| services.gemstash.settings.base_path | Path to store the gem files and the sqlite database
|
| services.grafana.settings.security.admin_password | Default admin password
|
| networking.dhcpcd.persistent | Whether to leave interfaces configured on dhcpcd daemon shutdown
|
| services.zipline.environmentFiles | Files to load environment variables from (in addition to services.zipline.settings)
|
| services.beszel.agent.environment | Environment variables for configuring the beszel-agent service
|
| services.umami.settings.APP_SECRET_FILE | A file containing a secure random string
|
| services.scrutiny.settings.web.influxdb.bucket | InfluxDB bucket in which to store data.
|
| services.healthchecks.dataDir | The directory used to store all data for healthchecks.
If left as the default value this directory will automatically be created before
the healthchecks server starts, otherwise you are responsible for ensuring the
directory exists with appropriate ownership and permissions.
|
| services.dendrite.loadCredential | This can be used to pass secrets to the systemd service without adding them to
the nix store
|
| services.gitlab.secrets.activeRecordSaltFile | A file containing the salt for active record encryption in the DB
|
| services.docling-serve.environmentFile | Environment file to be passed to the systemd service
|
| services.sourcehut.settings."pages.sr.ht".gemini-certs | An absolute file path (which should be outside the Nix-store)
to Gemini certificates.
|
| systemd.network.netdevs.<name>.wireguardPeers | Each item in this array specifies an option in the
[WireGuardPeer] section of the unit
|
| nixpkgs.flake.setFlakeRegistry | Whether to pin nixpkgs in the system-wide flake registry (/etc/nix/registry.json) to the
store path of the sources of nixpkgs used to build the NixOS system
|
| services.trilium-server.environmentFile | File to load as the environment file
|
| nix.settings.sandbox | If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build
|
| services.strongswan-swanctl.includes | Extra configuration files to include in the swanctl configuration
|
| services.linkwarden.storageLocation | Directory used to store media files
|
| services.firezone.headless-client.tokenFile | A file containing the firezone client token
|
| services.linkwarden.secretFiles | Attribute set containing paths to files to add to the environment of linkwarden
|
| services.zwave-js.secretsConfigFile | JSON file containing secret keys
|
| services.slskd.environmentFile | Path to the environment file sourced on startup
|
| services.matrix-synapse.settings.media_store_path | Directory where uploaded images and attachments are stored.
|
| services.sharkey.environmentFiles | List of paths to files containing environment variables for Sharkey to use at runtime
|
| services.hostapd.radios.<name>.networks.<name>.macDeny | Specifies the MAC addresses to deny if macAcl is set to "deny" or "radius"
|
| services.warpgate.settings.recordings.path | Path to store session recordings.
|
| services.matterbridge.configFile | WARNING: THIS IS INSECURE, as your password will end up in
/nix/store, thus publicly readable
|
| networking.nftables.checkRuleset | Run nft check on the ruleset to spot syntax errors during build
|
| services.biboumi.credentialsFile | Path to a configuration file to be merged with the settings
|
| boot.initrd.network.ssh.hostKeys | Specify SSH host keys to import into the initrd
|
| services.munin-node.extraPlugins | Additional Munin plugins to activate
|
| systemd.network.netdevs.<name>.wireguardConfig | Each attribute in this set specifies an option in the
[WireGuard] section of the unit
|
| services.icingaweb2.resources | resources.ini contents
|
| systemd.services.<name>.confinement.enable | If set, all the required runtime store paths for this service are
bind-mounted into a tmpfs-based
chroot(2).
|
| services.discourse.mail.incoming.apiKeyFile | A file containing the Discourse API key used to add
posts and messages from mail
|
| services.pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| networking.supplicant.<name>.extraConf | Configuration options for wpa_supplicant.conf
|
| services.nextjs-ollama-llm-ui.enable | Whether to enable Simple Ollama web UI service; an easy-to-use web frontend for an Ollama backend service
|
| services.sssd.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.sourcehut.settings."sr.ht".network-key | An absolute file path (which should be outside the Nix-store)
to a secret key to encrypt internal messages with
|
| services.mjolnir.pantalaimon.options.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| services.hostapd.radios.<name>.networks.<name>.macAllow | Specifies the MAC addresses to allow if macAcl is set to "allow" or "radius"
|
| services.kanidm.provision.idmAdminPasswordFile | Path to a file containing the idm admin password for kanidm
|
| services.keycloak.settings | Configuration options corresponding to parameters set in
conf/keycloak.conf
|
| networking.wireless.networks.<name>.psk | The network's pre-shared key in plaintext defaulting
to being a network without any authentication.
Be aware that this will be written to the Nix store
in plaintext! Use pskRaw with an external
reference to keep it safe.
