BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nixos/*: replace </para><para> with double linebreaks

Browse source 
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.

only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
This commit is contained in:
pennae 2022-08-02 17:34:22 +02:00
parent 951c50ec6d
commit 694d5b19d3
26 changed files with 105 additions and 159 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
nixos/modules/hardware/logitech.nix
View file

@ -34,8 +34,7 @@ in
default = [ "0a07" "c222" "c225" "c227" "c251" ];
description = ''
List of USB device ids supported by g15daemon.
</para>
<para>
You most likely do not need to change this.
'';
};

2
nixos/modules/installer/cd-dvd/iso-image.nix
View file

@ -618,7 +618,7 @@ in
This will be directly appended (without whitespace) to the NixOS version
string, like for example if it is set to <literal>XXX</literal>:
<para><literal>NixOS 99.99-pre666XXX</literal></para>
<literal>NixOS 99.99-pre666XXX</literal>
'';
};

3
nixos/modules/programs/firejail.nix
View file

@ -71,8 +71,7 @@ in {
'';
description = ''
Wrap the binaries in firejail and place them in the global path.
</para>
<para>
You will get file collisions if you put the actual application binary in
the global environment (such as by adding the application package to
<code>environment.systemPackages</code>), and applications started via

45
nixos/modules/services/databases/neo4j.nix
View file

@ -145,8 +145,7 @@ in {
<option>directories.imports</option>. It restricts
access to only those files within that directory and its
subdirectories.
</para>
<para>
Setting this option to <literal>false</literal> introduces
possible security problems.
'';
@ -158,8 +157,7 @@ in {
description = ''
Default network interface to listen for incoming connections. To
listen for connections on all interfaces, use "0.0.0.0".
</para>
<para>
Specifies the default IP address and address part of connector
specific <option>listenAddress</option> options. To bind specific
connectors to a specific network interfaces, specify the entire
@ -229,15 +227,13 @@ in {
default = "legacy";
description = ''
Neo4j SSL policy for BOLT traffic.
</para>
<para>
The legacy policy is a special policy which is not defined in
the policy configuration section, but rather derives from
<option>directories.certificates</option> and
associated files (by default: <filename>neo4j.key</filename> and
<filename>neo4j.cert</filename>). Its use will be deprecated.
</para>
<para>
Note: This connector must be configured to support/require
SSL/TLS for the legacy policy to actually be utilized. See
<option>bolt.tlsLevel</option>.
@ -261,13 +257,11 @@ in {
description = ''
Directory for storing certificates to be used by Neo4j for
TLS connections.
</para>
<para>
When setting this directory to something other than its default,
ensure the directory's existence, and that read/write permissions are
given to the Neo4j daemon user <literal>neo4j</literal>.
</para>
<para>
Note that changing this directory from its default will prevent
the directory structure required for each SSL policy from being
automatically generated. A policy's directory structure as defined by
@ -286,8 +280,7 @@ in {
description = ''
Path of the data directory. You must not configure more than one
Neo4j installation to use the same data directory.
</para>
<para>
When setting this directory to something other than its default,
ensure the directory's existence, and that read/write permissions are
given to the Neo4j daemon user <literal>neo4j</literal>.
@ -314,8 +307,7 @@ in {
<literal>LOAD CSV</literal> clause. Only meaningful when
<option>constrainLoadCvs</option> is set to
<literal>true</literal>.
</para>
<para>
When setting this directory to something other than its default,
ensure the directory's existence, and that read permission is
given to the Neo4j daemon user <literal>neo4j</literal>.
@ -330,8 +322,7 @@ in {
Path of the database plugin directory. Compiled Java JAR files that
contain database procedures will be loaded if they are placed in
this directory.
</para>
<para>
When setting this directory to something other than its default,
ensure the directory's existence, and that read permission is
given to the Neo4j daemon user <literal>neo4j</literal>.
@ -388,8 +379,7 @@ in {
default = "legacy";
description = ''
Neo4j SSL policy for HTTPS traffic.
</para>
<para>
The legacy policy is a special policy which is not defined in the
policy configuration section, but rather derives from
<option>directories.certificates</option> and
@ -422,13 +412,11 @@ in {
certificate. Only performed when both objects cannot be found for
this policy. It is recommended to turn this off again after keys
have been generated.
</para>
<para>
The public certificate is required to be duplicated to the
directory holding trusted certificates as defined by the
<option>trustedDir</option> option.
</para>
<para>
Keys should in general be generated and distributed offline by a
trusted certificate authority and not by utilizing this mode.
'';
@ -444,8 +432,7 @@ in {
option as well as <option>directories.certificates</option> are
left at their default. Ensure read/write permissions are given
to the Neo4j daemon user <literal>neo4j</literal>.
</para>
<para>
It is also possible to override each individual
configuration with absolute paths. See the
<option>privateKey</option> and <option>publicCertificate</option>
@ -488,8 +475,7 @@ in {
for this policy to be found in the <option>baseDirectory</option>,
or the absolute path to the certificate file. It is mandatory
that a certificate can be found or generated.
</para>
<para>
The public certificate is required to be duplicated to the
directory holding trusted certificates as defined by the
<option>trustedDir</option> option.
@ -545,8 +531,7 @@ in {
<option>directories.certificates</option> to something other than
their default. Ensure read/write permissions are given to the
Neo4j daemon user <literal>neo4j</literal>.
</para>
<para>
The public certificate as defined by
<option>publicCertificate</option> is required to be duplicated
to this directory.

