| services.evdevremapkeys.settings | config.yaml for evdevremapkeys
|
| security.agnos.generateKeys.enable | Enable automatic generation of account keys
|
| services.skydns.etcd.tlsPem | Skydns path of TLS client certificate - public key.
|
| programs.light.brightnessKeys.enable | Whether to enable brightness control with keyboard keys
|
| services.forgejo.secrets | This is a small wrapper over systemd's LoadCredential
|
| services.skydns.etcd.caCert | Skydns path of TLS certificate authority public key.
|
| services.gitea.settings.server.ROOT_URL | Full public URL of gitea server.
|
| services.stubby.settings | Content of the Stubby configuration file
|
| services.veilid.settings | Build veilid-server.conf with nix expression
|
| services.confd.prefix | The string to prefix to keys.
|
| services.dkimproxy-out.selector | The selector to use for DKIM key identification
|
| services.unclutter.keystroke | Wait for a keystroke before hiding the cursor
|
| services.marytts.settings | Settings for MaryTTS
|
| programs.nncp.group | The group under which NNCP files shall be owned
|
| services.nsd.zones.<name>.dnssecPolicy.coverage | The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
|
| services.lldap.settings.http_url | The public URL of the server, for password reset links.
|
| services.matrix-conduit.settings.global.trusted_servers | Servers trusted with signing server keys.
|
| services.gokapi.enable | Whether to enable Lightweight selfhosted Firefox Send alternative without public upload.
|
| services.minio.configDir | The config directory, for the access keys and other settings.
|
| services.ntfy-sh.settings.base-url | Public facing base URL of the service
This setting is required for any of the following features:
- attachments (to return a download URL)
- e-mail sending (for the topic URL in the email footer)
- iOS push notifications for self-hosted servers
(to calculate the Firebase poll_request topic)
- Matrix Push Gateway (to validate that the pushkey is correct)
|
| services.forgejo.settings.server.ROOT_URL | Full public URL of Forgejo server.
|
| security.pam.ussh.caFile | By default pam-ussh reads the trusted user CA keys
from /etc/ssh/trusted_user_ca
|
| services.btrbk.sshAccess.*.key | SSH public key allowed to login as user btrbk to run remote backups.
|
| services.tsidp.settings.enableFunnel | Use Tailscale Funnel to make tsidp available on the public internet so it works with SaaS products.
|
| services.yggdrasil.persistentKeys | Whether to enable automatic generation and persistence of keys
|
| xdg.terminal-exec.settings | Configuration options for the Default Terminal Execution Specification
|
| services.fediwall.settings.loadPublic | Load public posts
|
| services.pgpkeyserver-lite.hkpPort | Which port the sks-keyserver is listening on.
|
| services.komodo-periphery.passkeys | Passkeys required to access the periphery API
|
| services.btrbk.sshAccess | SSH keys that should be able to make or push snapshots on this system remotely with btrbk
|
| services.gitlab.pages.settings.gitlab-server | Public GitLab server URL.
|
| services.tcsd.stateDir | The location of the system persistent storage file
|
| security.pam.services.<name>.gnupg.enable | If enabled, pam_gnupg will attempt to automatically unlock the
user's GPG keys with the login password via
gpg-agent
|
| programs.less.commands | Defines new command keys.
|
| services.rathole.role | Select whether rathole needs to be run as a client or a server
|
| services.ncps.cache.secretKeyPath | The path to load the secretKey for signing narinfos
|
| services.tinc.networks.<name>.hostSettings.<name>.rsaPublicKey | Legacy RSA public key of the host in PEM format, including start and
end markers
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.sympa.domains | Email domains handled by this instance
|
| services.rosenpass.settings.peers.*.peer | WireGuard public key corresponding to the remote Rosenpass peer.
|
| services.sourcehut.settings.mail.pgp-pubkey | OpenPGP public key.
|
| services.pgpkeyserver-lite.enable | Whether to enable pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver.
|
| services.opencloud.url | Web interface root public URL, including scheme and port (if non-default).
|
| services.searx.runInUwsgi | Whether to run searx in uWSGI as a "vassal", instead of using its
built-in HTTP server
|
| security.pam.p11.enable | Enables P11 PAM (pam_p11) module
|
| programs.less.lineEditingKeys | Defines new line-editing keys.
|
| services.apache-kafka.settings | Kafka broker configuration
server.properties
|
| services.pgpkeyserver-lite.package | The pgpkeyserver-lite package to use.
|
| services.rosenpass.settings.peers | List of peers to exchange keys with.
|
| services.siproxd.ifOutbound | Public network interface
|
| programs.ssh.agentTimeout | How long to keep the private keys in memory
|
| services.grafana.settings.server.domain | The public facing domain name used to access grafana from a browser
|
| services.firewalld.settings.RFC3964_IPv4 | Whether to filter IPv6 traffic with 6to4 destination addresses that correspond to IPv4 addresses that should not be routed over the public internet.
