commit f2ea09ecbe1fa1da32eaa6e036d64ac324a2986f · tjh.dev/nixpkgs

+7 -7

nixos/modules/hardware/tuxedo-keyboard.nix

··· 8 8 in 9 9 { 10 10 options.hardware.tuxedo-keyboard = { 11 - enable = mkEnableOption '' 11 + enable = mkEnableOption (lib.mdDoc '' 12 12 Enables the tuxedo-keyboard driver. 13 13 14 - To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration. 14 + To configure the driver, pass the options to the {option}`boot.kernelParams` configuration. 15 15 There are several parameters you can change. It's best to check at the source code description which options are supported. 16 - You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam"/> 16 + You can find all the supported parameters at: <https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam> 17 17 18 - In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this: 18 + In order to use the `custom` lighting with the maximumg brightness and a color of `0xff0a0a` one would put pass {option}`boot.kernelParams` like this: 19 19 20 - <programlisting> 20 + ``` 21 21 boot.kernelParams = [ 22 22 "tuxedo_keyboard.mode=0" 23 23 "tuxedo_keyboard.brightness=255" 24 24 "tuxedo_keyboard.color_left=0xff0a0a" 25 25 ]; 26 - </programlisting> 27 - ''; 26 + ``` 27 + ''); 28 28 }; 29 29 30 30 config = mkIf cfg.enable

+12 -12

nixos/modules/misc/label.nix

··· 12 12 13 13 nixos.label = mkOption { 14 14 type = types.strMatching "[a-zA-Z0-9:_\\.-]*"; 15 - description = '' 15 + description = lib.mdDoc '' 16 16 NixOS version name to be used in the names of generated 17 17 outputs and boot labels. 18 18 ··· 20 20 this is the option for you. 21 21 22 22 It can only contain letters, numbers and the following symbols: 23 - <literal>:</literal>, <literal>_</literal>, <literal>.</literal> and <literal>-</literal>. 23 + `:`, `_`, `.` and `-`. 24 24 25 - The default is <option>system.nixos.tags</option> separated by 26 - "-" + "-" + <envar>NIXOS_LABEL_VERSION</envar> environment 25 + The default is {option}`system.nixos.tags` separated by 26 + "-" + "-" + {env}`NIXOS_LABEL_VERSION` environment 27 27 variable (defaults to the value of 28 - <option>system.nixos.version</option>). 28 + {option}`system.nixos.version`). 29 29 30 - Can be overriden by setting <envar>NIXOS_LABEL</envar>. 30 + Can be overriden by setting {env}`NIXOS_LABEL`. 31 31 32 32 Useful for not loosing track of configurations built from different 33 33 nixos branches/revisions, e.g.: 34 34 35 - <programlisting> 35 + ``` 36 36 #!/bin/sh 37 37 today=`date +%Y%m%d` 38 38 branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')` 39 39 revision=`(cd nixpkgs ; git rev-parse HEAD)` 40 40 export NIXOS_LABEL_VERSION="$today.$branch-''${revision:0:7}" 41 41 nixos-rebuild switch 42 - </programlisting> 42 + ``` 43 43 ''; 44 44 }; 45 45 ··· 47 47 type = types.listOf types.str; 48 48 default = []; 49 49 example = [ "with-xen" ]; 50 - description = '' 50 + description = lib.mdDoc '' 51 51 Strings to prefix to the default 52 - <option>system.nixos.label</option>. 52 + {option}`system.nixos.label`. 53 53 54 54 Useful for not loosing track of configurations built with 55 55 different options, e.g.: 56 56 57 - <programlisting> 57 + ``` 58 58 { 59 59 system.nixos.tags = [ "with-xen" ]; 60 60 virtualisation.xen.enable = true; 61 61 } 62 - </programlisting> 62 + ``` 63 63 ''; 64 64 }; 65 65

+9 -9

nixos/modules/misc/nixpkgs.nix

··· 311 311 defaultText = lib.literalMD '' 312 312 Traditionally `builtins.currentSystem`, but unset when invoking NixOS through `lib.nixosSystem`. 313 313 ''; 314 - description = '' 314 + description = lib.mdDoc '' 315 315 This option does not need to be specified for NixOS configurations 316 - with a recently generated <literal>hardware-configuration.nix</literal>. 316 + with a recently generated `hardware-configuration.nix`. 317 317 318 318 Specifies the Nix platform type on which NixOS should be built. 319 - It is better to specify <literal>nixpkgs.localSystem</literal> instead. 320 - <programlisting> 319 + It is better to specify `nixpkgs.localSystem` instead. 320 + ``` 321 321 { 322 322 nixpkgs.system = ..; 323 323 } 324 - </programlisting> 324 + ``` 325 325 is the same as 326 - <programlisting> 326 + ``` 327 327 { 328 328 nixpkgs.localSystem.system = ..; 329 329 } 330 - </programlisting> 331 - See <literal>nixpkgs.localSystem</literal> for more information. 330 + ``` 331 + See `nixpkgs.localSystem` for more information. 332 332 333 - Ignored when <literal>nixpkgs.pkgs</literal>, <literal>nixpkgs.localSystem</literal> or <literal>nixpkgs.hostPlatform</literal> is set. 333 + Ignored when `nixpkgs.pkgs`, `nixpkgs.localSystem` or `nixpkgs.hostPlatform` is set. 334 334 ''; 335 335 }; 336 336 };

+4 -4

nixos/modules/services/backup/duplicity.nix

··· 54 54 secretFile = mkOption { 55 55 type = types.nullOr types.path; 56 56 default = null; 57 - description = '' 57 + description = lib.mdDoc '' 58 58 Path of a file containing secrets (gpg passphrase, access key...) in 59 59 the format of EnvironmentFile as described by 60 - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. For example: 61 - <programlisting> 60 + {manpage}`systemd.exec(5)`. For example: 61 + ``` 62 62 PASSPHRASE=«...» 63 63 AWS_ACCESS_KEY_ID=«...» 64 64 AWS_SECRET_ACCESS_KEY=«...» 65 - </programlisting> 65 + ``` 66 66 ''; 67 67 }; 68 68

+3 -3

nixos/modules/services/databases/cockroachdb.nix

··· 58 58 locality = mkOption { 59 59 type = types.nullOr types.str; 60 60 default = null; 61 - description = '' 61 + description = lib.mdDoc '' 62 62 An ordered, comma-separated list of key-value pairs that describe the 63 63 topography of the machine. Topography might include country, 64 64 datacenter or rack designations. Data is automatically replicated to ··· 68 68 like datacenter. The tiers and order must be the same on all nodes. 69 69 Including more tiers is better than including fewer. For example: 70 70 71 - <programlisting> 71 + ``` 72 72 country=us,region=us-west,datacenter=us-west-1b,rack=12 73 73 country=ca,region=ca-east,datacenter=ca-east-2,rack=4 74 74 75 75 planet=earth,province=manitoba,colo=secondary,power=3 76 - </programlisting> 76 + ``` 77 77 ''; 78 78 }; 79 79

+5 -5

nixos/modules/services/development/zammad.nix

··· 149 149 type = types.nullOr types.path; 150 150 default = null; 151 151 example = "/run/keys/secret_key_base"; 152 - description = '' 152 + description = lib.mdDoc '' 153 153 The path to a file containing the 154 - <literal>secret_key_base</literal> secret. 154 + `secret_key_base` secret. 155 155 156 - Zammad uses <literal>secret_key_base</literal> to encrypt 156 + Zammad uses `secret_key_base` to encrypt 157 157 the cookie store, which contains session data, and to digest 158 158 user auth tokens. 159 159 160 160 Needs to be a 64 byte long string of hexadecimal 161 161 characters. You can generate one by running 162 162 163 - <programlisting> 163 + ``` 164 164 openssl rand -hex 64 >/path/to/secret_key_base_file 165 - </programlisting> 165 + ``` 166 166 167 167 This should be a string, not a nix path, since nix paths are 168 168 copied into the world-readable nix store.

+6 -6

nixos/modules/services/hardware/lcd.nix

··· 61 61 usbPermissions = mkOption { 62 62 type = bool; 63 63 default = false; 64 - description = '' 64 + description = lib.mdDoc '' 65 65 Set group-write permissions on a USB device. 66 66 67 67 A USB connected LCD panel will most likely require having its 68 68 permissions modified for lcdd to write to it. Enabling this option 69 69 sets group-write permissions on the device identified by 70 - <option>services.hardware.lcd.usbVid</option> and 71 - <option>services.hardware.lcd.usbPid</option>. In order to find the 72 - values, you can run the <command>lsusb</command> command. Example 70 + {option}`services.hardware.lcd.usbVid` and 71 + {option}`services.hardware.lcd.usbPid`. In order to find the 72 + values, you can run the {command}`lsusb` command. Example 73 73 output: 74 74 75 - <programlisting> 75 + ``` 76 76 Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface 77 - </programlisting> 77 + ``` 78 78 79 79 In this case the vendor id is 0403 and the product id is c630. 80 80 '';

+6 -6

nixos/modules/services/logging/awstats.nix

··· 25 25 logFile = mkOption { 26 26 type = types.str; 27 27 example = "/var/log/nginx/access.log"; 28 - description = '' 28 + description = lib.mdDoc '' 29 29 The log file to be scanned. 30 30 31 31 For mail, set this to 32 - <programlisting> 32 + ``` 33 33 journalctl $OLD_CURSOR -u postfix.service | ''${pkgs.perl}/bin/perl ''${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard | 34 - </programlisting> 34 + ``` 35 35 ''; 36 36 }; 37 37 38 38 logFormat = mkOption { 39 39 type = types.str; 40 40 default = "1"; 41 - description = '' 41 + description = lib.mdDoc '' 42 42 The log format being used. 43 43 44 44 For mail, set this to 45 - <programlisting> 45 + ``` 46 46 %time2 %email %email_r %host %host_r %method %url %code %bytesd 47 - </programlisting> 47 + ``` 48 48 ''; 49 49 }; 50 50

+7 -7

nixos/modules/services/matrix/dendrite.nix

··· 50 50 type = lib.types.nullOr lib.types.path; 51 51 example = "/var/lib/dendrite/registration_secret"; 52 52 default = null; 53 - description = '' 54 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 53 + description = lib.mdDoc '' 54 + Environment file as defined in {manpage}`systemd.exec(5)`. 55 55 Secrets may be passed to the service without adding them to the world-readable 56 56 Nix store, by specifying placeholder variables as the option value in Nix and 57 57 setting these variables accordingly in the environment file. Currently only used 58 58 for the registration secret to allow secure registration when 59 59 client_api.registration_disabled is true. 60 60 61 - <programlisting> 61 + ``` 62 62 # snippet of dendrite-related config 63 63 services.dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; 64 - </programlisting> 64 + ``` 65 65 66 - <programlisting> 66 + ``` 67 67 # content of the environment file 68 68 REGISTRATION_SHARED_SECRET=verysecretpassword 69 - </programlisting> 69 + ``` 70 70 71 71 Note that this file needs to be available on the host on which 72 - <literal>dendrite</literal> is running. 72 + `dendrite` is running. 73 73 ''; 74 74 }; 75 75 loadCredential = lib.mkOption {

+4 -4

nixos/modules/services/misc/gitit.nix

··· 348 348 mimeTypesFile = mkOption { 349 349 type = types.path; 350 350 default = "/etc/mime/types.info"; 351 - description = '' 351 + description = lib.mdDoc '' 352 352 Specifies the path of a file containing mime type mappings. Each 353 353 line of the file should contain two fields, separated by whitespace. 354 354 The first field is the mime type, the second is a file extension. 355 355 For example: 356 - <programlisting> 357 - video/x-ms-wmx wmx 358 - </programlisting> 356 + ``` 357 + video/x-ms-wmx wmx 358 + ``` 359 359 If the file is not found, some simple defaults will be used. 360 360 ''; 361 361 };

+6 -8

nixos/modules/services/misc/sssd.nix

··· 54 54 environmentFile = mkOption { 55 55 type = types.nullOr types.path; 56 56 default = null; 57 - description = '' 58 - Environment file as defined in <citerefentry> 59 - <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> 60 - </citerefentry>. 57 + description = lib.mdDoc '' 58 + Environment file as defined in {manpage}`systemd.exec(5)`. 61 59 62 60 Secrets may be passed to the service without adding them to the world-readable 63 61 Nix store, by specifying placeholder variables as the option value in Nix and 64 62 setting these variables accordingly in the environment file. 65 63 66 - <programlisting> 64 + ``` 67 65 # snippet of sssd-related config 68 66 [domain/LDAP] 69 67 ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK 70 - </programlisting> 68 + ``` 71 69 72 - <programlisting> 70 + ``` 73 71 # contents of the environment file 74 72 SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword 75 - </programlisting> 73 + ``` 76 74 ''; 77 75 }; 78 76 };

+5 -5

nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix

··· 19 19 type = types.path; 20 20 default = "/var/run/dovecot/stats"; 21 21 example = "/var/run/dovecot2/old-stats"; 22 - description = '' 22 + description = lib.mdDoc '' 23 23 Path under which the stats socket is placed. 24 24 The user/group under which the exporter runs, 25 25 should be able to access the socket in order 26 26 to scrape the metrics successfully. 27 27 28 28 Please keep in mind that the stats module has changed in 29 - <link xlink:href="https://wiki2.dovecot.org/Upgrading/2.3">Dovecot 2.3+</link> which 30 - is not <link xlink:href="https://github.com/kumina/dovecot_exporter/issues/8">compatible with this exporter</link>. 29 + [Dovecot 2.3+](https://wiki2.dovecot.org/Upgrading/2.3) which 30 + is not [compatible with this exporter](https://github.com/kumina/dovecot_exporter/issues/8). 31 31 32 32 The following extra config has to be passed to Dovecot to ensure that recent versions 33 33 work with this exporter: 34 - <programlisting> 34 + ``` 35 35 { 36 36 services.prometheus.exporters.dovecot.enable = true; 37 37 services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats"; ··· 60 60 } 61 61 '''; 62 62 } 63 - </programlisting> 63 + ``` 64 64 ''; 65 65 }; 66 66 scopes = mkOption {

