| options/nixos/services.sourcehut.settings."sr.ht".network-key | An absolute file path (which should be outside the Nix-store)
to a secret key to encrypt internal messages with
|
| options/nixos/services.matrix-synapse.settings.media_store_path | Directory where uploaded images and attachments are stored.
|
| options/nixos/services.hostapd.radios.<name>.networks.<name>.macAllow | Specifies the MAC addresses to allow if macAcl is set to "allow" or "radius"
|
| options/nixos/services.mjolnir.pantalaimon.options.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| options/nixos/services.kanidm.provision.idmAdminPasswordFile | Path to a file containing the idm admin password for kanidm
|
| options/nixos/services.keycloak.settings | Configuration options corresponding to parameters set in
conf/keycloak.conf
|
| options/nixos/networking.wireless.networks.<name>.psk | The network's pre-shared key in plaintext. If unset, the network
defaults to one without any authentication.
Be aware that this will be written to the Nix store
in plaintext! Use pskRaw with an external
reference to keep it safe.
Mutually exclusive with pskRaw.
|
| options/nixos/services.duplicati.parameters | This option can be used to store some or all of the options given to the
commandline client
|
| options/nixos/services.openssh.knownHosts.<name>.publicKeyFile | The path to the public key file for the host
|
| options/nixos/services.druid.historical.segmentLocations | Locations where the historical will store its data.
|
| options/nixos/services.snips-sh.environmentFile | Additional environment file as defined in systemd.exec(5)
|
| options/nixos/services.sourcehut.settings.objects.s3-secret-key | An absolute file path (which should be outside the Nix-store)
to the secret key of the S3-compatible object storage service.
|
| options/nixos/services.rustus.info_storage | Info storages are used to store information about file uploads
|
| options/nixos/security.pki.caCertificateBlacklist | A list of blacklisted CA certificate names that won't be imported from
the Mozilla Trust Store into
/etc/ssl/certs/ca-certificates.crt
|
| options/darwin/security.pki.caCertificateBlacklist | A list of blacklisted CA certificate names that won't be imported from
the Mozilla Trust Store into
/etc/ssl/certs/ca-certificates.crt
|
| options/nixos/services.limesurvey.encryptionKeyFile | 32-byte key used to encrypt variables in the database
|
| options/nixos/services.cockroachdb.maxSqlMemory | The maximum in-memory storage capacity available to store temporary
data for SQL queries
|
| options/nixos/services.hercules-ci-agent.settings.secretsJsonPath | Path to a JSON file containing secrets for effects
|
| options/darwin/services.hercules-ci-agent.settings.secretsJsonPath | Path to a JSON file containing secrets for effects
|
| options/nixos/services.thanos.query-frontend.tracing.config | Tracing configuration
|
| options/nixos/services.telegraf.environmentFiles | File to load as environment file
|
| options/nixos/services.wstunnel.clients.<name>.httpProxy | Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing PROXY_PASSWORD=<your-password-here> and set
this option to <user>:$PROXY_PASSWORD@<host>:<port>
|
| options/nixos/services.grafana.provision.alerting.rules.path | Path to YAML rules configuration
|
| options/nixos/services.munin-node.extraAutoPlugins | Additional Munin plugins to autoconfigure, using
munin-node-configure --suggest
|
| options/nixos/services.mediawiki.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| options/nixos/services.limesurvey.virtualHost.documentRoot | The path of Apache's document root directory
|
| options/home-manager/programs.borgmatic.backups.<name>.location.excludeHomeManagerSymlinks | Whether to exclude Home Manager generated symbolic links from
the backups
|
| options/nixos/services.anubis.defaultOptions.policy.settings | Additional policy settings merged into the policy file
|
| options/nixos/services.glitchtip.environmentFiles | Files to load environment variables from in addition to services.glitchtip.settings
|
| options/nixos/services.caddy.environmentFile | Environment file as defined in systemd.exec(5)
|
| options/nixos/services.authelia.instances.<name>.secrets | It is recommended you keep your secrets separate from the configuration
|
| options/nixos/services.cadvisor.storageDriverPassword | Cadvisor storage driver password
|
| options/nixos/services.mailpit.instances.<name>.database | Specify the local database filename to store persistent data
|
| options/nixos/services.ocis.environment | Extra config options
|
| options/nixos/services.druid.historical.segmentLocations.*.path | The path to store the segments
|
| options/nixos/services.stash.settings.blobs_storage | Where to store blobs
|
| options/nixos/services.yggdrasil.settings.PrivateKeyPath | Path to the private key file on the host system
|
| options/nixos/services.thanos.query.query.auto-downsampling | Enable automatic adjustment (step / 5) to what source of data should
be used in store gateways if no
max_source_resolution param is specified.
