| options/nixos/programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| options/darwin/programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| options/nixos/services.aesmd.settings.whitelistUrl | URL to retrieve authorized Intel SGX enclave signers.
|
| options/nixos/services.grafana-to-ntfy.settings.ntfyBAuthUser | The ntfy-sh user to use for authenticating with the ntfy-sh instance
|
| options/nixos/services.glusterfs.tlsSettings.caCert | Path certificate authority used to sign the cluster certificates.
|
| options/nixos/services.prometheus.scrapeConfigs.*.azure_sd_configs.*.client_id | Optional client ID
|
| options/nixos/services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tenant_id | Optional tenant ID
|
| options/home-manager/programs.sftpman.mounts.<name>.user | The username to authenticate with.
|
| options/nixos/services.prosody.c2sRequireEncryption | Force clients to use encrypted connections? This option will
prevent clients from authenticating unless they are using encryption.
|
| options/nixos/security.pam.services.<name>.rootOK | If set, root doesn't need to authenticate (e.g. for the
useradd service).
|
| options/nixos/services.cfdyndns.apiTokenFile | The path to a file containing the API Token
used to authenticate with CloudFlare.
|
| options/home-manager/services.ssh-agent.pkcs11Whitelist | Specify a list of approved path patterns for PKCS#11 and FIDO authenticator middleware libraries
|
| options/nixos/services.openssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| options/nixos/services.cfdyndns.apikeyFile | The path to a file containing the API Key
used to authenticate with CloudFlare.
|
| options/nixos/services.aria2.rpcSecretFile | A file containing the RPC secret authorization token
|
| options/nixos/services.nbd.server.exports.<name>.allowAddresses | IPs and subnets that are authorized to connect for this device
|
| options/nixos/services.outline.smtp.username | Username to authenticate with.
|
| options/nixos/nix.buildMachines.*.sshKey | The path to the SSH private key with which to authenticate on
the build machine
|
| options/home-manager/nix.buildMachines.*.sshKey | The path to the SSH private key with which to authenticate on
the build machine
|
| options/darwin/nix.buildMachines.*.sshKey | The path to the SSH private key with which to authenticate on
the build machine
|
| options/nixos/services.headscale.settings.oidc.pkce.enabled | Enable or disable PKCE (Proof Key for Code Exchange) support
|
| options/nixos/services.prometheus.scrapeConfigs.*.azure_sd_configs.*.client_secret | Optional client secret
|
| options/nixos/services.cjdns.ETHInterface.connectTo.<name>.password | Authorized password to the opposite end of the tunnel.
|
| options/nixos/services.cjdns.UDPInterface.connectTo.<name>.password | Authorized password to the opposite end of the tunnel.
|
| options/home-manager/programs.git.signing.key | The default signing key fingerprint
|
| options/nixos/security.pam.services.<name>.mysqlAuth | If set, the pam_mysql module will be used to
authenticate users against a MySQL/MariaDB database.
|
| options/nixos/services.mastodon.elasticsearch.user | Used for optionally authenticating with Elasticsearch.
|
| options/nixos/services.mqtt2influxdb.mqtt.cafile | Certification Authority file for MQTT
|
| options/nixos/services.outline.smtp.passwordFile | File path containing the password to authenticate with.
|
| options/nixos/services.kubernetes.kubeconfig.caFile | Default kubeconfig certificate authority file used to connect to kube-apiserver.
|
| options/nixos/services.murmur.clientCertRequired | Whether to enable requiring clients to authenticate via certificates.
|
| options/nixos/services.lldap.enable | Whether to enable lldap, a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication.
|
| options/nixos/programs.light.brightnessKeys.minBrightness | The minimum authorized brightness value, e.g. to avoid the
display going dark.
|
| options/nixos/services.suwayomi-server.settings.server.basicAuthUsername | The username value that you have to provide when authenticating.
|
| options/home-manager/programs.sbt.credentials.*.user | The user you're using to authenticate.
|
| options/nixos/services.isso.enable | Whether to enable isso, a commenting server similar to Disqus
|
| options/nixos/security.pam.services.<name>.rssh | If set, the calling user's SSH agent is used to authenticate
against the configured keys
|
| options/nixos/services.kubernetes.proxy.kubeconfig.caFile | Kubernetes proxy certificate authority file used to connect to kube-apiserver.
