diff options
| author | pennae <github@quasiparticle.net> | 2022-08-02 17:34:22 +0200 |
|---|---|---|
| committer | pennae <github@quasiparticle.net> | 2022-08-03 20:39:21 +0200 |
| commit | 694d5b19d30bf66687b42fb77f43ea7cd1002a62 (patch) | |
| tree | c6f96a086cfcf7e03ed59ef4974318e161d0925d /nixos/modules | |
| parent | 951c50ec6dfc10324374d905edb2c028a284859e (diff) | |
| download | nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.tar nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.tar.gz nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.tar.bz2 nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.tar.lz nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.tar.xz nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.tar.zst nixpkgs-694d5b19d30bf66687b42fb77f43ea7cd1002a62.zip | |
nixos/*: replace </para><para> with double linebreaks
our xslt already replaces double line breaks with a paragraph close and reopen. not using explicit para tags lets nix-doc-munge convert more descriptions losslessly. only whitespace changes to generated documents, except for two strongswan options gaining paragraph two breaks they arguably should've had anyway.
Diffstat (limited to 'nixos/modules')
26 files changed, 105 insertions, 159 deletions
diff --git a/nixos/modules/hardware/logitech.nix b/nixos/modules/hardware/logitech.nix index 2e3a71c0415..1c3556320e3 100644 --- a/nixos/modules/hardware/logitech.nix +++ b/nixos/modules/hardware/logitech.nix @@ -34,8 +34,7 @@ in default = [ "0a07" "c222" "c225" "c227" "c251" ]; description = '' List of USB device ids supported by g15daemon. - </para> - <para> + You most likely do not need to change this. ''; }; diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 9309fe70a86..cefe252e2e9 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -618,7 +618,7 @@ in This will be directly appended (without whitespace) to the NixOS version string, like for example if it is set to <literal>XXX</literal>: - <para><literal>NixOS 99.99-pre666XXX</literal></para> + <literal>NixOS 99.99-pre666XXX</literal> ''; }; diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index 76b42168c19..e014aea626c 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -71,8 +71,7 @@ in { ''; description = '' Wrap the binaries in firejail and place them in the global path. - </para> - <para> + You will get file collisions if you put the actual application binary in the global environment (such as by adding the application package to <code>environment.systemPackages</code>), and applications started via diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix index dbbb79f01eb..ad659ccd82e 100644 --- a/nixos/modules/services/databases/neo4j.nix +++ b/nixos/modules/services/databases/neo4j.nix @@ -145,8 +145,7 @@ in { <option>directories.imports</option>. It restricts access to only those files within that directory and its subdirectories. - </para> - <para> + Setting this option to <literal>false</literal> introduces possible security problems. ''; @@ -158,8 +157,7 @@ in { description = '' Default network interface to listen for incoming connections. To listen for connections on all interfaces, use "0.0.0.0". - </para> - <para> + Specifies the default IP address and address part of connector specific <option>listenAddress</option> options. To bind specific connectors to a specific network interfaces, specify the entire @@ -229,15 +227,13 @@ in { default = "legacy"; description = '' Neo4j SSL policy for BOLT traffic. - </para> - <para> + The legacy policy is a special policy which is not defined in the policy configuration section, but rather derives from <option>directories.certificates</option> and associated files (by default: <filename>neo4j.key</filename> and <filename>neo4j.cert</filename>). Its use will be deprecated. - </para> - <para> + Note: This connector must be configured to support/require SSL/TLS for the legacy policy to actually be utilized. See <option>bolt.tlsLevel</option>. @@ -261,13 +257,11 @@ in { description = '' Directory for storing certificates to be used by Neo4j for TLS connections. - </para> - <para> + When setting this directory to something other than its default, ensure the directory's existence, and that read/write permissions are given to the Neo4j daemon user <literal>neo4j</literal>. - </para> - <para> + Note that changing this directory from its default will prevent the directory structure required for each SSL policy from being automatically generated. A policy's directory structure as defined by @@ -286,8 +280,7 @@ in { description = '' Path of the data directory. You must not configure more than one Neo4j installation to use the same data directory. - </para> - <para> + When setting this directory to something other than its default, ensure the directory's existence, and that read/write permissions are given to the Neo4j daemon user <literal>neo4j</literal>. @@ -314,8 +307,7 @@ in { <literal>LOAD CSV</literal> clause. Only meaningful when <option>constrainLoadCvs</option> is set to <literal>true</literal>. - </para> - <para> + When setting this directory to something other than its default, ensure the directory's