authorpennae <github@quasiparticle.net>2022-08-03 22:46:41 +0200
committerpennae <github@quasiparticle.net>2022-08-03 22:46:41 +0200
commit61e93df1891972bae3e0c97a477bd44e8a477aa0 (patch)
tree4285c1d22db537fb02baf1e978eb4434b0276b0c /nixos/modules/security
parent645cfa59ac5690187eac40ef2ac67381668acecc (diff)
nixos/*: automatically convert option docs to MD
once again using nix-doc-munge (https://github.com/pennae/nix-doc-munge/commit/69d080323ae27c0d8da3967c62b925a9aedb2828)
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/acme/default.nix4
-rw-r--r--nixos/modules/security/doas.nix60
-rw-r--r--nixos/modules/security/misc.nix4
-rw-r--r--nixos/modules/security/pam.nix100
-rw-r--r--nixos/modules/security/pam_mount.nix12
-rw-r--r--nixos/modules/security/pam_usb.nix4
-rw-r--r--nixos/modules/security/sudo.nix20
7 files changed, 102 insertions, 102 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 4bc3d8e743d39..a1d8c533304ac 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -504,8 +504,8 @@ let
       reloadServices = mkOption {
         type = types.listOf types.str;
         inherit (defaultAndText "reloadServices" []) default defaultText;
-        description = ''
-          The list of systemd services to call <literal>systemctl try-reload-or-restart</literal>
+        description = lib.mdDoc ''
+          The list of systemd services to call `systemctl try-reload-or-restart`
           on.
         '';
       };
diff --git a/nixos/modules/security/doas.nix b/nixos/modules/security/doas.nix
index 2641548221a95..4d15ed9a80259 100644
--- a/nixos/modules/security/doas.nix
+++ b/nixos/modules/security/doas.nix
@@ -62,19 +62,19 @@ in
     wheelNeedsPassword = mkOption {
       type = with types; bool;
       default = true;
-      description = ''
-        Whether users of the <literal>wheel</literal> group must provide a password to
-        run commands as super user via <command>doas</command>.
+      description = lib.mdDoc ''
+        Whether users of the `wheel` group must provide a password to
+        run commands as super user via {command}`doas`.
       '';
     };
 
     extraRules = mkOption {
       default = [];
-      description = ''
+      description = lib.mdDoc ''
         Define specific rules to be set in the
-        <filename>/etc/doas.conf</filename> file. More specific rules should
+        {file}`/etc/doas.conf` file. More specific rules should
         come after more general ones in order to yield the expected behavior.
-        You can use <literal>mkBefore</literal> and/or <literal>mkAfter</literal> to ensure
+        You can use `mkBefore` and/or `mkAfter` to ensure
         this is the case when configuration options are merged.
       '';
       example = literalExpression ''
@@ -113,8 +113,8 @@ in
             noPass = mkOption {
               type = with types; bool;
               default = false;
-              description = ''
-                If <literal>true</literal>, the user is not required to enter a
+              description = lib.mdDoc ''
+                If `true`, the user is not required to enter a
                 password.
               '';
             };
@@ -122,18 +122,18 @@ in
             noLog = mkOption {
               type = with types; bool;
               default = false;
-              description = ''
-                If <literal>true</literal>, successful executions will not be logged
+              description = lib.mdDoc ''
+                If `true`, successful executions will not be logged
                 to
-                <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+                {manpage}`syslogd(8)`.
               '';
             };
 
             persist = mkOption {
               type = with types; bool;
               default = false;
-              description = ''
-                If <literal>true</literal>, do not ask for a password again for some
+              description = lib.mdDoc ''
+                If `true`, do not ask for a password again for some
                 time after the user successfully authenticates.
               '';
             };
@@ -141,10 +141,10 @@ in
             keepEnv = mkOption {
               type = with types; bool;
               default = false;
-              description = ''
-                If <literal>true</literal>, environment variables other than those
+              description = lib.mdDoc ''
+                If `true`, environment variables other than those
                 listed in
-                <citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                {manpage}`doas(1)`
                 are kept when creating the environment for the new process.
               '';
             };
@@ -152,18 +152,18 @@ in
             setEnv = mkOption {
               type = with types; listOf str;
               default = [];
-              description = ''
+              description = lib.mdDoc ''
                 Keep or set the specified variables. Variables may also be
                 removed with a leading '-' or set using
-                <literal>variable=value</literal>. If the first character of
-                <literal>value</literal> is a '$', the value to be set is taken from
+                `variable=value`. If the first character of
+                `value` is a '$', the value to be set is taken from
                 the existing environment variable of the indicated name. This
                 option is processed after the default environment has been
                 created.
 
-                NOTE: All rules have <literal>setenv { SSH_AUTH_SOCK }</literal> by
-                default. To prevent <literal>SSH_AUTH_SOCK</literal> from being
-                inherited, add <literal>"-SSH_AUTH_SOCK"</literal> anywhere in this
+                NOTE: All rules have `setenv { SSH_AUTH_SOCK }` by
+                default. To prevent `SSH_AUTH_SOCK` from being
+                inherited, add `"-SSH_AUTH_SOCK"` anywhere in this
                 list.
               '';
             };
@@ -183,23 +183,23 @@ in
             runAs = mkOption {
               type = with types; nullOr str;
               default = null;
-              description = ''
+              description = lib.mdDoc ''
                 Which user or group the specified command is allowed to run as.
-                When set to <literal>null</literal> (the default), all users are
+                When set to `null` (the default), all users are
                 allowed.
 
                 A user can be specified using just the username:
-                <literal>"foo"</literal>. It is also possible to only allow running as
-                a specific group with <literal>":bar"</literal>.
+                `"foo"`. It is also possible to only allow running as
+                a specific group with `":bar"`.
               '';
             };
 
             cmd = mkOption {
               type = with types; nullOr str;
               default = null;
-              description = ''
+              description = lib.mdDoc ''
                 The command the user is allowed to run. When set to
-                <literal>null</literal> (the default), all commands are allowed.
+                `null` (the default), all commands are allowed.
 
                 NOTE: It is best practice to specify absolute paths. If a
                 relative path is specified, only a restricted PATH will be
@@ -210,9 +210,9 @@ in
             args = mkOption {
               type = with types; nullOr (listOf str);
               default = null;
-              description = ''
+              description = lib.mdDoc ''
                 Arguments that must be provided to the command. When set to
-                <literal>[]</literal>, the command must be run without any arguments.
+                `[]`, the command must be run without any arguments.
               '';
             };
           };
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 3c83ff8d77397..6833452a570e1 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -52,7 +52,7 @@ with lib;
     security.allowSimultaneousMultithreading = mkOption {
       type = types.bool;
       default = true;
-      description = ''
+      description = lib.mdDoc ''
         Whether to allow SMT/hyperthreading.  Disabling SMT means that only
         physical CPU cores will be usable at runtime, potentially at
         significant performance cost.
@@ -62,7 +62,7 @@ with lib;
         e.g., shared caches).  This attack vector is unproven.
 
         Disabling SMT is a supplement to the L1 data cache flushing mitigation
-        (see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>)
+        (see [](#opt-security.virtualisation.flushL1DataCache))
         versus malicious VM guests (SMT could "bring back" previously flushed
         data).
       '';
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 8a70e5f3adbd4..2d0f256897844 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -807,14 +807,14 @@ in
         default = config.krb5.enable;
         defaultText = literalExpression "config.krb5.enable";
         type = types.bool;
-        description = ''
-          Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
-          <literal>pam-ccreds</literal>).
+        description = lib.mdDoc ''
+          Enables Kerberos PAM modules (`pam-krb5`,
+          `pam-ccreds`).
 
           If set, users can authenticate with their Kerberos password.
           This requires a valid Kerberos configuration
-          (<literal>config.krb5.enable</literal> should be set to
-          <literal>true</literal>).
+          (`config.krb5.enable` should be set to
+          `true`).
 
           Note that the Kerberos PAM modules are not necessary when using SSS
           to handle Kerberos authentication.
@@ -826,12 +826,12 @@ in
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = ''
-          Enables P11 PAM (<literal>pam_p11</literal>) module.
+        description = lib.mdDoc ''
+          Enables P11 PAM (`pam_p11`) module.
 
           If set, users can log in with SSH keys and PKCS#11 tokens.
 
-          More information can be found <link xlink:href="https://github.com/OpenSC/pam_p11">here</link>.
+          More information can be found [here](https://github.com/OpenSC/pam_p11).
         '';
       };
 
@@ -858,71 +858,71 @@ in
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = ''
-          Enables U2F PAM (<literal>pam-u2f</literal>) module.
+        description = lib.mdDoc ''
+          Enables U2F PAM (`pam-u2f`) module.
 
           If set, users listed in
-          <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
-          <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
+          {file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
+          {file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
           not set) are able to log in with the associated U2F key. The path can
-          be changed using <option>security.pam.u2f.authFile</option> option.
+          be changed using {option}`security.pam.u2f.authFile` option.
 
           File format is:
-          <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
-          This file can be generated using <command>pamu2fcfg</command> command.
+          `username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
+          This file can be generated using {command}`pamu2fcfg` command.
 
-          More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
+          More information can be found [here](https://developers.yubico.com/pam-u2f/).
         '';
       };
 
       authFile = mkOption {
         default = null;
         type = with types; nullOr path;
-        description = ''
-          By default <literal>pam-u2f</literal> module reads the keys from
-          <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
-          <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
+        description = lib.mdDoc ''
+          By default `pam-u2f` module reads the keys from
+          {file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
+          {file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
           not set).
 
           If you want to change auth file locations or centralize database (for
-          example use <filename>/etc/u2f-mappings</filename>) you can set this
+          example use {file}`/etc/u2f-mappings`) you can set this
           option.
 
           File format is:
-          <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
-          This file can be generated using <command>pamu2fcfg</command> command.
+          `username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
+          This file can be generated using {command}`pamu2fcfg` command.
 
-          More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
+          More information can be found [here](https://developers.yubico.com/pam-u2f/).
         '';
       };
 
       appId = mkOption {
         default = null;
         type = with types; nullOr str;
-        description = ''
-            By default <literal>pam-u2f</literal> module sets the application
-            ID to <literal>pam://$HOSTNAME</literal>.
+        description = lib.mdDoc ''
+            By default `pam-u2f` module sets the application
+            ID to `pam://$HOSTNAME`.
 
-            When using <command>pamu2fcfg</command>, you can specify your
-            application ID with the <literal>-i</literal> flag.
+            When using {command}`pamu2fcfg`, you can specify your
+            application ID with the `-i` flag.
 
-            More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">here</link>
+            More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
         '';
       };
 
       origin = mkOption {
         default = null;
         type = with types; nullOr str;
-        description = ''
-            By default <literal>pam-u2f</literal> module sets the origin
-            to <literal>pam://$HOSTNAME</literal>.
+        description = lib.mdDoc ''
+            By default `pam-u2f` module sets the origin
+            to `pam://$HOSTNAME`.
             Setting origin to an host independent value will allow you to
             reuse credentials across machines
 
-            When using <command>pamu2fcfg</command>, you can specify your
-            application ID with the <literal>-o</literal> flag.
+            When using {command}`pamu2fcfg`, you can specify your
+            application ID with the `-o` flag.
 
-            More information can be found <link xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">here</link>
+            More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
         '';
       };
 
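Review bot: In the converted `origin` description the sentence about {command}`pamu2fcfg` still says the `-o` flag sets the "application ID", which contradicts the option being documented and the `appId` description immediately above it, where `-i` is the flag for the application ID; `-o` is pamu2fcfg's origin flag, so the words `application ID` on that line should read `origin`. Since this is a copy of the `appId` text, the mismatch appears to predate the conversion, but the commit rewrites the line anyway and is the natural place to correct it. The two "More information can be found [here](...)" lines in `appId` and `origin` are also the only ones in this file without a trailing period; adding it keeps the rendered Markdown consistent with the other descriptions.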
@@ -978,17 +978,17 @@ in
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = ''
-          Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
+        description = lib.mdDoc ''
+          Enables Uber's USSH PAM (`pam-ussh`) module.
 
-          This is similar to <literal>pam-ssh-agent</literal>, except that
+          This is similar to `pam-ssh-agent`, except that
           the presence of a CA-signed SSH key with a valid principal is checked
           instead.
 
           Note that this module must both be enabled using this option and on a
-          per-PAM-service level as well (using <literal>usshAuth</literal>).
+          per-PAM-service level as well (using `usshAuth`).
 
-          More information can be found <link xlink:href="https://github.com/uber/pam-ussh">here</link>.
+          More information can be found [here](https://github.com/uber/pam-ussh).
         '';
       };
 
@@ -1067,16 +1067,16 @@ in
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = ''
-          Enables Yubico PAM (<literal>yubico-pam</literal>) module.
+        description = lib.mdDoc ''
+          Enables Yubico PAM (`yubico-pam`) module.
 
           If set, users listed in
-          <filename>~/.yubico/authorized_yubikeys</filename>
+          {file}`~/.yubico/authorized_yubikeys`
           are able to log in with the associated Yubikey tokens.
 
           The file must have only one line:
-          <literal>username:yubikey_token_id1:yubikey_token_id2</literal>
-          More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/">here</link>.
+          `username:yubikey_token_id1:yubikey_token_id2`
+          More information can be found [here](https://developers.yubico.com/yubico-pam/).
         '';
       };
       control = mkOption {
@@ -1111,7 +1111,7 @@ in
       mode = mkOption {
         default = "client";
         type = types.enum [ "client" "challenge-response" ];
-        description = ''
+        description = lib.mdDoc ''
           Mode of operation.
 
           Use "client" for online validation with a YubiKey validation service such as
@@ -1121,16 +1121,16 @@ in
           Challenge-Response configurations. See the man-page ykpamcfg(1) for further
           details on how to configure offline Challenge-Response validation.
 
-          More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+          More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
         '';
       };
       challengeResponsePath = mkOption {
         default = null;
         type = types.nullOr types.path;
-        description = ''
+        description = lib.mdDoc ''
           If not null, set the path used by yubico pam module where the challenge expected response is stored.
 
-          More information can be found <link xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
+          More information can be found [here](https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html).
         '';
       };
     };
diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix
index ae314abd86c60..11cc13a8cbeb2 100644
--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -31,9 +31,9 @@ in
       extraVolumes = mkOption {
         type = types.listOf types.str;
         default = [];
-        description = ''
+        description = lib.mdDoc ''
           List of volume definitions for pam_mount.
-          For more information, visit <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>.
+          For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
         '';
       };
 
@@ -63,20 +63,20 @@ in
         type = types.int;
         default = 0;
         example = 1;
-        description = ''
+        description = lib.mdDoc ''
           Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing,
           and 2 additionally enables tracing in mount.crypt. The default is 0.
-          For more information, visit <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>.
+          For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
         '';
       };
 
       logoutWait = mkOption {
         type = types.int;
         default = 0;
-        description = ''
+        description = lib.mdDoc ''
           Amount of microseconds to wait until killing remaining processes after
           final logout.
-          For more information, visit <link xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html"/>.
+          For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>.
         '';
       };
 
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 71e2af8f3a514..4275c26c6bdaa 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -17,9 +17,9 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = ''
+        description = lib.mdDoc ''
           Enable USB login for all login systems that support it.  For
-          more information, visit <link xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users"/>.
+          more information, visit <https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users>.
         '';
       };
 
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index c1a69aedde452..faa99a31a6d66 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -55,19 +55,19 @@ in
       type = types.bool;
       default = true;
       description =
-        ''
-          Whether users of the <literal>wheel</literal> group must
-          provide a password to run commands as super user via <command>sudo</command>.
+        lib.mdDoc ''
+          Whether users of the `wheel` group must
+          provide a password to run commands as super user via {command}`sudo`.
         '';
       };
 
     security.sudo.execWheelOnly = mkOption {
       type = types.bool;
       default = false;
-      description = ''
-        Only allow members of the <literal>wheel</literal> group to execute sudo by
+      description = lib.mdDoc ''
+        Only allow members of the `wheel` group to execute sudo by
         setting the executable's permissions accordingly.
-        This prevents users that are not members of <literal>wheel</literal> from
+        This prevents users that are not members of `wheel` from
         exploiting vulnerabilities in sudo such as CVE-2021-3156.
       '';
     };
@@ -139,12 +139,12 @@ in
           runAs = mkOption {
             type = with types; str;
             default = "ALL:ALL";
-            description = ''
+            description = lib.mdDoc ''
               Under which user/group the specified command is allowed to run.
 
-              A user can be specified using just the username: <literal>"foo"</literal>.
-              It is also possible to specify a user/group combination using <literal>"foo:bar"</literal>
-              or to only allow running as a specific group with <literal>":bar"</literal>.
+              A user can be specified using just the username: `"foo"`.
+              It is also possible to specify a user/group combination using `"foo:bar"`
+              or to only allow running as a specific group with `":bar"`.
             '';
           };