| nix.settings.trusted-public-keys | List of public keys used to sign binary caches
|
| nix.settings.require-sigs | If enabled (the default), Nix will only download binaries from binary caches if
they are cryptographically signed with any of the keys listed in
nix.settings.trusted-public-keys
|
| nix.sshServe.keys | A list of SSH public keys allowed to access the binary cache via SSH.
|
| services.ncdns.dnssec.keys.public | Path to the file containing the KSK public key
|
| services.zeyple.keys | List of public key files that will be imported by gpg.
|
| users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| services.ncps.upstream.publicKeys | A list of public keys of upstream caches in the format
host[-[0-9]*]:public-key
|
| programs.ssh.knownHosts.<name>.publicKeyFile | The path to the public key file for the host
|
| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| services.ncps.cache.upstream.publicKeys | A list of public keys of upstream caches in the format
host[-[0-9]*]:public-key
|
| services.openssh.knownHosts.<name>.publicKeyFile | The path to the public key file for the host
|
| services.ncdns.dnssec.keys.zonePublic | Path to the file containing the ZSK public key
|
| services.userdbd.enableSSHSupport | Whether to enable exposing OpenSSH public keys defined in userdb
|
| nix.sshServe.trusted | Whether to add nix-ssh to the nix.settings.trusted-users
|
| services.sourcehut.settings."meta.sr.ht::billing".stripe-public-key | Public key for Stripe
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.pubkeys | List of raw public key candidates to use for
authentication
|
| services.movim.h2o.acme.root | Directory for the ACME challenge, which is public
|
| services.davis.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.slskd.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.movim.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.snipe-it.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.h2o.hosts.<name>.acme.root | Directory for the ACME challenge, which is public
|
| services.akkoma.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.gancio.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.fluidd.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.matomo.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.monica.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.rosenpass.settings.public_key | Path to a file containing the public key of the local Rosenpass peer
|
| services.dolibarr.h2o.acme.root | Directory for the ACME challenge, which is public
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.pubkeys | List of raw public keys to accept for
authentication
|
| services.fediwall.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.kanboard.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.dolibarr.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.librenms.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.agorakit.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.pixelfed.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.mainsail.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.moodle.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.nagios.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.radicle.httpd.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.anuko-time-tracker.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.httpd.virtualHosts.<name>.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.nginx.virtualHosts.<name>.acmeRoot | Directory for the ACME challenge, which is public
|
| services.bookstack.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| services.jirafeau.nginxConfig.acmeRoot | Directory for the ACME challenge, which is public
|
| services.cryptpad.settings.adminKeys | List of public signing keys of users that can access the admin panel
|
| users.extraUsers.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| services.zabbixWeb.httpd.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.zabbixWeb.nginx.virtualHost.acmeRoot | Directory for the ACME challenge, which is public
|
| services.drupal.sites.<name>.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.fwupd.extraTrustedKeys | Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files
|
| services.borgbackup.repos.<name>.authorizedKeys | Public SSH keys that are given full write access to this repository
|
| services.guix.publish.generateKeyPair | Whether to generate signing keys in /etc/guix which are
required to initialize a substitute server
|
| services.fedimintd.<name>.nginx.config.acmeRoot | Directory for the ACME challenge, which is public
|
| services.borgbackup.repos | Serve BorgBackup repositories to given public SSH keys,
restricting their access to the repository only
|
| services.neo4j.ssl.policies.<name>.allowKeyGeneration | Allows the generation of a private key and associated self-signed
certificate
|
| services.limesurvey.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.kubernetes.pki.caCertPathPrefix | Path-prefix for the CA-certificate to be used for cfssl signing
|
| services.mediawiki.httpd.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.wordpress.sites.<name>.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.limesurvey.httpd.virtualHost.acmeRoot | Directory for the acme challenge which is PUBLIC, don't put certs or keys in here
|
| services.limesurvey.nginx.virtualHost.acmeRoot | Directory for the ACME challenge, which is public
|
| services.openssh.authorizedKeysCommand | Specifies a program to be used to look up the user's public
keys
|
| services.yggdrasil.settings.AllowedPublicKeys | List of peer public keys to allow incoming peering connections from
|
| services.kubernetes.apiserver.serviceAccountKeyFile | File containing PEM-encoded x509 RSA or ECDSA private or public keys,
used to verify ServiceAccount tokens
|
| services.libeufin.nexus.settings.nexus-ebics.BANK_PUBLIC_KEYS_FILE | Filesystem location where Nexus should store the bank public keys.
|
| services.misskey.reverseProxy.webserver.nginx.acmeRoot | Directory for the ACME challenge, which is public
|
| services.nsd.keys | Define your TSIG keys here.
|
| security.pam.rssh.settings.auth_key_file | Path to file with trusted public keys in OpenSSH's authorized_keys format
|
| nix.settings.allowed-users | A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon
|
| nix.buildMachines.*.sshUser | The username to log in as on the remote host
|
| services.matrix-tuwunel.settings.global.trusted_servers | Servers listed here will be used to gather public keys of other servers
(notary trusted key servers)
|
| services.borgbackup.repos.<name>.authorizedKeysAppendOnly | Public SSH keys that can only be used to append new data (archives) to the repository
|
| nix.buildMachines.*.publicHostKey | The (base64-encoded) public host key of this builder
|
| services.public-inbox.path | Additional packages to place in the path of public-inbox-mda,
public-inbox-watch, etc.
|
| services.matrix-continuwuity.settings.global.trusted_servers | Servers listed here will be used to gather public keys of other servers
(notary trusted key servers)
|
| services.public-inbox.settings | Settings for the public-inbox config file.
|
| programs.ssh.knownHosts.<name>.publicKey | The public key data for the host
|
| services.tox-node.keysFile | Path to the file where DHT keys are stored.
|
| services.i2pd.proto.httpProxy.keys | File to persist HTTPPROXY keys.
|
| services.warpgate.settings.ssh.keys | Path to store SSH host & client keys.
