| security.pam.services.<name>.ttyAudit.openOnly | Set the TTY audit flag when opening the session,
but do not restore it when closing the session
|
| security.pam.services.<name>.googleAuthenticator.enable | If set, users who have enabled Google Authenticator (by creating
~/.google_authenticator) will be required
to provide a Google Authenticator token to log in.
|
| boot.initrd.luks.devices.<name>.allowDiscards | Whether to allow TRIM requests to the underlying device
|
| services.postfix.tlsTrustedAuthorities | File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery
|
| services.irkerd.listenAddress | Specifies the bind address on which the irker daemon listens
|
| boot.initrd.systemd.emergencyAccess | Set to true for unauthenticated emergency access, and false or
null for no emergency access
|
| services.nitter.config.tokenCount | Minimum amount of usable tokens
|
| security.pam.services.<name>.usshAuth | If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in
|
| services.mysql.galeraCluster.sstMethod | Method for the initial state transfer (wsrep_sst_method) when a node joins the cluster
|
| services.cfdyndns.email | The email address to use to authenticate to CloudFlare.
|
| services.duckdns.tokenFile | The path to a file containing the token
used to authenticate with DuckDNS.
|
| services.tor.client.onionServices.<name>.clientAuthorizations | Clients' authorizations for a v3 onion service,
as a list of files, each containing one private key, in the format:
descriptor:x25519:<base32-private-key>
See torrc manual.
|
| programs.ssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| services.aesmd.settings.whitelistUrl | URL to retrieve authorized Intel SGX enclave signers.
|
| services.grafana-to-ntfy.settings.ntfyBAuthUser | The ntfy-sh user to use for authenticating with the ntfy-sh instance
|
| services.glusterfs.tlsSettings.caCert | Path to the certificate authority used to sign the cluster certificates.
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.client_id | Optional client ID
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tenant_id | Optional tenant ID
|
| services.prosody.c2sRequireEncryption | Force clients to use encrypted connections? This option will
prevent clients from authenticating unless they are using encryption.
|
| security.pam.services.<name>.rootOK | If set, root doesn't need to authenticate (e.g. for the
useradd service).
|
| services.cfdyndns.apiTokenFile | The path to a file containing the API Token
used to authenticate with CloudFlare.
|
| services.openssh.knownHosts.<name>.certAuthority | This public key is an SSH certificate authority, rather than an
individual host's key.
|
| services.cfdyndns.apikeyFile | The path to a file containing the API Key
used to authenticate with CloudFlare.
|
| services.aria2.rpcSecretFile | A file containing the RPC secret authorization token
|
| services.nbd.server.exports.<name>.allowAddresses | IPs and subnets that are authorized to connect for this device
|
| services.outline.smtp.username | Username to authenticate with.
|
| nix.buildMachines.*.sshKey | The path to the SSH private key with which to authenticate on
the build machine
|
| services.headscale.settings.oidc.pkce.enabled | Enable or disable PKCE (Proof Key for Code Exchange) support
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.client_secret | Optional client secret
|
| services.cjdns.UDPInterface.connectTo.<name>.password | Authorized password to the opposite end of the tunnel.
|
| services.cjdns.ETHInterface.connectTo.<name>.password | Authorized password to the opposite end of the tunnel.
|
| security.pam.services.<name>.mysqlAuth | If set, the pam_mysql module will be used to
authenticate users against a MySQL/MariaDB database.
|
| services.mastodon.elasticsearch.user | Used for optionally authenticating with Elasticsearch.
|
| services.mqtt2influxdb.mqtt.cafile | Certification Authority file for MQTT
|
| services.outline.smtp.passwordFile | File path containing the password to authenticate with.
|
| services.kubernetes.kubeconfig.caFile | Default kubeconfig certificate authority file used to connect to kube-apiserver.
|
| services.murmur.clientCertRequired | Whether to enable requiring clients to authenticate via certificates.
|
| services.lldap.enable | Whether to enable lldap, a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication.
|
| programs.light.brightnessKeys.minBrightness | The minimum authorized brightness value, e.g. to avoid the
display going dark.
|
| services.suwayomi-server.settings.server.basicAuthUsername | The username value that you have to provide when authenticating.
|
| services.isso.enable | Whether to enable isso, a commenting server similar to Disqus
|
| security.pam.services.<name>.rssh | If set, the calling user's SSH agent is used to authenticate
against the configured keys
|
| services.kubernetes.proxy.kubeconfig.caFile | Kubernetes proxy certificate authority file used to connect to kube-apiserver.
|
| services.suwayomi-server.settings.server.basicAuthPasswordFile | The password file containing the value that you have to provide when authenticating.
|
| services.sssd.sshAuthorizedKeysIntegration | Whether to make sshd look up authorized keys from SSS
|
| services.oncall.secretFile | A YAML file containing secrets such as database or user passwords
|
| services.headscale.settings.oidc.extra_params | Custom query parameters to send with the Authorize Endpoint request.
|
| services.kubernetes.kubelet.kubeconfig.caFile | Kubelet certificate authority file used to connect to kube-apiserver.
|
| services.tailscaleAuth.socketPath | Path of the socket listening to authorization requests.
|
| users.ldap.loginPam | Whether to include authentication against LDAP in login PAM.
|
| services.mastodon.elasticsearch.passwordFile | Path to file containing password for optionally authenticating with Elasticsearch.
|
| services.hickory-dns.settings.zones.*.zone_type | One of:
- "Primary" (the master, authority for the zone).
