| security.pam.u2f.settings.cue | By default, the pam-u2f module does not inform the user
that they need to use the U2F device; it just waits without a prompt
|
| security.acme.defaults.ocspMustStaple | Turns on the OCSP Must-Staple TLS extension
|
| hardware.graphics.enable | Whether to enable hardware accelerated graphics drivers
|
| services.lighthouse.network | The network to connect to
|
| services.bookstack.nginx.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.duplicati.dataDir | The directory where Duplicati stores its data files.
If left as the default value this directory will automatically be created
before the Duplicati server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions.
|
| services.forgejo.dump.interval | Run a Forgejo dump at this interval
|
| networking.bonds.<name>.miimon | DEPRECATED, use driverOptions
|
| services.openafsClient.daemons | Number of daemons to serve user requests
|
| services.trickster.instance-id | Instance ID for when running multiple processes (default null).
|
| services.nylon.<name>.acceptInterface | Tell nylon which interface to listen for client requests on, default is "lo".
|
| services.selfoss.database.port | The database's port
|
| users.users.<name>.ignoreShellProgramCheck | By default, nixos will check that programs
|
| services.xserver.excludePackages | Which X11 packages to exclude from the default environment
|
| services.kanidm.server.settings.online_backup.versions | Number of backups to keep
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.unsafeTarget | If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets
|
| services.postfix.networksStyle | Name of the standard way of specifying trusted networks to use;
leave blank if you specify it explicitly or if you want to use
the default (localhost-only).
|
| security.acme.defaults.server | ACME Directory Resource URI
|
| security.acme.defaults.listenHTTP | Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT
|
| programs.regreet.enable | Enable ReGreet, a clean and customizable greeter for greetd
|
| programs.rust-motd.order | The order of the sections in programs.rust-motd.settings
|
| services.unpoller.unifi.defaults.url | URL of the Unifi controller.
|
| services.shorewall.enable | Whether to enable Shorewall IPv4 Firewall.
Enabling this service WILL disable the existing NixOS
firewall! Default firewall rules provided by packages are not
considered at the moment.
|
| services.redis.servers.<name>.group | Group account under which this instance of redis-server runs.
If left as the default value this group will automatically be
created on system activation, otherwise you are responsible for
ensuring the group exists before the redis service starts.
|
| services.thinkfan.enable | Whether to enable thinkfan, a fan control program.
This module targets IBM/Lenovo ThinkPads by default; for
other hardware you will have to configure it more carefully.
|
| services.unpoller.unifi.dynamic | Let prometheus select which controller to poll when scraping
|
| systemd.user.targets.<name>.enable | If set to false, this unit will be a symlink to
/dev/null
|
| containers.<name>.forwardPorts | List of forwarded ports from host to container
|
| systemd.services.<name>.enable | If set to false, this unit will be a symlink to
/dev/null
|
| systemd.user.sockets.<name>.enable | If set to false, this unit will be a symlink to
/dev/null
|
| services.sourcehut.builds.group | Group for builds.sr.ht
|
| services.dnsmasq.alwaysKeepRunning | If enabled, systemd will always respawn dnsmasq even if shut down manually
|
| services.gancio.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.fluidd.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.akkoma.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.monica.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.mjpg-streamer.outputPlugin | Output plugin. @www@ is substituted for default mjpg-streamer www directory
|
| services.postfix.settings.main | The main.cf configuration file as key value set
|
| services.printing.cups-pdf.enable | Whether to enable the cups-pdf virtual pdf printer backend
|
| services.mattermost.socket.path | Default location for the Mattermost control socket used by mmctl.
|
| services.matomo.nginx.forceSSL | Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS
|
| services.hylafax.sendmailPath | Path to sendmail program
|
| containers.<name>.localAddress | The IPv4 address assigned to the interface in the container
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.extraArguments | Extra arguments to pass to ghostunnel server
|
| services.snapserver.sampleFormat | Default sample format.
|
| services.libvirtd.autoSnapshot.keep | Default number of snapshots to keep for VMs that don't specify a keep value.
|
| services.blendfarm.serverConfig.Port | Default port blendfarm server listens on.
|
| services.moodle.virtualHost.extraConfig | These lines go to httpd.conf verbatim
|
| services.nagios.virtualHost.extraConfig | These lines go to httpd.conf verbatim
|
| containers.<name>.localAddress6 | The IPv6 address assigned to the interface in the container
|
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting
|
| services.stalwart-mail.settings | Configuration options for the Stalwart email server
|
| environment.wvdial.pppDefaults | Default ppp settings for wvdial.
