+7 -7

nixos/modules/hardware/tuxedo-keyboard.nix

··· 8 in 9 { 10 options.hardware.tuxedo-keyboard = { 11 - enable = mkEnableOption '' 12 Enables the tuxedo-keyboard driver. 13 14 - To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration. 15 There are several parameters you can change. It's best to check at the source code description which options are supported. 16 - You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam"/> 17 18 - In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this: 19 20 - <programlisting> 21 boot.kernelParams = [ 22 "tuxedo_keyboard.mode=0" 23 "tuxedo_keyboard.brightness=255" 24 "tuxedo_keyboard.color_left=0xff0a0a" 25 ]; 26 - </programlisting> 27 - ''; 28 }; 29 30 config = mkIf cfg.enable

··· 8 in 9 { 10 options.hardware.tuxedo-keyboard = { 11 + enable = mkEnableOption (lib.mdDoc '' 12 Enables the tuxedo-keyboard driver. 13 14 + To configure the driver, pass the options to the {option}`boot.kernelParams` configuration. 15 There are several parameters you can change. It's best to check at the source code description which options are supported. 16 + You can find all the supported parameters at: <https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam> 17 18 + In order to use the `custom` lighting with the maximumg brightness and a color of `0xff0a0a` one would put pass {option}`boot.kernelParams` like this: 19 20 + ``` 21 boot.kernelParams = [ 22 "tuxedo_keyboard.mode=0" 23 "tuxedo_keyboard.brightness=255" 24 "tuxedo_keyboard.color_left=0xff0a0a" 25 ]; 26 + ``` 27 + ''); 28 }; 29 30 config = mkIf cfg.enable

+12 -12

nixos/modules/misc/label.nix

··· 12 13 nixos.label = mkOption { 14 type = types.strMatching "[a-zA-Z0-9:_\\.-]*"; 15 - description = '' 16 NixOS version name to be used in the names of generated 17 outputs and boot labels. 18 ··· 20 this is the option for you. 21 22 It can only contain letters, numbers and the following symbols: 23 - <literal>:</literal>, <literal>_</literal>, <literal>.</literal> and <literal>-</literal>. 24 25 - The default is <option>system.nixos.tags</option> separated by 26 - "-" + "-" + <envar>NIXOS_LABEL_VERSION</envar> environment 27 variable (defaults to the value of 28 - <option>system.nixos.version</option>). 29 30 - Can be overriden by setting <envar>NIXOS_LABEL</envar>. 31 32 Useful for not loosing track of configurations built from different 33 nixos branches/revisions, e.g.: 34 35 - <programlisting> 36 #!/bin/sh 37 today=`date +%Y%m%d` 38 branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')` 39 revision=`(cd nixpkgs ; git rev-parse HEAD)` 40 export NIXOS_LABEL_VERSION="$today.$branch-''${revision:0:7}" 41 nixos-rebuild switch 42 - </programlisting> 43 ''; 44 }; 45 ··· 47 type = types.listOf types.str; 48 default = []; 49 example = [ "with-xen" ]; 50 - description = '' 51 Strings to prefix to the default 52 - <option>system.nixos.label</option>. 53 54 Useful for not loosing track of configurations built with 55 different options, e.g.: 56 57 - <programlisting> 58 { 59 system.nixos.tags = [ "with-xen" ]; 60 virtualisation.xen.enable = true; 61 } 62 - </programlisting> 63 ''; 64 }; 65

··· 12 13 nixos.label = mkOption { 14 type = types.strMatching "[a-zA-Z0-9:_\\.-]*"; 15 + description = lib.mdDoc '' 16 NixOS version name to be used in the names of generated 17 outputs and boot labels. 18 ··· 20 this is the option for you. 21 22 It can only contain letters, numbers and the following symbols: 23 + `:`, `_`, `.` and `-`. 24 25 + The default is {option}`system.nixos.tags` separated by 26 + "-" + "-" + {env}`NIXOS_LABEL_VERSION` environment 27 variable (defaults to the value of 28 + {option}`system.nixos.version`). 29 30 + Can be overriden by setting {env}`NIXOS_LABEL`. 31 32 Useful for not loosing track of configurations built from different 33 nixos branches/revisions, e.g.: 34 35 + ``` 36 #!/bin/sh 37 today=`date +%Y%m%d` 38 branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')` 39 revision=`(cd nixpkgs ; git rev-parse HEAD)` 40 export NIXOS_LABEL_VERSION="$today.$branch-''${revision:0:7}" 41 nixos-rebuild switch 42 + ``` 43 ''; 44 }; 45 ··· 47 type = types.listOf types.str; 48 default = []; 49 example = [ "with-xen" ]; 50 + description = lib.mdDoc '' 51 Strings to prefix to the default 52 + {option}`system.nixos.label`. 53 54 Useful for not loosing track of configurations built with 55 different options, e.g.: 56 57 + ``` 58 { 59 system.nixos.tags = [ "with-xen" ]; 60 virtualisation.xen.enable = true; 61 } 62 + ``` 63 ''; 64 }; 65

+9 -9

nixos/modules/misc/nixpkgs.nix

··· 311 defaultText = lib.literalMD '' 312 Traditionally `builtins.currentSystem`, but unset when invoking NixOS through `lib.nixosSystem`. 313 ''; 314 - description = '' 315 This option does not need to be specified for NixOS configurations 316 - with a recently generated <literal>hardware-configuration.nix</literal>. 317 318 Specifies the Nix platform type on which NixOS should be built. 319 - It is better to specify <literal>nixpkgs.localSystem</literal> instead. 320 - <programlisting> 321 { 322 nixpkgs.system = ..; 323 } 324 - </programlisting> 325 is the same as 326 - <programlisting> 327 { 328 nixpkgs.localSystem.system = ..; 329 } 330 - </programlisting> 331 - See <literal>nixpkgs.localSystem</literal> for more information. 332 333 - Ignored when <literal>nixpkgs.pkgs</literal>, <literal>nixpkgs.localSystem</literal> or <literal>nixpkgs.hostPlatform</literal> is set. 334 ''; 335 }; 336 };