- "Secondary" (the slave, replicated from the primary).
- "External" (a cached zone that queries other nameservers)
|
| services.prometheus.exporters.unbound.unbound.ca | Path to the Unbound server certificate authority
|
| services.meme-bingo-web.enable | Whether to enable a web app for the meme bingo, rendered entirely on the web server and made interactive with forms
|
| services.firezone.server.smtp.username | Username to authenticate against the SMTP relay
|
| services.matrix-appservice-irc.settings.ircService.mediaProxy.signingKeyPath | Path to the signing key file for authenticated media.
|
| services.kubernetes.controllerManager.rootCaFile | Kubernetes controller manager certificate authority file included in
service account's token secret.
|
| services.nextcloud.settings.mail_smtpname | This depends on mail_smtpauth
|
| services.cloudflared.tunnels.<name>.originRequest.caPool | Path to the certificate authority (CA) for the certificate of your origin
|
| services.murmur.registerPassword | Public server registry password, used to authenticate your
server to the registry to prevent impersonation; required for
subsequent registry updates.
|
| users.ldap.enable | Whether to enable authentication against an LDAP server.
|
| services.dependency-track.settings."alpine.database.username" | Specifies the username to use when authenticating to the database.
|
| services.redis.servers.<name>.masterAuth | If the master is password protected (using the requirePass configuration)
it is possible to tell the slave to authenticate before starting the replication synchronization
process, otherwise the master will refuse the slave request.
(STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
|
| services.crowdsec-firewall-bouncer.registerBouncer.enable | Whether to automatically register the bouncer to the locally running
crowdsec service
|
| services.rkvm.client.settings.password | Shared secret token to authenticate the client
|
| services.rkvm.server.settings.password | Shared secret token to authenticate the client
|
| services.bacula-sd.director.<name>.password | Specifies the password that must be supplied for the default Bacula
Console to be authorized
|
| services.bacula-fd.director.<name>.password | Specifies the password that must be supplied for the default Bacula
Console to be authorized
|
| services.kubernetes.scheduler.kubeconfig.caFile | Kubernetes scheduler certificate authority file used to connect to kube-apiserver.
|
| services.neo4j.ssl.policies.<name>.allowKeyGeneration | Allows the generation of a private key and associated self-signed
certificate
|
| users.mysql.enable | Whether to enable authentication against a MySQL/MariaDB database.
|
| security.soteria.enable | Whether to enable Soteria, a Polkit authentication agent
for any desktop environment.
You should only enable this if you are on a Desktop Environment that
does not provide a graphical polkit authentication agent, or you are on
a standalone window manager or Wayland compositor.
|
| services.strongswan-swanctl.swanctl.connections.<name>.local | Section for a local authentication round
|
| services.blackfire-agent.settings.server-id | Sets the server id used to authenticate with Blackfire.
You can find your personal server-id at https://blackfire.io/my/settings/credentials
|
| services.prometheus.remoteWrite.*.sigv4.profile | The named AWS profile used to authenticate.
|
| services.vsftpd.userDbPath | Only applies if enableVirtualUsers is true
|
| services.blackfire-agent.settings.server-token | Sets the server token used to authenticate with Blackfire.
You can find your personal server-token at https://blackfire.io/my/settings/credentials
|
| services.biboumi.settings.password | The password used to authenticate the XMPP component to your XMPP server
|
| services.kubernetes.controllerManager.kubeconfig.caFile | Kubernetes controller manager certificate authority file used to connect to kube-apiserver.
|
| networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| services.prometheus.exporters.mqtt.mqttUsername | Username which should be used to authenticate against the MQTT broker.
|
| networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive | This is optional and is by default off, because most
users will not need it
|
| networking.openconnect.interfaces.<name>.user | Username to authenticate with.
|
| services.howdy.enable | Whether to enable Howdy and its PAM module for face recognition
|
| users.mysql.pam.statusColumn | The name of the column or an SQL expression that indicates the status of
the user
|
| programs.ssh.macs | Specifies the MAC (message authentication code) algorithms in order of preference
|
| services.postgrest.jwtSecretFile | The secret or JSON Web Key (JWK) (or set) used to decode JWT tokens clients provide for authentication
|
| services.bitwarden-directory-connector-cli.ldap.username | The user to authenticate as.
|
| networking.supplicant | Interfaces for which to start wpa_supplicant
|
| services.db-rest.redis.user | Optional username used for authentication with redis.
|
| services.firezone.server.provision.accounts.<name>.actors.<name>.email | The email address used to authenticate as this account
|
| networking.openconnect.interfaces.<name>.privateKey | Private key to authenticate with.
|
| services.tt-rss.email.login | SMTP authentication login used when sending outgoing mail.
|
| services.ncps.netrcFile | The path to netrc file for upstream authentication
|
| services.headscale.settings.oidc.allowed_users | Users allowed to authenticate even if not in allowedDomains.
|
| services.prometheus.exporters.klipper.moonrakerApiKey | API Key to authenticate with the Moonraker APIs
|
| services.etcd.clientCertAuth | Whether to use certs for client authentication
|
| services.opkssh.enable | Whether to enable OpenID Connect SSH authentication.
|
| services.crowdsec-firewall-bouncer.settings.api_key | API key to authenticate with a local crowdsec API
|
| services.foundationdb.tls.allowedPeers | "Peer verification string"
|