| services.gitlab.extraConfig | Extra options to be added under production in config/gitlab.yml, as a nix attribute set
|
| services.xserver.xkb.extraLayouts.<name>.typesFile | The path to the xkb types file
|
| services.waagent.settings.Provisioning.Enable | Whether to enable provisioning functionality in the agent
|
| services.mastodon.activeRecordEncryptionKeyDerivationSaltFile | This key must be set to enable the Active Record Encryption feature within Rails that Mastodon uses to encrypt and decrypt some database attributes
|
| services.fedimintd.<name>.bitcoin.rpc.secretFile | If set, the URL specified in bitcoin.rpc.url will get the content of this file added as a URL password, so http://user@example.com will turn into http://user:SOMESECRET@example.com
|
| services.chhoto-url.settings.hash_algorithm | The hash algorithm to use for passwords and API keys
|
| services.cloudflare-ddns.detectionTimeout | Timeout for detecting the public IP address.
|
| services.searx.environmentFile | Environment file (see systemd.exec(5) "EnvironmentFile=" section for the syntax) to define variables for Searx
|
| services.matrix-synapse.extraConfigFiles | Extra config files to include
|
| services.openssh.knownHosts.<name>.hostNames | A list of host names and/or IP numbers used for accessing the host's ssh service
|
| services.dependency-track.oidc.teams.claim | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| services.dawarich.configureNginx | Configure nginx as a reverse proxy for dawarich
|
| services.livekit.settings.rtc.use_external_ip | When set to true, attempts to discover the host's public IP via STUN
|
| services.maddy.tls.certificates | A list of attribute sets containing paths to TLS certificates and keys
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| services.kerberos_server.settings.realms | The realm(s) to serve keys for.
|
| services.slurm.enableSrunX11 | If enabled, srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job
|
| services.datadog-agent.checks | Configuration for all Datadog checks
|
| boot.specialFileSystems.<name>.depends | List of paths that should be mounted before this one
|
| boot.initrd.luks.reusePassphrases | When opening a new LUKS device, try reusing the last successful passphrase
|
| boot.initrd.luks.devices.<name>.fido2.credentials | List of FIDO2 credential IDs
|
| services.multipath.devices.*.all_tg_pt | Set the 'all targets ports' flag when registering keys with mpathpersist
|
| services.agorakit.config | Agorakit configuration options to set in the .env file
|
| services.bookstack.config | BookStack configuration options to set in the .env file
|
| services.karakeep.environmentFile | An optional path to an environment file that will be used in the web and workers services
|
| services.nebula.networks.<name>.lighthouse.dns.host | IP address on which nebula lighthouse should serve DNS. 'localhost' is a good default to ensure the service does not listen on public interfaces; use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only.
|
| services.prometheus.exporters.postfix.group | Group under which the postfix exporter shall be run
|
| services.munin-node.extraPlugins | Additional Munin plugins to activate
|
| services.mastodon.activeRecordEncryptionDeterministicKeyFile | This key must be set to enable the Active Record Encryption feature within Rails that Mastodon uses to encrypt and decrypt some database attributes
|
| services.kmonad.keyboards.<name>.defcfg.allowCommands | Whether to enable keys to run shell commands.
|
| services.gitlab.workhorse.config | Configuration options to add to Workhorse's configuration file
|
| services.openssh.authorizedKeysInHomedir | Enables the use of the ~/.ssh/authorized_keys file
|
| services.openssh.authorizedKeysCommandUser | Specifies the user under whose account the AuthorizedKeysCommand is run
|
| services.openssh.authorizedKeysFiles | Specify the rules for which files to read on the host
|
| services.libretranslate.enableApiKeys | Whether to enable the API keys database.