+4 -4

nixos/modules/services/monitoring/prometheus/exporters/mail.nix

··· 112 112 detectionDir = "/path/to/Maildir/new"; 113 113 } ] 114 114 ''; 115 - description = '' 115 + description = lib.mdDoc '' 116 116 List of servers that should be probed. 117 117 118 - <emphasis>Note:</emphasis> if your mailserver has <citerefentry><refentrytitle>rspamd</refentrytitle><manvolnum>8</manvolnum></citerefentry> configured, 118 + *Note:* if your mailserver has {manpage}`rspamd(8)` configured, 119 119 it can happen that emails from this exporter are marked as spam. 120 120 121 121 It's possible to work around the issue with a config like this: 122 - <programlisting> 122 + ``` 123 123 { 124 124 services.rspamd.locals."multimap.conf".text = ''' 125 125 ALLOWLIST_PROMETHEUS { ··· 130 130 } 131 131 '''; 132 132 } 133 - </programlisting> 133 + ``` 134 134 ''; 135 135 }; 136 136 };

+4 -4

nixos/modules/services/monitoring/prometheus/exporters/openldap.nix

··· 10 10 ldapCredentialFile = mkOption { 11 11 type = types.path; 12 12 example = "/run/keys/ldap_pass"; 13 - description = '' 13 + description = lib.mdDoc '' 14 14 Environment file to contain the credentials to authenticate against 15 - <literal>openldap</literal>. 15 + `openldap`. 16 16 17 17 The file should look like this: 18 - <programlisting> 18 + ``` 19 19 --- 20 20 ldapUser: "cn=monitoring,cn=Monitor" 21 21 ldapPass: "secret" 22 - </programlisting> 22 + ``` 23 23 ''; 24 24 }; 25 25 protocol = mkOption {

+5 -5

nixos/modules/services/monitoring/prometheus/exporters/postgres.nix

··· 36 36 type = types.nullOr types.path; 37 37 default = null; 38 38 example = "/root/prometheus-postgres-exporter.env"; 39 - description = '' 40 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 39 + description = lib.mdDoc '' 40 + Environment file as defined in {manpage}`systemd.exec(5)`. 41 41 42 42 Secrets may be passed to the service without adding them to the 43 43 world-readable Nix store, by specifying placeholder variables as ··· 46 46 47 47 Environment variables from this file will be interpolated into the 48 48 config file using envsubst with this syntax: 49 - <literal>$ENVIRONMENT ''${VARIABLE}</literal> 49 + `$ENVIRONMENT ''${VARIABLE}` 50 50 51 51 The main use is to set the DATA_SOURCE_NAME that contains the 52 52 postgres password ··· 54 54 note that contents from this file will override dataSourceName 55 55 if you have set it from nix. 56 56 57 - <programlisting> 57 + ``` 58 58 # Content of the environment file 59 59 DATA_SOURCE_NAME=postgresql://username:password@localhost:5432/postgres?sslmode=disable 60 - </programlisting> 60 + ``` 61 61 62 62 Note that this file needs to be available on the host on which 63 63 this exporter is running.

+4 -4

nixos/modules/services/network-filesystems/litestream/default.nix

··· 40 40 type = types.nullOr types.path; 41 41 default = null; 42 42 example = "/run/secrets/litestream"; 43 - description = '' 44 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 43 + description = lib.mdDoc '' 44 + Environment file as defined in {manpage}`systemd.exec(5)`. 45 45 46 46 Secrets may be passed to the service without adding them to the 47 47 world-readable Nix store, by specifying placeholder variables as ··· 54 54 variable values. If no value is set then it will be replaced with an 55 55 empty string. 56 56 57 - <programlisting> 57 + ``` 58 58 # Content of the environment file 59 59 LITESTREAM_ACCESS_KEY_ID=AKIAxxxxxxxxxxxxxxxx 60 60 LITESTREAM_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx 61 - </programlisting> 61 + ``` 62 62 63 63 Note that this file needs to be available on the host on which 64 64 this exporter is running.

