| services.below.dirs.store | Where to store below's data
|
| boot.loader.grub.storePath | Path to the Nix store when looking for kernels at boot
|
| services.guix.storeDir | The store directory where the Guix service will serve to/from
|
| services.pict-rs.storePath | The directory where to store the uploaded images
|
| services.thanos.store.enable | Whether to enable the Thanos store node giving access to blocks in a bucket provider.
|
| services.thanos.store.objstore.config | Object store configuration
|
| services.stargazer.store | Path to the certificate store on disk
|
| boot.initrd.systemd.storePaths | Store paths to copy into the initrd as well.
|
| services.thanos.query.store.sd-files | Path to files that contain addresses of store API servers
|
| services.thanos.store.objstore.config-file | Path to YAML file that contains object store configuration
|
| boot.nixStoreMountOpts | Defines the mount options used on a bind mount for the /nix/store
|
| services.cachix-watch-store.jobs | Number of threads used for pushing store paths
|
| services.thanos.store.store.limits.request-samples | The maximum samples allowed for a single Series request
|
| services.thanos.store.stateDir | Data directory relative to /var/lib
in which to cache remote blocks.
|
| services.thanos.store.log.level | Log filtering level
|
| services.thanos.store.log.format | Log format to use.
|
| services.thanos.store.store.grpc.series-max-concurrency | Maximum number of concurrent Series calls
|
| virtualisation.xen.store.path | Path to the Xen Store Daemon
|
| services.thanos.store.max-time | End of time range limit to serve
|
| services.thanos.store.min-time | Start of time range limit to serve
|
| image.repart.verityStore.partitionIds.store | Specify the attribute name of the store partition.
|
| nix.settings.auto-optimise-store | If set to true, Nix automatically detects files in the store that have
identical contents, and replaces them with hard links to a single copy
|
| boot.readOnlyNixStore | If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount
|
| services.cachix-watch-store.enable | Whether to enable Cachix Watch Store: https://docs.cachix.org.
|
| systemd.shutdownRamfs.storePaths | Store paths to copy into the shutdown ramfs as well.
|
| services.thanos.store.chunk-pool-size | Maximum size of concurrently allocatable bytes for chunks
|
| services.thanos.query.store.unhealthy-timeout | Timeout before an unhealthy store is cleaned from the store UI page
|
| services.thanos.query.store.response-timeout | If a Store doesn't send any data in this specified duration then a
Store will be ignored and partial data will be returned if it's
enabled. 0 disables timeout
|
| services.thanos.store.grpc-server-tls-key | TLS Key for the gRPC server, leave blank to disable TLS
|
| services.thanos.store.index-cache-size | Maximum size of items held in the index cache
|
| services.thanos.store.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| services.thanos.store.http-address | Listen host:port for HTTP endpoints
|
| services.thanos.store.arguments | Arguments to the thanos store command
|
| services.thanos.store.tracing.config | Tracing configuration
|
| services.nix-store-gcs-proxy | An attribute set describing an HTTP to GCS proxy that allows us to use GCS
bucket via HTTP protocol.
|
| services.thanos.store.grpc-address | Listen ip:port address for gRPC endpoints (StoreAPI)
|
| security.pam.services.<name>.gnupg.storeOnly | Don't send the password immediately after login, but store for PAM
session.
|
| nix.sshServe.enable | Whether to enable serving the Nix store as a remote store via SSH.
|
| services.cachix-watch-store.host | Cachix host to connect to
|
| image.repart.partitions.<name>.nixStorePrefix | The prefix to use for store paths
|
| services.cachix-watch-store.signingKeyFile | Optional file containing a self-managed signing key to sign uploaded store paths.
|
| image.repart.partitions.<name>.storePaths | The store paths to include in the partition.
|
| services.thanos.store.grpc-server-tls-client-ca | TLS CA to verify clients against
|
| services.thanos.query.store.sd-dns-interval | Interval between DNS resolutions
|
| services.thanos.store.tracing.config-file | Path to YAML file that contains tracing configuration
|
| services.thanos.store.sync-block-duration | Repeat interval for syncing the blocks between local and remote view
|
| services.thanos.query.store.sd-interval | Refresh interval to re-read file SD files
|
| services.nix-store-gcs-proxy.<name>.enable | Whether to enable proxy for this bucket
|
| boot.initrd.systemd.storePaths.*.target | Path of the symlink.
|
| boot.initrd.nix-store-veritysetup.enable | Whether to enable nix-store-veritysetup.
|
| boot.initrd.systemd.storePaths.*.source | Path of the source file.
|
| services.cachix-watch-store.cacheName | Cachix binary cache name
|
| boot.initrd.systemd.storePaths.*.enable | Whether to enable copying of this file and symlinking it.
|
| services.nix-store-gcs-proxy.<name>.address | The address of the proxy.
|
| services.nix-store-gcs-proxy.<name>.bucketName | Name of Google storage bucket
|
| virtualisation.xen.store.settings.xenstored.log.file | Path to the Xen Store log file.
|
| virtualisation.xen.store.settings.xenstored.log.level | Logging level for the Xen Store.
|
| virtualisation.xen.store.settings | The OCaml-based Xen Store Daemon configuration
|
| services.cachix-watch-store.package | The cachix package to use.
|
| services.cachix-watch-store.verbose | Enable verbose output
|
| virtualisation.xen.store.settings.pidFile | Path to the Xen Store Daemon PID file.
|
| virtualisation.xen.store.settings.xenstored.accessLog.file | Path to the Xen Store access log file.
|
| systemd.shutdownRamfs.storePaths.*.target | Path of the symlink.
|
| systemd.shutdownRamfs.storePaths.*.source | Path of the source file.
|
| services.cachix-watch-store.cachixTokenFile | Required file that needs to contain the cachix auth token.
|
| services.thanos.rule.objstore.config | Object store configuration
|
| systemd.shutdownRamfs.storePaths.*.enable | Whether to enable copying of this file and symlinking it.
|
| services.thanos.store.block-sync-concurrency | Number of goroutines to use when syncing blocks from object storage
|
| image.repart.partitions.<name>.stripNixStorePrefix | Whether to strip /nix/store/ from the store paths
|
| services.pleroma.configs | Pleroma public configuration
|
| services.dae.config | WARNING: This option will expose your config unencrypted and world-readable in the nix store
|
| services.thanos.sidecar.objstore.config | Object store configuration
|
| services.thanos.compact.objstore.config | Object store configuration
|
| services.thanos.receive.objstore.config | Object store configuration
|
| services.kasmweb.datastorePath | The directory used to store all data for kasmweb.
|
| nix.sshServe.write | Whether to enable writing to the Nix store as a remote store via SSH
|
| nixpkgs.flake.source | The path to the nixpkgs sources used to build the system
|
| virtualisation.xen.store.settings.quota.maxSize | Size limit for transactions.
|
| virtualisation.xen.store.settings.quota.maxPath | Path limit for the quota system.
|
| boot.initrd.systemd.storePaths.*.dlopen.features | Features to enable via dlopen ELF notes
|
| image.repart.verityStore.partitionIds.store-verity | Specify the attribute name of the store's dm-verity hash partition.
|
| services.redis.servers.<name>.requirePass | Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
|
| virtualisation.xen.store.settings.quota.maxWatch | Maximum number of watches by the Xenstore Watchdog.
|
| boot.initrd.systemd.storePaths.*.dlopen.usePriority | Priority of dlopen ELF notes to include. "required" is
minimal, "recommended" includes "required", and
"suggested" includes "recommended"
|
| virtualisation.xen.store.settings.quota.enable | Whether to enable the quota system.
|
| virtualisation.xen.store.settings.enableMerge | Whether to enable transaction merge support.
|
| users.defaultUserShell | This option defines the default shell assigned to user
accounts
|
| virtualisation.xen.store.settings.perms.enable | Whether to enable the node permission system.
