| options/nixos/security.acme.defaults | Default values inheritable by all configured certs
|
| options/nixos/security.acme.certs | Attribute set of certificates to get signed and renewed
|
| options/nixos/security.acme.certs.<name>.inheritDefaults | Whether to inherit values set in security.acme.defaults or not.
|
| options/nixos/services.reposilite.useACMEHost | Host of an existing Let's Encrypt certificate to use for SSL
|
| options/nixos/security.acme.certs.<name>.csr | Path to a certificate signing request to apply when fetching the certificate.
|
| options/nixos/security.acme.certs.<name>.csrKey | Path to the private key to the matching certificate signing request.
|
| options/nixos/security.acme.certs.<name>.group | Group running the ACME client.
|
| options/nixos/security.acme.certs.<name>.keyType | Key type to use for private keys
|
| options/nixos/security.acme.certs.<name>.postRun | Commands to run after new certificates go live
|
| options/nixos/security.acme.certs.<name>.email | Email address for account creation and correspondence from the CA
|
| options/nixos/security.acme.certs.<name>.domain | Domain to fetch certificate for (defaults to the entry name).
|
| options/nixos/security.acme.certs.<name>.validMinDays | Minimum remaining validity before renewal in days.
|
| options/nixos/security.acme.certs.<name>.s3Bucket | S3 bucket name to use for HTTP-01 based challenges
|
| options/nixos/security.acme.certs.<name>.server | ACME Directory Resource URI
|
| options/nixos/security.acme.certs.<name>.profile | The certificate profile to choose if the CA offers multiple profiles.
|
| options/nixos/security.acme.certs.<name>.listenHTTP | Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT
|
| options/nixos/security.acme.certs.<name>.extraLegoFlags | Additional global flags to pass to all lego commands.
|
| options/nixos/security.acme.certs.<name>.webroot | Where the webroot of the HTTP vhost is located.
A .well-known/acme-challenge/ directory
will be created below the webroot if it doesn't exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
|
| options/nixos/security.acme.certs.<name>.extraLegoRunFlags | Additional flags to pass to lego run.
|
| options/nixos/security.acme.certs.<name>.ocspMustStaple | Turns on the OCSP Must-Staple TLS extension
|
| options/nixos/security.acme.certs.<name>.enableDebugLogs | Whether to enable debug logging for this certificate.
|
| options/nixos/security.acme.certs.<name>.extraLegoRenewFlags | Additional flags to pass to lego renew.
|
| options/nixos/security.acme.certs.<name>.extraDomainNames | A list of extra domain names, which are included in the one certificate to be issued.
|
| options/nixos/security.acme.certs.<name>.dnsProvider | DNS Challenge provider
|
| options/nixos/security.acme.certs.<name>.dnsResolver | Set the resolver to use for performing recursive DNS queries
|
| options/nixos/security.acme.certs.<name>.directory | Directory where certificate and other state is stored.
|
| options/nixos/security.acme.certs.<name>.renewInterval | Systemd calendar expression specifying when to check for renewal
|
| options/nixos/security.acme.certs.<name>.reloadServices | The list of systemd services to call systemctl try-reload-or-restart
on.
|
| options/nixos/security.acme.certs.<name>.credentialFiles | Environment variables suffixed by "_FILE" to set for the cert's service
for your selected dnsProvider
|
| options/nixos/security.acme.certs.<name>.environmentFile | Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider
|
| options/nixos/security.acme.certs.<name>.dnsPropagationCheck | Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available.
|
| options/nixos/services.etcd.certFile | Cert file to use for clients
|
| options/nixos/services.coturn.cert | Certificate file in PEM format.
|
| options/nixos/services.prosody.ssl.cert | Path to the certificate file.
|
| options/nixos/services.documize.cert | The cert.pem file used for https.
|
| options/nixos/services.pgmanage.tls.cert | TLS certificate
|
| options/nixos/services.flannel.etcd.certFile | Etcd cert file
|
| options/nixos/services.ttyd.certFile | SSL certificate file path.
|
| options/nixos/services.kubernetes.pki.certs | List of certificate specs to feed to cert generator.
|
| options/nixos/services.public-inbox.imap.cert | Path to TLS certificate to use for connections to public-inbox-imapd(1).
|
| options/nixos/services.public-inbox.nntp.cert | Path to TLS certificate to use for connections to public-inbox-nntpd(1).
|
| options/nixos/services.synergy.server.tls.cert | The TLS certificate to use for encryption.
|
| options/darwin/services.synergy.client.tls.cert | The TLS certificate to use for encryption.
|
| options/darwin/services.synergy.server.tls.cert | The TLS certificate to use for encryption.
|
| options/nixos/services.certspotter.startAtEnd | Whether to skip certificates issued before the first launch of Cert Spotter
|
| options/home-manager/services.syncthing.cert | Path to the cert.pem file, which will be copied into Syncthing's
config directory.
