+12 -13

nixos/modules/programs/java.nix

··· 15 16 programs.java = { 17 18 - enable = mkEnableOption "java" // { 19 - description = '' 20 Install and setup the Java development kit. 21 - <note> 22 - <para>This adds JAVA_HOME to the global environment, by sourcing the 23 - jdk's setup-hook on shell init. It is equivalent to starting a shell 24 - through 'nix-shell -p jdk', or roughly the following system-wide 25 - configuration: 26 - </para> 27 - <programlisting> 28 - environment.variables.JAVA_HOME = ''${pkgs.jdk.home}/lib/openjdk; 29 - environment.systemPackages = [ pkgs.jdk ]; 30 - </programlisting> 31 - </note> 32 ''; 33 }; 34

··· 15 16 programs.java = { 17 18 + enable = mkEnableOption (lib.mdDoc "java") // { 19 + description = lib.mdDoc '' 20 Install and setup the Java development kit. 21 + 22 + ::: {.note} 23 + This adds JAVA_HOME to the global environment, by sourcing the 24 + jdk's setup-hook on shell init. It is equivalent to starting a shell 25 + through 'nix-shell -p jdk', or roughly the following system-wide 26 + configuration: 27 + 28 + environment.variables.JAVA_HOME = ''${pkgs.jdk.home}/lib/openjdk; 29 + environment.systemPackages = [ pkgs.jdk ]; 30 + ::: 0 31 ''; 32 }; 33

+22 -14

nixos/modules/security/dhparams.nix

··· 56 in attrsOf (coercedTo int coerce (submodule paramsSubmodule)); 57 default = {}; 58 example = lib.literalExpression "{ nginx.bits = 3072; }"; 59 - description = '' 60 Diffie-Hellman parameters to generate. 61 62 The value is the size (in bits) of the DH params to generate. The 63 generated DH params path can be found in 64 - <literal>config.security.dhparams.params.«name».path</literal>. 65 66 - <note><para>The name of the DH params is taken as being the name of 0 67 the service it serves and the params will be generated before the 68 - said service is started.</para></note> 0 69 70 - <warning><para>If you are removing all dhparams from this list, you 71 - have to leave <option>security.dhparams.enable</option> for at 0 72 least one activation in order to have them be cleaned up. This also 73 means if you rollback to a version without any dhparams the 74 existing ones won't be cleaned up. Of course this only applies if 75 - <option>security.dhparams.stateful</option> is 76 - <literal>true</literal>.</para></warning> 0 77 78 - <note><title>For module implementers:</title><para>It's recommended 0 79 to not set a specific bit size here, so that users can easily 80 override this by setting 81 - <option>security.dhparams.defaultBitSize</option>.</para></note> 0 82 ''; 83 }; 84 85 stateful = mkOption { 86 type = types.bool; 87 default = true; 88 - description = '' 89 Whether generation of Diffie-Hellman parameters should be stateful or 90 not. If this is enabled, PEM-encoded files for Diffie-Hellman 91 parameters are placed in the directory specified by 92 - <option>security.dhparams.path</option>. Otherwise the files are 93 created within the Nix store. 94 95 - <note><para>If this is <literal>false</literal> the resulting store 0 96 path will be non-deterministic and will be rebuilt every time the 97 - <literal>openssl</literal> package changes.</para></note> 0 98 ''; 99 }; 100

··· 56 in attrsOf (coercedTo int coerce (submodule paramsSubmodule)); 57 default = {}; 58 example = lib.literalExpression "{ nginx.bits = 3072; }"; 59 + description = lib.mdDoc '' 60 Diffie-Hellman parameters to generate. 61 62 The value is the size (in bits) of the DH params to generate. The 63 generated DH params path can be found in 64 + `config.security.dhparams.params.«name».path`. 65 66 + ::: {.note} 67 + The name of the DH params is taken as being the name of 68 the service it serves and the params will be generated before the 69 + said service is started. 70 + ::: 71 72 + ::: {.warning} 73 + If you are removing all dhparams from this list, you 74 + have to leave {option}`security.dhparams.enable` for at 75 least one activation in order to have them be cleaned up. This also 76 means if you rollback to a version without any dhparams the 77 existing ones won't be cleaned up. Of course this only applies if 78 + {option}`security.dhparams.stateful` is 79 + `true`. 80 + ::: 81 82 + ::: {.note} 83 + **For module implementers:** It's recommended 84 to not set a specific bit size here, so that users can easily 85 override this by setting 86 + {option}`security.dhparams.defaultBitSize`. 87 + ::: 88 ''; 89 }; 90 91 stateful = mkOption { 92 type = types.bool; 93 default = true; 94 + description = lib.mdDoc '' 95 Whether generation of Diffie-Hellman parameters should be stateful or 96 not. If this is enabled, PEM-encoded files for Diffie-Hellman 97 parameters are placed in the directory specified by 98 + {option}`security.dhparams.path`. Otherwise the files are 99 created within the Nix store. 100 101 + ::: {.note} 102 + If this is `false` the resulting store 103 path will be non-deterministic and will be rebuilt every time the 104 + `openssl` package changes. 105 + ::: 106 ''; 107 }; 108

+18 -16

nixos/modules/security/systemd-confinement.nix

··· 38 type = types.listOf (types.either types.str types.package); 39 default = []; 40 description = let 41 - mkScOption = optName: "<option>serviceConfig.${optName}</option>"; 42 - in '' 43 Additional packages or strings with context to add to the closure of 44 the chroot. By default, this includes all the packages from the 45 ${lib.concatMapStringsSep ", " mkScOption [ ··· 47 "ExecStopPost" 48 ]} and ${mkScOption "ExecStart"} options. If you want to have all the 49 dependencies of this systemd unit, you can use 50 - <option>confinement.fullUnit</option>. 51 52 - <note><para>The store paths listed in <option>path</option> are 53 - <emphasis role="strong">not</emphasis> included in the closure as 0 54 well as paths from other options except those listed 55 - above.</para></note> 0 56 ''; 57 }; 58 ··· 74 options.confinement.mode = lib.mkOption { 75 type = types.enum [ "full-apivfs" "chroot-only" ]; 76 default = "full-apivfs"; 77 - description = '' 78 - The value <literal>full-apivfs</literal> (the default) sets up 79 - private <filename class="directory">/dev</filename>, <filename 80 - class="directory">/proc</filename>, <filename 81 - class="directory">/sys</filename> and <filename 82 - class="directory">/tmp</filename> file systems in a separate user 83 name space. 84 85 - If this is set to <literal>chroot-only</literal>, only the file 86 system name space is set up along with the call to 87 - <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>. 88 89 - <note><para>This doesn't cover network namespaces and is solely for 90 - file system level isolation.</para></note> 0 0 91 ''; 92 }; 93

··· 38 type = types.listOf (types.either types.str types.package); 39 default = []; 40 description = let 41 + mkScOption = optName: "{option}`serviceConfig.${optName}`"; 42 + in lib.mdDoc '' 43 Additional packages or strings with context to add to the closure of 44 the chroot. By default, this includes all the packages from the 45 ${lib.concatMapStringsSep ", " mkScOption [ ··· 47 "ExecStopPost" 48 ]} and ${mkScOption "ExecStart"} options. If you want to have all the 49 dependencies of this systemd unit, you can use 50 + {option}`confinement.fullUnit`. 51 52 + ::: {.note} 53 + The store paths listed in {option}`path` are 54 + **not** included in the closure as 55 well as paths from other options except those listed 56 + above. 57 + ::: 58 ''; 59 }; 60 ··· 76 options.confinement.mode = lib.mkOption { 77 type = types.enum [ "full-apivfs" "chroot-only" ]; 78 default = "full-apivfs"; 79 + description = lib.mdDoc '' 80 + The value `full-apivfs` (the default) sets up 81 + private {file}`/dev`, {file}`/proc`, 82 + {file}`/sys` and {file}`/tmp` file systems in a separate user 0 0 83 name space. 84 85 + If this is set to `chroot-only`, only the file 86 system name space is set up along with the call to 87 + {manpage}`chroot(2)`. 88 89 + ::: {.note} 90 + This doesn't cover network namespaces and is solely for 91 + file system level isolation. 92 + ::: 93 ''; 94 }; 95

+10 -10

nixos/modules/security/wrappers/default.nix

··· 51 options.capabilities = lib.mkOption 52 { type = lib.types.commas; 53 default = ""; 54 - description = '' 55 A comma-separated list of capabilities to be given to the wrapper 56 program. For capabilities supported by the system check the 57 - <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> 58 manual page. 59 60 - <note><para> 61 - <literal>cap_setpcap</literal>, which is required for the wrapper 62 - program to be able to raise caps into the Ambient set is NOT raised 63 - to the Ambient set so that the real program cannot modify its own 64 - capabilities!! This may be too restrictive for cases in which the 65 - real program needs cap_setpcap but it at least leans on the side 66 - security paranoid vs. too relaxed. 67 - </para></note> 68 ''; 69 }; 70 options.setuid = lib.mkOption

··· 51 options.capabilities = lib.mkOption 52 { type = lib.types.commas; 53 default = ""; 54 + description = lib.mdDoc '' 55 A comma-separated list of capabilities to be given to the wrapper 56 program. For capabilities supported by the system check the 57 + {manpage}`capabilities(7)` 58 manual page. 59 60 + ::: {.note} 61 + `cap_setpcap`, which is required for the wrapper 62 + program to be able to raise caps into the Ambient set is NOT raised 63 + to the Ambient set so that the real program cannot modify its own 64 + capabilities!! This may be too restrictive for cases in which the 65 + real program needs cap_setpcap but it at least leans on the side 66 + security paranoid vs. too relaxed. 67 + ::: 68 ''; 69 }; 70 options.setuid = lib.mkOption

+6 -6

nixos/modules/services/backup/duplicati.nix

··· 21 dataDir = mkOption { 22 type = types.str; 23 default = "/var/lib/duplicati"; 24 - description = '' 25 The directory where Duplicati stores its data files. 26 27 - <note><para> 28 - If left as the default value this directory will automatically be created 29 - before the Duplicati server starts, otherwise you are responsible for ensuring 30 - the directory exists with appropriate ownership and permissions. 31 - </para></note> 32 ''; 33 }; 34

··· 21 dataDir = mkOption { 22 type = types.str; 23 default = "/var/lib/duplicati"; 24 + description = lib.mdDoc '' 25 The directory where Duplicati stores its data files. 26 27 + ::: {.note} 28 + If left as the default value this directory will automatically be created 29 + before the Duplicati server starts, otherwise you are responsible for ensuring 30 + the directory exists with appropriate ownership and permissions. 31 + ::: 32 ''; 33 }; 34

+19 -21

nixos/modules/services/databases/mysql.nix

··· 44 user = mkOption { 45 type = types.str; 46 default = "mysql"; 47 - description = '' 48 User account under which MySQL runs. 49 50 - <note><para> 51 If left as the default value this user will automatically be created 52 on system activation, otherwise you are responsible for 53 ensuring the user exists before the MySQL service starts. 54 - </para></note> 55 ''; 56 }; 57 58 group = mkOption { 59 type = types.str; 60 default = "mysql"; 61 - description = '' 62 Group account under which MySQL runs. 63 64 - <note><para> 65 If left as the default value this group will automatically be created 66 on system activation, otherwise you are responsible for 67 ensuring the user exists before the MySQL service starts. 68 - </para></note> 69 ''; 70 }; 71 72 dataDir = mkOption { 73 type = types.path; 74 example = "/var/lib/mysql"; 75 - description = '' 76 The data directory for MySQL. 77 78 - <note><para> 79 - If left as the default value of <literal>/var/lib/mysql</literal> this directory will automatically be created before the MySQL 80 server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. 81 - </para></note> 82 ''; 83 }; 84 ··· 107 settings = mkOption { 108 type = format.type; 109 default = {}; 110 - description = '' 111 MySQL configuration. Refer to 112 - <link xlink:href="https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html"/>, 113 - <link xlink:href="https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html"/>, 114 - and <link xlink:href="https://mariadb.com/kb/en/server-system-variables/"/> 115 for details on supported values. 116 117 - <note> 118 - <para> 119 - MySQL configuration options such as <literal>--quick</literal> should be treated as 120 - boolean options and provided values such as <literal>true</literal>, <literal>false</literal>, 121 - <literal>1</literal>, or <literal>0</literal>. See the provided example below. 122 - </para> 123 - </note> 124 ''; 125 example = literalExpression '' 126 {