4
nixos/modules/services/databases/pgmanage.nix
View file

@ -64,10 +64,10 @@ in {
};
description = ''
pgmanage requires at least one PostgreSQL server be defined.
</para><para>
Detailed information about PostgreSQL connection strings is available at:
<link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
</para><para>
Note that you should not specify your user name or password. That
information will be entered on the login screen. If you specify a
username or password, it will be removed by pgmanage before attempting to

9
nixos/modules/services/hardware/lcd.nix
View file

@ -63,8 +63,7 @@ in with lib; {
default = false;
description = ''
Set group-write permissions on a USB device.
</para>
<para>
A USB connected LCD panel will most likely require having its
permissions modified for lcdd to write to it. Enabling this option
sets group-write permissions on the device identified by
@ -72,13 +71,11 @@ in with lib; {
<option>services.hardware.lcd.usbPid</option>. In order to find the
values, you can run the <command>lsusb</command> command. Example
output:
</para>
<para>
<literal>
Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface
</literal>
</para>
<para>
In this case the vendor id is 0403 and the product id is c630.
'';
};

6
nixos/modules/services/matrix/appservice-discord.nix
View file

@ -42,20 +42,14 @@ in {
'';
description = ''
<filename>config.yaml</filename> configuration as a Nix attribute set.
</para>
<para>
Configuration options should match those described in
<link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml">
config.sample.yaml</link>.
</para>
<para>
<option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option>
should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set.
'';

2
nixos/modules/services/matrix/mautrix-facebook.nix
View file

@ -80,9 +80,7 @@ in {
Configuration options should match those described in
<link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml">
example-config.yaml</link>.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set.
'';

2
nixos/modules/services/matrix/mautrix-telegram.nix
View file

@ -83,9 +83,7 @@ in {
Configuration options should match those described in
<link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml">
example-config.yaml</link>.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set.
'';

4
nixos/modules/services/misc/autorandr.nix
View file

@ -154,7 +154,7 @@ let
});
description = ''
Output scale configuration.
</para><para>
Either configure by pixels or a scaling factor. When using pixel method the
<citerefentry>
<refentrytitle>xrandr</refentrytitle>
@ -165,7 +165,7 @@ let
will be used; when using factor method the option
<parameter class="command">--scale</parameter>
will be used.
</para><para>
This option is a shortcut version of the transform option and they are mutually
exclusive.
'';

9
nixos/modules/services/misc/bees.nix
View file

@ -17,8 +17,7 @@ let
not configure multiple instances for subvolumes of the same filesystem
(or block devices which are part of the same filesystem), but only for
completely independent btrfs filesystems.
</para>
<para>
This must be in a format usable by findmnt; that could be a key=value
pair, or a bare path to a mount point.
Using bare paths will allow systemd to start the beesd service only
@ -31,12 +30,10 @@ let
default = 1024; # 1GB; default from upstream beesd script
description = ''
Hash table size in MB; must be a multiple of 16.
</para>
<para>
A larger ratio of index size to storage size means smaller blocks of
duplicate content are recognized.
</para>
<para>
If you have 1TB of data, a 4GB hash table (which is to say, a value of
4096) will permit 4KB extents (the smallest possible size) to be
recognized, whereas a value of 1024 -- creating a 1GB hash table --

6
nixos/modules/services/misc/nix-daemon.nix
View file

@ -636,12 +636,10 @@ in
<manvolnum>5</manvolnum>
</citerefentry> for avalaible options.
The value declared here will be translated directly to the key-value pairs Nix expects.
</para>
<para>
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.nix.settings</command>
to view the current value. By default it is empty.
</para>
<para>
Nix configurations defined under <option>nix.*</option> will be translated and applied to this
option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended
verbatim to the resulting config file.

