| security.acme.defaults | Default values inheritable by all configured certs
|
| security.acme.certs | Attribute set of certificates to get signed and renewed
|
| security.acme.certs.<name>.inheritDefaults | Whether to inherit values set in security.acme.defaults or not.
|
| services.reposilite.useACMEHost | Host of an existing Let's Encrypt certificate to use for SSL
|
| security.acme.certs.<name>.csr | Path to a certificate signing request to apply when fetching the certificate.
|
| security.acme.certs.<name>.csrKey | Path to the private key to the matching certificate signing request.
|
| security.acme.certs.<name>.group | Group running the ACME client.
|
| security.acme.certs.<name>.keyType | Key type to use for private keys
|
| security.acme.certs.<name>.postRun | Commands to run after new certificates go live
|
| security.acme.certs.<name>.email | Email address for account creation and correspondence from the CA
|
| security.acme.certs.<name>.domain | Domain to fetch certificate for (defaults to the entry name).
|
| security.acme.certs.<name>.validMinDays | Minimum remaining validity before renewal in days.
|
| security.acme.certs.<name>.s3Bucket | S3 bucket name to use for HTTP-01 based challenges
|
| security.acme.certs.<name>.server | ACME Directory Resource URI
|
| security.acme.certs.<name>.profile | The certificate profile to choose if the CA offers multiple profiles.
|
| security.acme.certs.<name>.listenHTTP | Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT
|
| security.acme.certs.<name>.extraLegoFlags | Additional global flags to pass to all lego commands.
|
| security.acme.certs.<name>.webroot | Where the webroot of the HTTP vhost is located.
.well-known/acme-challenge/ directory
will be created below the webroot if it doesn't exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
|
| security.acme.certs.<name>.extraLegoRunFlags | Additional flags to pass to lego run.
|
| security.acme.certs.<name>.ocspMustStaple | Turns on the OCSP Must-Staple TLS extension
|
| security.acme.certs.<name>.enableDebugLogs | Whether to enable debug logging for this certificate.
|
| security.acme.certs.<name>.extraLegoRenewFlags | Additional flags to pass to lego renew.
|
| security.acme.certs.<name>.extraDomainNames | A list of extra domain names, which are included in the one certificate to be issued.
|
| security.acme.certs.<name>.dnsProvider | DNS Challenge provider
|
| security.acme.certs.<name>.dnsResolver | Set the resolver to use for performing recursive DNS queries
|
| security.acme.certs.<name>.directory | Directory where certificate and other state is stored.
|
| security.acme.certs.<name>.renewInterval | Systemd calendar expression when to check for renewal
|
| security.acme.certs.<name>.reloadServices | The list of systemd services to call systemctl try-reload-or-restart
on.
|
| security.acme.certs.<name>.credentialFiles | Environment variables suffixed by "_FILE" to set for the cert's service
for your selected dnsProvider
|
| security.acme.certs.<name>.environmentFile | Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider
|
| security.acme.certs.<name>.dnsPropagationCheck | Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available.
|
| services.etcd.certFile | Cert file to use for clients
|
| services.coturn.cert | Certificate file in PEM format.
|
| services.prosody.ssl.cert | Path to the certificate file.
|
| services.documize.cert | The cert.pem file used for https.
|
| services.pgmanage.tls.cert | TLS certificate
|
| services.flannel.etcd.certFile | Etcd cert file
|
| services.kubernetes.pki.certs | List of certificate specs to feed to cert generator.
|
| services.ttyd.certFile | SSL certificate file path.
|
| services.public-inbox.imap.cert | Path to TLS certificate to use for connections to public-inbox-imapd(1).
|
| services.public-inbox.nntp.cert | Path to TLS certificate to use for connections to public-inbox-nntpd(1).
|
| services.synergy.server.tls.cert | The TLS certificate to use for encryption.
|
| services.certspotter.startAtEnd | Whether to skip certificates issued before the first launch of Cert Spotter
|
| services.syncthing.cert | Path to the cert.pem file, which will be copied into Syncthing's
configDir.
