| Option | Description |
|---|---|
| users.users.<name>.createHome | Whether to create the home directory and ensure ownership as well as permissions to match the user. |
| users.users.<name>.homeMode | The user's home directory mode in numeric format |
| users.extraUsers.<name>.homeMode | The user's home directory mode in numeric format |
| users.users.<name>.isNormalUser | Indicates whether this is an account for a “real” user |
| users.extraUsers.<name>.isNormalUser | Indicates whether this is an account for a “real” user |
| users.extraUsers.<name>.createHome | Whether to create the home directory and ensure ownership as well as permissions to match the user. |
| users.users | Additional user accounts to be created automatically by the system |
| users.users.<name>.cryptHomeLuks | Path to the encrypted LUKS device that contains the user's home directory. |
| programs.zsh.enable | Whether to configure zsh as an interactive shell |
| users.users.<name>.hashedPassword | Specifies the hashed password for the user |
| users.extraUsers | Alias of users.users. |
| users.users.<name>.name | The name of the user account |
| users.users.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist |
| users.mutableUsers | If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands |
| users.extraUsers.<name>.cryptHomeLuks | Path to the encrypted LUKS device that contains the user's home directory. |
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user |
| users.users.<name>.uid | The account UID |
| users.users.<name>.home | The user's home directory. |
| users.extraUsers.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist |
| services.netbird.tunnels.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Caveats: even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs |
| services.netbird.clients.<name>.hardened | Hardened service: runs as a dedicated user with a minimal set of permissions (see caveats); restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]). Caveats: even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities; older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead. Known security features that are not (yet) integrated into the module: 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs |
| users.users.<name>.group | The user's primary group. |
| users.groups.<name>.name | The name of the group |
| users.users.<name>.shell | The path to the user's shell |
| users.users.<name>.pamMount | Attributes for the user's entry in pam_mount.conf.xml |
| users.extraUsers.<name>.name | The name of the user account |
| users.users.<name>.enable | If set to false, the user account will not be created |
| services.memos.user | The user to run Memos as. If changing the default value, you are responsible for creating the corresponding user with users.users. |
| users.extraGroups.<name>.name | The name of the group |
| users.users.<name>.linger | Whether to enable or disable lingering for this user |
| users.users.<name>.subGidRanges | Subordinate group ids that the user is allowed to use |
| users.users.<name>.subUidRanges | Subordinate user ids that the user is allowed to use |
| users.users.<name>.extraGroups | The user's auxiliary groups. |
| users.users.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user |
| users.users.<name>.expires | Set the date on which the user's account will no longer be accessible |
| users.users.<name>.isSystemUser | Indicates if the user is a system user or not |
| users.users.<name>.subUidRanges.*.count | Count of subordinate user ids |
| users.users.<name>.subGidRanges.*.count | Count of subordinate group ids |
| users.groups.<name>.gid | The group GID |
| users.users.<name>.packages | The set of packages that should be made available to the user |
| users.users.<name>.subUidRanges.*.startUid | Start of the range of subordinate user ids that the user is allowed to use. |
| users.users.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that the user is allowed to use. |
| users.users.<name>.useDefaultShell | If true, the user's shell will be set to users.defaultUserShell. |
| users.extraUsers.<name>.uid | The account UID |
| programs.benchexec.users | Users that intend to use BenchExec |
| users.extraUsers.<name>.home | The user's home directory. |
| users.users.<name>.password | Specifies the (clear text) password for the user |
| users.extraUsers.<name>.group | The user's primary group. |
| users.extraGroups.<name>.gid | The group GID |
| power.ups.users.<name>.upsmon | Add the necessary actions for an upsmon process to work |
| users.extraUsers.<name>.shell | The path to the user's shell |
| users.extraUsers.<name>.pamMount | Attributes for the user's entry in pam_mount.conf.xml |
