-rw-r--r--nixos/modules/security/misc.nix37
-rw-r--r--nixos/modules/services/computing/boinc/client.nix43
-rw-r--r--nixos/modules/services/networking/networkmanager.nix30
-rw-r--r--nixos/modules/services/security/tor.nix172
-rw-r--r--nixos/modules/services/web-apps/keycloak.nix44
5 files changed, 108 insertions, 218 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 6833452a570e1..cd48eade7784f 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -83,34 +83,19 @@ with lib;
     security.virtualisation.flushL1DataCache = mkOption {
       type = types.nullOr (types.enum [ "never" "cond" "always" ]);
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         Whether the hypervisor should flush the L1 data cache before
         entering guests.
-        See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
-
-        <variablelist>
-          <varlistentry>
-            <term><literal>null</literal></term>
-            <listitem><para>uses the kernel default</para></listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><literal>"never"</literal></term>
-            <listitem><para>disables L1 data cache flushing entirely.
-            May be appropriate if all guests are trusted.</para></listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><literal>"cond"</literal></term>
-            <listitem><para>flushes L1 data cache only for pre-determined
-            code paths.  May leak information about the host address space
-            layout.</para></listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><literal>"always"</literal></term>
-            <listitem><para>flushes L1 data cache every time the hypervisor
-            enters the guest.  May incur significant performance cost.
-            </para></listitem>
-          </varlistentry>
-        </variablelist>
+        See also [](#opt-security.allowSimultaneousMultithreading).
+
+        - `null`: uses the kernel default
+        - `"never"`: disables L1 data cache flushing entirely.
+          May be appropriate if all guests are trusted.
+        - `"cond"`: flushes L1 data cache only for pre-determined
+          code paths.  May leak information about the host address space
+          layout.
+        - `"always"`: flushes L1 data cache every time the hypervisor
+          enters the guest.  May incur significant performance cost.
       '';
     };
   };
diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix
index ec88be95ecbfc..bfa2dbd4d0af1 100644
--- a/nixos/modules/services/computing/boinc/client.nix
+++ b/nixos/modules/services/computing/boinc/client.nix
@@ -61,36 +61,23 @@ in
         type = types.listOf types.package;
         default = [];
         example = literalExpression "[ pkgs.virtualbox ]";
-        description = ''
+        description = lib.mdDoc ''
           Additional packages to make available in the environment in which
           BOINC will run. Common choices are:
-          <variablelist>
-            <varlistentry>
-              <term><varname>pkgs.virtualbox</varname></term>
-              <listitem><para>
-                The VirtualBox virtual machine framework. Required by some BOINC
-                projects, such as ATLAS@home.
-              </para></listitem>
-            </varlistentry>
-            <varlistentry>
-              <term><varname>pkgs.ocl-icd</varname></term>
-              <listitem><para>
-                OpenCL infrastructure library. Required by BOINC projects that
-                use OpenCL, in addition to a device-specific OpenCL driver.
-              </para></listitem>
-            </varlistentry>
-            <varlistentry>
-              <term><varname>pkgs.linuxPackages.nvidia_x11</varname></term>
-              <listitem><para>
-                Provides CUDA libraries. Required by BOINC projects that use
-                CUDA. Note that this requires an NVIDIA graphics device to be
-                present on the system.
-              </para><para>
-                Also provides OpenCL drivers for NVIDIA GPUs;
-                <varname>pkgs.ocl-icd</varname> is also needed in this case.
-              </para></listitem>
-            </varlistentry>
-          </variablelist>
+
+          - {var}`pkgs.virtualbox`:
+            The VirtualBox virtual machine framework. Required by some BOINC
+            projects, such as ATLAS@home.
+          - {var}`pkgs.ocl-icd`:
+            OpenCL infrastructure library. Required by BOINC projects that
+            use OpenCL, in addition to a device-specific OpenCL driver.
+          - {var}`pkgs.linuxPackages.nvidia_x11`:
+            Provides CUDA libraries. Required by BOINC projects that use
+            CUDA. Note that this requires an NVIDIA graphics device to be
+            present on the system.
+
+            Also provides OpenCL drivers for NVIDIA GPUs;
+            {var}`pkgs.ocl-icd` is also needed in this case.
         '';
       };
     };
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index d5d562e7ba5f1..c9e54f9b92206 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -106,30 +106,14 @@ let
     type = types.either types.str (types.enum ["permanent" "preserve" "random" "stable"]);
     default = "preserve";
     example = "00:11:22:33:44:55";
-    description = ''
+    description = lib.mdDoc ''
       Set the MAC address of the interface.
-      <variablelist>
-        <varlistentry>
-          <term>"XX:XX:XX:XX:XX:XX"</term>
-          <listitem><para>MAC address of the interface</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><literal>"permanent"</literal></term>
-          <listitem><para>Use the permanent MAC address of the device</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><literal>"preserve"</literal></term>
-          <listitem><para>Don’t change the MAC address of the device upon activation</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><literal>"random"</literal></term>
-          <listitem><para>Generate a randomized value upon each connect</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><literal>"stable"</literal></term>
-          <listitem><para>Generate a stable, hashed MAC address</para></listitem>
-        </varlistentry>
-      </variablelist>
+
+      - `"XX:XX:XX:XX:XX:XX"`: MAC address of the interface
+      - `"permanent"`: Use the permanent MAC address of the device
+      - `"preserve"`: Don’t change the MAC address of the device upon activation
+      - `"random"`: Generate a randomized value upon each connect
+      - `"stable"`: Generate a stable, hashed MAC address
     '';
   };
 
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 269354c151591..75f9cf3cc7f45 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -305,133 +305,87 @@ in
 
         role = mkOption {
           type = types.enum [ "exit" "relay" "bridge" "private-bridge" ];
-          description = ''
+          description = lib.mdDoc ''
             Your role in Tor network. There're several options:
 
-            <variablelist>
-            <varlistentry>
-              <term><literal>exit</literal></term>
-              <listitem>
-                <para>
-                  An exit relay. This allows Tor users to access regular
-                  Internet services through your public IP.
-                </para>
+            - `exit`:
+              An exit relay. This allows Tor users to access regular
+              Internet services through your public IP.
 
-                <important><para>
-                  Running an exit relay may expose you to abuse
-                  complaints. See
-                  <link xlink:href="https://www.torproject.org/faq.html.en#ExitPolicies"/>
-                  for more info.
-                </para></important>
+              You can specify which services Tor users may access via
+              your exit relay using {option}`settings.ExitPolicy` option.
 
-                <para>
-                  You can specify which services Tor users may access via
-                  your exit relay using <option>settings.ExitPolicy</option> option.
-                </para>
-              </listitem>
-            </varlistentry>
+            - `relay`:
+              Regular relay. This allows Tor users to relay onion
+              traffic to other Tor nodes, but not to public
+              Internet.
 
-            <varlistentry>
-              <term><literal>relay</literal></term>
-              <listitem>
-                <para>
-                  Regular relay. This allows Tor users to relay onion
-                  traffic to other Tor nodes, but not to public
-                  Internet.
-                </para>
+              See
+              <https://www.torproject.org/docs/tor-doc-relay.html.en>
+              for more info.
 
-                <important><para>
-                  Note that some misconfigured and/or disrespectful
-                  towards privacy sites will block you even if your
-                  relay is not an exit relay. That is, just being listed
-                  in a public relay directory can have unwanted
-                  consequences.
+            - `bridge`:
+              Regular bridge. Works like a regular relay, but
+              doesn't list you in the public relay directory and
+              hides your Tor node behind obfs4proxy.
 
-                  Which means you might not want to use
-                  this role if you browse public Internet from the same
-                  network as your relay, unless you want to write
-                  e-mails to those sites (you should!).
-                </para></important>
+              Using this option will make Tor advertise your bridge
+              to users through various mechanisms like
+              <https://bridges.torproject.org/>, though.
 
-                <para>
-                  See
-                  <link xlink:href="https://www.torproject.org/docs/tor-doc-relay.html.en"/>
-                  for more info.
-                </para>
-              </listitem>
-            </varlistentry>
+              See <https://www.torproject.org/docs/bridges.html.en>
+              for more info.
 
-            <varlistentry>
-              <term><literal>bridge</literal></term>
-              <listitem>
-                <para>
-                  Regular bridge. Works like a regular relay, but
-                  doesn't list you in the public relay directory and
-                  hides your Tor node behind obfs4proxy.
-                </para>
+            - `private-bridge`:
+              Private bridge. Works like regular bridge, but does
+              not advertise your node in any way.
 
-                <para>
-                  Using this option will make Tor advertise your bridge
-                  to users through various mechanisms like
-                  <link xlink:href="https://bridges.torproject.org/"/>, though.
-                </para>
+              Using this role means that you won't contribute to Tor
+              network in any way unless you advertise your node
+              yourself in some way.
 
-                <important>
-                  <para>
-                    WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE.
-                    Consult with your lawyer when in doubt.
-                  </para>
+              Use this if you want to run a private bridge, for
+              example because you'll give out your bridge addr
+              manually to your friends.
 
-                  <para>
-                    This role should be safe to use in most situations
-                    (unless the act of forwarding traffic for others is
-                    a punishable offence under your local laws, which
-                    would be pretty insane as it would make ISP illegal).
-                  </para>
-                </important>
+              Switching to this role after measurable time in
+              "bridge" role is pretty useless as some Tor users
+              would have learned about your node already. In the
+              latter case you can still change
+              {option}`port` option.
 
-                <para>
-                  See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/>
-                  for more info.
-                </para>
-              </listitem>
-            </varlistentry>
+              See <https://www.torproject.org/docs/bridges.html.en>
+              for more info.
 
-            <varlistentry>
-              <term><literal>private-bridge</literal></term>
-              <listitem>
-                <para>
-                  Private bridge. Works like regular bridge, but does
-                  not advertise your node in any way.
-                </para>
+            ::: {.important}
+            Running an exit relay may expose you to abuse
+            complaints. See
+            <https://www.torproject.org/faq.html.en#ExitPolicies>
+            for more info.
+            :::
 
-                <para>
-                  Using this role means that you won't contribute to Tor
-                  network in any way unless you advertise your node
-                  yourself in some way.
-                </para>
+            ::: {.important}
+            Note that some misconfigured and/or disrespectful
+            towards privacy sites will block you even if your
+            relay is not an exit relay. That is, just being listed
+            in a public relay directory can have unwanted
+            consequences.
 
-                <para>
-                  Use this if you want to run a private bridge, for
-                  example because you'll give out your bridge addr
-                  manually to your friends.
-                </para>
+            Which means you might not want to use
+            this role if you browse public Internet from the same
+            network as your relay, unless you want to write
+            e-mails to those sites (you should!).
+            :::
 
-                <para>
-                  Switching to this role after measurable time in
-                  "bridge" role is pretty useless as some Tor users
-                  would have learned about your node already. In the
-                  latter case you can still change
-                  <option>port</option> option.
-                </para>
+            ::: {.important}
+            WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE.
+            Consult with your lawyer when in doubt.
 
-                <para>
-                  See <link xlink:href="https://www.torproject.org/docs/bridges.html.en"/>
-                  for more info.
-                </para>
-              </listitem>
-            </varlistentry>
-            </variablelist>
+            The `bridge` role should be safe to use in most situations
+            (unless the act of forwarding traffic for others is
+            a punishable offence under your local laws, which
+            would be pretty insane as it would make ISP illegal).
+            :::
           '';
         };
 
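Review bot: The three `::: {.important}` admonitions added at the end of the description (the block starting at `::: {.important}` after the `private-bridge` bullet) are no longer attached to the role each one qualifies, and the second one has lost its referent: "you might not want to use this role" used to sit inside the `relay` entry, but in the new text the nearest role is `private-bridge`, so a reader is likely to draw the wrong conclusion about which role gets the node listed in the public relay directory. The first admonition survives because it still says "exit relay" and the third was rewritten to name `bridge`, so only the second needs the role restored; I would change the opening line to `If you run in the `relay` role, note that some misconfigured and/or disrespectful` and the follow-up to `Which means you might not want to use the `relay` role if you browse public Internet from the same`. Alternatively the admonitions could be moved back under their bullets (mdDoc lists accept nested fenced blocks), which keeps the warning next to the choice it concerns.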
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 26bed24eed276..82684f5e52085 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -366,41 +366,21 @@ in
               type = enum [ "edge" "reencrypt" "passthrough" "none" ];
               default = "none";
               example = "edge";
-              description = ''
+              description = lib.mdDoc ''
                 The proxy address forwarding mode if the server is
                 behind a reverse proxy.
 
-                <variablelist>
-                  <varlistentry>
-                    <term>edge</term>
-                    <listitem>
-                      <para>
-                        Enables communication through HTTP between the
-                        proxy and Keycloak.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-                  <varlistentry>
-                    <term>reencrypt</term>
-                    <listitem>
-                      <para>
-                        Requires communication through HTTPS between the
-                        proxy and Keycloak.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-                  <varlistentry>
-                    <term>passthrough</term>
-                    <listitem>
-                      <para>
-                        Enables communication through HTTP or HTTPS between
-                        the proxy and Keycloak.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                See <link xlink:href="https://www.keycloak.org/server/reverseproxy"/> for more information.
+                - `edge`:
+                  Enables communication through HTTP between the
+                  proxy and Keycloak.
+                - `reencrypt`:
+                  Requires communication through HTTPS between the
+                  proxy and Keycloak.
+                - `passthrough`:
+                  Enables communication through HTTP or HTTPS between
+                  the proxy and Keycloak.
+
+                See <https://www.keycloak.org/server/reverseproxy> for more information.
               '';
             };
           };
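Review bot: The rewritten list documents `edge`, `reencrypt` and `passthrough` but still says nothing about `none`, which is the enum's default (`default = "none";` two lines above the description) and the mode a user ends up in without reading further; this was also missing in the DocBook version, but the conversion is the natural place to complete the list. A one-line bullet such as `- `none`: disables proxy mode; use this when Keycloak is not behind a reverse proxy (see the linked Keycloak reverse-proxy page for the exact semantics)` would close the gap, with the wording checked against the page already linked at the end of the description. The option definition is fully inside the hunk, so no other caller text needs to change.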