commit 93c57a988470c1948976b1bb70abbd5855c5b810 · tjh.dev/nixpkgs

+10 -21

nixos/lib/make-options-doc/default.nix

··· 99 100 optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList); 101 102 - pythonMD = 103 - let 104 - self = (pkgs.python3Minimal.override { 105 - inherit self; 106 - includeSiteCustomize = true; 107 - }); 108 - in self.withPackages (p: [ p.mistune_2_0 ]); 109 - 110 in rec { 111 inherit optionsNix; 112 ··· 124 125 optionsJSON = pkgs.runCommand "options.json" 126 { meta.description = "List of NixOS options in JSON format"; 127 - buildInputs = [ pkgs.brotli pythonMD ]; 128 options = builtins.toFile "options.json" 129 (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix)); 130 - # convert markdown to docbook in its own derivation to cache the 131 - # conversion results. the conversion is surprisingly expensive. 132 - baseJSON = 133 - if baseOptionsJSON != null 134 - then 135 - pkgs.runCommand "base-json-md-converted" { 136 - buildInputs = [ pythonMD ]; 137 - } '' 138 - python ${./mergeJSON.py} ${baseOptionsJSON} <(echo '{}') > $out 139 - '' 140 - else null; 141 } 142 '' 143 # Export list of options in different format. ··· 154 else '' 155 python ${./mergeJSON.py} \ 156 ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \ 157 - $baseJSON $options \ 158 > $dst/options.json 159 '' 160 }

··· 99 100 optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList); 101 102 in rec { 103 inherit optionsNix; 104 ··· 116 117 optionsJSON = pkgs.runCommand "options.json" 118 { meta.description = "List of NixOS options in JSON format"; 119 + buildInputs = [ 120 + pkgs.brotli 121 + (let 122 + self = (pkgs.python3Minimal.override { 123 + inherit self; 124 + includeSiteCustomize = true; 125 + }); 126 + in self.withPackages (p: [ p.mistune_2_0 ])) 127 + ]; 128 options = builtins.toFile "options.json" 129 (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix)); 130 } 131 '' 132 # Export list of options in different format. ··· 143 else '' 144 python ${./mergeJSON.py} \ 145 ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \ 146 + ${baseOptionsJSON} $options \ 147 > $dst/options.json 148 '' 149 }

+120 -117

nixos/lib/make-options-doc/mergeJSON.py

··· 3 import sys 4 from typing import Any, Dict, List 5 6 JSON = Dict[str, Any] 7 8 class Key: ··· 41 result[opt.name] = opt.value 42 return result 43 44 - # converts in-place! 45 - def convertMD(options: Dict[str, Any]) -> str: 46 - import mistune 47 - import re 48 - from xml.sax.saxutils import escape, quoteattr 49 50 - admonitions = { 51 - '.warning': 'warning', 52 - '.important': 'important', 53 - '.note': 'note' 54 - } 55 - class Renderer(mistune.renderers.BaseRenderer): 56 - def __init__(self, path): 57 - self.path = path 58 - def _get_method(self, name): 59 - try: 60 - return super(Renderer, self)._get_method(name) 61 - except AttributeError: 62 - def not_supported(*args, **kwargs): 63 - raise NotImplementedError("md node not supported yet", self.path, name, args, **kwargs) 64 - return not_supported 65 66 - def text(self, text): 67 - return escape(text) 68 - def paragraph(self, text): 69 - return text + "\n\n" 70 - def newline(self): 71 - return "<literallayout>\n</literallayout>" 72 - def codespan(self, text): 73 - return f"<literal>{escape(text)}</literal>" 74 - def block_code(self, text, info=None): 75 - info = f" language={quoteattr(info)}" if info is not None else "" 76 - return f"<programlisting{info}>\n{escape(text)}</programlisting>" 77 - def link(self, link, text=None, title=None): 78 - if link[0:1] == '#': 79 - attr = "linkend" 80 - link = quoteattr(link[1:]) 81 - else: 82 - # try to faithfully reproduce links that were of the form <link href="..."/> 83 - # in docbook format 84 - if text == link: 85 - text = "" 86 - attr = "xlink:href" 87 - link = quoteattr(link) 88 - return f"<link {attr}={link}>{text}</link>" 89 - def list(self, text, ordered, level, start=None): 90 - if ordered: 91 - raise NotImplementedError("ordered lists not supported yet") 92 - return f"<itemizedlist>\n{text}\n</itemizedlist>" 93 - def list_item(self, text, level): 94 - return f"<listitem><para>{text}</para></listitem>\n" 95 - def block_text(self, text): 96 - return text 97 - def emphasis(self, text): 98 - return f"<emphasis>{text}</emphasis>" 99 - def strong(self, text): 100 - return f"<emphasis role=\"strong\">{text}</emphasis>" 101 - def admonition(self, text, kind): 102 - if kind not in admonitions: 103 - raise NotImplementedError(f"admonition {kind} not supported yet") 104 - tag = admonitions[kind] 105 - # we don't keep whitespace here because usually we'll contain only 106 - # a single paragraph and the original docbook string is no longer 107 - # available to restore the trailer. 108 - return f"<{tag}><para>{text.rstrip()}</para></{tag}>" 109 - def block_quote(self, text): 110 - return f"<blockquote><para>{text}</para></blockquote>" 111 - def command(self, text): 112 - return f"<command>{escape(text)}</command>" 113 - def option(self, text): 114 - return f"<option>{escape(text)}</option>" 115 - def file(self, text): 116 - return f"<filename>{escape(text)}</filename>" 117 - def manpage(self, page, section): 118 - title = f"<refentrytitle>{escape(page)}</refentrytitle>" 119 - vol = f"<manvolnum>{escape(section)}</manvolnum>" 120 - return f"<citerefentry>{title}{vol}</citerefentry>" 121 122 - def finalize(self, data): 123 - return "".join(data) 124 - 125 - plugins = [] 126 - 127 COMMAND_PATTERN = r'\{command\}`(.*?)`' 128 - def command(md): 129 - def parse(self, m, state): 130 - return ('command', m.group(1)) 131 - md.inline.register_rule('command', COMMAND_PATTERN, parse) 132 - md.inline.rules.append('command') 133 - plugins.append(command) 134 135 FILE_PATTERN = r'\{file\}`(.*?)`' 136 - def file(md): 137 - def parse(self, m, state): 138 - return ('file', m.group(1)) 139 - md.inline.register_rule('file', FILE_PATTERN, parse) 140 - md.inline.rules.append('file') 141 - plugins.append(file) 142 143 OPTION_PATTERN = r'\{option\}`(.*?)`' 144 - def option(md): 145 - def parse(self, m, state): 146 - return ('option', m.group(1)) 147 - md.inline.register_rule('option', OPTION_PATTERN, parse) 148 - md.inline.rules.append('option') 149 - plugins.append(option) 150 151 MANPAGE_PATTERN = r'\{manpage\}`(.*?)$(.+?)$`' 152 - def manpage(md): 153 - def parse(self, m, state): 154 - return ('manpage', m.group(1), m.group(2)) 155 - md.inline.register_rule('manpage', MANPAGE_PATTERN, parse) 156 - md.inline.rules.append('manpage') 157 - plugins.append(manpage) 158 159 ADMONITION_PATTERN = re.compile(r'^::: \{([^\n]*?)\}\n(.*?)^:::\n', flags=re.MULTILINE|re.DOTALL) 160 - def admonition(md): 161 - def parse(self, m, state): 162 - return { 163 - 'type': 'admonition', 164 - 'children': self.parse(m.group(2), state), 165 - 'params': [ m.group(1) ], 166 - } 167 - md.block.register_rule('admonition', ADMONITION_PATTERN, parse) 168 - md.block.rules.append('admonition') 169 - plugins.append(admonition) 170 171 def convertString(path: str, text: str) -> str: 172 - rendered = mistune.markdown(text, renderer=Renderer(path), plugins=plugins) 173 - # keep trailing spaces so we can diff the generated XML to check for conversion bugs. 174 - return rendered.rstrip() + text[len(text.rstrip()):] 175 176 def optionIs(option: Dict[str, Any], key: str, typ: str) -> bool: 177 if key not in option: return False

··· 3 import sys 4 from typing import Any, Dict, List 5 6 + # for MD conversion 7 + import mistune 8 + import re 9 + from xml.sax.saxutils import escape, quoteattr 10 + 11 JSON = Dict[str, Any] 12 13 class Key: ··· 46 result[opt.name] = opt.value 47 return result 48 49 + admonitions = { 50 + '.warning': 'warning', 51 + '.important': 'important', 52 + '.note': 'note' 53 + } 54 + class Renderer(mistune.renderers.BaseRenderer): 55 + def _get_method(self, name): 56 + try: 57 + return super(Renderer, self)._get_method(name) 58 + except AttributeError: 59 + def not_supported(*args, **kwargs): 60 + raise NotImplementedError("md node not supported yet", name, args, **kwargs) 61 + return not_supported 62 63 + def text(self, text): 64 + return escape(text) 65 + def paragraph(self, text): 66 + return text + "\n\n" 67 + def newline(self): 68 + return "<literallayout>\n</literallayout>" 69 + def codespan(self, text): 70 + return f"<literal>{escape(text)}</literal>" 71 + def block_code(self, text, info=None): 72 + info = f" language={quoteattr(info)}" if info is not None else "" 73 + return f"<programlisting{info}>\n{escape(text)}</programlisting>" 74 + def link(self, link, text=None, title=None): 75 + tag = "link" 76 + if link[0:1] == '#': 77 + if text == "": 78 + tag = "xref" 79 + attr = "linkend" 80 + link = quoteattr(link[1:]) 81 + else: 82 + # try to faithfully reproduce links that were of the form <link href="..."/> 83 + # in docbook format 84 + if text == link: 85 + text = "" 86 + attr = "xlink:href" 87 + link = quoteattr(link) 88 + return f"<{tag} {attr}={link}>{text}</{tag}>" 89 + def list(self, text, ordered, level, start=None): 90 + if ordered: 91 + raise NotImplementedError("ordered lists not supported yet") 92 + return f"<itemizedlist>\n{text}\n</itemizedlist>" 93 + def list_item(self, text, level): 94 + return f"<listitem><para>{text}</para></listitem>\n" 95 + def block_text(self, text): 96 + return text 97 + def emphasis(self, text): 98 + return f"<emphasis>{text}</emphasis>" 99 + def strong(self, text): 100 + return f"<emphasis role=\"strong\">{text}</emphasis>" 101 + def admonition(self, text, kind): 102 + if kind not in admonitions: 103 + raise NotImplementedError(f"admonition {kind} not supported yet") 104 + tag = admonitions[kind] 105 + # we don't keep whitespace here because usually we'll contain only 106 + # a single paragraph and the original docbook string is no longer 107 + # available to restore the trailer. 108 + return f"<{tag}><para>{text.rstrip()}</para></{tag}>" 109 + def block_quote(self, text): 110 + return f"<blockquote><para>{text}</para></blockquote>" 111 + def command(self, text): 112 + return f"<command>{escape(text)}</command>" 113 + def option(self, text): 114 + return f"<option>{escape(text)}</option>" 115 + def file(self, text): 116 + return f"<filename>{escape(text)}</filename>" 117 + def manpage(self, page, section): 118 + title = f"<refentrytitle>{escape(page)}</refentrytitle>" 119 + vol = f"<manvolnum>{escape(section)}</manvolnum>" 120 + return f"<citerefentry>{title}{vol}</citerefentry>" 121 122 + def finalize(self, data): 123 + return "".join(data) 124 125 + def p_command(md): 126 COMMAND_PATTERN = r'\{command\}`(.*?)`' 127 + def parse(self, m, state): 128 + return ('command', m.group(1)) 129 + md.inline.register_rule('command', COMMAND_PATTERN, parse) 130 + md.inline.rules.append('command') 131 132 + def p_file(md): 133 FILE_PATTERN = r'\{file\}`(.*?)`' 134 + def parse(self, m, state): 135 + return ('file', m.group(1)) 136 + md.inline.register_rule('file', FILE_PATTERN, parse) 137 + md.inline.rules.append('file') 138 139 + def p_option(md): 140 OPTION_PATTERN = r'\{option\}`(.*?)`' 141 + def parse(self, m, state): 142 + return ('option', m.group(1)) 143 + md.inline.register_rule('option', OPTION_PATTERN, parse) 144 + md.inline.rules.append('option') 145 146 + def p_manpage(md): 147 MANPAGE_PATTERN = r'\{manpage\}`(.*?)$(.+?)$`' 148 + def parse(self, m, state): 149 + return ('manpage', m.group(1), m.group(2)) 150 + md.inline.register_rule('manpage', MANPAGE_PATTERN, parse) 151 + md.inline.rules.append('manpage') 152 153 + def p_admonition(md): 154 ADMONITION_PATTERN = re.compile(r'^::: \{([^\n]*?)\}\n(.*?)^:::\n', flags=re.MULTILINE|re.DOTALL) 155 + def parse(self, m, state): 156 + return { 157 + 'type': 'admonition', 158 + 'children': self.parse(m.group(2), state), 159 + 'params': [ m.group(1) ], 160 + } 161 + md.block.register_rule('admonition', ADMONITION_PATTERN, parse) 162 + md.block.rules.append('admonition') 163 + 164 + md = mistune.create_markdown(renderer=Renderer(), plugins=[ 165 + p_command, p_file, p_option, p_manpage, p_admonition 166 + ]) 167 168 + # converts in-place! 169 + def convertMD(options: Dict[str, Any]) -> str: 170 def convertString(path: str, text: str) -> str: 171 + try: 172 + rendered = md(text) 173 + # keep trailing spaces so we can diff the generated XML to check for conversion bugs. 174 + return rendered.rstrip() + text[len(text.rstrip()):] 175 + except: 176 + print(f"error in {path}") 177 + raise 178 179 def optionIs(option: Dict[str, Any], key: str, typ: str) -> bool: 180 if key not in option: return False

+3 -4

nixos/modules/config/i18n.nix

··· 71 )) 72 ''; 73 example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"]; 74 - description = '' 75 List of locales that the system should support. The value 76 - <literal>"all"</literal> means that all locales supported by 77 Glibc will be installed. A full list of supported locales 78 - can be found at <link 79 - xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>. 80 ''; 81 }; 82

··· 71 )) 72 ''; 73 example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"]; 74 + description = lib.mdDoc '' 75 List of locales that the system should support. The value 76 + `"all"` means that all locales supported by 77 Glibc will be installed. A full list of supported locales 78 + can be found at <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>. 79 ''; 80 }; 81

+3 -3

nixos/modules/config/resolvconf.nix

··· 83 dnsExtensionMechanism = mkOption { 84 type = types.bool; 85 default = true; 86 - description = '' 87 - Enable the <code>edns0</code> option in <filename>resolv.conf</filename>. With 88 - that option set, <code>glibc</code> supports use of the extension mechanisms for 89 DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC, 90 which does not work without it. 91 '';

··· 83 dnsExtensionMechanism = mkOption { 84 type = types.bool; 85 default = true; 86 + description = lib.mdDoc '' 87 + Enable the `edns0` option in {file}`resolv.conf`. With 88 + that option set, `glibc` supports use of the extension mechanisms for 89 DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC, 90 which does not work without it. 91 '';

+2 -2

nixos/modules/config/shells-environment.nix

··· 109 110 environment.shellAliases = mkOption { 111 example = { l = null; ll = "ls -l"; }; 112 - description = '' 113 An attribute set that maps aliases (the top level attribute names in 114 this option) to command strings or directly to build outputs. The 115 aliases are added to all users' shells. 116 - Aliases mapped to <code>null</code> are ignored. 117 ''; 118 type = with types; attrsOf (nullOr (either str path)); 119 };

··· 109 110 environment.shellAliases = mkOption { 111 example = { l = null; ll = "ls -l"; }; 112 + description = lib.mdDoc '' 113 An attribute set that maps aliases (the top level attribute names in 114 this option) to command strings or directly to build outputs. The 115 aliases are added to all users' shells. 116 + Aliases mapped to `null` are ignored. 117 ''; 118 type = with types; attrsOf (nullOr (either str path)); 119 };

+5 -5

nixos/modules/config/system-environment.nix

··· 16 17 environment.sessionVariables = mkOption { 18 default = {}; 19 - description = '' 20 A set of environment variables used in the global environment. 21 These variables will be set by PAM early in the login process. 22 ··· 25 colon characters. 26 27 Note, due to limitations in the PAM format values may not 28 - contain the <literal>"</literal> character. 29 30 Also, these variables are merged into 31 - <xref linkend="opt-environment.variables"/> and it is 32 therefore not possible to use PAM style variables such as 33 - <code>@{HOME}</code>. 34 ''; 35 type = with types; attrsOf (either str (listOf str)); 36 apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v); ··· 58 Also, these variables are merged into 59 <xref linkend="opt-environment.profileRelativeEnvVars"/> and it is 60 therefore not possible to use PAM style variables such as 61 - <code>@{HOME}</code>. 62 ''; 63 }; 64

··· 16 17 environment.sessionVariables = mkOption { 18 default = {}; 19 + description = lib.mdDoc '' 20 A set of environment variables used in the global environment. 21 These variables will be set by PAM early in the login process. 22 ··· 25 colon characters. 26 27 Note, due to limitations in the PAM format values may not 28 + contain the `"` character. 29 30 Also, these variables are merged into 31 + [](#opt-environment.variables) and it is 32 therefore not possible to use PAM style variables such as 33 + `@{HOME}`. 34 ''; 35 type = with types; attrsOf (either str (listOf str)); 36 apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v); ··· 58 Also, these variables are merged into 59 <xref linkend="opt-environment.profileRelativeEnvVars"/> and it is 60 therefore not possible to use PAM style variables such as 61 + <literal>@{HOME}</literal>. 62 ''; 63 }; 64

+19 -20

nixos/modules/config/users-groups.nix

··· 100 isNormalUser = mkOption { 101 type = types.bool; 102 default = false; 103 - description = '' 104 Indicates whether this is an account for a “real” user. This 105 - automatically sets <option>group</option> to 106 - <literal>users</literal>, <option>createHome</option> to 107 - <literal>true</literal>, <option>home</option> to 108 - <filename>/home/<replaceable>username</replaceable></filename>, 109 - <option>useDefaultShell</option> to <literal>true</literal>, 110 - and <option>isSystemUser</option> to 111 - <literal>false</literal>. 112 - Exactly one of <literal>isNormalUser</literal> and 113 - <literal>isSystemUser</literal> must be true. 114 ''; 115 }; 116 ··· 151 pamMount = mkOption { 152 type = with types; attrsOf str; 153 default = {}; 154 - description = '' 155 Attributes for user's entry in 156 - <filename>pam_mount.conf.xml</filename>. 157 - Useful attributes might include <code>path</code>, 158 - <code>options</code>, <code>fstype</code>, and <code>server</code>. 159 - See <link 160 - xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" /> 161 for more information. 162 ''; 163 }; ··· 167 default = pkgs.shadow; 168 defaultText = literalExpression "pkgs.shadow"; 169 example = literalExpression "pkgs.bashInteractive"; 170 - description = '' 171 The path to the user's shell. Can use shell derivations, 172 - like <literal>pkgs.bashInteractive</literal>. Don’t 173 forget to enable your shell in 174 - <literal>programs</literal> if necessary, 175 - like <code>programs.zsh.enable = true;</code>. 176 ''; 177 }; 178

··· 100 isNormalUser = mkOption { 101 type = types.bool; 102 default = false; 103 + description = lib.mdDoc '' 104 Indicates whether this is an account for a “real” user. This 105 + automatically sets {option}`group` to 106 + `users`, {option}`createHome` to 107 + `true`, {option}`home` to 108 + {file}`/home/«username»`, 109 + {option}`useDefaultShell` to `true`, 110 + and {option}`isSystemUser` to 111 + `false`. 112 + Exactly one of `isNormalUser` and 113 + `isSystemUser` must be true. 114 ''; 115 }; 116 ··· 151 pamMount = mkOption { 152 type = with types; attrsOf str; 153 default = {}; 154 + description = lib.mdDoc '' 155 Attributes for user's entry in 156 + {file}`pam_mount.conf.xml`. 157 + Useful attributes might include `path`, 158 + `options`, `fstype`, and `server`. 159 + See <http://pam-mount.sourceforge.net/pam_mount.conf.5.html> 160 for more information. 161 ''; 162 }; ··· 166 default = pkgs.shadow; 167 defaultText = literalExpression "pkgs.shadow"; 168 example = literalExpression "pkgs.bashInteractive"; 169 + description = lib.mdDoc '' 170 The path to the user's shell. Can use shell derivations, 171 + like `pkgs.bashInteractive`. Don’t 172 forget to enable your shell in 173 + `programs` if necessary, 174 + like `programs.zsh.enable = true;`. 175 ''; 176 }; 177

+1 -1

nixos/modules/config/xdg/portal.nix

··· 33 34 options.xdg.portal = { 35 enable = 36 - mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>" // { 37 default = false; 38 }; 39

··· 33 34 options.xdg.portal = { 35 enable = 36 + mkEnableOption ''<link xlink:href="https://github.com/flatpak/xdg-desktop-portal">xdg desktop integration</link>'' // { 37 default = false; 38 }; 39

+2 -3

nixos/modules/hardware/logitech.nix

··· 32 devices = mkOption { 33 type = types.listOf types.str; 34 default = [ "0a07" "c222" "c225" "c227" "c251" ]; 35 - description = '' 36 List of USB device ids supported by g15daemon. 37 - </para> 38 - <para> 39 You most likely do not need to change this. 40 ''; 41 };

··· 32 devices = mkOption { 33 type = types.listOf types.str; 34 default = [ "0a07" "c222" "c225" "c227" "c251" ]; 35 + description = lib.mdDoc '' 36 List of USB device ids supported by g15daemon. 37 + 38 You most likely do not need to change this. 39 ''; 40 };

+1 -1

nixos/modules/hardware/tuxedo-keyboard.nix

··· 13 14 To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration. 15 There are several parameters you can change. It's best to check at the source code description which options are supported. 16 - You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam" /> 17 18 In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this: 19

··· 13 14 To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration. 15 There are several parameters you can change. It's best to check at the source code description which options are supported. 16 + You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam"/> 17 18 In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this: 19

+6 -6

nixos/modules/hardware/video/uvcvideo/default.nix

··· 34 packages = mkOption { 35 type = types.listOf types.path; 36 example = literalExpression "[ pkgs.tiscamera ]"; 37 - description = '' 38 - List of packages containing <command>uvcvideo</command> dynamic controls 39 rules. All files found in 40 - <filename><replaceable>pkg</replaceable>/share/uvcdynctrl/data</filename> 41 will be included. 42 43 - Note that these will serve as input to the <command>libwebcam</command> 44 - package which through its own <command>udev</command> rule will register 45 - the dynamic controls from specified packages to the <command>uvcvideo</command> 46 driver. 47 ''; 48 apply = map getBin;

··· 34 packages = mkOption { 35 type = types.listOf types.path; 36 example = literalExpression "[ pkgs.tiscamera ]"; 37 + description = lib.mdDoc '' 38 + List of packages containing {command}`uvcvideo` dynamic controls 39 rules. All files found in 40 + {file}`«pkg»/share/uvcdynctrl/data` 41 will be included. 42 43 + Note that these will serve as input to the {command}`libwebcam` 44 + package which through its own {command}`udev` rule will register 45 + the dynamic controls from specified packages to the {command}`uvcvideo` 46 driver. 47 ''; 48 apply = map getBin;

+1 -1

nixos/modules/installer/cd-dvd/iso-image.nix

··· 618 This will be directly appended (without whitespace) to the NixOS version 619 string, like for example if it is set to <literal>XXX</literal>: 620 621 - <para><literal>NixOS 99.99-pre666XXX</literal></para> 622 ''; 623 }; 624

··· 618 This will be directly appended (without whitespace) to the NixOS version 619 string, like for example if it is set to <literal>XXX</literal>: 620 621 + <literal>NixOS 99.99-pre666XXX</literal> 622 ''; 623 }; 624

+22 -22

nixos/modules/misc/nixpkgs.nix

··· 119 example = literalExpression "import <nixpkgs> {}"; 120 description = '' 121 If set, the pkgs argument to all NixOS modules is the value of 122 - this option, extended with <code>nixpkgs.overlays</code>, if 123 - that is also set. Either <code>nixpkgs.crossSystem</code> or 124 - <code>nixpkgs.localSystem</code> will be used in an assertion 125 to check that the NixOS and Nixpkgs architectures match. Any 126 - other options in <code>nixpkgs.*</code>, notably <code>config</code>, 127 will be ignored. 128 129 If unset, the pkgs argument to all NixOS modules is determined ··· 132 The default value imports the Nixpkgs source files 133 relative to the location of this NixOS module, because 134 NixOS and Nixpkgs are distributed together for consistency, 135 - so the <code>nixos</code> in the default value is in fact a 136 - relative path. The <code>config</code>, <code>overlays</code>, 137 - <code>localSystem</code>, and <code>crossSystem</code> come 138 from this option's siblings. 139 140 This option can be used by applications like NixOps to increase 141 the performance of evaluation, or to create packages that depend 142 on a container that should be built with the exact same evaluation 143 of Nixpkgs, for example. Applications like this should set 144 - their default value using <code>lib.mkDefault</code>, so 145 user-provided configuration can override it without using 146 - <code>lib</code>. 147 148 Note that using a distinct version of Nixpkgs with NixOS may 149 be an unexpected source of problems. Use this option with care. ··· 162 details, see the Nixpkgs documentation.) It allows you to set 163 package configuration options. 164 165 - Ignored when <code>nixpkgs.pkgs</code> is set. 166 ''; 167 }; 168 ··· 188 The first argument should be used for finding dependencies, and 189 the second should be used for overriding recipes. 190 191 - If <code>nixpkgs.pkgs</code> is set, overlays specified here 192 will be applied after the overlays that were already present 193 - in <code>nixpkgs.pkgs</code>. 194 ''; 195 }; 196 ··· 205 description = '' 206 Specifies the platform where the NixOS configuration will run. 207 208 - To cross-compile, set also <code>nixpkgs.buildPlatform</code>. 209 210 - Ignored when <code>nixpkgs.pkgs</code> is set. 211 ''; 212 }; 213 ··· 230 or if you're building machines, you can set this to match your 231 development system and/or build farm. 232 233 - Ignored when <code>nixpkgs.pkgs</code> is set. 234 ''; 235 }; 236 ··· 253 use the old options. 254 255 Specifies the platform on which NixOS should be built. When 256 - <code>nixpkgs.crossSystem</code> is unset, it also specifies 257 the platform <emphasis>for</emphasis> which NixOS should be 258 built. If this option is unset, it defaults to the platform 259 type of the machine where evaluation happens. Specifying this ··· 261 deployment, or when building virtual machines. See its 262 description in the Nixpkgs manual for more details. 263 264 - Ignored when <code>nixpkgs.pkgs</code> or <code>hostPlatform</code> is set. 265 ''; 266 }; 267 ··· 279 280 Specifies the platform for which NixOS should be 281 built. Specify this only if it is different from 282 - <code>nixpkgs.localSystem</code>, the platform 283 <emphasis>on</emphasis> which NixOS should be built. In other 284 words, specify this to cross-compile NixOS. Otherwise it 285 should be set as null, the default. See its description in the 286 Nixpkgs manual for more details. 287 288 - Ignored when <code>nixpkgs.pkgs</code> or <code>hostPlatform</code> is set. 289 ''; 290 }; 291 ··· 316 with a recently generated <literal>hardware-configuration.nix</literal>. 317 318 Specifies the Nix platform type on which NixOS should be built. 319 - It is better to specify <code>nixpkgs.localSystem</code> instead. 320 <programlisting> 321 { 322 nixpkgs.system = ..; ··· 328 nixpkgs.localSystem.system = ..; 329 } 330 </programlisting> 331 - See <code>nixpkgs.localSystem</code> for more information. 332 333 - Ignored when <code>nixpkgs.pkgs</code>, <code>nixpkgs.localSystem</code> or <code>nixpkgs.hostPlatform</code> is set. 334 ''; 335 }; 336 };

··· 119 example = literalExpression "import <nixpkgs> {}"; 120 description = '' 121 If set, the pkgs argument to all NixOS modules is the value of 122 + this option, extended with <literal>nixpkgs.overlays</literal>, if 123 + that is also set. Either <literal>nixpkgs.crossSystem</literal> or 124 + <literal>nixpkgs.localSystem</literal> will be used in an assertion 125 to check that the NixOS and Nixpkgs architectures match. Any 126 + other options in <literal>nixpkgs.*</literal>, notably <literal>config</literal>, 127 will be ignored. 128 129 If unset, the pkgs argument to all NixOS modules is determined ··· 132 The default value imports the Nixpkgs source files 133 relative to the location of this NixOS module, because 134 NixOS and Nixpkgs are distributed together for consistency, 135 + so the <literal>nixos</literal> in the default value is in fact a 136 + relative path. The <literal>config</literal>, <literal>overlays</literal>, 137 + <literal>localSystem</literal>, and <literal>crossSystem</literal> come 138 from this option's siblings. 139 140 This option can be used by applications like NixOps to increase 141 the performance of evaluation, or to create packages that depend 142 on a container that should be built with the exact same evaluation 143 of Nixpkgs, for example. Applications like this should set 144 + their default value using <literal>lib.mkDefault</literal>, so 145 user-provided configuration can override it without using 146 + <literal>lib</literal>. 147 148 Note that using a distinct version of Nixpkgs with NixOS may 149 be an unexpected source of problems. Use this option with care. ··· 162 details, see the Nixpkgs documentation.) It allows you to set 163 package configuration options. 164 165 + Ignored when <literal>nixpkgs.pkgs</literal> is set. 166 ''; 167 }; 168 ··· 188 The first argument should be used for finding dependencies, and 189 the second should be used for overriding recipes. 190 191 + If <literal>nixpkgs.pkgs</literal> is set, overlays specified here 192 will be applied after the overlays that were already present 193 + in <literal>nixpkgs.pkgs</literal>. 194 ''; 195 }; 196 ··· 205 description = '' 206 Specifies the platform where the NixOS configuration will run. 207 208 + To cross-compile, set also <literal>nixpkgs.buildPlatform</literal>. 209 210 + Ignored when <literal>nixpkgs.pkgs</literal> is set. 211 ''; 212 }; 213 ··· 230 or if you're building machines, you can set this to match your 231 development system and/or build farm. 232 233 + Ignored when <literal>nixpkgs.pkgs</literal> is set. 234 ''; 235 }; 236 ··· 253 use the old options. 254 255 Specifies the platform on which NixOS should be built. When 256 + <literal>nixpkgs.crossSystem</literal> is unset, it also specifies 257 the platform <emphasis>for</emphasis> which NixOS should be 258 built. If this option is unset, it defaults to the platform 259 type of the machine where evaluation happens. Specifying this ··· 261 deployment, or when building virtual machines. See its 262 description in the Nixpkgs manual for more details. 263 264 + Ignored when <literal>nixpkgs.pkgs</literal> or <literal>hostPlatform</literal> is set. 265 ''; 266 }; 267 ··· 279 280 Specifies the platform for which NixOS should be 281 built. Specify this only if it is different from 282 + <literal>nixpkgs.localSystem</literal>, the platform 283 <emphasis>on</emphasis> which NixOS should be built. In other 284 words, specify this to cross-compile NixOS. Otherwise it 285 should be set as null, the default. See its description in the 286 Nixpkgs manual for more details. 287 288 + Ignored when <literal>nixpkgs.pkgs</literal> or <literal>hostPlatform</literal> is set. 289 ''; 290 }; 291 ··· 316 with a recently generated <literal>hardware-configuration.nix</literal>. 317 318 Specifies the Nix platform type on which NixOS should be built. 319 + It is better to specify <literal>nixpkgs.localSystem</literal> instead. 320 <programlisting> 321 { 322 nixpkgs.system = ..; ··· 328 nixpkgs.localSystem.system = ..; 329 } 330 </programlisting> 331 + See <literal>nixpkgs.localSystem</literal> for more information. 332 333 + Ignored when <literal>nixpkgs.pkgs</literal>, <literal>nixpkgs.localSystem</literal> or <literal>nixpkgs.hostPlatform</literal> is set. 334 ''; 335 }; 336 };

+2 -2

nixos/modules/programs/adb.nix

··· 11 enable = mkOption { 12 default = false; 13 type = types.bool; 14 - description = '' 15 Whether to configure system to use Android Debug Bridge (adb). 16 To grant access to a user, it must be part of adbusers group: 17 - <code>users.users.alice.extraGroups = ["adbusers"];</code> 18 ''; 19 }; 20 };

··· 11 enable = mkOption { 12 default = false; 13 type = types.bool; 14 + description = lib.mdDoc '' 15 Whether to configure system to use Android Debug Bridge (adb). 16 To grant access to a user, it must be part of adbusers group: 17 + `users.users.alice.extraGroups = ["adbusers"];` 18 ''; 19 }; 20 };

+3 -4

nixos/modules/programs/firejail.nix

··· 69 }; 70 } 71 ''; 72 - description = '' 73 Wrap the binaries in firejail and place them in the global path. 74 - </para> 75 - <para> 76 You will get file collisions if you put the actual application binary in 77 the global environment (such as by adding the application package to 78 - <code>environment.systemPackages</code>), and applications started via 79 .desktop files are not wrapped if they specify the absolute path to the 80 binary. 81 '';

··· 69 }; 70 } 71 ''; 72 + description = lib.mdDoc '' 73 Wrap the binaries in firejail and place them in the global path. 74 + 75 You will get file collisions if you put the actual application binary in 76 the global environment (such as by adding the application package to 77 + `environment.systemPackages`), and applications started via 78 .desktop files are not wrapped if they specify the absolute path to the 79 binary. 80 '';

+2 -2

nixos/modules/programs/gphoto2.nix

··· 11 enable = mkOption { 12 default = false; 13 type = types.bool; 14 - description = '' 15 Whether to configure system to use gphoto2. 16 To grant digital camera access to a user, the user must 17 be part of the camera group: 18 - <code>users.users.alice.extraGroups = ["camera"];</code> 19 ''; 20 }; 21 };

··· 11 enable = mkOption { 12 default = false; 13 type = types.bool; 14 + description = lib.mdDoc '' 15 Whether to configure system to use gphoto2. 16 To grant digital camera access to a user, the user must 17 be part of the camera group: 18 + `users.users.alice.extraGroups = ["camera"];` 19 ''; 20 }; 21 };

+1 -1

nixos/modules/programs/kdeconnect.nix

··· 8 Note that it will open the TCP and UDP port from 9 1714 to 1764 as they are needed for it to function properly. 10 You can use the <option>package</option> to use 11 - <code>gnomeExtensions.gsconnect</code> as an alternative 12 implementation if you use Gnome. 13 ''; 14 package = mkOption {

··· 8 Note that it will open the TCP and UDP port from 9 1714 to 1764 as they are needed for it to function properly. 10 You can use the <option>package</option> to use 11 + <literal>gnomeExtensions.gsconnect</literal> as an alternative 12 implementation if you use Gnome. 13 ''; 14 package = mkOption {

+2 -2

nixos/modules/programs/neovim.nix

··· 72 }; 73 } 74 ''; 75 - description = '' 76 Generate your init file from your list of plugins and custom commands. 77 - Neovim will then be wrapped to load <command>nvim -u /nix/store/<replaceable>hash</replaceable>-vimrc</command> 78 ''; 79 }; 80

··· 72 }; 73 } 74 ''; 75 + description = lib.mdDoc '' 76 Generate your init file from your list of plugins and custom commands. 77 + Neovim will then be wrapped to load {command}`nvim -u /nix/store/«hash»-vimrc` 78 ''; 79 }; 80

+9 -9

nixos/modules/programs/nncp.nix

··· 33 secrets = mkOption { 34 type = with types; listOf str; 35 example = [ "/run/keys/nncp.hjson" ]; 36 - description = '' 37 A list of paths to NNCP configuration files that should not be 38 in the Nix store. These files are layered on top of the values at 39 - <xref linkend="opt-programs.nncp.settings"/>. 40 ''; 41 }; 42 43 settings = mkOption { 44 type = settingsFormat.type; 45 - description = '' 46 NNCP configuration, see 47 - <link xlink:href="http://www.nncpgo.org/Configuration.html"/>. 48 At runtime these settings will be overlayed by the contents of 49 - <xref linkend="opt-programs.nncp.secrets"/> into the file 50 - <literal>${nncpCfgFile}</literal>. Node keypairs go in 51 - <literal>secrets</literal>, do not specify them in 52 - <literal>settings</literal> as they will be leaked into 53 - <literal>/nix/store</literal>! 54 ''; 55 default = { }; 56 };

··· 33 secrets = mkOption { 34 type = with types; listOf str; 35 example = [ "/run/keys/nncp.hjson" ]; 36 + description = lib.mdDoc '' 37 A list of paths to NNCP configuration files that should not be 38 in the Nix store. These files are layered on top of the values at 39 + [](#opt-programs.nncp.settings). 40 ''; 41 }; 42 43 settings = mkOption { 44 type = settingsFormat.type; 45 + description = lib.mdDoc '' 46 NNCP configuration, see 47 + <http://www.nncpgo.org/Configuration.html>. 48 At runtime these settings will be overlayed by the contents of 49 + [](#opt-programs.nncp.secrets) into the file 50 + `${nncpCfgFile}`. Node keypairs go in 51 + `secrets`, do not specify them in 52 + `settings` as they will be leaked into 53 + `/nix/store`! 54 ''; 55 default = { }; 56 };

+1 -1

nixos/modules/programs/ssh.nix

··· 95 default = ""; 96 description = '' 97 Extra configuration text prepended to <filename>ssh_config</filename>. Other generated 98 - options will be added after a <code>Host *</code> pattern. 99 See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> 100 for help. 101 '';

··· 95 default = ""; 96 description = '' 97 Extra configuration text prepended to <filename>ssh_config</filename>. Other generated 98 + options will be added after a <literal>Host *</literal> pattern. 99 See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> 100 for help. 101 '';

+1 -1

nixos/modules/programs/sway.nix

··· 39 Sway, the i3-compatible tiling Wayland compositor. You can manually launch 40 Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to 41 ~/.config/sway/config to modify the default configuration. See 42 - <link xlink:href="https://github.com/swaywm/sway/wiki" /> and 43 "man 5 sway" for more information''; 44 45 wrapperFeatures = mkOption {

··· 39 Sway, the i3-compatible tiling Wayland compositor. You can manually launch 40 Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to 41 ~/.config/sway/config to modify the default configuration. See 42 + <link xlink:href="https://github.com/swaywm/sway/wiki"/> and 43 "man 5 sway" for more information''; 44 45 wrapperFeatures = mkOption {

+3 -3

nixos/modules/programs/turbovnc.nix

··· 15 ensureHeadlessSoftwareOpenGL = mkOption { 16 type = types.bool; 17 default = false; 18 - description = '' 19 Whether to set up NixOS such that TurboVNC's built-in software OpenGL 20 implementation works. 21 22 - This will enable <option>hardware.opengl.enable</option> so that OpenGL 23 programs can find Mesa's llvmpipe drivers. 24 25 - Setting this option to <code>false</code> does not mean that software 26 OpenGL won't work; it may still work depending on your system 27 configuration. 28

··· 15 ensureHeadlessSoftwareOpenGL = mkOption { 16 type = types.bool; 17 default = false; 18 + description = lib.mdDoc '' 19 Whether to set up NixOS such that TurboVNC's built-in software OpenGL 20 implementation works. 21 22 + This will enable {option}`hardware.opengl.enable` so that OpenGL 23 programs can find Mesa's llvmpipe drivers. 24 25 + Setting this option to `false` does not mean that software 26 OpenGL won't work; it may still work depending on your system 27 configuration. 28

+4 -4

nixos/modules/security/acme/default.nix

··· 504 reloadServices = mkOption { 505 type = types.listOf types.str; 506 inherit (defaultAndText "reloadServices" []) default defaultText; 507 - description = '' 508 - The list of systemd services to call <code>systemctl try-reload-or-restart</code> 509 on. 510 ''; 511 }; ··· 581 Turns on the OCSP Must-Staple TLS extension. 582 Make sure you know what you're doing! See: 583 <itemizedlist> 584 - <listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem> 585 - <listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem> 586 </itemizedlist> 587 ''; 588 };

··· 504 reloadServices = mkOption { 505 type = types.listOf types.str; 506 inherit (defaultAndText "reloadServices" []) default defaultText; 507 + description = lib.mdDoc '' 508 + The list of systemd services to call `systemctl try-reload-or-restart` 509 on. 510 ''; 511 }; ··· 581 Turns on the OCSP Must-Staple TLS extension. 582 Make sure you know what you're doing! See: 583 <itemizedlist> 584 + <listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/"/></para></listitem> 585 + <listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html"/></para></listitem> 586 </itemizedlist> 587 ''; 588 };

+1 -1

nixos/modules/security/dhparams.nix

··· 61 62 The value is the size (in bits) of the DH params to generate. The 63 generated DH params path can be found in 64 - <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>. 65 66 <note><para>The name of the DH params is taken as being the name of 67 the service it serves and the params will be generated before the

··· 61 62 The value is the size (in bits) of the DH params to generate. The 63 generated DH params path can be found in 64 + <literal>config.security.dhparams.params.«name».path</literal>. 65 66 <note><para>The name of the DH params is taken as being the name of 67 the service it serves and the params will be generated before the

+30 -30

nixos/modules/security/doas.nix

··· 62 wheelNeedsPassword = mkOption { 63 type = with types; bool; 64 default = true; 65 - description = '' 66 - Whether users of the <code>wheel</code> group must provide a password to 67 - run commands as super user via <command>doas</command>. 68 ''; 69 }; 70 71 extraRules = mkOption { 72 default = []; 73 - description = '' 74 Define specific rules to be set in the 75 - <filename>/etc/doas.conf</filename> file. More specific rules should 76 come after more general ones in order to yield the expected behavior. 77 - You can use <code>mkBefore</code> and/or <code>mkAfter</code> to ensure 78 this is the case when configuration options are merged. 79 ''; 80 example = literalExpression '' ··· 113 noPass = mkOption { 114 type = with types; bool; 115 default = false; 116 - description = '' 117 - If <code>true</code>, the user is not required to enter a 118 password. 119 ''; 120 }; ··· 122 noLog = mkOption { 123 type = with types; bool; 124 default = false; 125 - description = '' 126 - If <code>true</code>, successful executions will not be logged 127 to 128 - <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. 129 ''; 130 }; 131 132 persist = mkOption { 133 type = with types; bool; 134 default = false; 135 - description = '' 136 - If <code>true</code>, do not ask for a password again for some 137 time after the user successfully authenticates. 138 ''; 139 }; ··· 141 keepEnv = mkOption { 142 type = with types; bool; 143 default = false; 144 - description = '' 145 - If <code>true</code>, environment variables other than those 146 listed in 147 - <citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry> 148 are kept when creating the environment for the new process. 149 ''; 150 }; ··· 152 setEnv = mkOption { 153 type = with types; listOf str; 154 default = []; 155 - description = '' 156 Keep or set the specified variables. Variables may also be 157 removed with a leading '-' or set using 158 - <code>variable=value</code>. If the first character of 159 - <code>value</code> is a '$', the value to be set is taken from 160 the existing environment variable of the indicated name. This 161 option is processed after the default environment has been 162 created. 163 164 - NOTE: All rules have <code>setenv { SSH_AUTH_SOCK }</code> by 165 - default. To prevent <code>SSH_AUTH_SOCK</code> from being 166 - inherited, add <code>"-SSH_AUTH_SOCK"</code> anywhere in this 167 list. 168 ''; 169 }; ··· 183 runAs = mkOption { 184 type = with types; nullOr str; 185 default = null; 186 - description = '' 187 Which user or group the specified command is allowed to run as. 188 - When set to <code>null</code> (the default), all users are 189 allowed. 190 191 A user can be specified using just the username: 192 - <code>"foo"</code>. It is also possible to only allow running as 193 - a specific group with <code>":bar"</code>. 194 ''; 195 }; 196 197 cmd = mkOption { 198 type = with types; nullOr str; 199 default = null; 200 - description = '' 201 The command the user is allowed to run. When set to 202 - <code>null</code> (the default), all commands are allowed. 203 204 NOTE: It is best practice to specify absolute paths. If a 205 relative path is specified, only a restricted PATH will be ··· 210 args = mkOption { 211 type = with types; nullOr (listOf str); 212 default = null; 213 - description = '' 214 Arguments that must be provided to the command. When set to 215 - <code>[]</code>, the command must be run without any arguments. 216 ''; 217 }; 218 };

··· 62 wheelNeedsPassword = mkOption { 63 type = with types; bool; 64 default = true; 65 + description = lib.mdDoc '' 66 + Whether users of the `wheel` group must provide a password to 67 + run commands as super user via {command}`doas`. 68 ''; 69 }; 70 71 extraRules = mkOption { 72 default = []; 73 + description = lib.mdDoc '' 74 Define specific rules to be set in the 75 + {file}`/etc/doas.conf` file. More specific rules should 76 come after more general ones in order to yield the expected behavior. 77 + You can use `mkBefore` and/or `mkAfter` to ensure 78 this is the case when configuration options are merged. 79 ''; 80 example = literalExpression '' ··· 113 noPass = mkOption { 114 type = with types; bool; 115 default = false; 116 + description = lib.mdDoc '' 117 + If `true`, the user is not required to enter a 118 password. 119 ''; 120 }; ··· 122 noLog = mkOption { 123 type = with types; bool; 124 default = false; 125 + description = lib.mdDoc '' 126 + If `true`, successful executions will not be logged 127 to 128 + {manpage}`syslogd(8)`. 129 ''; 130 }; 131 132 persist = mkOption { 133 type = with types; bool; 134 default = false; 135 + description = lib.mdDoc '' 136 + If `true`, do not ask for a password again for some 137 time after the user successfully authenticates. 138 ''; 139 }; ··· 141 keepEnv = mkOption { 142 type = with types; bool; 143 default = false; 144 + description = lib.mdDoc '' 145 + If `true`, environment variables other than those 146 listed in 147 + {manpage}`doas(1)` 148 are kept when creating the environment for the new process. 149 ''; 150 }; ··· 152 setEnv = mkOption { 153 type = with types; listOf str; 154 default = []; 155 + description = lib.mdDoc '' 156 Keep or set the specified variables. Variables may also be 157 removed with a leading '-' or set using 158 + `variable=value`. If the first character of 159 + `value` is a '$', the value to be set is taken from 160 the existing environment variable of the indicated name. This 161 option is processed after the default environment has been 162 created. 163 164 + NOTE: All rules have `setenv { SSH_AUTH_SOCK }` by 165 + default. To prevent `SSH_AUTH_SOCK` from being 166 + inherited, add `"-SSH_AUTH_SOCK"` anywhere in this 167 list. 168 ''; 169 }; ··· 183 runAs = mkOption { 184 type = with types; nullOr str; 185 default = null; 186 + description = lib.mdDoc '' 187 Which user or group the specified command is allowed to run as. 188 + When set to `null` (the default), all users are 189 allowed. 190 191 A user can be specified using just the username: 192 + `"foo"`. It is also possible to only allow running as 193 + a specific group with `":bar"`. 194 ''; 195 }; 196 197 cmd = mkOption { 198 type = with types; nullOr str; 199 default = null; 200 + description = lib.mdDoc '' 201 The command the user is allowed to run. When set to 202 + `null` (the default), all commands are allowed. 203 204 NOTE: It is best practice to specify absolute paths. If a 205 relative path is specified, only a restricted PATH will be ··· 210 args = mkOption { 211 type = with types; nullOr (listOf str); 212 default = null; 213 + description = lib.mdDoc '' 214 Arguments that must be provided to the command. When set to 215 + `[]`, the command must be run without any arguments. 216 ''; 217 }; 218 };

+2 -2

nixos/modules/security/misc.nix

··· 52 security.allowSimultaneousMultithreading = mkOption { 53 type = types.bool; 54 default = true; 55 - description = '' 56 Whether to allow SMT/hyperthreading. Disabling SMT means that only 57 physical CPU cores will be usable at runtime, potentially at 58 significant performance cost. ··· 62 e.g., shared caches). This attack vector is unproven. 63 64 Disabling SMT is a supplement to the L1 data cache flushing mitigation 65 - (see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>) 66 versus malicious VM guests (SMT could "bring back" previously flushed 67 data). 68 '';

··· 52 security.allowSimultaneousMultithreading = mkOption { 53 type = types.bool; 54 default = true; 55 + description = lib.mdDoc '' 56 Whether to allow SMT/hyperthreading. Disabling SMT means that only 57 physical CPU cores will be usable at runtime, potentially at 58 significant performance cost. ··· 62 e.g., shared caches). This attack vector is unproven. 63 64 Disabling SMT is a supplement to the L1 data cache flushing mitigation 65 + (see [](#opt-security.virtualisation.flushL1DataCache)) 66 versus malicious VM guests (SMT could "bring back" previously flushed 67 data). 68 '';

+50 -61

nixos/modules/security/pam.nix

··· 807 default = config.krb5.enable; 808 defaultText = literalExpression "config.krb5.enable"; 809 type = types.bool; 810 - description = '' 811 - Enables Kerberos PAM modules (<literal>pam-krb5</literal>, 812 - <literal>pam-ccreds</literal>). 813 814 If set, users can authenticate with their Kerberos password. 815 This requires a valid Kerberos configuration 816 - (<literal>config.krb5.enable</literal> should be set to 817 - <literal>true</literal>). 818 819 Note that the Kerberos PAM modules are not necessary when using SSS 820 to handle Kerberos authentication. ··· 826 enable = mkOption { 827 default = false; 828 type = types.bool; 829 - description = '' 830 - Enables P11 PAM (<literal>pam_p11</literal>) module. 831 832 If set, users can log in with SSH keys and PKCS#11 tokens. 833 834 - More information can be found <link 835 - xlink:href="https://github.com/OpenSC/pam_p11">here</link>. 836 ''; 837 }; 838 ··· 859 enable = mkOption { 860 default = false; 861 type = types.bool; 862 - description = '' 863 - Enables U2F PAM (<literal>pam-u2f</literal>) module. 864 865 If set, users listed in 866 - <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or 867 - <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is 868 not set) are able to log in with the associated U2F key. The path can 869 - be changed using <option>security.pam.u2f.authFile</option> option. 870 871 File format is: 872 - <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal> 873 - This file can be generated using <command>pamu2fcfg</command> command. 874 875 - More information can be found <link 876 - xlink:href="https://developers.yubico.com/pam-u2f/">here</link>. 877 ''; 878 }; 879 880 authFile = mkOption { 881 default = null; 882 type = with types; nullOr path; 883 - description = '' 884 - By default <literal>pam-u2f</literal> module reads the keys from 885 - <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or 886 - <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is 887 not set). 888 889 If you want to change auth file locations or centralize database (for 890 - example use <filename>/etc/u2f-mappings</filename>) you can set this 891 option. 892 893 File format is: 894 - <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal> 895 - This file can be generated using <command>pamu2fcfg</command> command. 896 897 - More information can be found <link 898 - xlink:href="https://developers.yubico.com/pam-u2f/">here</link>. 899 ''; 900 }; 901 902 appId = mkOption { 903 default = null; 904 type = with types; nullOr str; 905 - description = '' 906 - By default <literal>pam-u2f</literal> module sets the application 907 - ID to <literal>pam://$HOSTNAME</literal>. 908 909 - When using <command>pamu2fcfg</command>, you can specify your 910 - application ID with the <literal>-i</literal> flag. 911 912 - More information can be found <link 913 - xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html"> 914 - here</link> 915 ''; 916 }; 917 918 origin = mkOption { 919 default = null; 920 type = with types; nullOr str; 921 - description = '' 922 - By default <literal>pam-u2f</literal> module sets the origin 923 - to <literal>pam://$HOSTNAME</literal>. 924 Setting origin to an host independent value will allow you to 925 reuse credentials across machines 926 927 - When using <command>pamu2fcfg</command>, you can specify your 928 - application ID with the <literal>-o</literal> flag. 929 930 - More information can be found <link 931 - xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html"> 932 - here</link> 933 ''; 934 }; 935 ··· 985 enable = mkOption { 986 default = false; 987 type = types.bool; 988 - description = '' 989 - Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module. 990 991 - This is similar to <literal>pam-ssh-agent</literal>, except that 992 the presence of a CA-signed SSH key with a valid principal is checked 993 instead. 994 995 Note that this module must both be enabled using this option and on a 996 - per-PAM-service level as well (using <literal>usshAuth</literal>). 997 998 - More information can be found <link 999 - xlink:href="https://github.com/uber/pam-ussh">here</link>. 1000 ''; 1001 }; 1002 ··· 1075 enable = mkOption { 1076 default = false; 1077 type = types.bool; 1078 - description = '' 1079 - Enables Yubico PAM (<literal>yubico-pam</literal>) module. 1080 1081 If set, users listed in 1082 - <filename>~/.yubico/authorized_yubikeys</filename> 1083 are able to log in with the associated Yubikey tokens. 1084 1085 The file must have only one line: 1086 - <literal>username:yubikey_token_id1:yubikey_token_id2</literal> 1087 - More information can be found <link 1088 - xlink:href="https://developers.yubico.com/yubico-pam/">here</link>. 1089 ''; 1090 }; 1091 control = mkOption { ··· 1120 mode = mkOption { 1121 default = "client"; 1122 type = types.enum [ "client" "challenge-response" ]; 1123 - description = '' 1124 Mode of operation. 1125 1126 Use "client" for online validation with a YubiKey validation service such as ··· 1130 Challenge-Response configurations. See the man-page ykpamcfg(1) for further 1131 details on how to configure offline Challenge-Response validation. 1132 1133 - More information can be found <link 1134 - xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. 1135 ''; 1136 }; 1137 challengeResponsePath = mkOption { 1138 default = null; 1139 type = types.nullOr types.path; 1140 - description = '' 1141 If not null, set the path used by yubico pam module where the challenge expected response is stored. 1142 1143 - More information can be found <link 1144 - xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. 1145 ''; 1146 }; 1147 };

··· 807 default = config.krb5.enable; 808 defaultText = literalExpression "config.krb5.enable"; 809 type = types.bool; 810 + description = lib.mdDoc '' 811 + Enables Kerberos PAM modules (`pam-krb5`, 812 + `pam-ccreds`). 813 814 If set, users can authenticate with their Kerberos password. 815 This requires a valid Kerberos configuration 816 + (`config.krb5.enable` should be set to 817 + `true`). 818 819 Note that the Kerberos PAM modules are not necessary when using SSS 820 to handle Kerberos authentication. ··· 826 enable = mkOption { 827 default = false; 828 type = types.bool; 829 + description = lib.mdDoc '' 830 + Enables P11 PAM (`pam_p11`) module. 831 832 If set, users can log in with SSH keys and PKCS#11 tokens. 833 834 + More information can be found [here](https://github.com/OpenSC/pam_p11). 835 ''; 836 }; 837 ··· 858 enable = mkOption { 859 default = false; 860 type = types.bool; 861 + description = lib.mdDoc '' 862 + Enables U2F PAM (`pam-u2f`) module. 863 864 If set, users listed in 865 + {file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or 866 + {file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is 867 not set) are able to log in with the associated U2F key. The path can 868 + be changed using {option}`security.pam.u2f.authFile` option. 869 870 File format is: 871 + `username:first_keyHandle,first_public_key: second_keyHandle,second_public_key` 872 + This file can be generated using {command}`pamu2fcfg` command. 873 874 + More information can be found [here](https://developers.yubico.com/pam-u2f/). 875 ''; 876 }; 877 878 authFile = mkOption { 879 default = null; 880 type = with types; nullOr path; 881 + description = lib.mdDoc '' 882 + By default `pam-u2f` module reads the keys from 883 + {file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or 884 + {file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is 885 not set). 886 887 If you want to change auth file locations or centralize database (for 888 + example use {file}`/etc/u2f-mappings`) you can set this 889 option. 890 891 File format is: 892 + `username:first_keyHandle,first_public_key: second_keyHandle,second_public_key` 893 + This file can be generated using {command}`pamu2fcfg` command. 894 895 + More information can be found [here](https://developers.yubico.com/pam-u2f/). 896 ''; 897 }; 898 899 appId = mkOption { 900 default = null; 901 type = with types; nullOr str; 902 + description = lib.mdDoc '' 903 + By default `pam-u2f` module sets the application 904 + ID to `pam://$HOSTNAME`. 905 906 + When using {command}`pamu2fcfg`, you can specify your 907 + application ID with the `-i` flag. 908 909 + More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html) 910 ''; 911 }; 912 913 origin = mkOption { 914 default = null; 915 type = with types; nullOr str; 916 + description = lib.mdDoc '' 917 + By default `pam-u2f` module sets the origin 918 + to `pam://$HOSTNAME`. 919 Setting origin to an host independent value will allow you to 920 reuse credentials across machines 921 922 + When using {command}`pamu2fcfg`, you can specify your 923 + application ID with the `-o` flag. 924 925 + More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html) 926 ''; 927 }; 928 ··· 978 enable = mkOption { 979 default = false; 980 type = types.bool; 981 + description = lib.mdDoc '' 982 + Enables Uber's USSH PAM (`pam-ussh`) module. 983 984 + This is similar to `pam-ssh-agent`, except that 985 the presence of a CA-signed SSH key with a valid principal is checked 986 instead. 987 988 Note that this module must both be enabled using this option and on a 989 + per-PAM-service level as well (using `usshAuth`). 990 991 + More information can be found [here](https://github.com/uber/pam-ussh). 992 ''; 993 }; 994 ··· 1067 enable = mkOption { 1068 default = false; 1069 type = types.bool; 1070 + description = lib.mdDoc '' 1071 + Enables Yubico PAM (`yubico-pam`) module. 1072 1073 If set, users listed in 1074 + {file}`~/.yubico/authorized_yubikeys` 1075 are able to log in with the associated Yubikey tokens. 1076 1077 The file must have only one line: 1078 + `username:yubikey_token_id1:yubikey_token_id2` 1079 + More information can be found [here](https://developers.yubico.com/yubico-pam/). 1080 ''; 1081 }; 1082 control = mkOption { ··· 1111 mode = mkOption { 1112 default = "client"; 1113 type = types.enum [ "client" "challenge-response" ]; 1114 + description = lib.mdDoc '' 1115 Mode of operation. 1116 1117 Use "client" for online validation with a YubiKey validation service such as ··· 1121 Challenge-Response configurations. See the man-page ykpamcfg(1) for further 1122 details on how to configure offline Challenge-Response validation. 1123 1124 + More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html). 1125 ''; 1126 }; 1127 challengeResponsePath = mkOption { 1128 default = null; 1129 type = types.nullOr types.path; 1130 + description = lib.mdDoc '' 1131 If not null, set the path used by yubico pam module where the challenge expected response is stored. 1132 1133 + More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html). 1134 ''; 1135 }; 1136 };

+6 -9

nixos/modules/security/pam_mount.nix

··· 31 extraVolumes = mkOption { 32 type = types.listOf types.str; 33 default = []; 34 - description = '' 35 List of volume definitions for pam_mount. 36 - For more information, visit <link 37 - xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. 38 ''; 39 }; 40 ··· 64 type = types.int; 65 default = 0; 66 example = 1; 67 - description = '' 68 Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing, 69 and 2 additionally enables tracing in mount.crypt. The default is 0. 70 - For more information, visit <link 71 - xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. 72 ''; 73 }; 74 75 logoutWait = mkOption { 76 type = types.int; 77 default = 0; 78 - description = '' 79 Amount of microseconds to wait until killing remaining processes after 80 final logout. 81 - For more information, visit <link 82 - xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. 83 ''; 84 }; 85

··· 31 extraVolumes = mkOption { 32 type = types.listOf types.str; 33 default = []; 34 + description = lib.mdDoc '' 35 List of volume definitions for pam_mount. 36 + For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. 37 ''; 38 }; 39 ··· 63 type = types.int; 64 default = 0; 65 example = 1; 66 + description = lib.mdDoc '' 67 Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing, 68 and 2 additionally enables tracing in mount.crypt. The default is 0. 69 + For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. 70 ''; 71 }; 72 73 logoutWait = mkOption { 74 type = types.int; 75 default = 0; 76 + description = lib.mdDoc '' 77 Amount of microseconds to wait until killing remaining processes after 78 final logout. 79 + For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. 80 ''; 81 }; 82

+2 -3

nixos/modules/security/pam_usb.nix

··· 17 enable = mkOption { 18 type = types.bool; 19 default = false; 20 - description = '' 21 Enable USB login for all login systems that support it. For 22 - more information, visit <link 23 - xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />. 24 ''; 25 }; 26

··· 17 enable = mkOption { 18 type = types.bool; 19 default = false; 20 + description = lib.mdDoc '' 21 Enable USB login for all login systems that support it. For 22 + more information, visit <https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users>. 23 ''; 24 }; 25

+11 -11

nixos/modules/security/sudo.nix

··· 55 type = types.bool; 56 default = true; 57 description = 58 - '' 59 - Whether users of the <code>wheel</code> group must 60 - provide a password to run commands as super user via <command>sudo</command>. 61 ''; 62 }; 63 64 security.sudo.execWheelOnly = mkOption { 65 type = types.bool; 66 default = false; 67 - description = '' 68 - Only allow members of the <code>wheel</code> group to execute sudo by 69 setting the executable's permissions accordingly. 70 - This prevents users that are not members of <code>wheel</code> from 71 exploiting vulnerabilities in sudo such as CVE-2021-3156. 72 ''; 73 }; ··· 139 runAs = mkOption { 140 type = with types; str; 141 default = "ALL:ALL"; 142 - description = '' 143 Under which user/group the specified command is allowed to run. 144 145 - A user can be specified using just the username: <code>"foo"</code>. 146 - It is also possible to specify a user/group combination using <code>"foo:bar"</code> 147 - or to only allow running as a specific group with <code>":bar"</code>. 148 ''; 149 }; 150 ··· 159 type = with types; str; 160 description = '' 161 A command being either just a path to a binary to allow any arguments, 162 - the full command with arguments pre-set or with <code>""</code> used as the argument, 163 not allowing arguments to the command at all. 164 ''; 165 };

··· 55 type = types.bool; 56 default = true; 57 description = 58 + lib.mdDoc '' 59 + Whether users of the `wheel` group must 60 + provide a password to run commands as super user via {command}`sudo`. 61 ''; 62 }; 63 64 security.sudo.execWheelOnly = mkOption { 65 type = types.bool; 66 default = false; 67 + description = lib.mdDoc '' 68 + Only allow members of the `wheel` group to execute sudo by 69 setting the executable's permissions accordingly. 70 + This prevents users that are not members of `wheel` from 71 exploiting vulnerabilities in sudo such as CVE-2021-3156. 72 ''; 73 }; ··· 139 runAs = mkOption { 140 type = with types; str; 141 default = "ALL:ALL"; 142 + description = lib.mdDoc '' 143 Under which user/group the specified command is allowed to run. 144 145 + A user can be specified using just the username: `"foo"`. 146 + It is also possible to specify a user/group combination using `"foo:bar"` 147 + or to only allow running as a specific group with `":bar"`. 148 ''; 149 }; 150 ··· 159 type = with types; str; 160 description = '' 161 A command being either just a path to a binary to allow any arguments, 162 + the full command with arguments pre-set or with <literal>""</literal> used as the argument, 163 not allowing arguments to the command at all. 164 ''; 165 };

+3 -3

nixos/modules/services/backup/duplicity.nix

··· 63 <citerefentry><refentrytitle>systemd.exec</refentrytitle> 64 <manvolnum>5</manvolnum></citerefentry>. For example: 65 <programlisting> 66 - PASSPHRASE=<replaceable>...</replaceable> 67 - AWS_ACCESS_KEY_ID=<replaceable>...</replaceable> 68 - AWS_SECRET_ACCESS_KEY=<replaceable>...</replaceable> 69 </programlisting> 70 ''; 71 };

··· 63 <citerefentry><refentrytitle>systemd.exec</refentrytitle> 64 <manvolnum>5</manvolnum></citerefentry>. For example: 65 <programlisting> 66 + PASSPHRASE=«...» 67 + AWS_ACCESS_KEY_ID=«...» 68 + AWS_SECRET_ACCESS_KEY=«...» 69 </programlisting> 70 ''; 71 };

+1 -1

nixos/modules/services/backup/restic.nix

··· 227 type = types.package; 228 default = pkgs.restic; 229 defaultText = literalExpression "pkgs.restic"; 230 - description = '' 231 Restic package to use. 232 ''; 233 };

··· 227 type = types.package; 228 default = pkgs.restic; 229 defaultText = literalExpression "pkgs.restic"; 230 + description = lib.mdDoc '' 231 Restic package to use. 232 ''; 233 };

+3 -3

nixos/modules/services/backup/syncoid.nix

··· 192 target = mkOption { 193 type = types.str; 194 example = "user@server:pool/dataset"; 195 - description = '' 196 Target ZFS dataset. Can be either local 197 - (<replaceable>pool/dataset</replaceable>) or remote 198 - (<replaceable>user@server:pool/dataset</replaceable>). 199 ''; 200 }; 201

··· 192 target = mkOption { 193 type = types.str; 194 example = "user@server:pool/dataset"; 195 + description = lib.mdDoc '' 196 Target ZFS dataset. Can be either local 197 + («pool/dataset») or remote 198 + («user@server:pool/dataset»). 199 ''; 200 }; 201

+2 -3

nixos/modules/services/backup/zrepl.nix

··· 22 23 settings = mkOption { 24 default = { }; 25 - description = '' 26 - Configuration for zrepl. See <link 27 - xlink:href="https://zrepl.github.io/configuration.html"/> 28 for more information. 29 ''; 30 type = types.submodule {

··· 22 23 settings = mkOption { 24 default = { }; 25 + description = lib.mdDoc '' 26 + Configuration for zrepl. See <https://zrepl.github.io/configuration.html> 27 for more information. 28 ''; 29 type = types.submodule {

+2 -3

nixos/modules/services/continuous-integration/github-runner.nix

··· 18 enable = mkOption { 19 default = false; 20 example = true; 21 - description = '' 22 Whether to enable GitHub Actions runner. 23 24 Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: 25 - <link xlink:href="https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners" 26 - >About self-hosted runners</link>. 27 ''; 28 type = lib.types.bool; 29 };

··· 18 enable = mkOption { 19 default = false; 20 example = true; 21 + description = lib.mdDoc '' 22 Whether to enable GitHub Actions runner. 23 24 Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: 25 + [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). 26 ''; 27 type = lib.types.bool; 28 };

+47 -47

nixos/modules/services/continuous-integration/gitlab-runner.nix

··· 113 configFile = mkOption { 114 type = types.nullOr types.path; 115 default = null; 116 - description = '' 117 Configuration file for gitlab-runner. 118 119 - <option>configFile</option> takes precedence over <option>services</option>. 120 - <option>checkInterval</option> and <option>concurrent</option> will be ignored too. 121 122 - This option is deprecated, please use <option>services</option> instead. 123 - You can use <option>registrationConfigFile</option> and 124 - <option>registrationFlags</option> 125 for settings not covered by this module. 126 ''; 127 }; ··· 130 freeformType = (pkgs.formats.json { }).type; 131 }; 132 default = { }; 133 - description = '' 134 Global gitlab-runner configuration. See 135 - <link xlink:href="https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section"/> 136 for supported values. 137 ''; 138 }; 139 gracefulTermination = mkOption { 140 type = types.bool; 141 default = false; 142 - description = '' 143 Finish all remaining jobs before stopping. 144 If not set gitlab-runner will stop immediatly without waiting 145 for jobs to finish, which will lead to failed builds. ··· 149 type = types.str; 150 default = "infinity"; 151 example = "5min 20s"; 152 - description = '' 153 Time to wait until a graceful shutdown is turned into a forceful one. 154 ''; 155 }; ··· 158 default = pkgs.gitlab-runner; 159 defaultText = literalExpression "pkgs.gitlab-runner"; 160 example = literalExpression "pkgs.gitlab-runner_1_11"; 161 - description = "Gitlab Runner package to use."; 162 }; 163 extraPackages = mkOption { 164 type = types.listOf types.package; 165 default = [ ]; 166 - description = '' 167 Extra packages to add to PATH for the gitlab-runner process. 168 ''; 169 }; 170 services = mkOption { 171 - description = "GitLab Runner services."; 172 default = { }; 173 example = literalExpression '' 174 { ··· 250 options = { 251 registrationConfigFile = mkOption { 252 type = types.path; 253 - description = '' 254 Absolute path to a file with environment variables 255 used for gitlab-runner registration. 256 A list of all supported environment variables can be found in 257 - <literal>gitlab-runner register --help</literal>. 258 259 Ones that you probably want to set is 260 261 - <literal>CI_SERVER_URL=<CI server URL></literal> 262 263 - <literal>REGISTRATION_TOKEN=<registration secret></literal> 264 265 WARNING: make sure to use quoted absolute path, 266 or it is going to be copied to Nix Store. ··· 270 type = types.listOf types.str; 271 default = [ ]; 272 example = [ "--docker-helper-image my/gitlab-runner-helper" ]; 273 - description = '' 274 Extra command-line flags passed to 275 - <literal>gitlab-runner register</literal>. 276 - Execute <literal>gitlab-runner register --help</literal> 277 for a list of supported flags. 278 ''; 279 }; ··· 281 type = types.attrsOf types.str; 282 default = { }; 283 example = { NAME = "value"; }; 284 - description = '' 285 Custom environment variables injected to build environment. 286 - For secrets you can use <option>registrationConfigFile</option> 287 - with <literal>RUNNER_ENV</literal> variable set. 288 ''; 289 }; 290 description = mkOption { 291 type = types.nullOr types.str; 292 default = null; 293 - description = '' 294 Name/description of the runner. 295 ''; 296 }; 297 executor = mkOption { 298 type = types.str; 299 default = "docker"; 300 - description = '' 301 Select executor, eg. shell, docker, etc. 302 - See <link xlink:href="https://docs.gitlab.com/runner/executors/README.html">runner documentation</link> for more information. 303 ''; 304 }; 305 buildsDir = mkOption { 306 type = types.nullOr types.path; 307 default = null; 308 example = "/var/lib/gitlab-runner/builds"; 309 - description = '' 310 Absolute path to a directory where builds will be stored 311 in context of selected executor (Locally, Docker, SSH). 312 ''; ··· 315 type = types.nullOr types.str; 316 default = null; 317 example = "http://gitlab.example.local"; 318 - description = '' 319 Overwrite the URL for the GitLab instance. Used if the Runner can’t connect to GitLab on the URL GitLab exposes itself. 320 ''; 321 }; 322 dockerImage = mkOption { 323 type = types.nullOr types.str; 324 default = null; 325 - description = '' 326 Docker image to be used. 327 ''; 328 }; ··· 330 type = types.listOf types.str; 331 default = [ ]; 332 example = [ "/var/run/docker.sock:/var/run/docker.sock" ]; 333 - description = '' 334 Bind-mount a volume and create it 335 if it doesn't exist prior to mounting. 336 ''; ··· 338 dockerDisableCache = mkOption { 339 type = types.bool; 340 default = false; 341 - description = '' 342 Disable all container caching. 343 ''; 344 }; 345 dockerPrivileged = mkOption { 346 type = types.bool; 347 default = false; 348 - description = '' 349 Give extended privileges to container. 350 ''; 351 }; ··· 353 type = types.listOf types.str; 354 default = [ ]; 355 example = [ "other-host:127.0.0.1" ]; 356 - description = '' 357 Add a custom host-to-IP mapping. 358 ''; 359 }; ··· 361 type = types.listOf types.str; 362 default = [ ]; 363 example = [ "ruby:*" "python:*" "php:*" "my.registry.tld:5000/*:*" ]; 364 - description = '' 365 Whitelist allowed images. 366 ''; 367 }; ··· 369 type = types.listOf types.str; 370 default = [ ]; 371 example = [ "postgres:9" "redis:*" "mysql:*" ]; 372 - description = '' 373 Whitelist allowed services. 374 ''; 375 }; 376 preCloneScript = mkOption { 377 type = types.nullOr types.path; 378 default = null; 379 - description = '' 380 Runner-specific command script executed before code is pulled. 381 ''; 382 }; 383 preBuildScript = mkOption { 384 type = types.nullOr types.path; 385 default = null; 386 - description = '' 387 Runner-specific command script executed after code is pulled, 388 just before build executes. 389 ''; ··· 391 postBuildScript = mkOption { 392 type = types.nullOr types.path; 393 default = null; 394 - description = '' 395 Runner-specific command script executed after code is pulled 396 and just after build executes. 397 ''; ··· 399 tagList = mkOption { 400 type = types.listOf types.str; 401 default = [ ]; 402 - description = '' 403 Tag list. 404 ''; 405 }; 406 runUntagged = mkOption { 407 type = types.bool; 408 default = false; 409 - description = '' 410 Register to run untagged builds; defaults to 411 - <literal>true</literal> when <option>tagList</option> is empty. 412 ''; 413 }; 414 limit = mkOption { 415 type = types.int; 416 default = 0; 417 - description = '' 418 Limit how many jobs can be handled concurrently by this service. 419 0 (default) simply means don't limit. 420 ''; ··· 422 requestConcurrency = mkOption { 423 type = types.int; 424 default = 0; 425 - description = '' 426 Limit number of concurrent requests for new jobs from GitLab. 427 ''; 428 }; 429 maximumTimeout = mkOption { 430 type = types.int; 431 default = 0; 432 - description = '' 433 What is the maximum timeout (in seconds) that will be set for 434 job when using this Runner. 0 (default) simply means don't limit. 435 ''; ··· 437 protected = mkOption { 438 type = types.bool; 439 default = false; 440 - description = '' 441 When set to true Runner will only run on pipelines 442 triggered on protected branches. 443 ''; ··· 445 debugTraceDisabled = mkOption { 446 type = types.bool; 447 default = false; 448 - description = '' 449 When set to true Runner will disable the possibility of 450 - using the <literal>CI_DEBUG_TRACE</literal> feature. 451 ''; 452 }; 453 };

··· 113 configFile = mkOption { 114 type = types.nullOr types.path; 115 default = null; 116 + description = lib.mdDoc '' 117 Configuration file for gitlab-runner. 118 119 + {option}`configFile` takes precedence over {option}`services`. 120 + {option}`checkInterval` and {option}`concurrent` will be ignored too. 121 122 + This option is deprecated, please use {option}`services` instead. 123 + You can use {option}`registrationConfigFile` and 124 + {option}`registrationFlags` 125 for settings not covered by this module. 126 ''; 127 }; ··· 130 freeformType = (pkgs.formats.json { }).type; 131 }; 132 default = { }; 133 + description = lib.mdDoc '' 134 Global gitlab-runner configuration. See 135 + <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section> 136 for supported values. 137 ''; 138 }; 139 gracefulTermination = mkOption { 140 type = types.bool; 141 default = false; 142 + description = lib.mdDoc '' 143 Finish all remaining jobs before stopping. 144 If not set gitlab-runner will stop immediatly without waiting 145 for jobs to finish, which will lead to failed builds. ··· 149 type = types.str; 150 default = "infinity"; 151 example = "5min 20s"; 152 + description = lib.mdDoc '' 153 Time to wait until a graceful shutdown is turned into a forceful one. 154 ''; 155 }; ··· 158 default = pkgs.gitlab-runner; 159 defaultText = literalExpression "pkgs.gitlab-runner"; 160 example = literalExpression "pkgs.gitlab-runner_1_11"; 161 + description = lib.mdDoc "Gitlab Runner package to use."; 162 }; 163 extraPackages = mkOption { 164 type = types.listOf types.package; 165 default = [ ]; 166 + description = lib.mdDoc '' 167 Extra packages to add to PATH for the gitlab-runner process. 168 ''; 169 }; 170 services = mkOption { 171 + description = lib.mdDoc "GitLab Runner services."; 172 default = { }; 173 example = literalExpression '' 174 { ··· 250 options = { 251 registrationConfigFile = mkOption { 252 type = types.path; 253 + description = lib.mdDoc '' 254 Absolute path to a file with environment variables 255 used for gitlab-runner registration. 256 A list of all supported environment variables can be found in 257 + `gitlab-runner register --help`. 258 259 Ones that you probably want to set is 260 261 + `CI_SERVER_URL=<CI server URL>` 262 263 + `REGISTRATION_TOKEN=<registration secret>` 264 265 WARNING: make sure to use quoted absolute path, 266 or it is going to be copied to Nix Store. ··· 270 type = types.listOf types.str; 271 default = [ ]; 272 example = [ "--docker-helper-image my/gitlab-runner-helper" ]; 273 + description = lib.mdDoc '' 274 Extra command-line flags passed to 275 + `gitlab-runner register`. 276 + Execute `gitlab-runner register --help` 277 for a list of supported flags. 278 ''; 279 }; ··· 281 type = types.attrsOf types.str; 282 default = { }; 283 example = { NAME = "value"; }; 284 + description = lib.mdDoc '' 285 Custom environment variables injected to build environment. 286 + For secrets you can use {option}`registrationConfigFile` 287 + with `RUNNER_ENV` variable set. 288 ''; 289 }; 290 description = mkOption { 291 type = types.nullOr types.str; 292 default = null; 293 + description = lib.mdDoc '' 294 Name/description of the runner. 295 ''; 296 }; 297 executor = mkOption { 298 type = types.str; 299 default = "docker"; 300 + description = lib.mdDoc '' 301 Select executor, eg. shell, docker, etc. 302 + See [runner documentation](https://docs.gitlab.com/runner/executors/README.html) for more information. 303 ''; 304 }; 305 buildsDir = mkOption { 306 type = types.nullOr types.path; 307 default = null; 308 example = "/var/lib/gitlab-runner/builds"; 309 + description = lib.mdDoc '' 310 Absolute path to a directory where builds will be stored 311 in context of selected executor (Locally, Docker, SSH). 312 ''; ··· 315 type = types.nullOr types.str; 316 default = null; 317 example = "http://gitlab.example.local"; 318 + description = lib.mdDoc '' 319 Overwrite the URL for the GitLab instance. Used if the Runner can’t connect to GitLab on the URL GitLab exposes itself. 320 ''; 321 }; 322 dockerImage = mkOption { 323 type = types.nullOr types.str; 324 default = null; 325 + description = lib.mdDoc '' 326 Docker image to be used. 327 ''; 328 }; ··· 330 type = types.listOf types.str; 331 default = [ ]; 332 example = [ "/var/run/docker.sock:/var/run/docker.sock" ]; 333 + description = lib.mdDoc '' 334 Bind-mount a volume and create it 335 if it doesn't exist prior to mounting. 336 ''; ··· 338 dockerDisableCache = mkOption { 339 type = types.bool; 340 default = false; 341 + description = lib.mdDoc '' 342 Disable all container caching. 343 ''; 344 }; 345 dockerPrivileged = mkOption { 346 type = types.bool; 347 default = false; 348 + description = lib.mdDoc '' 349 Give extended privileges to container. 350 ''; 351 }; ··· 353 type = types.listOf types.str; 354 default = [ ]; 355 example = [ "other-host:127.0.0.1" ]; 356 + description = lib.mdDoc '' 357 Add a custom host-to-IP mapping. 358 ''; 359 }; ··· 361 type = types.listOf types.str; 362 default = [ ]; 363 example = [ "ruby:*" "python:*" "php:*" "my.registry.tld:5000/*:*" ]; 364 + description = lib.mdDoc '' 365 Whitelist allowed images. 366 ''; 367 }; ··· 369 type = types.listOf types.str; 370 default = [ ]; 371 example = [ "postgres:9" "redis:*" "mysql:*" ]; 372 + description = lib.mdDoc '' 373 Whitelist allowed services. 374 ''; 375 }; 376 preCloneScript = mkOption { 377 type = types.nullOr types.path; 378 default = null; 379 + description = lib.mdDoc '' 380 Runner-specific command script executed before code is pulled. 381 ''; 382 }; 383 preBuildScript = mkOption { 384 type = types.nullOr types.path; 385 default = null; 386 + description = lib.mdDoc '' 387 Runner-specific command script executed after code is pulled, 388 just before build executes. 389 ''; ··· 391 postBuildScript = mkOption { 392 type = types.nullOr types.path; 393 default = null; 394 + description = lib.mdDoc '' 395 Runner-specific command script executed after code is pulled 396 and just after build executes. 397 ''; ··· 399 tagList = mkOption { 400 type = types.listOf types.str; 401 default = [ ]; 402 + description = lib.mdDoc '' 403 Tag list. 404 ''; 405 }; 406 runUntagged = mkOption { 407 type = types.bool; 408 default = false; 409 + description = lib.mdDoc '' 410 Register to run untagged builds; defaults to 411 + `true` when {option}`tagList` is empty. 412 ''; 413 }; 414 limit = mkOption { 415 type = types.int; 416 default = 0; 417 + description = lib.mdDoc '' 418 Limit how many jobs can be handled concurrently by this service. 419 0 (default) simply means don't limit. 420 ''; ··· 422 requestConcurrency = mkOption { 423 type = types.int; 424 default = 0; 425 + description = lib.mdDoc '' 426 Limit number of concurrent requests for new jobs from GitLab. 427 ''; 428 }; 429 maximumTimeout = mkOption { 430 type = types.int; 431 default = 0; 432 + description = lib.mdDoc '' 433 What is the maximum timeout (in seconds) that will be set for 434 job when using this Runner. 0 (default) simply means don't limit. 435 ''; ··· 437 protected = mkOption { 438 type = types.bool; 439 default = false; 440 + description = lib.mdDoc '' 441 When set to true Runner will only run on pipelines 442 triggered on protected branches. 443 ''; ··· 445 debugTraceDisabled = mkOption { 446 type = types.bool; 447 default = false; 448 + description = lib.mdDoc '' 449 When set to true Runner will disable the possibility of 450 + using the `CI_DEBUG_TRACE` feature. 451 ''; 452 }; 453 };

+3 -3

nixos/modules/services/databases/firebird.nix

··· 47 defaultText = literalExpression "pkgs.firebird"; 48 type = types.package; 49 example = literalExpression "pkgs.firebird_3"; 50 - description = '' 51 - Which Firebird package to be installed: <code>pkgs.firebird_3</code> 52 - For SuperServer use override: <code>pkgs.firebird_3.override { superServer = true; };</code> 53 ''; 54 }; 55

··· 47 defaultText = literalExpression "pkgs.firebird"; 48 type = types.package; 49 example = literalExpression "pkgs.firebird_3"; 50 + description = lib.mdDoc '' 51 + Which Firebird package to be installed: `pkgs.firebird_3` 52 + For SuperServer use override: `pkgs.firebird_3.override { superServer = true; };` 53 ''; 54 }; 55

+3 -3

nixos/modules/services/databases/mysql.nix

··· 201 ensurePermissions = mkOption { 202 type = types.attrsOf types.str; 203 default = {}; 204 - description = '' 205 Permissions to ensure for the user, specified as attribute set. 206 The attribute names specify the database and tables to grant the permissions for, 207 separated by a dot. You may use wildcards here. ··· 210 211 For more information on how to specify the target 212 and on which privileges exist, see the 213 - <link xlink:href="https://mariadb.com/kb/en/library/grant/">GRANT syntax</link>. 214 - The attributes are used as <code>GRANT ''${attrName} ON ''${attrValue}</code>. 215 ''; 216 example = literalExpression '' 217 {

··· 201 ensurePermissions = mkOption { 202 type = types.attrsOf types.str; 203 default = {}; 204 + description = lib.mdDoc '' 205 Permissions to ensure for the user, specified as attribute set. 206 The attribute names specify the database and tables to grant the permissions for, 207 separated by a dot. You may use wildcards here. ··· 210 211 For more information on how to specify the target 212 and on which privileges exist, see the 213 + [GRANT syntax](https://mariadb.com/kb/en/library/grant/). 214 + The attributes are used as `GRANT ''${attrName} ON ''${attrValue}`. 215 ''; 216 example = literalExpression '' 217 {

+58 -73

nixos/modules/services/databases/neo4j.nix

··· 139 constrainLoadCsv = mkOption { 140 type = types.bool; 141 default = true; 142 - description = '' 143 Sets the root directory for file URLs used with the Cypher 144 - <literal>LOAD CSV</literal> clause to be that defined by 145 - <option>directories.imports</option>. It restricts 146 access to only those files within that directory and its 147 subdirectories. 148 - </para> 149 - <para> 150 - Setting this option to <literal>false</literal> introduces 151 possible security problems. 152 ''; 153 }; ··· 155 defaultListenAddress = mkOption { 156 type = types.str; 157 default = "127.0.0.1"; 158 - description = '' 159 Default network interface to listen for incoming connections. To 160 listen for connections on all interfaces, use "0.0.0.0". 161 - </para> 162 - <para> 163 Specifies the default IP address and address part of connector 164 - specific <option>listenAddress</option> options. To bind specific 165 connectors to a specific network interfaces, specify the entire 166 - <option>listenAddress</option> option for that connector. 167 ''; 168 }; 169 ··· 227 sslPolicy = mkOption { 228 type = types.str; 229 default = "legacy"; 230 - description = '' 231 Neo4j SSL policy for BOLT traffic. 232 - </para> 233 - <para> 234 The legacy policy is a special policy which is not defined in 235 the policy configuration section, but rather derives from 236 - <option>directories.certificates</option> and 237 - associated files (by default: <filename>neo4j.key</filename> and 238 - <filename>neo4j.cert</filename>). Its use will be deprecated. 239 - </para> 240 - <para> 241 Note: This connector must be configured to support/require 242 SSL/TLS for the legacy policy to actually be utilized. See 243 - <option>bolt.tlsLevel</option>. 244 ''; 245 }; 246 ··· 258 type = types.path; 259 default = "${cfg.directories.home}/certificates"; 260 defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"''; 261 - description = '' 262 Directory for storing certificates to be used by Neo4j for 263 TLS connections. 264 - </para> 265 - <para> 266 When setting this directory to something other than its default, 267 ensure the directory's existence, and that read/write permissions are 268 - given to the Neo4j daemon user <literal>neo4j</literal>. 269 - </para> 270 - <para> 271 Note that changing this directory from its default will prevent 272 the directory structure required for each SSL policy from being 273 automatically generated. A policy's directory structure as defined by 274 - its <option>baseDirectory</option>,<option>revokedDir</option> and 275 - <option>trustedDir</option> must then be setup manually. The 276 existence of these directories is mandatory, as well as the presence 277 of the certificate file and the private key. Ensure the correct 278 permissions are set on these directories and files. ··· 283 type = types.path; 284 default = "${cfg.directories.home}/data"; 285 defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"''; 286 - description = '' 287 Path of the data directory. You must not configure more than one 288 Neo4j installation to use the same data directory. 289 - </para> 290 - <para> 291 When setting this directory to something other than its default, 292 ensure the directory's existence, and that read/write permissions are 293 - given to the Neo4j daemon user <literal>neo4j</literal>. 294 ''; 295 }; 296 ··· 309 type = types.path; 310 default = "${cfg.directories.home}/import"; 311 defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"''; 312 - description = '' 313 The root directory for file URLs used with the Cypher 314 - <literal>LOAD CSV</literal> clause. Only meaningful when 315 - <option>constrainLoadCvs</option> is set to 316 - <literal>true</literal>. 317 - </para> 318 - <para> 319 When setting this directory to something other than its default, 320 ensure the directory's existence, and that read permission is 321 - given to the Neo4j daemon user <literal>neo4j</literal>. 322 ''; 323 }; 324 ··· 326 type = types.path; 327 default = "${cfg.directories.home}/plugins"; 328 defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"''; 329 - description = '' 330 Path of the database plugin directory. Compiled Java JAR files that 331 contain database procedures will be loaded if they are placed in 332 this directory. 333 - </para> 334 - <para> 335 When setting this directory to something other than its default, 336 ensure the directory's existence, and that read permission is 337 - given to the Neo4j daemon user <literal>neo4j</literal>. 338 ''; 339 }; 340 }; ··· 386 sslPolicy = mkOption { 387 type = types.str; 388 default = "legacy"; 389 - description = '' 390 Neo4j SSL policy for HTTPS traffic. 391 - </para> 392 - <para> 393 The legacy policy is a special policy which is not defined in the 394 policy configuration section, but rather derives from 395 - <option>directories.certificates</option> and 396 - associated files (by default: <filename>neo4j.key</filename> and 397 - <filename>neo4j.cert</filename>). Its use will be deprecated. 398 ''; 399 }; 400 }; ··· 417 allowKeyGeneration = mkOption { 418 type = types.bool; 419 default = false; 420 - description = '' 421 Allows the generation of a private key and associated self-signed 422 certificate. Only performed when both objects cannot be found for 423 this policy. It is recommended to turn this off again after keys 424 have been generated. 425 - </para> 426 - <para> 427 The public certificate is required to be duplicated to the 428 directory holding trusted certificates as defined by the 429 - <option>trustedDir</option> option. 430 - </para> 431 - <para> 432 Keys should in general be generated and distributed offline by a 433 trusted certificate authority and not by utilizing this mode. 434 ''; ··· 438 type = types.path; 439 default = "${cfg.directories.certificates}/${name}"; 440 defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"''; 441 - description = '' 442 The mandatory base directory for cryptographic objects of this 443 policy. This path is only automatically generated when this 444 - option as well as <option>directories.certificates</option> are 445 left at their default. Ensure read/write permissions are given 446 - to the Neo4j daemon user <literal>neo4j</literal>. 447 - </para> 448 - <para> 449 It is also possible to override each individual 450 configuration with absolute paths. See the 451 - <option>privateKey</option> and <option>publicCertificate</option> 452 policy options. 453 ''; 454 }; ··· 483 publicCertificate = mkOption { 484 type = types.str; 485 default = "public.crt"; 486 - description = '' 487 The name of public X.509 certificate (chain) file in PEM format 488 - for this policy to be found in the <option>baseDirectory</option>, 489 or the absolute path to the certificate file. It is mandatory 490 that a certificate can be found or generated. 491 - </para> 492 - <para> 493 The public certificate is required to be duplicated to the 494 directory holding trusted certificates as defined by the 495 - <option>trustedDir</option> option. 496 ''; 497 }; 498 ··· 536 type = types.path; 537 default = "${config.baseDirectory}/trusted"; 538 defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"''; 539 - description = '' 540 Path to directory of X.509 certificates in PEM format for 541 trusted parties. Must be an absolute path. The existence of this 542 directory is mandatory and will need to be created manually when: 543 setting this option to something other than its default; setting 544 - either this policy's <option>baseDirectory</option> or 545 - <option>directories.certificates</option> to something other than 546 their default. Ensure read/write permissions are given to the 547 - Neo4j daemon user <literal>neo4j</literal>. 548 - </para> 549 - <para> 550 The public certificate as defined by 551 - <option>publicCertificate</option> is required to be duplicated 552 to this directory. 553 ''; 554 };

··· 139 constrainLoadCsv = mkOption { 140 type = types.bool; 141 default = true; 142 + description = lib.mdDoc '' 143 Sets the root directory for file URLs used with the Cypher 144 + `LOAD CSV` clause to be that defined by 145 + {option}`directories.imports`. It restricts 146 access to only those files within that directory and its 147 subdirectories. 148 + 149 + Setting this option to `false` introduces 150 possible security problems. 151 ''; 152 }; ··· 154 defaultListenAddress = mkOption { 155 type = types.str; 156 default = "127.0.0.1"; 157 + description = lib.mdDoc '' 158 Default network interface to listen for incoming connections. To 159 listen for connections on all interfaces, use "0.0.0.0". 160 + 161 Specifies the default IP address and address part of connector 162 + specific {option}`listenAddress` options. To bind specific 163 connectors to a specific network interfaces, specify the entire 164 + {option}`listenAddress` option for that connector. 165 ''; 166 }; 167 ··· 225 sslPolicy = mkOption { 226 type = types.str; 227 default = "legacy"; 228 + description = lib.mdDoc '' 229 Neo4j SSL policy for BOLT traffic. 230 + 231 The legacy policy is a special policy which is not defined in 232 the policy configuration section, but rather derives from 233 + {option}`directories.certificates` and 234 + associated files (by default: {file}`neo4j.key` and 235 + {file}`neo4j.cert`). Its use will be deprecated. 236 + 237 Note: This connector must be configured to support/require 238 SSL/TLS for the legacy policy to actually be utilized. See 239 + {option}`bolt.tlsLevel`. 240 ''; 241 }; 242 ··· 254 type = types.path; 255 default = "${cfg.directories.home}/certificates"; 256 defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"''; 257 + description = lib.mdDoc '' 258 Directory for storing certificates to be used by Neo4j for 259 TLS connections. 260 + 261 When setting this directory to something other than its default, 262 ensure the directory's existence, and that read/write permissions are 263 + given to the Neo4j daemon user `neo4j`. 264 + 265 Note that changing this directory from its default will prevent 266 the directory structure required for each SSL policy from being 267 automatically generated. A policy's directory structure as defined by 268 + its {option}`baseDirectory`,{option}`revokedDir` and 269 + {option}`trustedDir` must then be setup manually. The 270 existence of these directories is mandatory, as well as the presence 271 of the certificate file and the private key. Ensure the correct 272 permissions are set on these directories and files. ··· 277 type = types.path; 278 default = "${cfg.directories.home}/data"; 279 defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"''; 280 + description = lib.mdDoc '' 281 Path of the data directory. You must not configure more than one 282 Neo4j installation to use the same data directory. 283 + 284 When setting this directory to something other than its default, 285 ensure the directory's existence, and that read/write permissions are 286 + given to the Neo4j daemon user `neo4j`. 287 ''; 288 }; 289 ··· 302 type = types.path; 303 default = "${cfg.directories.home}/import"; 304 defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"''; 305 + description = lib.mdDoc '' 306 The root directory for file URLs used with the Cypher 307 + `LOAD CSV` clause. Only meaningful when 308 + {option}`constrainLoadCvs` is set to 309 + `true`. 310 + 311 When setting this directory to something other than its default, 312 ensure the directory's existence, and that read permission is 313 + given to the Neo4j daemon user `neo4j`. 314 ''; 315 }; 316 ··· 318 type = types.path; 319 default = "${cfg.directories.home}/plugins"; 320 defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"''; 321 + description = lib.mdDoc '' 322 Path of the database plugin directory. Compiled Java JAR files that 323 contain database procedures will be loaded if they are placed in 324 this directory. 325 + 326 When setting this directory to something other than its default, 327 ensure the directory's existence, and that read permission is 328 + given to the Neo4j daemon user `neo4j`. 329 ''; 330 }; 331 }; ··· 377 sslPolicy = mkOption { 378 type = types.str; 379 default = "legacy"; 380 + description = lib.mdDoc '' 381 Neo4j SSL policy for HTTPS traffic. 382 + 383 The legacy policy is a special policy which is not defined in the 384 policy configuration section, but rather derives from 385 + {option}`directories.certificates` and 386 + associated files (by default: {file}`neo4j.key` and 387 + {file}`neo4j.cert`). Its use will be deprecated. 388 ''; 389 }; 390 }; ··· 407 allowKeyGeneration = mkOption { 408 type = types.bool; 409 default = false; 410 + description = lib.mdDoc '' 411 Allows the generation of a private key and associated self-signed 412 certificate. Only performed when both objects cannot be found for 413 this policy. It is recommended to turn this off again after keys 414 have been generated. 415 + 416 The public certificate is required to be duplicated to the 417 directory holding trusted certificates as defined by the 418 + {option}`trustedDir` option. 419 + 420 Keys should in general be generated and distributed offline by a 421 trusted certificate authority and not by utilizing this mode. 422 ''; ··· 426 type = types.path; 427 default = "${cfg.directories.certificates}/${name}"; 428 defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"''; 429 + description = lib.mdDoc '' 430 The mandatory base directory for cryptographic objects of this 431 policy. This path is only automatically generated when this 432 + option as well as {option}`directories.certificates` are 433 left at their default. Ensure read/write permissions are given 434 + to the Neo4j daemon user `neo4j`. 435 + 436 It is also possible to override each individual 437 configuration with absolute paths. See the 438 + {option}`privateKey` and {option}`publicCertificate` 439 policy options. 440 ''; 441 }; ··· 470 publicCertificate = mkOption { 471 type = types.str; 472 default = "public.crt"; 473 + description = lib.mdDoc '' 474 The name of public X.509 certificate (chain) file in PEM format 475 + for this policy to be found in the {option}`baseDirectory`, 476 or the absolute path to the certificate file. It is mandatory 477 that a certificate can be found or generated. 478 + 479 The public certificate is required to be duplicated to the 480 directory holding trusted certificates as defined by the 481 + {option}`trustedDir` option. 482 ''; 483 }; 484 ··· 522 type = types.path; 523 default = "${config.baseDirectory}/trusted"; 524 defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"''; 525 + description = lib.mdDoc '' 526 Path to directory of X.509 certificates in PEM format for 527 trusted parties. Must be an absolute path. The existence of this 528 directory is mandatory and will need to be created manually when: 529 setting this option to something other than its default; setting 530 + either this policy's {option}`baseDirectory` or 531 + {option}`directories.certificates` to something other than 532 their default. Ensure read/write permissions are given to the 533 + Neo4j daemon user `neo4j`. 534 + 535 The public certificate as defined by 536 + {option}`publicCertificate` is required to be duplicated 537 to this directory. 538 ''; 539 };

+5 -5

nixos/modules/services/databases/openldap.nix

··· 88 enable = mkOption { 89 type = types.bool; 90 default = false; 91 - description = "Whether to enable the ldap server."; 92 }; 93 94 package = mkOption { ··· 173 configDir = mkOption { 174 type = types.nullOr types.path; 175 default = null; 176 - description = '' 177 Use this config directory instead of generating one from the 178 - <literal>settings</literal> option. Overrides all NixOS settings. 179 ''; 180 example = "/var/lib/openldap/slapd.d"; 181 }; ··· 183 mutableConfig = mkOption { 184 type = types.bool; 185 default = false; 186 - description = '' 187 Whether to allow writable on-line configuration. If 188 - <literal>true</literal>, the NixOS settings will only be used to 189 initialize the OpenLDAP configuration if it does not exist, and are 190 subsequently ignored. 191 '';

··· 88 enable = mkOption { 89 type = types.bool; 90 default = false; 91 + description = lib.mdDoc "Whether to enable the ldap server."; 92 }; 93 94 package = mkOption { ··· 173 configDir = mkOption { 174 type = types.nullOr types.path; 175 default = null; 176 + description = lib.mdDoc '' 177 Use this config directory instead of generating one from the 178 + `settings` option. Overrides all NixOS settings. 179 ''; 180 example = "/var/lib/openldap/slapd.d"; 181 }; ··· 183 mutableConfig = mkOption { 184 type = types.bool; 185 default = false; 186 + description = lib.mdDoc '' 187 Whether to allow writable on-line configuration. If 188 + `true`, the NixOS settings will only be used to 189 initialize the OpenLDAP configuration if it does not exist, and are 190 subsequently ignored. 191 '';

+4 -4

nixos/modules/services/databases/pgmanage.nix

··· 62 nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; 63 mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; 64 }; 65 - description = '' 66 pgmanage requires at least one PostgreSQL server be defined. 67 - </para><para> 68 Detailed information about PostgreSQL connection strings is available at: 69 - <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/> 70 - </para><para> 71 Note that you should not specify your user name or password. That 72 information will be entered on the login screen. If you specify a 73 username or password, it will be removed by pgmanage before attempting to

··· 62 nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; 63 mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; 64 }; 65 + description = lib.mdDoc '' 66 pgmanage requires at least one PostgreSQL server be defined. 67 + 68 Detailed information about PostgreSQL connection strings is available at: 69 + <http://www.postgresql.org/docs/current/static/libpq-connect.html> 70 + 71 Note that you should not specify your user name or password. That 72 information will be entered on the login screen. If you specify a 73 username or password, it will be removed by pgmanage before attempting to

+4 -5

nixos/modules/services/databases/postgresql.nix

··· 81 default = ""; 82 description = '' 83 Defines how users authenticate themselves to the server. See the 84 - <link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html"> 85 - PostgreSQL documentation for pg_hba.conf</link> 86 for details on the expected format of this option. By default, 87 peer based authentication will be used for users connecting 88 via the Unix socket, and md5 password authentication will be ··· 150 ensurePermissions = mkOption { 151 type = types.attrsOf types.str; 152 default = {}; 153 - description = '' 154 Permissions to ensure for the user, specified as an attribute set. 155 The attribute names specify the database and tables to grant the permissions for. 156 The attribute values specify the permissions to grant. You may specify one or ··· 158 159 For more information on how to specify the target 160 and on which privileges exist, see the 161 - <link xlink:href="https://www.postgresql.org/docs/current/sql-grant.html">GRANT syntax</link>. 162 - The attributes are used as <code>GRANT ''${attrValue} ON ''${attrName}</code>. 163 ''; 164 example = literalExpression '' 165 {

··· 81 default = ""; 82 description = '' 83 Defines how users authenticate themselves to the server. See the 84 + <link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">PostgreSQL documentation for pg_hba.conf</link> 85 for details on the expected format of this option. By default, 86 peer based authentication will be used for users connecting 87 via the Unix socket, and md5 password authentication will be ··· 149 ensurePermissions = mkOption { 150 type = types.attrsOf types.str; 151 default = {}; 152 + description = lib.mdDoc '' 153 Permissions to ensure for the user, specified as an attribute set. 154 The attribute names specify the database and tables to grant the permissions for. 155 The attribute values specify the permissions to grant. You may specify one or ··· 157 158 For more information on how to specify the target 159 and on which privileges exist, see the 160 + [GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html). 161 + The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`. 162 ''; 163 example = literalExpression '' 164 {

+4 -4

nixos/modules/services/databases/victoriametrics.nix

··· 28 extraOptions = mkOption { 29 type = types.listOf types.str; 30 default = []; 31 - description = '' 32 - Extra options to pass to VictoriaMetrics. See the README: <link 33 - xlink:href="https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md" /> 34 - or <command>victoriametrics -help</command> for more 35 information. 36 ''; 37 };

··· 28 extraOptions = mkOption { 29 type = types.listOf types.str; 30 default = []; 31 + description = lib.mdDoc '' 32 + Extra options to pass to VictoriaMetrics. See the README: 33 + <https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md> 34 + or {command}`victoriametrics -help` for more 35 information. 36 ''; 37 };

+1 -1

nixos/modules/services/development/zammad.nix

··· 139 ''; 140 description = '' 141 The <filename>database.yml</filename> configuration file as key value set. 142 - See <link xlink:href='TODO' /> 143 for list of configuration parameters. 144 ''; 145 };

··· 139 ''; 140 description = '' 141 The <filename>database.yml</filename> configuration file as key value set. 142 + See <link xlink:href="TODO"/> 143 for list of configuration parameters. 144 ''; 145 };

+3 -1

nixos/modules/services/games/asf.nix

··· 136 }; 137 settings = mkOption { 138 type = types.attrs; 139 - description = "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>."; 140 default = { }; 141 }; 142 };

··· 136 }; 137 settings = mkOption { 138 type = types.attrs; 139 + description = lib.mdDoc '' 140 + Additional settings that are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config). 141 + ''; 142 default = { }; 143 }; 144 };

+7 -7

nixos/modules/services/hardware/kanata.nix

··· 10 device = mkOption { 11 type = types.str; 12 example = "/dev/input/by-id/usb-0000_0000-event-kbd"; 13 - description = "Path to the keyboard device."; 14 }; 15 config = mkOption { 16 type = types.lines; ··· 33 ;; tap within 100ms for capslk, hold more than 100ms for lctl 34 cap (tap-hold 100 100 caps lctl)) 35 ''; 36 - description = '' 37 Configuration other than defcfg. 38 - See <link xlink:href="https://github.com/jtroo/kanata"/> for more information. 39 ''; 40 }; 41 extraDefCfg = mkOption { 42 type = types.lines; 43 default = ""; 44 example = "danger-enable-cmd yes"; 45 - description = '' 46 Configuration of defcfg other than linux-dev. 47 - See <link xlink:href="https://github.com/jtroo/kanata"/> for more information. 48 ''; 49 }; 50 }; ··· 131 default = pkgs.kanata; 132 defaultText = lib.literalExpression "pkgs.kanata"; 133 example = lib.literalExpression "pkgs.kanata-with-cmd"; 134 - description = '' 135 kanata package to use. 136 If you enable danger-enable-cmd, pkgs.kanata-with-cmd should be used. 137 ''; ··· 139 keyboards = mkOption { 140 type = types.attrsOf (types.submodule keyboard); 141 default = { }; 142 - description = "Keyboard configurations."; 143 }; 144 }; 145

··· 10 device = mkOption { 11 type = types.str; 12 example = "/dev/input/by-id/usb-0000_0000-event-kbd"; 13 + description = lib.mdDoc "Path to the keyboard device."; 14 }; 15 config = mkOption { 16 type = types.lines; ··· 33 ;; tap within 100ms for capslk, hold more than 100ms for lctl 34 cap (tap-hold 100 100 caps lctl)) 35 ''; 36 + description = lib.mdDoc '' 37 Configuration other than defcfg. 38 + See <https://github.com/jtroo/kanata> for more information. 39 ''; 40 }; 41 extraDefCfg = mkOption { 42 type = types.lines; 43 default = ""; 44 example = "danger-enable-cmd yes"; 45 + description = lib.mdDoc '' 46 Configuration of defcfg other than linux-dev. 47 + See <https://github.com/jtroo/kanata> for more information. 48 ''; 49 }; 50 }; ··· 131 default = pkgs.kanata; 132 defaultText = lib.literalExpression "pkgs.kanata"; 133 example = lib.literalExpression "pkgs.kanata-with-cmd"; 134 + description = lib.mdDoc '' 135 kanata package to use. 136 If you enable danger-enable-cmd, pkgs.kanata-with-cmd should be used. 137 ''; ··· 139 keyboards = mkOption { 140 type = types.attrsOf (types.submodule keyboard); 141 default = { }; 142 + description = lib.mdDoc "Keyboard configurations."; 143 }; 144 }; 145

+3 -6

nixos/modules/services/hardware/lcd.nix

··· 63 default = false; 64 description = '' 65 Set group-write permissions on a USB device. 66 - </para> 67 - <para> 68 A USB connected LCD panel will most likely require having its 69 permissions modified for lcdd to write to it. Enabling this option 70 sets group-write permissions on the device identified by ··· 72 <option>services.hardware.lcd.usbPid</option>. In order to find the 73 values, you can run the <command>lsusb</command> command. Example 74 output: 75 - </para> 76 - <para> 77 <literal> 78 Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface 79 </literal> 80 - </para> 81 - <para> 82 In this case the vendor id is 0403 and the product id is c630. 83 ''; 84 };

··· 63 default = false; 64 description = '' 65 Set group-write permissions on a USB device. 66 + 67 A USB connected LCD panel will most likely require having its 68 permissions modified for lcdd to write to it. Enabling this option 69 sets group-write permissions on the device identified by ··· 71 <option>services.hardware.lcd.usbPid</option>. In order to find the 72 values, you can run the <command>lsusb</command> command. Example 73 output: 74 + 75 <literal> 76 Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface 77 </literal> 78 + 79 In this case the vendor id is 0403 and the product id is c630. 80 ''; 81 };

+11 -12

nixos/modules/services/hardware/udev.nix

··· 209 packages = mkOption { 210 type = types.listOf types.path; 211 default = []; 212 - description = '' 213 - List of packages containing <command>udev</command> rules. 214 All files found in 215 - <filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and 216 - <filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename> 217 will be included. 218 ''; 219 apply = map getBin; ··· 281 networking.usePredictableInterfaceNames = mkOption { 282 default = true; 283 type = types.bool; 284 - description = '' 285 - Whether to assign <link 286 - xlink:href='http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames'>predictable 287 - names to network interfaces</link>. If enabled, interfaces 288 are assigned names that contain topology information 289 - (e.g. <literal>wlp3s0</literal>) and thus should be stable 290 across reboots. If disabled, names depend on the order in 291 which interfaces are discovered by the kernel, which may 292 change randomly across reboots; for instance, you may find 293 - <literal>eth0</literal> and <literal>eth1</literal> flipping 294 unpredictably. 295 ''; 296 }; ··· 306 307 List of packages containing <command>udev</command> rules that will be copied to stage 1. 308 All files found in 309 - <filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and 310 - <filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename> 311 will be included. 312 ''; 313 };

··· 209 packages = mkOption { 210 type = types.listOf types.path; 211 default = []; 212 + description = lib.mdDoc '' 213 + List of packages containing {command}`udev` rules. 214 All files found in 215 + {file}`«pkg»/etc/udev/rules.d` and 216 + {file}`«pkg»/lib/udev/rules.d` 217 will be included. 218 ''; 219 apply = map getBin; ··· 281 networking.usePredictableInterfaceNames = mkOption { 282 default = true; 283 type = types.bool; 284 + description = lib.mdDoc '' 285 + Whether to assign [predictable names to network interfaces](http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames). 286 + If enabled, interfaces 287 are assigned names that contain topology information 288 + (e.g. `wlp3s0`) and thus should be stable 289 across reboots. If disabled, names depend on the order in 290 which interfaces are discovered by the kernel, which may 291 change randomly across reboots; for instance, you may find 292 + `eth0` and `eth1` flipping 293 unpredictably. 294 ''; 295 }; ··· 305 306 List of packages containing <command>udev</command> rules that will be copied to stage 1. 307 All files found in 308 + <filename>«pkg»/etc/udev/rules.d</filename> and 309 + <filename>«pkg»/lib/udev/rules.d</filename> 310 will be included. 311 ''; 312 };

+11 -12

nixos/modules/services/logging/filebeat.nix

··· 31 }; 32 33 inputs = mkOption { 34 - description = '' 35 Inputs specify how Filebeat locates and processes input data. 36 37 - This is like <literal>services.filebeat.settings.filebeat.inputs</literal>, 38 but structured as an attribute set. This has the benefit 39 that multiple NixOS modules can contribute settings to a 40 single filebeat input. 41 42 An input type can be specified multiple times by choosing a 43 - different <literal><name></literal> for each, but setting 44 - <xref linkend="opt-services.filebeat.inputs._name_.type"/> 45 to the same value. 46 47 - See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html"/>. 48 ''; 49 default = {}; 50 type = types.attrsOf (types.submodule ({ name, ... }: { ··· 77 }; 78 79 modules = mkOption { 80 - description = '' 81 Filebeat modules provide a quick way to get started 82 processing common log formats. They contain default 83 configurations, Elasticsearch ingest pipeline definitions, 84 and Kibana dashboards to help you implement and deploy a log 85 monitoring solution. 86 87 - This is like <literal>services.filebeat.settings.filebeat.modules</literal>, 88 but structured as an attribute set. This has the benefit 89 that multiple NixOS modules can contribute settings to a 90 single filebeat module. 91 92 A module can be specified multiple times by choosing a 93 - different <literal><name></literal> for each, but setting 94 - <xref linkend="opt-services.filebeat.modules._name_.module"/> 95 to the same value. 96 97 - See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html"/>. 98 ''; 99 default = {}; 100 type = types.attrsOf (types.submodule ({ name, ... }: { ··· 161 internal = true; 162 description = '' 163 Inputs specify how Filebeat locates and processes 164 - input data. Use <xref 165 - linkend="opt-services.filebeat.inputs"/> instead. 166 167 See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html"/>. 168 '';

··· 31 }; 32 33 inputs = mkOption { 34 + description = lib.mdDoc '' 35 Inputs specify how Filebeat locates and processes input data. 36 37 + This is like `services.filebeat.settings.filebeat.inputs`, 38 but structured as an attribute set. This has the benefit 39 that multiple NixOS modules can contribute settings to a 40 single filebeat input. 41 42 An input type can be specified multiple times by choosing a 43 + different `<name>` for each, but setting 44 + [](#opt-services.filebeat.inputs._name_.type) 45 to the same value. 46 47 + See <https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html>. 48 ''; 49 default = {}; 50 type = types.attrsOf (types.submodule ({ name, ... }: { ··· 77 }; 78 79 modules = mkOption { 80 + description = lib.mdDoc '' 81 Filebeat modules provide a quick way to get started 82 processing common log formats. They contain default 83 configurations, Elasticsearch ingest pipeline definitions, 84 and Kibana dashboards to help you implement and deploy a log 85 monitoring solution. 86 87 + This is like `services.filebeat.settings.filebeat.modules`, 88 but structured as an attribute set. This has the benefit 89 that multiple NixOS modules can contribute settings to a 90 single filebeat module. 91 92 A module can be specified multiple times by choosing a 93 + different `<name>` for each, but setting 94 + [](#opt-services.filebeat.modules._name_.module) 95 to the same value. 96 97 + See <https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html>. 98 ''; 99 default = {}; 100 type = types.attrsOf (types.submodule ({ name, ... }: { ··· 161 internal = true; 162 description = '' 163 Inputs specify how Filebeat locates and processes 164 + input data. Use <xref linkend="opt-services.filebeat.inputs"/> instead. 165 166 See <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html"/>. 167 '';

+5 -5

nixos/modules/services/logging/logrotate.nix

··· 276 defaultText = '' 277 A configuration file automatically generated by NixOS. 278 ''; 279 - description = '' 280 Override the configuration file used by MySQL. By default, 281 - NixOS generates one automatically from <xref linkend="opt-services.logrotate.settings"/>. 282 ''; 283 example = literalExpression '' 284 pkgs.writeText "logrotate.conf" ''' ··· 346 extraConfig = mkOption { 347 default = ""; 348 type = types.lines; 349 - description = '' 350 Extra contents to append to the logrotate configuration file. Refer to 351 - <link xlink:href="https://linux.die.net/man/8/logrotate"/> for details. 352 This setting has been deprecated in favor of 353 - <link linkend="opt-services.logrotate.settings">logrotate settings</link>. 354 ''; 355 }; 356 };

··· 276 defaultText = '' 277 A configuration file automatically generated by NixOS. 278 ''; 279 + description = lib.mdDoc '' 280 Override the configuration file used by MySQL. By default, 281 + NixOS generates one automatically from [](#opt-services.logrotate.settings). 282 ''; 283 example = literalExpression '' 284 pkgs.writeText "logrotate.conf" ''' ··· 346 extraConfig = mkOption { 347 default = ""; 348 type = types.lines; 349 + description = lib.mdDoc '' 350 Extra contents to append to the logrotate configuration file. Refer to 351 + <https://linux.die.net/man/8/logrotate> for details. 352 This setting has been deprecated in favor of 353 + [logrotate settings](#opt-services.logrotate.settings). 354 ''; 355 }; 356 };

+2 -2

nixos/modules/services/mail/mailman.nix

··· 112 bindPasswordFile = mkOption { 113 type = types.str; 114 example = "/run/secrets/ldap-bind"; 115 - description = '' 116 Path to the file containing the bind password of the servie account 117 - defined by <xref linkend="opt-services.mailman.ldap.bindDn" />. 118 ''; 119 }; 120 superUserGroup = mkOption {

··· 112 bindPasswordFile = mkOption { 113 type = types.str; 114 example = "/run/secrets/ldap-bind"; 115 + description = lib.mdDoc '' 116 Path to the file containing the bind password of the servie account 117 + defined by [](#opt-services.mailman.ldap.bindDn). 118 ''; 119 }; 120 superUserGroup = mkOption {

+6 -6

nixos/modules/services/mail/nullmailer.nix

··· 38 remotesFile = mkOption { 39 type = types.nullOr types.str; 40 default = null; 41 - description = '' 42 - Path to the <code>remotes</code> control file. This file contains a 43 list of remote servers to which to send each message. 44 45 - See <code>man 8 nullmailer-send</code> for syntax and available 46 options. 47 ''; 48 }; ··· 153 remotes = mkOption { 154 type = types.nullOr types.str; 155 default = null; 156 - description = '' 157 A list of remote servers to which to send each message. Each line 158 contains a remote host name or address followed by an optional 159 protocol string, separated by white space. 160 161 - See <code>man 8 nullmailer-send</code> for syntax and available 162 options. 163 164 WARNING: This is stored world-readable in the nix store. If you need 165 to specify any secret credentials here, consider using the 166 - <code>remotesFile</code> option instead. 167 ''; 168 }; 169

··· 38 remotesFile = mkOption { 39 type = types.nullOr types.str; 40 default = null; 41 + description = lib.mdDoc '' 42 + Path to the `remotes` control file. This file contains a 43 list of remote servers to which to send each message. 44 45 + See `man 8 nullmailer-send` for syntax and available 46 options. 47 ''; 48 }; ··· 153 remotes = mkOption { 154 type = types.nullOr types.str; 155 default = null; 156 + description = lib.mdDoc '' 157 A list of remote servers to which to send each message. Each line 158 contains a remote host name or address followed by an optional 159 protocol string, separated by white space. 160 161 + See `man 8 nullmailer-send` for syntax and available 162 options. 163 164 WARNING: This is stored world-readable in the nix store. If you need 165 to specify any secret credentials here, consider using the 166 + `remotesFile` option instead. 167 ''; 168 }; 169

+3 -3

nixos/modules/services/mail/postfixadmin.nix

··· 13 enable = mkOption { 14 type = types.bool; 15 default = false; 16 - description = '' 17 Whether to enable postfixadmin. 18 19 Also enables nginx virtual host management. 20 - Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>. 21 - See <xref linkend="opt-services.nginx.virtualHosts"/> for further information. 22 ''; 23 }; 24

··· 13 enable = mkOption { 14 type = types.bool; 15 default = false; 16 + description = lib.mdDoc '' 17 Whether to enable postfixadmin. 18 19 Also enables nginx virtual host management. 20 + Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`. 21 + See [](#opt-services.nginx.virtualHosts) for further information. 22 ''; 23 }; 24

+5 -5

nixos/modules/services/mail/public-inbox.nix

··· 23 port = mkOption { 24 type = with types; nullOr (either str port); 25 default = defaultPort; 26 - description = '' 27 Listening port. 28 Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not. 29 - Set to null and use <code>systemd.sockets.public-inbox-${proto}d.listenStreams</code> 30 if you need a more advanced listening. 31 ''; 32 }; ··· 239 type = with types; nullOr (either str port); 240 default = 80; 241 example = "/run/public-inbox-httpd.sock"; 242 - description = '' 243 Listening port or systemd's ListenStream= entry 244 to be used as a reverse proxy, eg. in nginx: 245 - <code>locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";</code> 246 - Set to null and use <code>systemd.sockets.public-inbox-httpd.listenStreams</code> 247 if you need a more advanced listening. 248 ''; 249 };

··· 23 port = mkOption { 24 type = with types; nullOr (either str port); 25 default = defaultPort; 26 + description = lib.mdDoc '' 27 Listening port. 28 Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not. 29 + Set to null and use `systemd.sockets.public-inbox-${proto}d.listenStreams` 30 if you need a more advanced listening. 31 ''; 32 }; ··· 239 type = with types; nullOr (either str port); 240 default = 80; 241 example = "/run/public-inbox-httpd.sock"; 242 + description = lib.mdDoc '' 243 Listening port or systemd's ListenStream= entry 244 to be used as a reverse proxy, eg. in nginx: 245 + `locations."/inbox".proxyPass = "http://unix:''${config.services.public-inbox.http.port}:/inbox";` 246 + Set to null and use `systemd.sockets.public-inbox-httpd.listenStreams` 247 if you need a more advanced listening. 248 ''; 249 };

+5 -5

nixos/modules/services/mail/roundcube.nix

··· 14 enable = mkOption { 15 type = types.bool; 16 default = false; 17 - description = '' 18 Whether to enable roundcube. 19 20 Also enables nginx virtual host management. 21 - Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>. 22 - See <xref linkend="opt-services.nginx.virtualHosts"/> for further information. 23 ''; 24 }; 25 ··· 99 maxAttachmentSize = mkOption { 100 type = types.int; 101 default = 18; 102 - description = '' 103 The maximum attachment size in MB. 104 105 Note: Since roundcube only uses 70% of max upload values configured in php 106 - 30% is added automatically to <xref linkend="opt-services.roundcube.maxAttachmentSize"/>. 107 ''; 108 apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.3)}M"; 109 };

··· 14 enable = mkOption { 15 type = types.bool; 16 default = false; 17 + description = lib.mdDoc '' 18 Whether to enable roundcube. 19 20 Also enables nginx virtual host management. 21 + Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`. 22 + See [](#opt-services.nginx.virtualHosts) for further information. 23 ''; 24 }; 25 ··· 99 maxAttachmentSize = mkOption { 100 type = types.int; 101 default = 18; 102 + description = lib.mdDoc '' 103 The maximum attachment size in MB. 104 105 Note: Since roundcube only uses 70% of max upload values configured in php 106 + 30% is added automatically to [](#opt-services.roundcube.maxAttachmentSize). 107 ''; 108 apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.3)}M"; 109 };

+9 -9

nixos/modules/services/mail/sympa.nix

··· 86 type = str; 87 default = "en_US"; 88 example = "cs"; 89 - description = '' 90 Default Sympa language. 91 - See <link xlink:href='https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa' /> 92 for available options. 93 ''; 94 }; ··· 136 example = { 137 default_max_list_members = 3; 138 }; 139 - description = '' 140 - The <filename>robot.conf</filename> configuration file as key value set. 141 - See <link xlink:href='https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html' /> 142 for list of configuration parameters. 143 ''; 144 }; ··· 242 description = '' 243 The webserver used for the Sympa web interface. Set it to `none` if you want to configure it yourself. 244 Further nginx configuration can be done by adapting 245 - <option>services.nginx.virtualHosts.<replaceable>name</replaceable></option>. 246 ''; 247 }; 248 ··· 285 viewlogs_page_size = 50; 286 } 287 ''; 288 - description = '' 289 - The <filename>sympa.conf</filename> configuration file as key value set. 290 - See <link xlink:href='https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html' /> 291 for list of configuration parameters. 292 ''; 293 };

··· 86 type = str; 87 default = "en_US"; 88 example = "cs"; 89 + description = lib.mdDoc '' 90 Default Sympa language. 91 + See <https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa> 92 for available options. 93 ''; 94 }; ··· 136 example = { 137 default_max_list_members = 3; 138 }; 139 + description = lib.mdDoc '' 140 + The {file}`robot.conf` configuration file as key value set. 141 + See <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html> 142 for list of configuration parameters. 143 ''; 144 }; ··· 242 description = '' 243 The webserver used for the Sympa web interface. Set it to `none` if you want to configure it yourself. 244 Further nginx configuration can be done by adapting 245 + <option>services.nginx.virtualHosts.«name»</option>. 246 ''; 247 }; 248 ··· 285 viewlogs_page_size = 50; 286 } 287 ''; 288 + description = lib.mdDoc '' 289 + The {file}`sympa.conf` configuration file as key value set. 290 + See <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html> 291 for list of configuration parameters. 292 ''; 293 };

+5 -12

nixos/modules/services/matrix/appservice-discord.nix

··· 40 }; 41 } 42 ''; 43 - description = '' 44 - <filename>config.yaml</filename> configuration as a Nix attribute set. 45 - </para> 46 47 - <para> 48 Configuration options should match those described in 49 - <link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml"> 50 - config.sample.yaml</link>. 51 - </para> 52 53 - <para> 54 - <option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option> 55 should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work. 56 - </para> 57 58 - <para> 59 - Secret tokens should be specified using <option>environmentFile</option> 60 instead of this world-readable attribute set. 61 ''; 62 };

··· 40 }; 41 } 42 ''; 43 + description = lib.mdDoc '' 44 + {file}`config.yaml` configuration as a Nix attribute set. 45 46 Configuration options should match those described in 47 + [config.sample.yaml](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml). 48 49 + {option}`config.bridge.domain` and {option}`config.bridge.homeserverUrl` 50 should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work. 51 52 + Secret tokens should be specified using {option}`environmentFile` 53 instead of this world-readable attribute set. 54 ''; 55 };

+4 -7

nixos/modules/services/matrix/mautrix-facebook.nix

··· 75 }; 76 } 77 ''; 78 - description = '' 79 - <filename>config.yaml</filename> configuration as a Nix attribute set. 80 Configuration options should match those described in 81 - <link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml"> 82 - example-config.yaml</link>. 83 - </para> 84 85 - <para> 86 - Secret tokens should be specified using <option>environmentFile</option> 87 instead of this world-readable attribute set. 88 ''; 89 };

··· 75 }; 76 } 77 ''; 78 + description = lib.mdDoc '' 79 + {file}`config.yaml` configuration as a Nix attribute set. 80 Configuration options should match those described in 81 + [example-config.yaml](https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml). 82 83 + Secret tokens should be specified using {option}`environmentFile` 84 instead of this world-readable attribute set. 85 ''; 86 };

+4 -7

nixos/modules/services/matrix/mautrix-telegram.nix

··· 78 }; 79 } 80 ''; 81 - description = '' 82 - <filename>config.yaml</filename> configuration as a Nix attribute set. 83 Configuration options should match those described in 84 - <link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml"> 85 - example-config.yaml</link>. 86 - </para> 87 88 - <para> 89 - Secret tokens should be specified using <option>environmentFile</option> 90 instead of this world-readable attribute set. 91 ''; 92 };

··· 78 }; 79 } 80 ''; 81 + description = lib.mdDoc '' 82 + {file}`config.yaml` configuration as a Nix attribute set. 83 Configuration options should match those described in 84 + [example-config.yaml](https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml). 85 86 + Secret tokens should be specified using {option}`environmentFile` 87 instead of this world-readable attribute set. 88 ''; 89 };

+4 -4

nixos/modules/services/misc/autorandr.nix

··· 27 options = { 28 fingerprint = mkOption { 29 type = types.attrsOf types.str; 30 - description = '' 31 Output name to EDID mapping. 32 - Use <code>autorandr --fingerprint</code> to get current setup values. 33 ''; 34 default = { }; 35 }; ··· 154 }); 155 description = '' 156 Output scale configuration. 157 - </para><para> 158 Either configure by pixels or a scaling factor. When using pixel method the 159 <citerefentry> 160 <refentrytitle>xrandr</refentrytitle> ··· 165 will be used; when using factor method the option 166 <parameter class="command">--scale</parameter> 167 will be used. 168 - </para><para> 169 This option is a shortcut version of the transform option and they are mutually 170 exclusive. 171 '';

··· 27 options = { 28 fingerprint = mkOption { 29 type = types.attrsOf types.str; 30 + description = lib.mdDoc '' 31 Output name to EDID mapping. 32 + Use `autorandr --fingerprint` to get current setup values. 33 ''; 34 default = { }; 35 }; ··· 154 }); 155 description = '' 156 Output scale configuration. 157 + 158 Either configure by pixels or a scaling factor. When using pixel method the 159 <citerefentry> 160 <refentrytitle>xrandr</refentrytitle> ··· 165 will be used; when using factor method the option 166 <parameter class="command">--scale</parameter> 167 will be used. 168 + 169 This option is a shortcut version of the transform option and they are mutually 170 exclusive. 171 '';

+5 -8

nixos/modules/services/misc/bees.nix

··· 11 fsOptions = with types; { 12 options.spec = mkOption { 13 type = str; 14 - description = '' 15 Description of how to identify the filesystem to be duplicated by this 16 instance of bees. Note that deduplication crosses subvolumes; one must 17 not configure multiple instances for subvolumes of the same filesystem 18 (or block devices which are part of the same filesystem), but only for 19 completely independent btrfs filesystems. 20 - </para> 21 - <para> 22 This must be in a format usable by findmnt; that could be a key=value 23 pair, or a bare path to a mount point. 24 Using bare paths will allow systemd to start the beesd service only ··· 29 options.hashTableSizeMB = mkOption { 30 type = types.addCheck types.int (n: mod n 16 == 0); 31 default = 1024; # 1GB; default from upstream beesd script 32 - description = '' 33 Hash table size in MB; must be a multiple of 16. 34 - </para> 35 - <para> 36 A larger ratio of index size to storage size means smaller blocks of 37 duplicate content are recognized. 38 - </para> 39 - <para> 40 If you have 1TB of data, a 4GB hash table (which is to say, a value of 41 4096) will permit 4KB extents (the smallest possible size) to be 42 recognized, whereas a value of 1024 -- creating a 1GB hash table --

··· 11 fsOptions = with types; { 12 options.spec = mkOption { 13 type = str; 14 + description = lib.mdDoc '' 15 Description of how to identify the filesystem to be duplicated by this 16 instance of bees. Note that deduplication crosses subvolumes; one must 17 not configure multiple instances for subvolumes of the same filesystem 18 (or block devices which are part of the same filesystem), but only for 19 completely independent btrfs filesystems. 20 + 21 This must be in a format usable by findmnt; that could be a key=value 22 pair, or a bare path to a mount point. 23 Using bare paths will allow systemd to start the beesd service only ··· 28 options.hashTableSizeMB = mkOption { 29 type = types.addCheck types.int (n: mod n 16 == 0); 30 default = 1024; # 1GB; default from upstream beesd script 31 + description = lib.mdDoc '' 32 Hash table size in MB; must be a multiple of 16. 33 + 34 A larger ratio of index size to storage size means smaller blocks of 35 duplicate content are recognized. 36 + 37 If you have 1TB of data, a 4GB hash table (which is to say, a value of 38 4096) will permit 4KB extents (the smallest possible size) to be 39 recognized, whereas a value of 1024 -- creating a 1GB hash table --

+2 -2

nixos/modules/services/misc/etcd.nix

··· 125 }; 126 127 extraConf = mkOption { 128 - description = '' 129 Etcd extra configuration. See 130 - <link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags' /> 131 ''; 132 type = types.attrsOf types.str; 133 default = {};

··· 125 }; 126 127 extraConf = mkOption { 128 + description = lib.mdDoc '' 129 Etcd extra configuration. See 130 + <https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags> 131 ''; 132 type = types.attrsOf types.str; 133 default = {};

+2 -2

nixos/modules/services/misc/etebase-server.nix

··· 135 default = {}; 136 description = '' 137 Configuration for <package>etebase-server</package>. Refer to 138 - <link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example" /> 139 - and <link xlink:href="https://github.com/etesync/server/wiki" /> 140 for details on supported values. 141 ''; 142 example = {

··· 135 default = {}; 136 description = '' 137 Configuration for <package>etebase-server</package>. Refer to 138 + <link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example"/> 139 + and <link xlink:href="https://github.com/etesync/server/wiki"/> 140 for details on supported values. 141 ''; 142 example = {

+2 -3

nixos/modules/services/misc/geoipupdate.nix

··· 40 description = '' 41 <productname>geoipupdate</productname> configuration 42 options. See 43 - <link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md" /> 44 for a full list of available options. 45 46 Settings containing secret data should be set to an ··· 92 93 Always handled as a secret whether the value is 94 wrapped in a <literal>{ _secret = ...; }</literal> 95 - attrset or not (refer to <xref 96 - linkend="opt-services.geoipupdate.settings" /> for 97 details). 98 ''; 99 apply = x: if isAttrs x then x else { _secret = x; };

··· 40 description = '' 41 <productname>geoipupdate</productname> configuration 42 options. See 43 + <link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md"/> 44 for a full list of available options. 45 46 Settings containing secret data should be set to an ··· 92 93 Always handled as a secret whether the value is 94 wrapped in a <literal>{ _secret = ...; }</literal> 95 + attrset or not (refer to <xref linkend="opt-services.geoipupdate.settings"/> for 96 details). 97 ''; 98 apply = x: if isAttrs x then x else { _secret = x; };

+1 -1

nixos/modules/services/misc/klipper.nix

··· 71 }; 72 73 firmwares = mkOption { 74 - description = "Firmwares klipper should manage"; 75 default = { }; 76 type = with types; attrsOf 77 (submodule {

··· 71 }; 72 73 firmwares = mkOption { 74 + description = lib.mdDoc "Firmwares klipper should manage"; 75 default = { }; 76 type = with types; attrsOf 77 (submodule {

+2 -4

nixos/modules/services/misc/nix-daemon.nix

··· 636 <manvolnum>5</manvolnum> 637 </citerefentry> for avalaible options. 638 The value declared here will be translated directly to the key-value pairs Nix expects. 639 - </para> 640 - <para> 641 You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command> 642 to view the current value. By default it is empty. 643 - </para> 644 - <para> 645 Nix configurations defined under <option>nix.*</option> will be translated and applied to this 646 option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended 647 verbatim to the resulting config file.

··· 636 <manvolnum>5</manvolnum> 637 </citerefentry> for avalaible options. 638 The value declared here will be translated directly to the key-value pairs Nix expects. 639 + 640 You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command> 641 to view the current value. By default it is empty. 642 + 643 Nix configurations defined under <option>nix.*</option> will be translated and applied to this 644 option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended 645 verbatim to the resulting config file.

+2 -2

nixos/modules/services/misc/persistent-evdev.nix

··· 22 Physical devices should already exist in <filename class="devicefile">/dev/input/by-id/</filename>. 23 Proxy devices will be automatically given a <literal>uinput-</literal> prefix. 24 25 - See the <link xlink:href="https://github.com/aiberia/persistent-evdev#example-usage-with-libvirt"> 26 - project page</link> for example configuration of virtual devices with libvirt 27 and remember to add <literal>uinput-*</literal> devices to the qemu 28 <literal>cgroup_device_acl</literal> list (see <xref linkend="opt-virtualisation.libvirtd.qemu.verbatimConfig"/>). 29 '';

··· 22 Physical devices should already exist in <filename class="devicefile">/dev/input/by-id/</filename>. 23 Proxy devices will be automatically given a <literal>uinput-</literal> prefix. 24 25 + See the <link xlink:href="https://github.com/aiberia/persistent-evdev#example-usage-with-libvirt">project page</link> 26 + for example configuration of virtual devices with libvirt 27 and remember to add <literal>uinput-*</literal> devices to the qemu 28 <literal>cgroup_device_acl</literal> list (see <xref linkend="opt-virtualisation.libvirtd.qemu.verbatimConfig"/>). 29 '';

+5 -5

nixos/modules/services/misc/sourcehut/default.nix

··· 180 network-key = mkOption { 181 description = '' 182 An absolute file path (which should be outside the Nix-store) 183 - to a secret key to encrypt internal messages with. Use <code>srht-keygen network</code> to 184 generate this key. It must be consistent between all services and nodes. 185 ''; 186 type = types.path; ··· 209 service-key = mkOption { 210 description = '' 211 An absolute file path (which should be outside the Nix-store) 212 - to a key used for encrypting session cookies. Use <code>srht-keygen service</code> to 213 generate the service key. This must be shared between each node of the same 214 service (e.g. git1.sr.ht and git2.sr.ht), but different services may use 215 different keys. If you configure all of your services with the same ··· 252 253 Your PGP key information (DO NOT mix up pub and priv here) 254 You must remove the password from your secret key, if present. 255 - You can do this with <code>gpg --edit-key [key-id]</code>, 256 - then use the <code>passwd</code> command and do not enter a new password. 257 ''; 258 }; 259 pgp-pubkey = mkOption { ··· 294 This should be consistent for all *.sr.ht sites, 295 as this key will be used to verify signatures 296 from other sites in your network. 297 - Use the <code>srht-keygen webhook</code> command to generate a key. 298 ''; 299 type = types.path; 300 apply = s: "<" + toString s;

··· 180 network-key = mkOption { 181 description = '' 182 An absolute file path (which should be outside the Nix-store) 183 + to a secret key to encrypt internal messages with. Use <literal>srht-keygen network</literal> to 184 generate this key. It must be consistent between all services and nodes. 185 ''; 186 type = types.path; ··· 209 service-key = mkOption { 210 description = '' 211 An absolute file path (which should be outside the Nix-store) 212 + to a key used for encrypting session cookies. Use <literal>srht-keygen service</literal> to 213 generate the service key. This must be shared between each node of the same 214 service (e.g. git1.sr.ht and git2.sr.ht), but different services may use 215 different keys. If you configure all of your services with the same ··· 252 253 Your PGP key information (DO NOT mix up pub and priv here) 254 You must remove the password from your secret key, if present. 255 + You can do this with <literal>gpg --edit-key [key-id]</literal>, 256 + then use the <literal>passwd</literal> command and do not enter a new password. 257 ''; 258 }; 259 pgp-pubkey = mkOption { ··· 294 This should be consistent for all *.sr.ht sites, 295 as this key will be used to verify signatures 296 from other sites in your network. 297 + Use the <literal>srht-keygen webhook</literal> command to generate a key. 298 ''; 299 type = types.path; 300 apply = s: "<" + toString s;

+1 -1

nixos/modules/services/misc/sssd.nix

··· 42 kcm = mkOption { 43 type = types.bool; 44 default = false; 45 - description = '' 46 Whether to use SSS as a Kerberos Cache Manager (KCM). 47 Kerberos will be configured to cache credentials in SSS. 48 '';

··· 42 kcm = mkOption { 43 type = types.bool; 44 default = false; 45 + description = lib.mdDoc '' 46 Whether to use SSS as a Kerberos Cache Manager (KCM). 47 Kerberos will be configured to cache credentials in SSS. 48 '';

+1 -3

nixos/modules/services/misc/zoneminder.nix

··· 68 services.zoneminder = with lib; { 69 enable = lib.mkEnableOption '' 70 ZoneMinder 71 - </para><para> 72 If you intend to run the database locally, you should set 73 `config.services.zoneminder.database.createLocally` to true. Otherwise, 74 when set to `false` (the default), you will have to create the database ··· 82 default = "nginx"; 83 description = '' 84 The webserver to configure for the PHP frontend. 85 - </para> 86 - <para> 87 88 Set it to `none` if you want to configure it yourself. PRs are welcome 89 for support for other web servers.

··· 68 services.zoneminder = with lib; { 69 enable = lib.mkEnableOption '' 70 ZoneMinder 71 + 72 If you intend to run the database locally, you should set 73 `config.services.zoneminder.database.createLocally` to true. Otherwise, 74 when set to `false` (the default), you will have to create the database ··· 82 default = "nginx"; 83 description = '' 84 The webserver to configure for the PHP frontend. 85 86 Set it to `none` if you want to configure it yourself. PRs are welcome 87 for support for other web servers.

