| Option | Description |
| --- | --- |
| services.prometheus.exporters.wireguard.singleSubnetPerField | By default, all allowed IPs and subnets are comma-separated in the allowed_ips field |
| networking.tempAddresses | Whether to enable IPv6 Privacy Extensions for interfaces not configured explicitly in networking.interfaces.<name>.tempAddress |
| services.github-runners.<name>.ephemeral | If enabled: passes the --ephemeral flag to the runner configuration script; de-registers and stops the runner with GitHub after it has processed one job; on stop, systemd wipes the runtime directory (this always happens, even without the ephemeral option); restarts the service after its successful exit; on start, wipes the state directory and configures a new runner. Enable this option only if tokenFile points to a file which contains a personal access token (PAT) |
| environment.memoryAllocator.provider | The system-wide memory allocator |
| services.wyoming.faster-whisper.servers.<name>.model | Name of the voice model to use |
| hardware.nvidia.modesetting.enable | Whether to enable kernel modesetting when using the NVIDIA proprietary driver |
| virtualisation.podman.autoPrune.enable | Whether to periodically prune Podman resources |
| virtualisation.docker.autoPrune.enable | Whether to periodically prune Docker resources |
| programs.starship.transientPrompt.enable | Whether to enable Starship's transient prompt feature in fish shells |
| services.prometheus.exporters.chrony.disabledCollectors | Collectors to disable which are enabled by default |
| virtualisation.docker.enableOnBoot | When enabled, dockerd is started on boot |
| virtualisation.oci-containers.containers.<name>.workdir | Override the default working directory for the container |
| virtualisation.graphics | Whether to run QEMU with a graphics window, or in nographic mode |
| hardware.wirelessRegulatoryDatabase | Whether to enable loading the wireless regulatory database at boot |
| virtualisation.nixStore9pCache | Type of 9p cache to use when mounting the host nix store. "none" provides no caching, "loose" enables Linux's local VFS cache, and "fscache" uses Linux's fscache subsystem |
| networking.wireless.athUserRegulatoryDomain | If enabled, sets the ATH_USER_REGD kernel config switch to true to disable the enforcement of EEPROM regulatory restrictions for ath drivers |
| system.copySystemConfiguration | If enabled, copies the NixOS configuration file (usually /etc/nixos/configuration.nix) and symlinks it from the resulting system (reachable as /run/current-system/configuration.nix) |
| fileSystems.<name>.overlay.useStage1BaseDirectories | If enabled, lowerdir, upperdir and workdir will be prefixed with /sysroot |
| services.prometheus.alertmanagerGotify.dispatchErrors | When enabled, alerts affected by faulty templating or missing fields are still dispatched, carrying an error message describing the problem, to help debugging |
| services.prometheus.alertmanagerGotify.extendedDetails | When enabled, alerts are presented in HTML format and include colorized status (FIR\|RES), alert start time, and a link to the generator of the alert |
| documentation.man.mandoc.cachePath | Change the paths where mandoc makewhatis(8) generates the manual page index caches. documentation.man.generateCaches should be enabled to allow cache generation |
| services.bitwarden-directory-connector-cli.secrets.bitwarden.client_path_secret | Path to a file that contains the Client Secret |
| swapDevices.*.randomEncryption.enable | Encrypt swap device with a random key |
| virtualisation.forwardPorts | When using SLiRP user networking (the default), this option allows forwarding ports between host and guest. If the NixOS firewall on the virtual machine is enabled, you also have to open the guest ports to enable traffic between host and guest. Currently QEMU supports only IPv4 forwarding |
| services.n8n.environment.N8N_VERSION_NOTIFICATIONS_ENABLED | When enabled, n8n sends notifications of new versions and security updates |
| services.postfix.settings.main.smtp_tls_security_level | The client TLS security level. Use dane with a local DNSSEC-validating DNS resolver enabled. https://www.postfix.org/postconf.5.html#smtp_tls_security_level |
| services.borgmatic.configurations.<name>.source_directories | List of source directories and files to back up |
| virtualisation.restrictNetwork | If this option is enabled, the guest is isolated: it cannot contact the host, and no guest IP packets are routed over the host to the outside |
| networking.networkmanager.enable | Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ipcomp | Enable IPComp compression before encryption |
| system.includeBuildDependencies | Whether to include the build closure of the whole system in its runtime closure |
