| services.anubis.instances.<name>.policy | Anubis policy configuration
|
| services.anubis.instances.<name>.policy.extraBots | Additional bot rules appended to the policy
|
| services.anubis.instances.<name>.policy.settings | Additional policy settings merged into the policy file
|
| services.anubis.instances.<name>.settings.POLICY_FNAME | The policy file to use
|
| services.anubis.instances.<name>.policy.useDefaultBotRules | Whether to include Anubis's default bot detection rules via the
(data)/meta/default-config.yaml import
|
| services.anubis.defaultOptions.settings.POLICY_FNAME | The policy file to use
|
| services.anubis.instances | An attribute set of Anubis instances
|
| services.h2o.hosts.<name>.tls.policy | add will additionally listen for TLS connections. only will
disable TLS connections. force will redirect non-TLS traffic
to the TLS connection.
|
| services.anubis.instances.<name>.botPolicy | Anubis policy configuration in Nix syntax
|
| networking.interfaces.<name>.wakeOnLan.policy | The Wake-on-LAN policy
to set for the device
|
| services.neo4j.ssl.policies | Defines the SSL policies for use with Neo4j connectors
|
| services.anubis.defaultOptions.policy | Anubis policy configuration
|
| services.nsd.zones.<name>.dnssecPolicy.zsk | Key policy for zone signing keys
|
| services.nsd.zones.<name>.dnssecPolicy.ksk | Key policy for key signing keys
|
| services.anubis.defaultOptions.policy.extraBots | Additional bot rules appended to the policy
|
| services.anubis.defaultOptions.policy.settings | Additional policy settings merged into the policy file
|
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| services.neo4j.ssl.policies.<name>.clientAuth | The client authentication stance for this policy.
|
| services.neo4j.ssl.policies.<name>.privateKey | The name of private PKCS #8 key file for this policy to be found
in the baseDirectory, or the absolute path to
the key file
|
| services.neo4j.ssl.policies.<name>.ciphers | Restrict the allowed ciphers of this policy to those defined
here
|
| services.neo4j.ssl.policies.<name>.trustAll | Makes this policy trust all remote parties
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert_policy | List of certificate policy OIDs the peer's certificate
must have
|
| services.strongswan-swanctl.swanctl.connections.<name>.unique | Connection uniqueness policy to enforce
|
| services.neo4j.ssl.policies.<name>.tlsVersions | Restrict the TLS protocol versions of this policy to those
defined here.
|
| security.apparmor.policies.<name>.state | How strictly this policy should be enforced
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.revocation | Certificate revocation policy for CRL or OCSP revocation.
- A
strict revocation policy fails if no revocation information is
available, i.e. the certificate is not known to be unrevoked.
ifuri fails only if a CRL/OCSP URI is available, but certificate
revocation checking fails, i.e. there should be revocation information
available, but it could not be obtained.- The default revocation policy
relaxed fails only if a certificate is
revoked, i.e. it is explicitly known that it is bad
|
| networking.bonds.<name>.xmit_hash_policy | DEPRECATED, use driverOptions
|
| services.prefect.workerPools.<name>.installPolicy | install policy for the worker (always, if-not-present, never, prompt)
|
| services.gitlab-runner.services.<name>.dockerPullPolicy | Default pull-policy for Docker images
|
| services.anubis.defaultOptions.policy.useDefaultBotRules | Whether to include Anubis's default bot detection rules via the
(data)/meta/default-config.yaml import
|
| services.movim.h2o.tls.policy | add will additionally listen for TLS connections. only will
disable TLS connections. force will redirect non-TLS traffic
to the TLS connection.
|
| users.ldap.bind.policy | Specifies the policy to use for reconnecting to an unavailable
LDAP server
|
| services.angrr.settings.profile-policies.<name>.enable | Whether to enable this angrr policy.
|
| systemd.network.networks.<name>.routingPolicyRules | A list of routing policy rules sections to be added to the unit
|
| services.libreswan.policies | A set of policies to apply to the IPsec connections.
The policy name must match the one of connection it needs to apply to.
|
| services.firezone.server.provision.accounts.<name>.policies | All policies to provision
|
| services.angrr.settings.temporary-root-policies.<name>.enable | Whether to enable this angrr policy.
|
| services.neo4j.ssl.policies.<name>.publicCertificate | The name of public X.509 certificate (chain) file in PEM format
for this policy to be found in the baseDirectory,
or the absolute path to the certificate file
|
| services.angrr.settings.temporary-root-policies.<name>.period | Retention period for the GC roots matched by this policy.
|
| services.anubis.instances.<name>.user | The user under which Anubis is run
|
| services.angrr.settings.temporary-root-policies.<name>.filter | External filter program to further filter GC roots matched by this policy.
|
| services.dolibarr.h2o.tls.policy | add will additionally listen for TLS connections. only will
disable TLS connections. force will redirect non-TLS traffic
to the TLS connection.
|
| services.anubis.instances.<name>.group | The group under which Anubis is run
|
| networking.wg-quick.interfaces.<name>.table | The kernel routing table to add this interface's
associated routes to
|
| services.neo4j.ssl.policies.<name>.allowKeyGeneration | Allows the generation of a private key and associated self-signed
certificate
|
| services.anubis.instances.<name>.enable | Whether to enable this instance of Anubis.
