| Option | Description |
|---|---|
| services.fcron.allow | Users allowed to use fcrontab and fcrondyn (one name per line, "all" for everyone). |
| services.incron.allow | Users allowed to use incrontab. |
| nix.firewall.allowNonTCPUDP | Whether to allow traffic that is neither TCP nor UDP. |
| services.murmur.allowHtml | Allow HTML in client messages, comments, and channel descriptions. |
| services.ncps.cache.allowPutVerb | Whether to allow the PUT verb to push narinfo and nar files directly to the cache. |
| services.artalk.allowModify | Allow Artalk to store the settings to the config file persistently. |
| services.printing.allowFrom | From which hosts to allow unconditional access. |
| services.physlock.allowAnyUser | Whether to allow any user to lock the screen. |
| nix.firewall.allowLoopback | Whether to allow traffic on the loopback interface. |
| fonts.fontconfig.allowType1 | Allow Type-1 fonts. |
| services.hledger-web.allow | User's access level for changing data: view (view only permission); add (view and add permissions); edit (view, add, and edit permissions); sandstorm (permissions from the X-Sandstorm-Permissions request header). |
| services.ncps.cache.allowDeleteVerb | Whether to allow the DELETE verb to delete narinfo and nar files from the cache. |
| boot.zfs.allowHibernation | Allow hibernation support; this may be an unsafe option depending on your setup. |
| fonts.fontconfig.allowBitmaps | Allow bitmap fonts. |
| networking.dhcpcd.allowSetuid | Whether to relax the security sandbox to allow running setuid binaries (e.g. sudo) in the dhcpcd hooks. |
| hardware.cpu.x86.msr.settings.allow-writes | Whether to allow writes to MSRs ("on") or not ("off"). |
| services.nsd.zones.<name>.allowAXFRFallback | Whether NSD, as a secondary server, should be allowed to fall back to AXFR if the primary server does not allow IXFR. |
| users.allowNoPasswordLogin | Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key. |
| services.openssh.allowSFTP | Whether to enable the SFTP subsystem in the SSH daemon. |
| services.gollum.allowUploads | Enable uploads of external files. |
| services.ncps.cache.lock.allowDegradedMode | Allow falling back to local locks if Redis is unavailable (WARNING: breaks HA guarantees). |
| hardware.nvidia.prime.allowExternalGpu | Whether to enable configuring X to allow external NVIDIA GPUs when using Prime [Reverse] sync optimus. |
| services.deconz.allowSetSystemTime | Whether to enable setting the system time. |
| services.bind.zones.<name>.allowQuery | List of address ranges allowed to query this zone. |
| nix.firewall.allowPrivateNetworks | Whether to allow traffic to local networks. |
| services.vsftpd.allowWriteableChroot | Allow the use of a writeable root inside chroot(). |
| services.easytier.allowSystemForward | Whether to allow the system to forward packets from easytier. |
| system.autoUpgrade.allowReboot | Reboot the system into the new generation instead of a switch if the new generation uses a different kernel, kernel modules or initrd than the booted system. |
| boot.initrd.luks.devices.<name>.allowDiscards | Whether to allow TRIM requests to the underlying device. |
| services.languagetool.allowOrigin | Set the Access-Control-Allow-Origin header in the HTTP response, used for direct (non-proxy) JavaScript-based access from browsers; "*" allows access from all sites. |
| services.avahi.allowPointToPoint | Whether to use POINTTOPOINT interfaces. |
| services.atd.allowEveryone | Whether to make /var/spool/at{jobs,spool} writeable by everyone (and sticky). |
| services.stargazer.allowCgiUser | When enabled, the stargazer process will be given CAP_SETGID and CAP_SETUID so that it can run CGI processes as a different user. |
| services.deconz.allowRebootSystem | Whether to enable rebooting the system. |
| services.mirakurun.allowSmartCardAccess | Install polkit rules to allow Mirakurun to access smart card readers, which are commonly used along with tuner devices. |
| services.boinc.allowRemoteGuiRpc | If set to true, any remote host can connect to and control this BOINC client (subject to password authentication). |
| services.pdns-recursor.api.allowFrom | IP address ranges of clients allowed to make API requests. |
| services.pdns-recursor.dns.allowFrom | IP address ranges of clients allowed to make DNS queries. |
| nix.firewall.allowedTCPPorts | TCP ports to which traffic is allowed. |
| nix.firewall.allowedUDPPorts | UDP ports to which traffic is allowed. |
| services.ghostunnel.servers.<name>.allowCN | Allow client if common name appears in the list. |
| boot.initrd.unl0kr.allowVendorDrivers | Whether to load additional drivers for certain vendors (I |
| services.ghostunnel.servers.<name>.allowOU | Allow client if organizational unit name appears in the list. |
| services.ghostunnel.servers.<name>.allowAll | If true, allow all clients, do not check client cert subject. |
| services.ghostunnel.servers.<name>.allowURI | Allow client if URI subject alternative name appears in the list. |
| services.ghostunnel.servers.<name>.allowDNS | Allow client if DNS subject alternative name appears in the list. |
| services.bird-lg.proxy.allowedIPs | List of IPs or networks to allow (default: all allowed). |
| services.gotenberg.downloadFrom.allowList | Allow these URLs to be used in the downloadFrom API field. |
| services.inadyn.settings.allow-ipv6 | Whether to get IPv6 addresses from interfaces. |
| services.namecoind.rpc.allowFrom | List of IP address ranges allowed to use the RPC API. |
| services.nbd.server.exports.<name>.allowAddresses | IPs and subnets that are authorized to connect for this device. |