Mutually exclusive with pskRaw.
|
| services.duplicati.parameters | This option can be used to store some or all of the options given to the
commandline client
|
| services.openssh.knownHosts.<name>.publicKeyFile | The path to the public key file for the host
|
| services.druid.historical.segmentLocations | Locations where the historical will store its data.
|
| services.sourcehut.settings.objects.s3-secret-key | An absolute file path (which should be outside the Nix-store)
to the secret key of the S3-compatible object storage service.
|
| services.snips-sh.environmentFile | Additional environment file as defined in systemd.exec(5)
|
| services.rustus.info_storage | Info storages are used to store information about file uploads
|
| security.pki.caCertificateBlacklist | A list of blacklisted CA certificate names that won't be imported from
the Mozilla Trust Store into
/etc/ssl/certs/ca-certificates.crt
|
| services.limesurvey.encryptionKeyFile | 32-byte key used to encrypt variables in the database
|
| services.hercules-ci-agent.settings.secretsJsonPath | Path to a JSON file containing secrets for effects
|
| services.cockroachdb.maxSqlMemory | The maximum in-memory storage capacity available to store temporary
data for SQL queries
|
| services.thanos.query-frontend.tracing.config | Tracing configuration
|
| services.grafana.provision.alerting.rules.path | Path to YAML rules configuration
|
| services.wstunnel.clients.<name>.httpProxy | Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing PROXY_PASSWORD=<your-password-here> and set
this option to <user>:$PROXY_PASSWORD@<host>:<port>
|
| services.munin-node.extraAutoPlugins | Additional Munin plugins to autoconfigure, using
munin-node-configure --suggest
|
| services.telegraf.environmentFiles | File to load as environment file
|
| services.mediawiki.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.limesurvey.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.anubis.defaultOptions.policy.settings | Additional policy settings merged into the policy file
|
| services.caddy.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.glitchtip.environmentFiles | Files to load environment variables from in addition to services.glitchtip.settings
|
| services.ocis.environment | Extra config options
|
| services.authelia.instances.<name>.secrets | It is recommended you keep your secrets separate from the configuration
|
| services.cadvisor.storageDriverPassword | Cadvisor storage driver password
|
| services.mailpit.instances.<name>.database | Specify the local database filename to store persistent data
|
| services.druid.historical.segmentLocations.*.path | the path to store the segments
|
| services.stash.settings.blobs_storage | Where to store blobs
|
| services.yggdrasil.settings.PrivateKeyPath | Path to the private key file on the host system
|
| services.thanos.query.query.auto-downsampling | Enable automatic adjustment (step / 5) to what source of data should
be used in store gateways if no
max_source_resolution param is specified.
|
| services.duplicati.parametersFile | This file can be used to store some or all of the options given to the
commandline client
|
| services.workout-tracker.environmentFile | An environment file as defined in systemd.exec(5)
|
| services.libeufin.nexus.settings.nexus-ebics.BANK_PUBLIC_KEYS_FILE | Filesystem location where Nexus should store the bank public keys.
|
| services.anubis.instances.<name>.policy.settings | Additional policy settings merged into the policy file
|
| services.limesurvey.encryptionNonceFile | 24-byte nonce used to encrypt variables in the database
|
| services.hercules-ci-agent.settings.binaryCachesPath | Path to a JSON file containing binary cache secret keys
|
| virtualisation.nixStore9pCache | Type of 9p cache to use when mounting host nix store. "none" provides
no caching. "loose" enables Linux's local VFS cache. "fscache" uses Linux's
fscache subsystem
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.password | The password for this entry
|
| services.traccar.environmentFile | File containing environment variables to substitute in the configuration before starting Traccar
|
| services.vault.extraSettingsPaths | Configuration files to load besides the immutable one defined by the NixOS module
|
| services.victoriatraces.stateDir | Directory below /var/lib to store VictoriaTraces data
|
| networking.wireless.networks.<name>.auth | Use this option to configure advanced authentication methods
like EAP
|
| services.wordpress.sites.<name>.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.influxdb2.provision.initialSetup.tokenFile | API Token to set for the admin user
|
| services.gitlab.secrets.activeRecordPrimaryKeyFile | A file containing the secret used to encrypt some rails data
in the DB
|
| services.mautrix-signal.environmentFile | File containing environment variables to be passed to the mautrix-signal service
|
| services.xtreemfs.dir.replication.extraConfig | Configuration of XtreemFS DIR replication plugin
|
| services.xtreemfs.mrc.replication.extraConfig | Configuration of XtreemFS MRC replication plugin
|
| services.reposilite.settings.keyPassword | Plaintext password used to unlock the Java KeyStore set in services.reposilite.settings.keyPath
|
| virtualisation.writableStoreUseTmpfs | Use a tmpfs for the writable store instead of writing to the VM's
own filesystem.
|
| services.grafana.provision.dashboards.path | Path to YAML dashboard configuration
|
| services.nullmailer.config.remotes | A list of remote servers to which to send each message
|
| services.thanos.downsample.tracing.config | Tracing configuration
|
| system.forbiddenDependenciesRegexes | POSIX Extended Regular Expressions that match store paths that
should not appear in the system closure, with the exception of system.extraDependencies, which is not checked.
|
| services.murmur.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.limesurvey.httpd.virtualHost.documentRoot | The path of Apache's document root directory
|
| services.sourcehut.settings.mail.pgp-privkey | An absolute file path (which should be outside the Nix-store)
to an OpenPGP private key
|