|
| services.i2pd.proto.socksProxy.keys | File to persist SOCKSPROXY keys.
|
| services.openssh.knownHosts.<name>.publicKey | The public key data for the host
|
| services.public-inbox.mda.args | Command-line arguments to pass to public-inbox-mda(1).
|
| services.public-inbox.enable | Whether to enable the public-inbox mail archiver.
|
| services.public-inbox.settings.publicinbox | public inboxes
|
| services.public-inbox.nntp.key | Path to TLS key to use for connections to public-inbox-nntpd(1).
|
| services.public-inbox.imap.key | Path to TLS key to use for connections to public-inbox-imapd(1).
|
| services.public-inbox.nntp.args | Command-line arguments to pass to public-inbox-nntpd(1).
|
| services.public-inbox.http.args | Command-line arguments to pass to public-inbox-httpd(1).
|
| services.public-inbox.imap.args | Command-line arguments to pass to public-inbox-imapd(1).
|
| services.public-inbox.imap.cert | Path to TLS certificate to use for connections to public-inbox-imapd(1).
|
| services.public-inbox.nntp.cert | Path to TLS certificate to use for connections to public-inbox-nntpd(1).
|
| services.public-inbox.package | The public-inbox package to use.
|
| services.public-inbox.mda.enable | Whether to enable the public-inbox Mail Delivery Agent.
|
| services.factorio.public | Game will be published on the official Factorio matching server.
|
| services.dragonflydb.keysOutputLimit | Maximum number of returned keys in keys command.
keys is a dangerous command
|
| services.radicle.publicKey | An SSH public key (as an absolute file path or directly as a string),
usually generated by rad auth.
|
| services.public-inbox.nntp.enable | Whether to enable the public-inbox NNTP server.
|
| services.public-inbox.http.enable | Whether to enable the public-inbox HTTP server.
|
| services.public-inbox.imap.enable | Whether to enable the public-inbox IMAP server.
|
| services.tmate-ssh-server.keysDir | Directory containing ssh keys, defaulting to auto-generation
|
| services.ente.api.settings.apps.public-albums | If you're running a self hosted instance and wish to serve public links,
set this to the URL where your albums web app is running.
|
| services.i2pd.inTunnels.<name>.keys | Keyset used for tunnel identity.
|
| boot.initrd.luks.devices.<name>.gpgCard.publicKey | Path to the Public Key.
|
| services.thelounge.public | Make your The Lounge instance public
|
| services.immich-public-proxy.enable | Whether to enable Immich Public Proxy.
|
| services.i2pd.outTunnels.<name>.keys | Keyset used for tunnel identity.
|
| services.nsd.keys.<name>.keyFile | Path to the file which contains the actual base64 encoded
key
|
| services.public-inbox.http.mounts | Root paths or URLs that public-inbox will be served on
|
| services.public-inbox.nntp.port | Listening port
|
| services.public-inbox.imap.port | Listening port
|
| services.blockbook-frontend.<name>.public | Public http server binding [address]:port.
|
| services.firezone.relay.publicIpv4 | The public ipv4 address of this relay
|
| services.firezone.relay.publicIpv6 | The public ipv6 address of this relay
|
| services.immich-public-proxy.package | The immich-public-proxy package to use.
|
| services.keter.bundle.publicScript | Allows loading of public environment variables,
these are emitted to the log so it shouldn't contain secrets.
|
| services.quicktun.<name>.publicKey | Remote public key in hexadecimal form.
Not needed when services.quicktun.<name>.protocol is set to raw.
|
| services.actkbd.bindings.*.keys | List of keycodes to match.
|
| services.ceph.global.publicNetwork | A comma-separated list of subnets that will be used as public networks in the cluster.
|
| services.immich-public-proxy.settings | Configuration for IPP
|
| services.nsd.keys.<name>.algorithm | Authentication algorithm for this key.
|
| services.public-inbox.inboxes.<name>.watch | Paths for public-inbox-watch(1) to monitor for new mail.
|
| services.public-inbox.settings.publicinbox.css | The local path name of a CSS file for the PSGI web interface.
|
| services.public-inbox.spamAssassinRules | SpamAssassin configuration specific to public-inbox.
|
| services.public-inbox.settings.publicinbox.nntpserver | NNTP URLs to this public-inbox instance
|
| services.public-inbox.settings.publicinbox.pop3server | POP3 URLs to this public-inbox instance
|
| services.public-inbox.settings.publicinbox.imapserver | IMAP URLs to this public-inbox instance
|
| services.public-inbox.settings.publicinbox.wwwlisting | Controls which lists (if any) are listed for when the root
public-inbox URL is accessed over HTTP.
|
| services.ncdns.dnssec.keys.private | Path to the file containing the KSK private key.
|
| services.public-inbox.inboxes.<name>.address | The email addresses of the public-inbox.
|
| services.outline.publicUrl | The fully qualified, publicly accessible URL
|
| services.public-inbox.settings.coderepo | code repositories
|
| services.ncdns.dnssec.keys.zonePrivate | Path to the file containing the ZSK private key.
|
| boot.initrd.network.ssh.hostKeys | Specify SSH host keys to import into the initrd
|
| services.immich-public-proxy.port | The port that IPP will listen on.
|
| services.flannel.publicIp | IP accessible by other nodes for inter-host communication
|
| services.kanidm.provision.systems.oauth2.<name>.public | Whether this is a public client (enforces PKCE, doesn't use a basic secret)
|
| services.public-inbox.inboxes.<name>.inboxdir | The absolute path to the directory which hosts the public-inbox.
|
| services.public-inbox.inboxes | Inboxes to configure, where attribute names are inbox names.
|
| services.public-inbox.settings.coderepo.<name>.dir | Path to a git repository
|
| services.public-inbox.settings.publicinboxmda.spamcheck | If set to spamc, public-inbox-watch(1) will filter spam
using SpamAssassin.
|
| services.languagetool.public | Whether to enable access from anywhere (rather than just localhost).
|
| services.rkvm.server.settings.switch-keys | A key list specifying a host switch combination.