|
| services.movim.h2o.acme.useHost | An existing Let’s Encrypt certificate to use for this virtual
host
|
| services.nebula.networks.<name>.cert | Path to the host certificate.
|
| services.galene.certFile | Path to the server's certificate
|
| services.h2o.hosts.<name>.acme.useHost | An existing Let’s Encrypt certificate to use for this virtual
host
|
| services.llama-swap.tls.certFile | Path to the TLS certificate file
|
| services.certspotter.enable | Whether to enable Cert Spotter, a Certificate Transparency log monitor.
|
| services.prosody.virtualHosts.<name>.ssl.cert | Path to the certificate file.
|
| security.tpm2.fapi.ekCertLess | A switch to disable Endorsement Key (EK) certificate verification
|
| services.certspotter.extraFlags | Extra command-line arguments to pass to Cert Spotter
|
| services.gns3-server.ssl.certFile | Path to the SSL certificate file
|
| services.syncplay.certDir | TLS certificates directory to use for encryption
|
| services.dolibarr.h2o.acme.useHost | An existing Let’s Encrypt certificate to use for this virtual
host
|
| services.journald.gateway.cert | The path to a file or AF_UNIX stream socket to read the server
certificate from
|
| services.molly-brown.certPath | Path to TLS certificate
|
| services.taskserver.pki.manual.ca.cert | Fully qualified path to the CA certificate.
Setting this option will prevent automatic CA creation and handling.
|
| services.stargazer.certOrg | The name of the organization responsible for the X.509
certificate's /O name.
|
| services.cockroachdb.certsDir | The path to the certificate directory.
|
| services.ghostunnel.servers.<name>.cert | Path to certificate (PEM with certificate chain)
|
| services.thanos.rule.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| services.maddy.tls.certificates.*.certPath | Path to the certificate used for TLS.
|
| services.thanos.query.grpc-client-tls-cert | TLS Certificates to use to identify this client to the server
|
| services.doh-server.useACMEHost | A host of an existing Let's Encrypt certificate to use.
Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using security.acme.certs.
|
| services.gitlab.registry.certFile | Path to GitLab container registry certificate.
|
| services.thanos.query.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| services.thanos.store.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| services.privoxy.certsLifetime | If inspectHttps is enabled, the time generated HTTPS
certificates will be stored in a temporary directory for reuse
|
| services.athens.storage.mongo.certPath | Path to the certificate file for the mongo database.
|
| services.taskserver.pki.manual.server.cert | Fully qualified path to the server certificate.
Setting this option will prevent automatic CA creation and handling.
|
| services.kubernetes.apiserver.etcd.certFile | Etcd cert file.
|
| services.komodo-periphery.ssl.certFile | Path to SSL certificate file.
|
| services.prometheus.exporters.node-cert.group | Group under which the node-cert exporter shall be run.
|
| services.thanos.sidecar.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| services.thanos.receive.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| services.prometheus.exporters.node-cert.enable | Whether to enable the prometheus node-cert exporter.
|
| services.prometheus.exporters.node-cert.extraFlags | Extra commandline options to pass to the node-cert exporter.
|
| services.certspotter.hooks | Scripts to run upon the detection of a new certificate
|
| services.davis.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.movim.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.slskd.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.sourcehut.settings."pages.sr.ht".gemini-certs | An absolute file path (which should be outside the Nix-store)
to Gemini certificates.
|
| security.ipa.certificate | IPA server CA certificate
|
| services.snipe-it.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| services.stargazer.certLifetime | How long certs generated by Stargazer should live for
|
| services.certspotter.package | The certspotter package to use.
|
| services.akkoma.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.gancio.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.fluidd.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.matomo.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.monica.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.librespeed.useACMEHost | Use a certificate generated by the NixOS ACME module for the given host
|
| services.portunus.ldap.tls | Whether to enable LDAPS protocol
|
| virtualisation.podman.networkSocket.tls.cert | Path to certificate describing the server.