··· 44 user = mkOption { 45 type = types.str; 46 default = "mysql"; 47 + description = lib.mdDoc '' 48 User account under which MySQL runs. 49 50 + ::: {.note} 51 If left as the default value this user will automatically be created 52 on system activation, otherwise you are responsible for 53 ensuring the user exists before the MySQL service starts. 54 + ::: 55 ''; 56 }; 57 58 group = mkOption { 59 type = types.str; 60 default = "mysql"; 61 + description = lib.mdDoc '' 62 Group account under which MySQL runs. 63 64 + ::: {.note} 65 If left as the default value this group will automatically be created 66 on system activation, otherwise you are responsible for 67 ensuring the user exists before the MySQL service starts. 68 + ::: 69 ''; 70 }; 71 72 dataDir = mkOption { 73 type = types.path; 74 example = "/var/lib/mysql"; 75 + description = lib.mdDoc '' 76 The data directory for MySQL. 77 78 + ::: {.note} 79 + If left as the default value of `/var/lib/mysql` this directory will automatically be created before the MySQL 80 server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. 81 + ::: 82 ''; 83 }; 84 ··· 107 settings = mkOption { 108 type = format.type; 109 default = {}; 110 + description = lib.mdDoc '' 111 MySQL configuration. Refer to 112 + <https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html>, 113 + <https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html>, 114 + and <https://mariadb.com/kb/en/server-system-variables/> 115 for details on supported values. 116 117 + ::: {.note} 118 + MySQL configuration options such as `--quick` should be treated as 119 + boolean options and provided values such as `true`, `false`, 120 + `1`, or `0`. See the provided example below. 121 + ::: 0 0 122 ''; 123 example = literalExpression '' 124 {

+7 -7

nixos/modules/services/databases/postgresql.nix

··· 230 settings = mkOption { 231 type = with types; attrsOf (oneOf [ bool float int str ]); 232 default = {}; 233 - description = '' 234 PostgreSQL configuration. Refer to 235 - <link xlink:href="https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE"/> 236 - for an overview of <literal>postgresql.conf</literal>. 237 238 - <note><para> 239 - String values will automatically be enclosed in single quotes. Single quotes will be 240 - escaped with two single quotes as described by the upstream documentation linked above. 241 - </para></note> 242 ''; 243 example = literalExpression '' 244 {

··· 230 settings = mkOption { 231 type = with types; attrsOf (oneOf [ bool float int str ]); 232 default = {}; 233 + description = lib.mdDoc '' 234 PostgreSQL configuration. Refer to 235 + <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> 236 + for an overview of `postgresql.conf`. 237 238 + ::: {.note} 239 + String values will automatically be enclosed in single quotes. Single quotes will be 240 + escaped with two single quotes as described by the upstream documentation linked above. 241 + ::: 242 ''; 243 example = literalExpression '' 244 {

+4 -4

nixos/modules/services/hardware/acpid.nix

··· 72 }; 73 }); 74 75 - description = '' 76 Event handlers. 77 78 - <note><para> 79 - Handler can be a single command. 80 - </para></note> 81 ''; 82 default = {}; 83 example = {

··· 72 }; 73 }); 74 75 + description = lib.mdDoc '' 76 Event handlers. 77 78 + ::: {.note} 79 + Handler can be a single command. 80 + ::: 81 ''; 82 default = {}; 83 example = {

+5 -5

nixos/modules/services/hardware/bluetooth.nix

··· 51 default = pkgs.bluez; 52 defaultText = literalExpression "pkgs.bluez"; 53 example = literalExpression "pkgs.bluezFull"; 54 - description = '' 55 Which BlueZ package to use. 56 57 - <note><para> 58 - Use the <literal>pkgs.bluezFull</literal> package to enable all 59 - bluez plugins. 60 - </para></note> 61 ''; 62 }; 63

··· 51 default = pkgs.bluez; 52 defaultText = literalExpression "pkgs.bluez"; 53 example = literalExpression "pkgs.bluezFull"; 54 + description = lib.mdDoc '' 55 Which BlueZ package to use. 56 57 + ::: {.note} 58 + Use the `pkgs.bluezFull` package to enable all 59 + bluez plugins. 60 + ::: 61 ''; 62 }; 63

+8 -8

nixos/modules/services/hardware/sane.nix

··· 48 hardware.sane.enable = mkOption { 49 type = types.bool; 50 default = false; 51 - description = '' 52 Enable support for SANE scanners. 53 54 - <note><para> 55 - Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer. 56 - </para></note> 57 ''; 58 }; 59 ··· 66 hardware.sane.extraBackends = mkOption { 67 type = types.listOf types.path; 68 default = []; 69 - description = '' 70 Packages providing extra SANE backends to enable. 71 72 - <note><para> 73 - The example contains the package for HP scanners. 74 - </para></note> 75 ''; 76 example = literalExpression "[ pkgs.hplipWithPlugin ]"; 77 };

··· 48 hardware.sane.enable = mkOption { 49 type = types.bool; 50 default = false; 51 + description = lib.mdDoc '' 52 Enable support for SANE scanners. 53 54 + ::: {.note} 55 + Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer. 56 + ::: 57 ''; 58 }; 59 ··· 66 hardware.sane.extraBackends = mkOption { 67 type = types.listOf types.path; 68 default = []; 69 + description = lib.mdDoc '' 70 Packages providing extra SANE backends to enable. 71 72 + ::: {.note} 73 + The example contains the package for HP scanners. 74 + ::: 75 ''; 76 example = literalExpression "[ pkgs.hplipWithPlugin ]"; 77 };

+11 -10

nixos/modules/services/mail/maddy.nix

··· 144 user = mkOption { 145 default = "maddy"; 146 type = with types; uniq string; 147 - description = '' 148 User account under which maddy runs. 149 150 - <note><para> 151 If left as the default value this user will automatically be created 152 on system activation, otherwise the sysadmin is responsible for 153 ensuring the user exists before the maddy service starts. 154 - </para></note> 155 ''; 156 }; 157 158 group = mkOption { 159 default = "maddy"; 160 type = with types; uniq string; 161 - description = '' 162 Group account under which maddy runs. 163 164 - <note><para> 165 If left as the default value this group will automatically be created 166 on system activation, otherwise the sysadmin is responsible for 167 ensuring the group exists before the maddy service starts. 168 - </para></note> 169 ''; 170 }; 171 ··· 203 config = mkOption { 204 type = with types; nullOr lines; 205 default = defaultConfig; 206 - description = '' 207 Server configuration, see 208 - <link xlink:href="https://maddy.email">https://maddy.email</link> for 209 more information. The default configuration of this module will setup 210 minimal maddy instance for mail transfer without TLS encryption. 211 - <note><para> 0 212 This should not be used in a production environment. 213 - </para></note> 214 ''; 215 }; 216

··· 144 user = mkOption { 145 default = "maddy"; 146 type = with types; uniq string; 147 + description = lib.mdDoc '' 148 User account under which maddy runs. 149 150 + ::: {.note} 151 If left as the default value this user will automatically be created 152 on system activation, otherwise the sysadmin is responsible for 153 ensuring the user exists before the maddy service starts. 154 + ::: 155 ''; 156 }; 157 158 group = mkOption { 159 default = "maddy"; 160 type = with types; uniq string; 161 + description = lib.mdDoc '' 162 Group account under which maddy runs. 163 164 + ::: {.note} 165 If left as the default value this group will automatically be created 166 on system activation, otherwise the sysadmin is responsible for 167 ensuring the group exists before the maddy service starts. 168 + ::: 169 ''; 170 }; 171 ··· 203 config = mkOption { 204 type = with types; nullOr lines; 205 default = defaultConfig; 206 + description = lib.mdDoc '' 207 Server configuration, see 208 + [https://maddy.email](https://maddy.email) for 209 more information. The default configuration of this module will setup 210 minimal maddy instance for mail transfer without TLS encryption. 211 + 212 + ::: {.note} 213 This should not be used in a production environment. 214 + ::: 215 ''; 216 }; 217

+16 -22

nixos/modules/services/misc/gitlab.nix

··· 748 type = types.int; 749 default = 2; 750 apply = x: builtins.toString x; 751 - description = '' 752 The number of worker processes Puma should spawn. This 753 controls the amount of parallel Ruby code can be 754 - executed. GitLab recommends <literal>Number of CPU cores - 1</literal>, but at least two. 755 756 - <note> 757 - <para> 758 - Each worker consumes quite a bit of memory, so 759 - be careful when increasing this. 760 - </para> 761 - </note> 762 ''; 763 }; 764 ··· 766 type = types.int; 767 default = 0; 768 apply = x: builtins.toString x; 769 - description = '' 770 The minimum number of threads Puma should use per 771 worker. 772 773 - <note> 774 - <para> 775 - Each thread consumes memory and contributes to Global VM 776 - Lock contention, so be careful when increasing this. 777 - </para> 778 - </note> 779 ''; 780 }; 781 ··· 783 type = types.int; 784 default = 4; 785 apply = x: builtins.toString x; 786 - description = '' 787 The maximum number of threads Puma should use per 788 worker. This limits how many threads Puma will automatically 789 spawn in response to requests. In contrast to workers, 790 threads will never be able to run Ruby code in parallel, but 791 give higher IO parallelism. 792 793 - <note> 794 - <para> 795 - Each thread consumes memory and contributes to Global VM 796 - Lock contention, so be careful when increasing this. 797 - </para> 798 - </note> 799 ''; 800 }; 801

··· 748 type = types.int; 749 default = 2; 750 apply = x: builtins.toString x; 751 + description = lib.mdDoc '' 752 The number of worker processes Puma should spawn. This 753 controls the amount of parallel Ruby code can be 754 + executed. GitLab recommends `Number of CPU cores - 1`, but at least two. 755 756 + ::: {.note} 757 + Each worker consumes quite a bit of memory, so 758 + be careful when increasing this. 759 + ::: 0 0 760 ''; 761 }; 762 ··· 764 type = types.int; 765 default = 0; 766 apply = x: builtins.toString x; 767 + description = lib.mdDoc '' 768 The minimum number of threads Puma should use per 769 worker. 770 771 + ::: {.note} 772 + Each thread consumes memory and contributes to Global VM 773 + Lock contention, so be careful when increasing this. 774 + ::: 0 0 775 ''; 776 }; 777 ··· 779 type = types.int; 780 default = 4; 781 apply = x: builtins.toString x; 782 + description = lib.mdDoc '' 783 The maximum number of threads Puma should use per 784 worker. This limits how many threads Puma will automatically 785 spawn in response to requests. In contrast to workers, 786 threads will never be able to run Ruby code in parallel, but 787 give higher IO parallelism. 788 789 + ::: {.note} 790 + Each thread consumes memory and contributes to Global VM 791 + Lock contention, so be careful when increasing this. 792 + ::: 0 0 793 ''; 794 }; 795

+5 -5

nixos/modules/services/misc/sdrplay.nix

··· 5 enable = mkOption { 6 default = false; 7 example = true; 8 - description = '' 9 Whether to enable the SDRplay API service and udev rules. 10 11 - <note><para> 12 - To enable integration with SoapySDR and GUI applications like gqrx create an overlay containing 13 - <literal>soapysdr-with-plugins = super.soapysdr.override { extraPackages = [ super.soapysdrplay ]; };</literal> 14 - </para></note> 15 ''; 16 type = lib.types.bool; 17 };