A list of key names is available in https://github.com/htrefil/rkvm/blob/master/switch-keys.md.
|
| services.public-inbox.settings.coderepo.<name>.cgitUrl | URL of a cgit instance
|
| services.immich-public-proxy.immichUrl | URL of the Immich instance
|
| services.triggerhappy.bindings.*.keys | List of keys to match
|
| services.public-inbox.inboxes.<name>.url | URL where this inbox can be accessed over HTTP.
|
| services.public-inbox.http.port | Listening port or systemd's ListenStream= entry
to be used as a reverse proxy, e.g. in nginx:
locations."/inbox".proxyPass = "http://unix:${config.services.public-inbox.http.port}:/inbox";
Set to null and use systemd.sockets.public-inbox-httpd.listenStreams
if you need a more advanced listening.
|
| services.cjdns.UDPInterface.connectTo.<name>.publicKey | Public key at the opposite end of the tunnel.
|
| services.cjdns.ETHInterface.connectTo.<name>.publicKey | Public key at the opposite end of the tunnel.
|
| services.public-inbox.openFirewall | Whether to enable opening the firewall when using a port option.
|
| services.public-inbox.postfix.enable | Whether to enable the integration into Postfix.
|
| services.public-inbox.settings.publicinboxwatch.spamcheck | If set to spamc, public-inbox-watch(1) will filter spam
using SpamAssassin.
|
| services.jitsi-videobridge.nat.publicAddress | Public address to assume when running behind NAT.
|
| services.neo4j.ssl.policies.<name>.publicCertificate | The name of public X.509 certificate (chain) file in PEM format
for this policy to be found in the baseDirectory,
or the absolute path to the certificate file
|
| networking.wg-quick.interfaces.<name>.peers.*.publicKey | The base64 public key to the peer.
|
| boot.loader.limine.secureBoot.enable | Whether to sign the limine binary with sbctl.
This requires you to already have generated the keys and enrolled them with sbctl
|
| services.nginx.proxyCachePath.<name>.keysZoneName | Set name to shared memory zone.
|
| services.nginx.proxyCachePath.<name>.keysZoneSize | Set size to shared memory zone.
|
| services.public-inbox.inboxes.<name>.watchheader | If specified, public-inbox-watch(1) will only process
mail containing a matching header.
|
| services.chhoto-url.settings.public_mode | Whether to enable public mode.
|
| services.immich-public-proxy.openFirewall | Whether to open the IPP port in the firewall
|
| services.maubot.settings.server.public_url | Public base URL where the server is visible.
|
| services.toxBootstrapd.keysFile | Node key file.
|
| services.public-inbox.inboxes.<name>.coderepo | Nicknames of a 'coderepo' section associated with the inbox.
|
| networking.wireguard.interfaces.<name>.peers.*.publicKey | The base64 public key of the peer.
|
| services.public-inbox.settings.publicinboxwatch.watchspam | If set, mail in this maildir will be trained as spam and
deleted from all watched inboxes
|
| services.public-inbox.inboxes.<name>.newsgroup | NNTP group name for the inbox.
|
| services.rosenpass.settings.peers.*.public_key | Path to a file containing the public key of the remote Rosenpass peer.
|
| services.matrix-appservice-irc.settings.ircService.mediaProxy.publicUrl | URL under which the media proxy is publicly accessible.
|
| services.h2o.hosts | The hosts config to be merged with the settings
|
| services.schleuder.settings.keyserver | Key server from which to fetch and update keys
|
| services.gitlab.pages.settings | Configuration options to set in the GitLab Pages config
file
|
| services.go-neb.baseUrl | Public-facing endpoint that can receive webhooks.
|
| services.gitolite.adminPubkey | Initial administrative public key for Gitolite
|
| services.public-inbox.inboxes.<name>.description | User-visible description for the repository.
|
| services.foundationdb.publicAddress | Publicly visible IP address of the process
|
| services.matrix-synapse.settings.public_baseurl | The public-facing base URL for the client API (not including _matrix/...)
|
| services.evremap.settings.remap.*.input | The key sequence that should be remapped
|
| services.xonotic.settings.sv_public | Controls whether the server will be publicly listed.
|
| security.pam.services.<name>.rssh | If set, the calling user's SSH agent is used to authenticate
against the configured keys
|
| services.maubot.extraConfigFile | A file for storing secrets
|
| services.tor.relay.role | Your role in Tor network
|
| services.openssh.generateHostKeys | Whether to generate SSH host keys
|
| services.evremap.settings.remap.*.output | The key sequence that should be output when the input sequence is entered
|
| services.logkeys.enable | Whether to enable logkeys, a keylogger service.
|
| services.frp.role | The frp consists of client and server
|
| services.yggdrasil.settings | Configuration for yggdrasil, as a structured Nix attribute set
|
| programs.light.brightnessKeys.enable | Whether to enable brightness control with keyboard keys
|
| security.agnos.generateKeys.enable | Enable automatic generation of account keys
|
| services.forgejo.secrets | This is a small wrapper over systemd's LoadCredential
|
| services.i2pd.dataDir | Alternative path to storage of i2pd data (RI, keys, peer profiles, ...)
|
| services.dkimproxy-out.selector | The selector to use for DKIM key identification
|
| services.skydns.etcd.tlsPem | Skydns path of TLS client certificate - public key.
|
| services.confd.prefix | The string to prefix to keys.
|
| services.logkeys.device | Use the given device as keyboard input event device instead of /dev/input/eventX default.
|
| services.skydns.etcd.caCert | Skydns path of TLS certificate authority public key.
|
| services.evremap.settings.dual_role.*.tap | The key sequence that should be output when the input key is tapped
|
| services.nsd.zones.<name>.dnssecPolicy.coverage | The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
|
| services.evremap.settings.dual_role.*.input | The key that should be remapped
|
| services.evremap.settings.dual_role.*.hold | The key sequence that should be output when the input key is held
|
| services.yggdrasil.persistentKeys | Whether to enable automatic generation and persistence of keys
|
| services.gokapi.enable | Whether to enable Lightweight selfhosted Firefox Send alternative without public upload.