+7 -7

nixos/modules/services/monitoring/cadvisor.nix

··· 66 67 storageDriverPasswordFile = mkOption { 68 type = types.str; 69 - description = '' 70 File that contains the cadvisor storage driver password. 71 72 - <option>storageDriverPasswordFile</option> takes precedence over <option>storageDriverPassword</option> 73 74 - Warning: when <option>storageDriverPassword</option> is non-empty this defaults to a file in the 75 - world-readable Nix store that contains the value of <option>storageDriverPassword</option>. 76 77 It's recommended to override this with a path not in the Nix store. 78 - Tip: use <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'>nixops key management</link> 79 ''; 80 }; 81 ··· 88 extraOptions = mkOption { 89 type = types.listOf types.str; 90 default = []; 91 - description = '' 92 Additional cadvisor options. 93 94 - See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options. 95 ''; 96 }; 97 };

··· 66 67 storageDriverPasswordFile = mkOption { 68 type = types.str; 69 + description = lib.mdDoc '' 70 File that contains the cadvisor storage driver password. 71 72 + {option}`storageDriverPasswordFile` takes precedence over {option}`storageDriverPassword` 73 74 + Warning: when {option}`storageDriverPassword` is non-empty this defaults to a file in the 75 + world-readable Nix store that contains the value of {option}`storageDriverPassword`. 76 77 It's recommended to override this with a path not in the Nix store. 78 + Tip: use [nixops key management](https://nixos.org/nixops/manual/#idm140737318306400) 79 ''; 80 }; 81 ··· 88 extraOptions = mkOption { 89 type = types.listOf types.str; 90 default = []; 91 + description = lib.mdDoc '' 92 Additional cadvisor options. 93 94 + See <https://github.com/google/cadvisor/blob/master/docs/runtime_options.md> for available options. 95 ''; 96 }; 97 };

+1 -1

nixos/modules/services/monitoring/grafana-image-renderer.nix

··· 92 description = '' 93 Configuration attributes for <package>grafana-image-renderer</package>. 94 95 - See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json" /> 96 for supported values. 97 ''; 98 };

··· 92 description = '' 93 Configuration attributes for <package>grafana-image-renderer</package>. 94 95 + See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json"/> 96 for supported values. 97 ''; 98 };

+2 -2

nixos/modules/services/monitoring/graphite.nix

··· 251 252 extraConfig = mkOption { 253 default = {}; 254 - description = '' 255 Extra seyren configuration. See 256 - <link xlink:href='https://github.com/scobal/seyren#config' /> 257 ''; 258 type = types.attrsOf types.str; 259 example = literalExpression ''

··· 251 252 extraConfig = mkOption { 253 default = {}; 254 + description = lib.mdDoc '' 255 Extra seyren configuration. See 256 + <https://github.com/scobal/seyren#config> 257 ''; 258 type = types.attrsOf types.str; 259 example = literalExpression ''

+5 -5

nixos/modules/services/monitoring/metricbeat.nix

··· 32 }; 33 34 modules = mkOption { 35 - description = '' 36 Metricbeat modules are responsible for reading metrics from the various sources. 37 38 - This is like <literal>services.metricbeat.settings.metricbeat.modules</literal>, 39 but structured as an attribute set. This has the benefit that multiple 40 NixOS modules can contribute settings to a single metricbeat module. 41 42 - A module can be specified multiple times by choosing a different <literal><name></literal> 43 - for each, but setting <xref linkend="opt-services.metricbeat.modules._name_.module"/> to the same value. 44 45 - See <link xlink:href="https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html"/>. 46 ''; 47 default = {}; 48 type = types.attrsOf (types.submodule ({ name, ... }: {

··· 32 }; 33 34 modules = mkOption { 35 + description = lib.mdDoc '' 36 Metricbeat modules are responsible for reading metrics from the various sources. 37 38 + This is like `services.metricbeat.settings.metricbeat.modules`, 39 but structured as an attribute set. This has the benefit that multiple 40 NixOS modules can contribute settings to a single metricbeat module. 41 42 + A module can be specified multiple times by choosing a different `<name>` 43 + for each, but setting [](#opt-services.metricbeat.modules._name_.module) to the same value. 44 45 + See <https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html>. 46 ''; 47 default = {}; 48 type = types.attrsOf (types.submodule ({ name, ... }: {

+14 -14

nixos/modules/services/monitoring/munin.nix

··· 138 enable = mkOption { 139 default = false; 140 type = types.bool; 141 - description = '' 142 Enable Munin Node agent. Munin node listens on 0.0.0.0 and 143 by default accepts connections only from 127.0.0.1 for security reasons. 144 145 - See <link xlink:href='http://guide.munin-monitoring.org/en/latest/architecture/index.html' />. 146 ''; 147 }; 148 149 extraConfig = mkOption { 150 default = ""; 151 type = types.lines; 152 - description = '' 153 - <filename>munin-node.conf</filename> extra configuration. See 154 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html' /> 155 ''; 156 }; 157 158 extraPluginConfig = mkOption { 159 default = ""; 160 type = types.lines; 161 - description = '' 162 - <filename>plugin-conf.d</filename> extra plugin configuration. See 163 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/plugin/use.html' /> 164 ''; 165 example = '' 166 [fail2ban_*] ··· 266 extraGlobalConfig = mkOption { 267 default = ""; 268 type = types.lines; 269 - description = '' 270 - <filename>munin.conf</filename> extra global configuration. 271 - See <link xlink:href='http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html' />. 272 Useful to setup notifications, see 273 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/tutorial/alert.html' /> 274 ''; 275 example = '' 276 contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com ··· 280 hosts = mkOption { 281 default = ""; 282 type = types.lines; 283 - description = '' 284 Definitions of hosts of nodes to collect data from. Needs at least one 285 host for cron to succeed. See 286 - <link xlink:href='http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html' /> 287 ''; 288 example = literalExpression '' 289 '''

··· 138 enable = mkOption { 139 default = false; 140 type = types.bool; 141 + description = lib.mdDoc '' 142 Enable Munin Node agent. Munin node listens on 0.0.0.0 and 143 by default accepts connections only from 127.0.0.1 for security reasons. 144 145 + See <http://guide.munin-monitoring.org/en/latest/architecture/index.html>. 146 ''; 147 }; 148 149 extraConfig = mkOption { 150 default = ""; 151 type = types.lines; 152 + description = lib.mdDoc '' 153 + {file}`munin-node.conf` extra configuration. See 154 + <http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html> 155 ''; 156 }; 157 158 extraPluginConfig = mkOption { 159 default = ""; 160 type = types.lines; 161 + description = lib.mdDoc '' 162 + {file}`plugin-conf.d` extra plugin configuration. See 163 + <http://guide.munin-monitoring.org/en/latest/plugin/use.html> 164 ''; 165 example = '' 166 [fail2ban_*] ··· 266 extraGlobalConfig = mkOption { 267 default = ""; 268 type = types.lines; 269 + description = lib.mdDoc '' 270 + {file}`munin.conf` extra global configuration. 271 + See <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>. 272 Useful to setup notifications, see 273 + <http://guide.munin-monitoring.org/en/latest/tutorial/alert.html> 274 ''; 275 example = '' 276 contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com ··· 280 hosts = mkOption { 281 default = ""; 282 type = types.lines; 283 + description = lib.mdDoc '' 284 Definitions of hosts of nodes to collect data from. Needs at least one 285 host for cron to succeed. See 286 + <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html> 287 ''; 288 example = literalExpression '' 289 '''

+1 -1

nixos/modules/services/monitoring/nagios.nix

··· 88 89 options = { 90 services.nagios = { 91 - enable = mkEnableOption "<link xlink:href='http://www.nagios.org/'>Nagios</link> to monitor your system or network."; 92 93 objectDefs = mkOption { 94 description = "

··· 88 89 options = { 90 services.nagios = { 91 + enable = mkEnableOption ''<link xlink:href="http://www.nagios.org/">Nagios</link> to monitor your system or network.''; 92 93 objectDefs = mkOption { 94 description = "

+4 -4

nixos/modules/services/monitoring/netdata.nix

··· 114 example = literalExpression '' 115 [ "/path/to/plugins.d" ] 116 ''; 117 - description = '' 118 Extra paths to add to the netdata global "plugins directory" 119 option. Useful for when you want to include your own 120 collection scripts. 121 - </para><para> 122 Details about writing a custom netdata plugin are available at: 123 - <link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/> 124 - </para><para> 125 Cannot be combined with configText. 126 ''; 127 };

··· 114 example = literalExpression '' 115 [ "/path/to/plugins.d" ] 116 ''; 117 + description = lib.mdDoc '' 118 Extra paths to add to the netdata global "plugins directory" 119 option. Useful for when you want to include your own 120 collection scripts. 121 + 122 Details about writing a custom netdata plugin are available at: 123 + <https://docs.netdata.cloud/collectors/plugins.d/> 124 + 125 Cannot be combined with configText. 126 ''; 127 };

+17 -22

nixos/modules/services/monitoring/parsedmarc.nix

··· 29 enable = lib.mkOption { 30 type = lib.types.bool; 31 default = false; 32 - description = '' 33 Whether Postfix and Dovecot should be set up to receive 34 mail locally. parsedmarc will be configured to watch the 35 local inbox as the automatically created user specified in 36 - <xref linkend="opt-services.parsedmarc.provision.localMail.recipientName" /> 37 ''; 38 }; 39 ··· 68 geoIp = lib.mkOption { 69 type = lib.types.bool; 70 default = true; 71 - description = '' 72 - Whether to enable and configure the <link 73 - linkend="opt-services.geoipupdate.enable">geoipupdate</link> 74 service to automatically fetch GeoIP databases. Not crucial, 75 but recommended for full functionality. 76 77 - To finish the setup, you need to manually set the <xref 78 - linkend="opt-services.geoipupdate.settings.AccountID" /> and 79 - <xref linkend="opt-services.geoipupdate.settings.LicenseKey" /> 80 options. 81 ''; 82 }; ··· 97 config.${opt.provision.elasticsearch} && config.${options.services.grafana.enable} 98 ''; 99 apply = x: x && cfg.provision.elasticsearch; 100 - description = '' 101 Whether the automatically provisioned Elasticsearch 102 instance should be added as a grafana datasource. Has no 103 effect unless 104 - <xref linkend="opt-services.parsedmarc.provision.elasticsearch" /> 105 is also enabled. 106 ''; 107 }; ··· 208 password = lib.mkOption { 209 type = with lib.types; nullOr (either path (attrsOf path)); 210 default = null; 211 - description = '' 212 The IMAP server password. 213 214 Always handled as a secret whether the value is 215 - wrapped in a <literal>{ _secret = ...; }</literal> 216 - attrset or not (refer to <xref 217 - linkend="opt-services.parsedmarc.settings" /> for 218 details). 219 ''; 220 apply = x: if isAttrs x || x == null then x else { _secret = x; }; ··· 273 password = lib.mkOption { 274 type = with lib.types; nullOr (either path (attrsOf path)); 275 default = null; 276 - description = '' 277 The SMTP server password. 278 279 Always handled as a secret whether the value is 280 - wrapped in a <literal>{ _secret = ...; }</literal> 281 - attrset or not (refer to <xref 282 - linkend="opt-services.parsedmarc.settings" /> for 283 details). 284 ''; 285 apply = x: if isAttrs x || x == null then x else { _secret = x; }; ··· 326 password = lib.mkOption { 327 type = with lib.types; nullOr (either path (attrsOf path)); 328 default = null; 329 - description = '' 330 The password to use when connecting to Elasticsearch, 331 if required. 332 333 Always handled as a secret whether the value is 334 - wrapped in a <literal>{ _secret = ...; }</literal> 335 - attrset or not (refer to <xref 336 - linkend="opt-services.parsedmarc.settings" /> for 337 details). 338 ''; 339 apply = x: if isAttrs x || x == null then x else { _secret = x; };

··· 29 enable = lib.mkOption { 30 type = lib.types.bool; 31 default = false; 32 + description = lib.mdDoc '' 33 Whether Postfix and Dovecot should be set up to receive 34 mail locally. parsedmarc will be configured to watch the 35 local inbox as the automatically created user specified in 36 + [](#opt-services.parsedmarc.provision.localMail.recipientName) 37 ''; 38 }; 39 ··· 68 geoIp = lib.mkOption { 69 type = lib.types.bool; 70 default = true; 71 + description = lib.mdDoc '' 72 + Whether to enable and configure the [geoipupdate](#opt-services.geoipupdate.enable) 73 service to automatically fetch GeoIP databases. Not crucial, 74 but recommended for full functionality. 75 76 + To finish the setup, you need to manually set the [](#opt-services.geoipupdate.settings.AccountID) and 77 + [](#opt-services.geoipupdate.settings.LicenseKey) 78 options. 79 ''; 80 }; ··· 95 config.${opt.provision.elasticsearch} && config.${options.services.grafana.enable} 96 ''; 97 apply = x: x && cfg.provision.elasticsearch; 98 + description = lib.mdDoc '' 99 Whether the automatically provisioned Elasticsearch 100 instance should be added as a grafana datasource. Has no 101 effect unless 102 + [](#opt-services.parsedmarc.provision.elasticsearch) 103 is also enabled. 104 ''; 105 }; ··· 206 password = lib.mkOption { 207 type = with lib.types; nullOr (either path (attrsOf path)); 208 default = null; 209 + description = lib.mdDoc '' 210 The IMAP server password. 211 212 Always handled as a secret whether the value is 213 + wrapped in a `{ _secret = ...; }` 214 + attrset or not (refer to [](#opt-services.parsedmarc.settings) for 215 details). 216 ''; 217 apply = x: if isAttrs x || x == null then x else { _secret = x; }; ··· 270 password = lib.mkOption { 271 type = with lib.types; nullOr (either path (attrsOf path)); 272 default = null; 273 + description = lib.mdDoc '' 274 The SMTP server password. 275 276 Always handled as a secret whether the value is 277 + wrapped in a `{ _secret = ...; }` 278 + attrset or not (refer to [](#opt-services.parsedmarc.settings) for 279 details). 280 ''; 281 apply = x: if isAttrs x || x == null then x else { _secret = x; }; ··· 322 password = lib.mkOption { 323 type = with lib.types; nullOr (either path (attrsOf path)); 324 default = null; 325 + description = lib.mdDoc '' 326 The password to use when connecting to Elasticsearch, 327 if required. 328 329 Always handled as a secret whether the value is 330 + wrapped in a `{ _secret = ...; }` 331 + attrset or not (refer to [](#opt-services.parsedmarc.settings) for 332 details). 333 ''; 334 apply = x: if isAttrs x || x == null then x else { _secret = x; };

+6 -9

nixos/modules/services/monitoring/prometheus/default.nix

··· 379 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 380 List of Google Compute Engine service discovery configurations. 381 382 - See <link 383 - xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the 384 - relevant Prometheus configuration docs</link> for more detail. 385 ''; 386 387 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' ··· 807 filter = mkOpt types.str '' 808 Filter can be used optionally to filter the instance list by other 809 criteria Syntax of this filter string is described here in the filter 810 - query parameter section: <link 811 - xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list" 812 - />. 813 ''; 814 815 refresh_interval = mkDefOpt types.str "60s" '' ··· 825 The tag separator used to separate concatenated GCE instance network tags. 826 827 See the GCP documentation on network tags for more information: 828 - <link xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags" /> 829 ''; 830 }; 831 }; ··· 1033 1034 auth_token = mkOpt types.str '' 1035 Optional authentication information for token-based authentication: 1036 - <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token" /> 1037 It is mutually exclusive with <literal>auth_token_file</literal> and other authentication mechanisms. 1038 ''; 1039 1040 auth_token_file = mkOpt types.str '' 1041 Optional authentication information for token-based authentication: 1042 - <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token" /> 1043 It is mutually exclusive with <literal>auth_token</literal> and other authentication mechanisms. 1044 ''; 1045 };

··· 379 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 380 List of Google Compute Engine service discovery configurations. 381 382 + See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the relevant Prometheus configuration docs</link> 383 + for more detail. 384 ''; 385 386 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' ··· 806 filter = mkOpt types.str '' 807 Filter can be used optionally to filter the instance list by other 808 criteria Syntax of this filter string is described here in the filter 809 + query parameter section: <link xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list"/>. 810 ''; 811 812 refresh_interval = mkDefOpt types.str "60s" '' ··· 822 The tag separator used to separate concatenated GCE instance network tags. 823 824 See the GCP documentation on network tags for more information: 825 + <link xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags"/> 826 ''; 827 }; 828 }; ··· 1030 1031 auth_token = mkOpt types.str '' 1032 Optional authentication information for token-based authentication: 1033 + <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token"/> 1034 It is mutually exclusive with <literal>auth_token_file</literal> and other authentication mechanisms. 1035 ''; 1036 1037 auth_token_file = mkOpt types.str '' 1038 Optional authentication information for token-based authentication: 1039 + <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token"/> 1040 It is mutually exclusive with <literal>auth_token</literal> and other authentication mechanisms. 1041 ''; 1042 };

+4 -4

nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix

··· 33 work with this exporter: 34 <programlisting> 35 { 36 - <xref linkend="opt-services.prometheus.exporters.dovecot.enable" /> = true; 37 - <xref linkend="opt-services.prometheus.exporters.dovecot.socketPath" /> = "/var/run/dovecot2/old-stats"; 38 - <xref linkend="opt-services.dovecot2.mailPlugins.globally.enable" /> = [ "old_stats" ]; 39 - <xref linkend="opt-services.dovecot2.extraConfig" /> = ''' 40 service old-stats { 41 unix_listener old-stats { 42 user = dovecot-exporter

··· 33 work with this exporter: 34 <programlisting> 35 { 36 + <xref linkend="opt-services.prometheus.exporters.dovecot.enable"/> = true; 37 + <xref linkend="opt-services.prometheus.exporters.dovecot.socketPath"/> = "/var/run/dovecot2/old-stats"; 38 + <xref linkend="opt-services.dovecot2.mailPlugins.globally.enable"/> = [ "old_stats" ]; 39 + <xref linkend="opt-services.dovecot2.extraConfig"/> = ''' 40 service old-stats { 41 unix_listener old-stats { 42 user = dovecot-exporter

+1 -1

nixos/modules/services/monitoring/prometheus/exporters/process.nix

··· 22 All settings expressed as an Nix attrset. 23 24 Check the official documentation for the corresponding YAML 25 - settings that can all be used here: <link xlink:href="https://github.com/ncabatoff/process-exporter" /> 26 ''; 27 }; 28 };

··· 22 All settings expressed as an Nix attrset. 23 24 Check the official documentation for the corresponding YAML 25 + settings that can all be used here: <link xlink:href="https://github.com/ncabatoff/process-exporter"/> 26 ''; 27 }; 28 };

+1 -1

nixos/modules/services/monitoring/prometheus/exporters/script.nix

··· 41 All settings expressed as an Nix attrset. 42 43 Check the official documentation for the corresponding YAML 44 - settings that can all be used here: <link xlink:href="https://github.com/adhocteam/script_exporter#sample-configuration" /> 45 ''; 46 }; 47 };

··· 41 All settings expressed as an Nix attrset. 42 43 Check the official documentation for the corresponding YAML 44 + settings that can all be used here: <link xlink:href="https://github.com/adhocteam/script_exporter#sample-configuration"/> 45 ''; 46 }; 47 };

+5 -5

nixos/modules/services/networking/biboumi.nix

··· 83 }; 84 options.password = mkOption { 85 type = with types; nullOr str; 86 - description = '' 87 The password used to authenticate the XMPP component to your XMPP server. 88 This password must be configured in the XMPP server, 89 associated with the external component on 90 - <link linkend="opt-services.biboumi.settings.hostname">hostname</link>. 91 92 - Set it to null and use <link linkend="opt-services.biboumi.credentialsFile">credentialsFile</link> 93 if you do not want this password to go into the Nix store. 94 ''; 95 }; ··· 155 156 credentialsFile = mkOption { 157 type = types.path; 158 - description = '' 159 Path to a configuration file to be merged with the settings. 160 Beware not to surround "=" with spaces when setting biboumi's options in this file. 161 Useful to merge a file which is better kept out of the Nix store 162 because it contains sensible data like 163 - <link linkend="opt-services.biboumi.settings.password">password</link>. 164 ''; 165 default = "/dev/null"; 166 example = "/run/keys/biboumi.cfg";

··· 83 }; 84 options.password = mkOption { 85 type = with types; nullOr str; 86 + description = lib.mdDoc '' 87 The password used to authenticate the XMPP component to your XMPP server. 88 This password must be configured in the XMPP server, 89 associated with the external component on 90 + [hostname](#opt-services.biboumi.settings.hostname). 91 92 + Set it to null and use [credentialsFile](#opt-services.biboumi.credentialsFile) 93 if you do not want this password to go into the Nix store. 94 ''; 95 }; ··· 155 156 credentialsFile = mkOption { 157 type = types.path; 158 + description = lib.mdDoc '' 159 Path to a configuration file to be merged with the settings. 160 Beware not to surround "=" with spaces when setting biboumi's options in this file. 161 Useful to merge a file which is better kept out of the Nix store 162 because it contains sensible data like 163 + [password](#opt-services.biboumi.settings.password). 164 ''; 165 default = "/dev/null"; 166 example = "/run/keys/biboumi.cfg";

+6 -6

nixos/modules/services/networking/bird-lg.nix

··· 136 extraArgs = mkOption { 137 type = types.lines; 138 default = ""; 139 - description = " 140 - Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#frontend\">here</link>. 141 - "; 142 }; 143 }; 144 ··· 183 extraArgs = mkOption { 184 type = types.lines; 185 default = ""; 186 - description = " 187 - Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#proxy\">here</link>. 188 - "; 189 }; 190 }; 191 };

··· 136 extraArgs = mkOption { 137 type = types.lines; 138 default = ""; 139 + description = lib.mdDoc '' 140 + Extra parameters documented [here](https://github.com/xddxdd/bird-lg-go#frontend). 141 + ''; 142 }; 143 }; 144 ··· 183 extraArgs = mkOption { 184 type = types.lines; 185 default = ""; 186 + description = lib.mdDoc '' 187 + Extra parameters documented [here](https://github.com/xddxdd/bird-lg-go#proxy). 188 + ''; 189 }; 190 }; 191 };

+6 -6

nixos/modules/services/networking/bird.nix

··· 13 enable = mkEnableOption "BIRD Internet Routing Daemon"; 14 config = mkOption { 15 type = types.lines; 16 - description = '' 17 BIRD Internet Routing Daemon configuration file. 18 - <link xlink:href='http://bird.network.cz/'/> 19 ''; 20 }; 21 checkConfig = mkOption { 22 type = types.bool; 23 default = true; 24 - description = '' 25 Whether the config should be checked at build time. 26 When the config can't be checked during build time, for example when it includes 27 - other files, either disable this option or use <code>preCheckConfig</code> to create 28 the included files before checking. 29 ''; 30 }; ··· 34 example = '' 35 echo "cost 100;" > include.conf 36 ''; 37 - description = '' 38 Commands to execute before the config file check. The file to be checked will be 39 - available as <code>bird2.conf</code> in the current directory. 40 41 Files created with this option will not be available at service runtime, only during 42 build time checking.

··· 13 enable = mkEnableOption "BIRD Internet Routing Daemon"; 14 config = mkOption { 15 type = types.lines; 16 + description = lib.mdDoc '' 17 BIRD Internet Routing Daemon configuration file. 18 + <http://bird.network.cz/> 19 ''; 20 }; 21 checkConfig = mkOption { 22 type = types.bool; 23 default = true; 24 + description = lib.mdDoc '' 25 Whether the config should be checked at build time. 26 When the config can't be checked during build time, for example when it includes 27 + other files, either disable this option or use `preCheckConfig` to create 28 the included files before checking. 29 ''; 30 }; ··· 34 example = '' 35 echo "cost 100;" > include.conf 36 ''; 37 + description = lib.mdDoc '' 38 Commands to execute before the config file check. The file to be checked will be 39 + available as `bird2.conf` in the current directory. 40 41 Files created with this option will not be available at service runtime, only during 42 build time checking.

+4 -1

nixos/modules/services/networking/coredns.nix

··· 17 } 18 ''; 19 type = types.lines; 20 - description = "Verbatim Corefile to use. See <link xlink:href=\"https://coredns.io/manual/toc/#configuration\"/> for details."; 21 }; 22 23 package = mkOption {

··· 17 } 18 ''; 19 type = types.lines; 20 + description = lib.mdDoc '' 21 + Verbatim Corefile to use. 22 + See <https://coredns.io/manual/toc/#configuration> for details. 23 + ''; 24 }; 25 26 package = mkOption {

+9 -9

nixos/modules/services/networking/ghostunnel.nix

··· 40 description = '' 41 Path to keystore (combined PEM with cert/key, or PKCS12 keystore). 42 43 - NB: storepass is not supported because it would expose credentials via <code>/proc/*/cmdline</code>. 44 45 - Specify this or <code>cert</code> and <code>key</code>. 46 ''; 47 type = types.nullOr types.str; 48 default = null; 49 }; 50 51 cert = mkOption { 52 - description = '' 53 Path to certificate (PEM with certificate chain). 54 55 - Not required if <code>keystore</code> is set. 56 ''; 57 type = types.nullOr types.str; 58 default = null; 59 }; 60 61 key = mkOption { 62 - description = '' 63 Path to certificate private key (PEM with private key). 64 65 - Not required if <code>keystore</code> is set. 66 ''; 67 type = types.nullOr types.str; 68 default = null; 69 }; 70 71 cacert = mkOption { 72 - description = '' 73 - Path to CA bundle file (PEM/X509). Uses system trust store if <code>null</code>. 74 ''; 75 type = types.nullOr types.str; 76 }; ··· 124 }; 125 126 extraArguments = mkOption { 127 - description = "Extra arguments to pass to <code>ghostunnel server</code>"; 128 type = types.separatedString " "; 129 default = ""; 130 };

··· 40 description = '' 41 Path to keystore (combined PEM with cert/key, or PKCS12 keystore). 42 43 + NB: storepass is not supported because it would expose credentials via <literal>/proc/*/cmdline</literal>. 44 45 + Specify this or <literal>cert</literal> and <literal>key</literal>. 46 ''; 47 type = types.nullOr types.str; 48 default = null; 49 }; 50 51 cert = mkOption { 52 + description = lib.mdDoc '' 53 Path to certificate (PEM with certificate chain). 54 55 + Not required if `keystore` is set. 56 ''; 57 type = types.nullOr types.str; 58 default = null; 59 }; 60 61 key = mkOption { 62 + description = lib.mdDoc '' 63 Path to certificate private key (PEM with private key). 64 65 + Not required if `keystore` is set. 66 ''; 67 type = types.nullOr types.str; 68 default = null; 69 }; 70 71 cacert = mkOption { 72 + description = lib.mdDoc '' 73 + Path to CA bundle file (PEM/X509). Uses system trust store if `null`. 74 ''; 75 type = types.nullOr types.str; 76 }; ··· 124 }; 125 126 extraArguments = mkOption { 127 + description = lib.mdDoc "Extra arguments to pass to `ghostunnel server`"; 128 type = types.separatedString " "; 129 default = ""; 130 };

+3 -3

nixos/modules/services/networking/hans.nix

··· 19 services.hans = { 20 clients = mkOption { 21 default = {}; 22 - description = '' 23 Each attribute of this option defines a systemd service that 24 runs hans. Many or none may be defined. 25 The name of each service is 26 - <literal>hans-<replaceable>name</replaceable></literal> 27 - where <replaceable>name</replaceable> is the name of the 28 corresponding attribute name. 29 ''; 30 example = literalExpression ''

··· 19 services.hans = { 20 clients = mkOption { 21 default = {}; 22 + description = lib.mdDoc '' 23 Each attribute of this option defines a systemd service that 24 runs hans. Many or none may be defined. 25 The name of each service is 26 + `hans-«name»` 27 + where «name» is the name of the 28 corresponding attribute name. 29 ''; 30 example = literalExpression ''

+3 -3

nixos/modules/services/networking/iodine.nix

··· 28 services.iodine = { 29 clients = mkOption { 30 default = {}; 31 - description = '' 32 Each attribute of this option defines a systemd service that 33 runs iodine. Many or none may be defined. 34 The name of each service is 35 - <literal>iodine-<replaceable>name</replaceable></literal> 36 - where <replaceable>name</replaceable> is the name of the 37 corresponding attribute name. 38 ''; 39 example = literalExpression ''

··· 28 services.iodine = { 29 clients = mkOption { 30 default = {}; 31 + description = lib.mdDoc '' 32 Each attribute of this option defines a systemd service that 33 runs iodine. Many or none may be defined. 34 The name of each service is 35 + `iodine-«name»` 36 + where «name» is the name of the 37 corresponding attribute name. 38 ''; 39 example = literalExpression ''

+16 -16

nixos/modules/services/networking/kea.nix

··· 54 configFile = mkOption { 55 type = nullOr path; 56 default = null; 57 - description = '' 58 - Kea Control Agent configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>. 59 60 - Takes preference over <link linkend="opt-services.kea.ctrl-agent.settings">settings</link>. 61 - Most users should prefer using <link linkend="opt-services.kea.ctrl-agent.settings">settings</link> instead. 62 ''; 63 }; 64 ··· 93 configFile = mkOption { 94 type = nullOr path; 95 default = null; 96 - description = '' 97 - Kea DHCP4 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>. 98 99 - Takes preference over <link linkend="opt-services.kea.dhcp4.settings">settings</link>. 100 - Most users should prefer using <link linkend="opt-services.kea.dhcp4.settings">settings</link> instead. 101 ''; 102 }; 103 ··· 153 configFile = mkOption { 154 type = nullOr path; 155 default = null; 156 - description = '' 157 - Kea DHCP6 configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>. 158 159 - Takes preference over <link linkend="opt-services.kea.dhcp6.settings">settings</link>. 160 - Most users should prefer using <link linkend="opt-services.kea.dhcp6.settings">settings</link> instead. 161 ''; 162 }; 163 ··· 214 configFile = mkOption { 215 type = nullOr path; 216 default = null; 217 - description = '' 218 - Kea DHCP-DDNS configuration as a path, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>. 219 220 - Takes preference over <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link>. 221 - Most users should prefer using <link linkend="opt-services.kea.dhcp-ddns.settings">settings</link> instead. 222 ''; 223 }; 224

··· 54 configFile = mkOption { 55 type = nullOr path; 56 default = null; 57 + description = lib.mdDoc '' 58 + Kea Control Agent configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html>. 59 60 + Takes preference over [settings](#opt-services.kea.ctrl-agent.settings). 61 + Most users should prefer using [settings](#opt-services.kea.ctrl-agent.settings) instead. 62 ''; 63 }; 64 ··· 93 configFile = mkOption { 94 type = nullOr path; 95 default = null; 96 + description = lib.mdDoc '' 97 + Kea DHCP4 configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html>. 98 99 + Takes preference over [settings](#opt-services.kea.dhcp4.settings). 100 + Most users should prefer using [settings](#opt-services.kea.dhcp4.settings) instead. 101 ''; 102 }; 103 ··· 153 configFile = mkOption { 154 type = nullOr path; 155 default = null; 156 + description = lib.mdDoc '' 157 + Kea DHCP6 configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html>. 158 159 + Takes preference over [settings](#opt-services.kea.dhcp6.settings). 160 + Most users should prefer using [settings](#opt-services.kea.dhcp6.settings) instead. 161 ''; 162 }; 163 ··· 214 configFile = mkOption { 215 type = nullOr path; 216 default = null; 217 + description = lib.mdDoc '' 218 + Kea DHCP-DDNS configuration as a path, see <https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html>. 219 220 + Takes preference over [settings](#opt-services.kea.dhcp-ddns.settings). 221 + Most users should prefer using [settings](#opt-services.kea.dhcp-ddns.settings) instead. 222 ''; 223 }; 224

+2 -2

nixos/modules/services/networking/ncdns.nix

··· 176 certstore.nssdbdir = "../../home/alice/.pki/nssdb"; 177 } 178 ''; 179 - description = '' 180 ncdns settings. Use this option to configure ncds 181 settings not exposed in a NixOS option or to bypass one. 182 - See the example ncdns.conf file at <link xlink:href="https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example"/> 183 for the available options. 184 ''; 185 };

··· 176 certstore.nssdbdir = "../../home/alice/.pki/nssdb"; 177 } 178 ''; 179 + description = lib.mdDoc '' 180 ncdns settings. Use this option to configure ncds 181 settings not exposed in a NixOS option or to bypass one. 182 + See the example ncdns.conf file at <https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example> 183 for the available options. 184 ''; 185 };

+5 -6

nixos/modules/services/networking/networkmanager.nix

··· 329 default = "default"; 330 description = '' 331 Set the DNS (<literal>resolv.conf</literal>) processing mode. 332 - </para> 333 - <para> 334 A description of these modes can be found in the main section of 335 <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> 336 https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html ··· 388 enableStrongSwan = mkOption { 389 type = types.bool; 390 default = false; 391 - description = '' 392 Enable the StrongSwan plugin. 393 - </para><para> 394 If you enable this option the 395 - <literal>networkmanager_strongswan</literal> plugin will be added to 396 - the <option>networking.networkmanager.plugins</option> option 397 so you don't need to to that yourself. 398 ''; 399 };

··· 329 default = "default"; 330 description = '' 331 Set the DNS (<literal>resolv.conf</literal>) processing mode. 332 + 333 A description of these modes can be found in the main section of 334 <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> 335 https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html ··· 387 enableStrongSwan = mkOption { 388 type = types.bool; 389 default = false; 390 + description = lib.mdDoc '' 391 Enable the StrongSwan plugin. 392 + 393 If you enable this option the 394 + `networkmanager_strongswan` plugin will be added to 395 + the {option}`networking.networkmanager.plugins` option 396 so you don't need to to that yourself. 397 ''; 398 };

+2 -2

nixos/modules/services/networking/nntp-proxy.nix

··· 167 passwordHash = mkOption { 168 type = types.str; 169 example = "$6$GtzE7FrpE$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0"; 170 - description = '' 171 SHA-512 password hash (can be generated by 172 - <code>mkpasswd -m sha-512 <password></code>) 173 ''; 174 }; 175

··· 167 passwordHash = mkOption { 168 type = types.str; 169 example = "$6$GtzE7FrpE$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0"; 170 + description = lib.mdDoc '' 171 SHA-512 password hash (can be generated by 172 + `mkpasswd -m sha-512 <password>`) 173 ''; 174 }; 175

+2 -2

nixos/modules/services/networking/nsd.nix

··· 392 requestXFR = mkOption { 393 type = types.listOf types.str; 394 default = []; 395 - description = '' 396 - Format: <code>[AXFR|UDP] <ip-address> <key-name | NOKEY></code> 397 ''; 398 }; 399

··· 392 requestXFR = mkOption { 393 type = types.listOf types.str; 394 default = []; 395 + description = lib.mdDoc '' 396 + Format: `[AXFR|UDP] <ip-address> <key-name | NOKEY>` 397 ''; 398 }; 399

