| virtualisation.fileSystems.<name>.overlay.lowerdir | The list of path(s) to the lowerdir(s)
|
| security.agnos.settings.accounts.*.certificates.*.fullchain_output_file | Output path for the full chain including the acquired certificate
|
| services.keycloak.settings.hostname-backchannel-dynamic | Enables dynamic resolving of backchannel URLs,
including hostname, scheme, port and context path
|
| services.prometheus.globalConfig.query_log_file | Path to the file prometheus should write its query log to.
|
| virtualisation.xen.store.settings.xenstored.accessLog.file | Path to the Xen Store access log file.
|
| services.tlsrpt.reportd.settings.sendmail_script | Path to a sendmail-compatible executable for delivery reports.
|
| services.misskey.reverseProxy.webserver.nginx.sslTrustedCertificate | Path to root SSL certificate for stapling and client certificates.
|
| environment.profileRelativeSessionVariables | Attribute set of environment variable used in the global
environment
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.pantalaimon-headless.instances.<name>.homeserver | The URI of the homeserver that the pantalaimon proxy should
forward requests to, without the matrix API path but including
the http(s) schema.
|
| services.prometheus.exporters.snmp.configurationPath | Path to a snmp exporter configuration file
|
| services.prometheus.alertmanager.webExternalUrl | The URL under which Alertmanager is externally reachable (for example, if Alertmanager is served via a reverse proxy)
|
| services.prometheus.exporters.unbound.unbound.certificate | Path to the Unbound control socket certificate
|
| services.gitlab.secrets.activeRecordDeterministicKeyFile | A file containing the secret used to encrypt some rails data in a deterministic way
in the DB
|
| services.prometheus.exporters.unpoller.controllers.*.pass | Path of a file containing the password for the unifi service user
|
| services.nextcloud-spreed-signaling.settings.https.certificate | Path to the certificate used for the HTTPS listener
|
| services.nextcloud-spreed-signaling.settings.sessions.hashkeyFile | The path to the file containing the value for sessions.hashkey
|
| services.prometheus.exporters.wireguard.wireguardConfig | Path to the Wireguard Config to
add the peer's name to the stats of a peer
|
| networking.networkmanager.dispatcherScripts.*.source | Path to the hook script.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.file | Absolute path to the certificate to load
|
| services.nextcloud-spreed-signaling.settings.sessions.blockkeyFile | The path to the file containing the value for sessions.blockkey
|
| services.warpgate.settings.http.sni_certificates.*.key | Path to private key.
|
| services.strongswan-swanctl.swanctl.connections.<name>.encap | To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
NAT detection payloads
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.file | Absolute path to the certificate to load
|
| services.firewalld.settings.IPv6_rpfilter | Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704
|
| services.peertube-runner.instancesToRegister.<name>.registrationTokenFile | Path to a file containing a registration token for the PeerTube instance
|
| services.xserver.displayManager.lightdm.greeters.gtk.indicators | List of allowed indicator modules to use for the lightdm gtk
greeter panel
|
| services.rustus.storage.s3_secret_key_file | File path that contains the S3 secret key.
|
| services.rustus.storage.s3_access_key_file | File path that contains the S3 access key.
|
| services.wyoming.faster-whisper.servers.<name>.model | Name of the voice model to use
|
| virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file | Absolute path to the certificate to load
|
| services.bacula-sd.autochanger.<name>.changerCommand | The name-string specifies an external program to be called that will
automatically change volumes as required by Bacula
|
| virtualisation.oci-containers.containers.<name>.login.passwordFile | Path to file containing password.
|
| virtualisation.oci-containers.containers.<name>.imageFile | Path to an image file to load before running the image
|
| services.journaldriver.applicationCredentials | Path to the service account private key (in JSON-format) used
to forward log entries to Stackdriver Logging on non-GCP
instances
|
| services.amazon-cloudwatch-agent.configurationFile | Amazon CloudWatch Agent configuration file
|
| security.pam.rssh.settings.auth_key_file | Path to file with trusted public keys in OpenSSH's authorized_keys format
|
| services.prometheus.exporters.snmp.environmentFile | EnvironmentFile as defined in systemd.exec(5)
|
| services.amazon-cloudwatch-agent.commonConfigurationFile | Amazon CloudWatch Agent common configuration
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_df | Whether to copy the DF bit to the outer IPv4 header in tunnel mode
|
| services.prometheus.exporters.dovecot.socketPath | Path under which the stats socket is placed
|
| services.github-runners.<name>.tokenFile | The full path to a file which contains either
- a fine-grained personal access token (PAT),
- a classic PAT
- or a runner registration token
Changing this option or the tokenFile’s content triggers a new runner registration
|
| services.prometheus.exporters.fritz.settings.devices.*.password_file | Path to a file which contains the password to authenticate with the target device
|
| services.borgmatic.settings.source_directories | List of source directories and files to backup
|
| services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".socket_dir | Path to the postgres socket directory
|
| services.warpgate.settings.http.sni_certificates.*.certificate | Path to certificate.