|
| programs.nncp.group | The group under which NNCP files shall be owned
|
| services.nix-serve.secretKeyFile | The path to the file used for signing derivation data
|
| services.minio.configDir | The config directory, for the access keys and other settings.
|
| services.btrbk.sshAccess.*.key | SSH public key allowed to login as user btrbk to run remote backups.
|
| services.tinc.networks.<name>.hostSettings.<name>.rsaPublicKey | Legacy RSA public key of the host in PEM format, including start and
end markers
|
| security.pam.ussh.caFile | By default pam-ussh reads the trusted user CA keys
from /etc/ssh/trusted_user_ca
|
| services.btrbk.sshAccess | SSH keys that should be able to make or push snapshots on this system remotely with btrbk
|
| programs.wshowkeys.package | The wshowkeys package to use.
|
| programs.less.commands | Defines new command keys.
|
| services.tcsd.stateDir | The location of the system persistent storage file
|
| security.pam.services.<name>.gnupg.enable | If enabled, pam_gnupg will attempt to automatically unlock the
user's GPG keys with the login password via
gpg-agent
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.rathole.role | Select whether rathole needs to be run as a client or a server
|
| services.opencloud.url | Web interface root public URL, including scheme and port (if non-default).
|
| services.sympa.domains | Email domains handled by this instance
|
| services.siproxd.ifOutbound | Public network interface
|
| services.dovecot2.sslServerCert | Path to the server's public key.
|
| services.ncps.cache.secretKeyPath | The path to load the secretKey for signing narinfos
|
| services.stubby.settings | Content of the Stubby configuration file
|
| services.veilid.settings | Build veilid-server.conf with nix expression
|
| programs.less.lineEditingKeys | Defines new line-editing keys.
|
| services.metabase.ssl.keystore | Java KeyStore file containing the certificates.
|
| services.searx.runInUwsgi | Whether to run searx in uWSGI as a "vassal", instead of using its
built-in HTTP server
|
| services.tor.relay.onionServices.<name>.authorizedClients | Authorized clients for a v3 onion service,
as a list of public key, in the format:
descriptor:x25519:<base32-public-key>
See torrc manual.
|
| services.evdevremapkeys.settings | config.yaml for evdevremapkeys
|
| services.mastodon.configureNginx | Configure nginx as a reverse proxy for mastodon
|
| security.pam.p11.enable | Enables P11 PAM (pam_p11) module
|
| programs.ssh.agentTimeout | How long to keep the private keys in memory
|
| services.gitea.settings.server.ROOT_URL | Full public URL of gitea server.
|
| services.neo4j.ssl.policies.<name>.trustedDir | Path to directory of X.509 certificates in PEM format for
trusted parties
|
| programs.wshowkeys.enable | Whether to enable wshowkeys (displays keypresses on screen on supported Wayland
compositors)
|
| services.marytts.settings | Settings for MaryTTS
|
| services.fedimintd.<name>.p2p.url | Public address for p2p connections from peers (if TCP is used)
|
| services.mycelium.peers | List of peers to connect to, in the formats:
quic://[2001:0db8::1]:9651
quic://192.0.2.1:9651
tcp://[2001:0db8::1]:9651
tcp://192.0.2.1:9651
If addHostedPublicNodes is set to true, the hosted public nodes will also be added.
|
| services.outline.cdnUrl | If using a Cloudfront/Cloudflare distribution or similar it can be set
using this option
|
| services.lldap.settings.http_url | The public URL of the server, for password reset links.
|
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| security.acme.certs.<name>.keyType | Key type to use for private keys
|
| services.part-db.enableNginx | Whether to enable nginx or not
|
| services.lk-jwt-service.livekitUrl | The public websocket URL for livekit
|
| services.fedimintd.<name>.api.url | Public URL of the API address of the reverse proxy/tls terminator
|
| services.unclutter.keystroke | Wait for a keystroke before hiding the cursor
|
| programs.ssh.knownHostsFiles | Files containing SSH host keys to set as global known hosts.
/etc/ssh/ssh_known_hosts (which is
generated by programs.ssh.knownHosts) is
always included.
|
| programs.ssh.startAgent | Whether to start the OpenSSH agent when you log in
|
| services.tsidp.settings.enableFunnel | Use Tailscale Funnel to make tsidp available on the public internet so it works with SaaS products.
|
| services.fediwall.settings.loadPublic | Load public posts
|
| services.harmonia.signKeyPaths | Paths to the signing keys to use for signing the cache
|
| services.opendkim.keyPath | The path that opendkim should put its generated private keys into
|
| programs.ssh.pubkeyAcceptedKeyTypes | Specifies the key types that will be used for public key authentication.
|
| services.forgejo.settings.server.ROOT_URL | Full public URL of Forgejo server.
|
| services.dendrite.tlsKey | The path to the TLS key.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.murmur.registerName | Public server registration name, and also the name of the
Root channel
|
| services.fedimintd.<name>.nginx.fqdn | Public domain of the API address of the reverse proxy/tls terminator.
|
| services.peertube.listenWeb | The public-facing port that PeerTube will be accessible at (likely 80 or 443 if running behind a reverse proxy)
|
| services.writefreely.host | The public host name to serve.
|
| services.ntfy-sh.settings.base-url | Public facing base URL of the service
This setting is required for any of the following features:
- attachments (to return a download URL)
- e-mail sending (for the topic URL in the email footer)
- iOS push notifications for self-hosted servers
(to calculate the Firebase poll_request topic)
- Matrix Push Gateway (to validate that the pushkey is correct)
|
| xdg.terminal-exec.settings | Configuration options for the Default Terminal Execution Specification
|
| services.tahoe.nodes.<name>.sftpd.hostPublicKeyFile | Path to the SSH host public key.
|
| programs.seahorse.enable | Whether to enable Seahorse, a GNOME application for managing encryption keys and passwords in the GNOME Keyring.