|
| options/nixos/services.suwayomi-server.settings.server.basicAuthPasswordFile | The password file containing the value that you have to provide when authenticating.
|
| options/nixos/services.sssd.sshAuthorizedKeysIntegration | Whether to make sshd look up authorized keys from SSS
|
| options/nixos/services.oncall.secretFile | A YAML file containing secrets such as database or user passwords
|
| options/nixos/services.headscale.settings.oidc.extra_params | Custom query parameters to send with the Authorize Endpoint request.
|
| options/nixos/services.kubernetes.kubelet.kubeconfig.caFile | Kubelet certificate authority file used to connect to kube-apiserver.
|
| options/nixos/services.tailscaleAuth.socketPath | Path of the socket listening to authorization requests.
|
| options/nixos/users.ldap.loginPam | Whether to include authentication against LDAP in login PAM.
|
| options/nixos/services.mastodon.elasticsearch.passwordFile | Path to file containing password for optionally authenticating with Elasticsearch.
|
| options/nixos/services.meme-bingo-web.enable | Whether to enable a web app for the meme bingo, rendered entirely on the web server and made interactive with forms
|
| options/nixos/services.hickory-dns.settings.zones.*.zone_type | One of:
- "Primary" (the master, authority for the zone).
- "Secondary" (the slave, replicated from the primary).
- "External" (a cached zone that queries other nameservers)
|
| options/nixos/services.prometheus.exporters.unbound.unbound.ca | Path to the Unbound server certificate authority
|
| options/nixos/services.firezone.server.smtp.username | Username to authenticate against the SMTP relay
|
| options/nixos/services.matrix-appservice-irc.settings.ircService.mediaProxy.signingKeyPath | Path to the signing key file for authenticated media.
|
| options/nixos/services.kubernetes.controllerManager.rootCaFile | Kubernetes controller manager certificate authority file included in
service account's token secret.
|
| options/nixos/services.nextcloud.settings.mail_smtpname | This depends on mail_smtpauth
|
| options/nixos/services.cloudflared.tunnels.<name>.originRequest.caPool | Path to the certificate authority (CA) for the certificate of your origin
|
| options/nixos/services.murmur.registerPassword | Public server registry password, used authenticate your
server to the registry to prevent impersonation; required for
subsequent registry updates.
|
| options/nixos/users.ldap.enable | Whether to enable authentication against an LDAP server.
|
| options/nixos/services.dependency-track.settings."alpine.database.username" | Specifies the username to use when authenticating to the database.
|
| options/nixos/services.redis.servers.<name>.masterAuth | If the master is password protected (using the requirePass configuration)
it is possible to tell the slave to authenticate before starting the replication synchronization
process, otherwise the master will refuse the slave request.
(STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
|
| options/nixos/services.crowdsec-firewall-bouncer.registerBouncer.enable | Whether to automatically register the bouncer to the locally running
crowdsec service
|
| options/nixos/services.rkvm.client.settings.password | Shared secret token to authenticate the client
|
| options/nixos/services.rkvm.server.settings.password | Shared secret token to authenticate the client
|
| options/nixos/services.bacula-fd.director.<name>.password | Specifies the password that must be supplied for the default Bacula
Console to be authorized
|
| options/nixos/services.bacula-sd.director.<name>.password | Specifies the password that must be supplied for the default Bacula
Console to be authorized
|
| options/nixos/services.kubernetes.scheduler.kubeconfig.caFile | Kubernetes scheduler certificate authority file used to connect to kube-apiserver.
|
| options/nixos/services.neo4j.ssl.policies.<name>.allowKeyGeneration | Allows the generation of a private key and associated self-signed
certificate
|
| options/nixos/users.mysql.enable | Whether to enable authentication against a MySQL/MariaDB database.
|
| options/nixos/security.soteria.enable | Whether to enable Soteria, a Polkit authentication agent
for any desktop environment.
