Stack Options

The nps.stacks options allow enabling and configuring various stacks. Most stacks just require the enable option set to true. Some stacks can optionally be configured to adjust settings or pass environment files (e.g. for secrets).

If you want to make changes that are not possible through the exposed stack options directly, aliases to the services.podman.containers options are provided, which let you override or modify any attribute that the stack modules set.

For instance, accessing nps.stacks.streaming.containers.jellyfin is an alias to services.podman.containers.jellyfin and allows editing any of the known services.podman.containers options, such as networks, volumes and environment files. Usually this should not be necessary though.
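The following configuration is an added example, not taken from the project's own documentation. It uses only options listed on this page to wire an identity stack (LLDAP and Authelia with OIDC) to secret files, and shows one override through a container alias. The /run/secrets paths are placeholders, and the environment attribute and the DOZZLE_NO_ANALYTICS variable are assumptions taken from Home Manager's services.podman.containers options and from Dozzle respectively.

```nix
{ ... }:
let
  # Placeholder directory (assumption): populated outside the Nix store,
  # e.g. by a secrets manager such as sops-nix, and readable only by the
  # user that runs the containers.
  secrets = "/run/secrets";
in
{
  nps.stacks = {
    # Directory service. The three *File options have no default on this
    # page, so they are set explicitly.
    lldap = {
      enable = true;
      baseDn = "DC=example,DC=com";
      adminPasswordFile = "${secrets}/lldap/admin_password";
      jwtSecretFile = "${secrets}/lldap/jwt_secret";
      keySeedFile = "${secrets}/lldap/key_seed";
    };

    # With lldap enabled, authenticationBackend.type defaults to "ldap" and
    # the bind user and password file default to the lldap admin options
    # above, so no credentials are repeated here.
    authelia = {
      enable = true;
      jwtSecretFile = "${secrets}/authelia/jwt_secret";
      sessionSecretFile = "${secrets}/authelia/session_secret";
      storageEncryptionKeyFile = "${secrets}/authelia/storage_encryption_key";

      oidc = {
        enable = true;
        hmacSecretFile = "${secrets}/authelia/oidc_hmac_secret";
        jwksRsaKeyFile = "${secrets}/authelia/oidc_jwks_rsa_key.pem";
      };
    };

    # Stacks that read container metadata go through the read-only proxy
    # instead of the Podman socket: dozzle.useSocketProxy defaults to
    # docker-socket-proxy.enable.
    docker-socket-proxy.enable = true;

    dozzle = {
      enable = true;
      # Override through the alias of services.podman.containers.dozzle.
      # The setting is merged with what the stack module already defines.
      containers.dozzle.environment.DOZZLE_NO_ANALYTICS = "true";
    };
  };
}
```

Because the paths are plain strings rather than Nix path literals, the secret files are referenced by location and are not copied into the world-readable Nix store.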

The following list contains the options for all available stacks.


nps.stacks.adguard.enable

Whether to enable adguard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.adguard.containers.adguard

Alias of services.podman.containers.adguard.

Type: submodule

Declared by:

nps.stacks.aiostreams.enable

Whether to enable aiostreams.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.aiostreams.containers.aiostreams

Alias of services.podman.containers.aiostreams.

Type: submodule

Declared by:

nps.stacks.aiostreams.envFile

Path to the environment file for AIOStreams. Can be used to pass secrets.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.audiobookshelf.enable

Whether to enable audiobookshelf.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.audiobookshelf.authelia.clientSecretHash

The hashed client_secret. For examples on how to generate a client secret, see

https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret

Type: string

Declared by:

nps.stacks.audiobookshelf.authelia.registerClient

Whether to register an Audiobookshelf OIDC client in Authelia. If enabled you need to provide a hashed secret in the client_secret option.

To enable OIDC Login for Audiobookshelf, you will have to enable it in the Web UI.

For details, see:

Type: boolean

Default: false

Declared by:

nps.stacks.audiobookshelf.containers.audiobookshelf

Alias of services.podman.containers.audiobookshelf.

Type: submodule

Declared by:

nps.stacks.authelia.enable

Whether to enable authelia.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.authelia.enableTraefikMiddleware

Whether to set up an Authelia middleware for Traefik. The middleware will utilize the ForwardAuth Authz implementation.

See https://www.authelia.com/integration/proxies/traefik/#implementation

Type: boolean

Default: config.nps.stacks.traefik.enable

Declared by:

nps.stacks.authelia.authenticationBackend.ldap.passwordFile

The password for the LDAP user that is used when connecting to the LDAP backend.

Type: absolute path

Default: config.nps.stacks.lldap.adminPasswordFile

Declared by:

nps.stacks.authelia.authenticationBackend.ldap.user

The username that will be used when binding to the LDAP backend.

Type: string

Default: config.nps.stacks.lldap.adminUsername

Declared by:

nps.stacks.authelia.authenticationBackend.type

The authentication backend that will be used. If set to ldap the option ldapPasswordFile has to be set. If set to file either the users or the usersFile option has to be set.

Type: one of “file”, “ldap”

Default: if config.nps.stacks.lldap.enable then "ldap" else "file"

Declared by:

nps.stacks.authelia.authenticationBackend.users

User configuration. Besides the defined options, any value can be defined here. See https://www.authelia.com/reference/guides/passwords/#yaml-format

Note: Configuring the users through this option results in a read-only file being mounted into the container. Because the file isn’t writable, users won’t be able to reset or change their passwords themselves.

If you want to mount a writable file, use the usersFile option instead.

Type: attribute set of (YAML 1.1 value)

Default: { }

Declared by:

nps.stacks.authelia.authenticationBackend.users.<name>.disabled

The disabled status for the user

Type: boolean

Default: false

Declared by:

nps.stacks.authelia.authenticationBackend.users.<name>.displayname

The display name for the user

Type: string

Default: "key of the attribute set"

Declared by:

nps.stacks.authelia.authenticationBackend.users.<name>.email

The email for the user

Type: string

Default: ""

Declared by:

nps.stacks.authelia.authenticationBackend.users.<name>.groups

The groups list for the user

Type: list of string

Default: [ ]

Declared by:

nps.stacks.authelia.authenticationBackend.users.<name>.password

The hashed password for the user

Type: string

Declared by:

nps.stacks.authelia.authenticationBackend.usersFile

Path to a file containing the user configuration. See https://www.authelia.com/reference/guides/passwords/#yaml-format

If this option is defined, the users option will be ignored.

Type: null or absolute path not in the Nix store

Default: null

Declared by:

nps.stacks.authelia.containers.authelia

Alias of services.podman.containers.authelia.

Type: submodule

Declared by:

nps.stacks.authelia.env

Additional environment variables passed to the Authelia container

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.authelia.envFile

Path to the environment file containing additional variables. Can be used to pass secrets etc.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.authelia.jwtSecretFile

Path to the file containing the JWT secret. See https://www.authelia.com/configuration/identity-validation/reset-password/#jwt_secret

Type: absolute path

Declared by:

nps.stacks.authelia.oidc.enable

Whether to enable OIDC Support.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.authelia.oidc.clients

OIDC client configuration. See https://www.authelia.com/configuration/identity-providers/openid-connect/clients/

Type: attribute set of (YAML 1.1 value)

Default: [ ]

Declared by:

nps.stacks.authelia.oidc.clients.<name>.client_id

This option has no description.

Type: string

Default: "‹name›"

Declared by:

nps.stacks.authelia.oidc.hmacSecretFile

Path to the file containing the HMAC secret. See https://www.authelia.com/configuration/identity-providers/openid-connect/provider/#hmac_secret

Type: absolute path

Declared by:

nps.stacks.authelia.oidc.jwksRsaKeyFile

Path to the file containing the JWKS RSA (RS256) private key.

For example, a keypair can be generated and printed out like this:

podman run --rm authelia/authelia sh -c "authelia crypto certificate rsa generate --common-name authelia.example.com && cat public.crt && cat private.pem"

See https://www.authelia.com/configuration/identity-providers/openid-connect/provider/#key

Type: absolute path

Declared by:

nps.stacks.authelia.sessionSecretFile

Path to the file containing the session secret. See https://www.authelia.com/configuration/session/introduction/#secret

Type: absolute path

Declared by:

nps.stacks.authelia.settings

Additional Authelia settings. Will be provided in the configuration.yml.

Type: YAML 1.1 value

Declared by:

nps.stacks.authelia.storageEncryptionKeyFile

Path to the file containing the storage encryption key. See https://www.authelia.com/configuration/storage/introduction/#encryption_key

Type: absolute path

Declared by:

nps.stacks.beszel.enable

Whether to enable beszel.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.beszel.authelia.clientSecretHash

The hashed client_secret. For examples on how to generate a client secret, see

https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret

Type: string

Declared by:

nps.stacks.beszel.authelia.registerClient

Whether to register a Beszel OIDC client in Authelia. If enabled you need to provide a hashed secret in the client_secret option.

To enable OIDC Login for Beszel, you will have to set it up in Beszel's Web UI. For details, see:

Type: boolean

Default: false

Declared by:

nps.stacks.beszel.containers.beszel

Alias of services.podman.containers.beszel.

Type: submodule

Declared by:

nps.stacks.beszel.containers.beszel-agent

Alias of services.podman.containers.beszel-agent.

Type: submodule

Declared by:

nps.stacks.beszel.ed25519PrivateKeyFile

Path to the private SSH key that will be used by the hub to authenticate against the agent. If not provided, the hub will generate a new key pair when starting.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.beszel.ed25519PublicKeyFile

Path to the public SSH key of the hub that will be considered authorized by the agent. If not provided, the KEY environment variable should be set to the public key of the hub, in order for the connection from hub to agent to work.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.beszel.settings

System configuration (optional). If provided, on each restart, systems in the database will be updated to match the systems defined in the settings. To see your current configuration, refer to settings -> YAML Config -> Export configuration.

Type: null or YAML 1.1 value

Default: null

Example:

{
  systems = [
    {
      host = "/beszel_socket/beszel.sock";
      name = "Local";
      port = 45876;
      users = [
        "admin@example.com"
      ];
    }
  ];
}

Declared by:

nps.stacks.beszel.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the beszel stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.blocky.enable

Whether to enable blocky.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.blocky.enableGrafanaDashboard

Whether to enable Grafana Dashboard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.blocky.enablePrometheusExport

Whether to enable Prometheus Export.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.blocky.containers.blocky

Alias of services.podman.containers.blocky.

Type: submodule

Declared by:

nps.stacks.blocky.settings

Blocky configuration. Will be converted to the config.yml. For a full list of options, refer to the Blocky documentation.

By default, if Traefik is enabled, the module will automatically set up a DNS override pointing the Traefik domain to your host IP.

Type: YAML 1.1 value

Declared by:

nps.stacks.bytestash.enable

Whether to enable bytestash.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.bytestash.containers.bytestash

Alias of services.podman.containers.bytestash.

Type: submodule

Declared by:

nps.stacks.bytestash.env

Additional environment variables passed to the ByteStash container. Can be used to override the preset.

See https://docs.romm.app/latest/Getting-Started/Environment-Variables/

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.bytestash.envFile

Path to the environment file containing at least the ‘JWT_SECRET’ variable.

See https://github.com/jordan-dalby/ByteStash/wiki/FAQ#environment-variables

Type: null or absolute path

Default: null

Declared by:

nps.stacks.calibre.enable

Whether to enable calibre.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.calibre.containers.calibre

Alias of services.podman.containers.calibre.

Type: submodule

Declared by:

nps.stacks.calibre.containers.calibre-downloader

Alias of services.podman.containers.calibre-downloader.

Type: submodule

Declared by:

nps.stacks.changedetection.enable

Whether to enable changedetection.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.changedetection.containers.changedetection

Alias of services.podman.containers.changedetection.

Type: submodule

Declared by:

nps.stacks.changedetection.containers.sockpuppetbrowser

Alias of services.podman.containers.sockpuppetbrowser.

Type: submodule

Declared by:

nps.stacks.crowdsec.enable

Whether to enable crowdsec.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.crowdsec.acquisSettings

Acquisition settings for CrowdSec. If Traefik is enabled, the module will automatically set up acquisition for Traefik.

Type: YAML 1.1 value

Default: { }

Declared by:

nps.stacks.crowdsec.containers.crowdsec

Alias of services.podman.containers.crowdsec.

Type: submodule

Declared by:

nps.stacks.crowdsec.envFile

Path to the env file containing secrets, e.g. the ‘ENROLL_INSTANCE_NAME’ and ‘ENROLL_KEY’ variables. To automatically monitor Traefik logs and add a Traefik middleware, make sure to configure the traefikIntegration options.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.crowdsec.traefikIntegration.enable

Whether to configure acquisition settings for Traefik. If enabled, Traefik access logs will be automatically collected.

To also set up a Traefik middleware that makes use of the CrowdSec decisions to block requests, make sure to configure the bouncerEnvFile option.

Type: boolean

Default: config.nps.stacks.traefik.enable

Declared by:

nps.stacks.crowdsec.traefikIntegration.bouncerEnvFile

Path to the env file containing the BOUNCER_KEY_TRAEFIK environment variable. If this is set, a bouncer will be set up in CrowdSec. In addition, a new crowdsec middleware will be registered in Traefik and added to the ‘public’ chain. This will block requests to exposed services that are detected as malicious by CrowdSec.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.crowdsec.traefikIntegration.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the crowdsec stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.dockdns.enable

Whether to enable DockDNS. This will run a Cloudflare DNS client that updates DNS records based on Docker labels. The module contains an extension that will automatically create DNS records for services with the ‘public’ Traefik middleware, so they are accessible from the internet. It will also automatically delete DNS records for services that are no longer exposed (e.g. ‘private’ middleware).

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.dockdns.containers.dockdns

Alias of services.podman.containers.dockdns.

Type: submodule

Declared by:

nps.stacks.dockdns.envFile

Path to a file containing environment variables for the API token for the domain. E.g. for a domain ‘test.example.com’, the file should contain ‘TEST_EXAMPLE_COM_API_TOKEN=your_api_token’.

Type: absolute path

Default: null

Declared by:

nps.stacks.dockdns.settings

Settings for DockDNS. For details, refer to the DockDNS documentation. The module will provide a default configuration that updates DNS records every 10 minutes. DockDNS labels will be automatically added to services with the ‘public’ Traefik middleware.

Type: YAML 1.1 value

Declared by:

nps.stacks.dockdns.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the dockdns stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.docker-socket-proxy.enable

Whether to enable docker-socket-proxy.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.docker-socket-proxy.containers.docker-socket-proxy

Alias of services.podman.containers.docker-socket-proxy.

Type: submodule

Declared by:

nps.stacks.dozzle.enable

Whether to enable Dozzle. The module contains an extension that will automatically add all containers to Dozzle groups, if their stack attribute is set.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.dozzle.containers.dozzle

Alias of services.podman.containers.dozzle.

Type: submodule

Declared by:

nps.stacks.dozzle.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the dozzle stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.filebrowser.enable

Whether to enable filebrowser.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.filebrowser.containers.filebrowser

Alias of services.podman.containers.filebrowser.

Type: submodule

Declared by:

nps.stacks.filebrowser.mounts

Mount points for the file browser. Format: { 'hostPath' = 'containerPath' }. By default, the user's home directory and the external storage directory (config.nps.externalStorageBaseDir) are configured as mounts.

Type: attribute set of string

Example:

{
  "/home/foo/media" = "/media";
  "/mnt/ext/data" = "/data";
}

Declared by:

nps.stacks.forgejo.enable

Whether to enable forgejo.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.forgejo.containers.forgejo

Alias of services.podman.containers.forgejo.

Type: submodule

Declared by:

nps.stacks.forgejo.settings

Optional app settings for Forgejo. For a full list of options, refer to the Forgejo documentation.

Type: null or (attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string)))

Default: null

Declared by:

nps.stacks.freshrss.enable

Whether to enable freshrss.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.freshrss.containers.freshrss

Alias of services.podman.containers.freshrss.

Type: submodule

Declared by:

nps.stacks.freshrss.envFile

Path to the env file containing admin user secrets. The file should contain the variables ‘ADMIN_USERNAME’, ‘ADMIN_EMAIL’, ‘ADMIN_PASSWORD’ and ‘ADMIN_API_PASSWORD’. If the file is not set, automatic user creation will not be triggered. This only affects the first run. For details see https://github.com/FreshRSS/FreshRSS/tree/edge/Docker#environment-variables

Type: null or absolute path

Default: null

Declared by:

nps.stacks.gatus.enable

Whether to enable Gatus. The module also provides an extension that will add Gatus options to a container. This allows services to be added to Gatus by setting container options.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.gatus.authelia.enable

Whether to enable OIDC login with Authelia. This will register an OIDC client in Authelia and set up the necessary configuration.

For details, see:

Type: boolean

Default: false

Declared by:

nps.stacks.gatus.authelia.allowedSubjects

List of allowed subjects. If not set, all subjects will be allowed.

Type: list of string

Default: [ ]

Declared by:

nps.stacks.gatus.authelia.clientSecretEnvName

Name of the environment variable that contains the client_secret. You will have to provide a variable with the given name in the env_file option.

E.g. when setting clientSecretEnvName = AUTHELIA_CLIENT_SECRET, then the envFile should be a file containing the variable:

AUTHELIA_CLIENT_SECRET=some_secret

Type: string

Declared by:

nps.stacks.gatus.authelia.clientSecretHash

The hashed client_secret. Will be set in the Authelia client config. For examples on how to generate a client secret, see

https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret

Type: string

Declared by:

nps.stacks.gatus.containers.gatus

Alias of services.podman.containers.gatus.

Type: submodule

Declared by:

nps.stacks.gatus.containers.gatus-db

Alias of services.podman.containers.gatus-db.

Type: submodule

Declared by:

nps.stacks.gatus.db.envFile

Path to the environment file for the database. Required if db.type is set to “postgres”. Must contain the environment variables ‘POSTGRES_USER’, and ‘POSTGRES_PASSWORD’.

Type: absolute path

Declared by:

nps.stacks.gatus.db.type

Type of the database to use. Can be set to “sqlite” or “postgres”. If set to “postgres”, the envFile option must be set.

Type: one of “sqlite”, “postgres”

Declared by:

nps.stacks.gatus.defaultEndpoint

Default endpoint settings. Will be merged with each provided endpoint. Only applies if the endpoint does not override the default endpoint settings.

Type: YAML 1.1 value

Default:

{
  client = {
    insecure = true;
    timeout = "10s";
  };
  conditions = [
    "[STATUS] >= 200"
    "[STATUS] < 300"
  ];
  group = "core";
  interval = "5m";
}

Declared by:

nps.stacks.gatus.envFile

Path to the environment file for the container. Can be used to e.g. pass secrets that are referenced in the settings.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.gatus.extraSettingsFiles

List of additional YAML files to include in the settings. These files will be mounted as is. Can be used to directly provide YAML files containing secrets, e.g. from sops.

Type: list of absolute path

Default: [ ]

Declared by:

nps.stacks.gatus.settings

Settings for the Gatus container. Will be converted to YAML and passed to the container. To see all valid settings, refer to the project's documentation: https://github.com/TwiN/gatus

Type: YAML 1.1 value

Declared by:

nps.stacks.healthchecks.enable

Whether to enable healthchecks.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.healthchecks.containers.healthchecks

Alias of services.podman.containers.healthchecks.

Type: submodule

Declared by:

nps.stacks.healthchecks.envFile

Path to the environment file for Healthchecks. Should contain the SECRET_KEY, SUPERUSER_EMAIL and SUPERUSER_PASSWORD environment variables.

Type: absolute path

Declared by:

nps.stacks.homeassistant.enable

Whether to enable homeassistant.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.homeassistant.containers.homeassistant

Alias of services.podman.containers.homeassistant.

Type: submodule

Declared by:

nps.stacks.homeassistant.settings

Settings that will be written to the ‘configuration.yaml’ file. If you want to configure settings through the UI, set this option to null. In that case, no managed configuration.yaml will be provided.

Type: null or YAML 1.1 value

Declared by:

nps.stacks.homepage.enable

Whether to enable the Homepage stack.

The services of enabled stacks will be automatically added to Homepage. The module will also automatically configure the docker integration for the local host and set up some widgets.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.homepage.bookmarks

Homepage bookmarks configuration.

See https://gethomepage.dev/configs/bookmarks/.

Type: YAML 1.1 value

Default: [ ]

Example:

[
  {
    Developer = [
      {
        Github = [
          {
            abbr = "GH";
            href = "https://github.com/";
          }
        ];
      }
    ];
  }
  {
    Entertainment = [
      {
        YouTube = [
          {
            abbr = "YT";
            href = "https://youtube.com/";
          }
        ];
      }
    ];
  }
]

Declared by:

nps.stacks.homepage.containers.homepage

Alias of services.podman.containers.homepage.

Type: submodule

Declared by:

nps.stacks.homepage.docker

Homepage docker configuration.

See https://gethomepage.dev/configs/docker/.

Type: YAML 1.1 value

Default: { }

Declared by:

nps.stacks.homepage.services

Homepage services configuration.

See https://gethomepage.dev/configs/services/.

Type: YAML 1.1 value

Default: [ ]

Example:

[
  {
    "My First Group" = [
      {
        "My First Service" = {
          description = "Homepage is awesome";
          href = "http://localhost/";
        };
      }
    ];
  }
  {
    "My Second Group" = [
      {
        "My Second Service" = {
          description = "Homepage is the best";
          href = "http://localhost/";
        };
      }
    ];
  }
]

Declared by:

nps.stacks.homepage.settings

Homepage settings.

See https://gethomepage.dev/configs/settings/.

Type: YAML 1.1 value

Default: { }

Declared by:

nps.stacks.homepage.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the homepage stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.homepage.widgets

Homepage widgets configuration.

See https://gethomepage.dev/widgets/.

Type: YAML 1.1 value

Default: [ ]

Example:

[
  {
    resources = {
      cpu = true;
      disk = "/";
      memory = true;
    };
  }
  {
    search = {
      provider = "duckduckgo";
      target = "_blank";
    };
  }
]

Declared by:

nps.stacks.immich.enable

Whether to enable immich.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.immich.authelia.enable

Whether to enable OIDC login with Authelia. This will register an OIDC client in Authelia and set up the necessary configuration in Immich.

For details, see:

Type: boolean

Default: false

Declared by:

nps.stacks.immich.authelia.clientSecretFile

Path to the file containing the client secret that will be used to authenticate against Authelia.

Type: absolute path

Declared by:

nps.stacks.immich.authelia.clientSecretHash

The hashed client_secret. Will be set in the Authelia client config. For examples on how to generate a client secret, see

https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret

Type: string

Declared by:

nps.stacks.immich.containers.immich

Alias of services.podman.containers.immich.

Type: submodule

Declared by:

nps.stacks.immich.containers.immich-db

Alias of services.podman.containers.immich-db.

Type: submodule

Declared by:

nps.stacks.immich.containers.immich-machine-learning

Alias of services.podman.containers.immich-machine-learning.

Type: submodule

Declared by:

nps.stacks.immich.containers.immich-redis

Alias of services.podman.containers.immich-redis.

Type: submodule

Declared by:

nps.stacks.immich.db.envFile

Path to the env file containing the ‘POSTGRES_PASSWORD’ variable

Type: absolute path

Declared by:

nps.stacks.immich.envFile

Path to the env file containing the ‘DB_PASSWORD’ variable

Type: absolute path

Declared by:

nps.stacks.immich.settings

Settings that will be written to the ‘config.json’ file. If you want to configure settings through the UI, set this option to null. In that case, no managed config.json will be provided.

For details on the config file, see https://immich.app/docs/install/config-file/

Type: null or JSON value

Declared by:

nps.stacks.ittools.enable

Whether to enable ittools.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.ittools.containers.ittools

Alias of services.podman.containers.ittools.

Type: submodule

Declared by:

nps.stacks.karakeep.enable

Whether to enable karakeep.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.karakeep.containers.karakeep

Alias of services.podman.containers.karakeep.

Type: submodule

Declared by:

nps.stacks.karakeep.containers.karakeep-chrome

Alias of services.podman.containers.karakeep-chrome.

Type: submodule

Declared by:

nps.stacks.karakeep.containers.karakeep-meilisearch

Alias of services.podman.containers.karakeep-meilisearch.

Type: submodule

Declared by:

nps.stacks.karakeep.envFile

Path to the env file containing at least ‘NEXTAUTH_SECRET’ and ‘MEILI_MASTER_KEY’.

Type: absolute path

Declared by:

nps.stacks.kimai.enable

Whether to enable kimai.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.kimai.containers.kimai

Alias of services.podman.containers.kimai.

Type: submodule

Declared by:

nps.stacks.kimai.containers.kimai-db

Alias of services.podman.containers.kimai-db.

Type: submodule

Declared by:

nps.stacks.kimai.db.envFile

Path to env file containing the MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD and MYSQL_ROOT_PASSWORD variables.

Type: absolute path

Declared by:

nps.stacks.kimai.envFile

Path to env file containing the ADMINMAIL, ADMINPASS and DATABASE_URL variables. The ADMINPASS should have at least 8 characters for the provisioning to succeed.

The DATABASE_URL variable should be in the format DATABASE_URL=mysql://<<DATABASE_USER>>:<<DATABASE_PASSWORD>>@kimai-db/<<DATABASE_NAME>>?charset=utf8mb4 with the variables matching the ones passed in the db.envFile option.

Type: absolute path

Declared by:

nps.stacks.lldap.enable

Whether to enable lldap.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.lldap.adminPasswordFile

Path to the file containing the admin password.

Type: absolute path

Declared by:

nps.stacks.lldap.adminUsername

Admin username for LDAP as well as the web interface.

Type: string

Default: "admin"

Declared by:

nps.stacks.lldap.baseDn

The starting point in the LDAP directory tree from which searches begin.

Type: string

Default: "DC=example,DC=com"

Example: "DC=mydomain,DC=net"

Declared by:

nps.stacks.lldap.bootstrap.cleanUp

Whether to delete groups and users not specified in the config, and to remove users from groups that they do not belong to.

Type: boolean

Default: false

Declared by:

nps.stacks.lldap.bootstrap.groupSchemas

Group schemas. Can be used to create custom group attributes.

Type: attribute set of (submodule)

Default: { }

Declared by:

nps.stacks.lldap.bootstrap.groupSchemas.<name>.attributeType

Type of the attribute

Type: one of “STRING”, “INTEGER”, “JPGEG”, “DATE_TIME”

Declared by:

nps.stacks.lldap.bootstrap.groupSchemas.<name>.isEditable

Whether the attribute is editable by users

Type: boolean

Default: false

Declared by:

nps.stacks.lldap.bootstrap.groupSchemas.<name>.isList

Whether the attribute can have multiple values

Type: boolean

Default: false

Declared by:

nps.stacks.lldap.bootstrap.groupSchemas.<name>.isVisible

Whether the attribute is visible by users

Type: boolean

Default: true

Declared by:

nps.stacks.lldap.bootstrap.groupSchemas.<name>.name

Name of the field, case-insensitive - you should use lowercase

Type: string matching the pattern ^[a-zA-Z0-9-]+$

Default: <name>

Declared by:

nps.stacks.lldap.bootstrap.groups

Groups that will be created. Besides the name, you can also specify custom attributes for the group, if they are defined in the groupSchemas option.

See https://github.com/lldap/lldap/blob/main/example_configs/bootstrap/bootstrap.md#group-config-file-example

Type: attribute set of (string or signed integer or boolean)

Default: { }

Declared by:

nps.stacks.lldap.bootstrap.groups.<name>.name

Name of the group. Defaults to the name of the attribute.

Type: string

Default: <name>

Declared by:

nps.stacks.lldap.bootstrap.userSchemas

User schema. Can be used to create custom user attributes.

Type: attribute set of (submodule)

Default: { }

Declared by:

nps.stacks.lldap.bootstrap.userSchemas.<name>.attributeType

Type of the attribute

Type: one of “STRING”, “INTEGER”, “JPGEG”, “DATE_TIME”

Declared by:

nps.stacks.lldap.bootstrap.userSchemas.<name>.isEditable

Whether the attribute is editable by users

Type: boolean

Default: false

Declared by:

nps.stacks.lldap.bootstrap.userSchemas.<name>.isList

Whether the attribute can have multiple values

Type: boolean

Default: false

Declared by:

nps.stacks.lldap.bootstrap.userSchemas.<name>.isVisible

Whether the attribute is visible by users

Type: boolean

Default: true

Declared by:

nps.stacks.lldap.bootstrap.userSchemas.<name>.name

Name of the field, case-insensitive - you should use lowercase

Type: string matching the pattern ^[a-zA-Z0-9-]+$

Default: <name>

Declared by:

nps.stacks.lldap.bootstrap.users

LLDAP users that will be provisioned at startup. You can also specify custom attributes for the user, if they are defined in the userSchemas option.

See https://github.com/lldap/lldap/blob/main/example_configs/bootstrap/bootstrap.md#user-config-file-example

Type: attribute set of (string or signed integer or boolean)

Default: [ ]

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.avatar_url

Must be a valid URL to a JPEG file (ignored if gravatar_avatar is specified).

Type: null or string

Default: null

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.displayName

Display name of the user

Type: null or string

Default: null

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.email

E-Mail of the user

Type: string

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.firstName

First name of the user

Type: null or string

Default: null

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.gravatar_avatar

The script will try to get an avatar from Gravatar using the previously specified email.

Type: boolean

Default: false

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.groups

An array of groups the user will be a member of (all the groups must be specified in the groups option).

Type: list of string

Default: [ ]

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.id

ID of the user. Defaults to the name of the attribute.

Type: string

Default: <name>

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.lastName

Last name of the user

Type: null or string

Default: null

Declared by:

nps.stacks.lldap.bootstrap.users.<name>.password_file

Path to the file containing the user password

Type: null or absolute path

Default: null

Declared by:

nps.stacks.lldap.containers.lldap

Alias of services.podman.containers.lldap.

Type: submodule

Declared by:

nps.stacks.lldap.envFile

Path to the environment file for LLDAP. Can be used to pass additional variables or secrets.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.lldap.jwtSecretFile

Path to the file containing the JWT secret

Type: absolute path

Declared by:

nps.stacks.lldap.keySeedFile

Path to the file containing the key seed

Type: absolute path

Declared by:

nps.stacks.lldap.settings

Additional LLDAP configuration. If provided, it will be mounted as lldap_config.toml.

See https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml

Type: null or TOML value

Declared by:

nps.stacks.mealie.enable

Whether to enable mealie.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.mealie.containers.mealie

Alias of services.podman.containers.mealie.

Type: submodule

Declared by:

nps.stacks.microbin.enable

Whether to enable microbin.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.microbin.containers.microbin

Alias of services.podman.containers.microbin.

Type: submodule

Declared by:

nps.stacks.microbin.envFile

Path to env file passed to the container. Can be used to optionally pass secrets such as ‘MICROBIN_ADMIN_USERNAME’, ‘MICROBIN_ADMIN_PASSWORD’, ‘MICROBIN_BASIC_AUTH_USERNAME’, ‘MICROBIN_BASIC_AUTH_PASSWORD’ & ‘MICROBIN_UPLOADER_PASSWORD’.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.monitoring.enable

Enable the monitoring stack. This stack provides monitoring services including Grafana, Loki, Alloy, and Prometheus. Configuration files for each service will be provided automatically to work out of the box.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.monitoring.alloy.enable

Whether to enable Alloy.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.monitoring.alloy.config

Configuration for Alloy. A default configuration will be automatically provided by this monitoring module. The default configuration will ship logs of all containers that set the alloy.enable=true option to Loki. Multiple definitions of this option will be merged together into a single file.

See https://grafana.com/docs/alloy/latest/get-started/configuration-syntax/

Type: strings concatenated with “\n”

Declared by:

nps.stacks.monitoring.alloy.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the monitoring stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.monitoring.containers.alloy

Alias of services.podman.containers.alloy.

Type: submodule

Declared by:

nps.stacks.monitoring.containers.grafana

Alias of services.podman.containers.grafana.

Type: submodule

Declared by:

nps.stacks.monitoring.containers.loki

Alias of services.podman.containers.loki.

Type: submodule

Declared by:

nps.stacks.monitoring.containers.podman-exporter

Alias of services.podman.containers.podman-exporter.

Type: submodule

Declared by:

nps.stacks.monitoring.containers.prometheus

Alias of services.podman.containers.prometheus.

Type: submodule

Declared by:

nps.stacks.monitoring.grafana.enable

Whether to enable Grafana.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.monitoring.grafana.dashboards

List of paths to Grafana dashboard JSON files.

Type: list of absolute path

Default: [ ]

Declared by:

nps.stacks.monitoring.grafana.datasources

Datasource configuration for Grafana. Loki and Prometheus datasources will be automatically configured.

Type: YAML 1.1 value

Declared by:

nps.stacks.monitoring.grafana.settings

Settings for Grafana. Will be written to the ‘grafana.ini’ file. See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#configure-grafana

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

nps.stacks.monitoring.loki.enable

Whether to enable Loki.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.monitoring.loki.config

Configuration for Loki. A default configuration will be automatically provided by this monitoring module.

See https://grafana.com/docs/loki/latest/configuration/

Type: YAML 1.1 value

Default: { }

Declared by:

nps.stacks.monitoring.podmanExporter.enable

Whether to enable Podman Metrics Exporter.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.monitoring.prometheus.enable

Whether to enable Prometheus.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.monitoring.prometheus.config

Configuration for Prometheus. A default configuration will be automatically provided by this monitoring module.

See https://prometheus.io/docs/prometheus/latest/configuration/configuration/

Type: YAML 1.1 value

Default: { }

Declared by:

nps.stacks.n8n.enable

Whether to enable n8n.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.n8n.containers.n8n

Alias of services.podman.containers.n8n.

Type: submodule

Declared by:

nps.stacks.ntfy.enable

Whether to enable ntfy.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.ntfy.enableGrafanaDashboard

Whether to enable Grafana Dashboard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.ntfy.enablePrometheusExport

Whether to enable Prometheus Export.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.ntfy.containers.ntfy

Alias of services.podman.containers.ntfy.

Type: submodule

Declared by:

nps.stacks.ntfy.env

Additional environment variables passed to the container

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.ntfy.envFile

Environment file passed to the container. Can be used to pass secrets such as Webpush Keys. In order to enable web push support, make sure the env file contains ‘NTFY_WEB_PUSH_PUBLIC_KEY’, ‘NTFY_WEB_PUSH_PRIVATE_KEY’ & ‘NTFY_WEB_PUSH_EMAIL_ADDRESS’ variables. Keys can be generated by running podman run --rm docker.io/binwiederhier/ntfy:latest webpush keys

Type: null or absolute path

Default: null

Declared by:

nps.stacks.omnitools.enable

Whether to enable omnitools.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.omnitools.containers.omnitools

Alias of services.podman.containers.omnitools.

Type: submodule

Declared by:

nps.stacks.paperless.enable

Whether to enable paperless.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.paperless.authelia.clientSecretHash

The hashed client_secret. For examples on how to generate a client secret, see

https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret

Type: string

Declared by:

nps.stacks.paperless.authelia.registerClient

Whether to register a Paperless OIDC client in Authelia. If enabled, you need to provide a hashed secret in the client_secret option.

To enable OIDC Login for Paperless, you will have to provide the environment variables PAPERLESS_APPS and PAPERLESS_SOCIALACCOUNT_PROVIDERS, e.g. in the envFile option.

For details, see:

Type: boolean

Default: false

Declared by:

nps.stacks.paperless.containers.paperless

Alias of services.podman.containers.paperless.

Type: submodule

Declared by:

nps.stacks.paperless.containers.paperless-broker

Alias of services.podman.containers.paperless-broker.

Type: submodule

Declared by:

nps.stacks.paperless.containers.paperless-db

Alias of services.podman.containers.paperless-db.

Type: submodule

Declared by:

nps.stacks.paperless.containers.paperless-ftp

Alias of services.podman.containers.paperless-ftp.

Type: submodule

Declared by:

nps.stacks.paperless.db.envFile

Path to the env file containing the ‘POSTGRES_USER’ and ‘POSTGRES_PASSWORD’ variables

Type: absolute path

Declared by:

nps.stacks.paperless.env

Additional environment variables passed to the Paperless container

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.paperless.envFile

Path to the environment file containing the ‘PAPERLESS_DBUSER’, ‘PAPERLESS_DBPASS’ and ‘PAPERLESS_SECRET_KEY’ variables.

Type: absolute path

Declared by:

nps.stacks.paperless.ftp.enable

Whether to enable FTP server.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.paperless.ftp.envFile

Path to the env file containing the ‘FTP_PASS’ variable. Uploads to the FTP will be placed in the ‘consume’ directory to be ingested by Paperless.

Type: absolute path

Declared by:

nps.stacks.pocketid.enable

Whether to enable pocketid.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.pocketid.containers.pocketid

Alias of services.podman.containers.pocketid.

Type: submodule

Declared by:

nps.stacks.pocketid.env

Additional environment variables passed to the Pocket ID container. See https://pocket-id.org/docs/configuration/environment-variables

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.pocketid.envFile

Environment file being passed to the container. Can be used to pass additional variables such as ‘MAXMIND_LICENSE_KEY’. Refer to https://pocket-id.org/docs/configuration/environment-variables/ for a full list of available variables

Type: null or absolute path

Default: null

Declared by:

nps.stacks.pocketid.ldap.enableSynchronisation

Whether to sync users and groups from the LDAP server. Requires the LLDAP stack to be enabled.

Type: boolean

Default: config.nps.stacks.lldap.enable

Declared by:

nps.stacks.pocketid.ldap.passwordFile

The password for the LDAP user that is used when connecting to the LDAP backend.

Type: absolute path

Default: config.nps.stacks.lldap.adminPasswordFile

Declared by:

nps.stacks.pocketid.ldap.user

The username that will be used when binding to the LDAP backend.

Type: string

Default: config.nps.stacks.lldap.adminUsername

Declared by:

nps.stacks.pocketid.traefikIntegration.envFile

Environment file passed to the Traefik container. If this is set, a new pocketid middleware will be registered in Traefik. For the middleware to work, the environment file should contain the secrets ‘POCKET_ID_CLIENT_ID’, ‘POCKET_ID_CLIENT_SECRET’ & ‘OIDC_MIDDLEWARE_SECRET’.

‘POCKET_ID_CLIENT_ID’ and ‘POCKET_ID_CLIENT_SECRET’ are the credentials generated within PocketID for the Traefik client. ‘OIDC_MIDDLEWARE_SECRET’ should be a random secret.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.romm.enable

Whether to enable romm.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.romm.authelia.enable

Whether to enable OIDC login with Authelia. This will register an OIDC client in Authelia and set up the necessary environment variables in RomM.

For details, see:

Type: boolean

Default: false

Declared by:

nps.stacks.romm.authelia.clientSecretFile

Path to the file containing the client secret that will be used by RomM to authenticate against Authelia.

Type: absolute path

Declared by:

nps.stacks.romm.authelia.clientSecretHash

The hashed client_secret. Will be set in the Authelia client config. For examples on how to generate a client secret, see

https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret

Type: string

Declared by:

nps.stacks.romm.containers.romm

Alias of services.podman.containers.romm.

Type: submodule

Declared by:

nps.stacks.romm.containers.romm-db

Alias of services.podman.containers.romm-db.

Type: submodule

Declared by:

nps.stacks.romm.db.envFile

Path to the env file containing the ‘MARIADB_ROOT_PASSWORD’ and ‘MARIADB_PASSWORD’ variables.

Type: absolute path

Declared by:

nps.stacks.romm.env

Additional environment variables passed to the RomM container

See https://docs.romm.app/latest/Getting-Started/Environment-Variables/

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.romm.envFile

Path to env file containing the DB_PASSWD and the ROMM_AUTH_SECRET_KEY variables. The DB_PASSWD should match the MARIA_DB password passed in the db.envFile option.

Can optionally include more secrets and other variables, such as API_KEYS, e.g. RETROACHIEVEMENTS_API_KEY or STEAMGRIDDB_API_KEY.

See https://docs.romm.app/latest/Getting-Started/Environment-Variables/

Type: absolute path

Declared by:

nps.stacks.romm.romLibraryPath

Base path on the host where the rom library is stored.

Type: absolute path not in the Nix store

Default: "${config.nps.storageBaseDir}/romm/library"

Example: "${config.nps.externalStorageBaseDir}/romm/library"

Declared by:

nps.stacks.romm.settings

RomM settings. If set, will be mounted as the config.yml. If unset, configuration through UI is possible.

See https://docs.romm.app/latest/Getting-Started/Configuration-File/

Type: null or YAML 1.1 value

Default: null

Example:

{
  platforms = {
    gc = "ngc";
    psx = "ps";
  };
}

Declared by:

nps.stacks.romm.setupAdminUser

Whether to enable automated admin user provisioning. If enabled, an admin user will be created automatically on startup.

Make sure the file provided in the envFile option contains the variables ADMIN_USERNAME (default ‘admin’), ADMIN_PASSWORD (default ‘admin’) and ADMIN_EMAIL (default ‘admin@admin.com’).

When disabled, you will be prompted for admin user creation when visiting the RomM UI the first time.

Type: boolean

Default: false

Declared by:

nps.stacks.stirling-pdf.enable

Whether to enable stirling-pdf.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.stirling-pdf.containers.stirling-pdf

Alias of services.podman.containers.stirling-pdf.

Type: submodule

Declared by:

nps.stacks.streaming.enable

Whether to enable streaming.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.streaming.bazarr.enable

Whether to enable bazarr.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.bazarr.envFile

Path to the environment file for bazarr.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.streaming.containers.bazarr

Alias of services.podman.containers.bazarr.

Type: submodule

Declared by:

nps.stacks.streaming.containers.gluetun

Alias of services.podman.containers.gluetun.

Type: submodule

Declared by:

nps.stacks.streaming.containers.jellyfin

Alias of services.podman.containers.jellyfin.

Type: submodule

Declared by:

nps.stacks.streaming.containers.prowlarr

Alias of services.podman.containers.prowlarr.

Type: submodule

Declared by:

nps.stacks.streaming.containers.qbittorrent

Alias of services.podman.containers.qbittorrent.

Type: submodule

Declared by:

nps.stacks.streaming.containers.radarr

Alias of services.podman.containers.radarr.

Type: submodule

Declared by:

nps.stacks.streaming.containers.sonarr

Alias of services.podman.containers.sonarr.

Type: submodule

Declared by:

nps.stacks.streaming.flaresolverr.enable

Whether to enable Flaresolverr.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.gluetun.enable

Whether to enable Gluetun.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.gluetun.envFile

Path to the environment file for Gluetun. Should contain WireGuard credentials such as ‘WIREGUARD_PRIVATE_KEY’, ‘WIREGUARD_ADDRESSES’ and ‘WIREGUARD_PRESHARED_KEY’.

Type: absolute path

Declared by:

nps.stacks.streaming.gluetun.settings

Additional Gluetun configuration settings.

Type: TOML value

Declared by:

nps.stacks.streaming.gluetun.vpnProvider

The VPN provider to use with Gluetun.

Type: string

Declared by:

nps.stacks.streaming.jellyfin.enable

Whether to enable Jellyfin.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.prowlarr.enable

Whether to enable prowlarr.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.prowlarr.envFile

Path to the environment file for prowlarr.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.streaming.qbittorrent.enable

Whether to enable qBittorrent.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.qbittorrent.envFile

Path to the environment file for qBittorrent.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.streaming.radarr.enable

Whether to enable radarr.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.radarr.envFile

Path to the environment file for radarr.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.streaming.sonarr.enable

Whether to enable sonarr.

Type: boolean

Default: true

Example: true

Declared by:

nps.stacks.streaming.sonarr.envFile

Path to the environment file for sonarr.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.traefik.enable

Whether to enable Traefik. The Traefik stack ships preconfigured with a dynamic and static configuration.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.enableGrafanaAccessLogDashboard

Whether to enable Grafana Access Log Dashboard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.enableGrafanaMetricsDashboard

Whether to enable Grafana Metrics Dashboard.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.enablePrometheusExport

Whether to enable Prometheus Export.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.traefik.containers.traefik

Alias of services.podman.containers.traefik.

Type: submodule

Declared by:

nps.stacks.traefik.domain

Base domain handled by Traefik

Type: string

Declared by:

nps.stacks.traefik.dynamicConfig

Dynamic configuration for Traefik. By default, the module will set up two middlewares: private & public. The private middleware (applied by default to all services) will only allow access from internal networks. The public middleware (applied by default to all services) will allow access from the internet. It will be configured with a rate limit, security headers and a geoblock plugin (if enabled).

Type: YAML 1.1 value

Default: { }

Declared by:

nps.stacks.traefik.envFile

Path to the environment file for Traefik. Can be used to pass secrets, e.g. the API tokens for the DNS provider.

Type: absolute path

Declared by:

nps.stacks.traefik.geoblock.enable

Enable the geoblock plugin for Traefik. This will block access to the services based on the country code of the request. The plugin uses the IP2Location database to determine the country code. If enabled, the geoblock will be used in the ‘public’ middleware, allowing only requests from the allowed countries.

Type: boolean

Default: true

Declared by:

nps.stacks.traefik.geoblock.allowedCountries

List of allowed country codes (ISO 3166-1 alpha-2 format). See https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements

Type: list of string

Default: [ ]

Declared by:

nps.stacks.traefik.network.name

Network name for the Podman bridge network. Will be used by the Traefik Docker provider.

Type: string

Default: "traefik-proxy"

Declared by:

nps.stacks.traefik.staticConfig

Static configuration for Traefik. By default, for the configured domain, a wildcard certificate will be requested from Let's Encrypt and used for all services that are registered with Traefik. By default, Cloudflare with DNS challenge will be used to request the certificate. This requires the ‘CF_DNS_API_TOKEN’ environment variable to be set in the file given by the envFile option.

The DNS provider as well as any other settings can be overwritten. For an example see https://github.com/Tarow/nix-podman-stacks/blob/main/examples/traefik-dns-provider.nix

Type: YAML 1.1 value

Declared by:

nps.stacks.traefik.useSocketProxy

Whether to access the Podman socket through the read-only proxy for the traefik stack. Will be enabled by default if the ‘docker-socket-proxy’ stack is enabled.

Type: boolean

Default: config.nps.stacks.docker-socket-proxy.enable

Declared by:

nps.stacks.uptime-kuma.enable

Whether to enable uptime-kuma.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.uptime-kuma.containers.uptime-kuma

Alias of services.podman.containers.uptime-kuma.

Type: submodule

Declared by:

nps.stacks.vaultwarden.enable

Whether to enable vaultwarden.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.vaultwarden.containers.vaultwarden

Alias of services.podman.containers.vaultwarden.

Type: submodule

Declared by:

nps.stacks.vaultwarden.env

Additional environment variables passed to the container

Type: attribute set of (null or boolean or signed integer or string or absolute path or list of (null or boolean or signed integer or string or absolute path))

Default: { }

Declared by:

nps.stacks.vaultwarden.envFile

Environment file passed to the container. Can be used to pass secrets such as ‘ADMIN_TOKEN’. For a list of all environment variables, refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template

Type: null or absolute path

Default: null

Declared by:

nps.stacks.wg-easy.enable

Whether to enable wg-easy.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.wg-easy.containers.wg-easy

Alias of services.podman.containers.wg-easy.

Type: submodule

Declared by:

nps.stacks.wg-easy.envFile

Path to the environment file. Can be used to pass secrets, e.g. ‘INIT_PASSWORD’.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.wg-easy.host

The external domain or IP address of the Wireguard server. Will be used as the ‘endpoint’ when generating client configurations.

Only has an effect during initial setup. See https://wg-easy.github.io/wg-easy/v15.1/advanced/config/unattended-setup/

Type: string

Default: "vpn.${config.nps.stacks.traefik.domain}"

Declared by:

nps.stacks.wg-easy.port

The port on which the Wireguard server will listen. Will be passed as INIT_PORT during initial setup. Only has an effect during initial setup. See https://wg-easy.github.io/wg-easy/v15.1/advanced/config/unattended-setup/

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 51820

Declared by:

nps.stacks.wg-portal.enable

Whether to enable wg-portal.

Type: boolean

Default: false

Example: true

Declared by:

nps.stacks.wg-portal.containers.wg-portal

Alias of services.podman.containers.wg-portal.

Type: submodule

Declared by:

nps.stacks.wg-portal.envFile

Path to the environment file. Can be used to pass env variables such as secrets, that are used in the settings.

Type: null or absolute path

Default: null

Declared by:

nps.stacks.wg-portal.port

The default port for the first Wireguard interface that will be set up in the UI. Will be exposed and passed as the ‘start_listen_port’ setting in the configuration.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 51820

Declared by:

nps.stacks.wg-portal.settings

Settings for the wg-portal container. Will be converted to YAML and passed to the container. See https://wgportal.org/latest/documentation/configuration/overview/

Type: YAML 1.1 value

Declared by: