| services.matrix-hookshot.registrationFile | Appservice registration file
|
| boot.initrd.network.openvpn.configuration | The configuration file for OpenVPN.
Unless your bootloader supports initrd secrets, this configuration
is stored insecurely in the global Nix store.
|
| services.pinchflat.secretsFile | Secrets like SECRET_KEY_BASE and BASIC_AUTH_PASSWORD
should be passed to the service without adding them to the world-readable Nix store
|
| services.prometheus.pushgateway.stateDir | Directory below /var/lib to store metrics
|
| services.bluesky-pds.settings.PDS_BLOBSTORE_DISK_LOCATION | Store blobs at this location, set to null to use e.g
|
| services.prometheus.exporters.py-air-control.stateDir | Directory below /var/lib to store runtime data
|
| services.archisteamfarm.dataDir | The ASF home directory used to store all data
|
| services.sourcehut.settings."meta.sr.ht::billing".stripe-secret-key | An absolute file path (which should be outside the Nix-store)
to a secret key for Stripe
|
| services.restic.backups.<name>.rcloneConfig | Configuration for the rclone remote being used for backup
|
| services.grafana.provision.alerting.muteTimings.path | Path to YAML mute timings configuration
|
| services.chatgpt-retrieval-plugin.qdrantCollection | name of the qdrant collection used to store documents.
|
| services.kanidm.provision.systems.oauth2.<name>.basicSecretFile | The basic secret to use for this service
|
| services.step-ca.intermediatePasswordFile | Path to the file containing the password for the intermediate
certificate private key.
Make sure to use a quoted absolute path instead of a path literal
to prevent it from being copied to the globally readable Nix
store.
|
| services.sourcehut.settings."sr.ht".service-key | An absolute file path (which should be outside the Nix-store)
to a key used for encrypting session cookies
|
| services.paperless.environmentFile | Path to a file containing extra paperless config options in the systemd EnvironmentFile
format
|
| services.libeufin.nexus.settings.nexus-ebics.CLIENT_PRIVATE_KEYS_FILE | Filesystem location where Nexus should store the subscriber private keys.
|
| services.grafana.provision.alerting.policies.path | Path to YAML notification policies configuration
|
| services.grafana.provision.datasources.path | Path to YAML datasource configuration
|
| services.hercules-ci-agent.settings.clusterJoinTokenPath | Location of the cluster-join-token.key file
|
| services.mautrix-whatsapp.environmentFile | File containing environment variables to be passed to the mautrix-whatsapp service
|
| systemd.services.<name>.confinement.fullUnit | Whether to include the full closure of the systemd unit file into the
chroot, instead of just the dependencies for the executables.
While it may be tempting to just enable this option to
make things work quickly, please be aware that this might add paths
to the closure of the chroot that you didn't anticipate
|
| networking.wireless.secretsFile | File consisting of lines of the form varname=value
to define variables for the wireless configuration
|
| services.victoriametrics.stateDir | Directory below /var/lib to store VictoriaMetrics metrics data
|
| networking.wireless.networks.<name>.pskRaw | Either the raw pre-shared key in hexadecimal format
or the name of the secret (as defined inside
networking.wireless.secretsFile and prefixed
with ext:) containing the network pre-shared key.
Be aware that this will be written to the Nix store
in plaintext! Always use an external reference.
The external secret can be either the plaintext
passphrase or the raw pre-shared key.
Mutually exclusive with psk and auth.
|
| services.suricata.settings.outputs | Configure the type of alert (and other) logging you would like
|
| services.grafana.provision.alerting.contactPoints.path | Path to YAML contact points configuration
|
| services.pantalaimon-headless.instances.<name>.dataPath | The directory where pantalaimon should store its state such as the database file.
|
| virtualisation.podman.networkSocket.tls.key | Path to the private key corresponding to the server certificate
|
| services.immichframe.settings.Accounts.*.ApiKey | API key to talk to the Immich server
|
| services.grafana.provision.alerting.templates.path | Path to YAML templates configuration
|
| services.tarsnap.keyfile | The keyfile which associates this machine with your tarsnap
account
|
| services.tarsnap.archives.<name>.keyfile | Set a specific keyfile for this archive
|
| services.veilid.settings.core.capabilities.disable | A list of capabilities to disable (for example, DHTV to say you cannot store DHT information).