··· 311 defaultText = lib.literalMD '' 312 Traditionally `builtins.currentSystem`, but unset when invoking NixOS through `lib.nixosSystem`. 313 ''; 314 + description = lib.mdDoc '' 315 This option does not need to be specified for NixOS configurations 316 + with a recently generated `hardware-configuration.nix`. 317 318 Specifies the Nix platform type on which NixOS should be built. 319 + It is better to specify `nixpkgs.localSystem` instead. 320 + ``` 321 { 322 nixpkgs.system = ..; 323 } 324 + ``` 325 is the same as 326 + ``` 327 { 328 nixpkgs.localSystem.system = ..; 329 } 330 + ``` 331 + See `nixpkgs.localSystem` for more information. 332 333 + Ignored when `nixpkgs.pkgs`, `nixpkgs.localSystem` or `nixpkgs.hostPlatform` is set. 334 ''; 335 }; 336 };

+4 -4

nixos/modules/services/backup/duplicity.nix

··· 54 secretFile = mkOption { 55 type = types.nullOr types.path; 56 default = null; 57 - description = '' 58 Path of a file containing secrets (gpg passphrase, access key...) in 59 the format of EnvironmentFile as described by 60 - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. For example: 61 - <programlisting> 62 PASSPHRASE=«...» 63 AWS_ACCESS_KEY_ID=«...» 64 AWS_SECRET_ACCESS_KEY=«...» 65 - </programlisting> 66 ''; 67 }; 68

··· 54 secretFile = mkOption { 55 type = types.nullOr types.path; 56 default = null; 57 + description = lib.mdDoc '' 58 Path of a file containing secrets (gpg passphrase, access key...) in 59 the format of EnvironmentFile as described by 60 + {manpage}`systemd.exec(5)`. For example: 61 + ``` 62 PASSPHRASE=«...» 63 AWS_ACCESS_KEY_ID=«...» 64 AWS_SECRET_ACCESS_KEY=«...» 65 + ``` 66 ''; 67 }; 68

+3 -3

nixos/modules/services/databases/cockroachdb.nix

··· 58 locality = mkOption { 59 type = types.nullOr types.str; 60 default = null; 61 - description = '' 62 An ordered, comma-separated list of key-value pairs that describe the 63 topography of the machine. Topography might include country, 64 datacenter or rack designations. Data is automatically replicated to ··· 68 like datacenter. The tiers and order must be the same on all nodes. 69 Including more tiers is better than including fewer. For example: 70 71 - <programlisting> 72 country=us,region=us-west,datacenter=us-west-1b,rack=12 73 country=ca,region=ca-east,datacenter=ca-east-2,rack=4 74 75 planet=earth,province=manitoba,colo=secondary,power=3 76 - </programlisting> 77 ''; 78 }; 79

··· 58 locality = mkOption { 59 type = types.nullOr types.str; 60 default = null; 61 + description = lib.mdDoc '' 62 An ordered, comma-separated list of key-value pairs that describe the 63 topography of the machine. Topography might include country, 64 datacenter or rack designations. Data is automatically replicated to ··· 68 like datacenter. The tiers and order must be the same on all nodes. 69 Including more tiers is better than including fewer. For example: 70 71 + ``` 72 country=us,region=us-west,datacenter=us-west-1b,rack=12 73 country=ca,region=ca-east,datacenter=ca-east-2,rack=4 74 75 planet=earth,province=manitoba,colo=secondary,power=3 76 + ``` 77 ''; 78 }; 79

+5 -5

nixos/modules/services/development/zammad.nix

··· 149 type = types.nullOr types.path; 150 default = null; 151 example = "/run/keys/secret_key_base"; 152 - description = '' 153 The path to a file containing the 154 - <literal>secret_key_base</literal> secret. 155 156 - Zammad uses <literal>secret_key_base</literal> to encrypt 157 the cookie store, which contains session data, and to digest 158 user auth tokens. 159 160 Needs to be a 64 byte long string of hexadecimal 161 characters. You can generate one by running 162 163 - <programlisting> 164 openssl rand -hex 64 >/path/to/secret_key_base_file 165 - </programlisting> 166 167 This should be a string, not a nix path, since nix paths are 168 copied into the world-readable nix store.

··· 149 type = types.nullOr types.path; 150 default = null; 151 example = "/run/keys/secret_key_base"; 152 + description = lib.mdDoc '' 153 The path to a file containing the 154 + `secret_key_base` secret. 155 156 + Zammad uses `secret_key_base` to encrypt 157 the cookie store, which contains session data, and to digest 158 user auth tokens. 159 160 Needs to be a 64 byte long string of hexadecimal 161 characters. You can generate one by running 162 163 + ``` 164 openssl rand -hex 64 >/path/to/secret_key_base_file 165 + ``` 166 167 This should be a string, not a nix path, since nix paths are 168 copied into the world-readable nix store.

+6 -6

nixos/modules/services/hardware/lcd.nix

··· 61 usbPermissions = mkOption { 62 type = bool; 63 default = false; 64 - description = '' 65 Set group-write permissions on a USB device. 66 67 A USB connected LCD panel will most likely require having its 68 permissions modified for lcdd to write to it. Enabling this option 69 sets group-write permissions on the device identified by 70 - <option>services.hardware.lcd.usbVid</option> and 71 - <option>services.hardware.lcd.usbPid</option>. In order to find the 72 - values, you can run the <command>lsusb</command> command. Example 73 output: 74 75 - <programlisting> 76 Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface 77 - </programlisting> 78 79 In this case the vendor id is 0403 and the product id is c630. 80 '';

··· 61 usbPermissions = mkOption { 62 type = bool; 63 default = false; 64 + description = lib.mdDoc '' 65 Set group-write permissions on a USB device. 66 67 A USB connected LCD panel will most likely require having its 68 permissions modified for lcdd to write to it. Enabling this option 69 sets group-write permissions on the device identified by 70 + {option}`services.hardware.lcd.usbVid` and 71 + {option}`services.hardware.lcd.usbPid`. In order to find the 72 + values, you can run the {command}`lsusb` command. Example 73 output: 74 75 + ``` 76 Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface 77 + ``` 78 79 In this case the vendor id is 0403 and the product id is c630. 80 '';

+6 -6

nixos/modules/services/logging/awstats.nix

··· 25 logFile = mkOption { 26 type = types.str; 27 example = "/var/log/nginx/access.log"; 28 - description = '' 29 The log file to be scanned. 30 31 For mail, set this to 32 - <programlisting> 33 journalctl $OLD_CURSOR -u postfix.service | ''${pkgs.perl}/bin/perl ''${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard | 34 - </programlisting> 35 ''; 36 }; 37 38 logFormat = mkOption { 39 type = types.str; 40 default = "1"; 41 - description = '' 42 The log format being used. 43 44 For mail, set this to 45 - <programlisting> 46 %time2 %email %email_r %host %host_r %method %url %code %bytesd 47 - </programlisting> 48 ''; 49 }; 50