4
nixos/modules/services/misc/zoneminder.nix
View file

@ -68,7 +68,7 @@ in {
services.zoneminder = with lib; {
enable = lib.mkEnableOption ''
ZoneMinder
</para><para>
If you intend to run the database locally, you should set
`config.services.zoneminder.database.createLocally` to true. Otherwise,
when set to `false` (the default), you will have to create the database
@ -82,8 +82,6 @@ in {
default = "nginx";
description = ''
The webserver to configure for the PHP frontend.
</para>
<para>
Set it to `none` if you want to configure it yourself. PRs are welcome
for support for other web servers.

4
nixos/modules/services/monitoring/netdata.nix
View file

@ -118,10 +118,10 @@ in {
Extra paths to add to the netdata global "plugins directory"
option. Useful for when you want to include your own
collection scripts.
</para><para>
Details about writing a custom netdata plugin are available at:
<link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/>
</para><para>
Cannot be combined with configText.
'';
};

5
nixos/modules/services/networking/networkmanager.nix
View file

@ -329,8 +329,7 @@ in {
default = "default";
description = ''
Set the DNS (<literal>resolv.conf</literal>) processing mode.
</para>
<para>
A description of these modes can be found in the main section of
<link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html">
https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
@ -390,7 +389,7 @@ in {
default = false;
description = ''
Enable the StrongSwan plugin.
</para><para>
If you enable this option the
<literal>networkmanager_strongswan</literal> plugin will be added to
the <option>networking.networkmanager.plugins</option> option

9
nixos/modules/services/networking/ntp/ntpd.nix
View file

@ -43,8 +43,7 @@ in
description = ''
Whether to synchronise your machine's time using ntpd, as a peer in
the NTP network.
</para>
<para>
Disables <literal>systemd.timesyncd</literal> if enabled.
'';
};
@ -53,8 +52,7 @@ in
type = types.listOf types.str;
description = ''
The restriction flags to be set by default.
</para>
<para>
The default flags prevent external hosts from using ntpd as a DDoS
reflector, setting system time, and querying OS/ntpd version. As
recommended in section 6.5.1.1.3, answer "No" of
@ -67,8 +65,7 @@ in
type = types.listOf types.str;
description = ''
The restriction flags to be set on source.
</para>
<para>
The default flags allow peers to be added by ntpd from configured
pool(s), but not by other means.
'';

9
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -300,8 +300,7 @@ in
];
description = ''
Allowed key exchange algorithms
</para>
<para>
Uses the lower bound recommended in both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and
@ -321,8 +320,7 @@ in
];
description = ''
Allowed ciphers
</para>
<para>
Defaults to recommended settings from both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and
@ -342,8 +340,7 @@ in
];
description = ''
Allowed MACs
</para>
<para>
Defaults to recommended settings from both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and

3
nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
View file

@ -59,7 +59,8 @@ rec {
if strongswanDefault == null
then description
else description + ''
</para><para>
StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal>
'';