+7 -10

nixos/modules/services/networking/ntp/ntpd.nix

··· 40 enable = mkOption { 41 type = types.bool; 42 default = false; 43 - description = '' 44 Whether to synchronise your machine's time using ntpd, as a peer in 45 the NTP network. 46 - </para> 47 - <para> 48 - Disables <literal>systemd.timesyncd</literal> if enabled. 49 ''; 50 }; 51 52 restrictDefault = mkOption { 53 type = types.listOf types.str; 54 - description = '' 55 The restriction flags to be set by default. 56 - </para> 57 - <para> 58 The default flags prevent external hosts from using ntpd as a DDoS 59 reflector, setting system time, and querying OS/ntpd version. As 60 recommended in section 6.5.1.1.3, answer "No" of ··· 65 66 restrictSource = mkOption { 67 type = types.listOf types.str; 68 - description = '' 69 The restriction flags to be set on source. 70 - </para> 71 - <para> 72 The default flags allow peers to be added by ntpd from configured 73 pool(s), but not by other means. 74 '';

··· 40 enable = mkOption { 41 type = types.bool; 42 default = false; 43 + description = lib.mdDoc '' 44 Whether to synchronise your machine's time using ntpd, as a peer in 45 the NTP network. 46 + 47 + Disables `systemd.timesyncd` if enabled. 48 ''; 49 }; 50 51 restrictDefault = mkOption { 52 type = types.listOf types.str; 53 + description = lib.mdDoc '' 54 The restriction flags to be set by default. 55 + 56 The default flags prevent external hosts from using ntpd as a DDoS 57 reflector, setting system time, and querying OS/ntpd version. As 58 recommended in section 6.5.1.1.3, answer "No" of ··· 63 64 restrictSource = mkOption { 65 type = types.listOf types.str; 66 + description = lib.mdDoc '' 67 The restriction flags to be set on source. 68 + 69 The default flags allow peers to be added by ntpd from configured 70 pool(s), but not by other means. 71 '';

+7 -7

nixos/modules/services/networking/openconnect.nix

··· 38 # set an authentication cookie, because they have to be requested 39 # for every new connection and would only work once. 40 passwordFile = mkOption { 41 - description = '' 42 File containing the password to authenticate with. This 43 - is passed to <code>openconnect</code> via the 44 - <code>--passwd-on-stdin</code> option. 45 ''; 46 default = null; 47 example = "/var/lib/secrets/openconnect-passwd"; ··· 63 }; 64 65 extraOptions = mkOption { 66 - description = '' 67 Extra config to be appended to the interface config. It should 68 contain long-format options as would be accepted on the command 69 - line by <code>openconnect</code> 70 (see https://www.infradead.org/openconnect/manual.html). 71 - Non-key-value options like <code>deflate</code> can be used by 72 - declaring them as booleans, i. e. <code>deflate = true;</code>. 73 ''; 74 default = { }; 75 example = {

··· 38 # set an authentication cookie, because they have to be requested 39 # for every new connection and would only work once. 40 passwordFile = mkOption { 41 + description = lib.mdDoc '' 42 File containing the password to authenticate with. This 43 + is passed to `openconnect` via the 44 + `--passwd-on-stdin` option. 45 ''; 46 default = null; 47 example = "/var/lib/secrets/openconnect-passwd"; ··· 63 }; 64 65 extraOptions = mkOption { 66 + description = lib.mdDoc '' 67 Extra config to be appended to the interface config. It should 68 contain long-format options as would be accepted on the command 69 + line by `openconnect` 70 (see https://www.infradead.org/openconnect/manual.html). 71 + Non-key-value options like `deflate` can be used by 72 + declaring them as booleans, i. e. `deflate = true;`. 73 ''; 74 default = { }; 75 example = {

+3 -3

nixos/modules/services/networking/openvpn.nix

··· 115 } 116 ''; 117 118 - description = '' 119 Each attribute of this option defines a systemd service that 120 runs an OpenVPN instance. These can be OpenVPN servers or 121 clients. The name of each systemd service is 122 - <literal>openvpn-<replaceable>name</replaceable>.service</literal>, 123 - where <replaceable>name</replaceable> is the corresponding 124 attribute name. 125 ''; 126

··· 115 } 116 ''; 117 118 + description = lib.mdDoc '' 119 Each attribute of this option defines a systemd service that 120 runs an OpenVPN instance. These can be OpenVPN servers or 121 clients. The name of each systemd service is 122 + `openvpn-«name».service`, 123 + where «name» is the corresponding 124 attribute name. 125 ''; 126

+4 -4

nixos/modules/services/networking/pleroma.nix

··· 34 35 configs = mkOption { 36 type = with types; listOf str; 37 - description = '' 38 Pleroma public configuration. 39 40 This list gets appended from left to ··· 42 configuration imperatively, meaning you can override a 43 setting by appending a new str to this NixOS option list. 44 45 - <emphasis>DO NOT STORE ANY PLEROMA SECRET 46 - HERE</emphasis>, use 47 - <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link> 48 instead. 49 50 This setting is going to be stored in a file part of

··· 34 35 configs = mkOption { 36 type = with types; listOf str; 37 + description = lib.mdDoc '' 38 Pleroma public configuration. 39 40 This list gets appended from left to ··· 42 configuration imperatively, meaning you can override a 43 setting by appending a new str to this NixOS option list. 44 45 + *DO NOT STORE ANY PLEROMA SECRET 46 + HERE*, use 47 + [services.pleroma.secretConfigFile](#opt-services.pleroma.secretConfigFile) 48 instead. 49 50 This setting is going to be stored in a file part of

+1 -1

nixos/modules/services/networking/seafile.nix

··· 133 type = types.lines; 134 description = '' 135 Extra config to append to `seahub_settings.py` file. 136 - Refer to <link xlink:href="https://manual.seafile.com/config/seahub_settings_py/" /> 137 for all available options. 138 ''; 139 };

··· 133 type = types.lines; 134 description = '' 135 Extra config to append to `seahub_settings.py` file. 136 + Refer to <link xlink:href="https://manual.seafile.com/config/seahub_settings_py/"/> 137 for all available options. 138 ''; 139 };

+15 -18

nixos/modules/services/networking/ssh/sshd.nix

··· 257 authorizedKeysFiles = mkOption { 258 type = types.listOf types.str; 259 default = []; 260 - description = '' 261 Specify the rules for which files to read on the host. 262 263 This is an advanced option. If you're looking to configure user 264 - keys, you can generally use <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keys"/> 265 - or <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keyFiles"/>. 266 267 These are paths relative to the host root file system or home 268 directories and they are subject to certain token expansion rules. ··· 298 "curve25519-sha256@libssh.org" 299 "diffie-hellman-group-exchange-sha256" 300 ]; 301 - description = '' 302 Allowed key exchange algorithms 303 - </para> 304 - <para> 305 Uses the lower bound recommended in both 306 - <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> 307 and 308 - <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> 309 ''; 310 }; 311 ··· 319 "aes192-ctr" 320 "aes128-ctr" 321 ]; 322 - description = '' 323 Allowed ciphers 324 - </para> 325 - <para> 326 Defaults to recommended settings from both 327 - <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> 328 and 329 - <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> 330 ''; 331 }; 332 ··· 340 "hmac-sha2-256" 341 "umac-128@openssh.com" 342 ]; 343 - description = '' 344 Allowed MACs 345 - </para> 346 - <para> 347 Defaults to recommended settings from both 348 - <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> 349 and 350 - <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> 351 ''; 352 }; 353

··· 257 authorizedKeysFiles = mkOption { 258 type = types.listOf types.str; 259 default = []; 260 + description = lib.mdDoc '' 261 Specify the rules for which files to read on the host. 262 263 This is an advanced option. If you're looking to configure user 264 + keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys) 265 + or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles). 266 267 These are paths relative to the host root file system or home 268 directories and they are subject to certain token expansion rules. ··· 298 "curve25519-sha256@libssh.org" 299 "diffie-hellman-group-exchange-sha256" 300 ]; 301 + description = lib.mdDoc '' 302 Allowed key exchange algorithms 303 + 304 Uses the lower bound recommended in both 305 + <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 306 and 307 + <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 308 ''; 309 }; 310 ··· 318 "aes192-ctr" 319 "aes128-ctr" 320 ]; 321 + description = lib.mdDoc '' 322 Allowed ciphers 323 + 324 Defaults to recommended settings from both 325 + <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 326 and 327 + <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 328 ''; 329 }; 330 ··· 338 "hmac-sha2-256" 339 "umac-128@openssh.com" 340 ]; 341 + description = lib.mdDoc '' 342 Allowed MACs 343 + 344 Defaults to recommended settings from both 345 + <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 346 and 347 + <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 348 ''; 349 }; 350

+2 -1

nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix

··· 59 if strongswanDefault == null 60 then description 61 else description + '' 62 - </para><para> 63 StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> 64 ''; 65

··· 59 if strongswanDefault == null 60 then description 61 else description + '' 62 + 63 + 64 StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> 65 ''; 66

+45 -45

nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix

··· 15 file = mkOptionalStrParam '' 16 Absolute path to the certificate to load. Passed as-is to the daemon, so 17 it must be readable by it. 18 - </para><para> 19 Configure either this or <option>handle</option>, but not both, in one section. 20 ''; 21 22 handle = mkOptionalHexParam '' 23 Hex-encoded CKA_ID or handle of the certificate on a token or TPM, 24 respectively. 25 - </para><para> 26 Configure either this or <option>file</option>, but not both, in one section. 27 ''; 28 ··· 40 cacert = mkOptionalStrParam '' 41 The certificates may use a relative path from the swanctl 42 <literal>x509ca</literal> directory or an absolute path. 43 - </para><para> 44 Configure one of <option>cacert</option>, 45 <option>file</option>, or 46 <option>handle</option> per section. ··· 82 local_addrs = mkCommaSepListParam [] '' 83 Local address(es) to use for IKE communication. Takes 84 single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. 85 - </para><para> 86 As initiator, the first non-range/non-subnet is used to initiate the 87 connection from. As responder, the local destination address must match at 88 least to one of the specified addresses, subnets or ranges. 89 - </para><para> 90 If FQDNs are assigned they are resolved every time a configuration lookup 91 is done. If DNS resolution times out, the lookup is delayed for that time. 92 ''; ··· 94 remote_addrs = mkCommaSepListParam [] '' 95 Remote address(es) to use for IKE communication. Takes 96 single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. 97 - </para><para> 98 As initiator, the first non-range/non-subnet is used to initiate the 99 connection to. As responder, the initiator source address must match at 100 least to one of the specified addresses, subnets or ranges. 101 - </para><para> 102 If FQDNs are assigned they are resolved every time a configuration lookup 103 is done. If DNS resolution times out, the lookup is delayed for that time. 104 To initiate a connection, at least one specific address or DNS name must ··· 110 backend is used, which is usually <literal>500</literal>. If port 111 <literal>500</literal> is used, automatic IKE port floating to port 112 <literal>4500</literal> is used to work around NAT issues. 113 - </para><para> 114 Using a non-default local IKE port requires support from the socket 115 backend in use (socket-dynamic). 116 ''; ··· 126 for IKE an encryption algorithm, an integrity algorithm, a pseudo random 127 function and a Diffie-Hellman group. For AEAD algorithms, instead of 128 encryption and integrity algorithms, a combined algorithm is used. 129 - </para><para> 130 In IKEv2, multiple algorithms of the same kind can be specified in a 131 single proposal, from which one gets selected. In IKEv1, only one 132 algorithm per kind is allowed per proposal, more algorithms get implicitly 133 stripped. Use multiple proposals to offer different algorithms 134 combinations in IKEv1. 135 - </para><para> 136 Algorithm keywords get separated using dashes. Multiple proposals may be 137 specified in a list. The special value <literal>default</literal> forms a 138 default proposal of supported algorithms considered safe, and is usually a ··· 159 If the default of yes is used, Mode Config works in pull mode, where the 160 initiator actively requests a virtual IP. With no, push mode is used, 161 where the responder pushes down a virtual IP to the initiating peer. 162 - </para><para> 163 Push mode is currently supported for IKEv1, but not in IKEv2. It is used 164 by a few implementations only, pull mode is recommended. 165 ''; ··· 174 To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the 175 NAT detection payloads. This makes the peer believe that NAT takes place 176 on the path, forcing it to encapsulate ESP packets in UDP. 177 - </para><para> 178 Usually this is not required, but it can help to work around connectivity 179 issues with too restrictive intermediary firewalls. 180 ''; ··· 183 Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 184 connections, and allows mobility of clients and multi-homing on servers by 185 migrating active IPsec tunnels. 186 - </para><para> 187 Usually keeping MOBIKE enabled is unproblematic, as it is not used if the 188 peer does not indicate support for it. However, due to the design of 189 MOBIKE, IKEv2 always floats to port 4500 starting from the second ··· 222 <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing 223 support for this feature.</para></listitem> 224 </itemizedlist> 225 - </para><para> 226 Note that fragmented IKE messages sent by a peer are always processed 227 irrespective of the value of this option (even when set to no). 228 ''; ··· 284 unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' 285 Connection uniqueness policy to enforce. To avoid multiple connections 286 from the same user, a uniqueness policy can be enforced. 287 - </para><para> 288 <itemizedlist> 289 <listitem><para> 290 The value <literal>never</literal> does never enforce such a policy, even ··· 306 To compare connections for uniqueness, the remote IKE identity is used. If 307 EAP or XAuth authentication is involved, the EAP-Identity or XAuth 308 username is used to enforce the uniqueness policy instead. 309 - </para><para> 310 On initiators this setting specifies whether an INITIAL_CONTACT notify is 311 sent during IKE_AUTH if no existing connection is found with the remote 312 peer (determined by the identities of the first authentication ··· 320 possible to actively reauthenticate as responder. The IKEv2 321 reauthentication lifetime negotiation can instruct the client to perform 322 reauthentication. 323 - </para><para> 324 Reauthentication is disabled by default. Enabling it usually may lead to 325 small connection interruptions, as strongSwan uses a break-before-make 326 policy with IKEv2 to avoid any conflicts with associated tunnel resources. ··· 330 IKE rekeying refreshes key material using a Diffie-Hellman exchange, but 331 does not re-check associated credentials. It is supported in IKEv2 only, 332 IKEv1 performs a reauthentication procedure instead. 333 - </para><para> 334 With the default value IKE rekeying is scheduled every 4 hours, minus the 335 configured rand_time. If a reauth_time is configured, rekey_time defaults 336 to zero, disabling rekeying; explicitly set both to enforce rekeying and ··· 343 perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails 344 to rekey or reauthenticate within the specified time, the IKE_SA gets 345 closed. 346 - </para><para> 347 In contrast to CHILD_SA rekeying, over_time is relative in time to the 348 rekey_time and reauth_time values, as it applies to both. 349 - </para><para> 350 The default is 10% of the longer of <option>rekey_time</option> and 351 <option>reauth_time</option>. 352 ''; ··· 356 rekey/reauth times. To avoid having both peers initiating the rekey/reauth 357 procedure simultaneously, a random time gets subtracted from the 358 rekey/reauth times. 359 - </para><para> 360 The default is equal to the configured <option>over_time</option>. 361 ''; 362 ··· 410 List of certificate candidates to use for 411 authentication. The certificates may use a relative path from the 412 swanctl <literal>x509</literal> directory or an absolute path. 413 - </para><para> 414 The certificate used for authentication is selected based on the 415 received certificate request payloads. If no appropriate CA can be 416 located, the first certificate is used. ··· 426 List of raw public key candidates to use for 427 authentication. The public keys may use a relative path from the swanctl 428 <literal>pubkey</literal> directory or an absolute path. 429 - </para><para> 430 Even though multiple local public keys could be defined in principle, 431 only the first public key in the list is used for authentication. 432 ''; ··· 504 authentication. This identity may differ from the IKE identity, 505 especially when EAP authentication is delegated from the IKE responder 506 to an AAA backend. 507 - </para><para> 508 For EAP-(T)TLS, this defines the identity for which the server must 509 provide a certificate in the TLS exchange. 510 ''; ··· 518 defines the rules how authentication is performed for the local 519 peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 520 Authentication or IKEv1 XAuth. 521 - </para><para> 522 Each round is defined in a section having <literal>local</literal> as 523 prefix, and an optional unique suffix. To define a single authentication 524 round, the suffix may be omitted. ··· 620 Authentication to expect from remote. See the <option>local</option> 621 section's <option>auth</option> keyword description about the details of 622 supported mechanisms. 623 - </para><para> 624 Since 5.4.0, to require a trustchain public key strength for the remote 625 side, specify the key type followed by the minimum strength in bits (for 626 example <literal>ecdsa-384</literal> or ··· 641 <literal>pubkey</literal> or <literal>rsa</literal> constraints are 642 configured RSASSA-PSS signatures will only be accepted if enabled in 643 <literal>strongswan.conf</literal>(5). 644 - </para><para> 645 To specify trust chain constraints for EAP-(T)TLS, append a colon to the 646 EAP method, followed by the key type/size and hash algorithm as 647 discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). ··· 652 defines the constraints how the peers must authenticate to use this 653 connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 654 Authentication or IKEv1 XAuth. 655 - </para><para> 656 Each round is defined in a section having <literal>remote</literal> as 657 prefix, and an optional unique suffix. To define a single authentication 658 round, the suffix may be omitted. ··· 665 Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode 666 rekeying and initial negotiation uses a separate Diffie-Hellman exchange 667 using the specified group (refer to esp_proposals for details). 668 - </para><para> 669 In IKEv2, multiple algorithms of the same kind can be specified in a 670 single proposal, from which one gets selected. In IKEv1, only one 671 algorithm per kind is allowed per proposal, more algorithms get 672 implicitly stripped. Use multiple proposals to offer different algorithms 673 combinations in IKEv1. 674 - </para><para> 675 Algorithm keywords get separated using dashes. Multiple proposals may be 676 specified in a list. The special value <literal>default</literal> forms 677 a default proposal of supported algorithms considered safe, and is ··· 686 an optional Extended Sequence Number Mode indicator. For AEAD proposals, 687 a combined mode algorithm is used instead of the separate 688 encryption/integrity algorithms. 689 - </para><para> 690 If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial 691 negotiation use a separate Diffie-Hellman exchange using the specified 692 group. However, for IKEv2, the keys of the CHILD_SA created implicitly ··· 695 rekeyed or is created with a separate CREATE_CHILD_SA exchange. A 696 proposal mismatch might, therefore, not immediately be noticed when the 697 SA is established, but may later cause rekeying to fail. 698 - </para><para> 699 Extended Sequence Number support may be indicated with the 700 <literal>esn</literal> and <literal>noesn</literal> values, both may be 701 included to indicate support for both modes. If omitted, 702 <literal>noesn</literal> is assumed. 703 - </para><para> 704 In IKEv2, multiple algorithms of the same kind can be specified in a 705 single proposal, from which one gets selected. In IKEv1, only one 706 algorithm per kind is allowed per proposal, more algorithms get 707 implicitly stripped. Use multiple proposals to offer different algorithms 708 combinations in IKEv1. 709 - </para><para> 710 Algorithm keywords get separated using dashes. Multiple proposals may be 711 specified as a list. The special value <literal>default</literal> forms 712 a default proposal of supported algorithms considered safe, and is ··· 729 selector. The special value <literal>dynamic</literal> may be used 730 instead of a subnet definition, which gets replaced by the tunnel outer 731 address or the virtual IP, if negotiated. This is the default. 732 - </para><para> 733 A protocol/port selector is surrounded by opening and closing square 734 brackets. Between these brackets, a numeric or getservent(3) protocol 735 name may be specified. After the optional protocol restriction, an ··· 738 special value <literal>opaque</literal> for RFC 4301 OPAQUE 739 selectors. Port ranges may be specified as well, none of the kernel 740 backends currently support port ranges, though. 741 - </para><para> 742 When IKEv1 is used only the first selector is interpreted, except if the 743 Cisco Unity extension plugin is used. This is due to a limitation of the 744 IKEv1 protocol, which only allows a single pair of selectors per ··· 761 specified in the proposal. To avoid rekey collisions initiated by both 762 ends simultaneously, a value in the range of <option>rand_time</option> 763 gets subtracted to form the effective soft lifetime. 764 - </para><para> 765 By default CHILD_SA rekeying is scheduled every hour, minus 766 <option>rand_time</option>. 767 ''; ··· 783 Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA 784 rekeying refreshes key material, optionally using a Diffie-Hellman 785 exchange if a group is specified in the proposal. 786 - </para><para> 787 To avoid rekey collisions initiated by both ends simultaneously, a value 788 in the range of <option>rand_bytes</option> gets subtracted to form the 789 effective soft volume limit. 790 - </para><para> 791 Volume based CHILD_SA rekeying is disabled by default. 792 ''; 793 ··· 808 Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA 809 rekeying refreshes key material, optionally using a Diffie-Hellman 810 exchange if a group is specified in the proposal. 811 - </para><para> 812 To avoid rekey collisions initiated by both ends simultaneously, a value 813 in the range of <option>rand_packets</option> gets subtracted to form 814 the effective soft packet count limit. 815 - </para><para> 816 Packet count based CHILD_SA rekeying is disabled by default. 817 ''; 818 ··· 821 this hard packets limit is never reached, because the CHILD_SA gets 822 rekeyed before. If that fails for whatever reason, this limit closes the 823 CHILD_SA. 824 - </para><para> 825 The default is 10% more than <option>rekey_bytes</option>. 826 ''; 827 ··· 936 <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, 937 beyond that the value <literal>%unique-dir</literal> assigns a different 938 unique mark for each 939 - </para><para> 940 An additional mask may be appended to the mark, separated by 941 <literal>/</literal>. The default mask if omitted is 942 <literal>0xffffffff</literal>. ··· 960 value <literal>%unique</literal> sets a unique mark on each CHILD_SA 961 instance, beyond that the value <literal>%unique-dir</literal> assigns a 962 different unique mark for each CHILD_SA direction (in/out). 963 - </para><para> 964 An additional mask may be appended to the mark, separated by 965 <literal>/</literal>. The default mask if omitted is 966 <literal>0xffffffff</literal>. ··· 1102 <literal>start</literal> tries to re-create the CHILD_SA. 1103 </para></listitem> 1104 </itemizedlist> 1105 - </para><para> 1106 <option>close_action</option> does not provide any guarantee that the 1107 CHILD_SA is kept alive. It acts on explicit close messages only, but not 1108 on negotiation failures. Use trap policies to reliably re-create failed

··· 15 file = mkOptionalStrParam '' 16 Absolute path to the certificate to load. Passed as-is to the daemon, so 17 it must be readable by it. 18 + 19 Configure either this or <option>handle</option>, but not both, in one section. 20 ''; 21 22 handle = mkOptionalHexParam '' 23 Hex-encoded CKA_ID or handle of the certificate on a token or TPM, 24 respectively. 25 + 26 Configure either this or <option>file</option>, but not both, in one section. 27 ''; 28 ··· 40 cacert = mkOptionalStrParam '' 41 The certificates may use a relative path from the swanctl 42 <literal>x509ca</literal> directory or an absolute path. 43 + 44 Configure one of <option>cacert</option>, 45 <option>file</option>, or 46 <option>handle</option> per section. ··· 82 local_addrs = mkCommaSepListParam [] '' 83 Local address(es) to use for IKE communication. Takes 84 single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. 85 + 86 As initiator, the first non-range/non-subnet is used to initiate the 87 connection from. As responder, the local destination address must match at 88 least to one of the specified addresses, subnets or ranges. 89 + 90 If FQDNs are assigned they are resolved every time a configuration lookup 91 is done. If DNS resolution times out, the lookup is delayed for that time. 92 ''; ··· 94 remote_addrs = mkCommaSepListParam [] '' 95 Remote address(es) to use for IKE communication. Takes 96 single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. 97 + 98 As initiator, the first non-range/non-subnet is used to initiate the 99 connection to. As responder, the initiator source address must match at 100 least to one of the specified addresses, subnets or ranges. 101 + 102 If FQDNs are assigned they are resolved every time a configuration lookup 103 is done. If DNS resolution times out, the lookup is delayed for that time. 104 To initiate a connection, at least one specific address or DNS name must ··· 110 backend is used, which is usually <literal>500</literal>. If port 111 <literal>500</literal> is used, automatic IKE port floating to port 112 <literal>4500</literal> is used to work around NAT issues. 113 + 114 Using a non-default local IKE port requires support from the socket 115 backend in use (socket-dynamic). 116 ''; ··· 126 for IKE an encryption algorithm, an integrity algorithm, a pseudo random 127 function and a Diffie-Hellman group. For AEAD algorithms, instead of 128 encryption and integrity algorithms, a combined algorithm is used. 129 + 130 In IKEv2, multiple algorithms of the same kind can be specified in a 131 single proposal, from which one gets selected. In IKEv1, only one 132 algorithm per kind is allowed per proposal, more algorithms get implicitly 133 stripped. Use multiple proposals to offer different algorithms 134 combinations in IKEv1. 135 + 136 Algorithm keywords get separated using dashes. Multiple proposals may be 137 specified in a list. The special value <literal>default</literal> forms a 138 default proposal of supported algorithms considered safe, and is usually a ··· 159 If the default of yes is used, Mode Config works in pull mode, where the 160 initiator actively requests a virtual IP. With no, push mode is used, 161 where the responder pushes down a virtual IP to the initiating peer. 162 + 163 Push mode is currently supported for IKEv1, but not in IKEv2. It is used 164 by a few implementations only, pull mode is recommended. 165 ''; ··· 174 To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the 175 NAT detection payloads. This makes the peer believe that NAT takes place 176 on the path, forcing it to encapsulate ESP packets in UDP. 177 + 178 Usually this is not required, but it can help to work around connectivity 179 issues with too restrictive intermediary firewalls. 180 ''; ··· 183 Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 184 connections, and allows mobility of clients and multi-homing on servers by 185 migrating active IPsec tunnels. 186 + 187 Usually keeping MOBIKE enabled is unproblematic, as it is not used if the 188 peer does not indicate support for it. However, due to the design of 189 MOBIKE, IKEv2 always floats to port 4500 starting from the second ··· 222 <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing 223 support for this feature.</para></listitem> 224 </itemizedlist> 225 + 226 Note that fragmented IKE messages sent by a peer are always processed 227 irrespective of the value of this option (even when set to no). 228 ''; ··· 284 unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' 285 Connection uniqueness policy to enforce. To avoid multiple connections 286 from the same user, a uniqueness policy can be enforced. 287 + 288 <itemizedlist> 289 <listitem><para> 290 The value <literal>never</literal> does never enforce such a policy, even ··· 306 To compare connections for uniqueness, the remote IKE identity is used. If 307 EAP or XAuth authentication is involved, the EAP-Identity or XAuth 308 username is used to enforce the uniqueness policy instead. 309 + 310 On initiators this setting specifies whether an INITIAL_CONTACT notify is 311 sent during IKE_AUTH if no existing connection is found with the remote 312 peer (determined by the identities of the first authentication ··· 320 possible to actively reauthenticate as responder. The IKEv2 321 reauthentication lifetime negotiation can instruct the client to perform 322 reauthentication. 323 + 324 Reauthentication is disabled by default. Enabling it usually may lead to 325 small connection interruptions, as strongSwan uses a break-before-make 326 policy with IKEv2 to avoid any conflicts with associated tunnel resources. ··· 330 IKE rekeying refreshes key material using a Diffie-Hellman exchange, but 331 does not re-check associated credentials. It is supported in IKEv2 only, 332 IKEv1 performs a reauthentication procedure instead. 333 + 334 With the default value IKE rekeying is scheduled every 4 hours, minus the 335 configured rand_time. If a reauth_time is configured, rekey_time defaults 336 to zero, disabling rekeying; explicitly set both to enforce rekeying and ··· 343 perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails 344 to rekey or reauthenticate within the specified time, the IKE_SA gets 345 closed. 346 + 347 In contrast to CHILD_SA rekeying, over_time is relative in time to the 348 rekey_time and reauth_time values, as it applies to both. 349 + 350 The default is 10% of the longer of <option>rekey_time</option> and 351 <option>reauth_time</option>. 352 ''; ··· 356 rekey/reauth times. To avoid having both peers initiating the rekey/reauth 357 procedure simultaneously, a random time gets subtracted from the 358 rekey/reauth times. 359 + 360 The default is equal to the configured <option>over_time</option>. 361 ''; 362 ··· 410 List of certificate candidates to use for 411 authentication. The certificates may use a relative path from the 412 swanctl <literal>x509</literal> directory or an absolute path. 413 + 414 The certificate used for authentication is selected based on the 415 received certificate request payloads. If no appropriate CA can be 416 located, the first certificate is used. ··· 426 List of raw public key candidates to use for 427 authentication. The public keys may use a relative path from the swanctl 428 <literal>pubkey</literal> directory or an absolute path. 429 + 430 Even though multiple local public keys could be defined in principle, 431 only the first public key in the list is used for authentication. 432 ''; ··· 504 authentication. This identity may differ from the IKE identity, 505 especially when EAP authentication is delegated from the IKE responder 506 to an AAA backend. 507 + 508 For EAP-(T)TLS, this defines the identity for which the server must 509 provide a certificate in the TLS exchange. 510 ''; ··· 518 defines the rules how authentication is performed for the local 519 peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 520 Authentication or IKEv1 XAuth. 521 + 522 Each round is defined in a section having <literal>local</literal> as 523 prefix, and an optional unique suffix. To define a single authentication 524 round, the suffix may be omitted. ··· 620 Authentication to expect from remote. See the <option>local</option> 621 section's <option>auth</option> keyword description about the details of 622 supported mechanisms. 623 + 624 Since 5.4.0, to require a trustchain public key strength for the remote 625 side, specify the key type followed by the minimum strength in bits (for 626 example <literal>ecdsa-384</literal> or ··· 641 <literal>pubkey</literal> or <literal>rsa</literal> constraints are 642 configured RSASSA-PSS signatures will only be accepted if enabled in 643 <literal>strongswan.conf</literal>(5). 644 + 645 To specify trust chain constraints for EAP-(T)TLS, append a colon to the 646 EAP method, followed by the key type/size and hash algorithm as 647 discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). ··· 652 defines the constraints how the peers must authenticate to use this 653 connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 654 Authentication or IKEv1 XAuth. 655 + 656 Each round is defined in a section having <literal>remote</literal> as 657 prefix, and an optional unique suffix. To define a single authentication 658 round, the suffix may be omitted. ··· 665 Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode 666 rekeying and initial negotiation uses a separate Diffie-Hellman exchange 667 using the specified group (refer to esp_proposals for details). 668 + 669 In IKEv2, multiple algorithms of the same kind can be specified in a 670 single proposal, from which one gets selected. In IKEv1, only one 671 algorithm per kind is allowed per proposal, more algorithms get 672 implicitly stripped. Use multiple proposals to offer different algorithms 673 combinations in IKEv1. 674 + 675 Algorithm keywords get separated using dashes. Multiple proposals may be 676 specified in a list. The special value <literal>default</literal> forms 677 a default proposal of supported algorithms considered safe, and is ··· 686 an optional Extended Sequence Number Mode indicator. For AEAD proposals, 687 a combined mode algorithm is used instead of the separate 688 encryption/integrity algorithms. 689 + 690 If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial 691 negotiation use a separate Diffie-Hellman exchange using the specified 692 group. However, for IKEv2, the keys of the CHILD_SA created implicitly ··· 695 rekeyed or is created with a separate CREATE_CHILD_SA exchange. A 696 proposal mismatch might, therefore, not immediately be noticed when the 697 SA is established, but may later cause rekeying to fail. 698 + 699 Extended Sequence Number support may be indicated with the 700 <literal>esn</literal> and <literal>noesn</literal> values, both may be 701 included to indicate support for both modes. If omitted, 702 <literal>noesn</literal> is assumed. 703 + 704 In IKEv2, multiple algorithms of the same kind can be specified in a 705 single proposal, from which one gets selected. In IKEv1, only one 706 algorithm per kind is allowed per proposal, more algorithms get 707 implicitly stripped. Use multiple proposals to offer different algorithms 708 combinations in IKEv1. 709 + 710 Algorithm keywords get separated using dashes. Multiple proposals may be 711 specified as a list. The special value <literal>default</literal> forms 712 a default proposal of supported algorithms considered safe, and is ··· 729 selector. The special value <literal>dynamic</literal> may be used 730 instead of a subnet definition, which gets replaced by the tunnel outer 731 address or the virtual IP, if negotiated. This is the default. 732 + 733 A protocol/port selector is surrounded by opening and closing square 734 brackets. Between these brackets, a numeric or getservent(3) protocol 735 name may be specified. After the optional protocol restriction, an ··· 738 special value <literal>opaque</literal> for RFC 4301 OPAQUE 739 selectors. Port ranges may be specified as well, none of the kernel 740 backends currently support port ranges, though. 741 + 742 When IKEv1 is used only the first selector is interpreted, except if the 743 Cisco Unity extension plugin is used. This is due to a limitation of the 744 IKEv1 protocol, which only allows a single pair of selectors per ··· 761 specified in the proposal. To avoid rekey collisions initiated by both 762 ends simultaneously, a value in the range of <option>rand_time</option> 763 gets subtracted to form the effective soft lifetime. 764 + 765 By default CHILD_SA rekeying is scheduled every hour, minus 766 <option>rand_time</option>. 767 ''; ··· 783 Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA 784 rekeying refreshes key material, optionally using a Diffie-Hellman 785 exchange if a group is specified in the proposal. 786 + 787 To avoid rekey collisions initiated by both ends simultaneously, a value 788 in the range of <option>rand_bytes</option> gets subtracted to form the 789 effective soft volume limit. 790 + 791 Volume based CHILD_SA rekeying is disabled by default. 792 ''; 793 ··· 808 Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA 809 rekeying refreshes key material, optionally using a Diffie-Hellman 810 exchange if a group is specified in the proposal. 811 + 812 To avoid rekey collisions initiated by both ends simultaneously, a value 813 in the range of <option>rand_packets</option> gets subtracted to form 814 the effective soft packet count limit. 815 + 816 Packet count based CHILD_SA rekeying is disabled by default. 817 ''; 818 ··· 821 this hard packets limit is never reached, because the CHILD_SA gets 822 rekeyed before. If that fails for whatever reason, this limit closes the 823 CHILD_SA. 824 + 825 The default is 10% more than <option>rekey_bytes</option>. 826 ''; 827 ··· 936 <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, 937 beyond that the value <literal>%unique-dir</literal> assigns a different 938 unique mark for each 939 + 940 An additional mask may be appended to the mark, separated by 941 <literal>/</literal>. The default mask if omitted is 942 <literal>0xffffffff</literal>. ··· 960 value <literal>%unique</literal> sets a unique mark on each CHILD_SA 961 instance, beyond that the value <literal>%unique-dir</literal> assigns a 962 different unique mark for each CHILD_SA direction (in/out). 963 + 964 An additional mask may be appended to the mark, separated by 965 <literal>/</literal>. The default mask if omitted is 966 <literal>0xffffffff</literal>. ··· 1102 <literal>start</literal> tries to re-create the CHILD_SA. 1103 </para></listitem> 1104 </itemizedlist> 1105 + 1106 <option>close_action</option> does not provide any guarantee that the 1107 CHILD_SA is kept alive. It acts on explicit close messages only, but not 1108 on negotiation failures. Use trap policies to reliably re-create failed