··· 25 logFile = mkOption { 26 type = types.str; 27 example = "/var/log/nginx/access.log"; 28 + description = lib.mdDoc '' 29 The log file to be scanned. 30 31 For mail, set this to 32 + ``` 33 journalctl $OLD_CURSOR -u postfix.service | ''${pkgs.perl}/bin/perl ''${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard | 34 + ``` 35 ''; 36 }; 37 38 logFormat = mkOption { 39 type = types.str; 40 default = "1"; 41 + description = lib.mdDoc '' 42 The log format being used. 43 44 For mail, set this to 45 + ``` 46 %time2 %email %email_r %host %host_r %method %url %code %bytesd 47 + ``` 48 ''; 49 }; 50

+7 -7

nixos/modules/services/matrix/dendrite.nix

··· 50 type = lib.types.nullOr lib.types.path; 51 example = "/var/lib/dendrite/registration_secret"; 52 default = null; 53 - description = '' 54 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 55 Secrets may be passed to the service without adding them to the world-readable 56 Nix store, by specifying placeholder variables as the option value in Nix and 57 setting these variables accordingly in the environment file. Currently only used 58 for the registration secret to allow secure registration when 59 client_api.registration_disabled is true. 60 61 - <programlisting> 62 # snippet of dendrite-related config 63 services.dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; 64 - </programlisting> 65 66 - <programlisting> 67 # content of the environment file 68 REGISTRATION_SHARED_SECRET=verysecretpassword 69 - </programlisting> 70 71 Note that this file needs to be available on the host on which 72 - <literal>dendrite</literal> is running. 73 ''; 74 }; 75 loadCredential = lib.mkOption {

··· 50 type = lib.types.nullOr lib.types.path; 51 example = "/var/lib/dendrite/registration_secret"; 52 default = null; 53 + description = lib.mdDoc '' 54 + Environment file as defined in {manpage}`systemd.exec(5)`. 55 Secrets may be passed to the service without adding them to the world-readable 56 Nix store, by specifying placeholder variables as the option value in Nix and 57 setting these variables accordingly in the environment file. Currently only used 58 for the registration secret to allow secure registration when 59 client_api.registration_disabled is true. 60 61 + ``` 62 # snippet of dendrite-related config 63 services.dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; 64 + ``` 65 66 + ``` 67 # content of the environment file 68 REGISTRATION_SHARED_SECRET=verysecretpassword 69 + ``` 70 71 Note that this file needs to be available on the host on which 72 + `dendrite` is running. 73 ''; 74 }; 75 loadCredential = lib.mkOption {

+4 -4

nixos/modules/services/misc/gitit.nix

··· 348 mimeTypesFile = mkOption { 349 type = types.path; 350 default = "/etc/mime/types.info"; 351 - description = '' 352 Specifies the path of a file containing mime type mappings. Each 353 line of the file should contain two fields, separated by whitespace. 354 The first field is the mime type, the second is a file extension. 355 For example: 356 - <programlisting> 357 - video/x-ms-wmx wmx 358 - </programlisting> 359 If the file is not found, some simple defaults will be used. 360 ''; 361 };

··· 348 mimeTypesFile = mkOption { 349 type = types.path; 350 default = "/etc/mime/types.info"; 351 + description = lib.mdDoc '' 352 Specifies the path of a file containing mime type mappings. Each 353 line of the file should contain two fields, separated by whitespace. 354 The first field is the mime type, the second is a file extension. 355 For example: 356 + ``` 357 + video/x-ms-wmx wmx 358 + ``` 359 If the file is not found, some simple defaults will be used. 360 ''; 361 };

+6 -8

nixos/modules/services/misc/sssd.nix

··· 54 environmentFile = mkOption { 55 type = types.nullOr types.path; 56 default = null; 57 - description = '' 58 - Environment file as defined in <citerefentry> 59 - <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> 60 - </citerefentry>. 61 62 Secrets may be passed to the service without adding them to the world-readable 63 Nix store, by specifying placeholder variables as the option value in Nix and 64 setting these variables accordingly in the environment file. 65 66 - <programlisting> 67 # snippet of sssd-related config 68 [domain/LDAP] 69 ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK 70 - </programlisting> 71 72 - <programlisting> 73 # contents of the environment file 74 SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword 75 - </programlisting> 76 ''; 77 }; 78 };

··· 54 environmentFile = mkOption { 55 type = types.nullOr types.path; 56 default = null; 57 + description = lib.mdDoc '' 58 + Environment file as defined in {manpage}`systemd.exec(5)`. 0 0 59 60 Secrets may be passed to the service without adding them to the world-readable 61 Nix store, by specifying placeholder variables as the option value in Nix and 62 setting these variables accordingly in the environment file. 63 64 + ``` 65 # snippet of sssd-related config 66 [domain/LDAP] 67 ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK 68 + ``` 69 70 + ``` 71 # contents of the environment file 72 SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword 73 + ``` 74 ''; 75 }; 76 };

+5 -5

nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix

··· 19 type = types.path; 20 default = "/var/run/dovecot/stats"; 21 example = "/var/run/dovecot2/old-stats"; 22 - description = '' 23 Path under which the stats socket is placed. 24 The user/group under which the exporter runs, 25 should be able to access the socket in order 26 to scrape the metrics successfully. 27 28 Please keep in mind that the stats module has changed in 29 - <link xlink:href="https://wiki2.dovecot.org/Upgrading/2.3">Dovecot 2.3+</link> which 30 - is not <link xlink:href="https://github.com/kumina/dovecot_exporter/issues/8">compatible with this exporter</link>. 31 32 The following extra config has to be passed to Dovecot to ensure that recent versions 33 work with this exporter: 34 - <programlisting> 35 { 36 services.prometheus.exporters.dovecot.enable = true; 37 services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats"; ··· 60 } 61 '''; 62 } 63 - </programlisting> 64 ''; 65 }; 66 scopes = mkOption {