|
| services.dendrite.tlsCert | The path to the TLS certificate.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.molly-brown.certPath | Path to TLS certificate
|
| services.jitsi-videobridge.nat.harvesterAddresses | Addresses of public STUN services to use to automatically find
the public and local addresses of this Jitsi-Videobridge instance
without the need for manual configuration
|
| services.factorio.password | Your factorio.com login credentials
|
| services.factorio.username | Your factorio.com login credentials
|
| services.knot.keyFiles | A list of files containing additional configuration
to be included using the include directive
|
| services.openssh.hostKeys | NixOS can automatically generate SSH host keys
|
| services.gitlab.pages.settings.gitlab-server | Public GitLab server URL.
|
| services.tarsnap.archives.<name>.keyfile | Set a specific keyfile for this archive
|
| services.prosody.muc.*.roomDefaultPublic | If set, the MUC rooms will be public by default.
|
| security.pam.sshAgentAuth.enable | Whether to enable authenticating using a signature performed by the ssh-agent
|
| services.ncps.cache.lock.redisKeyPrefix | Prefix for all Redis lock keys (only used when Redis is
configured).
|
| services.nsd.zones.<name>.dnssecPolicy.zsk | Key policy for zone signing keys
|
| services.nsd.zones.<name>.dnssecPolicy.ksk | Key policy for key signing keys
|
| services.pgpkeyserver-lite.hkpPort | Which port the sks-keyserver is listening on.
|
| services.plausible.server.baseUrl | Public URL where plausible is available
|
| services.matrix-conduit.settings.global.trusted_servers | Servers trusted with signing server keys.
|
| services.rosenpass.settings.peers.*.peer | WireGuard public key corresponding to the remote Rosenpass peer.
|
| services.fedimintd.<name>.api_ws.url | Public URL of the API address of the reverse proxy/tls terminator
|
| security.acme.defaults.keyType | Key type to use for private keys
|
| security.agnos.generateKeys.keySize | Key size in bits to use when generating new keys.
|
| services.komodo-periphery.passkeys | Passkeys required to access the periphery API
|
| services.frp.instances.<name>.role | The frp consists of client and server
|
| services.keyd.keyboards | Configuration for one or more device IDs
|
| services.sourcehut.settings.mail.pgp-pubkey | OpenPGP public key.
|
| services.gitDaemon.enable | Enable Git daemon, which allows public hosting of git repositories
without any access controls
|
| services.apache-kafka.settings | Kafka broker configuration
server.properties
|
| services.rosenpass.settings.peers | List of peers to exchange keys with.
|
| services.firewalld.settings.RFC3964_IPv4 | Whether to filter IPv6 traffic with 6to4 destination addresses that correspond to IPv4 addresses that should not be routed over the public internet.
|
| services.teeworlds.register | Whether the server registers as a public server in the global server list
|
| services.prosody.muc.*.roomDefaultPublicJids | If set, the MUC rooms will display the public JIDs by default.
|
| boot.initrd.network.ssh.ignoreEmptyHostKeys | Allow leaving config.boot.initrd.network.ssh.hostKeys empty,
to deploy ssh host keys out of band.
|
| programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| security.pam.services.<name>.p11Auth | If set, keys listed in
~/.ssh/authorized_keys and
~/.eid/authorized_certificates
can be used to log in with the associated PKCS#11 tokens.
|
| services.keycloak.settings.hostname | The hostname part of the public URL used as base for
all frontend requests
|
| services.broadcast-box.settings | Attribute set of environment variables.
https://github.com/Glimesh/broadcast-box#environment-variables
The status API exposes stream keys so DISABLE_STATUS is enabled
by default.
|
| services.pgpkeyserver-lite.enable | Whether to enable pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver.
|
| networking.nat.externalIP | The public IP address to which packets from the local
network are to be rewritten
|
| services.pgpkeyserver-lite.package | The pgpkeyserver-lite package to use.
|
| services.syncthing.configDir | The path where the settings and keys will exist.
|
| services.postsrsd.secretsFile | Secret keys used for signing and verification.
The secret will be generated, if it does not exist at the given path.
|
| services.grafana.settings.server.domain | The public facing domain name used to access grafana from a browser
|
| services.chhoto-url.settings.public_mode_expiry_delay | The maximum expiry delay in seconds to force in public mode.
|
| services.kanidm.unix.sshIntegration | Whether to enable Kanidm SSH keys login.
|
| programs.captive-browser.interface | your public network interface (wlp3s0, wlan0, eth0, ...)
|
| services.kubernetes.easyCerts | Automatically setup x509 certificates and keys for the entire cluster.
|
| networking.nat.externalIPv6 | The public IPv6 address to which packets from the local
network are to be rewritten
|
| services.pgpkeyserver-lite.hkpAddress | Which IP address the sks-keyserver is listening on.
|
| services.murmur.registerPassword | Public server registry password, used to authenticate your
server to the registry to prevent impersonation; required for
subsequent registry updates.
|
| services.searx.configureUwsgi | Whether to run searx in uWSGI as a "vassal", instead of using its
built-in HTTP server
|
| services.wgautomesh.settings.peers.*.pubkey | Wireguard public key of this peer.
|
| fileSystems.<name>.depends | List of paths that should be mounted before this one
|
| services.matrix-synapse.settings.turn_uris | The public URIs of the TURN server to give to clients
|
| services.mastodon.activeRecordEncryptionPrimaryKeyFile | This key must be set to enable the Active Record Encryption feature within
Rails that Mastodon uses to encrypt and decrypt some database attributes
|
| services.schleuder.lists | List of list addresses that should be handled by Schleuder
|
| services.livekit.keyFile | LiveKit key file holding one or multiple application secrets
|
| services.wastebin.settings.RUST_LOG | Influences logging
|
| services.movim.minifyStaticFiles | Do minification on public static files which reduces the size of
assets — saving data for the server & users as well as offering a
performance improvement
|
| boot.loader.systemd-boot.edk2-uefi-shell.sortKey | systemd-boot orders the menu entries by their sort keys,
so if you want something to appear after all the NixOS entries,
it should start with o or onwards
|
| services.pgpkeyserver-lite.hostname | Which hostname to set the vHost to that is proxying to sks.
|
| services.postgrest.settings.server-host | Where to bind the PostgREST web server.