|
| services.thanos.query-frontend.grpc-server-tls-cert | TLS Certificate for gRPC server, leave blank to disable TLS
|
| security.pki.certificates | A list of trusted root certificates in PEM format.
|
| services.dnsdist.dnscrypt.certLifetime | The lifetime (in minutes) of the resolver certificate
|
| services.wstunnel.servers.<name>.useACMEHost | Use a certificate generated by the NixOS ACME module for the given host
|
| services.librenms.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.kanboard.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.agorakit.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.dolibarr.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.fediwall.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.pixelfed.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.mainsail.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| security.pki.certificateFiles | A list of files containing trusted root certificates in PEM
format
|
| services.openssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| services.caddy.virtualHosts.<name>.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.radicle.httpd.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.certspotter.sendmailPath | Path to the sendmail binary
|
| services.moodle.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.nagios.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.cert | Path to certificate (PEM with certificate chain)
|
| services.blockbook-frontend.<name>.certFile | To enable SSL, specify path to the name of certificate files without extension
|
| services.prometheus.exporters.node-cert.port | Port to listen on.
|
| services.certspotter.watchlist | Domain names to watch
|
| services.prometheus.exporters.node-cert.user | User owning the certs.
|
| services.anuko-time-tracker.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.httpd.virtualHosts.<name>.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.nginx.virtualHosts.<name>.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.bookstack.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.certmgr.enable | Whether to enable certmgr.
|
| services.certmgr.validMin | The interval before a certificate expires to start attempting to renew it.
|
| services.prometheus.exporters.node-cert.paths | List of paths to search for SSL certificates.
|
| services.grafana.settings.smtp.cert_file | File path to a cert file.
|
| services.jirafeau.nginxConfig.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.zabbixWeb.httpd.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.zabbixWeb.nginx.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.certmgr.specs | Certificate specs as described by:
https://github.com/cloudflare/certmgr#certificate-specs
These will be added to the Nix store, so they will be world readable.
|
| services.bcg.mqtt.certfile | Certificate file for MQTT server access.
|
| services.kubernetes.kubeconfig.certFile | Default kubeconfig client certificate file used to connect to kube-apiserver.
|
| services.prometheus.exporters.pve.server.certFile | Path to a SSL certificate file for the server
|
| services.drupal.sites.<name>.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.certspotter.emailRecipients | A list of email addresses to send certificate updates to.
|
| services.certmgr.package | The certmgr package to use.
|
| services.kubernetes.proxy.kubeconfig.certFile | Kubernetes proxy client certificate file used to connect to kube-apiserver.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert | Section for a certificate candidate to use for
authentication
|
| services.fedimintd.<name>.nginx.config.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.prometheus.exporters.node-cert.excludePaths | List of paths to exclude from searching for SSL certificates.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert | Section for a certificate candidate to use for
authentication
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.slot | Optional slot number of the token that stores the certificate.
|
| services.prometheus.exporters.node-cert.listenAddress | Address to listen on.
|
| services.certmgr.metricsPort | The port for the Prometheus HTTP endpoint.
|
| services.mediawiki.httpd.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.prometheus.exporters.node-cert.excludeGlobs | List files matching a pattern to include
|
| services.prometheus.exporters.node-cert.includeGlobs | List files matching a pattern to include
|
| services.prometheus.exporters.node-cert.openFirewall | Open port in firewall for incoming connections.
|
| services.kubernetes.kubelet.kubeconfig.certFile | Kubelet client certificate file used to connect to kube-apiserver.
|
| services.limesurvey.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.slot | Optional slot number of the token that stores the certificate.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.module | Optional PKCS#11 module name.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.file | Absolute path to the certificate to load
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.module | Optional PKCS#11 module name.
|
| services.wordpress.sites.<name>.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.file | Absolute path to the certificate to load
|
| services.prometheus.exporters.node-cert.firewallRules | Specify rules for nftables to add to the input chain
when services.prometheus.exporters.node-cert.openFirewall is true.