90
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
View file

@ -15,14 +15,14 @@ let
file = mkOptionalStrParam ''
Absolute path to the certificate to load. Passed as-is to the daemon, so
it must be readable by it.
</para><para>
Configure either this or <option>handle</option>, but not both, in one section.
'';
handle = mkOptionalHexParam ''
Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively.
</para><para>
Configure either this or <option>file</option>, but not both, in one section.
'';
@ -40,7 +40,7 @@ in {
cacert = mkOptionalStrParam ''
The certificates may use a relative path from the swanctl
<literal>x509ca</literal> directory or an absolute path.
</para><para>
Configure one of <option>cacert</option>,
<option>file</option>, or
<option>handle</option> per section.
@ -82,11 +82,11 @@ in {
local_addrs = mkCommaSepListParam [] ''
Local address(es) to use for IKE communication. Takes
single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
</para><para>
As initiator, the first non-range/non-subnet is used to initiate the
connection from. As responder, the local destination address must match at
least to one of the specified addresses, subnets or ranges.
</para><para>
If FQDNs are assigned they are resolved every time a configuration lookup
is done. If DNS resolution times out, the lookup is delayed for that time.
'';
@ -94,11 +94,11 @@ in {
remote_addrs = mkCommaSepListParam [] ''
Remote address(es) to use for IKE communication. Takes
single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
</para><para>
As initiator, the first non-range/non-subnet is used to initiate the
connection to. As responder, the initiator source address must match at
least to one of the specified addresses, subnets or ranges.
</para><para>
If FQDNs are assigned they are resolved every time a configuration lookup
is done. If DNS resolution times out, the lookup is delayed for that time.
To initiate a connection, at least one specific address or DNS name must
@ -110,7 +110,7 @@ in {
backend is used, which is usually <literal>500</literal>. If port
<literal>500</literal> is used, automatic IKE port floating to port
<literal>4500</literal> is used to work around NAT issues.
</para><para>
Using a non-default local IKE port requires support from the socket
backend in use (socket-dynamic).
'';
@ -126,13 +126,13 @@ in {
for IKE an encryption algorithm, an integrity algorithm, a pseudo random
function and a Diffie-Hellman group. For AEAD algorithms, instead of
encryption and integrity algorithms, a combined algorithm is used.
</para><para>
In IKEv2, multiple algorithms of the same kind can be specified in a
single proposal, from which one gets selected. In IKEv1, only one
algorithm per kind is allowed per proposal, more algorithms get implicitly
stripped. Use multiple proposals to offer different algorithms
combinations in IKEv1.
</para><para>
Algorithm keywords get separated using dashes. Multiple proposals may be
specified in a list. The special value <literal>default</literal> forms a
default proposal of supported algorithms considered safe, and is usually a
@ -159,7 +159,7 @@ in {
If the default of yes is used, Mode Config works in pull mode, where the
initiator actively requests a virtual IP. With no, push mode is used,
where the responder pushes down a virtual IP to the initiating peer.
</para><para>
Push mode is currently supported for IKEv1, but not in IKEv2. It is used
by a few implementations only, pull mode is recommended.
'';
@ -174,7 +174,7 @@ in {
To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
NAT detection payloads. This makes the peer believe that NAT takes place
on the path, forcing it to encapsulate ESP packets in UDP.
</para><para>
Usually this is not required, but it can help to work around connectivity
issues with too restrictive intermediary firewalls.
'';
@ -183,7 +183,7 @@ in {
Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2
connections, and allows mobility of clients and multi-homing on servers by
migrating active IPsec tunnels.
</para><para>
Usually keeping MOBIKE enabled is unproblematic, as it is not used if the
peer does not indicate support for it. However, due to the design of
MOBIKE, IKEv2 always floats to port 4500 starting from the second
@ -222,7 +222,7 @@ in {
<listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing
support for this feature.</para></listitem>
</itemizedlist>
</para><para>
Note that fragmented IKE messages sent by a peer are always processed
irrespective of the value of this option (even when set to no).
'';
@ -284,7 +284,7 @@ in {
unique = mkEnumParam ["no" "never" "keep" "replace"] "no" ''
Connection uniqueness policy to enforce. To avoid multiple connections
from the same user, a uniqueness policy can be enforced.
</para><para>
<itemizedlist>
<listitem><para>
The value <literal>never</literal> does never enforce such a policy, even
@ -306,7 +306,7 @@ in {
To compare connections for uniqueness, the remote IKE identity is used. If