|
| options/nixos/services.duplicati.parametersFile | This file can be used to store some or all of the options given to the
commandline client
|
| options/nixos/services.workout-tracker.environmentFile | An environment file as defined in systemd.exec(5)
|
| options/nixos/services.limesurvey.encryptionNonceFile | 24-byte nonce used to encrypt variables in the database
|
| options/nixos/services.anubis.instances.<name>.policy.settings | Additional policy settings merged into the policy file
|
| options/nixos/services.hercules-ci-agent.settings.binaryCachesPath | Path to a JSON file containing binary cache secret keys
|
| options/darwin/services.hercules-ci-agent.settings.binaryCachesPath | Path to a JSON file containing binary cache secret keys
|
| options/nixos/services.libeufin.nexus.settings.nexus-ebics.BANK_PUBLIC_KEYS_FILE | Filesystem location where Nexus should store the bank public keys.
|
| options/nixos/virtualisation.nixStore9pCache | Type of 9p cache to use when mounting host nix store. "none" provides
no caching. "loose" enables Linux's local VFS cache. "fscache" uses Linux's
fscache subsystem
|
| options/nixos/services.traccar.environmentFile | File containing environment variables to substitute in the configuration before starting Traccar
|
| options/nixos/services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| options/nixos/services.victoriatraces.stateDir | Directory below /var/lib to store VictoriaTraces data
|
| options/nixos/networking.wireless.networks.<name>.auth | Use this option to configure advanced authentication methods
like EAP
|
| options/nixos/services.wordpress.sites.<name>.virtualHost.documentRoot | The path of Apache's document root directory
|
| options/nixos/services.influxdb2.provision.initialSetup.tokenFile | API Token to set for the admin user
|
| options/nixos/services.mautrix-signal.environmentFile | File containing environment variables to be passed to the mautrix-signal service
|
| options/nixos/services.gitlab.secrets.activeRecordPrimaryKeyFile | A file containing the secret used to encrypt some rails data
in the DB
|
| options/nixos/services.xtreemfs.dir.replication.extraConfig | Configuration of XtreemFS DIR replication plugin
|
| options/nixos/services.xtreemfs.mrc.replication.extraConfig | Configuration of XtreemFS MRC replication plugin
|
| options/nixos/virtualisation.writableStoreUseTmpfs | Use a tmpfs for the writable store instead of writing to the VM's
own filesystem.
|
| options/nixos/services.reposilite.settings.keyPassword | Plaintext password used to unlock the Java KeyStore set in services.reposilite.settings.keyPath
|
| options/nixos/services.grafana.provision.dashboards.path | Path to YAML dashboard configuration
|
| options/nixos/system.forbiddenDependenciesRegexes | POSIX Extended Regular Expressions that match store paths that
should not appear in the system closure, with the exception of system.extraDependencies, which is not checked.
|
| options/nixos/services.nullmailer.config.remotes | A list of remote servers to which to send each message
|
| options/nixos/services.thanos.downsample.tracing.config | Tracing configuration
|
| options/nixos/services.murmur.environmentFile | Environment file as defined in systemd.exec(5)
|
| options/nixos/services.limesurvey.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| options/nixos/services.matrix-hookshot.registrationFile | Appservice registration file
|
| options/nixos/services.sourcehut.settings.mail.pgp-privkey | An absolute file path (which should be outside the Nix-store)
to an OpenPGP private key
|
| options/nixos/services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.password | The password for this entry
|
| options/nixos/boot.initrd.network.openvpn.configuration | The configuration file for OpenVPN.