+8 -10

nixos/modules/services/networking/wireguard.nix

··· 118 default = null; 119 type = with types; nullOr str; 120 example = "container"; 121 - description = ''The pre-existing network namespace in which the 122 WireGuard interface is created, and which retains the socket even if the 123 - interface is moved via <option>interfaceNamespace</option>. When 124 - <literal>null</literal>, the interface is created in the init namespace. 125 - See <link 126 - xlink:href="https://www.wireguard.com/netns/">documentation</link>. 127 ''; 128 }; 129 ··· 131 default = null; 132 type = with types; nullOr str; 133 example = "init"; 134 - description = ''The pre-existing network namespace the WireGuard 135 - interface is moved to. The special value <literal>init</literal> means 136 - the init namespace. When <literal>null</literal>, the interface is not 137 moved. 138 - See <link 139 - xlink:href="https://www.wireguard.com/netns/">documentation</link>. 140 ''; 141 }; 142 };

··· 118 default = null; 119 type = with types; nullOr str; 120 example = "container"; 121 + description = lib.mdDoc ''The pre-existing network namespace in which the 122 WireGuard interface is created, and which retains the socket even if the 123 + interface is moved via {option}`interfaceNamespace`. When 124 + `null`, the interface is created in the init namespace. 125 + See [documentation](https://www.wireguard.com/netns/). 126 ''; 127 }; 128 ··· 130 default = null; 131 type = with types; nullOr str; 132 example = "init"; 133 + description = lib.mdDoc ''The pre-existing network namespace the WireGuard 134 + interface is moved to. The special value `init` means 135 + the init namespace. When `null`, the interface is not 136 moved. 137 + See [documentation](https://www.wireguard.com/netns/). 138 ''; 139 }; 140 };

+1 -1

nixos/modules/services/networking/wpa_supplicant.nix

··· 190 description = '' 191 Whether to allow configuring networks "imperatively" (e.g. via 192 <package>wpa_supplicant_gui</package>) and declaratively via 193 - <xref linkend="opt-networking.wireless.networks" />. 194 195 Please note that this adds a custom patch to <package>wpa_supplicant</package>. 196 '';

··· 190 description = '' 191 Whether to allow configuring networks "imperatively" (e.g. via 192 <package>wpa_supplicant_gui</package>) and declaratively via 193 + <xref linkend="opt-networking.wireless.networks"/>. 194 195 Please note that this adds a custom patch to <package>wpa_supplicant</package>. 196 '';

+8 -8

nixos/modules/services/networking/yggdrasil.nix

··· 44 are supplied, they will be combined, with values from 45 <option>configFile</option> taking precedence. 46 47 - You can use the command <code>nix-shell -p yggdrasil --run 48 - "yggdrasil -genconf"</code> to generate default 49 configuration values with documentation. 50 ''; 51 }; ··· 64 type = types.nullOr types.str; 65 default = null; 66 example = "wheel"; 67 - description = "Group to grant access to the Yggdrasil control socket. If <code>null</code>, only root can access the socket."; 68 }; 69 70 openMulticastPort = mkOption { 71 type = bool; 72 default = false; 73 - description = '' 74 Whether to open the UDP port used for multicast peer 75 discovery. The NixOS firewall blocks link-local 76 communication, so in order to make local peering work you 77 - will also need to set <code>LinkLocalTCPPort</code> in your 78 - yggdrasil configuration (<option>config</option> or 79 - <option>configFile</option>) to a port number other than 0, 80 and then add that port to 81 - <option>networking.firewall.allowedTCPPorts</option>. 82 ''; 83 }; 84

··· 44 are supplied, they will be combined, with values from 45 <option>configFile</option> taking precedence. 46 47 + You can use the command <literal>nix-shell -p yggdrasil --run 48 + "yggdrasil -genconf"</literal> to generate default 49 configuration values with documentation. 50 ''; 51 }; ··· 64 type = types.nullOr types.str; 65 default = null; 66 example = "wheel"; 67 + description = lib.mdDoc "Group to grant access to the Yggdrasil control socket. If `null`, only root can access the socket."; 68 }; 69 70 openMulticastPort = mkOption { 71 type = bool; 72 default = false; 73 + description = lib.mdDoc '' 74 Whether to open the UDP port used for multicast peer 75 discovery. The NixOS firewall blocks link-local 76 communication, so in order to make local peering work you 77 + will also need to set `LinkLocalTCPPort` in your 78 + yggdrasil configuration ({option}`config` or 79 + {option}`configFile`) to a port number other than 0, 80 and then add that port to 81 + {option}`networking.firewall.allowedTCPPorts`. 82 ''; 83 }; 84

+7 -14

nixos/modules/services/networking/znc/default.nix

··· 156 format ZNC expects. This is much more flexible than the legacy options 157 under <option>services.znc.confOptions.*</option>, but also can't do 158 any type checking. 159 - </para> 160 - <para> 161 You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> 162 to view the current value. By default it contains a listener for port 163 5000 with SSL enabled. 164 - </para> 165 - <para> 166 Nix attributes called <literal>extraConfig</literal> will be inserted 167 verbatim into the resulting config file. 168 - </para> 169 - <para> 170 If <option>services.znc.useLegacyConfig</option> is turned on, the 171 option values in <option>services.znc.confOptions.*</option> will be 172 gracefully be applied to this option. 173 - </para> 174 - <para> 175 If you intend to update the configuration through this option, be sure 176 to enable <option>services.znc.mutable</option>, otherwise none of the 177 changes here will be applied after the initial deploy. ··· 184 description = '' 185 Configuration file for ZNC. It is recommended to use the 186 <option>config</option> option instead. 187 - </para> 188 - <para> 189 Setting this option will override any auto-generated config file 190 through the <option>confOptions</option> or <option>config</option> 191 options. ··· 208 Indicates whether to allow the contents of the 209 <literal>dataDir</literal> directory to be changed by the user at 210 run-time. 211 - </para> 212 - <para> 213 If enabled, modifications to the ZNC configuration after its initial 214 creation are not overwritten by a NixOS rebuild. If disabled, the 215 ZNC configuration is rebuilt on every NixOS rebuild. 216 - </para> 217 - <para> 218 If the user wants to manage the ZNC service using the web admin 219 interface, this option should be enabled. 220 '';

··· 156 format ZNC expects. This is much more flexible than the legacy options 157 under <option>services.znc.confOptions.*</option>, but also can't do 158 any type checking. 159 + 160 You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> 161 to view the current value. By default it contains a listener for port 162 5000 with SSL enabled. 163 + 164 Nix attributes called <literal>extraConfig</literal> will be inserted 165 verbatim into the resulting config file. 166 + 167 If <option>services.znc.useLegacyConfig</option> is turned on, the 168 option values in <option>services.znc.confOptions.*</option> will be 169 gracefully be applied to this option. 170 + 171 If you intend to update the configuration through this option, be sure 172 to enable <option>services.znc.mutable</option>, otherwise none of the 173 changes here will be applied after the initial deploy. ··· 180 description = '' 181 Configuration file for ZNC. It is recommended to use the 182 <option>config</option> option instead. 183 + 184 Setting this option will override any auto-generated config file 185 through the <option>confOptions</option> or <option>config</option> 186 options. ··· 203 Indicates whether to allow the contents of the 204 <literal>dataDir</literal> directory to be changed by the user at 205 run-time. 206 + 207 If enabled, modifications to the ZNC configuration after its initial 208 creation are not overwritten by a NixOS rebuild. If disabled, the 209 ZNC configuration is rebuilt on every NixOS rebuild. 210 + 211 If the user wants to manage the ZNC service using the web admin 212 interface, this option should be enabled. 213 '';

+1 -2

nixos/modules/services/networking/znc/options.nix

··· 106 <option>services.znc.confOptions.*</option> options. 107 You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> 108 to view the current value of the config. 109 - </para> 110 - <para> 111 In any case, if you need more flexibility, 112 <option>services.znc.config</option> can be used to override/add to 113 all of the legacy options.

··· 106 <option>services.znc.confOptions.*</option> options. 107 You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> 108 to view the current value of the config. 109 + 110 In any case, if you need more flexibility, 111 <option>services.znc.config</option> can be used to override/add to 112 all of the legacy options.

+4 -4

nixos/modules/services/security/privacyidea.nix

··· 78 using <package>envsubst</package> which is helpful for specifying 79 secrets: 80 <programlisting> 81 - { <xref linkend="opt-services.privacyidea.secretKey" /> = "$SECRET"; } 82 </programlisting> 83 84 The environment-file can now specify the actual secret key: ··· 207 description = '' 208 Attribute-set containing the settings for <package>privacyidea-ldap-proxy</package>. 209 It's possible to pass secrets using env-vars as substitutes and 210 - use the option <xref linkend="opt-services.privacyidea.ldap-proxy.environmentFile" /> 211 to inject them via <package>envsubst</package>. 212 ''; 213 }; ··· 215 environmentFile = mkOption { 216 default = null; 217 type = types.nullOr types.str; 218 - description = '' 219 Environment file containing secrets to be substituted into 220 - <xref linkend="opt-services.privacyidea.ldap-proxy.settings" />. 221 ''; 222 }; 223 };

··· 78 using <package>envsubst</package> which is helpful for specifying 79 secrets: 80 <programlisting> 81 + { <xref linkend="opt-services.privacyidea.secretKey"/> = "$SECRET"; } 82 </programlisting> 83 84 The environment-file can now specify the actual secret key: ··· 207 description = '' 208 Attribute-set containing the settings for <package>privacyidea-ldap-proxy</package>. 209 It's possible to pass secrets using env-vars as substitutes and 210 + use the option <xref linkend="opt-services.privacyidea.ldap-proxy.environmentFile"/> 211 to inject them via <package>envsubst</package>. 212 ''; 213 }; ··· 215 environmentFile = mkOption { 216 default = null; 217 type = types.nullOr types.str; 218 + description = lib.mdDoc '' 219 Environment file containing secrets to be substituted into 220 + [](#opt-services.privacyidea.ldap-proxy.settings). 221 ''; 222 }; 223 };

+2 -2

nixos/modules/services/security/step-ca.nix

··· 36 type = with lib.types; attrsOf anything; 37 description = '' 38 Settings that go into <filename>ca.json</filename>. See 39 - <link xlink:href="https://smallstep.com/docs/step-ca/configuration"> 40 - the step-ca manual</link> for more information. The easiest way to 41 configure this module would be to run <literal>step ca init</literal> 42 to generate <filename>ca.json</filename> and then import it using 43 <literal>builtins.fromJSON</literal>.

··· 36 type = with lib.types; attrsOf anything; 37 description = '' 38 Settings that go into <filename>ca.json</filename>. See 39 + <link xlink:href="https://smallstep.com/docs/step-ca/configuration">the step-ca manual</link> 40 + for more information. The easiest way to 41 configure this module would be to run <literal>step ca init</literal> 42 to generate <filename>ca.json</filename> and then import it using 43 <literal>builtins.fromJSON</literal>.

+8 -8

nixos/modules/services/security/tor.nix

··· 287 relay = { 288 enable = mkEnableOption ''relaying of Tor traffic for others. 289 290 - See <link xlink:href="https://www.torproject.org/docs/tor-doc-relay" /> 291 for details. 292 293 Setting this to true requires setting ··· 348 349 <para> 350 See 351 - <link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en" /> 352 for more info. 353 </para> 354 </listitem> ··· 366 <para> 367 Using this option will make Tor advertise your bridge 368 to users through various mechanisms like 369 - <link xlink:href="https://bridges.torproject.org/" />, though. 370 </para> 371 372 <important> ··· 384 </important> 385 386 <para> 387 - See <link xlink:href="https://www.torproject.org/docs/bridges.html.en" /> 388 for more info. 389 </para> 390 </listitem> ··· 419 </para> 420 421 <para> 422 - See <link xlink:href="https://www.torproject.org/docs/bridges.html.en" /> 423 for more info. 424 </para> 425 </listitem> ··· 476 }; 477 clientNames = mkOption { 478 type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+"); 479 - description = '' 480 Only clients that are listed here are authorized to access the hidden service. 481 - Generated authorization data can be found in <filename>${stateDir}/onion/$name/hostname</filename>. 482 Clients need to put this authorization data in their configuration file using 483 - <xref linkend="opt-services.tor.settings.HidServAuth"/>. 484 ''; 485 }; 486 };

··· 287 relay = { 288 enable = mkEnableOption ''relaying of Tor traffic for others. 289 290 + See <link xlink:href="https://www.torproject.org/docs/tor-doc-relay"/> 291 for details. 292 293 Setting this to true requires setting ··· 348 349 <para> 350 See 351 + <link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en"/> 352 for more info. 353 </para> 354 </listitem> ··· 366 <para> 367 Using this option will make Tor advertise your bridge 368 to users through various mechanisms like 369 + <link xlink:href="https://bridges.torproject.org/"/>, though. 370 </para> 371 372 <important> ··· 384 </important> 385 386 <para> 387 + See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/> 388 for more info. 389 </para> 390 </listitem> ··· 419 </para> 420 421 <para> 422 + See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/> 423 for more info. 424 </para> 425 </listitem> ··· 476 }; 477 clientNames = mkOption { 478 type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+"); 479 + description = lib.mdDoc '' 480 Only clients that are listed here are authorized to access the hidden service. 481 + Generated authorization data can be found in {file}`${stateDir}/onion/$name/hostname`. 482 Clients need to put this authorization data in their configuration file using 483 + [](#opt-services.tor.settings.HidServAuth). 484 ''; 485 }; 486 };

+2 -2

nixos/modules/services/security/vault.nix

··· 116 storageConfig = mkOption { 117 type = types.nullOr types.lines; 118 default = null; 119 - description = '' 120 HCL configuration to insert in the storageBackend section. 121 122 Confidential values should not be specified here because this option's 123 value is written to the Nix store, which is publicly readable. 124 Provide credentials and such in a separate file using 125 - <xref linkend="opt-services.vault.extraSettingsPaths"/>. 126 ''; 127 }; 128

··· 116 storageConfig = mkOption { 117 type = types.nullOr types.lines; 118 default = null; 119 + description = lib.mdDoc '' 120 HCL configuration to insert in the storageBackend section. 121 122 Confidential values should not be specified here because this option's 123 value is written to the Nix store, which is publicly readable. 124 Provide credentials and such in a separate file using 125 + [](#opt-services.vault.extraSettingsPaths). 126 ''; 127 }; 128

+1 -1

nixos/modules/services/security/vaultwarden/default.nix

··· 116 The available configuration options can be found in 117 <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. 118 119 - See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how 120 to set up access to the Admin UI to invite initial users. 121 ''; 122 };

··· 116 The available configuration options can be found in 117 <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. 118 119 + See <xref linkend="opt-services.vaultwarden.environmentFile"/> for how 120 to set up access to the Admin UI to invite initial users. 121 ''; 122 };

+7 -7

nixos/modules/services/system/dbus.nix

··· 38 packages = mkOption { 39 type = types.listOf types.path; 40 default = [ ]; 41 - description = '' 42 Packages whose D-Bus configuration files should be included in 43 the configuration of the D-Bus system-wide or session-wide 44 message bus. Specifically, files in the following directories 45 will be included into their respective DBus configuration paths: 46 - <filename><replaceable>pkg</replaceable>/etc/dbus-1/system.d</filename> 47 - <filename><replaceable>pkg</replaceable>/share/dbus-1/system.d</filename> 48 - <filename><replaceable>pkg</replaceable>/share/dbus-1/system-services</filename> 49 - <filename><replaceable>pkg</replaceable>/etc/dbus-1/session.d</filename> 50 - <filename><replaceable>pkg</replaceable>/share/dbus-1/session.d</filename> 51 - <filename><replaceable>pkg</replaceable>/share/dbus-1/services</filename> 52 ''; 53 }; 54

··· 38 packages = mkOption { 39 type = types.listOf types.path; 40 default = [ ]; 41 + description = lib.mdDoc '' 42 Packages whose D-Bus configuration files should be included in 43 the configuration of the D-Bus system-wide or session-wide 44 message bus. Specifically, files in the following directories 45 will be included into their respective DBus configuration paths: 46 + {file}`«pkg»/etc/dbus-1/system.d` 47 + {file}`«pkg»/share/dbus-1/system.d` 48 + {file}`«pkg»/share/dbus-1/system-services` 49 + {file}`«pkg»/etc/dbus-1/session.d` 50 + {file}`«pkg»/share/dbus-1/session.d` 51 + {file}`«pkg»/share/dbus-1/services` 52 ''; 53 }; 54

+8 -8

nixos/modules/services/system/earlyoom.nix

··· 32 freeMemKillThreshold = mkOption { 33 type = types.nullOr (types.ints.between 1 100); 34 default = null; 35 - description = '' 36 Minimum available memory (in percent) before sending SIGKILL. 37 - If unset, this defaults to half of <option>freeMemThreshold</option>. 38 39 - See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. 40 ''; 41 }; 42 43 freeSwapThreshold = mkOption { 44 type = types.ints.between 1 100; 45 default = 10; 46 - description = '' 47 Minimum free swap space (in percent) before sending SIGTERM. 48 49 - See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. 50 ''; 51 }; 52 53 freeSwapKillThreshold = mkOption { 54 type = types.nullOr (types.ints.between 1 100); 55 default = null; 56 - description = '' 57 Minimum free swap space (in percent) before sending SIGKILL. 58 - If unset, this defaults to half of <option>freeSwapThreshold</option>. 59 60 - See the description of <xref linkend="opt-services.earlyoom.freeMemThreshold"/>. 61 ''; 62 }; 63

··· 32 freeMemKillThreshold = mkOption { 33 type = types.nullOr (types.ints.between 1 100); 34 default = null; 35 + description = lib.mdDoc '' 36 Minimum available memory (in percent) before sending SIGKILL. 37 + If unset, this defaults to half of {option}`freeMemThreshold`. 38 39 + See the description of [](#opt-services.earlyoom.freeMemThreshold). 40 ''; 41 }; 42 43 freeSwapThreshold = mkOption { 44 type = types.ints.between 1 100; 45 default = 10; 46 + description = lib.mdDoc '' 47 Minimum free swap space (in percent) before sending SIGTERM. 48 49 + See the description of [](#opt-services.earlyoom.freeMemThreshold). 50 ''; 51 }; 52 53 freeSwapKillThreshold = mkOption { 54 type = types.nullOr (types.ints.between 1 100); 55 default = null; 56 + description = lib.mdDoc '' 57 Minimum free swap space (in percent) before sending SIGKILL. 58 + If unset, this defaults to half of {option}`freeSwapThreshold`. 59 60 + See the description of [](#opt-services.earlyoom.freeMemThreshold). 61 ''; 62 }; 63

+29 -29

nixos/modules/services/torrent/transmission.nix

··· 55 type = types.path; 56 default = "${cfg.home}/${incompleteDir}"; 57 defaultText = literalExpression ''"''${config.${opt.home}}/${incompleteDir}"''; 58 - description = '' 59 When enabled with 60 services.transmission.home 61 - <xref linkend="opt-services.transmission.settings.incomplete-dir-enabled"/>, 62 new torrents will download the files to this directory. 63 When complete, the files will be moved to download-dir 64 - <xref linkend="opt-services.transmission.settings.download-dir"/>. 65 ''; 66 }; 67 options.incomplete-dir-enabled = mkOption { ··· 82 options.peer-port-random-high = mkOption { 83 type = types.port; 84 default = 65535; 85 - description = '' 86 The maximum peer port to listen to for incoming connections 87 - when <xref linkend="opt-services.transmission.settings.peer-port-random-on-start"/> is enabled. 88 ''; 89 }; 90 options.peer-port-random-low = mkOption { 91 type = types.port; 92 default = 65535; 93 - description = '' 94 The minimal peer port to listen to for incoming connections 95 - when <xref linkend="opt-services.transmission.settings.peer-port-random-on-start"/> is enabled. 96 ''; 97 }; 98 options.peer-port-random-on-start = mkOption { ··· 117 options.script-torrent-done-enabled = mkOption { 118 type = types.bool; 119 default = false; 120 - description = '' 121 Whether to run 122 - <xref linkend="opt-services.transmission.settings.script-torrent-done-filename"/> 123 at torrent completion. 124 ''; 125 }; ··· 156 options.watch-dir-enabled = mkOption { 157 type = types.bool; 158 default = false; 159 - description = ''Whether to enable the 160 - <xref linkend="opt-services.transmission.settings.watch-dir"/>. 161 ''; 162 }; 163 options.trash-original-torrent-files = mkOption { 164 type = types.bool; 165 default = false; 166 - description = ''Whether to delete torrents added from the 167 - <xref linkend="opt-services.transmission.settings.watch-dir"/>. 168 ''; 169 }; 170 }; ··· 174 type = with types; nullOr str; 175 default = null; 176 example = "770"; 177 - description = '' 178 - If not <code>null</code>, is used as the permissions 179 - set by <literal>systemd.activationScripts.transmission-daemon</literal> 180 - on the directories <xref linkend="opt-services.transmission.settings.download-dir"/>, 181 - <xref linkend="opt-services.transmission.settings.incomplete-dir"/>. 182 - and <xref linkend="opt-services.transmission.settings.watch-dir"/>. 183 Note that you may also want to change 184 - <xref linkend="opt-services.transmission.settings.umask"/>. 185 ''; 186 }; 187 188 home = mkOption { 189 type = types.path; 190 default = "/var/lib/transmission"; 191 - description = '' 192 - The directory where Transmission will create <literal>${settingsDir}</literal>. 193 - as well as <literal>${downloadsDir}/</literal> unless 194 - <xref linkend="opt-services.transmission.settings.download-dir"/> is changed, 195 - and <literal>${incompleteDir}/</literal> unless 196 - <xref linkend="opt-services.transmission.settings.incomplete-dir"/> is changed. 197 ''; 198 }; 199 ··· 211 212 credentialsFile = mkOption { 213 type = types.path; 214 - description = '' 215 Path to a JSON file to be merged with the settings. 216 Useful to merge a file which is better kept out of the Nix store 217 - to set secret config parameters like <code>rpc-password</code>. 218 ''; 219 default = "/dev/null"; 220 example = "/var/lib/secrets/transmission/settings.json"; ··· 237 to open many more connections at the same time. 238 239 Note that you may also want to increase 240 - <code>peer-limit-global"</code>. 241 And be aware that these settings are quite aggressive 242 and might not suite your regular desktop use. 243 For instance, SSH sessions may time out more easily'';

··· 55 type = types.path; 56 default = "${cfg.home}/${incompleteDir}"; 57 defaultText = literalExpression ''"''${config.${opt.home}}/${incompleteDir}"''; 58 + description = lib.mdDoc '' 59 When enabled with 60 services.transmission.home 61 + [](#opt-services.transmission.settings.incomplete-dir-enabled), 62 new torrents will download the files to this directory. 63 When complete, the files will be moved to download-dir 64 + [](#opt-services.transmission.settings.download-dir). 65 ''; 66 }; 67 options.incomplete-dir-enabled = mkOption { ··· 82 options.peer-port-random-high = mkOption { 83 type = types.port; 84 default = 65535; 85 + description = lib.mdDoc '' 86 The maximum peer port to listen to for incoming connections 87 + when [](#opt-services.transmission.settings.peer-port-random-on-start) is enabled. 88 ''; 89 }; 90 options.peer-port-random-low = mkOption { 91 type = types.port; 92 default = 65535; 93 + description = lib.mdDoc '' 94 The minimal peer port to listen to for incoming connections 95 + when [](#opt-services.transmission.settings.peer-port-random-on-start) is enabled. 96 ''; 97 }; 98 options.peer-port-random-on-start = mkOption { ··· 117 options.script-torrent-done-enabled = mkOption { 118 type = types.bool; 119 default = false; 120 + description = lib.mdDoc '' 121 Whether to run 122 + [](#opt-services.transmission.settings.script-torrent-done-filename) 123 at torrent completion. 124 ''; 125 }; ··· 156 options.watch-dir-enabled = mkOption { 157 type = types.bool; 158 default = false; 159 + description = lib.mdDoc ''Whether to enable the 160 + [](#opt-services.transmission.settings.watch-dir). 161 ''; 162 }; 163 options.trash-original-torrent-files = mkOption { 164 type = types.bool; 165 default = false; 166 + description = lib.mdDoc ''Whether to delete torrents added from the 167 + [](#opt-services.transmission.settings.watch-dir). 168 ''; 169 }; 170 }; ··· 174 type = with types; nullOr str; 175 default = null; 176 example = "770"; 177 + description = lib.mdDoc '' 178 + If not `null`, is used as the permissions 179 + set by `systemd.activationScripts.transmission-daemon` 180 + on the directories [](#opt-services.transmission.settings.download-dir), 181 + [](#opt-services.transmission.settings.incomplete-dir). 182 + and [](#opt-services.transmission.settings.watch-dir). 183 Note that you may also want to change 184 + [](#opt-services.transmission.settings.umask). 185 ''; 186 }; 187 188 home = mkOption { 189 type = types.path; 190 default = "/var/lib/transmission"; 191 + description = lib.mdDoc '' 192 + The directory where Transmission will create `${settingsDir}`. 193 + as well as `${downloadsDir}/` unless 194 + [](#opt-services.transmission.settings.download-dir) is changed, 195 + and `${incompleteDir}/` unless 196 + [](#opt-services.transmission.settings.incomplete-dir) is changed. 197 ''; 198 }; 199 ··· 211 212 credentialsFile = mkOption { 213 type = types.path; 214 + description = lib.mdDoc '' 215 Path to a JSON file to be merged with the settings. 216 Useful to merge a file which is better kept out of the Nix store 217 + to set secret config parameters like `rpc-password`. 218 ''; 219 default = "/dev/null"; 220 example = "/var/lib/secrets/transmission/settings.json"; ··· 237 to open many more connections at the same time. 238 239 Note that you may also want to increase 240 + <literal>peer-limit-global"</literal>. 241 And be aware that these settings are quite aggressive 242 and might not suite your regular desktop use. 243 For instance, SSH sessions may time out more easily'';

+2 -2

nixos/modules/services/web-apps/bookstack.nix

··· 52 description = '' 53 A file containing the Laravel APP_KEY - a 32 character long, 54 base64 encoded key used for encryption where needed. Can be 55 - generated with <code>head -c 32 /dev/urandom | base64</code>. 56 ''; 57 example = "/run/keys/bookstack-appkey"; 58 type = types.path; ··· 74 appURL = mkOption { 75 description = '' 76 The root URL that you want to host BookStack on. All URLs in BookStack will be generated using this value. 77 - If you change this in the future you may need to run a command to update stored URLs in the database. Command example: <code>php artisan bookstack:update-url https://old.example.com https://new.example.com</code> 78 ''; 79 default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostname}"; 80 defaultText = ''http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostname}'';

··· 52 description = '' 53 A file containing the Laravel APP_KEY - a 32 character long, 54 base64 encoded key used for encryption where needed. Can be 55 + generated with <literal>head -c 32 /dev/urandom | base64</literal>. 56 ''; 57 example = "/run/keys/bookstack-appkey"; 58 type = types.path; ··· 74 appURL = mkOption { 75 description = '' 76 The root URL that you want to host BookStack on. All URLs in BookStack will be generated using this value. 77 + If you change this in the future you may need to run a command to update stored URLs in the database. Command example: <literal>php artisan bookstack:update-url https://old.example.com https://new.example.com</literal> 78 ''; 79 default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostname}"; 80 defaultText = ''http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostname}'';

+5 -5

nixos/modules/services/web-apps/dokuwiki.nix

··· 260 webserver = mkOption { 261 type = types.enum [ "nginx" "caddy" ]; 262 default = "nginx"; 263 - description = '' 264 Whether to use nginx or caddy for virtual host management. 265 266 - Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>. 267 - See <xref linkend="opt-services.nginx.virtualHosts"/> for further information. 268 269 - Further apache2 configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>. 270 - See <xref linkend="opt-services.httpd.virtualHosts"/> for further information. 271 ''; 272 }; 273

··· 260 webserver = mkOption { 261 type = types.enum [ "nginx" "caddy" ]; 262 default = "nginx"; 263 + description = lib.mdDoc '' 264 Whether to use nginx or caddy for virtual host management. 265 266 + Further nginx configuration can be done by adapting `services.nginx.virtualHosts.<name>`. 267 + See [](#opt-services.nginx.virtualHosts) for further information. 268 269 + Further apache2 configuration can be done by adapting `services.httpd.virtualHosts.<name>`. 270 + See [](#opt-services.httpd.virtualHosts) for further information. 271 ''; 272 }; 273

+2 -3

nixos/modules/services/web-apps/hedgedoc.nix

··· 150 addDefaults = true; 151 } 152 ''; 153 - description = '' 154 Specify the Content Security Policy which is passed to Helmet. 155 - For configuration details see <link xlink:href="https://helmetjs.github.io/docs/csp/" 156 - >https://helmetjs.github.io/docs/csp/</link>. 157 ''; 158 }; 159 protocolUseSSL = mkOption {

··· 150 addDefaults = true; 151 } 152 ''; 153 + description = lib.mdDoc '' 154 Specify the Content Security Policy which is passed to Helmet. 155 + For configuration details see <https://helmetjs.github.io/docs/csp/>. 156 ''; 157 }; 158 protocolUseSSL = mkOption {

+16 -23

nixos/modules/services/web-apps/keycloak.nix

··· 210 name = mkOption { 211 type = str; 212 default = "keycloak"; 213 - description = '' 214 Database name to use when connecting to an external or 215 manually provisioned database; has no effect when a local 216 database is automatically provisioned. 217 218 - To use this with a local database, set <xref 219 - linkend="opt-services.keycloak.database.createLocally" /> to 220 - <literal>false</literal> and create the database and user 221 manually. 222 ''; 223 }; ··· 225 username = mkOption { 226 type = str; 227 default = "keycloak"; 228 - description = '' 229 Username to use when connecting to an external or manually 230 provisioned database; has no effect when a local database is 231 automatically provisioned. 232 233 - To use this with a local database, set <xref 234 - linkend="opt-services.keycloak.database.createLocally" /> to 235 - <literal>false</literal> and create the database and user 236 manually. 237 ''; 238 }; ··· 329 want to set this to <literal>/auth</literal> to 330 keep compatibility with your clients. 331 332 - See <link 333 - xlink:href="https://www.keycloak.org/migration/migrating-to-quarkus" 334 - /> for more information on migrating from Wildfly 335 - to Quarkus. 336 </para> 337 </note> 338 ''; ··· 404 </varlistentry> 405 </variablelist> 406 407 - See <link 408 - xlink:href="https://www.keycloak.org/server/reverseproxy" 409 - /> for more information. 410 ''; 411 }; 412 }; ··· 421 } 422 ''; 423 424 - description = '' 425 Configuration options corresponding to parameters set in 426 - <filename>conf/keycloak.conf</filename>. 427 428 - Most available options are documented at <link 429 - xlink:href="https://www.keycloak.org/server/all-config" />. 430 431 Options containing secret data should be set to an attribute 432 - set containing the attribute <literal>_secret</literal> - a 433 string pointing to a file containing the value the option 434 should be set to. See the example to get a better picture of 435 this: in the resulting 436 - <filename>conf/keycloak.conf</filename> file, the 437 - <literal>https-key-store-password</literal> key will be set 438 to the contents of the 439 - <filename>/run/keys/store_password</filename> file. 440 ''; 441 }; 442 };

··· 210 name = mkOption { 211 type = str; 212 default = "keycloak"; 213 + description = lib.mdDoc '' 214 Database name to use when connecting to an external or 215 manually provisioned database; has no effect when a local 216 database is automatically provisioned. 217 218 + To use this with a local database, set [](#opt-services.keycloak.database.createLocally) to 219 + `false` and create the database and user 220 manually. 221 ''; 222 }; ··· 224 username = mkOption { 225 type = str; 226 default = "keycloak"; 227 + description = lib.mdDoc '' 228 Username to use when connecting to an external or manually 229 provisioned database; has no effect when a local database is 230 automatically provisioned. 231 232 + To use this with a local database, set [](#opt-services.keycloak.database.createLocally) to 233 + `false` and create the database and user 234 manually. 235 ''; 236 }; ··· 327 want to set this to <literal>/auth</literal> to 328 keep compatibility with your clients. 329 330 + See <link xlink:href="https://www.keycloak.org/migration/migrating-to-quarkus"/> 331 + for more information on migrating from Wildfly to Quarkus. 332 </para> 333 </note> 334 ''; ··· 400 </varlistentry> 401 </variablelist> 402 403 + See <link xlink:href="https://www.keycloak.org/server/reverseproxy"/> for more information. 404 ''; 405 }; 406 }; ··· 415 } 416 ''; 417 418 + description = lib.mdDoc '' 419 Configuration options corresponding to parameters set in 420 + {file}`conf/keycloak.conf`. 421 422 + Most available options are documented at <https://www.keycloak.org/server/all-config>. 423 424 Options containing secret data should be set to an attribute 425 + set containing the attribute `_secret` - a 426 string pointing to a file containing the value the option 427 should be set to. See the example to get a better picture of 428 this: in the resulting 429 + {file}`conf/keycloak.conf` file, the 430 + `https-key-store-password` key will be set 431 to the contents of the 432 + {file}`/run/keys/store_password` file. 433 ''; 434 }; 435 };

+18 -18

nixos/modules/services/web-apps/mastodon.nix

··· 113 affect other virtualHosts running on your nginx instance, if any. 114 Alternatively you can configure a reverse-proxy of your choice to serve these paths: 115 116 - <code>/ -> $(nix-instantiate --eval '<nixpkgs>' -A mastodon.outPath)/public</code> 117 118 - <code>/ -> 127.0.0.1:{{ webPort }} </code>(If there was no file in the directory above.) 119 120 - <code>/system/ -> /var/lib/mastodon/public-system/</code> 121 122 - <code>/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}</code> 123 124 Make sure that websockets are forwarded properly. You might want to set up caching 125 of some requests. Take a look at mastodon's provided nginx configuration at 126 - <code>https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf</code>. 127 ''; 128 type = lib.types.bool; 129 default = false; ··· 135 that user will be created, otherwise it should be set to the 136 name of a user created elsewhere. In both cases, 137 <package>mastodon</package> and a package containing only 138 - the shell script <code>mastodon-env</code> will be added to 139 the user's package set. To run a command from 140 - <package>mastodon</package> such as <code>tootctl</code> 141 with the environment configured by this module use 142 - <code>mastodon-env</code>, as in: 143 144 - <code>mastodon-env tootctl accounts create newuser --email newuser@example.com</code> 145 ''; 146 type = lib.types.str; 147 default = "mastodon"; ··· 197 }; 198 199 vapidPublicKeyFile = lib.mkOption { 200 - description = '' 201 Path to file containing the public key used for Web Push 202 Voluntary Application Server Identification. A new keypair can 203 be generated by running: 204 205 - <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys</code> 206 207 - If <option>mastodon.vapidPrivateKeyFile</option>does not 208 exist, it and this file will be created with a new keypair. 209 ''; 210 default = "/var/lib/mastodon/secrets/vapid-public-key"; ··· 218 }; 219 220 secretKeyBaseFile = lib.mkOption { 221 - description = '' 222 Path to file containing the secret key base. 223 A new secret key base can be generated by running: 224 225 - <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret</code> 226 227 If this file does not exist, it will be created with a new secret key base. 228 ''; ··· 231 }; 232 233 otpSecretFile = lib.mkOption { 234 - description = '' 235 Path to file containing the OTP secret. 236 A new OTP secret can be generated by running: 237 238 - <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret</code> 239 240 If this file does not exist, it will be created with a new OTP secret. 241 ''; ··· 244 }; 245 246 vapidPrivateKeyFile = lib.mkOption { 247 - description = '' 248 Path to file containing the private key used for Web Push 249 Voluntary Application Server Identification. A new keypair can 250 be generated by running: 251 252 - <code>nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys</code> 253 254 If this file does not exist, it will be created with a new 255 private key.