|
| virtualisation.xen.store.settings.quota.maxEntity | Entity limit for transactions.
|
| services.thanos.rule.objstore.config-file | Path to YAML file that contains object store configuration
|
| virtualisation.useNixStoreImage | Build and use a disk image for the Nix store, instead of
accessing the host's one through 9p
|
| services.rustus.storage | Storages are used to actually store your files
|
| services.davis.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.movim.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.slskd.nginx.basicAuth | Basic Auth protection for a vhost
|
| nix.buildMachines | This option lists the machines to be used if distributed builds are
enabled (see nix.distributedBuilds)
|
| services.honk.passwordFile | Password for admin account
|
| services.snipe-it.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.thanos.downsample.objstore.config | Object store configuration
|
| services.inadyn.settings.custom.<name>.password | Password for this DDNS provider
|
| virtualisation.xen.store.settings.quota.maxWatchEvents | Maximum number of outstanding watch events per watch.
|
| virtualisation.xen.store.settings.quota.maxRequests | Maximum number of requests per transaction.
|
| systemd.shutdownRamfs.storePaths.*.dlopen.features | Features to enable via dlopen ELF notes
|
| boot.loader.grub.users.<name>.password | Specifies the clear text password for the account
|
| services.gancio.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.fluidd.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.akkoma.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.monica.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.matomo.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.cachix-watch-store.compressionLevel | The compression level for ZSTD compression (between 0 and 16)
|
| services.ttyd.passwordFile | File containing the password to use for basic http authentication
|
| virtualisation.xen.store.settings.ringScanInterval | Periodic scanning for all the rings as a safety net for lazy clients
|
| systemd.shutdownRamfs.storePaths.*.dlopen.usePriority | Priority of dlopen ELF notes to include. "required" is
minimal, "recommended" includes "required", and
"suggested" includes "recommended"
|
| virtualisation.xen.store.settings.persistent | Whether to activate the file-based backend.
|
| services.yandex-disk.password | Your yandex.com password
|
| services.thanos.compact.objstore.config-file | Path to YAML file that contains object store configuration
|
| services.thanos.receive.objstore.config-file | Path to YAML file that contains object store configuration
|
| services.thanos.sidecar.objstore.config-file | Path to YAML file that contains object store configuration
|
| programs.zsh.ohMyZsh.cacheDir | Cache directory to be used by oh-my-zsh
|
| services.veilid.settings.core.table_store.directory | The filesystem directory to store your table store within.
|
| services.veilid.settings.core.block_store.directory | The filesystem directory to store blocks for the block store.
|
| services.inadyn.settings.provider.<name>.password | Password for this DDNS provider
|
| virtualisation.xen.store.settings.quota.transaction | Maximum number of transactions.
|
| virtualisation.xen.store.settings.perms.enableWatch | Whether to enable the watch permission system
|
| services.nix-serve.secretKeyFile | The path to the file used for signing derivation data
|
| virtualisation.xen.store.settings.quota.maxOutstanding | Maximum outstanding requests, i.e. in-flight requests / domain.
|
| services.librenms.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.agorakit.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.dolibarr.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.kanboard.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.fediwall.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.mainsail.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.pixelfed.nginx.basicAuth | Basic Auth protection for a vhost
|
| programs.nncp.secrets | A list of paths to NNCP configuration files that should not be
in the Nix store
|
| services.gitlab.smtp.passwordFile | File containing the password of the SMTP server for GitLab
|
| services.nextcloud.appstoreEnable | Allow the installation and updating of apps from the Nextcloud appstore
|
| services.radicle.httpd.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.weblate.smtp.passwordFile | Location of a file containing the SMTP password
|
| virtualisation.xen.store.settings.conflict.burstLimit | Limits applied to domains whose writes cause other domains' transaction
commits to fail
|
| services.chatgpt-retrieval-plugin.datastore | This specifies the vector database provider you want to use to store and query embeddings.
|
| services.pleroma.secretConfigFile | Path to the file containing your secret pleroma configuration.
DO NOT POINT THIS OPTION TO THE NIX
STORE, the store being world-readable, it'll
compromise all your secrets.
|
| services.anuko-time-tracker.nginx.basicAuth | Basic Auth protection for a vhost
|
| programs.tmux.secureSocket | Store tmux socket under /run, which is more secure than /tmp, but as a
downside it doesn't survive user logout.
|
| services.nginx.virtualHosts.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.thanos.downsample.objstore.config-file | Path to YAML file that contains object store configuration
|
| services.gns3-server.auth.passwordFile | A file containing the password to access the GNS3 Server.
This should be a string, not a nix path, since nix paths
are copied into the world-readable nix store.
|
| services.bookstack.nginx.basicAuth | Basic Auth protection for a vhost
|
| virtualisation.writableStore | If enabled, the Nix store in the VM is made writable by
layering an overlay filesystem on top of the host's Nix
store
|
| services.pict-rs.dataDir | The directory where to store the uploaded images & database.
|
| boot.iscsi-initiator.extraConfigFile | Append an additional file's contents to /etc/iscsid.conf
|
| virtualisation.xen.store.settings.conflict.maxHistorySeconds | Limits applied to domains whose writes cause other domains' transaction
commits to fail
|
| services.gitea.database.password | The password corresponding to database.user
|
| system.checks | Packages that are added as dependencies of the system's build, usually
for the purpose of validating some part of the configuration
|
| services.below.dirs.log | Where to store below's logs
|
| services.dokuwiki.sites.<name>.acl | Access Control Lists: see https://www.dokuwiki.org/acl
Mutually exclusive with services.dokuwiki.aclFile
Set this to a value other than null to take precedence over aclFile option
|
| services.openiscsi.extraConfigFile | Append an additional file's contents to /etc/iscsid.conf
|
| services.jirafeau.nginxConfig.basicAuth | Basic Auth protection for a vhost
|
| services.cfssl.tlsKey | Other endpoint's CA private key
|
| programs.chromium.extensions | List of chromium extensions to install
|
| services.zabbixWeb.nginx.virtualHost.basicAuth | Basic Auth protection for a vhost
|
| services.webdav.settings | Attrset that is converted and passed as config file
|
| services.boinc.dataDir | The directory in which to store BOINC's configuration and data files.
|
| virtualisation.oci-containers.containers.<name>.imageStream | Path to a script that streams the desired image on standard output
|
| services.veilid.settings.core.protected_store.directory | The filesystem directory to store your protected store in.
|
| services.pict-rs.repoPath | The directory where to store the database
|
| services.metabase.ssl.keystore | Java KeyStore file containing the certificates.
|
| services.pgadmin.emailServer.passwordFile | Password for SMTP email account
|
| services.netbird.server.coturn.password | The password of the user used by netbird to connect to the coturn server
|
| services.gitea.dump.type | Archive format used to store the dump file.
|
| services.davis.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.slskd.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.movim.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| programs.nncp.settings | NNCP configuration, see
http://www.nncpgo.org/Configuration.html
|
| services.firezone.server.smtp.passwordFile | File containing the password for the given username
|
| services.snipe-it.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.cfssl.caBundle | Path to root certificate store.
|
| services.discourse.redis.passwordFile | File containing the Redis password
|
| services.ttyd.keyFile | SSL key file path
|
| services.mchprs.dataDir | Directory to store MCHPRS database and other state/data files.
|
| services.discourse.admin.passwordFile | A path to a file containing the admin user's password
|
| services.cfssl.intBundle | Path to intermediate certificate store.
|
| services.murmur.stateDir | Directory to store data for the server.
|
| services.zammad.secretKeyBaseFile | The path to a file containing the
secret_key_base secret
|
| services.gancio.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.fedimintd.<name>.nginx.config.basicAuth | Basic Auth protection for a vhost
|
| services.fluidd.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.akkoma.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.matomo.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.monica.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file.
