| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert | Section for a CA certificate to accept for authentication
|
| services.suricata.settings.vars.address-groups.EXTERNAL_NET | EXTERNAL_NET variable.
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.hologram-server.roleAttr | Which LDAP group attribute to search for authorized role ARNs
|
| programs.mouse-actions.enable | Whether to install and set up mouse-actions and it's udev rules
|
| services.aria2.enable | Whether or not to enable the headless Aria2 daemon service
|
| boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.user | The user of the file
|
| services.dokuwiki.sites.<name>.acl.*.actor | User or group to restrict
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.slot | Optional slot number of the token that stores the certificate.
|
| services.suricata.settings.vars.address-groups.TELNET_SERVERS | TELNET_SERVERS variable.
|
| services.quickwit.dataDir | Data directory for Quickwit
|
| services.temporal.dataDir | Data directory for Temporal
|
| nix.settings.trusted-users | A list of names of users that have additional rights when
connecting to the Nix daemon, such as the ability to specify
additional binary caches, or to import unsigned NARs
|
| services.traefik.supplementaryGroups | Additional groups under which Traefik runs
|
| services.dependency-track.settings."alpine.oidc.teams.claim" | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| users.extraUsers.<name>.isNormalUser | Indicates whether this is an account for a “real” user
|
| hardware.acpilight.enable | Enable acpilight
|
| programs.corectrl.enable | Whether to enable CoreCtrl, a tool to overclock amd graphics cards and processors
|
| services.privoxy.inspectHttps | Whether to configure Privoxy to inspect HTTPS requests, meaning all
encrypted traffic will be filtered as well
|
| services.grafana.provision.alerting.rules.settings.groups | List of rule groups to import or update.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file | Absolute path to the certificate to load
|
| services.fastnetmon-advanced.hostgroups | Hostgroups to declaratively load into FastNetMon Advanced
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.module | Optional PKCS#11 module name.
|
| services.dependency-track.oidc.teamSynchronization | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| hardware.sheep_net.enable | Enables sheep_net udev rules, ensures 'sheep_net' group exists, and adds
sheep-net to boot.kernelModules and boot.extraModulePackages
|
| networking.networkmanager.enable | Whether to use NetworkManager to obtain an IP address and other
configuration for all network interfaces that are not manually
configured
|
| virtualisation.podman.dockerSocket.enable | Make the Podman socket available in place of the Docker socket, so
Docker tools can find the Podman socket
|
| programs.mosh.withUtempter | Whether to enable libutempter for mosh
|
| programs.tmux.withUtempter | Whether to enable libutempter for tmux
|
| services.grafana.settings.database.server_cert_name | The common name field of the certificate used by the mysql or postgres server
|
| programs.feedbackd.enable | Whether to enable the feedbackd D-BUS service and udev rules
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_cert | Send certificate payloads when using certificate authentication.
- With the default of
ifasked the daemon sends
certificate payloads only if certificate requests have been received.
never disables sending of certificate payloads
altogether,always causes certificate payloads to be sent
unconditionally whenever certificate authentication is used
|
| services.bitwarden-directory-connector-cli.sync.groups | Whether to sync ldap groups into BitWarden.
|
| hardware.kryoflux.enable | Enables kryoflux udev rules, ensures 'floppy' group exists
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| networking.wireless.networks.<name>.priority | By default, all networks will get same priority group (0)
|
| services.netbird.clients.<name>.bin.suffix | A system group name for this client instance.
|
| services.netbird.tunnels.<name>.bin.suffix | A system group name for this client instance.
|
| services.mx-puppet-discord.enable | Whether to enable mx-puppet-discord is a discord puppeting bridge for matrix
|
| services.terraria.enable | If enabled, starts a Terraria server
|
| services.dovecot2.createMailUser | Whether to enable automatically creating the user
given in services.dovecot.user and the group
given in services.dovecot.group.
|
| services.kubernetes.apiserver.kubeletClientCaFile | Path to a cert file for connecting to kubelet.
|
| services.hardware.lcd.server.usbPermissions | Set group-write permissions on a USB device
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| hardware.keyboard.uhk.enable | Whether to enable non-root access to the firmware of UHK keyboards
|
| programs.idescriptor.users | Users to be added to the idevice group.
