| services.gitlab.secrets.activeRecordSaltFile | A file containing the salt for active record encryption in the DB
|
| services.dbus.packages | Packages whose D-Bus configuration files should be included in
the configuration of the D-Bus system-wide or session-wide
message bus
|
| environment.wordlist.lists | A set with the key names being the environment variable you'd like to
set and the values being a list of paths to text documents containing
lists of words
|
| services.sharkey.environmentFiles | List of paths to files containing environment variables for Sharkey to use at runtime
|
| services.pocket-id.credentials | Environment variables which are loaded from the contents of the specified file paths
|
| services.linkwarden.secretFiles | Attribute set containing paths to files to add to the environment of linkwarden
|
| services.hylafax.commonModemConfig | Attribute set of default values for
modem config files etc/config.*
|
| networking.nftables.checkRuleset | Run nft check on the ruleset to spot syntax errors during build
|
| services.centrifugo.credentials | Environment variables with absolute paths to credentials files to load
on service startup.
|
| systemd.services.<name>.confinement.enable | If set, all the required runtime store paths for this service are
bind-mounted into a tmpfs-based
chroot(2).
|
| services.prometheus.exporters.kea.targets | Paths or URLs to the Kea control socket.
|
| services.plex.accelerationDevices | A list of device paths to hardware acceleration devices that Plex should
have access to
|
| services.tarsnap.archives.<name>.directories | List of filesystem paths to archive.
|
| services.dawarich.configureNginx | Configure nginx as a reverse proxy for dawarich
|
| programs.singularity.systemBinPaths | (Extra) system-wide /**/bin paths
for Apptainer/Singularity to find command-line utilities in.
"/run/wrappers/bin" is included by default to make
utilities with SUID bit set available to Apptainer/Singularity
|
| documentation.nixos.extraModuleSources | Which extra NixOS module paths the generated NixOS documentation should strip
from options.
|
| services.borgmatic.configurations.<name>.repositories | A required list of local or remote repositories with paths and
optional labels (which can be used with the --repository flag to
select a repository)
|
| services.discourse.mail.incoming.apiKeyFile | A file containing the Discourse API key used to add
posts and messages from mail
|
| services.discourse.secretKeyBaseFile | The path to a file containing the
secret_key_base secret
|
| services.discourse.database.passwordFile | File containing the Discourse database user password
|
| networking.nftables.checkRulesetRedirects | Set of paths that should be intercepted and rewritten while checking the ruleset
using pkgs.buildPackages.libredirect.
|
| services.librechat.credentials | Environment variables which are loaded from the contents of files at the given paths, mainly used for secrets
|
| services.slskd.settings.shares.directories | Paths to shared directories
|
| services.grafana.settings.server.cdn_url | Specify a full HTTP URL address to the root of your Grafana CDN assets
|
| services.munin-node.extraAutoPlugins | Additional Munin plugins to autoconfigure, using
munin-node-configure --suggest
|
| services.discourse.mail.outgoing.passwordFile | A file containing the password of the SMTP server account
|
| system.forbiddenDependenciesRegexes | POSIX Extended Regular Expressions that match store paths that
should not appear in the system closure, with the exception of system.extraDependencies, which is not checked.
|
| services.borgbackup.jobs.<name>.patterns | Include/exclude paths matching the given patterns
|
| security.allowUserNamespaces | Whether to allow creation of user namespaces
|
| boot.loader.generic-extlinux-compatible.mirroredBoots | Mirror the boot configuration to multiple paths.
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| services.gitlab.secrets.activeRecordPrimaryKeyFile | A file containing the secret used to encrypt some rails data
in the DB
|
| services.immich.accelerationDevices | A list of device paths to hardware acceleration devices that immich should
have access to
|
| services.multipath.devices.*.ghost_delay | Sets the number of seconds that multipath will wait after creating a device with only ghost paths before marking it ready for use in systemd
|
| services.prometheus.exporters.node-cert.excludePaths | List of paths to exclude from searching for SSL certificates.
|
| services.frp.instances.<name>.environmentFiles | List of paths to files that follow the systemd EnvironmentFile structure
|
| services.multipath.devices.*.path_checker | The default method used to determine the paths' state
|
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| services.beesd.filesystems.<name>.spec | Description of how to identify the filesystem to be deduplicated by this
instance of bees
|
| programs.nix-required-mounts.presets.nvidia-gpu.enable | Whether to declare support for derivations that require an Nvidia GPU to be
available, e.g. derivations with requiredSystemFeatures = [ "cuda" ]
|
| documentation.man.mandoc.manPath | Change the paths included in the MANPATH environment variable,
i.e. the directories where man(1)
looks for section-specific directories of man pages
|
| services.mastodon.configureNginx | Configure nginx as a reverse proxy for mastodon
|
| services.prometheus.exporters.smartctl.devices | Paths to the disks that will be monitored
|
| services.multipath.devices.*.no_path_retry | Specify what to do when all paths are down
|
| services.athens.downloadMode | Defines how Athens behaves when a module@version
is not found in storage
|
| security.pam.sshAgentAuth.authorizedKeysFiles | A list of paths to files in OpenSSH's authorized_keys format, containing
the keys that will be trusted by the pam_ssh_agent_auth module
|
| services.prometheus.exporters.snmp.enableConfigCheck | Whether to run a correctness check for the configuration file
|
| services.tee-supplicant.trustedApplications | A list of full paths to trusted applications that will be loaded at
runtime by tee-supplicant.
|
| services.akkoma.config.":pleroma".":instance".static_dir | Directory of static files
|
| programs.nix-required-mounts.allowedPatterns.<name>.unsafeFollowSymlinks | Whether to instruct the hook to mount the symlink targets as well, when any of
the paths contain symlinks
|
| documentation.man.mandoc.settings.manpath | Override the default search path for man(1),
apropos(1), and makewhatis(8)
|
| services.prometheus.exporters.blackbox.enableConfigCheck | Whether to run a correctness check for the configuration file
|
| security.apparmor.killUnconfinedConfinables | Whether to enable killing of processes which have an AppArmor profile enabled
(in security.apparmor.policies)
but are not confined (because AppArmor can only confine new processes)
|
| services.wyoming.openwakeword.customModelsDirectories | Paths to directories with custom wake word models (*.tflite model files).
|
| systemd.services.<name>.confinement.mode | The value full-apivfs (the default) sets up
private /dev, /proc,
/sys, /tmp and /var/tmp file systems
in a separate user name space
|
| environment.profileRelativeSessionVariables | Attribute set of environment variables used in the global
environment
|
| security.virtualisation.flushL1DataCache | Whether the hypervisor should flush the L1 data cache before
entering guests
|
| services.gitlab.secrets.activeRecordDeterministicKeyFile | A file containing the secret used to encrypt some rails data in a deterministic way
in the DB
|
| services.maubot.settings.plugin_directories | Plugin directory paths
|
| virtualisation.oci-containers.containers.<name>.volumes | List of volumes to attach to this container
|
| services.postfix.settings.main.smtpd_tls_chain_files | List of paths to the server private keys and certificates.
The order of items matters and a private key must always be followed by the corresponding certificate.
https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
|
| services.multipath.devices.*.san_path_err_threshold | If set to a value greater than 0, multipathd will watch paths and check
how many times a path has failed due to errors
|