|
| virtualisation.xen.store.settings.conflict.rateLimitIsAggregate | If the conflict.rateLimitIsAggregate option is true, then after each
tick one point of conflict-credit is given to just one domain: the
one at the front of the queue
|
| services.tsidp.environmentFile | Path to an environment file loaded for the tsidp service
|
| services.redsocks.redsocks.*.password | Password to send to proxy
|
| services.dashy.settings | Settings serialized into user-data/conf.yml before build
|
| services.seafile.dataDir | Path in which to store user data
|
| services.invidious.extraSettingsFile | A file including Invidious settings
|
| services.biboumi.settings.password | The password used to authenticate the XMPP component to your XMPP server
|
| services.pocket-id.dataDir | The directory where Pocket ID will store its data, such as the database when using SQLite.
|
| security.dhparams.stateful | Whether generation of Diffie-Hellman parameters should be stateful or
not
|
| services.ncps.cache.dataPath | The local directory for storing configuration and cached store paths
|
| virtualisation.additionalPaths | A list of paths whose closure should be made available to
the VM
|
| services.homer.settings | Settings serialized into config.yml before build
|
| services.graylog.dataDir | Directory used to store Graylog server state.
|
| services.k3s.token | The k3s token to use when connecting to a server.
WARNING: This option will expose your token unencrypted in the world-readable nix store
|
| services.roundcube.database.password | Password for the postgresql connection
|
| services.grafana.settings.smtp.password | Password used for authentication
|
| services.changedetection-io.datastorePath | The directory used to store all data for changedetection-io.
|
| services.openvpn.servers.<name>.authUserPass | This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method
|
| programs.neovim.configure | Generate your init file from your list of plugins and custom commands
|
| services.fediwall.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.kanboard.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.librenms.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.dolibarr.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.agorakit.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.mainsail.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.pixelfed.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.mjolnir.dataPath | The directory the bot should store various bits of information in.
|
| services.limesurvey.nginx.virtualHost.basicAuth | Basic Auth protection for a vhost
|
| services.rke2.token | The rke2 token to use when connecting to a server.
WARNING: This option will expose your token unencrypted in the world-readable nix store
|
| services.murmur.logDays | How long to store RPC logs for in the database
|
| services.pocket-id.credentials | Environment variables which are loaded from the contents of the specified file paths
|
| services.cfssl.configFile | Path to configuration file
|
| services.radicle.httpd.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.forgejo.dump.type | Archive format used to store the dump file.
|
| services.gitea.lfs.contentDir | Where to store LFS files.
|
| services.memos.dataDir | Specifies the directory where Memos will store its data.
|
| services.discourse.database.passwordFile | File containing the Discourse database user password
|
| services.ncps.cache.hostName | The hostname of the cache server. This is used to generate the
private key used for signing store paths (.narinfo)
|
| services.guix.stateDir | The state directory where Guix service will store its data such as its
user-specific profiles, cache, and state files.
Changing it to something other than the default will rebuild the
package.
|
| services.anuko-time-tracker.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| system.build.toplevel | This option contains the store path that typically represents a NixOS system
|
| services.blockbook-frontend.<name>.rpc.password | RPC password for JSON-RPC connections
|
| services.nginx.virtualHosts.<name>.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.bookstack.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.discourse.secretKeyBaseFile | The path to a file containing the
secret_key_base secret
|
| services.ncps.cache.maxSize | The maximum size of the store
|
| services.certmgr.specs | Certificate specs as described by:
https://github.com/cloudflare/certmgr#certificate-specs
These will be added to the Nix store, so they will be world readable.
|
| services.discourse.mail.outgoing.passwordFile | A file containing the password of the SMTP server account
|
| services.hydra.useSubstitutes | Whether to use binary caches for downloading store paths
|
| services.pocket-id.environmentFile | Path to an environment file to be loaded
|
| users.users.<name>.password | Specifies the (clear text) password for the user
|
| services.mattermost.database.password | Password for local Mattermost database user
|
| image.repart.verityStore.enable | Whether to enable building images with a dm-verity protected nix store.
|
| services.jirafeau.nginxConfig.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.artalk.allowModify | Allow Artalk to store the settings in the config file persistently
|
| services.zabbixWeb.nginx.virtualHost.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.aria2.settings.dir | Directory to store downloaded files.
|
| services.mailhog.storage | Store mails on disk or in memory.
|
| services.dovecot2.mailUser | Default user to store mail for virtual users.
|
| services.tt-rss.database.type | Database to store feeds
|
| programs.msmtp.accounts | Named accounts and their respective configurations
|
| services.misskey.reverseProxy.webserver.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.pingvin-share.dataDir | The path to the data directory in which Pingvin Share will store its data.
|
| services.bitlbee.configDir | Specify an alternative directory to store all the per-user configuration
files.
|
| networking.wg-quick.interfaces.<name>.privateKey | Base64 private key generated by wg genkey
|
| services.wasabibackend.rpc.password | RPC password for the bitcoin endpoint
|
| nix.optimise.automatic | Automatically run the nix store optimiser at a specific time.
|
| services.etebase-server.dataDir | Directory to store the Etebase server data.
|
| services.prometheus.exporters.nut.passwordPath | A run-time path to the nutUser password file, which should be
provisioned outside of Nix store.
|
| services.grafana.settings.database.password | The database user's password (not applicable for sqlite3)
|
| services.mqtt2influxdb.mqtt.password | MQTT password
|
| services.froide-govplan.dataDir | Directory to store the Froide-Govplan server data.
|
| services.guix.publish.enable | Whether to enable substitute server for your Guix store directory.
|
| services.paperless.dataDir | Directory to store the Paperless data.
|
| services.sickbeard.dataDir | Path where to store data files.
|
| services.dovecot2.mailGroup | Default group to store mail for virtual users.
|
| services.nar-serve.domain | When set, enables the feature of serving .
on top of /nix/store/-
|
| services.logstash.dataDir | A path to directory writable by logstash that it uses to store data
|
| services.node-red.userDir | The directory to store all user data, such as flow and credential files and all library data
|
| services.forgejo.lfs.contentDir | Where to store LFS files.
|
| services.sonarr.dataDir | The Sonarr home directory used to store all data
|
| users.extraUsers.<name>.password | Specifies the (clear text) password for the user
|
| services.alloy.configPath | Alloy configuration file/directory path
|
| services.vlagent.enable | Whether to enable VictoriaMetrics's vlagent.
vlagent is a tiny agent which helps you collect logs from various sources and store them in VictoriaLogs.
|
| services.prosody.modules.mam | Store messages in an archive and allow users to access it
|
| programs.ssh.knownHosts.<name>.publicKeyFile | The path to the public key file for the host
|
| services.influxdb2.provision.users.<name>.passwordFile | Password for the user
|
| services.stash.sessionStoreKeyFile | Path to file containing a secret for session store.
|
| services.fedimintd.<name>.nginx.config.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.paperless.mediaDir | Directory to store the Paperless documents.
|
| services.go-neb.secretFile | Environment variables from this file will be interpolated into the
final config file using envsubst with this syntax: $ENVIRONMENT
or ${VARIABLE}
|
| services.cadvisor.storageDriverPasswordFile | File that contains the cadvisor storage driver password.
storageDriverPasswordFile takes precedence over storageDriverPassword
Warning: when storageDriverPassword is non-empty this defaults to a file in the
world-readable Nix store that contains the value of storageDriverPassword
|
| services.prometheus.exporters.mysqld.configFile | Path to the services config file
|
| services.atuin.maxHistoryLength | The max length of each history item the atuin server should store.