| services.bitcoind.<name>.rpc.users.<name>.name | Username for JSON-RPC connections. |
| users.users.<name>.description | A short description of the user account, typically the user's full name |
| power.ups.users.<name>.actions | Allow the user to do certain things with upsd |
| users.extraUsers.<name>.enable | If set to false, the user account will not be created |
| users.users.<name>.ignoreShellProgramCheck | By default, NixOS will check that programs |
| users.groups.<name>.members | The user names of the group members, added to the /etc/group file. |
| users.ldap.base | The distinguished name of the search base. |
| users.extraUsers.<name>.subUidRanges | Subordinate user ids that the user is allowed to use |
| users.extraUsers.<name>.subGidRanges | Subordinate group ids that the user is allowed to use |
| users.extraUsers.<name>.extraGroups | The user's auxiliary groups. |
| users.users.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's password |
| users.extraUsers.<name>.linger | Whether to enable or disable lingering for this user |
| users.extraUsers.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user |
| users.users.<name>.initialPassword | Specifies the initial password for the user, i.e. the password assigned if the user does not already exist |
| boot.initrd.systemd.users.<name>.uid | ID of the user in initrd. |
| users.extraUsers.<name>.expires | Set the date on which the user's account will no longer be accessible |
| power.ups.users.<name>.instcmds | Let the user initiate specific instant commands |
| users.extraUsers.<name>.isSystemUser | Indicates if the user is a system user or not |
| users.extraGroups.<name>.members | The user names of the group members, added to the /etc/group file. |
| users.extraUsers.<name>.subGidRanges.*.count | Count of subordinate group ids |
| users.extraUsers.<name>.subUidRanges.*.count | Count of subordinate user ids |
| power.ups.users.<name>.passwordFile | The full path to a file that contains the user's (clear text) password |
| users.extraUsers.<name>.packages | The set of packages that should be made available to the user |
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host |
| boot.initrd.systemd.users.<name>.shell | The path to the user's shell in initrd. |
| boot.initrd.systemd.users.<name>.group | Group the user belongs to in initrd. |
| users.extraUsers.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that the user is allowed to use. |
| users.extraUsers.<name>.subUidRanges.*.startUid | Start of the range of subordinate user ids that the user is allowed to use. |
| users.extraUsers.<name>.useDefaultShell | If true, the user's shell will be set to users.defaultUserShell. |
| users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the user's authorized keys |
| services.pdfding.enable | Whether to enable the PdfDing service |
| boot.loader.grub.users.<name>.password | Specifies the clear text password for the account |
| services.nntp-proxy.users.<name>.username | Username |
| users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be added to the user's authorized keys |
| services.bitcoind.<name>.rpc.users | RPC user information for JSON-RPC connections. |
| boot.loader.grub.users.<name>.passwordFile | Specifies the path to a file containing the clear text password for the account |
| users.mysql.pam.table | The name of the table that maps unique login names to the passwords. |
| systemd.user.tmpfiles.users.<name>.rules | Per-user rules for automatic creation, deletion and cleaning of volatile and temporary files |
| users.mysql.pam.userColumn | The name of the column that contains a unix login name. |
| users.extraUsers.<name>.password | Specifies the (clear text) password for the user |
| boot.loader.grub.users.<name>.hashedPassword | Specifies the password hash for the account, generated with grub-mkpasswd-pbkdf2 |
| users.extraUsers.<name>.description | A short description of the user account, typically the user's full name |
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file |
| services.bitcoind.<name>.rpc.users.<name>.passwordHMAC | Password HMAC-SHA-256 for JSON-RPC connections |
| users.users.<name>.openssh.authorizedPrincipals | A list of verbatim principal names that should be added to the user's authorized principals. |
| services.dokuwiki.sites.<name>.usersFile | Location of the dokuwiki users file |
| users.extraUsers.<name>.ignoreShellProgramCheck | By default, NixOS will check that programs |
| services.geoclue2.appConfig.<name>.users | List of UIDs of all users for which this application is allowed location info access. Defaults to an empty string to allow it for all users. |