+6 -6

nixos/modules/services/networking/3proxy.nix

··· 18 18 type = types.nullOr types.path; 19 19 default = null; 20 20 example = "/var/lib/3proxy/3proxy.passwd"; 21 - description = '' 21 + description = lib.mdDoc '' 22 22 Load users and passwords from this file. 23 23 24 24 Example users file with plain-text passwords: 25 25 26 - <programlisting> 26 + ``` 27 27 test1:CL:password1 28 28 test2:CL:password2 29 - </programlisting> 29 + ``` 30 30 31 31 Example users file with md5-crypted passwords: 32 32 33 - <programlisting> 33 + ``` 34 34 test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 35 35 test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. 36 - </programlisting> 36 + ``` 37 37 38 38 You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ 39 39 Note that htpasswd tool generates incompatible md5-crypted passwords. 40 - Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/How-To-(incomplete)#USERS">documentation</link> for more information. 40 + Consult [documentation](https://github.com/z3APA3A/3proxy/wiki/How-To-%28incomplete%29#USERS) for more information. 41 41 ''; 42 42 }; 43 43 services = mkOption {

+5 -5

nixos/modules/services/networking/firefox-syncserver.nix

··· 34 34 { 35 35 options = { 36 36 services.firefox-syncserver = { 37 - enable = lib.mkEnableOption '' 37 + enable = lib.mkEnableOption (lib.mdDoc '' 38 38 the Firefox Sync storage service. 39 39 40 40 Out of the box this will not be very useful unless you also configure at least 41 41 one service and one nodes by inserting them into the mysql database manually, e.g. 42 42 by running 43 43 44 - <programlisting> 44 + ``` 45 45 INSERT INTO `services` (`id`, `service`, `pattern`) VALUES ('1', 'sync-1.5', '{node}/1.5/{uid}'); 46 46 INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`, 47 47 `capacity`, `downed`, `backoff`) 48 48 VALUES ('1', '1', 'https://mydomain.tld', '1', '0', '10', '0', '0'); 49 - </programlisting> 49 + ``` 50 50 51 - <option>${opt.singleNode.enable}</option> does this automatically when enabled 52 - ''; 51 + {option}`${opt.singleNode.enable}` does this automatically when enabled 52 + ''); 53 53 54 54 package = lib.mkOption { 55 55 type = lib.types.package;

+6 -6

nixos/modules/services/networking/hylafax/options.nix

··· 172 172 userAccessFile = mkOption { 173 173 type = path; 174 174 default = "/etc/hosts.hfaxd"; 175 - description = '' 176 - The <filename>hosts.hfaxd</filename> 175 + description = lib.mdDoc '' 176 + The {file}`hosts.hfaxd` 177 177 file entry in the spooling area 178 178 will be symlinked to the location given here. 179 179 This file must exist and be 180 - readable only by the <literal>uucp</literal> user. 180 + readable only by the `uucp` user. 181 181 See hosts.hfaxd(5) for details. 182 182 This configuration permits access for all users: 183 - <programlisting> 183 + ``` 184 184 environment.etc."hosts.hfaxd" = { 185 185 mode = "0600"; 186 186 user = "uucp"; 187 187 text = ".*"; 188 188 }; 189 - </programlisting> 189 + ``` 190 190 Note that host-based access can be controlled with 191 - <option>config.systemd.sockets.hylafax-hfaxd.listenStreams</option>; 191 + {option}`config.systemd.sockets.hylafax-hfaxd.listenStreams`; 192 192 by default, only 127.0.0.1 is permitted to connect. 193 193 ''; 194 194 };

+7 -7

nixos/modules/services/networking/murmur.nix

··· 261 261 type = types.nullOr types.path; 262 262 default = null; 263 263 example = "/var/lib/murmur/murmurd.env"; 264 - description = '' 265 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 264 + description = lib.mdDoc '' 265 + Environment file as defined in {manpage}`systemd.exec(5)`. 266 266 267 267 Secrets may be passed to the service without adding them to the world-readable 268 268 Nix store, by specifying placeholder variables as the option value in Nix and 269 269 setting these variables accordingly in the environment file. 270 270 271 - <programlisting> 271 + ``` 272 272 # snippet of murmur-related config 273 273 services.murmur.password = "$MURMURD_PASSWORD"; 274 - </programlisting> 274 + ``` 275 275 276 - <programlisting> 276 + ``` 277 277 # content of the environment file 278 278 MURMURD_PASSWORD=verysecretpassword 279 - </programlisting> 279 + ``` 280 280 281 281 Note that this file needs to be available on the host on which 282 - <literal>murmur</literal> is running. 282 + `murmur` is running. 283 283 ''; 284 284 }; 285 285 };

