| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| users.users | Additional user accounts to be created automatically by the system
|
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file
|
| users.users.<name>.homeMode | The user's home directory mode in numeric format
|
| users.extraUsers | Alias of users.users.
|
| users.mutableUsers | If set to true, you are free to add new users and groups to the system
with the ordinary useradd and
groupadd commands
|
| users.extraUsers.<name>.homeMode | The user's home directory mode in numeric format
|
| users.users.<name>.hashedPassword | Specifies the hashed password for the user
|
| programs.benchexec.users | Users that intend to use BenchExec
|
| users.users.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|
| users.extraUsers.<name>.hashedPassword | Specifies the hashed password for the user
|
| users.extraUsers.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|
| services.memos.user | The user to run Memos as.
If changing the default value, you are responsible of creating the corresponding user with users.users.
|
| programs.zsh.enable | Whether to configure zsh as an interactive shell
|
| services.pdfding.enable | Whether to enable PdfDing service
|
| services.misskey.reverseProxy.webserver.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.davis.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.slskd.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.movim.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.snipe-it.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.bacula-sd.director.<name>.tls.require | Require TLS or TLS-PSK encryption
|
| services.bacula-fd.director.<name>.tls.require | Require TLS or TLS-PSK encryption
|
| services.prometheus.scrapeConfigs.*.label_name_length_limit | Per-scrape limit on length of labels name that will be accepted for a sample
|
| services.bacula-sd.director.<name>.tls.verifyPeer | Verify peer certificate
|
| services.bacula-fd.director.<name>.tls.verifyPeer | Verify peer certificate
|
| services.akkoma.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.fluidd.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.gancio.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.monica.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.matomo.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.radicle.httpd.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.kanboard.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.dolibarr.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.librenms.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.agorakit.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.fediwall.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.pixelfed.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.mainsail.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.zabbixWeb.nginx.virtualHost.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.anuko-time-tracker.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.bacula-sd.director.<name>.tls.enable | Specifies if TLS should be enabled
|
| services.bacula-fd.director.<name>.tls.enable | Specifies if TLS should be enabled
|
| services.bookstack.nginx.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.filebeat.inputs | Inputs specify how Filebeat locates and processes input data
|
| services.jirafeau.nginxConfig.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.nginx.virtualHosts.<name>.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.postgresql.systemCallFilter | Configures the syscall filter for postgresql.service
|
| services.fedimintd.<name>.nginx.config.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.bacula-sd.director.<name>.tls.allowedCN | Common name attribute of allowed peer certificates
|
| services.bacula-fd.director.<name>.tls.allowedCN | Common name attribute of allowed peer certificates
|
| services.filebeat.modules | Filebeat modules provide a quick way to get started
processing common log formats
|
| services.limesurvey.nginx.virtualHost.rejectSSL | Whether to listen for and reject all HTTPS connections to this vhost
|
| services.nncp.daemon.socketActivation.listenStreams | TCP sockets to bind to
|
| services.metricbeat.modules | Metricbeat modules are responsible for reading metrics from the various sources
|
| services.syncthing.overrideFolders | Whether to delete the folders which are not configured via the
folders option
|
| services.matrix-synapse.log | Default configuration for the loggers used by matrix-synapse and its workers
|
| networking.tempAddresses | Whether to enable IPv6 Privacy Extensions for interfaces not
configured explicitly in
networking.interfaces._name_.tempAddress
|
| services.pgbackrest.stanzas.<name>.settings | An attribute set of options as described in:
https://pgbackrest.org/configuration.html
All options can be used
|
| services.bacula-sd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-fd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-sd.director.<name>.tls.caCertificateFile | The path specifying a PEM encoded TLS CA certificate(s)
|
| services.bacula-fd.director.<name>.tls.caCertificateFile | The path specifying a PEM encoded TLS CA certificate(s)
|