|
| services.syncplay.motd | Text to display when users join
|
| services.knot.keyFiles | A list of files containing additional configuration
to be included using the include directive
|
| services.k3s.agentToken | The k3s token agents can use to connect to the server
|
| services.turn-rs.secretFile | Environment variables from this file will be interpolated into the
final config file using envsubst with this syntax: $ENVIRONMENT or
${VARIABLE}
|
| services.influxdb2.provision.initialSetup.passwordFile | Password for primary user
|
| services.thanos.rule.enable | Whether to enable the Thanos ruler service which evaluates Prometheus rules against given Query nodes, exposing Store API and storing old blocks in bucket.
|
| services.thanos.query.enable | Whether to enable the Thanos query node exposing PromQL enabled Query API with data retrieved from multiple store nodes.
|
| services.syncplay.statsDBFile | Path to SQLite database file to store stats
|
| services.prosody.dataDir | The prosody home directory used to store all data
|
| services.athens.downloadMode | Defines how Athens behaves when a module@version
is not found in storage
|
| services.prometheus.exporters.snmp.enableConfigCheck | Whether to run a correctness check for the configuration file
|
| services.longview.apiKey | Longview API key
|
| services.prometheus.exporters.pve.configFile | Path to the service's config file
|
| services.cfssl.mutualTlsClientKey | Mutual TLS - client key to call remote instance requiring client certs
|
| services.syncplay.roomsDBFile | Path to SQLite database file to store room states
|
| services.ncps.cache.storage.local | The local directory for storing configuration and cached store
paths
|
| services.cfssl.responderKey | Private key for OCSP responder certificate
|
| services.postgrey.privacy | Store data using one-way hash functions (SHA1)
|
| services.mautrix-discord.environmentFile | File containing environment variables to substitute when copying the configuration
out of Nix store to the services.mautrix-discord.dataDir
|
| services.ncps.cache.lru.schedule | The cron spec for cleaning the store to keep it under
config.ncps.cache.maxSize
|
| services.rke2.agentToken | The rke2 token agents can use to connect to the server
|
| services.journald.storage | Controls where to store journal data
|
| virtualisation.docker.liveRestore | Alias of virtualisation.docker.daemon.settings.live-restore.
|
| services.headphones.dataDir | Path where to store data files.
|
| services.rss-bridge.config.FileCache.path | Directory where to store cache files (if cache.type = "file").
|
| services.rmfakecloud.environmentFile | Path to an environment file loaded for the rmfakecloud service
|
| services.teamspeak3.logPath | Directory to store log files in.
|
| services.nextcloud.config.objectstore.s3.key | The access key for the S3 bucket.
|
| services.pixelfed.secretFile | A secret file to be sourced for the .env settings
|
| services.mautrix-discord.dataDir | Directory to store the bridge's configuration and database files
|
| services.pgbackrest.commands.restore | Options for the 'restore' command
|
| services.limesurvey.nginx.virtualHost.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| boot.loader.grub.users | User accounts for GRUB
|
| services.traefik.dataDir | Location for any persistent data Traefik creates, such as the ACME certificate store.
If left as the default value, this directory will automatically be created
before the Traefik server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions.
|
| nix.buildMachines.*.sshKey | The path to the SSH private key with which to authenticate on
the build machine
|
| networking.wireguard.interfaces.<name>.privateKey | Base64 private key generated by wg genkey
|
| services.mqtt2influxdb.influxdb.password | Password for InfluxDB login
|
| services.slurm.extraConfigPaths | Slurm expects config files for plugins in the same path
as slurm.conf
|
| services.librechat.dataDir | Absolute path that the LibreChat server will use as its data directory to store logs, user uploads, and generated images.
|
| services.nextcloud.config.objectstore.s3.useSsl | Use SSL for objectstore access.
|
| services.nextcloud.config.objectstore.s3.port | Required for some non-Amazon implementations.
|
| services.thanos.compact.enable | Whether to enable the Thanos compactor which continuously compacts blocks in an object store bucket.
|
| services.gammu-smsd.backend.service | Service to use to store sms data.
|
| services.ghostunnel.servers.<name>.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.outline.redisUrl | Connection to a redis server
|
| services.selfoss.database.type | Database to store feeds
|
| services.szurubooru.dataDir | The path to the data directory in which Szurubooru will store its data.
|
| services.teamspeak3.dataDir | Directory to store TS3 database and other state/data files.
|
| services.hebbot.botPasswordFile | A path to the password file for your bot
|
| services.syncplay.salt | Salt to allow room operator passwords generated by this server
instance to still work when the server is restarted
|
| services.resilio.storagePath | Where BitTorrent Sync will store its database files (containing
things like username info and licenses)
|
| services.snmpd.configText | The contents of the snmpd.conf
|
| security.ipa.offlinePasswords | Whether to store offline passwords when the server is down.
|
| services.podgrab.dataDirectory | Directory to store downloads.
|
| services.gitolite.dataDir | The gitolite home directory used to store all repositories
|
| services.cfssl.metadata | Metadata file for root certificate presence
|
| services.nextcloud.config.objectstore.s3.bucket | The name of the S3 bucket.
|
| services.cross-seed.settingsFile | Path to a JSON file containing settings that will be merged with the
settings option
|
| services.crowdsec-firewall-bouncer.settings.api_key | API key to authenticate with a local crowdsec API
|
| services.minecraft-server.dataDir | Directory to store Minecraft database and other state/data files.
|
| services.shellhub-agent.privateKey | Location where to store the ShellHub Agent private
key.
|
| services.nextcloud.config.objectstore.s3.region | Required for some non-Amazon implementations.
|
| services.lidarr.settings | Attribute set of arbitrary config options
|
| services.cross-seed.settings | Configuration options for cross-seed
|
| services.sonarr.settings | Attribute set of arbitrary config options
|
| services.radarr.settings | Attribute set of arbitrary config options
|
| services.immich.mediaLocation | Directory used to store media files
|
| services.patroni.namespace | Path within the configuration store where Patroni will keep information about the cluster.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| services.prometheus.exporters.blackbox.enableConfigCheck | Whether to run a correctness check for the configuration file
|
| services.vault.storageConfig | HCL configuration to insert in the storageBackend section
|
| services.typesense.apiKeyFile | Sets the admin api key for typesense
|
| services.zitadel.extraStepsPaths | A list of paths to extra steps files
|
| services.xtreemfs.dir.extraConfig | Configuration of XtreemFS DIR service
|
| services.xtreemfs.osd.extraConfig | Configuration of XtreemFS OSD service
|
| services.xtreemfs.mrc.extraConfig | Configuration of XtreemFS MRC service
|
| services.couchdb.extraConfigFiles | Extra configuration files
|
| services.tahoe.nodes.<name>.client.shares.total | The number of shares required to store a file.
|
| services.scollector.bosunHost | Host and port of the bosun server that will store the collected
data.
|
| services.nextcloud.config.objectstore.s3.secretFile | The full path to a file that contains the access secret.
|
| services.gokapi.settingsFile | Path to config file to parse and append to settings
|
| services.mautrix-meta.instances.<name>.environmentFile | File containing environment variables to substitute when copying the configuration
out of Nix store to the services.mautrix-meta.dataDir
|
| services.icecream.daemon.cacheLimit | Maximum size in Megabytes of cache used to store compile environments of compile clients.
|
| services.stalwart.settings | Configuration options for the Stalwart server
|
| services.tahoe.nodes.<name>.client.shares.happy | The number of distinct storage nodes required to store
a file.
|
| services.fider.database.url | URI to use for the main PostgreSQL database
|
| services.godns.loadCredential | This can be used to pass secrets to the systemd service without adding
them to the nix store.
|
| services.warpgate.settings.ssh.keys | Path to store SSH host & client keys.
