Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

nixos/*: automatically convert option docs to MD

once again using nix-doc-munge (https://github.com/pennae/nix-doc-munge/commit/69d080323ae27c0d8da3967c62b925a9aedb2828)

pennae 61e93df1 645cfa59

+628 -628
+3 -3
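--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -71,11 +71,11 @@
 ))
 '';
 example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"];
-description = ''
+description = lib.mdDoc ''
 List of locales that the system should support. The value
-<literal>"all"</literal> means that all locales supported by
+`"all"` means that all locales supported by
 Glibc will be installed. A full list of supported locales
-can be found at <link xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
+can be found at <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>.
 '';
 };
 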
+3 -3
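--- a/nixos/modules/config/resolvconf.nix
+++ b/nixos/modules/config/resolvconf.nix
@@ -83,9 +83,9 @@
 dnsExtensionMechanism = mkOption {
 type = types.bool;
 default = true;
-description = ''
-Enable the <literal>edns0</literal> option in <filename>resolv.conf</filename>. With
-that option set, <literal>glibc</literal> supports use of the extension mechanisms for
+description = lib.mdDoc ''
+Enable the `edns0` option in {file}`resolv.conf`. With
+that option set, `glibc` supports use of the extension mechanisms for
 DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
 which does not work without it.
 '';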
+2 -2
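--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -109,11 +109,11 @@
 
 environment.shellAliases = mkOption {
 example = { l = null; ll = "ls -l"; };
-description = ''
+description = lib.mdDoc ''
 An attribute set that maps aliases (the top level attribute names in
 this option) to command strings or directly to build outputs. The
 aliases are added to all users' shells.
-Aliases mapped to <literal>null</literal> are ignored.
+Aliases mapped to `null` are ignored.
 '';
 type = with types; attrsOf (nullOr (either str path));
 };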
+4 -4
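--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -16,7 +16,7 @@
 
 environment.sessionVariables = mkOption {
 default = {};
-description = ''
+description = lib.mdDoc ''
 A set of environment variables used in the global environment.
 These variables will be set by PAM early in the login process.
 
@@ -25,12 +25,12 @@
 colon characters.
 
 Note, due to limitations in the PAM format values may not
-contain the <literal>"</literal> character.
+contain the `"` character.
 
 Also, these variables are merged into
-<xref linkend="opt-environment.variables"/> and it is
+[](#opt-environment.variables) and it is
 therefore not possible to use PAM style variables such as
-<literal>@{HOME}</literal>.
+`@{HOME}`.
 '';
 type = with types; attrsOf (either str (listOf str));
 apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);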
+19 -19
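--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -100,17 +100,17 @@
 isNormalUser = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Indicates whether this is an account for a “real” user. This
-automatically sets <option>group</option> to
-<literal>users</literal>, <option>createHome</option> to
-<literal>true</literal>, <option>home</option> to
-<filename>/home/«username»</filename>,
-<option>useDefaultShell</option> to <literal>true</literal>,
-and <option>isSystemUser</option> to
-<literal>false</literal>.
-Exactly one of <literal>isNormalUser</literal> and
-<literal>isSystemUser</literal> must be true.
+automatically sets {option}`group` to
+`users`, {option}`createHome` to
+`true`, {option}`home` to
+{file}`/home/«username»`,
+{option}`useDefaultShell` to `true`,
+and {option}`isSystemUser` to
+`false`.
+Exactly one of `isNormalUser` and
+`isSystemUser` must be true.
 '';
 };
 
@@ -151,12 +151,12 @@
 pamMount = mkOption {
 type = with types; attrsOf str;
 default = {};
-description = ''
+description = lib.mdDoc ''
 Attributes for user's entry in
-<filename>pam_mount.conf.xml</filename>.
-Useful attributes might include <literal>path</literal>,
-<literal>options</literal>, <literal>fstype</literal>, and <literal>server</literal>.
-See <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>
+{file}`pam_mount.conf.xml`.
+Useful attributes might include `path`,
+`options`, `fstype`, and `server`.
+See <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>
 for more information.
 '';
 };
@@ -166,12 +166,12 @@
 default = pkgs.shadow;
 defaultText = literalExpression "pkgs.shadow";
 example = literalExpression "pkgs.bashInteractive";
-description = ''
+description = lib.mdDoc ''
 The path to the user's shell. Can use shell derivations,
-like <literal>pkgs.bashInteractive</literal>. Don’t
+like `pkgs.bashInteractive`. Don’t
 forget to enable your shell in
-<literal>programs</literal> if necessary,
-like <literal>programs.zsh.enable = true;</literal>.
+`programs` if necessary,
+like `programs.zsh.enable = true;`.
 '';
 };
 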
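Review bot: The converted `pamMount` description at new line 159 still points readers at a cleartext URL, `<http://pam-mount.sourceforge.net/pam_mount.conf.5.html>`, and the same is true of `<http://www.nncpgo.org/Configuration.html>` in nixos/modules/programs/nncp.nix (new line 47). Both are references people follow while configuring login-time mounts and node key material, so an `https://` form would be preferable wherever the host serves one; I have not confirmed that either does. Because this commit is a mechanical conversion, a follow-up change is probably the right place for it.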
+1 -1
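--- a/nixos/modules/hardware/logitech.nix
+++ b/nixos/modules/hardware/logitech.nix
@@ -32,7 +32,7 @@
 devices = mkOption {
 type = types.listOf types.str;
 default = [ "0a07" "c222" "c225" "c227" "c251" ];
-description = ''
+description = lib.mdDoc ''
 List of USB device ids supported by g15daemon.
 
 You most likely do not need to change this.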
+6 -6
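--- a/nixos/modules/hardware/video/uvcvideo/default.nix
+++ b/nixos/modules/hardware/video/uvcvideo/default.nix
@@ -34,15 +34,15 @@
 packages = mkOption {
 type = types.listOf types.path;
 example = literalExpression "[ pkgs.tiscamera ]";
-description = ''
-List of packages containing <command>uvcvideo</command> dynamic controls
+description = lib.mdDoc ''
+List of packages containing {command}`uvcvideo` dynamic controls
 rules. All files found in
-<filename>«pkg»/share/uvcdynctrl/data</filename>
+{file}`«pkg»/share/uvcdynctrl/data`
 will be included.
 
-Note that these will serve as input to the <command>libwebcam</command>
-package which through its own <command>udev</command> rule will register
-the dynamic controls from specified packages to the <command>uvcvideo</command>
+Note that these will serve as input to the {command}`libwebcam`
+package which through its own {command}`udev` rule will register
+the dynamic controls from specified packages to the {command}`uvcvideo`
 driver.
 '';
 apply = map getBin;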
+2 -2
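--- a/nixos/modules/programs/adb.nix
+++ b/nixos/modules/programs/adb.nix
@@ -11,10 +11,10 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Whether to configure system to use Android Debug Bridge (adb).
 To grant access to a user, it must be part of adbusers group:
-<literal>users.users.alice.extraGroups = ["adbusers"];</literal>
+`users.users.alice.extraGroups = ["adbusers"];`
 '';
 };
 };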
+2 -2
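--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -69,12 +69,12 @@
 };
 }
 '';
-description = ''
+description = lib.mdDoc ''
 Wrap the binaries in firejail and place them in the global path.
 
 You will get file collisions if you put the actual application binary in
 the global environment (such as by adding the application package to
-<literal>environment.systemPackages</literal>), and applications started via
+`environment.systemPackages`), and applications started via
 .desktop files are not wrapped if they specify the absolute path to the
 binary.
 '';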
+2 -2
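--- a/nixos/modules/programs/gphoto2.nix
+++ b/nixos/modules/programs/gphoto2.nix
@@ -11,11 +11,11 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Whether to configure system to use gphoto2.
 To grant digital camera access to a user, the user must
 be part of the camera group:
-<literal>users.users.alice.extraGroups = ["camera"];</literal>
+`users.users.alice.extraGroups = ["camera"];`
 '';
 };
 };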
+2 -2
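--- a/nixos/modules/programs/neovim.nix
+++ b/nixos/modules/programs/neovim.nix
@@ -72,9 +72,9 @@
 };
 }
 '';
-description = ''
+description = lib.mdDoc ''
 Generate your init file from your list of plugins and custom commands.
-Neovim will then be wrapped to load <command>nvim -u /nix/store/«hash»-vimrc</command>
+Neovim will then be wrapped to load {command}`nvim -u /nix/store/«hash»-vimrc`
 '';
 };
 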
+9 -9
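--- a/nixos/modules/programs/nncp.nix
+++ b/nixos/modules/programs/nncp.nix
@@ -33,24 +33,24 @@
 secrets = mkOption {
 type = with types; listOf str;
 example = [ "/run/keys/nncp.hjson" ];
-description = ''
+description = lib.mdDoc ''
 A list of paths to NNCP configuration files that should not be
 in the Nix store. These files are layered on top of the values at
-<xref linkend="opt-programs.nncp.settings"/>.
+[](#opt-programs.nncp.settings).
 '';
 };
 
 settings = mkOption {
 type = settingsFormat.type;
-description = ''
+description = lib.mdDoc ''
 NNCP configuration, see
-<link xlink:href="http://www.nncpgo.org/Configuration.html"/>.
+<http://www.nncpgo.org/Configuration.html>.
 At runtime these settings will be overlayed by the contents of
-<xref linkend="opt-programs.nncp.secrets"/> into the file
-<literal>${nncpCfgFile}</literal>. Node keypairs go in
-<literal>secrets</literal>, do not specify them in
-<literal>settings</literal> as they will be leaked into
-<literal>/nix/store</literal>!
+[](#opt-programs.nncp.secrets) into the file
+`${nncpCfgFile}`. Node keypairs go in
+`secrets`, do not specify them in
+`settings` as they will be leaked into
+`/nix/store`!
 '';
 default = { };
 };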
+3 -3
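--- a/nixos/modules/programs/turbovnc.nix
+++ b/nixos/modules/programs/turbovnc.nix
@@ -15,14 +15,14 @@
 ensureHeadlessSoftwareOpenGL = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to set up NixOS such that TurboVNC's built-in software OpenGL
 implementation works.
 
-This will enable <option>hardware.opengl.enable</option> so that OpenGL
+This will enable {option}`hardware.opengl.enable` so that OpenGL
 programs can find Mesa's llvmpipe drivers.
 
-Setting this option to <literal>false</literal> does not mean that software
+Setting this option to `false` does not mean that software
 OpenGL won't work; it may still work depending on your system
 configuration.
 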
+2 -2
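--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -504,8 +504,8 @@
 reloadServices = mkOption {
 type = types.listOf types.str;
 inherit (defaultAndText "reloadServices" []) default defaultText;
-description = ''
-The list of systemd services to call <literal>systemctl try-reload-or-restart</literal>
+description = lib.mdDoc ''
+The list of systemd services to call `systemctl try-reload-or-restart`
 on.
 '';
 };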
+30 -30
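--- a/nixos/modules/security/doas.nix
+++ b/nixos/modules/security/doas.nix
@@ -62,19 +62,19 @@
 wheelNeedsPassword = mkOption {
 type = with types; bool;
 default = true;
-description = ''
-Whether users of the <literal>wheel</literal> group must provide a password to
-run commands as super user via <command>doas</command>.
+description = lib.mdDoc ''
+Whether users of the `wheel` group must provide a password to
+run commands as super user via {command}`doas`.
 '';
 };
 
 extraRules = mkOption {
 default = [];
-description = ''
+description = lib.mdDoc ''
 Define specific rules to be set in the
-<filename>/etc/doas.conf</filename> file. More specific rules should
+{file}`/etc/doas.conf` file. More specific rules should
 come after more general ones in order to yield the expected behavior.
-You can use <literal>mkBefore</literal> and/or <literal>mkAfter</literal> to ensure
+You can use `mkBefore` and/or `mkAfter` to ensure
 this is the case when configuration options are merged.
 '';
 example = literalExpression ''
@@ -113,8 +113,8 @@
 noPass = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <literal>true</literal>, the user is not required to enter a
+description = lib.mdDoc ''
+If `true`, the user is not required to enter a
 password.
 '';
 };
@@ -122,18 +122,18 @@
 noLog = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <literal>true</literal>, successful executions will not be logged
+description = lib.mdDoc ''
+If `true`, successful executions will not be logged
 to
-<citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+{manpage}`syslogd(8)`.
 '';
 };
 
 persist = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <literal>true</literal>, do not ask for a password again for some
+description = lib.mdDoc ''
+If `true`, do not ask for a password again for some
 time after the user successfully authenticates.
 '';
 };
@@ -141,10 +141,10 @@
 keepEnv = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <literal>true</literal>, environment variables other than those
+description = lib.mdDoc ''
+If `true`, environment variables other than those
 listed in
-<citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+{manpage}`doas(1)`
 are kept when creating the environment for the new process.
 '';
 };
@@ -152,18 +152,18 @@
 setEnv = mkOption {
 type = with types; listOf str;
 default = [];
-description = ''
+description = lib.mdDoc ''
 Keep or set the specified variables. Variables may also be
 removed with a leading '-' or set using
-<literal>variable=value</literal>. If the first character of
-<literal>value</literal> is a '$', the value to be set is taken from
+`variable=value`. If the first character of
+`value` is a '$', the value to be set is taken from
 the existing environment variable of the indicated name. This
 option is processed after the default environment has been
 created.
 
-NOTE: All rules have <literal>setenv { SSH_AUTH_SOCK }</literal> by
-default. To prevent <literal>SSH_AUTH_SOCK</literal> from being
-inherited, add <literal>"-SSH_AUTH_SOCK"</literal> anywhere in this
+NOTE: All rules have `setenv { SSH_AUTH_SOCK }` by
+default. To prevent `SSH_AUTH_SOCK` from being
+inherited, add `"-SSH_AUTH_SOCK"` anywhere in this
 list.
 '';
 };
@@ -183,23 +183,23 @@
 runAs = mkOption {
 type = with types; nullOr str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Which user or group the specified command is allowed to run as.
-When set to <literal>null</literal> (the default), all users are
+When set to `null` (the default), all users are
 allowed.
 
 A user can be specified using just the username:
-<literal>"foo"</literal>. It is also possible to only allow running as
-a specific group with <literal>":bar"</literal>.
+`"foo"`. It is also possible to only allow running as
+a specific group with `":bar"`.
 '';
 };
 
 cmd = mkOption {
 type = with types; nullOr str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 The command the user is allowed to run. When set to
-<literal>null</literal> (the default), all commands are allowed.
+`null` (the default), all commands are allowed.
 
 NOTE: It is best practice to specify absolute paths. If a
 relative path is specified, only a restricted PATH will be
@@ -210,9 +210,9 @@
 args = mkOption {
 type = with types; nullOr (listOf str);
 default = null;
-description = ''
+description = lib.mdDoc ''
 Arguments that must be provided to the command. When set to
-<literal>[]</literal>, the command must be run without any arguments.
+`[]`, the command must be run without any arguments.
 '';
 };
 };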
+2 -2
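--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -52,7 +52,7 @@
 security.allowSimultaneousMultithreading = mkOption {
 type = types.bool;
 default = true;
-description = ''
+description = lib.mdDoc ''
 Whether to allow SMT/hyperthreading. Disabling SMT means that only
 physical CPU cores will be usable at runtime, potentially at
 significant performance cost.
@@ -62,7 +62,7 @@
 e.g., shared caches). This attack vector is unproven.
 
 Disabling SMT is a supplement to the L1 data cache flushing mitigation
-(see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>)
+(see [](#opt-security.virtualisation.flushL1DataCache))
 versus malicious VM guests (SMT could "bring back" previously flushed
 data).
 '';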
+50 -50
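--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -807,14 +807,14 @@
 default = config.krb5.enable;
 defaultText = literalExpression "config.krb5.enable";
 type = types.bool;
-description = ''
-Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
-<literal>pam-ccreds</literal>).
+description = lib.mdDoc ''
+Enables Kerberos PAM modules (`pam-krb5`,
+`pam-ccreds`).
 
 If set, users can authenticate with their Kerberos password.
 This requires a valid Kerberos configuration
-(<literal>config.krb5.enable</literal> should be set to
-<literal>true</literal>).
+(`config.krb5.enable` should be set to
+`true`).
 
 Note that the Kerberos PAM modules are not necessary when using SSS
 to handle Kerberos authentication.
@@ -826,12 +826,12 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables P11 PAM (<literal>pam_p11</literal>) module.
+description = lib.mdDoc ''
+Enables P11 PAM (`pam_p11`) module.
 
 If set, users can log in with SSH keys and PKCS#11 tokens.
 
-More information can be found <link xlink:href="https://github.com/OpenSC/pam_p11">here</link>.
+More information can be found [here](https://github.com/OpenSC/pam_p11).
 '';
 };
 
@@ -858,71 +858,71 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables U2F PAM (<literal>pam-u2f</literal>) module.
+description = lib.mdDoc ''
+Enables U2F PAM (`pam-u2f`) module.
 
 If set, users listed in
-<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
-<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
+{file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
+{file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
 not set) are able to log in with the associated U2F key. The path can
-be changed using <option>security.pam.u2f.authFile</option> option.
+be changed using {option}`security.pam.u2f.authFile` option.
 
 File format is:
-<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
-This file can be generated using <command>pamu2fcfg</command> command.
+`username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
+This file can be generated using {command}`pamu2fcfg` command.
 
-More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
+More information can be found [here](https://developers.yubico.com/pam-u2f/).
 '';
 };
 
 authFile = mkOption {
 default = null;
 type = with types; nullOr path;
-description = ''
-By default <literal>pam-u2f</literal> module reads the keys from
-<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
-<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
+description = lib.mdDoc ''
+By default `pam-u2f` module reads the keys from
+{file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
+{file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
 not set).
 
 If you want to change auth file locations or centralize database (for
-example use <filename>/etc/u2f-mappings</filename>) you can set this
+example use {file}`/etc/u2f-mappings`) you can set this
 option.
 
 File format is:
-<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
-This file can be generated using <command>pamu2fcfg</command> command.
+`username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
+This file can be generated using {command}`pamu2fcfg` command.
 
-More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
+More information can be found [here](https://developers.yubico.com/pam-u2f/).
 '';
 };
 
 appId = mkOption {
 default = null;
 type = with types; nullOr str;
-description = ''
-By default <literal>pam-u2f</literal> module sets the application
-ID to <literal>pam://$HOSTNAME</literal>.
+description = lib.mdDoc ''
+By default `pam-u2f` module sets the application
+ID to `pam://$HOSTNAME`.
 
-When using <command>pamu2fcfg</command>, you can specify your
-application ID with the <literal>-i</literal> flag.
+When using {command}`pamu2fcfg`, you can specify your
+application ID with the `-i` flag.
 
-More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">here</link>
+More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
 '';
 };
 
 origin = mkOption {
 default = null;
 type = with types; nullOr str;
-description = ''
-By default <literal>pam-u2f</literal> module sets the origin
-to <literal>pam://$HOSTNAME</literal>.
+description = lib.mdDoc ''
+By default `pam-u2f` module sets the origin
+to `pam://$HOSTNAME`.
 Setting origin to an host independent value will allow you to
 reuse credentials across machines
 
-When using <command>pamu2fcfg</command>, you can specify your
-application ID with the <literal>-o</literal> flag.
+When using {command}`pamu2fcfg`, you can specify your
+application ID with the `-o` flag.
 
-More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">here</link>
+More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
 '';
 };
 
@@ -978,17 +978,17 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
+description = lib.mdDoc ''
+Enables Uber's USSH PAM (`pam-ussh`) module.
 
-This is similar to <literal>pam-ssh-agent</literal>, except that
+This is similar to `pam-ssh-agent`, except that
 the presence of a CA-signed SSH key with a valid principal is checked
 instead.
 
 Note that this module must both be enabled using this option and on a
-per-PAM-service level as well (using <literal>usshAuth</literal>).
+per-PAM-service level as well (using `usshAuth`).
 
-More information can be found <link xlink:href="https://github.com/uber/pam-ussh">here</link>.
+More information can be found [here](https://github.com/uber/pam-ussh).
 '';
 };
 
@@ -1067,16 +1067,16 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables Yubico PAM (<literal>yubico-pam</literal>) module.
+description = lib.mdDoc ''
+Enables Yubico PAM (`yubico-pam`) module.
 
 If set, users listed in
-<filename>~/.yubico/authorized_yubikeys</filename>
+{file}`~/.yubico/authorized_yubikeys`
 are able to log in with the associated Yubikey tokens.
 
 The file must have only one line:
-<literal>username:yubikey_token_id1:yubikey_token_id2</literal>
-More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/">here</link>.
+`username:yubikey_token_id1:yubikey_token_id2`
+More information can be found [here](https://developers.yubico.com/yubico-pam/).
 '';
 };
 control = mkOption {
@@ -1111,7 +1111,7 @@
 mode = mkOption {
 default = "client";
 type = types.enum [ "client" "challenge-response" ];
-description = ''
+description = lib.mdDoc ''
 Mode of operation.
 
 Use "client" for online validation with a YubiKey validation service such as
@@ -1121,16 +1121,16 @@
 Challenge-Response configurations. See the man-page ykpamcfg(1) for further
 details on how to configure offline Challenge-Response validation.
 
-More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
 '';
 };
 challengeResponsePath = mkOption {
 default = null;
 type = types.nullOr types.path;
-description = ''
+description = lib.mdDoc ''
 If not null, set the path used by yubico pam module where the challenge expected response is stored.
 
-More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
 '';
 };
 };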
+6 -6
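--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -31,9 +31,9 @@
  extraVolumes = mkOption {
  type = types.listOf types.str;
  default = [];
- description = ''
+ description = lib.mdDoc ''
  List of volume definitions for pam_mount.
- For more information, visit <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>.
+ For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
  '';
  };
 
@@ -63,20 +63,20 @@
  type = types.int;
  default = 0;
  example = 1;
- description = ''
+ description = lib.mdDoc ''
  Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing,
  and 2 additionally enables tracing in mount.crypt. The default is 0.
- For more information, visit <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>.
+ For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
  '';
  };
 
  logoutWait = mkOption {
  type = types.int;
  default = 0;
- description = ''
+ description = lib.mdDoc ''
  Amount of microseconds to wait until killing remaining processes after
  final logout.
- For more information, visit <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>.
+ For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
  '';
  };
 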
+2 -2
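--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -17,9 +17,9 @@
  enable = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Enable USB login for all login systems that support it. For
- more information, visit <link xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users"/>.
+ more information, visit <https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users>.
  '';
  };
 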
+10 -10
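--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -55,19 +55,19 @@
  type = types.bool;
  default = true;
  description =
- ''
- Whether users of the <literal>wheel</literal> group must
- provide a password to run commands as super user via <command>sudo</command>.
+ lib.mdDoc ''
+ Whether users of the `wheel` group must
+ provide a password to run commands as super user via {command}`sudo`.
  '';
  };
 
  security.sudo.execWheelOnly = mkOption {
  type = types.bool;
  default = false;
- description = ''
- Only allow members of the <literal>wheel</literal> group to execute sudo by
+ description = lib.mdDoc ''
+ Only allow members of the `wheel` group to execute sudo by
  setting the executable's permissions accordingly.
- This prevents users that are not members of <literal>wheel</literal> from
+ This prevents users that are not members of `wheel` from
  exploiting vulnerabilities in sudo such as CVE-2021-3156.
  '';
  };
@@ -139,12 +139,12 @@
  runAs = mkOption {
  type = with types; str;
  default = "ALL:ALL";
- description = ''
+ description = lib.mdDoc ''
  Under which user/group the specified command is allowed to run.
 
- A user can be specified using just the username: <literal>"foo"</literal>.
- It is also possible to specify a user/group combination using <literal>"foo:bar"</literal>
- or to only allow running as a specific group with <literal>":bar"</literal>.
+ A user can be specified using just the username: `"foo"`.
+ It is also possible to specify a user/group combination using `"foo:bar"`
+ or to only allow running as a specific group with `":bar"`.
  '';
  };
 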
+1 -1
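--- a/nixos/modules/services/backup/restic.nix
+++ b/nixos/modules/services/backup/restic.nix
@@ -227,7 +227,7 @@
  type = types.package;
  default = pkgs.restic;
  defaultText = literalExpression "pkgs.restic";
- description = ''
+ description = lib.mdDoc ''
  Restic package to use.
  '';
  };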
+1 -1
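--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -192,7 +192,7 @@
  target = mkOption {
  type = types.str;
  example = "user@server:pool/dataset";
- description = ''
+ description = lib.mdDoc ''
  Target ZFS dataset. Can be either local
  («pool/dataset») or remote
  («user@server:pool/dataset»).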
+2 -2
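--- a/nixos/modules/services/backup/zrepl.nix
+++ b/nixos/modules/services/backup/zrepl.nix
@@ -22,8 +22,8 @@
 
  settings = mkOption {
  default = { };
- description = ''
- Configuration for zrepl. See <link xlink:href="https://zrepl.github.io/configuration.html"/>
+ description = lib.mdDoc ''
+ Configuration for zrepl. See <https://zrepl.github.io/configuration.html>
  for more information.
  '';
  type = types.submodule {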
+2 -2
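--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@@ -18,11 +18,11 @@
  enable = mkOption {
  default = false;
  example = true;
- description = ''
+ description = lib.mdDoc ''
  Whether to enable GitHub Actions runner.
 
  Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here:
- <link xlink:href="https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners">About self-hosted runners</link>.
+ [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
  '';
  type = lib.types.bool;
  };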
+47 -47
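--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -113,15 +113,15 @@
  configFile = mkOption {
  type = types.nullOr types.path;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Configuration file for gitlab-runner.
 
- <option>configFile</option> takes precedence over <option>services</option>.
- <option>checkInterval</option> and <option>concurrent</option> will be ignored too.
+ {option}`configFile` takes precedence over {option}`services`.
+ {option}`checkInterval` and {option}`concurrent` will be ignored too.
 
- This option is deprecated, please use <option>services</option> instead.
- You can use <option>registrationConfigFile</option> and
- <option>registrationFlags</option>
+ This option is deprecated, please use {option}`services` instead.
+ You can use {option}`registrationConfigFile` and
+ {option}`registrationFlags`
  for settings not covered by this module.
  '';
  };
@@ -130,16 +130,16 @@
  freeformType = (pkgs.formats.json { }).type;
  };
  default = { };
- description = ''
+ description = lib.mdDoc ''
  Global gitlab-runner configuration. See
- <link xlink:href="https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section"/>
+ <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section>
  for supported values.
  '';
  };
  gracefulTermination = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Finish all remaining jobs before stopping.
  If not set gitlab-runner will stop immediatly without waiting
  for jobs to finish, which will lead to failed builds.
@@ -149,7 +149,7 @@
  type = types.str;
  default = "infinity";
  example = "5min 20s";
- description = ''
+ description = lib.mdDoc ''
  Time to wait until a graceful shutdown is turned into a forceful one.
  '';
  };
@@ -158,17 +158,17 @@
  default = pkgs.gitlab-runner;
  defaultText = literalExpression "pkgs.gitlab-runner";
  example = literalExpression "pkgs.gitlab-runner_1_11";
- description = "Gitlab Runner package to use.";
+ description = lib.mdDoc "Gitlab Runner package to use.";
  };
  extraPackages = mkOption {
  type = types.listOf types.package;
  default = [ ];
- description = ''
+ description = lib.mdDoc ''
  Extra packages to add to PATH for the gitlab-runner process.
  '';
  };
  services = mkOption {
- description = "GitLab Runner services.";
+ description = lib.mdDoc "GitLab Runner services.";
  default = { };
  example = literalExpression ''
  {
@@ -250,17 +250,17 @@
  options = {
  registrationConfigFile = mkOption {
  type = types.path;
- description = ''
+ description = lib.mdDoc ''
  Absolute path to a file with environment variables
  used for gitlab-runner registration.
  A list of all supported environment variables can be found in
- <literal>gitlab-runner register --help</literal>.
+ `gitlab-runner register --help`.
 
  Ones that you probably want to set is
 
- <literal>CI_SERVER_URL=&lt;CI server URL&gt;</literal>
+ `CI_SERVER_URL=<CI server URL>`
 
- <literal>REGISTRATION_TOKEN=&lt;registration secret&gt;</literal>
+ `REGISTRATION_TOKEN=<registration secret>`
 
  WARNING: make sure to use quoted absolute path,
  or it is going to be copied to Nix Store.
@@ -270,10 +270,10 @@
  type = types.listOf types.str;
  default = [ ];
  example = [ "--docker-helper-image my/gitlab-runner-helper" ];
- description = ''
+ description = lib.mdDoc ''
  Extra command-line flags passed to
- <literal>gitlab-runner register</literal>.
- Execute <literal>gitlab-runner register --help</literal>
+ `gitlab-runner register`.
+ Execute `gitlab-runner register --help`
  for a list of supported flags.
  '';
  };
@@ -281,32 +281,32 @@
  type = types.attrsOf types.str;
  default = { };
  example = { NAME = "value"; };
- description = ''
+ description = lib.mdDoc ''
  Custom environment variables injected to build environment.
- For secrets you can use <option>registrationConfigFile</option>
- with <literal>RUNNER_ENV</literal> variable set.
+ For secrets you can use {option}`registrationConfigFile`
+ with `RUNNER_ENV` variable set.
  '';
  };
  description = mkOption {
  type = types.nullOr types.str;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Name/description of the runner.
  '';
  };
  executor = mkOption {
  type = types.str;
  default = "docker";
- description = ''
+ description = lib.mdDoc ''
  Select executor, eg. shell, docker, etc.
- See <link xlink:href="https://docs.gitlab.com/runner/executors/README.html">runner documentation</link> for more information.
+ See [runner documentation](https://docs.gitlab.com/runner/executors/README.html) for more information.
  '';
  };
  buildsDir = mkOption {
  type = types.nullOr types.path;
  default = null;
  example = "/var/lib/gitlab-runner/builds";
- description = ''
+ description = lib.mdDoc ''
  Absolute path to a directory where builds will be stored
  in context of selected executor (Locally, Docker, SSH).
  '';
@@ -315,14 +315,14 @@
  type = types.nullOr types.str;
  default = null;
  example = "http://gitlab.example.local";
- description = ''
+ description = lib.mdDoc ''
  Overwrite the URL for the GitLab instance. Used if the Runner can’t connect to GitLab on the URL GitLab exposes itself.
  '';
  };
  dockerImage = mkOption {
  type = types.nullOr types.str;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Docker image to be used.
  '';
  };
@@ -330,7 +330,7 @@
  type = types.listOf types.str;
  default = [ ];
  example = [ "/var/run/docker.sock:/var/run/docker.sock" ];
- description = ''
+ description = lib.mdDoc ''
  Bind-mount a volume and create it
  if it doesn't exist prior to mounting.
  '';
@@ -338,14 +338,14 @@
  dockerDisableCache = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Disable all container caching.
  '';
  };
  dockerPrivileged = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Give extended privileges to container.
  '';
  };
@@ -353,7 +353,7 @@
  type = types.listOf types.str;
  default = [ ];
  example = [ "other-host:127.0.0.1" ];
- description = ''
+ description = lib.mdDoc ''
  Add a custom host-to-IP mapping.
  '';
  };
@@ -361,7 +361,7 @@
  type = types.listOf types.str;
  default = [ ];
  example = [ "ruby:*" "python:*" "php:*" "my.registry.tld:5000/*:*" ];
- description = ''
+ description = lib.mdDoc ''
  Whitelist allowed images.
  '';
  };
@@ -369,21 +369,21 @@
  type = types.listOf types.str;
  default = [ ];
  example = [ "postgres:9" "redis:*" "mysql:*" ];
- description = ''
+ description = lib.mdDoc ''
  Whitelist allowed services.
  '';
  };
  preCloneScript = mkOption {
  type = types.nullOr types.path;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Runner-specific command script executed before code is pulled.
  '';
  };
  preBuildScript = mkOption {
  type = types.nullOr types.path;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Runner-specific command script executed after code is pulled,
  just before build executes.
  '';
@@ -391,7 +391,7 @@
  postBuildScript = mkOption {
  type = types.nullOr types.path;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Runner-specific command script executed after code is pulled
  and just after build executes.
  '';
@@ -399,22 +399,22 @@
  tagList = mkOption {
  type = types.listOf types.str;
  default = [ ];
- description = ''
+ description = lib.mdDoc ''
  Tag list.
  '';
  };
  runUntagged = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Register to run untagged builds; defaults to
- <literal>true</literal> when <option>tagList</option> is empty.
+ `true` when {option}`tagList` is empty.
  '';
  };
  limit = mkOption {
  type = types.int;
  default = 0;
- description = ''
+ description = lib.mdDoc ''
  Limit how many jobs can be handled concurrently by this service.
  0 (default) simply means don't limit.
  '';
@@ -422,14 +422,14 @@
  requestConcurrency = mkOption {
  type = types.int;
  default = 0;
- description = ''
+ description = lib.mdDoc ''
  Limit number of concurrent requests for new jobs from GitLab.
  '';
  };
  maximumTimeout = mkOption {
  type = types.int;
  default = 0;
- description = ''
+ description = lib.mdDoc ''
  What is the maximum timeout (in seconds) that will be set for
  job when using this Runner. 0 (default) simply means don't limit.
  '';
@@ -437,7 +437,7 @@
  protected = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  When set to true Runner will only run on pipelines
  triggered on protected branches.
  '';
@@ -445,9 +445,9 @@
  debugTraceDisabled = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  When set to true Runner will disable the possibility of
- using the <literal>CI_DEBUG_TRACE</literal> feature.
+ using the `CI_DEBUG_TRACE` feature.
  '';
  };
  };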
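Review bot: The `registrationConfigFile` warning at new lines 265–266 does not say why a copy in the Nix store matters. The store is world-readable, so a file holding `REGISTRATION_TOKEN` that lands there can be read by every local user. Since the description is being rewritten anyway, the warning could say so, for example `or it is going to be copied to the world-readable Nix store, exposing the registration token to all local users.` The description's closing lines fall outside the hunk, so check that nothing after line 266 already covers this.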
+3 -3
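--- a/nixos/modules/services/databases/firebird.nix
+++ b/nixos/modules/services/databases/firebird.nix
@@ -47,9 +47,9 @@
  defaultText = literalExpression "pkgs.firebird";
  type = types.package;
  example = literalExpression "pkgs.firebird_3";
- description = ''
- Which Firebird package to be installed: <literal>pkgs.firebird_3</literal>
- For SuperServer use override: <literal>pkgs.firebird_3.override { superServer = true; };</literal>
+ description = lib.mdDoc ''
+ Which Firebird package to be installed: `pkgs.firebird_3`
+ For SuperServer use override: `pkgs.firebird_3.override { superServer = true; };`
  '';
  };
 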
+3 -3
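--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -201,7 +201,7 @@
  ensurePermissions = mkOption {
  type = types.attrsOf types.str;
  default = {};
- description = ''
+ description = lib.mdDoc ''
  Permissions to ensure for the user, specified as attribute set.
  The attribute names specify the database and tables to grant the permissions for,
  separated by a dot. You may use wildcards here.
@@ -210,8 +210,8 @@
 
  For more information on how to specify the target
  and on which privileges exist, see the
- <link xlink:href="https://mariadb.com/kb/en/library/grant/">GRANT syntax</link>.
- The attributes are used as <literal>GRANT ''${attrName} ON ''${attrValue}</literal>.
+ [GRANT syntax](https://mariadb.com/kb/en/library/grant/).
+ The attributes are used as `GRANT ''${attrName} ON ''${attrValue}`.
  '';
  example = literalExpression ''
  {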
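Review bot: The converted line 214 of the `ensurePermissions` description still shows the GRANT operands in the wrong order. Lines 205–207 say the attribute names are the database and table targets, yet the statement is given as `GRANT ${attrName} ON ${attrValue}`, which puts the target where the privilege list belongs. An administrator scoping database privileges from this text could invert the mapping, so the backticked text should read `GRANT ''${attrValue} ON ''${attrName}`. The code that builds the statement is not visible in this section, so confirm the order against it before changing the wording.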
+43 -43
nixos/modules/services/databases/neo4j.nix
··· 139 constrainLoadCsv = mkOption { 140 type = types.bool; 141 default = true; 142 - description = '' 143 Sets the root directory for file URLs used with the Cypher 144 - <literal>LOAD CSV</literal> clause to be that defined by 145 - <option>directories.imports</option>. It restricts 146 access to only those files within that directory and its 147 subdirectories. 148 149 - Setting this option to <literal>false</literal> introduces 150 possible security problems. 151 ''; 152 }; ··· 154 defaultListenAddress = mkOption { 155 type = types.str; 156 default = "127.0.0.1"; 157 - description = '' 158 Default network interface to listen for incoming connections. To 159 listen for connections on all interfaces, use "0.0.0.0". 160 161 Specifies the default IP address and address part of connector 162 - specific <option>listenAddress</option> options. To bind specific 163 connectors to a specific network interfaces, specify the entire 164 - <option>listenAddress</option> option for that connector. 165 ''; 166 }; 167 ··· 225 sslPolicy = mkOption { 226 type = types.str; 227 default = "legacy"; 228 - description = '' 229 Neo4j SSL policy for BOLT traffic. 230 231 The legacy policy is a special policy which is not defined in 232 the policy configuration section, but rather derives from 233 - <option>directories.certificates</option> and 234 - associated files (by default: <filename>neo4j.key</filename> and 235 - <filename>neo4j.cert</filename>). Its use will be deprecated. 236 237 Note: This connector must be configured to support/require 238 SSL/TLS for the legacy policy to actually be utilized. See 239 - <option>bolt.tlsLevel</option>. 240 ''; 241 }; 242 ··· 254 type = types.path; 255 default = "${cfg.directories.home}/certificates"; 256 defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"''; 257 - description = '' 258 Directory for storing certificates to be used by Neo4j for 259 TLS connections. 
260 261 When setting this directory to something other than its default, 262 ensure the directory's existence, and that read/write permissions are 263 - given to the Neo4j daemon user <literal>neo4j</literal>. 264 265 Note that changing this directory from its default will prevent 266 the directory structure required for each SSL policy from being 267 automatically generated. A policy's directory structure as defined by 268 - its <option>baseDirectory</option>,<option>revokedDir</option> and 269 - <option>trustedDir</option> must then be setup manually. The 270 existence of these directories is mandatory, as well as the presence 271 of the certificate file and the private key. Ensure the correct 272 permissions are set on these directories and files. ··· 277 type = types.path; 278 default = "${cfg.directories.home}/data"; 279 defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"''; 280 - description = '' 281 Path of the data directory. You must not configure more than one 282 Neo4j installation to use the same data directory. 283 284 When setting this directory to something other than its default, 285 ensure the directory's existence, and that read/write permissions are 286 - given to the Neo4j daemon user <literal>neo4j</literal>. 287 ''; 288 }; 289 ··· 302 type = types.path; 303 default = "${cfg.directories.home}/import"; 304 defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"''; 305 - description = '' 306 The root directory for file URLs used with the Cypher 307 - <literal>LOAD CSV</literal> clause. Only meaningful when 308 - <option>constrainLoadCvs</option> is set to 309 - <literal>true</literal>. 310 311 When setting this directory to something other than its default, 312 ensure the directory's existence, and that read permission is 313 - given to the Neo4j daemon user <literal>neo4j</literal>. 
314 ''; 315 }; 316 ··· 318 type = types.path; 319 default = "${cfg.directories.home}/plugins"; 320 defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"''; 321 - description = '' 322 Path of the database plugin directory. Compiled Java JAR files that 323 contain database procedures will be loaded if they are placed in 324 this directory. 325 326 When setting this directory to something other than its default, 327 ensure the directory's existence, and that read permission is 328 - given to the Neo4j daemon user <literal>neo4j</literal>. 329 ''; 330 }; 331 }; ··· 377 sslPolicy = mkOption { 378 type = types.str; 379 default = "legacy"; 380 - description = '' 381 Neo4j SSL policy for HTTPS traffic. 382 383 The legacy policy is a special policy which is not defined in the 384 policy configuration section, but rather derives from 385 - <option>directories.certificates</option> and 386 - associated files (by default: <filename>neo4j.key</filename> and 387 - <filename>neo4j.cert</filename>). Its use will be deprecated. 388 ''; 389 }; 390 }; ··· 407 allowKeyGeneration = mkOption { 408 type = types.bool; 409 default = false; 410 - description = '' 411 Allows the generation of a private key and associated self-signed 412 certificate. Only performed when both objects cannot be found for 413 this policy. It is recommended to turn this off again after keys ··· 415 416 The public certificate is required to be duplicated to the 417 directory holding trusted certificates as defined by the 418 - <option>trustedDir</option> option. 419 420 Keys should in general be generated and distributed offline by a 421 trusted certificate authority and not by utilizing this mode. ··· 426 type = types.path; 427 default = "${cfg.directories.certificates}/${name}"; 428 defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"''; 429 - description = '' 430 The mandatory base directory for cryptographic objects of this 431 policy. 
This path is only automatically generated when this 432 - option as well as <option>directories.certificates</option> are 433 left at their default. Ensure read/write permissions are given 434 - to the Neo4j daemon user <literal>neo4j</literal>. 435 436 It is also possible to override each individual 437 configuration with absolute paths. See the 438 - <option>privateKey</option> and <option>publicCertificate</option> 439 policy options. 440 ''; 441 }; ··· 470 publicCertificate = mkOption { 471 type = types.str; 472 default = "public.crt"; 473 - description = '' 474 The name of public X.509 certificate (chain) file in PEM format 475 - for this policy to be found in the <option>baseDirectory</option>, 476 or the absolute path to the certificate file. It is mandatory 477 that a certificate can be found or generated. 478 479 The public certificate is required to be duplicated to the 480 directory holding trusted certificates as defined by the 481 - <option>trustedDir</option> option. 482 ''; 483 }; 484 ··· 522 type = types.path; 523 default = "${config.baseDirectory}/trusted"; 524 defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"''; 525 - description = '' 526 Path to directory of X.509 certificates in PEM format for 527 trusted parties. Must be an absolute path. The existence of this 528 directory is mandatory and will need to be created manually when: 529 setting this option to something other than its default; setting 530 - either this policy's <option>baseDirectory</option> or 531 - <option>directories.certificates</option> to something other than 532 their default. Ensure read/write permissions are given to the 533 - Neo4j daemon user <literal>neo4j</literal>. 534 535 The public certificate as defined by 536 - <option>publicCertificate</option> is required to be duplicated 537 to this directory. 538 ''; 539 };
··· 139 constrainLoadCsv = mkOption { 140 type = types.bool; 141 default = true; 142 + description = lib.mdDoc '' 143 Sets the root directory for file URLs used with the Cypher 144 + `LOAD CSV` clause to be that defined by 145 + {option}`directories.imports`. It restricts 146 access to only those files within that directory and its 147 subdirectories. 148 149 + Setting this option to `false` introduces 150 possible security problems. 151 ''; 152 }; ··· 154 defaultListenAddress = mkOption { 155 type = types.str; 156 default = "127.0.0.1"; 157 + description = lib.mdDoc '' 158 Default network interface to listen for incoming connections. To 159 listen for connections on all interfaces, use "0.0.0.0". 160 161 Specifies the default IP address and address part of connector 162 + specific {option}`listenAddress` options. To bind specific 163 connectors to a specific network interfaces, specify the entire 164 + {option}`listenAddress` option for that connector. 165 ''; 166 }; 167 ··· 225 sslPolicy = mkOption { 226 type = types.str; 227 default = "legacy"; 228 + description = lib.mdDoc '' 229 Neo4j SSL policy for BOLT traffic. 230 231 The legacy policy is a special policy which is not defined in 232 the policy configuration section, but rather derives from 233 + {option}`directories.certificates` and 234 + associated files (by default: {file}`neo4j.key` and 235 + {file}`neo4j.cert`). Its use will be deprecated. 236 237 Note: This connector must be configured to support/require 238 SSL/TLS for the legacy policy to actually be utilized. See 239 + {option}`bolt.tlsLevel`. 240 ''; 241 }; 242 ··· 254 type = types.path; 255 default = "${cfg.directories.home}/certificates"; 256 defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"''; 257 + description = lib.mdDoc '' 258 Directory for storing certificates to be used by Neo4j for 259 TLS connections. 
260 261 When setting this directory to something other than its default, 262 ensure the directory's existence, and that read/write permissions are 263 + given to the Neo4j daemon user `neo4j`. 264 265 Note that changing this directory from its default will prevent 266 the directory structure required for each SSL policy from being 267 automatically generated. A policy's directory structure as defined by 268 + its {option}`baseDirectory`,{option}`revokedDir` and 269 + {option}`trustedDir` must then be setup manually. The 270 existence of these directories is mandatory, as well as the presence 271 of the certificate file and the private key. Ensure the correct 272 permissions are set on these directories and files. ··· 277 type = types.path; 278 default = "${cfg.directories.home}/data"; 279 defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"''; 280 + description = lib.mdDoc '' 281 Path of the data directory. You must not configure more than one 282 Neo4j installation to use the same data directory. 283 284 When setting this directory to something other than its default, 285 ensure the directory's existence, and that read/write permissions are 286 + given to the Neo4j daemon user `neo4j`. 287 ''; 288 }; 289 ··· 302 type = types.path; 303 default = "${cfg.directories.home}/import"; 304 defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"''; 305 + description = lib.mdDoc '' 306 The root directory for file URLs used with the Cypher 307 + `LOAD CSV` clause. Only meaningful when 308 + {option}`constrainLoadCvs` is set to 309 + `true`. 310 311 When setting this directory to something other than its default, 312 ensure the directory's existence, and that read permission is 313 + given to the Neo4j daemon user `neo4j`. 
314 ''; 315 }; 316 ··· 318 type = types.path; 319 default = "${cfg.directories.home}/plugins"; 320 defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"''; 321 + description = lib.mdDoc '' 322 Path of the database plugin directory. Compiled Java JAR files that 323 contain database procedures will be loaded if they are placed in 324 this directory. 325 326 When setting this directory to something other than its default, 327 ensure the directory's existence, and that read permission is 328 + given to the Neo4j daemon user `neo4j`. 329 ''; 330 }; 331 }; ··· 377 sslPolicy = mkOption { 378 type = types.str; 379 default = "legacy"; 380 + description = lib.mdDoc '' 381 Neo4j SSL policy for HTTPS traffic. 382 383 The legacy policy is a special policy which is not defined in the 384 policy configuration section, but rather derives from 385 + {option}`directories.certificates` and 386 + associated files (by default: {file}`neo4j.key` and 387 + {file}`neo4j.cert`). Its use will be deprecated. 388 ''; 389 }; 390 }; ··· 407 allowKeyGeneration = mkOption { 408 type = types.bool; 409 default = false; 410 + description = lib.mdDoc '' 411 Allows the generation of a private key and associated self-signed 412 certificate. Only performed when both objects cannot be found for 413 this policy. It is recommended to turn this off again after keys ··· 415 416 The public certificate is required to be duplicated to the 417 directory holding trusted certificates as defined by the 418 + {option}`trustedDir` option. 419 420 Keys should in general be generated and distributed offline by a 421 trusted certificate authority and not by utilizing this mode. ··· 426 type = types.path; 427 default = "${cfg.directories.certificates}/${name}"; 428 defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"''; 429 + description = lib.mdDoc '' 430 The mandatory base directory for cryptographic objects of this 431 policy. 
This path is only automatically generated when this 432 + option as well as {option}`directories.certificates` are 433 left at their default. Ensure read/write permissions are given 434 + to the Neo4j daemon user `neo4j`. 435 436 It is also possible to override each individual 437 configuration with absolute paths. See the 438 + {option}`privateKey` and {option}`publicCertificate` 439 policy options. 440 ''; 441 }; ··· 470 publicCertificate = mkOption { 471 type = types.str; 472 default = "public.crt"; 473 + description = lib.mdDoc '' 474 The name of public X.509 certificate (chain) file in PEM format 475 + for this policy to be found in the {option}`baseDirectory`, 476 or the absolute path to the certificate file. It is mandatory 477 that a certificate can be found or generated. 478 479 The public certificate is required to be duplicated to the 480 directory holding trusted certificates as defined by the 481 + {option}`trustedDir` option. 482 ''; 483 }; 484 ··· 522 type = types.path; 523 default = "${config.baseDirectory}/trusted"; 524 defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"''; 525 + description = lib.mdDoc '' 526 Path to directory of X.509 certificates in PEM format for 527 trusted parties. Must be an absolute path. The existence of this 528 directory is mandatory and will need to be created manually when: 529 setting this option to something other than its default; setting 530 + either this policy's {option}`baseDirectory` or 531 + {option}`directories.certificates` to something other than 532 their default. Ensure read/write permissions are given to the 533 + Neo4j daemon user `neo4j`. 534 535 The public certificate as defined by 536 + {option}`publicCertificate` is required to be duplicated 537 to this directory. 538 ''; 539 };
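--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -88,7 +88,7 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = "Whether to enable the ldap server.";
+description = lib.mdDoc "Whether to enable the ldap server.";
 };
 
 package = mkOption {
@@ -173,9 +173,9 @@
 configDir = mkOption {
 type = types.nullOr types.path;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Use this config directory instead of generating one from the
-<literal>settings</literal> option. Overrides all NixOS settings.
+`settings` option. Overrides all NixOS settings.
 '';
 example = "/var/lib/openldap/slapd.d";
 };
@@ -183,9 +183,9 @@
 mutableConfig = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to allow writable on-line configuration. If
-<literal>true</literal>, the NixOS settings will only be used to
+`true`, the NixOS settings will only be used to
 initialize the OpenLDAP configuration if it does not exist, and are
 subsequently ignored.
 '';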
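--- a/nixos/modules/services/databases/pgmanage.nix
+++ b/nixos/modules/services/databases/pgmanage.nix
@@ -62,11 +62,11 @@
 nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
 mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
 };
-description = ''
+description = lib.mdDoc ''
 pgmanage requires at least one PostgreSQL server be defined.
 
 Detailed information about PostgreSQL connection strings is available at:
-<link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
+<http://www.postgresql.org/docs/current/static/libpq-connect.html>
 
 Note that you should not specify your user name or password. That
 information will be entered on the login screen. If you specify a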
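Review bot: The converted link on the description line still uses `http://`; since the line is being rewritten anyway it should point at the encrypted scheme, `<https://www.postgresql.org/docs/current/static/libpq-connect.html>`. The freedesktop.org link in the `networking.usePredictableInterfaceNames` description in udev.nix has the same `http://` scheme. In the example just above, the non-loopback `nuc-server` entry has no `sslmode=require` while the loopback `mini-server` does, which reads backwards as guidance for anyone copying it. The description string continues past the end of the hunk.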
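--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -149,7 +149,7 @@
 ensurePermissions = mkOption {
 type = types.attrsOf types.str;
 default = {};
-description = ''
+description = lib.mdDoc ''
 Permissions to ensure for the user, specified as an attribute set.
 The attribute names specify the database and tables to grant the permissions for.
 The attribute values specify the permissions to grant. You may specify one or
@@ -157,8 +157,8 @@
 
 For more information on how to specify the target
 and on which privileges exist, see the
-<link xlink:href="https://www.postgresql.org/docs/current/sql-grant.html">GRANT syntax</link>.
-The attributes are used as <literal>GRANT ''${attrValue} ON ''${attrName}</literal>.
+[GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
+The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
 '';
 example = literalExpression ''
 {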
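Review bot: The last description line says the attributes are used as `GRANT ''${attrValue} ON ''${attrName}` but does not say how the two strings are treated when the statement is built. If they are placed into the statement as written (the code that builds it is not in this hunk), the text should say so, for example `Both strings are inserted into the statement verbatim; quote any identifier that needs quoting yourself.` The option body continues outside the hunk.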
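--- a/nixos/modules/services/databases/victoriametrics.nix
+++ b/nixos/modules/services/databases/victoriametrics.nix
@@ -28,10 +28,10 @@
 extraOptions = mkOption {
 type = types.listOf types.str;
 default = [];
-description = ''
+description = lib.mdDoc ''
 Extra options to pass to VictoriaMetrics. See the README:
-<link xlink:href="https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md"/>
-or <command>victoriametrics -help</command> for more
+<https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md>
+or {command}`victoriametrics -help` for more
 information.
 '';
 };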
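--- a/nixos/modules/services/games/asf.nix
+++ b/nixos/modules/services/games/asf.nix
@@ -136,8 +136,8 @@
 };
 settings = mkOption {
 type = types.attrs;
-description = ''
-Additional settings that are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config">here</link>.
+description = lib.mdDoc ''
+Additional settings that are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config).
 '';
 default = { };
 };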
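--- a/nixos/modules/services/hardware/kanata.nix
+++ b/nixos/modules/services/hardware/kanata.nix
@@ -10,7 +10,7 @@
 device = mkOption {
 type = types.str;
 example = "/dev/input/by-id/usb-0000_0000-event-kbd";
-description = "Path to the keyboard device.";
+description = lib.mdDoc "Path to the keyboard device.";
 };
 config = mkOption {
 type = types.lines;
@@ -33,18 +33,18 @@
 ;; tap within 100ms for capslk, hold more than 100ms for lctl
 cap (tap-hold 100 100 caps lctl))
 '';
-description = ''
+description = lib.mdDoc ''
 Configuration other than defcfg.
-See <link xlink:href="https://github.com/jtroo/kanata"/> for more information.
+See <https://github.com/jtroo/kanata> for more information.
 '';
 };
 extraDefCfg = mkOption {
 type = types.lines;
 default = "";
 example = "danger-enable-cmd yes";
-description = ''
+description = lib.mdDoc ''
 Configuration of defcfg other than linux-dev.
-See <link xlink:href="https://github.com/jtroo/kanata"/> for more information.
+See <https://github.com/jtroo/kanata> for more information.
 '';
 };
 };
@@ -131,7 +131,7 @@
 default = pkgs.kanata;
 defaultText = lib.literalExpression "pkgs.kanata";
 example = lib.literalExpression "pkgs.kanata-with-cmd";
-description = ''
+description = lib.mdDoc ''
 kanata package to use.
 If you enable danger-enable-cmd, pkgs.kanata-with-cmd should be used.
 '';
@@ -139,7 +139,7 @@
 keyboards = mkOption {
 type = types.attrsOf (types.submodule keyboard);
 default = { };
-description = "Keyboard configurations.";
+description = lib.mdDoc "Keyboard configurations.";
 };
 };
 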
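Review bot: The `extraDefCfg` example is `danger-enable-cmd yes`, yet neither its description nor the package description explains what that setting turns on. In kanata it allows key actions to run external commands, so the one value readers are most likely to copy is also the one that widens what the keyboard service can do. I would add a sentence to the `extraDefCfg` description such as `danger-enable-cmd lets key actions execute arbitrary commands with the privileges of the kanata service; leave it off unless you need it.`, or use a harmless setting as the example.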
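--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -209,11 +209,11 @@
 packages = mkOption {
 type = types.listOf types.path;
 default = [];
-description = ''
-List of packages containing <command>udev</command> rules.
+description = lib.mdDoc ''
+List of packages containing {command}`udev` rules.
 All files found in
-<filename>«pkg»/etc/udev/rules.d</filename> and
-<filename>«pkg»/lib/udev/rules.d</filename>
+{file}`«pkg»/etc/udev/rules.d` and
+{file}`«pkg»/lib/udev/rules.d`
 will be included.
 '';
 apply = map getBin;
@@ -281,15 +281,15 @@
 networking.usePredictableInterfaceNames = mkOption {
 default = true;
 type = types.bool;
-description = ''
-Whether to assign <link xlink:href="http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames">predictable names to network interfaces</link>.
+description = lib.mdDoc ''
+Whether to assign [predictable names to network interfaces](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames).
 If enabled, interfaces
 are assigned names that contain topology information
-(e.g. <literal>wlp3s0</literal>) and thus should be stable
+(e.g. `wlp3s0`) and thus should be stable
 across reboots. If disabled, names depend on the order in
 which interfaces are discovered by the kernel, which may
 change randomly across reboots; for instance, you may find
-<literal>eth0</literal> and <literal>eth1</literal> flipping
+`eth0` and `eth1` flipping
 unpredictably.
 '';
 };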
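--- a/nixos/modules/services/logging/filebeat.nix
+++ b/nixos/modules/services/logging/filebeat.nix
@@ -31,20 +31,20 @@
 };
 
 inputs = mkOption {
-description = ''
+description = lib.mdDoc ''
 Inputs specify how Filebeat locates and processes input data.
 
-This is like <literal>services.filebeat.settings.filebeat.inputs</literal>,
+This is like `services.filebeat.settings.filebeat.inputs`,
 but structured as an attribute set. This has the benefit
 that multiple NixOS modules can contribute settings to a
 single filebeat input.
 
 An input type can be specified multiple times by choosing a
-different <literal>&lt;name></literal> for each, but setting
-<xref linkend="opt-services.filebeat.inputs._name_.type"/>
+different `<name>` for each, but setting
+[](#opt-services.filebeat.inputs._name_.type)
 to the same value.
 
-See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html"/>.
+See <https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html>.
 '';
 default = {};
 type = types.attrsOf (types.submodule ({ name, ... }: {
@@ -77,24 +77,24 @@
 };
 
 modules = mkOption {
-description = ''
+description = lib.mdDoc ''
 Filebeat modules provide a quick way to get started
 processing common log formats. They contain default
 configurations, Elasticsearch ingest pipeline definitions,
 and Kibana dashboards to help you implement and deploy a log
 monitoring solution.
 
-This is like <literal>services.filebeat.settings.filebeat.modules</literal>,
+This is like `services.filebeat.settings.filebeat.modules`,
 but structured as an attribute set. This has the benefit
 that multiple NixOS modules can contribute settings to a
 single filebeat module.
 
 A module can be specified multiple times by choosing a
-different <literal>&lt;name></literal> for each, but setting
-<xref linkend="opt-services.filebeat.modules._name_.module"/>
+different `<name>` for each, but setting
+[](#opt-services.filebeat.modules._name_.module)
 to the same value.
 
-See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html"/>.
+See <https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html>.
 '';
 default = {};
 type = types.attrsOf (types.submodule ({ name, ... }: {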
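--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@@ -276,9 +276,9 @@
 defaultText = ''
 A configuration file automatically generated by NixOS.
 '';
-description = ''
+description = lib.mdDoc ''
 Override the configuration file used by MySQL. By default,
-NixOS generates one automatically from <xref linkend="opt-services.logrotate.settings"/>.
+NixOS generates one automatically from [](#opt-services.logrotate.settings).
 '';
 example = literalExpression ''
 pkgs.writeText "logrotate.conf" '''
@@ -346,11 +346,11 @@
 extraConfig = mkOption {
 default = "";
 type = types.lines;
-description = ''
+description = lib.mdDoc ''
 Extra contents to append to the logrotate configuration file. Refer to
-<link xlink:href="https://linux.die.net/man/8/logrotate"/> for details.
+<https://linux.die.net/man/8/logrotate> for details.
 This setting has been deprecated in favor of
-<link linkend="opt-services.logrotate.settings">logrotate settings</link>.
+[logrotate settings](#opt-services.logrotate.settings).
 '';
 };
 };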
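Review bot: The description in the first hunk reads `Override the configuration file used by MySQL`, which looks like a copy-paste leftover in a logrotate option, and the automated conversion carries it over unchanged. The line should read `Override the configuration file used by logrotate. By default,`. The option's opening line is outside the hunk, so its name cannot be confirmed from here.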
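--- a/nixos/modules/services/mail/mailman.nix
+++ b/nixos/modules/services/mail/mailman.nix
@@ -112,9 +112,9 @@
 bindPasswordFile = mkOption {
 type = types.str;
 example = "/run/secrets/ldap-bind";
-description = ''
+description = lib.mdDoc ''
 Path to the file containing the bind password of the servie account
-defined by <xref linkend="opt-services.mailman.ldap.bindDn"/>.
+defined by [](#opt-services.mailman.ldap.bindDn).
 '';
 };
 superUserGroup = mkOption {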
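Review bot: `servie account` in the `bindPasswordFile` description is a typo for `service account`, and the conversion keeps it. While the text is being touched, it would help to say that the path should point outside the Nix store, as the `/run/secrets/ldap-bind` example implies, e.g. `Path to a file outside the Nix store containing the bind password of the service account`. How the module reads the file is not visible in this hunk.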
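--- a/nixos/modules/services/mail/nullmailer.nix
+++ b/nixos/modules/services/mail/nullmailer.nix
@@ -38,11 +38,11 @@
 remotesFile = mkOption {
 type = types.nullOr types.str;
 default = null;
-description = ''
-Path to the <literal>remotes</literal> control file. This file contains a
+description = lib.mdDoc ''
+Path to the `remotes` control file. This file contains a
 list of remote servers to which to send each message.
 
-See <literal>man 8 nullmailer-send</literal> for syntax and available
+See `man 8 nullmailer-send` for syntax and available
 options.
 '';
 };
@@ -153,17 +153,17 @@
 remotes = mkOption {
 type = types.nullOr types.str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 A list of remote servers to which to send each message. Each line
 contains a remote host name or address followed by an optional
 protocol string, separated by white space.
 
-See <literal>man 8 nullmailer-send</literal> for syntax and available
+See `man 8 nullmailer-send` for syntax and available
 options.
 
 WARNING: This is stored world-readable in the nix store. If you need
 to specify any secret credentials here, consider using the
-<literal>remotesFile</literal> option instead.
+`remotesFile` option instead.
 '';
 };
 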
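--- a/nixos/modules/services/mail/postfixadmin.nix
+++ b/nixos/modules/services/mail/postfixadmin.nix
@@ -13,12 +13,12 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to enable postfixadmin.
 
 Also enables nginx virtual host management.
-Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
-See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
+Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`.
+See [](#opt-services.nginx.virtualHosts) for further information.
 '';
 };
 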
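--- a/nixos/modules/services/mail/public-inbox.nix
+++ b/nixos/modules/services/mail/public-inbox.nix
@@ -23,10 +23,10 @@
 port = mkOption {
 type = with types; nullOr (either str port);
 default = defaultPort;
-description = ''
+description = lib.mdDoc ''
 Listening port.
 Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not.
-Set to null and use <literal>systemd.sockets.public-inbox-${proto}d.listenStreams</literal>
+Set to null and use `systemd.sockets.public-inbox-${proto}d.listenStreams`
 if you need a more advanced listening.
 '';
 };
@@ -239,11 +239,11 @@
 type = with types; nullOr (either str port);
 default = 80;
 example = "/run/public-inbox-httpd.sock";
-description = ''
+description = lib.mdDoc ''
 Listening port or systemd's ListenStream= entry
 to be used as a reverse proxy, eg. in nginx:
-<literal>locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";</literal>
-Set to null and use <literal>systemd.sockets.public-inbox-httpd.listenStreams</literal>
+`locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";`
+Set to null and use `systemd.sockets.public-inbox-httpd.listenStreams`
 if you need a more advanced listening.
 '';
 };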
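--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -14,12 +14,12 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to enable roundcube.
 
 Also enables nginx virtual host management.
-Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
-See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
+Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`.
+See [](#opt-services.nginx.virtualHosts) for further information.
 '';
 };
 
@@ -99,11 +99,11 @@
 maxAttachmentSize = mkOption {
 type = types.int;
 default = 18;
-description = ''
+description = lib.mdDoc ''
 The maximum attachment size in MB.
 
 Note: Since roundcube only uses 70% of max upload values configured in php
-30% is added automatically to <xref linkend="opt-services.roundcube.maxAttachmentSize"/>.
+30% is added automatically to [](#opt-services.roundcube.maxAttachmentSize).
 '';
 apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.3)}M";
 };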
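Review bot: The `maxAttachmentSize` note says 30% is added to make up for roundcube using only 70% of the PHP upload limit, but the `apply` line multiplies by 1.3, and 0.7 × 1.3 is 0.91, so the effective limit ends up about 9% below the configured value. Either the factor should be `1 / 0.7` or the note should say the result is approximate. Separately, the converted link `[](#opt-services.roundcube.maxAttachmentSize)` points at the option being described; plain wording such as `to the configured value` would read better.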
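--- a/nixos/modules/services/mail/sympa.nix
+++ b/nixos/modules/services/mail/sympa.nix
@@ -86,9 +86,9 @@
 type = str;
 default = "en_US";
 example = "cs";
-description = ''
+description = lib.mdDoc ''
 Default Sympa language.
-See <link xlink:href="https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa"/>
+See <https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa>
 for available options.
 '';
 };
@@ -136,9 +136,9 @@
 example = {
 default_max_list_members = 3;
 };
-description = ''
-The <filename>robot.conf</filename> configuration file as key value set.
-See <link xlink:href="https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html"/>
+description = lib.mdDoc ''
+The {file}`robot.conf` configuration file as key value set.
+See <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html>
 for list of configuration parameters.
 '';
 };
@@ -285,9 +285,9 @@
 viewlogs_page_size = 50;
 }
 '';
-description = ''
-The <filename>sympa.conf</filename> configuration file as key value set.
-See <link xlink:href="https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html"/>
+description = lib.mdDoc ''
+The {file}`sympa.conf` configuration file as key value set.
+See <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html>
 for list of configuration parameters.
 '';
 };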
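--- a/nixos/modules/services/matrix/appservice-discord.nix
+++ b/nixos/modules/services/matrix/appservice-discord.nix
@@ -40,16 +40,16 @@
 };
 }
 '';
-description = ''
-<filename>config.yaml</filename> configuration as a Nix attribute set.
+description = lib.mdDoc ''
+{file}`config.yaml` configuration as a Nix attribute set.
 
 Configuration options should match those described in
-<link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml">config.sample.yaml</link>.
+[config.sample.yaml](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml).
 
-<option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option>
+{option}`config.bridge.domain` and {option}`config.bridge.homeserverUrl`
 should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work.
 
-Secret tokens should be specified using <option>environmentFile</option>
+Secret tokens should be specified using {option}`environmentFile`
 instead of this world-readable attribute set.
 '';
 };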
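--- a/nixos/modules/services/matrix/mautrix-facebook.nix
+++ b/nixos/modules/services/matrix/mautrix-facebook.nix
@@ -75,12 +75,12 @@
 };
 }
 '';
-description = ''
-<filename>config.yaml</filename> configuration as a Nix attribute set.
+description = lib.mdDoc ''
+{file}`config.yaml` configuration as a Nix attribute set.
 Configuration options should match those described in
-<link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml">example-config.yaml</link>.
+[example-config.yaml](https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml).
 
-Secret tokens should be specified using <option>environmentFile</option>
+Secret tokens should be specified using {option}`environmentFile`
 instead of this world-readable attribute set.
 '';
 };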
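--- a/nixos/modules/services/matrix/mautrix-telegram.nix
+++ b/nixos/modules/services/matrix/mautrix-telegram.nix
@@ -78,12 +78,12 @@
 };
 }
 '';
-description = ''
-<filename>config.yaml</filename> configuration as a Nix attribute set.
+description = lib.mdDoc ''
+{file}`config.yaml` configuration as a Nix attribute set.
 Configuration options should match those described in
-<link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml">example-config.yaml</link>.
+[example-config.yaml](https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml).
 
-Secret tokens should be specified using <option>environmentFile</option>
+Secret tokens should be specified using {option}`environmentFile`
 instead of this world-readable attribute set.
 '';
 };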
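--- a/nixos/modules/services/misc/autorandr.nix
+++ b/nixos/modules/services/misc/autorandr.nix
@@ -27,9 +27,9 @@
 options = {
 fingerprint = mkOption {
 type = types.attrsOf types.str;
-description = ''
+description = lib.mdDoc ''
 Output name to EDID mapping.
-Use <literal>autorandr --fingerprint</literal> to get current setup values.
+Use `autorandr --fingerprint` to get current setup values.
 '';
 default = { };
 };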
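--- a/nixos/modules/services/misc/bees.nix
+++ b/nixos/modules/services/misc/bees.nix
@@ -11,7 +11,7 @@
 fsOptions = with types; {
 options.spec = mkOption {
 type = str;
-description = ''
+description = lib.mdDoc ''
 Description of how to identify the filesystem to be duplicated by this
 instance of bees. Note that deduplication crosses subvolumes; one must
 not configure multiple instances for subvolumes of the same filesystem
@@ -28,7 +28,7 @@
 options.hashTableSizeMB = mkOption {
 type = types.addCheck types.int (n: mod n 16 == 0);
 default = 1024; # 1GB; default from upstream beesd script
-description = ''
+description = lib.mdDoc ''
 Hash table size in MB; must be a multiple of 16.
 
 A larger ratio of index size to storage size means smaller blocks of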
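--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@@ -125,9 +125,9 @@
 };
 
 extraConf = mkOption {
-description = ''
+description = lib.mdDoc ''
 Etcd extra configuration. See
-<link xlink:href="https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags"/>
+<https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags>
 '';
 type = types.attrsOf types.str;
 default = {};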
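--- a/nixos/modules/services/misc/klipper.nix
+++ b/nixos/modules/services/misc/klipper.nix
@@ -71,7 +71,7 @@
 };
 
 firmwares = mkOption {
-description = "Firmwares klipper should manage";
+description = lib.mdDoc "Firmwares klipper should manage";
 default = { };
 type = with types; attrsOf
 (submodule {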
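--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -42,7 +42,7 @@
 kcm = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to use SSS as a Kerberos Cache Manager (KCM).
 Kerberos will be configured to cache credentials in SSS.
 '';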
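--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -66,16 +66,16 @@
 
 storageDriverPasswordFile = mkOption {
 type = types.str;
-description = ''
+description = lib.mdDoc ''
 File that contains the cadvisor storage driver password.
 
-<option>storageDriverPasswordFile</option> takes precedence over <option>storageDriverPassword</option>
+{option}`storageDriverPasswordFile` takes precedence over {option}`storageDriverPassword`
 
-Warning: when <option>storageDriverPassword</option> is non-empty this defaults to a file in the
-world-readable Nix store that contains the value of <option>storageDriverPassword</option>.
+Warning: when {option}`storageDriverPassword` is non-empty this defaults to a file in the
+world-readable Nix store that contains the value of {option}`storageDriverPassword`.
 
 It's recommended to override this with a path not in the Nix store.
-Tip: use <link xlink:href="https://nixos.org/nixops/manual/#idm140737318306400">nixops key management</link>
+Tip: use [nixops key management](https://nixos.org/nixops/manual/#idm140737318306400)
 '';
 };
 
@@ -88,10 +88,10 @@
 extraOptions = mkOption {
 type = types.listOf types.str;
 default = [];
-description = ''
+description = lib.mdDoc ''
 Additional cadvisor options.
 
-See <link xlink:href="https://github.com/google/cadvisor/blob/master/docs/runtime_options.md"/> for available options.
+See <https://github.com/google/cadvisor/blob/master/docs/runtime_options.md> for available options.
 '';
 };
 };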
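Review bot: The Tip on new line 78 of `storageDriverPasswordFile` links to `https://nixos.org/nixops/manual/#idm140737318306400`, and that fragment looks like an auto-generated DocBook id, so it probably stops resolving whenever the NixOps manual is rebuilt. Because this is the pointer a reader follows right after the warning about the world-readable Nix store, a link to a named section (or the manual URL without the fragment) would be more durable. The sentence on new line 72 also ends without a period, which runs it into the following warning once rendered.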
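--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -251,9 +251,9 @@
 
 extraConfig = mkOption {
 default = {};
-description = ''
+description = lib.mdDoc ''
 Extra seyren configuration. See
-<link xlink:href="https://github.com/scobal/seyren#config"/>
+<https://github.com/scobal/seyren#config>
 '';
 type = types.attrsOf types.str;
 example = literalExpression ''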
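--- a/nixos/modules/services/monitoring/metricbeat.nix
+++ b/nixos/modules/services/monitoring/metricbeat.nix
@@ -32,17 +32,17 @@
 };
 
 modules = mkOption {
-description = ''
+description = lib.mdDoc ''
 Metricbeat modules are responsible for reading metrics from the various sources.
 
-This is like <literal>services.metricbeat.settings.metricbeat.modules</literal>,
+This is like `services.metricbeat.settings.metricbeat.modules`,
 but structured as an attribute set. This has the benefit that multiple
 NixOS modules can contribute settings to a single metricbeat module.
 
-A module can be specified multiple times by choosing a different <literal>&lt;name></literal>
-for each, but setting <xref linkend="opt-services.metricbeat.modules._name_.module"/> to the same value.
+A module can be specified multiple times by choosing a different `<name>`
+for each, but setting [](#opt-services.metricbeat.modules._name_.module) to the same value.
 
-See <link xlink:href="https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html"/>.
+See <https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html>.
 '';
 default = {};
 type = types.attrsOf (types.submodule ({ name, ... }: {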
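--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -138,29 +138,29 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Enable Munin Node agent. Munin node listens on 0.0.0.0 and
 by default accepts connections only from 127.0.0.1 for security reasons.
 
-See <link xlink:href="http://guide.munin-monitoring.org/en/latest/architecture/index.html"/>.
+See <http://guide.munin-monitoring.org/en/latest/architecture/index.html>.
 '';
 };
 
 extraConfig = mkOption {
 default = "";
 type = types.lines;
-description = ''
-<filename>munin-node.conf</filename> extra configuration. See
-<link xlink:href="http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html"/>
+description = lib.mdDoc ''
+{file}`munin-node.conf` extra configuration. See
+<http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html>
 '';
 };
 
 extraPluginConfig = mkOption {
 default = "";
 type = types.lines;
-description = ''
-<filename>plugin-conf.d</filename> extra plugin configuration. See
-<link xlink:href="http://guide.munin-monitoring.org/en/latest/plugin/use.html"/>
+description = lib.mdDoc ''
+{file}`plugin-conf.d` extra plugin configuration. See
+<http://guide.munin-monitoring.org/en/latest/plugin/use.html>
 '';
 example = ''
 [fail2ban_*]
@@ -266,11 +266,11 @@
 extraGlobalConfig = mkOption {
 default = "";
 type = types.lines;
-description = ''
-<filename>munin.conf</filename> extra global configuration.
-See <link xlink:href="http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html"/>.
+description = lib.mdDoc ''
+{file}`munin.conf` extra global configuration.
+See <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>.
 Useful to setup notifications, see
-<link xlink:href="http://guide.munin-monitoring.org/en/latest/tutorial/alert.html"/>
+<http://guide.munin-monitoring.org/en/latest/tutorial/alert.html>
 '';
 example = ''
 contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com
@@ -280,10 +280,10 @@
 hosts = mkOption {
 default = "";
 type = types.lines;
-description = ''
+description = lib.mdDoc ''
 Definitions of hosts of nodes to collect data from. Needs at least one
 host for cron to succeed. See
-<link xlink:href="http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html"/>
+<http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>
 '';
 example = literalExpression ''
 '''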
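--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -114,13 +114,13 @@
 example = literalExpression ''
 [ "/path/to/plugins.d" ]
 '';
-description = ''
+description = lib.mdDoc ''
 Extra paths to add to the netdata global "plugins directory"
 option. Useful for when you want to include your own
 collection scripts.
 
 Details about writing a custom netdata plugin are available at:
-<link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/>
+<https://docs.netdata.cloud/collectors/plugins.d/>
 
 Cannot be combined with configText.
 '';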
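--- a/nixos/modules/services/monitoring/parsedmarc.nix
+++ b/nixos/modules/services/monitoring/parsedmarc.nix
@@ -29,11 +29,11 @@
 enable = lib.mkOption {
 type = lib.types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether Postfix and Dovecot should be set up to receive
 mail locally. parsedmarc will be configured to watch the
 local inbox as the automatically created user specified in
-<xref linkend="opt-services.parsedmarc.provision.localMail.recipientName" />
+[](#opt-services.parsedmarc.provision.localMail.recipientName)
 '';
 };
 
@@ -68,13 +68,13 @@
 geoIp = lib.mkOption {
 type = lib.types.bool;
 default = true;
-description = ''
-Whether to enable and configure the <link linkend="opt-services.geoipupdate.enable">geoipupdate</link>
+description = lib.mdDoc ''
+Whether to enable and configure the [geoipupdate](#opt-services.geoipupdate.enable)
 service to automatically fetch GeoIP databases. Not crucial,
 but recommended for full functionality.
 
-To finish the setup, you need to manually set the <xref linkend="opt-services.geoipupdate.settings.AccountID"/> and
-<xref linkend="opt-services.geoipupdate.settings.LicenseKey"/>
+To finish the setup, you need to manually set the [](#opt-services.geoipupdate.settings.AccountID) and
+[](#opt-services.geoipupdate.settings.LicenseKey)
 options.
 '';
 };
@@ -95,11 +95,11 @@
 config.${opt.provision.elasticsearch} && config.${options.services.grafana.enable}
 '';
 apply = x: x && cfg.provision.elasticsearch;
-description = ''
+description = lib.mdDoc ''
 Whether the automatically provisioned Elasticsearch
 instance should be added as a grafana datasource. Has no
 effect unless
-<xref linkend="opt-services.parsedmarc.provision.elasticsearch"/>
+[](#opt-services.parsedmarc.provision.elasticsearch)
 is also enabled.
 '';
 };
@@ -206,12 +206,12 @@
 password = lib.mkOption {
 type = with lib.types; nullOr (either path (attrsOf path));
 default = null;
-description = ''
+description = lib.mdDoc ''
 The IMAP server password.
 
 Always handled as a secret whether the value is
-wrapped in a <literal>{ _secret = ...; }</literal>
-attrset or not (refer to <xref linkend="opt-services.parsedmarc.settings"/> for
+wrapped in a `{ _secret = ...; }`
+attrset or not (refer to [](#opt-services.parsedmarc.settings) for
 details).
 '';
 apply = x: if isAttrs x || x == null then x else { _secret = x; };
@@ -270,12 +270,12 @@
 password = lib.mkOption {
 type = with lib.types; nullOr (either path (attrsOf path));
 default = null;
-description = ''
+description = lib.mdDoc ''
 The SMTP server password.
 
 Always handled as a secret whether the value is
-wrapped in a <literal>{ _secret = ...; }</literal>
-attrset or not (refer to <xref linkend="opt-services.parsedmarc.settings"/> for
+wrapped in a `{ _secret = ...; }`
+attrset or not (refer to [](#opt-services.parsedmarc.settings) for
 details).
 '';
 apply = x: if isAttrs x || x == null then x else { _secret = x; };
@@ -322,13 +322,13 @@
 password = lib.mkOption {
 type = with lib.types; nullOr (either path (attrsOf path));
 default = null;
-description = ''
+description = lib.mdDoc ''
 The password to use when connecting to Elasticsearch,
 if required.
 
 Always handled as a secret whether the value is
-wrapped in a <literal>{ _secret = ...; }</literal>
-attrset or not (refer to <xref linkend="opt-services.parsedmarc.settings"/> for
+wrapped in a `{ _secret = ...; }`
+attrset or not (refer to [](#opt-services.parsedmarc.settings) for
 details).
 '';
 apply = x: if isAttrs x || x == null then x else { _secret = x; };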
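--- a/nixos/modules/services/networking/biboumi.nix
+++ b/nixos/modules/services/networking/biboumi.nix
@@ -83,13 +83,13 @@
 };
 options.password = mkOption {
 type = with types; nullOr str;
-description = ''
+description = lib.mdDoc ''
 The password used to authenticate the XMPP component to your XMPP server.
 This password must be configured in the XMPP server,
 associated with the external component on
-<link linkend="opt-services.biboumi.settings.hostname">hostname</link>.
+[hostname](#opt-services.biboumi.settings.hostname).
 
-Set it to null and use <link linkend="opt-services.biboumi.credentialsFile">credentialsFile</link>
+Set it to null and use [credentialsFile](#opt-services.biboumi.credentialsFile)
 if you do not want this password to go into the Nix store.
 '';
 };
@@ -155,12 +155,12 @@
 
 credentialsFile = mkOption {
 type = types.path;
-description = ''
+description = lib.mdDoc ''
 Path to a configuration file to be merged with the settings.
 Beware not to surround "=" with spaces when setting biboumi's options in this file.
 Useful to merge a file which is better kept out of the Nix store
 because it contains sensible data like
-<link linkend="opt-services.biboumi.settings.password">password</link>.
+[password](#opt-services.biboumi.settings.password).
 '';
 default = "/dev/null";
 example = "/run/keys/biboumi.cfg";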
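Review bot: The `credentialsFile` description on line 162 says the file holds "sensible data", which should read "sensitive data". This option is the documented way to keep the XMPP component password out of the Nix store, so the wording is worth getting right while the text is being touched. Proposed line: `because it contains sensitive data like`. The line is unchanged context in this conversion, so it needs a manual follow-up rather than another run of the tool.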
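--- a/nixos/modules/services/networking/bird-lg.nix
+++ b/nixos/modules/services/networking/bird-lg.nix
@@ -136,8 +136,8 @@
 extraArgs = mkOption {
 type = types.lines;
 default = "";
-description = ''
-Extra parameters documented <link xlink:href="https://github.com/xddxdd/bird-lg-go#frontend">here</link>.
+description = lib.mdDoc ''
+Extra parameters documented [here](https://github.com/xddxdd/bird-lg-go#frontend).
 '';
 };
 };
@@ -183,8 +183,8 @@
 extraArgs = mkOption {
 type = types.lines;
 default = "";
-description = ''
-Extra parameters documented <link xlink:href="https://github.com/xddxdd/bird-lg-go#proxy">here</link>.
+description = lib.mdDoc ''
+Extra parameters documented [here](https://github.com/xddxdd/bird-lg-go#proxy).
 '';
 };
 };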
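--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -13,18 +13,18 @@
 enable = mkEnableOption "BIRD Internet Routing Daemon";
 config = mkOption {
 type = types.lines;
-description = ''
+description = lib.mdDoc ''
 BIRD Internet Routing Daemon configuration file.
-<link xlink:href="http://bird.network.cz/"/>
+<http://bird.network.cz/>
 '';
 };
 checkConfig = mkOption {
 type = types.bool;
 default = true;
-description = ''
+description = lib.mdDoc ''
 Whether the config should be checked at build time.
 When the config can't be checked during build time, for example when it includes
-other files, either disable this option or use <literal>preCheckConfig</literal> to create
+other files, either disable this option or use `preCheckConfig` to create
 the included files before checking.
 '';
 };
@@ -34,9 +34,9 @@
 example = ''
 echo "cost 100;" > include.conf
 '';
-description = ''
+description = lib.mdDoc ''
 Commands to execute before the config file check. The file to be checked will be
-available as <literal>bird2.conf</literal> in the current directory.
+available as `bird2.conf` in the current directory.
 
 Files created with this option will not be available at service runtime, only during
 build time checking.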
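--- a/nixos/modules/services/networking/coredns.nix
+++ b/nixos/modules/services/networking/coredns.nix
@@ -17,9 +17,9 @@
 }
 '';
 type = types.lines;
-description = ''
+description = lib.mdDoc ''
 Verbatim Corefile to use.
-See <link xlink:href="https://coredns.io/manual/toc/#configuration"/> for details.
+See <https://coredns.io/manual/toc/#configuration> for details.
 '';
 };
 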
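--- a/nixos/modules/services/networking/ghostunnel.nix
+++ b/nixos/modules/services/networking/ghostunnel.nix
@@ -49,28 +49,28 @@
 };
 
 cert = mkOption {
-description = ''
+description = lib.mdDoc ''
 Path to certificate (PEM with certificate chain).
 
-Not required if <literal>keystore</literal> is set.
+Not required if `keystore` is set.
 '';
 type = types.nullOr types.str;
 default = null;
 };
 
 key = mkOption {
-description = ''
+description = lib.mdDoc ''
 Path to certificate private key (PEM with private key).
 
-Not required if <literal>keystore</literal> is set.
+Not required if `keystore` is set.
 '';
 type = types.nullOr types.str;
 default = null;
 };
 
 cacert = mkOption {
-description = ''
-Path to CA bundle file (PEM/X509). Uses system trust store if <literal>null</literal>.
+description = lib.mdDoc ''
+Path to CA bundle file (PEM/X509). Uses system trust store if `null`.
 '';
 type = types.nullOr types.str;
 };
@@ -124,7 +124,7 @@
 };
 
 extraArguments = mkOption {
-description = "Extra arguments to pass to <literal>ghostunnel server</literal>";
+description = lib.mdDoc "Extra arguments to pass to `ghostunnel server`";
 type = types.separatedString " ";
 default = "";
 };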
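Review bot: The `cacert` option (new lines 71-76) is documented as using the system trust store when `null`, but unlike `cert` and `key` just above it declares no `default`. A configuration that leaves it out will therefore presumably fail evaluation rather than fall back to the system store. That looks like a deliberate way to force an explicit trust decision, but the description does not say so. Adding a sentence such as `This option has no default and must be set explicitly.` would make that visible in the rendered manual.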
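--- a/nixos/modules/services/networking/hans.nix
+++ b/nixos/modules/services/networking/hans.nix
@@ -19,11 +19,11 @@
 services.hans = {
 clients = mkOption {
 default = {};
-description = ''
+description = lib.mdDoc ''
 Each attribute of this option defines a systemd service that
 runs hans. Many or none may be defined.
 The name of each service is
-<literal>hans-«name»</literal>
+`hans-«name»`
 where «name» is the name of the
 corresponding attribute name.
 '';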
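--- a/nixos/modules/services/networking/iodine.nix
+++ b/nixos/modules/services/networking/iodine.nix
@@ -28,11 +28,11 @@
 services.iodine = {
 clients = mkOption {
 default = {};
-description = ''
+description = lib.mdDoc ''
 Each attribute of this option defines a systemd service that
 runs iodine. Many or none may be defined.
 The name of each service is
-<literal>iodine-«name»</literal>
+`iodine-«name»`
 where «name» is the name of the
 corresponding attribute name.
 '';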
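--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -54,11 +54,11 @@
 configFile = mkOption {
 type = nullOr path;
 default = null;
-description = ''
-Kea Control Agent configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>.
+description = lib.mdDoc ''
+Kea Control Agent configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html>.
 
-Takes preference over <link linkend="opt-services.kea.ctrl-agent.settings">settings</link>.
-Most users should prefer using <link linkend="opt-services.kea.ctrl-agent.settings">settings</link> instead.
+Takes preference over [settings](#opt-services.kea.ctrl-agent.settings).
+Most users should prefer using [settings](#opt-services.kea.ctrl-agent.settings) instead.
 '';
 };
 
@@ -93,11 +93,11 @@
 configFile = mkOption {
 type = nullOr path;
 default = null;
-description = ''
-Kea DHCP4 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>.
+description = lib.mdDoc ''
+Kea DHCP4 configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html>.
 
-Takes preference over <link linkend="opt-services.kea.dhcp4.settings">settings</link>.
-Most users should prefer using <link linkend="opt-services.kea.dhcp4.settings">settings</link> instead.
+Takes preference over [settings](#opt-services.kea.dhcp4.settings).
+Most users should prefer using [settings](#opt-services.kea.dhcp4.settings) instead.
 '';
 };
 
@@ -153,11 +153,11 @@
 configFile = mkOption {
 type = nullOr path;
 default = null;
-description = ''
-Kea DHCP6 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>.
+description = lib.mdDoc ''
+Kea DHCP6 configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html>.
 
-Takes preference over <link linkend="opt-services.kea.dhcp6.settings">settings</link>.
-Most users should prefer using <link linkend="opt-services.kea.dhcp6.settings">settings</link> instead.
+Takes preference over [settings](#opt-services.kea.dhcp6.settings).
+Most users should prefer using [settings](#opt-services.kea.dhcp6.settings) instead.
 '';
 };
 
@@ -214,11 +214,11 @@
 configFile = mkOption {
 type = nullOr path;
 default = null;
-description = ''
-Kea DHCP-DDNS configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>.
+description = lib.mdDoc ''
+Kea DHCP-DDNS configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html>.
 
-Takes preference over <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link>.
-Most users should prefer using <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link> instead.
+Takes preference over [settings](#opt-services.kea.dhcp-ddns.settings).
+Most users should prefer using [settings](#opt-services.kea.dhcp-ddns.settings) instead.
 '';
 };
 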
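--- a/nixos/modules/services/networking/ncdns.nix
+++ b/nixos/modules/services/networking/ncdns.nix
@@ -176,10 +176,10 @@
 certstore.nssdbdir = "../../home/alice/.pki/nssdb";
 }
 '';
-description = ''
+description = lib.mdDoc ''
 ncdns settings. Use this option to configure ncds
 settings not exposed in a NixOS option or to bypass one.
-See the example ncdns.conf file at <link xlink:href="https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example"/>
+See the example ncdns.conf file at <https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example>
 for the available options.
 '';
 };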
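--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -387,12 +387,12 @@
  enableStrongSwan = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Enable the StrongSwan plugin.
 
  If you enable this option the
- <literal>networkmanager_strongswan</literal> plugin will be added to
- the <option>networking.networkmanager.plugins</option> option
+ `networkmanager_strongswan` plugin will be added to
+ the {option}`networking.networkmanager.plugins` option
  so you don't need to to that yourself.
  '';
  };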
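--- a/nixos/modules/services/networking/nntp-proxy.nix
+++ b/nixos/modules/services/networking/nntp-proxy.nix
@@ -167,9 +167,9 @@
  passwordHash = mkOption {
  type = types.str;
  example = "$6$GtzE7FrpE$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0";
- description = ''
+ description = lib.mdDoc ''
  SHA-512 password hash (can be generated by
- <literal>mkpasswd -m sha-512 &lt;password&gt;</literal>)
+ `mkpasswd -m sha-512 <password>`)
  '';
  };
 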
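Review bot: The `passwordHash` description recommends `mkpasswd -m sha-512 <password>`, which puts the cleartext password on the command line, where it can end up in shell history and be visible in the process list. I would document the prompting form instead: "SHA-512 password hash (can be generated by running `mkpasswd -m sha-512` and entering the password at the prompt)". The option is a plain `types.str`, so the hash presumably ends up in the world-readable Nix store as well; if that is the case, one sentence saying so would help readers choose a password that resists offline guessing. The enclosing option set starts outside this hunk.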
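--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -392,8 +392,8 @@
  requestXFR = mkOption {
  type = types.listOf types.str;
  default = [];
- description = ''
- Format: <literal>[AXFR|UDP] &lt;ip-address&gt; &lt;key-name | NOKEY&gt;</literal>
+ description = lib.mdDoc ''
+ Format: `[AXFR|UDP] <ip-address> <key-name | NOKEY>`
  '';
  };
 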
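--- a/nixos/modules/services/networking/ntp/ntpd.nix
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -40,17 +40,17 @@
  enable = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to synchronise your machine's time using ntpd, as a peer in
  the NTP network.
 
- Disables <literal>systemd.timesyncd</literal> if enabled.
+ Disables `systemd.timesyncd` if enabled.
  '';
  };
 
  restrictDefault = mkOption {
  type = types.listOf types.str;
- description = ''
+ description = lib.mdDoc ''
  The restriction flags to be set by default.
 
  The default flags prevent external hosts from using ntpd as a DDoS
@@ -63,7 +63,7 @@
 
  restrictSource = mkOption {
  type = types.listOf types.str;
- description = ''
+ description = lib.mdDoc ''
  The restriction flags to be set on source.
 
  The default flags allow peers to be added by ntpd from configured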
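--- a/nixos/modules/services/networking/openconnect.nix
+++ b/nixos/modules/services/networking/openconnect.nix
@@ -38,10 +38,10 @@
  # set an authentication cookie, because they have to be requested
  # for every new connection and would only work once.
  passwordFile = mkOption {
- description = ''
+ description = lib.mdDoc ''
  File containing the password to authenticate with. This
- is passed to <literal>openconnect</literal> via the
- <literal>--passwd-on-stdin</literal> option.
+ is passed to `openconnect` via the
+ `--passwd-on-stdin` option.
  '';
  default = null;
  example = "/var/lib/secrets/openconnect-passwd";
@@ -63,13 +63,13 @@
  };
 
  extraOptions = mkOption {
- description = ''
+ description = lib.mdDoc ''
  Extra config to be appended to the interface config. It should
  contain long-format options as would be accepted on the command
- line by <literal>openconnect</literal>
+ line by `openconnect`
  (see https://www.infradead.org/openconnect/manual.html).
- Non-key-value options like <literal>deflate</literal> can be used by
- declaring them as booleans, i. e. <literal>deflate = true;</literal>.
+ Non-key-value options like `deflate` can be used by
+ declaring them as booleans, i. e. `deflate = true;`.
  '';
  default = { };
  example = {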
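--- a/nixos/modules/services/networking/openvpn.nix
+++ b/nixos/modules/services/networking/openvpn.nix
@@ -115,11 +115,11 @@
  }
  '';
 
- description = ''
+ description = lib.mdDoc ''
  Each attribute of this option defines a systemd service that
  runs an OpenVPN instance. These can be OpenVPN servers or
  clients. The name of each systemd service is
- <literal>openvpn-«name».service</literal>,
+ `openvpn-«name».service`,
  where «name» is the corresponding
  attribute name.
  '';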
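--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -34,7 +34,7 @@
 
  configs = mkOption {
  type = with types; listOf str;
- description = ''
+ description = lib.mdDoc ''
  Pleroma public configuration.
 
  This list gets appended from left to
@@ -42,9 +42,9 @@
  configuration imperatively, meaning you can override a
  setting by appending a new str to this NixOS option list.
 
- <emphasis>DO NOT STORE ANY PLEROMA SECRET
- HERE</emphasis>, use
- <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
+ *DO NOT STORE ANY PLEROMA SECRET
+ HERE*, use
+ [services.pleroma.secretConfigFile](#opt-services.pleroma.secretConfigFile)
  instead.
 
  This setting is going to be stored in a file part of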
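--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -257,12 +257,12 @@
  authorizedKeysFiles = mkOption {
  type = types.listOf types.str;
  default = [];
- description = ''
+ description = lib.mdDoc ''
  Specify the rules for which files to read on the host.
 
  This is an advanced option. If you're looking to configure user
- keys, you can generally use <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keys"/>
- or <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keyFiles"/>.
+ keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys)
+ or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles).
 
  These are paths relative to the host root file system or home
  directories and they are subject to certain token expansion rules.
@@ -298,13 +298,13 @@
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
  ];
- description = ''
+ description = lib.mdDoc ''
  Allowed key exchange algorithms
 
  Uses the lower bound recommended in both
- <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html"/>
+ <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
  and
- <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67"/>
+ <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
  '';
  };
 
@@ -318,13 +318,13 @@
  "aes192-ctr"
  "aes128-ctr"
  ];
- description = ''
+ description = lib.mdDoc ''
  Allowed ciphers
 
  Defaults to recommended settings from both
- <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html"/>
+ <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
  and
- <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67"/>
+ <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
  '';
  };
 
@@ -338,13 +338,13 @@
  "hmac-sha2-256"
  "umac-128@openssh.com"
  ];
- description = ''
+ description = lib.mdDoc ''
  Allowed MACs
 
  Defaults to recommended settings from both
- <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html"/>
+ <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
  and
- <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67"/>
+ <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
  '';
  };
 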
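--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -118,11 +118,11 @@
  default = null;
  type = with types; nullOr str;
  example = "container";
- description = ''The pre-existing network namespace in which the
+ description = lib.mdDoc ''The pre-existing network namespace in which the
  WireGuard interface is created, and which retains the socket even if the
- interface is moved via <option>interfaceNamespace</option>. When
- <literal>null</literal>, the interface is created in the init namespace.
- See <link xlink:href="https://www.wireguard.com/netns/">documentation</link>.
+ interface is moved via {option}`interfaceNamespace`. When
+ `null`, the interface is created in the init namespace.
+ See [documentation](https://www.wireguard.com/netns/).
  '';
  };
 
@@ -130,11 +130,11 @@
  default = null;
  type = with types; nullOr str;
  example = "init";
- description = ''The pre-existing network namespace the WireGuard
- interface is moved to. The special value <literal>init</literal> means
- the init namespace. When <literal>null</literal>, the interface is not
+ description = lib.mdDoc ''The pre-existing network namespace the WireGuard
+ interface is moved to. The special value `init` means
+ the init namespace. When `null`, the interface is not
  moved.
- See <link xlink:href="https://www.wireguard.com/netns/">documentation</link>.
+ See [documentation](https://www.wireguard.com/netns/).
  '';
  };
  };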
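--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@@ -64,21 +64,21 @@
  type = types.nullOr types.str;
  default = null;
  example = "wheel";
- description = "Group to grant access to the Yggdrasil control socket. If <literal>null</literal>, only root can access the socket.";
+ description = lib.mdDoc "Group to grant access to the Yggdrasil control socket. If `null`, only root can access the socket.";
  };
 
  openMulticastPort = mkOption {
  type = bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to open the UDP port used for multicast peer
  discovery. The NixOS firewall blocks link-local
  communication, so in order to make local peering work you
- will also need to set <literal>LinkLocalTCPPort</literal> in your
- yggdrasil configuration (<option>config</option> or
- <option>configFile</option>) to a port number other than 0,
+ will also need to set `LinkLocalTCPPort` in your
+ yggdrasil configuration ({option}`config` or
+ {option}`configFile`) to a port number other than 0,
  and then add that port to
- <option>networking.firewall.allowedTCPPorts</option>.
+ {option}`networking.firewall.allowedTCPPorts`.
  '';
  };
 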
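--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@@ -215,9 +215,9 @@
  environmentFile = mkOption {
  default = null;
  type = types.nullOr types.str;
- description = ''
+ description = lib.mdDoc ''
  Environment file containing secrets to be substituted into
- <xref linkend="opt-services.privacyidea.ldap-proxy.settings"/>.
+ [](#opt-services.privacyidea.ldap-proxy.settings).
  '';
  };
  };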
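--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -476,11 +476,11 @@
  };
  clientNames = mkOption {
  type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+");
- description = ''
+ description = lib.mdDoc ''
  Only clients that are listed here are authorized to access the hidden service.
- Generated authorization data can be found in <filename>${stateDir}/onion/$name/hostname</filename>.
+ Generated authorization data can be found in {file}`${stateDir}/onion/$name/hostname`.
  Clients need to put this authorization data in their configuration file using
- <xref linkend="opt-services.tor.settings.HidServAuth"/>.
+ [](#opt-services.tor.settings.HidServAuth).
  '';
  };
  };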
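Review bot: In `clientNames`, the character class in `strMatching "[A-Za-z0-9+-_]+"` contains `+-_`, which a regex engine reads as a range from `+` to `_` rather than as three literal characters, so names containing `/`, `.`, `:`, `=`, `\` and other punctuation also pass the type check. That looks looser than intended for a value that identifies an authorized client; putting the hyphen last, `strMatching "[A-Za-z0-9+_-]+"`, limits it to the characters the pattern appears to list. The line is unchanged context in this hunk and the code that consumes the names is outside it, so the downstream use should be checked before tightening.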
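--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -116,13 +116,13 @@
  storageConfig = mkOption {
  type = types.nullOr types.lines;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  HCL configuration to insert in the storageBackend section.
 
  Confidential values should not be specified here because this option's
  value is written to the Nix store, which is publicly readable.
  Provide credentials and such in a separate file using
- <xref linkend="opt-services.vault.extraSettingsPaths"/>.
+ [](#opt-services.vault.extraSettingsPaths).
  '';
  };
 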
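--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -38,17 +38,17 @@
  packages = mkOption {
  type = types.listOf types.path;
  default = [ ];
- description = ''
+ description = lib.mdDoc ''
  Packages whose D-Bus configuration files should be included in
  the configuration of the D-Bus system-wide or session-wide
  message bus. Specifically, files in the following directories
  will be included into their respective DBus configuration paths:
- <filename>«pkg»/etc/dbus-1/system.d</filename>
- <filename>«pkg»/share/dbus-1/system.d</filename>
- <filename>«pkg»/share/dbus-1/system-services</filename>
- <filename>«pkg»/etc/dbus-1/session.d</filename>
- <filename>«pkg»/share/dbus-1/session.d</filename>
- <filename>«pkg»/share/dbus-1/services</filename>
+ {file}`«pkg»/etc/dbus-1/system.d`
+ {file}`«pkg»/share/dbus-1/system.d`
+ {file}`«pkg»/share/dbus-1/system-services`
+ {file}`«pkg»/etc/dbus-1/session.d`
+ {file}`«pkg»/share/dbus-1/session.d`
+ {file}`«pkg»/share/dbus-1/services`
  '';
  };
 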
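--- a/nixos/modules/services/system/earlyoom.nix
+++ b/nixos/modules/services/system/earlyoom.nix
@@ -32,32 +32,32 @@
  freeMemKillThreshold = mkOption {
  type = types.nullOr (types.ints.between 1 100);
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Minimum available memory (in percent) before sending SIGKILL.
- If unset, this defaults to half of <option>freeMemThreshold</option>.
+ If unset, this defaults to half of {option}`freeMemThreshold`.
 
- See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>.
+ See the description of [](#opt-services.earlyoom.freeMemThreshold).
  '';
  };
 
  freeSwapThreshold = mkOption {
  type = types.ints.between 1 100;
  default = 10;
- description = ''
+ description = lib.mdDoc ''
  Minimum free swap space (in percent) before sending SIGTERM.
 
- See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>.
+ See the description of [](#opt-services.earlyoom.freeMemThreshold).
  '';
  };
 
  freeSwapKillThreshold = mkOption {
  type = types.nullOr (types.ints.between 1 100);
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Minimum free swap space (in percent) before sending SIGKILL.
- If unset, this defaults to half of <option>freeSwapThreshold</option>.
+ If unset, this defaults to half of {option}`freeSwapThreshold`.
 
- See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>.
+ See the description of [](#opt-services.earlyoom.freeMemThreshold).
  '';
  };
 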
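--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -55,13 +55,13 @@
  type = types.path;
  default = "${cfg.home}/${incompleteDir}";
  defaultText = literalExpression ''"''${config.${opt.home}}/${incompleteDir}"'';
- description = ''
+ description = lib.mdDoc ''
  When enabled with
  services.transmission.home
- <xref linkend="opt-services.transmission.settings.incomplete-dir-enabled"/>,
+ [](#opt-services.transmission.settings.incomplete-dir-enabled),
  new torrents will download the files to this directory.
  When complete, the files will be moved to download-dir
- <xref linkend="opt-services.transmission.settings.download-dir"/>.
+ [](#opt-services.transmission.settings.download-dir).
  '';
  };
  options.incomplete-dir-enabled = mkOption {
@@ -82,17 +82,17 @@
  options.peer-port-random-high = mkOption {
  type = types.port;
  default = 65535;
- description = ''
+ description = lib.mdDoc ''
  The maximum peer port to listen to for incoming connections
- when <xref linkend="opt-services.transmission.settings.peer-port-random-on-start"/> is enabled.
+ when [](#opt-services.transmission.settings.peer-port-random-on-start) is enabled.
  '';
  };
  options.peer-port-random-low = mkOption {
  type = types.port;
  default = 65535;
- description = ''
+ description = lib.mdDoc ''
  The minimal peer port to listen to for incoming connections
- when <xref linkend="opt-services.transmission.settings.peer-port-random-on-start"/> is enabled.
+ when [](#opt-services.transmission.settings.peer-port-random-on-start) is enabled.
  '';
  };
  options.peer-port-random-on-start = mkOption {
@@ -117,9 +117,9 @@
  options.script-torrent-done-enabled = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to run
- <xref linkend="opt-services.transmission.settings.script-torrent-done-filename"/>
+ [](#opt-services.transmission.settings.script-torrent-done-filename)
  at torrent completion.
  '';
  };
@@ -156,15 +156,15 @@
  options.watch-dir-enabled = mkOption {
  type = types.bool;
  default = false;
- description = ''Whether to enable the
- <xref linkend="opt-services.transmission.settings.watch-dir"/>.
+ description = lib.mdDoc ''Whether to enable the
+ [](#opt-services.transmission.settings.watch-dir).
  '';
  };
  options.trash-original-torrent-files = mkOption {
  type = types.bool;
  default = false;
- description = ''Whether to delete torrents added from the
- <xref linkend="opt-services.transmission.settings.watch-dir"/>.
+ description = lib.mdDoc ''Whether to delete torrents added from the
+ [](#opt-services.transmission.settings.watch-dir).
  '';
  };
  };
@@ -174,26 +174,26 @@
  type = with types; nullOr str;
  default = null;
  example = "770";
- description = ''
- If not <literal>null</literal>, is used as the permissions
- set by <literal>systemd.activationScripts.transmission-daemon</literal>
- on the directories <xref linkend="opt-services.transmission.settings.download-dir"/>,
- <xref linkend="opt-services.transmission.settings.incomplete-dir"/>.
- and <xref linkend="opt-services.transmission.settings.watch-dir"/>.
+ description = lib.mdDoc ''
+ If not `null`, is used as the permissions
+ set by `systemd.activationScripts.transmission-daemon`
+ on the directories [](#opt-services.transmission.settings.download-dir),
+ [](#opt-services.transmission.settings.incomplete-dir).
+ and [](#opt-services.transmission.settings.watch-dir).
  Note that you may also want to change
- <xref linkend="opt-services.transmission.settings.umask"/>.
+ [](#opt-services.transmission.settings.umask).
  '';
  };
 
  home = mkOption {
  type = types.path;
  default = "/var/lib/transmission";
- description = ''
- The directory where Transmission will create <literal>${settingsDir}</literal>.
- as well as <literal>${downloadsDir}/</literal> unless
- <xref linkend="opt-services.transmission.settings.download-dir"/> is changed,
- and <literal>${incompleteDir}/</literal> unless
- <xref linkend="opt-services.transmission.settings.incomplete-dir"/> is changed.
+ description = lib.mdDoc ''
+ The directory where Transmission will create `${settingsDir}`.
+ as well as `${downloadsDir}/` unless
+ [](#opt-services.transmission.settings.download-dir) is changed,
+ and `${incompleteDir}/` unless
+ [](#opt-services.transmission.settings.incomplete-dir) is changed.
  '';
  };
 
@@ -211,10 +211,10 @@
 
  credentialsFile = mkOption {
  type = types.path;
- description = ''
+ description = lib.mdDoc ''
  Path to a JSON file to be merged with the settings.
  Useful to merge a file which is better kept out of the Nix store
- to set secret config parameters like <literal>rpc-password</literal>.
+ to set secret config parameters like `rpc-password`.
  '';
  default = "/dev/null";
  example = "/var/lib/secrets/transmission/settings.json";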
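Review bot: `options.peer-port-random-low` keeps `default = 65535;`, the same value as `peer-port-random-high`, so with `peer-port-random-on-start` enabled the "random" range collapses to the single port 65535. The description calls it "the minimal peer port", which suggests a lower bound was meant; the default should be lowered to the value upstream Transmission uses, which needs to be looked up, as it is not on this page. Separately, in `home` the converted text reads "will create `${settingsDir}`. as well as", where the full stop splits the sentence and should be a comma. Both lines were carried over unchanged by the conversion.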
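--- a/nixos/modules/services/web-apps/dokuwiki.nix
+++ b/nixos/modules/services/web-apps/dokuwiki.nix
@@ -260,14 +260,14 @@
  webserver = mkOption {
  type = types.enum [ "nginx" "caddy" ];
  default = "nginx";
- description = ''
+ description = lib.mdDoc ''
  Whether to use nginx or caddy for virtual host management.
 
- Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
- See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
+ Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`.
+ See [](#opt-services.nginx.virtualHosts) for further information.
 
- Further apache2 configuration can be done by adapting <literal>services.httpd.virtualHosts.&lt;name&gt;</literal>.
- See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
+ Further apache2 configuration can be done by adapting `services.httpd.virtualHosts.<name>`.
+ See [](#opt-services.httpd.virtualHosts) for further information.
  '';
  };
 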
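Review bot: The `webserver` description documents apache2 through `services.httpd.virtualHosts.<name>`, but the option type is `types.enum [ "nginx" "caddy" ]`, so httpd cannot be selected and caddy, which can, is left undocumented. The last paragraph should probably read "Further caddy configuration can be done by adapting `services.caddy.virtualHosts.<name>`." with the link pointing at `#opt-services.caddy.virtualHosts`. Which caddy option the module actually sets is outside this hunk and should be confirmed first; a reader who follows the httpd pointer would be hardening a virtual host that does not serve the wiki.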
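--- a/nixos/modules/services/web-apps/hedgedoc.nix
+++ b/nixos/modules/services/web-apps/hedgedoc.nix
@@ -150,9 +150,9 @@
  addDefaults = true;
  }
  '';
- description = ''
+ description = lib.mdDoc ''
  Specify the Content Security Policy which is passed to Helmet.
- For configuration details see <link xlink:href="https://helmetjs.github.io/docs/csp/"/>.
+ For configuration details see <https://helmetjs.github.io/docs/csp/>.
  '';
  };
  protocolUseSSL = mkOption {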
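--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -210,13 +210,13 @@
  name = mkOption {
  type = str;
  default = "keycloak";
- description = ''
+ description = lib.mdDoc ''
  Database name to use when connecting to an external or
  manually provisioned database; has no effect when a local
  database is automatically provisioned.
 
- To use this with a local database, set <xref linkend="opt-services.keycloak.database.createLocally"/> to
- <literal>false</literal> and create the database and user
+ To use this with a local database, set [](#opt-services.keycloak.database.createLocally) to
+ `false` and create the database and user
  manually.
  '';
  };
@@ -224,13 +224,13 @@
  username = mkOption {
  type = str;
  default = "keycloak";
- description = ''
+ description = lib.mdDoc ''
  Username to use when connecting to an external or manually
  provisioned database; has no effect when a local database is
  automatically provisioned.
 
- To use this with a local database, set <xref linkend="opt-services.keycloak.database.createLocally"/> to
- <literal>false</literal> and create the database and user
+ To use this with a local database, set [](#opt-services.keycloak.database.createLocally) to
+ `false` and create the database and user
  manually.
  '';
  };
@@ -415,21 +415,21 @@
  }
  '';
 
- description = ''
+ description = lib.mdDoc ''
  Configuration options corresponding to parameters set in
- <filename>conf/keycloak.conf</filename>.
+ {file}`conf/keycloak.conf`.
 
- Most available options are documented at <link xlink:href="https://www.keycloak.org/server/all-config"/>.
+ Most available options are documented at <https://www.keycloak.org/server/all-config>.
 
  Options containing secret data should be set to an attribute
- set containing the attribute <literal>_secret</literal> - a
+ set containing the attribute `_secret` - a
  string pointing to a file containing the value the option
  should be set to. See the example to get a better picture of
  this: in the resulting
- <filename>conf/keycloak.conf</filename> file, the
- <literal>https-key-store-password</literal> key will be set
+ {file}`conf/keycloak.conf` file, the
+ `https-key-store-password` key will be set
  to the contents of the
- <filename>/run/keys/store_password</filename> file.
+ {file}`/run/keys/store_password` file.
  '';
  };
  };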
+9 -9
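--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -197,14 +197,14 @@
 };
 
 vapidPublicKeyFile = lib.mkOption {
-description = ''
+description = lib.mdDoc ''
 Path to file containing the public key used for Web Push
 Voluntary Application Server Identification. A new keypair can
 be generated by running:
 
-<literal>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake webpush:generate_keys</literal>
+`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
 
-If <option>mastodon.vapidPrivateKeyFile</option>does not
+If {option}`mastodon.vapidPrivateKeyFile`does not
 exist, it and this file will be created with a new keypair.
 '';
 default = "/var/lib/mastodon/secrets/vapid-public-key";
@@ -218,11 +218,11 @@
 };
 
 secretKeyBaseFile = lib.mkOption {
-description = ''
+description = lib.mdDoc ''
 Path to file containing the secret key base.
 A new secret key base can be generated by running:
 
-<literal>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake secret</literal>
+`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
 
 If this file does not exist, it will be created with a new secret key base.
 '';
@@ -231,11 +231,11 @@
 };
 
 otpSecretFile = lib.mkOption {
-description = ''
+description = lib.mdDoc ''
 Path to file containing the OTP secret.
 A new OTP secret can be generated by running:
 
-<literal>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake secret</literal>
+`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
 
 If this file does not exist, it will be created with a new OTP secret.
 '';
@@ -244,12 +244,12 @@
 };
 
 vapidPrivateKeyFile = lib.mkOption {
-description = ''
+description = lib.mdDoc ''
 Path to file containing the private key used for Web Push
 Voluntary Application Server Identification. A new keypair can
 be generated by running:
 
-<literal>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake webpush:generate_keys</literal>
+`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
 
 If this file does not exist, it will be created with a new
 private key.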
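Review bot: In the `vapidPublicKeyFile` description (new line 207) the role is glued to the following word, ``{option}`mastodon.vapidPrivateKeyFile`does not``, a defect carried over unchanged from the DocBook text. A space is needed after the closing backtick: ``If {option}`mastodon.vapidPrivateKeyFile` does not``. The option is also named without a `services.` prefix, which presumably does not match its full path; that should be checked against the module, since the option declarations continue outside these hunks.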
+12 -12
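--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -93,8 +93,8 @@
 type = types.str;
 default = config.services.nextcloud.home;
 defaultText = literalExpression "config.services.nextcloud.home";
-description = ''
-Data storage path of nextcloud. Will be <xref linkend="opt-services.nextcloud.home"/> by default.
+description = lib.mdDoc ''
+Data storage path of nextcloud. Will be [](#opt-services.nextcloud.home) by default.
 This folder will be populated with a config.php and data folder which contains the state of the instance (excl the database).";
 '';
 example = "/mnt/nextcloud-file";
@@ -102,10 +102,10 @@
 extraApps = mkOption {
 type = types.attrsOf types.package;
 default = { };
-description = ''
+description = lib.mdDoc ''
 Extra apps to install. Should be an attrSet of appid to packages generated by fetchNextcloudApp.
 The appid must be identical to the "id" value in the apps appinfo/info.xml.
-Using this will disable the appstore to prevent Nextcloud from updating these apps (see <xref linkend="opt-services.nextcloud.appstoreEnable"/>).
+Using this will disable the appstore to prevent Nextcloud from updating these apps (see [](#opt-services.nextcloud.appstoreEnable)).
 '';
 example = literalExpression ''
 {
@@ -127,8 +127,8 @@
 extraAppsEnable = mkOption {
 type = types.bool;
 default = true;
-description = ''
-Automatically enable the apps in <xref linkend="opt-services.nextcloud.extraApps"/> every time nextcloud starts.
+description = lib.mdDoc ''
+Automatically enable the apps in [](#opt-services.nextcloud.extraApps) every time nextcloud starts.
 If set to false, apps need to be enabled in the Nextcloud user interface or with nextcloud-occ app:enable.
 '';
 };
@@ -136,10 +136,10 @@
 type = types.nullOr types.bool;
 default = null;
 example = true;
-description = ''
+description = lib.mdDoc ''
 Allow the installation of apps and app updates from the store.
-Enabled by default unless there are packages in <xref linkend="opt-services.nextcloud.extraApps"/>.
-Set to true to force enable the store even if <xref linkend="opt-services.nextcloud.extraApps"/> is used.
+Enabled by default unless there are packages in [](#opt-services.nextcloud.extraApps).
+Set to true to force enable the store even if [](#opt-services.nextcloud.extraApps) is used.
 Set to false to disable the installation of apps from the global appstore. App management is always enabled regardless of this setting.
 '';
 };
@@ -585,9 +585,9 @@
 hstsMaxAge = mkOption {
 type = types.ints.positive;
 default = 15552000;
-description = ''
-Value for the <literal>max-age</literal> directive of the HTTP
-<literal>Strict-Transport-Security</literal> header.
+description = lib.mdDoc ''
+Value for the `max-age` directive of the HTTP
+`Strict-Transport-Security` header.
 
 See section 6.1.1 of IETF RFC 6797 for detailed information on this
 directive and header.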
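Review bot: The first description in this file (lines 96–99) still ends with a stray `";` on line 98, `(excl the database).";`, which is inside the `''` string and so shows up literally in the rendered manual. Since the text is now Markdown, the line should end at the full stop: `... which contains the state of the instance (excl the database).`. The option's opening line is outside the hunk, so its name is not visible here.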
+2 -2
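--- a/nixos/modules/services/web-apps/node-red.nix
+++ b/nixos/modules/services/web-apps/node-red.nix
@@ -47,9 +47,9 @@
 type = types.path;
 default = "${cfg.package}/lib/node_modules/node-red/settings.js";
 defaultText = literalExpression ''"''${package}/lib/node_modules/node-red/settings.js"'';
-description = ''
+description = lib.mdDoc ''
 Path to the JavaScript configuration file.
-See <link xlink:href="https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js"/>
+See <https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js>
 for a configuration example.
 '';
 };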
+1 -1
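--- a/nixos/modules/services/web-apps/trilium.nix
+++ b/nixos/modules/services/web-apps/trilium.nix
@@ -53,7 +53,7 @@
 noAuthentication = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 If set to true, no password is required to access the web frontend.
 '';
 };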
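Review bot: The `noAuthentication` description (line 57) does not say what disabling the password means for exposure: with it set, anyone who can reach the web frontend can use it. I would add a second sentence, for example `Only enable this when access to the frontend is restricted by other means, such as an authenticating reverse proxy.` The default of `false` is the safe one and should stay.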
+1 -1
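--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -170,7 +170,7 @@
 supportDDC = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Support setting monitor brightness via DDC.
 
 This is not needed for controlling brightness of the internal monitor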
+2 -2
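--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
@@ -55,12 +55,12 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to enable lightdm-mini-greeter as the lightdm greeter.
 
 Note that this greeter starts only the default X session.
 You can configure the default X session using
-<xref linkend="opt-services.xserver.displayManager.defaultSession"/>.
+[](#opt-services.xserver.displayManager.defaultSession).
 '';
 };
 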
+2 -2
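--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix
@@ -17,12 +17,12 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to enable lightdm-tiny-greeter as the lightdm greeter.
 
 Note that this greeter starts only the default X session.
 You can configure the default X session using
-<xref linkend="opt-services.xserver.displayManager.defaultSession"/>.
+[](#opt-services.xserver.displayManager.defaultSession).
 '';
 };
 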
+1 -1
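--- a/nixos/modules/services/x11/window-managers/fvwm2.nix
+++ b/nixos/modules/services/x11/window-managers/fvwm2.nix
@@ -24,7 +24,7 @@
 gestures = mkOption {
 default = false;
 type = types.bool;
-description = "Whether or not to enable libstroke for gesture support";
+description = lib.mdDoc "Whether or not to enable libstroke for gesture support";
 };
 };
 };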
+5 -5
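--- a/nixos/modules/system/boot/initrd-network.nix
+++ b/nixos/modules/system/boot/initrd-network.nix
@@ -50,17 +50,17 @@
 boot.initrd.network.enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Add network connectivity support to initrd. The network may be
-configured using the <literal>ip</literal> kernel parameter,
-as described in <link xlink:href="https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt">the kernel documentation</link>.
+configured using the `ip` kernel parameter,
+as described in [the kernel documentation](https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt).
 Otherwise, if
-<option>networking.useDHCP</option> is enabled, an IP address
+{option}`networking.useDHCP` is enabled, an IP address
 is acquired using DHCP.
 
 You should add the module(s) required for your network card to
 boot.initrd.availableKernelModules.
-<literal>lspci -v | grep -iA8 'network\|ethernet'</literal>
+`lspci -v | grep -iA8 'network\|ethernet'`
 will tell you which.
 '';
 };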
+2 -2
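--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -548,11 +548,11 @@
 boot.initrd.luks.devices = mkOption {
 default = { };
 example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
-description = ''
+description = lib.mdDoc ''
 The encrypted disk that should be opened before the root
 filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
 setups are supported. The unencrypted devices can be accessed as
-<filename>/dev/mapper/«name»</filename>.
+{file}`/dev/mapper/«name»`.
 '';
 
 type = with types; attrsOf (submodule (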
+3 -3
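--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -1904,11 +1904,11 @@
 };
 
 extraArgs = mkOption {
-description = ''
+description = lib.mdDoc ''
 Extra command-line arguments to pass to systemd-networkd-wait-online.
-These also affect per-interface <literal>systemd-network-wait-online@</literal> services.
+These also affect per-interface `systemd-network-wait-online@` services.
 
-See <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html"><citerefentry><refentrytitle>systemd-networkd-wait-online.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></link> for all available options.
+See [{manpage}`systemd-networkd-wait-online.service(8)`](https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html) for all available options.
 '';
 type = with types; listOf str;
 default = [];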
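Review bot: Line 1909 names the per-interface units `systemd-network-wait-online@`, while the line above and the linked man page both say `systemd-networkd-wait-online`, so the `d` in `networkd` is missing. The conversion carried this over from the old text. Anyone copying the name into `systemctl` or a unit override would not find the service, so the line should read ``These also affect per-interface `systemd-networkd-wait-online@` services.``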
+3 -3
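--- a/nixos/modules/system/boot/systemd/logind.nix
+++ b/nixos/modules/system/boot/systemd/logind.nix
@@ -26,14 +26,14 @@
 services.logind.killUserProcesses = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Specifies whether the processes of a user should be killed
 when the user logs out. If true, the scope unit corresponding
 to the session and all processes inside that scope will be
 terminated. If false, the scope is "abandoned" (see
-<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">systemd.scope(5)</link>), and processes are not killed.
+[systemd.scope(5)](https://www.freedesktop.org/software/systemd/man/systemd.scope.html#)), and processes are not killed.
 
-See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
+See [logind.conf(5)](https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=)
 for more details.
 '';
 };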
+5 -5
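--- a/nixos/modules/system/boot/systemd/tmpfiles.nix
+++ b/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -25,16 +25,16 @@
 default = [];
 example = literalExpression "[ pkgs.lvm2 ]";
 apply = map getLib;
-description = ''
-List of packages containing <command>systemd-tmpfiles</command> rules.
+description = lib.mdDoc ''
+List of packages containing {command}`systemd-tmpfiles` rules.
 
 All files ending in .conf found in
-<filename>«pkg»/lib/tmpfiles.d</filename>
+{file}`«pkg»/lib/tmpfiles.d`
 will be included.
 If this folder does not exist or does not contain any files an error will be returned instead.
 
-If a <filename>lib</filename> output is available, rules are searched there and only there.
-If there is no <filename>lib</filename> output it will fall back to <filename>out</filename>
+If a {file}`lib` output is available, rules are searched there and only there.
+If there is no {file}`lib` output it will fall back to {file}`out`
 and if that does not exist either, the default output will be used.
 '';
 };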
+3 -3
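--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -25,10 +25,10 @@
 type = types.enum ["switch" "boot"];
 default = "switch";
 example = "boot";
-description = ''
+description = lib.mdDoc ''
 Whether to run
-<literal>nixos-rebuild switch --upgrade</literal> or run
-<literal>nixos-rebuild boot --upgrade</literal>
+`nixos-rebuild switch --upgrade` or run
+`nixos-rebuild boot --upgrade`
 '';
 };
 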
+6 -6
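--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -579,11 +579,11 @@
 privateNetwork = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to give the container its own private virtual
 Ethernet interface. The interface is called
-<literal>eth0</literal>, and is hooked up to the interface
-<literal>ve-«container-name»</literal>
+`eth0`, and is hooked up to the interface
+`ve-«container-name»`
 on the host. If this option is not set, then the
 container shares the network interfaces of the host,
 and can bind to any port on any interface.
@@ -728,12 +728,12 @@
 };
 }
 '';
-description = ''
+description = lib.mdDoc ''
 A set of NixOS system configurations to be run as lightweight
 containers. Each container appears as a service
-<literal>container-«name»</literal>
+`container-«name»`
 on the host system, allowing it to be started and stopped via
-<command>systemctl</command>.
+{command}`systemctl`.
 '';
 };
 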