··· 5 enable = mkOption { 6 default = false; 7 example = true; 8 + description = lib.mdDoc '' 9 Whether to enable the SDRplay API service and udev rules. 10 11 + ::: {.note} 12 + To enable integration with SoapySDR and GUI applications like gqrx create an overlay containing 13 + `soapysdr-with-plugins = super.soapysdr.override { extraPackages = [ super.soapysdrplay ]; };` 14 + ::: 15 ''; 16 type = lib.types.bool; 17 };

+5 -5

nixos/modules/services/misc/sourcehut/default.nix

··· 668 }; 669 670 builds = { 671 - enableWorker = mkEnableOption '' 672 worker for builds.sr.ht 673 674 - <warning><para> 675 For smaller deployments, job runners can be installed alongside the master server 676 but even if you only build your own software, integration with other services 677 may cause you to run untrusted builds 678 (e.g. automatic testing of patches via listssrht). 679 - See <link xlink:href="https://man.sr.ht/builds.sr.ht/configuration.md#security-model"/>. 680 - </para></warning> 681 - ''; 682 683 images = mkOption { 684 type = with types; attrsOf (attrsOf (attrsOf package));

··· 668 }; 669 670 builds = { 671 + enableWorker = mkEnableOption (lib.mdDoc '' 672 worker for builds.sr.ht 673 674 + ::: {.warning} 675 For smaller deployments, job runners can be installed alongside the master server 676 but even if you only build your own software, integration with other services 677 may cause you to run untrusted builds 678 (e.g. automatic testing of patches via listssrht). 679 + See <https://man.sr.ht/builds.sr.ht/configuration.md#security-model>. 680 + ::: 681 + ''); 682 683 images = mkOption { 684 type = with types; attrsOf (attrsOf (attrsOf package));

+14 -12

nixos/modules/services/misc/taskserver/default.nix

··· 10 mkManualPkiOption = desc: mkOption { 11 type = types.nullOr types.path; 12 default = null; 13 - description = desc + '' 14 - <note><para> 0 0 15 Setting this option will prevent automatic CA creation and handling. 16 - </para></note> 17 ''; 18 }; 19 ··· 35 ''; 36 }; 37 38 - mkAutoDesc = preamble: '' 39 ${preamble} 40 41 - <note><para> 42 This option is for the automatically handled CA and will be ignored if any 43 - of the <option>services.taskserver.pki.manual.*</option> options are set. 44 - </para></note> 45 ''; 46 47 mkExpireOption = desc: mkOption { ··· 50 example = 365; 51 apply = val: if val == null then -1 else val; 52 description = mkAutoDesc '' 53 - The expiration time of ${desc} in days or <literal>null</literal> for no 54 expiration time. 55 ''; 56 }; ··· 140 default = false; 141 description = let 142 url = "https://nixos.org/manual/nixos/stable/index.html#module-services-taskserver"; 143 - in '' 144 Whether to enable the Taskwarrior server. 145 146 More instructions about NixOS in conjuction with Taskserver can be 147 - found <link xlink:href="${url}">in the NixOS manual</link>. 148 ''; 149 }; 150 ··· 172 example = "NORMAL:-VERS-SSL3.0"; 173 description = let 174 url = "https://gnutls.org/manual/html_node/Priority-Strings.html"; 175 - in '' 176 List of GnuTLS ciphers to use. See the GnuTLS documentation about 177 - priority strings at <link xlink:href="${url}"/> for full details. 178 ''; 179 }; 180

··· 10 mkManualPkiOption = desc: mkOption { 11 type = types.nullOr types.path; 12 default = null; 13 + description = lib.mdDoc '' 14 + ${desc} 15 + 16 + ::: {.note} 17 Setting this option will prevent automatic CA creation and handling. 18 + ::: 19 ''; 20 }; 21 ··· 37 ''; 38 }; 39 40 + mkAutoDesc = preamble: lib.mdDoc '' 41 ${preamble} 42 43 + ::: {.note} 44 This option is for the automatically handled CA and will be ignored if any 45 + of the {option}`services.taskserver.pki.manual.*` options are set. 46 + ::: 47 ''; 48 49 mkExpireOption = desc: mkOption { ··· 52 example = 365; 53 apply = val: if val == null then -1 else val; 54 description = mkAutoDesc '' 55 + The expiration time of ${desc} in days or `null` for no 56 expiration time. 57 ''; 58 }; ··· 142 default = false; 143 description = let 144 url = "https://nixos.org/manual/nixos/stable/index.html#module-services-taskserver"; 145 + in lib.mdDoc '' 146 Whether to enable the Taskwarrior server. 147 148 More instructions about NixOS in conjuction with Taskserver can be 149 + found [in the NixOS manual](${url}). 150 ''; 151 }; 152 ··· 174 example = "NORMAL:-VERS-SSL3.0"; 175 description = let 176 url = "https://gnutls.org/manual/html_node/Priority-Strings.html"; 177 + in lib.mdDoc '' 178 List of GnuTLS ciphers to use. See the GnuTLS documentation about 179 + priority strings at <${url}> for full details. 180 ''; 181 }; 182

+7 -7

nixos/modules/services/network-filesystems/samba-wsdd.nix

··· 8 in { 9 options = { 10 services.samba-wsdd = { 11 - enable = mkEnableOption '' 12 Enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device, 13 to be found by Web Service Discovery Clients like Windows. 14 - <note> 15 - <para>If you use the firewall consider adding the following:</para> 16 - <programlisting> 0 17 networking.firewall.allowedTCPPorts = [ 5357 ]; 18 networking.firewall.allowedUDPPorts = [ 3702 ]; 19 - </programlisting> 20 - </note> 21 - ''; 22 interface = mkOption { 23 type = types.nullOr types.str; 24 default = null;

··· 8 in { 9 options = { 10 services.samba-wsdd = { 11 + enable = mkEnableOption (lib.mdDoc '' 12 Enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device, 13 to be found by Web Service Discovery Clients like Windows. 14 + 15 + ::: {.note} 16 + If you use the firewall consider adding the following: 17 + 18 networking.firewall.allowedTCPPorts = [ 5357 ]; 19 networking.firewall.allowedUDPPorts = [ 3702 ]; 20 + ::: 21 + ''); 0 22 interface = mkOption { 23 type = types.nullOr types.str; 24 default = null;

+6 -7

nixos/modules/services/network-filesystems/samba.nix

··· 80 enable = mkOption { 81 type = types.bool; 82 default = false; 83 - description = '' 84 Whether to enable Samba, which provides file and print 85 services to Windows clients through the SMB/CIFS protocol. 86 87 - <note> 88 - <para>If you use the firewall consider adding the following:</para> 89 - <programlisting> 90 - services.samba.openFirewall = true; 91 - </programlisting> 92 - </note> 93 ''; 94 }; 95

··· 80 enable = mkOption { 81 type = types.bool; 82 default = false; 83 + description = lib.mdDoc '' 84 Whether to enable Samba, which provides file and print 85 services to Windows clients through the SMB/CIFS protocol. 86 87 + ::: {.note} 88 + If you use the firewall consider adding the following: 89 + 90 + services.samba.openFirewall = true; 91 + ::: 0 92 ''; 93 }; 94

+7 -7

nixos/modules/services/networking/adguardhome.nix

··· 64 settings = mkOption { 65 type = (pkgs.formats.yaml { }).type; 66 default = { }; 67 - description = '' 68 AdGuard Home configuration. Refer to 69 - <link xlink:href="https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file"/> 70 for details on supported values. 71 72 - <note><para> 73 - On start and if <option>mutableSettings</option> is <literal>true</literal>, 74 - these options are merged into the configuration file on start, taking 75 - precedence over configuration changes made on the web interface. 76 - </para></note> 77 ''; 78 }; 79

··· 64 settings = mkOption { 65 type = (pkgs.formats.yaml { }).type; 66 default = { }; 67 + description = lib.mdDoc '' 68 AdGuard Home configuration. Refer to 69 + <https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file> 70 for details on supported values. 71 72 + ::: {.note} 73 + On start and if {option}`mutableSettings` is `true`, 74 + these options are merged into the configuration file on start, taking 75 + precedence over configuration changes made on the web interface. 76 + ::: 77 ''; 78 }; 79

+8 -6

nixos/modules/services/networking/headscale.nix

··· 26 user = mkOption { 27 default = "headscale"; 28 type = types.str; 29 - description = '' 30 User account under which headscale runs. 31 - <note><para> 0 32 If left as the default value this user will automatically be created 33 on system activation, otherwise you are responsible for 34 ensuring the user exists before the headscale service starts. 35 - </para></note> 36 ''; 37 }; 38 39 group = mkOption { 40 default = "headscale"; 41 type = types.str; 42 - description = '' 43 Group under which headscale runs. 44 - <note><para> 0 45 If left as the default value this group will automatically be created 46 on system activation, otherwise you are responsible for 47 ensuring the user exists before the headscale service starts. 48 - </para></note> 49 ''; 50 }; 51

··· 26 user = mkOption { 27 default = "headscale"; 28 type = types.str; 29 + description = lib.mdDoc '' 30 User account under which headscale runs. 31 + 32 + ::: {.note} 33 If left as the default value this user will automatically be created 34 on system activation, otherwise you are responsible for 35 ensuring the user exists before the headscale service starts. 36 + ::: 37 ''; 38 }; 39 40 group = mkOption { 41 default = "headscale"; 42 type = types.str; 43 + description = lib.mdDoc '' 44 Group under which headscale runs. 45 + 46 + ::: {.note} 47 If left as the default value this group will automatically be created 48 on system activation, otherwise you are responsible for 49 ensuring the user exists before the headscale service starts. 50 + ::: 51 ''; 52 }; 53

+4 -4

nixos/modules/services/networking/libreswan.nix

··· 93 '''; 94 } 95 ''; 96 - description = '' 97 A set of policies to apply to the IPsec connections. 98 99 - <note><para> 100 - The policy name must match the one of connection it needs to apply to. 101 - </para></note> 102 ''; 103 }; 104

··· 93 '''; 94 } 95 ''; 96 + description = lib.mdDoc '' 97 A set of policies to apply to the IPsec connections. 98 99 + ::: {.note} 100 + The policy name must match the one of connection it needs to apply to. 101 + ::: 102 ''; 103 }; 104

+20 -18

nixos/modules/services/networking/privoxy.nix

··· 67 inspectHttps = mkOption { 68 type = types.bool; 69 default = false; 70 - description = '' 71 Whether to configure Privoxy to inspect HTTPS requests, meaning all 72 encrypted traffic will be filtered as well. This works by decrypting 73 and re-encrypting the requests using a per-domain generated certificate. 74 75 To issue per-domain certificates, Privoxy must be provided with a CA 76 - certificate, using the <literal>ca-cert-file</literal>, 77 - <literal>ca-key-file</literal> settings. 78 79 - <warning><para> 80 - The CA certificate must also be added to the system trust roots, 81 - otherwise browsers will reject all Privoxy certificates as invalid. 82 - You can do so by using the option 83 - <option>security.pki.certificateFiles</option>. 84 - </para></warning> 85 ''; 86 }; 87 ··· 89 type = ageType; 90 default = "10d"; 91 example = "12h"; 92 - description = '' 93 - If <literal>inspectHttps</literal> is enabled, the time generated HTTPS 94 certificates will be stored in a temporary directory for reuse. Once 95 the lifetime has expired the directory will cleared and the certificate 96 will have to be generated again, on-demand. ··· 98 Depending on the traffic, you may want to reduce the lifetime to limit 99 the disk usage, since Privoxy itself never deletes the certificates. 100 101 - <note><para>The format is that of the <literal>tmpfiles.d(5)</literal> 102 - Age parameter.</para></note> 0 0 103 ''; 104 }; 105 ··· 179 # debug 64 180 } 181 ''; 182 - description = '' 183 This option is mapped to the main Privoxy configuration file. 184 Check out the Privoxy user manual at 185 - <link xlink:href="https://www.privoxy.org/user-manual/config.html"/> 186 for available settings and documentation. 187 188 - <note><para> 189 - Repeated settings can be represented by using a list. 190 - </para></note> 191 ''; 192 }; 193