|
| services.gammu-smsd.backend.sql.database | Database name to store sms data
|
| services.buildbot-worker.workerPassFile | File used to store the Buildbot Worker password
|
| services.fedimintd.<name>.dataDir | Path to the data dir fedimintd will use to store its data
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.immich.secretsFile | Path of a file with extra environment variables to be loaded from disk
|
| services.readarr.settings | Attribute set of arbitrary config options
|
| services.prometheus.exporters.pve.environmentFile | Path to the service's environment file
|
| services.netbird.clients.<name>.dir.state | A state directory used by NetBird client to store config.json, state.json & resolv.conf.
|
| services.netbird.tunnels.<name>.dir.state | A state directory used by NetBird client to store config.json, state.json & resolv.conf.
|
| services.hadoop.hdfs.datanode.dataDirs.*.path | Determines where on the local filesystem a data node should store its blocks.
|
| services.nextcloud.config.objectstore.s3.hostname | Required for some non-Amazon implementations.
|
| services.nextcloud.config.objectstore.s3.usePathStyle | Required for some non-Amazon S3 implementations
|
| boot.loader.grub.users.<name>.hashedPassword | Specifies the password hash for the account,
generated with grub-mkpasswd-pbkdf2
|
| security.dhparams.params.<name>.path | The resulting path of the generated Diffie-Hellman parameters
file for other services to reference
|
| services.prometheus.stateDir | Directory below /var/lib to store Prometheus metrics data
|
| services.sourcehut.builds.images | Images for builds.sr.ht
|
| services.ncps.upstream.publicKeys | A list of public keys of upstream caches in the format
host[-[0-9]*]:public-key
|
| services.powerdns.secretFile | Environment variables from this file will be interpolated into the
final config file using envsubst with this syntax: $ENVIRONMENT
or ${VARIABLE}
|
| services.usbguard.restoreControllerDeviceState | The USBGuard daemon modifies some attributes of controller
devices like the default authorization state of new child device
instances
|
| services.borgbackup.repos.<name>.path | Where to store the backups
|
| services.nextcloud.config.objectstore.s3.enable | Whether to enable S3 object storage as primary storage
|
| services.olivetin.extraConfigFiles | Config files to merge into the settings defined in services.olivetin.settings
|
| services.stalwart-mail.settings | Configuration options for the Stalwart email server
|
| services.minidlna.settings.db_dir | Specify the directory to store database and album art cache.
|
| services.kubernetes.secretsPath | Default location for kubernetes secrets
|
| services.firezone.relay.tokenFile | A file containing the firezone relay token
|
| fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| services.weblate.djangoSecretKeyFile | Location of the Django secret key
|
| services.longview.mysqlPassword | The password corresponding to mysqlUser
|
| services.prowlarr.settings | Attribute set of arbitrary config options
|
| services.whisparr.settings | Attribute set of arbitrary config options
|
| services.quake3-server.baseq3 | Path to the baseq3 files (pak*.pk3)
|
| services.pds.settings.PDS_DATA_DIRECTORY | Directory to store state
|
| services.pyload.downloadDirectory | Directory to store downloads.
|
| security.apparmor.enableCache | Whether to enable caching of AppArmor policies
in /var/cache/apparmor/
|
| services.nextcloud.config.objectstore.s3.sseCKeyFile | If provided this is the full path to a file that contains the key
to enable [server-side encryption with customer-provided keys][1]
(SSE-C)
|
| services.searx.settingsFile | The path of the Searx server settings.yml file
|
| services.cassandra.jmxRoles | Roles that are allowed to access the JMX (e.g. nodetool)
BEWARE: The passwords will be stored world readable in the nix store
|
| services.outline.databaseUrl | URI to use for the main PostgreSQL database
|
| services.cross-seed.settings.torrentDir | Directory containing torrent files, or if you're using a torrent
client integration and injection - your torrent client's .torrent
file store/cache.
|
| services.moodle.initialPassword | Specifies the initial password for the admin, i.e. the password assigned if the user does not already exist
|
| services.graylog.messageJournalDir | The directory which will be used to store the message journal
|
| services.zitadel.settings.TLS.Key | The TLS certificate private key, as a base64-encoded string
|
| boot.initrd.systemd.suppressedStorePaths | Store paths specified in the storePaths option that
should not be copied.
|
| services.zitadel.settings.TLS.Cert | The TLS certificate, as a base64-encoded string
|
| services.k3s.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.postfix.masterConfig.<name>.chroot | Whether the service is chrooted to have only access to the
services.postfix.queueDir and the closure of
store paths specified by the program option.
|
| services.homebridge.userStoragePath | Path to store homebridge user files (needs to be writeable).
|
| services.tor.relay.onionServices.<name>.path | Path where to store the data files of the hidden service
|
| services.nextcloud.autoUpdateApps.enable | Run a regular auto-update of all apps installed from the Nextcloud app store.
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.ncps.cache.upstream.publicKeys | A list of public keys of upstream caches in the format
host[-[0-9]*]:public-key
|
| services.draupnir.settings.dataPath | The path Draupnir will store its state/data in.
This option is read-only.
If you want to customize where this data is stored, use a bind mount.
|
| services.biboumi.settings.db_name | The name of the database to use
|
| services.thanos.downsample.enable | Whether to enable the Thanos downsampler which continuously downsamples blocks in an object store bucket.
|
| services.artalk.settings | The artalk configuration
|
| services.journalbeat.stateDir | Directory below /var/lib/ to store journalbeat's
own logs and other data
|
| services.gitlab.secrets.dbFile | A file containing the secret used to encrypt variables in
the DB
|
| virtualisation.docker.daemon.settings.live-restore | Allow dockerd to be restarted without affecting running containers
|
| services.gitlab.secrets.jwsFile | A file containing the secret used to encrypt session
keys
|
| services.rke2.autoDeployCharts.<name>.values | Override default chart values via Nix expressions
|
| services.redis.servers.<name>.masterAuth | If the master is password protected (using the requirePass configuration)
it is possible to tell the slave to authenticate before starting the replication synchronization
process, otherwise the master will refuse the slave request.
(STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
|
| services.healthchecks.settings | Environment variables which are read by healthchecks (local)_settings.py
|
| services.buildkite-agents.<name>.tokenPath | The token from your Buildkite "Agents" page
|
| services.zitadel.extraSettingsPaths | A list of paths to extra settings files
|
| services.thanos.rule.tracing.config | Tracing configuration
|
| services.zwave-js.settings | Configuration settings for the generated config file
|
| services.moodle.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.nagios.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.firezone.gateway.tokenFile | A file containing the firezone gateway token
|
| services.jenkins.jobBuilder.accessToken | User token in Jenkins used to reload config
|
| programs.singularity.enableExternalLocalStateDir | Whether to use top-level directories as LOCALSTATEDIR
instead of the store path ones
|
| services.bepasty.servers.<name>.secretKey | server secret for safe session cookies, must be set
|
| services.healthchecks.settingsFile | Environment variables which are read by healthchecks (local)_settings.py
|
| boot.loader.generationsDir.copyKernels | Whether to copy the necessary boot files into /boot, so
/nix/store is not needed by the boot loader.
|
| services.gitlab.secrets.otpFile | A file containing the secret used to encrypt secrets for OTP
tokens
|
| services.rustus.info_storage.dir | directory to store info about uploads
|
| services.komodo-periphery.passkeys | Passkeys required to access the periphery API
|
| services.nginx.logError | Configures logging
|
| services.thanos.query.tracing.config | Tracing configuration
|
| services.prometheus.exporters.idrac.configurationPath | Path to the service's config file
|
| services.open-webui.environmentFile | Environment file to be passed to the systemd service
|
| services.matrix-synapse.settings.pid_file | The file to store the PID in.