|
| services.cockroachdb.openPorts | Open firewall ports for cluster communication by default
|
| programs.less.clearDefaultCommands | Clear all default commands
|
| services.prosody.muc.*.roomDefaultPublicJids | If set, the MUC rooms will display the public JIDs by default.
|
| services.tt-rss.updateDaemon.commandFlags | Command-line flags passed to the update daemon
|
| services.oauth2-proxy.validateURL | Access token validation endpoint
|
| services.movim.podConfig.xmppdomain | The default XMPP server domain
|
| services.teeworlds.register | Whether the server registers as a public server in the global server list
|
| services.openvscode-server.user | The user to run openvscode-server as
|
| services.github-runners.<name>.extraLabels | Extra labels in addition to the default (unless disabled through the noDefaultLabels option)
|
| systemd.sysupdate.reboot.timerConfig | The timer configuration for rebooting after an update
|
| services.rke2.cisHardening | Enable CIS Hardening for RKE2
|
| services.unpoller.unifi.defaults.user | Unifi service user name.
|
| services.kubernetes.secretsPath | Default location for kubernetes secrets
|
| services.jirafeau.nginxConfig.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| nixpkgs.flake.source | The path to the nixpkgs sources used to build the system
|
| services.hbase-standalone.dataDir | Specifies location of HBase database files
|
| services.stargazer.certLifetime | How long certs generated by Stargazer should live for
|
| services.rstudio-server.serverWorkingDir | Default working directory for server (server-working-dir in rserver.conf).
|
| services.neo4j.ssl.policies.<name>.ciphers | Restrict the allowed ciphers of this policy to those defined
here
|
| services.onlyoffice.loglevel | Default loglevel to use for documentserver and converter
|
| services.smartd.autodetect | Whether smartd should monitor all devices connected to the
machine at the time it's being started (the default)
|
| services.github-runners.<name>.runnerGroup | Name of the runner group to add this runner to (defaults to the default runner group)
|
| systemd.services.<name>.enableDefaultPath | Whether to append a minimal default PATH environment variable to the service, containing common system utilities.
|
| services.prometheus.exporters.unpoller.controllers.*.sites | List of site names for which statistics should be exported
|
| programs.pay-respects.aiIntegration | Whether to enable pay-respects' LLM integration
|
| services.matrix-continuwuity.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| services.logind.lidSwitchExternalPower | Specifies what to do when the laptop lid is closed
and the system is on external power
|
| services.quorum.blockperiod | Default minimum difference between two consecutive blocks' timestamps in seconds.
|
| services.mpd.musicDirectory | The directory or NFS/SMB network share where MPD reads music from
|
| services.apcupsd.configText | Contents of the runtime configuration file, apcupsd.conf
|
| nix.settings.auto-optimise-store | If set to true, Nix automatically detects files in the store that have
identical contents, and replaces them with hard links to a single copy
|
| security.acme.defaults.dnsProvider | DNS Challenge provider
|
| security.acme.defaults.webroot | Where the webroot of the HTTP vhost is located.
A .well-known/acme-challenge/ directory
will be created below the webroot if it doesn't exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
|
| services.httpd.virtualHosts.<name>.extraConfig | These lines go to httpd.conf verbatim
|
| services.invidious.database.port | The port of the database Invidious should use
|
| services.nylon.<name>.nrConnections | The number of allowed simultaneous connections to the daemon, default 10.
|
| services.nextcloud.datadir | Nextcloud's data storage path
|
| services.prosody.muc.*.roomDefaultLanguage | Default room language.
|
| services.postgresql.dataDir | The data directory for PostgreSQL
|
| services.zabbixWeb.nginx.virtualHost.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.zabbixWeb.httpd.virtualHost.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| services.vsftpd.userlistFile | Newline-separated list of names to be allowed/denied if userlistEnable
is true
|
| services.vsftpd.virtualUseLocalPrivs | If enabled, virtual users will use the same privileges as local
users
|
| programs.ssh.knownHosts.<name>.hostNames | A list of host names and/or IP numbers used for accessing
the host's ssh service
|
| networking.fooOverUDP.<name>.protocol | Protocol number of the encapsulated packets
|