|
| services.postgresqlBackup.pgdumpOptions | Command line options for pg_dump
|
| services.jirafeau.nginxConfig.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.jirafeau.nginxConfig.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.listmonk.database.mutableSettings | Database settings will be reset to the value set in this module if this is not enabled
|
| services.resilio.sharedFolders | Shared folder list
|
| services.misskey.reverseProxy.webserver.nginx.http2 | Whether to enable the HTTP/2 protocol
|
| services.nginx.virtualHosts.<name>.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.nginx.virtualHosts.<name>.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| programs.hyprland.systemd.setPath.enable | Set environment path of systemd to include the current system's bin directory
|
| services.libinput.touchpad.middleEmulation | Enables middle button emulation
|
| services.borgbackup.repos.<name>.allowSubRepos | Allow clients to create repositories in subdirectories of the
specified path
|
| systemd.network.wait-online.anyInterface | Whether to consider the network online when any interface is online, as opposed to all of them
|
| services.minecraft-server.whitelist | Whitelisted players, only has an effect when services.minecraft-server.declarative is true
and the whitelist is enabled via services.minecraft-server.serverProperties by setting white-list to true
|
| services.prometheus.exporters.postfix.group | Group under which the postfix exporter shall be run
|
| services.bacula-sd.tls.caCertificateFile | The path specifying a PEM encoded TLS CA certificate(s)
|
| services.bacula-fd.tls.caCertificateFile | The path specifying a PEM encoded TLS CA certificate(s)
|
| services.firewalld.zones.<name>.icmpBlockInversion | Whether to invert the icmp block handling
|
| services.mattermost.mutableConfig | Whether the Mattermost config.json is writeable by Mattermost
|
| services.mastodon.elasticsearch.host | Elasticsearch host
|
| boot.initrd.systemd.network.wait-online.enable | Whether to enable the systemd-networkd-wait-online service.
systemd-networkd-wait-online can time out and fail if there are no network interfaces
available for it to manage
|
| virtualisation.fileSystems.<name>.encrypted.keyFile | Path to a keyfile used to unlock the backing encrypted
device
|
| services.logrotate.checkConfig | Whether the config should be checked at build time
|
| services.nextcloud.phpExtraExtensions | Additional PHP extensions to use for Nextcloud
|
| systemd.user.services.<name>.enableStrictShellChecks | Enable running shellcheck on the generated scripts for this unit
|
| services.chhoto-url.settings.custom_landing_directory | The path of a directory which contains a custom landing page.
|
| hardware.sane.disabledDefaultBackends | Names of backends which are enabled by default but should be disabled
|
| services.prometheus.pushgateway.stateDir | Directory below /var/lib to store metrics
|
| services.synapse-auto-compressor.postgresUrl | Connection string to postgresql in the
[rust postgres crate config format](https://docs.rs/postgres/latest/postgres/config/struct
|
| services.fedimintd.<name>.nginx.config.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.fedimintd.<name>.nginx.config.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.sha256_96 | HMAC-SHA-256 is used with 128-bit truncation with IPsec
|
| boot.initrd.systemd.network.wait-online.anyInterface | Whether to consider the network online when any interface is online, as opposed to all of them
|
| networking.firewall.logReversePathDrops | Logs dropped packets failing the reverse path filter test if
the option networking.firewall.checkReversePath is enabled.
|
| services.displayManager.dms-greeter.quickshell.package | The Quickshell package to use for the greeter
|
| services.prometheus.exporters.mongodb.collector | Enabled collectors
|
| boot.initrd.systemd.additionalUpstreamUnits | Additional units shipped with systemd that shall be enabled.
|
| programs.fish.extraCompletionPackages | Additional packages to generate completions from, if programs.fish.generateCompletions is enabled.
|
| services.displayManager.dms-greeter.compositor.name | The Wayland compositor to run the greeter in
|
| services.nextcloud.config.objectstore.s3.usePathStyle | Required for some non-Amazon S3 implementations
|
| security.dhparams.stateful | Whether generation of Diffie-Hellman parameters should be stateful or
not
|
| services.tailscale.useRoutingFeatures | Enables settings required for Tailscale's routing features like subnet routers and exit nodes
|
| services.paperless.consumptionDirIsPublic | Whether all users can write to the consumption dir.
|
| virtualisation.fileSystems.<name>.overlay.workdir | The path to the workdir
|
| services.limesurvey.nginx.virtualHost.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| systemd.services.<name>.enableStrictShellChecks | Enable running shellcheck on the generated scripts for this unit
|
| programs.steam.protontricks.enable | Whether to enable protontricks, a simple wrapper for running Winetricks commands for Proton-enabled games.