··· 19 type = types.path; 20 default = "/var/run/dovecot/stats"; 21 example = "/var/run/dovecot2/old-stats"; 22 + description = lib.mdDoc '' 23 Path under which the stats socket is placed. 24 The user/group under which the exporter runs, 25 should be able to access the socket in order 26 to scrape the metrics successfully. 27 28 Please keep in mind that the stats module has changed in 29 + [Dovecot 2.3+](https://wiki2.dovecot.org/Upgrading/2.3) which 30 + is not [compatible with this exporter](https://github.com/kumina/dovecot_exporter/issues/8). 31 32 The following extra config has to be passed to Dovecot to ensure that recent versions 33 work with this exporter: 34 + ``` 35 { 36 services.prometheus.exporters.dovecot.enable = true; 37 services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats"; ··· 60 } 61 '''; 62 } 63 + ``` 64 ''; 65 }; 66 scopes = mkOption {

+4 -4

nixos/modules/services/monitoring/prometheus/exporters/mail.nix

··· 112 detectionDir = "/path/to/Maildir/new"; 113 } ] 114 ''; 115 - description = '' 116 List of servers that should be probed. 117 118 - <emphasis>Note:</emphasis> if your mailserver has <citerefentry><refentrytitle>rspamd</refentrytitle><manvolnum>8</manvolnum></citerefentry> configured, 119 it can happen that emails from this exporter are marked as spam. 120 121 It's possible to work around the issue with a config like this: 122 - <programlisting> 123 { 124 services.rspamd.locals."multimap.conf".text = ''' 125 ALLOWLIST_PROMETHEUS { ··· 130 } 131 '''; 132 } 133 - </programlisting> 134 ''; 135 }; 136 };

··· 112 detectionDir = "/path/to/Maildir/new"; 113 } ] 114 ''; 115 + description = lib.mdDoc '' 116 List of servers that should be probed. 117 118 + *Note:* if your mailserver has {manpage}`rspamd(8)` configured, 119 it can happen that emails from this exporter are marked as spam. 120 121 It's possible to work around the issue with a config like this: 122 + ``` 123 { 124 services.rspamd.locals."multimap.conf".text = ''' 125 ALLOWLIST_PROMETHEUS { ··· 130 } 131 '''; 132 } 133 + ``` 134 ''; 135 }; 136 };

+4 -4

nixos/modules/services/monitoring/prometheus/exporters/openldap.nix

··· 10 ldapCredentialFile = mkOption { 11 type = types.path; 12 example = "/run/keys/ldap_pass"; 13 - description = '' 14 Environment file to contain the credentials to authenticate against 15 - <literal>openldap</literal>. 16 17 The file should look like this: 18 - <programlisting> 19 --- 20 ldapUser: "cn=monitoring,cn=Monitor" 21 ldapPass: "secret" 22 - </programlisting> 23 ''; 24 }; 25 protocol = mkOption {

··· 10 ldapCredentialFile = mkOption { 11 type = types.path; 12 example = "/run/keys/ldap_pass"; 13 + description = lib.mdDoc '' 14 Environment file to contain the credentials to authenticate against 15 + `openldap`. 16 17 The file should look like this: 18 + ``` 19 --- 20 ldapUser: "cn=monitoring,cn=Monitor" 21 ldapPass: "secret" 22 + ``` 23 ''; 24 }; 25 protocol = mkOption {

+5 -5

nixos/modules/services/monitoring/prometheus/exporters/postgres.nix

··· 36 type = types.nullOr types.path; 37 default = null; 38 example = "/root/prometheus-postgres-exporter.env"; 39 - description = '' 40 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 41 42 Secrets may be passed to the service without adding them to the 43 world-readable Nix store, by specifying placeholder variables as ··· 46 47 Environment variables from this file will be interpolated into the 48 config file using envsubst with this syntax: 49 - <literal>$ENVIRONMENT ''${VARIABLE}</literal> 50 51 The main use is to set the DATA_SOURCE_NAME that contains the 52 postgres password ··· 54 note that contents from this file will override dataSourceName 55 if you have set it from nix. 56 57 - <programlisting> 58 # Content of the environment file 59 DATA_SOURCE_NAME=postgresql://username:password@localhost:5432/postgres?sslmode=disable 60 - </programlisting> 61 62 Note that this file needs to be available on the host on which 63 this exporter is running.

··· 36 type = types.nullOr types.path; 37 default = null; 38 example = "/root/prometheus-postgres-exporter.env"; 39 + description = lib.mdDoc '' 40 + Environment file as defined in {manpage}`systemd.exec(5)`. 41 42 Secrets may be passed to the service without adding them to the 43 world-readable Nix store, by specifying placeholder variables as ··· 46 47 Environment variables from this file will be interpolated into the 48 config file using envsubst with this syntax: 49 + `$ENVIRONMENT ''${VARIABLE}` 50 51 The main use is to set the DATA_SOURCE_NAME that contains the 52 postgres password ··· 54 note that contents from this file will override dataSourceName 55 if you have set it from nix. 56 57 + ``` 58 # Content of the environment file 59 DATA_SOURCE_NAME=postgresql://username:password@localhost:5432/postgres?sslmode=disable 60 + ``` 61 62 Note that this file needs to be available on the host on which 63 this exporter is running.

+4 -4

nixos/modules/services/network-filesystems/litestream/default.nix

··· 40 type = types.nullOr types.path; 41 default = null; 42 example = "/run/secrets/litestream"; 43 - description = '' 44 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 45 46 Secrets may be passed to the service without adding them to the 47 world-readable Nix store, by specifying placeholder variables as ··· 54 variable values. If no value is set then it will be replaced with an 55 empty string. 56 57 - <programlisting> 58 # Content of the environment file 59 LITESTREAM_ACCESS_KEY_ID=AKIAxxxxxxxxxxxxxxxx 60 LITESTREAM_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx 61 - </programlisting> 62 63 Note that this file needs to be available on the host on which 64 this exporter is running.

··· 40 type = types.nullOr types.path; 41 default = null; 42 example = "/run/secrets/litestream"; 43 + description = lib.mdDoc '' 44 + Environment file as defined in {manpage}`systemd.exec(5)`. 45 46 Secrets may be passed to the service without adding them to the 47 world-readable Nix store, by specifying placeholder variables as ··· 54 variable values. If no value is set then it will be replaced with an 55 empty string. 56 57 + ``` 58 # Content of the environment file 59 LITESTREAM_ACCESS_KEY_ID=AKIAxxxxxxxxxxxxxxxx 60 LITESTREAM_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx 61 + ``` 62 63 Note that this file needs to be available on the host on which 64 this exporter is running.

