| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.endpoint_params | Optional parameters to append to the token URL.
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.basic_auth.password_file | HTTP password file
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.basic_auth.password_file | HTTP password file
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.authorization.credentials_file | Sets the credentials to the credentials read from the configured file
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.client_secret | OAuth client secret.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth | Optional HTTP basic authentication information.
|
| services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.client_id | OAuth client ID.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.token_url | The URL to fetch the token from.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth.password | HTTP password
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.authorization.credentials_file | Sets the credentials to the credentials read from the configured file
|
| services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.client_secret | OAuth client secret.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth.password | HTTP password
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.endpoint_params | Optional parameters to append to the token URL.
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.basic_auth.password_file | HTTP password file
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.authorization.credentials_file | Sets the credentials to the credentials read from the configured file
|
| services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.client_secret | OAuth client secret.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.endpoint_params | Optional parameters to append to the token URL.
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth.password_file | HTTP password file
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.endpoint_params | Optional parameters to append to the token URL.
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth.password_file | HTTP password file
|
| services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.client_secret_file | Read the client secret from a file
|
| services.stash.settings.dangerous_allow_public_without_auth | Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/
|
| services.tt-rss.plugins | List of plugins to load automatically for all users
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| security.pam.services.<name>.p11Auth | If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.
|
| security.polkit.adminIdentities | Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value)
|
| services.hostapd.enable | Whether to enable hostapd, a user space daemon for access point and authentication servers
|
| security.duosec.fallbackLocalIP | Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting
|
| services.prometheus.exporters.pgbouncer.connectionString | Connection string for accessing pgBouncer
|
| security.pam.services.<name>.sshAgentAuth | If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys
|
| security.pam.dp9ik.enable | Whether to enable the dp9ik pam module provided by tlsclient
|
| security.pam.howdy.enable | Whether to enable the Howdy PAM module
|
| services.mysql.ensureUsers | Ensures that the specified users exist and have at least the ensured permissions
|
| services.prosody.s2sInsecureDomains | Some servers have invalid or self-signed certificates
|
| services.postgresql.ensureUsers | Ensures that the specified users exist
|
| services.cntlm.proxy | A list of NTLM/NTLMv2 authenticating HTTP proxies
|
| services.gitlab-runner.services.<name>.registrationConfigFile | Absolute path to a file with environment variables used for gitlab-runner registration with runner registration tokens
|
| security.pam.services.<name>.howdy.enable | Whether to enable the Howdy PAM module
|
| services.crowdsec-firewall-bouncer.secrets.apiKeyPath | Path to the API key to authenticate with a local CrowdSec API
|
| security.pam.krb5.enable | Enables Kerberos PAM modules (pam-krb5, pam-ccreds)
|
| services.prosody.s2sRequireEncryption | Force servers to use encrypted connections? This option will prevent servers from authenticating unless they are using encryption
|
| services.postgrest.pgpassFile | The password to authenticate to PostgreSQL with
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote | Section for a remote authentication round
|
| services.postgres-websockets.pgpassFile | The password to authenticate to PostgreSQL with
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request (Basic authorization type, USER:[PASS]). Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the environmentFile option to a file containing HTTP_PASSWORD=<your-password-here> and set this option to <user>:$HTTP_PASSWORD
|
| services.dependency-track.oidc.userProvisioning | Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication
|
| services.headscale.settings.oidc.allowed_domains | Allowed principal domains. If an authenticated user's domain is not in this list, the authentication request will be rejected.
|
| services.dependency-track.settings."alpine.oidc.user.provisioning" | Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication
|
| security.pam.services.<name>.googleOsLoginAuthentication | If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA
|
| security.pam.yubico.enable | Enables Yubico PAM (yubico-pam) module
|
| services.nsd.enable | Whether to enable NSD authoritative DNS server.
|
| services.knot.enable | Whether to enable Knot authoritative-only DNS server.
|
| security.pam.services.<name>.yubicoAuth | If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.groups | Authorization group memberships to require
|
| security.pki.caBundle | (Read-only) the path to the final bundle of certificate authorities as a single file.
|
| security.doas.extraRules.*.persist | If true, do not ask for a password again for some time after the user successfully authenticates.
|
| security.duosec.prompts | If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again
|
| services.bind.zones | List of zones we claim authority over.
|
| services.netbird.server.dashboard.settings | An attribute set that will be used to substitute variables when building the dashboard
|
| boot.initrd.luks.gpgSupport | Enables support for authenticating with a GPG encrypted password.
|
| security.pam.ussh.group | If set, then the authenticating user must be a member of this group to use this module.
|
| services.pdns-recursor.forwardZones | DNS zones to be forwarded to other authoritative servers.
|
| services.step-ca.port | The port the certificate authority should listen on
|
| security.pam.rssh.enable | Whether to enable authenticating using a signature performed by the ssh-agent.
|
| boot.initrd.luks.fido2Support | Enables support for authenticating with FIDO2 devices.
|
| services.step-ca.enable | Whether to enable the smallstep certificate authority server.
|
| services.strongswan.ca | A set of CAs (certification authorities) and their options for the ‘ca xxx’ sections of the ipsec.conf file.
|
| services.rutorrent.nginx.exposeInsecureRPC2mount | If you do not enable one of the rpc or httprpc plugins you need to expose an RPC mount through scgi using this option
|
| services.bcg.mqtt.cafile | Certificate Authority file for MQTT server access.
|
| services.dnscache.domainServers | Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts)
|
| services.skydns.nameservers | Skydns list of nameservers to forward DNS requests to when not authoritative for a domain.
|
| users.mysql.pam.logging.userColumn | The name of the column in the log table to which the name of the user being authenticated is stored.
|
| users.mysql.pam.logging.hostColumn | The name of the column in the log table to which the name of the user being authenticated is stored.
|
| services.skydns.etcd.caCert | Skydns path of TLS certificate authority public key.
|
| services.etcd.trustedCaFile | Certificate authority file to use for clients
|
| services.flannel.etcd.caFile | Etcd certificate authority file
|
| services.prometheus.alertmanagerGotify.environmentFile | File containing additional config environment variables for alertmanager-gotify-bridge
|
| services.pomerium.enable | Whether to enable the Pomerium authenticating reverse proxy.
|
| services.openssh.settings.UseDns | Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address
|
| services.sympa.listMasters | The list of the email addresses of the listmasters (users authorized to perform global server commands).
|
| services.step-ca.address | The address (without port) the certificate authority should listen at
|
| services.etcd.peerTrustedCaFile | Certificate authority file to use for peer to peer communication
|
| services.jitsi-meet.secureDomain.enable | Whether to enable Authenticated room creation.
|
| services.step-ca.openFirewall | Whether to enable opening the certificate authority server port.
|
| security.pam.sshAgentAuth.enable | Whether to enable authenticating using a signature performed by the ssh-agent
|
| boot.initrd.luks.yubikeySupport | Enables support for authenticating with a YubiKey on LUKS devices
|
| services.nebula.networks.<name>.ca | Path to the certificate authority certificate.
|
| services.hologram-server.roleAttr | Which LDAP group attribute to search for authorized role ARNs
|
| services.kubernetes.caFile | Default kubernetes certificate authority
|