The admin server will also bind here, but potentially exposes sensitive information
|
| programs.rust-motd.order | The order of the sections in programs.rust-motd.settings
|
| services.writefreely.stateDir | The state directory where keys and data are stored.
|
| services.prosody.muc.*.roomDefaultChangeSubject | If set, the rooms will display the public JIDs by default.
|
| services.nsd.zones.<name>.dnssecPolicy.zsk.rollPeriod | How frequently to change keys
|
| services.nsd.zones.<name>.dnssecPolicy.ksk.rollPeriod | How frequently to change keys
|
| hardware.tuxedo-drivers.settings.fn-lock | Enables or disables the laptop keyboard's Function (Fn) lock at boot
|
| networking.nat.forwardPorts.*.loopbackIPs | Public IPs for NAT reflection; for connections to loopbackip:sourcePort from the host itself and from other hosts behind NAT
|
| services.kerberos_server.settings.realms.<name>.acl.*.access | The changes the principal is allowed to make.
The "all" permission does not imply the "get-keys" permission
|
| security.pam.services.<name>.sshAgentAuth | If set, the calling user's SSH agent is used to authenticate
against the keys in the calling user's
~/.ssh/authorized_keys
|
| security.pam.services.<name>.forwardXAuth | Whether X authentication keys should be passed from the
calling user to the target user (e.g. for
su)
|
| services.homer.settings | Settings serialized into config.yml before build
|
| services.actkbd.enable | Whether to enable the actkbd key mapping daemon
|
| boot.initrd.luks.devices.<name>.preOpenCommands | Commands that should be run right before we try to mount our LUKS device
|
| boot.loader.systemd-boot.windows.<name>.sortKey | systemd-boot orders the menu entries by their sort keys,
so if you want something to appear after all the NixOS entries,
it should start with o or onwards
|
| services.ncps.cache.lock.postgresKeyPrefix | Prefix for all PostgreSQL advisory lock keys (only used when
PostgreSQL is configured as lock backend).
|
| services.openssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| services.omnom.settings.activitypub.pubkey | ActivityPub public key
|
| services.mysql.galeraCluster.sstMethod | Method for the initial state transfer (wsrep_sst_method) when a node joins the cluster
|
| services.cloud-init.enable | Enable the cloud-init service
|
| boot.initrd.network.ssh.authorizedKeys | Authorized keys for the root user on initrd
|
| programs.ssh.knownHosts.<name>.hostNames | A list of host names and/or IP numbers used for accessing
the host's ssh service
|
| services.nsd.zones.<name>.dnssecPolicy.ksk.prePublish | How long in advance to publish new keys
|
| services.nsd.zones.<name>.dnssecPolicy.zsk.prePublish | How long in advance to publish new keys
|
| services.taskserver.pki.auto.bits | The bit size for generated keys.
|
| services.filebeat.settings | Configuration for filebeat
|
| services.netbird.tunnels.<name>.openFirewall | Opens up firewall port for communication between NetBird peers directly over LAN or public IP,
without using (internet-hosted) TURN servers as intermediaries.
|
| services.netbird.clients.<name>.openFirewall | Opens up firewall port for communication between NetBird peers directly over LAN or public IP,
without using (internet-hosted) TURN servers as intermediaries.
|
| services.postsrsd.settings.secrets-file | Path to the file containing the secret keys.
Secrets are passed using LoadCredential= on the systemd unit,
so this option is read-only
|
| services.snipe-it.config | Snipe-IT configuration options to set in the
.env file
|
| services.ghostunnel.servers.<name>.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.tor.relay.onionServices.<name>.secretKey | Secret key of the onion service
|
| services.matrix-synapse.settings.trusted_key_servers | The trusted servers to download signing keys from.
|
| services.evdevremapkeys.enable | Whether to enable evdevremapkeys, a daemon to remap events on linux input devices.
|
| services.mastodon.vapidPublicKeyFile | Path to file containing the public key used for Web Push
Voluntary Application Server Identification
|
| services.stargazer.routes | Routes that Stargazer should serve
|
| services.keyd.keyboards.<name>.settings | Configuration, except ids section, that is written to /etc/keyd/.conf
|
| services.draupnir.settings.homeserverUrl | Base URL of the Matrix homeserver that provides the Client-Server API.
|
| services.mastodon.activeRecordEncryptionKeyDerivationSaltFile | This key must be set to enable the Active Record Encryption feature within
Rails that Mastodon uses to encrypt and decrypt some database attributes
|
| services.pleroma.configs | Pleroma public configuration
|
| hardware.tuxedo-drivers.enable | Whether to enable the tuxedo-drivers driver, which enables access to the following on TUXEDO notebooks:
- Driver for Fn-keys
- SysFS control of brightness/color/mode for most TUXEDO keyboards
- Hardware I/O driver for TUXEDO Control Center
For more information, it is best to check the source code description: https://gitlab.com/tuxedocomputers/development/packages/tuxedo-drivers
|
| services.seafile.ccnetSettings.General.SERVICE_URL | Seahub public URL.
|
| services.beszel.agent.environment | Environment variables for configuring the beszel-agent service
|
| boot.loader.systemd-boot.memtest86.sortKey | systemd-boot orders the menu entries by their sort keys,
so if you want something to appear after all the NixOS entries,
it should start with o or onwards
|
| services.ecs-agent.extra-environment | The environment the ECS agent should run with
|
| boot.initrd.luks.mitigateDMAAttacks | Unless enabled, encryption keys can be easily recovered by an attacker with physical
access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port
|
| services.gitlab.secrets.jwsFile | A file containing the secret used to encrypt session
keys
|
| boot.initrd.network.ssh.authorizedKeyFiles | Authorized keys taken from files for the root user on initrd
|
| services.schleuder.extraSettingsFile | YAML file to merge into the schleuder config at runtime
|
| services.dex.environmentFile | Environment file (see systemd.exec(5)
"EnvironmentFile=" section for the syntax) to define variables for dex
|
| services.draupnir.settings.rawHomeserverUrl | Public base URL of the Matrix homeserver that provides the Client-Server API when using the Draupnir's
Report forwarding feature.