··· 67 inspectHttps = mkOption { 68 type = types.bool; 69 default = false; 70 + description = lib.mdDoc '' 71 Whether to configure Privoxy to inspect HTTPS requests, meaning all 72 encrypted traffic will be filtered as well. This works by decrypting 73 and re-encrypting the requests using a per-domain generated certificate. 74 75 To issue per-domain certificates, Privoxy must be provided with a CA 76 + certificate, using the `ca-cert-file`, 77 + `ca-key-file` settings. 78 79 + ::: {.warning} 80 + The CA certificate must also be added to the system trust roots, 81 + otherwise browsers will reject all Privoxy certificates as invalid. 82 + You can do so by using the option 83 + {option}`security.pki.certificateFiles`. 84 + ::: 85 ''; 86 }; 87 ··· 89 type = ageType; 90 default = "10d"; 91 example = "12h"; 92 + description = lib.mdDoc '' 93 + If `inspectHttps` is enabled, the time generated HTTPS 94 certificates will be stored in a temporary directory for reuse. Once 95 the lifetime has expired the directory will cleared and the certificate 96 will have to be generated again, on-demand. ··· 98 Depending on the traffic, you may want to reduce the lifetime to limit 99 the disk usage, since Privoxy itself never deletes the certificates. 100 101 + ::: {.note} 102 + The format is that of the `tmpfiles.d(5)` 103 + Age parameter. 104 + ::: 105 ''; 106 }; 107 ··· 181 # debug 64 182 } 183 ''; 184 + description = lib.mdDoc '' 185 This option is mapped to the main Privoxy configuration file. 186 Check out the Privoxy user manual at 187 + <https://www.privoxy.org/user-manual/config.html> 188 for available settings and documentation. 189 190 + ::: {.note} 191 + Repeated settings can be represented by using a list. 192 + ::: 193 ''; 194 }; 195

+6 -6

nixos/modules/services/networking/prosody.nix

··· 529 user = mkOption { 530 type = types.str; 531 default = "prosody"; 532 - description = '' 533 User account under which prosody runs. 534 535 - <note><para> 536 If left as the default value this user will automatically be created 537 on system activation, otherwise you are responsible for 538 ensuring the user exists before the prosody service starts. 539 - </para></note> 540 ''; 541 }; 542 543 group = mkOption { 544 type = types.str; 545 default = "prosody"; 546 - description = '' 547 Group account under which prosody runs. 548 549 - <note><para> 550 If left as the default value this group will automatically be created 551 on system activation, otherwise you are responsible for 552 ensuring the group exists before the prosody service starts. 553 - </para></note> 554 ''; 555 }; 556

··· 529 user = mkOption { 530 type = types.str; 531 default = "prosody"; 532 + description = lib.mdDoc '' 533 User account under which prosody runs. 534 535 + ::: {.note} 536 If left as the default value this user will automatically be created 537 on system activation, otherwise you are responsible for 538 ensuring the user exists before the prosody service starts. 539 + ::: 540 ''; 541 }; 542 543 group = mkOption { 544 type = types.str; 545 default = "prosody"; 546 + description = lib.mdDoc '' 547 Group account under which prosody runs. 548 549 + ::: {.note} 550 If left as the default value this group will automatically be created 551 on system activation, otherwise you are responsible for 552 ensuring the group exists before the prosody service starts. 553 + ::: 554 ''; 555 }; 556

+20 -23

nixos/modules/services/networking/searx.nix

··· 81 }; 82 } 83 ''; 84 - description = '' 85 Searx settings. These will be merged with (taking precedence over) 86 the default configuration. It's also possible to refer to 87 environment variables 88 - (defined in <xref linkend="opt-services.searx.environmentFile"/>) 89 - using the syntax <literal>@VARIABLE_NAME@</literal>. 90 - <note> 91 - <para> 92 - For available settings, see the Searx 93 - <link xlink:href="https://searx.github.io/searx/admin/settings.html">docs</link>. 94 - </para> 95 - </note> 96 ''; 97 }; 98 99 settingsFile = mkOption { 100 type = types.path; 101 default = "${runDir}/settings.yml"; 102 - description = '' 103 The path of the Searx server settings.yml file. If no file is 104 specified, a default file is used (default config file has debug mode 105 enabled). Note: setting this options overrides 106 - <xref linkend="opt-services.searx.settings"/>. 107 - <warning> 108 - <para> 109 - This file, along with any secret key it contains, will be copied 110 - into the world-readable Nix store. 111 - </para> 112 - </warning> 113 ''; 114 }; 115 ··· 123 runInUwsgi = mkOption { 124 type = types.bool; 125 default = false; 126 - description = '' 127 Whether to run searx in uWSGI as a "vassal", instead of using its 128 built-in HTTP server. This is the recommended mode for public or 129 large instances, but is unecessary for LAN or local-only use. 130 - <warning> 131 - <para> 132 - The built-in HTTP server logs all queries by default. 133 - </para> 134 - </warning> 135 ''; 136 }; 137

··· 81 }; 82 } 83 ''; 84 + description = lib.mdDoc '' 85 Searx settings. These will be merged with (taking precedence over) 86 the default configuration. It's also possible to refer to 87 environment variables 88 + (defined in [](#opt-services.searx.environmentFile)) 89 + using the syntax `@VARIABLE_NAME@`. 90 + 91 + ::: {.note} 92 + For available settings, see the Searx 93 + [docs](https://searx.github.io/searx/admin/settings.html). 94 + ::: 0 95 ''; 96 }; 97 98 settingsFile = mkOption { 99 type = types.path; 100 default = "${runDir}/settings.yml"; 101 + description = lib.mdDoc '' 102 The path of the Searx server settings.yml file. If no file is 103 specified, a default file is used (default config file has debug mode 104 enabled). Note: setting this options overrides 105 + [](#opt-services.searx.settings). 106 + 107 + ::: {.warning} 108 + This file, along with any secret key it contains, will be copied 109 + into the world-readable Nix store. 110 + ::: 0 111 ''; 112 }; 113 ··· 121 runInUwsgi = mkOption { 122 type = types.bool; 123 default = false; 124 + description = lib.mdDoc '' 125 Whether to run searx in uWSGI as a "vassal", instead of using its 126 built-in HTTP server. This is the recommended mode for public or 127 large instances, but is unecessary for LAN or local-only use. 128 + 129 + ::: {.warning} 130 + The built-in HTTP server logs all queries by default. 131 + ::: 0 132 ''; 133 }; 134

+7 -8

nixos/modules/services/networking/shorewall.nix

··· 8 enable = lib.mkOption { 9 type = types.bool; 10 default = false; 11 - description = '' 12 Whether to enable Shorewall IPv4 Firewall. 13 - <warning> 14 - <para> 15 - Enabling this service WILL disable the existing NixOS 16 - firewall! Default firewall rules provided by packages are not 17 - considered at the moment. 18 - </para> 19 - </warning> 20 ''; 21 }; 22 package = lib.mkOption {

··· 8 enable = lib.mkOption { 9 type = types.bool; 10 default = false; 11 + description = lib.mdDoc '' 12 Whether to enable Shorewall IPv4 Firewall. 13 + 14 + ::: {.warning} 15 + Enabling this service WILL disable the existing NixOS 16 + firewall! Default firewall rules provided by packages are not 17 + considered at the moment. 18 + ::: 0 19 ''; 20 }; 21 package = lib.mkOption {

+7 -8

nixos/modules/services/networking/shorewall6.nix

··· 8 enable = lib.mkOption { 9 type = types.bool; 10 default = false; 11 - description = '' 12 Whether to enable Shorewall IPv6 Firewall. 13 - <warning> 14 - <para> 15 - Enabling this service WILL disable the existing NixOS 16 - firewall! Default firewall rules provided by packages are not 17 - considered at the moment. 18 - </para> 19 - </warning> 20 ''; 21 }; 22 package = lib.mkOption {

··· 8 enable = lib.mkOption { 9 type = types.bool; 10 default = false; 11 + description = lib.mdDoc '' 12 Whether to enable Shorewall IPv6 Firewall. 13 + 14 + ::: {.warning} 15 + Enabling this service WILL disable the existing NixOS 16 + firewall! Default firewall rules provided by packages are not 17 + considered at the moment. 18 + ::: 0 19 ''; 20 }; 21 package = lib.mkOption {

+41 -41

nixos/modules/services/networking/wpa_supplicant.nix

··· 170 type = types.listOf types.str; 171 default = []; 172 example = [ "wlan0" "wlan1" ]; 173 - description = '' 174 - The interfaces <command>wpa_supplicant</command> will use. If empty, it will 175 automatically use all wireless interfaces. 176 177 - <note><para> 178 - A separate wpa_supplicant instance will be started for each interface. 179 - </para></note> 180 ''; 181 }; 182 ··· 186 description = lib.mdDoc "Force a specific wpa_supplicant driver."; 187 }; 188 189 - allowAuxiliaryImperativeNetworks = mkEnableOption "support for imperative & declarative networks" // { 190 description = '' 191 Whether to allow configuring networks "imperatively" (e.g. via 192 <literal>wpa_supplicant_gui</literal>) and declaratively via ··· 222 type = types.nullOr types.path; 223 default = null; 224 example = "/run/secrets/wireless.env"; 225 - description = '' 226 - File consisting of lines of the form <literal>varname=value</literal> 227 to define variables for the wireless configuration. 228 229 - See section "EnvironmentFile=" in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a syntax reference. 230 231 Secrets (PSKs, passwords, etc.) can be provided without adding them to 232 the world-readable Nix store by defining them in the environment file and 233 - referring to them in option <option>networking.wireless.networks</option> 234 - with the syntax <literal>@varname@</literal>. Example: 235 236 - <programlisting> 237 # content of /run/secrets/wireless.env 238 PSK_HOME=mypassword 239 PASS_WORK=myworkpassword 240 - </programlisting> 241 242 - <programlisting> 243 # wireless-related configuration 244 networking.wireless.environmentFile = "/run/secrets/wireless.env"; 245 networking.wireless.networks = { ··· 250 password="@PASS_WORK@" 251 '''; 252 }; 253 - </programlisting> 254 ''; 255 }; 256 ··· 260 psk = mkOption { 261 type = types.nullOr types.str; 262 default = null; 263 - description = '' 264 The network's pre-shared key in plaintext defaulting 265 to being a network without any authentication. 266 267 - <warning><para> 268 - Be aware that this will be written to the nix store 269 - in plaintext! Use an environment variable instead. 270 - </para></warning> 271 272 - <note><para> 273 - Mutually exclusive with <varname>pskRaw</varname>. 274 - </para></note> 275 ''; 276 }; 277 278 pskRaw = mkOption { 279 type = types.nullOr types.str; 280 default = null; 281 - description = '' 282 The network's pre-shared key in hex defaulting 283 to being a network without any authentication. 284 285 - <warning><para> 286 - Be aware that this will be written to the nix store 287 - in plaintext! Use an environment variable instead. 288 - </para></warning> 289 290 - <note><para> 291 - Mutually exclusive with <varname>psk</varname>. 292 - </para></note> 293 ''; 294 }; 295 ··· 343 identity="user@example.com" 344 password="@EXAMPLE_PASSWORD@" 345 ''; 346 - description = '' 347 Use this option to configure advanced authentication methods like EAP. 348 See 349 - <citerefentry><refentrytitle>wpa_supplicant.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 350 for example configurations. 351 352 - <warning><para> 353 - Be aware that this will be written to the nix store 354 - in plaintext! Use an environment variable for secrets. 355 - </para></warning> 356 357 - <note><para> 358 - Mutually exclusive with <varname>psk</varname> and 359 - <varname>pskRaw</varname>. 360 - </para></note> 361 ''; 362 }; 363