+6 -6

nixos/modules/services/networking/3proxy.nix

··· 18 type = types.nullOr types.path; 19 default = null; 20 example = "/var/lib/3proxy/3proxy.passwd"; 21 - description = '' 22 Load users and passwords from this file. 23 24 Example users file with plain-text passwords: 25 26 - <programlisting> 27 test1:CL:password1 28 test2:CL:password2 29 - </programlisting> 30 31 Example users file with md5-crypted passwords: 32 33 - <programlisting> 34 test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 35 test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. 36 - </programlisting> 37 38 You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ 39 Note that htpasswd tool generates incompatible md5-crypted passwords. 40 - Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/How-To-(incomplete)#USERS">documentation</link> for more information. 41 ''; 42 }; 43 services = mkOption {

··· 18 type = types.nullOr types.path; 19 default = null; 20 example = "/var/lib/3proxy/3proxy.passwd"; 21 + description = lib.mdDoc '' 22 Load users and passwords from this file. 23 24 Example users file with plain-text passwords: 25 26 + ``` 27 test1:CL:password1 28 test2:CL:password2 29 + ``` 30 31 Example users file with md5-crypted passwords: 32 33 + ``` 34 test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 35 test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. 36 + ``` 37 38 You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ 39 Note that htpasswd tool generates incompatible md5-crypted passwords. 40 + Consult [documentation](https://github.com/z3APA3A/3proxy/wiki/How-To-%28incomplete%29#USERS) for more information. 41 ''; 42 }; 43 services = mkOption {

+5 -5

nixos/modules/services/networking/firefox-syncserver.nix

··· 34 { 35 options = { 36 services.firefox-syncserver = { 37 - enable = lib.mkEnableOption '' 38 the Firefox Sync storage service. 39 40 Out of the box this will not be very useful unless you also configure at least 41 one service and one nodes by inserting them into the mysql database manually, e.g. 42 by running 43 44 - <programlisting> 45 INSERT INTO `services` (`id`, `service`, `pattern`) VALUES ('1', 'sync-1.5', '{node}/1.5/{uid}'); 46 INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`, 47 `capacity`, `downed`, `backoff`) 48 VALUES ('1', '1', 'https://mydomain.tld', '1', '0', '10', '0', '0'); 49 - </programlisting> 50 51 - <option>${opt.singleNode.enable}</option> does this automatically when enabled 52 - ''; 53 54 package = lib.mkOption { 55 type = lib.types.package;

··· 34 { 35 options = { 36 services.firefox-syncserver = { 37 + enable = lib.mkEnableOption (lib.mdDoc '' 38 the Firefox Sync storage service. 39 40 Out of the box this will not be very useful unless you also configure at least 41 one service and one nodes by inserting them into the mysql database manually, e.g. 42 by running 43 44 + ``` 45 INSERT INTO `services` (`id`, `service`, `pattern`) VALUES ('1', 'sync-1.5', '{node}/1.5/{uid}'); 46 INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`, 47 `capacity`, `downed`, `backoff`) 48 VALUES ('1', '1', 'https://mydomain.tld', '1', '0', '10', '0', '0'); 49 + ``` 50 51 + {option}`${opt.singleNode.enable}` does this automatically when enabled 52 + ''); 53 54 package = lib.mkOption { 55 type = lib.types.package;

+6 -6

nixos/modules/services/networking/hylafax/options.nix

··· 172 userAccessFile = mkOption { 173 type = path; 174 default = "/etc/hosts.hfaxd"; 175 - description = '' 176 - The <filename>hosts.hfaxd</filename> 177 file entry in the spooling area 178 will be symlinked to the location given here. 179 This file must exist and be 180 - readable only by the <literal>uucp</literal> user. 181 See hosts.hfaxd(5) for details. 182 This configuration permits access for all users: 183 - <programlisting> 184 environment.etc."hosts.hfaxd" = { 185 mode = "0600"; 186 user = "uucp"; 187 text = ".*"; 188 }; 189 - </programlisting> 190 Note that host-based access can be controlled with 191 - <option>config.systemd.sockets.hylafax-hfaxd.listenStreams</option>; 192 by default, only 127.0.0.1 is permitted to connect. 193 ''; 194 };

··· 172 userAccessFile = mkOption { 173 type = path; 174 default = "/etc/hosts.hfaxd"; 175 + description = lib.mdDoc '' 176 + The {file}`hosts.hfaxd` 177 file entry in the spooling area 178 will be symlinked to the location given here. 179 This file must exist and be 180 + readable only by the `uucp` user. 181 See hosts.hfaxd(5) for details. 182 This configuration permits access for all users: 183 + ``` 184 environment.etc."hosts.hfaxd" = { 185 mode = "0600"; 186 user = "uucp"; 187 text = ".*"; 188 }; 189 + ``` 190 Note that host-based access can be controlled with 191 + {option}`config.systemd.sockets.hylafax-hfaxd.listenStreams`; 192 by default, only 127.0.0.1 is permitted to connect. 193 ''; 194 };

+7 -7

nixos/modules/services/networking/murmur.nix

··· 261 type = types.nullOr types.path; 262 default = null; 263 example = "/var/lib/murmur/murmurd.env"; 264 - description = '' 265 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 266 267 Secrets may be passed to the service without adding them to the world-readable 268 Nix store, by specifying placeholder variables as the option value in Nix and 269 setting these variables accordingly in the environment file. 270 271 - <programlisting> 272 # snippet of murmur-related config 273 services.murmur.password = "$MURMURD_PASSWORD"; 274 - </programlisting> 275 276 - <programlisting> 277 # content of the environment file 278 MURMURD_PASSWORD=verysecretpassword 279 - </programlisting> 280 281 Note that this file needs to be available on the host on which 282 - <literal>murmur</literal> is running. 283 ''; 284 }; 285 };