You should only enable this if you are on a Desktop Environment that
does not provide a graphical polkit authentication agent, or you are on
a standalone window manager or Wayland compositor.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.local | Section for a local authentication round
|
| options/nixos/services.blackfire-agent.settings.server-id | Sets the server id used to authenticate with Blackfire
You can find your personal server-id at https://blackfire.io/my/settings/credentials
|
| options/nixos/services.prometheus.remoteWrite.*.sigv4.profile | The named AWS profile used to authenticate.
|
| options/nixos/services.vsftpd.userDbPath | Only applies if enableVirtualUsers is true
|
| options/nixos/services.blackfire-agent.settings.server-token | Sets the server token used to authenticate with Blackfire
You can find your personal server-token at https://blackfire.io/my/settings/credentials
|
| options/nixos/services.biboumi.settings.password | The password used to authenticate the XMPP component to your XMPP server
|
| options/nixos/services.kubernetes.controllerManager.kubeconfig.caFile | Kubernetes controller manager certificate authority file used to connect to kube-apiserver.
|
| options/home-manager/programs.floorp.profiles.<name>.extensions.exactPermissions | When enabled,
programs.floorp.profiles.<profile>.extensions.settings.<extensionID>.permissions
must specify the exact set of permissions that the
extension will request
|
| options/nixos/networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| options/home-manager/programs.firefox.profiles.<name>.extensions.exactPermissions | When enabled,
programs.firefox.profiles.<profile>.extensions.settings.<extensionID>.permissions
must specify the exact set of permissions that the
extension will request
|
| options/home-manager/programs.floorp.profiles.<name>.extensions.exhaustivePermissions | When enabled, the user must authorize requested
permissions for all extensions from
programs.floorp.profiles.<profile>.extensions.packages
in
programs.floorp.profiles.<profile>.extensions.settings.<extensionID>.permissions
|
| options/home-manager/programs.firefox.profiles.<name>.extensions.exhaustivePermissions | When enabled, the user must authorize requested
permissions for all extensions from
programs.firefox.profiles.<profile>.extensions.packages
in
programs.firefox.profiles.<profile>.extensions.settings.<extensionID>.permissions
|
| options/nixos/services.prometheus.exporters.mqtt.mqttUsername | Username which should be used to authenticate against the MQTT broker.
|
| options/home-manager/programs.librewolf.profiles.<name>.extensions.exactPermissions | When enabled,
programs.librewolf.profiles.<profile>.extensions.settings.<extensionID>.permissions
must specify the exact set of permissions that the
extension will request
|
| options/nixos/networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| options/nixos/networking.openconnect.interfaces.<name>.user | Username to authenticate with.
|
| options/nixos/services.howdy.enable | Whether to enable Howdy and its PAM module for face recognition
|
| options/nixos/users.mysql.pam.statusColumn | The name of the column or an SQL expression that indicates the status of
the user
|
| options/home-manager/programs.librewolf.profiles.<name>.extensions.exhaustivePermissions | When enabled, the user must authorize requested
permissions for all extensions from
programs.librewolf.profiles.<profile>.extensions.packages
in
programs.librewolf.profiles.<profile>.extensions.settings.<extensionID>.permissions
|
| options/nixos/programs.ssh.macs | Specifies the MAC (message authentication code) algorithms in order of preference
|
| options/nixos/services.postgrest.jwtSecretFile | The secret or JSON Web Key (JWK) (or set) used to decode JWT tokens clients provide for authentication
|
| options/nixos/services.bitwarden-directory-connector-cli.ldap.username | The user to authenticate as.
|
| options/nixos/networking.supplicant | Interfaces for which to start wpa_supplicant
|
| options/nixos/services.db-rest.redis.user | Optional username used for authentication with redis.
|
| options/nixos/services.firezone.server.provision.accounts.<name>.actors.<name>.email | The email address used to authenticate as this account
|
| options/nixos/networking.openconnect.interfaces.<name>.privateKey | Private key to authenticate with.
|
| options/nixos/services.tt-rss.email.login | SMTP authentication login used when sending outgoing mail.
|
| options/nixos/services.ncps.netrcFile | The path to netrc file for upstream authentication
|
| options/nixos/services.headscale.settings.oidc.allowed_users | Users allowed to authenticate even if not in allowedDomains.
|
| options/nixos/services.prometheus.exporters.klipper.moonrakerApiKey | API Key to authenticate with the Moonraker APIs
|
| options/nixos/services.etcd.clientCertAuth | Whether to use certs for client authentication
|
| options/nixos/services.opkssh.enable | Whether to enable OpenID Connect SSH authentication.
|
| options/nixos/services.crowdsec-firewall-bouncer.settings.api_key | API key to authenticate with a local crowdsec API
|