EAP or XAuth authentication is involved, the EAP-Identity or XAuth
username is used to enforce the uniqueness policy instead.
</para><para>
On initiators this setting specifies whether an INITIAL_CONTACT notify is
sent during IKE_AUTH if no existing connection is found with the remote
peer (determined by the identities of the first authentication
@ -320,7 +320,7 @@ in {
possible to actively reauthenticate as responder. The IKEv2
reauthentication lifetime negotiation can instruct the client to perform
reauthentication.
</para><para>
Reauthentication is disabled by default. Enabling it usually may lead to
small connection interruptions, as strongSwan uses a break-before-make
policy with IKEv2 to avoid any conflicts with associated tunnel resources.
@ -330,7 +330,7 @@ in {
IKE rekeying refreshes key material using a Diffie-Hellman exchange, but
does not re-check associated credentials. It is supported in IKEv2 only,
IKEv1 performs a reauthentication procedure instead.
</para><para>
With the default value IKE rekeying is scheduled every 4 hours, minus the
configured rand_time. If a reauth_time is configured, rekey_time defaults
to zero, disabling rekeying; explicitly set both to enforce rekeying and
@ -343,10 +343,10 @@ in {
perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails
to rekey or reauthenticate within the specified time, the IKE_SA gets
closed.
</para><para>
In contrast to CHILD_SA rekeying, over_time is relative in time to the
rekey_time and reauth_time values, as it applies to both.
</para><para>
The default is 10% of the longer of <option>rekey_time</option> and
<option>reauth_time</option>.
'';
@ -356,7 +356,7 @@ in {
rekey/reauth times. To avoid having both peers initiating the rekey/reauth
procedure simultaneously, a random time gets subtracted from the
rekey/reauth times.
</para><para>
The default is equal to the configured <option>over_time</option>.
'';
@ -410,7 +410,7 @@ in {
List of certificate candidates to use for
authentication. The certificates may use a relative path from the
swanctl <literal>x509</literal> directory or an absolute path.
</para><para>
The certificate used for authentication is selected based on the
received certificate request payloads. If no appropriate CA can be
located, the first certificate is used.
@ -426,7 +426,7 @@ in {
List of raw public key candidates to use for
authentication. The public keys may use a relative path from the swanctl
<literal>pubkey</literal> directory or an absolute path.
</para><para>
Even though multiple local public keys could be defined in principle,
only the first public key in the list is used for authentication.
'';
@ -504,7 +504,7 @@ in {
authentication. This identity may differ from the IKE identity,
especially when EAP authentication is delegated from the IKE responder
to an AAA backend.
</para><para>
For EAP-(T)TLS, this defines the identity for which the server must
provide a certificate in the TLS exchange.
'';
@ -518,7 +518,7 @@ in {
defines the rules how authentication is performed for the local
peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple
Authentication or IKEv1 XAuth.
</para><para>
Each round is defined in a section having <literal>local</literal> as
prefix, and an optional unique suffix. To define a single authentication
round, the suffix may be omitted.
@ -620,7 +620,7 @@ in {
Authentication to expect from remote. See the <option>local</option>
section's <option>auth</option> keyword description about the details of
supported mechanisms.
</para><para>
Since 5.4.0, to require a trustchain public key strength for the remote
side, specify the key type followed by the minimum strength in bits (for
example <literal>ecdsa-384</literal> or
@ -641,7 +641,7 @@ in {
<literal>pubkey</literal> or <literal>rsa</literal> constraints are
configured RSASSA-PSS signatures will only be accepted if enabled in
<literal>strongswan.conf</literal>(5).
</para><para>
To specify trust chain constraints for EAP-(T)TLS, append a colon to the
EAP method, followed by the key type/size and hash algorithm as
discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>).
@ -652,7 +652,7 @@ in {
defines the constraints how the peers must authenticate to use this
connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple
Authentication or IKEv1 XAuth.
</para><para>
Each round is defined in a section having <literal>remote</literal> as
prefix, and an optional unique suffix. To define a single authentication
round, the suffix may be omitted.
@ -665,13 +665,13 @@ in {
Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode
rekeying and initial negotiation uses a separate Diffie-Hellman exchange
using the specified group (refer to esp_proposals for details).
</para><para>
In IKEv2, multiple algorithms of the same kind can be specified in a
single proposal, from which one gets selected. In IKEv1, only one
algorithm per kind is allowed per proposal, more algorithms get
implicitly stripped. Use multiple proposals to offer different algorithms