Unless your bootloader supports initrd secrets, this configuration
is stored insecurely in the global Nix store.
|
| options/nixos/services.pinchflat.secretsFile | Secrets like SECRET_KEY_BASE and BASIC_AUTH_PASSWORD
should be passed to the service without adding them to the world-readable Nix store
|
| options/home-manager/accounts.email.accounts.<name>.mujmap.settings.cache_dir | The cache directory in which to store mail files while they are being
downloaded
|
| options/nixos/services.prometheus.pushgateway.stateDir | Directory below /var/lib to store metrics
|
| options/nixos/services.bluesky-pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| options/nixos/services.prometheus.exporters.py-air-control.stateDir | Directory below /var/lib to store runtime data
|
| options/nixos/services.archisteamfarm.dataDir | The ASF home directory used to store all data
|
| options/nixos/services.sourcehut.settings."meta.sr.ht::billing".stripe-secret-key | An absolute file path (which should be outside the Nix-store)
to a secret key for Stripe
|
| options/nixos/services.restic.backups.<name>.rcloneConfig | Configuration for the rclone remote being used for backup
|
| options/nixos/services.chatgpt-retrieval-plugin.qdrantCollection | Name of the qdrant collection used to store documents.
|
| options/nixos/services.grafana.provision.alerting.muteTimings.path | Path to YAML mute timings configuration
|
| options/nixos/services.step-ca.intermediatePasswordFile | Path to the file containing the password for the intermediate
certificate private key.
Make sure to use a quoted absolute path instead of a path literal
to prevent it from being copied to the globally readable Nix
store.
|
| options/nixos/services.kanidm.provision.systems.oauth2.<name>.basicSecretFile | The basic secret to use for this service
|
| options/nixos/services.sourcehut.settings."sr.ht".service-key | An absolute file path (which should be outside the Nix-store)
to a key used for encrypting session cookies
|
| options/nixos/services.paperless.environmentFile | Path to a file containing extra paperless config options in the systemd EnvironmentFile
format
|
| options/nixos/services.libeufin.nexus.settings.nexus-ebics.CLIENT_PRIVATE_KEYS_FILE | Filesystem location where Nexus should store the subscriber private keys.
|
| options/nixos/services.grafana.provision.alerting.policies.path | Path to YAML notification policies configuration
|
| options/nixos/services.grafana.provision.datasources.path | Path to YAML datasource configuration
|
| options/nixos/services.hercules-ci-agent.settings.clusterJoinTokenPath | Location of the cluster-join-token.key file
|
| options/darwin/services.hercules-ci-agent.settings.clusterJoinTokenPath | Location of the cluster-join-token.key file
|
| options/nixos/services.mautrix-whatsapp.environmentFile | File containing environment variables to be passed to the mautrix-whatsapp service
|
| options/nixos/systemd.services.<name>.confinement.fullUnit | Whether to include the full closure of the systemd unit file into the
chroot, instead of just the dependencies for the executables.
While it may be tempting to just enable this option to
make things work quickly, please be aware that this might add paths
to the closure of the chroot that you didn't anticipate
|
| options/nixos/services.victoriametrics.stateDir | Directory below /var/lib to store VictoriaMetrics metrics data
|
| options/nixos/networking.wireless.secretsFile | File consisting of lines of the form varname=value
to define variables for the wireless configuration
|
| options/nixos/networking.wireless.networks.<name>.pskRaw | Either the raw pre-shared key in hexadecimal format
or the name of the secret (as defined inside
networking.wireless.secretsFile and prefixed
with ext:) containing the network pre-shared key.
Be aware that this will be written to the Nix store
in plaintext! Always use an external reference.
The external secret can be either the plaintext
passphrase or the raw pre-shared key.
Mutually exclusive with psk and auth.
|
| options/nixos/services.suricata.settings.outputs | Configure the type of alert (and other) logging you would like
|
| options/nixos/services.pantalaimon-headless.instances.<name>.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| options/nixos/services.grafana.provision.alerting.contactPoints.path | Path to YAML contact points configuration
|
| options/nixos/virtualisation.podman.networkSocket.tls.key | Path to the private key corresponding to the server certificate
|
| options/nixos/services.immichframe.settings.Accounts.*.ApiKey | API key to talk to the Immich server
|
| options/nixos/services.grafana.provision.alerting.templates.path | Path to YAML templates configuration
|
| options/nixos/services.tarsnap.keyfile | The keyfile which associates this machine with your tarsnap
account
|
| options/nixos/services.tarsnap.archives.<name>.keyfile | Set a specific keyfile for this archive
|