When using Pantalaimon, do not set this to the Pantalaimon URL!
|
| services.keycloak.settings | Configuration options corresponding to parameters set in
conf/keycloak.conf
|
| services.maddy.tls.loader | TLS certificates are obtained by modules called "certificate
loaders"
|
| services.cloudflare-ddns.detectionTimeout | Timeout for detecting the public IP address.
|
| services.suwayomi-server.settings.server.basicAuthEnabled | Whether to enable basic access authentication for Suwayomi-Server
|
| services.gitlab.extraConfig | Extra options to be added under
production in
config/gitlab.yml, as a nix attribute
set
|
| services.searx.environmentFile | Environment file (see systemd.exec(5) "EnvironmentFile=" section for the syntax) to define variables for Searx
|
| services.monica.config | monica configuration options to set in the
.env file
|
| services.xserver.xkb.extraLayouts.<name>.typesFile | The path to the xkb types file
|
| services.dawarich.configureNginx | Configure nginx as a reverse proxy for dawarich
|
| security.pam.u2f.settings.authfile | By default pam-u2f module reads the keys from
$XDG_CONFIG_HOME/Yubico/u2f_keys (or
$HOME/.config/Yubico/u2f_keys if XDG variable is
not set)
|
| boot.specialFileSystems.<name>.depends | List of paths that should be mounted before this one
|
| services.matrix-synapse.extraConfigFiles | Extra config files to include
|
| services.netbird.server.dashboard.settings | An attribute set that will be used to substitute variables when building the dashboard
|
| services.fedimintd.<name>.bitcoin.rpc.secretFile | If set the URL specified in bitcoin.rpc.url will get the content of this file added
as a URL password, so http://user@example.com will turn into http://user:SOMESECRET@example.com
|
| services.openssh.knownHosts.<name>.hostNames | A list of host names and/or IP numbers used for accessing
the host's ssh service
|
| services.lasuite-meet.livekit.keyFile | LiveKit key file holding one or multiple application secrets
|
| services.yggdrasil.settings.PrivateKeyPath | Path to the private key file on the host system
|
| boot.loader.systemd-boot.netbootxyz.sortKey | systemd-boot orders the menu entries by their sort keys,
so if you want something to appear after all the NixOS entries,
it should start with o or onwards
|
| services.your_spotify.settings.SPOTIFY_PUBLIC | The public client ID of your Spotify application
|
| services.hercules-ci-agent.settings.binaryCachesPath | Path to a JSON file containing binary cache secret keys
|
| services.maddy.tls.certificates | A list of attribute sets containing paths to TLS certificates and
keys
|
| services.parsedmarc.settings | Configuration parameters to set in
parsedmarc.ini
|
| services.multipath.devices.*.all_tg_pt | Set the 'all targets ports' flag when registering keys with mpathpersist
|
| services.matrix-appservice-discord.settings | config.yaml configuration as a Nix attribute set
|
| services.mastodon.activeRecordEncryptionDeterministicKeyFile | This key must be set to enable the Active Record Encryption feature within
Rails that Mastodon uses to encrypt and decrypt some database attributes
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| services.rosenpass.settings.secret_key | Path to a file containing the secret key of the local Rosenpass peer
|
| services.akkoma.config.":web_push_encryption".":vapid_details".public_key | base64-encoded public ECDH key.
|
| services.karakeep.environmentFile | An optional path to an environment file that will be used in the web and workers
services
|
| services.dependency-track.oidc.teams.claim | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| services.datadog-agent.checks | Configuration for all Datadog checks
|
| boot.initrd.luks.devices.<name>.fido2.credentials | List of FIDO2 credential IDs
|
| services.bookstack.config | BookStack configuration options to set in the
.env file
|
| services.slurm.enableSrunX11 | If enabled srun will accept the option "--x11" to allow for X11 forwarding
from within an interactive session or a batch job
|
| boot.initrd.luks.reusePassphrases | When opening a new LUKS device try reusing last successful
passphrase
|
| services.agorakit.config | Agorakit configuration options to set in the
.env file
|
| services.geoipupdate.settings | geoipupdate configuration options
|
| services.sourcehut.settings."sr.ht".service-key | An absolute file path (which should be outside the Nix-store)
to a key used for encrypting session cookies
|
| services.sourcehut.settings."meta.sr.ht::billing".stripe-secret-key | An absolute file path (which should be outside the Nix-store)
to a secret key for Stripe
|
| services.nebula.networks.<name>.lighthouse.dns.host | IP address on which nebula lighthouse should serve DNS.
'localhost' is a good default to ensure the service does not listen on public interfaces;
use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only.
|
| services.prometheus.exporters.postfix.group | Group under which the postfix exporter shall be run
|
| services.openssh.authorizedKeysCommandUser | Specifies the user under whose account the AuthorizedKeysCommand
is run
|
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file
|
| services.dependency-track.settings."alpine.oidc.teams.claim" | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| services.sourcehut.settings."meta.sr.ht::settings".registration | Whether to enable public registration.
|
| services.kmonad.keyboards.<name>.defcfg.allowCommands | Whether to enable keys to run shell commands.
|
| services.munin-node.extraPlugins | Additional Munin plugins to activate
|
| services.libeufin.nexus.settings.nexus-ebics.CLIENT_PRIVATE_KEYS_FILE | Filesystem location where Nexus should store the subscriber private keys.
|
| services.engelsystem.settings | Options to be added to config.php, as a nix attribute set
|
| services.libretranslate.enableApiKeys | Whether to enable the API keys database.