combinations in IKEv1.
</para><para>
Algorithm keywords get separated using dashes. Multiple proposals may be
specified in a list. The special value <literal>default</literal> forms
a default proposal of supported algorithms considered safe, and is
@ -686,7 +686,7 @@ in {
an optional Extended Sequence Number Mode indicator. For AEAD proposals,
a combined mode algorithm is used instead of the separate
encryption/integrity algorithms.
</para><para>
If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
negotiation use a separate Diffie-Hellman exchange using the specified
group. However, for IKEv2, the keys of the CHILD_SA created implicitly
@ -695,18 +695,18 @@ in {
rekeyed or is created with a separate CREATE_CHILD_SA exchange. A
proposal mismatch might, therefore, not immediately be noticed when the
SA is established, but may later cause rekeying to fail.
</para><para>
Extended Sequence Number support may be indicated with the
<literal>esn</literal> and <literal>noesn</literal> values, both may be
included to indicate support for both modes. If omitted,
<literal>noesn</literal> is assumed.
</para><para>
In IKEv2, multiple algorithms of the same kind can be specified in a
single proposal, from which one gets selected. In IKEv1, only one
algorithm per kind is allowed per proposal, more algorithms get
implicitly stripped. Use multiple proposals to offer different algorithms
combinations in IKEv1.
</para><para>
Algorithm keywords get separated using dashes. Multiple proposals may be
specified as a list. The special value <literal>default</literal> forms
a default proposal of supported algorithms considered safe, and is
@ -729,7 +729,7 @@ in {
selector. The special value <literal>dynamic</literal> may be used
instead of a subnet definition, which gets replaced by the tunnel outer
address or the virtual IP, if negotiated. This is the default.
</para><para>
A protocol/port selector is surrounded by opening and closing square
brackets. Between these brackets, a numeric or getservent(3) protocol
name may be specified. After the optional protocol restriction, an
@ -738,7 +738,7 @@ in {
special value <literal>opaque</literal> for RFC 4301 OPAQUE
selectors. Port ranges may be specified as well, none of the kernel
backends currently support port ranges, though.
</para><para>
When IKEv1 is used only the first selector is interpreted, except if the
Cisco Unity extension plugin is used. This is due to a limitation of the
IKEv1 protocol, which only allows a single pair of selectors per
@ -761,7 +761,7 @@ in {
specified in the proposal. To avoid rekey collisions initiated by both
ends simultaneously, a value in the range of <option>rand_time</option>
gets subtracted to form the effective soft lifetime.
</para><para>
By default CHILD_SA rekeying is scheduled every hour, minus
<option>rand_time</option>.
'';
@ -783,11 +783,11 @@ in {
Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA
rekeying refreshes key material, optionally using a Diffie-Hellman
exchange if a group is specified in the proposal.
</para><para>
To avoid rekey collisions initiated by both ends simultaneously, a value
in the range of <option>rand_bytes</option> gets subtracted to form the
effective soft volume limit.
</para><para>
Volume based CHILD_SA rekeying is disabled by default.
'';
@ -808,11 +808,11 @@ in {
Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA
rekeying refreshes key material, optionally using a Diffie-Hellman
exchange if a group is specified in the proposal.
</para><para>
To avoid rekey collisions initiated by both ends simultaneously, a value
in the range of <option>rand_packets</option> gets subtracted to form
the effective soft packet count limit.
</para><para>
Packet count based CHILD_SA rekeying is disabled by default.
'';
@ -821,7 +821,7 @@ in {
this hard packets limit is never reached, because the CHILD_SA gets
rekeyed before. If that fails for whatever reason, this limit closes the
CHILD_SA.
</para><para>
The default is 10% more than <option>rekey_bytes</option>.
'';
@ -936,7 +936,7 @@ in {
<literal>%unique</literal> sets a unique mark on each CHILD_SA instance,
beyond that the value <literal>%unique-dir</literal> assigns a different
unique mark for each
</para><para>
An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is
<literal>0xffffffff</literal>.
@ -960,7 +960,7 @@ in {
value <literal>%unique</literal> sets a unique mark on each CHILD_SA
instance, beyond that the value <literal>%unique-dir</literal> assigns a
different unique mark for each CHILD_SA direction (in/out).
</para><para>
An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is
<literal>0xffffffff</literal>.
@ -1102,7 +1102,7 @@ in {
<literal>start</literal> tries to re-create the CHILD_SA.
</para></listitem>
</itemizedlist>
</para><para>
<option>close_action</option> does not provide any guarantee that the
CHILD_SA is kept alive. It acts on explicit close messages only, but not
on negotiation failures. Use trap policies to reliably re-create failed