··· 170 type = types.listOf types.str; 171 default = []; 172 example = [ "wlan0" "wlan1" ]; 173 + description = lib.mdDoc '' 174 + The interfaces {command}`wpa_supplicant` will use. If empty, it will 175 automatically use all wireless interfaces. 176 177 + ::: {.note} 178 + A separate wpa_supplicant instance will be started for each interface. 179 + ::: 180 ''; 181 }; 182 ··· 186 description = lib.mdDoc "Force a specific wpa_supplicant driver."; 187 }; 188 189 + allowAuxiliaryImperativeNetworks = mkEnableOption (lib.mdDoc "support for imperative & declarative networks") // { 190 description = '' 191 Whether to allow configuring networks "imperatively" (e.g. via 192 <literal>wpa_supplicant_gui</literal>) and declaratively via ··· 222 type = types.nullOr types.path; 223 default = null; 224 example = "/run/secrets/wireless.env"; 225 + description = lib.mdDoc '' 226 + File consisting of lines of the form `varname=value` 227 to define variables for the wireless configuration. 228 229 + See section "EnvironmentFile=" in {manpage}`systemd.exec(5)` for a syntax reference. 230 231 Secrets (PSKs, passwords, etc.) can be provided without adding them to 232 the world-readable Nix store by defining them in the environment file and 233 + referring to them in option {option}`networking.wireless.networks` 234 + with the syntax `@varname@`. Example: 235 236 + ``` 237 # content of /run/secrets/wireless.env 238 PSK_HOME=mypassword 239 PASS_WORK=myworkpassword 240 + ``` 241 242 + ``` 243 # wireless-related configuration 244 networking.wireless.environmentFile = "/run/secrets/wireless.env"; 245 networking.wireless.networks = { ··· 250 password="@PASS_WORK@" 251 '''; 252 }; 253 + ``` 254 ''; 255 }; 256 ··· 260 psk = mkOption { 261 type = types.nullOr types.str; 262 default = null; 263 + description = lib.mdDoc '' 264 The network's pre-shared key in plaintext defaulting 265 to being a network without any authentication. 266 267 + ::: {.warning} 268 + Be aware that this will be written to the nix store 269 + in plaintext! Use an environment variable instead. 270 + ::: 271 272 + ::: {.note} 273 + Mutually exclusive with {var}`pskRaw`. 274 + ::: 275 ''; 276 }; 277 278 pskRaw = mkOption { 279 type = types.nullOr types.str; 280 default = null; 281 + description = lib.mdDoc '' 282 The network's pre-shared key in hex defaulting 283 to being a network without any authentication. 284 285 + ::: {.warning} 286 + Be aware that this will be written to the nix store 287 + in plaintext! Use an environment variable instead. 288 + ::: 289 290 + ::: {.note} 291 + Mutually exclusive with {var}`psk`. 292 + ::: 293 ''; 294 }; 295 ··· 343 identity="user@example.com" 344 password="@EXAMPLE_PASSWORD@" 345 ''; 346 + description = lib.mdDoc '' 347 Use this option to configure advanced authentication methods like EAP. 348 See 349 + {manpage}`wpa_supplicant.conf(5)` 350 for example configurations. 351 352 + ::: {.warning} 353 + Be aware that this will be written to the nix store 354 + in plaintext! Use an environment variable for secrets. 355 + ::: 356 357 + ::: {.note} 358 + Mutually exclusive with {var}`psk` and 359 + {var}`pskRaw`. 360 + ::: 361 ''; 362 }; 363

+7 -7

nixos/modules/services/security/cfssl.nix

··· 11 dataDir = mkOption { 12 default = "/var/lib/cfssl"; 13 type = types.path; 14 - description = '' 15 The work directory for CFSSL. 16 17 - <note><para> 18 - If left as the default value this directory will automatically be 19 - created before the CFSSL server starts, otherwise you are 20 - responsible for ensuring the directory exists with appropriate 21 - ownership and permissions. 22 - </para></note> 23 ''; 24 }; 25

··· 11 dataDir = mkOption { 12 default = "/var/lib/cfssl"; 13 type = types.path; 14 + description = lib.mdDoc '' 15 The work directory for CFSSL. 16 17 + ::: {.note} 18 + If left as the default value this directory will automatically be 19 + created before the CFSSL server starts, otherwise you are 20 + responsible for ensuring the directory exists with appropriate 21 + ownership and permissions. 22 + ::: 23 ''; 24 }; 25

+20 -24

nixos/modules/services/security/step-ca.nix

··· 34 }; 35 settings = lib.mkOption { 36 type = with lib.types; attrsOf anything; 37 - description = '' 38 - Settings that go into <filename>ca.json</filename>. See 39 - <link xlink:href="https://smallstep.com/docs/step-ca/configuration">the step-ca manual</link> 40 for more information. The easiest way to 41 - configure this module would be to run <literal>step ca init</literal> 42 - to generate <filename>ca.json</filename> and then import it using 43 - <literal>builtins.fromJSON</literal>. 44 - <link xlink:href="https://smallstep.com/docs/step-cli/basic-crypto-operations#run-an-offline-x509-certificate-authority">This article</link> 45 may also be useful if you want to customize certain aspects of 46 certificate generation for your CA. 47 - You need to change the database storage path to <filename>/var/lib/step-ca/db</filename>. 48 49 - <warning> 50 - <para> 51 - The <option>services.step-ca.settings.address</option> option 52 - will be ignored and overwritten by 53 - <option>services.step-ca.address</option> and 54 - <option>services.step-ca.port</option>. 55 - </para> 56 - </warning> 57 ''; 58 }; 59 intermediatePasswordFile = lib.mkOption { 60 type = lib.types.path; 61 example = "/run/keys/smallstep-password"; 62 - description = '' 63 Path to the file containing the password for the intermediate 64 certificate private key. 65 66 - <warning> 67 - <para> 68 - Make sure to use a quoted absolute path instead of a path literal 69 - to prevent it from being copied to the globally readable Nix 70 - store. 71 - </para> 72 - </warning> 73 ''; 74 }; 75 };

··· 34 }; 35 settings = lib.mkOption { 36 type = with lib.types; attrsOf anything; 37 + description = lib.mdDoc '' 38 + Settings that go into {file}`ca.json`. See 39 + [the step-ca manual](https://smallstep.com/docs/step-ca/configuration) 40 for more information. The easiest way to 41 + configure this module would be to run `step ca init` 42 + to generate {file}`ca.json` and then import it using 43 + `builtins.fromJSON`. 44 + [This article](https://smallstep.com/docs/step-cli/basic-crypto-operations#run-an-offline-x509-certificate-authority) 45 may also be useful if you want to customize certain aspects of 46 certificate generation for your CA. 47 + You need to change the database storage path to {file}`/var/lib/step-ca/db`. 48 49 + ::: {.warning} 50 + The {option}`services.step-ca.settings.address` option 51 + will be ignored and overwritten by 52 + {option}`services.step-ca.address` and 53 + {option}`services.step-ca.port`. 54 + ::: 0 0 55 ''; 56 }; 57 intermediatePasswordFile = lib.mkOption { 58 type = lib.types.path; 59 example = "/run/keys/smallstep-password"; 60 + description = lib.mdDoc '' 61 Path to the file containing the password for the intermediate 62 certificate private key. 63 64 + ::: {.warning} 65 + Make sure to use a quoted absolute path instead of a path literal 66 + to prevent it from being copied to the globally readable Nix 67 + store. 68 + ::: 0 0 69 ''; 70 }; 71 };

+8 -8

nixos/modules/services/security/torify.nix

··· 27 enable = mkOption { 28 type = types.bool; 29 default = false; 30 - description = '' 31 Whether to build tsocks wrapper script to relay application traffic via Tor. 32 33 - <important> 34 - <para>You shouldn't use this unless you know what you're 35 - doing because your installation of Tor already comes with 36 - its own superior (doesn't leak DNS queries) 37 - <literal>torsocks</literal> wrapper which does pretty much 38 - exactly the same thing as this.</para> 39 - </important> 40 ''; 41 }; 42

··· 27 enable = mkOption { 28 type = types.bool; 29 default = false; 30 + description = lib.mdDoc '' 31 Whether to build tsocks wrapper script to relay application traffic via Tor. 32 33 + ::: {.important} 34 + You shouldn't use this unless you know what you're 35 + doing because your installation of Tor already comes with 36 + its own superior (doesn't leak DNS queries) 37 + `torsocks` wrapper which does pretty much 38 + exactly the same thing as this. 39 + ::: 40 ''; 41 }; 42

+13 -15

nixos/modules/services/torrent/magnetico.nix

··· 116 myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG"; 117 } 118 ''; 119 - description = '' 120 The credentials to access the web interface, in case authentication is 121 - enabled, in the format <literal>username:hash</literal>. If unset no 122 authentication will be required. 123 124 Usernames must start with a lowercase ([a-z]) ASCII character, might 125 contain non-consecutive underscores except at the end, and consists of 126 small-case a-z characters and digits 0-9. The 127 - <command>htpasswd</command> tool from the <literal>apacheHttpd</literal> 128 package may be used to generate the hash: 129 - <command>htpasswd -bnBC 12 username password</command> 130 131 - <warning> 132 - <para> 133 - The hashes will be stored world-readable in the nix store. 134 - Consider using the <literal>credentialsFile</literal> option if you 135 - don't want this. 136 - </para> 137 - </warning> 138 ''; 139 }; 140 141 web.credentialsFile = mkOption { 142 type = types.nullOr types.path; 143 default = null; 144 - description = '' 145 The path to the file holding the credentials to access the web 146 interface. If unset no authentication will be required. 147 148 The file must constain user names and password hashes in the format 149 - <literal>username:hash </literal>, one for each line. Usernames must 150 start with a lowecase ([a-z]) ASCII character, might contain 151 non-consecutive underscores except at the end, and consists of 152 small-case a-z characters and digits 0-9. 153 - The <command>htpasswd</command> tool from the <literal>apacheHttpd</literal> 154 package may be used to generate the hash: 155 - <command>htpasswd -bnBC 12 username password</command> 156 ''; 157 }; 158

··· 116 myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG"; 117 } 118 ''; 119 + description = lib.mdDoc '' 120 The credentials to access the web interface, in case authentication is 121 + enabled, in the format `username:hash`. If unset no 122 authentication will be required. 123 124 Usernames must start with a lowercase ([a-z]) ASCII character, might 125 contain non-consecutive underscores except at the end, and consists of 126 small-case a-z characters and digits 0-9. The 127 + {command}`htpasswd` tool from the `apacheHttpd` 128 package may be used to generate the hash: 129 + {command}`htpasswd -bnBC 12 username password` 130 131 + ::: {.warning} 132 + The hashes will be stored world-readable in the nix store. 133 + Consider using the `credentialsFile` option if you 134 + don't want this. 135 + ::: 0 0 136 ''; 137 }; 138 139 web.credentialsFile = mkOption { 140 type = types.nullOr types.path; 141 default = null; 142 + description = lib.mdDoc '' 143 The path to the file holding the credentials to access the web 144 interface. If unset no authentication will be required. 145 146 The file must constain user names and password hashes in the format 147 + `username:hash `, one for each line. Usernames must 148 start with a lowecase ([a-z]) ASCII character, might contain 149 non-consecutive underscores except at the end, and consists of 150 small-case a-z characters and digits 0-9. 151 + The {command}`htpasswd` tool from the `apacheHttpd` 152 package may be used to generate the hash: 153 + {command}`htpasswd -bnBC 12 username password` 154 ''; 155 }; 156

+6 -8

nixos/modules/services/video/epgstation/default.nix

··· 101 openFirewall = lib.mkOption { 102 type = lib.types.bool; 103 default = false; 104 - description = '' 105 Open ports in the firewall for the EPGStation web interface. 106 107 - <warning> 108 - <para> 109 - Exposing EPGStation to the open internet is generally advised 110 - against. Only use it inside a trusted local network, or consider 111 - putting it behind a VPN if you want remote access. 112 - </para> 113 - </warning> 114 ''; 115 }; 116

