Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/acme.nix4
-rw-r--r--nixos/modules/security/ca.nix4
-rw-r--r--nixos/modules/security/dhparams.nix2
-rw-r--r--nixos/modules/security/doas.nix2
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/security/pam_mount.nix4
-rw-r--r--nixos/modules/security/sudo.nix4
-rw-r--r--nixos/modules/security/systemd-confinement.nix4
-rw-r--r--nixos/modules/security/tpm2.nix7
-rw-r--r--nixos/modules/security/wrappers/default.nix2
10 files changed, 17 insertions, 18 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index bcbd17d8e10..f522b7c4128 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -486,7 +486,7 @@ let
       extraDomainNames = mkOption {
         type = types.listOf types.str;
         default = [];
-        example = literalExample ''
+        example = literalExpression ''
           [
             "example.org"
             "mydomain.org"
@@ -656,7 +656,7 @@ in {
           to those units if they rely on the certificates being present,
           or trigger restarts of the service if certificates get renewed.
         '';
-        example = literalExample ''
+        example = literalExpression ''
           {
             "example.com" = {
               webroot = "/var/lib/acme/acme-challenge/";
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 7df86e71423..83c15f90f92 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -24,7 +24,7 @@ in
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
-      example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]";
+      example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]'';
       description = ''
         A list of files containing trusted root certificates in PEM
         format. These are concatenated to form
@@ -37,7 +37,7 @@ in
     security.pki.certificates = mkOption {
       type = types.listOf types.str;
       default = [];
-      example = literalExample ''
+      example = literalExpression ''
         [ '''
             NixOS.org
             =========
diff --git a/nixos/modules/security/dhparams.nix b/nixos/modules/security/dhparams.nix
index 62a499ea624..012be2887d8 100644
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@@ -53,7 +53,7 @@ in {
           coerce = bits: { inherit bits; };
         in attrsOf (coercedTo int coerce (submodule paramsSubmodule));
         default = {};
-        example = lib.literalExample "{ nginx.bits = 3072; }";
+        example = lib.literalExpression "{ nginx.bits = 3072; }";
         description = ''
           Diffie-Hellman parameters to generate.
 
diff --git a/nixos/modules/security/doas.nix b/nixos/modules/security/doas.nix
index 35f618b03e8..9a3daf4f504 100644
--- a/nixos/modules/security/doas.nix
+++ b/nixos/modules/security/doas.nix
@@ -77,7 +77,7 @@ in
         You can use <code>mkBefore</code> and/or <code>mkAfter</code> to ensure
         this is the case when configuration options are merged.
       '';
-      example = literalExample ''
+      example = literalExpression ''
         [
           # Allow execution of any command by any user in group doas, requiring
           # a password and keeping any previously-defined environment variables.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 8b1f653d4e2..4c18fa8cc67 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -586,7 +586,7 @@ in
     };
 
     security.pam.services = mkOption {
-      default = [];
+      default = {};
       type = with types; attrsOf (submodule pamOpts);
       description =
         ''
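Review bot: The `default = {};` line is a value change to an authentication-related option, unlike the documentation-only `literalExpression` edits in the rest of this commit, so it should be named explicitly in the commit message if it is not already. It agrees with the `attrsOf (submodule pamOpts)` type on the following line, so the new value looks correct. Calling it out separately makes it easier to find if a PAM evaluation difference is ever bisected to this commit.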
diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix
index e25ace38f57..462b7f89e2f 100644
--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -33,7 +33,7 @@ in
       additionalSearchPaths = mkOption {
         type = types.listOf types.package;
         default = [];
-        example = literalExample "[ pkgs.bindfs ]";
+        example = literalExpression "[ pkgs.bindfs ]";
         description = ''
           Additional programs to include in the search path of pam_mount.
           Useful for example if you want to use some FUSE filesystems like bindfs.
@@ -43,7 +43,7 @@ in
       fuseMountOptions = mkOption {
         type = types.listOf types.str;
         default = [];
-        example = literalExample ''
+        example = literalExpression ''
           [ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ]
         '';
         description = ''
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 2e73f8f4f31..99e578f8ada 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -45,7 +45,7 @@ in
     security.sudo.package = mkOption {
       type = types.package;
       default = pkgs.sudo;
-      defaultText = "pkgs.sudo";
+      defaultText = literalExpression "pkgs.sudo";
       description = ''
         Which package to use for `sudo`.
       '';
@@ -91,7 +91,7 @@ in
         this is the case when configuration options are merged.
       '';
       default = [];
-      example = literalExample ''
+      example = literalExpression ''
         [
           # Allow execution of any command by all users in group sudo,
           # requiring a password.
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index 0a09a755e93..d859c45c74f 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -62,8 +62,8 @@ in {
       options.confinement.binSh = lib.mkOption {
         type = types.nullOr types.path;
         default = toplevelConfig.environment.binsh;
-        defaultText = "config.environment.binsh";
-        example = lib.literalExample "\${pkgs.dash}/bin/dash";
+        defaultText = lib.literalExpression "config.environment.binsh";
+        example = lib.literalExpression ''"''${pkgs.dash}/bin/dash"'';
         description = ''
           The program to make available as <filename>/bin/sh</filename> inside
           the chroot. If this is set to <literal>null</literal>, no
diff --git a/nixos/modules/security/tpm2.nix b/nixos/modules/security/tpm2.nix
index d37425166f8..be85fd246e3 100644
--- a/nixos/modules/security/tpm2.nix
+++ b/nixos/modules/security/tpm2.nix
@@ -26,8 +26,7 @@ in {
       '';
       type = lib.types.nullOr lib.types.str;
       default = if cfg.abrmd.enable then "tss" else "root";
-      defaultText = ''"tss" when using the userspace resource manager,'' +
-                    ''"root" otherwise'';
+      defaultText = lib.literalExpression ''if config.security.tpm2.abrmd.enable then "tss" else "root"'';
     };
 
     tssGroup = lib.mkOption {
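Review bot: The new `defaultText` drops the prose that tied "tss" to the userspace resource manager, so the rendered manual now shows only the conditional and no longer says why the TPM user differs between the two cases. The option's description ends just above this hunk and is not visible here; if it does not already cover this, add a sentence such as `Defaults to "tss" when the userspace resource manager (abrmd) is enabled, and to "root" otherwise.` Also confirm that `cfg` is bound to `config.security.tpm2`, since the `default` reads `cfg.abrmd.enable` while the `defaultText` spells out `config.security.tpm2.abrmd.enable` by hand and the two can drift apart.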
@@ -57,7 +56,7 @@ in {
         description = "tpm2-abrmd package to use";
         type = lib.types.package;
         default = pkgs.tpm2-abrmd;
-        defaultText = "pkgs.tpm2-abrmd";
+        defaultText = lib.literalExpression "pkgs.tpm2-abrmd";
       };
     };
 
@@ -71,7 +70,7 @@ in {
         description = "tpm2-pkcs11 package to use";
         type = lib.types.package;
         default = pkgs.tpm2-pkcs11;
-        defaultText = "pkgs.tpm2-pkcs11";
+        defaultText = lib.literalExpression "pkgs.tpm2-pkcs11";
       };
     };
 
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 2697ab0bde8..a47de7e04f7 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -152,7 +152,7 @@ in
     security.wrappers = lib.mkOption {
       type = lib.types.attrsOf wrapperType;
       default = {};
-      example = lib.literalExample
+      example = lib.literalExpression
         ''
           {
             # a setuid root program