| Option | Description |
| --- | --- |
| users.users | Additional user accounts to be created automatically by the system |
| services.memos.user | The user to run Memos as. If changing the default value, you are responsible for creating the corresponding user with users.users. |
| users.extraUsers | Alias of users.users. |
| users.mutableUsers | If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands |
| users.users.<name>.homeMode | The user's home directory mode in numeric format |
| users.extraUsers.<name>.homeMode | The user's home directory mode in numeric format |
| programs.zsh.enable | Whether to configure zsh as an interactive shell |
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host |
| services.pdfding.enable | Whether to enable PdfDing service |
| programs.benchexec.users | Users that intend to use BenchExec |
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Even though local system resource access is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs |
| users.users.<name>.hashedPassword | Specifies the hashed password for the user |
| users.users.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist |
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user |
| users.extraUsers.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist |
| users.users.<name>.uid | The account UID |
| users.users.<name>.home | The user's home directory. |
| users.users.<name>.name | The name of the user account |
| users.users.<name>.group | The user's primary group. |
| users.users.<name>.shell | The path to the user's shell |
| users.users.<name>.pamMount | Attributes for the user's entry in pam_mount.conf.xml |
| users.users.<name>.enable | If set to false, the user account will not be created |
| users.users.<name>.subUidRanges.*.count | Count of subordinate user ids |
| users.users.<name>.subGidRanges.*.count | Count of subordinate group ids |
| users.users.<name>.cryptHomeLuks | Path to the encrypted LUKS device that contains the user's home directory. |
| users.users.<name>.extraGroups | The user's auxiliary groups. |
| users.users.<name>.subGidRanges | Subordinate group ids that the user is allowed to use |
| users.users.<name>.subUidRanges | Subordinate user ids that the user is allowed to use |
| users.users.<name>.subUidRanges.*.startUid | Start of the range of subordinate user ids that the user is allowed to use. |
| users.users.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that the user is allowed to use. |
| users.users.<name>.createHome | Whether to create the home directory and ensure ownership as well as permissions to match the user. |
| users.users.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user |
| users.users.<name>.linger | Whether to enable or disable lingering for this user |
| users.users.<name>.expires | Set the date on which the user's account will no longer be accessible |
| users.users.<name>.isNormalUser | Indicates whether this is an account for a “real” user |
| users.users.<name>.isSystemUser | Indicates if the user is a system user or not |
| users.users.<name>.useDefaultShell | If true, the user's shell will be set to users.defaultUserShell. |
| users.users.<name>.packages | The set of packages that should be made available to the user |
| users.users.<name>.password | Specifies the (clear text) password for the user |
| users.users.<name>.ignoreShellProgramCheck | By default, nixos will check that programs |
| users.users.<name>.description | A short description of the user account, typically the user's full name |
| users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the user's authorized keys |
| users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be added to the user's authorized keys |
| users.users.<name>.openssh.authorizedPrincipals | A list of verbatim principal names that should be added to the user's authorized principals. |
| users.users.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's password |
| users.users.<name>.initialPassword | Specifies the initial password for the user, i.e. the password assigned if the user does not already exist |
| programs.rush.shell | The resolved shell path that users can inherit to set rush as their login shell |
| programs.gphoto2.enable | Whether to configure the system to use gphoto2 |
| services.reaction.runAsRoot | Whether to run reaction as root |
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module |
| services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on |