| security.pam.rssh.settings.auth_key_file | Path to file with trusted public keys in OpenSSH's authorized_keys format
|
| services.oink.secretApiKeyFile | Path to a file containing the secret API key to use when modifying DNS records.
|
| boot.initrd.luks.devices.<name>.yubikey.storage.device | An unencrypted device that will temporarily be mounted in stage-1
|
| services.matrix-synapse.settings.trusted_key_servers.*.server_name | Hostname of the trusted server.
|
| services.postfix.config | The main.cf configuration file as key value set.
|
| services.netbox.secretKeyFile | Path to a file containing the secret key.
|
| services.logind.suspendKey | Specifies what to do when the suspend key is pressed.
|
| services.munge.password | The path to a daemon's secret key.
|
| virtualisation.fileSystems.<name>.encrypted.keyFile | Path to a keyfile used to unlock the backing encrypted
device
|
| services.wastebin.settings.RUST_LOG | Influences logging
|
| services.misskey.database.passwordFile | The path to a file containing the database password
|
| services.gitea.captcha.siteKey | CAPTCHA site key to use for Gitea.
|
| services.sharkey.setupPostgresql | Whether to automatically set up a local PostgreSQL database and configure Sharkey to use it.
|
| services.flannel.etcd.prefix | Etcd key prefix
|
| services.misskey.reverseProxy.webserver.nginx.listen.*.extraParameters | Extra parameters of this listen directive.
|
| services.matrix-continuwuity.settings.global.trusted_servers | Servers listed here will be used to gather public keys of other servers
(notary trusted key servers)
|
| services.arsenik.enable | Whether to enable A 33-key layout that works with all keyboards..
|
| programs.yubikey-touch-detector.unixSocket | If set to true, yubikey-touch-detector will send notifications to a unix socket
|
| services.druid.commonConfig | (key=value) Configuration to be written to common.runtime.properties
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| services.evremap.settings.remap.*.output | The key sequence that should be output when the input sequence is entered
|
| boot.initrd.luks.devices.<name>.yubikey.iterationStep | How much the iteration count for PBKDF2 is increased at each successful authentication.
|
| services.strongswan-swanctl.swanctl.secrets.rsa | Private key decryption passphrase for a key in the rsa
folder.
|
| services.mpd.settings | Configuration for MPD
|
| services.gitea.minioAccessKeyId | Path to a file containing the Minio access key id.
|
| services.rosenpass.settings.peers.*.peer | WireGuard public key corresponding to the remote Rosenpass peer.
|
| services.discourse.mail.incoming.apiKeyFile | A file containing the Discourse API key used to add
posts and messages from mail
|
| services.snipe-it.appKeyFile | A file containing the Laravel APP_KEY - a 32 character long,
base64 encoded key used for encryption where needed
|
| services.keycloak.settings.hostname-backchannel-dynamic | Enables dynamic resolving of backchannel URLs,
including hostname, scheme, port and context path
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.priority | Order of this location block in relation to the others in the vhost
|
| services.traccar.settings | config.xml configuration as a Nix attribute set
|
| programs.pay-respects.aiIntegration | Whether to enable pay-respects' LLM integration
|
| services.misskey.database.createLocally | Create the PostgreSQL database locally
|
| services.logind.powerKeyLongPress | Specifies what to do when the power key is long-pressed.
|
| programs.tsmClient.servers | Server definitions ("stanzas")
for the client system-options file
|
| services.matrix-synapse.settings.tls_private_key_path | PEM encoded private key for TLS
|
| services.komodo-periphery.passkeys | Passkeys required to access the periphery API
|
| services.dovecot2.sslCACert | Path to the server's CA certificate key.
|
| services.nextcloud-spreed-signaling.settings.sessions.hashkeyFile | The path to the file containing the value for sessions.hashkey
|
| services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| services.strongswan-swanctl.swanctl.secrets.ecdsa | Private key decryption passphrase for a key in the
ecdsa folder.
|
| services.strongswan-swanctl.swanctl.secrets.pkcs8 | Private key decryption passphrase for a key in the
pkcs8 folder.
|
| services.druid.broker.config | (key=value) Configuration to be written to runtime.properties of the druid Druid Broker
https://druid.apache.org/docs/latest/configuration/index.html
|
| services.druid.router.config | (key=value) Configuration to be written to runtime.properties of the druid Druid Router
https://druid.apache.org/docs/latest/configuration/index.html
|
| services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| services.movim.h2o.tls.identity | Key / certificate pairs for the virtual host.
|
| services.cjdns.enable | Whether to enable the cjdns network encryption
and routing engine
|
| networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile | File pointing to preshared key as generated by wg genpsk
|
| services.misskey.reverseProxy.webserver.nginx.sslTrustedCertificate | Path to root SSL certificate for stapling and client certificates.