··· 113 affect other virtualHosts running on your nginx instance, if any. 114 Alternatively you can configure a reverse-proxy of your choice to serve these paths: 115 116 + <literal>/ -> $(nix-instantiate --eval '<nixpkgs>' -A mastodon.outPath)/public</literal> 117 118 + <literal>/ -> 127.0.0.1:{{ webPort }} </literal>(If there was no file in the directory above.) 119 120 + <literal>/system/ -> /var/lib/mastodon/public-system/</literal> 121 122 + <literal>/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}</literal> 123 124 Make sure that websockets are forwarded properly. You might want to set up caching 125 of some requests. Take a look at mastodon's provided nginx configuration at 126 + <literal>https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf</literal>. 127 ''; 128 type = lib.types.bool; 129 default = false; ··· 135 that user will be created, otherwise it should be set to the 136 name of a user created elsewhere. In both cases, 137 <package>mastodon</package> and a package containing only 138 + the shell script <literal>mastodon-env</literal> will be added to 139 the user's package set. To run a command from 140 + <package>mastodon</package> such as <literal>tootctl</literal> 141 with the environment configured by this module use 142 + <literal>mastodon-env</literal>, as in: 143 144 + <literal>mastodon-env tootctl accounts create newuser --email newuser@example.com</literal> 145 ''; 146 type = lib.types.str; 147 default = "mastodon"; ··· 197 }; 198 199 vapidPublicKeyFile = lib.mkOption { 200 + description = lib.mdDoc '' 201 Path to file containing the public key used for Web Push 202 Voluntary Application Server Identification. A new keypair can 203 be generated by running: 204 205 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys` 206 207 + If {option}`mastodon.vapidPrivateKeyFile`does not 208 exist, it and this file will be created with a new keypair. 209 ''; 210 default = "/var/lib/mastodon/secrets/vapid-public-key"; ··· 218 }; 219 220 secretKeyBaseFile = lib.mkOption { 221 + description = lib.mdDoc '' 222 Path to file containing the secret key base. 223 A new secret key base can be generated by running: 224 225 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret` 226 227 If this file does not exist, it will be created with a new secret key base. 228 ''; ··· 231 }; 232 233 otpSecretFile = lib.mkOption { 234 + description = lib.mdDoc '' 235 Path to file containing the OTP secret. 236 A new OTP secret can be generated by running: 237 238 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret` 239 240 If this file does not exist, it will be created with a new OTP secret. 241 ''; ··· 244 }; 245 246 vapidPrivateKeyFile = lib.mkOption { 247 + description = lib.mdDoc '' 248 Path to file containing the private key used for Web Push 249 Voluntary Application Server Identification. A new keypair can 250 be generated by running: 251 252 + `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys` 253 254 If this file does not exist, it will be created with a new 255 private key.

+1 -1

nixos/modules/services/web-apps/mediawiki.nix

··· 280 one version of MediaWiki, or have other applications that also use the 281 database, you can give the table names a unique prefix to stop any naming 282 conflicts or confusion. 283 - See <link xlink:href='https://www.mediawiki.org/wiki/Manual:$wgDBprefix'/>. 284 ''; 285 }; 286

··· 280 one version of MediaWiki, or have other applications that also use the 281 database, you can give the table names a unique prefix to stop any naming 282 conflicts or confusion. 283 + See <link xlink:href="https://www.mediawiki.org/wiki/Manual:$wgDBprefix"/>. 284 ''; 285 }; 286

+13 -13

nixos/modules/services/web-apps/nextcloud.nix

··· 93 type = types.str; 94 default = config.services.nextcloud.home; 95 defaultText = literalExpression "config.services.nextcloud.home"; 96 - description = '' 97 - Data storage path of nextcloud. Will be <xref linkend="opt-services.nextcloud.home" /> by default. 98 This folder will be populated with a config.php and data folder which contains the state of the instance (excl the database)."; 99 ''; 100 example = "/mnt/nextcloud-file"; ··· 102 extraApps = mkOption { 103 type = types.attrsOf types.package; 104 default = { }; 105 - description = '' 106 Extra apps to install. Should be an attrSet of appid to packages generated by fetchNextcloudApp. 107 The appid must be identical to the "id" value in the apps appinfo/info.xml. 108 - Using this will disable the appstore to prevent Nextcloud from updating these apps (see <xref linkend="opt-services.nextcloud.appstoreEnable" />). 109 ''; 110 example = literalExpression '' 111 { ··· 127 extraAppsEnable = mkOption { 128 type = types.bool; 129 default = true; 130 - description = '' 131 - Automatically enable the apps in <xref linkend="opt-services.nextcloud.extraApps" /> every time nextcloud starts. 132 If set to false, apps need to be enabled in the Nextcloud user interface or with nextcloud-occ app:enable. 133 ''; 134 }; ··· 136 type = types.nullOr types.bool; 137 default = null; 138 example = true; 139 - description = '' 140 Allow the installation of apps and app updates from the store. 141 - Enabled by default unless there are packages in <xref linkend="opt-services.nextcloud.extraApps" />. 142 - Set to true to force enable the store even if <xref linkend="opt-services.nextcloud.extraApps" /> is used. 143 Set to false to disable the installation of apps from the global appstore. App management is always enabled regardless of this setting. 144 ''; 145 }; ··· 467 This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF). 468 You may want to disable it for increased security. In that case, previews will still be available 469 for some images (e.g. JPEG and PNG). 470 - See <link xlink:href="https://github.com/nextcloud/server/issues/13099" />. 471 '' // { 472 default = true; 473 }; ··· 585 hstsMaxAge = mkOption { 586 type = types.ints.positive; 587 default = 15552000; 588 - description = '' 589 - Value for the <code>max-age</code> directive of the HTTP 590 - <code>Strict-Transport-Security</code> header. 591 592 See section 6.1.1 of IETF RFC 6797 for detailed information on this 593 directive and header.

··· 93 type = types.str; 94 default = config.services.nextcloud.home; 95 defaultText = literalExpression "config.services.nextcloud.home"; 96 + description = lib.mdDoc '' 97 + Data storage path of nextcloud. Will be [](#opt-services.nextcloud.home) by default. 98 This folder will be populated with a config.php and data folder which contains the state of the instance (excl the database)."; 99 ''; 100 example = "/mnt/nextcloud-file"; ··· 102 extraApps = mkOption { 103 type = types.attrsOf types.package; 104 default = { }; 105 + description = lib.mdDoc '' 106 Extra apps to install. Should be an attrSet of appid to packages generated by fetchNextcloudApp. 107 The appid must be identical to the "id" value in the apps appinfo/info.xml. 108 + Using this will disable the appstore to prevent Nextcloud from updating these apps (see [](#opt-services.nextcloud.appstoreEnable)). 109 ''; 110 example = literalExpression '' 111 { ··· 127 extraAppsEnable = mkOption { 128 type = types.bool; 129 default = true; 130 + description = lib.mdDoc '' 131 + Automatically enable the apps in [](#opt-services.nextcloud.extraApps) every time nextcloud starts. 132 If set to false, apps need to be enabled in the Nextcloud user interface or with nextcloud-occ app:enable. 133 ''; 134 }; ··· 136 type = types.nullOr types.bool; 137 default = null; 138 example = true; 139 + description = lib.mdDoc '' 140 Allow the installation of apps and app updates from the store. 141 + Enabled by default unless there are packages in [](#opt-services.nextcloud.extraApps). 142 + Set to true to force enable the store even if [](#opt-services.nextcloud.extraApps) is used. 143 Set to false to disable the installation of apps from the global appstore. App management is always enabled regardless of this setting. 144 ''; 145 }; ··· 467 This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF). 468 You may want to disable it for increased security. In that case, previews will still be available 469 for some images (e.g. JPEG and PNG). 470 + See <link xlink:href="https://github.com/nextcloud/server/issues/13099"/>. 471 '' // { 472 default = true; 473 }; ··· 585 hstsMaxAge = mkOption { 586 type = types.ints.positive; 587 default = 15552000; 588 + description = lib.mdDoc '' 589 + Value for the `max-age` directive of the HTTP 590 + `Strict-Transport-Security` header. 591 592 See section 6.1.1 of IETF RFC 6797 for detailed information on this 593 directive and header.

+2 -3

nixos/modules/services/web-apps/node-red.nix

··· 47 type = types.path; 48 default = "${cfg.package}/lib/node_modules/node-red/settings.js"; 49 defaultText = literalExpression ''"''${package}/lib/node_modules/node-red/settings.js"''; 50 - description = '' 51 Path to the JavaScript configuration file. 52 - See <link 53 - xlink:href="https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js"/> 54 for a configuration example. 55 ''; 56 };

··· 47 type = types.path; 48 default = "${cfg.package}/lib/node_modules/node-red/settings.js"; 49 defaultText = literalExpression ''"''${package}/lib/node_modules/node-red/settings.js"''; 50 + description = lib.mdDoc '' 51 Path to the JavaScript configuration file. 52 + See <https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js> 53 for a configuration example. 54 ''; 55 };

+2 -2

nixos/modules/services/web-apps/snipe-it.nix

··· 46 description = '' 47 A file containing the Laravel APP_KEY - a 32 character long, 48 base64 encoded key used for encryption where needed. Can be 49 - generated with <code>head -c 32 /dev/urandom | base64</code>. 50 ''; 51 example = "/run/keys/snipe-it/appkey"; 52 type = types.path; ··· 69 description = '' 70 The root URL that you want to host Snipe-IT on. All URLs in Snipe-IT will be generated using this value. 71 If you change this in the future you may need to run a command to update stored URLs in the database. 72 - Command example: <code>snipe-it snipe-it:update-url https://old.example.com https://new.example.com</code> 73 ''; 74 default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostName}"; 75 defaultText = ''

··· 46 description = '' 47 A file containing the Laravel APP_KEY - a 32 character long, 48 base64 encoded key used for encryption where needed. Can be 49 + generated with <literal>head -c 32 /dev/urandom | base64</literal>. 50 ''; 51 example = "/run/keys/snipe-it/appkey"; 52 type = types.path; ··· 69 description = '' 70 The root URL that you want to host Snipe-IT on. All URLs in Snipe-IT will be generated using this value. 71 If you change this in the future you may need to run a command to update stored URLs in the database. 72 + Command example: <literal>snipe-it snipe-it:update-url https://old.example.com https://new.example.com</literal> 73 ''; 74 default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostName}"; 75 defaultText = ''

+1 -1

nixos/modules/services/web-apps/trilium.nix

··· 53 noAuthentication = mkOption { 54 type = types.bool; 55 default = false; 56 - description = '' 57 If set to true, no password is required to access the web frontend. 58 ''; 59 };

··· 53 noAuthentication = mkOption { 54 type = types.bool; 55 default = false; 56 + description = lib.mdDoc '' 57 If set to true, no password is required to access the web frontend. 58 ''; 59 };

+2 -3

nixos/modules/services/web-apps/wiki-js.nix

··· 95 }; 96 description = '' 97 Settings to configure <package>wiki-js</package>. This directly 98 - corresponds to <link xlink:href="https://docs.requarks.io/install/config">the upstream 99 - configuration options</link>. 100 101 Secrets can be injected via the environment by 102 <itemizedlist> 103 - <listitem><para>specifying <xref linkend="opt-services.wiki-js.environmentFile" /> 104 to contain secrets</para></listitem> 105 <listitem><para>and setting sensitive values to <literal>$(ENVIRONMENT_VAR)</literal> 106 with this value defined in the environment-file.</para></listitem>

··· 95 }; 96 description = '' 97 Settings to configure <package>wiki-js</package>. This directly 98 + corresponds to <link xlink:href="https://docs.requarks.io/install/config">the upstream configuration options</link>. 99 100 Secrets can be injected via the environment by 101 <itemizedlist> 102 + <listitem><para>specifying <xref linkend="opt-services.wiki-js.environmentFile"/> 103 to contain secrets</para></listitem> 104 <listitem><para>and setting sensitive values to <literal>$(ENVIRONMENT_VAR)</literal> 105 with this value defined in the environment-file.</para></listitem>

+2 -2

nixos/modules/services/web-apps/wordpress.nix

··· 192 prefix. Typically this is changed if you are installing multiple WordPress blogs 193 in the same database. 194 195 - See <link xlink:href='https://codex.wordpress.org/Editing_wp-config.php#table_prefix'/>. 196 ''; 197 }; 198 ··· 246 description = '' 247 Any additional text to be appended to the wp-config.php 248 configuration file. This is a PHP script. For configuration 249 - settings, see <link xlink:href='https://codex.wordpress.org/Editing_wp-config.php'/>. 250 ''; 251 example = '' 252 define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds

··· 192 prefix. Typically this is changed if you are installing multiple WordPress blogs 193 in the same database. 194 195 + See <link xlink:href="https://codex.wordpress.org/Editing_wp-config.php#table_prefix"/>. 196 ''; 197 }; 198 ··· 246 description = '' 247 Any additional text to be appended to the wp-config.php 248 configuration file. This is a PHP script. For configuration 249 + settings, see <link xlink:href="https://codex.wordpress.org/Editing_wp-config.php"/>. 250 ''; 251 example = '' 252 define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds

+3 -5

nixos/modules/services/web-servers/apache-httpd/vhost-options.nix

··· 233 default = false; 234 description = '' 235 Whether to enable serving <filename>~/public_html</filename> as 236 - <literal>/~<replaceable>username</replaceable></literal>. 237 ''; 238 }; 239 ··· 261 default = ""; 262 example = "Disallow: /foo/"; 263 description = '' 264 - Specification of pages to be ignored by web crawlers. See <link 265 - xlink:href='http://www.robotstxt.org/'/> for details. 266 ''; 267 }; 268 ··· 280 }; 281 ''; 282 description = '' 283 - Declarative location config. See <link 284 - xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details. 285 ''; 286 }; 287

··· 233 default = false; 234 description = '' 235 Whether to enable serving <filename>~/public_html</filename> as 236 + <literal>/~«username»</literal>. 237 ''; 238 }; 239 ··· 261 default = ""; 262 example = "Disallow: /foo/"; 263 description = '' 264 + Specification of pages to be ignored by web crawlers. See <link xlink:href="http://www.robotstxt.org/"/> for details. 265 ''; 266 }; 267 ··· 279 }; 280 ''; 281 description = '' 282 + Declarative location config. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details. 283 ''; 284 }; 285

+4 -4

nixos/modules/services/web-servers/nginx/default.nix

··· 504 This is mutually exclusive to any other config option for 505 <filename>nginx.conf</filename> except for 506 <itemizedlist> 507 - <listitem><para><xref linkend="opt-services.nginx.appendConfig" /> 508 </para></listitem> 509 - <listitem><para><xref linkend="opt-services.nginx.httpConfig" /> 510 </para></listitem> 511 - <listitem><para><xref linkend="opt-services.nginx.logError" /> 512 </para></listitem> 513 </itemizedlist> 514 515 If additional verbatim config in addition to other options is needed, 516 - <xref linkend="opt-services.nginx.appendConfig" /> should be used instead. 517 ''; 518 }; 519

··· 504 This is mutually exclusive to any other config option for 505 <filename>nginx.conf</filename> except for 506 <itemizedlist> 507 + <listitem><para><xref linkend="opt-services.nginx.appendConfig"/> 508 </para></listitem> 509 + <listitem><para><xref linkend="opt-services.nginx.httpConfig"/> 510 </para></listitem> 511 + <listitem><para><xref linkend="opt-services.nginx.logError"/> 512 </para></listitem> 513 </itemizedlist> 514 515 If additional verbatim config in addition to other options is needed, 516 + <xref linkend="opt-services.nginx.appendConfig"/> should be used instead. 517 ''; 518 }; 519

+1 -2

nixos/modules/services/web-servers/uwsgi.nix

··· 179 <para> 180 When in Emperor mode, any capability to be inherited by a vassal must 181 be specified again in the vassal configuration using <literal>cap</literal>. 182 - See the uWSGI <link 183 - xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link> 184 for more information. 185 </para> 186 </note>

··· 179 <para> 180 When in Emperor mode, any capability to be inherited by a vassal must 181 be specified again in the vassal configuration using <literal>cap</literal>. 182 + See the uWSGI <link xlink:href="https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html">docs</link> 183 for more information. 184 </para> 185 </note>

+2 -3

nixos/modules/services/x11/desktop-managers/plasma5.nix

··· 170 supportDDC = mkOption { 171 type = types.bool; 172 default = false; 173 - description = '' 174 Support setting monitor brightness via DDC. 175 - </para> 176 - <para> 177 This is not needed for controlling brightness of the internal monitor 178 of a laptop and as it is considered experimental by upstream, it is 179 disabled by default.

··· 170 supportDDC = mkOption { 171 type = types.bool; 172 default = false; 173 + description = lib.mdDoc '' 174 Support setting monitor brightness via DDC. 175 + 176 This is not needed for controlling brightness of the internal monitor 177 of a laptop and as it is considered experimental by upstream, it is 178 disabled by default.

+2 -2

nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix

··· 55 enable = mkOption { 56 type = types.bool; 57 default = false; 58 - description = '' 59 Whether to enable lightdm-mini-greeter as the lightdm greeter. 60 61 Note that this greeter starts only the default X session. 62 You can configure the default X session using 63 - <xref linkend="opt-services.xserver.displayManager.defaultSession"/>. 64 ''; 65 }; 66

··· 55 enable = mkOption { 56 type = types.bool; 57 default = false; 58 + description = lib.mdDoc '' 59 Whether to enable lightdm-mini-greeter as the lightdm greeter. 60 61 Note that this greeter starts only the default X session. 62 You can configure the default X session using 63 + [](#opt-services.xserver.displayManager.defaultSession). 64 ''; 65 }; 66

+2 -2

nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix

··· 17 enable = mkOption { 18 type = types.bool; 19 default = false; 20 - description = '' 21 Whether to enable lightdm-tiny-greeter as the lightdm greeter. 22 23 Note that this greeter starts only the default X session. 24 You can configure the default X session using 25 - <xref linkend="opt-services.xserver.displayManager.defaultSession"/>. 26 ''; 27 }; 28

··· 17 enable = mkOption { 18 type = types.bool; 19 default = false; 20 + description = lib.mdDoc '' 21 Whether to enable lightdm-tiny-greeter as the lightdm greeter. 22 23 Note that this greeter starts only the default X session. 24 You can configure the default X session using 25 + [](#opt-services.xserver.displayManager.defaultSession). 26 ''; 27 }; 28

+1 -1

nixos/modules/services/x11/window-managers/fvwm2.nix

··· 24 gestures = mkOption { 25 default = false; 26 type = types.bool; 27 - description = "Whether or not to enable libstroke for gesture support"; 28 }; 29 }; 30 };

··· 24 gestures = mkOption { 25 default = false; 26 type = types.bool; 27 + description = lib.mdDoc "Whether or not to enable libstroke for gesture support"; 28 }; 29 }; 30 };

+1 -1

nixos/modules/system/activation/top-level.nix

··· 335 ''; 336 description = '' 337 The name of the system used in the <option>system.build.toplevel</option> derivation. 338 - </para><para> 339 That derivation has the following name: 340 <literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal> 341 '';

··· 335 ''; 336 description = '' 337 The name of the system used in the <option>system.build.toplevel</option> derivation. 338 + 339 That derivation has the following name: 340 <literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal> 341 '';

+6 -7

nixos/modules/system/boot/initrd-network.nix

··· 50 boot.initrd.network.enable = mkOption { 51 type = types.bool; 52 default = false; 53 - description = '' 54 Add network connectivity support to initrd. The network may be 55 - configured using the <literal>ip</literal> kernel parameter, 56 - as described in <link 57 - xlink:href="https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt">the 58 - kernel documentation</link>. Otherwise, if 59 - <option>networking.useDHCP</option> is enabled, an IP address 60 is acquired using DHCP. 61 62 You should add the module(s) required for your network card to 63 boot.initrd.availableKernelModules. 64 - <literal>lspci -v | grep -iA8 'network\|ethernet'</literal> 65 will tell you which. 66 ''; 67 };

··· 50 boot.initrd.network.enable = mkOption { 51 type = types.bool; 52 default = false; 53 + description = lib.mdDoc '' 54 Add network connectivity support to initrd. The network may be 55 + configured using the `ip` kernel parameter, 56 + as described in [the kernel documentation](https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt). 57 + Otherwise, if 58 + {option}`networking.useDHCP` is enabled, an IP address 59 is acquired using DHCP. 60 61 You should add the module(s) required for your network card to 62 boot.initrd.availableKernelModules. 63 + `lspci -v | grep -iA8 'network\|ethernet'` 64 will tell you which. 65 ''; 66 };

+6 -6

nixos/modules/system/boot/loader/grub/grub.nix

··· 624 type = types.bool; 625 description = '' 626 Whether to invoke <literal>grub-install</literal> with 627 - <literal>--removable</literal>.</para> 628 629 - <para>Unless you turn this on, GRUB will install itself somewhere in 630 <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where 631 depends on other config variables). If you've set 632 <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you ··· 637 NVRAM will not be modified, and your system will not find GRUB at 638 boot time. However, GRUB will still return success so you may miss 639 the warning that gets printed ("<literal>efibootmgr: EFI variables 640 - are not supported on this system.</literal>").</para> 641 642 - <para>If you turn this feature on, GRUB will install itself in a 643 special location within <literal>efiSysMountPoint</literal> (namely 644 <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares 645 - are hardcoded to try first, regardless of NVRAM EFI variables.</para> 646 647 - <para>To summarize, turn this on if: 648 <itemizedlist> 649 <listitem><para>You are installing NixOS and want it to boot in UEFI mode, 650 but you are currently booted in legacy mode</para></listitem>

··· 624 type = types.bool; 625 description = '' 626 Whether to invoke <literal>grub-install</literal> with 627 + <literal>--removable</literal>. 628 629 + Unless you turn this on, GRUB will install itself somewhere in 630 <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where 631 depends on other config variables). If you've set 632 <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you ··· 637 NVRAM will not be modified, and your system will not find GRUB at 638 boot time. However, GRUB will still return success so you may miss 639 the warning that gets printed ("<literal>efibootmgr: EFI variables 640 + are not supported on this system.</literal>"). 641 642 + If you turn this feature on, GRUB will install itself in a 643 special location within <literal>efiSysMountPoint</literal> (namely 644 <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares 645 + are hardcoded to try first, regardless of NVRAM EFI variables. 646 647 + To summarize, turn this on if: 648 <itemizedlist> 649 <listitem><para>You are installing NixOS and want it to boot in UEFI mode, 650 but you are currently booted in legacy mode</para></listitem>

+2 -2

nixos/modules/system/boot/luksroot.nix

··· 548 boot.initrd.luks.devices = mkOption { 549 default = { }; 550 example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; 551 - description = '' 552 The encrypted disk that should be opened before the root 553 filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM 554 setups are supported. The unencrypted devices can be accessed as 555 - <filename>/dev/mapper/<replaceable>name</replaceable></filename>. 556 ''; 557 558 type = with types; attrsOf (submodule (

··· 548 boot.initrd.luks.devices = mkOption { 549 default = { }; 550 example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; 551 + description = lib.mdDoc '' 552 The encrypted disk that should be opened before the root 553 filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM 554 setups are supported. The unencrypted devices can be accessed as 555 + {file}`/dev/mapper/«name»`. 556 ''; 557 558 type = with types; attrsOf (submodule (

+4 -7

nixos/modules/system/boot/networkd.nix

··· 1170 <citerefentry><refentrytitle>systemd.netdev</refentrytitle> 1171 <manvolnum>5</manvolnum></citerefentry> for details. 1172 A detailed explanation about how VRFs work can be found in the 1173 - <link xlink:href="https://www.kernel.org/doc/Documentation/networking/vrf.txt">kernel 1174 - docs</link>. 1175 ''; 1176 }; 1177 ··· 1905 }; 1906 1907 extraArgs = mkOption { 1908 - description = '' 1909 Extra command-line arguments to pass to systemd-networkd-wait-online. 1910 - These also affect per-interface <literal>systemd-network-wait-online@</literal> services. 1911 1912 - See <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html"> 1913 - <citerefentry><refentrytitle>systemd-networkd-wait-online.service</refentrytitle><manvolnum>8</manvolnum> 1914 - </citerefentry></link> for all available options. 1915 ''; 1916 type = with types; listOf str; 1917 default = [];

··· 1170 <citerefentry><refentrytitle>systemd.netdev</refentrytitle> 1171 <manvolnum>5</manvolnum></citerefentry> for details. 1172 A detailed explanation about how VRFs work can be found in the 1173 + <link xlink:href="https://www.kernel.org/doc/Documentation/networking/vrf.txt">kernel docs</link>. 1174 ''; 1175 }; 1176 ··· 1904 }; 1905 1906 extraArgs = mkOption { 1907 + description = lib.mdDoc '' 1908 Extra command-line arguments to pass to systemd-networkd-wait-online. 1909 + These also affect per-interface `systemd-network-wait-online@` services. 1910 1911 + See [{manpage}`systemd-networkd-wait-online.service(8)`](https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html) for all available options. 1912 ''; 1913 type = with types; listOf str; 1914 default = [];

+1 -1

nixos/modules/system/boot/stage-1.nix

··· 480 if you want to resume from file. If left empty, the swap partitions are used. 481 Specify here the device where the file resides. 482 You should also use <varname>boot.kernelParams</varname> to specify 483 - <literal><replaceable>resume_offset</replaceable></literal>. 484 ''; 485 }; 486

··· 480 if you want to resume from file. If left empty, the swap partitions are used. 481 Specify here the device where the file resides. 482 You should also use <varname>boot.kernelParams</varname> to specify 483 + <literal>«resume_offset»</literal>. 484 ''; 485 }; 486

+3 -6

nixos/modules/system/boot/systemd/logind.nix

··· 26 services.logind.killUserProcesses = mkOption { 27 default = false; 28 type = types.bool; 29 - description = '' 30 Specifies whether the processes of a user should be killed 31 when the user logs out. If true, the scope unit corresponding 32 to the session and all processes inside that scope will be 33 terminated. If false, the scope is "abandoned" (see 34 - <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#"> 35 - systemd.scope(5)</link>), and processes are not killed. 36 - </para> 37 38 - <para> 39 - See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link> 40 for more details. 41 ''; 42 };

··· 26 services.logind.killUserProcesses = mkOption { 27 default = false; 28 type = types.bool; 29 + description = lib.mdDoc '' 30 Specifies whether the processes of a user should be killed 31 when the user logs out. If true, the scope unit corresponding 32 to the session and all processes inside that scope will be 33 terminated. If false, the scope is "abandoned" (see 34 + [systemd.scope(5)](https://www.freedesktop.org/software/systemd/man/systemd.scope.html#)), and processes are not killed. 35 36 + See [logind.conf(5)](https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=) 37 for more details. 38 ''; 39 };

+5 -5

nixos/modules/system/boot/systemd/tmpfiles.nix

··· 25 default = []; 26 example = literalExpression "[ pkgs.lvm2 ]"; 27 apply = map getLib; 28 - description = '' 29 - List of packages containing <command>systemd-tmpfiles</command> rules. 30 31 All files ending in .conf found in 32 - <filename><replaceable>pkg</replaceable>/lib/tmpfiles.d</filename> 33 will be included. 34 If this folder does not exist or does not contain any files an error will be returned instead. 35 36 - If a <filename>lib</filename> output is available, rules are searched there and only there. 37 - If there is no <filename>lib</filename> output it will fall back to <filename>out</filename> 38 and if that does not exist either, the default output will be used. 39 ''; 40 };

··· 25 default = []; 26 example = literalExpression "[ pkgs.lvm2 ]"; 27 apply = map getLib; 28 + description = lib.mdDoc '' 29 + List of packages containing {command}`systemd-tmpfiles` rules. 30 31 All files ending in .conf found in 32 + {file}`«pkg»/lib/tmpfiles.d` 33 will be included. 34 If this folder does not exist or does not contain any files an error will be returned instead. 35 36 + If a {file}`lib` output is available, rules are searched there and only there. 37 + If there is no {file}`lib` output it will fall back to {file}`out` 38 and if that does not exist either, the default output will be used. 39 ''; 40 };

+3 -3

nixos/modules/tasks/auto-upgrade.nix

··· 25 type = types.enum ["switch" "boot"]; 26 default = "switch"; 27 example = "boot"; 28 - description = '' 29 Whether to run 30 - <literal>nixos-rebuild switch --upgrade</literal> or run 31 - <literal>nixos-rebuild boot --upgrade</literal> 32 ''; 33 }; 34

··· 25 type = types.enum ["switch" "boot"]; 26 default = "switch"; 27 example = "boot"; 28 + description = lib.mdDoc '' 29 Whether to run 30 + `nixos-rebuild switch --upgrade` or run 31 + `nixos-rebuild boot --upgrade` 32 ''; 33 }; 34

+1 -1

nixos/modules/tasks/network-interfaces.nix

··· 1292 description = '' 1293 Whether to enable IPv6 Privacy Extensions for interfaces not 1294 configured explicitly in 1295 - <xref linkend="opt-networking.interfaces._name_.tempAddress" />. 1296 1297 This sets the ipv6.conf.*.use_tempaddr sysctl for all 1298 interfaces. Possible values are:

··· 1292 description = '' 1293 Whether to enable IPv6 Privacy Extensions for interfaces not 1294 configured explicitly in 1295 + <xref linkend="opt-networking.interfaces._name_.tempAddress"/>. 1296 1297 This sets the ipv6.conf.*.use_tempaddr sysctl for all 1298 interfaces. Possible values are:

+2 -2

nixos/modules/tasks/scsi-link-power-management.nix

··· 25 powerManagement.scsiLinkPolicy = mkOption { 26 default = null; 27 type = types.nullOr (types.enum allowedValues); 28 - description = '' 29 SCSI link power management policy. The kernel default is 30 "max_performance". 31 - </para><para> 32 "med_power_with_dipm" is supported by kernel versions 33 4.15 and newer. 34 '';

··· 25 powerManagement.scsiLinkPolicy = mkOption { 26 default = null; 27 type = types.nullOr (types.enum allowedValues); 28 + description = lib.mdDoc '' 29 SCSI link power management policy. The kernel default is 30 "max_performance". 31 + 32 "med_power_with_dipm" is supported by kernel versions 33 4.15 and newer. 34 '';

+6 -6

nixos/modules/virtualisation/nixos-containers.nix

··· 579 privateNetwork = mkOption { 580 type = types.bool; 581 default = false; 582 - description = '' 583 Whether to give the container its own private virtual 584 Ethernet interface. The interface is called 585 - <literal>eth0</literal>, and is hooked up to the interface 586 - <literal>ve-<replaceable>container-name</replaceable></literal> 587 on the host. If this option is not set, then the 588 container shares the network interfaces of the host, 589 and can bind to any port on any interface. ··· 728 }; 729 } 730 ''; 731 - description = '' 732 A set of NixOS system configurations to be run as lightweight 733 containers. Each container appears as a service 734 - <literal>container-<replaceable>name</replaceable></literal> 735 on the host system, allowing it to be started and stopped via 736 - <command>systemctl</command>. 737 ''; 738 }; 739

··· 579 privateNetwork = mkOption { 580 type = types.bool; 581 default = false; 582 + description = lib.mdDoc '' 583 Whether to give the container its own private virtual 584 Ethernet interface. The interface is called 585 + `eth0`, and is hooked up to the interface 586 + `ve-«container-name»` 587 on the host. If this option is not set, then the 588 container shares the network interfaces of the host, 589 and can bind to any port on any interface. ··· 728 }; 729 } 730 ''; 731 + description = lib.mdDoc '' 732 A set of NixOS system configurations to be run as lightweight 733 containers. Each container appears as a service 734 + `container-«name»` 735 on the host system, allowing it to be started and stopped via 736 + {command}`systemctl`. 737 ''; 738 }; 739

+1 -1

nixos/modules/virtualisation/podman/default.nix

··· 74 75 Podman implements the Docker API. 76 77 - Users must be in the <code>podman</code> group in order to connect. As 78 with Docker, members of this group can gain root access. 79 ''; 80 };

··· 74 75 Podman implements the Docker API. 76 77 + Users must be in the <literal>podman</literal> group in order to connect. As 78 with Docker, members of this group can gain root access. 79 ''; 80 };

+1 -1

nixos/modules/virtualisation/podman/network-socket.nix

··· 22 with TLS client certificate authentication. 23 24 This allows Docker clients to connect with the equivalents of the Docker 25 - CLI <code>-H</code> and <code>--tls*</code> family of options. 26 27 For certificate setup, see https://docs.docker.com/engine/security/protect-access/ 28

··· 22 with TLS client certificate authentication. 23 24 This allows Docker clients to connect with the equivalents of the Docker 25 + CLI <literal>-H</literal> and <literal>--tls*</literal> family of options. 26 27 For certificate setup, see https://docs.docker.com/engine/security/protect-access/ 28

+3 -3

nixos/modules/virtualisation/qemu-vm.nix

··· 516 description = 517 '' 518 Virtual networks to which the VM is connected. Each 519 - number <replaceable>N</replaceable> in this list causes 520 the VM to have a virtual Ethernet interface attached to a 521 separate virtual network on which it will be assigned IP 522 address 523 - <literal>192.168.<replaceable>N</replaceable>.<replaceable>M</replaceable></literal>, 524 - where <replaceable>M</replaceable> is the index of this VM 525 in the list of VMs. 526 ''; 527 };

··· 516 description = 517 '' 518 Virtual networks to which the VM is connected. Each 519 + number «N» in this list causes 520 the VM to have a virtual Ethernet interface attached to a 521 separate virtual network on which it will be assigned IP 522 address 523 + <literal>192.168.«N».«M»</literal>, 524 + where «M» is the index of this VM 525 in the list of VMs. 526 ''; 527 };