|
| services.prometheus.exporters.ecoflow.ecoflowEmailFile | Path to the file with your personal ecoflow app login email address
|
| services.livekit.ingress.settings.rtc_config.use_external_ip | When set to true, attempts to discover the host's public IP via STUN
|
| services.sssd.sshAuthorizedKeysIntegration | Whether to make sshd look up authorized keys from SSS
|
| services.prometheus.exporters.ecoflow.ecoflowAccessKeyFile | Path to the file with your personal api access string from the Ecoflow development website https://developer-eu.ecoflow.com
|
| services.prometheus.exporters.ecoflow.ecoflowSecretKeyFile | Path to the file with your personal api secret string from the Ecoflow development website https://developer-eu.ecoflow.com
|
| services.prometheus.exporters.pve.configFile | Path to the service's config file
|
| security.pam.sshAgentAuth.authorizedKeysFiles | A list of paths to files in OpenSSH's authorized_keys format, containing the keys that will be trusted by the pam_ssh_agent_auth module
|
| services.prometheus.alertmanager-ntfy.settings.ntfy.notification.topic | Note: when using ntfy.sh and other public instances, it is recommended to set this option to an empty string and set the actual topic via services.prometheus.alertmanager-ntfy.extraConfigFiles, since the topic in ntfy.sh is essentially a password
|
| boot.loader.systemd-boot.sortKey | The sort key used for the NixOS bootloader entries
|
| boot.zfs.requestEncryptionCredentials | If true, encryption keys or passwords for all encrypted datasets are requested on import
|
| services.tailscale.serve.services.<name>.endpoints | Map of incoming traffic patterns to local targets
|
| services.guix.substituters.authorizedKeys | A list of signing keys for each substitute server to be authorized as a source of substitutes
|
| services.prometheus.exporters.ecoflow.ecoflowPasswordFile | Path to the file with your personal ecoflow app login email password
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.taskserver.organisations | An attribute set where the keys name the organisation and the values are a set of lists of users and groups.
|
| security.agnos.settings.accounts.*.private_key_path | Path of the PEM-encoded private key for this account
|
| networking.wg-quick.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects | Allow localhost redirects
|
| services.discourse.siteSettings | Discourse site settings
|
| services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce | Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it
|
| services.nextcloud.config.objectstore.s3.sseCKeyFile | If provided, this is the full path to a file that contains the key to enable server-side encryption with customer-provided keys (SSE-C)
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.availability | The availability of the endpoint to connect to
|
| services.prometheus.exporters.ecoflow.ecoflowDevicesFile | File must contain one line, example: R3300000,R3400000,NC430000,...
|
| services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth | Authentication to perform locally. The default pubkey uses public key authentication using a private key associated to a usable certificate. psk uses pre-shared key authentication. The IKEv1 specific xauth is used for XAuth or Hybrid authentication, while the IKEv2 specific eap keyword defines EAP authentication. For xauth, a specific backend name may be appended, separated by a dash
|
| services.prometheus.exporters.collectd.collectdBinary.authFile | File mapping user names to pre-shared keys (passwords).
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.prometheus.exporters.pve.environmentFile | Path to the service's environment file
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKey | Base64 preshared key generated by wg genpsk
|
| virtualisation.fileSystems.<name>.depends | List of paths that should be mounted before this one
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.port | The port to scrape metrics from
|
| services.prometheus.scrapeConfigs.*.gce_sd_configs.*.port | The port to scrape metrics from
|
| services.arsenik.long_hold_timeout | Slightly higher value for typing keys, to prevent unexpected hold effect.
|
| services.prometheus.exporters.ecoflow.ecoflowDevicesPrettyNamesFile | File must contain one line, example: {"R3300000":"Delta 2","R3400000":"Delta Pro",...} The key/value map of custom names for your devices
|
| users.users.<name>.password | Specifies the (clear text) password for the user
|
| services.stash.settings.dangerous_allow_public_without_auth | Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/
|
| services.postfix.settings.main.smtpd_tls_chain_files | List of paths to the server private keys and certificates. The order of items matters and a private key must always be followed by the corresponding certificate. https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
|
| services.postgresql.systemCallFilter | Configures the syscall filter for postgresql.service
|
| users.extraUsers.<name>.password | Specifies the (clear text) password for the user
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.pk | If this attribute is given, SAE-PK will be enabled for this connection
|
| services.prometheus.exporters.idrac.configurationPath | Path to the service's config file
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.port | The port to scrape metrics from
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.role_arn | AWS Role ARN, an alternative to using AWS API keys.
|
| services.akkoma.config.":web_push_encryption" | Web Push Notifications configuration
|
| services.wgautomesh.settings.upnp_forward_external_port | Public port number to try to redirect to this machine's Wireguard daemon using UPnP IGD.
|
| services.hostapd.radios.<name>.networks.<name>.authentication.pairwiseCiphers | Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets)
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.port | The port to scrape metrics from
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.port | The port to scrape metrics from
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth | Authentication to expect from remote
|
| services.stash.settings.security_tripwire_accessed_from_public_internet | Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.role_arn | AWS Role ARN, an alternative to using AWS API keys.
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.secret_key | The AWS API keys
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.access_key | The AWS API keys
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|