|
| services.btrbk.sshAccess.*.roles | What actions can be performed with this SSH key
|
| services.dsnet.settings | The settings to use for dsnet
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.fastcgiParams | FastCGI parameters to override
|
| programs.ssh.startAgent | Whether to start the OpenSSH agent when you log in
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth | Authentication to expect from remote
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals | ESP proposals to offer for the CHILD_SA
|
| services.ncps.cache.secretKeyPath | The path to load the secretKey for signing narinfos
|
| services.kmonad.keyboards.<name>.defcfg.enable | Whether to enable automatic generation of the defcfg block
|
| services.filebeat.settings | Configuration for filebeat
|
| programs.tsmClient.dsmSysText | This configuration key contains the effective text
of the client system-options file "dsm.sys"
|
| services.xserver.xkb.extraLayouts.<name>.typesFile | The path to the xkb types file
|
| services.mastodon.vapidPublicKeyFile | Path to file containing the public key used for Web Push
Voluntary Application Server Identification
|
| services.keycloak.sslCertificate | The path to a PEM formatted certificate to use for TLS/SSL
connections.
|
| services.outline.sslKeyFile | File path that contains the Base64-encoded private key for HTTPS
termination
|
| networking.wg-quick.interfaces.<name>.privateKey | Base64 private key generated by wg genkey
|
| image.repart.partitions | Specify partitions as a set of the names of the partitions with their
configuration as the key.
|
| services.monica.appKeyFile | A file containing the Laravel APP_KEY - a 32 character long,
base64 encoded key used for encryption where needed
|
| boot.initrd.luks.devices.<name>.gpgCard.publicKey | Path to the Public Key.
|
| services.logind.rebootKeyLongPress | Specifies what to do when the reboot key is long-pressed.
|
| services.radicle.publicKey | An SSH public key (as an absolute file path or directly as a string),
usually generated by rad auth.
|
| services.tinc.networks.<name>.hostSettings.<name>.rsaPublicKey | Legacy RSA public key of the host in PEM format, including start and
end markers
|
| services.nsd.zones.<name>.requestXFR | Format: [AXFR|UDP] <ip-address> <key-name | NOKEY>
|
| services.lasuite-docs.settings.DJANGO_SECRET_KEY_FILE | The path to the file containing Django's secret key
|
| services.lasuite-meet.settings.DJANGO_SECRET_KEY_FILE | The path to the file containing Django's secret key
|
| services.strongswan-swanctl.swanctl.secrets.private | Private key decryption passphrase for a key in the
private folder.
|
| services.keycloak.database.createLocally | Whether a database should be automatically created on the
local host
|
| services.harmonia.signKeyPath | DEPRECATED: Use services.harmonia.signKeyPaths instead
|
| services.keycloak.database.username | Username to use when connecting to an external or manually
provisioned database; has no effect when a local database is
automatically provisioned
|
| services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream.
|
| services.kanata.keyboards.<name>.configFile | The config file
|
| services.nsd.dnssecInterval | How often to check whether dnssec key rollover is required
|
| services.molly-brown.certPath | Path to TLS certificate
|
| services.keycloak.database.passwordFile | The path to a file containing the database password
|
| services.dragonflydb.keysOutputLimit | Maximum number of returned keys in keys command.
keys is a dangerous command
|
| services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyWebsockets | Whether to support proxying websocket connections with HTTP/1.1.
|
| services.keycloak.initialAdminPassword | Initial password set for the temporary admin user
|
| services.dendrite.tlsCert | The path to the TLS certificate.
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.h2o.hosts.<name>.tls.identity | Key / certificate pairs for the virtual host.
|
| services.nsd.zones.<name>.dnssecPolicy.zsk | Key policy for zone signing keys
|
| services.gitea.captcha.secretFile | Path to a file containing the CAPTCHA secret key.
|
| services.openssh.hostKeys | NixOS can automatically generate SSH host keys
|
| programs.yubikey-touch-detector.libnotify | If set to true, yubikey-touch-detctor will send notifications using libnotify
|
| users.allowNoPasswordLogin | Disable checking that at least the root user or a user in the wheel group can log in using
a password or an SSH key
|
| services.dovecot2.sslServerKey | Path to the server's private key.
|
| services.hostapd.radios.<name>.settings | Extra configuration options to put at the end of global initialization, before defining BSSs
|
| services.sshwifty.sharedKeyFile | Path to a file containing the shared key.
|
| services.evremap.settings.dual_role.*.input | The key that should be remapped
|
| services.iperf3.rsaPrivateKey | Path to the RSA private key (not password-protected) used to decrypt authentication credentials from the client.
|
| hardware.facter.detected.boot.keyboard.kernelModules | List of kernel modules to include in the initrd to support the keyboard.
|
| services.tor.relay.onionServices.<name>.authorizedClients | Authorized clients for a v3 onion service,
as a list of public key, in the format:
descriptor:x25519:<base32-public-key>
See torrc manual.
|
| services.dovecot2.enableDHE | Whether to enable ssl_dh and generation of primes for the key exchange.
|