|
| programs.soundmodem.enable | Whether to add Soundmodem to the global environment and configure a
wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.
|
| services.netbird.tunnels.<name>.name | Primary name for use (as a suffix) in:
- systemd service name,
- hardened user name and group,
- systemd
*Directory= names,
- desktop application identification,
|
| services.netbird.clients.<name>.name | Primary name for use (as a suffix) in:
- systemd service name,
- hardened user name and group,
- systemd
*Directory= names,
- desktop application identification,
|
| services.sourcehut.settings."hg.sr.ht".changegroup-script | A changegroup script which is installed in every mercurial repo
|
| services.beszel.agent.smartmon.enable | Include services.beszel.agent.smartmon.package in the Beszel agent path for disk monitoring and add the agent to the disk group.
|
| programs.benchexec.users | Users that intend to use BenchExec
|
| services.dependency-track.settings."alpine.oidc.team.synchronization" | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| hardware.libjaylink.enable | Whether to enable udev rules for devices supported by libjaylink
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert_policy | List of certificate policy OIDs the peer's certificate
must have
|
| services.borgbackup.jobs.<name>.user | The user borg is run as
|
| services.hologram-server.enableLdapRoles | Whether to assign user roles based on the user's LDAP group memberships
|
| services.aria2.serviceUMask | The file mode creation mask for Aria2 service
|
| services.opensearch.dataDir | Data directory for OpenSearch
|
| services.smartdns.settings | A set that will be generated into configuration file, see the SmartDNS README for details of configuration parameters
|
| services.rke2.cisHardening | Enable CIS Hardening for RKE2
|
| services.prometheus.remoteRead.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled
allowing all users in the "pipewire" group to use it simultaneously
|
| services.borgbackup.repos.<name>.user | The user borg serve is run as
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.displayManager.lemurs.enable | Whether to enable lemurs, a customizable TUI display/login manager.
For Wayland compositors, your user must be in the "seat" group.
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to
the peer
|
| services.prometheus.remoteWrite.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowAll | If true, allow all clients, do not check client cert subject.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base | Defines the base URI for the Hash and URL feature supported by
IKEv2
|
| services.firezone.gui-client.allowedUsers | All listed users will become part of the firezone-client group so
they can control the tunnel service
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
|
| services.prometheus.scrapeConfigs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.nebula-lighthouse-service.user | The user and group to run nebula-lighthouse-service as.
|
| services.authelia.instances.<name>.name | Name is used as a suffix for the service name, user, and group
|
| services.glusterfs.killMode | The systemd KillMode to use for glusterd.
glusterd spawns other daemons like gsyncd
|
| services.nominatim.database.superUser | Postgresql database superuser used to create Nominatim database and
import data
|
| services.multipath.devices.*.failback | Tell multipathd how to manage path group failback
|
| programs.firefox.policies | Group policies to install
|
| services.dnsdist.dnscrypt.providerKey | The filepath to the provider secret key
|
| services.matrix-synapse.settings.tls_certificate_path | PEM encoded X509 certificate for TLS
|
| services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on
|
| services.roundcube.database.username | Username for the postgresql connection
|
| programs.thunderbird.policies | Group policies to install
|
| services.lifecycled.cloudwatchGroup | Write logs to a specific Cloudwatch Logs group.
|
| services.openssh.authorizedKeysCommand | Specifies a program to be used to look up the user's public
keys
|
| services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system
|
| services.varnish.listen.*.address | If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad
("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").
(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@"
followed by the name of an abstract socket ("@myvarnishd") accept connections
on a Unix domain socket
|
| services.multipath.devices.*.rr_min_io | Number of I/O requests to route to a path before switching to the next in the
same path group
|
| services.aria2.downloadDirPermission | The permission for settings.dir
|
| services.transmission.enable | Whether to enable the headless Transmission BitTorrent daemon
|
| services.journald.upload.settings.Upload.ServerKeyFile | SSL key in PEM format
|
| virtualisation.docker.enable | This option enables docker, a daemon that manages
linux containers
|
| virtualisation.lxd.enable | This option enables lxd, a daemon that manages
containers
|
| services.anuko-time-tracker.settings.defaultLanguage | Defines Anuko Time Tracker default language
|