|
| services.gitlab.workhorse.config | Configuration options to add to Workhorse's configuration
file
|
| services.dendrite.settings.global.private_key | The path to the signing private key file, used to sign
requests and events.
nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem"
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| services.chhoto-url.settings.hash_algorithm | The hash algorithm to use for passwords and API keys
|
| services.dependency-track.settings."alpine.data.directory" | Defines the path to the data directory
|
| services.veilid.settings.core.network.routing_table.node_id | Base64-encoded public key for the node, used as the node's ID.
|
| services.sssd.sshAuthorizedKeysIntegration | Whether to make sshd look up authorized keys from SSS
|
| services.kerberos_server.settings.realms | The realm(s) to serve keys for.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.waagent.settings.Provisioning.Enable | Whether to enable provisioning functionality in the agent
|
| services.prometheus.exporters.ecoflow.ecoflowEmailFile | Path to the file with your personal ecoflow app login email address
|
| services.livekit.settings.rtc.use_external_ip | When set to true, attempts to discover the host's public IP via STUN
|
| boot.zfs.requestEncryptionCredentials | If true on import encryption keys or passwords for all encrypted datasets
are requested
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.taskserver.organisations | An attribute set where the keys name the organisation and the values
are a set of lists of users and
groups.
|
| services.prometheus.exporters.ecoflow.ecoflowSecretKeyFile | Path to the file with your personal api secret string from the Ecoflow development website https://developer-eu.ecoflow.com
|
| services.prometheus.exporters.ecoflow.ecoflowAccessKeyFile | Path to the file with your personal api access string from the Ecoflow development website https://developer-eu.ecoflow.com
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.availability | The availability of the endpoint to connect to
|
| services.guix.substituters.authorizedKeys | A list of signing keys for each substitute server to be authorized as
a source of substitutes
|
| services.tailscale.serve.services.<name>.endpoints | Map of incoming traffic patterns to local targets
|
| security.pam.sshAgentAuth.authorizedKeysFiles | A list of paths to files in OpenSSH's authorized_keys format, containing
the keys that will be trusted by the pam_ssh_agent_auth module
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.prometheus.exporters.pve.configFile | Path to the service's config file
|
| services.prometheus.exporters.ecoflow.ecoflowPasswordFile | Path to the file with your personal ecoflow app login email password
|
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects
|
| services.discourse.siteSettings | Discourse site settings
|
| services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce | Disable PKCE on this oauth2 resource server to work around insecure clients
that may not support it
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth | Authentication to perform locally.
- The default pubkey uses public key authentication using a private key associated to a usable certificate.
- psk uses pre-shared key authentication.
- The IKEv1 specific xauth is used for XAuth or Hybrid authentication,
- while the IKEv2 specific eap keyword defines EAP authentication.
- For xauth, a specific backend name may be appended, separated by a dash
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.nextcloud.config.objectstore.s3.sseCKeyFile | If provided this is the full path to a file that contains the key
to enable server-side encryption with customer-provided keys
(SSE-C)
|
| services.prometheus.exporters.ecoflow.ecoflowDevicesFile | File must contain one line, example: R3300000,R3400000,NC430000,...
|
| boot.loader.systemd-boot.sortKey | The sort key used for the NixOS bootloader entries
|
| virtualisation.fileSystems.<name>.depends | List of paths that should be mounted before this one
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.port | The port to scrape metrics from
|
| services.prometheus.scrapeConfigs.*.gce_sd_configs.*.port | The port to scrape metrics from
|
| services.prometheus.exporters.collectd.collectdBinary.authFile | File mapping user names to pre-shared keys (passwords).
|
| services.arsenik.long_hold_timeout | Slightly higher value for typing keys, to prevent unexpected hold effect.
|
| services.prometheus.exporters.pve.environmentFile | Path to the service's environment file
|
| services.livekit.ingress.settings.rtc_config.use_external_ip | When set to true, attempts to discover the host's public IP via STUN
|
| services.prometheus.exporters.ecoflow.ecoflowDevicesPrettyNamesFile | File must contain one line, example: {"R3300000":"Delta 2","R3400000":"Delta Pro",...}
The key/value map of custom names for your devices
|
| services.prometheus.alertmanager-ntfy.settings.ntfy.notification.topic | Note: when using ntfy.sh and other public instances
it is recommended to set this option to an empty string and set the actual topic via
services.prometheus.alertmanager-ntfy.extraConfigFiles since
the topic in ntfy.sh is essentially a password
|
| users.users.<name>.password | Specifies the (clear text) password for the user
|
| security.agnos.settings.accounts.*.private_key_path | Path of the PEM-encoded private key for this account
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.port | The port to scrape metrics from
|
| users.extraUsers.<name>.password | Specifies the (clear text) password for the user
|
| services.postgresql.systemCallFilter | Configures the syscall filter for postgresql.service
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.pk | If this attribute is given, SAE-PK will be enabled for this connection
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.role_arn | AWS Role ARN, an alternative to using AWS API keys.
|
| services.prometheus.exporters.idrac.configurationPath | Path to the service's config file
|
| services.akkoma.config.":web_push_encryption" | Web Push Notifications configuration
|
| services.postfix.settings.main.smtpd_tls_chain_files | List of paths to the server private keys and certificates.
The order of items matters and a private key must always be followed by the corresponding certificate.
https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
|
| services.stash.settings.dangerous_allow_public_without_auth | Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.port | The port to scrape metrics from
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.port | The port to scrape metrics from
|
| services.hostapd.radios.<name>.networks.<name>.authentication.pairwiseCiphers | Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets)
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth | Authentication to expect from remote
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.role_arn | AWS Role ARN, an alternative to using AWS API keys.
|
| services.wgautomesh.settings.upnp_forward_external_port | Public port number to try to redirect to this machine's Wireguard
daemon using UPnP IGD.
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.access_key | The AWS API keys
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.secret_key | The AWS API keys
|
| services.stash.settings.security_tripwire_accessed_from_public_internet | Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|