| services.strongswan-swanctl.swanctl.connections.<name>.ppk_id | String identifying the Postquantum Preshared Key (PPK) to be used.
|
| security.pam.services.<name>.googleAuthenticator.forwardPass | The authentication provides a single field requiring
the user's password followed by the one-time password (OTP).
|
| systemd.network.networks.<name>.stochasticFairnessQueueingConfig | Each attribute in this set specifies an option in the
[StochasticFairnessQueueing] section of the unit
|
| services.coder.database.username | Username for accessing the database.
|
| services.angrr.settings.temporary-root-policies.<name>.filter.arguments | Extra command-line arguments passed to the external filter program.
|
| virtualisation.credentials.<name>.mechanism | The mechanism used to pass the credential to the VM.
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails | List of emails to allow access to this vhost, or null to allow all.
|
| services.sftpgo.settings.webdavd.bindings.*.address | Network listen address
|
| services.prometheus.exporters.unbound.unbound.key | Path to the Unbound control socket key.
|
| virtualisation.xen.store.settings.quota.maxPath | Path limit for the quota system.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.refresh_interval | The time after which the containers are refreshed
|
| services.tt-rss.virtualHost | Name of the nginx virtualhost to use and set up
|
| services.rspamd.locals | Local configuration files, written into /etc/rspamd/local.d/{name}.
|
| services.tt-rss.email.fromName | Name for sending outgoing mail
|
| boot.zfs.forceImportAll | Forcibly import all ZFS pool(s)
|
| services.dovecot2.group | Dovecot group name.
|
| services.bacula-dir.tls.verifyPeer | Verify peer certificate
|
| services.tor.relay.onionServices.<name>.settings.HiddenServiceMaxStreamsCloseCircuit | See torrc manual.
|
| services.limesurvey.nginx.virtualHost.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| services.cloudflared.tunnels.<name>.originRequest.connectTimeout | Timeout for establishing a new TCP connection to your origin server
|
| services.icingaweb2.modules.monitoring.transports.<name>.type | Type of this transport
|
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting
|
| security.pam.services.<name>.googleOsLoginAccountVerification | If set, will use the Google OS Login PAM modules
(pam_oslogin_login,
pam_oslogin_admin) to verify possible OS Login
users and set sudoers configuration accordingly
|
| users.users.<name>.initialHashedPassword | Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist
|
| services.syncthing.settings.folders.<name>.copyOwnershipFromParent | On Unix systems, tries to copy file/folder ownership from the parent directory (the directory it’s located in)
|
| services.paperless.environmentFile | Path to a file containing extra paperless config options in the systemd EnvironmentFile
format
|
| services.prometheus.exporters.varnish.varnishStatPath | Path to varnishstat.
|
| services.tailscale.useRoutingFeatures | Enables settings required for Tailscale's routing features like subnet routers and exit nodes
|
| services.sourcehut.settings."builds.sr.ht::worker".buildlogs | Path to write build logs.
|
| services.mailman.ldap.attrMap.username | LDAP-attribute that corresponds to the username-attribute in mailman.
|
| security.pam.services.<name>.googleOsLoginAuthentication | If set, will use the pam_oslogin_login's user
authentication methods to authenticate users using 2FA
|
| specialisation.<name>.configuration | Arbitrary NixOS configuration
|
| services.influxdb2.provision.organizations.<name>.auths | API tokens to provision for the user in this organization.
|
| services.icingaweb2.modules.monitoring.transports.<name>.host | Host for the api or remote transport
|
| services.prometheus.exporters.nextcloud.url | URL to the Nextcloud serverinfo page
|
| services.nextcloud.config.objectstore.s3.secretFile | The full path to a file that contains the access secret.
|
| services.prometheus.exporters.nginx.telemetryPath | Path under which to expose metrics.
|
| services.prometheus.exporters.unpoller.loki.pass | Path of a file containing the password for Loki
|
| services.xserver.desktopManager.pantheon.sessionPath | Additional list of packages to be added to the session search path
|
| services.sourcehut.settings."meta.sr.ht::billing".stripe-secret-key | An absolute file path (which should be outside the Nix-store)
to a secret key for Stripe
|
| services.cadvisor.storageDriverPasswordFile | File that contains the cadvisor storage driver password.
storageDriverPasswordFile takes precedence over storageDriverPassword.