+14 -14

nixos/modules/services/networking/ncdns.nix

··· 78 78 default = config.networking.hostName; 79 79 defaultText = literalExpression "config.networking.hostName"; 80 80 example = "example.com"; 81 - description = '' 81 + description = lib.mdDoc '' 82 82 The hostname of this ncdns instance, which defaults to the machine 83 83 hostname. If specified, ncdns lists the hostname as an NS record at 84 84 the zone apex: 85 - <programlisting> 85 + ``` 86 86 bit. IN NS ns1.example.com. 87 - </programlisting> 87 + ``` 88 88 If unset ncdns will generate an internal psuedo-hostname under the 89 89 zone, which will resolve to the value of 90 - <option>services.ncdns.identity.address</option>. 90 + {option}`services.ncdns.identity.address`. 91 91 If you are only using ncdns locally you can ignore this. 92 92 ''; 93 93 }; ··· 123 123 dnssec.keys.public = mkOption { 124 124 type = types.path; 125 125 default = defaultFiles.public; 126 - description = '' 126 + description = lib.mdDoc '' 127 127 Path to the file containing the KSK public key. 128 - The key can be generated using the <literal>dnssec-keygen</literal> 129 - command, provided by the package <literal>bind</literal> as follows: 130 - <programlisting> 128 + The key can be generated using the `dnssec-keygen` 129 + command, provided by the package `bind` as follows: 130 + ``` 131 131 $ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit 132 - </programlisting> 132 + ``` 133 133 ''; 134 134 }; 135 135 ··· 144 144 dnssec.keys.zonePublic = mkOption { 145 145 type = types.path; 146 146 default = defaultFiles.zonePublic; 147 - description = '' 147 + description = lib.mdDoc '' 148 148 Path to the file containing the ZSK public key. 149 - The key can be generated using the <literal>dnssec-keygen</literal> 150 - command, provided by the package <literal>bind</literal> as follows: 151 - <programlisting> 149 + The key can be generated using the `dnssec-keygen` 150 + command, provided by the package `bind` as follows: 151 + ``` 152 152 $ dnssec-keygen -a RSASHA256 -3 -b 2048 bit 153 - </programlisting> 153 + ``` 154 154 ''; 155 155 }; 156 156

+4 -4

nixos/modules/services/networking/nix-serve.nix

··· 35 35 secretKeyFile = mkOption { 36 36 type = types.nullOr types.str; 37 37 default = null; 38 - description = '' 38 + description = lib.mdDoc '' 39 39 The path to the file used for signing derivation data. 40 40 Generate with: 41 41 42 - <programlisting> 42 + ``` 43 43 nix-store --generate-binary-cache-key key-name secret-key-file public-key-file 44 - </programlisting> 44 + ``` 45 45 46 - For more details see <citerefentry><refentrytitle>nix-store</refentrytitle><manvolnum>1</manvolnum></citerefentry>. 46 + For more details see {manpage}`nix-store(1)`. 47 47 ''; 48 48 }; 49 49

+5 -5

nixos/modules/services/security/hockeypuck.nix

··· 37 37 }; 38 38 } 39 39 ''; 40 - description = '' 40 + description = lib.mdDoc '' 41 41 Configuration file for hockeypuck, here you can override 42 - certain settings (<literal>loglevel</literal> and 43 - <literal>openpgp.db.dsn</literal>) by just setting those values. 42 + certain settings (`loglevel` and 43 + `openpgp.db.dsn`) by just setting those values. 44 44 45 45 For other settings you need to use lib.mkForce to override them. 46 46 ··· 49 49 the database yourself. 50 50 51 51 Example: 52 - <programlisting> 52 + ``` 53 53 services.postgresql = { 54 54 enable = true; 55 55 ensureDatabases = [ "hockeypuck" ]; ··· 58 58 ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; 59 59 }]; 60 60 }; 61 - </programlisting> 61 + ``` 62 62 ''; 63 63 }; 64 64 };

+7 -7

nixos/modules/services/security/privacyidea.nix

··· 72 72 type = types.nullOr types.path; 73 73 default = null; 74 74 example = "/root/privacyidea.env"; 75 - description = '' 75 + description = lib.mdDoc '' 76 76 File to load as environment file. Environment variables 77 77 from this file will be interpolated into the config file 78 - using <literal>envsubst</literal> which is helpful for specifying 78 + using `envsubst` which is helpful for specifying 79 79 secrets: 80 - <programlisting> 81 - { <xref linkend="opt-services.privacyidea.secretKey"/> = "$SECRET"; } 82 - </programlisting> 80 + ``` 81 + { services.privacyidea.secretKey = "$SECRET"; } 82 + ``` 83 83 84 84 The environment-file can now specify the actual secret key: 85 - <programlisting> 85 + ``` 86 86 SECRET=veryverytopsecret 87 - </programlisting> 87 + ``` 88 88 ''; 89 89 }; 90 90