existence, and that read permission is given to the Neo4j daemon user <literal>neo4j</literal>. @@ -330,8 +322,7 @@ in { Path of the database plugin directory. Compiled Java JAR files that contain database procedures will be loaded if they are placed in this directory. - </para> - <para> + When setting this directory to something other than its default, ensure the directory's existence, and that read permission is given to the Neo4j daemon user <literal>neo4j</literal>. @@ -388,8 +379,7 @@ in { default = "legacy"; description = '' Neo4j SSL policy for HTTPS traffic. - </para> - <para> + The legacy policy is a special policy which is not defined in the policy configuration section, but rather derives from <option>directories.certificates</option> and @@ -422,13 +412,11 @@ in { certificate. Only performed when both objects cannot be found for this policy. It is recommended to turn this off again after keys have been generated. - </para> - <para> + The public certificate is required to be duplicated to the directory holding trusted certificates as defined by the <option>trustedDir</option> option. - </para> - <para> + Keys should in general be generated and distributed offline by a trusted certificate authority and not by utilizing this mode. ''; @@ -444,8 +432,7 @@ in { option as well as <option>directories.certificates</option> are left at their default. Ensure read/write permissions are given to the Neo4j daemon user <literal>neo4j</literal>. - </para> - <para> + It is also possible to override each individual configuration with absolute paths. See the <option>privateKey</option> and <option>publicCertificate</option> @@ -488,8 +475,7 @@ in { for this policy to be found in the <option>baseDirectory</option>, or the absolute path to the certificate file. It is mandatory that a certificate can be found or generated. - </para> - <para> + The public certificate is required to be duplicated to the directory holding trusted certificates as defined by the <option>trustedDir</option> option. @@ -545,8 +531,7 @@ in { <option>directories.certificates</option> to something other than their default. Ensure read/write permissions are given to the Neo4j daemon user <literal>neo4j</literal>. - </para> - <para> + The public certificate as defined by <option>publicCertificate</option> is required to be duplicated to this directory. diff --git a/nixos/modules/services/databases/pgmanage.nix b/nixos/modules/services/databases/pgmanage.nix index f50e7244ee1..79c958b246c 100644 --- a/nixos/modules/services/databases/pgmanage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -64,10 +64,10 @@ in { }; description = '' pgmanage requires at least one PostgreSQL server be defined. - </para><para> + Detailed information about PostgreSQL connection strings is available at: <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/> - </para><para> + Note that you should not specify your user name or password. That information will be entered on the login screen. If you specify a username or password, it will be removed by pgmanage before attempting to diff --git a/nixos/modules/services/hardware/lcd.nix b/nixos/modules/services/hardware/lcd.nix index ec4b27bd848..c817225c1f2 100644 --- a/nixos/modules/services/hardware/lcd.nix +++ b/nixos/modules/services/hardware/lcd.nix @@ -63,8 +63,7 @@ in with lib; { default = false; description = '' Set group-write permissions on a USB device. - </para> - <para> + A USB connected LCD panel will most likely require having its permissions modified for lcdd to write to it. Enabling this option sets group-write permissions on the device identified by @@ -72,13 +71,11 @@ in with lib; { <option>services.hardware.lcd.usbPid</option>. In order to find the values, you can run the <command>lsusb</command> command. Example output: - </para> - <para> + <literal> Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface </literal> - </para> - <para> + In this case the vendor id is 0403 and the product id is c630. ''; }; diff --git a/nixos/modules/services/matrix/appservice-discord.nix b/nixos/modules/services/matrix/appservice-discord.nix index fa55b3c5de7..65ad96a3af3 100644 --- a/nixos/modules/services/matrix/appservice-discord.nix +++ b/nixos/modules/services/matrix/appservice-discord.nix @@ -42,20 +42,14 @@ in { ''; description = '' <filename>config.yaml</filename> configuration as a Nix attribute set. - </para> - <para> Configuration options should match those described in <link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml"> config.sample.yaml</link>. - </para> - <para> <option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option> should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work. - </para> - <para> Secret tokens should be specified using <option>environmentFile</option> instead of this world-readable attribute set. ''; diff --git a/nixos/modules/services/matrix/mautrix-facebook.nix b/nixos/modules/services/matrix/mautrix-facebook.nix index 55067abaa52..2f91e6e0e52 100644 --- a/nixos/modules/services/matrix/mautrix-facebook.nix +++ b/nixos/modules/services/matrix/mautrix-facebook.nix @@ -80,9 +80,7 @@ in { Configuration options should