|
| services.limesurvey.nginx.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.limesurvey.httpd.virtualHost.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.certmgr.svcManager | This specifies the service manager to use for restarting or reloading services
|
| services.misskey.reverseProxy.webserver.caddy.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.certmgr.defaultRemote | The default CA host:port to use.
|
| services.kubernetes.scheduler.kubeconfig.certFile | Kubernetes scheduler client certificate file used to connect to kube-apiserver.
|
| services.etcd.peerCertFile | Cert file to use for peer to peer communication
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.certs | List of certificates to accept for authentication
|
| services.prometheus.exporters.node-cert.firewallFilter | Specify a filter for iptables to use when
services.prometheus.exporters.node-cert.openFirewall
is true
|
| security.agnos.settings.accounts.*.certificates | Certificates for agnos to issue or renew.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.certs | List of certificate candidates to use for
authentication
|
| services.misskey.reverseProxy.webserver.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.certmgr.renewInterval | How often to check certificate expirations and how often to update the cert_next_expires metric.
|
| services.certmgr.metricsAddress | The address for the Prometheus HTTP endpoint.
|
| security.agnos.settings.accounts.*.certificates.*.domains | Domains the certificate represents
|
| services.prometheus.remoteRead.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.quassel.dataDir | The directory holding configuration files, the SQLite database and the SSL Cert.
|
| services.kubernetes.controllerManager.kubeconfig.certFile | Kubernetes controller manager client certificate file used to connect to kube-apiserver.
|
| services.prometheus.remoteWrite.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.ircdHybrid.certificate | IRCD server SSL certificate
|
| services.oauth2-proxy.tls.certificate | Path to certificate file.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacerts | List of CA certificates to accept for
authentication
|
| services.agate.certificatesDir | Root of the certificate directory.
|
| services.minio.certificatesDir | The directory where TLS certificates are stored.
|
| services.hitch.frontend | The port and interface of the listen endpoint in the
form [HOST]:PORT[+CERT].
|
| services.ghostunnel.servers.<name>.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.quassel.certificateFile | Path to the certificate used for SSL connections with clients.
|
| services.grafana.settings.server.cert_key | Path to the certificate key file (if protocol is set to https or h2).
|
| services.maddy.tls.certificates | A list of attribute sets containing paths to TLS certificates and
keys
|
| services.maddy.tls.certificates.*.keyPath | Path to the private key used for TLS.
|
| services.dendrite.tlsKey | The path to the TLS key.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.jibri.ignoreCert | Whether to enable the flag "--ignore-certificate-errors" for the Chromium browser opened by Jibri
|
| services.ghostunnel.servers.<name>.cacert | Path to CA bundle file (PEM/X509)
|
| services.dendrite.tlsCert | The path to the TLS certificate.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.namecoind.rpc.certificate | Certificate file for securing RPC connections.
|
| services.grafana.settings.server.cert_file | Path to the certificate file (if protocol is set to https or h2).
|
| services.bacula-sd.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-fd.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-dir.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.infinoted.certificateFile | Server certificate to use for TLS
|
| services.grafana.settings.database.client_cert_path | The path to the client cert
|
| services.movim.h2o.tls.identity.*.certificate-file | Path to certificate file
|
| services.sabnzbd.settings.misc.https_cert | Path to the TLS certificate for the web UI
|
| services.rkvm.server.settings.certificate | TLS certificate path.
This should be generated with rkvm-certificate-gen.
|
| services.rkvm.client.settings.certificate | TLS certificate path.
