| services.opengfw.rules | Rules passed to OpenGFW. Example rules
|
| security.audit.rules | The ordered audit rules, with each string appearing as one line of the audit.rules file.
|
| services.opensnitch.rules | Declarative configuration of firewall rules
|
| boot.initrd.services.udev.rules | udev rules to include in the initrd only
|
| systemd.tmpfiles.rules | Rules for creation, deletion and cleaning of volatile and temporary files automatically
|
| services.vmalert.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute
|
| programs.rush.rules | The rule statement configures a GNU Rush rule
|
| systemd.user.tmpfiles.rules | Global user rules for creation, deletion and cleaning of volatile and temporary files automatically
|
| services.opengfw.rulesFile | Path to file containing OpenGFW rules.
|
| services.opengfw.rules.*.log | Whether to enable logging for the rule.
|
| services.opengfw.rules.*.name | Name of the rule.
|
| services.prometheus.rules | Alerting and/or Recording rules to evaluate at runtime.
|
| services.opengfw.rules.*.expr | Expr Language expression using analyzers and functions.
|
| services.firewalld.zones.<name>.rules | Rich rules for the zone.
|
| systemd.user.tmpfiles.users.<name>.rules | Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically
|
| services.usbguard.rules | The USBGuard daemon will load this as the policy rule set
|
| services.xserver.imwheel.rules | Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users
|
| services.opengfw.rules.*.action | Action of the rule. Supported actions
|
| services.ananicy.rulesProvider | Which package to copy default rules,types,cgroups from.
|
| services.ndppd.proxies.<name>.rules | This is a rule that the target address is to match against
|
| services.ndppd.proxies.<name>.rules.<name>.network | This is the target address to match against
|
| services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute
|
| services.opengfw.rules.*.modifier | Modification of specified packets when using the modify action. Available modifiers
|
| services.opengfw.rules.*.modifier.name | Name of the modifier.
|
| services.opengfw.rules.*.modifier.args | Arguments passed to the modifier.
|
| services.networkd-dispatcher.rules | Declarative configuration of networkd-dispatcher rules
|
| services.grafana.provision.alerting.rules.path | Path to YAML rules configuration
|
| services.ndppd.proxies.<name>.rules.<name>.interface | Interface to use when method is iface.
|
| services.ndppd.proxies.<name>.rules.<name>.method | static: Immediately answer any Neighbor Solicitation Messages (if they match the IP rule).
iface: Forward the Neighbor Solicitation Message through the specified interface and only respond if a matching Neighbor Advertisement Message is received.
auto: Same as iface, but instead of manually specifying the outgoing interface, check for a matching route in /proc/net/ipv6_route.
|
| services.grafana.provision.alerting.rules.settings | Grafana rules configuration in Nix
|
| services.networkd-dispatcher.rules.<name>.script | Shell commands executed on specified operational states.
|
| services.opengfw.settings.ruleset | The path to load specific local geoip/geosite db files
|
| services.networkd-dispatcher.rules.<name>.onState | List of names of the systemd-networkd operational states which should trigger the script
|
| networking.nftables.rulesetFile | The ruleset file to be used with nftables
|
| services.grafana.provision.alerting.rules.settings.groups | List of rule groups to import or update.
|
| services.grafana.provision.alerting.rules.settings.groups.*.name | Name of the rule group
|
| services.grafana.provision.alerting.rules.settings.apiVersion | Config file version.
|
| services.grafana.provision.alerting.rules.settings.deleteRules | List of alert rule UIDs that should be deleted.
|
| services.grafana.provision.alerting.rules.settings.deleteRules.*.uid | Unique identifier for the rule
|
| services.grafana.provision.alerting.rules.settings.deleteRules.*.orgId | Organization ID, default = 1
|
| services.grafana.provision.alerting.rules.settings.groups.*.folder | Name of the folder the rule group will be stored in
|
| services.anubis.defaultOptions.policy.extraBots | Additional bot rules appended to the policy
|
| services.anubis.instances.<name>.policy.extraBots | Additional bot rules appended to the policy
|
| services.grafana.provision.alerting.rules.settings.groups.*.interval | Interval that the rule group should be evaluated at
|
| services.firewalld.settings.LogDenied | Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type.
|
| services.udev.extraRules | Additional udev rules
|
| services.opengfw.settings.ruleset.geoip | Path to geoip.dat.
|
| networking.nftables.ruleset | The ruleset to be used with nftables
|
| services.opengfw.settings.ruleset.geosite | Path to geosite.dat.
|
| programs.pay-respects.runtimeRules | List of rules to be added to /etc/xdg/pay-respects/rules.
pay-respects will read the contents of these generated rules to recommend command corrections
|
| security.sudo.extraRules | Define specific rules to be in the sudoers file
|
| security.sudo-rs.extraRules | Define specific rules to be in the sudoers file
|
| services.mediatomb.openFirewall | If false (the default), it is up to the user to declare the firewall rules
|
| security.doas.extraRules | Define specific rules to be set in the /etc/doas.conf file
|
| services.vmalert.instances.<name>.settings.rule | Path to the files with alerting and/or recording rules.
|
| services.vmalert.settings.rule | Path to the files with alerting and/or recording rules.