|
| services.silverbullet.spaceDir | Folder to store Silverbullet's space/workspace
|
| services.crossfire-server.stateDir | Where to store runtime data (save files, persistent items, etc)
|
| services.gatus.environmentFile | File to load as environment file
|
| services.gitlab.initialRootPasswordFile | File containing the initial password of the root account if
this is a new install
|
| services.gitlab.databasePasswordFile | File containing the GitLab database user password
|
| services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory
|
| services.rabbitmq.unsafeCookie | Erlang cookie is a string of arbitrary length which must
be the same for several nodes to be allowed to communicate
|
| services.linyaps.webStoreInstallerPackage | The linyaps-web-store-installer package to use.
|
| services.keepalived.secretFile | Environment variables from this file will be interpolated into the
final config file using envsubst with this syntax: $ENVIRONMENT
or ${VARIABLE}
|
| services.bcg.environmentFiles | File to load as environment file
|
| services.hadoop.yarn.nodemanager.localDir | List of directories to store localized files in.
|
| services.scrutiny.settings.web.influxdb.org | InfluxDB organisation under which to store data.
|
| boot.loader.systemd-boot.xbootldrMountPoint | Where the XBOOTLDR partition is mounted
|
| services.writefreely.database.name | The name of the database to store data in.
|
| services.prefect.databasePasswordFile | path to a file containing e.g.:
DBPASSWORD=supersecret
stored outside the nix store, read by systemd as EnvironmentFile.
|
| services.garage.settings.data_dir | The directory in which Garage will store the data blocks of objects
|
| services.pgadmin.initialPasswordFile | Initial password file for the pgAdmin account
|
| services.openvpn.servers.<name>.authUserPass.username | The username to store inside the credentials file.
|
| services.actual.settings.serverFiles | The server will put an account.sqlite file in this directory, which will contain the (hashed) server password, a list of all the budget files the server knows about, and the active session token (along with anything else the server may want to store in the future).
|
| services.matrix-synapse.extraConfigFiles | Extra config files to include
|
| services.victorialogs.stateDir | Directory below /var/lib to store VictoriaLogs data
|
| services.postfix.settings.master.<name>.chroot | Whether the service is chrooted to have only access to the
services.postfix.queueDir and the closure of
store paths specified by the program option.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.litellm.environmentFile | Environment file to be passed to the systemd service
|
| services.orthanc.environmentFile | Environment file to be passed to the systemd service
|
| services.gitlab.secrets.secretFile | A file containing the secret used to encrypt variables in
the DB
|
| services.userborn.static | Whether to generate the password files at build time and store them directly
in the system closure, without requiring any services at boot time
|
| services.taskchampion-sync-server.dataDir | Directory in which to store data
|
| services.bluesky-pds.settings.PDS_DATA_DIRECTORY | Directory to store state
|
| services.rathole.credentialsFile | Path to a TOML file to be merged with the settings
|
| services.ghostunnel.servers.<name>.cacert | Path to CA bundle file (PEM/X509)
|
| services.zabbixWeb.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.beszel.hub.environmentFile | Environment file to be passed to the systemd service
|
| services.ntfy-sh.environmentFile | Path to a file containing extra ntfy environment variables in the systemd EnvironmentFile
format
|
| boot.loader.grub.mirroredBoots.*.efiBootloaderId | The id of the bootloader to store in efi nvram
|
| services.buildkite-agents.<name>.privateSshKeyPath | OpenSSH private key
A run-time path to the key file, which is supposed to be provisioned
outside of Nix store.
|
| virtualisation.mountHostNixStore | Mount the host Nix store as a 9p mount.
|
| services.thanos.compact.tracing.config | Tracing configuration
|
| services.thanos.sidecar.tracing.config | Tracing configuration
|
| services.thanos.receive.tracing.config | Tracing configuration
|
| services.kanidm.provision.adminPasswordFile | Path to a file containing the admin password for kanidm
|
| services.chhoto-url.environmentFiles | Files to load environment variables from in addition to services.chhoto-url.settings
|
| services.paperless.exporter.directory | Directory to store export.
|
| services.bepasty.servers.<name>.secretKeyFile | A file that contains the server secret for safe session cookies, must be set.
secretKeyFile takes precedence over secretKey
|
| services.drupal.sites.<name>.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.gemstash.settings.base_path | Path to store the gem files and the sqlite database
|
| services.grafana.settings.security.admin_password | Default admin password
|
| networking.dhcpcd.persistent | Whether to leave interfaces configured on dhcpcd daemon
shutdown
|
| services.zipline.environmentFiles | Files to load environment variables from (in addition to services.zipline.settings)
|
| services.beszel.agent.environment | Environment variables for configuring the beszel-agent service
|
| services.umami.settings.APP_SECRET_FILE | A file containing a secure random string
|
| services.scrutiny.settings.web.influxdb.bucket | InfluxDB bucket in which to store data.
|
| services.healthchecks.dataDir | The directory used to store all data for healthchecks.
If left as the default value this directory will automatically be created before
the healthchecks server starts, otherwise you are responsible for ensuring the
directory exists with appropriate ownership and permissions.
|
| services.dendrite.loadCredential | This can be used to pass secrets to the systemd service without adding them to
the nix store
|
| services.gitlab.secrets.activeRecordSaltFile | A file containing the salt for active record encryption in the DB
|
| services.docling-serve.environmentFile | Environment file to be passed to the systemd service
|
| services.sourcehut.settings."pages.sr.ht".gemini-certs | An absolute file path (which should be outside the Nix-store)
to Gemini certificates.
|
| systemd.network.netdevs.<name>.wireguardPeers | Each item in this array specifies an option in the
[WireGuardPeer] section of the unit
|
| nixpkgs.flake.setFlakeRegistry | Whether to pin nixpkgs in the system-wide flake registry (/etc/nix/registry.json) to the
store path of the sources of nixpkgs used to build the NixOS system
|
| services.trilium-server.environmentFile | File to load as the environment file
|
| nix.settings.sandbox | If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build
|
| services.strongswan-swanctl.includes | Extra configuration files to include in the swanctl configuration
|
| services.linkwarden.storageLocation | Directory used to store media files
|
| services.firezone.headless-client.tokenFile | A file containing the firezone client token
|
| services.linkwarden.secretFiles | Attribute set containing paths to files to add to the environment of linkwarden
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.slskd.environmentFile | Path to the environment file sourced on startup
|
| services.matrix-synapse.settings.media_store_path | Directory where uploaded images and attachments are stored.
|
| services.sharkey.environmentFiles | List of paths to files containing environment variables for Sharkey to use at runtime
|
| services.hostapd.radios.<name>.networks.<name>.macDeny | Specifies the MAC addresses to deny if macAcl is set to "deny" or "radius"
|
| services.warpgate.settings.recordings.path | Path to store session recordings.
|
| services.matterbridge.configFile | WARNING: THIS IS INSECURE, as your password will end up in
/nix/store, thus publicly readable
|
| networking.nftables.checkRuleset | Run nft check on the ruleset to spot syntax errors during build
|
| services.biboumi.credentialsFile | Path to a configuration file to be merged with the settings
|
| boot.initrd.network.ssh.hostKeys | Specify SSH host keys to import into the initrd
|
| services.munin-node.extraPlugins | Additional Munin plugins to activate
|
| systemd.network.netdevs.<name>.wireguardConfig | Each attribute in this set specifies an option in the
[WireGuard] section of the unit
|
| services.icingaweb2.resources | resources.ini contents
|
| systemd.services.<name>.confinement.enable | If set, all the required runtime store paths for this service are
bind-mounted into a tmpfs-based
chroot(2).
|
| services.discourse.mail.incoming.apiKeyFile | A file containing the Discourse API key used to add
posts and messages from mail
|
| services.pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| networking.supplicant.<name>.extraConf | Configuration options for wpa_supplicant.conf
|
| services.nextjs-ollama-llm-ui.enable | Whether to enable Simple Ollama web UI service; an easy-to-use web frontend for an Ollama backend service
|
| services.sssd.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.sourcehut.settings."sr.ht".network-key | An absolute file path (which should be outside the Nix-store)
to a secret key to encrypt internal messages with
|
| services.mjolnir.pantalaimon.options.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| services.hostapd.radios.<name>.networks.<name>.macAllow | Specifies the MAC addresses to allow if macAcl is set to "allow" or "radius"
|
| services.kanidm.provision.idmAdminPasswordFile | Path to a file containing the idm admin password for kanidm
|
| services.keycloak.settings | Configuration options corresponding to parameters set in
conf/keycloak.conf
|
| networking.wireless.networks.<name>.psk | The network's pre-shared key in plaintext defaulting
to being a network without any authentication.