··· 101 openFirewall = lib.mkOption { 102 type = lib.types.bool; 103 default = false; 104 + description = lib.mdDoc '' 105 Open ports in the firewall for the EPGStation web interface. 106 107 + ::: {.warning} 108 + Exposing EPGStation to the open internet is generally advised 109 + against. Only use it inside a trusted local network, or consider 110 + putting it behind a VPN if you want remote access. 111 + ::: 0 0 112 ''; 113 }; 114

+6 -8

nixos/modules/services/video/mirakurun.nix

··· 38 openFirewall = mkOption { 39 type = types.bool; 40 default = false; 41 - description = '' 42 Open ports in the firewall for Mirakurun. 43 44 - <warning> 45 - <para> 46 - Exposing Mirakurun to the open internet is generally advised 47 - against. Only use it inside a trusted local network, or 48 - consider putting it behind a VPN if you want remote access. 49 - </para> 50 - </warning> 51 ''; 52 }; 53

··· 38 openFirewall = mkOption { 39 type = types.bool; 40 default = false; 41 + description = lib.mdDoc '' 42 Open ports in the firewall for Mirakurun. 43 44 + ::: {.warning} 45 + Exposing Mirakurun to the open internet is generally advised 46 + against. Only use it inside a trusted local network, or 47 + consider putting it behind a VPN if you want remote access. 48 + ::: 0 0 49 ''; 50 }; 51

+10 -4

nixos/modules/services/web-apps/dokuwiki.nix

··· 160 plugins = mkOption { 161 type = types.listOf types.path; 162 default = []; 163 - description = '' 164 List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. 165 - <note><para>These plugins need to be packaged before use, see example.</para></note> 0 0 0 166 ''; 167 example = literalExpression '' 168 let ··· 188 templates = mkOption { 189 type = types.listOf types.path; 190 default = []; 191 - description = '' 192 List of path(s) to respective template(s) which are copied from the 'tpl' directory. 193 - <note><para>These templates need to be packaged before use, see example.</para></note> 0 0 0 194 ''; 195 example = literalExpression '' 196 let

··· 160 plugins = mkOption { 161 type = types.listOf types.path; 162 default = []; 163 + description = lib.mdDoc '' 164 List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. 165 + 166 + ::: {.note} 167 + These plugins need to be packaged before use, see example. 168 + ::: 169 ''; 170 example = literalExpression '' 171 let ··· 191 templates = mkOption { 192 type = types.listOf types.path; 193 default = []; 194 + description = lib.mdDoc '' 195 List of path(s) to respective template(s) which are copied from the 'tpl' directory. 196 + 197 + ::: {.note} 198 + These templates need to be packaged before use, see example. 199 + ::: 200 ''; 201 example = literalExpression '' 202 let

+13 -13

nixos/modules/services/web-apps/healthchecks.nix

··· 43 user = mkOption { 44 default = defaultUser; 45 type = types.str; 46 - description = '' 47 User account under which healthchecks runs. 48 49 - <note><para> 50 If left as the default value this user will automatically be created 51 on system activation, otherwise you are responsible for 52 ensuring the user exists before the healthchecks service starts. 53 - </para></note> 54 ''; 55 }; 56 57 group = mkOption { 58 default = defaultUser; 59 type = types.str; 60 - description = '' 61 Group account under which healthchecks runs. 62 63 - <note><para> 64 If left as the default value this group will automatically be created 65 on system activation, otherwise you are responsible for 66 ensuring the group exists before the healthchecks service starts. 67 - </para></note> 68 ''; 69 }; 70 ··· 83 dataDir = mkOption { 84 type = types.str; 85 default = "/var/lib/healthchecks"; 86 - description = '' 87 The directory used to store all data for healthchecks. 88 89 - <note><para> 90 If left as the default value this directory will automatically be created before 91 the healthchecks server starts, otherwise you are responsible for ensuring the 92 directory exists with appropriate ownership and permissions. 93 - </para></note> 94 ''; 95 }; 96 97 settings = lib.mkOption { 98 - description = '' 99 - Environment variables which are read by healthchecks <literal>(local)_settings.py</literal>. 100 101 Settings which are explictly covered in options bewlow, are type-checked and/or transformed 102 before added to the environment, everything else is passed as a string. 103 104 - See <link xlink:href="">https://healthchecks.io/docs/self_hosted_configuration/</link> 105 for a full documentation of settings. 106 107 - We add two variables to this list inside the packages <literal>local_settings.py.</literal> 108 - STATIC_ROOT to set a state directory for dynamically generated static files. 109 - SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store. 110 '';

··· 43 user = mkOption { 44 default = defaultUser; 45 type = types.str; 46 + description = lib.mdDoc '' 47 User account under which healthchecks runs. 48 49 + ::: {.note} 50 If left as the default value this user will automatically be created 51 on system activation, otherwise you are responsible for 52 ensuring the user exists before the healthchecks service starts. 53 + ::: 54 ''; 55 }; 56 57 group = mkOption { 58 default = defaultUser; 59 type = types.str; 60 + description = lib.mdDoc '' 61 Group account under which healthchecks runs. 62 63 + ::: {.note} 64 If left as the default value this group will automatically be created 65 on system activation, otherwise you are responsible for 66 ensuring the group exists before the healthchecks service starts. 67 + ::: 68 ''; 69 }; 70 ··· 83 dataDir = mkOption { 84 type = types.str; 85 default = "/var/lib/healthchecks"; 86 + description = lib.mdDoc '' 87 The directory used to store all data for healthchecks. 88 89 + ::: {.note} 90 If left as the default value this directory will automatically be created before 91 the healthchecks server starts, otherwise you are responsible for ensuring the 92 directory exists with appropriate ownership and permissions. 93 + ::: 94 ''; 95 }; 96 97 settings = lib.mkOption { 98 + description = lib.mdDoc '' 99 + Environment variables which are read by healthchecks `(local)_settings.py`. 100 101 Settings which are explictly covered in options bewlow, are type-checked and/or transformed 102 before added to the environment, everything else is passed as a string. 103 104 + See <https://healthchecks.io/docs/self_hosted_configuration/> 105 for a full documentation of settings. 106 107 + We add two variables to this list inside the packages `local_settings.py.` 108 - STATIC_ROOT to set a state directory for dynamically generated static files. 109 - SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store. 110 '';

+5 -2

nixos/modules/services/web-apps/invoiceplane.nix

··· 124 invoiceTemplates = mkOption { 125 type = types.listOf types.path; 126 default = []; 127 - description = '' 128 List of path(s) to respective template(s) which are copied from the 'invoice_templates/pdf' directory. 129 - <note><para>These templates need to be packaged before use, see example.</para></note> 0 0 0 130 ''; 131 example = literalExpression '' 132 let

··· 124 invoiceTemplates = mkOption { 125 type = types.listOf types.path; 126 default = []; 127 + description = lib.mdDoc '' 128 List of path(s) to respective template(s) which are copied from the 'invoice_templates/pdf' directory. 129 + 130 + ::: {.note} 131 + These templates need to be packaged before use, see example. 132 + ::: 133 ''; 134 example = literalExpression '' 135 let

+12 -14

nixos/modules/services/web-apps/keycloak.nix

··· 314 type = str; 315 default = ""; 316 example = "/auth"; 317 - description = '' 318 - The path relative to <literal>/</literal> for serving 319 resources. 320 321 - <note> 322 - <para> 323 - In versions of Keycloak using Wildfly (&lt;17), 324 - this defaulted to <literal>/auth</literal>. If 325 - upgrading from the Wildfly version of Keycloak, 326 - i.e. a NixOS version before 22.05, you'll likely 327 - want to set this to <literal>/auth</literal> to 328 - keep compatibility with your clients. 329 330 - See <link xlink:href="https://www.keycloak.org/migration/migrating-to-quarkus"/> 331 - for more information on migrating from Wildfly to Quarkus. 332 - </para> 333 - </note> 334 ''; 335 }; 336

··· 314 type = str; 315 default = ""; 316 example = "/auth"; 317 + description = lib.mdDoc '' 318 + The path relative to `/` for serving 319 resources. 320 321 + ::: {.note} 322 + In versions of Keycloak using Wildfly (&lt;17), 323 + this defaulted to `/auth`. If 324 + upgrading from the Wildfly version of Keycloak, 325 + i.e. a NixOS version before 22.05, you'll likely 326 + want to set this to `/auth` to 327 + keep compatibility with your clients. 0 328 329 + See <https://www.keycloak.org/migration/migrating-to-quarkus> 330 + for more information on migrating from Wildfly to Quarkus. 331 + ::: 0 332 ''; 333 }; 334

+9 -9

nixos/modules/services/web-apps/nextcloud.nix

··· 371 default = null; 372 type = types.nullOr types.str; 373 example = "DE"; 374 - description = '' 375 - <warning> 376 - <para>This option exists since Nextcloud 21! If older versions are used, 377 - this will throw an eval-error!</para> 378 - </warning> 379 380 - <link xlink:href="https://www.iso.org/iso-3166-country-codes.html">ISO 3611-1</link> 381 country codes for automatic phone-number detection without a country code. 382 383 - With e.g. <literal>DE</literal> set, the <literal>+49</literal> can be omitted for 384 phone-numbers. 385 ''; 386 }; ··· 519 type = with types; either str (listOf str); 520 default = "05:00:00"; 521 example = "Sun 14:00:00"; 522 - description = '' 523 - When to run the update. See `systemd.services.&lt;name&gt;.startAt`. 524 ''; 525 }; 526 };

··· 371 default = null; 372 type = types.nullOr types.str; 373 example = "DE"; 374 + description = lib.mdDoc '' 375 + ::: {.warning} 376 + This option exists since Nextcloud 21! If older versions are used, 377 + this will throw an eval-error! 378 + ::: 379 380 + [ISO 3611-1](https://www.iso.org/iso-3166-country-codes.html) 381 country codes for automatic phone-number detection without a country code. 382 383 + With e.g. `DE` set, the `+49` can be omitted for 384 phone-numbers. 385 ''; 386 }; ··· 519 type = with types; either str (listOf str); 520 default = "05:00:00"; 521 example = "Sun 14:00:00"; 522 + description = lib.mdDoc '' 523 + When to run the update. See `systemd.services.<name>.startAt`. 524 ''; 525 }; 526 };

+10 -4

nixos/modules/services/web-apps/wordpress.nix

··· 97 plugins = mkOption { 98 type = types.listOf types.path; 99 default = []; 100 - description = '' 101 List of path(s) to respective plugin(s) which are copied from the 'plugins' directory. 102 - <note><para>These plugins need to be packaged before use, see example.</para></note> 0 0 0 103 ''; 104 example = literalExpression '' 105 let ··· 124 themes = mkOption { 125 type = types.listOf types.path; 126 default = []; 127 - description = '' 128 List of path(s) to respective theme(s) which are copied from the 'theme' directory. 129 - <note><para>These themes need to be packaged before use, see example.</para></note> 0 0 0 130 ''; 131 example = literalExpression '' 132 let

··· 97 plugins = mkOption { 98 type = types.listOf types.path; 99 default = []; 100 + description = lib.mdDoc '' 101 List of path(s) to respective plugin(s) which are copied from the 'plugins' directory. 102 + 103 + ::: {.note} 104 + These plugins need to be packaged before use, see example. 105 + ::: 106 ''; 107 example = literalExpression '' 108 let ··· 127 themes = mkOption { 128 type = types.listOf types.path; 129 default = []; 130 + description = lib.mdDoc '' 131 List of path(s) to respective theme(s) which are copied from the 'theme' directory. 132 + 133 + ::: {.note} 134 + These themes need to be packaged before use, see example. 135 + ::: 136 ''; 137 example = literalExpression '' 138 let

+4 -4

nixos/modules/services/web-servers/apache-httpd/default.nix

··· 484 user = mkOption { 485 type = types.str; 486 default = "wwwrun"; 487 - description = '' 488 User account under which httpd children processes run. 489 490 If you require the main httpd process to run as 491 - <literal>root</literal> add the following configuration: 492 - <programlisting> 493 systemd.services.httpd.serviceConfig.User = lib.mkForce "root"; 494 - </programlisting> 495 ''; 496 }; 497