Consider using the services.vmalert.rules option as a convenient alternative for declaring rules directly in the nix language.
|
| services.thanos.query.query.replica-labels | Labels to treat as a replica indicator along which data is deduplicated
|
| systemd.tmpfiles.packages | List of packages containing systemd-tmpfiles rules
|
| hardware.uni-sync.enable | Whether to enable udev rules and software for Lian Li Uni Controllers.
|
| services.udev.path | Packages added to the PATH environment variable when executing programs from Udev rules.
coreutils, gnu{sed,grep}, util-linux and config.systemd.package are automatically included.
|
| hardware.ledger.enable | Whether to enable udev rules for Ledger devices.
|
| power.ups.schedulerRules | File which contains the rules to handle UPS events.
|
| services.crowdsec.hub | Hub collections, parsers, AppSec rules, etc.
|
| services.lvm.enable | Whether to enable lvm2.
The lvm2 package contains device-mapper udev rules and without those tools like cryptsetup do not fully function!
|
| services.cloudflared.tunnels.<name>.ingress | Ingress rules
|
| programs.light.enable | Whether to install Light backlight control command and udev rules granting access to members of the "video" group.
|
| hardware.nfc-nci.enable | Whether to enable PN5xx kernel module with udev rules, libnfc-nci userland, and optional ifdnfc-nci PC/SC driver.
|
| services.picom.wintypes | Rules for specific window types.
|
| services.ndppd.network | Network that we proxy.
(Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)
|
| hardware.libftdi.enable | Whether to enable udev rules for devices supported by libftdi.
|
| services.ferm.enable | Whether to enable Ferm Firewall.
Warning: Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.
|
| services.ndppd.proxies | This sets up a listener that will listen for any Neighbor Solicitation messages, and respond to them according to a set of rules.
|
| services.miredo.bindPort | Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and/or IPv4 address.
|
| services.udev.packages | List of packages containing udev rules
|
| services.postgresql.authentication | Defines how users authenticate themselves to the server
|
| hardware.bladeRF.enable | Enables udev rules for BladeRF devices
|
| hardware.saleae-logic.enable | Whether to enable udev rules for Saleae Logic devices.
|
| services.ananicy.extraRules | Rules to write in 'nixRules.rules'
|
| hardware.cpu.x86.msr.enable | Whether to enable the msr (Model-Specific Registers) kernel module and configure udev rules for its devices (usually /dev/cpu/*/msr).
|
| security.polkit.extraConfig | Any polkit rules to be added to config (in JavaScript ;-)
|
| services.picom.opacityRules | Rules that control the opacity of windows, in format PERCENT:PATTERN.
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| hardware.nitrokey.enable | Enables udev rules for Nitrokey devices.
|
| services.rspamd.localLuaRules | Path of file to link to /etc/rspamd/rspamd.local.lua for local rules written in Lua
|
| services.logcheck.ignore | This option defines extra ignore rules.
|
| services.anubis.defaultOptions.policy.useDefaultBotRules | Whether to include Anubis's default bot detection rules via the (data)/meta/default-config.yaml import
|
| services.anubis.instances.<name>.policy.useDefaultBotRules | Whether to include Anubis's default bot detection rules via the (data)/meta/default-config.yaml import
|
| programs.regreet.extraCss | Extra CSS rules to apply on top of the GTK theme
|
| systemd.user.tmpfiles.users | Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically.
|
| hardware.ubertooth.group | Group for Ubertooth's udev rules.
|
| hardware.glasgow.enable | Enables Glasgow udev rules and ensures 'plugdev' group exists
|
| programs.minipro.enable | Whether to enable minipro and its udev rules
|
| services.vmalert.enable | Whether to enable VictoriaMetrics's vmalert.
vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.
|
| services.crowdsec.hub.appSecRules | List of hub appsec rules to install
|
| nix.firewall.allowLoopback | Whether to allow traffic on the loopback interface
|
| services.logcheck.ignoreCron | This option defines extra ignore rules for cronjobs.
|
| services.logcheck.extraRulesDirs | Directories with extra rules.
|
| nix.firewall.extraNftablesRules | Extra nftables rules to prepend to the generated ones
|
| services.opengfw.pcapReplay | Path to PCAP replay file
|
| hardware.rtl-sdr.enable | Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules
|