| services.mediamtx.allowVideoAccess | Whether to enable access to video devices like cameras on the system. |
| services.moonraker.allowSystemControl | Whether to allow Moonraker to perform system-level operations. |
| services.deconz.allowRestartService | Whether to enable killing/restarting processes. |
| services.prosody.allowRegistration | Allow account creation. |
| security.allowUserNamespaces | Whether to allow creation of user namespaces. |
| swapDevices.*.randomEncryption.allowDiscards | Whether to allow TRIM requests to the underlying device. |
| boot.initrd.allowMissingModules | Whether the initrd can be built even though modules listed in boot.initrd.kernelModules or boot.initrd.availableKernelModules are missing from the kernel. |
| nix.settings.allowed-users | A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. |
| security.pam.services.<name>.allowNullPassword | Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). |
| services.tor.torsocks.allowInbound | Set Torsocks to accept inbound connections. |
| services.sabnzbd.allowConfigWrite | By default we create the sabnzbd configuration read-only, which keeps the NixOS configuration as the single source of truth. |
| services.borgbackup.repos.<name>.allowSubRepos | Allow clients to create repositories in subdirectories of the specified path. |
| networking.firewall.allowPing | Whether to respond to incoming ICMPv4 echo requests ("pings"). |
| services.pgmanage.allowCustomConnections | Whether to allow anyone to use a custom connection from the pgmanage login screen. |
| services.avahi.allowInterfaces | List of network interfaces that should be used by the avahi-daemon. |
| services.taskchampion-sync-server.allowClientIds | Client IDs to allow (can be repeated; if not specified, all clients are allowed). |
| services.hedgedoc.settings.allowOrigin | List of domains to whitelist. |
| services.nsd.zones.<name>.allowNotify | Listed primary servers are allowed to notify this secondary server. |
| services.cassandra.allowClients | Enables or disables the native transport server (CQL binary protocol). |
| services.upower.allowRiskyCriticalPowerAction | Enable the risky critical power actions "Suspend" and "Ignore". |
| security.duosec.allowTcpForwarding | By default, enabling Duo Security for SSH will disable TCP forwarding. |
| services.adguardhome.allowDHCP | Allows AdGuard Home to open raw sockets (CAP_NET_RAW), which is required for the integrated DHCP server. |
| services.logrotate.allowNetworking | Whether to enable network access for logrotate. |
| services.kubernetes.apiserver.allowPrivileged | Whether to allow privileged containers on Kubernetes. |
| services.sourcehut.settings."builds.sr.ht".allow-free | Whether to allow nonpaying users to submit builds. |
| services.sourcehut.settings."lists.sr.ht".allow-new-lists | Whether to enable creation of new lists. |
| networking.dhcpcd.allowInterfaces | Enable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. |
| services.esphome.allowedDevices | A list of device nodes to which esphome has access. |
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowCN | Allow client if common name appears in the list. |
| services.hedgedoc.settings.allowGravatar | Whether to enable Libravatar as profile picture source on your instance. |
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowOU | Allow client if organizational unit name appears in the list. |
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowAll | If true, allow all clients, do not check client cert subject. |
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all. |
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowDNS | Allow client if DNS subject alternative name appears in the list. |
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowURI | Allow client if URI subject alternative name appears in the list. |
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails | List of emails to allow access to this vhost, or null to allow all. |
| services.kmonad.keyboards.<name>.defcfg.allowCommands | Whether to allow keys to run shell commands. |
| security.pam.services.<name>.googleAuthenticator.allowNullOTP | Whether to allow login for accounts that have no OTP set (i.e., accounts with no OTP configured or no existing ~/.google_authenticator). |
| networking.wireless.allowAuxiliaryImperativeNetworks | Whether to allow configuring networks "imperatively" (e.g. via wpa_supplicant_gui) and declaratively via networking.wireless.networks. |
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_email_domains | List of email domains to allow access to this vhost, or null to allow all. |
| services.pulseaudio.tcp.anonymousClients.allowAll | Whether to allow all anonymous clients to stream to the server. |
| services.neo4j.ssl.policies.<name>.allowKeyGeneration | Allows the generation of a private key and associated self-signed certificate. |
| services.pdfding.allowedHosts | Domains where PdfDing is allowed to run. |
| services.chhoto-url.settings.allow_capital_letters | Whether to allow capital letters in slugs. |
| services.polipo.allowedClients | List of IP addresses or network addresses that may connect to Polipo. |
| services.nylon.<name>.allowedIPRanges | Allowed client IP ranges are evaluated first; defaults to ARIN IPv4 private ranges: [ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ]. |
| services.matrix-conduit.settings.global.allow_check_for_updates | Whether to allow Conduit to automatically contact https://conduit.rs hourly to check for important Conduit news. |
| services.etebase-server.settings.allowed_hosts.allowed_host1 | The main host that is allowed access. |
| security.allowSimultaneousMultithreading | Whether to allow SMT/hyperthreading. |