··· 261 type = types.nullOr types.path; 262 default = null; 263 example = "/var/lib/murmur/murmurd.env"; 264 + description = lib.mdDoc '' 265 + Environment file as defined in {manpage}`systemd.exec(5)`. 266 267 Secrets may be passed to the service without adding them to the world-readable 268 Nix store, by specifying placeholder variables as the option value in Nix and 269 setting these variables accordingly in the environment file. 270 271 + ``` 272 # snippet of murmur-related config 273 services.murmur.password = "$MURMURD_PASSWORD"; 274 + ``` 275 276 + ``` 277 # content of the environment file 278 MURMURD_PASSWORD=verysecretpassword 279 + ``` 280 281 Note that this file needs to be available on the host on which 282 + `murmur` is running. 283 ''; 284 }; 285 };

+14 -14

nixos/modules/services/networking/ncdns.nix

··· 78 default = config.networking.hostName; 79 defaultText = literalExpression "config.networking.hostName"; 80 example = "example.com"; 81 - description = '' 82 The hostname of this ncdns instance, which defaults to the machine 83 hostname. If specified, ncdns lists the hostname as an NS record at 84 the zone apex: 85 - <programlisting> 86 bit. IN NS ns1.example.com. 87 - </programlisting> 88 If unset ncdns will generate an internal psuedo-hostname under the 89 zone, which will resolve to the value of 90 - <option>services.ncdns.identity.address</option>. 91 If you are only using ncdns locally you can ignore this. 92 ''; 93 }; ··· 123 dnssec.keys.public = mkOption { 124 type = types.path; 125 default = defaultFiles.public; 126 - description = '' 127 Path to the file containing the KSK public key. 128 - The key can be generated using the <literal>dnssec-keygen</literal> 129 - command, provided by the package <literal>bind</literal> as follows: 130 - <programlisting> 131 $ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit 132 - </programlisting> 133 ''; 134 }; 135 ··· 144 dnssec.keys.zonePublic = mkOption { 145 type = types.path; 146 default = defaultFiles.zonePublic; 147 - description = '' 148 Path to the file containing the ZSK public key. 149 - The key can be generated using the <literal>dnssec-keygen</literal> 150 - command, provided by the package <literal>bind</literal> as follows: 151 - <programlisting> 152 $ dnssec-keygen -a RSASHA256 -3 -b 2048 bit 153 - </programlisting> 154 ''; 155 }; 156

··· 78 default = config.networking.hostName; 79 defaultText = literalExpression "config.networking.hostName"; 80 example = "example.com"; 81 + description = lib.mdDoc '' 82 The hostname of this ncdns instance, which defaults to the machine 83 hostname. If specified, ncdns lists the hostname as an NS record at 84 the zone apex: 85 + ``` 86 bit. IN NS ns1.example.com. 87 + ``` 88 If unset ncdns will generate an internal psuedo-hostname under the 89 zone, which will resolve to the value of 90 + {option}`services.ncdns.identity.address`. 91 If you are only using ncdns locally you can ignore this. 92 ''; 93 }; ··· 123 dnssec.keys.public = mkOption { 124 type = types.path; 125 default = defaultFiles.public; 126 + description = lib.mdDoc '' 127 Path to the file containing the KSK public key. 128 + The key can be generated using the `dnssec-keygen` 129 + command, provided by the package `bind` as follows: 130 + ``` 131 $ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit 132 + ``` 133 ''; 134 }; 135 ··· 144 dnssec.keys.zonePublic = mkOption { 145 type = types.path; 146 default = defaultFiles.zonePublic; 147 + description = lib.mdDoc '' 148 Path to the file containing the ZSK public key. 149 + The key can be generated using the `dnssec-keygen` 150 + command, provided by the package `bind` as follows: 151 + ``` 152 $ dnssec-keygen -a RSASHA256 -3 -b 2048 bit 153 + ``` 154 ''; 155 }; 156

+4 -4

nixos/modules/services/networking/nix-serve.nix

··· 35 secretKeyFile = mkOption { 36 type = types.nullOr types.str; 37 default = null; 38 - description = '' 39 The path to the file used for signing derivation data. 40 Generate with: 41 42 - <programlisting> 43 nix-store --generate-binary-cache-key key-name secret-key-file public-key-file 44 - </programlisting> 45 46 - For more details see <citerefentry><refentrytitle>nix-store</refentrytitle><manvolnum>1</manvolnum></citerefentry>. 47 ''; 48 }; 49

··· 35 secretKeyFile = mkOption { 36 type = types.nullOr types.str; 37 default = null; 38 + description = lib.mdDoc '' 39 The path to the file used for signing derivation data. 40 Generate with: 41 42 + ``` 43 nix-store --generate-binary-cache-key key-name secret-key-file public-key-file 44 + ``` 45 46 + For more details see {manpage}`nix-store(1)`. 47 ''; 48 }; 49

+5 -5

nixos/modules/services/security/hockeypuck.nix

··· 37 }; 38 } 39 ''; 40 - description = '' 41 Configuration file for hockeypuck, here you can override 42 - certain settings (<literal>loglevel</literal> and 43 - <literal>openpgp.db.dsn</literal>) by just setting those values. 44 45 For other settings you need to use lib.mkForce to override them. 46 ··· 49 the database yourself. 50 51 Example: 52 - <programlisting> 53 services.postgresql = { 54 enable = true; 55 ensureDatabases = [ "hockeypuck" ]; ··· 58 ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; 59 }]; 60 }; 61 - </programlisting> 62 ''; 63 }; 64 };

··· 37 }; 38 } 39 ''; 40 + description = lib.mdDoc '' 41 Configuration file for hockeypuck, here you can override 42 + certain settings (`loglevel` and 43 + `openpgp.db.dsn`) by just setting those values. 44 45 For other settings you need to use lib.mkForce to override them. 46 ··· 49 the database yourself. 50 51 Example: 52 + ``` 53 services.postgresql = { 54 enable = true; 55 ensureDatabases = [ "hockeypuck" ]; ··· 58 ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; 59 }]; 60 }; 61 + ``` 62 ''; 63 }; 64 };

+7 -7

nixos/modules/services/security/privacyidea.nix

··· 72 type = types.nullOr types.path; 73 default = null; 74 example = "/root/privacyidea.env"; 75 - description = '' 76 File to load as environment file. Environment variables 77 from this file will be interpolated into the config file 78 - using <literal>envsubst</literal> which is helpful for specifying 79 secrets: 80 - <programlisting> 81 - { <xref linkend="opt-services.privacyidea.secretKey"/> = "$SECRET"; } 82 - </programlisting> 83 84 The environment-file can now specify the actual secret key: 85 - <programlisting> 86 SECRET=veryverytopsecret 87 - </programlisting> 88 ''; 89 }; 90