Be aware that this will be written to the Nix store
in plaintext! Use pskRaw with an external
reference to keep it safe.
Mutually exclusive with pskRaw.
|
| services.duplicati.parameters | This option can be used to store some or all of the options given to the
commandline client
|
| services.openssh.knownHosts.<name>.publicKeyFile | The path to the public key file for the host
|
| services.druid.historical.segmentLocations | Locations where the historical will store its data.
|
| services.sourcehut.settings.objects.s3-secret-key | An absolute file path (which should be outside the Nix-store)
to the secret key of the S3-compatible object storage service.
|
| services.snips-sh.environmentFile | Additional environment file as defined in systemd.exec(5)
|
| services.rustus.info_storage | Info storages are used to store information about file uploads
|
| security.pki.caCertificateBlacklist | A list of blacklisted CA certificate names that won't be imported from
the Mozilla Trust Store into
/etc/ssl/certs/ca-certificates.crt
|
| services.limesurvey.encryptionKeyFile | 32-byte key used to encrypt variables in the database
|
| services.hercules-ci-agent.settings.secretsJsonPath | Path to a JSON file containing secrets for effects
|
| services.cockroachdb.maxSqlMemory | The maximum in-memory storage capacity available to store temporary
data for SQL queries
|
| services.thanos.query-frontend.tracing.config | Tracing configuration
|
| services.grafana.provision.alerting.rules.path | Path to YAML rules configuration
|
| services.wstunnel.clients.<name>.httpProxy | Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing PROXY_PASSWORD=<your-password-here> and set
this option to <user>:$PROXY_PASSWORD@<host>:<port>
|
| services.munin-node.extraAutoPlugins | Additional Munin plugins to autoconfigure, using
munin-node-configure --suggest
|
| services.telegraf.environmentFiles | File to load as environment file
|
| services.mediawiki.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.limesurvey.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.anubis.defaultOptions.policy.settings | Additional policy settings merged into the policy file
|
| services.caddy.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.glitchtip.environmentFiles | Files to load environment variables from in addition to services.glitchtip.settings
|
| services.ocis.environment | Extra config options
|
| services.authelia.instances.<name>.secrets | It is recommended you keep your secrets separate from the configuration
|
| services.cadvisor.storageDriverPassword | Cadvisor storage driver password
|
| services.mailpit.instances.<name>.database | Specify the local database filename to store persistent data
|
| services.druid.historical.segmentLocations.*.path | the path to store the segments
|
| services.stash.settings.blobs_storage | Where to store blobs
|
| services.yggdrasil.settings.PrivateKeyPath | Path to the private key file on the host system
|
| services.thanos.query.query.auto-downsampling | Enable automatic adjustment (step / 5) to what source of data should
be used in store gateways if no
max_source_resolution param is specified.
|
| services.duplicati.parametersFile | This file can be used to store some or all of the options given to the
commandline client
|
| services.workout-tracker.environmentFile | An environment file as defined in systemd.exec(5)
|
| services.libeufin.nexus.settings.nexus-ebics.BANK_PUBLIC_KEYS_FILE | Filesystem location where Nexus should store the bank public keys.
|
| services.anubis.instances.<name>.policy.settings | Additional policy settings merged into the policy file
|
| services.limesurvey.encryptionNonceFile | 24-byte nonce used to encrypt variables in the database
|
| services.hercules-ci-agent.settings.binaryCachesPath | Path to a JSON file containing binary cache secret keys
|
| virtualisation.nixStore9pCache | Type of 9p cache to use when mounting host nix store. "none" provides
no caching. "loose" enables Linux's local VFS cache. "fscache" uses Linux's
fscache subsystem
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.password | The password for this entry
|
| services.traccar.environmentFile | File containing environment variables to substitute in the configuration before starting Traccar
|
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| services.victoriatraces.stateDir | Directory below /var/lib to store VictoriaTraces data
|
| networking.wireless.networks.<name>.auth | Use this option to configure advanced authentication methods
like EAP
|
| services.wordpress.sites.<name>.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.influxdb2.provision.initialSetup.tokenFile | API Token to set for the admin user
|
| services.gitlab.secrets.activeRecordPrimaryKeyFile | A file containing the secret used to encrypt some rails data
in the DB
|
| services.mautrix-signal.environmentFile | File containing environment variables to be passed to the mautrix-signal service
|
| services.xtreemfs.dir.replication.extraConfig | Configuration of XtreemFS DIR replication plugin
|
| services.xtreemfs.mrc.replication.extraConfig | Configuration of XtreemFS MRC replication plugin
|
| services.reposilite.settings.keyPassword | Plaintext password used to unlock the Java KeyStore set in services.reposilite.settings.keyPath
|
| virtualisation.writableStoreUseTmpfs | Use a tmpfs for the writable store instead of writing to the VM's
own filesystem.
|
| services.grafana.provision.dashboards.path | Path to YAML dashboard configuration
|
| services.nullmailer.config.remotes | A list of remote servers to which to send each message
|
| services.thanos.downsample.tracing.config | Tracing configuration
|
| system.forbiddenDependenciesRegexes | POSIX Extended Regular Expressions that match store paths that
should not appear in the system closure, with the exception of system.extraDependencies, which is not checked.
|
| services.murmur.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.limesurvey.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.sourcehut.settings.mail.pgp-privkey | An absolute file path (which should be outside the Nix-store)
to an OpenPGP private key
|
| services.matrix-hookshot.registrationFile | Appservice registration file
|
| boot.initrd.network.openvpn.configuration | The configuration file for OpenVPN.
Unless your bootloader supports initrd secrets, this configuration
is stored insecurely in the global Nix store.
|
| services.pinchflat.secretsFile | Secrets like SECRET_KEY_BASE and BASIC_AUTH_PASSWORD
should be passed to the service without adding them to the world-readable Nix store
|
| services.prometheus.pushgateway.stateDir | Directory below /var/lib to store metrics
|
| services.bluesky-pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| services.prometheus.exporters.py-air-control.stateDir | Directory below /var/lib to store runtime data
|
| services.archisteamfarm.dataDir | The ASF home directory used to store all data
|
| services.sourcehut.settings."meta.sr.ht::billing".stripe-secret-key | An absolute file path (which should be outside the Nix-store)
to a secret key for Stripe
|
| services.restic.backups.<name>.rcloneConfig | Configuration for the rclone remote being used for backup
|
| services.grafana.provision.alerting.muteTimings.path | Path to YAML mute timings configuration
|
| services.chatgpt-retrieval-plugin.qdrantCollection | name of the qdrant collection used to store documents.
|
| services.kanidm.provision.systems.oauth2.<name>.basicSecretFile | The basic secret to use for this service
|
| services.step-ca.intermediatePasswordFile | Path to the file containing the password for the intermediate
certificate private key.