··· 484 user = mkOption { 485 type = types.str; 486 default = "wwwrun"; 487 + description = lib.mdDoc '' 488 User account under which httpd children processes run. 489 490 If you require the main httpd process to run as 491 + `root` add the following configuration: 492 + ``` 493 systemd.services.httpd.serviceConfig.User = lib.mkForce "root"; 494 + ``` 495 ''; 496 }; 497

+13 -15

nixos/modules/services/web-servers/apache-httpd/vhost-options.nix

··· 45 { ip = "192.154.1.1"; port = 80; } 46 { ip = "*"; port = 8080; } 47 ]; 48 - description = '' 49 Listen addresses and ports for this virtual host. 50 - <note> 51 - <para> 52 - This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>. 53 - </para> 54 - <para> 55 - If you only want to set the addresses manually and not the ports, take a look at <literal>listenAddresses</literal>. 56 - </para> 57 - </note> 58 ''; 59 }; 60 ··· 202 file = "/home/eelco/some-file.png"; 203 } 204 ]; 205 - description = '' 206 This option provides a simple way to serve individual, static files. 207 208 - <note><para> 209 - This option has been deprecated and will be removed in a future 210 - version of NixOS. You can achieve the same result by making use of 211 - the <literal>locations.&lt;name&gt;.alias</literal> option. 212 - </para></note> 213 ''; 214 }; 215

··· 45 { ip = "192.154.1.1"; port = 80; } 46 { ip = "*"; port = 8080; } 47 ]; 48 + description = lib.mdDoc '' 49 Listen addresses and ports for this virtual host. 50 + 51 + ::: {.note} 52 + This option overrides `addSSL`, `forceSSL` and `onlySSL`. 53 + 54 + If you only want to set the addresses manually and not the ports, take a look at `listenAddresses`. 55 + ::: 0 0 56 ''; 57 }; 58 ··· 200 file = "/home/eelco/some-file.png"; 201 } 202 ]; 203 + description = lib.mdDoc '' 204 This option provides a simple way to serve individual, static files. 205 206 + ::: {.note} 207 + This option has been deprecated and will be removed in a future 208 + version of NixOS. You can achieve the same result by making use of 209 + the `locations.<name>.alias` option. 210 + ::: 211 ''; 212 }; 213

+33 -36

nixos/modules/services/web-servers/caddy/default.nix

··· 57 user = mkOption { 58 default = "caddy"; 59 type = types.str; 60 - description = '' 61 User account under which caddy runs. 62 63 - <note><para> 64 - If left as the default value this user will automatically be created 65 - on system activation, otherwise you are responsible for 66 - ensuring the user exists before the Caddy service starts. 67 - </para></note> 68 ''; 69 }; 70 71 group = mkOption { 72 default = "caddy"; 73 type = types.str; 74 - description = '' 75 Group account under which caddy runs. 76 77 - <note><para> 78 - If left as the default value this user will automatically be created 79 - on system activation, otherwise you are responsible for 80 - ensuring the user exists before the Caddy service starts. 81 - </para></note> 82 ''; 83 }; 84 ··· 94 dataDir = mkOption { 95 type = types.path; 96 default = "/var/lib/caddy"; 97 - description = '' 98 The data directory for caddy. 99 100 - <note> 101 - <para> 102 - If left as the default value this directory will automatically be created 103 - before the Caddy server starts, otherwise you are responsible for ensuring 104 - the directory exists with appropriate ownership and permissions. 105 - </para> 106 - <para> 107 - Caddy v2 replaced <literal>CADDYPATH</literal> with XDG directories. 108 - See <link xlink:href="https://caddyserver.com/docs/conventions#file-locations"/>. 109 - </para> 110 - </note> 111 ''; 112 }; 113 114 logDir = mkOption { 115 type = types.path; 116 default = "/var/log/caddy"; 117 - description = '' 118 Directory for storing Caddy access logs. 119 120 - <note><para> 121 - If left as the default value this directory will automatically be created 122 - before the Caddy server starts, otherwise the sysadmin is responsible for 123 - ensuring the directory exists with appropriate ownership and permissions. 124 - </para></note> 125 ''; 126 }; 127 ··· 163 default = "caddyfile"; 164 example = "nginx"; 165 type = types.str; 166 - description = '' 167 Name of the config adapter to use. 168 - See <link xlink:href="https://caddyserver.com/docs/config-adapters"/> 169 for the full list. 170 171 - <note><para> 172 - Any value other than <literal>caddyfile</literal> is only valid when 173 - providing your own <option>configFile</option>. 174 - </para></note> 175 ''; 176 }; 177

··· 57 user = mkOption { 58 default = "caddy"; 59 type = types.str; 60 + description = lib.mdDoc '' 61 User account under which caddy runs. 62 63 + ::: {.note} 64 + If left as the default value this user will automatically be created 65 + on system activation, otherwise you are responsible for 66 + ensuring the user exists before the Caddy service starts. 67 + ::: 68 ''; 69 }; 70 71 group = mkOption { 72 default = "caddy"; 73 type = types.str; 74 + description = lib.mdDoc '' 75 Group account under which caddy runs. 76 77 + ::: {.note} 78 + If left as the default value this user will automatically be created 79 + on system activation, otherwise you are responsible for 80 + ensuring the user exists before the Caddy service starts. 81 + ::: 82 ''; 83 }; 84 ··· 94 dataDir = mkOption { 95 type = types.path; 96 default = "/var/lib/caddy"; 97 + description = lib.mdDoc '' 98 The data directory for caddy. 99 100 + ::: {.note} 101 + If left as the default value this directory will automatically be created 102 + before the Caddy server starts, otherwise you are responsible for ensuring 103 + the directory exists with appropriate ownership and permissions. 104 + 105 + Caddy v2 replaced `CADDYPATH` with XDG directories. 106 + See <https://caddyserver.com/docs/conventions#file-locations>. 107 + ::: 0 0 0 108 ''; 109 }; 110 111 logDir = mkOption { 112 type = types.path; 113 default = "/var/log/caddy"; 114 + description = lib.mdDoc '' 115 Directory for storing Caddy access logs. 116 117 + ::: {.note} 118 + If left as the default value this directory will automatically be created 119 + before the Caddy server starts, otherwise the sysadmin is responsible for 120 + ensuring the directory exists with appropriate ownership and permissions. 121 + ::: 122 ''; 123 }; 124 ··· 160 default = "caddyfile"; 161 example = "nginx"; 162 type = types.str; 163 + description = lib.mdDoc '' 164 Name of the config adapter to use. 165 + See <https://caddyserver.com/docs/config-adapters> 166 for the full list. 167 168 + ::: {.note} 169 + Any value other than `caddyfile` is only valid when 170 + providing your own {option}`configFile`. 171 + ::: 172 ''; 173 }; 174

+5 -2

nixos/modules/services/web-servers/phpfpm/default.nix

··· 40 socket = mkOption { 41 type = types.str; 42 readOnly = true; 43 - description = '' 44 Path to the unix socket file on which to accept FastCGI requests. 45 - <note><para>This option is read-only and managed by NixOS.</para></note> 0 0 0 46 ''; 47 example = "${runtimeDir}/<name>.sock"; 48 };

··· 40 socket = mkOption { 41 type = types.str; 42 readOnly = true; 43 + description = lib.mdDoc '' 44 Path to the unix socket file on which to accept FastCGI requests. 45 + 46 + ::: {.note} 47 + This option is read-only and managed by NixOS. 48 + ::: 49 ''; 50 example = "${runtimeDir}/<name>.sock"; 51 };

+13 -15

nixos/modules/services/web-servers/uwsgi.nix

··· 167 "CAP_NET_RAW" # open raw sockets 168 ] 169 ''; 170 - description = '' 171 Grant capabilities to the uWSGI instance. See the 172 - <literal>capabilities(7)</literal> for available values. 173 - <note> 174 - <para> 175 - uWSGI runs as an unprivileged user (even as Emperor) with the minimal 176 - capabilities required. This option can be used to add fine-grained 177 - permissions without running the service as root. 178 - </para> 179 - <para> 180 - When in Emperor mode, any capability to be inherited by a vassal must 181 - be specified again in the vassal configuration using <literal>cap</literal>. 182 - See the uWSGI <link xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link> 183 - for more information. 184 - </para> 185 - </note> 186 ''; 187 }; 188 };

··· 167 "CAP_NET_RAW" # open raw sockets 168 ] 169 ''; 170 + description = lib.mdDoc '' 171 Grant capabilities to the uWSGI instance. See the 172 + `capabilities(7)` for available values. 173 + 174 + ::: {.note} 175 + uWSGI runs as an unprivileged user (even as Emperor) with the minimal 176 + capabilities required. This option can be used to add fine-grained 177 + permissions without running the service as root. 178 + 179 + When in Emperor mode, any capability to be inherited by a vassal must 180 + be specified again in the vassal configuration using `cap`. 181 + See the uWSGI [docs](https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html) 182 + for more information. 183 + ::: 0 0 184 ''; 185 }; 186 };

+6 -4

nixos/modules/services/x11/xserver.nix

··· 431 firstPrimary = head heads // { primary = true; }; 432 newHeads = singleton firstPrimary ++ tail heads; 433 in if heads != [] && !hasPrimary then newHeads else heads; 434 - description = '' 435 Multiple monitor configuration, just specify a list of XRandR 436 outputs. The individual elements should be either simple strings or 437 an attribute set of output options. 438 439 If the element is a string, it is denoting the physical output for a 440 monitor, if it's an attribute set, you must at least provide the 441 - <option>output</option> option. 442 443 The monitors will be mapped from left to right in the order of the 444 list. 445 446 By default, the first monitor will be set as the primary monitor if 447 none of the elements contain an option that has set 448 - <option>primary</option> to <literal>true</literal>. 449 450 - <note><para>Only one monitor is allowed to be primary.</para></note> 0 0 451 452 Be careful using this option with multiple graphic adapters or with 453 drivers that have poor support for XRandR, unexpected things might

··· 431 firstPrimary = head heads // { primary = true; }; 432 newHeads = singleton firstPrimary ++ tail heads; 433 in if heads != [] && !hasPrimary then newHeads else heads; 434 + description = lib.mdDoc '' 435 Multiple monitor configuration, just specify a list of XRandR 436 outputs. The individual elements should be either simple strings or 437 an attribute set of output options. 438 439 If the element is a string, it is denoting the physical output for a 440 monitor, if it's an attribute set, you must at least provide the 441 + {option}`output` option. 442 443 The monitors will be mapped from left to right in the order of the 444 list. 445 446 By default, the first monitor will be set as the primary monitor if 447 none of the elements contain an option that has set 448 + {option}`primary` to `true`. 449 450 + ::: {.note} 451 + Only one monitor is allowed to be primary. 452 + ::: 453 454 Be careful using this option with multiple graphic adapters or with 455 drivers that have poor support for XRandR, unexpected things might

+5 -7

nixos/modules/system/boot/initrd-openvpn.nix

··· 25 26 boot.initrd.network.openvpn.configuration = mkOption { 27 type = types.path; # Same type as boot.initrd.secrets 28 - description = '' 29 The configuration file for OpenVPN. 30 31 - <warning> 32 - <para> 33 - Unless your bootloader supports initrd secrets, this configuration 34 - is stored insecurely in the global Nix store. 35 - </para> 36 - </warning> 37 ''; 38 example = literalExpression "./configuration.ovpn"; 39 };

··· 25 26 boot.initrd.network.openvpn.configuration = mkOption { 27 type = types.path; # Same type as boot.initrd.secrets 28 + description = lib.mdDoc '' 29 The configuration file for OpenVPN. 30 31 + ::: {.warning} 32 + Unless your bootloader supports initrd secrets, this configuration 33 + is stored insecurely in the global Nix store. 34 + ::: 0 0 35 ''; 36 example = literalExpression "./configuration.ovpn"; 37 };