··· 72 type = types.nullOr types.path; 73 default = null; 74 example = "/root/privacyidea.env"; 75 + description = lib.mdDoc '' 76 File to load as environment file. Environment variables 77 from this file will be interpolated into the config file 78 + using `envsubst` which is helpful for specifying 79 secrets: 80 + ``` 81 + { services.privacyidea.secretKey = "$SECRET"; } 82 + ``` 83 84 The environment-file can now specify the actual secret key: 85 + ``` 86 SECRET=veryverytopsecret 87 + ``` 88 ''; 89 }; 90

+5 -5

nixos/modules/services/security/vault.nix

··· 141 extraSettingsPaths = mkOption { 142 type = types.listOf types.path; 143 default = []; 144 - description = '' 145 Configuration files to load besides the immutable one defined by the NixOS module. 146 This can be used to avoid putting credentials in the Nix store, which can be read by any user. 147 148 Each path can point to a JSON- or HCL-formatted file, or a directory 149 - to be scanned for files with <literal>.hcl</literal> or 150 - <literal>.json</literal> extensions. 151 152 To upload the confidential file with NixOps, use for example: 153 154 - <programlisting><![CDATA[ 155 # https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys 156 deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in { 157 text = ${"''"} ··· 164 services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"]; 165 services.vault.storageBackend = "postgresql"; 166 users.users.vault.extraGroups = ["keys"]; 167 - ]]></programlisting> 168 ''; 169 }; 170 };

··· 141 extraSettingsPaths = mkOption { 142 type = types.listOf types.path; 143 default = []; 144 + description = lib.mdDoc '' 145 Configuration files to load besides the immutable one defined by the NixOS module. 146 This can be used to avoid putting credentials in the Nix store, which can be read by any user. 147 148 Each path can point to a JSON- or HCL-formatted file, or a directory 149 + to be scanned for files with `.hcl` or 150 + `.json` extensions. 151 152 To upload the confidential file with NixOps, use for example: 153 154 + ``` 155 # https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys 156 deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in { 157 text = ${"''"} ··· 164 services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"]; 165 services.vault.storageBackend = "postgresql"; 166 users.users.vault.extraGroups = ["keys"]; 167 + ``` 168 ''; 169 }; 170 };

+15 -15

nixos/modules/services/security/vaultwarden/default.nix

··· 125 type = with types; nullOr path; 126 default = null; 127 example = "/var/lib/vaultwarden.env"; 128 - description = '' 129 - Additional environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 130 131 - Secrets like <envar>ADMIN_TOKEN</envar> and <envar>SMTP_PASSWORD</envar> 132 may be passed to the service without adding them to the world-readable Nix store. 133 134 Note that this file needs to be available on the host on which 135 - <literal>vaultwarden</literal> is running. 136 137 As a concrete example, to make the Admin UI available 138 (from which new users can be invited initially), 139 - the secret <envar>ADMIN_TOKEN</envar> needs to be defined as described 140 - <link xlink:href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page">here</link>. 141 - Setting <literal>environmentFile</literal> to <literal>/var/lib/vaultwarden.env</literal> 142 and ensuring permissions with e.g. 143 - <literal>chown vaultwarden:vaultwarden /var/lib/vaultwarden.env</literal> 144 - (the <literal>vaultwarden</literal> user will only exist after activating with 145 - <literal>enable = true;</literal> before this), we can set the contents of the file to have 146 contents such as: 147 148 - <programlisting> 149 - # Admin secret token, see 150 - # https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page 151 - ADMIN_TOKEN=...copy-paste a unique generated secret token here... 152 - </programlisting> 153 ''; 154 }; 155

··· 125 type = with types; nullOr path; 126 default = null; 127 example = "/var/lib/vaultwarden.env"; 128 + description = lib.mdDoc '' 129 + Additional environment file as defined in {manpage}`systemd.exec(5)`. 130 131 + Secrets like {env}`ADMIN_TOKEN` and {env}`SMTP_PASSWORD` 132 may be passed to the service without adding them to the world-readable Nix store. 133 134 Note that this file needs to be available on the host on which 135 + `vaultwarden` is running. 136 137 As a concrete example, to make the Admin UI available 138 (from which new users can be invited initially), 139 + the secret {env}`ADMIN_TOKEN` needs to be defined as described 140 + [here](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page). 141 + Setting `environmentFile` to `/var/lib/vaultwarden.env` 142 and ensuring permissions with e.g. 143 + `chown vaultwarden:vaultwarden /var/lib/vaultwarden.env` 144 + (the `vaultwarden` user will only exist after activating with 145 + `enable = true;` before this), we can set the contents of the file to have 146 contents such as: 147 148 + ``` 149 + # Admin secret token, see 150 + # https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page 151 + ADMIN_TOKEN=...copy-paste a unique generated secret token here... 152 + ``` 153 ''; 154 }; 155

+5 -5

nixos/modules/services/web-apps/discourse.nix

··· 57 type = with lib.types; nullOr path; 58 default = null; 59 example = "/run/keys/secret_key_base"; 60 - description = '' 61 The path to a file containing the 62 - <literal>secret_key_base</literal> secret. 63 64 - Discourse uses <literal>secret_key_base</literal> to encrypt 65 the cookie store, which contains session data, and to digest 66 user auth tokens. 67 68 Needs to be a 64 byte long string of hexadecimal 69 characters. You can generate one by running 70 71 - <programlisting> 72 openssl rand -hex 64 >/path/to/secret_key_base_file 73 - </programlisting> 74 75 This should be a string, not a nix path, since nix paths are 76 copied into the world-readable nix store.

··· 57 type = with lib.types; nullOr path; 58 default = null; 59 example = "/run/keys/secret_key_base"; 60 + description = lib.mdDoc '' 61 The path to a file containing the 62 + `secret_key_base` secret. 63 64 + Discourse uses `secret_key_base` to encrypt 65 the cookie store, which contains session data, and to digest 66 user auth tokens. 67 68 Needs to be a 64 byte long string of hexadecimal 69 characters. You can generate one by running 70 71 + ``` 72 openssl rand -hex 64 >/path/to/secret_key_base_file 73 + ``` 74 75 This should be a string, not a nix path, since nix paths are 76 copied into the world-readable nix store.