|
| services.nextcloud-spreed-signaling.settings.clients.internalsecretFile | The path to the file containing the value for clients.internalsecret
|
| virtualisation.oci-containers.containers.<name>.imageStream | Path to a script that streams the desired image on standard output
|
| services.lldap.settings.ldap_user_pass_file | Path to a file containing the default admin password
|
| services.matrix-synapse.workers.<name>.worker_log_config | The file for log configuration
|
| users.users.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's
password
|
| users.extraUsers.<name>.hashedPasswordFile | The full path to a file that contains the hash of the user's
password
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.tfc_padding | Pads ESP packets with additional data to have a consistent ESP packet
size for improved Traffic Flow Confidentiality
|
| services.borgmatic.configurations.<name>.source_directories | List of source directories and files to backup
|
| services.chhoto-url.settings.custom_landing_directory | The path of a directory which contains a custom landing page.
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.kubeconfig_file | Optional path to a kubeconfig file
|
| services.cyrus-imap.imapdSettings.configdirectory | The pathname of the IMAP configuration directory.
|
| users.mysql.nss | Settings for libnss-mysql
|
| security.apparmor.includes | List of paths to be added to AppArmor's searched paths
when resolving include directives.
|
| documentation.man.mandoc.cachePath | Change the paths where mandoc makewhatis(8)generates the
manual page index caches. documentation.man.generateCaches
should be enabled to allow cache generation
|
| services.plex.extraPlugins | A list of paths to extra plugin bundles to install in Plex's plugin
directory
|
| services.plex.extraScanners | A list of paths to extra scanners to install in Plex's scanners
directory
|
| system.checks | Packages that are added as dependencies of the system's build, usually
for the purpose of validating some part of the configuration
|
| security.apparmor.enableCache | Whether to enable caching of AppArmor policies
in /var/cache/apparmor/
|
| services.librespeed.secrets | Attribute set of filesystem paths
|
| services.strongswan.secrets | A list of paths to IPSec secret files
|
| services.prosody.ssl | Paths to SSL files
|
| services.foundationdb.extraReadWritePaths | An extra set of filesystem paths that FoundationDB can read to
and write from
|
| services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| services.borgbackup.jobs.<name>.dumpCommand | Backup the stdout of this program instead of filesystem paths
|
| image.repart.partitions.<name>.stripNixStorePrefix | Whether to strip /nix/store/ from the store paths
|
| boot.extraSystemdUnitPaths | Additional paths that get appended to the SYSTEMD_UNIT_PATH environment variable
that can contain mutable unit files.
|
| services.ncps.cache.dataPath | The local directory for storing configuration and cached store paths
|
| services.locate.prunePaths | Which paths to exclude from indexing
|
| boot.initrd.systemd.storePaths | Store paths to copy into the initrd as well.
|
| services.gitDaemon.repositories | A whitelist of paths of git repositories, or directories containing repositories
all of which would be published
|
| services.privoxy.settings.filterfile | List of paths to Privoxy filter files
|
| programs.nncp.secrets | A list of paths to NNCP configuration files that should not be
in the Nix store
|
| services.ncps.cache.hostName | The hostname of the cache server. This is used to generate the
private key used for signing store paths (.narinfo)
|
| services.nghttpx.tls | TLS certificate and key paths
|
| services.zenohd.plugins | Plugin packages to add to zenohd search paths.
|
| services.hydra.useSubstitutes | Whether to use binary caches for downloading store paths
|
| services.gancio.plugins | Paths of gancio plugins to activate (linked under $WorkingDirectory/plugins/).
|
| services.privoxy.settings.actionsfile | List of paths to Privoxy action files
|
| services.cachix-watch-store.jobs | Number of threads used for pushing store paths
|
| services.ersatztv.baseUrl | Base URL to support reverse proxies that use paths (e.g. /ersatztv)
|
| networking.search | The list of domain search paths that are considered for resolving
hostnames with fewer dots than configured in the ndots option,
which defaults to 1 if unset.
|
| services.below.cgroupFilterOut | A regexp matching the full paths of cgroups whose data shouldn't be collected
|
| services.nar-serve.domain | When set, enables the feature of serving .
on top of /nix/store/-
|
| services.zenohd.backends | Storage backend packages to add to zenohd search paths.
|
| services.harmonia.signKeyPaths | Paths to the signing keys to use for signing the cache
|
| services.collectd.include | Additional paths to load config from.
|
| programs.tsmClient.package | The tsm-client package to use
|
| services.locate.pruneNames | Directory components which should exclude paths containing them from indexing
|
| services.logstash.plugins | The paths to find other logstash plugins in.
|
| systemd.shutdownRamfs.storePaths | Store paths to copy into the shutdown ramfs as well.
|
| systemd.services.<name>.confinement.fullUnit | Whether to include the full closure of the systemd unit file into the
chroot, instead of just the dependencies for the executables.
While it may be tempting to just enable this option to
make things work quickly, please be aware that this might add paths
to the closure of the chroot that you didn't anticipate
|
| services.freefall.devices | Device paths to all internal spinning hard drives.
|
| services.akkoma.extraStatic | Attribute set of extra paths to add to the static files directory
|