| services.etcd.peerCertFile | Cert file to use for peer to peer communication
|
| services.certmgr.renewInterval | How often to check certificate expirations and how often to update the cert_next_expires metric.
|
| services.certmgr.metricsAddress | The address for the Prometheus HTTP endpoint.
|
| security.agnos.settings.accounts.*.certificates.*.domains | Domains the certificate represents
|
| security.sudo.keepTerminfo | Whether to preserve the TERMINFO and TERMINFO_DIRS environment variables, for root and the wheel group.
|
| services.misskey.reverseProxy.webserver.nginx.useACMEHost | A host of an existing Let's Encrypt certificate to use
|
| services.galene.groupsDir | Web server directory.
|
| services.suricata.settings.vars.port-groups | The port group variables for suricata.
|
| services.davfs2.davGroup | The group of the running mount.davfs daemon
|
| services.kubernetes.controllerManager.kubeconfig.certFile | Kubernetes controller manager client certificate file used to connect to kube-apiserver.
|
| services.icingaweb2.groupBackends | groups.ini contents
|
| services.prometheus.remoteRead.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.firezone.server.provision.accounts.<name>.groups | All groups to provision
|
| services.public-inbox.inboxes.<name>.newsgroup | NNTP group name for the inbox.
|
| services.postfix.setgidGroup | Name to use for the postfix setgid group (for postdrop)
|
| services.prometheus.remoteWrite.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacerts | List of CA certificates to accept for authentication
|
| security.loginDefs.settings.GID_MAX | Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.
|
| security.loginDefs.settings.GID_MIN | Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.
|
| security.sudo.defaultOptions | Options used for the default rules, granting root and the wheel group permission to run any command as any user.
|
| services.kanidm.provision.groups.<name>.present | Whether to ensure that this group is present or absent.
|
| services.quassel.dataDir | The directory holding configuration files, the SQLite database and the SSL Cert.
|
| security.sudo-rs.defaultOptions | Options used for the default rules, granting root and the wheel group permission to run any command as any user.
|
| services.kanidm.provision.groups.<name>.members | List of kanidm entities (persons, groups, ...) which are part of this group.
|
| services.bitwarden-directory-connector-cli.sync.groupNameAttribute | Attribute for a name of group.
|
| security.loginDefs.settings.SYS_GID_MAX | Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers
|
| security.loginDefs.settings.SYS_GID_MIN | Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers
|
| services.prometheus.scrapeConfigs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| services.ircdHybrid.certificate | IRCD server SSL certificate
|
| services.oauth2-proxy.tls.certificate | Path to certificate file.
|
| services.agate.certificatesDir | Root of the certificate directory.
|
| hardware.hackrf.enable | Enables hackrf udev rules and ensures 'plugdev' group exists
|
| services.minio.certificatesDir | The directory where TLS certificates are stored.
|
| services.below.cgroupFilterOut | A regexp matching the full paths of cgroups whose data shouldn't be collected
|
| security.sudo.wheelNeedsPassword | Whether users of the wheel group must provide a password to run commands as super user via sudo.
|
| security.doas.wheelNeedsPassword | Whether users of the wheel group must provide a password to run commands as super user via doas.
|
| security.sudo-rs.wheelNeedsPassword | Whether users of the wheel group must provide a password to run commands as super user via sudo.
|
| services.quassel.certificateFile | Path to the certificate used for SSL connections with clients.
|
| services.suricata.settings.vars.address-groups | The address group variables for suricata; if not defined, the default value of suricata (see example) will be used
|
| services.onlyoffice.securityNonceFile | File holding nginx configuration that sets the nonce used to create secret links
|
| security.run0.wheelNeedsPassword | Whether users of the wheel group must provide a password to run commands as super user via run0.
|
| services.hardware.lcd.server.usbGroup | The group to use for settings permissions
|
| services.grafana.settings.server.cert_key | Path to the certificate key file (if protocol is set to https or h2).
|
| services.hitch.frontend | The port and interface of the listen endpoint in the form [HOST]:PORT[+CERT].
|
| hardware.ckb-next.gid | Limit access to the ckb daemon to a particular group.
|
| services.maddy.tls.certificates | A list of attribute sets containing paths to TLS certificates and keys
|
| services.maddy.tls.certificates.*.keyPath | Path to the private key used for TLS.