+5 -5

nixos/modules/services/security/vault.nix

··· 141 141 extraSettingsPaths = mkOption { 142 142 type = types.listOf types.path; 143 143 default = []; 144 - description = '' 144 + description = lib.mdDoc '' 145 145 Configuration files to load besides the immutable one defined by the NixOS module. 146 146 This can be used to avoid putting credentials in the Nix store, which can be read by any user. 147 147 148 148 Each path can point to a JSON- or HCL-formatted file, or a directory 149 - to be scanned for files with <literal>.hcl</literal> or 150 - <literal>.json</literal> extensions. 149 + to be scanned for files with `.hcl` or 150 + `.json` extensions. 151 151 152 152 To upload the confidential file with NixOps, use for example: 153 153 154 - <programlisting><![CDATA[ 154 + ``` 155 155 # https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys 156 156 deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in { 157 157 text = ${"''"} ··· 164 164 services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"]; 165 165 services.vault.storageBackend = "postgresql"; 166 166 users.users.vault.extraGroups = ["keys"]; 167 - ]]></programlisting> 167 + ``` 168 168 ''; 169 169 }; 170 170 };

+15 -15

nixos/modules/services/security/vaultwarden/default.nix

··· 125 125 type = with types; nullOr path; 126 126 default = null; 127 127 example = "/var/lib/vaultwarden.env"; 128 - description = '' 129 - Additional environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 128 + description = lib.mdDoc '' 129 + Additional environment file as defined in {manpage}`systemd.exec(5)`. 130 130 131 - Secrets like <envar>ADMIN_TOKEN</envar> and <envar>SMTP_PASSWORD</envar> 131 + Secrets like {env}`ADMIN_TOKEN` and {env}`SMTP_PASSWORD` 132 132 may be passed to the service without adding them to the world-readable Nix store. 133 133 134 134 Note that this file needs to be available on the host on which 135 - <literal>vaultwarden</literal> is running. 135 + `vaultwarden` is running. 136 136 137 137 As a concrete example, to make the Admin UI available 138 138 (from which new users can be invited initially), 139 - the secret <envar>ADMIN_TOKEN</envar> needs to be defined as described 140 - <link xlink:href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page">here</link>. 141 - Setting <literal>environmentFile</literal> to <literal>/var/lib/vaultwarden.env</literal> 139 + the secret {env}`ADMIN_TOKEN` needs to be defined as described 140 + [here](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page). 141 + Setting `environmentFile` to `/var/lib/vaultwarden.env` 142 142 and ensuring permissions with e.g. 143 - <literal>chown vaultwarden:vaultwarden /var/lib/vaultwarden.env</literal> 144 - (the <literal>vaultwarden</literal> user will only exist after activating with 145 - <literal>enable = true;</literal> before this), we can set the contents of the file to have 143 + `chown vaultwarden:vaultwarden /var/lib/vaultwarden.env` 144 + (the `vaultwarden` user will only exist after activating with 145 + `enable = true;` before this), we can set the contents of the file to have 146 146 contents such as: 147 147 148 - <programlisting> 149 - # Admin secret token, see 150 - # https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page 151 - ADMIN_TOKEN=...copy-paste a unique generated secret token here... 152 - </programlisting> 148 + ``` 149 + # Admin secret token, see 150 + # https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page 151 + ADMIN_TOKEN=...copy-paste a unique generated secret token here... 152 + ``` 153 153 ''; 154 154 }; 155 155

+5 -5

nixos/modules/services/web-apps/discourse.nix

··· 57 57 type = with lib.types; nullOr path; 58 58 default = null; 59 59 example = "/run/keys/secret_key_base"; 60 - description = '' 60 + description = lib.mdDoc '' 61 61 The path to a file containing the 62 - <literal>secret_key_base</literal> secret. 62 + `secret_key_base` secret. 63 63 64 - Discourse uses <literal>secret_key_base</literal> to encrypt 64 + Discourse uses `secret_key_base` to encrypt 65 65 the cookie store, which contains session data, and to digest 66 66 user auth tokens. 67 67 68 68 Needs to be a 64 byte long string of hexadecimal 69 69 characters. You can generate one by running 70 70 71 - <programlisting> 71 + ``` 72 72 openssl rand -hex 64 >/path/to/secret_key_base_file 73 - </programlisting> 73 + ``` 74 74 75 75 This should be a string, not a nix path, since nix paths are 76 76 copied into the world-readable nix store.