Make sure to use a quoted absolute path instead of a path literal
to prevent it from being copied to the globally readable Nix
store.
|
| services.sourcehut.settings."sr.ht".service-key | An absolute file path (which should be outside the Nix-store)
to a key used for encrypting session cookies
|
| services.paperless.environmentFile | Path to a file containing extra paperless config options in the systemd EnvironmentFile
format
|
| services.libeufin.nexus.settings.nexus-ebics.CLIENT_PRIVATE_KEYS_FILE | Filesystem location where Nexus should store the subscriber private keys.
|
| services.grafana.provision.alerting.policies.path | Path to YAML notification policies configuration
|
| services.grafana.provision.datasources.path | Path to YAML datasource configuration
|
| services.hercules-ci-agent.settings.clusterJoinTokenPath | Location of the cluster-join-token.key file
|
| services.mautrix-whatsapp.environmentFile | File containing environment variables to be passed to the mautrix-whatsapp service
|
| systemd.services.<name>.confinement.fullUnit | Whether to include the full closure of the systemd unit file into the
chroot, instead of just the dependencies for the executables.
While it may be tempting to just enable this option to
make things work quickly, please be aware that this might add paths
to the closure of the chroot that you didn't anticipate
|
| networking.wireless.secretsFile | File consisting of lines of the form varname=value
to define variables for the wireless configuration
|
| services.victoriametrics.stateDir | Directory below /var/lib to store VictoriaMetrics metrics data
|
| networking.wireless.networks.<name>.pskRaw | Either the raw pre-shared key in hexadecimal format
or the name of the secret (as defined inside
networking.wireless.secretsFile and prefixed
with ext:) containing the network pre-shared key.
Be aware that this will be written to the Nix store
in plaintext! Always use an external reference.
The external secret can be either the plaintext
passphrase or the raw pre-shared key.
Mutually exclusive with psk and auth.
|
| services.suricata.settings.outputs | Configure the type of alert (and other) logging you would like
|
| services.grafana.provision.alerting.contactPoints.path | Path to YAML contact points configuration
|
| services.pantalaimon-headless.instances.<name>.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| virtualisation.podman.networkSocket.tls.key | Path to the private key corresponding to the server certificate
|
| services.immichframe.settings.Accounts.*.ApiKey | API key to talk to the Immich server
|
| services.grafana.provision.alerting.templates.path | Path to YAML templates configuration
|
| services.tarsnap.keyfile | The keyfile which associates this machine with your tarsnap
account
|
| services.tarsnap.archives.<name>.keyfile | Set a specific keyfile for this archive
|
| services.veilid.settings.core.capabilities.disable | A list of capabilities to disable (for example, DHTV to say you cannot store DHT information).
|
| services.hedgedoc.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.linkwarden.environmentFile | Path of a file with extra environment variables to be loaded from disk
|
| services.gitolite.extraGitoliteRc | Extra configuration to append to the default ~/.gitolite.rc
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.sourcehut.settings.webhooks.private-key | An absolute file path (which should be outside the Nix-store)
to a base64-encoded Ed25519 key for signing webhook payloads
|
| services.lubelogger.environmentFile | Path to a file containing extra LubeLogger config options in the systemd EnvironmentFile format
|
| services.journald.remote.settings.Remote.ServerKeyFile | A path to an SSL secret key file in PEM format
|
| services.teeworlds.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.journald.rateLimitBurst | Configures the rate limiting burst limit (number of messages per
interval) that is applied to all messages generated on the system
|
| services.dendrite.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.transmission.credentialsFile | Path to a JSON file to be merged with the settings
|
| services.grafana.settings.security.secret_key | Secret key used for signing
|
| services.mattermost.database.fromEnvironment | Use services.mattermost.environmentFile to configure the database instead of writing the database URI
to the Nix store
|
| services.prometheus.exporters.deluge.delugePassword | Password to connect to deluge server
|
| services.prometheus.exporters.buildkite-agent.tokenPath | The token from your Buildkite "Agents" page
|
| services.peering-manager.environmentFile | Environment file as defined in systemd.exec(5)
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.cacert | Path to CA bundle file (PEM/X509)
|
| services.mattermost.environmentFile | Environment file (see systemd.exec(5)
"EnvironmentFile=" section for the syntax) which sets config options
for mattermost (see the Mattermost documentation)
|
| systemd.services.<name>.confinement.packages | Additional packages or strings with context to add to the closure of
the chroot
|
| services.prometheus.exporters.mqtt.environmentFile | File to load as environment file
|
| virtualisation.credentials.<name>.text | Text content of the credential
|
| services.fluent-bit.configurationFile | Fluent Bit configuration
|
| services.magnetico.web.credentials | The credentials to access the web interface, in case authentication is
enabled, in the format username:hash
|
| services.borgbackup.jobs.<name>.encryption.passphrase | The passphrase the backups are encrypted with
|
| services.prometheus.alertmanager-ntfy.extraConfigFiles | Config files to merge into the settings defined in services.prometheus.alertmanager-ntfy.settings
|
| virtualisation.fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| services.mqtt2influxdb.environmentFiles | File to load as environment file
|
| services.opentelemetry-collector.validateConfigFile | Whether to enable validation of the configuration file.
|
| services.geoipupdate.settings.DatabaseDirectory | The directory to store the database files in
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request
(Basic authorization type, USER:[PASS]).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing HTTP_PASSWORD=<your-password-here> and set this
option to <user>:$HTTP_PASSWORD
|
| services.nextcloud.config.objectstore.s3.verify_bucket_exists | Create the objectstore bucket if it does not exist.
|
| services.vaultwarden.environmentFile | Additional environment file or files as defined in systemd.exec(5)
|
| services.litestream.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.prometheus.exporters.restic.rcloneConfig | Configuration for the rclone remote being used for backup
|
| services.gitlab.secrets.activeRecordDeterministicKeyFile | A file containing the secret used to encrypt some rails data in a deterministic way
in the DB
|
| services.fastnetmon-advanced.enableAdvancedTrafficPersistence | Store historical flow data in ClickHouse
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.id | A unique identifier for this authentication token
|
| services.authelia.instances.<name>.environmentVariables | Additional environment variables to provide to authelia
|
| services.nipap.settings.auth.auth_cache_timeout | Seconds to store cached auth entries for.
|
| services.prometheus.exporters.snmp.environmentFile | EnvironmentFile as defined in systemd.exec(5)
|
| services.prometheus.exporters.pgbouncer.connectionString | Connection string for accessing pgBouncer
|
| services.prometheus.exporters.php-fpm.environmentFile | Environment file as defined in systemd.exec(5)
|
| virtualisation.oci-containers.containers.<name>.volumes | List of volumes to attach to this container
|
| services.amazon-cloudwatch-agent.configurationFile | Amazon CloudWatch Agent configuration file
|
| services.amazon-cloudwatch-agent.commonConfigurationFile | Amazon CloudWatch Agent common configuration
|
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPasswordFile | Sets the password for WPA-PSK
|
| services.prometheus.exporters.postgres.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.gitlab-runner.services.<name>.registrationConfigFile | Absolute path to a file with environment variables
used for gitlab-runner registration with runner registration
tokens
|
| services.grafana.provision.datasources.settings.datasources.*.secureJsonData | Datasource specific secure configuration
|
| services.gitlab-runner.services.<name>.authenticationTokenConfigFile | Absolute path to a file containing environment variables used for
gitlab-runner registrations with runner authentication tokens
|
| services.veilid.settings.core.protected_store.allow_insecure_fallback | If we can't use system-provided secure storage, should we proceed anyway?
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords | Sets allowed passwords for WPA3-SAE
|
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword | Sets the password for WPA-PSK that will be converted to the pre-shared key
|
| users.users.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswordsFile | Sets the password for WPA3-SAE
|
| users.extraUsers.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| services.veilid.settings.core.protected_store.always_use_insecure_storage | Should we bypass any attempt to use system-provided secure storage?
|
| services.sourcehut.settings."hg.sr.ht".clone_bundle_threshold | .hg/store size (in MB) past which the nightly job generates clone bundles.
|
| services.nixseparatedebuginfod2.substituters | nix substituter to fetch debuginfo from
|