Warning: when storageDriverPassword is non-empty this defaults to a file in the
world-readable Nix store that contains the value of storageDriverPassword.
|
| services.xserver.desktopManager.cinnamon.sessionPath | Additional list of packages to be added to the session search path
|
| services.jirafeau.nginxConfig.sslTrustedCertificate | Path to root SSL certificate for stapling and client certificates.
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request
(Basic authorization type, USER:[PASS]).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing HTTP_PASSWORD=<your-password-here> and set this
option to <user>:$HTTP_PASSWORD
|
| services.firezone.server.provision.accounts.<name>.features.idp_sync | Whether to enable the idp_sync feature for this account.
|
| services.firezone.server.provision.accounts.<name>.features.rest_api | Whether to enable the rest_api feature for this account.
|
| services.outline.smtp.host | Host name or IP address of the SMTP server.
|
| services.grav.virtualHost | Name of the nginx virtualhost to use and set up
|
| services.epmd.enable | Whether to enable socket activation for Erlang Port Mapper Daemon (epmd),
which acts as a name server on all hosts involved in distributed
Erlang computations.
|
| services.librenms.group | Name of the LibreNMS group.
|
| services.radicle.ci.adapters.native.instances.<name>.settings.base_url | Base URL for build logs (mandatory for access from CI broker page).
|
| services.icingaweb2.modules.monitoring.transports.<name>.port | Port to connect to for the api or remote transport
|
| services.elasticsearch.cluster_name | Elasticsearch name that identifies your cluster for auto-discovery.
|
| services.namecoind.rpc.password | Password for RPC connections.
|
| services.mainsail.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.pixelfed.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.mainsail.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.pixelfed.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.fediwall.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.dolibarr.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.agorakit.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.librenms.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.librenms.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.agorakit.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.kanboard.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.dolibarr.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.fediwall.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.kanboard.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.sourcehut.settings."sr.ht".service-key | An absolute file path (which should be outside the Nix-store)
to a key used for encrypting session cookies
|
| security.pam.ussh.authorizedPrincipalsFile | Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized
|
| services.icingaweb2.modules.monitoring.backends.<name>.disabled | Disable this backend
|
| services.gitlab.databaseUsername | GitLab database user.
|
| networking.bonds.<name>.xmit_hash_policy | DEPRECATED, use driverOptions
|
| hardware.nvidia-container-toolkit.enable-hooks | List of hooks to enable when generating the CDI specification
|
| services.strongswan-swanctl.swanctl.authorities.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively
|
| services.thanos.downsample.objstore.config | Object store configuration
|
| services.prometheus.exporters.postfix.logfilePath | Path where Postfix writes log entries
|
| services.gotosocial.environmentFile | File path containing environment variables for configuring the GoToSocial service
in the format of an EnvironmentFile as described by systemd.exec(5)
|
| networking.firewall.checkReversePath | Performs a reverse path filter test on a packet
|
| documentation.man.mandoc.settings.output.style | Path to the file used for an external style-sheet
|
| services.zabbixWeb.nginx.virtualHost.sslTrustedCertificate | Path to root SSL certificate for stapling and client certificates.
|
| services.prometheus.exporters.imap-mailstat.accounts.<name>.password | |
| networking.wireguard.interfaces.<name>.socketNamespace | The pre-existing network namespace in which the
WireGuard interface is created, and which retains the socket even if the
interface is moved via interfaceNamespace
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.actual.settings.hostname | The address to listen on
|
| services.unbound.enable | Whether to enable Unbound domain name server.
|
| services.dnsdist.enable | Whether to enable dnsdist domain name server.
|
| services.ircdHybrid.serverName | IRCD server name.
|
| boot.iscsi-initiator.target | Name of the iSCSI target to boot from.
|
| services.strongswan-swanctl.swanctl.connections.<name>.dscp | Differentiated Services Field Codepoint to set on outgoing IKE packets for
this connection
|
| services.logrotate.checkConfig | Whether the config should be checked at build time
|
| services.prometheus.exporters.mysqld.configFile | Path to the services config file
|
| services.nextcloud-spreed-signaling.settings.https.key | Path to the private key used for the HTTPS listener
|
| services.foundationdb.tls.certificate | Path to the TLS certificate file
|
| services.radicle.httpd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| services.radicle.httpd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| services.authelia.instances.<name>.settings.telemetry.metrics.enabled | Enable Metrics.
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.priority | Order of this location block in relation to the others in the vhost
|
| services.prometheus.pushgateway.web.route-prefix | Prefix for the internal routes of web endpoints
|