diff options
| author | pennae <github@quasiparticle.net> | 2022-08-30 01:13:36 +0200 |
|---|---|---|
| committer | pennae <github@quasiparticle.net> | 2022-08-31 16:32:53 +0200 |
| commit | e4f876eb7e57f75c52d73b630258e6d85766d8f4 (patch) | |
| tree | 2a916a22f89984e3877052669b552740940a26c7 | |
| parent | c915b915b5e466a0b0b2af2906cd4d2380b8a1de (diff) | |
nixos/*: convert varlist-using options to MD
there are sufficiently few variable list around, and they are sufficiently simple, that it doesn't seem helpful to add another markdown extension for them. rendering differences are small, except in the tor module: admonitions inside other blocks cannot be made to work well with mistune (and likely most other markdown processors), so those had to be shuffled a bit. we also lose paragraph breaks in the list items due to how we have to render from markdown to docbook, but once we remove docbook from the pipeline those paragraph breaks will be restored.
| -rw-r--r-- | nixos/modules/security/misc.nix | 37 | ||||
| -rw-r--r-- | nixos/modules/services/computing/boinc/client.nix | 43 | ||||
| -rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 30 | ||||
| -rw-r--r-- | nixos/modules/services/security/tor.nix | 172 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 44 |
5 files changed, 108 insertions, 218 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 6833452a570e1..cd48eade7784f 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -83,34 +83,19 @@ with lib; security.virtualisation.flushL1DataCache = mkOption { type = types.nullOr (types.enum [ "never" "cond" "always" ]); default = null; - description = '' + description = lib.mdDoc '' Whether the hypervisor should flush the L1 data cache before entering guests. - See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>. - - <variablelist> - <varlistentry> - <term><literal>null</literal></term> - <listitem><para>uses the kernel default</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"never"</literal></term> - <listitem><para>disables L1 data cache flushing entirely. - May be appropriate if all guests are trusted.</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"cond"</literal></term> - <listitem><para>flushes L1 data cache only for pre-determined - code paths. May leak information about the host address space - layout.</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"always"</literal></term> - <listitem><para>flushes L1 data cache every time the hypervisor - enters the guest. May incur significant performance cost. - </para></listitem> - </varlistentry> - </variablelist> + See also [](#opt-security.allowSimultaneousMultithreading). + + - `null`: uses the kernel default + - `"never"`: disables L1 data cache flushing entirely. + May be appropriate if all guests are trusted. + - `"cond"`: flushes L1 data cache only for pre-determined + code paths. May leak information about the host address space + layout. + - `"always"`: flushes L1 data cache every time the hypervisor + enters the guest. May incur significant performance cost. ''; }; }; diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix index ec88be95ecbfc..bfa2dbd4d0af1 100644 --- a/nixos/modules/services/computing/boinc/client.nix +++ b/nixos/modules/services/computing/boinc/client.nix @@ -61,36 +61,23 @@ in type = types.listOf types.package; default = []; example = literalExpression "[ pkgs.virtualbox ]"; - description = '' + description = lib.mdDoc '' Additional packages to make available in the environment in which BOINC will run. Common choices are: - <variablelist> - <varlistentry> - <term><varname>pkgs.virtualbox</varname></term> - <listitem><para> - The VirtualBox virtual machine framework. Required by some BOINC - projects, such as ATLAS@home. - </para></listitem> - </varlistentry> - <varlistentry> - <term><varname>pkgs.ocl-icd</varname></term> - <listitem><para> - OpenCL infrastructure library. Required by BOINC projects that - use OpenCL, in addition to a device-specific OpenCL driver. - </para></listitem> - </varlistentry> - <varlistentry> - <term><varname>pkgs.linuxPackages.nvidia_x11</varname></term> - <listitem><para> - Provides CUDA libraries. Required by BOINC projects that use - CUDA. Note that this requires an NVIDIA graphics device to be - present on the system. - </para><para> - Also provides OpenCL drivers for NVIDIA GPUs; - <varname>pkgs.ocl-icd</varname> is also needed in this case. - </para></listitem> - </varlistentry> - </variablelist> + + - {var}`pkgs.virtualbox`: + The VirtualBox virtual machine framework. Required by some BOINC + projects, such as ATLAS@home. + - {var}`pkgs.ocl-icd`: + OpenCL infrastructure library. Required by BOINC projects that + use OpenCL, in addition to a device-specific OpenCL driver. + - {var}`pkgs.linuxPackages.nvidia_x11`: + Provides CUDA libraries. Required by BOINC projects that use + CUDA. Note that this requires an NVIDIA graphics device to be + present on the system. + + Also provides OpenCL drivers for NVIDIA GPUs; + {var}`pkgs.ocl-icd` is also needed in this case. ''; }; }; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index d5d562e7ba5f1..c9e54f9b92206 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -106,30 +106,14 @@ let type = types.either types.str (types.enum ["permanent" "preserve" "random" "stable"]); default = "preserve"; example = "00:11:22:33:44:55"; - description = '' + description = lib.mdDoc '' Set the MAC address of the interface. - <variablelist> - <varlistentry> - <term>"XX:XX:XX:XX:XX:XX"</term> - <listitem><para>MAC address of the interface</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"permanent"</literal></term> - <listitem><para>Use the permanent MAC address of the device</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"preserve"</literal></term> - <listitem><para>Don’t change the MAC address of the device upon activation</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"random"</literal></term> - <listitem><para>Generate a randomized value upon each connect</para></listitem> - </varlistentry> - <varlistentry> - <term><literal>"stable"</literal></term> - <listitem><para>Generate a stable, hashed MAC address</para></listitem> - </varlistentry> - </variablelist> + + - `"XX:XX:XX:XX:XX:XX"`: MAC address of the interface + - `"permanent"`: Use the permanent MAC address of the device + - `"preserve"`: Don’t change the MAC address of the device upon activation + - `"random"`: Generate a randomized value upon each connect + - `"stable"`: Generate a stable, hashed MAC address ''; }; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 269354c151591..75f9cf3cc7f45 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -305,133 +305,87 @@ in role = mkOption { type = types.enum [ "exit" "relay" "bridge" "private-bridge" ]; - description = '' + description = lib.mdDoc '' Your role in Tor network. There're several options: - <variablelist> - <varlistentry> - <term><literal>exit</literal></term> - <listitem> - <para> - An exit relay. This allows Tor users to access regular - Internet services through your public IP. - </para> + - `exit`: + An exit relay. This allows Tor users to access regular + Internet services through your public IP. - <important><para> - Running an exit relay may expose you to abuse - complaints. See - <link xlink:href="https://www.torproject.org/faq.html.en#ExitPolicies"/> - for more info. - </para></important> + You can specify which services Tor users may access via + your exit relay using {option}`settings.ExitPolicy` option. - <para> - You can specify which services Tor users may access via - your exit relay using <option>settings.ExitPolicy</option> option. - </para> - </listitem> - </varlistentry> + - `relay`: + Regular relay. This allows Tor users to relay onion + traffic to other Tor nodes, but not to public + Internet. - <varlistentry> - <term><literal>relay</literal></term> - <listitem> - <para> - Regular relay. This allows Tor users to relay onion - traffic to other Tor nodes, but not to public - Internet. - </para> + See + <https://www.torproject.org/docs/tor-doc-relay.html.en> + for more info. - <important><para> - Note that some misconfigured and/or disrespectful - towards privacy sites will block you even if your - relay is not an exit relay. That is, just being listed - in a public relay directory can have unwanted - consequences. + - `bridge`: + Regular bridge. Works like a regular relay, but + doesn't list you in the public relay directory and + hides your Tor node behind obfs4proxy. - Which means you might not want to use - this role if you browse public Internet from the same - network as your relay, unless you want to write - e-mails to those sites (you should!). - </para></important> + Using this option will make Tor advertise your bridge + to users through various mechanisms like + <https://bridges.torproject.org/>, though. - <para> - See - <link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en"/> - for more info. - </para> - </listitem> - </varlistentry> + See <https://www.torproject.org/docs/bridges.html.en> + for more info. - <varlistentry> - <term><literal>bridge</literal></term> - <listitem> - <para> - Regular bridge. Works like a regular relay, but - doesn't list you in the public relay directory