+7 -7

nixos/modules/services/web-apps/hedgedoc.nix

··· 990 type = with types; nullOr path; 991 default = null; 992 example = "/var/lib/hedgedoc/hedgedoc.env"; 993 - description = '' 994 - Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. 995 996 Secrets may be passed to the service without adding them to the world-readable 997 Nix store, by specifying placeholder variables as the option value in Nix and 998 setting these variables accordingly in the environment file. 999 1000 - <programlisting> 1001 # snippet of HedgeDoc-related config 1002 services.hedgedoc.configuration.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; 1003 services.hedgedoc.configuration.minio.secretKey = "$MINIO_SECRET_KEY"; 1004 - </programlisting> 1005 1006 - <programlisting> 1007 # content of the environment file 1008 DB_PASSWORD=verysecretdbpassword 1009 MINIO_SECRET_KEY=verysecretminiokey 1010 - </programlisting> 1011 1012 Note that this file needs to be available on the host on which 1013 - <literal>HedgeDoc</literal> is running. 1014 ''; 1015 }; 1016

··· 990 type = with types; nullOr path; 991 default = null; 992 example = "/var/lib/hedgedoc/hedgedoc.env"; 993 + description = lib.mdDoc '' 994 + Environment file as defined in {manpage}`systemd.exec(5)`. 995 996 Secrets may be passed to the service without adding them to the world-readable 997 Nix store, by specifying placeholder variables as the option value in Nix and 998 setting these variables accordingly in the environment file. 999 1000 + ``` 1001 # snippet of HedgeDoc-related config 1002 services.hedgedoc.configuration.dbURL = "postgres://hedgedoc:\''${DB_PASSWORD}@db-host:5432/hedgedocdb"; 1003 services.hedgedoc.configuration.minio.secretKey = "$MINIO_SECRET_KEY"; 1004 + ``` 1005 1006 + ``` 1007 # content of the environment file 1008 DB_PASSWORD=verysecretdbpassword 1009 MINIO_SECRET_KEY=verysecretminiokey 1010 + ``` 1011 1012 Note that this file needs to be available on the host on which 1013 + `HedgeDoc` is running. 1014 ''; 1015 }; 1016

+3 -3

nixos/modules/services/web-servers/molly-brown.nix

··· 34 certPath = mkOption { 35 type = types.path; 36 example = "/var/lib/acme/example.com/cert.pem"; 37 - description = '' 38 Path to TLS certificate. An ACME certificate and key may be 39 shared with an HTTP server, but only if molly-brown has 40 permissions allowing it to read such keys. 41 42 As an example: 43 - <programlisting> 44 systemd.services.molly-brown.serviceConfig.SupplementaryGroups = 45 [ config.security.acme.certs."example.com".group ]; 46 - </programlisting> 47 ''; 48 }; 49

··· 34 certPath = mkOption { 35 type = types.path; 36 example = "/var/lib/acme/example.com/cert.pem"; 37 + description = lib.mdDoc '' 38 Path to TLS certificate. An ACME certificate and key may be 39 shared with an HTTP server, but only if molly-brown has 40 permissions allowing it to read such keys. 41 42 As an example: 43 + ``` 44 systemd.services.molly-brown.serviceConfig.SupplementaryGroups = 45 [ config.security.acme.certs."example.com".group ]; 46 + ``` 47 ''; 48 }; 49

+5 -5

nixos/modules/system/activation/top-level.nix

··· 164 specialisation = mkOption { 165 default = {}; 166 example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }; }"; 167 - description = '' 168 Additional configurations to build. If 169 - <literal>inheritParentConfig</literal> is true, the system 170 will be based on the overall system configuration. 171 172 To switch to a specialised configuration 173 - (e.g. <literal>fewJobsManyCores</literal>) at runtime, run: 174 175 - <programlisting> 176 sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test 177 - </programlisting> 178 ''; 179 type = types.attrsOf (types.submodule ( 180 local@{ ... }: let

··· 164 specialisation = mkOption { 165 default = {}; 166 example = lib.literalExpression "{ fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }; }"; 167 + description = lib.mdDoc '' 168 Additional configurations to build. If 169 + `inheritParentConfig` is true, the system 170 will be based on the overall system configuration. 171 172 To switch to a specialised configuration 173 + (e.g. `fewJobsManyCores`) at runtime, run: 174 175 + ``` 176 sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test 177 + ``` 178 ''; 179 type = types.attrsOf (types.submodule ( 180 local@{ ... }: let

+3 -3

nixos/modules/virtualisation/lxcfs.nix

··· 15 mkOption { 16 type = types.bool; 17 default = false; 18 - description = '' 19 This enables LXCFS, a FUSE filesystem for LXC. 20 To use lxcfs in include the following configuration in your 21 container configuration: 22 - <programlisting> 23 virtualisation.lxc.defaultConfig = "lxc.include = ''${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf"; 24 - </programlisting> 25 ''; 26 }; 27 };

··· 15 mkOption { 16 type = types.bool; 17 default = false; 18 + description = lib.mdDoc '' 19 This enables LXCFS, a FUSE filesystem for LXC. 20 To use lxcfs in include the following configuration in your 21 container configuration: 22 + ``` 23 virtualisation.lxc.defaultConfig = "lxc.include = ''${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf"; 24 + ``` 25 ''; 26 }; 27 };

+4 -4

nixos/modules/virtualisation/lxd.nix

··· 18 enable = mkOption { 19 type = types.bool; 20 default = false; 21 - description = '' 22 This option enables lxd, a daemon that manages 23 containers. Users in the "lxd" group can interact with 24 the daemon (e.g. to start or stop containers) using the 25 - <command>lxc</command> command line tool, among others. 26 27 Most of the time, you'll also want to start lxcfs, so 28 that containers can "see" the limits: 29 - <programlisting> 30 virtualisation.lxc.lxcfs.enable = true; 31 - </programlisting> 32 ''; 33 }; 34

··· 18 enable = mkOption { 19 type = types.bool; 20 default = false; 21 + description = lib.mdDoc '' 22 This option enables lxd, a daemon that manages 23 containers. Users in the "lxd" group can interact with 24 the daemon (e.g. to start or stop containers) using the 25 + {command}`lxc` command line tool, among others. 26 27 Most of the time, you'll also want to start lxcfs, so 28 that containers can "see" the limits: 29 + ``` 30 virtualisation.lxc.lxcfs.enable = true; 31 + ``` 32 ''; 33 }; 34