|
| services.pgpkeyserver-lite.hkpAddress | Which IP address the sks-keyserver is listening on.
|
| services.kanidm.unix.sshIntegration | Whether to enable Kanidm SSH keys login.
|
| services.outline.cdnUrl | If using a Cloudfront/Cloudflare distribution or similar it can be set
using this option
|
| services.tor.relay.onionServices.<name>.authorizedClients | Authorized clients for a v3 onion service,
as a list of public keys, in the format:
descriptor:x25519:<base32-public-key>
See torrc manual.
|
| services.mastodon.configureNginx | Configure nginx as a reverse proxy for mastodon
|
| security.acme.certs.<name>.keyType | Key type to use for private keys
|
| services.mycelium.peers | List of peers to connect to, in the formats:
quic://[2001:0db8::1]:9651
quic://192.0.2.1:9651
tcp://[2001:0db8::1]:9651
tcp://192.0.2.1:9651
If addHostedPublicNodes is set to true, the hosted public nodes will also be added.
|
| services.dovecot2.sslServerCert | Path to the server's public key.
|
| services.keycloak.settings.hostname | The hostname part of the public URL used as base for
all frontend requests
|
| services.part-db.enableNginx | Whether to enable nginx or not
|
| services.fedimintd.<name>.p2p.url | Public address for p2p connections from peers (if TCP is used)
|
| services.broadcast-box.settings | Attribute set of environment variables.
https://github.com/Glimesh/broadcast-box#environment-variables
The status API exposes stream keys so DISABLE_STATUS is enabled
by default.
|
| services.pgpkeyserver-lite.hostname | Which hostname to set the vHost to that is proxying to sks.
|
| services.wastebin.settings.RUST_LOG | Influences logging
|
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| programs.ssh.startAgent | Whether to start the OpenSSH agent when you log in
|
| services.lk-jwt-service.livekitUrl | The public websocket URL for livekit
|
| services.homer.settings | Settings serialized into config.yml before build
|
| programs.ssh.knownHostsFiles | Files containing SSH host keys to set as global known hosts.
/etc/ssh/ssh_known_hosts (which is
generated by programs.ssh.knownHosts) is
always included.
|
| services.chhoto-url.settings.public_mode_expiry_delay | The maximum expiry delay in seconds to force in public mode.
|
| hardware.tuxedo-drivers.settings.fn-lock | Enables or disables the laptop keyboard's Function (Fn) lock at boot
|
| services.wgautomesh.settings.peers.*.pubkey | WireGuard public key of this peer.
|
| services.fedimintd.<name>.api.url | Public URL of the API address of the reverse proxy/tls terminator
|
| services.postgrest.settings.server-host | Where to bind the PostgREST web server.
The admin server will also bind here, but potentially exposes sensitive information
|
| services.matrix-synapse.settings.trusted_key_servers | The trusted servers to download signing keys from.
|
| services.matrix-synapse.settings.turn_uris | The public URIs of the TURN server to give to clients
|
| services.opendkim.keyPath | The path that opendkim should put its generated private keys into
|
| services.harmonia.signKeyPaths | Paths to the signing keys to use for signing the cache
|
| services.dendrite.tlsKey | The path to the TLS key.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.ncps.cache.lock.redisKeyPrefix | Prefix for all Redis lock keys (only used when Redis is
configured).
|
| services.ghostunnel.servers.<name>.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.knot.keyFiles | A list of files containing additional configuration
to be included using the include directive
|
| programs.ssh.pubkeyAcceptedKeyTypes | Specifies the key types that will be used for public key authentication.
|
| security.pam.sshAgentAuth.enable | Whether to enable authenticating using a signature performed by the ssh-agent
|
| services.murmur.registerName | Public server registration name, and also the name of the
Root channel
|
| services.molly-brown.certPath | Path to TLS certificate
|
| services.tahoe.nodes.<name>.sftpd.hostPublicKeyFile | Path to the SSH host public key.
|
| services.peertube.listenWeb | The public-facing port that PeerTube will be accessible at (likely 80 or 443 if running behind a reverse proxy)
|
| services.dendrite.tlsCert | The path to the TLS certificate.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.evdevremapkeys.enable | Whether to enable evdevremapkeys, a daemon to remap events on Linux input devices.
|
| services.nsd.zones.<name>.dnssecPolicy.zsk | Key policy for zone signing keys
|
| services.nsd.zones.<name>.dnssecPolicy.ksk | Key policy for key signing keys
|
| services.openssh.hostKeys | NixOS can automatically generate SSH host keys
|
| programs.seahorse.enable | Whether to enable Seahorse, a GNOME application for managing encryption keys and passwords in the GNOME Keyring.
|
| services.filebeat.settings | Configuration for filebeat
|
| services.fedimintd.<name>.nginx.fqdn | Public domain of the API address of the reverse proxy/tls terminator.
|
| services.omnom.settings.activitypub.pubkey | ActivityPub public key
|