|
| options/home-manager/services.podman.images.<name>.certDir | Path of certificates (*.{crt,cert,key}) used to connect to registry.
|
| options/nixos/services.syncthing.cert | Path to the cert.pem file, which will be copied into Syncthing's
configDir.
|
| options/nixos/services.nebula.networks.<name>.cert | Path to the host certificate.
|
| options/nixos/services.movim.h2o.acme.useHost | An existing Let’s Encrypt certificate to use for this virtual
host
|
| options/nixos/services.galene.certFile | Path to the server's certificate
|
| options/nixos/services.h2o.hosts.<name>.acme.useHost | An existing Let’s Encrypt certificate to use for this virtual
host
|
| options/nixos/services.llama-swap.tls.certFile | Path to the TLS certificate file
|
| options/nixos/services.prosody.virtualHosts.<name>.ssl.cert | Path to the certificate file.
|
| options/nixos/security.tpm2.fapi.ekCertLess | A switch to disable Endorsement Key (EK) certificate verification
|
| options/nixos/services.certspotter.enable | Whether to enable Cert Spotter, a Certificate Transparency log monitor.
|
| options/nixos/services.gns3-server.ssl.certFile | Path to the SSL certificate file
|
| options/nixos/services.certspotter.extraFlags | Extra command-line arguments to pass to Cert Spotter
|
| options/nixos/services.syncplay.certDir | TLS certificates directory to use for encryption
|
| options/nixos/services.dolibarr.h2o.acme.useHost | An existing Let’s Encrypt certificate to use for this virtual
host
|
| options/nixos/services.journald.gateway.cert | The path to a file or AF_UNIX stream socket to read the server
certificate from
|
| options/nixos/services.molly-brown.certPath | Path to TLS certificate
|
| options/nixos/services.taskserver.pki.manual.ca.cert | Fully qualified path to the CA certificate.
Setting this option will prevent automatic CA creation and handling.
|
| options/nixos/services.stargazer.certOrg | The name of the organization responsible for the X.509
certificate's /O name.
|
| options/nixos/services.ghostunnel.servers.<name>.cert | Path to certificate (PEM with certificate chain)
|
| options/nixos/services.doh-server.useACMEHost | A host of an existing Let's Encrypt certificate to use.
Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using security.acme.certs.
|
| options/nixos/services.thanos.rule.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| options/nixos/services.maddy.tls.certificates.*.certPath | Path to the certificate used for TLS.
|
| options/nixos/services.thanos.query.grpc-client-tls-cert | TLS Certificates to use to identify this client to the server
|
| options/nixos/services.cockroachdb.certsDir | The path to the certificate directory.
|
| options/nixos/services.gitlab.registry.certFile | Path to GitLab container registry certificate.
|
| options/nixos/services.thanos.query.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| options/nixos/services.thanos.store.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| options/nixos/services.athens.storage.mongo.certPath | Path to the certificate file for the mongo database.
|
| options/nixos/services.taskserver.pki.manual.server.cert | Fully qualified path to the server certificate.
Setting this option will prevent automatic CA creation and handling.
|
| options/nixos/services.kubernetes.apiserver.etcd.certFile | Etcd cert file.
|
| options/nixos/services.privoxy.certsLifetime | If inspectHttps is enabled, the time generated HTTPS
certificates will be stored in a temporary directory for reuse
|
| options/nixos/services.komodo-periphery.ssl.certFile | Path to SSL certificate file.
|
| options/nixos/services.prometheus.exporters.node-cert.group | Group under which the node-cert exporter shall be run.
|
| options/nixos/services.thanos.sidecar.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| options/nixos/services.thanos.receive.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| options/nixos/services.prometheus.exporters.node-cert.enable | Whether to enable the prometheus node-cert exporter.
|
| options/nixos/services.davis.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.movim.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.slskd.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.snipe-it.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.prometheus.exporters.node-cert.extraFlags | Extra commandline options to pass to the node-cert exporter.
|
| options/nixos/services.akkoma.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.gancio.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.fluidd.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.matomo.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/services.monica.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| options/nixos/programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| options/darwin/programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| options/nixos/services.librespeed.useACMEHost | Use a certificate generated by the NixOS ACME module for the given host
|
| options/nixos/services.stargazer.certLifetime | How long certs generated by Stargazer should live for
|
| options/nixos/services.portunus.ldap.tls | Whether to enable LDAPS protocol
|
| options/nixos/services.certspotter.hooks | Scripts to run upon the detection of a new certificate
|
| options/nixos/security.ipa.certificate | IPA server CA certificate
|
| options/nixos/services.sourcehut.settings."pages.sr.ht".gemini-certs | An absolute file path (which should be outside the Nix-store)
to Gemini certificates.
|