| services.oauth2-proxy.cookie.secure | Set secure (HTTPS) cookie flag.
|
| services.oauth2-proxy.skipAuthRegexes | Skip authentication for requests matching any of these regular
expressions.
|
| services.oauth2-proxy.email.domains | Authenticate emails with the specified domains
|
| services.saslauthd.package | The bin package to use.
|
| services.oauth2-proxy.passAccessToken | Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
|
| services.oauth2-proxy.clientSecretFile | The path to a file containing the OAuth Client Secret.
|
| services.oauth2-proxy.httpAddress | HTTPS listening address
|
| services.oauth2-proxy.upstream | The http url(s) of the upstream endpoint or file://
paths for static files
|
| services.iperf3.authorizedUsersFile | Path to the configuration file containing authorized users credentials to run iperf tests.
|
| services.nipap.nipap-www.xmlrpcURIFile | Path to file containing XMLRPC URI for use by web UI - this is a secret, since it contains auth credentials
|
| services.oauth2-proxy.azure.resource | The resource that is protected.
|
| services.oauth2-proxy.cookie.refresh | Refresh the cookie after this duration; 0 to disable.
|
| services.oauth2-proxy.cookie.secretFile | The path to a file containing the seed string for secure cookies.
|
| services.geth.<name>.authrpc.jwtsecret | Path to a JWT secret for authenticated RPC endpoint.
|
| services.oauth2-proxy.requestLogging | Log requests to stdout.
|
| services.oauth2-proxy.approvalPrompt | OAuth approval_prompt.
|
| services.oauth2-proxy.signatureKey | GAP-Signature request signature key.
|
| services.oauth2-proxy.htpasswd.file | Additionally authenticate against a htpasswd file
|
| services.oauth2-proxy.tls.httpsAddress | addr:port to listen on for HTTPS clients
|
| services.oauth2-proxy.cookie.domain | Optional cookie domains to force cookies to (ie: .yourcompany.com)
|
| services.oauth2-proxy.nginx.domain | The domain under which the oauth2-proxy will be accessible and the path of cookies are set to
|
| services.prometheus.exporters.collectd.collectdBinary.authFile | File mapping user names to pre-shared keys (passwords).
|
| services.authelia.instances | Multi-domain protection currently requires multiple instances of Authelia
|
| services.oauth2-proxy.validateURL | Access token validation endpoint
|
| services.authelia.instances.<name>.user | The name of the user for this authelia instance.
|
| services.opkssh.authorizations | User authorization mappings
|
| services.opkssh.authorizations.*.user | Linux user to authorize
|
| services.sftpgo.settings.smtp.auth_type |
0: Plain
1: Login
2: CRAM-MD5
|
| services.oauth2-proxy.reverseProxy | When running behind a reverse proxy, controls whether headers
like X-Real-Ip are accepted
|
| services.oauth2-proxy.email.addresses | Line-separated email addresses that are allowed to authenticate.
|
| services.authelia.instances.<name>.group | The name of the group for this authelia instance.
|
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file
|
| services.oauth2-proxy.nginx.virtualHosts | Nginx virtual hosts to put behind the oauth2 proxy
|
| services.prosody.modules.saslauth | Authentication for clients and servers
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth | Authentication to perform locally.
- The default pubkey uses public key authentication using a private key associated to a usable certificate. psk uses pre-shared key authentication.
- The IKEv1 specific xauth is used for XAuth or Hybrid authentication,
- while the IKEv2 specific eap keyword defines EAP authentication.
- For xauth, a specific backend name may be appended, separated by a dash
|
| services.grafana-to-ntfy.settings.bauthPass | The path to the password you will use in the Grafana webhook settings.
|
| services.firezone.server.provision.accounts.<name>.auth.<name>.adapter_config.clientSecretFile | A file containing the client secret for an openid_connect adapter
|
| services.oauth2-proxy.customTemplatesDir | Path to custom HTML templates.
|
| services.authelia.instances.<name>.enable | Whether to enable Authelia instance.
|
| services.cjdns.authorizedPasswords | Any remote cjdns nodes that offer these passwords on
connection will be allowed to route through this node.
|
| users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| services.authelia.instances.<name>.name | Name is used as a suffix for the service name, user, and group
|
| services.oauth2-proxy.google.adminEmail | The Google Admin to impersonate for API calls
|
| services.openssh.authorizedKeysCommandUser | Specifies the user under whose account the AuthorizedKeysCommand
is run
|
| services.prosody.authentication | Authentication mechanism used for logins.
|
| services.grafana-to-ntfy.settings.bauthUser | The user that you will authenticate with in the Grafana webhook settings
|
| services.mastodon.smtp.authenticate | Authenticate with the SMTP server using username and password.
|
| services.gitlab.smtp.authentication | Authentication type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html
|
| services.authelia.instances.<name>.package | The authelia package to use.
|
| services.opkssh.authorizations.*.issuer | Issuer URI
|
| services.openssh.authorizedKeysCommand | Specifies a program to be used to look up the user's public
keys
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| services.oauth2-proxy.htpasswd.displayForm | Display username / password login form if an htpasswd file is provided.