| services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.http_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.strongswan-swanctl.swanctl.connections.<name>.mediated_by | The name of the connection to mediate this connection through |
| services.strongswan-swanctl.swanctl.connections.<name>.if_id_in | XFRM interface ID set on inbound policies/SA; can be overridden by the child config, see there for details |
| boot.loader.generic-extlinux-compatible.useGenerationDeviceTree | Whether to generate Device Tree-related directives in the extlinux configuration |
| security.apparmor.killUnconfinedConfinables | Whether to enable killing of processes which have an AppArmor profile enabled (in security.apparmor.policies) but are not confined (because AppArmor can only confine new processes) |
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.strongswan-swanctl.swanctl.connections.<name>.if_id_out | XFRM interface ID set on outbound policies/SA; can be overridden by the child config, see there for details |
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.pk | If this attribute is given, SAE-PK will be enabled for this connection |
| virtualisation.libvirtd.shutdownTimeout | Number of seconds to wait for a guest to shut down |
| networking.usePredictableInterfaceNames | Whether to assign predictable names to network interfaces |
| containers.<name>.ephemeral | Runs the container in ephemeral mode with an empty root filesystem at boot |
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| swapDevices.*.randomEncryption | Encrypt swap device with a random key |
| services.grafana.settings.analytics.check_for_plugin_updates | When set to false, disables checking for new versions of installed plugins from https://grafana.com |
| virtualisation.useDefaultFilesystems | If enabled, the boot disk of the virtual machine will be formatted and mounted with the default filesystems for testing |
| services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to the peer |
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_in | XFRM interface ID set on inbound policies/SA |
| services.grafana.settings.security.strict_transport_security | Set to true to enable the HTTP Strict-Transport-Security (HSTS) response header |
| virtualisation.oci-containers.containers.<name>.autoStart | When enabled, the container is automatically started on boot |
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_out | XFRM interface ID set on outbound policies/SA |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_out | Netfilter mark and mask for output traffic |
| services.matrix-continuwuity.settings.global.allow_announcements_check | If enabled, continuwuity periodically sends a simple GET request to https://continuwuity.org/.well-known/continuwuity/announcements to check for any new announcements |
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth | Authentication to expect from the remote |
| virtualisation.fileSystems.<name>.overlay.useStage1BaseDirectories | If enabled, lowerdir, upperdir and workdir will be prefixed with /sysroot |
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in | Netfilter mark applied to packets after the inbound IPsec SA has processed them |
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds | Re-execute the wg utility every this many seconds so that WireGuard notices DNS / hostname changes |
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out | Netfilter mark applied to packets after the outbound IPsec SA has processed them |
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth | Authentication to perform locally. The default, pubkey, uses public key authentication with a private key associated with a usable certificate; psk uses pre-shared key authentication. The IKEv1-specific xauth is used for XAuth or Hybrid authentication, while the IKEv2-specific eap keyword defines EAP authentication. For xauth, a specific backend name may be appended, separated by a dash |
| services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers | Additionally enable the recommended set of pairwise ciphers |
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.follow_redirects | Configure whether HTTP requests follow HTTP 3xx redirects |
| networking.networkmanager.ensureProfiles.profiles | Declaratively define NetworkManager profiles |
| services.grafana.settings.security.strict_transport_security_preload | Set to true to enable the HSTS preload option |
| services.grafana.settings.security.strict_transport_security_subdomains | Set to true to enable the HSTS includeSubDomains option |
| services.grafana.settings.security.strict_transport_security_max_age_seconds | Sets how long a browser should cache HSTS, in seconds |