This should be generated with rkvm-certificate-gen.
|
| services.infinoted.certificateChain | Chain of CA-certificates to which our certificateFile is relative
|
| services.umurmur.settings.certificate | Path to your SSL certificate
|
| services.warpgate.settings.http.sni_certificates.*.certificate | Path to certificate.
|
| services.h2o.hosts.<name>.tls.identity.*.certificate-file | Path to certificate file
|
| services.mqtt2influxdb.mqtt.certfile | Certificate file for MQTT
|
| services.warpgate.settings.http.certificate | Path to HTTPS listener certificate.
|
| services.warpgate.settings.mysql.certificate | Path to MySQL listener certificate.
|
| services.dolibarr.h2o.tls.identity.*.certificate-file | Path to certificate file
|
| security.agnos.settings.accounts.*.certificates.*.key_output_file | Output path for the certificate private key
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.trafficserver.sslMulticert | Configure SSL server certificates to terminate the SSL sessions
|
| virtualisation.podman.networkSocket.tls.cacert | Path to CA certificate to use for client authentication.
|
| services.foundationdb.tls.certificate | Path to the TLS certificate file
|
| services.warpgate.settings.postgres.certificate | Path to PostgreSQL listener certificate.
|
| services.bacula-sd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-fd.director.<name>.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.kubernetes.pki.genCfsslAPICerts | Whether to automatically generate cfssl API webserver TLS cert and key,
if they don't exist.
|
| services.kubernetes.pki.cfsslAPIExtraSANs | Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.
|
| services.grafana.settings.database.ca_cert_path | The path to the CA certificate to use.
|
| services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.headscale.settings.tls_cert_path | Path to already created certificate.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.cacert | Path to CA bundle file (PEM/X509)
|
| services.cloudflared.certificateFile | Account certificate file, necessary to create, delete and manage tunnels
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.ghostunnel.servers.<name>.allowAll | If true, allow all clients, do not check client cert subject.
|
| services.dnsdist.dnscrypt.providerName | The name that will be given to this DNSCrypt resolver.
The provider name must start with "2.dnscrypt-cert.".
|
| services.unbound.checkconf | Whether to check the resulting config file with unbound checkconf for syntax errors
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.kubernetes.apiserver.extraSANs | Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.
|
| services.prometheus.exporters.unbound.unbound.certificate | Path to the Unbound control socket certificate
|
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cacert | The certificates may use a relative path from the swanctl
x509ca directory or an absolute path
|
| services.nextcloud-spreed-signaling.settings.https.certificate | Path to the certificate used for the HTTPS listener
|
| services.cloudflared.tunnels.<name>.certificateFile | Account certificate file, necessary to create, delete and manage tunnels
|
| services.neo4j.directories.certificates | Directory for storing certificates to be used by Neo4j for
TLS connections
|
| services.warpgate.settings.http.sni_certificates | Certificates for additional domains.
|
| networking.openconnect.interfaces.<name>.certificate | Certificate to authenticate with.
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.warpgate.settings.http.sni_certificates.*.key | Path to private key.
|
| services.privoxy.inspectHttps | Whether to configure Privoxy to inspect HTTPS requests, meaning all
encrypted traffic will be filtered as well
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert | Section for a CA certificate to accept for authentication
|
| services.parsedmarc.settings.elasticsearch.cert_path | The path to a TLS certificate bundle used to verify
the server's certificate.
|
| security.agnos.settings.accounts.*.certificates.*.fullchain_output_file | Output path for the full chain including the acquired certificate
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.slot | Optional slot number of the token that stores the certificate.
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file | Absolute path to the certificate to load
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.module | Optional PKCS#11 module name.
|
| services.kubernetes.apiserver.kubeletClientCaFile | Path to a cert file for connecting to kubelet.
|
| services.grafana.settings.database.server_cert_name | The common name field of the certificate used by the mysql or postgres server
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_cert | Send certificate payloads when using certificate authentication.
- ifasked (the default): the daemon sends certificate payloads only if certificate requests have been received.
- never: disables sending of certificate payloads altogether.
- always: causes certificate payloads to be sent unconditionally whenever certificate authentication is used.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.prometheus.remoteRead.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert_policy | List of certificate policy OIDs the peer's certificate
must have
|
| services.prometheus.remoteWrite.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowAll | If true, allow all clients, do not check client cert subject.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to
the peer
|
| services.prometheus.scrapeConfigs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base | Defines the base URI for the Hash and URL feature supported by
IKEv2
|
| services.matrix-synapse.settings.tls_certificate_path | PEM encoded X509 certificate for TLS
|
| services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|