|
| services.anubis.instances.<name>.extraFlags | A list of extra flags to be passed to Anubis.
|
| services.firezone.server.provision.accounts.<name>.policies.<name>.description | The description of this policy
|
| services.angrr.settings.temporary-root-policies.<name>.priority | Priority of this policy
|
| services.anubis.instances.<name>.settings.BIND | The address that Anubis listens to
|
| networking.wireguard.interfaces.<name>.fwMark | Mark all wireguard packets originating from
this interface with the given firewall mark
|
| networking.wireguard.interfaces.<name>.table | The kernel routing table to add this interface's
associated routes to
|
| services.anubis.instances.<name>.settings | Freeform configuration via environment variables for Anubis
|
| services.neo4j.bolt.sslPolicy | Neo4j SSL policy for BOLT traffic
|
| networking.wireless.networks.<name>.priority | By default, all networks will get same priority group (0)
|
| services.headscale.settings.policy.mode | The mode can be "file" or "database" that defines
where the ACL policies are stored and read from.
|
| services.headscale.settings.policy.path | If the mode is set to "file", the path to a
HuJSON file containing ACL policies.
|
| nix.daemonCPUSchedPolicy | Nix daemon process CPU scheduling policy
|
| services.anubis.instances.<name>.settings.TARGET | The reverse proxy target that Anubis is protecting
|
| services.neo4j.https.sslPolicy | Neo4j SSL policy for HTTPS traffic
|
| services.anubis.instances.<name>.settings.METRICS_BIND | The address Anubis' metrics server listens to
|
| services.anubis.instances.<name>.settings.SERVE_ROBOTS_TXT | Whether to serve a default robots.txt that denies access to common AI bots by name and all other
bots by wildcard.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.dpd_action | Action to perform for this CHILD_SA on DPD timeout
|
| services.firezone.server.provision.accounts.<name>.features.policy_conditions | Whether to enable the policy_conditions feature for this account.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_out | Netfilter mark and mask for output traffic
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in | Netfilter mark and mask for input traffic
|
| virtualisation.oci-containers.containers.<name>.pull | Image pull policy for the container
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa | Whether to set mark_in on the inbound SA
|
| services.suricata.settings.app-layer.error-policy | The error-policy setting applies to all app-layer parsers
|
| services.anubis.instances.<name>.settings.BIND_NETWORK | The network family that Anubis should bind to
|
| virtualisation.containers.policy | Signature verification policy file
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.close_action | Action to perform after a CHILD_SA gets closed by the peer.
- The default of
none does not take any action,
trap installs a trap policy for the CHILD_SA.start tries to re-create the CHILD_SA.
close_action does not provide any guarantee that the
CHILD_SA is kept alive
|
| services.anubis.defaultOptions.botPolicy | Anubis policy configuration in Nix syntax
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in | Netfilter mark applied to packets after the inbound IPsec SA processed
them
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out | Netfilter mark applied to packets after the outbound IPsec SA processed
them
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action | Action to perform after loading the configuration.
- The default of
none loads the connection only, which
then can be manually initiated or used as a responder configuration.
- The value
trap installs a trap policy, which triggers
the tunnel as soon as matching traffic has been detected.
- The value
start initiates the connection actively.
- Since version 5.9.6 two modes above can be combined with
trap|start,
to immediately initiate a connection for which trap policies have been installed
|
| services.anubis.instances.<name>.settings.DIFFICULTY | The difficulty required for clients to solve the challenge
|
| services.anubis.instances.<name>.settings.WEBMASTER_EMAIL | If set, shows a contact email address when rendering error pages
|
| services.anubis.instances.<name>.settings.METRICS_BIND_NETWORK | The network family that the metrics server should bind to
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.policies_fwd_out | Whether to install outbound FWD IPsec policies or not
|
| services.anubis.instances.<name>.settings.OG_PASSTHROUGH | Whether to enable Open Graph tag passthrough
|
| services.postgresql.ensureUsers.*.ensureClauses.bypassrls | Grants the user, created by the ensureUser attr, replication permissions
|
| services.grafana.settings.smtp.startTLS_policy | StartTLS policy when connecting to server.
|
| services.suricata.settings.exception-policy | Define a common behavior for all exception policies
|
| boot.uki.name | Name of the UKI
|
| services.v4l2-relayd.instances.<name>.name | The name of the instance.
|
| services.usbguard.rules | The USBGuard daemon will load this as the policy rule set
|
| services.authelia.instances.<name>.name | Name is used as a suffix for the service name, user, and group
|
| users.users.<name>.name | The name of the user account
|
| services.gitea-actions-runner.instances.<name>.name | The name identifying the runner instance towards the Gitea/Forgejo instance.
|
| services.radicle.ci.adapters.native.instances.<name>.name | Adapter name that is used in the radicle-ci-broker configuration
|
| users.groups.<name>.name | The name of the group
|
| services.nylon.<name>.name | The name of this nylon instance.
|
| services.bind.zones.<name>.name | Name of the zone.
|
| services.pppd.peers.<name>.name | Name of the PPP peer.
|
| programs.chromium.extraOpts | Extra chromium policy options
|
| system.name | The name of the system used in the system.build.toplevel derivation
|
| users.extraUsers.<name>.name | The name of the user account
|
| services.frp.instances.<name>.role | The frp consists of client and server
|
| services.angrr.timer.dates | How often or when the retention policy is performed.
|