and - hides your Tor node behind obfs4proxy. - </para> + - `private-bridge`: + Private bridge. Works like regular bridge, but does + not advertise your node in any way. - <para> - Using this option will make Tor advertise your bridge - to users through various mechanisms like - <link xlink:href="https://bridges.torproject.org/"/>, though. - </para> + Using this role means that you won't contribute to Tor + network in any way unless you advertise your node + yourself in some way. - <important> - <para> - WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE. - Consult with your lawyer when in doubt. - </para> + Use this if you want to run a private bridge, for + example because you'll give out your bridge addr + manually to your friends. - <para> - This role should be safe to use in most situations - (unless the act of forwarding traffic for others is - a punishable offence under your local laws, which - would be pretty insane as it would make ISP illegal). - </para> - </important> + Switching to this role after measurable time in + "bridge" role is pretty useless as some Tor users + would have learned about your node already. In the + latter case you can still change + {option}`port` option. - <para> - See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/> - for more info. - </para> - </listitem> - </varlistentry> + See <https://www.torproject.org/docs/bridges.html.en> + for more info. - <varlistentry> - <term><literal>private-bridge</literal></term> - <listitem> - <para> - Private bridge. Works like regular bridge, but does - not advertise your node in any way. - </para> + ::: {.important} + Running an exit relay may expose you to abuse + complaints. See + <https://www.torproject.org/faq.html.en#ExitPolicies> + for more info. + ::: - <para> - Using this role means that you won't contribute to Tor - network in any way unless you advertise your node - yourself in some way. - </para> + ::: {.important} + Note that some misconfigured and/or disrespectful + towards privacy sites will block you even if your + relay is not an exit relay. That is, just being listed + in a public relay directory can have unwanted + consequences. - <para> - Use this if you want to run a private bridge, for - example because you'll give out your bridge addr - manually to your friends. - </para> + Which means you might not want to use + this role if you browse public Internet from the same + network as your relay, unless you want to write + e-mails to those sites (you should!). + ::: - <para> - Switching to this role after measurable time in - "bridge" role is pretty useless as some Tor users - would have learned about your node already. In the - latter case you can still change - <option>port</option> option. - </para> + ::: {.important} + WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE. + Consult with your lawyer when in doubt. - <para> - See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/> - for more info. - </para> - </listitem> - </varlistentry> - </variablelist> + The `bridge` role should be safe to use in most situations + (unless the act of forwarding traffic for others is + a punishable offence under your local laws, which + would be pretty insane as it would make ISP illegal). + ::: ''; }; diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 26bed24eed276..82684f5e52085 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -366,41 +366,21 @@ in type = enum [ "edge" "reencrypt" "passthrough" "none" ]; default = "none"; example = "edge"; - description = '' + description = lib.mdDoc '' The proxy address forwarding mode if the server is behind a reverse proxy. - <variablelist> - <varlistentry> - <term>edge</term> - <listitem> - <para> - Enables communication through HTTP between the - proxy and Keycloak. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>reencrypt</term> - <listitem> - <para> - Requires communication through HTTPS between the - proxy and Keycloak. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>passthrough</term> - <listitem> - <para> - Enables communication through HTTP or HTTPS between - the proxy and Keycloak. - </para> - </listitem> - </varlistentry> - </variablelist> - - See <link xlink:href="https://www.keycloak.org/server/reverseproxy"/> for more information. + - `edge`: + Enables communication through HTTP between the + proxy and Keycloak. + - `reencrypt`: + Requires communication through HTTPS between the + proxy and Keycloak. + - `passthrough`: + Enables communication through HTTP or HTTPS between + the proxy and Keycloak. + + See <https://www.keycloak.org/server/reverseproxy> for more information. ''; }; }; |