match those described in <link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml"> example-config.yaml</link>. - </para> - <para> Secret tokens should be specified using <option>environmentFile</option> instead of this world-readable attribute set. ''; diff --git a/nixos/modules/services/matrix/mautrix-telegram.nix b/nixos/modules/services/matrix/mautrix-telegram.nix index c6527be5263..1d4061b8a81 100644 --- a/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/nixos/modules/services/matrix/mautrix-telegram.nix @@ -83,9 +83,7 @@ in { Configuration options should match those described in <link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml"> example-config.yaml</link>. - </para> - <para> Secret tokens should be specified using <option>environmentFile</option> instead of this world-readable attribute set. ''; diff --git a/nixos/modules/services/misc/autorandr.nix b/nixos/modules/services/misc/autorandr.nix index 11dc915c2af..9a0530866b5 100644 --- a/nixos/modules/services/misc/autorandr.nix +++ b/nixos/modules/services/misc/autorandr.nix @@ -154,7 +154,7 @@ let }); description = '' Output scale configuration. - </para><para> + Either configure by pixels or a scaling factor. When using pixel method the <citerefentry> <refentrytitle>xrandr</refentrytitle> @@ -165,7 +165,7 @@ let will be used; when using factor method the option <parameter class="command">--scale</parameter> will be used. - </para><para> + This option is a shortcut version of the transform option and they are mutually exclusive. ''; diff --git a/nixos/modules/services/misc/bees.nix b/nixos/modules/services/misc/bees.nix index 1b492315026..2adc9f2a1fa 100644 --- a/nixos/modules/services/misc/bees.nix +++ b/nixos/modules/services/misc/bees.nix @@ -17,8 +17,7 @@ let not configure multiple instances for subvolumes of the same filesystem (or block devices which are part of the same filesystem), but only for completely independent btrfs filesystems. - </para> - <para> + This must be in a format usable by findmnt; that could be a key=value pair, or a bare path to a mount point. Using bare paths will allow systemd to start the beesd service only @@ -31,12 +30,10 @@ let default = 1024; # 1GB; default from upstream beesd script description = '' Hash table size in MB; must be a multiple of 16. - </para> - <para> + A larger ratio of index size to storage size means smaller blocks of duplicate content are recognized. - </para> - <para> + If you have 1TB of data, a 4GB hash table (which is to say, a value of 4096) will permit 4KB extents (the smallest possible size) to be recognized, whereas a value of 1024 -- creating a 1GB hash table -- diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index c76aaaa559b..93ff5fcfb86 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -636,12 +636,10 @@ in <manvolnum>5</manvolnum> </citerefentry> for avalaible options. The value declared here will be translated directly to the key-value pairs Nix expects. - </para> - <para> + You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings</command> to view the current value. By default it is empty. - </para> - <para> + Nix configurations defined under <option>nix.*</option> will be translated and applied to this option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended verbatim to the resulting config file. diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index ab24372037e..ef3f6c1a0fd 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -68,7 +68,7 @@ in { services.zoneminder = with lib; { enable = lib.mkEnableOption '' ZoneMinder - </para><para> + If you intend to run the database locally, you should set `config.services.zoneminder.database.createLocally` to true. Otherwise, when set to `false` (the default), you will have to create the database @@ -82,8 +82,6 @@ in { default = "nginx"; description = '' The webserver to configure for the PHP frontend. - </para> - <para> Set it to `none` if you want to configure it yourself. PRs are welcome for support for other web servers. diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 4fd07a4ba14..661b38b4c5a 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -118,10 +118,10 @@ in { Extra paths to add to the netdata global "plugins directory" option. Useful for when you want to include your own collection scripts. - </para><para> + Details about writing a custom netdata plugin are available at: <link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/> - </para><para> + Cannot be combined with configText. ''; }; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 7abdf16b153..563892cb365 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -329,8 +329,7 @@ in { default = "default"; description = '' Set the DNS (<literal>resolv.conf</literal>) processing mode. - </para> - <para> + A description of these modes can be found in the main section of <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html @@ -390,7 +389,7 @@ in { default = false; description = '' Enable the StrongSwan plugin. - </para><para> + If you enable this option the <literal>networkmanager_strongswan</literal> plugin will be added to the <option>networking.networkmanager.plugins</option> option diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix index 47922f5e149..490d1619f11 100644 --- a/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -43,8 +43,7 @@ in description = '' Whether to synchronise your machine's time using ntpd, as a peer in the NTP network. - </para> - <para> + Disables <literal>systemd.timesyncd</literal> if enabled. ''; }; @@ -53,8 +52,7 @@ in type = types.listOf types.str; description = '' The restriction flags to be set by default. - </para> - <para> + The default flags prevent external hosts from using ntpd as a DDoS reflector, setting system time, and querying OS/ntpd version. As recommended in section 6.5.1.1.3, answer "No" of @@ -67,8 +65,7 @@ in type = types.listOf types.str; description = '' The restriction flags to be set on source. - </para> - <para> + The default flags allow peers to be added by ntpd from configured pool(s), but not by other means. ''; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index c6386ed6823..e95fe19dede 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -300,8 +300,7 @@ in ]; description = '' Allowed key exchange algorithms - </para> - <para> + Uses the lower bound recommended in both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and @@ -321,8 +320,7 @@ in ]; description = '' Allowed ciphers - </para> - <para> + Defaults to recommended settings from both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and @@ -342,8 +340,7 @@ in ]; description = '' Allowed MACs - </para> - <para> + Defaults to recommended settings from both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix index dfdfc50d8ae..d5a8daf98ec 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix @@ -59,7 +59,8 @@ rec { if strongswanDefault == null then description else description + '' - </para><para> + + StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> ''; diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index cca61b9ce93..737d0331f19 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -15,14 +15,14 @@ let file = mkOptionalStrParam '' Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it. - </para><para> + Configure either this or <option>handle</option>, but not both, in one section. ''; handle = mkOptionalHexParam '' Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively. - </para><para> + Configure either this or <option>file</option>, but not both, in one section. ''; @@ -40,7 +40,7 @@ in { cacert = mkOptionalStrParam '' The certificates may use a relative path from the swanctl <literal>x509ca</literal> directory or an absolute path. - </para><para> + Configure one of <option>cacert</option>, <option>file</option>, or <option>handle</option> per section. @@ -82,11 +82,11 @@ in { local_addrs = mkCommaSepListParam [] '' Local address(es) to use for IKE communication. Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. - </para><para> + As initiator, the first non-range/non-subnet is used to initiate the connection from. As responder, the local destination address must match at least to one of the specified addresses, subnets or ranges. - </para><para> + If FQDNs are assigned they are resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time. ''; @@ -94,11 +94,11 @@ in { remote_addrs = mkCommaSepListParam [] '' Remote address(es) to use for IKE communication. Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. - </para><para> + As initiator, the first non-range/non-subnet is used to initiate the connection to. As responder, the initiator source address must match at least to one of the specified addresses, subnets or ranges. - </para><para> + If FQDNs are assigned they are resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time. To initiate a connection, at least one specific address or DNS name must @@ -110,7 +110,7 @@ in { backend is used, which is usually <literal>500</literal>. If port <literal>500</literal> is used, automatic IKE port floating to port <literal>4500</literal> is used to work around NAT issues. - </para><para> + Using a non-default local IKE port requires support from the socket backend in use (socket-dynamic). ''; @@ -126,13 +126,13 @@ in { for IKE an encryption algorithm, an integrity algorithm, a pseudo random function and a Diffie-Hellman group. For AEAD algorithms, instead of encryption and integrity algorithms, a combined algorithm is used. - </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1. - </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be specified in a list. The special value <literal>default</literal> forms a default proposal of supported algorithms considered safe, and is usually a @@ -159,7 +159,7 @@ in { If the default of yes is used, Mode Config works in pull mode, where the initiator actively requests a virtual IP. With no, push mode is used, where the responder pushes down a virtual IP to the initiating peer. - </para><para> + Push mode is currently supported for IKEv1, but not in IKEv2. It is used by a few implementations only, pull mode is recommended. ''; @@ -174,7 +174,7 @@ in { To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT detection payloads. This makes the peer believe that NAT takes place on the path, forcing it to encapsulate ESP packets in UDP. - </para><para> + Usually this is not required, but it can help to work around connectivity issues with too restrictive intermediary firewalls. ''; @@ -183,7 +183,7 @@ in { Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 connections, and allows mobility of clients and multi-homing on servers by migrating active IPsec tunnels. - </para><para> + Usually keeping MOBIKE enabled is unproblematic, as it is not used if the peer does not indicate support for it. However, due to the design of MOBIKE, IKEv2 always floats to port 4500 starting from the second @@ -222,7 +222,7 @@ in { <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing support for this feature.