|
| services.hedgedoc.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.linkwarden.environmentFile | Path of a file with extra environment variables to be loaded from disk
|
| services.gitolite.extraGitoliteRc | Extra configuration to append to the default ~/.gitolite.rc
|
| services.wstunnel.clients.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.wstunnel.servers.<name>.environmentFile | Environment file to be passed to the systemd service
|
| services.sourcehut.settings.webhooks.private-key | An absolute file path (which should be outside the Nix-store)
to a base64-encoded Ed25519 key for signing webhook payloads
|
| services.lubelogger.environmentFile | Path to a file containing extra LubeLogger config options in the systemd EnvironmentFile format
|
| services.journald.remote.settings.Remote.ServerKeyFile | A path to a SSL secret key file in PEM format
|
| services.teeworlds.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.journald.rateLimitBurst | Configures the rate limiting burst limit (number of messages per
interval) that is applied to all messages generated on the system
|
| services.dendrite.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.transmission.credentialsFile | Path to a JSON file to be merged with the settings
|
| services.grafana.settings.security.secret_key | Secret key used for signing
|
| services.mattermost.database.fromEnvironment | Use services.mattermost.environmentFile to configure the database instead of writing the database URI
to the Nix store
|
| services.prometheus.exporters.deluge.delugePassword | Password to connect to deluge server
|
| services.prometheus.exporters.buildkite-agent.tokenPath | The token from your Buildkite "Agents" page
|
| services.peering-manager.environmentFile | Environment file as defined in systemd.exec(5)
|
| <imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.cacert | Path to CA bundle file (PEM/X509)
|
| services.mattermost.environmentFile | Environment file (see systemd.exec(5)
"EnvironmentFile=" section for the syntax) which sets config options
for mattermost (see the Mattermost documentation)
|
| systemd.services.<name>.confinement.packages | Additional packages or strings with context to add to the closure of
the chroot
|
| services.prometheus.exporters.mqtt.environmentFile | File to load as environment file
|
| virtualisation.credentials.<name>.text | Text content of the credential
|
| services.fluent-bit.configurationFile | Fluent Bit configuration
|
| services.magnetico.web.credentials | The credentials to access the web interface, in case authentication is
enabled, in the format username:hash
|
| services.borgbackup.jobs.<name>.encryption.passphrase | The passphrase the backups are encrypted with
|
| services.prometheus.alertmanager-ntfy.extraConfigFiles | Config files to merge into the settings defined in services.prometheus.alertmanager-ntfy.settings
|
| virtualisation.fileSystems.<name>.neededForBoot | If set, this file system will be mounted in the initial ramdisk
|
| services.mqtt2influxdb.environmentFiles | File to load as environment file
|
| services.opentelemetry-collector.validateConfigFile | Whether to enable Validate configuration file.
|
| services.geoipupdate.settings.DatabaseDirectory | The directory to store the database files in
|
| services.wstunnel.clients.<name>.upgradeCredentials | Use these credentials to authenticate during the HTTP upgrade request
(Basic authorization type, USER:[PASS]).
Passwords specified here will be world-readable in the Nix store!
To pass a password to the service, point the environmentFile option
to a file containing HTTP_PASSWORD=<your-password-here> and set this
option to <user>:$HTTP_PASSWORD
|
| services.nextcloud.config.objectstore.s3.verify_bucket_exists | Create the objectstore bucket if it does not exist.
|
| services.vaultwarden.environmentFile | Additional environment file or files as defined in systemd.exec(5)
|
| services.litestream.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.prometheus.exporters.restic.rcloneConfig | Configuration for the rclone remote being used for backup
|
| services.gitlab.secrets.activeRecordDeterministicKeyFile | A file containing the secret used to encrypt some rails data in a deterministic way
in the DB
|
| services.fastnetmon-advanced.enableAdvancedTrafficPersistence | Store historical flow data in clickhouse
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.id | A unique identifier for this authentication token
|
| services.authelia.instances.<name>.environmentVariables | Additional environment variables to provide to authelia
|
| services.nipap.settings.auth.auth_cache_timeout | Seconds to store cached auth entries for.
|
| services.prometheus.exporters.snmp.environmentFile | EnvironmentFile as defined in systemd.exec(5)
|
| services.prometheus.exporters.pgbouncer.connectionString | Connection string for accessing pgBouncer
|
| services.prometheus.exporters.php-fpm.environmentFile | Environment file as defined in systemd.exec(5)
|
| virtualisation.oci-containers.containers.<name>.volumes | List of volumes to attach to this container
|
| services.amazon-cloudwatch-agent.configurationFile | Amazon CloudWatch Agent configuration file
|
| services.amazon-cloudwatch-agent.commonConfigurationFile | Amazon CloudWatch Agent common configuration
|
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPasswordFile | Sets the password for WPA-PSK
|
| services.prometheus.exporters.postgres.environmentFile | Environment file as defined in systemd.exec(5)
|
| services.gitlab-runner.services.<name>.registrationConfigFile | Absolute path to a file with environment variables
used for gitlab-runner registration with runner registration
tokens
|
| services.grafana.provision.datasources.settings.datasources.*.secureJsonData | Datasource specific secure configuration
|
| services.gitlab-runner.services.<name>.authenticationTokenConfigFile | Absolute path to a file containing environment variables used for
gitlab-runner registrations with runner authentication tokens
|
| services.veilid.settings.core.protected_store.allow_insecure_fallback | If we can't use system-provided secure storage, should we proceed anyway?
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords | Sets allowed passwords for WPA3-SAE
|
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword | Sets the password for WPA-PSK that will be converted to the pre-shared key
|
| users.users.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswordsFile | Sets the password for WPA3-SAE
|
| users.extraUsers.<name>.initialPassword | Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist
|
| services.veilid.settings.core.protected_store.always_use_insecure_storage | Should we bypass any attempt to use system-provided secure storage?
|
| services.sourcehut.settings."hg.sr.ht".clone_bundle_threshold | .hg/store size (in MB) past which the nightly job generates clone bundles.
|
| services.nixseparatedebuginfod2.substituters | nix substituter to fetch debuginfo from
|