21
nixos/modules/services/networking/znc/default.nix
View file

@ -156,22 +156,18 @@ in
format ZNC expects. This is much more flexible than the legacy options
under <option>services.znc.confOptions.*</option>, but also can't do
any type checking.
</para>
<para>
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command>
to view the current value. By default it contains a listener for port
5000 with SSL enabled.
</para>
<para>
Nix attributes called <literal>extraConfig</literal> will be inserted
verbatim into the resulting config file.
</para>
<para>
If <option>services.znc.useLegacyConfig</option> is turned on, the
option values in <option>services.znc.confOptions.*</option> will be
gracefully be applied to this option.
</para>
<para>
If you intend to update the configuration through this option, be sure
to enable <option>services.znc.mutable</option>, otherwise none of the
changes here will be applied after the initial deploy.
@ -184,8 +180,7 @@ in
description = ''
Configuration file for ZNC. It is recommended to use the
<option>config</option> option instead.
</para>
<para>
Setting this option will override any auto-generated config file
through the <option>confOptions</option> or <option>config</option>
options.
@ -208,13 +203,11 @@ in
Indicates whether to allow the contents of the
<literal>dataDir</literal> directory to be changed by the user at
run-time.
</para>
<para>
If enabled, modifications to the ZNC configuration after its initial
creation are not overwritten by a NixOS rebuild. If disabled, the
ZNC configuration is rebuilt on every NixOS rebuild.
</para>
<para>
If the user wants to manage the ZNC service using the web admin
interface, this option should be enabled.
'';

3
nixos/modules/services/networking/znc/options.nix
View file

@ -106,8 +106,7 @@ in
<option>services.znc.confOptions.*</option> options.
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command>
to view the current value of the config.
</para>
<para>
In any case, if you need more flexibility,
<option>services.znc.config</option> can be used to override/add to
all of the legacy options.

3
nixos/modules/services/x11/desktop-managers/plasma5.nix
View file

@ -172,8 +172,7 @@ in
default = false;
description = ''
Support setting monitor brightness via DDC.
</para>
<para>
This is not needed for controlling brightness of the internal monitor
of a laptop and as it is considered experimental by upstream, it is
disabled by default.

2
nixos/modules/system/activation/top-level.nix
View file

@ -335,7 +335,7 @@ in
'';
description = ''
The name of the system used in the <option>system.build.toplevel</option> derivation.
</para><para>
That derivation has the following name:
<literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal>
'';

12
nixos/modules/system/boot/loader/grub/grub.nix
View file

@ -624,9 +624,9 @@ in
type = types.bool;
description = ''
Whether to invoke <literal>grub-install</literal> with
<literal>--removable</literal>.</para>
<literal>--removable</literal>.
<para>Unless you turn this on, GRUB will install itself somewhere in
Unless you turn this on, GRUB will install itself somewhere in
<literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where
depends on other config variables). If you've set
<literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you
@ -637,14 +637,14 @@ in
NVRAM will not be modified, and your system will not find GRUB at
boot time. However, GRUB will still return success so you may miss
the warning that gets printed ("<literal>efibootmgr: EFI variables
are not supported on this system.</literal>").</para>
are not supported on this system.</literal>").
<para>If you turn this feature on, GRUB will install itself in a
If you turn this feature on, GRUB will install itself in a
special location within <literal>efiSysMountPoint</literal> (namely
<literal>EFI/boot/boot$arch.efi</literal>) which the firmwares
are hardcoded to try first, regardless of NVRAM EFI variables.</para>
are hardcoded to try first, regardless of NVRAM EFI variables.
<para>To summarize, turn this on if:
To summarize, turn this on if:
<itemizedlist>
<listitem><para>You are installing NixOS and want it to boot in UEFI mode,
but you are currently booted in legacy mode</para></listitem>

2
nixos/modules/system/boot/systemd/logind.nix
View file

@ -33,9 +33,7 @@ in
terminated. If false, the scope is "abandoned" (see
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">
systemd.scope(5)</link>), and processes are not killed.
</para>
<para>
See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
for more details.
'';

2
nixos/modules/tasks/scsi-link-power-management.nix
View file

@ -28,7 +28,7 @@ in
description = ''
SCSI link power management policy. The kernel default is
"max_performance".
</para><para>
"med_power_with_dipm" is supported by kernel versions
4.15 and newer.
'';