|
| services.ghostunnel.servers.<name>.keystore | Path to keystore (combined PEM with cert/key, or PKCS12 keystore)
|
| services.nsd.zones.<name>.zoneStats | When set to something other than null, NSD is able to collect statistics per zone
|
| services.pgmanage.loginGroup | This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage
|
| security.loginDefs.settings.TTYPERM | The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM
|
| services.oauth2-proxy.google.groups | Restrict logins to members of these Google groups.
|
| services.slurm.extraCgroupConfig | Extra configuration for cgroup.conf
|
| services.ghostunnel.servers.<name>.cacert | Path to CA bundle file (PEM/X509)
|
| services.ananicy.extraCgroups | Cgroups to write in 'nixCgroups.cgroups'
|
| services.namecoind.rpc.certificate | Certificate file for securing RPC connections.
|
| services.samba-wsdd.workgroup | Set workgroup name (default WORKGROUP).
|
| security.pam.services.<name>.requireWheel | Whether to permit root access only to members of group wheel.
|
| services.prosody.modules.groups | Shared roster support
|
| services.grafana.settings.server.cert_file | Path to the certificate file (if protocol is set to https or h2).
|
| security.please.wheelNeedsPassword | Whether users of the wheel group must provide a password to run commands or edit files with please and pleaseedit respectively.
|
| services.bacula-sd.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bacula-fd.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.dendrite.tlsKey | The path to the TLS key. Generate with: nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.bacula-dir.tls.certificate | The full path to the PEM encoded TLS certificate
|
| services.bitwarden-directory-connector-cli.sync.groupFilter | LDAP filter for groups.
|
| security.pam.services.<name>.enableAppArmor | Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.
|
| services.infinoted.certificateFile | Server certificate to use for TLS
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| services.jibri.ignoreCert | Whether to enable the flag "--ignore-certificate-errors" for the Chromium browser opened by Jibri
|
| services.dendrite.tlsCert | The path to the TLS certificate. Generate with: nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
| services.movim.h2o.tls.identity.*.certificate-file | Path to certificate file
|
| security.loginDefs.settings.TTYGROUP | The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM
|
| services.sabnzbd.settings.misc.https_cert | Path to the TLS certificate for the web UI
|
| services.grafana.settings.database.client_cert_path | The path to the client cert
|
| services.rkvm.server.settings.certificate | TLS certificate path. This should be generated with rkvm-certificate-gen.
|
| services.rkvm.client.settings.certificate | TLS certificate path. This should be generated with rkvm-certificate-gen.
|
| users.extraGroups.<name>.gid | The group GID
|
| services.bitwarden-directory-connector-cli.sync.groupObjectClass | A class that groups will have.
|
| services.infinoted.certificateChain | Chain of CA-certificates to which our certificateFile is relative
|
| services.umurmur.settings.certificate | Path to your SSL certificate
|
| programs.wireshark.enable | Whether to add Wireshark to the global environment and create a 'wireshark' group
|
| services.warpgate.settings.http.sni_certificates.*.certificate | Path to certificate.
|
| security.polkit.adminIdentities | Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value)
|
| users.extraGroups.<name>.name | The name of the group
|
| services.github-runners.<name>.runnerGroup | Name of the runner group to add this runner to (defaults to the default runner group)
|
| services.kanidm.provision.groups | Provisioning of kanidm groups
|
| services.firezone.server.provision.accounts.<name>.groups.<name>.name | The name of this group
|
| services.h2o.hosts.<name>.tls.identity.*.certificate-file | Path to certificate file
|
| users.mutableUsers | If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands
|
| services.grafana.provision.alerting.rules.settings.groups.*.name | Name of the rule group
|
| services.warpgate.settings.http.certificate | Path to HTTPS listener certificate.
|
| services.mqtt2influxdb.mqtt.certfile | Certificate file for MQTT
|
| programs.wireshark.usbmon.enable | Whether to allow users in the 'wireshark' group to capture USB traffic
|
| security.agnos.settings.accounts.*.certificates.*.key_output_file | Output path for the certificate private key
|
| programs.wireshark.dumpcap.enable | Whether to allow users in the 'wireshark' group to capture network traffic
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.groups | Authorization group memberships to require
|
| services.warpgate.settings.mysql.certificate | Path to MySQL listener certificate.
|
| services.dolibarr.h2o.tls.identity.*.certificate-file | Path to certificate file
|
| services.grafana.provision.alerting.rules.settings.groups.*.folder | Name of the folder the rule group will be stored in
|