|
| programs.tsmClient.servers.<name>.genPasswd | Whether to enable automatic client password generation
|
| services.sssd.sshAuthorizedKeysIntegration | Whether to make sshd look up authorized keys from SSS
|
| hardware.nvidia.videoAcceleration | Whether video acceleration (VA-API) should be enabled.
|
| services.firefox-syncserver.enable | Whether to enable the Firefox Sync storage service
|
| virtualisation.useEFIBoot | If enabled, the virtual machine will provide an EFI boot
manager.
useEFIBoot is ignored if useBootLoader == false.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| systemd.additionalUpstreamSystemUnits | Additional units shipped with systemd that shall be enabled.
|
| programs.gnupg.agent.pinentryPackage | Which pinentry package to use
|
| services.prometheus.exporters.chrony.chronyServerAddress | ChronyServerAddress of the chrony server side command port. (Not enabled by default.)
Defaults to the local unix socket.
|
| services.pantalaimon-headless.instances.<name>.ssl | Whether or not SSL verification should be enabled for outgoing
connections to the homeserver.
|
| virtualisation.useHostCerts | If enabled, when NIX_SSL_CERT_FILE is set on the host,
pass the CA certificates from the host to the VM.
|
| virtualisation.fileSystems.<name>.overlay.upperdir | The path to the upperdir
|
| virtualisation.fileSystems.<name>.overlay.lowerdir | The list of path(s) to the lowerdir(s)
|
| services.grafana.settings.analytics.check_for_updates | When set to false, disables checking for new versions of Grafana from Grafana's GitHub repository
|
| services.postgresqlBackup.compressionLevel | The compression level used when compression is enabled.
gzip accepts levels 1 to 9. zstd accepts levels 1 to 19.
|
| services.magnetico.web.credentials | The credentials to access the web interface, in case authentication is
enabled, in the format username:hash
|
| services.yggdrasil.persistentKeys | Whether to enable automatic generation and persistence of keys
|
| virtualisation.useBIOSBoot | If enabled for legacy MBR VMs, the VM image will have a separate boot
partition mounted at /boot.
useBIOSBoot is ignored if useEFIBoot == true.
|
| services.bitwarden-directory-connector-cli.secrets.bitwarden.client_path_id | Path to file that contains Client ID.
|
| boot.loader.generationsDir.enable | Whether to create symlinks to the system generations under
/boot
|
| documentation.man.man-db.manualPages | The manual pages to generate caches for if documentation.man.generateCaches
is enabled
|
| services.discourse.database.ignorePostgresqlVersion | Whether to allow other versions of PostgreSQL than the
recommended one
|
| services.parsedmarc.provision.grafana.datasource | Whether the automatically provisioned Elasticsearch
instance should be added as a grafana datasource
|
| virtualisation.lxd.zfsSupport | Enables lxd to use zfs as a storage for containers
|
| virtualisation.spiceUSBRedirection.enable | Install the SPICE USB redirection helper with setuid
privileges
|
| networking.resolvconf.package | The package that provides the system-wide resolvconf command
|
| services.prometheus.exporters.frr.disabledCollectors | Collectors to disable which are enabled by default.
|
| services.jellyfin.forceEncodingConfig | Whether to overwrite Jellyfin's encoding.xml configuration file on each service start
|
| hardware.nvidia-container-toolkit.mount-nvidia-docker-1-directories | Mount nvidia-docker-1 directories on containers: /usr/local/nvidia/lib and
/usr/local/nvidia/lib64.
|
| services.prometheus.exporters.node.disabledCollectors | Collectors to disable which are enabled by default.
|
| networking.getaddrinfo.reload | Determines whether a process should detect changes to the configuration file since it was last read
|
| services.nextcloud-spreed-signaling.configureNginx | Whether to set up and configure an nginx virtual host according to upstream's recommendations
|
| networking.firewall.logRefusedUnicastsOnly | If networking.firewall.logRefusedPackets
and this option are enabled, then only log packets
specifically directed at this machine, i.e., not broadcasts
or multicasts.
|
| networking.interfaces.<name>.useDHCP | Whether this interface should be configured with DHCP
|
| services.jellyfin.transcoding.hardwareEncodingCodecs | Which codecs to enable for hardware encoding. h264 is always enabled.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.per_cpu_sas | Enable per-CPU CHILD_SAs
|
| services.prometheus.exporters.opnsense.disabledExporter | Collectors to enable or disable
|
| security.pam.services.<name>.googleAuthenticator.enable | If set, users with enabled Google Authenticator (created
~/.google_authenticator) will be required
to provide a Google Authenticator token to log in.
|
| services.prometheus.pushgateway.persistMetrics | Whether to persist metrics to a file
|
| programs.singularity.enableFakeroot | Whether to enable the --fakeroot support of Singularity/Apptainer
|