+7 -7

nixos/modules/services/web-apps/hedgedoc.nix

··· 990 990 type = with types; nullOr path; 991 991 default = null; 992 992 example = "/var/lib/hedgedoc/hedgedoc.env"; 993 - description = '' 994 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 993 + description = lib.mdDoc '' 994 + Environment file as defined in {manpage}`systemd.exec(5)`. 995 995 996 996 Secrets may be passed to the service without adding them to the world-readable 997 997 Nix store, by specifying placeholder variables as the option value in Nix and 998 998 setting these variables accordingly in the environment file. 999 999 1000 - <programlisting> 1000 + ``` 1001 1001 # snippet of HedgeDoc-related config 1002 1002 services.hedgedoc.configuration.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; 1003 1003 services.hedgedoc.configuration.minio.secretKey = "$MINIO_SECRET_KEY"; 1004 - </programlisting> 1004 + ``` 1005 1005 1006 - <programlisting> 1006 + ``` 1007 1007 # content of the environment file 1008 1008 DB_PASSWORD=verysecretdbpassword 1009 1009 MINIO_SECRET_KEY=verysecretminiokey 1010 - </programlisting> 1010 + ``` 1011 1011 1012 1012 Note that this file needs to be available on the host on which 1013 - <literal>HedgeDoc</literal> is running. 1013 + `HedgeDoc` is running. 1014 1014 ''; 1015 1015 }; 1016 1016

+3 -3

nixos/modules/services/web-servers/molly-brown.nix

··· 34 34 certPath = mkOption { 35 35 type = types.path; 36 36 example = "/var/lib/acme/example.com/cert.pem"; 37 - description = '' 37 + description = lib.mdDoc '' 38 38 Path to TLS certificate. An ACME certificate and key may be 39 39 shared with an HTTP server, but only if molly-brown has 40 40 permissions allowing it to read such keys. 41 41 42 42 As an example: 43 - <programlisting> 43 + ``` 44 44 systemd.services.molly-brown.serviceConfig.SupplementaryGroups = 45 45 [ config.security.acme.certs."example.com".group ]; 46 - </programlisting> 46 + ``` 47 47 ''; 48 48 }; 49 49

+5 -5

nixos/modules/system/activation/top-level.nix

··· 164 164 specialisation = mkOption { 165 165 default = {}; 166 166 example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }; }"; 167 - description = '' 167 + description = lib.mdDoc '' 168 168 Additional configurations to build. If 169 - <literal>inheritParentConfig</literal> is true, the system 169 + `inheritParentConfig` is true, the system 170 170 will be based on the overall system configuration. 171 171 172 172 To switch to a specialised configuration 173 - (e.g. <literal>fewJobsManyCores</literal>) at runtime, run: 173 + (e.g. `fewJobsManyCores`) at runtime, run: 174 174 175 - <programlisting> 175 + ``` 176 176 sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test 177 - </programlisting> 177 + ``` 178 178 ''; 179 179 type = types.attrsOf (types.submodule ( 180 180 local@{ ... }: let

+3 -3

nixos/modules/virtualisation/lxcfs.nix

··· 15 15 mkOption { 16 16 type = types.bool; 17 17 default = false; 18 - description = '' 18 + description = lib.mdDoc '' 19 19 This enables LXCFS, a FUSE filesystem for LXC. 20 20 To use lxcfs in include the following configuration in your 21 21 container configuration: 22 - <programlisting> 22 + ``` 23 23 virtualisation.lxc.defaultConfig = "lxc.include = ''${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf"; 24 - </programlisting> 24 + ``` 25 25 ''; 26 26 }; 27 27 };

+4 -4

nixos/modules/virtualisation/lxd.nix

··· 18 18 enable = mkOption { 19 19 type = types.bool; 20 20 default = false; 21 - description = '' 21 + description = lib.mdDoc '' 22 22 This option enables lxd, a daemon that manages 23 23 containers. Users in the "lxd" group can interact with 24 24 the daemon (e.g. to start or stop containers) using the 25 - <command>lxc</command> command line tool, among others. 25 + {command}`lxc` command line tool, among others. 26 26 27 27 Most of the time, you'll also want to start lxcfs, so 28 28 that containers can "see" the limits: 29 - <programlisting> 29 + ``` 30 30 virtualisation.lxc.lxcfs.enable = true; 31 - </programlisting> 31 + ``` 32 32 ''; 33 33 }; 34 34