Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

Merge pull request #185056 from pennae/option-docs-md

nixos/*: more option docs conversions

authored by pennae and committed by GitHub 93c57a98 cec6bcfd

+997 -1108
+10 -21
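--- a/nixos/lib/make-options-doc/default.nix
+++ b/nixos/lib/make-options-doc/default.nix
@@ -99,14 +99,6 @@
 
 optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
 
-pythonMD =
-let
-self = (pkgs.python3Minimal.override {
-inherit self;
-includeSiteCustomize = true;
-});
-in self.withPackages (p: [ p.mistune_2_0 ]);
-
 in rec {
 inherit optionsNix;
 
@@ -124,20 +116,17 @@
 
 optionsJSON = pkgs.runCommand "options.json"
 { meta.description = "List of NixOS options in JSON format";
-buildInputs = [ pkgs.brotli pythonMD ];
+buildInputs = [
+pkgs.brotli
+(let
+self = (pkgs.python3Minimal.override {
+inherit self;
+includeSiteCustomize = true;
+});
+in self.withPackages (p: [ p.mistune_2_0 ]))
+];
 options = builtins.toFile "options.json"
 (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix));
-# convert markdown to docbook in its own derivation to cache the
-# conversion results. the conversion is surprisingly expensive.
-baseJSON =
-if baseOptionsJSON != null
-then
-pkgs.runCommand "base-json-md-converted" {
-buildInputs = [ pythonMD ];
-} ''
-python ${./mergeJSON.py} ${baseOptionsJSON} <(echo '{}') > $out
-''
-else null;
 }
 ''
 # Export list of options in different format.
@@ -154,7 +143,7 @@
 else ''
 python ${./mergeJSON.py} \
 ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \
-$baseJSON $options \
+${baseOptionsJSON} $options \
 > $dst/options.json
 ''
 }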
+120 -117
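--- a/nixos/lib/make-options-doc/mergeJSON.py
+++ b/nixos/lib/make-options-doc/mergeJSON.py
@@ -3,6 +3,11 @@
 import sys
 from typing import Any, Dict, List
 
+# for MD conversion
+import mistune
+import re
+from xml.sax.saxutils import escape, quoteattr
+
 JSON = Dict[str, Any]
 
 class Key:
@@ -41,137 +46,135 @@
 result[opt.name] = opt.value
 return result
 
-# converts in-place!
-def convertMD(options: Dict[str, Any]) -> str:
-import mistune
-import re
-from xml.sax.saxutils import escape, quoteattr
+admonitions = {
+'.warning': 'warning',
+'.important': 'important',
+'.note': 'note'
+}
+class Renderer(mistune.renderers.BaseRenderer):
+def _get_method(self, name):
+try:
+return super(Renderer, self)._get_method(name)
+except AttributeError:
+def not_supported(*args, **kwargs):
+raise NotImplementedError("md node not supported yet", name, args, **kwargs)
+return not_supported
 
-admonitions = {
-'.warning': 'warning',
-'.important': 'important',
-'.note': 'note'
-}
-class Renderer(mistune.renderers.BaseRenderer):
-def __init__(self, path):
-self.path = path
-def _get_method(self, name):
-try:
-return super(Renderer, self)._get_method(name)
-except AttributeError:
-def not_supported(*args, **kwargs):
-raise NotImplementedError("md node not supported yet", self.path, name, args, **kwargs)
-return not_supported
+def text(self, text):
+return escape(text)
+def paragraph(self, text):
+return text + "\n\n"
+def newline(self):
+return "<literallayout>\n</literallayout>"
+def codespan(self, text):
+return f"<literal>{escape(text)}</literal>"
+def block_code(self, text, info=None):
+info = f" language={quoteattr(info)}" if info is not None else ""
+return f"<programlisting{info}>\n{escape(text)}</programlisting>"
+def link(self, link, text=None, title=None):
+tag = "link"
+if link[0:1] == '#':
+if text == "":
+tag = "xref"
+attr = "linkend"
+link = quoteattr(link[1:])
+else:
+# try to faithfully reproduce links that were of the form <link href="..."/>
+# in docbook format
+if text == link:
+text = ""
+attr = "xlink:href"
+link = quoteattr(link)
+return f"<{tag} {attr}={link}>{text}</{tag}>"
+def list(self, text, ordered, level, start=None):
+if ordered:
+raise NotImplementedError("ordered lists not supported yet")
+return f"<itemizedlist>\n{text}\n</itemizedlist>"
+def list_item(self, text, level):
+return f"<listitem><para>{text}</para></listitem>\n"
+def block_text(self, text):
+return text
+def emphasis(self, text):
+return f"<emphasis>{text}</emphasis>"
+def strong(self, text):
+return f"<emphasis role=\"strong\">{text}</emphasis>"
+def admonition(self, text, kind):
+if kind not in admonitions:
+raise NotImplementedError(f"admonition {kind} not supported yet")
+tag = admonitions[kind]
+# we don't keep whitespace here because usually we'll contain only
+# a single paragraph and the original docbook string is no longer
+# available to restore the trailer.
+return f"<{tag}><para>{text.rstrip()}</para></{tag}>"
+def block_quote(self, text):
+return f"<blockquote><para>{text}</para></blockquote>"
+def command(self, text):
+return f"<command>{escape(text)}</command>"
+def option(self, text):
+return f"<option>{escape(text)}</option>"
+def file(self, text):
+return f"<filename>{escape(text)}</filename>"
+def manpage(self, page, section):
+title = f"<refentrytitle>{escape(page)}</refentrytitle>"
+vol = f"<manvolnum>{escape(section)}</manvolnum>"
+return f"<citerefentry>{title}{vol}</citerefentry>"
 
-def text(self, text):
-return escape(text)
-def paragraph(self, text):
-return text + "\n\n"
-def newline(self):
-return "<literallayout>\n</literallayout>"
-def codespan(self, text):
-return f"<literal>{escape(text)}</literal>"
-def block_code(self, text, info=None):
-info = f" language={quoteattr(info)}" if info is not None else ""
-return f"<programlisting{info}>\n{escape(text)}</programlisting>"
-def link(self, link, text=None, title=None):
-if link[0:1] == '#':
-attr = "linkend"
-link = quoteattr(link[1:])
-else:
-# try to faithfully reproduce links that were of the form <link href="..."/>
-# in docbook format
-if text == link:
-text = ""
-attr = "xlink:href"
-link = quoteattr(link)
-return f"<link {attr}={link}>{text}</link>"
-def list(self, text, ordered, level, start=None):
-if ordered:
-raise NotImplementedError("ordered lists not supported yet")
-return f"<itemizedlist>\n{text}\n</itemizedlist>"
-def list_item(self, text, level):
-return f"<listitem><para>{text}</para></listitem>\n"
-def block_text(self, text):
-return text
-def emphasis(self, text):
-return f"<emphasis>{text}</emphasis>"
-def strong(self, text):
-return f"<emphasis role=\"strong\">{text}</emphasis>"
-def admonition(self, text, kind):
-if kind not in admonitions:
-raise NotImplementedError(f"admonition {kind} not supported yet")
-tag = admonitions[kind]
-# we don't keep whitespace here because usually we'll contain only
-# a single paragraph and the original docbook string is no longer
-# available to restore the trailer.
-return f"<{tag}><para>{text.rstrip()}</para></{tag}>"
-def block_quote(self, text):
-return f"<blockquote><para>{text}</para></blockquote>"
-def command(self, text):
-return f"<command>{escape(text)}</command>"
-def option(self, text):
-return f"<option>{escape(text)}</option>"
-def file(self, text):
-return f"<filename>{escape(text)}</filename>"
-def manpage(self, page, section):
-title = f"<refentrytitle>{escape(page)}</refentrytitle>"
-vol = f"<manvolnum>{escape(section)}</manvolnum>"
-return f"<citerefentry>{title}{vol}</citerefentry>"
+def finalize(self, data):
+return "".join(data)
 
-def finalize(self, data):
-return "".join(data)
-
-plugins = []
-
+def p_command(md):
 COMMAND_PATTERN = r'\{command\}`(.*?)`'
-def command(md):
-def parse(self, m, state):
-return ('command', m.group(1))
-md.inline.register_rule('command', COMMAND_PATTERN, parse)
-md.inline.rules.append('command')
-plugins.append(command)
+def parse(self, m, state):
+return ('command', m.group(1))
+md.inline.register_rule('command', COMMAND_PATTERN, parse)
+md.inline.rules.append('command')
 
+def p_file(md):
 FILE_PATTERN = r'\{file\}`(.*?)`'
-def file(md):
-def parse(self, m, state):
-return ('file', m.group(1))
-md.inline.register_rule('file', FILE_PATTERN, parse)
-md.inline.rules.append('file')
-plugins.append(file)
+def parse(self, m, state):
+return ('file', m.group(1))
+md.inline.register_rule('file', FILE_PATTERN, parse)
+md.inline.rules.append('file')
 
+def p_option(md):
 OPTION_PATTERN = r'\{option\}`(.*?)`'
-def option(md):
-def parse(self, m, state):
-return ('option', m.group(1))
-md.inline.register_rule('option', OPTION_PATTERN, parse)
-md.inline.rules.append('option')
-plugins.append(option)
+def parse(self, m, state):
+return ('option', m.group(1))
+md.inline.register_rule('option', OPTION_PATTERN, parse)
+md.inline.rules.append('option')
 
+def p_manpage(md):
 MANPAGE_PATTERN = r'\{manpage\}`(.*?)\((.+?)\)`'
-def manpage(md):
-def parse(self, m, state):
-return ('manpage', m.group(1), m.group(2))
-md.inline.register_rule('manpage', MANPAGE_PATTERN, parse)
-md.inline.rules.append('manpage')
-plugins.append(manpage)
+def parse(self, m, state):
+return ('manpage', m.group(1), m.group(2))
+md.inline.register_rule('manpage', MANPAGE_PATTERN, parse)
+md.inline.rules.append('manpage')
 
+def p_admonition(md):
 ADMONITION_PATTERN = re.compile(r'^::: \{([^\n]*?)\}\n(.*?)^:::\n', flags=re.MULTILINE|re.DOTALL)
-def admonition(md):
-def parse(self, m, state):
-return {
-'type': 'admonition',
-'children': self.parse(m.group(2), state),
-'params': [ m.group(1) ],
-}
-md.block.register_rule('admonition', ADMONITION_PATTERN, parse)
-md.block.rules.append('admonition')
-plugins.append(admonition)
+def parse(self, m, state):
+return {
+'type': 'admonition',
+'children': self.parse(m.group(2), state),
+'params': [ m.group(1) ],
+}
+md.block.register_rule('admonition', ADMONITION_PATTERN, parse)
+md.block.rules.append('admonition')
+
+md = mistune.create_markdown(renderer=Renderer(), plugins=[
+p_command, p_file, p_option, p_manpage, p_admonition
+])
 
+# converts in-place!
+def convertMD(options: Dict[str, Any]) -> str:
 def convertString(path: str, text: str) -> str:
-rendered = mistune.markdown(text, renderer=Renderer(path), plugins=plugins)
-# keep trailing spaces so we can diff the generated XML to check for conversion bugs.
-return rendered.rstrip() + text[len(text.rstrip()):]
+try:
+rendered = md(text)
+# keep trailing spaces so we can diff the generated XML to check for conversion bugs.
+return rendered.rstrip() + text[len(text.rstrip()):]
+except:
+print(f"error in {path}")
+raise
 
 def optionIs(option: Dict[str, Any], key: str, typ: str) -> bool:
 if key not in option: return False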
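Review bot: The error context added in `convertString` is printed to stdout, and the invocation shown in default.nix redirects stdout into `$dst/options.json`, so `print(f"error in {path}")` ends up in the output file rather than the build log; `print(f"error in {path}", file=sys.stderr)` keeps it visible (`sys` is already imported at the top of the file). The bare `except:` also intercepts `KeyboardInterrupt` and `SystemExit`; since the handler only annotates and re-raises, `except Exception:` is the narrower form. In the `Renderer._get_method` hunk, `not_supported` forwards `**kwargs` to `NotImplementedError`, which takes no keyword arguments, so if a node is ever rendered with keyword arguments the failure would surface as a `TypeError` instead of the intended message. The body of `convertMD` continues past the end of the hunk.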
+3 -4
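--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -71,12 +71,11 @@
 ))
 '';
 example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"];
-description = ''
+description = lib.mdDoc ''
 List of locales that the system should support. The value
-<literal>"all"</literal> means that all locales supported by
+`"all"` means that all locales supported by
 Glibc will be installed. A full list of supported locales
-can be found at <link
-xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
+can be found at <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>.
 '';
 };
 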
+3 -3
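--- a/nixos/modules/config/resolvconf.nix
+++ b/nixos/modules/config/resolvconf.nix
@@ -83,9 +83,9 @@
 dnsExtensionMechanism = mkOption {
 type = types.bool;
 default = true;
-description = ''
-Enable the <code>edns0</code> option in <filename>resolv.conf</filename>. With
-that option set, <code>glibc</code> supports use of the extension mechanisms for
+description = lib.mdDoc ''
+Enable the `edns0` option in {file}`resolv.conf`. With
+that option set, `glibc` supports use of the extension mechanisms for
 DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
 which does not work without it.
 '';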
+2 -2
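--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -109,11 +109,11 @@
 
 environment.shellAliases = mkOption {
 example = { l = null; ll = "ls -l"; };
-description = ''
+description = lib.mdDoc ''
 An attribute set that maps aliases (the top level attribute names in
 this option) to command strings or directly to build outputs. The
 aliases are added to all users' shells.
-Aliases mapped to <code>null</code> are ignored.
+Aliases mapped to `null` are ignored.
 '';
 type = with types; attrsOf (nullOr (either str path));
 };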
+5 -5
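--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -16,7 +16,7 @@
 
 environment.sessionVariables = mkOption {
 default = {};
-description = ''
+description = lib.mdDoc ''
 A set of environment variables used in the global environment.
 These variables will be set by PAM early in the login process.
 
@@ -25,12 +25,12 @@
 colon characters.
 
 Note, due to limitations in the PAM format values may not
-contain the <literal>"</literal> character.
+contain the `"` character.
 
 Also, these variables are merged into
-<xref linkend="opt-environment.variables"/> and it is
+[](#opt-environment.variables) and it is
 therefore not possible to use PAM style variables such as
-<code>@{HOME}</code>.
+`@{HOME}`.
 '';
 type = with types; attrsOf (either str (listOf str));
 apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
@@ -58,7 +58,7 @@
 Also, these variables are merged into
 <xref linkend="opt-environment.profileRelativeEnvVars"/> and it is
 therefore not possible to use PAM style variables such as
-<code>@{HOME}</code>.
+<literal>@{HOME}</literal>.
 '';
 };
 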
+19 -20
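--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -100,17 +100,17 @@
 isNormalUser = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Indicates whether this is an account for a “real” user. This
-automatically sets <option>group</option> to
-<literal>users</literal>, <option>createHome</option> to
-<literal>true</literal>, <option>home</option> to
-<filename>/home/<replaceable>username</replaceable></filename>,
-<option>useDefaultShell</option> to <literal>true</literal>,
-and <option>isSystemUser</option> to
-<literal>false</literal>.
-Exactly one of <literal>isNormalUser</literal> and
-<literal>isSystemUser</literal> must be true.
+automatically sets {option}`group` to
+`users`, {option}`createHome` to
+`true`, {option}`home` to
+{file}`/home/«username»`,
+{option}`useDefaultShell` to `true`,
+and {option}`isSystemUser` to
+`false`.
+Exactly one of `isNormalUser` and
+`isSystemUser` must be true.
 '';
 };
 
@@ -151,13 +151,12 @@
 pamMount = mkOption {
 type = with types; attrsOf str;
 default = {};
-description = ''
+description = lib.mdDoc ''
 Attributes for user's entry in
-<filename>pam_mount.conf.xml</filename>.
-Useful attributes might include <code>path</code>,
-<code>options</code>, <code>fstype</code>, and <code>server</code>.
-See <link
-xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />
+{file}`pam_mount.conf.xml`.
+Useful attributes might include `path`,
+`options`, `fstype`, and `server`.
+See <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>
 for more information.
 '';
 };
@@ -167,12 +166,12 @@
 default = pkgs.shadow;
 defaultText = literalExpression "pkgs.shadow";
 example = literalExpression "pkgs.bashInteractive";
-description = ''
+description = lib.mdDoc ''
 The path to the user's shell. Can use shell derivations,
-like <literal>pkgs.bashInteractive</literal>. Don’t
+like `pkgs.bashInteractive`. Don’t
 forget to enable your shell in
-<literal>programs</literal> if necessary,
-like <code>programs.zsh.enable = true;</code>.
+`programs` if necessary,
+like `programs.zsh.enable = true;`.
 '';
 };
 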
+1 -1
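--- a/nixos/modules/config/xdg/portal.nix
+++ b/nixos/modules/config/xdg/portal.nix
@@ -33,7 +33,7 @@
 
 options.xdg.portal = {
 enable =
-mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>" // {
+mkEnableOption ''<link xlink:href="https://github.com/flatpak/xdg-desktop-portal">xdg desktop integration</link>'' // {
 default = false;
 };
 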
+2 -3
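--- a/nixos/modules/hardware/logitech.nix
+++ b/nixos/modules/hardware/logitech.nix
@@ -32,10 +32,9 @@
 devices = mkOption {
 type = types.listOf types.str;
 default = [ "0a07" "c222" "c225" "c227" "c251" ];
-description = ''
+description = lib.mdDoc ''
 List of USB device ids supported by g15daemon.
-</para>
-<para>
+
 You most likely do not need to change this.
 '';
 };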
+1 -1
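--- a/nixos/modules/hardware/tuxedo-keyboard.nix
+++ b/nixos/modules/hardware/tuxedo-keyboard.nix
@@ -13,7 +13,7 @@
 
 To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration.
 There are several parameters you can change. It's best to check at the source code description which options are supported.
-You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam" />
+You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam"/>
 
 In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this:
 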
+6 -6
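--- a/nixos/modules/hardware/video/uvcvideo/default.nix
+++ b/nixos/modules/hardware/video/uvcvideo/default.nix
@@ -34,15 +34,15 @@
 packages = mkOption {
 type = types.listOf types.path;
 example = literalExpression "[ pkgs.tiscamera ]";
-description = ''
-List of packages containing <command>uvcvideo</command> dynamic controls
+description = lib.mdDoc ''
+List of packages containing {command}`uvcvideo` dynamic controls
 rules. All files found in
-<filename><replaceable>pkg</replaceable>/share/uvcdynctrl/data</filename>
+{file}`«pkg»/share/uvcdynctrl/data`
 will be included.
 
-Note that these will serve as input to the <command>libwebcam</command>
-package which through its own <command>udev</command> rule will register
-the dynamic controls from specified packages to the <command>uvcvideo</command>
+Note that these will serve as input to the {command}`libwebcam`
+package which through its own {command}`udev` rule will register
+the dynamic controls from specified packages to the {command}`uvcvideo`
 driver.
 '';
 apply = map getBin;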
+1 -1
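--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -618,7 +618,7 @@
 This will be directly appended (without whitespace) to the NixOS version
 string, like for example if it is set to <literal>XXX</literal>:
 
-<para><literal>NixOS 99.99-pre666XXX</literal></para>
+<literal>NixOS 99.99-pre666XXX</literal>
 '';
 };
 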
+22 -22
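--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@@ -119,11 +119,11 @@
 example = literalExpression "import <nixpkgs> {}";
 description = ''
 If set, the pkgs argument to all NixOS modules is the value of
-this option, extended with <code>nixpkgs.overlays</code>, if
-that is also set. Either <code>nixpkgs.crossSystem</code> or
-<code>nixpkgs.localSystem</code> will be used in an assertion
+this option, extended with <literal>nixpkgs.overlays</literal>, if
+that is also set. Either <literal>nixpkgs.crossSystem</literal> or
+<literal>nixpkgs.localSystem</literal> will be used in an assertion
 to check that the NixOS and Nixpkgs architectures match. Any
-other options in <code>nixpkgs.*</code>, notably <code>config</code>,
+other options in <literal>nixpkgs.*</literal>, notably <literal>config</literal>,
 will be ignored.
 
 If unset, the pkgs argument to all NixOS modules is determined
@@ -132,18 +132,18 @@
 The default value imports the Nixpkgs source files
 relative to the location of this NixOS module, because
 NixOS and Nixpkgs are distributed together for consistency,
-so the <code>nixos</code> in the default value is in fact a
-relative path. The <code>config</code>, <code>overlays</code>,
-<code>localSystem</code>, and <code>crossSystem</code> come
+so the <literal>nixos</literal> in the default value is in fact a
+relative path. The <literal>config</literal>, <literal>overlays</literal>,
+<literal>localSystem</literal>, and <literal>crossSystem</literal> come
 from this option's siblings.
 
 This option can be used by applications like NixOps to increase
 the performance of evaluation, or to create packages that depend
 on a container that should be built with the exact same evaluation
 of Nixpkgs, for example. Applications like this should set
-their default value using <code>lib.mkDefault</code>, so
+their default value using <literal>lib.mkDefault</literal>, so
 user-provided configuration can override it without using
-<code>lib</code>.
+<literal>lib</literal>.
 
 Note that using a distinct version of Nixpkgs with NixOS may
 be an unexpected source of problems. Use this option with care.
@@ -162,7 +162,7 @@
 details, see the Nixpkgs documentation.) It allows you to set
 package configuration options.
 
-Ignored when <code>nixpkgs.pkgs</code> is set.
+Ignored when <literal>nixpkgs.pkgs</literal> is set.
 '';
 };
 
@@ -188,9 +188,9 @@
 The first argument should be used for finding dependencies, and
 the second should be used for overriding recipes.
 
-If <code>nixpkgs.pkgs</code> is set, overlays specified here
+If <literal>nixpkgs.pkgs</literal> is set, overlays specified here
 will be applied after the overlays that were already present
-in <code>nixpkgs.pkgs</code>.
+in <literal>nixpkgs.pkgs</literal>.
 '';
 };
 
@@ -205,9 +205,9 @@
 description = ''
 Specifies the platform where the NixOS configuration will run.
 
-To cross-compile, set also <code>nixpkgs.buildPlatform</code>.
+To cross-compile, set also <literal>nixpkgs.buildPlatform</literal>.
 
-Ignored when <code>nixpkgs.pkgs</code> is set.
+Ignored when <literal>nixpkgs.pkgs</literal> is set.
 '';
 };
 
@@ -230,7 +230,7 @@
 or if you're building machines, you can set this to match your
 development system and/or build farm.
 
-Ignored when <code>nixpkgs.pkgs</code> is set.
+Ignored when <literal>nixpkgs.pkgs</literal> is set.
 '';
 };
 
@@ -253,7 +253,7 @@
 use the old options.
 
 Specifies the platform on which NixOS should be built. When
-<code>nixpkgs.crossSystem</code> is unset, it also specifies
+<literal>nixpkgs.crossSystem</literal> is unset, it also specifies
 the platform <emphasis>for</emphasis> which NixOS should be
 built. If this option is unset, it defaults to the platform
 type of the machine where evaluation happens. Specifying this
@@ -261,7 +261,7 @@
 deployment, or when building virtual machines. See its
 description in the Nixpkgs manual for more details.
 
-Ignored when <code>nixpkgs.pkgs</code> or <code>hostPlatform</code> is set.
+Ignored when <literal>nixpkgs.pkgs</literal> or <literal>hostPlatform</literal> is set.
 '';
 };
 
@@ -279,13 +279,13 @@
 
 Specifies the platform for which NixOS should be
 built. Specify this only if it is different from
-<code>nixpkgs.localSystem</code>, the platform
+<literal>nixpkgs.localSystem</literal>, the platform
 <emphasis>on</emphasis> which NixOS should be built. In other
 words, specify this to cross-compile NixOS. Otherwise it
 should be set as null, the default. See its description in the
 Nixpkgs manual for more details.
 
-Ignored when <code>nixpkgs.pkgs</code> or <code>hostPlatform</code> is set.
+Ignored when <literal>nixpkgs.pkgs</literal> or <literal>hostPlatform</literal> is set.
 '';
 };
 
@@ -316,7 +316,7 @@
 with a recently generated <literal>hardware-configuration.nix</literal>.
 
 Specifies the Nix platform type on which NixOS should be built.
-It is better to specify <code>nixpkgs.localSystem</code> instead.
+It is better to specify <literal>nixpkgs.localSystem</literal> instead.
 <programlisting>
 {
 nixpkgs.system = ..;
@@ -328,9 +328,9 @@
 nixpkgs.localSystem.system = ..;
 }
 </programlisting>
-See <code>nixpkgs.localSystem</code> for more information.
+See <literal>nixpkgs.localSystem</literal> for more information.
 
-Ignored when <code>nixpkgs.pkgs</code>, <code>nixpkgs.localSystem</code> or <code>nixpkgs.hostPlatform</code> is set.
+Ignored when <literal>nixpkgs.pkgs</literal>, <literal>nixpkgs.localSystem</literal> or <literal>nixpkgs.hostPlatform</literal> is set.
 '';
 };
 };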
+2 -2
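--- a/nixos/modules/programs/adb.nix
+++ b/nixos/modules/programs/adb.nix
@@ -11,10 +11,10 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Whether to configure system to use Android Debug Bridge (adb).
 To grant access to a user, it must be part of adbusers group:
-<code>users.users.alice.extraGroups = ["adbusers"];</code>
+`users.users.alice.extraGroups = ["adbusers"];`
 '';
 };
 };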
+3 -4
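--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -69,13 +69,12 @@
 };
 }
 '';
-description = ''
+description = lib.mdDoc ''
 Wrap the binaries in firejail and place them in the global path.
-</para>
-<para>
+
 You will get file collisions if you put the actual application binary in
 the global environment (such as by adding the application package to
-<code>environment.systemPackages</code>), and applications started via
+`environment.systemPackages`), and applications started via
 .desktop files are not wrapped if they specify the absolute path to the
 binary.
 '';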
+2 -2
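--- a/nixos/modules/programs/gphoto2.nix
+++ b/nixos/modules/programs/gphoto2.nix
@@ -11,11 +11,11 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Whether to configure system to use gphoto2.
 To grant digital camera access to a user, the user must
 be part of the camera group:
-<code>users.users.alice.extraGroups = ["camera"];</code>
+`users.users.alice.extraGroups = ["camera"];`
 '';
 };
 };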
+1 -1
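--- a/nixos/modules/programs/kdeconnect.nix
+++ b/nixos/modules/programs/kdeconnect.nix
@@ -8,7 +8,7 @@
 Note that it will open the TCP and UDP port from
 1714 to 1764 as they are needed for it to function properly.
 You can use the <option>package</option> to use
-<code>gnomeExtensions.gsconnect</code> as an alternative
+<literal>gnomeExtensions.gsconnect</literal> as an alternative
 implementation if you use Gnome.
 '';
 package = mkOption {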
+2 -2
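--- a/nixos/modules/programs/neovim.nix
+++ b/nixos/modules/programs/neovim.nix
@@ -72,9 +72,9 @@
 };
 }
 '';
-description = ''
+description = lib.mdDoc ''
 Generate your init file from your list of plugins and custom commands.
-Neovim will then be wrapped to load <command>nvim -u /nix/store/<replaceable>hash</replaceable>-vimrc</command>
+Neovim will then be wrapped to load {command}`nvim -u /nix/store/«hash»-vimrc`
 '';
 };
 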
+9 -9
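--- a/nixos/modules/programs/nncp.nix
+++ b/nixos/modules/programs/nncp.nix
@@ -33,24 +33,24 @@
 secrets = mkOption {
 type = with types; listOf str;
 example = [ "/run/keys/nncp.hjson" ];
-description = ''
+description = lib.mdDoc ''
 A list of paths to NNCP configuration files that should not be
 in the Nix store. These files are layered on top of the values at
-<xref linkend="opt-programs.nncp.settings"/>.
+[](#opt-programs.nncp.settings).
 '';
 };
 
 settings = mkOption {
 type = settingsFormat.type;
-description = ''
+description = lib.mdDoc ''
 NNCP configuration, see
-<link xlink:href="http://www.nncpgo.org/Configuration.html"/>.
+<http://www.nncpgo.org/Configuration.html>.
 At runtime these settings will be overlayed by the contents of
-<xref linkend="opt-programs.nncp.secrets"/> into the file
-<literal>${nncpCfgFile}</literal>. Node keypairs go in
-<literal>secrets</literal>, do not specify them in
-<literal>settings</literal> as they will be leaked into
-<literal>/nix/store</literal>!
+[](#opt-programs.nncp.secrets) into the file
+`${nncpCfgFile}`. Node keypairs go in
+`secrets`, do not specify them in
+`settings` as they will be leaked into
+`/nix/store`!
 '';
 default = { };
 };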
+1 -1
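--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -95,7 +95,7 @@
 default = "";
 description = ''
 Extra configuration text prepended to <filename>ssh_config</filename>. Other generated
-options will be added after a <code>Host *</code> pattern.
+options will be added after a <literal>Host *</literal> pattern.
 See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
 for help.
 '';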
+1 -1
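--- a/nixos/modules/programs/sway.nix
+++ b/nixos/modules/programs/sway.nix
@@ -39,7 +39,7 @@
 Sway, the i3-compatible tiling Wayland compositor. You can manually launch
 Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to
 ~/.config/sway/config to modify the default configuration. See
-<link xlink:href="https://github.com/swaywm/sway/wiki" /> and
+<link xlink:href="https://github.com/swaywm/sway/wiki"/> and
 "man 5 sway" for more information'';
 
 wrapperFeatures = mkOption {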
+3 -3
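--- a/nixos/modules/programs/turbovnc.nix
+++ b/nixos/modules/programs/turbovnc.nix
@@ -15,14 +15,14 @@
 ensureHeadlessSoftwareOpenGL = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to set up NixOS such that TurboVNC's built-in software OpenGL
 implementation works.
 
-This will enable <option>hardware.opengl.enable</option> so that OpenGL
+This will enable {option}`hardware.opengl.enable` so that OpenGL
 programs can find Mesa's llvmpipe drivers.
 
-Setting this option to <code>false</code> does not mean that software
+Setting this option to `false` does not mean that software
 OpenGL won't work; it may still work depending on your system
 configuration.
 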
+4 -4
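--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -504,8 +504,8 @@
 reloadServices = mkOption {
 type = types.listOf types.str;
 inherit (defaultAndText "reloadServices" []) default defaultText;
-description = ''
-The list of systemd services to call <code>systemctl try-reload-or-restart</code>
+description = lib.mdDoc ''
+The list of systemd services to call `systemctl try-reload-or-restart`
 on.
 '';
 };
@@ -581,8 +581,8 @@
 Turns on the OCSP Must-Staple TLS extension.
 Make sure you know what you're doing! See:
 <itemizedlist>
-<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
-<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
+<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/"/></para></listitem>
+<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html"/></para></listitem>
 </itemizedlist>
 '';
 };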
+1 -1
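--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@@ -61,7 +61,7 @@
 
 The value is the size (in bits) of the DH params to generate. The
 generated DH params path can be found in
-<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.
+<literal>config.security.dhparams.params.«name».path</literal>.
 
 <note><para>The name of the DH params is taken as being the name of
 the service it serves and the params will be generated before the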
+30 -30
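--- a/nixos/modules/security/doas.nix
+++ b/nixos/modules/security/doas.nix
@@ -62,19 +62,19 @@
 wheelNeedsPassword = mkOption {
 type = with types; bool;
 default = true;
-description = ''
-Whether users of the <code>wheel</code> group must provide a password to
-run commands as super user via <command>doas</command>.
+description = lib.mdDoc ''
+Whether users of the `wheel` group must provide a password to
+run commands as super user via {command}`doas`.
 '';
 };
 
 extraRules = mkOption {
 default = [];
-description = ''
+description = lib.mdDoc ''
 Define specific rules to be set in the
-<filename>/etc/doas.conf</filename> file. More specific rules should
+{file}`/etc/doas.conf` file. More specific rules should
 come after more general ones in order to yield the expected behavior.
-You can use <code>mkBefore</code> and/or <code>mkAfter</code> to ensure
+You can use `mkBefore` and/or `mkAfter` to ensure
 this is the case when configuration options are merged.
 '';
 example = literalExpression ''
@@ -113,8 +113,8 @@
 noPass = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <code>true</code>, the user is not required to enter a
+description = lib.mdDoc ''
+If `true`, the user is not required to enter a
 password.
 '';
 };
@@ -122,18 +122,18 @@
 noLog = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <code>true</code>, successful executions will not be logged
+description = lib.mdDoc ''
+If `true`, successful executions will not be logged
 to
-<citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+{manpage}`syslogd(8)`.
 '';
 };
 
 persist = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <code>true</code>, do not ask for a password again for some
+description = lib.mdDoc ''
+If `true`, do not ask for a password again for some
 time after the user successfully authenticates.
 '';
 };
@@ -141,10 +141,10 @@
 keepEnv = mkOption {
 type = with types; bool;
 default = false;
-description = ''
-If <code>true</code>, environment variables other than those
+description = lib.mdDoc ''
+If `true`, environment variables other than those
 listed in
-<citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+{manpage}`doas(1)`
 are kept when creating the environment for the new process.
 '';
 };
@@ -152,18 +152,18 @@
 setEnv = mkOption {
 type = with types; listOf str;
 default = [];
-description = ''
+description = lib.mdDoc ''
 Keep or set the specified variables. Variables may also be
 removed with a leading '-' or set using
-<code>variable=value</code>. If the first character of
-<code>value</code> is a '$', the value to be set is taken from
+`variable=value`. If the first character of
+`value` is a '$', the value to be set is taken from
 the existing environment variable of the indicated name. This
 option is processed after the default environment has been
 created.
 
-NOTE: All rules have <code>setenv { SSH_AUTH_SOCK }</code> by
-default. To prevent <code>SSH_AUTH_SOCK</code> from being
-inherited, add <code>"-SSH_AUTH_SOCK"</code> anywhere in this
+NOTE: All rules have `setenv { SSH_AUTH_SOCK }` by
+default. To prevent `SSH_AUTH_SOCK` from being
+inherited, add `"-SSH_AUTH_SOCK"` anywhere in this
 list.
 '';
 };
@@ -183,23 +183,23 @@
 runAs = mkOption {
 type = with types; nullOr str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Which user or group the specified command is allowed to run as.
-When set to <code>null</code> (the default), all users are
+When set to `null` (the default), all users are
 allowed.
 
 A user can be specified using just the username:
-<code>"foo"</code>. It is also possible to only allow running as
-a specific group with <code>":bar"</code>.
+`"foo"`. It is also possible to only allow running as
+a specific group with `":bar"`.
 '';
 };
 
 cmd = mkOption {
 type = with types; nullOr str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 The command the user is allowed to run. When set to
-<code>null</code> (the default), all commands are allowed.
+`null` (the default), all commands are allowed.
 
 NOTE: It is best practice to specify absolute paths. If a
 relative path is specified, only a restricted PATH will be
@@ -210,9 +210,9 @@
 args = mkOption {
 type = with types; nullOr (listOf str);
 default = null;
-description = ''
+description = lib.mdDoc ''
 Arguments that must be provided to the command. When set to
-<code>[]</code>, the command must be run without any arguments.
+`[]`, the command must be run without any arguments.
 '';
 };
 };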
+2 -2
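--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -52,7 +52,7 @@
 security.allowSimultaneousMultithreading = mkOption {
 type = types.bool;
 default = true;
-description = ''
+description = lib.mdDoc ''
 Whether to allow SMT/hyperthreading. Disabling SMT means that only
 physical CPU cores will be usable at runtime, potentially at
 significant performance cost.
@@ -62,7 +62,7 @@
 e.g., shared caches). This attack vector is unproven.
 
 Disabling SMT is a supplement to the L1 data cache flushing mitigation
-(see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>)
+(see [](#opt-security.virtualisation.flushL1DataCache))
 versus malicious VM guests (SMT could "bring back" previously flushed
 data).
 '';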
+50 -61
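--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -807,14 +807,14 @@
 default = config.krb5.enable;
 defaultText = literalExpression "config.krb5.enable";
 type = types.bool;
-description = ''
-Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
-<literal>pam-ccreds</literal>).
+description = lib.mdDoc ''
+Enables Kerberos PAM modules (`pam-krb5`,
+`pam-ccreds`).
 
 If set, users can authenticate with their Kerberos password.
 This requires a valid Kerberos configuration
-(<literal>config.krb5.enable</literal> should be set to
-<literal>true</literal>).
+(`config.krb5.enable` should be set to
+`true`).
 
 Note that the Kerberos PAM modules are not necessary when using SSS
 to handle Kerberos authentication.
@@ -826,13 +826,12 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables P11 PAM (<literal>pam_p11</literal>) module.
+description = lib.mdDoc ''
+Enables P11 PAM (`pam_p11`) module.
 
 If set, users can log in with SSH keys and PKCS#11 tokens.
 
-More information can be found <link
-xlink:href="https://github.com/OpenSC/pam_p11">here</link>.
+More information can be found [here](https://github.com/OpenSC/pam_p11).
 '';
 };
 
@@ -859,77 +858,71 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables U2F PAM (<literal>pam-u2f</literal>) module.
+description = lib.mdDoc ''
+Enables U2F PAM (`pam-u2f`) module.
 
 If set, users listed in
-<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
-<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
+{file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
+{file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
 not set) are able to log in with the associated U2F key. The path can
-be changed using <option>security.pam.u2f.authFile</option> option.
+be changed using {option}`security.pam.u2f.authFile` option.
 
 File format is:
-<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
-This file can be generated using <command>pamu2fcfg</command> command.
+`username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
+This file can be generated using {command}`pamu2fcfg` command.
 
-More information can be found <link
-xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
+More information can be found [here](https://developers.yubico.com/pam-u2f/).
 '';
 };
 
 authFile = mkOption {
 default = null;
 type = with types; nullOr path;
-description = ''
-By default <literal>pam-u2f</literal> module reads the keys from
-<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
-<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
+description = lib.mdDoc ''
+By default `pam-u2f` module reads the keys from
+{file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
+{file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
 not set).
 
 If you want to change auth file locations or centralize database (for
-example use <filename>/etc/u2f-mappings</filename>) you can set this
+example use {file}`/etc/u2f-mappings`) you can set this
 option.
 
 File format is:
-<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
-This file can be generated using <command>pamu2fcfg</command> command.
+`username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
+This file can be generated using {command}`pamu2fcfg` command.
 
-More information can be found <link
-xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
+More information can be found [here](https://developers.yubico.com/pam-u2f/).
 '';
 };
 
 appId = mkOption {
 default = null;
 type = with types; nullOr str;
-description = ''
-By default <literal>pam-u2f</literal> module sets the application
-ID to <literal>pam://$HOSTNAME</literal>.
+description = lib.mdDoc ''
+By default `pam-u2f` module sets the application
+ID to `pam://$HOSTNAME`.
 
-When using <command>pamu2fcfg</command>, you can specify your
-application ID with the <literal>-i</literal> flag.
+When using {command}`pamu2fcfg`, you can specify your
+application ID with the `-i` flag.
 
-More information can be found <link
-xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">
-here</link>
+More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
 '';
 };
 
 origin = mkOption {
 default = null;
 type = with types; nullOr str;
-description = ''
-By default <literal>pam-u2f</literal> module sets the origin
-to <literal>pam://$HOSTNAME</literal>.
+description = lib.mdDoc ''
+By default `pam-u2f` module sets the origin
+to `pam://$HOSTNAME`.
 Setting origin to an host independent value will allow you to
 reuse credentials across machines
 
-When using <command>pamu2fcfg</command>, you can specify your
-application ID with the <literal>-o</literal> flag.
+When using {command}`pamu2fcfg`, you can specify your
+application ID with the `-o` flag.
 
-More information can be found <link
-xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">
-here</link>
+More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
 '';
 };
 
@@ -985,18 +978,17 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
+description = lib.mdDoc ''
+Enables Uber's USSH PAM (`pam-ussh`) module.
 
-This is similar to <literal>pam-ssh-agent</literal>, except that
+This is similar to `pam-ssh-agent`, except that
 the presence of a CA-signed SSH key with a valid principal is checked
 instead.
 
 Note that this module must both be enabled using this option and on a
-per-PAM-service level as well (using <literal>usshAuth</literal>).
+per-PAM-service level as well (using `usshAuth`).
 
-More information can be found <link
-xlink:href="https://github.com/uber/pam-ussh">here</link>.
+More information can be found [here](https://github.com/uber/pam-ussh).
 '';
 };
 
@@ -1075,17 +1067,16 @@
 enable = mkOption {
 default = false;
 type = types.bool;
-description = ''
-Enables Yubico PAM (<literal>yubico-pam</literal>) module.
+description = lib.mdDoc ''
+Enables Yubico PAM (`yubico-pam`) module.
 
 If set, users listed in
-<filename>~/.yubico/authorized_yubikeys</filename>
+{file}`~/.yubico/authorized_yubikeys`
 are able to log in with the associated Yubikey tokens.
 
 The file must have only one line:
-<literal>username:yubikey_token_id1:yubikey_token_id2</literal>
-More information can be found <link
-xlink:href="https://developers.yubico.com/yubico-pam/">here</link>.
+`username:yubikey_token_id1:yubikey_token_id2`
+More information can be found [here](https://developers.yubico.com/yubico-pam/).
 '';
 };
 control = mkOption {
@@ -1120,7 +1111,7 @@
 mode = mkOption {
 default = "client";
 type = types.enum [ "client" "challenge-response" ];
-description = ''
+description = lib.mdDoc ''
 Mode of operation.
 
 Use "client" for online validation with a YubiKey validation service such as
@@ -1130,18 +1121,16 @@
 Challenge-Response configurations. See the man-page ykpamcfg(1) for further
 details on how to configure offline Challenge-Response validation.
 
-More information can be found <link
-xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
 '';
 };
 challengeResponsePath = mkOption {
 default = null;
 type = types.nullOr types.path;
-description = ''
+description = lib.mdDoc ''
 If not null, set the path used by yubico pam module where the challenge expected response is stored.
 
-More information can be found <link
-xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
 '';
 };
 };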
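Review bot: The converted `origin` description still reads "you can specify your application ID with the `-o` flag", which looks copied from `appId` (that option documents `-i` for the application ID). Going by the option name, the sentence should read "you can specify your origin with the `-o` flag". Since `origin` is the setting the text says allows credentials to be reused across machines, a reader enrolling keys with `pamu2fcfg` should not be left guessing which parameter each flag sets. The `appId` and `origin` descriptions also end their "More information can be found [here](…)" sentence without a period, unlike the other converted links in this file.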
+6 -9
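--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -31,10 +31,9 @@
 extraVolumes = mkOption {
 type = types.listOf types.str;
 default = [];
-description = ''
+description = lib.mdDoc ''
 List of volume definitions for pam_mount.
-For more information, visit <link
-xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />.
+For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
 '';
 };
 
@@ -64,22 +63,20 @@
 type = types.int;
 default = 0;
 example = 1;
-description = ''
+description = lib.mdDoc ''
 Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing,
 and 2 additionally enables tracing in mount.crypt. The default is 0.
-For more information, visit <link
-xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />.
+For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
 '';
 };
 
 logoutWait = mkOption {
 type = types.int;
 default = 0;
-description = ''
+description = lib.mdDoc ''
 Amount of microseconds to wait until killing remaining processes after
 final logout.
-For more information, visit <link
-xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />.
+For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
 '';
 };
 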
+2 -3
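--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -17,10 +17,9 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Enable USB login for all login systems that support it. For
-more information, visit <link
-xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />.
+more information, visit <https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users>.
 '';
 };
 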
+11 -11
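--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -55,19 +55,19 @@
 type = types.bool;
 default = true;
 description =
-''
-Whether users of the <code>wheel</code> group must
-provide a password to run commands as super user via <command>sudo</command>.
+lib.mdDoc ''
+Whether users of the `wheel` group must
+provide a password to run commands as super user via {command}`sudo`.
 '';
 };
 
 security.sudo.execWheelOnly = mkOption {
 type = types.bool;
 default = false;
-description = ''
-Only allow members of the <code>wheel</code> group to execute sudo by
+description = lib.mdDoc ''
+Only allow members of the `wheel` group to execute sudo by
 setting the executable's permissions accordingly.
-This prevents users that are not members of <code>wheel</code> from
+This prevents users that are not members of `wheel` from
 exploiting vulnerabilities in sudo such as CVE-2021-3156.
 '';
 };
@@ -139,12 +139,12 @@
 runAs = mkOption {
 type = with types; str;
 default = "ALL:ALL";
-description = ''
+description = lib.mdDoc ''
 Under which user/group the specified command is allowed to run.
 
-A user can be specified using just the username: <code>"foo"</code>.
-It is also possible to specify a user/group combination using <code>"foo:bar"</code>
-or to only allow running as a specific group with <code>":bar"</code>.
+A user can be specified using just the username: `"foo"`.
+It is also possible to specify a user/group combination using `"foo:bar"`
+or to only allow running as a specific group with `":bar"`.
 '';
 };
 
@@ -159,7 +159,7 @@
 type = with types; str;
 description = ''
 A command being either just a path to a binary to allow any arguments,
-the full command with arguments pre-set or with <code>""</code> used as the argument,
+the full command with arguments pre-set or with <literal>""</literal> used as the argument,
 not allowing arguments to the command at all.
 '';
 };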
+3 -3
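--- a/nixos/modules/services/backup/duplicity.nix
+++ b/nixos/modules/services/backup/duplicity.nix
@@ -63,9 +63,9 @@
 <citerefentry><refentrytitle>systemd.exec</refentrytitle>
 <manvolnum>5</manvolnum></citerefentry>. For example:
 <programlisting>
-PASSPHRASE=<replaceable>...</replaceable>
-AWS_ACCESS_KEY_ID=<replaceable>...</replaceable>
-AWS_SECRET_ACCESS_KEY=<replaceable>...</replaceable>
+PASSPHRASE=«...»
+AWS_ACCESS_KEY_ID=«...»
+AWS_SECRET_ACCESS_KEY=«...»
 </programlisting>
 '';
 };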
+1 -1
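--- a/nixos/modules/services/backup/restic.nix
+++ b/nixos/modules/services/backup/restic.nix
@@ -227,7 +227,7 @@
 type = types.package;
 default = pkgs.restic;
 defaultText = literalExpression "pkgs.restic";
-description = ''
+description = lib.mdDoc ''
 Restic package to use.
 '';
 };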
+3 -3
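--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -192,10 +192,10 @@
 target = mkOption {
 type = types.str;
 example = "user@server:pool/dataset";
-description = ''
+description = lib.mdDoc ''
 Target ZFS dataset. Can be either local
-(<replaceable>pool/dataset</replaceable>) or remote
-(<replaceable>user@server:pool/dataset</replaceable>).
+(«pool/dataset») or remote
+(«user@server:pool/dataset»).
 '';
 };
 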
+2 -3
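--- a/nixos/modules/services/backup/zrepl.nix
+++ b/nixos/modules/services/backup/zrepl.nix
@@ -22,9 +22,8 @@
 
 settings = mkOption {
 default = { };
-description = ''
-Configuration for zrepl. See <link
-xlink:href="https://zrepl.github.io/configuration.html"/>
+description = lib.mdDoc ''
+Configuration for zrepl. See <https://zrepl.github.io/configuration.html>
 for more information.
 '';
 type = types.submodule {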
+2 -3
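--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@@ -18,12 +18,11 @@
 enable = mkOption {
 default = false;
 example = true;
-description = ''
+description = lib.mdDoc ''
 Whether to enable GitHub Actions runner.
 
 Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here:
-<link xlink:href="https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners"
->About self-hosted runners</link>.
+[About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
 '';
 type = lib.types.bool;
 };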
+47 -47
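--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -113,15 +113,15 @@
 configFile = mkOption {
 type = types.nullOr types.path;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Configuration file for gitlab-runner.
 
-<option>configFile</option> takes precedence over <option>services</option>.
-<option>checkInterval</option> and <option>concurrent</option> will be ignored too.
+{option}`configFile` takes precedence over {option}`services`.
+{option}`checkInterval` and {option}`concurrent` will be ignored too.
 
-This option is deprecated, please use <option>services</option> instead.
-You can use <option>registrationConfigFile</option> and
-<option>registrationFlags</option>
+This option is deprecated, please use {option}`services` instead.
+You can use {option}`registrationConfigFile` and
+{option}`registrationFlags`
 for settings not covered by this module.
 '';
 };
@@ -130,16 +130,16 @@
 freeformType = (pkgs.formats.json { }).type;
 };
 default = { };
-description = ''
+description = lib.mdDoc ''
 Global gitlab-runner configuration. See
-<link xlink:href="https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section"/>
+<https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section>
 for supported values.
 '';
 };
 gracefulTermination = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Finish all remaining jobs before stopping.
 If not set gitlab-runner will stop immediatly without waiting
 for jobs to finish, which will lead to failed builds.
@@ -149,7 +149,7 @@
 type = types.str;
 default = "infinity";
 example = "5min 20s";
-description = ''
+description = lib.mdDoc ''
 Time to wait until a graceful shutdown is turned into a forceful one.
 '';
 };
@@ -158,17 +158,17 @@
 default = pkgs.gitlab-runner;
 defaultText = literalExpression "pkgs.gitlab-runner";
 example = literalExpression "pkgs.gitlab-runner_1_11";
-description = "Gitlab Runner package to use.";
+description = lib.mdDoc "Gitlab Runner package to use.";
 };
 extraPackages = mkOption {
 type = types.listOf types.package;
 default = [ ];
-description = ''
+description = lib.mdDoc ''
 Extra packages to add to PATH for the gitlab-runner process.
 '';
 };
 services = mkOption {
-description = "GitLab Runner services.";
+description = lib.mdDoc "GitLab Runner services.";
 default = { };
 example = literalExpression ''
 {
@@ -250,17 +250,17 @@
 options = {
 registrationConfigFile = mkOption {
 type = types.path;
-description = ''
+description = lib.mdDoc ''
 Absolute path to a file with environment variables
 used for gitlab-runner registration.
 A list of all supported environment variables can be found in
-<literal>gitlab-runner register --help</literal>.
+`gitlab-runner register --help`.
 
 Ones that you probably want to set is
 
-<literal>CI_SERVER_URL=&lt;CI server URL&gt;</literal>
+`CI_SERVER_URL=<CI server URL>`
 
-<literal>REGISTRATION_TOKEN=&lt;registration secret&gt;</literal>
+`REGISTRATION_TOKEN=<registration secret>`
 
 WARNING: make sure to use quoted absolute path,
 or it is going to be copied to Nix Store.
@@ -270,10 +270,10 @@
 type = types.listOf types.str;
 default = [ ];
 example = [ "--docker-helper-image my/gitlab-runner-helper" ];
-description = ''
+description = lib.mdDoc ''
 Extra command-line flags passed to
-<literal>gitlab-runner register</literal>.
-Execute <literal>gitlab-runner register --help</literal>
+`gitlab-runner register`.
+Execute `gitlab-runner register --help`
 for a list of supported flags.
 '';
 };
@@ -281,32 +281,32 @@
 type = types.attrsOf types.str;
 default = { };
 example = { NAME = "value"; };
-description = ''
+description = lib.mdDoc ''
 Custom environment variables injected to build environment.
-For secrets you can use <option>registrationConfigFile</option>
-with <literal>RUNNER_ENV</literal> variable set.
+For secrets you can use {option}`registrationConfigFile`
+with `RUNNER_ENV` variable set.
 '';
 };
 description = mkOption {
 type = types.nullOr types.str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Name/description of the runner.
 '';
 };
 executor = mkOption {
 type = types.str;
 default = "docker";
-description = ''
+description = lib.mdDoc ''
 Select executor, eg. shell, docker, etc.
-See <link xlink:href="https://docs.gitlab.com/runner/executors/README.html">runner documentation</link> for more information.
+See [runner documentation](https://docs.gitlab.com/runner/executors/README.html) for more information.
 '';
 };
 buildsDir = mkOption {
 type = types.nullOr types.path;
 default = null;
 example = "/var/lib/gitlab-runner/builds";
-description = ''
+description = lib.mdDoc ''
 Absolute path to a directory where builds will be stored
 in context of selected executor (Locally, Docker, SSH).
 '';
@@ -315,14 +315,14 @@
 type = types.nullOr types.str;
 default = null;
 example = "http://gitlab.example.local";
-description = ''
+description = lib.mdDoc ''
 Overwrite the URL for the GitLab instance. Used if the Runner can’t connect to GitLab on the URL GitLab exposes itself.
 '';
 };
 dockerImage = mkOption {
 type = types.nullOr types.str;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Docker image to be used.
 '';
 };
@@ -330,7 +330,7 @@
 type = types.listOf types.str;
 default = [ ];
 example = [ "/var/run/docker.sock:/var/run/docker.sock" ];
-description = ''
+description = lib.mdDoc ''
 Bind-mount a volume and create it
 if it doesn't exist prior to mounting.
 '';
@@ -338,14 +338,14 @@
 dockerDisableCache = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Disable all container caching.
 '';
 };
 dockerPrivileged = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Give extended privileges to container.
 '';
 };
@@ -353,7 +353,7 @@
 type = types.listOf types.str;
 default = [ ];
 example = [ "other-host:127.0.0.1" ];
-description = ''
+description = lib.mdDoc ''
 Add a custom host-to-IP mapping.
 '';
 };
@@ -361,7 +361,7 @@
 type = types.listOf types.str;
 default = [ ];
 example = [ "ruby:*" "python:*" "php:*" "my.registry.tld:5000/*:*" ];
-description = ''
+description = lib.mdDoc ''
 Whitelist allowed images.
 '';
 };
@@ -369,21 +369,21 @@
 type = types.listOf types.str;
 default = [ ];
 example = [ "postgres:9" "redis:*" "mysql:*" ];
-description = ''
+description = lib.mdDoc ''
 Whitelist allowed services.
 '';
 };
 preCloneScript = mkOption {
 type = types.nullOr types.path;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Runner-specific command script executed before code is pulled.
 '';
 };
 preBuildScript = mkOption {
 type = types.nullOr types.path;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Runner-specific command script executed after code is pulled,
 just before build executes.
 '';
@@ -391,7 +391,7 @@
 postBuildScript = mkOption {
 type = types.nullOr types.path;
 default = null;
-description = ''
+description = lib.mdDoc ''
 Runner-specific command script executed after code is pulled
 and just after build executes.
 '';
@@ -399,22 +399,22 @@
 tagList = mkOption {
 type = types.listOf types.str;
 default = [ ];
-description = ''
+description = lib.mdDoc ''
 Tag list.
 '';
 };
 runUntagged = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Register to run untagged builds; defaults to
-<literal>true</literal> when <option>tagList</option> is empty.
+`true` when {option}`tagList` is empty.
 '';
 };
 limit = mkOption {
 type = types.int;
 default = 0;
-description = ''
+description = lib.mdDoc ''
 Limit how many jobs can be handled concurrently by this service.
 0 (default) simply means don't limit.
 '';
@@ -422,14 +422,14 @@
 requestConcurrency = mkOption {
 type = types.int;
 default = 0;
-description = ''
+description = lib.mdDoc ''
 Limit number of concurrent requests for new jobs from GitLab.
 '';
 };
 maximumTimeout = mkOption {
 type = types.int;
 default = 0;
-description = ''
+description = lib.mdDoc ''
 What is the maximum timeout (in seconds) that will be set for
 job when using this Runner. 0 (default) simply means don't limit.
 '';
@@ -437,7 +437,7 @@
 protected = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 When set to true Runner will only run on pipelines
 triggered on protected branches.
 '';
@@ -445,9 +445,9 @@
 debugTraceDisabled = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 When set to true Runner will disable the possibility of
-using the <literal>CI_DEBUG_TRACE</literal> feature.
+using the `CI_DEBUG_TRACE` feature.
 '';
 };
 };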
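Review bot: The WARNING kept in the `registrationConfigFile` description says an unquoted path "is going to be copied to Nix Store" without saying why that matters for a file that carries `REGISTRATION_TOKEN`. The Nix store is world-readable, so the text should say so, for example `WARNING: pass the path as a quoted string; an unquoted path is copied into the world-readable Nix store, exposing the registration token to every local user.` The same applies to the `environmentVariables` text that points users at `registrationConfigFile` for secrets. In this section `dockerPrivileged` ("Give extended privileges to container.") would also benefit from one sentence stating that privileged job containers are not isolated from the host, and `immediatly` in `gracefulTermination` is a typo.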
+3 -3
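--- a/nixos/modules/services/databases/firebird.nix
+++ b/nixos/modules/services/databases/firebird.nix
@@ -47,9 +47,9 @@
  defaultText = literalExpression "pkgs.firebird";
  type = types.package;
  example = literalExpression "pkgs.firebird_3";
- description = ''
- Which Firebird package to be installed: <code>pkgs.firebird_3</code>
- For SuperServer use override: <code>pkgs.firebird_3.override { superServer = true; };</code>
+ description = lib.mdDoc ''
+ Which Firebird package to be installed: `pkgs.firebird_3`
+ For SuperServer use override: `pkgs.firebird_3.override { superServer = true; };`
  '';
  };
 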
+3 -3
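--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -201,7 +201,7 @@
  ensurePermissions = mkOption {
  type = types.attrsOf types.str;
  default = {};
- description = ''
+ description = lib.mdDoc ''
  Permissions to ensure for the user, specified as attribute set.
  The attribute names specify the database and tables to grant the permissions for,
  separated by a dot. You may use wildcards here.
@@ -210,8 +210,8 @@
 
  For more information on how to specify the target
  and on which privileges exist, see the
- <link xlink:href="https://mariadb.com/kb/en/library/grant/">GRANT syntax</link>.
- The attributes are used as <code>GRANT ''${attrName} ON ''${attrValue}</code>.
+ [GRANT syntax](https://mariadb.com/kb/en/library/grant/).
+ The attributes are used as `GRANT ''${attrName} ON ''${attrValue}`.
  '';
  example = literalExpression ''
  {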
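Review bot: The last sentence of the `ensurePermissions` description (new line 214) puts the attribute name before `ON` and the attribute value after it, which contradicts the first hunk's statement that the attribute names are the databases and tables. If names are the targets, the privileges (the values) belong before `ON`, so the sentence should read: The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`. The code that builds the statement is outside these hunks, so confirm the order against it; a reader who follows the current wording would write the attribute set the wrong way round and end up with grants other than the ones intended.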
+58 -73
nixos/modules/services/databases/neo4j.nix
··· 139 139 constrainLoadCsv = mkOption { 140 140 type = types.bool; 141 141 default = true; 142 - description = '' 142 + description = lib.mdDoc '' 143 143 Sets the root directory for file URLs used with the Cypher 144 - <literal>LOAD CSV</literal> clause to be that defined by 145 - <option>directories.imports</option>. It restricts 144 + `LOAD CSV` clause to be that defined by 145 + {option}`directories.imports`. It restricts 146 146 access to only those files within that directory and its 147 147 subdirectories. 148 - </para> 149 - <para> 150 - Setting this option to <literal>false</literal> introduces 148 + 149 + Setting this option to `false` introduces 151 150 possible security problems. 152 151 ''; 153 152 }; ··· 155 154 defaultListenAddress = mkOption { 156 155 type = types.str; 157 156 default = "127.0.0.1"; 158 - description = '' 157 + description = lib.mdDoc '' 159 158 Default network interface to listen for incoming connections. To 160 159 listen for connections on all interfaces, use "0.0.0.0". 161 - </para> 162 - <para> 160 + 163 161 Specifies the default IP address and address part of connector 164 - specific <option>listenAddress</option> options. To bind specific 162 + specific {option}`listenAddress` options. To bind specific 165 163 connectors to a specific network interfaces, specify the entire 166 - <option>listenAddress</option> option for that connector. 164 + {option}`listenAddress` option for that connector. 167 165 ''; 168 166 }; 169 167 ··· 227 225 sslPolicy = mkOption { 228 226 type = types.str; 229 227 default = "legacy"; 230 - description = '' 228 + description = lib.mdDoc '' 231 229 Neo4j SSL policy for BOLT traffic. 
232 - </para> 233 - <para> 230 + 234 231 The legacy policy is a special policy which is not defined in 235 232 the policy configuration section, but rather derives from 236 - <option>directories.certificates</option> and 237 - associated files (by default: <filename>neo4j.key</filename> and 238 - <filename>neo4j.cert</filename>). Its use will be deprecated. 239 - </para> 240 - <para> 233 + {option}`directories.certificates` and 234 + associated files (by default: {file}`neo4j.key` and 235 + {file}`neo4j.cert`). Its use will be deprecated. 236 + 241 237 Note: This connector must be configured to support/require 242 238 SSL/TLS for the legacy policy to actually be utilized. See 243 - <option>bolt.tlsLevel</option>. 239 + {option}`bolt.tlsLevel`. 244 240 ''; 245 241 }; 246 242 ··· 258 254 type = types.path; 259 255 default = "${cfg.directories.home}/certificates"; 260 256 defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"''; 261 - description = '' 257 + description = lib.mdDoc '' 262 258 Directory for storing certificates to be used by Neo4j for 263 259 TLS connections. 264 - </para> 265 - <para> 260 + 266 261 When setting this directory to something other than its default, 267 262 ensure the directory's existence, and that read/write permissions are 268 - given to the Neo4j daemon user <literal>neo4j</literal>. 269 - </para> 270 - <para> 263 + given to the Neo4j daemon user `neo4j`. 264 + 271 265 Note that changing this directory from its default will prevent 272 266 the directory structure required for each SSL policy from being 273 267 automatically generated. A policy's directory structure as defined by 274 - its <option>baseDirectory</option>,<option>revokedDir</option> and 275 - <option>trustedDir</option> must then be setup manually. The 268 + its {option}`baseDirectory`,{option}`revokedDir` and 269 + {option}`trustedDir` must then be setup manually. 
The 276 270 existence of these directories is mandatory, as well as the presence 277 271 of the certificate file and the private key. Ensure the correct 278 272 permissions are set on these directories and files. ··· 283 277 type = types.path; 284 278 default = "${cfg.directories.home}/data"; 285 279 defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"''; 286 - description = '' 280 + description = lib.mdDoc '' 287 281 Path of the data directory. You must not configure more than one 288 282 Neo4j installation to use the same data directory. 289 - </para> 290 - <para> 283 + 291 284 When setting this directory to something other than its default, 292 285 ensure the directory's existence, and that read/write permissions are 293 - given to the Neo4j daemon user <literal>neo4j</literal>. 286 + given to the Neo4j daemon user `neo4j`. 294 287 ''; 295 288 }; 296 289 ··· 309 302 type = types.path; 310 303 default = "${cfg.directories.home}/import"; 311 304 defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"''; 312 - description = '' 305 + description = lib.mdDoc '' 313 306 The root directory for file URLs used with the Cypher 314 - <literal>LOAD CSV</literal> clause. Only meaningful when 315 - <option>constrainLoadCvs</option> is set to 316 - <literal>true</literal>. 317 - </para> 318 - <para> 307 + `LOAD CSV` clause. Only meaningful when 308 + {option}`constrainLoadCvs` is set to 309 + `true`. 310 + 319 311 When setting this directory to something other than its default, 320 312 ensure the directory's existence, and that read permission is 321 - given to the Neo4j daemon user <literal>neo4j</literal>. 313 + given to the Neo4j daemon user `neo4j`. 
322 314 ''; 323 315 }; 324 316 ··· 326 318 type = types.path; 327 319 default = "${cfg.directories.home}/plugins"; 328 320 defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"''; 329 - description = '' 321 + description = lib.mdDoc '' 330 322 Path of the database plugin directory. Compiled Java JAR files that 331 323 contain database procedures will be loaded if they are placed in 332 324 this directory. 333 - </para> 334 - <para> 325 + 335 326 When setting this directory to something other than its default, 336 327 ensure the directory's existence, and that read permission is 337 - given to the Neo4j daemon user <literal>neo4j</literal>. 328 + given to the Neo4j daemon user `neo4j`. 338 329 ''; 339 330 }; 340 331 }; ··· 386 377 sslPolicy = mkOption { 387 378 type = types.str; 388 379 default = "legacy"; 389 - description = '' 380 + description = lib.mdDoc '' 390 381 Neo4j SSL policy for HTTPS traffic. 391 - </para> 392 - <para> 382 + 393 383 The legacy policy is a special policy which is not defined in the 394 384 policy configuration section, but rather derives from 395 - <option>directories.certificates</option> and 396 - associated files (by default: <filename>neo4j.key</filename> and 397 - <filename>neo4j.cert</filename>). Its use will be deprecated. 385 + {option}`directories.certificates` and 386 + associated files (by default: {file}`neo4j.key` and 387 + {file}`neo4j.cert`). Its use will be deprecated. 398 388 ''; 399 389 }; 400 390 }; ··· 417 407 allowKeyGeneration = mkOption { 418 408 type = types.bool; 419 409 default = false; 420 - description = '' 410 + description = lib.mdDoc '' 421 411 Allows the generation of a private key and associated self-signed 422 412 certificate. Only performed when both objects cannot be found for 423 413 this policy. It is recommended to turn this off again after keys 424 414 have been generated. 
425 - </para> 426 - <para> 415 + 427 416 The public certificate is required to be duplicated to the 428 417 directory holding trusted certificates as defined by the 429 - <option>trustedDir</option> option. 430 - </para> 431 - <para> 418 + {option}`trustedDir` option. 419 + 432 420 Keys should in general be generated and distributed offline by a 433 421 trusted certificate authority and not by utilizing this mode. 434 422 ''; ··· 438 426 type = types.path; 439 427 default = "${cfg.directories.certificates}/${name}"; 440 428 defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"''; 441 - description = '' 429 + description = lib.mdDoc '' 442 430 The mandatory base directory for cryptographic objects of this 443 431 policy. This path is only automatically generated when this 444 - option as well as <option>directories.certificates</option> are 432 + option as well as {option}`directories.certificates` are 445 433 left at their default. Ensure read/write permissions are given 446 - to the Neo4j daemon user <literal>neo4j</literal>. 447 - </para> 448 - <para> 434 + to the Neo4j daemon user `neo4j`. 435 + 449 436 It is also possible to override each individual 450 437 configuration with absolute paths. See the 451 - <option>privateKey</option> and <option>publicCertificate</option> 438 + {option}`privateKey` and {option}`publicCertificate` 452 439 policy options. 453 440 ''; 454 441 }; ··· 483 470 publicCertificate = mkOption { 484 471 type = types.str; 485 472 default = "public.crt"; 486 - description = '' 473 + description = lib.mdDoc '' 487 474 The name of public X.509 certificate (chain) file in PEM format 488 - for this policy to be found in the <option>baseDirectory</option>, 475 + for this policy to be found in the {option}`baseDirectory`, 489 476 or the absolute path to the certificate file. It is mandatory 490 477 that a certificate can be found or generated. 
491 - </para> 492 - <para> 478 + 493 479 The public certificate is required to be duplicated to the 494 480 directory holding trusted certificates as defined by the 495 - <option>trustedDir</option> option. 481 + {option}`trustedDir` option. 496 482 ''; 497 483 }; 498 484 ··· 536 522 type = types.path; 537 523 default = "${config.baseDirectory}/trusted"; 538 524 defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"''; 539 - description = '' 525 + description = lib.mdDoc '' 540 526 Path to directory of X.509 certificates in PEM format for 541 527 trusted parties. Must be an absolute path. The existence of this 542 528 directory is mandatory and will need to be created manually when: 543 529 setting this option to something other than its default; setting 544 - either this policy's <option>baseDirectory</option> or 545 - <option>directories.certificates</option> to something other than 530 + either this policy's {option}`baseDirectory` or 531 + {option}`directories.certificates` to something other than 546 532 their default. Ensure read/write permissions are given to the 547 - Neo4j daemon user <literal>neo4j</literal>. 548 - </para> 549 - <para> 533 + Neo4j daemon user `neo4j`. 534 + 550 535 The public certificate as defined by 551 - <option>publicCertificate</option> is required to be duplicated 536 + {option}`publicCertificate` is required to be duplicated 552 537 to this directory. 553 538 ''; 554 539 };
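Review bot: The converted `directories.imports` description refers to {option}`constrainLoadCvs`, but the option declared in the first hunk of this file is `constrainLoadCsv`, so the reference names an option that does not exist. Since this is the setting that confines `LOAD CSV` file URLs to the import directory, the cross-reference should be spelled `constrainLoadCsv` so readers can find it. In the same pass, the `constrainLoadCsv` text "introduces possible security problems" could say what the page already implies: with `false`, file URLs are no longer restricted to that directory and its subdirectories. The `directories.certificates` description also lacks a space in `{option}`baseDirectory`,{option}`revokedDir``.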
+5 -5
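--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -88,7 +88,7 @@
  enable = mkOption {
  type = types.bool;
  default = false;
- description = "Whether to enable the ldap server.";
+ description = lib.mdDoc "Whether to enable the ldap server.";
  };
 
  package = mkOption {
@@ -173,9 +173,9 @@
  configDir = mkOption {
  type = types.nullOr types.path;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  Use this config directory instead of generating one from the
- <literal>settings</literal> option. Overrides all NixOS settings.
+ `settings` option. Overrides all NixOS settings.
  '';
  example = "/var/lib/openldap/slapd.d";
  };
@@ -183,9 +183,9 @@
  mutableConfig = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to allow writable on-line configuration. If
- <literal>true</literal>, the NixOS settings will only be used to
+ `true`, the NixOS settings will only be used to
  initialize the OpenLDAP configuration if it does not exist, and are
  subsequently ignored.
  '';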
+4 -4
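--- a/nixos/modules/services/databases/pgmanage.nix
+++ b/nixos/modules/services/databases/pgmanage.nix
@@ -62,12 +62,12 @@
  nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
  mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
  };
- description = ''
+ description = lib.mdDoc ''
  pgmanage requires at least one PostgreSQL server be defined.
- </para><para>
+
  Detailed information about PostgreSQL connection strings is available at:
- <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
- </para><para>
+ <http://www.postgresql.org/docs/current/static/libpq-connect.html>
+
  Note that you should not specify your user name or password. That
  information will be entered on the login screen. If you specify a
  username or password, it will be removed by pgmanage before attempting to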
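Review bot: The converted autolink on new line 69 still uses the plain `http://` scheme for the PostgreSQL documentation, while the postgresql.nix links converted in this same commit use `https://www.postgresql.org/...`. Since the line is being rewritten anyway, I would switch it to `<https://www.postgresql.org/docs/current/static/libpq-connect.html>` so the manual does not send readers to security-relevant connection documentation over an unauthenticated link. The description continues past the end of the hunk.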
+4 -5
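--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -81,8 +81,7 @@
  default = "";
  description = ''
  Defines how users authenticate themselves to the server. See the
- <link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">
- PostgreSQL documentation for pg_hba.conf</link>
+ <link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">PostgreSQL documentation for pg_hba.conf</link>
  for details on the expected format of this option. By default,
  peer based authentication will be used for users connecting
  via the Unix socket, and md5 password authentication will be
@@ -150,7 +149,7 @@
  ensurePermissions = mkOption {
  type = types.attrsOf types.str;
  default = {};
- description = ''
+ description = lib.mdDoc ''
  Permissions to ensure for the user, specified as an attribute set.
  The attribute names specify the database and tables to grant the permissions for.
  The attribute values specify the permissions to grant. You may specify one or
@@ -158,8 +157,8 @@
 
  For more information on how to specify the target
  and on which privileges exist, see the
- <link xlink:href="https://www.postgresql.org/docs/current/sql-grant.html">GRANT syntax</link>.
- The attributes are used as <code>GRANT ''${attrValue} ON ''${attrName}</code>.
+ [GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
+ The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
  '';
  example = literalExpression ''
  {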
+4 -4
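--- a/nixos/modules/services/databases/victoriametrics.nix
+++ b/nixos/modules/services/databases/victoriametrics.nix
@@ -28,10 +28,10 @@
  extraOptions = mkOption {
  type = types.listOf types.str;
  default = [];
- description = ''
- Extra options to pass to VictoriaMetrics. See the README: <link
- xlink:href="https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md" />
- or <command>victoriametrics -help</command> for more
+ description = lib.mdDoc ''
+ Extra options to pass to VictoriaMetrics. See the README:
+ <https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md>
+ or {command}`victoriametrics -help` for more
  information.
  '';
  };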
+1 -1
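--- a/nixos/modules/services/development/zammad.nix
+++ b/nixos/modules/services/development/zammad.nix
@@ -139,7 +139,7 @@
  '';
  description = ''
  The <filename>database.yml</filename> configuration file as key value set.
- See <link xlink:href='TODO' />
+ See <link xlink:href="TODO"/>
  for list of configuration parameters.
  '';
  };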
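Review bot: The link target on new line 142 is still the literal placeholder `TODO`, so the rendered manual gives readers of this `database.yml` option a dead reference instead of the list of configuration parameters it promises. Only the quoting of the attribute changed here; either fill in the upstream documentation URL or drop the sentence `See … for list of configuration parameters.` until one is chosen. The option declaration starts before the hunk, so the option's name is not visible here.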
+3 -1
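--- a/nixos/modules/services/games/asf.nix
+++ b/nixos/modules/services/games/asf.nix
@@ -136,7 +136,9 @@
  };
  settings = mkOption {
  type = types.attrs;
- description = "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>.";
+ description = lib.mdDoc ''
+ Additional settings that are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config).
+ '';
  default = { };
  };
  };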
+7 -7
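--- a/nixos/modules/services/hardware/kanata.nix
+++ b/nixos/modules/services/hardware/kanata.nix
@@ -10,7 +10,7 @@
  device = mkOption {
  type = types.str;
  example = "/dev/input/by-id/usb-0000_0000-event-kbd";
- description = "Path to the keyboard device.";
+ description = lib.mdDoc "Path to the keyboard device.";
  };
  config = mkOption {
  type = types.lines;
@@ -33,18 +33,18 @@
  ;; tap within 100ms for capslk, hold more than 100ms for lctl
  cap (tap-hold 100 100 caps lctl))
  '';
- description = ''
+ description = lib.mdDoc ''
  Configuration other than defcfg.
- See <link xlink:href="https://github.com/jtroo/kanata"/> for more information.
+ See <https://github.com/jtroo/kanata> for more information.
  '';
  };
  extraDefCfg = mkOption {
  type = types.lines;
  default = "";
  example = "danger-enable-cmd yes";
- description = ''
+ description = lib.mdDoc ''
  Configuration of defcfg other than linux-dev.
- See <link xlink:href="https://github.com/jtroo/kanata"/> for more information.
+ See <https://github.com/jtroo/kanata> for more information.
  '';
  };
  };
@@ -131,7 +131,7 @@
  default = pkgs.kanata;
  defaultText = lib.literalExpression "pkgs.kanata";
  example = lib.literalExpression "pkgs.kanata-with-cmd";
- description = ''
+ description = lib.mdDoc ''
  kanata package to use.
  If you enable danger-enable-cmd, pkgs.kanata-with-cmd should be used.
  '';
@@ -139,7 +139,7 @@
  keyboards = mkOption {
  type = types.attrsOf (types.submodule keyboard);
  default = { };
- description = "Keyboard configurations.";
+ description = lib.mdDoc "Keyboard configurations.";
  };
  };
 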
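Review bot: The `extraDefCfg` example in the second hunk is `danger-enable-cmd yes`, and neither its description nor the `package` description in the third hunk says what that setting permits. In kanata this defcfg entry turns on the `cmd` action, which lets a key binding start an external program, so copying the example enables command execution from the keyboard configuration with whatever privileges the service runs under (the unit definition is outside these hunks). I would add a sentence to the `extraDefCfg` description such as `Note that danger-enable-cmd lets key bindings run arbitrary commands; enable it only for a configuration you trust.`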
+3 -6
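--- a/nixos/modules/services/hardware/lcd.nix
+++ b/nixos/modules/services/hardware/lcd.nix
@@ -63,8 +63,7 @@
  default = false;
  description = ''
  Set group-write permissions on a USB device.
- </para>
- <para>
+
  A USB connected LCD panel will most likely require having its
  permissions modified for lcdd to write to it. Enabling this option
  sets group-write permissions on the device identified by
@@ -72,13 +71,11 @@
  <option>services.hardware.lcd.usbPid</option>. In order to find the
  values, you can run the <command>lsusb</command> command. Example
  output:
- </para>
- <para>
+
  <literal>
  Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface
  </literal>
- </para>
- <para>
+
  In this case the vendor id is 0403 and the product id is c630.
  '';
  };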
+11 -12
nixos/modules/services/hardware/udev.nix
··· 209 209 packages = mkOption { 210 210 type = types.listOf types.path; 211 211 default = []; 212 - description = '' 213 - List of packages containing <command>udev</command> rules. 212 + description = lib.mdDoc '' 213 + List of packages containing {command}`udev` rules. 214 214 All files found in 215 - <filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and 216 - <filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename> 215 + {file}`«pkg»/etc/udev/rules.d` and 216 + {file}`«pkg»/lib/udev/rules.d` 217 217 will be included. 218 218 ''; 219 219 apply = map getBin; ··· 281 281 networking.usePredictableInterfaceNames = mkOption { 282 282 default = true; 283 283 type = types.bool; 284 - description = '' 285 - Whether to assign <link 286 - xlink:href='http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames'>predictable 287 - names to network interfaces</link>. If enabled, interfaces 284 + description = lib.mdDoc '' 285 + Whether to assign [predictable names to network interfaces](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames). 286 + If enabled, interfaces 288 287 are assigned names that contain topology information 289 - (e.g. <literal>wlp3s0</literal>) and thus should be stable 288 + (e.g. `wlp3s0`) and thus should be stable 290 289 across reboots. If disabled, names depend on the order in 291 290 which interfaces are discovered by the kernel, which may 292 291 change randomly across reboots; for instance, you may find 293 - <literal>eth0</literal> and <literal>eth1</literal> flipping 292 + `eth0` and `eth1` flipping 294 293 unpredictably. 295 294 ''; 296 295 }; ··· 306 305 307 306 List of packages containing <command>udev</command> rules that will be copied to stage 1. 
308 307 All files found in 309 - <filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and 310 - <filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename> 308 + <filename>«pkg»/etc/udev/rules.d</filename> and 309 + <filename>«pkg»/lib/udev/rules.d</filename> 311 310 will be included. 312 311 ''; 313 312 };
+11 -12
nixos/modules/services/logging/filebeat.nix
··· 31 31 }; 32 32 33 33 inputs = mkOption { 34 - description = '' 34 + description = lib.mdDoc '' 35 35 Inputs specify how Filebeat locates and processes input data. 36 36 37 - This is like <literal>services.filebeat.settings.filebeat.inputs</literal>, 37 + This is like `services.filebeat.settings.filebeat.inputs`, 38 38 but structured as an attribute set. This has the benefit 39 39 that multiple NixOS modules can contribute settings to a 40 40 single filebeat input. 41 41 42 42 An input type can be specified multiple times by choosing a 43 - different <literal>&lt;name></literal> for each, but setting 44 - <xref linkend="opt-services.filebeat.inputs._name_.type"/> 43 + different `<name>` for each, but setting 44 + [](#opt-services.filebeat.inputs._name_.type) 45 45 to the same value. 46 46 47 - See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html"/>. 47 + See <https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html>. 48 48 ''; 49 49 default = {}; 50 50 type = types.attrsOf (types.submodule ({ name, ... }: { ··· 77 77 }; 78 78 79 79 modules = mkOption { 80 - description = '' 80 + description = lib.mdDoc '' 81 81 Filebeat modules provide a quick way to get started 82 82 processing common log formats. They contain default 83 83 configurations, Elasticsearch ingest pipeline definitions, 84 84 and Kibana dashboards to help you implement and deploy a log 85 85 monitoring solution. 86 86 87 - This is like <literal>services.filebeat.settings.filebeat.modules</literal>, 87 + This is like `services.filebeat.settings.filebeat.modules`, 88 88 but structured as an attribute set. This has the benefit 89 89 that multiple NixOS modules can contribute settings to a 90 90 single filebeat module. 
91 91 92 92 A module can be specified multiple times by choosing a 93 - different <literal>&lt;name></literal> for each, but setting 94 - <xref linkend="opt-services.filebeat.modules._name_.module"/> 93 + different `<name>` for each, but setting 94 + [](#opt-services.filebeat.modules._name_.module) 95 95 to the same value. 96 96 97 - See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html"/>. 97 + See <https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html>. 98 98 ''; 99 99 default = {}; 100 100 type = types.attrsOf (types.submodule ({ name, ... }: { ··· 161 161 internal = true; 162 162 description = '' 163 163 Inputs specify how Filebeat locates and processes 164 - input data. Use <xref 165 - linkend="opt-services.filebeat.inputs"/> instead. 164 + input data. Use <xref linkend="opt-services.filebeat.inputs"/> instead. 166 165 167 166 See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html"/>. 168 167 '';
+5 -5
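--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@@ -276,9 +276,9 @@
  defaultText = ''
  A configuration file automatically generated by NixOS.
  '';
- description = ''
+ description = lib.mdDoc ''
  Override the configuration file used by MySQL. By default,
- NixOS generates one automatically from <xref linkend="opt-services.logrotate.settings"/>.
+ NixOS generates one automatically from [](#opt-services.logrotate.settings).
  '';
  example = literalExpression ''
  pkgs.writeText "logrotate.conf" '''
@@ -346,11 +346,11 @@
  extraConfig = mkOption {
  default = "";
  type = types.lines;
- description = ''
+ description = lib.mdDoc ''
  Extra contents to append to the logrotate configuration file. Refer to
- <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details.
+ <https://linux.die.net/man/8/logrotate> for details.
  This setting has been deprecated in favor of
- <link linkend="opt-services.logrotate.settings">logrotate settings</link>.
+ [logrotate settings](#opt-services.logrotate.settings).
  '';
  };
  };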
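Review bot: The description in the first hunk says the option overrides "the configuration file used by MySQL", but this is logrotate.nix and the same sentence goes on to reference `opt-services.logrotate.settings`, so the service name looks like a copy-paste leftover. The line is unchanged context here, but the description is re-rendered by this conversion; it should read `Override the configuration file used by logrotate. By default,`. The option declaration starts before the hunk, so its name is not visible here.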
+2 -2
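--- a/nixos/modules/services/mail/mailman.nix
+++ b/nixos/modules/services/mail/mailman.nix
@@ -112,9 +112,9 @@
  bindPasswordFile = mkOption {
  type = types.str;
  example = "/run/secrets/ldap-bind";
- description = ''
+ description = lib.mdDoc ''
  Path to the file containing the bind password of the servie account
- defined by <xref linkend="opt-services.mailman.ldap.bindDn" />.
+ defined by [](#opt-services.mailman.ldap.bindDn).
  '';
  };
  superUserGroup = mkOption {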
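Review bot: The `bindPasswordFile` description contains the typo `servie account`; since the description is being converted, the line should read `Path to the file containing the bind password of the service account`. The description also does not say which user must be able to read the file; if that is known from the unit definition (outside this hunk), one sentence stating it would help operators keep the secret's permissions tight.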
+6 -6
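--- a/nixos/modules/services/mail/nullmailer.nix
+++ b/nixos/modules/services/mail/nullmailer.nix
@@ -38,11 +38,11 @@
  remotesFile = mkOption {
  type = types.nullOr types.str;
  default = null;
- description = ''
- Path to the <code>remotes</code> control file. This file contains a
+ description = lib.mdDoc ''
+ Path to the `remotes` control file. This file contains a
  list of remote servers to which to send each message.
 
- See <code>man 8 nullmailer-send</code> for syntax and available
+ See `man 8 nullmailer-send` for syntax and available
  options.
  '';
  };
@@ -153,17 +153,17 @@
  remotes = mkOption {
  type = types.nullOr types.str;
  default = null;
- description = ''
+ description = lib.mdDoc ''
  A list of remote servers to which to send each message. Each line
  contains a remote host name or address followed by an optional
  protocol string, separated by white space.
 
- See <code>man 8 nullmailer-send</code> for syntax and available
+ See `man 8 nullmailer-send` for syntax and available
  options.
 
  WARNING: This is stored world-readable in the nix store. If you need
  to specify any secret credentials here, consider using the
- <code>remotesFile</code> option instead.
+ `remotesFile` option instead.
  '';
  };
 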
+3 -3
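--- a/nixos/modules/services/mail/postfixadmin.nix
+++ b/nixos/modules/services/mail/postfixadmin.nix
@@ -13,12 +13,12 @@
  enable = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to enable postfixadmin.
 
  Also enables nginx virtual host management.
- Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
- See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
+ Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`.
+ See [](#opt-services.nginx.virtualHosts) for further information.
  '';
  };
 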
+5 -5
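--- a/nixos/modules/services/mail/public-inbox.nix
+++ b/nixos/modules/services/mail/public-inbox.nix
@@ -23,10 +23,10 @@
  port = mkOption {
  type = with types; nullOr (either str port);
  default = defaultPort;
- description = ''
+ description = lib.mdDoc ''
  Listening port.
  Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not.
- Set to null and use <code>systemd.sockets.public-inbox-${proto}d.listenStreams</code>
+ Set to null and use `systemd.sockets.public-inbox-${proto}d.listenStreams`
  if you need a more advanced listening.
  '';
  };
@@ -239,11 +239,11 @@
  type = with types; nullOr (either str port);
  default = 80;
  example = "/run/public-inbox-httpd.sock";
- description = ''
+ description = lib.mdDoc ''
  Listening port or systemd's ListenStream= entry
  to be used as a reverse proxy, eg. in nginx:
- <code>locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";</code>
- Set to null and use <code>systemd.sockets.public-inbox-httpd.listenStreams</code>
+ `locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";`
+ Set to null and use `systemd.sockets.public-inbox-httpd.listenStreams`
  if you need a more advanced listening.
  '';
  };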
+5 -5
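--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -14,12 +14,12 @@
  enable = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to enable roundcube.
 
  Also enables nginx virtual host management.
- Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
- See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
+ Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`.
+ See [](#opt-services.nginx.virtualHosts) for further information.
  '';
  };
 
@@ -99,11 +99,11 @@
  maxAttachmentSize = mkOption {
  type = types.int;
  default = 18;
- description = ''
+ description = lib.mdDoc ''
  The maximum attachment size in MB.
 
  Note: Since roundcube only uses 70% of max upload values configured in php
- 30% is added automatically to <xref linkend="opt-services.roundcube.maxAttachmentSize"/>.
+ 30% is added automatically to [](#opt-services.roundcube.maxAttachmentSize).
  '';
  apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.3)}M";
  };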
+9 -9
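--- a/nixos/modules/services/mail/sympa.nix
+++ b/nixos/modules/services/mail/sympa.nix
@@ -86,9 +86,9 @@
  type = str;
  default = "en_US";
  example = "cs";
- description = ''
+ description = lib.mdDoc ''
  Default Sympa language.
- See <link xlink:href='https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa' />
+ See <https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa>
  for available options.
  '';
  };
@@ -136,9 +136,9 @@
  example = {
  default_max_list_members = 3;
  };
- description = ''
- The <filename>robot.conf</filename> configuration file as key value set.
- See <link xlink:href='https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html' />
+ description = lib.mdDoc ''
+ The {file}`robot.conf` configuration file as key value set.
+ See <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html>
  for list of configuration parameters.
  '';
  };
@@ -242,7 +242,7 @@
  description = ''
  The webserver used for the Sympa web interface. Set it to `none` if you want to configure it yourself.
  Further nginx configuration can be done by adapting
- <option>services.nginx.virtualHosts.<replaceable>name</replaceable></option>.
+ <option>services.nginx.virtualHosts.«name»</option>.
  '';
  };
 
@@ -285,9 +285,9 @@
  viewlogs_page_size = 50;
  }
  '';
- description = ''
- The <filename>sympa.conf</filename> configuration file as key value set.
- See <link xlink:href='https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html' />
+ description = lib.mdDoc ''
+ The {file}`sympa.conf` configuration file as key value set.
+ See <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html>
  for list of configuration parameters.
  '';
  };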
+5 -12
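--- a/nixos/modules/services/matrix/appservice-discord.nix
+++ b/nixos/modules/services/matrix/appservice-discord.nix
@@ -40,23 +40,16 @@
 };
 }
 '';
-description = ''
-<filename>config.yaml</filename> configuration as a Nix attribute set.
-</para>
+description = lib.mdDoc ''
+{file}`config.yaml` configuration as a Nix attribute set.
 
-<para>
 Configuration options should match those described in
-<link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml">
-config.sample.yaml</link>.
-</para>
+[config.sample.yaml](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml).
 
-<para>
-<option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option>
+{option}`config.bridge.domain` and {option}`config.bridge.homeserverUrl`
 should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work.
-</para>
 
-<para>
-Secret tokens should be specified using <option>environmentFile</option>
+Secret tokens should be specified using {option}`environmentFile`
 instead of this world-readable attribute set.
 '';
 };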
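Review bot: The last paragraph of this description, the one telling users to keep secret tokens out of the world-readable attribute set, still renders as an ordinary trailing paragraph after the conversion. The Markdown renderer added to mergeJSON.py in this change maps `.warning` to a warning admonition, so that paragraph could be wrapped in a `::: {.warning}` … `:::` block to make it stand out from the configuration reference text around it. The same sentence is converted the same way in mautrix-facebook.nix and mautrix-telegram.nix. Whether admonitions are accepted inside option descriptions is inferred from the renderer and should be confirmed with a manual build.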
+4 -7
nixos/modules/services/matrix/mautrix-facebook.nix
··· 75 75 }; 76 76 } 77 77 ''; 78 - description = '' 79 - <filename>config.yaml</filename> configuration as a Nix attribute set. 78 + description = lib.mdDoc '' 79 + {file}`config.yaml` configuration as a Nix attribute set. 80 80 Configuration options should match those described in 81 - <link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml"> 82 - example-config.yaml</link>. 83 - </para> 81 + [example-config.yaml](https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml). 84 82 85 - <para> 86 - Secret tokens should be specified using <option>environmentFile</option> 83 + Secret tokens should be specified using {option}`environmentFile` 87 84 instead of this world-readable attribute set. 88 85 ''; 89 86 };
+4 -7
nixos/modules/services/matrix/mautrix-telegram.nix
··· 78 78 }; 79 79 } 80 80 ''; 81 - description = '' 82 - <filename>config.yaml</filename> configuration as a Nix attribute set. 81 + description = lib.mdDoc '' 82 + {file}`config.yaml` configuration as a Nix attribute set. 83 83 Configuration options should match those described in 84 - <link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml"> 85 - example-config.yaml</link>. 86 - </para> 84 + [example-config.yaml](https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml). 87 85 88 - <para> 89 - Secret tokens should be specified using <option>environmentFile</option> 86 + Secret tokens should be specified using {option}`environmentFile` 90 87 instead of this world-readable attribute set. 91 88 ''; 92 89 };
+4 -4
nixos/modules/services/misc/autorandr.nix
··· 27 27 options = { 28 28 fingerprint = mkOption { 29 29 type = types.attrsOf types.str; 30 - description = '' 30 + description = lib.mdDoc '' 31 31 Output name to EDID mapping. 32 - Use <code>autorandr --fingerprint</code> to get current setup values. 32 + Use `autorandr --fingerprint` to get current setup values. 33 33 ''; 34 34 default = { }; 35 35 }; ··· 154 154 }); 155 155 description = '' 156 156 Output scale configuration. 157 - </para><para> 157 + 158 158 Either configure by pixels or a scaling factor. When using pixel method the 159 159 <citerefentry> 160 160 <refentrytitle>xrandr</refentrytitle> ··· 165 165 will be used; when using factor method the option 166 166 <parameter class="command">--scale</parameter> 167 167 will be used. 168 - </para><para> 168 + 169 169 This option is a shortcut version of the transform option and they are mutually 170 170 exclusive. 171 171 '';
+5 -8
nixos/modules/services/misc/bees.nix
··· 11 11 fsOptions = with types; { 12 12 options.spec = mkOption { 13 13 type = str; 14 - description = '' 14 + description = lib.mdDoc '' 15 15 Description of how to identify the filesystem to be duplicated by this 16 16 instance of bees. Note that deduplication crosses subvolumes; one must 17 17 not configure multiple instances for subvolumes of the same filesystem 18 18 (or block devices which are part of the same filesystem), but only for 19 19 completely independent btrfs filesystems. 20 - </para> 21 - <para> 20 + 22 21 This must be in a format usable by findmnt; that could be a key=value 23 22 pair, or a bare path to a mount point. 24 23 Using bare paths will allow systemd to start the beesd service only ··· 29 28 options.hashTableSizeMB = mkOption { 30 29 type = types.addCheck types.int (n: mod n 16 == 0); 31 30 default = 1024; # 1GB; default from upstream beesd script 32 - description = '' 31 + description = lib.mdDoc '' 33 32 Hash table size in MB; must be a multiple of 16. 34 - </para> 35 - <para> 33 + 36 34 A larger ratio of index size to storage size means smaller blocks of 37 35 duplicate content are recognized. 38 - </para> 39 - <para> 36 + 40 37 If you have 1TB of data, a 4GB hash table (which is to say, a value of 41 38 4096) will permit 4KB extents (the smallest possible size) to be 42 39 recognized, whereas a value of 1024 -- creating a 1GB hash table --
+2 -2
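--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@@ -125,9 +125,9 @@
 };
 
 extraConf = mkOption {
-description = ''
+description = lib.mdDoc ''
 Etcd extra configuration. See
-<link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags' />
+<https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags>
 '';
 type = types.attrsOf types.str;
 default = {};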
+2 -2
nixos/modules/services/misc/etebase-server.nix
··· 135 135 default = {}; 136 136 description = '' 137 137 Configuration for <package>etebase-server</package>. Refer to 138 - <link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example" /> 139 - and <link xlink:href="https://github.com/etesync/server/wiki" /> 138 + <link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example"/> 139 + and <link xlink:href="https://github.com/etesync/server/wiki"/> 140 140 for details on supported values. 141 141 ''; 142 142 example = {
+2 -3
nixos/modules/services/misc/geoipupdate.nix
··· 40 40 description = '' 41 41 <productname>geoipupdate</productname> configuration 42 42 options. See 43 - <link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md" /> 43 + <link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md"/> 44 44 for a full list of available options. 45 45 46 46 Settings containing secret data should be set to an ··· 92 92 93 93 Always handled as a secret whether the value is 94 94 wrapped in a <literal>{ _secret = ...; }</literal> 95 - attrset or not (refer to <xref 96 - linkend="opt-services.geoipupdate.settings" /> for 95 + attrset or not (refer to <xref linkend="opt-services.geoipupdate.settings"/> for 97 96 details). 98 97 ''; 99 98 apply = x: if isAttrs x then x else { _secret = x; };
+1 -1
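--- a/nixos/modules/services/misc/klipper.nix
+++ b/nixos/modules/services/misc/klipper.nix
@@ -71,7 +71,7 @@
 };
 
 firmwares = mkOption {
-description = "Firmwares klipper should manage";
+description = lib.mdDoc "Firmwares klipper should manage";
 default = { };
 type = with types; attrsOf
 (submodule {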
+2 -4
nixos/modules/services/misc/nix-daemon.nix
··· 636 636 <manvolnum>5</manvolnum> 637 637 </citerefentry> for avalaible options. 638 638 The value declared here will be translated directly to the key-value pairs Nix expects. 639 - </para> 640 - <para> 639 + 641 640 You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.nix.settings</command> 642 641 to view the current value. By default it is empty. 643 - </para> 644 - <para> 642 + 645 643 Nix configurations defined under <option>nix.*</option> will be translated and applied to this 646 644 option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended 647 645 verbatim to the resulting config file.
+2 -2
nixos/modules/services/misc/persistent-evdev.nix
··· 22 22 Physical devices should already exist in <filename class="devicefile">/dev/input/by-id/</filename>. 23 23 Proxy devices will be automatically given a <literal>uinput-</literal> prefix. 24 24 25 - See the <link xlink:href="https://github.com/aiberia/persistent-evdev#example-usage-with-libvirt"> 26 - project page</link> for example configuration of virtual devices with libvirt 25 + See the <link xlink:href="https://github.com/aiberia/persistent-evdev#example-usage-with-libvirt">project page</link> 26 + for example configuration of virtual devices with libvirt 27 27 and remember to add <literal>uinput-*</literal> devices to the qemu 28 28 <literal>cgroup_device_acl</literal> list (see <xref linkend="opt-virtualisation.libvirtd.qemu.verbatimConfig"/>). 29 29 '';
+5 -5
nixos/modules/services/misc/sourcehut/default.nix
··· 180 180 network-key = mkOption { 181 181 description = '' 182 182 An absolute file path (which should be outside the Nix-store) 183 - to a secret key to encrypt internal messages with. Use <code>srht-keygen network</code> to 183 + to a secret key to encrypt internal messages with. Use <literal>srht-keygen network</literal> to 184 184 generate this key. It must be consistent between all services and nodes. 185 185 ''; 186 186 type = types.path; ··· 209 209 service-key = mkOption { 210 210 description = '' 211 211 An absolute file path (which should be outside the Nix-store) 212 - to a key used for encrypting session cookies. Use <code>srht-keygen service</code> to 212 + to a key used for encrypting session cookies. Use <literal>srht-keygen service</literal> to 213 213 generate the service key. This must be shared between each node of the same 214 214 service (e.g. git1.sr.ht and git2.sr.ht), but different services may use 215 215 different keys. If you configure all of your services with the same ··· 252 252 253 253 Your PGP key information (DO NOT mix up pub and priv here) 254 254 You must remove the password from your secret key, if present. 255 - You can do this with <code>gpg --edit-key [key-id]</code>, 256 - then use the <code>passwd</code> command and do not enter a new password. 255 + You can do this with <literal>gpg --edit-key [key-id]</literal>, 256 + then use the <literal>passwd</literal> command and do not enter a new password. 257 257 ''; 258 258 }; 259 259 pgp-pubkey = mkOption { ··· 294 294 This should be consistent for all *.sr.ht sites, 295 295 as this key will be used to verify signatures 296 296 from other sites in your network. 297 - Use the <code>srht-keygen webhook</code> command to generate a key. 297 + Use the <literal>srht-keygen webhook</literal> command to generate a key. 298 298 ''; 299 299 type = types.path; 300 300 apply = s: "<" + toString s;
+1 -1
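--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -42,7 +42,7 @@
 kcm = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to use SSS as a Kerberos Cache Manager (KCM).
 Kerberos will be configured to cache credentials in SSS.
 '';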
+1 -3
nixos/modules/services/misc/zoneminder.nix
··· 68 68 services.zoneminder = with lib; { 69 69 enable = lib.mkEnableOption '' 70 70 ZoneMinder 71 - </para><para> 71 + 72 72 If you intend to run the database locally, you should set 73 73 `config.services.zoneminder.database.createLocally` to true. Otherwise, 74 74 when set to `false` (the default), you will have to create the database ··· 82 82 default = "nginx"; 83 83 description = '' 84 84 The webserver to configure for the PHP frontend. 85 - </para> 86 - <para> 87 85 88 86 Set it to `none` if you want to configure it yourself. PRs are welcome 89 87 for support for other web servers.
+7 -7
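--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -66,16 +66,16 @@
 
 storageDriverPasswordFile = mkOption {
 type = types.str;
-description = ''
+description = lib.mdDoc ''
 File that contains the cadvisor storage driver password.
 
-<option>storageDriverPasswordFile</option> takes precedence over <option>storageDriverPassword</option>
+{option}`storageDriverPasswordFile` takes precedence over {option}`storageDriverPassword`
 
-Warning: when <option>storageDriverPassword</option> is non-empty this defaults to a file in the
-world-readable Nix store that contains the value of <option>storageDriverPassword</option>.
+Warning: when {option}`storageDriverPassword` is non-empty this defaults to a file in the
+world-readable Nix store that contains the value of {option}`storageDriverPassword`.
 
 It's recommended to override this with a path not in the Nix store.
-Tip: use <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'>nixops key management</link>
+Tip: use [nixops key management](https://nixos.org/nixops/manual/#idm140737318306400)
 '';
 };
 
@@ -88,10 +88,10 @@
 extraOptions = mkOption {
 type = types.listOf types.str;
 default = [];
-description = ''
+description = lib.mdDoc ''
 Additional cadvisor options.
 
-See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options.
+See <https://github.com/google/cadvisor/blob/master/docs/runtime_options.md> for available options.
 '';
 };
 };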
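Review bot: The "Tip" link in `storageDriverPasswordFile` keeps the fragment `#idm140737318306400`, which looks like an auto-generated DocBook id and is unlikely to survive a rebuild of the nixops manual. That link is the only pointer this description gives for keeping the password out of the Nix store, so it would be safer to target the manual page itself or a named section. The "Warning:" paragraph about the world-readable store path is still plain text after conversion. Since mergeJSON.py in this change maps `.warning` to an admonition, it could become a `::: {.warning}` … `:::` block, assuming admonitions are accepted in option descriptions.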
+1 -1
nixos/modules/services/monitoring/grafana-image-renderer.nix
··· 92 92 description = '' 93 93 Configuration attributes for <package>grafana-image-renderer</package>. 94 94 95 - See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json" /> 95 + See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json"/> 96 96 for supported values. 97 97 ''; 98 98 };
+2 -2
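--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -251,9 +251,9 @@
 
 extraConfig = mkOption {
 default = {};
-description = ''
+description = lib.mdDoc ''
 Extra seyren configuration. See
-<link xlink:href='https://github.com/scobal/seyren#config' />
+<https://github.com/scobal/seyren#config>
 '';
 type = types.attrsOf types.str;
 example = literalExpression ''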
+5 -5
nixos/modules/services/monitoring/metricbeat.nix
··· 32 32 }; 33 33 34 34 modules = mkOption { 35 - description = '' 35 + description = lib.mdDoc '' 36 36 Metricbeat modules are responsible for reading metrics from the various sources. 37 37 38 - This is like <literal>services.metricbeat.settings.metricbeat.modules</literal>, 38 + This is like `services.metricbeat.settings.metricbeat.modules`, 39 39 but structured as an attribute set. This has the benefit that multiple 40 40 NixOS modules can contribute settings to a single metricbeat module. 41 41 42 - A module can be specified multiple times by choosing a different <literal>&lt;name></literal> 43 - for each, but setting <xref linkend="opt-services.metricbeat.modules._name_.module"/> to the same value. 42 + A module can be specified multiple times by choosing a different `<name>` 43 + for each, but setting [](#opt-services.metricbeat.modules._name_.module) to the same value. 44 44 45 - See <link xlink:href="https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html"/>. 45 + See <https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html>. 46 46 ''; 47 47 default = {}; 48 48 type = types.attrsOf (types.submodule ({ name, ... }: {
+14 -14
nixos/modules/services/monitoring/munin.nix
··· 138 138 enable = mkOption { 139 139 default = false; 140 140 type = types.bool; 141 - description = '' 141 + description = lib.mdDoc '' 142 142 Enable Munin Node agent. Munin node listens on 0.0.0.0 and 143 143 by default accepts connections only from 127.0.0.1 for security reasons. 144 144 145 - See <link xlink:href='http://guide.munin-monitoring.org/en/latest/architecture/index.html' />. 145 + See <http://guide.munin-monitoring.org/en/latest/architecture/index.html>. 146 146 ''; 147 147 }; 148 148 149 149 extraConfig = mkOption { 150 150 default = ""; 151 151 type = types.lines; 152 - description = '' 153 - <filename>munin-node.conf</filename> extra configuration. See 154 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html' /> 152 + description = lib.mdDoc '' 153 + {file}`munin-node.conf` extra configuration. See 154 + <http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html> 155 155 ''; 156 156 }; 157 157 158 158 extraPluginConfig = mkOption { 159 159 default = ""; 160 160 type = types.lines; 161 - description = '' 162 - <filename>plugin-conf.d</filename> extra plugin configuration. See 163 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/plugin/use.html' /> 161 + description = lib.mdDoc '' 162 + {file}`plugin-conf.d` extra plugin configuration. See 163 + <http://guide.munin-monitoring.org/en/latest/plugin/use.html> 164 164 ''; 165 165 example = '' 166 166 [fail2ban_*] ··· 266 266 extraGlobalConfig = mkOption { 267 267 default = ""; 268 268 type = types.lines; 269 - description = '' 270 - <filename>munin.conf</filename> extra global configuration. 271 - See <link xlink:href='http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html' />. 269 + description = lib.mdDoc '' 270 + {file}`munin.conf` extra global configuration. 271 + See <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>. 
272 272 Useful to setup notifications, see 273 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/tutorial/alert.html' /> 273 + <http://guide.munin-monitoring.org/en/latest/tutorial/alert.html> 274 274 ''; 275 275 example = '' 276 276 contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com ··· 280 280 hosts = mkOption { 281 281 default = ""; 282 282 type = types.lines; 283 - description = '' 283 + description = lib.mdDoc '' 284 284 Definitions of hosts of nodes to collect data from. Needs at least one 285 285 host for cron to succeed. See 286 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html' /> 286 + <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html> 287 287 ''; 288 288 example = literalExpression '' 289 289 '''
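Review bot: Every link in the converted munin descriptions still points at `http://guide.munin-monitoring.org/...`, so the configuration guidance a reader follows from the manual is fetched without transport integrity. The lines are already being rewritten here, so if the site serves HTTPS this is a cheap place to switch, e.g. `<https://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html>`. The same applies to `<http://bird.network.cz/>` in bird.nix.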
+1 -1
nixos/modules/services/monitoring/nagios.nix
··· 88 88 89 89 options = { 90 90 services.nagios = { 91 - enable = mkEnableOption "<link xlink:href='http://www.nagios.org/'>Nagios</link> to monitor your system or network."; 91 + enable = mkEnableOption ''<link xlink:href="http://www.nagios.org/">Nagios</link> to monitor your system or network.''; 92 92 93 93 objectDefs = mkOption { 94 94 description = "
+4 -4
nixos/modules/services/monitoring/netdata.nix
··· 114 114 example = literalExpression '' 115 115 [ "/path/to/plugins.d" ] 116 116 ''; 117 - description = '' 117 + description = lib.mdDoc '' 118 118 Extra paths to add to the netdata global "plugins directory" 119 119 option. Useful for when you want to include your own 120 120 collection scripts. 121 - </para><para> 121 + 122 122 Details about writing a custom netdata plugin are available at: 123 - <link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/> 124 - </para><para> 123 + <https://docs.netdata.cloud/collectors/plugins.d/> 124 + 125 125 Cannot be combined with configText. 126 126 ''; 127 127 };
+17 -22
nixos/modules/services/monitoring/parsedmarc.nix
··· 29 29 enable = lib.mkOption { 30 30 type = lib.types.bool; 31 31 default = false; 32 - description = '' 32 + description = lib.mdDoc '' 33 33 Whether Postfix and Dovecot should be set up to receive 34 34 mail locally. parsedmarc will be configured to watch the 35 35 local inbox as the automatically created user specified in 36 - <xref linkend="opt-services.parsedmarc.provision.localMail.recipientName" /> 36 + [](#opt-services.parsedmarc.provision.localMail.recipientName) 37 37 ''; 38 38 }; 39 39 ··· 68 68 geoIp = lib.mkOption { 69 69 type = lib.types.bool; 70 70 default = true; 71 - description = '' 72 - Whether to enable and configure the <link 73 - linkend="opt-services.geoipupdate.enable">geoipupdate</link> 71 + description = lib.mdDoc '' 72 + Whether to enable and configure the [geoipupdate](#opt-services.geoipupdate.enable) 74 73 service to automatically fetch GeoIP databases. Not crucial, 75 74 but recommended for full functionality. 76 75 77 - To finish the setup, you need to manually set the <xref 78 - linkend="opt-services.geoipupdate.settings.AccountID" /> and 79 - <xref linkend="opt-services.geoipupdate.settings.LicenseKey" /> 76 + To finish the setup, you need to manually set the [](#opt-services.geoipupdate.settings.AccountID) and 77 + [](#opt-services.geoipupdate.settings.LicenseKey) 80 78 options. 81 79 ''; 82 80 }; ··· 97 95 config.${opt.provision.elasticsearch} && config.${options.services.grafana.enable} 98 96 ''; 99 97 apply = x: x && cfg.provision.elasticsearch; 100 - description = '' 98 + description = lib.mdDoc '' 101 99 Whether the automatically provisioned Elasticsearch 102 100 instance should be added as a grafana datasource. Has no 103 101 effect unless 104 - <xref linkend="opt-services.parsedmarc.provision.elasticsearch" /> 102 + [](#opt-services.parsedmarc.provision.elasticsearch) 105 103 is also enabled. 
106 104 ''; 107 105 }; ··· 208 206 password = lib.mkOption { 209 207 type = with lib.types; nullOr (either path (attrsOf path)); 210 208 default = null; 211 - description = '' 209 + description = lib.mdDoc '' 212 210 The IMAP server password. 213 211 214 212 Always handled as a secret whether the value is 215 - wrapped in a <literal>{ _secret = ...; }</literal> 216 - attrset or not (refer to <xref 217 - linkend="opt-services.parsedmarc.settings" /> for 213 + wrapped in a `{ _secret = ...; }` 214 + attrset or not (refer to [](#opt-services.parsedmarc.settings) for 218 215 details). 219 216 ''; 220 217 apply = x: if isAttrs x || x == null then x else { _secret = x; }; ··· 273 270 password = lib.mkOption { 274 271 type = with lib.types; nullOr (either path (attrsOf path)); 275 272 default = null; 276 - description = '' 273 + description = lib.mdDoc '' 277 274 The SMTP server password. 278 275 279 276 Always handled as a secret whether the value is 280 - wrapped in a <literal>{ _secret = ...; }</literal> 281 - attrset or not (refer to <xref 282 - linkend="opt-services.parsedmarc.settings" /> for 277 + wrapped in a `{ _secret = ...; }` 278 + attrset or not (refer to [](#opt-services.parsedmarc.settings) for 283 279 details). 284 280 ''; 285 281 apply = x: if isAttrs x || x == null then x else { _secret = x; }; ··· 326 322 password = lib.mkOption { 327 323 type = with lib.types; nullOr (either path (attrsOf path)); 328 324 default = null; 329 - description = '' 325 + description = lib.mdDoc '' 330 326 The password to use when connecting to Elasticsearch, 331 327 if required. 332 328 333 329 Always handled as a secret whether the value is 334 - wrapped in a <literal>{ _secret = ...; }</literal> 335 - attrset or not (refer to <xref 336 - linkend="opt-services.parsedmarc.settings" /> for 330 + wrapped in a `{ _secret = ...; }` 331 + attrset or not (refer to [](#opt-services.parsedmarc.settings) for 337 332 details). 
338 333 ''; 339 334 apply = x: if isAttrs x || x == null then x else { _secret = x; };
+6 -9
nixos/modules/services/monitoring/prometheus/default.nix
··· 379 379 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 380 380 List of Google Compute Engine service discovery configurations. 381 381 382 - See <link 383 - xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the 384 - relevant Prometheus configuration docs</link> for more detail. 382 + See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the relevant Prometheus configuration docs</link> 383 + for more detail. 385 384 ''; 386 385 387 386 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' ··· 807 806 filter = mkOpt types.str '' 808 807 Filter can be used optionally to filter the instance list by other 809 808 criteria Syntax of this filter string is described here in the filter 810 - query parameter section: <link 811 - xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list" 812 - />. 809 + query parameter section: <link xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list"/>. 813 810 ''; 814 811 815 812 refresh_interval = mkDefOpt types.str "60s" '' ··· 825 822 The tag separator used to separate concatenated GCE instance network tags. 
826 823 827 824 See the GCP documentation on network tags for more information: 828 - <link xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags" /> 825 + <link xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags"/> 829 826 ''; 830 827 }; 831 828 }; ··· 1033 1030 1034 1031 auth_token = mkOpt types.str '' 1035 1032 Optional authentication information for token-based authentication: 1036 - <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token" /> 1033 + <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token"/> 1037 1034 It is mutually exclusive with <literal>auth_token_file</literal> and other authentication mechanisms. 1038 1035 ''; 1039 1036 1040 1037 auth_token_file = mkOpt types.str '' 1041 1038 Optional authentication information for token-based authentication: 1042 - <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token" /> 1039 + <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token"/> 1043 1040 It is mutually exclusive with <literal>auth_token</literal> and other authentication mechanisms. 1044 1041 ''; 1045 1042 };
+4 -4
nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
··· 33 33 work with this exporter: 34 34 <programlisting> 35 35 { 36 - <xref linkend="opt-services.prometheus.exporters.dovecot.enable" /> = true; 37 - <xref linkend="opt-services.prometheus.exporters.dovecot.socketPath" /> = "/var/run/dovecot2/old-stats"; 38 - <xref linkend="opt-services.dovecot2.mailPlugins.globally.enable" /> = [ "old_stats" ]; 39 - <xref linkend="opt-services.dovecot2.extraConfig" /> = ''' 36 + <xref linkend="opt-services.prometheus.exporters.dovecot.enable"/> = true; 37 + <xref linkend="opt-services.prometheus.exporters.dovecot.socketPath"/> = "/var/run/dovecot2/old-stats"; 38 + <xref linkend="opt-services.dovecot2.mailPlugins.globally.enable"/> = [ "old_stats" ]; 39 + <xref linkend="opt-services.dovecot2.extraConfig"/> = ''' 40 40 service old-stats { 41 41 unix_listener old-stats { 42 42 user = dovecot-exporter
+1 -1
nixos/modules/services/monitoring/prometheus/exporters/process.nix
··· 22 22 All settings expressed as an Nix attrset. 23 23 24 24 Check the official documentation for the corresponding YAML 25 - settings that can all be used here: <link xlink:href="https://github.com/ncabatoff/process-exporter" /> 25 + settings that can all be used here: <link xlink:href="https://github.com/ncabatoff/process-exporter"/> 26 26 ''; 27 27 }; 28 28 };
+1 -1
nixos/modules/services/monitoring/prometheus/exporters/script.nix
··· 41 41 All settings expressed as an Nix attrset. 42 42 43 43 Check the official documentation for the corresponding YAML 44 - settings that can all be used here: <link xlink:href="https://github.com/adhocteam/script_exporter#sample-configuration" /> 44 + settings that can all be used here: <link xlink:href="https://github.com/adhocteam/script_exporter#sample-configuration"/> 45 45 ''; 46 46 }; 47 47 };
+5 -5
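--- a/nixos/modules/services/networking/biboumi.nix
+++ b/nixos/modules/services/networking/biboumi.nix
@@ -83,13 +83,13 @@
 };
 options.password = mkOption {
 type = with types; nullOr str;
-description = ''
+description = lib.mdDoc ''
 The password used to authenticate the XMPP component to your XMPP server.
 This password must be configured in the XMPP server,
 associated with the external component on
-<link linkend="opt-services.biboumi.settings.hostname">hostname</link>.
+[hostname](#opt-services.biboumi.settings.hostname).
 
-Set it to null and use <link linkend="opt-services.biboumi.credentialsFile">credentialsFile</link>
+Set it to null and use [credentialsFile](#opt-services.biboumi.credentialsFile)
 if you do not want this password to go into the Nix store.
 '';
 };
@@ -155,12 +155,12 @@
 
 credentialsFile = mkOption {
 type = types.path;
-description = ''
+description = lib.mdDoc ''
 Path to a configuration file to be merged with the settings.
 Beware not to surround "=" with spaces when setting biboumi's options in this file.
 Useful to merge a file which is better kept out of the Nix store
 because it contains sensible data like
-<link linkend="opt-services.biboumi.settings.password">password</link>.
+[password](#opt-services.biboumi.settings.password).
 '';
 default = "/dev/null";
 example = "/run/keys/biboumi.cfg";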
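Review bot: The `credentialsFile` description still reads "because it contains sensible data like", where "sensitive" is meant. The typo sits on a context line directly above the converted link, and it blurs the one sentence that explains why the file should stay out of the Nix store. Suggested wording: `because it contains sensitive data like`. The `password` description in the first hunk carries the matching advice and reads fine.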
+6 -6
nixos/modules/services/networking/bird-lg.nix
··· 136 136 extraArgs = mkOption { 137 137 type = types.lines; 138 138 default = ""; 139 - description = " 140 - Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#frontend\">here</link>. 141 - "; 139 + description = lib.mdDoc '' 140 + Extra parameters documented [here](https://github.com/xddxdd/bird-lg-go#frontend). 141 + ''; 142 142 }; 143 143 }; 144 144 ··· 183 183 extraArgs = mkOption { 184 184 type = types.lines; 185 185 default = ""; 186 - description = " 187 - Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#proxy\">here</link>. 188 - "; 186 + description = lib.mdDoc '' 187 + Extra parameters documented [here](https://github.com/xddxdd/bird-lg-go#proxy). 188 + ''; 189 189 }; 190 190 }; 191 191 };
+6 -6
nixos/modules/services/networking/bird.nix
··· 13 13 enable = mkEnableOption "BIRD Internet Routing Daemon"; 14 14 config = mkOption { 15 15 type = types.lines; 16 - description = '' 16 + description = lib.mdDoc '' 17 17 BIRD Internet Routing Daemon configuration file. 18 - <link xlink:href='http://bird.network.cz/'/> 18 + <http://bird.network.cz/> 19 19 ''; 20 20 }; 21 21 checkConfig = mkOption { 22 22 type = types.bool; 23 23 default = true; 24 - description = '' 24 + description = lib.mdDoc '' 25 25 Whether the config should be checked at build time. 26 26 When the config can't be checked during build time, for example when it includes 27 - other files, either disable this option or use <code>preCheckConfig</code> to create 27 + other files, either disable this option or use `preCheckConfig` to create 28 28 the included files before checking. 29 29 ''; 30 30 }; ··· 34 34 example = '' 35 35 echo "cost 100;" > include.conf 36 36 ''; 37 - description = '' 37 + description = lib.mdDoc '' 38 38 Commands to execute before the config file check. The file to be checked will be 39 - available as <code>bird2.conf</code> in the current directory. 39 + available as `bird2.conf` in the current directory. 40 40 41 41 Files created with this option will not be available at service runtime, only during 42 42 build time checking.
+4 -1
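--- a/nixos/modules/services/networking/coredns.nix
+++ b/nixos/modules/services/networking/coredns.nix
@@ -17,7 +17,10 @@
 }
 '';
 type = types.lines;
-description = "Verbatim Corefile to use. See <link xlink:href=\"https://coredns.io/manual/toc/#configuration\"/> for details.";
+description = lib.mdDoc ''
+Verbatim Corefile to use.
+See <https://coredns.io/manual/toc/#configuration> for details.
+'';
 };
 
 package = mkOption {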
+9 -9
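--- a/nixos/modules/services/networking/ghostunnel.nix
+++ b/nixos/modules/services/networking/ghostunnel.nix
@@ -40,37 +40,37 @@
  description = ''
  Path to keystore (combined PEM with cert/key, or PKCS12 keystore).
 
- NB: storepass is not supported because it would expose credentials via <code>/proc/*/cmdline</code>.
+ NB: storepass is not supported because it would expose credentials via <literal>/proc/*/cmdline</literal>.
 
- Specify this or <code>cert</code> and <code>key</code>.
+ Specify this or <literal>cert</literal> and <literal>key</literal>.
  '';
  type = types.nullOr types.str;
  default = null;
  };
 
  cert = mkOption {
- description = ''
+ description = lib.mdDoc ''
  Path to certificate (PEM with certificate chain).
 
- Not required if <code>keystore</code> is set.
+ Not required if `keystore` is set.
  '';
  type = types.nullOr types.str;
  default = null;
  };
 
  key = mkOption {
- description = ''
+ description = lib.mdDoc ''
  Path to certificate private key (PEM with private key).
 
- Not required if <code>keystore</code> is set.
+ Not required if `keystore` is set.
  '';
  type = types.nullOr types.str;
  default = null;
  };
 
  cacert = mkOption {
- description = ''
- Path to CA bundle file (PEM/X509). Uses system trust store if <code>null</code>.
+ description = lib.mdDoc ''
+ Path to CA bundle file (PEM/X509). Uses system trust store if `null`.
  '';
  type = types.nullOr types.str;
  };
@@ -124,7 +124,7 @@
  };
 
  extraArguments = mkOption {
- description = "Extra arguments to pass to <code>ghostunnel server</code>";
+ description = lib.mdDoc "Extra arguments to pass to `ghostunnel server`";
  type = types.separatedString " ";
  default = "";
  };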
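Review bot: The `extraArguments` description in the last hunk should repeat the caution that the `keystore` text already gives for storepass: everything placed there becomes part of the `ghostunnel server` command line and is readable through `/proc/*/cmdline`. I would add a second sentence to it, `Do not pass secrets here: arguments are visible in /proc/*/cmdline.`, with the path in inline-code markup. Separately, `keystore` is the only description in this section that moves from `<code>` to `<literal>` without gaining `lib.mdDoc`; if that is deliberate, a short comment saying why would keep a later conversion pass from changing it blindly. The option set these definitions belong to starts outside the hunks.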
+3 -3
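--- a/nixos/modules/services/networking/hans.nix
+++ b/nixos/modules/services/networking/hans.nix
@@ -19,12 +19,12 @@
  services.hans = {
  clients = mkOption {
  default = {};
- description = ''
+ description = lib.mdDoc ''
  Each attribute of this option defines a systemd service that
  runs hans. Many or none may be defined.
  The name of each service is
- <literal>hans-<replaceable>name</replaceable></literal>
- where <replaceable>name</replaceable> is the name of the
+ `hans-«name»`
+ where «name» is the name of the
  corresponding attribute name.
  '';
  example = literalExpression ''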
+3 -3
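--- a/nixos/modules/services/networking/iodine.nix
+++ b/nixos/modules/services/networking/iodine.nix
@@ -28,12 +28,12 @@
  services.iodine = {
  clients = mkOption {
  default = {};
- description = ''
+ description = lib.mdDoc ''
  Each attribute of this option defines a systemd service that
  runs iodine. Many or none may be defined.
  The name of each service is
- <literal>iodine-<replaceable>name</replaceable></literal>
- where <replaceable>name</replaceable> is the name of the
+ `iodine-«name»`
+ where «name» is the name of the
  corresponding attribute name.
  '';
  example = literalExpression ''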
+16 -16
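--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -54,11 +54,11 @@
  configFile = mkOption {
  type = nullOr path;
  default = null;
- description = ''
- Kea Control Agent configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>.
+ description = lib.mdDoc ''
+ Kea Control Agent configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html>.
 
- Takes preference over <link linkend="opt-services.kea.ctrl-agent.settings">settings</link>.
- Most users should prefer using <link linkend="opt-services.kea.ctrl-agent.settings">settings</link> instead.
+ Takes preference over [settings](#opt-services.kea.ctrl-agent.settings).
+ Most users should prefer using [settings](#opt-services.kea.ctrl-agent.settings) instead.
  '';
  };
 
@@ -93,11 +93,11 @@
  configFile = mkOption {
  type = nullOr path;
  default = null;
- description = ''
- Kea DHCP4 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>.
+ description = lib.mdDoc ''
+ Kea DHCP4 configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html>.
 
- Takes preference over <link linkend="opt-services.kea.dhcp4.settings">settings</link>.
- Most users should prefer using <link linkend="opt-services.kea.dhcp4.settings">settings</link> instead.
+ Takes preference over [settings](#opt-services.kea.dhcp4.settings).
+ Most users should prefer using [settings](#opt-services.kea.dhcp4.settings) instead.
  '';
  };
 
@@ -153,11 +153,11 @@
  configFile = mkOption {
  type = nullOr path;
  default = null;
- description = ''
- Kea DHCP6 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>.
+ description = lib.mdDoc ''
+ Kea DHCP6 configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html>.
 
- Takes preference over <link linkend="opt-services.kea.dhcp6.settings">settings</link>.
- Most users should prefer using <link linkend="opt-services.kea.dhcp6.settings">settings</link> instead.
+ Takes preference over [settings](#opt-services.kea.dhcp6.settings).
+ Most users should prefer using [settings](#opt-services.kea.dhcp6.settings) instead.
  '';
  };
 
@@ -214,11 +214,11 @@
  configFile = mkOption {
  type = nullOr path;
  default = null;
- description = ''
- Kea DHCP-DDNS configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>.
+ description = lib.mdDoc ''
+ Kea DHCP-DDNS configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html>.
 
- Takes preference over <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link>.
- Most users should prefer using <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link> instead.
+ Takes preference over [settings](#opt-services.kea.dhcp-ddns.settings).
+ Most users should prefer using [settings](#opt-services.kea.dhcp-ddns.settings) instead.
  '';
  };
 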
+2 -2
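--- a/nixos/modules/services/networking/ncdns.nix
+++ b/nixos/modules/services/networking/ncdns.nix
@@ -176,10 +176,10 @@
  certstore.nssdbdir = "../../home/alice/.pki/nssdb";
  }
  '';
- description = ''
+ description = lib.mdDoc ''
  ncdns settings. Use this option to configure ncds
  settings not exposed in a NixOS option or to bypass one.
- See the example ncdns.conf file at <link xlink:href="https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example"/>
+ See the example ncdns.conf file at <https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example>
  for the available options.
  '';
  };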
+5 -6
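--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -329,8 +329,7 @@
  default = "default";
  description = ''
  Set the DNS (<literal>resolv.conf</literal>) processing mode.
- </para>
- <para>
+
  A description of these modes can be found in the main section of
  <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html">
  https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
@@ -388,12 +387,12 @@
  enableStrongSwan = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Enable the StrongSwan plugin.
- </para><para>
+
  If you enable this option the
- <literal>networkmanager_strongswan</literal> plugin will be added to
- the <option>networking.networkmanager.plugins</option> option
+ `networkmanager_strongswan` plugin will be added to
+ the {option}`networking.networkmanager.plugins` option
  so you don't need to to that yourself.
  '';
  };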
+2 -2
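--- a/nixos/modules/services/networking/nntp-proxy.nix
+++ b/nixos/modules/services/networking/nntp-proxy.nix
@@ -167,9 +167,9 @@
  passwordHash = mkOption {
  type = types.str;
  example = "$6$GtzE7FrpE$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0";
- description = ''
+ description = lib.mdDoc ''
  SHA-512 password hash (can be generated by
- <code>mkpasswd -m sha-512 &lt;password&gt;</code>)
+ `mkpasswd -m sha-512 <password>`)
  '';
  };
 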
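Review bot: The command documented for `passwordHash`, `mkpasswd -m sha-512 <password>`, puts the clear-text password on the command line, where it is saved in shell history and visible in the process list while the command runs. `mkpasswd` prompts for the password when none is given, so the description should recommend `mkpasswd -m sha-512` on its own. The option is a plain `types.str`, so the hash presumably ends up in the world-readable Nix store; if that is the case, one sentence saying so belongs in the same description. The option set that `passwordHash` sits in starts outside the hunk.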
+2 -2
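--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -392,8 +392,8 @@
  requestXFR = mkOption {
  type = types.listOf types.str;
  default = [];
- description = ''
- Format: <code>[AXFR|UDP] &lt;ip-address&gt; &lt;key-name | NOKEY&gt;</code>
+ description = lib.mdDoc ''
+ Format: `[AXFR|UDP] <ip-address> <key-name | NOKEY>`
  '';
  };
 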
+7 -10
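--- a/nixos/modules/services/networking/ntp/ntpd.nix
+++ b/nixos/modules/services/networking/ntp/ntpd.nix
@@ -40,21 +40,19 @@
  enable = mkOption {
  type = types.bool;
  default = false;
- description = ''
+ description = lib.mdDoc ''
  Whether to synchronise your machine's time using ntpd, as a peer in
  the NTP network.
- </para>
- <para>
- Disables <literal>systemd.timesyncd</literal> if enabled.
+
+ Disables `systemd.timesyncd` if enabled.
  '';
  };
 
  restrictDefault = mkOption {
  type = types.listOf types.str;
- description = ''
+ description = lib.mdDoc ''
  The restriction flags to be set by default.
- </para>
- <para>
+
  The default flags prevent external hosts from using ntpd as a DDoS
  reflector, setting system time, and querying OS/ntpd version. As
  recommended in section 6.5.1.1.3, answer "No" of
@@ -65,10 +63,9 @@
 
  restrictSource = mkOption {
  type = types.listOf types.str;
- description = ''
+ description = lib.mdDoc ''
  The restriction flags to be set on source.
- </para>
- <para>
+
  The default flags allow peers to be added by ntpd from configured
  pool(s), but not by other means.
  '';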
+7 -7
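--- a/nixos/modules/services/networking/openconnect.nix
+++ b/nixos/modules/services/networking/openconnect.nix
@@ -38,10 +38,10 @@
  # set an authentication cookie, because they have to be requested
  # for every new connection and would only work once.
  passwordFile = mkOption {
- description = ''
+ description = lib.mdDoc ''
  File containing the password to authenticate with. This
- is passed to <code>openconnect</code> via the
- <code>--passwd-on-stdin</code> option.
+ is passed to `openconnect` via the
+ `--passwd-on-stdin` option.
  '';
  default = null;
  example = "/var/lib/secrets/openconnect-passwd";
@@ -63,13 +63,13 @@
  };
 
  extraOptions = mkOption {
- description = ''
+ description = lib.mdDoc ''
  Extra config to be appended to the interface config. It should
  contain long-format options as would be accepted on the command
- line by <code>openconnect</code>
+ line by `openconnect`
  (see https://www.infradead.org/openconnect/manual.html).
- Non-key-value options like <code>deflate</code> can be used by
- declaring them as booleans, i. e. <code>deflate = true;</code>.
+ Non-key-value options like `deflate` can be used by
+ declaring them as booleans, i. e. `deflate = true;`.
  '';
  default = { };
  example = {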
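Review bot: In the second hunk the manual URL in the `extraOptions` description is left as bare text, while the rest of this change uses autolinks. Unless the markdown parser is set up to autolink bare URLs, which is not visible here, it will render as plain text; I would write `(see <https://www.infradead.org/openconnect/manual.html>).`. The same description would also benefit from a sentence telling users to keep credentials out of `extraOptions` and use `passwordFile`, since these values are appended to the interface config, which is presumably generated into the Nix store. Both option definitions continue outside the hunks.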
+3 -3
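--- a/nixos/modules/services/networking/openvpn.nix
+++ b/nixos/modules/services/networking/openvpn.nix
@@ -115,12 +115,12 @@
  }
  '';
 
- description = ''
+ description = lib.mdDoc ''
  Each attribute of this option defines a systemd service that
  runs an OpenVPN instance. These can be OpenVPN servers or
  clients. The name of each systemd service is
- <literal>openvpn-<replaceable>name</replaceable>.service</literal>,
- where <replaceable>name</replaceable> is the corresponding
+ `openvpn-«name».service`,
+ where «name» is the corresponding
  attribute name.
  '';
 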
+4 -4
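--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -34,7 +34,7 @@
 
  configs = mkOption {
  type = with types; listOf str;
- description = ''
+ description = lib.mdDoc ''
  Pleroma public configuration.
 
  This list gets appended from left to
@@ -42,9 +42,9 @@
  configuration imperatively, meaning you can override a
  setting by appending a new str to this NixOS option list.
 
- <emphasis>DO NOT STORE ANY PLEROMA SECRET
- HERE</emphasis>, use
- <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
+ *DO NOT STORE ANY PLEROMA SECRET
+ HERE*, use
+ [services.pleroma.secretConfigFile](#opt-services.pleroma.secretConfigFile)
  instead.
 
  This setting is going to be stored in a file part of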
+1 -1
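--- a/nixos/modules/services/networking/seafile.nix
+++ b/nixos/modules/services/networking/seafile.nix
@@ -133,7 +133,7 @@
  type = types.lines;
  description = ''
  Extra config to append to `seahub_settings.py` file.
- Refer to <link xlink:href="https://manual.seafile.com/config/seahub_settings_py/" />
+ Refer to <link xlink:href="https://manual.seafile.com/config/seahub_settings_py/"/>
  for all available options.
  '';
  };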
+15 -18
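--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -257,12 +257,12 @@
  authorizedKeysFiles = mkOption {
  type = types.listOf types.str;
  default = [];
- description = ''
+ description = lib.mdDoc ''
  Specify the rules for which files to read on the host.
 
  This is an advanced option. If you're looking to configure user
- keys, you can generally use <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keys"/>
- or <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keyFiles"/>.
+ keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys)
+ or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles).
 
  These are paths relative to the host root file system or home
  directories and they are subject to certain token expansion rules.
@@ -298,14 +298,13 @@
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
  ];
- description = ''
+ description = lib.mdDoc ''
  Allowed key exchange algorithms
- </para>
- <para>
+
  Uses the lower bound recommended in both
- <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
+ <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
  and
- <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
+ <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
  '';
  };
 
@@ -319,14 +318,13 @@
  "aes192-ctr"
  "aes128-ctr"
  ];
- description = ''
+ description = lib.mdDoc ''
  Allowed ciphers
- </para>
- <para>
+
  Defaults to recommended settings from both
- <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
+ <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
  and
- <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
+ <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
  '';
  };
 
@@ -340,14 +338,13 @@
  "hmac-sha2-256"
  "umac-128@openssh.com"
  ];
- description = ''
+ description = lib.mdDoc ''
  Allowed MACs
- </para>
- <para>
+
  Defaults to recommended settings from both
- <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
+ <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
  and
- <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
+ <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
  '';
  };
 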
+2 -1
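--- a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
@@ -59,7 +59,8 @@
  if strongswanDefault == null
  then description
  else description + ''
- </para><para>
+
+
  StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal>
  '';
 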
+45 -45
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
··· 15 15 file = mkOptionalStrParam '' 16 16 Absolute path to the certificate to load. Passed as-is to the daemon, so 17 17 it must be readable by it. 18 - </para><para> 18 + 19 19 Configure either this or <option>handle</option>, but not both, in one section. 20 20 ''; 21 21 22 22 handle = mkOptionalHexParam '' 23 23 Hex-encoded CKA_ID or handle of the certificate on a token or TPM, 24 24 respectively. 25 - </para><para> 25 + 26 26 Configure either this or <option>file</option>, but not both, in one section. 27 27 ''; 28 28 ··· 40 40 cacert = mkOptionalStrParam '' 41 41 The certificates may use a relative path from the swanctl 42 42 <literal>x509ca</literal> directory or an absolute path. 43 - </para><para> 43 + 44 44 Configure one of <option>cacert</option>, 45 45 <option>file</option>, or 46 46 <option>handle</option> per section. ··· 82 82 local_addrs = mkCommaSepListParam [] '' 83 83 Local address(es) to use for IKE communication. Takes 84 84 single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. 85 - </para><para> 85 + 86 86 As initiator, the first non-range/non-subnet is used to initiate the 87 87 connection from. As responder, the local destination address must match at 88 88 least to one of the specified addresses, subnets or ranges. 89 - </para><para> 89 + 90 90 If FQDNs are assigned they are resolved every time a configuration lookup 91 91 is done. If DNS resolution times out, the lookup is delayed for that time. 92 92 ''; ··· 94 94 remote_addrs = mkCommaSepListParam [] '' 95 95 Remote address(es) to use for IKE communication. Takes 96 96 single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. 97 - </para><para> 97 + 98 98 As initiator, the first non-range/non-subnet is used to initiate the 99 99 connection to. As responder, the initiator source address must match at 100 100 least to one of the specified addresses, subnets or ranges. 
101 - </para><para> 101 + 102 102 If FQDNs are assigned they are resolved every time a configuration lookup 103 103 is done. If DNS resolution times out, the lookup is delayed for that time. 104 104 To initiate a connection, at least one specific address or DNS name must ··· 110 110 backend is used, which is usually <literal>500</literal>. If port 111 111 <literal>500</literal> is used, automatic IKE port floating to port 112 112 <literal>4500</literal> is used to work around NAT issues. 113 - </para><para> 113 + 114 114 Using a non-default local IKE port requires support from the socket 115 115 backend in use (socket-dynamic). 116 116 ''; ··· 126 126 for IKE an encryption algorithm, an integrity algorithm, a pseudo random 127 127 function and a Diffie-Hellman group. For AEAD algorithms, instead of 128 128 encryption and integrity algorithms, a combined algorithm is used. 129 - </para><para> 129 + 130 130 In IKEv2, multiple algorithms of the same kind can be specified in a 131 131 single proposal, from which one gets selected. In IKEv1, only one 132 132 algorithm per kind is allowed per proposal, more algorithms get implicitly 133 133 stripped. Use multiple proposals to offer different algorithms 134 134 combinations in IKEv1. 135 - </para><para> 135 + 136 136 Algorithm keywords get separated using dashes. Multiple proposals may be 137 137 specified in a list. The special value <literal>default</literal> forms a 138 138 default proposal of supported algorithms considered safe, and is usually a ··· 159 159 If the default of yes is used, Mode Config works in pull mode, where the 160 160 initiator actively requests a virtual IP. With no, push mode is used, 161 161 where the responder pushes down a virtual IP to the initiating peer. 162 - </para><para> 162 + 163 163 Push mode is currently supported for IKEv1, but not in IKEv2. It is used 164 164 by a few implementations only, pull mode is recommended. 
165 165 ''; ··· 174 174 To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the 175 175 NAT detection payloads. This makes the peer believe that NAT takes place 176 176 on the path, forcing it to encapsulate ESP packets in UDP. 177 - </para><para> 177 + 178 178 Usually this is not required, but it can help to work around connectivity 179 179 issues with too restrictive intermediary firewalls. 180 180 ''; ··· 183 183 Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 184 184 connections, and allows mobility of clients and multi-homing on servers by 185 185 migrating active IPsec tunnels. 186 - </para><para> 186 + 187 187 Usually keeping MOBIKE enabled is unproblematic, as it is not used if the 188 188 peer does not indicate support for it. However, due to the design of 189 189 MOBIKE, IKEv2 always floats to port 4500 starting from the second ··· 222 222 <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing 223 223 support for this feature.</para></listitem> 224 224 </itemizedlist> 225 - </para><para> 225 + 226 226 Note that fragmented IKE messages sent by a peer are always processed 227 227 irrespective of the value of this option (even when set to no). 228 228 ''; ··· 284 284 unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' 285 285 Connection uniqueness policy to enforce. To avoid multiple connections 286 286 from the same user, a uniqueness policy can be enforced. 287 - </para><para> 287 + 288 288 <itemizedlist> 289 289 <listitem><para> 290 290 The value <literal>never</literal> does never enforce such a policy, even ··· 306 306 To compare connections for uniqueness, the remote IKE identity is used. If 307 307 EAP or XAuth authentication is involved, the EAP-Identity or XAuth 308 308 username is used to enforce the uniqueness policy instead. 
309 - </para><para> 309 + 310 310 On initiators this setting specifies whether an INITIAL_CONTACT notify is 311 311 sent during IKE_AUTH if no existing connection is found with the remote 312 312 peer (determined by the identities of the first authentication ··· 320 320 possible to actively reauthenticate as responder. The IKEv2 321 321 reauthentication lifetime negotiation can instruct the client to perform 322 322 reauthentication. 323 - </para><para> 323 + 324 324 Reauthentication is disabled by default. Enabling it usually may lead to 325 325 small connection interruptions, as strongSwan uses a break-before-make 326 326 policy with IKEv2 to avoid any conflicts with associated tunnel resources. ··· 330 330 IKE rekeying refreshes key material using a Diffie-Hellman exchange, but 331 331 does not re-check associated credentials. It is supported in IKEv2 only, 332 332 IKEv1 performs a reauthentication procedure instead. 333 - </para><para> 333 + 334 334 With the default value IKE rekeying is scheduled every 4 hours, minus the 335 335 configured rand_time. If a reauth_time is configured, rekey_time defaults 336 336 to zero, disabling rekeying; explicitly set both to enforce rekeying and ··· 343 343 perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails 344 344 to rekey or reauthenticate within the specified time, the IKE_SA gets 345 345 closed. 346 - </para><para> 346 + 347 347 In contrast to CHILD_SA rekeying, over_time is relative in time to the 348 348 rekey_time and reauth_time values, as it applies to both. 349 - </para><para> 349 + 350 350 The default is 10% of the longer of <option>rekey_time</option> and 351 351 <option>reauth_time</option>. 352 352 ''; ··· 356 356 rekey/reauth times. To avoid having both peers initiating the rekey/reauth 357 357 procedure simultaneously, a random time gets subtracted from the 358 358 rekey/reauth times. 359 - </para><para> 359 + 360 360 The default is equal to the configured <option>over_time</option>. 
361 361 ''; 362 362 ··· 410 410 List of certificate candidates to use for 411 411 authentication. The certificates may use a relative path from the 412 412 swanctl <literal>x509</literal> directory or an absolute path. 413 - </para><para> 413 + 414 414 The certificate used for authentication is selected based on the 415 415 received certificate request payloads. If no appropriate CA can be 416 416 located, the first certificate is used. ··· 426 426 List of raw public key candidates to use for 427 427 authentication. The public keys may use a relative path from the swanctl 428 428 <literal>pubkey</literal> directory or an absolute path. 429 - </para><para> 429 + 430 430 Even though multiple local public keys could be defined in principle, 431 431 only the first public key in the list is used for authentication. 432 432 ''; ··· 504 504 authentication. This identity may differ from the IKE identity, 505 505 especially when EAP authentication is delegated from the IKE responder 506 506 to an AAA backend. 507 - </para><para> 507 + 508 508 For EAP-(T)TLS, this defines the identity for which the server must 509 509 provide a certificate in the TLS exchange. 510 510 ''; ··· 518 518 defines the rules how authentication is performed for the local 519 519 peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 520 520 Authentication or IKEv1 XAuth. 521 - </para><para> 521 + 522 522 Each round is defined in a section having <literal>local</literal> as 523 523 prefix, and an optional unique suffix. To define a single authentication 524 524 round, the suffix may be omitted. ··· 620 620 Authentication to expect from remote. See the <option>local</option> 621 621 section's <option>auth</option> keyword description about the details of 622 622 supported mechanisms. 
623 - </para><para> 623 + 624 624 Since 5.4.0, to require a trustchain public key strength for the remote 625 625 side, specify the key type followed by the minimum strength in bits (for 626 626 example <literal>ecdsa-384</literal> or ··· 641 641 <literal>pubkey</literal> or <literal>rsa</literal> constraints are 642 642 configured RSASSA-PSS signatures will only be accepted if enabled in 643 643 <literal>strongswan.conf</literal>(5). 644 - </para><para> 644 + 645 645 To specify trust chain constraints for EAP-(T)TLS, append a colon to the 646 646 EAP method, followed by the key type/size and hash algorithm as 647 647 discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). ··· 652 652 defines the constraints how the peers must authenticate to use this 653 653 connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 654 654 Authentication or IKEv1 XAuth. 655 - </para><para> 655 + 656 656 Each round is defined in a section having <literal>remote</literal> as 657 657 prefix, and an optional unique suffix. To define a single authentication 658 658 round, the suffix may be omitted. ··· 665 665 Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode 666 666 rekeying and initial negotiation uses a separate Diffie-Hellman exchange 667 667 using the specified group (refer to esp_proposals for details). 668 - </para><para> 668 + 669 669 In IKEv2, multiple algorithms of the same kind can be specified in a 670 670 single proposal, from which one gets selected. In IKEv1, only one 671 671 algorithm per kind is allowed per proposal, more algorithms get 672 672 implicitly stripped. Use multiple proposals to offer different algorithms 673 673 combinations in IKEv1. 674 - </para><para> 674 + 675 675 Algorithm keywords get separated using dashes. Multiple proposals may be 676 676 specified in a list. 
The special value <literal>default</literal> forms 677 677 a default proposal of supported algorithms considered safe, and is ··· 686 686 an optional Extended Sequence Number Mode indicator. For AEAD proposals, 687 687 a combined mode algorithm is used instead of the separate 688 688 encryption/integrity algorithms. 689 - </para><para> 689 + 690 690 If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial 691 691 negotiation use a separate Diffie-Hellman exchange using the specified 692 692 group. However, for IKEv2, the keys of the CHILD_SA created implicitly ··· 695 695 rekeyed or is created with a separate CREATE_CHILD_SA exchange. A 696 696 proposal mismatch might, therefore, not immediately be noticed when the 697 697 SA is established, but may later cause rekeying to fail. 698 - </para><para> 698 + 699 699 Extended Sequence Number support may be indicated with the 700 700 <literal>esn</literal> and <literal>noesn</literal> values, both may be 701 701 included to indicate support for both modes. If omitted, 702 702 <literal>noesn</literal> is assumed. 703 - </para><para> 703 + 704 704 In IKEv2, multiple algorithms of the same kind can be specified in a 705 705 single proposal, from which one gets selected. In IKEv1, only one 706 706 algorithm per kind is allowed per proposal, more algorithms get 707 707 implicitly stripped. Use multiple proposals to offer different algorithms 708 708 combinations in IKEv1. 709 - </para><para> 709 + 710 710 Algorithm keywords get separated using dashes. Multiple proposals may be 711 711 specified as a list. The special value <literal>default</literal> forms 712 712 a default proposal of supported algorithms considered safe, and is ··· 729 729 selector. The special value <literal>dynamic</literal> may be used 730 730 instead of a subnet definition, which gets replaced by the tunnel outer 731 731 address or the virtual IP, if negotiated. This is the default. 
732 - </para><para> 732 + 733 733 A protocol/port selector is surrounded by opening and closing square 734 734 brackets. Between these brackets, a numeric or getservent(3) protocol 735 735 name may be specified. After the optional protocol restriction, an ··· 738 738 special value <literal>opaque</literal> for RFC 4301 OPAQUE 739 739 selectors. Port ranges may be specified as well, none of the kernel 740 740 backends currently support port ranges, though. 741 - </para><para> 741 + 742 742 When IKEv1 is used only the first selector is interpreted, except if the 743 743 Cisco Unity extension plugin is used. This is due to a limitation of the 744 744 IKEv1 protocol, which only allows a single pair of selectors per ··· 761 761 specified in the proposal. To avoid rekey collisions initiated by both 762 762 ends simultaneously, a value in the range of <option>rand_time</option> 763 763 gets subtracted to form the effective soft lifetime. 764 - </para><para> 764 + 765 765 By default CHILD_SA rekeying is scheduled every hour, minus 766 766 <option>rand_time</option>. 767 767 ''; ··· 783 783 Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA 784 784 rekeying refreshes key material, optionally using a Diffie-Hellman 785 785 exchange if a group is specified in the proposal. 786 - </para><para> 786 + 787 787 To avoid rekey collisions initiated by both ends simultaneously, a value 788 788 in the range of <option>rand_bytes</option> gets subtracted to form the 789 789 effective soft volume limit. 790 - </para><para> 790 + 791 791 Volume based CHILD_SA rekeying is disabled by default. 792 792 ''; 793 793 ··· 808 808 Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA 809 809 rekeying refreshes key material, optionally using a Diffie-Hellman 810 810 exchange if a group is specified in the proposal. 
811 - </para><para> 811 + 812 812 To avoid rekey collisions initiated by both ends simultaneously, a value 813 813 in the range of <option>rand_packets</option> gets subtracted to form 814 814 the effective soft packet count limit. 815 - </para><para> 815 + 816 816 Packet count based CHILD_SA rekeying is disabled by default. 817 817 ''; 818 818 ··· 821 821 this hard packets limit is never reached, because the CHILD_SA gets 822 822 rekeyed before. If that fails for whatever reason, this limit closes the 823 823 CHILD_SA. 824 - </para><para> 824 + 825 825 The default is 10% more than <option>rekey_bytes</option>. 826 826 ''; 827 827 ··· 936 936 <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, 937 937 beyond that the value <literal>%unique-dir</literal> assigns a different 938 938 unique mark for each 939 - </para><para> 939 + 940 940 An additional mask may be appended to the mark, separated by 941 941 <literal>/</literal>. The default mask if omitted is 942 942 <literal>0xffffffff</literal>. ··· 960 960 value <literal>%unique</literal> sets a unique mark on each CHILD_SA 961 961 instance, beyond that the value <literal>%unique-dir</literal> assigns a 962 962 different unique mark for each CHILD_SA direction (in/out). 963 - </para><para> 963 + 964 964 An additional mask may be appended to the mark, separated by 965 965 <literal>/</literal>. The default mask if omitted is 966 966 <literal>0xffffffff</literal>. ··· 1102 1102 <literal>start</literal> tries to re-create the CHILD_SA. 1103 1103 </para></listitem> 1104 1104 </itemizedlist> 1105 - </para><para> 1105 + 1106 1106 <option>close_action</option> does not provide any guarantee that the 1107 1107 CHILD_SA is kept alive. It acts on explicit close messages only, but not 1108 1108 on negotiation failures. Use trap policies to reliably re-create failed
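Review bot: Two descriptions in this section still carry text defects on the new side that the paragraph conversion leaves in place. In the hard packet-limit description (the hunk at line 821) the closing sentence says the default is 10% more than `rekey_bytes`, which looks copied from the byte-limit option and presumably should name `rekey_packets`. In the hunk at line 936 the sentence ending "assigns a different unique mark for each" stops mid-way; the parallel text in the hunk at line 960 finishes it with "CHILD_SA direction (in/out)". Both are worth correcting in the same pass, since these strings are what operators read when choosing SA lifetimes and marks.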
+8 -10
nixos/modules/services/networking/wireguard.nix
··· 118 118 default = null; 119 119 type = with types; nullOr str; 120 120 example = "container"; 121 - description = ''The pre-existing network namespace in which the 121 + description = lib.mdDoc ''The pre-existing network namespace in which the 122 122 WireGuard interface is created, and which retains the socket even if the 123 - interface is moved via <option>interfaceNamespace</option>. When 124 - <literal>null</literal>, the interface is created in the init namespace. 125 - See <link 126 - xlink:href="https://www.wireguard.com/netns/">documentation</link>. 123 + interface is moved via {option}`interfaceNamespace`. When 124 + `null`, the interface is created in the init namespace. 125 + See [documentation](https://www.wireguard.com/netns/). 127 126 ''; 128 127 }; 129 128 ··· 131 130 default = null; 132 131 type = with types; nullOr str; 133 132 example = "init"; 134 - description = ''The pre-existing network namespace the WireGuard 135 - interface is moved to. The special value <literal>init</literal> means 136 - the init namespace. When <literal>null</literal>, the interface is not 133 + description = lib.mdDoc ''The pre-existing network namespace the WireGuard 134 + interface is moved to. The special value `init` means 135 + the init namespace. When `null`, the interface is not 137 136 moved. 138 - See <link 139 - xlink:href="https://www.wireguard.com/netns/">documentation</link>. 137 + See [documentation](https://www.wireguard.com/netns/). 140 138 ''; 141 139 }; 142 140 };
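--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -190,7 +190,7 @@
 description = ''
 Whether to allow configuring networks "imperatively" (e.g. via
 <package>wpa_supplicant_gui</package>) and declaratively via
-<xref linkend="opt-networking.wireless.networks" />.
+<xref linkend="opt-networking.wireless.networks"/>.
 
 Please note that this adds a custom patch to <package>wpa_supplicant</package>.
 '';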
+8 -8
nixos/modules/services/networking/yggdrasil.nix
··· 44 44 are supplied, they will be combined, with values from 45 45 <option>configFile</option> taking precedence. 46 46 47 - You can use the command <code>nix-shell -p yggdrasil --run 48 - "yggdrasil -genconf"</code> to generate default 47 + You can use the command <literal>nix-shell -p yggdrasil --run 48 + "yggdrasil -genconf"</literal> to generate default 49 49 configuration values with documentation. 50 50 ''; 51 51 }; ··· 64 64 type = types.nullOr types.str; 65 65 default = null; 66 66 example = "wheel"; 67 - description = "Group to grant access to the Yggdrasil control socket. If <code>null</code>, only root can access the socket."; 67 + description = lib.mdDoc "Group to grant access to the Yggdrasil control socket. If `null`, only root can access the socket."; 68 68 }; 69 69 70 70 openMulticastPort = mkOption { 71 71 type = bool; 72 72 default = false; 73 - description = '' 73 + description = lib.mdDoc '' 74 74 Whether to open the UDP port used for multicast peer 75 75 discovery. The NixOS firewall blocks link-local 76 76 communication, so in order to make local peering work you 77 - will also need to set <code>LinkLocalTCPPort</code> in your 78 - yggdrasil configuration (<option>config</option> or 79 - <option>configFile</option>) to a port number other than 0, 77 + will also need to set `LinkLocalTCPPort` in your 78 + yggdrasil configuration ({option}`config` or 79 + {option}`configFile`) to a port number other than 0, 80 80 and then add that port to 81 - <option>networking.firewall.allowedTCPPorts</option>. 81 + {option}`networking.firewall.allowedTCPPorts`. 82 82 ''; 83 83 }; 84 84
+7 -14
nixos/modules/services/networking/znc/default.nix
··· 156 156 format ZNC expects. This is much more flexible than the legacy options 157 157 under <option>services.znc.confOptions.*</option>, but also can't do 158 158 any type checking. 159 - </para> 160 - <para> 159 + 161 160 You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command> 162 161 to view the current value. By default it contains a listener for port 163 162 5000 with SSL enabled. 164 - </para> 165 - <para> 163 + 166 164 Nix attributes called <literal>extraConfig</literal> will be inserted 167 165 verbatim into the resulting config file. 168 - </para> 169 - <para> 166 + 170 167 If <option>services.znc.useLegacyConfig</option> is turned on, the 171 168 option values in <option>services.znc.confOptions.*</option> will be 172 169 gracefully be applied to this option. 173 - </para> 174 - <para> 170 + 175 171 If you intend to update the configuration through this option, be sure 176 172 to enable <option>services.znc.mutable</option>, otherwise none of the 177 173 changes here will be applied after the initial deploy. ··· 184 180 description = '' 185 181 Configuration file for ZNC. It is recommended to use the 186 182 <option>config</option> option instead. 187 - </para> 188 - <para> 183 + 189 184 Setting this option will override any auto-generated config file 190 185 through the <option>confOptions</option> or <option>config</option> 191 186 options. ··· 208 203 Indicates whether to allow the contents of the 209 204 <literal>dataDir</literal> directory to be changed by the user at 210 205 run-time. 211 - </para> 212 - <para> 206 + 213 207 If enabled, modifications to the ZNC configuration after its initial 214 208 creation are not overwritten by a NixOS rebuild. If disabled, the 215 209 ZNC configuration is rebuilt on every NixOS rebuild. 216 - </para> 217 - <para> 210 + 218 211 If the user wants to manage the ZNC service using the web admin 219 212 interface, this option should be enabled. 
220 213 '';
+1 -2
nixos/modules/services/networking/znc/options.nix
··· 106 106 <option>services.znc.confOptions.*</option> options. 107 107 You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command> 108 108 to view the current value of the config. 109 - </para> 110 - <para> 109 + 111 110 In any case, if you need more flexibility, 112 111 <option>services.znc.config</option> can be used to override/add to 113 112 all of the legacy options.
+4 -4
nixos/modules/services/security/privacyidea.nix
··· 78 78 using <package>envsubst</package> which is helpful for specifying 79 79 secrets: 80 80 <programlisting> 81 - { <xref linkend="opt-services.privacyidea.secretKey" /> = "$SECRET"; } 81 + { <xref linkend="opt-services.privacyidea.secretKey"/> = "$SECRET"; } 82 82 </programlisting> 83 83 84 84 The environment-file can now specify the actual secret key: ··· 207 207 description = '' 208 208 Attribute-set containing the settings for <package>privacyidea-ldap-proxy</package>. 209 209 It's possible to pass secrets using env-vars as substitutes and 210 - use the option <xref linkend="opt-services.privacyidea.ldap-proxy.environmentFile" /> 210 + use the option <xref linkend="opt-services.privacyidea.ldap-proxy.environmentFile"/> 211 211 to inject them via <package>envsubst</package>. 212 212 ''; 213 213 }; ··· 215 215 environmentFile = mkOption { 216 216 default = null; 217 217 type = types.nullOr types.str; 218 - description = '' 218 + description = lib.mdDoc '' 219 219 Environment file containing secrets to be substituted into 220 - <xref linkend="opt-services.privacyidea.ldap-proxy.settings" />. 220 + [](#opt-services.privacyidea.ldap-proxy.settings). 221 221 ''; 222 222 }; 223 223 };
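Review bot: The converted `environmentFile` description in the last hunk says the file contains secrets but gives no guidance on where it may live or who may read it. Since option values and any path literal end up in the world-readable Nix store, I would add a sentence such as `The file must be kept outside the Nix store and be readable only by the user the proxy runs as.` Which user reads the file is decided outside this hunk, so the wording should be checked against the service definition.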
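--- a/nixos/modules/services/security/step-ca.nix
+++ b/nixos/modules/services/security/step-ca.nix
@@ -36,8 +36,8 @@
 type = with lib.types; attrsOf anything;
 description = ''
 Settings that go into <filename>ca.json</filename>. See
-<link xlink:href="https://smallstep.com/docs/step-ca/configuration">
-the step-ca manual</link> for more information. The easiest way to
+<link xlink:href="https://smallstep.com/docs/step-ca/configuration">the step-ca manual</link>
+for more information. The easiest way to
 configure this module would be to run <literal>step ca init</literal>
 to generate <filename>ca.json</filename> and then import it using
 <literal>builtins.fromJSON</literal>.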
+8 -8
nixos/modules/services/security/tor.nix
··· 287 287 relay = { 288 288 enable = mkEnableOption ''relaying of Tor traffic for others. 289 289 290 - See <link xlink:href="https://www.torproject.org/docs/tor-doc-relay" /> 290 + See <link xlink:href="https://www.torproject.org/docs/tor-doc-relay"/> 291 291 for details. 292 292 293 293 Setting this to true requires setting ··· 348 348 349 349 <para> 350 350 See 351 - <link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en" /> 351 + <link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en"/> 352 352 for more info. 353 353 </para> 354 354 </listitem> ··· 366 366 <para> 367 367 Using this option will make Tor advertise your bridge 368 368 to users through various mechanisms like 369 - <link xlink:href="https://bridges.torproject.org/" />, though. 369 + <link xlink:href="https://bridges.torproject.org/"/>, though. 370 370 </para> 371 371 372 372 <important> ··· 384 384 </important> 385 385 386 386 <para> 387 - See <link xlink:href="https://www.torproject.org/docs/bridges.html.en" /> 387 + See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/> 388 388 for more info. 389 389 </para> 390 390 </listitem> ··· 419 419 </para> 420 420 421 421 <para> 422 - See <link xlink:href="https://www.torproject.org/docs/bridges.html.en" /> 422 + See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/> 423 423 for more info. 424 424 </para> 425 425 </listitem> ··· 476 476 }; 477 477 clientNames = mkOption { 478 478 type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+"); 479 - description = '' 479 + description = lib.mdDoc '' 480 480 Only clients that are listed here are authorized to access the hidden service. 481 - Generated authorization data can be found in <filename>${stateDir}/onion/$name/hostname</filename>. 481 + Generated authorization data can be found in {file}`${stateDir}/onion/$name/hostname`. 
482 482 Clients need to put this authorization data in their configuration file using 483 - <xref linkend="opt-services.tor.settings.HidServAuth"/>. 483 + [](#opt-services.tor.settings.HidServAuth). 484 484 ''; 485 485 }; 486 486 };
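Review bot: The `strMatching "[A-Za-z0-9+-_]+"` type on `clientNames`, a context line just above the converted description, accepts far more than it appears to intend. Inside a bracket expression `+-_` is a range from `+` to `_`, so it also admits `/`, `.`, `:`, `=`, `\` and other punctuation. Putting the hyphen last makes every character literal: `type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+_-]+");`. How the names are consumed is outside this hunk, so it should be confirmed whether they reach a file path or a generated configuration line; if they do, the tighter pattern matters.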
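--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -116,13 +116,13 @@
 storageConfig = mkOption {
 type = types.nullOr types.lines;
 default = null;
-description = ''
+description = lib.mdDoc ''
 HCL configuration to insert in the storageBackend section.
 
 Confidential values should not be specified here because this option's
 value is written to the Nix store, which is publicly readable.
 Provide credentials and such in a separate file using
-<xref linkend="opt-services.vault.extraSettingsPaths"/>.
+[](#opt-services.vault.extraSettingsPaths).
 '';
 };
 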
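--- a/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixos/modules/services/security/vaultwarden/default.nix
@@ -116,7 +116,7 @@
 The available configuration options can be found in
 <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>.
 
-See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how
+See <xref linkend="opt-services.vaultwarden.environmentFile"/> for how
 to set up access to the Admin UI to invite initial users.
 '';
 };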
+7 -7
nixos/modules/services/system/dbus.nix
··· 38 38 packages = mkOption { 39 39 type = types.listOf types.path; 40 40 default = [ ]; 41 - description = '' 41 + description = lib.mdDoc '' 42 42 Packages whose D-Bus configuration files should be included in 43 43 the configuration of the D-Bus system-wide or session-wide 44 44 message bus. Specifically, files in the following directories 45 45 will be included into their respective DBus configuration paths: 46 - <filename><replaceable>pkg</replaceable>/etc/dbus-1/system.d</filename> 47 - <filename><replaceable>pkg</replaceable>/share/dbus-1/system.d</filename> 48 - <filename><replaceable>pkg</replaceable>/share/dbus-1/system-services</filename> 49 - <filename><replaceable>pkg</replaceable>/etc/dbus-1/session.d</filename> 50 - <filename><replaceable>pkg</replaceable>/share/dbus-1/session.d</filename> 51 - <filename><replaceable>pkg</replaceable>/share/dbus-1/services</filename> 46 + {file}`«pkg»/etc/dbus-1/system.d` 47 + {file}`«pkg»/share/dbus-1/system.d` 48 + {file}`«pkg»/share/dbus-1/system-services` 49 + {file}`«pkg»/etc/dbus-1/session.d` 50 + {file}`«pkg»/share/dbus-1/session.d` 51 + {file}`«pkg»/share/dbus-1/services` 52 52 ''; 53 53 }; 54 54
+8 -8
nixos/modules/services/system/earlyoom.nix
··· 32 32 freeMemKillThreshold = mkOption { 33 33 type = types.nullOr (types.ints.between 1 100); 34 34 default = null; 35 - description = '' 35 + description = lib.mdDoc '' 36 36 Minimum available memory (in percent) before sending SIGKILL. 37 - If unset, this defaults to half of <option>freeMemThreshold</option>. 37 + If unset, this defaults to half of {option}`freeMemThreshold`. 38 38 39 - See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. 39 + See the description of [](#opt-services.earlyoom.freeMemThreshold). 40 40 ''; 41 41 }; 42 42 43 43 freeSwapThreshold = mkOption { 44 44 type = types.ints.between 1 100; 45 45 default = 10; 46 - description = '' 46 + description = lib.mdDoc '' 47 47 Minimum free swap space (in percent) before sending SIGTERM. 48 48 49 - See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. 49 + See the description of [](#opt-services.earlyoom.freeMemThreshold). 50 50 ''; 51 51 }; 52 52 53 53 freeSwapKillThreshold = mkOption { 54 54 type = types.nullOr (types.ints.between 1 100); 55 55 default = null; 56 - description = '' 56 + description = lib.mdDoc '' 57 57 Minimum free swap space (in percent) before sending SIGKILL. 58 - If unset, this defaults to half of <option>freeSwapThreshold</option>. 58 + If unset, this defaults to half of {option}`freeSwapThreshold`. 59 59 60 - See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. 60 + See the description of [](#opt-services.earlyoom.freeMemThreshold). 61 61 ''; 62 62 }; 63 63
+29 -29
nixos/modules/services/torrent/transmission.nix
··· 55 55 type = types.path; 56 56 default = "${cfg.home}/${incompleteDir}"; 57 57 defaultText = literalExpression ''"''${config.${opt.home}}/${incompleteDir}"''; 58 - description = '' 58 + description = lib.mdDoc '' 59 59 When enabled with 60 60 services.transmission.home 61 - <xref linkend="opt-services.transmission.settings.incomplete-dir-enabled"/>, 61 + [](#opt-services.transmission.settings.incomplete-dir-enabled), 62 62 new torrents will download the files to this directory. 63 63 When complete, the files will be moved to download-dir 64 - <xref linkend="opt-services.transmission.settings.download-dir"/>. 64 + [](#opt-services.transmission.settings.download-dir). 65 65 ''; 66 66 }; 67 67 options.incomplete-dir-enabled = mkOption { ··· 82 82 options.peer-port-random-high = mkOption { 83 83 type = types.port; 84 84 default = 65535; 85 - description = '' 85 + description = lib.mdDoc '' 86 86 The maximum peer port to listen to for incoming connections 87 - when <xref linkend="opt-services.transmission.settings.peer-port-random-on-start"/> is enabled. 87 + when [](#opt-services.transmission.settings.peer-port-random-on-start) is enabled. 88 88 ''; 89 89 }; 90 90 options.peer-port-random-low = mkOption { 91 91 type = types.port; 92 92 default = 65535; 93 - description = '' 93 + description = lib.mdDoc '' 94 94 The minimal peer port to listen to for incoming connections 95 - when <xref linkend="opt-services.transmission.settings.peer-port-random-on-start"/> is enabled. 95 + when [](#opt-services.transmission.settings.peer-port-random-on-start) is enabled. 
96 96 ''; 97 97 }; 98 98 options.peer-port-random-on-start = mkOption { ··· 117 117 options.script-torrent-done-enabled = mkOption { 118 118 type = types.bool; 119 119 default = false; 120 - description = '' 120 + description = lib.mdDoc '' 121 121 Whether to run 122 - <xref linkend="opt-services.transmission.settings.script-torrent-done-filename"/> 122 + [](#opt-services.transmission.settings.script-torrent-done-filename) 123 123 at torrent completion. 124 124 ''; 125 125 }; ··· 156 156 options.watch-dir-enabled = mkOption { 157 157 type = types.bool; 158 158 default = false; 159 - description = ''Whether to enable the 160 - <xref linkend="opt-services.transmission.settings.watch-dir"/>. 159 + description = lib.mdDoc ''Whether to enable the 160 + [](#opt-services.transmission.settings.watch-dir). 161 161 ''; 162 162 }; 163 163 options.trash-original-torrent-files = mkOption { 164 164 type = types.bool; 165 165 default = false; 166 - description = ''Whether to delete torrents added from the 167 - <xref linkend="opt-services.transmission.settings.watch-dir"/>. 166 + description = lib.mdDoc ''Whether to delete torrents added from the 167 + [](#opt-services.transmission.settings.watch-dir). 168 168 ''; 169 169 }; 170 170 }; ··· 174 174 type = with types; nullOr str; 175 175 default = null; 176 176 example = "770"; 177 - description = '' 178 - If not <code>null</code>, is used as the permissions 179 - set by <literal>systemd.activationScripts.transmission-daemon</literal> 180 - on the directories <xref linkend="opt-services.transmission.settings.download-dir"/>, 181 - <xref linkend="opt-services.transmission.settings.incomplete-dir"/>. 182 - and <xref linkend="opt-services.transmission.settings.watch-dir"/>. 
177 + description = lib.mdDoc '' 178 + If not `null`, is used as the permissions 179 + set by `systemd.activationScripts.transmission-daemon` 180 + on the directories [](#opt-services.transmission.settings.download-dir), 181 + [](#opt-services.transmission.settings.incomplete-dir). 182 + and [](#opt-services.transmission.settings.watch-dir). 183 183 Note that you may also want to change 184 - <xref linkend="opt-services.transmission.settings.umask"/>. 184 + [](#opt-services.transmission.settings.umask). 185 185 ''; 186 186 }; 187 187 188 188 home = mkOption { 189 189 type = types.path; 190 190 default = "/var/lib/transmission"; 191 - description = '' 192 - The directory where Transmission will create <literal>${settingsDir}</literal>. 193 - as well as <literal>${downloadsDir}/</literal> unless 194 - <xref linkend="opt-services.transmission.settings.download-dir"/> is changed, 195 - and <literal>${incompleteDir}/</literal> unless 196 - <xref linkend="opt-services.transmission.settings.incomplete-dir"/> is changed. 191 + description = lib.mdDoc '' 192 + The directory where Transmission will create `${settingsDir}`. 193 + as well as `${downloadsDir}/` unless 194 + [](#opt-services.transmission.settings.download-dir) is changed, 195 + and `${incompleteDir}/` unless 196 + [](#opt-services.transmission.settings.incomplete-dir) is changed. 197 197 ''; 198 198 }; 199 199 ··· 211 211 212 212 credentialsFile = mkOption { 213 213 type = types.path; 214 - description = '' 214 + description = lib.mdDoc '' 215 215 Path to a JSON file to be merged with the settings. 216 216 Useful to merge a file which is better kept out of the Nix store 217 - to set secret config parameters like <code>rpc-password</code>. 217 + to set secret config parameters like `rpc-password`. 218 218 ''; 219 219 default = "/dev/null"; 220 220 example = "/var/lib/secrets/transmission/settings.json"; ··· 237 237 to open many more connections at the same time. 
238 238 239 239 Note that you may also want to increase 240 - <code>peer-limit-global"</code>. 240 + <literal>peer-limit-global"</literal>. 241 241 And be aware that these settings are quite aggressive 242 242 and might not suite your regular desktop use. 243 243 For instance, SSH sessions may time out more easily'';
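Review bot: `options.peer-port-random-low` keeps `default = 65535;`, the same value as `peer-port-random-high`, although its converted description calls it the minimal peer port. With both bounds equal, enabling `peer-port-random-on-start` would always pick the same port, which looks like a copy-paste slip rather than intent. Transmission's own lower bound is, as far as I know, 49152, so `default = 49152;` is the likely fix, to be checked against upstream before changing. The same section's `downloadDirPermissions` text also has a stray full stop after the `incomplete-dir` link that could be dropped while these strings are being edited.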
+2 -2
nixos/modules/services/web-apps/bookstack.nix
··· 52 52 description = '' 53 53 A file containing the Laravel APP_KEY - a 32 character long, 54 54 base64 encoded key used for encryption where needed. Can be 55 - generated with <code>head -c 32 /dev/urandom | base64</code>. 55 + generated with <literal>head -c 32 /dev/urandom | base64</literal>. 56 56 ''; 57 57 example = "/run/keys/bookstack-appkey"; 58 58 type = types.path; ··· 74 74 appURL = mkOption { 75 75 description = '' 76 76 The root URL that you want to host BookStack on. All URLs in BookStack will be generated using this value. 77 - If you change this in the future you may need to run a command to update stored URLs in the database. Command example: <code>php artisan bookstack:update-url https://old.example.com https://new.example.com</code> 77 + If you change this in the future you may need to run a command to update stored URLs in the database. Command example: <literal>php artisan bookstack:update-url https://old.example.com https://new.example.com</literal> 78 78 ''; 79 79 default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostname}"; 80 80 defaultText = ''http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostname}'';
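Review bot: The `appKeyFile` description in the first hunk calls the key "32 character long, base64 encoded", but the command it quotes, `head -c 32 /dev/urandom | base64`, encodes 32 random bytes into 44 characters. Someone checking their key file against the text could conclude a valid key is wrong, or shorten it. I would reword the sentence to `a base64 encoded 32 byte key used for encryption where needed`.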
+5 -5
nixos/modules/services/web-apps/dokuwiki.nix
··· 260 260 webserver = mkOption { 261 261 type = types.enum [ "nginx" "caddy" ]; 262 262 default = "nginx"; 263 - description = '' 263 + description = lib.mdDoc '' 264 264 Whether to use nginx or caddy for virtual host management. 265 265 266 - Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>. 267 - See <xref linkend="opt-services.nginx.virtualHosts"/> for further information. 266 + Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`. 267 + See [](#opt-services.nginx.virtualHosts) for further information. 268 268 269 - Further apache2 configuration can be done by adapting <literal>services.httpd.virtualHosts.&lt;name&gt;</literal>. 270 - See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. 269 + Further apache2 configuration can be done by adapting `services.httpd.virtualHosts.<name>`. 270 + See [](#opt-services.httpd.virtualHosts) for further information. 271 271 ''; 272 272 }; 273 273
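Review bot: The converted `webserver` description still documents apache2 (`services.httpd.virtualHosts.<name>`), while the option's type is `types.enum [ "nginx" "caddy" ]`. It therefore points readers to a web server the option cannot select and says nothing about caddy. I would replace the second paragraph with "Further caddy configuration can be done by adapting `services.caddy.virtualHosts.<name>`." and link `[](#opt-services.caddy.virtualHosts)`. That the module writes its virtual host under that option is inferred, because the implementation is outside this hunk.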
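--- a/nixos/modules/services/web-apps/hedgedoc.nix
+++ b/nixos/modules/services/web-apps/hedgedoc.nix
@@ -150,10 +150,9 @@
 addDefaults = true;
 }
 '';
-description = ''
+description = lib.mdDoc ''
 Specify the Content Security Policy which is passed to Helmet.
-For configuration details see <link xlink:href="https://helmetjs.github.io/docs/csp/"
->https://helmetjs.github.io/docs/csp/</link>.
+For configuration details see <https://helmetjs.github.io/docs/csp/>.
 '';
 };
 protocolUseSSL = mkOption {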
+16 -23
nixos/modules/services/web-apps/keycloak.nix
··· 210 210 name = mkOption { 211 211 type = str; 212 212 default = "keycloak"; 213 - description = '' 213 + description = lib.mdDoc '' 214 214 Database name to use when connecting to an external or 215 215 manually provisioned database; has no effect when a local 216 216 database is automatically provisioned. 217 217 218 - To use this with a local database, set <xref 219 - linkend="opt-services.keycloak.database.createLocally" /> to 220 - <literal>false</literal> and create the database and user 218 + To use this with a local database, set [](#opt-services.keycloak.database.createLocally) to 219 + `false` and create the database and user 221 220 manually. 222 221 ''; 223 222 }; ··· 225 224 username = mkOption { 226 225 type = str; 227 226 default = "keycloak"; 228 - description = '' 227 + description = lib.mdDoc '' 229 228 Username to use when connecting to an external or manually 230 229 provisioned database; has no effect when a local database is 231 230 automatically provisioned. 232 231 233 - To use this with a local database, set <xref 234 - linkend="opt-services.keycloak.database.createLocally" /> to 235 - <literal>false</literal> and create the database and user 232 + To use this with a local database, set [](#opt-services.keycloak.database.createLocally) to 233 + `false` and create the database and user 236 234 manually. 237 235 ''; 238 236 }; ··· 329 327 want to set this to <literal>/auth</literal> to 330 328 keep compatibility with your clients. 331 329 332 - See <link 333 - xlink:href="https://www.keycloak.org/migration/migrating-to-quarkus" 334 - /> for more information on migrating from Wildfly 335 - to Quarkus. 330 + See <link xlink:href="https://www.keycloak.org/migration/migrating-to-quarkus"/> 331 + for more information on migrating from Wildfly to Quarkus. 
336 332 </para> 337 333 </note> 338 334 ''; ··· 404 400 </varlistentry> 405 401 </variablelist> 406 402 407 - See <link 408 - xlink:href="https://www.keycloak.org/server/reverseproxy" 409 - /> for more information. 403 + See <link xlink:href="https://www.keycloak.org/server/reverseproxy"/> for more information. 410 404 ''; 411 405 }; 412 406 }; ··· 421 415 } 422 416 ''; 423 417 424 - description = '' 418 + description = lib.mdDoc '' 425 419 Configuration options corresponding to parameters set in 426 - <filename>conf/keycloak.conf</filename>. 420 + {file}`conf/keycloak.conf`. 427 421 428 - Most available options are documented at <link 429 - xlink:href="https://www.keycloak.org/server/all-config" />. 422 + Most available options are documented at <https://www.keycloak.org/server/all-config>. 430 423 431 424 Options containing secret data should be set to an attribute 432 - set containing the attribute <literal>_secret</literal> - a 425 + set containing the attribute `_secret` - a 433 426 string pointing to a file containing the value the option 434 427 should be set to. See the example to get a better picture of 435 428 this: in the resulting 436 - <filename>conf/keycloak.conf</filename> file, the 437 - <literal>https-key-store-password</literal> key will be set 429 + {file}`conf/keycloak.conf` file, the 430 + `https-key-store-password` key will be set 438 431 to the contents of the 439 - <filename>/run/keys/store_password</filename> file. 432 + {file}`/run/keys/store_password` file. 440 433 ''; 441 434 }; 442 435 };
+18 -18
nixos/modules/services/web-apps/mastodon.nix
··· 113 113 affect other virtualHosts running on your nginx instance, if any. 114 114 Alternatively you can configure a reverse-proxy of your choice to serve these paths: 115 115 116 - <code>/ -> $(nix-instantiate --eval '&lt;nixpkgs&gt;' -A mastodon.outPath)/public</code> 116 + <literal>/ -> $(nix-instantiate --eval '&lt;nixpkgs&gt;' -A mastodon.outPath)/public</literal> 117 117 118 - <code>/ -> 127.0.0.1:{{ webPort }} </code>(If there was no file in the directory above.) 118 + <literal>/ -> 127.0.0.1:{{ webPort }} </literal>(If there was no file in the directory above.) 119 119 120 - <code>/system/ -> /var/lib/mastodon/public-system/</code> 120 + <literal>/system/ -> /var/lib/mastodon/public-system/</literal> 121 121 122 - <code>/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}</code> 122 + <literal>/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}</literal> 123 123 124 124 Make sure that websockets are forwarded properly. You might want to set up caching 125 125 of some requests. Take a look at mastodon's provided nginx configuration at 126 - <code>https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf</code>. 126 + <literal>https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf</literal>. 127 127 ''; 128 128 type = lib.types.bool; 129 129 default = false; ··· 135 135 that user will be created, otherwise it should be set to the 136 136 name of a user created elsewhere. In both cases, 137 137 <package>mastodon</package> and a package containing only 138 - the shell script <code>mastodon-env</code> will be added to 138 + the shell script <literal>mastodon-env</literal> will be added to 139 139 the user's package set. 
To run a command from 140 - <package>mastodon</package> such as <code>tootctl</code> 140 + <package>mastodon</package> such as <literal>tootctl</literal> 141 141 with the environment configured by this module use 142 - <code>mastodon-env</code>, as in: 142 + <literal>mastodon-env</literal>, as in: 143 143 144 - <code>mastodon-env tootctl accounts create newuser --email newuser@example.com</code> 144 + <literal>mastodon-env tootctl accounts create newuser --email newuser@example.com</literal> 145 145 ''; 146 146 type = lib.types.str; 147 147 default = "mastodon"; ··· 197 197 }; 198 198 199 199 vapidPublicKeyFile = lib.mkOption { 200 - description = '' 200 + description = lib.mdDoc '' 201 201 Path to file containing the public key used for Web Push 202 202 Voluntary Application Server Identification. A new keypair can 203 203 be generated by running: 204 204 205 - <code>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake webpush:generate_keys</code> 205 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys` 206 206 207 - If <option>mastodon.vapidPrivateKeyFile</option>does not 207 + If {option}`mastodon.vapidPrivateKeyFile`does not 208 208 exist, it and this file will be created with a new keypair. 209 209 ''; 210 210 default = "/var/lib/mastodon/secrets/vapid-public-key"; ··· 218 218 }; 219 219 220 220 secretKeyBaseFile = lib.mkOption { 221 - description = '' 221 + description = lib.mdDoc '' 222 222 Path to file containing the secret key base. 223 223 A new secret key base can be generated by running: 224 224 225 - <code>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake secret</code> 225 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret` 226 226 227 227 If this file does not exist, it will be created with a new secret key base. 228 228 ''; ··· 231 231 }; 232 232 233 233 otpSecretFile = lib.mkOption { 234 - description = '' 234 + description = lib.mdDoc '' 235 235 Path to file containing the OTP secret. 
236 236 A new OTP secret can be generated by running: 237 237 238 - <code>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake secret</code> 238 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret` 239 239 240 240 If this file does not exist, it will be created with a new OTP secret. 241 241 ''; ··· 244 244 }; 245 245 246 246 vapidPrivateKeyFile = lib.mkOption { 247 - description = '' 247 + description = lib.mdDoc '' 248 248 Path to file containing the private key used for Web Push 249 249 Voluntary Application Server Identification. A new keypair can 250 250 be generated by running: 251 251 252 - <code>nix build -f '&lt;nixpkgs&gt;' mastodon; cd result; bin/rake webpush:generate_keys</code> 252 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys` 253 253 254 254 If this file does not exist, it will be created with a new 255 255 private key.
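Review bot: In the `vapidPublicKeyFile` description the converted text reads ``{option}`mastodon.vapidPrivateKeyFile`does not``, with no space between the closing backtick and "does". The words were already fused in the DocBook original, but in Markdown the role markup now runs straight into the next word; it should read ``If {option}`mastodon.vapidPrivateKeyFile` does not``. The option name also lacks the `services.` prefix that the other cross-references in this commit carry, so `services.mastodon.vapidPrivateKeyFile` is probably what was meant; the option's declaration is elsewhere in the file, so that should be confirmed.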
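--- a/nixos/modules/services/web-apps/mediawiki.nix
+++ b/nixos/modules/services/web-apps/mediawiki.nix
@@ -280,7 +280,7 @@
 one version of MediaWiki, or have other applications that also use the
 database, you can give the table names a unique prefix to stop any naming
 conflicts or confusion.
-See <link xlink:href='https://www.mediawiki.org/wiki/Manual:$wgDBprefix'/>.
+See <link xlink:href="https://www.mediawiki.org/wiki/Manual:$wgDBprefix"/>.
 '';
 };
 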
+13 -13
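--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -93,8 +93,8 @@
 type = types.str;
 default = config.services.nextcloud.home;
 defaultText = literalExpression "config.services.nextcloud.home";
-description = ''
-Data storage path of nextcloud. Will be <xref linkend="opt-services.nextcloud.home" /> by default.
+description = lib.mdDoc ''
+Data storage path of nextcloud. Will be [](#opt-services.nextcloud.home) by default.
 This folder will be populated with a config.php and data folder which contains the state of the instance (excl the database).";
 '';
 example = "/mnt/nextcloud-file";
@@ -102,10 +102,10 @@
 extraApps = mkOption {
 type = types.attrsOf types.package;
 default = { };
-description = ''
+description = lib.mdDoc ''
 Extra apps to install. Should be an attrSet of appid to packages generated by fetchNextcloudApp.
 The appid must be identical to the "id" value in the apps appinfo/info.xml.
-Using this will disable the appstore to prevent Nextcloud from updating these apps (see <xref linkend="opt-services.nextcloud.appstoreEnable" />).
+Using this will disable the appstore to prevent Nextcloud from updating these apps (see [](#opt-services.nextcloud.appstoreEnable)).
 '';
 example = literalExpression ''
 {
@@ -127,8 +127,8 @@
 extraAppsEnable = mkOption {
 type = types.bool;
 default = true;
-description = ''
-Automatically enable the apps in <xref linkend="opt-services.nextcloud.extraApps" /> every time nextcloud starts.
+description = lib.mdDoc ''
+Automatically enable the apps in [](#opt-services.nextcloud.extraApps) every time nextcloud starts.
 If set to false, apps need to be enabled in the Nextcloud user interface or with nextcloud-occ app:enable.
 '';
 };
@@ -136,10 +136,10 @@
 type = types.nullOr types.bool;
 default = null;
 example = true;
-description = ''
+description = lib.mdDoc ''
 Allow the installation of apps and app updates from the store.
-Enabled by default unless there are packages in <xref linkend="opt-services.nextcloud.extraApps" />.
-Set to true to force enable the store even if <xref linkend="opt-services.nextcloud.extraApps" /> is used.
+Enabled by default unless there are packages in [](#opt-services.nextcloud.extraApps).
+Set to true to force enable the store even if [](#opt-services.nextcloud.extraApps) is used.
 Set to false to disable the installation of apps from the global appstore. App management is always enabled regardless of this setting.
 '';
 };
@@ -467,7 +467,7 @@
 This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF).
 You may want to disable it for increased security. In that case, previews will still be available
 for some images (e.g. JPEG and PNG).
-See <link xlink:href="https://github.com/nextcloud/server/issues/13099" />.
+See <link xlink:href="https://github.com/nextcloud/server/issues/13099"/>.
 '' // {
 default = true;
 };
@@ -585,9 +585,9 @@
 hstsMaxAge = mkOption {
 type = types.ints.positive;
 default = 15552000;
-description = ''
-Value for the <code>max-age</code> directive of the HTTP
-<code>Strict-Transport-Security</code> header.
+description = lib.mdDoc ''
+Value for the `max-age` directive of the HTTP
+`Strict-Transport-Security` header.
 
 See section 6.1.1 of IETF RFC 6797 for detailed information on this
 directive and header.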
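Review bot: The `datadir` description in the first hunk still carries a stray `";` at the end of new line 98 (`... (excl the database).";`). It sits inside the `''` string, so it is part of the option text and will show up in the rendered manual now that the description goes through `lib.mdDoc`. Since this commit already rewrites the line above it, end the sentence at `(excl the database).` and drop the two extra characters.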
+2 -3
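--- a/nixos/modules/services/web-apps/node-red.nix
+++ b/nixos/modules/services/web-apps/node-red.nix
@@ -47,10 +47,9 @@
 type = types.path;
 default = "${cfg.package}/lib/node_modules/node-red/settings.js";
 defaultText = literalExpression ''"''${package}/lib/node_modules/node-red/settings.js"'';
-description = ''
+description = lib.mdDoc ''
 Path to the JavaScript configuration file.
-See <link
-xlink:href="https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js"/>
+See <https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js>
 for a configuration example.
 '';
 };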
+2 -2
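--- a/nixos/modules/services/web-apps/snipe-it.nix
+++ b/nixos/modules/services/web-apps/snipe-it.nix
@@ -46,7 +46,7 @@
 description = ''
 A file containing the Laravel APP_KEY - a 32 character long,
 base64 encoded key used for encryption where needed. Can be
-generated with <code>head -c 32 /dev/urandom | base64</code>.
+generated with <literal>head -c 32 /dev/urandom | base64</literal>.
 '';
 example = "/run/keys/snipe-it/appkey";
 type = types.path;
@@ -69,7 +69,7 @@
 description = ''
 The root URL that you want to host Snipe-IT on. All URLs in Snipe-IT will be generated using this value.
 If you change this in the future you may need to run a command to update stored URLs in the database.
-Command example: <code>snipe-it snipe-it:update-url https://old.example.com https://new.example.com</code>
+Command example: <literal>snipe-it snipe-it:update-url https://old.example.com https://new.example.com</literal>
 '';
 default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostName}";
 defaultText = ''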
+1 -1
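--- a/nixos/modules/services/web-apps/trilium.nix
+++ b/nixos/modules/services/web-apps/trilium.nix
@@ -53,7 +53,7 @@
 noAuthentication = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 If set to true, no password is required to access the web frontend.
 '';
 };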
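Review bot: The `noAuthentication` description only says that no password is required, which understates what the switch does: with it set, anyone who can reach the web frontend gets the notes without a login. While the text is being touched, I would add one sentence such as `Only enable this if the frontend is reachable solely from trusted hosts, for example when it listens on localhost or sits behind a reverse proxy that authenticates users.` How the service binds is not visible in this hunk, so the wording may need adjusting to the module's defaults.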
+2 -3
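--- a/nixos/modules/services/web-apps/wiki-js.nix
+++ b/nixos/modules/services/web-apps/wiki-js.nix
@@ -95,12 +95,11 @@
 };
 description = ''
 Settings to configure <package>wiki-js</package>. This directly
-corresponds to <link xlink:href="https://docs.requarks.io/install/config">the upstream
-configuration options</link>.
+corresponds to <link xlink:href="https://docs.requarks.io/install/config">the upstream configuration options</link>.
 
 Secrets can be injected via the environment by
 <itemizedlist>
-<listitem><para>specifying <xref linkend="opt-services.wiki-js.environmentFile" />
+<listitem><para>specifying <xref linkend="opt-services.wiki-js.environmentFile"/>
 to contain secrets</para></listitem>
 <listitem><para>and setting sensitive values to <literal>$(ENVIRONMENT_VAR)</literal>
 with this value defined in the environment-file.</para></listitem>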
+2 -2
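--- a/nixos/modules/services/web-apps/wordpress.nix
+++ b/nixos/modules/services/web-apps/wordpress.nix
@@ -192,7 +192,7 @@
 prefix. Typically this is changed if you are installing multiple WordPress blogs
 in the same database.
 
-See <link xlink:href='https://codex.wordpress.org/Editing_wp-config.php#table_prefix'/>.
+See <link xlink:href="https://codex.wordpress.org/Editing_wp-config.php#table_prefix"/>.
 '';
 };
 
@@ -246,7 +246,7 @@
 description = ''
 Any additional text to be appended to the wp-config.php
 configuration file. This is a PHP script. For configuration
-settings, see <link xlink:href='https://codex.wordpress.org/Editing_wp-config.php'/>.
+settings, see <link xlink:href="https://codex.wordpress.org/Editing_wp-config.php"/>.
 '';
 example = ''
 define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds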
+3 -5
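--- a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
@@ -233,7 +233,7 @@
 default = false;
 description = ''
 Whether to enable serving <filename>~/public_html</filename> as
-<literal>/~<replaceable>username</replaceable></literal>.
+<literal>/~«username»</literal>.
 '';
 };
 
@@ -261,8 +261,7 @@
 default = "";
 example = "Disallow: /foo/";
 description = ''
-Specification of pages to be ignored by web crawlers. See <link
-xlink:href='http://www.robotstxt.org/'/> for details.
+Specification of pages to be ignored by web crawlers. See <link xlink:href="http://www.robotstxt.org/"/> for details.
 '';
 };
 
@@ -280,8 +279,7 @@
 };
 '';
 description = ''
-Declarative location config. See <link
-xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details.
+Declarative location config. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details.
 '';
 };
 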
+4 -4
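--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -504,16 +504,16 @@
 This is mutually exclusive to any other config option for
 <filename>nginx.conf</filename> except for
 <itemizedlist>
-<listitem><para><xref linkend="opt-services.nginx.appendConfig" />
+<listitem><para><xref linkend="opt-services.nginx.appendConfig"/>
 </para></listitem>
-<listitem><para><xref linkend="opt-services.nginx.httpConfig" />
+<listitem><para><xref linkend="opt-services.nginx.httpConfig"/>
 </para></listitem>
-<listitem><para><xref linkend="opt-services.nginx.logError" />
+<listitem><para><xref linkend="opt-services.nginx.logError"/>
 </para></listitem>
 </itemizedlist>
 
 If additional verbatim config in addition to other options is needed,
-<xref linkend="opt-services.nginx.appendConfig" /> should be used instead.
+<xref linkend="opt-services.nginx.appendConfig"/> should be used instead.
 '';
 };
 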
+1 -2
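--- a/nixos/modules/services/web-servers/uwsgi.nix
+++ b/nixos/modules/services/web-servers/uwsgi.nix
@@ -179,8 +179,7 @@
 <para>
 When in Emperor mode, any capability to be inherited by a vassal must
 be specified again in the vassal configuration using <literal>cap</literal>.
-See the uWSGI <link
-xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link>
+See the uWSGI <link xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link>
 for more information.
 </para>
 </note>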
+2 -3
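--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -170,10 +170,9 @@
 supportDDC = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Support setting monitor brightness via DDC.
-</para>
-<para>
+
 This is not needed for controlling brightness of the internal monitor
 of a laptop and as it is considered experimental by upstream, it is
 disabled by default.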
+2 -2
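--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix
@@ -55,12 +55,12 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to enable lightdm-mini-greeter as the lightdm greeter.
 
 Note that this greeter starts only the default X session.
 You can configure the default X session using
-<xref linkend="opt-services.xserver.displayManager.defaultSession"/>.
+[](#opt-services.xserver.displayManager.defaultSession).
 '';
 };
 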
+2 -2
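--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix
@@ -17,12 +17,12 @@
 enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to enable lightdm-tiny-greeter as the lightdm greeter.
 
 Note that this greeter starts only the default X session.
 You can configure the default X session using
-<xref linkend="opt-services.xserver.displayManager.defaultSession"/>.
+[](#opt-services.xserver.displayManager.defaultSession).
 '';
 };
 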
+1 -1
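--- a/nixos/modules/services/x11/window-managers/fvwm2.nix
+++ b/nixos/modules/services/x11/window-managers/fvwm2.nix
@@ -24,7 +24,7 @@
 gestures = mkOption {
 default = false;
 type = types.bool;
-description = "Whether or not to enable libstroke for gesture support";
+description = lib.mdDoc "Whether or not to enable libstroke for gesture support";
 };
 };
 };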
+1 -1
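--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -335,7 +335,7 @@
 '';
 description = ''
 The name of the system used in the <option>system.build.toplevel</option> derivation.
-</para><para>
+
 That derivation has the following name:
 <literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal>
 '';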
+6 -7
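--- a/nixos/modules/system/boot/initrd-network.nix
+++ b/nixos/modules/system/boot/initrd-network.nix
@@ -50,18 +50,17 @@
 boot.initrd.network.enable = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Add network connectivity support to initrd. The network may be
-configured using the <literal>ip</literal> kernel parameter,
-as described in <link
-xlink:href="https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt">the
-kernel documentation</link>. Otherwise, if
-<option>networking.useDHCP</option> is enabled, an IP address
+configured using the `ip` kernel parameter,
+as described in [the kernel documentation](https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt).
+Otherwise, if
+{option}`networking.useDHCP` is enabled, an IP address
 is acquired using DHCP.
 
 You should add the module(s) required for your network card to
 boot.initrd.availableKernelModules.
-<literal>lspci -v | grep -iA8 'network\|ethernet'</literal>
+`lspci -v | grep -iA8 'network\|ethernet'`
 will tell you which.
 '';
 };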
+6 -6
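--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -624,9 +624,9 @@
 type = types.bool;
 description = ''
 Whether to invoke <literal>grub-install</literal> with
-<literal>--removable</literal>.</para>
+<literal>--removable</literal>.
 
-<para>Unless you turn this on, GRUB will install itself somewhere in
+Unless you turn this on, GRUB will install itself somewhere in
 <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where
 depends on other config variables). If you've set
 <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you
@@ -637,14 +637,14 @@
 NVRAM will not be modified, and your system will not find GRUB at
 boot time. However, GRUB will still return success so you may miss
 the warning that gets printed ("<literal>efibootmgr: EFI variables
-are not supported on this system.</literal>").</para>
+are not supported on this system.</literal>").
 
-<para>If you turn this feature on, GRUB will install itself in a
+If you turn this feature on, GRUB will install itself in a
 special location within <literal>efiSysMountPoint</literal> (namely
 <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares
-are hardcoded to try first, regardless of NVRAM EFI variables.</para>
+are hardcoded to try first, regardless of NVRAM EFI variables.
 
-<para>To summarize, turn this on if:
+To summarize, turn this on if:
 <itemizedlist>
 <listitem><para>You are installing NixOS and want it to boot in UEFI mode,
 but you are currently booted in legacy mode</para></listitem>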
+2 -2
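--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -548,11 +548,11 @@
 boot.initrd.luks.devices = mkOption {
 default = { };
 example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
-description = ''
+description = lib.mdDoc ''
 The encrypted disk that should be opened before the root
 filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
 setups are supported. The unencrypted devices can be accessed as
-<filename>/dev/mapper/<replaceable>name</replaceable></filename>.
+{file}`/dev/mapper/«name»`.
 '';
 
 type = with types; attrsOf (submodule (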
+4 -7
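--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -1170,8 +1170,7 @@
 <citerefentry><refentrytitle>systemd.netdev</refentrytitle>
 <manvolnum>5</manvolnum></citerefentry> for details.
 A detailed explanation about how VRFs work can be found in the
-<link xlink:href="https://www.kernel.org/doc/Documentation/networking/vrf.txt">kernel
-docs</link>.
+<link xlink:href="https://www.kernel.org/doc/Documentation/networking/vrf.txt">kernel docs</link>.
 '';
 };
 
@@ -1905,13 +1904,11 @@
 };
 
 extraArgs = mkOption {
-description = ''
+description = lib.mdDoc ''
 Extra command-line arguments to pass to systemd-networkd-wait-online.
-These also affect per-interface <literal>systemd-network-wait-online@</literal> services.
+These also affect per-interface `systemd-network-wait-online@` services.
 
-See <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html">
-<citerefentry><refentrytitle>systemd-networkd-wait-online.service</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry></link> for all available options.
+See [{manpage}`systemd-networkd-wait-online.service(8)`](https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html) for all available options.
 '';
 type = with types; listOf str;
 default = [];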
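Review bot: The converted `extraArgs` description (new line 1909) keeps what looks like a typo in the unit name: `systemd-network-wait-online@` is missing the `d`, while the line above it and the linked man page both say `systemd-networkd-wait-online`. Someone searching for the unit named in the docs will not find it, so I would write ``These also affect per-interface `systemd-networkd-wait-online@` services.`` The first hunk (1170) only joins a wrapped `<link>` and needs no change.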
+1 -1
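--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -480,7 +480,7 @@
 if you want to resume from file. If left empty, the swap partitions are used.
 Specify here the device where the file resides.
 You should also use <varname>boot.kernelParams</varname> to specify
-<literal><replaceable>resume_offset</replaceable></literal>.
+<literal>«resume_offset»</literal>.
 '';
 };
 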
+3 -6
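--- a/nixos/modules/system/boot/systemd/logind.nix
+++ b/nixos/modules/system/boot/systemd/logind.nix
@@ -26,17 +26,14 @@
 services.logind.killUserProcesses = mkOption {
 default = false;
 type = types.bool;
-description = ''
+description = lib.mdDoc ''
 Specifies whether the processes of a user should be killed
 when the user logs out. If true, the scope unit corresponding
 to the session and all processes inside that scope will be
 terminated. If false, the scope is "abandoned" (see
-<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">
-systemd.scope(5)</link>), and processes are not killed.
-</para>
+[systemd.scope(5)](https://www.freedesktop.org/software/systemd/man/systemd.scope.html#)), and processes are not killed.
 
-<para>
-See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
+See [logind.conf(5)](https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=)
 for more details.
 '';
 };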
+5 -5
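--- a/nixos/modules/system/boot/systemd/tmpfiles.nix
+++ b/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -25,16 +25,16 @@
 default = [];
 example = literalExpression "[ pkgs.lvm2 ]";
 apply = map getLib;
-description = ''
-List of packages containing <command>systemd-tmpfiles</command> rules.
+description = lib.mdDoc ''
+List of packages containing {command}`systemd-tmpfiles` rules.
 
 All files ending in .conf found in
-<filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename>
+{file}`«pkg»/lib/tmpfiles.d`
 will be included.
 If this folder does not exist or does not contain any files an error will be returned instead.
 
-If a <filename>lib</filename> output is available, rules are searched there and only there.
-If there is no <filename>lib</filename> output it will fall back to <filename>out</filename>
+If a {file}`lib` output is available, rules are searched there and only there.
+If there is no {file}`lib` output it will fall back to {file}`out`
 and if that does not exist either, the default output will be used.
 '';
 };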
+3 -3
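--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -25,10 +25,10 @@
 type = types.enum ["switch" "boot"];
 default = "switch";
 example = "boot";
-description = ''
+description = lib.mdDoc ''
 Whether to run
-<literal>nixos-rebuild switch --upgrade</literal> or run
-<literal>nixos-rebuild boot --upgrade</literal>
+`nixos-rebuild switch --upgrade` or run
+`nixos-rebuild boot --upgrade`
 '';
 };
 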
+1 -1
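--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1292,7 +1292,7 @@
 description = ''
 Whether to enable IPv6 Privacy Extensions for interfaces not
 configured explicitly in
-<xref linkend="opt-networking.interfaces._name_.tempAddress" />.
+<xref linkend="opt-networking.interfaces._name_.tempAddress"/>.
 
 This sets the ipv6.conf.*.use_tempaddr sysctl for all
 interfaces. Possible values are: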
+6 -6
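--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -579,11 +579,11 @@
 privateNetwork = mkOption {
 type = types.bool;
 default = false;
-description = ''
+description = lib.mdDoc ''
 Whether to give the container its own private virtual
 Ethernet interface. The interface is called
-<literal>eth0</literal>, and is hooked up to the interface
-<literal>ve-<replaceable>container-name</replaceable></literal>
+`eth0`, and is hooked up to the interface
+`ve-«container-name»`
 on the host. If this option is not set, then the
 container shares the network interfaces of the host,
 and can bind to any port on any interface.
@@ -728,12 +728,12 @@
 };
 }
 '';
-description = ''
+description = lib.mdDoc ''
 A set of NixOS system configurations to be run as lightweight
 containers. Each container appears as a service
-<literal>container-<replaceable>name</replaceable></literal>
+`container-«name»`
 on the host system, allowing it to be started and stopped via
-<command>systemctl</command>.
+{command}`systemctl`.
 '';
 };
 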
+1 -1
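--- a/nixos/modules/virtualisation/podman/default.nix
+++ b/nixos/modules/virtualisation/podman/default.nix
@@ -74,7 +74,7 @@
 
 Podman implements the Docker API.
 
-Users must be in the <code>podman</code> group in order to connect. As
+Users must be in the <literal>podman</literal> group in order to connect. As
 with Docker, members of this group can gain root access.
 '';
 };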
+1 -1
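--- a/nixos/modules/virtualisation/podman/network-socket.nix
+++ b/nixos/modules/virtualisation/podman/network-socket.nix
@@ -22,7 +22,7 @@
 with TLS client certificate authentication.
 
 This allows Docker clients to connect with the equivalents of the Docker
-CLI <code>-H</code> and <code>--tls*</code> family of options.
+CLI <literal>-H</literal> and <literal>--tls*</literal> family of options.
 
 For certificate setup, see https://docs.docker.com/engine/security/protect-access/
 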
+3 -3
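--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -516,12 +516,12 @@
 description =
 ''
 Virtual networks to which the VM is connected. Each
-number <replaceable>N</replaceable> in this list causes
+number «N» in this list causes
 the VM to have a virtual Ethernet interface attached to a
 separate virtual network on which it will be assigned IP
 address
-<literal>192.168.<replaceable>N</replaceable>.<replaceable>M</replaceable></literal>,
-where <replaceable>M</replaceable> is the index of this VM
+<literal>192.168.«N».«M»</literal>,
+where «M» is the index of this VM
 in the list of VMs.
 '';
 };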