</para></listitem> </itemizedlist> - </para><para> + Note that fragmented IKE messages sent by a peer are always processed irrespective of the value of this option (even when set to no). ''; @@ -284,7 +284,7 @@ in { unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. - </para><para> + <itemizedlist> <listitem><para> The value <literal>never</literal> does never enforce such a policy, even @@ -306,7 +306,7 @@ in { To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead. - </para><para> + On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication @@ -320,7 +320,7 @@ in { possible to actively reauthenticate as responder. The IKEv2 reauthentication lifetime negotiation can instruct the client to perform reauthentication. - </para><para> + Reauthentication is disabled by default. Enabling it usually may lead to small connection interruptions, as strongSwan uses a break-before-make policy with IKEv2 to avoid any conflicts with associated tunnel resources. @@ -330,7 +330,7 @@ in { IKE rekeying refreshes key material using a Diffie-Hellman exchange, but does not re-check associated credentials. It is supported in IKEv2 only, IKEv1 performs a reauthentication procedure instead. - </para><para> + With the default value IKE rekeying is scheduled every 4 hours, minus the configured rand_time. If a reauth_time is configured, rekey_time defaults to zero, disabling rekeying; explicitly set both to enforce rekeying and @@ -343,10 +343,10 @@ in { perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails to rekey or reauthenticate within the specified time, the IKE_SA gets closed. - </para><para> + In contrast to CHILD_SA rekeying, over_time is relative in time to the rekey_time and reauth_time values, as it applies to both. - </para><para> + The default is 10% of the longer of <option>rekey_time</option> and <option>reauth_time</option>. ''; @@ -356,7 +356,7 @@ in { rekey/reauth times. To avoid having both peers initiating the rekey/reauth procedure simultaneously, a random time gets subtracted from the rekey/reauth times. - </para><para> + The default is equal to the configured <option>over_time</option>. ''; @@ -410,7 +410,7 @@ in { List of certificate candidates to use for authentication. The certificates may use a relative path from the swanctl <literal>x509</literal> directory or an absolute path. - </para><para> + The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used. @@ -426,7 +426,7 @@ in { List of raw public key candidates to use for authentication. The public keys may use a relative path from the swanctl <literal>pubkey</literal> directory or an absolute path. - </para><para> + Even though multiple local public keys could be defined in principle, only the first public key in the list is used for authentication. ''; @@ -504,7 +504,7 @@ in { authentication. This identity may differ from the IKE identity, especially when EAP authentication is delegated from the IKE responder to an AAA backend. - </para><para> + For EAP-(T)TLS, this defines the identity for which the server must provide a certificate in the TLS exchange. ''; @@ -518,7 +518,7 @@ in { defines the rules how authentication is performed for the local peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth. - </para><para> + Each round is defined in a section having <literal>local</literal> as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted. @@ -620,7 +620,7 @@ in { Authentication to expect from remote. See the <option>local</option> section's <option>auth</option> keyword description about the details of supported mechanisms. - </para><para> + Since 5.4.0, to require a trustchain public key strength for the remote side, specify the key type followed by the minimum strength in bits (for example <literal>ecdsa-384</literal> or @@ -641,7 +641,7 @@ in { <literal>pubkey</literal> or <literal>rsa</literal> constraints are configured RSASSA-PSS signatures will only be accepted if enabled in <literal>strongswan.conf</literal>(5). - </para><para> + To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). @@ -652,7 +652,7 @@ in { defines the constraints how the peers must authenticate to use this connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth. - </para><para> + Each round is defined in a section having <literal>remote</literal> as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted. @@ -665,13 +665,13 @@ in { Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation uses a separate Diffie-Hellman exchange using the specified group (refer to esp_proposals for details). - </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1. - </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be specified in a list. The special value <literal>default</literal> forms a default proposal of supported algorithms considered safe, and is @@ -686,7 +686,7 @@ in { an optional Extended Sequence Number Mode indicator. For AEAD proposals, a combined mode algorithm is used instead of the separate encryption/integrity algorithms. - </para><para> + If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a separate Diffie-Hellman exchange using the specified group. However, for IKEv2, the keys of the CHILD_SA created implicitly @@ -695,18 +695,18 @@ in { rekeyed or is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately be noticed when the SA is established, but may later cause rekeying to fail. - </para><para> + Extended Sequence Number support may be indicated with the <literal>esn</literal> and <literal>noesn</literal> values, both may be included to indicate support for both modes. If omitted, <literal>noesn</literal> is assumed. - </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1. - </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be specified as a list. The special value <literal>default</literal> forms a default proposal of supported algorithms considered safe, and is @@ -729,7 +729,7 @@ in { selector. The special value <literal>dynamic</literal> may be used instead of a subnet definition, which gets replaced by the tunnel outer address or the virtual IP, if negotiated. This is the default. - </para><para> + A protocol/port selector is surrounded by opening and closing square brackets. Between these brackets, a numeric or getservent(3) protocol name may be specified. After the optional protocol restriction, an @@ -738,7 +738,7 @@ in { special value <literal>opaque</literal> for RFC 4301 OPAQUE selectors. Port ranges may be specified as well, none of the kernel backends currently support port ranges, though. - </para><para> + When IKEv1 is used only the first selector is interpreted, except if the Cisco Unity extension plugin is used. This is due to a limitation of the IKEv1 protocol, which only allows a single pair of selectors per @@ -761,7 +761,7 @@ in { specified in the proposal. To avoid rekey collisions initiated by both ends simultaneously, a value in the range of <option>rand_time</option> gets subtracted to form the effective soft lifetime. - </para><para> + By default CHILD_SA rekeying is scheduled every hour, minus <option>rand_time</option>. ''; @@ -783,11 +783,11 @@ in { Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. - </para><para> + To avoid rekey collisions initiated by both ends simultaneously, a value in the range of <option>rand_bytes</option> gets subtracted to form the effective soft volume limit. - </para><para> + Volume based CHILD_SA rekeying is disabled by default. ''; @@ -808,11 +808,11 @@ in { Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. - </para><para> + To avoid rekey collisions initiated by both ends simultaneously, a value in the range of <option>rand_packets</option> gets subtracted to form the effective soft packet count limit. - </para><para> + Packet count based CHILD_SA rekeying is disabled by default. ''; @@ -821,7 +821,7 @@ in { this hard packets limit is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA. - </para><para> + The default is 10% more than <option>rekey_bytes</option>. ''; @@ -936,7 +936,7 @@ in { <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, beyond that the value <literal>%unique-dir</literal> assigns a different unique mark for each - </para><para> + An additional mask may be appended to the mark, separated by <literal>/</literal>. The default mask if omitted is <literal>0xffffffff</literal>. @@ -960,7 +960,7 @@ in { value <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, beyond that the value <literal>%unique-dir</literal> assigns a different unique mark for each CHILD_SA direction (in/out). - </para><para> + An additional mask may be appended to the mark, separated by <literal>/</literal>. The default mask if omitted is <literal>0xffffffff</literal>. @@ -1102,7 +1102,7 @@ in { <literal>start</literal> tries to re-create the CHILD_SA. </para></listitem> </itemizedlist> - </para><para> + <option>close_action</option> does not provide any guarantee that the CHILD_SA is kept alive. It acts on explicit close messages only, but not on negotiation failures. Use trap policies to reliably re-create failed diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index a98f92d2d71..42a332d6bf0 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -156,22 +156,18 @@ in format ZNC expects. This is much more flexible than the legacy options under <option>services.znc.confOptions.*</option>, but also can't do any type checking. - </para> - <para> + You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> to view the current value. By default it contains a listener for port 5000 with SSL enabled. - </para> - <para> + Nix attributes called <literal>extraConfig</literal> will be inserted verbatim into the resulting config file. - </para> - <para> + If <option>services.znc.useLegacyConfig</option> is turned on, the option values in <option>services.znc.confOptions.