+15 -18

nixos/modules/system/boot/initrd-ssh.nix

··· 47 "/etc/secrets/initrd/ssh_host_rsa_key" 48 "/etc/secrets/initrd/ssh_host_ed25519_key" 49 ]; 50 - description = '' 51 Specify SSH host keys to import into the initrd. 52 53 To generate keys, use 54 - <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> 55 as root: 56 57 - <programlisting> 58 ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key 59 ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key 60 - </programlisting> 0 0 0 0 0 0 61 62 - <warning> 63 - <para> 64 - Unless your bootloader supports initrd secrets, these keys 65 - are stored insecurely in the global Nix store. Do NOT use 66 - your regular SSH host private keys for this purpose or 67 - you'll expose them to regular users! 68 - </para> 69 - <para> 70 - Additionally, even if your initrd supports secrets, if 71 - you're using initrd SSH to unlock an encrypted disk then 72 - using your regular host keys exposes the private keys on 73 - your unencrypted boot partition. 74 - </para> 75 - </warning> 76 ''; 77 }; 78

··· 47 "/etc/secrets/initrd/ssh_host_rsa_key" 48 "/etc/secrets/initrd/ssh_host_ed25519_key" 49 ]; 50 + description = lib.mdDoc '' 51 Specify SSH host keys to import into the initrd. 52 53 To generate keys, use 54 + {manpage}`ssh-keygen(1)` 55 as root: 56 57 + ``` 58 ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key 59 ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key 60 + ``` 61 + 62 + ::: {.warning} 63 + Unless your bootloader supports initrd secrets, these keys 64 + are stored insecurely in the global Nix store. Do NOT use 65 + your regular SSH host private keys for this purpose or 66 + you'll expose them to regular users! 67 68 + Additionally, even if your initrd supports secrets, if 69 + you're using initrd SSH to unlock an encrypted disk then 70 + using your regular host keys exposes the private keys on 71 + your unencrypted boot partition. 72 + ::: 0 0 0 0 0 0 0 0 0 73 ''; 74 }; 75

+22 -22

nixos/modules/system/boot/loader/grub/grub.nix

··· 417 splashImage = mkOption { 418 type = types.nullOr types.path; 419 example = literalExpression "./my-background.png"; 420 - description = '' 421 Background image used for GRUB. 422 - Set to <literal>null</literal> to run GRUB in text mode. 423 424 - <note><para> 425 For grub 1: 426 It must be a 640x480, 427 14-colour image in XPM format, optionally compressed with 428 - <command>gzip</command> or <command>bzip2</command>. 429 - </para></note> 430 431 - <note><para> 432 For grub 2: 433 File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must 434 not be progressive. 435 The image will be scaled if necessary to fit the screen. 436 - </para></note> 437 ''; 438 }; 439 ··· 441 type = types.nullOr types.str; 442 example = "#7EBAE4"; 443 default = null; 444 - description = '' 445 Background color to be used for GRUB to fill the areas the image isn't filling. 446 447 - <note><para> 448 This options has no effect for GRUB 1. 449 - </para></note> 450 ''; 451 }; 452 453 entryOptions = mkOption { 454 default = "--class nixos --unrestricted"; 455 type = types.nullOr types.str; 456 - description = '' 457 Options applied to the primary NixOS menu entry. 458 459 - <note><para> 460 This options has no effect for GRUB 1. 461 - </para></note> 462 ''; 463 }; 464 465 subEntryOptions = mkOption { 466 default = "--class nixos"; 467 type = types.nullOr types.str; 468 - description = '' 469 Options applied to the secondary NixOS submenu entry. 470 471 - <note><para> 472 This options has no effect for GRUB 1. 473 - </para></note> 474 ''; 475 }; 476 ··· 478 type = types.nullOr types.path; 479 example = literalExpression "pkgs.nixos-grub2-theme"; 480 default = null; 481 - description = '' 482 Grub theme to be used. 483 484 - <note><para> 485 This options has no effect for GRUB 1. 486 - </para></note> 487 ''; 488 }; 489 490 splashMode = mkOption { 491 type = types.enum [ "normal" "stretch" ]; 492 default = "stretch"; 493 - description = '' 494 Whether to stretch the image or show the image in the top-left corner unstretched. 495 496 - <note><para> 497 This options has no effect for GRUB 1. 498 - </para></note> 499 ''; 500 }; 501

··· 417 splashImage = mkOption { 418 type = types.nullOr types.path; 419 example = literalExpression "./my-background.png"; 420 + description = lib.mdDoc '' 421 Background image used for GRUB. 422 + Set to `null` to run GRUB in text mode. 423 424 + ::: {.note} 425 For grub 1: 426 It must be a 640x480, 427 14-colour image in XPM format, optionally compressed with 428 + {command}`gzip` or {command}`bzip2`. 429 + ::: 430 431 + ::: {.note} 432 For grub 2: 433 File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must 434 not be progressive. 435 The image will be scaled if necessary to fit the screen. 436 + ::: 437 ''; 438 }; 439 ··· 441 type = types.nullOr types.str; 442 example = "#7EBAE4"; 443 default = null; 444 + description = lib.mdDoc '' 445 Background color to be used for GRUB to fill the areas the image isn't filling. 446 447 + ::: {.note} 448 This options has no effect for GRUB 1. 449 + ::: 450 ''; 451 }; 452 453 entryOptions = mkOption { 454 default = "--class nixos --unrestricted"; 455 type = types.nullOr types.str; 456 + description = lib.mdDoc '' 457 Options applied to the primary NixOS menu entry. 458 459 + ::: {.note} 460 This options has no effect for GRUB 1. 461 + ::: 462 ''; 463 }; 464 465 subEntryOptions = mkOption { 466 default = "--class nixos"; 467 type = types.nullOr types.str; 468 + description = lib.mdDoc '' 469 Options applied to the secondary NixOS submenu entry. 470 471 + ::: {.note} 472 This options has no effect for GRUB 1. 473 + ::: 474 ''; 475 }; 476 ··· 478 type = types.nullOr types.path; 479 example = literalExpression "pkgs.nixos-grub2-theme"; 480 default = null; 481 + description = lib.mdDoc '' 482 Grub theme to be used. 483 484 + ::: {.note} 485 This options has no effect for GRUB 1. 486 + ::: 487 ''; 488 }; 489 490 splashMode = mkOption { 491 type = types.enum [ "normal" "stretch" ]; 492 default = "stretch"; 493 + description = lib.mdDoc '' 494 Whether to stretch the image or show the image in the top-left corner unstretched. 495 496 + ::: {.note} 497 This options has no effect for GRUB 1. 498 + ::: 499 ''; 500 }; 501

+9 -7

nixos/modules/virtualisation/qemu-vm.nix

··· 510 ] 511 ''; 512 description = 513 - '' 514 When using the SLiRP user networking (default), this option allows to 515 forward ports to/from the host/guest. 516 517 - <warning><para> 518 - If the NixOS firewall on the virtual machine is enabled, you also 519 - have to open the guest ports to enable the traffic between host and 520 - guest. 521 - </para></warning> 522 523 - <note><para>Currently QEMU supports only IPv4 forwarding.</para></note> 0 0 524 ''; 525 }; 526

··· 510 ] 511 ''; 512 description = 513 + lib.mdDoc '' 514 When using the SLiRP user networking (default), this option allows to 515 forward ports to/from the host/guest. 516 517 + ::: {.warning} 518 + If the NixOS firewall on the virtual machine is enabled, you also 519 + have to open the guest ports to enable the traffic between host and 520 + guest. 521 + ::: 522 523 + ::: {.note} 524 + Currently QEMU supports only IPv4 forwarding. 525 + ::: 526 ''; 527 }; 528

+17 -17

nixos/modules/virtualisation/virtualbox-host.nix

··· 18 19 { 20 options.virtualisation.virtualbox.host = { 21 - enable = mkEnableOption "VirtualBox" // { 22 - description = '' 23 Whether to enable VirtualBox. 24 25 - <note><para> 26 - In order to pass USB devices from the host to the guests, the user 27 - needs to be in the <literal>vboxusers</literal> group. 28 - </para></note> 29 ''; 30 }; 31 32 - enableExtensionPack = mkEnableOption "VirtualBox extension pack" // { 33 - description = '' 34 Whether to install the Oracle Extension Pack for VirtualBox. 35 36 - <important><para> 37 - You must set <literal>nixpkgs.config.allowUnfree = true</literal> in 38 - order to use this. This requires you accept the VirtualBox PUEL. 39 - </para></important> 40 ''; 41 }; 42 ··· 60 enableHardening = mkOption { 61 type = types.bool; 62 default = true; 63 - description = '' 64 Enable hardened VirtualBox, which ensures that only the binaries in the 65 system path get access to the devices exposed by the kernel modules 66 instead of all users in the vboxusers group. 67 68 - <important><para> 69 - Disabling this can put your system's security at risk, as local users 70 - in the vboxusers group can tamper with the VirtualBox device files. 71 - </para></important> 72 ''; 73 }; 74

··· 18 19 { 20 options.virtualisation.virtualbox.host = { 21 + enable = mkEnableOption (lib.mdDoc "VirtualBox") // { 22 + description = lib.mdDoc '' 23 Whether to enable VirtualBox. 24 25 + ::: {.note} 26 + In order to pass USB devices from the host to the guests, the user 27 + needs to be in the `vboxusers` group. 28 + ::: 29 ''; 30 }; 31 32 + enableExtensionPack = mkEnableOption (lib.mdDoc "VirtualBox extension pack") // { 33 + description = lib.mdDoc '' 34 Whether to install the Oracle Extension Pack for VirtualBox. 35 36 + ::: {.important} 37 + You must set `nixpkgs.config.allowUnfree = true` in 38 + order to use this. This requires you accept the VirtualBox PUEL. 39 + ::: 40 ''; 41 }; 42 ··· 60 enableHardening = mkOption { 61 type = types.bool; 62 default = true; 63 + description = lib.mdDoc '' 64 Enable hardened VirtualBox, which ensures that only the binaries in the 65 system path get access to the devices exposed by the kernel modules 66 instead of all users in the vboxusers group. 67 68 + ::: {.important} 69 + Disabling this can put your system's security at risk, as local users 70 + in the vboxusers group can tamper with the VirtualBox device files. 71 + ::: 72 ''; 73 }; 74

+12 -12

nixos/modules/virtualisation/vmware-host.nix

··· 20 { 21 options = with lib; { 22 virtualisation.vmware.host = { 23 - enable = mkEnableOption "VMware" // { 24 - description = '' 25 This enables VMware host virtualisation for running VMs. 26 27 - <important><para> 28 - <literal>vmware-vmx</literal> will cause kcompactd0 due to 29 - <literal>Transparent Hugepages</literal> feature in kernel. 30 - Apply <literal>[ "transparent_hugepage=never" ]</literal> in 31 - option <option>boot.kernelParams</option> to disable them. 32 - </para></important> 33 34 - <note><para> 35 - If that didn't work disable <literal>TRANSPARENT_HUGEPAGE</literal>, 36 - <literal>COMPACTION</literal> configs and recompile kernel. 37 - </para></note> 38 ''; 39 }; 40 package = mkOption {

··· 20 { 21 options = with lib; { 22 virtualisation.vmware.host = { 23 + enable = mkEnableOption (lib.mdDoc "VMware") // { 24 + description = lib.mdDoc '' 25 This enables VMware host virtualisation for running VMs. 26 27 + ::: {.important} 28 + `vmware-vmx` will cause kcompactd0 due to 29 + `Transparent Hugepages` feature in kernel. 30 + Apply `[ "transparent_hugepage=never" ]` in 31 + option {option}`boot.kernelParams` to disable them. 32 + ::: 33 34 + ::: {.note} 35 + If that didn't work disable `TRANSPARENT_HUGEPAGE`, 36 + `COMPACTION` configs and recompile kernel. 37 + ::: 38 ''; 39 }; 40 package = mkOption {