|
| users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| services.alerta.authenticationRequired | Whether users must authenticate when using the web UI or command-line tool
|
| services.wg-access-server.secretsFile | YAML file containing all secrets. This needs to be in the same structure as the configuration
|
| users.extraUsers.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| services.oauth2-proxy.tls.certificate | Path to certificate file.
|
| services.oauth2-proxy.google.serviceAccountJSON | The path to the service account JSON credentials.
|
| security.pam.sshAgentAuth.authorizedKeysFiles | A list of paths to files in OpenSSH's authorized_keys format, containing
the keys that will be trusted by the pam_ssh_agent_auth module
|
| services.kanidm.provision.systems.oauth2 | Provisioning of oauth2 resource servers
|
| users.users.<name>.openssh.authorizedPrincipals | A list of verbatim principal names that should be added to the user's
authorized principals.
|
| services.icingaweb2.authentications | authentication.ini contents
|
| services.tor.relay.onionServices.<name>.authorizeClient | See torrc manual.
|
| security.pam.rssh.settings.auth_key_file | Path to file with trusted public keys in OpenSSH's authorized_keys format
|
| services.prosody.modules.legacyauth | Legacy authentication
|
| security.pam.ussh.authorizedPrincipals | Comma-separated list of authorized principals to permit; if the user
presents a certificate with one of these principals, then they will be
authorized
|
| services.jupyterhub.authentication | Jupyterhub authentication to use.
There are many authenticators available, including: oauth, pam,
ldap, kerberos, etc.
|
| security.pam.ussh.authorizedPrincipalsFile | Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized
|
| services.jitsi-meet.secureDomain.authentication | The authentication type to be used by jitsi
|
| users.extraUsers.<name>.openssh.authorizedPrincipals | A list of verbatim principal names that should be added to the user's
authorized principals.
|
| services.authelia.instances.<name>.settings.theme | The theme to display.
|
| services.athens.basicAuthUser | Username for basic auth.
|
| services.sourcehut.settings."hg.sr.ht".oauth-client-id | hg.sr.ht's OAuth client id for meta.sr.ht.
|
| services.authelia.instances.<name>.settings | Your Authelia config.yml as a Nix attribute set
|
| services.sourcehut.settings."man.sr.ht".oauth-client-id | man.sr.ht's OAuth client id for meta.sr.ht.
|
| services.sourcehut.settings."git.sr.ht".oauth-client-id | git.sr.ht's OAuth client id for meta.sr.ht.
|
| services.sourcehut.settings."hub.sr.ht".oauth-client-id | hub.sr.ht's OAuth client id for meta.sr.ht.
|
| services.opkssh.authorizations.*.principal | Principal identifier (email, repo, etc.)
|
| services.authelia.instances.<name>.secrets | It is recommended you keep your secrets separate from the configuration
|
| services.sourcehut.settings."todo.sr.ht".oauth-client-id | todo.sr.ht's OAuth client id for meta.sr.ht.
|
| services.authelia.instances.<name>.settings.log.level | Level of verbosity for logs.
|
| services.authelia.instances.<name>.secrets.jwtSecretFile | Path to your JWT secret used during identity verification.
|
| services.sourcehut.settings."lists.sr.ht".oauth-client-id | lists.sr.ht's OAuth client id for meta.sr.ht.
|
| services.sourcehut.settings."pages.sr.ht".oauth-client-id | pages.sr.ht's OAuth client id for meta.sr.ht.
|
| services.sourcehut.settings."paste.sr.ht".oauth-client-id | paste.sr.ht's OAuth client id for meta.sr.ht.
|
| services.borgbackup.repos.<name>.authorizedKeys | Public SSH keys that are given full write access to this repository
|
| services.tor.relay.onionServices.<name>.authorizedClients | Authorized clients for a v3 onion service,
as a list of public keys, in the format:
descriptor:x25519:<base32-public-key>
See torrc manual.
|
| services.authelia.instances.<name>.settings.log.format | Format the logs are written as.
|
| services.authelia.instances.<name>.secrets.manual | Configuring authelia's secret files via the secrets attribute set
is intended to be convenient and help catch cases where values are required
to run at all
|
| services.sourcehut.settings."builds.sr.ht".oauth-client-id | builds.sr.ht's OAuth client id for meta.sr.ht.
|
| services.sourcehut.settings."hg.sr.ht".oauth-client-secret | hg.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.authelia.instances.<name>.settingsFiles | Here you can provide authelia with configuration files or directories
|
| services.athens.basicAuthPass | Password for basic auth
|
| services.sourcehut.settings."git.sr.ht".oauth-client-secret | git.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.sourcehut.settings."hub.sr.ht".oauth-client-secret | hub.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.sourcehut.settings."man.sr.ht".oauth-client-secret | man.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.guix.substituters.authorizedKeys | A list of signing keys for each substitute server to be authorized as
a source of substitutes
|
| services.kanidm.provision.systems.oauth2.<name>.public | Whether this is a public client (enforces PKCE, doesn't use a basic secret)
|