nixos/*: replace </para><para> with double linebreaks

our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.

only whitespace changes to generated documents, except for two
strongswan options gaining two paragraph breaks they arguably should've
had anyway.
pennae
2022-08-02 17:34:22 +02:00
parent 951c50ec6d
commit 694d5b19d3
26 changed files with 105 additions and 159 deletions

View File

@@ -34,8 +34,7 @@ in
default = [ "0a07" "c222" "c225" "c227" "c251" ]; default = [ "0a07" "c222" "c225" "c227" "c251" ];
description = '' description = ''
List of USB device ids supported by g15daemon. List of USB device ids supported by g15daemon.
</para>
<para>
You most likely do not need to change this. You most likely do not need to change this.
''; '';
}; };

View File

@@ -618,7 +618,7 @@ in
This will be directly appended (without whitespace) to the NixOS version This will be directly appended (without whitespace) to the NixOS version
string, like for example if it is set to <literal>XXX</literal>: string, like for example if it is set to <literal>XXX</literal>:
<para><literal>NixOS 99.99-pre666XXX</literal></para> <literal>NixOS 99.99-pre666XXX</literal>
''; '';
}; };
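Review bot: dropping the `<para>` wrapper around `<literal>NixOS 99.99-pre666XXX</literal>` without putting a blank line in front of it changes the rendered output, not just whitespace: the example line now continues the preceding paragraph ("...set to <literal>XXX</literal>:") instead of standing on its own. If the separate paragraph was intended, add an empty line above the `<literal>` line so the XSLT's double-line-break rule reopens a paragraph; if the inline form is the intended cleanup, the commit message's "only whitespace changes" claim should list this as an exception alongside the strongswan ones.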

View File

@@ -71,8 +71,7 @@ in {
''; '';
description = '' description = ''
Wrap the binaries in firejail and place them in the global path. Wrap the binaries in firejail and place them in the global path.
</para>
<para>
You will get file collisions if you put the actual application binary in You will get file collisions if you put the actual application binary in
the global environment (such as by adding the application package to the global environment (such as by adding the application package to
<code>environment.systemPackages</code>), and applications started via <code>environment.systemPackages</code>), and applications started via

View File

@@ -145,8 +145,7 @@ in {
<option>directories.imports</option>. It restricts <option>directories.imports</option>. It restricts
access to only those files within that directory and its access to only those files within that directory and its
subdirectories. subdirectories.
</para>
<para>
Setting this option to <literal>false</literal> introduces Setting this option to <literal>false</literal> introduces
possible security problems. possible security problems.
''; '';
@@ -158,8 +157,7 @@ in {
description = '' description = ''
Default network interface to listen for incoming connections. To Default network interface to listen for incoming connections. To
listen for connections on all interfaces, use "0.0.0.0". listen for connections on all interfaces, use "0.0.0.0".
</para>
<para>
Specifies the default IP address and address part of connector Specifies the default IP address and address part of connector
specific <option>listenAddress</option> options. To bind specific specific <option>listenAddress</option> options. To bind specific
connectors to a specific network interfaces, specify the entire connectors to a specific network interfaces, specify the entire
@@ -229,15 +227,13 @@ in {
default = "legacy"; default = "legacy";
description = '' description = ''
Neo4j SSL policy for BOLT traffic. Neo4j SSL policy for BOLT traffic.
</para>
<para>
The legacy policy is a special policy which is not defined in The legacy policy is a special policy which is not defined in
the policy configuration section, but rather derives from the policy configuration section, but rather derives from
<option>directories.certificates</option> and <option>directories.certificates</option> and
associated files (by default: <filename>neo4j.key</filename> and associated files (by default: <filename>neo4j.key</filename> and
<filename>neo4j.cert</filename>). Its use will be deprecated. <filename>neo4j.cert</filename>). Its use will be deprecated.
</para>
<para>
Note: This connector must be configured to support/require Note: This connector must be configured to support/require
SSL/TLS for the legacy policy to actually be utilized. See SSL/TLS for the legacy policy to actually be utilized. See
<option>bolt.tlsLevel</option>. <option>bolt.tlsLevel</option>.
@@ -261,13 +257,11 @@ in {
description = '' description = ''
Directory for storing certificates to be used by Neo4j for Directory for storing certificates to be used by Neo4j for
TLS connections. TLS connections.
</para>
<para>
When setting this directory to something other than its default, When setting this directory to something other than its default,
ensure the directory's existence, and that read/write permissions are ensure the directory's existence, and that read/write permissions are
given to the Neo4j daemon user <literal>neo4j</literal>. given to the Neo4j daemon user <literal>neo4j</literal>.
</para>
<para>
Note that changing this directory from its default will prevent Note that changing this directory from its default will prevent
the directory structure required for each SSL policy from being the directory structure required for each SSL policy from being
automatically generated. A policy's directory structure as defined by automatically generated. A policy's directory structure as defined by
@@ -286,8 +280,7 @@ in {
description = '' description = ''
Path of the data directory. You must not configure more than one Path of the data directory. You must not configure more than one
Neo4j installation to use the same data directory. Neo4j installation to use the same data directory.
</para>
<para>
When setting this directory to something other than its default, When setting this directory to something other than its default,
ensure the directory's existence, and that read/write permissions are ensure the directory's existence, and that read/write permissions are
given to the Neo4j daemon user <literal>neo4j</literal>. given to the Neo4j daemon user <literal>neo4j</literal>.
@@ -314,8 +307,7 @@ in {
<literal>LOAD CSV</literal> clause. Only meaningful when <literal>LOAD CSV</literal> clause. Only meaningful when
<option>constrainLoadCvs</option> is set to <option>constrainLoadCvs</option> is set to
<literal>true</literal>. <literal>true</literal>.
</para>
<para>
When setting this directory to something other than its default, When setting this directory to something other than its default,
ensure the directory's existence, and that read permission is ensure the directory's existence, and that read permission is
given to the Neo4j daemon user <literal>neo4j</literal>. given to the Neo4j daemon user <literal>neo4j</literal>.
@@ -330,8 +322,7 @@ in {
Path of the database plugin directory. Compiled Java JAR files that Path of the database plugin directory. Compiled Java JAR files that
contain database procedures will be loaded if they are placed in contain database procedures will be loaded if they are placed in
this directory. this directory.
</para>
<para>
When setting this directory to something other than its default, When setting this directory to something other than its default,
ensure the directory's existence, and that read permission is ensure the directory's existence, and that read permission is
given to the Neo4j daemon user <literal>neo4j</literal>. given to the Neo4j daemon user <literal>neo4j</literal>.
@@ -388,8 +379,7 @@ in {
default = "legacy"; default = "legacy";
description = '' description = ''
Neo4j SSL policy for HTTPS traffic. Neo4j SSL policy for HTTPS traffic.
</para>
<para>
The legacy policy is a special policy which is not defined in the The legacy policy is a special policy which is not defined in the
policy configuration section, but rather derives from policy configuration section, but rather derives from
<option>directories.certificates</option> and <option>directories.certificates</option> and
@@ -422,13 +412,11 @@ in {
certificate. Only performed when both objects cannot be found for certificate. Only performed when both objects cannot be found for
this policy. It is recommended to turn this off again after keys this policy. It is recommended to turn this off again after keys
have been generated. have been generated.
</para>
<para>
The public certificate is required to be duplicated to the The public certificate is required to be duplicated to the
directory holding trusted certificates as defined by the directory holding trusted certificates as defined by the
<option>trustedDir</option> option. <option>trustedDir</option> option.
</para>
<para>
Keys should in general be generated and distributed offline by a Keys should in general be generated and distributed offline by a
trusted certificate authority and not by utilizing this mode. trusted certificate authority and not by utilizing this mode.
''; '';
@@ -444,8 +432,7 @@ in {
option as well as <option>directories.certificates</option> are option as well as <option>directories.certificates</option> are
left at their default. Ensure read/write permissions are given left at their default. Ensure read/write permissions are given
to the Neo4j daemon user <literal>neo4j</literal>. to the Neo4j daemon user <literal>neo4j</literal>.
</para>
<para>
It is also possible to override each individual It is also possible to override each individual
configuration with absolute paths. See the configuration with absolute paths. See the
<option>privateKey</option> and <option>publicCertificate</option> <option>privateKey</option> and <option>publicCertificate</option>
@@ -488,8 +475,7 @@ in {
for this policy to be found in the <option>baseDirectory</option>, for this policy to be found in the <option>baseDirectory</option>,
or the absolute path to the certificate file. It is mandatory or the absolute path to the certificate file. It is mandatory
that a certificate can be found or generated. that a certificate can be found or generated.
</para>
<para>
The public certificate is required to be duplicated to the The public certificate is required to be duplicated to the
directory holding trusted certificates as defined by the directory holding trusted certificates as defined by the
<option>trustedDir</option> option. <option>trustedDir</option> option.
@@ -545,8 +531,7 @@ in {
<option>directories.certificates</option> to something other than <option>directories.certificates</option> to something other than
their default. Ensure read/write permissions are given to the their default. Ensure read/write permissions are given to the
Neo4j daemon user <literal>neo4j</literal>. Neo4j daemon user <literal>neo4j</literal>.
</para>
<para>
The public certificate as defined by The public certificate as defined by
<option>publicCertificate</option> is required to be duplicated <option>publicCertificate</option> is required to be duplicated
to this directory. to this directory.

View File

@@ -64,10 +64,10 @@ in {
}; };
description = '' description = ''
pgmanage requires at least one PostgreSQL server be defined. pgmanage requires at least one PostgreSQL server be defined.
</para><para>
Detailed information about PostgreSQL connection strings is available at: Detailed information about PostgreSQL connection strings is available at:
<link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/> <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
</para><para>
Note that you should not specify your user name or password. That Note that you should not specify your user name or password. That
information will be entered on the login screen. If you specify a information will be entered on the login screen. If you specify a
username or password, it will be removed by pgmanage before attempting to username or password, it will be removed by pgmanage before attempting to

View File

@@ -63,8 +63,7 @@ in with lib; {
default = false; default = false;
description = '' description = ''
Set group-write permissions on a USB device. Set group-write permissions on a USB device.
</para>
<para>
A USB connected LCD panel will most likely require having its A USB connected LCD panel will most likely require having its
permissions modified for lcdd to write to it. Enabling this option permissions modified for lcdd to write to it. Enabling this option
sets group-write permissions on the device identified by sets group-write permissions on the device identified by
@@ -72,13 +71,11 @@ in with lib; {
<option>services.hardware.lcd.usbPid</option>. In order to find the <option>services.hardware.lcd.usbPid</option>. In order to find the
values, you can run the <command>lsusb</command> command. Example values, you can run the <command>lsusb</command> command. Example
output: output:
</para>
<para>
<literal> <literal>
Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface
</literal> </literal>
</para>
<para>
In this case the vendor id is 0403 and the product id is c630. In this case the vendor id is 0403 and the product id is c630.
''; '';
}; };

View File

@@ -42,20 +42,14 @@ in {
''; '';
description = '' description = ''
<filename>config.yaml</filename> configuration as a Nix attribute set. <filename>config.yaml</filename> configuration as a Nix attribute set.
</para>
<para>
Configuration options should match those described in Configuration options should match those described in
<link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml"> <link xlink:href="https://github.com/Half-Shot/matrix-appservice-discord/blob/master/config/config.sample.yaml">
config.sample.yaml</link>. config.sample.yaml</link>.
</para>
<para>
<option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option> <option>config.bridge.domain</option> and <option>config.bridge.homeserverUrl</option>
should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work. should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option> Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set. instead of this world-readable attribute set.
''; '';

View File

@@ -80,9 +80,7 @@ in {
Configuration options should match those described in Configuration options should match those described in
<link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml"> <link xlink:href="https://github.com/mautrix/facebook/blob/master/mautrix_facebook/example-config.yaml">
example-config.yaml</link>. example-config.yaml</link>.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option> Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set. instead of this world-readable attribute set.
''; '';

View File

@@ -83,9 +83,7 @@ in {
Configuration options should match those described in Configuration options should match those described in
<link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml"> <link xlink:href="https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml">
example-config.yaml</link>. example-config.yaml</link>.
</para>
<para>
Secret tokens should be specified using <option>environmentFile</option> Secret tokens should be specified using <option>environmentFile</option>
instead of this world-readable attribute set. instead of this world-readable attribute set.
''; '';

View File

@@ -154,7 +154,7 @@ let
}); });
description = '' description = ''
Output scale configuration. Output scale configuration.
</para><para>
Either configure by pixels or a scaling factor. When using pixel method the Either configure by pixels or a scaling factor. When using pixel method the
<citerefentry> <citerefentry>
<refentrytitle>xrandr</refentrytitle> <refentrytitle>xrandr</refentrytitle>
@@ -165,7 +165,7 @@ let
will be used; when using factor method the option will be used; when using factor method the option
<parameter class="command">--scale</parameter> <parameter class="command">--scale</parameter>
will be used. will be used.
</para><para>
This option is a shortcut version of the transform option and they are mutually This option is a shortcut version of the transform option and they are mutually
exclusive. exclusive.
''; '';

View File

@@ -17,8 +17,7 @@ let
not configure multiple instances for subvolumes of the same filesystem not configure multiple instances for subvolumes of the same filesystem
(or block devices which are part of the same filesystem), but only for (or block devices which are part of the same filesystem), but only for
completely independent btrfs filesystems. completely independent btrfs filesystems.
</para>
<para>
This must be in a format usable by findmnt; that could be a key=value This must be in a format usable by findmnt; that could be a key=value
pair, or a bare path to a mount point. pair, or a bare path to a mount point.
Using bare paths will allow systemd to start the beesd service only Using bare paths will allow systemd to start the beesd service only
@@ -31,12 +30,10 @@ let
default = 1024; # 1GB; default from upstream beesd script default = 1024; # 1GB; default from upstream beesd script
description = '' description = ''
Hash table size in MB; must be a multiple of 16. Hash table size in MB; must be a multiple of 16.
</para>
<para>
A larger ratio of index size to storage size means smaller blocks of A larger ratio of index size to storage size means smaller blocks of
duplicate content are recognized. duplicate content are recognized.
</para>
<para>
If you have 1TB of data, a 4GB hash table (which is to say, a value of If you have 1TB of data, a 4GB hash table (which is to say, a value of
4096) will permit 4KB extents (the smallest possible size) to be 4096) will permit 4KB extents (the smallest possible size) to be
recognized, whereas a value of 1024 -- creating a 1GB hash table -- recognized, whereas a value of 1024 -- creating a 1GB hash table --

View File

@@ -636,12 +636,10 @@ in
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</citerefentry> for avalaible options. </citerefentry> for avalaible options.
The value declared here will be translated directly to the key-value pairs Nix expects. The value declared here will be translated directly to the key-value pairs Nix expects.
</para>
<para>
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.nix.settings</command> You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.nix.settings</command>
to view the current value. By default it is empty. to view the current value. By default it is empty.
</para>
<para>
Nix configurations defined under <option>nix.*</option> will be translated and applied to this Nix configurations defined under <option>nix.*</option> will be translated and applied to this
option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended option. In addition, configuration specified in <option>nix.extraOptions</option> which will be appended
verbatim to the resulting config file. verbatim to the resulting config file.
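Review bot: drive-by in the unchanged context line just above the first removed `</para>`: "avalaible options" is a typo for "available options". Since this commit already rewrites this description block, fixing it here (or in a follow-up) would be cheap.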

View File

@@ -68,7 +68,7 @@ in {
services.zoneminder = with lib; { services.zoneminder = with lib; {
enable = lib.mkEnableOption '' enable = lib.mkEnableOption ''
ZoneMinder ZoneMinder
</para><para>
If you intend to run the database locally, you should set If you intend to run the database locally, you should set
`config.services.zoneminder.database.createLocally` to true. Otherwise, `config.services.zoneminder.database.createLocally` to true. Otherwise,
when set to `false` (the default), you will have to create the database when set to `false` (the default), you will have to create the database
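Review bot: after this change the `mkEnableOption` argument reads `ZoneMinder`, a blank line, then the database paragraph. `mkEnableOption` wraps its argument as "Whether to enable ${name}.", so the closing period still lands after the last paragraph rather than after "ZoneMinder", leaving the first paragraph without one. That is pre-existing rather than introduced here, but now that the blank line makes the paragraph split explicit it may be worth moving this multi-paragraph text into a plain `mkOption { description = ...; }` with a complete first sentence.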
@@ -82,8 +82,6 @@ in {
default = "nginx"; default = "nginx";
description = '' description = ''
The webserver to configure for the PHP frontend. The webserver to configure for the PHP frontend.
</para>
<para>
Set it to `none` if you want to configure it yourself. PRs are welcome Set it to `none` if you want to configure it yourself. PRs are welcome
for support for other web servers. for support for other web servers.

View File

@@ -118,10 +118,10 @@ in {
Extra paths to add to the netdata global "plugins directory" Extra paths to add to the netdata global "plugins directory"
option. Useful for when you want to include your own option. Useful for when you want to include your own
collection scripts. collection scripts.
</para><para>
Details about writing a custom netdata plugin are available at: Details about writing a custom netdata plugin are available at:
<link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/> <link xlink:href="https://docs.netdata.cloud/collectors/plugins.d/"/>
</para><para>
Cannot be combined with configText. Cannot be combined with configText.
''; '';
}; };

View File

@@ -329,8 +329,7 @@ in {
default = "default"; default = "default";
description = '' description = ''
Set the DNS (<literal>resolv.conf</literal>) processing mode. Set the DNS (<literal>resolv.conf</literal>) processing mode.
</para>
<para>
A description of these modes can be found in the main section of A description of these modes can be found in the main section of
<link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html">
https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
@@ -390,7 +389,7 @@ in {
default = false; default = false;
description = '' description = ''
Enable the StrongSwan plugin. Enable the StrongSwan plugin.
</para><para>
If you enable this option the If you enable this option the
<literal>networkmanager_strongswan</literal> plugin will be added to <literal>networkmanager_strongswan</literal> plugin will be added to
the <option>networking.networkmanager.plugins</option> option the <option>networking.networkmanager.plugins</option> option

View File

@@ -43,8 +43,7 @@ in
description = '' description = ''
Whether to synchronise your machine's time using ntpd, as a peer in Whether to synchronise your machine's time using ntpd, as a peer in
the NTP network. the NTP network.
</para>
<para>
Disables <literal>systemd.timesyncd</literal> if enabled. Disables <literal>systemd.timesyncd</literal> if enabled.
''; '';
}; };
@@ -53,8 +52,7 @@ in
type = types.listOf types.str; type = types.listOf types.str;
description = '' description = ''
The restriction flags to be set by default. The restriction flags to be set by default.
</para>
<para>
The default flags prevent external hosts from using ntpd as a DDoS The default flags prevent external hosts from using ntpd as a DDoS
reflector, setting system time, and querying OS/ntpd version. As reflector, setting system time, and querying OS/ntpd version. As
recommended in section 6.5.1.1.3, answer "No" of recommended in section 6.5.1.1.3, answer "No" of
@@ -67,8 +65,7 @@ in
type = types.listOf types.str; type = types.listOf types.str;
description = '' description = ''
The restriction flags to be set on source. The restriction flags to be set on source.
</para>
<para>
The default flags allow peers to be added by ntpd from configured The default flags allow peers to be added by ntpd from configured
pool(s), but not by other means. pool(s), but not by other means.
''; '';

View File

@@ -300,8 +300,7 @@ in
]; ];
description = '' description = ''
Allowed key exchange algorithms Allowed key exchange algorithms
</para>
<para>
Uses the lower bound recommended in both Uses the lower bound recommended in both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and and
@@ -321,8 +320,7 @@ in
]; ];
description = '' description = ''
Allowed ciphers Allowed ciphers
</para>
<para>
Defaults to recommended settings from both Defaults to recommended settings from both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and and
@@ -342,8 +340,7 @@ in
]; ];
description = '' description = ''
Allowed MACs Allowed MACs
</para>
<para>
Defaults to recommended settings from both Defaults to recommended settings from both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and and

View File

@@ -59,7 +59,8 @@ rec {
if strongswanDefault == null if strongswanDefault == null
then description then description
else description + '' else description + ''
</para><para>
StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal>
''; '';
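Review bot: the hunk header (`-59,7 +59,8`) shows the single `</para><para>` line replaced by two lines, presumably two blank lines, and that is the only reason this still produces a paragraph break: Nix indented strings drop the newline that immediately follows the opening `''`, so with a single blank line `description + ''` would contribute only one newline before "StrongSwan default:" and the XSLT's double-line-break rule would not start a new paragraph. A one-line comment next to the concatenation saying why the extra blank line is there would stop someone from "cleaning it up" later.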

View File

@@ -15,14 +15,14 @@ let
file = mkOptionalStrParam '' file = mkOptionalStrParam ''
Absolute path to the certificate to load. Passed as-is to the daemon, so Absolute path to the certificate to load. Passed as-is to the daemon, so
it must be readable by it. it must be readable by it.
</para><para>
Configure either this or <option>handle</option>, but not both, in one section. Configure either this or <option>handle</option>, but not both, in one section.
''; '';
handle = mkOptionalHexParam '' handle = mkOptionalHexParam ''
Hex-encoded CKA_ID or handle of the certificate on a token or TPM, Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
respectively. respectively.
</para><para>
Configure either this or <option>file</option>, but not both, in one section. Configure either this or <option>file</option>, but not both, in one section.
''; '';
@@ -40,7 +40,7 @@ in {
cacert = mkOptionalStrParam '' cacert = mkOptionalStrParam ''
The certificates may use a relative path from the swanctl The certificates may use a relative path from the swanctl
<literal>x509ca</literal> directory or an absolute path. <literal>x509ca</literal> directory or an absolute path.
</para><para>
Configure one of <option>cacert</option>, Configure one of <option>cacert</option>,
<option>file</option>, or <option>file</option>, or
<option>handle</option> per section. <option>handle</option> per section.
@@ -82,11 +82,11 @@ in {
local_addrs = mkCommaSepListParam [] '' local_addrs = mkCommaSepListParam [] ''
Local address(es) to use for IKE communication. Takes Local address(es) to use for IKE communication. Takes
single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
</para><para>
As initiator, the first non-range/non-subnet is used to initiate the As initiator, the first non-range/non-subnet is used to initiate the
connection from. As responder, the local destination address must match at connection from. As responder, the local destination address must match at
least to one of the specified addresses, subnets or ranges. least to one of the specified addresses, subnets or ranges.
</para><para>
If FQDNs are assigned they are resolved every time a configuration lookup If FQDNs are assigned they are resolved every time a configuration lookup
is done. If DNS resolution times out, the lookup is delayed for that time. is done. If DNS resolution times out, the lookup is delayed for that time.
''; '';
@@ -94,11 +94,11 @@ in {
remote_addrs = mkCommaSepListParam [] '' remote_addrs = mkCommaSepListParam [] ''
Remote address(es) to use for IKE communication. Takes Remote address(es) to use for IKE communication. Takes
single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
</para><para>
As initiator, the first non-range/non-subnet is used to initiate the As initiator, the first non-range/non-subnet is used to initiate the
connection to. As responder, the initiator source address must match at connection to. As responder, the initiator source address must match at
least to one of the specified addresses, subnets or ranges. least to one of the specified addresses, subnets or ranges.
</para><para>
If FQDNs are assigned they are resolved every time a configuration lookup If FQDNs are assigned they are resolved every time a configuration lookup
is done. If DNS resolution times out, the lookup is delayed for that time. is done. If DNS resolution times out, the lookup is delayed for that time.
To initiate a connection, at least one specific address or DNS name must To initiate a connection, at least one specific address or DNS name must
@@ -110,7 +110,7 @@ in {
backend is used, which is usually <literal>500</literal>. If port backend is used, which is usually <literal>500</literal>. If port
<literal>500</literal> is used, automatic IKE port floating to port <literal>500</literal> is used, automatic IKE port floating to port
<literal>4500</literal> is used to work around NAT issues. <literal>4500</literal> is used to work around NAT issues.
</para><para>
Using a non-default local IKE port requires support from the socket Using a non-default local IKE port requires support from the socket
backend in use (socket-dynamic). backend in use (socket-dynamic).
''; '';
@@ -126,13 +126,13 @@ in {
for IKE an encryption algorithm, an integrity algorithm, a pseudo random for IKE an encryption algorithm, an integrity algorithm, a pseudo random
function and a Diffie-Hellman group. For AEAD algorithms, instead of function and a Diffie-Hellman group. For AEAD algorithms, instead of
encryption and integrity algorithms, a combined algorithm is used. encryption and integrity algorithms, a combined algorithm is used.
</para><para>
In IKEv2, multiple algorithms of the same kind can be specified in a In IKEv2, multiple algorithms of the same kind can be specified in a
single proposal, from which one gets selected. In IKEv1, only one single proposal, from which one gets selected. In IKEv1, only one
algorithm per kind is allowed per proposal, more algorithms get implicitly algorithm per kind is allowed per proposal, more algorithms get implicitly
stripped. Use multiple proposals to offer different algorithms stripped. Use multiple proposals to offer different algorithms
combinations in IKEv1. combinations in IKEv1.
</para><para>
Algorithm keywords get separated using dashes. Multiple proposals may be Algorithm keywords get separated using dashes. Multiple proposals may be
specified in a list. The special value <literal>default</literal> forms a specified in a list. The special value <literal>default</literal> forms a
default proposal of supported algorithms considered safe, and is usually a default proposal of supported algorithms considered safe, and is usually a
@@ -159,7 +159,7 @@ in {
If the default of yes is used, Mode Config works in pull mode, where the If the default of yes is used, Mode Config works in pull mode, where the
initiator actively requests a virtual IP. With no, push mode is used, initiator actively requests a virtual IP. With no, push mode is used,
where the responder pushes down a virtual IP to the initiating peer. where the responder pushes down a virtual IP to the initiating peer.
</para><para>
Push mode is currently supported for IKEv1, but not in IKEv2. It is used Push mode is currently supported for IKEv1, but not in IKEv2. It is used
by a few implementations only, pull mode is recommended. by a few implementations only, pull mode is recommended.
''; '';
@@ -174,7 +174,7 @@ in {
To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
NAT detection payloads. This makes the peer believe that NAT takes place NAT detection payloads. This makes the peer believe that NAT takes place
on the path, forcing it to encapsulate ESP packets in UDP. on the path, forcing it to encapsulate ESP packets in UDP.
</para><para>
Usually this is not required, but it can help to work around connectivity Usually this is not required, but it can help to work around connectivity
issues with too restrictive intermediary firewalls. issues with too restrictive intermediary firewalls.
''; '';
@@ -183,7 +183,7 @@ in {
Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2
connections, and allows mobility of clients and multi-homing on servers by connections, and allows mobility of clients and multi-homing on servers by
migrating active IPsec tunnels. migrating active IPsec tunnels.
</para><para>
Usually keeping MOBIKE enabled is unproblematic, as it is not used if the Usually keeping MOBIKE enabled is unproblematic, as it is not used if the
peer does not indicate support for it. However, due to the design of peer does not indicate support for it. However, due to the design of
MOBIKE, IKEv2 always floats to port 4500 starting from the second MOBIKE, IKEv2 always floats to port 4500 starting from the second
@@ -222,7 +222,7 @@ in {
<listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing
support for this feature.</para></listitem> support for this feature.</para></listitem>
</itemizedlist> </itemizedlist>
</para><para>
Note that fragmented IKE messages sent by a peer are always processed Note that fragmented IKE messages sent by a peer are always processed
irrespective of the value of this option (even when set to no). irrespective of the value of this option (even when set to no).
''; '';
@@ -284,7 +284,7 @@ in {
unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' unique = mkEnumParam ["no" "never" "keep" "replace"] "no" ''
Connection uniqueness policy to enforce. To avoid multiple connections Connection uniqueness policy to enforce. To avoid multiple connections
from the same user, a uniqueness policy can be enforced. from the same user, a uniqueness policy can be enforced.
</para><para>
<itemizedlist> <itemizedlist>
<listitem><para> <listitem><para>
The value <literal>never</literal> does never enforce such a policy, even The value <literal>never</literal> does never enforce such a policy, even
@@ -306,7 +306,7 @@ in {
To compare connections for uniqueness, the remote IKE identity is used. If To compare connections for uniqueness, the remote IKE identity is used. If
EAP or XAuth authentication is involved, the EAP-Identity or XAuth EAP or XAuth authentication is involved, the EAP-Identity or XAuth
username is used to enforce the uniqueness policy instead. username is used to enforce the uniqueness policy instead.
</para><para>
On initiators this setting specifies whether an INITIAL_CONTACT notify is On initiators this setting specifies whether an INITIAL_CONTACT notify is
sent during IKE_AUTH if no existing connection is found with the remote sent during IKE_AUTH if no existing connection is found with the remote
peer (determined by the identities of the first authentication peer (determined by the identities of the first authentication
@@ -320,7 +320,7 @@ in {
possible to actively reauthenticate as responder. The IKEv2 possible to actively reauthenticate as responder. The IKEv2
reauthentication lifetime negotiation can instruct the client to perform reauthentication lifetime negotiation can instruct the client to perform
reauthentication. reauthentication.
</para><para>
Reauthentication is disabled by default. Enabling it usually may lead to Reauthentication is disabled by default. Enabling it usually may lead to
small connection interruptions, as strongSwan uses a break-before-make small connection interruptions, as strongSwan uses a break-before-make
policy with IKEv2 to avoid any conflicts with associated tunnel resources. policy with IKEv2 to avoid any conflicts with associated tunnel resources.
@@ -330,7 +330,7 @@ in {
IKE rekeying refreshes key material using a Diffie-Hellman exchange, but IKE rekeying refreshes key material using a Diffie-Hellman exchange, but
does not re-check associated credentials. It is supported in IKEv2 only, does not re-check associated credentials. It is supported in IKEv2 only,
IKEv1 performs a reauthentication procedure instead. IKEv1 performs a reauthentication procedure instead.
</para><para>
With the default value IKE rekeying is scheduled every 4 hours, minus the With the default value IKE rekeying is scheduled every 4 hours, minus the
configured rand_time. If a reauth_time is configured, rekey_time defaults configured rand_time. If a reauth_time is configured, rekey_time defaults
to zero, disabling rekeying; explicitly set both to enforce rekeying and to zero, disabling rekeying; explicitly set both to enforce rekeying and
@@ -343,10 +343,10 @@ in {
perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails
to rekey or reauthenticate within the specified time, the IKE_SA gets to rekey or reauthenticate within the specified time, the IKE_SA gets
closed. closed.
</para><para>
In contrast to CHILD_SA rekeying, over_time is relative in time to the In contrast to CHILD_SA rekeying, over_time is relative in time to the
rekey_time and reauth_time values, as it applies to both. rekey_time and reauth_time values, as it applies to both.
</para><para>
The default is 10% of the longer of <option>rekey_time</option> and The default is 10% of the longer of <option>rekey_time</option> and
<option>reauth_time</option>. <option>reauth_time</option>.
''; '';
@@ -356,7 +356,7 @@ in {
rekey/reauth times. To avoid having both peers initiating the rekey/reauth rekey/reauth times. To avoid having both peers initiating the rekey/reauth
procedure simultaneously, a random time gets subtracted from the procedure simultaneously, a random time gets subtracted from the
rekey/reauth times. rekey/reauth times.
</para><para>
The default is equal to the configured <option>over_time</option>. The default is equal to the configured <option>over_time</option>.
''; '';
@@ -410,7 +410,7 @@ in {
List of certificate candidates to use for List of certificate candidates to use for
authentication. The certificates may use a relative path from the authentication. The certificates may use a relative path from the
swanctl <literal>x509</literal> directory or an absolute path. swanctl <literal>x509</literal> directory or an absolute path.
</para><para>
The certificate used for authentication is selected based on the The certificate used for authentication is selected based on the
received certificate request payloads. If no appropriate CA can be received certificate request payloads. If no appropriate CA can be
located, the first certificate is used. located, the first certificate is used.
@@ -426,7 +426,7 @@ in {
List of raw public key candidates to use for List of raw public key candidates to use for
authentication. The public keys may use a relative path from the swanctl authentication. The public keys may use a relative path from the swanctl
<literal>pubkey</literal> directory or an absolute path. <literal>pubkey</literal> directory or an absolute path.
</para><para>
Even though multiple local public keys could be defined in principle, Even though multiple local public keys could be defined in principle,
only the first public key in the list is used for authentication. only the first public key in the list is used for authentication.
''; '';
@@ -504,7 +504,7 @@ in {
authentication. This identity may differ from the IKE identity, authentication. This identity may differ from the IKE identity,
especially when EAP authentication is delegated from the IKE responder especially when EAP authentication is delegated from the IKE responder
to an AAA backend. to an AAA backend.
</para><para>
For EAP-(T)TLS, this defines the identity for which the server must For EAP-(T)TLS, this defines the identity for which the server must
provide a certificate in the TLS exchange. provide a certificate in the TLS exchange.
''; '';
@@ -518,7 +518,7 @@ in {
defines the rules how authentication is performed for the local defines the rules how authentication is performed for the local
peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple
Authentication or IKEv1 XAuth. Authentication or IKEv1 XAuth.
</para><para>
Each round is defined in a section having <literal>local</literal> as Each round is defined in a section having <literal>local</literal> as
prefix, and an optional unique suffix. To define a single authentication prefix, and an optional unique suffix. To define a single authentication
round, the suffix may be omitted. round, the suffix may be omitted.
@@ -620,7 +620,7 @@ in {
Authentication to expect from remote. See the <option>local</option> Authentication to expect from remote. See the <option>local</option>
section's <option>auth</option> keyword description about the details of section's <option>auth</option> keyword description about the details of
supported mechanisms. supported mechanisms.
</para><para>
Since 5.4.0, to require a trustchain public key strength for the remote Since 5.4.0, to require a trustchain public key strength for the remote
side, specify the key type followed by the minimum strength in bits (for side, specify the key type followed by the minimum strength in bits (for
example <literal>ecdsa-384</literal> or example <literal>ecdsa-384</literal> or
@@ -641,7 +641,7 @@ in {
<literal>pubkey</literal> or <literal>rsa</literal> constraints are <literal>pubkey</literal> or <literal>rsa</literal> constraints are
configured RSASSA-PSS signatures will only be accepted if enabled in configured RSASSA-PSS signatures will only be accepted if enabled in
<literal>strongswan.conf</literal>(5). <literal>strongswan.conf</literal>(5).
</para><para>
To specify trust chain constraints for EAP-(T)TLS, append a colon to the To specify trust chain constraints for EAP-(T)TLS, append a colon to the
EAP method, followed by the key type/size and hash algorithm as EAP method, followed by the key type/size and hash algorithm as
discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>).
@@ -652,7 +652,7 @@ in {
defines the constraints how the peers must authenticate to use this defines the constraints how the peers must authenticate to use this
connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple
Authentication or IKEv1 XAuth. Authentication or IKEv1 XAuth.
</para><para>
Each round is defined in a section having <literal>remote</literal> as Each round is defined in a section having <literal>remote</literal> as
prefix, and an optional unique suffix. To define a single authentication prefix, and an optional unique suffix. To define a single authentication
round, the suffix may be omitted. round, the suffix may be omitted.
@@ -665,13 +665,13 @@ in {
Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode
rekeying and initial negotiation uses a separate Diffie-Hellman exchange rekeying and initial negotiation uses a separate Diffie-Hellman exchange
using the specified group (refer to esp_proposals for details). using the specified group (refer to esp_proposals for details).
</para><para>
In IKEv2, multiple algorithms of the same kind can be specified in a In IKEv2, multiple algorithms of the same kind can be specified in a
single proposal, from which one gets selected. In IKEv1, only one single proposal, from which one gets selected. In IKEv1, only one
algorithm per kind is allowed per proposal, more algorithms get algorithm per kind is allowed per proposal, more algorithms get
implicitly stripped. Use multiple proposals to offer different algorithms implicitly stripped. Use multiple proposals to offer different algorithms
combinations in IKEv1. combinations in IKEv1.
</para><para>
Algorithm keywords get separated using dashes. Multiple proposals may be Algorithm keywords get separated using dashes. Multiple proposals may be
specified in a list. The special value <literal>default</literal> forms specified in a list. The special value <literal>default</literal> forms
a default proposal of supported algorithms considered safe, and is a default proposal of supported algorithms considered safe, and is
@@ -686,7 +686,7 @@ in {
an optional Extended Sequence Number Mode indicator. For AEAD proposals, an optional Extended Sequence Number Mode indicator. For AEAD proposals,
a combined mode algorithm is used instead of the separate a combined mode algorithm is used instead of the separate
encryption/integrity algorithms. encryption/integrity algorithms.
</para><para>
If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
negotiation use a separate Diffie-Hellman exchange using the specified negotiation use a separate Diffie-Hellman exchange using the specified
group. However, for IKEv2, the keys of the CHILD_SA created implicitly group. However, for IKEv2, the keys of the CHILD_SA created implicitly
@@ -695,18 +695,18 @@ in {
rekeyed or is created with a separate CREATE_CHILD_SA exchange. A rekeyed or is created with a separate CREATE_CHILD_SA exchange. A
proposal mismatch might, therefore, not immediately be noticed when the proposal mismatch might, therefore, not immediately be noticed when the
SA is established, but may later cause rekeying to fail. SA is established, but may later cause rekeying to fail.
</para><para>
Extended Sequence Number support may be indicated with the Extended Sequence Number support may be indicated with the
<literal>esn</literal> and <literal>noesn</literal> values, both may be <literal>esn</literal> and <literal>noesn</literal> values, both may be
included to indicate support for both modes. If omitted, included to indicate support for both modes. If omitted,
<literal>noesn</literal> is assumed. <literal>noesn</literal> is assumed.
</para><para>
In IKEv2, multiple algorithms of the same kind can be specified in a In IKEv2, multiple algorithms of the same kind can be specified in a
single proposal, from which one gets selected. In IKEv1, only one single proposal, from which one gets selected. In IKEv1, only one
algorithm per kind is allowed per proposal, more algorithms get algorithm per kind is allowed per proposal, more algorithms get
implicitly stripped. Use multiple proposals to offer different algorithms implicitly stripped. Use multiple proposals to offer different algorithms
combinations in IKEv1. combinations in IKEv1.
</para><para>
Algorithm keywords get separated using dashes. Multiple proposals may be Algorithm keywords get separated using dashes. Multiple proposals may be
specified as a list. The special value <literal>default</literal> forms specified as a list. The special value <literal>default</literal> forms
a default proposal of supported algorithms considered safe, and is a default proposal of supported algorithms considered safe, and is
@@ -729,7 +729,7 @@ in {
selector. The special value <literal>dynamic</literal> may be used selector. The special value <literal>dynamic</literal> may be used
instead of a subnet definition, which gets replaced by the tunnel outer instead of a subnet definition, which gets replaced by the tunnel outer
address or the virtual IP, if negotiated. This is the default. address or the virtual IP, if negotiated. This is the default.
</para><para>
A protocol/port selector is surrounded by opening and closing square A protocol/port selector is surrounded by opening and closing square
brackets. Between these brackets, a numeric or getservent(3) protocol brackets. Between these brackets, a numeric or getservent(3) protocol
name may be specified. After the optional protocol restriction, an name may be specified. After the optional protocol restriction, an
@@ -738,7 +738,7 @@ in {
special value <literal>opaque</literal> for RFC 4301 OPAQUE special value <literal>opaque</literal> for RFC 4301 OPAQUE
selectors. Port ranges may be specified as well, none of the kernel selectors. Port ranges may be specified as well, none of the kernel
backends currently support port ranges, though. backends currently support port ranges, though.
</para><para>
When IKEv1 is used only the first selector is interpreted, except if the When IKEv1 is used only the first selector is interpreted, except if the
Cisco Unity extension plugin is used. This is due to a limitation of the Cisco Unity extension plugin is used. This is due to a limitation of the
IKEv1 protocol, which only allows a single pair of selectors per IKEv1 protocol, which only allows a single pair of selectors per
@@ -761,7 +761,7 @@ in {
specified in the proposal. To avoid rekey collisions initiated by both specified in the proposal. To avoid rekey collisions initiated by both
ends simultaneously, a value in the range of <option>rand_time</option> ends simultaneously, a value in the range of <option>rand_time</option>
gets subtracted to form the effective soft lifetime. gets subtracted to form the effective soft lifetime.
</para><para>
By default CHILD_SA rekeying is scheduled every hour, minus By default CHILD_SA rekeying is scheduled every hour, minus
<option>rand_time</option>. <option>rand_time</option>.
''; '';
@@ -783,11 +783,11 @@ in {
Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA
rekeying refreshes key material, optionally using a Diffie-Hellman rekeying refreshes key material, optionally using a Diffie-Hellman
exchange if a group is specified in the proposal. exchange if a group is specified in the proposal.
</para><para>
To avoid rekey collisions initiated by both ends simultaneously, a value To avoid rekey collisions initiated by both ends simultaneously, a value
in the range of <option>rand_bytes</option> gets subtracted to form the in the range of <option>rand_bytes</option> gets subtracted to form the
effective soft volume limit. effective soft volume limit.
</para><para>
Volume based CHILD_SA rekeying is disabled by default. Volume based CHILD_SA rekeying is disabled by default.
''; '';
@@ -808,11 +808,11 @@ in {
Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA
rekeying refreshes key material, optionally using a Diffie-Hellman rekeying refreshes key material, optionally using a Diffie-Hellman
exchange if a group is specified in the proposal. exchange if a group is specified in the proposal.
</para><para>
To avoid rekey collisions initiated by both ends simultaneously, a value To avoid rekey collisions initiated by both ends simultaneously, a value
in the range of <option>rand_packets</option> gets subtracted to form in the range of <option>rand_packets</option> gets subtracted to form
the effective soft packet count limit. the effective soft packet count limit.
</para><para>
Packet count based CHILD_SA rekeying is disabled by default. Packet count based CHILD_SA rekeying is disabled by default.
''; '';
@@ -821,7 +821,7 @@ in {
this hard packets limit is never reached, because the CHILD_SA gets this hard packets limit is never reached, because the CHILD_SA gets
rekeyed before. If that fails for whatever reason, this limit closes the rekeyed before. If that fails for whatever reason, this limit closes the
CHILD_SA. CHILD_SA.
</para><para>
The default is 10% more than <option>rekey_bytes</option>. The default is 10% more than <option>rekey_bytes</option>.
''; '';
@@ -936,7 +936,7 @@ in {
<literal>%unique</literal> sets a unique mark on each CHILD_SA instance, <literal>%unique</literal> sets a unique mark on each CHILD_SA instance,
beyond that the value <literal>%unique-dir</literal> assigns a different beyond that the value <literal>%unique-dir</literal> assigns a different
unique mark for each unique mark for each
</para><para>
An additional mask may be appended to the mark, separated by An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is <literal>/</literal>. The default mask if omitted is
<literal>0xffffffff</literal>. <literal>0xffffffff</literal>.
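Review bot: the sentence ending `unique mark for each` on the line just above the removed `</para><para>` is cut off, so the new blank line now separates a fragment from the following paragraph; since this hunk touches that spot, complete it to match the parallel description in the next hunk, `different unique mark for each CHILD_SA direction (in/out).`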
@@ -960,7 +960,7 @@ in {
value <literal>%unique</literal> sets a unique mark on each CHILD_SA value <literal>%unique</literal> sets a unique mark on each CHILD_SA
instance, beyond that the value <literal>%unique-dir</literal> assigns a instance, beyond that the value <literal>%unique-dir</literal> assigns a
different unique mark for each CHILD_SA direction (in/out). different unique mark for each CHILD_SA direction (in/out).
</para><para>
An additional mask may be appended to the mark, separated by An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is <literal>/</literal>. The default mask if omitted is
<literal>0xffffffff</literal>. <literal>0xffffffff</literal>.
@@ -1102,7 +1102,7 @@ in {
<literal>start</literal> tries to re-create the CHILD_SA. <literal>start</literal> tries to re-create the CHILD_SA.
</para></listitem> </para></listitem>
</itemizedlist> </itemizedlist>
</para><para>
<option>close_action</option> does not provide any guarantee that the <option>close_action</option> does not provide any guarantee that the
CHILD_SA is kept alive. It acts on explicit close messages only, but not CHILD_SA is kept alive. It acts on explicit close messages only, but not
on negotiation failures. Use trap policies to reliably re-create failed on negotiation failures. Use trap policies to reliably re-create failed

View File

@@ -156,22 +156,18 @@ in
format ZNC expects. This is much more flexible than the legacy options format ZNC expects. This is much more flexible than the legacy options
under <option>services.znc.confOptions.*</option>, but also can't do under <option>services.znc.confOptions.*</option>, but also can't do
any type checking. any type checking.
</para>
<para>
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command> You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command>
to view the current value. By default it contains a listener for port to view the current value. By default it contains a listener for port
5000 with SSL enabled. 5000 with SSL enabled.
</para>
<para>
Nix attributes called <literal>extraConfig</literal> will be inserted Nix attributes called <literal>extraConfig</literal> will be inserted
verbatim into the resulting config file. verbatim into the resulting config file.
</para>
<para>
If <option>services.znc.useLegacyConfig</option> is turned on, the If <option>services.znc.useLegacyConfig</option> is turned on, the
option values in <option>services.znc.confOptions.*</option> will be option values in <option>services.znc.confOptions.*</option> will be
gracefully be applied to this option. gracefully be applied to this option.
</para>
<para>
If you intend to update the configuration through this option, be sure If you intend to update the configuration through this option, be sure
to enable <option>services.znc.mutable</option>, otherwise none of the to enable <option>services.znc.mutable</option>, otherwise none of the
changes here will be applied after the initial deploy. changes here will be applied after the initial deploy.
@@ -184,8 +180,7 @@ in
description = '' description = ''
Configuration file for ZNC. It is recommended to use the Configuration file for ZNC. It is recommended to use the
<option>config</option> option instead. <option>config</option> option instead.
</para>
<para>
Setting this option will override any auto-generated config file Setting this option will override any auto-generated config file
through the <option>confOptions</option> or <option>config</option> through the <option>confOptions</option> or <option>config</option>
options. options.
@@ -208,13 +203,11 @@ in
Indicates whether to allow the contents of the Indicates whether to allow the contents of the
<literal>dataDir</literal> directory to be changed by the user at <literal>dataDir</literal> directory to be changed by the user at
run-time. run-time.
</para>
<para>
If enabled, modifications to the ZNC configuration after its initial If enabled, modifications to the ZNC configuration after its initial
creation are not overwritten by a NixOS rebuild. If disabled, the creation are not overwritten by a NixOS rebuild. If disabled, the
ZNC configuration is rebuilt on every NixOS rebuild. ZNC configuration is rebuilt on every NixOS rebuild.
</para>
<para>
If the user wants to manage the ZNC service using the web admin If the user wants to manage the ZNC service using the web admin
interface, this option should be enabled. interface, this option should be enabled.
''; '';

View File

@@ -106,8 +106,7 @@ in
<option>services.znc.confOptions.*</option> options. <option>services.znc.confOptions.*</option> options.
You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command> You can use <command>nix-instantiate --eval --strict '&lt;nixpkgs/nixos&gt;' -A config.services.znc.config</command>
to view the current value of the config. to view the current value of the config.
</para>
<para>
In any case, if you need more flexibility, In any case, if you need more flexibility,
<option>services.znc.config</option> can be used to override/add to <option>services.znc.config</option> can be used to override/add to
all of the legacy options. all of the legacy options.

View File

@@ -172,8 +172,7 @@ in
default = false; default = false;
description = '' description = ''
Support setting monitor brightness via DDC. Support setting monitor brightness via DDC.
</para>
<para>
This is not needed for controlling brightness of the internal monitor This is not needed for controlling brightness of the internal monitor
of a laptop and as it is considered experimental by upstream, it is of a laptop and as it is considered experimental by upstream, it is
disabled by default. disabled by default.

View File

@@ -335,7 +335,7 @@ in
''; '';
description = '' description = ''
The name of the system used in the <option>system.build.toplevel</option> derivation. The name of the system used in the <option>system.build.toplevel</option> derivation.
</para><para>
That derivation has the following name: That derivation has the following name:
<literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal> <literal>"nixos-system-''${config.system.name}-''${config.system.nixos.label}"</literal>
''; '';

View File

@@ -624,9 +624,9 @@ in
type = types.bool; type = types.bool;
description = '' description = ''
Whether to invoke <literal>grub-install</literal> with Whether to invoke <literal>grub-install</literal> with
<literal>--removable</literal>.</para> <literal>--removable</literal>.
<para>Unless you turn this on, GRUB will install itself somewhere in Unless you turn this on, GRUB will install itself somewhere in
<literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where
depends on other config variables). If you've set depends on other config variables). If you've set
<literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you
@@ -637,14 +637,14 @@ in
NVRAM will not be modified, and your system will not find GRUB at NVRAM will not be modified, and your system will not find GRUB at
boot time. However, GRUB will still return success so you may miss boot time. However, GRUB will still return success so you may miss
the warning that gets printed ("<literal>efibootmgr: EFI variables the warning that gets printed ("<literal>efibootmgr: EFI variables
are not supported on this system.</literal>").</para> are not supported on this system.</literal>").
<para>If you turn this feature on, GRUB will install itself in a If you turn this feature on, GRUB will install itself in a
special location within <literal>efiSysMountPoint</literal> (namely special location within <literal>efiSysMountPoint</literal> (namely
<literal>EFI/boot/boot$arch.efi</literal>) which the firmwares <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares
are hardcoded to try first, regardless of NVRAM EFI variables.</para> are hardcoded to try first, regardless of NVRAM EFI variables.
<para>To summarize, turn this on if: To summarize, turn this on if:
<itemizedlist> <itemizedlist>
<listitem><para>You are installing NixOS and want it to boot in UEFI mode, <listitem><para>You are installing NixOS and want it to boot in UEFI mode,
but you are currently booted in legacy mode</para></listitem> but you are currently booted in legacy mode</para></listitem>
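Review bot: dropping the `<para>` in front of `To summarize, turn this on if:` leaves its matching `</para>` (after the `</itemizedlist>`, outside this hunk) without an opener unless it was removed in the same change; please confirm, because the XSLT now opens that paragraph from the blank line and a stray close tag would unbalance the generated DocBook. The `<para>If you turn this feature on` / `NVRAM EFI variables.</para>` pair is handled consistently on both ends within this hunk.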

View File

@@ -33,9 +33,7 @@ in
terminated. If false, the scope is "abandoned" (see terminated. If false, the scope is "abandoned" (see
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#"> <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.scope.html#">
systemd.scope(5)</link>), and processes are not killed. systemd.scope(5)</link>), and processes are not killed.
</para>
<para>
See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link> See <link xlink:href="https://www.freedesktop.org/software/systemd/man/logind.conf.html#KillUserProcesses=">logind.conf(5)</link>
for more details. for more details.
''; '';
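Review bot: the header counts (`-33,9 +33,7`) show the `</para>` and `<para>` lines removed with nothing added, so the paragraph break before `See ... logind.conf(5)` survives only if a blank line already sat between the two tags in the source; please confirm in the rendered option manual that the two sentences still come out as separate paragraphs rather than merging into one.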

View File

@@ -28,7 +28,7 @@ in
description = '' description = ''
SCSI link power management policy. The kernel default is SCSI link power management policy. The kernel default is
"max_performance". "max_performance".
</para><para>
"med_power_with_dipm" is supported by kernel versions "med_power_with_dipm" is supported by kernel versions
4.15 and newer. 4.15 and newer.
''; '';