*</option> will be gracefully be applied to this option. - </para> - <para> + If you intend to update the configuration through this option, be sure to enable <option>services.znc.mutable</option>, otherwise none of the changes here will be applied after the initial deploy. @@ -184,8 +180,7 @@ in description = '' Configuration file for ZNC. It is recommended to use the <option>config</option> option instead. - </para> - <para> + Setting this option will override any auto-generated config file through the <option>confOptions</option> or <option>config</option> options. @@ -208,13 +203,11 @@ in Indicates whether to allow the contents of the <literal>dataDir</literal> directory to be changed by the user at run-time. - </para> - <para> + If enabled, modifications to the ZNC configuration after its initial creation are not overwritten by a NixOS rebuild. If disabled, the ZNC configuration is rebuilt on every NixOS rebuild. - </para> - <para> + If the user wants to manage the ZNC service using the web admin interface, this option should be enabled. ''; diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix index 830df809155..021fea9819a 100644 --- a/nixos/modules/services/networking/znc/options.nix +++ b/nixos/modules/services/networking/znc/options.nix @@ -106,8 +106,7 @@ in <option>services.znc.confOptions.*</option> options. You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> to view the current value of the config. - </para> - <para> + In any case, if you need more flexibility, <option>services.znc.config</option> can be used to override/add to all of the legacy options. diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 0a599992316..fcc2976cd2c 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -172,8 +172,7 @@ in default = false; description = '' Support setting monitor brightness via DDC. - </para> - <para> + This is not needed for controlling brightness of the internal monitor of a laptop and as it is considered experimental by upstream, it is disabled by default. diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix index 84f560691fc..87ff1d97d8f 100644 --- a/nixos/modules/system/activation/top-level.nix +++ b/nixos/modules/system/activation/top-level.nix @@ -335,7 +335,7 @@ in ''; description = '' The name of the system used in the <option>system.build.toplevel</option> derivation. - </para><para> + That derivation has the following name: <literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal> ''; diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 00ec3d237d5..1ad7cd81094 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -624,9 +624,9 @@ in type = types.bool; description = '' Whether to invoke <literal>grub-install</literal> with - <literal>--removable</literal>.</para> + <literal>--removable</literal>. - <para>Unless you turn this on, GRUB will install itself somewhere in + Unless you turn this on, GRUB will install itself somewhere in <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where depends on other config variables). If you've set <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you @@ -637,14 +637,14 @@ in NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed ("<literal>efibootmgr: EFI variables - are not supported on this system.</literal>").</para> + are not supported on this system.</literal>"). - <para>If you turn this feature on, GRUB will install itself in a + If you turn this feature on, GRUB will install itself in a special location within <literal>efiSysMountPoint</literal> (namely <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares - are hardcoded to try first, regardless of NVRAM EFI variables.</para> + are hardcoded to try first, regardless of NVRAM EFI variables. - <para>To summarize, turn this on if: + To summarize, turn this on if: <itemizedlist> <listitem><para>You are installing NixOS and want it to boot in UEFI mode, but you are currently booted in legacy mode</para></listitem> diff --git a/nixos/modules/system/boot/systemd/logind.nix b/nixos/modules/system/boot/systemd/logind.nix index cb8fc448a9e..0df03e97694 100644 --- a/nixos/modules/system/boot/systemd/logind.nix +++ b/nixos/modules/system/boot/systemd/logind.nix @@ -33,9 +33,7 @@ in terminated. If false, the scope is "abandoned" (see <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#"> systemd.scope(5)</link>), and processes are not killed. - </para> - <para> See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link> for more details. ''; diff --git a/nixos/modules/tasks/scsi-link-power-management.nix b/nixos/modules/tasks/scsi-link-power-management.nix index a9d987780ee..549c35fc5b8 100644 --- a/nixos/modules/tasks/scsi-link-power-management.nix +++ b/nixos/modules/tasks/scsi-link-power-management.nix @@ -28,7 +28,7 @@ in description = '' SCSI link power management policy. The kernel default is "max_performance". - </para><para> + "med_power_with_dipm" is supported by kernel versions 4.15 and newer. ''; |