Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r--nixos/modules/services/security/aesmd.nix18
-rw-r--r--nixos/modules/services/security/authelia.nix50
-rw-r--r--nixos/modules/services/security/bitwarden-directory-connector-cli.nix63
-rw-r--r--nixos/modules/services/security/certmgr.nix28
-rw-r--r--nixos/modules/services/security/cfssl.nix46
-rw-r--r--nixos/modules/services/security/clamav.nix24
-rw-r--r--nixos/modules/services/security/endlessh-go.nix16
-rw-r--r--nixos/modules/services/security/endlessh.nix8
-rw-r--r--nixos/modules/services/security/esdm.nix4
-rw-r--r--nixos/modules/services/security/fail2ban.nix38
-rw-r--r--nixos/modules/services/security/fprintd.nix8
-rw-r--r--nixos/modules/services/security/haka.nix18
-rw-r--r--nixos/modules/services/security/haveged.nix6
-rw-r--r--nixos/modules/services/security/hockeypuck.nix6
-rw-r--r--nixos/modules/services/security/hologram-agent.nix6
-rw-r--r--nixos/modules/services/security/hologram-server.nix30
-rw-r--r--nixos/modules/services/security/infnoise.nix4
-rw-r--r--nixos/modules/services/security/intune.nix2
-rw-r--r--nixos/modules/services/security/jitterentropy-rngd.nix2
-rw-r--r--nixos/modules/services/security/kanidm.nix42
-rw-r--r--nixos/modules/services/security/munge.nix4
-rw-r--r--nixos/modules/services/security/nginx-sso.nix4
-rw-r--r--nixos/modules/services/security/oauth2_proxy.nix96
-rw-r--r--nixos/modules/services/security/oauth2_proxy_nginx.nix6
-rw-r--r--nixos/modules/services/security/opensnitch.nix28
-rw-r--r--nixos/modules/services/security/pass-secret-service.nix2
-rw-r--r--nixos/modules/services/security/physlock.nix16
-rw-r--r--nixos/modules/services/security/shibboleth-sp.nix10
-rw-r--r--nixos/modules/services/security/sks.nix14
-rw-r--r--nixos/modules/services/security/sshguard.nix16
-rw-r--r--nixos/modules/services/security/sslmate-agent.nix2
-rw-r--r--nixos/modules/services/security/step-ca.nix14
-rw-r--r--nixos/modules/services/security/tang.nix4
-rw-r--r--nixos/modules/services/security/tor.nix112
-rw-r--r--nixos/modules/services/security/torify.nix6
-rw-r--r--nixos/modules/services/security/torsocks.nix14
-rw-r--r--nixos/modules/services/security/usbguard.nix24
-rw-r--r--nixos/modules/services/security/vault-agent.nix16
-rw-r--r--nixos/modules/services/security/vault.nix26
-rw-r--r--nixos/modules/services/security/yubikey-agent.nix2
40 files changed, 416 insertions, 419 deletions
diff --git a/nixos/modules/services/security/aesmd.nix b/nixos/modules/services/security/aesmd.nix
index 8b3f010d7c4d0..864d408c0220a 100644
--- a/nixos/modules/services/security/aesmd.nix
+++ b/nixos/modules/services/security/aesmd.nix
@@ -19,16 +19,16 @@ let
 in
 {
   options.services.aesmd = {
-    enable = mkEnableOption (lib.mdDoc "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX");
+    enable = mkEnableOption "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX";
     debug = mkOption {
       type = types.bool;
       default = false;
-      description = lib.mdDoc "Whether to build the PSW package in debug mode.";
+      description = "Whether to build the PSW package in debug mode.";
     };
     environment = mkOption {
       type = with types; attrsOf str;
       default = { };
-      description = mdDoc "Additional environment variables to pass to the AESM service.";
+      description = "Additional environment variables to pass to the AESM service.";
       # Example environment variable for `sgx-azure-dcap-client` provider library
       example = {
         AZDCAP_COLLATERAL_VERSION = "v2";
@@ -39,23 +39,23 @@ in
       type = with types; nullOr path;
       default = null;
       example = literalExpression "pkgs.sgx-azure-dcap-client";
-      description = lib.mdDoc "Custom quote provider library to use.";
+      description = "Custom quote provider library to use.";
     };
     settings = mkOption {
-      description = lib.mdDoc "AESM configuration";
+      description = "AESM configuration";
       default = { };
       type = types.submodule {
         options.whitelistUrl = mkOption {
           type = with types; nullOr str;
           default = null;
           example = "http://whitelist.trustedservices.intel.com/SGX/LCWL/Linux/sgx_white_list_cert.bin";
-          description = lib.mdDoc "URL to retrieve authorized Intel SGX enclave signers.";
+          description = "URL to retrieve authorized Intel SGX enclave signers.";
         };
         options.proxy = mkOption {
           type = with types; nullOr str;
           default = null;
           example = "http://proxy_url:1234";
-          description = lib.mdDoc "HTTP network proxy.";
+          description = "HTTP network proxy.";
         };
         options.proxyType = mkOption {
           type = with types; nullOr (enum [ "default" "direct" "manual" ]);
@@ -64,7 +64,7 @@ in
             if (config.${opt.settings}.proxy != null) then "manual" else null
           '';
           example = "default";
-          description = lib.mdDoc ''
+          description = ''
             Type of proxy to use. The `default` uses the system's default proxy.
             If `direct` is given, uses no proxy.
             A value of `manual` uses the proxy from
@@ -75,7 +75,7 @@ in
           type = with types; nullOr (enum [ "ecdsa_256" "epid_linkable" "epid_unlinkable" ]);
           default = null;
           example = "ecdsa_256";
-          description = lib.mdDoc "Attestation quote type.";
+          description = "Attestation quote type.";
         };
       };
     };
diff --git a/nixos/modules/services/security/authelia.nix b/nixos/modules/services/security/authelia.nix
index 614b3b1e22b28..cf1c57e34c4ef 100644
--- a/nixos/modules/services/security/authelia.nix
+++ b/nixos/modules/services/security/authelia.nix
@@ -12,12 +12,12 @@ let
 
   autheliaOpts = with lib; { name, ... }: {
     options = {
-      enable = mkEnableOption (mdDoc "Authelia instance");
+      enable = mkEnableOption "Authelia instance";
 
       name = mkOption {
         type = types.str;
         default = name;
-        description = mdDoc ''
+        description = ''
           Name is used as a suffix for the service name, user, and group.
           By default it takes the value you use for `<instance>` in:
           {option}`services.authelia.<instance>`
@@ -29,17 +29,17 @@ let
       user = mkOption {
         default = "authelia-${name}";
         type = types.str;
-        description = mdDoc "The name of the user for this authelia instance.";
+        description = "The name of the user for this authelia instance.";
       };
 
       group = mkOption {
         default = "authelia-${name}";
         type = types.str;
-        description = mdDoc "The name of the group for this authelia instance.";
+        description = "The name of the group for this authelia instance.";
       };
 
       secrets = mkOption {
-        description = mdDoc ''
+        description = ''
           It is recommended you keep your secrets separate from the configuration.
           It's especially important to keep the raw secrets out of your nix configuration,
           as the values will be preserved in your nix store.
@@ -53,7 +53,7 @@ let
             manual = mkOption {
               default = false;
               example = true;
-              description = mdDoc ''
+              description = ''
                 Configuring authelia's secret files via the secrets attribute set
                 is intended to be convenient and help catch cases where values are required
                 to run at all.
@@ -66,7 +66,7 @@ let
             jwtSecretFile = mkOption {
               type = types.nullOr types.path;
               default = null;
-              description = mdDoc ''
+              description = ''
                 Path to your JWT secret used during identity verificaton.
               '';
             };
@@ -74,7 +74,7 @@ let
             oidcIssuerPrivateKeyFile = mkOption {
               type = types.nullOr types.path;
               default = null;
-              description = mdDoc ''
+              description = ''
                 Path to your private key file used to encrypt OIDC JWTs.
               '';
             };
@@ -82,7 +82,7 @@ let
             oidcHmacSecretFile = mkOption {
               type = types.nullOr types.path;
               default = null;
-              description = mdDoc ''
+              description = ''
                 Path to your HMAC secret used to sign OIDC JWTs.
               '';
             };
@@ -90,7 +90,7 @@ let
             sessionSecretFile = mkOption {
               type = types.nullOr types.path;
               default = null;
-              description = mdDoc ''
+              description = ''
                 Path to your session secret. Only used when redis is used as session storage.
               '';
             };
@@ -99,7 +99,7 @@ let
             storageEncryptionKeyFile = mkOption {
               type = types.nullOr types.path;
               default = null;
-              description = mdDoc ''
+              description = ''
                 Path to your storage encryption key.
               '';
             };
@@ -109,7 +109,7 @@ let
 
       environmentVariables = mkOption {
         type = types.attrsOf types.str;
-        description = mdDoc ''
+        description = ''
           Additional environment variables to provide to authelia.
           If you are providing secrets please consider the options under {option}`services.authelia.<instance>.secrets`
           or make sure you use the `_FILE` suffix.
@@ -120,7 +120,7 @@ let
       };
 
       settings = mkOption {
-        description = mdDoc ''
+        description = ''
           Your Authelia config.yml as a Nix attribute set.
           There are several values that are defined and documented in nix such as `default_2fa_method`,
           but additional items can also be included.
@@ -143,14 +143,14 @@ let
               type = types.enum [ "light" "dark" "grey" "auto" ];
               default = "light";
               example = "dark";
-              description = mdDoc "The theme to display.";
+              description = "The theme to display.";
             };
 
             default_2fa_method = mkOption {
               type = types.enum [ "" "totp" "webauthn" "mobile_push" ];
               default = "";
               example = "webauthn";
-              description = mdDoc ''
+              description = ''
                 Default 2FA method for new users and fallback for preferred but disabled methods.
               '';
             };
@@ -160,13 +160,13 @@ let
                 type = types.str;
                 default = "localhost";
                 example = "0.0.0.0";
-                description = mdDoc "The address to listen on.";
+                description = "The address to listen on.";
               };
 
               port = mkOption {
                 type = types.port;
                 default = 9091;
-                description = mdDoc "The port to listen on.";
+                description = "The port to listen on.";
               };
             };
 
@@ -175,28 +175,28 @@ let
                 type = types.enum [ "info" "debug" "trace" ];
                 default = "debug";
                 example = "info";
-                description = mdDoc "Level of verbosity for logs: info, debug, trace.";
+                description = "Level of verbosity for logs: info, debug, trace.";
               };
 
               format = mkOption {
                 type = types.enum [ "json" "text" ];
                 default = "json";
                 example = "text";
-                description = mdDoc "Format the logs are written as.";
+                description = "Format the logs are written as.";
               };
 
               file_path = mkOption {
                 type = types.nullOr types.path;
                 default = null;
                 example = "/var/log/authelia/authelia.log";
-                description = mdDoc "File path where the logs will be written. If not set logs are written to stdout.";
+                description = "File path where the logs will be written. If not set logs are written to stdout.";
               };
 
               keep_stdout = mkOption {
                 type = types.bool;
                 default = false;
                 example = true;
-                description = mdDoc "Whether to also log to stdout when a `file_path` is defined.";
+                description = "Whether to also log to stdout when a `file_path` is defined.";
               };
             };
 
@@ -206,14 +206,14 @@ let
                   type = types.bool;
                   default = false;
                   example = true;
-                  description = mdDoc "Enable Metrics.";
+                  description = "Enable Metrics.";
                 };
 
                 address = mkOption {
                   type = types.str;
                   default = "tcp://127.0.0.1:9959";
                   example = "tcp://0.0.0.0:8888";
-                  description = mdDoc "The address to listen on for metrics. This should be on a different port to the main `server.port` value.";
+                  description = "The address to listen on for metrics. This should be on a different port to the main `server.port` value.";
                 };
               };
             };
@@ -225,7 +225,7 @@ let
         type = types.listOf types.path;
         default = [ ];
         example = [ "/etc/authelia/config.yml" "/etc/authelia/access-control.yml" "/etc/authelia/config/" ];
-        description = mdDoc ''
+        description = ''
           Here you can provide authelia with configuration files or directories.
           It is possible to give authelia multiple files and use the nix generated configuration
           file set via {option}`services.authelia.<instance>.settings`.
@@ -238,7 +238,7 @@ in
   options.services.authelia.instances = with lib; mkOption {
     default = { };
     type = types.attrsOf (types.submodule autheliaOpts);
-    description = mdDoc ''
+    description = ''
       Multi-domain protection currently requires multiple instances of Authelia.
       If you don't require multiple instances of Authelia you can define just the one.
 
diff --git a/nixos/modules/services/security/bitwarden-directory-connector-cli.nix b/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
index a55758322a75a..d21322caf4c33 100644
--- a/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
+++ b/nixos/modules/services/security/bitwarden-directory-connector-cli.nix
@@ -14,24 +14,24 @@ in {
 
     domain = mkOption {
       type = types.str;
-      description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
+      description = "The domain the Bitwarden/Vaultwarden is accessible on.";
       example = "https://vaultwarden.example.com";
     };
 
     user = mkOption {
       type = types.str;
-      description = lib.mdDoc "User to run the program.";
+      description = "User to run the program.";
       default = "bwdc";
     };
 
     interval = mkOption {
       type = types.str;
       default = "*:0,15,30,45";
-      description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
+      description = "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
     };
 
     ldap = mkOption {
-      description = lib.mdDoc ''
+      description = ''
         Options to configure the LDAP connection.
         If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
       '';
@@ -56,47 +56,47 @@ in {
           ssl = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Whether to use TLS.";
+            description = "Whether to use TLS.";
           };
           startTls = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Whether to use STARTTLS.";
+            description = "Whether to use STARTTLS.";
           };
 
           hostname = mkOption {
             type = types.str;
-            description = lib.mdDoc "The host the LDAP is accessible on.";
+            description = "The host the LDAP is accessible on.";
             example = "ldap.example.com";
           };
 
           port = mkOption {
             type = types.port;
             default = 389;
-            description = lib.mdDoc "Port LDAP is accessible on.";
+            description = "Port LDAP is accessible on.";
           };
 
           ad = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
+            description = "Whether the LDAP Server is an Active Directory.";
           };
 
           pagedSearch = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Whether the LDAP server paginates search results.";
+            description = "Whether the LDAP server paginates search results.";
           };
 
           rootPath = mkOption {
             type = types.str;
-            description = lib.mdDoc "Root path for LDAP.";
+            description = "Root path for LDAP.";
             example = "dc=example,dc=com";
           };
 
           username = mkOption {
             type = types.str;
-            description = lib.mdDoc "The user to authenticate as.";
+            description = "The user to authenticate as.";
             example = "cn=admin,dc=example,dc=com";
           };
         };
@@ -104,7 +104,7 @@ in {
     };
 
     sync = mkOption {
-      description = lib.mdDoc ''
+      description = ''
         Options to configure what gets synced.
         If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
       '';
@@ -129,73 +129,72 @@ in {
           removeDisabled = mkOption {
             type = types.bool;
             default = true;
-            description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
+            description = "Remove users from bitwarden groups if no longer in the ldap group.";
           };
 
           overwriteExisting = mkOption {
             type = types.bool;
             default = false;
-            description =
-              lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
+            description = "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
           };
 
           largeImport = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
+            description = "Enable if you are syncing more than 2000 users/groups.";
           };
 
           memberAttribute = mkOption {
             type = types.str;
-            description = lib.mdDoc "Attribute that lists members in a LDAP group.";
+            description = "Attribute that lists members in a LDAP group.";
             example = "uniqueMember";
           };
 
           creationDateAttribute = mkOption {
             type = types.str;
-            description = lib.mdDoc "Attribute that lists a user's creation date.";
+            description = "Attribute that lists a user's creation date.";
             example = "whenCreated";
           };
 
           useEmailPrefixSuffix = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
+            description = "If a user has no email address, combine a username prefix with a suffix value to form an email.";
           };
           emailPrefixAttribute = mkOption {
             type = types.str;
-            description = lib.mdDoc "The attribute that contains the users username.";
+            description = "The attribute that contains the users username.";
             example = "accountName";
           };
           emailSuffix = mkOption {
             type = types.str;
-            description = lib.mdDoc "Suffix for the email, normally @example.com.";
+            description = "Suffix for the email, normally @example.com.";
             example = "@example.com";
           };
 
           users = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Sync users.";
+            description = "Sync users.";
           };
           userPath = mkOption {
             type = types.str;
-            description = lib.mdDoc "User directory, relative to root.";
+            description = "User directory, relative to root.";
             default = "ou=users";
           };
           userObjectClass = mkOption {
             type = types.str;
-            description = lib.mdDoc "Class that users must have.";
+            description = "Class that users must have.";
             default = "inetOrgPerson";
           };
           userEmailAttribute = mkOption {
             type = types.str;
-            description = lib.mdDoc "Attribute for a users email.";
+            description = "Attribute for a users email.";
             default = "mail";
           };
           userFilter = mkOption {
             type = types.str;
-            description = lib.mdDoc "LDAP filter for users.";
+            description = "LDAP filter for users.";
             example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
             default = "";
           };
@@ -203,26 +202,26 @@ in {
           groups = mkOption {
             type = types.bool;
             default = false;
-            description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
+            description = "Whether to sync ldap groups into BitWarden.";
           };
           groupPath = mkOption {
             type = types.str;
-            description = lib.mdDoc "Group directory, relative to root.";
+            description = "Group directory, relative to root.";
             default = "ou=groups";
           };
           groupObjectClass = mkOption {
             type = types.str;
-            description = lib.mdDoc "A class that groups will have.";
+            description = "A class that groups will have.";
             default = "groupOfNames";
           };
           groupNameAttribute = mkOption {
             type = types.str;
-            description = lib.mdDoc "Attribute for a name of group.";
+            description = "Attribute for a name of group.";
             default = "cn";
           };
           groupFilter = mkOption {
             type = types.str;
-            description = lib.mdDoc "LDAP filter for groups.";
+            description = "LDAP filter for groups.";
             example = "(cn=sales)";
             default = "";
           };
diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix
index 02cb7afe87bad..c6d6e83576c5c 100644
--- a/nixos/modules/services/security/certmgr.nix
+++ b/nixos/modules/services/security/certmgr.nix
@@ -35,38 +35,38 @@ let
 in
 {
   options.services.certmgr = {
-    enable = mkEnableOption (lib.mdDoc "certmgr");
+    enable = mkEnableOption "certmgr";
 
     package = mkPackageOption pkgs "certmgr" { };
 
     defaultRemote = mkOption {
       type = types.str;
       default = "127.0.0.1:8888";
-      description = lib.mdDoc "The default CA host:port to use.";
+      description = "The default CA host:port to use.";
     };
 
     validMin = mkOption {
       default = "72h";
       type = types.str;
-      description = lib.mdDoc "The interval before a certificate expires to start attempting to renew it.";
+      description = "The interval before a certificate expires to start attempting to renew it.";
     };
 
     renewInterval = mkOption {
       default = "30m";
       type = types.str;
-      description = lib.mdDoc "How often to check certificate expirations and how often to update the cert_next_expires metric.";
+      description = "How often to check certificate expirations and how often to update the cert_next_expires metric.";
     };
 
     metricsAddress = mkOption {
       default = "127.0.0.1";
       type = types.str;
-      description = lib.mdDoc "The address for the Prometheus HTTP endpoint.";
+      description = "The address for the Prometheus HTTP endpoint.";
     };
 
     metricsPort = mkOption {
       default = 9488;
       type = types.ints.u16;
-      description = lib.mdDoc "The port for the Prometheus HTTP endpoint.";
+      description = "The port for the Prometheus HTTP endpoint.";
     };
 
     specs = mkOption {
@@ -113,38 +113,38 @@ in
           service = mkOption {
             type = nullOr str;
             default = null;
-            description = lib.mdDoc "The service on which to perform \<action\> after fetching.";
+            description = "The service on which to perform \<action\> after fetching.";
           };
 
           action = mkOption {
             type = addCheck str (x: cfg.svcManager == "command" || elem x ["restart" "reload" "nop"]);
             default = "nop";
-            description = lib.mdDoc "The action to take after fetching.";
+            description = "The action to take after fetching.";
           };
 
           # These ought all to be specified according to certmgr spec def.
           authority = mkOption {
             type = attrs;
-            description = lib.mdDoc "certmgr spec authority object.";
+            description = "certmgr spec authority object.";
           };
 
           certificate = mkOption {
             type = nullOr attrs;
-            description = lib.mdDoc "certmgr spec certificate object.";
+            description = "certmgr spec certificate object.";
           };
 
           private_key = mkOption {
             type = nullOr attrs;
-            description = lib.mdDoc "certmgr spec private_key object.";
+            description = "certmgr spec private_key object.";
           };
 
           request = mkOption {
             type = nullOr attrs;
-            description = lib.mdDoc "certmgr spec request object.";
+            description = "certmgr spec request object.";
           };
         };
     }));
-      description = lib.mdDoc ''
+      description = ''
         Certificate specs as described by:
         <https://github.com/cloudflare/certmgr#certificate-specs>
         These will be added to the Nix store, so they will be world readable.
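Review bot: The `service` option description on the new side still contains `\<action\>`; in a Nix double-quoted string a backslash before `<` is not one of the recognised escapes and, as far as I can tell, is simply dropped, so the Markdown renderer receives a bare `<action>` and may treat it as inline HTML rather than as visible text. Now that these descriptions are plain Markdown with no `mdDoc` wrapper, it would be clearer to refer to the sibling option directly, e.g. `description = "The service on which to perform the configured action after fetching.";`, or to put `action` in a Markdown code span instead of angle brackets. The same description text appears unchanged apart from the wrapper removal, so this is pre-existing, but it is worth fixing while the line is being touched. The enclosing `specs` option and its submodule start outside this hunk.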
@@ -154,7 +154,7 @@ in
     svcManager = mkOption {
       default = "systemd";
       type = types.enum [ "circus" "command" "dummy" "openrc" "systemd" "sysv" ];
-      description = lib.mdDoc ''
+      description = ''
         This specifies the service manager to use for restarting or reloading services.
         See: <https://github.com/cloudflare/certmgr#certmgryaml>.
         For how to use the "command" service manager in particular,
diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix
index 202db98e222c0..a6012e78c5b64 100644
--- a/nixos/modules/services/security/cfssl.nix
+++ b/nixos/modules/services/security/cfssl.nix
@@ -6,12 +6,12 @@ let
   cfg = config.services.cfssl;
 in {
   options.services.cfssl = {
-    enable = mkEnableOption (lib.mdDoc "the CFSSL CA api-server");
+    enable = mkEnableOption "the CFSSL CA api-server";
 
     dataDir = mkOption {
       default = "/var/lib/cfssl";
       type = types.path;
-      description = lib.mdDoc ''
+      description = ''
         The work directory for CFSSL.
 
         ::: {.note}
@@ -26,49 +26,49 @@ in {
     address = mkOption {
       default = "127.0.0.1";
       type = types.str;
-      description = lib.mdDoc "Address to bind.";
+      description = "Address to bind.";
     };
 
     port = mkOption {
       default = 8888;
       type = types.port;
-      description = lib.mdDoc "Port to bind.";
+      description = "Port to bind.";
     };
 
     ca = mkOption {
       defaultText = literalExpression ''"''${cfg.dataDir}/ca.pem"'';
       type = types.str;
-      description = lib.mdDoc "CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'.";
+      description = "CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'.";
     };
 
     caKey = mkOption {
       defaultText = literalExpression ''"file:''${cfg.dataDir}/ca-key.pem"'';
       type = types.str;
-      description = lib.mdDoc "CA private key -- accepts '[file:]fname' or 'env:varname'.";
+      description = "CA private key -- accepts '[file:]fname' or 'env:varname'.";
     };
 
     caBundle = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Path to root certificate store.";
+      description = "Path to root certificate store.";
     };
 
     intBundle = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Path to intermediate certificate store.";
+      description = "Path to intermediate certificate store.";
     };
 
     intDir = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Intermediates directory.";
+      description = "Intermediates directory.";
     };
 
     metadata = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc ''
+      description = ''
         Metadata file for root certificate presence.
         The content of the file is a json dictionary (k,v): each key k is
         a SHA-1 digest of a root certificate while value v is a list of key
@@ -79,79 +79,79 @@ in {
     remote = mkOption {
       default = null;
       type = types.nullOr types.str;
-      description = lib.mdDoc "Remote CFSSL server.";
+      description = "Remote CFSSL server.";
     };
 
     configFile = mkOption {
       default = null;
       type = types.nullOr types.str;
-      description = lib.mdDoc "Path to configuration file. Do not put this in nix-store as it might contain secrets.";
+      description = "Path to configuration file. Do not put this in nix-store as it might contain secrets.";
     };
 
     responder = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Certificate for OCSP responder.";
+      description = "Certificate for OCSP responder.";
     };
 
     responderKey = mkOption {
       default = null;
       type = types.nullOr types.str;
-      description = lib.mdDoc "Private key for OCSP responder certificate. Do not put this in nix-store.";
+      description = "Private key for OCSP responder certificate. Do not put this in nix-store.";
     };
 
     tlsKey = mkOption {
       default = null;
       type = types.nullOr types.str;
-      description = lib.mdDoc "Other endpoint's CA private key. Do not put this in nix-store.";
+      description = "Other endpoint's CA private key. Do not put this in nix-store.";
     };
 
     tlsCert = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Other endpoint's CA to set up TLS protocol.";
+      description = "Other endpoint's CA to set up TLS protocol.";
     };
 
     mutualTlsCa = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Mutual TLS - require clients be signed by this CA.";
+      description = "Mutual TLS - require clients be signed by this CA.";
     };
 
     mutualTlsCn = mkOption {
       default = null;
       type = types.nullOr types.str;
-      description = lib.mdDoc "Mutual TLS - regex for whitelist of allowed client CNs.";
+      description = "Mutual TLS - regex for whitelist of allowed client CNs.";
     };
 
     tlsRemoteCa = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "CAs to trust for remote TLS requests.";
+      description = "CAs to trust for remote TLS requests.";
     };
 
     mutualTlsClientCert = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Mutual TLS - client certificate to call remote instance requiring client certs.";
+      description = "Mutual TLS - client certificate to call remote instance requiring client certs.";
     };
 
     mutualTlsClientKey = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.";
+      description = "Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.";
     };
 
     dbConfig = mkOption {
       default = null;
       type = types.nullOr types.path;
-      description = lib.mdDoc "Certificate db configuration file. Path must be writeable.";
+      description = "Certificate db configuration file. Path must be writeable.";
     };
 
     logLevel = mkOption {
       default = 1;
       type = types.enum [ 0 1 2 3 4 5 ];
-      description = lib.mdDoc "Log level (0 = DEBUG, 5 = FATAL).";
+      description = "Log level (0 = DEBUG, 5 = FATAL).";
     };
   };
 
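Review bot: `mutualTlsClientKey` is typed `types.nullOr types.path` while its description in this hunk says "Do not put this in nix-store"; a `path`-typed option accepts a Nix path literal such as `./client-key.pem`, which Nix copies into the world-readable store, so the type works against the warning. The sibling secret options `responderKey` and `tlsKey` in the same hunk already use `types.nullOr types.str` for this reason, and `type = types.nullOr types.str;` on `mutualTlsClientKey` would make the three consistent. Note that `types.str` still accepts a store path given as a string, so the description's warning remains the operative guard either way.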
diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix
index 4480c0cae60c9..b3598606d8be7 100644
--- a/nixos/modules/services/security/clamav.nix
+++ b/nixos/modules/services/security/clamav.nix
@@ -28,24 +28,24 @@ in
   options = {
     services.clamav = {
       daemon = {
-        enable = mkEnableOption (lib.mdDoc "ClamAV clamd daemon");
+        enable = mkEnableOption "ClamAV clamd daemon";
 
         settings = mkOption {
           type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);
           default = { };
-          description = lib.mdDoc ''
+          description = ''
             ClamAV configuration. Refer to <https://linux.die.net/man/5/clamd.conf>,
             for details on supported values.
           '';
         };
       };
       updater = {
-        enable = mkEnableOption (lib.mdDoc "ClamAV freshclam updater");
+        enable = mkEnableOption "ClamAV freshclam updater";
 
         frequency = mkOption {
           type = types.int;
           default = 12;
-          description = lib.mdDoc ''
+          description = ''
             Number of database checks per day.
           '';
         };
@@ -53,7 +53,7 @@ in
         interval = mkOption {
           type = types.str;
           default = "hourly";
-          description = lib.mdDoc ''
+          description = ''
             How often freshclam is invoked. See systemd.time(7) for more
             information about the format.
           '';
@@ -62,19 +62,19 @@ in
         settings = mkOption {
           type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);
           default = { };
-          description = lib.mdDoc ''
+          description = ''
             freshclam configuration. Refer to <https://linux.die.net/man/5/freshclam.conf>,
             for details on supported values.
           '';
         };
       };
       fangfrisch = {
-        enable = mkEnableOption (lib.mdDoc "ClamAV fangfrisch updater");
+        enable = mkEnableOption "ClamAV fangfrisch updater";
 
         interval = mkOption {
           type = types.str;
           default = "hourly";
-          description = lib.mdDoc ''
+          description = ''
             How often freshclam is invoked. See systemd.time(7) for more
             information about the format.
           '';
@@ -91,7 +91,7 @@ in
               customer_id = "your customer_id";
             };
           };
-          description = lib.mdDoc ''
+          description = ''
             fangfrisch configuration. Refer to <https://rseichter.github.io/fangfrisch/#_configuration>,
             for details on supported values.
             Note that by default urlhaus and sanesecurity are enabled.
@@ -100,12 +100,12 @@ in
       };
 
       scanner = {
-        enable = mkEnableOption (lib.mdDoc "ClamAV scanner");
+        enable = mkEnableOption "ClamAV scanner";
 
         interval = mkOption {
           type = types.str;
           default = "*-*-* 04:00:00";
-          description = lib.mdDoc ''
+          description = ''
             How often clamdscan is invoked. See systemd.time(7) for more
             information about the format.
             By default this runs using 10 cores at most, be sure to run it at a time of low traffic.
@@ -115,7 +115,7 @@ in
         scanDirectories = mkOption {
           type = with types; listOf str;
           default = [ "/home" "/var/lib" "/tmp" "/etc" "/var/tmp" ];
-          description = lib.mdDoc ''
+          description = ''
             List of directories to scan.
             The default includes everything I could think of that is valid for nixos. Feel free to contribute a PR to add to the default if you see something missing.
           '';
diff --git a/nixos/modules/services/security/endlessh-go.nix b/nixos/modules/services/security/endlessh-go.nix
index 6557ec953cd86..480bfc8cb9ef0 100644
--- a/nixos/modules/services/security/endlessh-go.nix
+++ b/nixos/modules/services/security/endlessh-go.nix
@@ -7,13 +7,13 @@ let
 in
 {
   options.services.endlessh-go = {
-    enable = mkEnableOption (mdDoc "endlessh-go service");
+    enable = mkEnableOption "endlessh-go service";
 
     listenAddress = mkOption {
       type = types.str;
       default = "0.0.0.0";
       example = "[::]";
-      description = mdDoc ''
+      description = ''
         Interface address to bind the endlessh-go daemon to SSH connections.
       '';
     };
@@ -22,7 +22,7 @@ in
       type = types.port;
       default = 2222;
       example = 22;
-      description = mdDoc ''
+      description = ''
         Specifies on which port the endlessh-go daemon listens for SSH
         connections.
 
@@ -31,13 +31,13 @@ in
     };
 
     prometheus = {
-      enable = mkEnableOption (mdDoc "Prometheus integration");
+      enable = mkEnableOption "Prometheus integration";
 
       listenAddress = mkOption {
         type = types.str;
         default = "0.0.0.0";
         example = "[::]";
-        description = mdDoc ''
+        description = ''
           Interface address to bind the endlessh-go daemon to answer Prometheus
           queries.
         '';
@@ -47,7 +47,7 @@ in
         type = types.port;
         default = 2112;
         example = 9119;
-        description = mdDoc ''
+        description = ''
           Specifies on which port the endlessh-go daemon listens for Prometheus
           queries.
         '';
@@ -58,7 +58,7 @@ in
       type = with types; listOf str;
       default = [ ];
       example = [ "-conn_type=tcp4" "-max_clients=8192" ];
-      description = mdDoc ''
+      description = ''
         Additional command line options to pass to the endlessh-go daemon.
       '';
     };
@@ -66,7 +66,7 @@ in
     openFirewall = mkOption {
       type = types.bool;
       default = false;
-      description = lib.mdDoc ''
+      description = ''
         Whether to open a firewall port for the SSH listener.
       '';
     };
diff --git a/nixos/modules/services/security/endlessh.nix b/nixos/modules/services/security/endlessh.nix
index e99b4dadcd581..cb7480dbeaba0 100644
--- a/nixos/modules/services/security/endlessh.nix
+++ b/nixos/modules/services/security/endlessh.nix
@@ -7,13 +7,13 @@ let
 in
 {
   options.services.endlessh = {
-    enable = mkEnableOption (mdDoc "endlessh service");
+    enable = mkEnableOption "endlessh service";
 
     port = mkOption {
       type = types.port;
       default = 2222;
       example = 22;
-      description = mdDoc ''
+      description = ''
         Specifies on which port the endlessh daemon listens for SSH
         connections.
 
@@ -25,7 +25,7 @@ in
       type = with types; listOf str;
       default = [ ];
       example = [ "-6" "-d 9000" "-v" ];
-      description = mdDoc ''
+      description = ''
         Additional command line options to pass to the endlessh daemon.
       '';
     };
@@ -33,7 +33,7 @@ in
     openFirewall = mkOption {
       type = types.bool;
       default = false;
-      description = lib.mdDoc ''
+      description = ''
         Whether to open a firewall port for the SSH listener.
       '';
     };
diff --git a/nixos/modules/services/security/esdm.nix b/nixos/modules/services/security/esdm.nix
index c34fba1b3c75b..835c3b6a090e2 100644
--- a/nixos/modules/services/security/esdm.nix
+++ b/nixos/modules/services/security/esdm.nix
@@ -24,12 +24,12 @@ in
   ];
 
   options.services.esdm = {
-    enable = lib.mkEnableOption (lib.mdDoc "ESDM service configuration");
+    enable = lib.mkEnableOption "ESDM service configuration";
     package = lib.mkPackageOption pkgs "esdm" { };
     enableLinuxCompatServices = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      description = lib.mdDoc ''
+      description = ''
         Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper.
       '';
     };
diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix
index 59b9ea70209d4..c4031b64ba6aa 100644
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -69,7 +69,7 @@ in
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = lib.mdDoc ''
+        description = ''
           Whether to enable the fail2ban service.
 
           See the documentation of {option}`services.fail2ban.jails`
@@ -85,14 +85,14 @@ in
         default = config.networking.firewall.package;
         defaultText = literalExpression "config.networking.firewall.package";
         type = types.package;
-        description = lib.mdDoc "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";
+        description = "The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).";
       };
 
       extraPackages = mkOption {
         default = [ ];
         type = types.listOf types.package;
         example = lib.literalExpression "[ pkgs.ipset ]";
-        description = lib.mdDoc ''
+        description = ''
           Extra packages to be made available to the fail2ban service. The example contains
           the packages needed by the `iptables-ipset-proto6` action.
         '';
@@ -102,20 +102,20 @@ in
         default = "10m";
         type = types.str;
         example = "1h";
-        description = lib.mdDoc "Number of seconds that a host is banned.";
+        description = "Number of seconds that a host is banned.";
       };
 
       maxretry = mkOption {
         default = 3;
         type = types.ints.unsigned;
-        description = lib.mdDoc "Number of failures before a host gets banned.";
+        description = "Number of failures before a host gets banned.";
       };
 
       banaction = mkOption {
         default = if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport";
         defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"'';
         type = types.str;
-        description = lib.mdDoc ''
+        description = ''
           Default banning action (e.g. iptables, iptables-new, iptables-multiport,
           iptables-ipset-proto6-allports, shorewall, etc). It is used to
           define action_* variables. Can be overridden globally or per
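Review bot: The `bantime` description on the new side still reads "Number of seconds that a host is banned." although the option is `types.str` with default `"10m"` and example `"1h"`, so the value is a fail2ban duration string, not a count of seconds. `description = "How long a host stays banned, as a fail2ban time string (e.g. \"10m\", \"1h\").";` would match the declared type and the example. `maxretry` directly below is described correctly and needs no change.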
@@ -127,7 +127,7 @@ in
         default = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports";
         defaultText = literalExpression ''if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"'';
         type = types.str;
-        description = lib.mdDoc ''
+        description = ''
           Default banning action (e.g. iptables, iptables-new, iptables-multiport,
           shorewall, etc) for "allports" jails. It is used to define action_* variables. Can be overridden
           globally or per section within jail.local file
@@ -137,7 +137,7 @@ in
       bantime-increment.enable = mkOption {
         default = false;
         type = types.bool;
-        description = lib.mdDoc ''
+        description = ''
           "bantime.increment" allows to use database for searching of previously banned ip's to increase
           a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32 ...
         '';
@@ -147,7 +147,7 @@ in
         default = null;
         type = types.nullOr types.str;
         example = "8m";
-        description = lib.mdDoc ''
+        description = ''
           "bantime.rndtime" is the max number of seconds using for mixing with random time
           to prevent "clever" botnets calculate exact time IP can be unbanned again
         '';
@@ -157,7 +157,7 @@ in
         default = null;
         type = types.nullOr types.str;
         example = "48h";
-        description = lib.mdDoc ''
+        description = ''
           "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
         '';
       };
@@ -166,7 +166,7 @@ in
         default = null;
         type = types.nullOr types.str;
         example = "4";
-        description = lib.mdDoc ''
+        description = ''
           "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
           default value of factor is 1 and with default value of formula, the ban time grows by 1, 2, 4, 8, 16 ...
         '';
@@ -176,7 +176,7 @@ in
         default = null;
         type = types.nullOr types.str;
         example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
-        description = lib.mdDoc ''
+        description = ''
           "bantime.formula" used by default to calculate next value of ban time, default value bellow,
           the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 ...
         '';
@@ -186,7 +186,7 @@ in
         default = null;
         type = types.nullOr types.str;
         example = "1 2 4 8 16 32 64";
-        description = lib.mdDoc ''
+        description = ''
           "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
           previously ban count and given "bantime.factor" (for multipliers default is 1);
           following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
@@ -198,7 +198,7 @@ in
         default = null;
         type = types.nullOr types.bool;
         example = true;
-        description = lib.mdDoc ''
+        description = ''
           "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
           cross over all jails, if false (default), only current jail of the ban IP will be searched.
         '';
@@ -208,7 +208,7 @@ in
         default = [ ];
         type = types.listOf types.str;
         example = [ "192.168.0.0/16" "2001:DB8::42" ];
-        description = lib.mdDoc ''
+        description = ''
           "ignoreIP" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which
           matches an address in this list. Several addresses can be defined using space (and/or comma) separator.
         '';
@@ -227,7 +227,7 @@ in
             };
           }
         '';
-        description = lib.mdDoc ''
+        description = ''
           The contents of Fail2ban's main configuration file.
           It's generally not necessary to change it.
         '';
@@ -272,18 +272,18 @@ in
               type = nullOr (either str configFormat.type);
 
               default = null;
-              description = lib.mdDoc "Content of the filter used for this jail.";
+              description = "Content of the filter used for this jail.";
             };
 
             settings = mkOption {
               inherit (settingsFormat) type;
 
               default = { };
-              description = lib.mdDoc "Additional settings for this jail.";
+              description = "Additional settings for this jail.";
             };
           };
         })));
-        description = lib.mdDoc ''
+        description = ''
           The configuration of each Fail2ban “jail”.  A jail
           consists of an action (such as blocking a port using
           {command}`iptables`) that is triggered when a
diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix
index 28f9b5908b536..87c3f1f6f9e42 100644
--- a/nixos/modules/services/security/fprintd.nix
+++ b/nixos/modules/services/security/fprintd.nix
@@ -18,25 +18,25 @@ in
 
     services.fprintd = {
 
-      enable = mkEnableOption (lib.mdDoc "fprintd daemon and PAM module for fingerprint readers handling");
+      enable = mkEnableOption "fprintd daemon and PAM module for fingerprint readers handling";
 
       package = mkOption {
         type = types.package;
         default = fprintdPkg;
         defaultText = literalExpression "if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd";
-        description = lib.mdDoc ''
+        description = ''
           fprintd package to use.
         '';
       };
 
       tod = {
 
-        enable = mkEnableOption (lib.mdDoc "Touch OEM Drivers library support");
+        enable = mkEnableOption "Touch OEM Drivers library support";
 
         driver = mkOption {
           type = types.package;
           example = literalExpression "pkgs.libfprint-2-tod1-goodix";
-          description = lib.mdDoc ''
+          description = ''
             Touch OEM Drivers (TOD) package to use.
           '';
         };
diff --git a/nixos/modules/services/security/haka.nix b/nixos/modules/services/security/haka.nix
index dda039857401f..66666a57fd8ef 100644
--- a/nixos/modules/services/security/haka.nix
+++ b/nixos/modules/services/security/haka.nix
@@ -55,7 +55,7 @@ in
 
     services.haka = {
 
-      enable = mkEnableOption (lib.mdDoc "Haka");
+      enable = mkEnableOption "Haka";
 
       package = mkPackageOption pkgs "haka" { };
 
@@ -63,7 +63,7 @@ in
         default = "empty.lua";
         example = "/srv/haka/myfilter.lua";
         type = types.str;
-        description = lib.mdDoc ''
+        description = ''
           Specify which configuration file Haka uses.
           It can be absolute path or a path relative to the sample directory of
           the haka git repo.
@@ -74,7 +74,7 @@ in
         default = [ "eth0" ];
         example = [ "any" ];
         type = with types; listOf str;
-        description = lib.mdDoc ''
+        description = ''
           Specify which interface(s) Haka listens to.
           Use 'any' to listen to all interfaces.
         '';
@@ -84,7 +84,7 @@ in
         default = 0;
         example = 4;
         type = types.int;
-        description = lib.mdDoc ''
+        description = ''
           The number of threads that will be used.
           All system threads are used by default.
         '';
@@ -93,24 +93,24 @@ in
       pcap = mkOption {
         default = true;
         type = types.bool;
-        description = lib.mdDoc "Whether to enable pcap";
+        description = "Whether to enable pcap";
       };
 
-      nfqueue = mkEnableOption (lib.mdDoc "nfqueue");
+      nfqueue = mkEnableOption "nfqueue";
 
-      dump.enable = mkEnableOption (lib.mdDoc "dump");
+      dump.enable = mkEnableOption "dump";
       dump.input  = mkOption {
         default = "/tmp/input.pcap";
         example = "/path/to/file.pcap";
         type = types.path;
-        description = lib.mdDoc "Path to file where incoming packets are dumped";
+        description = "Path to file where incoming packets are dumped";
       };
 
       dump.output  = mkOption {
         default = "/tmp/output.pcap";
         example = "/path/to/file.pcap";
         type = types.path;
-        description = lib.mdDoc "Path to file where outgoing packets are dumped";
+        description = "Path to file where outgoing packets are dumped";
       };
     };
   };
diff --git a/nixos/modules/services/security/haveged.nix b/nixos/modules/services/security/haveged.nix
index db12a28a7d0bd..57cef7e44d503 100644
--- a/nixos/modules/services/security/haveged.nix
+++ b/nixos/modules/services/security/haveged.nix
@@ -15,16 +15,16 @@ in
 
     services.haveged = {
 
-      enable = mkEnableOption (lib.mdDoc ''
+      enable = mkEnableOption ''
         haveged entropy daemon, which refills /dev/random when low.
         NOTE: does nothing on kernels newer than 5.6.
-      '');
+      '';
       # source for the note https://github.com/jirka-h/haveged/issues/57
 
       refill_threshold = mkOption {
         type = types.int;
         default = 1024;
-        description = lib.mdDoc ''
+        description = ''
           The number of bits of available entropy beneath which
           haveged should refill the entropy pool.
         '';
diff --git a/nixos/modules/services/security/hockeypuck.nix b/nixos/modules/services/security/hockeypuck.nix
index 56c13d791920c..2e7d6ef5b0e32 100644
--- a/nixos/modules/services/security/hockeypuck.nix
+++ b/nixos/modules/services/security/hockeypuck.nix
@@ -7,12 +7,12 @@ in {
   meta.maintainers = with lib.maintainers; [ etu ];
 
   options.services.hockeypuck = {
-    enable = lib.mkEnableOption (lib.mdDoc "Hockeypuck OpenPGP Key Server");
+    enable = lib.mkEnableOption "Hockeypuck OpenPGP Key Server";
 
     port = lib.mkOption {
       default = 11371;
       type = lib.types.port;
-      description = lib.mdDoc "HKP port to listen on.";
+      description = "HKP port to listen on.";
     };
 
     settings = lib.mkOption {
@@ -37,7 +37,7 @@ in {
           };
         }
       '';
-      description = lib.mdDoc ''
+      description = ''
         Configuration file for hockeypuck, here you can override
         certain settings (`loglevel` and
         `openpgp.db.dsn`) by just setting those values.
diff --git a/nixos/modules/services/security/hologram-agent.nix b/nixos/modules/services/security/hologram-agent.nix
index 666d95b9b94a7..e29267e50003b 100644
--- a/nixos/modules/services/security/hologram-agent.nix
+++ b/nixos/modules/services/security/hologram-agent.nix
@@ -14,19 +14,19 @@ in {
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc "Whether to enable the Hologram agent for AWS instance credentials";
+        description = "Whether to enable the Hologram agent for AWS instance credentials";
       };
 
       dialAddress = mkOption {
         type        = types.str;
         default     = "localhost:3100";
-        description = lib.mdDoc "Hologram server and port.";
+        description = "Hologram server and port.";
       };
 
       httpPort = mkOption {
         type        = types.str;
         default     = "80";
-        description = lib.mdDoc "Port for metadata service to listen on.";
+        description = "Port for metadata service to listen on.";
       };
 
     };
diff --git a/nixos/modules/services/security/hologram-server.nix b/nixos/modules/services/security/hologram-server.nix
index e995bc79b1129..4acf6ae0e2182 100644
--- a/nixos/modules/services/security/hologram-server.nix
+++ b/nixos/modules/services/security/hologram-server.nix
@@ -33,85 +33,85 @@ in {
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc "Whether to enable the Hologram server for AWS instance credentials";
+        description = "Whether to enable the Hologram server for AWS instance credentials";
       };
 
       listenAddress = mkOption {
         type        = types.str;
         default     = "0.0.0.0:3100";
-        description = lib.mdDoc "Address and port to listen on";
+        description = "Address and port to listen on";
       };
 
       ldapHost = mkOption {
         type        = types.str;
-        description = lib.mdDoc "Address of the LDAP server to use";
+        description = "Address of the LDAP server to use";
       };
 
       ldapInsecure = mkOption {
         type        = types.bool;
         default     = false;
-        description = lib.mdDoc "Whether to connect to LDAP over SSL or not";
+        description = "Whether to connect to LDAP over SSL or not";
       };
 
       ldapUserAttr = mkOption {
         type        = types.str;
         default     = "cn";
-        description = lib.mdDoc "The LDAP attribute for usernames";
+        description = "The LDAP attribute for usernames";
       };
 
       ldapBaseDN = mkOption {
         type        = types.str;
-        description = lib.mdDoc "The base DN for your Hologram users";
+        description = "The base DN for your Hologram users";
       };
 
       ldapBindDN = mkOption {
         type        = types.str;
-        description = lib.mdDoc "DN of account to use to query the LDAP server";
+        description = "DN of account to use to query the LDAP server";
       };
 
       ldapBindPassword = mkOption {
         type        = types.str;
-        description = lib.mdDoc "Password of account to use to query the LDAP server";
+        description = "Password of account to use to query the LDAP server";
       };
 
       enableLdapRoles = mkOption {
         type        = types.bool;
         default     = false;
-        description = lib.mdDoc "Whether to assign user roles based on the user's LDAP group memberships";
+        description = "Whether to assign user roles based on the user's LDAP group memberships";
       };
 
       groupClassAttr = mkOption {
         type = types.str;
         default = "groupOfNames";
-        description = lib.mdDoc "The objectclass attribute to search for groups when enableLdapRoles is true";
+        description = "The objectclass attribute to search for groups when enableLdapRoles is true";
       };
 
       roleAttr = mkOption {
         type        = types.str;
         default     = "businessCategory";
-        description = lib.mdDoc "Which LDAP group attribute to search for authorized role ARNs";
+        description = "Which LDAP group attribute to search for authorized role ARNs";
       };
 
       awsAccount = mkOption {
         type        = types.str;
-        description = lib.mdDoc "AWS account number";
+        description = "AWS account number";
       };
 
       awsDefaultRole = mkOption {
         type        = types.str;
-        description = lib.mdDoc "AWS default role";
+        description = "AWS default role";
       };
 
       statsAddress = mkOption {
         type        = types.str;
         default     = "";
-        description = lib.mdDoc "Address of statsd server";
+        description = "Address of statsd server";
       };
 
       cacheTimeoutSeconds = mkOption {
         type        = types.int;
         default     = 3600;
-        description = lib.mdDoc "How often (in seconds) to refresh the LDAP cache";
+        description = "How often (in seconds) to refresh the LDAP cache";
       };
     };
   };
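Review bot: `ldapBindPassword` is a plain `types.str` whose description carries no warning, so a value set here is presumably rendered into the service's generated configuration in the Nix store, where it is readable by every local user (how the module consumes the option is not visible in this hunk and should be confirmed). The description should at least state this, e.g. `description = "Password of account to use to query the LDAP server. Note: this value is stored in the world-readable Nix store.";`. The sounder fix is a file-based variant (a `ldapBindPasswordFile` option read at service start), which lies outside the scope of this hunk.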
diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix
index 739a0a84d90b2..4fb8adaf33f89 100644
--- a/nixos/modules/services/security/infnoise.nix
+++ b/nixos/modules/services/security/infnoise.nix
@@ -7,10 +7,10 @@ let
 in {
   options = {
     services.infnoise = {
-      enable = mkEnableOption (lib.mdDoc "the Infinite Noise TRNG driver");
+      enable = mkEnableOption "the Infinite Noise TRNG driver";
 
       fillDevRandom = mkOption {
-        description = lib.mdDoc ''
+        description = ''
           Whether to run the infnoise driver as a daemon to refill /dev/random.
 
           If disabled, you can use the `infnoise` command-line tool to
diff --git a/nixos/modules/services/security/intune.nix b/nixos/modules/services/security/intune.nix
index 93cecaca5f43e..c0f1ca77031dc 100644
--- a/nixos/modules/services/security/intune.nix
+++ b/nixos/modules/services/security/intune.nix
@@ -8,7 +8,7 @@ let
 in
 {
   options.services.intune = {
-    enable = lib.mkEnableOption (lib.mdDoc "Microsoft Intune");
+    enable = lib.mkEnableOption "Microsoft Intune";
   };
 
 
diff --git a/nixos/modules/services/security/jitterentropy-rngd.nix b/nixos/modules/services/security/jitterentropy-rngd.nix
index 289d2f7a9839d..104aeccebc9cc 100644
--- a/nixos/modules/services/security/jitterentropy-rngd.nix
+++ b/nixos/modules/services/security/jitterentropy-rngd.nix
@@ -5,7 +5,7 @@ in
 {
   options.services.jitterentropy-rngd = {
     enable =
-      lib.mkEnableOption (lib.mdDoc "jitterentropy-rngd service configuration");
+      lib.mkEnableOption "jitterentropy-rngd service configuration";
     package = lib.mkPackageOption pkgs "jitterentropy-rngd" { };
   };
 
diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 9d074c3027d02..1ab9dac48d470 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -65,9 +65,9 @@ let
 in
 {
   options.services.kanidm = {
-    enableClient = lib.mkEnableOption (lib.mdDoc "the Kanidm client");
-    enableServer = lib.mkEnableOption (lib.mdDoc "the Kanidm server");
-    enablePam = lib.mkEnableOption (lib.mdDoc "the Kanidm PAM and NSS integration");
+    enableClient = lib.mkEnableOption "the Kanidm client";
+    enableServer = lib.mkEnableOption "the Kanidm server";
+    enablePam = lib.mkEnableOption "the Kanidm PAM and NSS integration";
 
     package = lib.mkPackageOption pkgs "kanidm" {};
 
@@ -77,13 +77,13 @@ in
 
         options = {
           bindaddress = lib.mkOption {
-            description = lib.mdDoc "Address/port combination the webserver binds to.";
+            description = "Address/port combination the webserver binds to.";
             example = "[::1]:8443";
             type = lib.types.str;
           };
           # Should be optional but toml does not accept null
           ldapbindaddress = lib.mkOption {
-            description = lib.mdDoc ''
+            description = ''
               Address and port the LDAP server is bound to. Setting this to `null` disables the LDAP interface.
             '';
             example = "[::1]:636";
@@ -91,12 +91,12 @@ in
             type = lib.types.nullOr lib.types.str;
           };
           origin = lib.mkOption {
-            description = lib.mdDoc "The origin of your Kanidm instance. Must have https as protocol.";
+            description = "The origin of your Kanidm instance. Must have https as protocol.";
             example = "https://idm.example.org";
             type = lib.types.strMatching "^https://.*";
           };
           domain = lib.mkOption {
-            description = lib.mdDoc ''
+            description = ''
               The `domain` that Kanidm manages. Must be below or equal to the domain
               specified in `serverSettings.origin`.
               This can be left at `null`, only if your instance has the role `ReadOnlyReplica`.
@@ -109,42 +109,42 @@ in
             type = lib.types.nullOr lib.types.str;
           };
           db_path = lib.mkOption {
-            description = lib.mdDoc "Path to Kanidm database.";
+            description = "Path to Kanidm database.";
             default = "/var/lib/kanidm/kanidm.db";
             readOnly = true;
             type = lib.types.path;
           };
           tls_chain = lib.mkOption {
-            description = lib.mdDoc "TLS chain in pem format.";
+            description = "TLS chain in pem format.";
             type = lib.types.path;
           };
           tls_key = lib.mkOption {
-            description = lib.mdDoc "TLS key in pem format.";
+            description = "TLS key in pem format.";
             type = lib.types.path;
           };
           log_level = lib.mkOption {
-            description = lib.mdDoc "Log level of the server.";
+            description = "Log level of the server.";
             default = "info";
             type = lib.types.enum [ "info" "debug" "trace" ];
           };
           role = lib.mkOption {
-            description = lib.mdDoc "The role of this server. This affects the replication relationship and thereby available features.";
+            description = "The role of this server. This affects the replication relationship and thereby available features.";
             default = "WriteReplica";
             type = lib.types.enum [ "WriteReplica" "WriteReplicaNoUI" "ReadOnlyReplica" ];
           };
           online_backup = {
             path = lib.mkOption {
-              description = lib.mdDoc "Path to the output directory for backups.";
+              description = "Path to the output directory for backups.";
               type = lib.types.path;
               default = "/var/lib/kanidm/backups";
             };
             schedule = lib.mkOption {
-              description = lib.mdDoc "The schedule for backups in cron format.";
+              description = "The schedule for backups in cron format.";
               type = lib.types.str;
               default = "00 22 * * *";
             };
             versions = lib.mkOption {
-              description = lib.mdDoc ''
+              description = ''
                 Number of backups to keep.
 
                 The default is set to `0`, in order to disable backups by default.
@@ -157,7 +157,7 @@ in
         };
       };
       default = { };
-      description = lib.mdDoc ''
+      description = ''
         Settings for Kanidm, see
         [the documentation](https://kanidm.github.io/kanidm/stable/server_configuration.html)
         and [example configuration](https://github.com/kanidm/kanidm/blob/master/examples/server.toml)
@@ -170,12 +170,12 @@ in
         freeformType = settingsFormat.type;
 
         options.uri = lib.mkOption {
-          description = lib.mdDoc "Address of the Kanidm server.";
+          description = "Address of the Kanidm server.";
           example = "http://127.0.0.1:8080";
           type = lib.types.str;
         };
       };
-      description = lib.mdDoc ''
+      description = ''
         Configure Kanidm clients, needed for the PAM daemon. See
         [the documentation](https://kanidm.github.io/kanidm/stable/client_tools.html#kanidm-configuration)
         and [example configuration](https://github.com/kanidm/kanidm/blob/master/examples/config)
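Review bot: The `uri` example on the new side is plaintext `http://127.0.0.1:8080`, while the server part of this module only accepts an `origin` matching `^https://.*` and always requires `tls_chain`/`tls_key`, so the example presumably describes an endpoint the packaged server would not even serve and, if it did, would carry the PAM daemon's credentials in the clear. Suggest `example = "https://idm.example.org";` and a sentence in the description such as `Use the https origin of the Kanidm server; the client sends credentials over this connection.` The enclosing `clientSettings` option starts outside the hunk.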
@@ -189,18 +189,18 @@ in
 
         options = {
           pam_allowed_login_groups = lib.mkOption {
-            description = lib.mdDoc "Kanidm groups that are allowed to login using PAM.";
+            description = "Kanidm groups that are allowed to login using PAM.";
             example = "my_pam_group";
             type = lib.types.listOf lib.types.str;
           };
           hsm_pin_path = lib.mkOption {
-            description = lib.mdDoc "Path to a HSM pin.";
+            description = "Path to a HSM pin.";
             default = "/var/cache/kanidm-unixd/hsm-pin";
             type = lib.types.path;
           };
         };
       };
-      description = lib.mdDoc ''
+      description = ''
         Configure Kanidm unix daemon.
         See [the documentation](https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html#the-unix-daemon)
         and [example configuration](https://github.com/kanidm/kanidm/blob/master/examples/unixd)
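Review bot: The `example` for `pam_allowed_login_groups` is a bare string while the option's type is `listOf str`, so the documented example does not type-check against the option it illustrates; it should read `example = [ "my_pam_group" ];`. Separately, `hsm_pin_path` defaults to a file under `/var/cache`, which is a directory tree that is commonly purged; the description could state who creates that file and with which permissions, e.g. `Path to the HSM PIN file; it must be readable only by the unixd service user.` (hedged, since the service definition is outside this hunk). The enclosing `unixSettings` option starts outside the hunk.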
diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix
index 9d306c205f946..e124f098bfbd3 100644
--- a/nixos/modules/services/security/munge.nix
+++ b/nixos/modules/services/security/munge.nix
@@ -15,12 +15,12 @@ in
   options = {
 
     services.munge = {
-      enable = mkEnableOption (lib.mdDoc "munge service");
+      enable = mkEnableOption "munge service";
 
       password = mkOption {
         default = "/etc/munge/munge.key";
         type = types.path;
-        description = lib.mdDoc ''
+        description = ''
           The path to a daemon's secret key.
         '';
       };
diff --git a/nixos/modules/services/security/nginx-sso.nix b/nixos/modules/services/security/nginx-sso.nix
index dd32b8356cbba..11c5c5dd8e78c 100644
--- a/nixos/modules/services/security/nginx-sso.nix
+++ b/nixos/modules/services/security/nginx-sso.nix
@@ -8,7 +8,7 @@ let
   configYml = pkgs.writeText "nginx-sso.yml" (builtins.toJSON cfg.configuration);
 in {
   options.services.nginx.sso = {
-    enable = mkEnableOption (lib.mdDoc "nginx-sso service");
+    enable = mkEnableOption "nginx-sso service";
 
     package = mkPackageOption pkgs "nginx-sso" { };
 
@@ -33,7 +33,7 @@ in {
           };
         }
       '';
-      description = lib.mdDoc ''
+      description = ''
         nginx-sso configuration
         ([documentation](https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration))
         as a Nix attribute set.
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index d1dc37d549d2d..abf1ce9ba0200 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@@ -85,7 +85,7 @@ let
 in
 {
   options.services.oauth2_proxy = {
-    enable = mkEnableOption (lib.mdDoc "oauth2_proxy");
+    enable = mkEnableOption "oauth2_proxy";
 
     package = mkPackageOption pkgs "oauth2-proxy" { };
 
@@ -110,7 +110,7 @@ in
         "oidc"
       ];
       default = "google";
-      description = lib.mdDoc ''
+      description = ''
         OAuth provider.
       '';
     };
@@ -118,14 +118,14 @@ in
     approvalPrompt = mkOption {
       type = types.enum ["force" "auto"];
       default = "force";
-      description = lib.mdDoc ''
+      description = ''
         OAuth approval_prompt.
       '';
     };
 
     clientID = mkOption {
       type = types.nullOr types.str;
-      description = lib.mdDoc ''
+      description = ''
         The OAuth Client ID.
       '';
       example = "123456.apps.googleusercontent.com";
@@ -133,7 +133,7 @@ in
 
     clientSecret = mkOption {
       type = types.nullOr types.str;
-      description = lib.mdDoc ''
+      description = ''
         The OAuth Client Secret.
       '';
     };
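Review bot: `clientSecret` is a plain `str`, so any value set here is serialised into the world-readable Nix store, and the new description still says nothing about that. Since this module already offers `keyFile`, whose description shows `OAUTH2_PROXY_CLIENT_SECRET`, the description should steer operators there: `Setting this option stores the secret in the world-readable Nix store; prefer services.oauth2_proxy.keyFile with OAUTH2_PROXY_CLIENT_SECRET.`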
@@ -141,7 +141,7 @@ in
     skipAuthRegexes = mkOption {
      type = types.listOf types.str;
      default = [];
-     description = lib.mdDoc ''
+     description = ''
        Skip authentication for requests matching any of these regular
        expressions.
      '';
@@ -152,7 +152,7 @@ in
       domains = mkOption {
         type = types.listOf types.str;
         default = [];
-        description = lib.mdDoc ''
+        description = ''
           Authenticate emails with the specified domains. Use
           `*` to authenticate any email.
         '';
@@ -161,7 +161,7 @@ in
       addresses = mkOption {
         type = types.nullOr types.lines;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           Line-separated email addresses that are allowed to authenticate.
         '';
       };
@@ -170,7 +170,7 @@ in
     loginURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         Authentication endpoint.
 
         You only need to set this if you are using a self-hosted provider (e.g.
@@ -183,7 +183,7 @@ in
     redeemURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         Token redemption endpoint.
 
         You only need to set this if you are using a self-hosted provider (e.g.
@@ -196,7 +196,7 @@ in
     validateURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         Access token validation endpoint.
 
         You only need to set this if you are using a self-hosted provider (e.g.
@@ -211,7 +211,7 @@ in
       # doesn't require it so making it optional.
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         The OAuth2 redirect URL.
       '';
       example = "https://internalapp.yourcompany.com/oauth2/callback";
@@ -221,14 +221,14 @@ in
       tenant = mkOption {
         type = types.str;
         default = "common";
-        description = lib.mdDoc ''
+        description = ''
           Go to a tenant-specific or common (tenant-independent) endpoint.
         '';
       };
 
       resource = mkOption {
         type = types.str;
-        description = lib.mdDoc ''
+        description = ''
           The resource that is protected.
         '';
       };
@@ -237,7 +237,7 @@ in
     google = {
       adminEmail = mkOption {
         type = types.str;
-        description = lib.mdDoc ''
+        description = ''
           The Google Admin to impersonate for API calls.
 
           Only users with access to the Admin APIs can access the Admin SDK
@@ -251,14 +251,14 @@ in
       groups = mkOption {
         type = types.listOf types.str;
         default = [];
-        description = lib.mdDoc ''
+        description = ''
           Restrict logins to members of these Google groups.
         '';
       };
 
       serviceAccountJSON = mkOption {
         type = types.path;
-        description = lib.mdDoc ''
+        description = ''
           The path to the service account JSON credentials.
         '';
       };
@@ -268,7 +268,7 @@ in
       org = mkOption {
         type = types.nullOr types.str;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           Restrict logins to members of this organisation.
         '';
       };
@@ -276,7 +276,7 @@ in
       team = mkOption {
         type = types.nullOr types.str;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           Restrict logins to members of this team.
         '';
       };
@@ -288,7 +288,7 @@ in
     upstream = mkOption {
       type = with types; coercedTo str (x: [x]) (listOf str);
       default = [];
-      description = lib.mdDoc ''
+      description = ''
         The http url(s) of the upstream endpoint or `file://`
         paths for static files. Routing is based on the path.
       '';
@@ -297,7 +297,7 @@ in
     passAccessToken = mkOption {
       type = types.bool;
       default = false;
-      description = lib.mdDoc ''
+      description = ''
         Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
       '';
     };
@@ -305,7 +305,7 @@ in
     passBasicAuth = mkOption {
       type = types.bool;
       default = true;
-      description = lib.mdDoc ''
+      description = ''
         Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
       '';
     };
@@ -313,7 +313,7 @@ in
     basicAuthPassword = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         The password to set when passing the HTTP Basic Auth header.
       '';
     };
@@ -321,7 +321,7 @@ in
     passHostHeader = mkOption {
       type = types.bool;
       default = true;
-      description = lib.mdDoc ''
+      description = ''
         Pass the request Host Header to upstream.
       '';
     };
@@ -329,7 +329,7 @@ in
     signatureKey = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         GAP-Signature request signature key.
       '';
       example = "sha1:secret0";
@@ -339,7 +339,7 @@ in
       domain = mkOption {
         type = types.nullOr types.str;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           Optional cookie domains to force cookies to (ie: `.yourcompany.com`).
           The longest domain matching the request's host will be used (or the shortest
           cookie domain if there is no match).
@@ -350,7 +350,7 @@ in
       expire = mkOption {
         type = types.str;
         default = "168h0m0s";
-        description = lib.mdDoc ''
+        description = ''
           Expire timeframe for cookie.
         '';
       };
@@ -358,7 +358,7 @@ in
       httpOnly = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Set HttpOnly cookie flag.
         '';
       };
@@ -366,7 +366,7 @@ in
       name = mkOption {
         type = types.str;
         default = "_oauth2_proxy";
-        description = lib.mdDoc ''
+        description = ''
           The name of the cookie that the oauth_proxy creates.
         '';
       };
@@ -375,7 +375,7 @@ in
         # XXX: Unclear what the behavior is when this is not specified.
         type = types.nullOr types.str;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           Refresh the cookie after this duration; 0 to disable.
         '';
         example = "168h0m0s";
@@ -383,7 +383,7 @@ in
 
       secret = mkOption {
         type = types.nullOr types.str;
-        description = lib.mdDoc ''
+        description = ''
           The seed string for secure cookies.
         '';
       };
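Review bot: `cookie.secret` is the key that protects the session cookie, and as a plain `str` option it ends up in the world-readable Nix store, which the new description does not warn about; anyone who can read the store can presumably mint or decrypt sessions. Suggest adding `Stored in the world-readable Nix store when set here; prefer services.oauth2_proxy.keyFile (presumably OAUTH2_PROXY_COOKIE_SECRET) for production deployments.` The exact environment-variable name should be confirmed against the packaged oauth2-proxy version.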
@@ -391,7 +391,7 @@ in
       secure = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Set secure (HTTPS) cookie flag.
         '';
       };
@@ -403,7 +403,7 @@ in
     httpAddress = mkOption {
       type = types.str;
       default = "http://127.0.0.1:4180";
-      description = lib.mdDoc ''
+      description = ''
         HTTPS listening address.  This module does not expose the port by
         default. If you want this URL to be accessible to other machines, please
         add the port to `networking.firewall.allowedTCPPorts`.
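Review bot: The description on the new side says `HTTPS listening address.`, but the default is `http://127.0.0.1:4180` and the TLS listener is configured separately via `tls.httpsAddress` later in this file, so this wording misleads operators about what is exposed if they open the port. Suggest `HTTP (plaintext) listening address; see tls.httpsAddress for the TLS listener.` The rest of the description continues outside the hunk.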
@@ -414,7 +414,7 @@ in
       file = mkOption {
         type = types.nullOr types.path;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           Additionally authenticate against a htpasswd file. Entries must be
           created with `htpasswd -s` for SHA encryption.
         '';
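Review bot: The new description says `htpasswd -s` gives "SHA encryption", but `-s` produces an unsalted SHA-1 hash, not encryption, and such entries are cheap to brute-force if the file leaks. Suggest `Entries must be created with htpasswd -s (unsalted SHA-1 hash). Keep this file readable only by the oauth2-proxy service user.` If the packaged oauth2-proxy version accepts bcrypt entries (`htpasswd -B`), the description should recommend those instead; that support is not visible from this diff.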
@@ -423,7 +423,7 @@ in
       displayForm = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Display username / password login form if an htpasswd file is provided.
         '';
       };
@@ -432,7 +432,7 @@ in
     customTemplatesDir = mkOption {
       type = types.nullOr types.path;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         Path to custom HTML templates.
       '';
     };
@@ -440,7 +440,7 @@ in
     reverseProxy = mkOption {
       type = types.bool;
       default = false;
-      description = lib.mdDoc ''
+      description = ''
         In case when running behind a reverse proxy, controls whether headers
         like `X-Real-Ip` are accepted. Usage behind a reverse
         proxy will require this flag to be set to avoid logging the reverse
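Review bot: The new `reverseProxy` description explains what the flag does but not the trust consequence: once enabled, oauth2-proxy accepts `X-Real-Ip`-style headers from whatever client reaches `httpAddress`, so a client that can bypass the front proxy can presumably spoof its source address in logs and in any IP-based decisions. Suggest appending `Only enable this when the listener is reachable exclusively through the trusted reverse proxy, since these headers are otherwise attacker-controlled.` The description text continues outside the hunk.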
@@ -451,7 +451,7 @@ in
     proxyPrefix = mkOption {
       type = types.str;
       default = "/oauth2";
-      description = lib.mdDoc ''
+      description = ''
         The url root path that this proxy should be nested under.
       '';
     };
@@ -460,21 +460,21 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Whether to serve over TLS.
         '';
       };
 
       certificate = mkOption {
         type = types.path;
-        description = lib.mdDoc ''
+        description = ''
           Path to certificate file.
         '';
       };
 
       key = mkOption {
         type = types.path;
-        description = lib.mdDoc ''
+        description = ''
           Path to private key file.
         '';
       };
@@ -482,7 +482,7 @@ in
       httpsAddress = mkOption {
         type = types.str;
         default = ":443";
-        description = lib.mdDoc ''
+        description = ''
           `addr:port` to listen on for HTTPS clients.
 
           Remember to add `port` to
@@ -495,7 +495,7 @@ in
     requestLogging = mkOption {
       type = types.bool;
       default = true;
-      description = lib.mdDoc ''
+      description = ''
         Log requests to stdout.
       '';
     };
@@ -509,7 +509,7 @@ in
       # doesn't require it so making it optional.
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         OAuth scope specification.
       '';
     };
@@ -517,7 +517,7 @@ in
     profileURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         Profile access endpoint.
       '';
     };
@@ -525,7 +525,7 @@ in
     setXauthrequest = mkOption {
       type = types.nullOr types.bool;
       default = false;
-      description = lib.mdDoc ''
+      description = ''
         Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false).
       '';
     };
@@ -533,7 +533,7 @@ in
     extraConfig = mkOption {
       default = {};
       type = types.attrsOf types.anything;
-      description = lib.mdDoc ''
+      description = ''
         Extra config to pass to oauth2-proxy.
       '';
     };
@@ -541,7 +541,7 @@ in
     keyFile = mkOption {
       type = types.nullOr types.path;
       default = null;
-      description = lib.mdDoc ''
+      description = ''
         oauth2-proxy allows passing sensitive configuration via environment variables.
         Make a file that contains lines like
         OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
index dd3ded6259c4a..1178b70e43438 100644
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -9,14 +9,14 @@ in
       type = types.str;
       default = config.services.oauth2_proxy.httpAddress;
       defaultText = literalExpression "config.services.oauth2_proxy.httpAddress";
-      description = lib.mdDoc ''
+      description = ''
         The address of the reverse proxy endpoint for oauth2_proxy
       '';
     };
 
     domain = mkOption {
       type = types.str;
-      description = lib.mdDoc ''
+      description = ''
         The domain under which the oauth2_proxy will be accesible and the path of cookies are set to.
         This setting must be set to ensure back-redirects are working properly
         if oauth2-proxy is configured with {option}`services.oauth2_proxy.cookie.domain`
@@ -27,7 +27,7 @@ in
     virtualHosts = mkOption {
       type = types.listOf types.str;
       default = [];
-      description = lib.mdDoc ''
+      description = ''
         A list of nginx virtual hosts to put behind the oauth2 proxy
       '';
     };
diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix
index 42cf8159f3ea5..6e2f6ca73b776 100644
--- a/nixos/modules/services/security/opensnitch.nix
+++ b/nixos/modules/services/security/opensnitch.nix
@@ -13,7 +13,7 @@ let
 in {
   options = {
     services.opensnitch = {
-      enable = mkEnableOption (mdDoc "Opensnitch application firewall");
+      enable = mkEnableOption "Opensnitch application firewall";
 
       rules = mkOption {
         default = {};
@@ -34,7 +34,7 @@ in {
           };
         '';
 
-        description = mdDoc ''
+        description = ''
           Declarative configuration of firewall rules.
           All rules will be stored in `/var/lib/opensnitch/rules` by default.
           Rules path can be configured with `settings.Rules.Path`.
@@ -56,7 +56,7 @@ in {
 
               Address = mkOption {
                 type = types.str;
-                description = mdDoc ''
+                description = ''
                   Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is
                   mandatory) or TCP socket (192.168.1.100:50051).
                 '';
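Review bot: The new description for `Address` uses `unix:///tmp/osui.sock` as the example path; a socket in the shared, world-writable `/tmp` can be pre-created or swapped by another local user before the daemon starts, whereas a path under `/run` owned by the service avoids that. Suggest `Unix socket path (e.g. unix:///run/opensnitch/osui.sock, the "unix:///" part is mandatory) or TCP socket (192.168.1.100:50051).` if upstream accepts an arbitrary path, and a caveat that a TCP address exposes the daemon-to-UI channel on the network, so bind it to a trusted interface only; whether that channel is authenticated is not visible from this diff.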
@@ -64,7 +64,7 @@ in {
 
               LogFile = mkOption {
                 type = types.path;
-                description = mdDoc ''
+                description = ''
                   File to write logs to (use /dev/stdout to write logs to standard
                   output).
                 '';
@@ -74,7 +74,7 @@ in {
 
             DefaultAction = mkOption {
               type = types.enum [ "allow" "deny" ];
-              description = mdDoc ''
+              description = ''
                 Default action whether to block or allow application internet
                 access.
               '';
@@ -82,21 +82,21 @@ in {
 
             InterceptUnknown = mkOption {
               type = types.bool;
-              description = mdDoc ''
+              description = ''
                 Whether to intercept spare connections.
               '';
             };
 
             ProcMonitorMethod = mkOption {
               type = types.enum [ "ebpf" "proc" "ftrace" "audit" ];
-              description = mdDoc ''
+              description = ''
                 Which process monitoring method to use.
               '';
             };
 
             LogLevel = mkOption {
               type = types.enum [ 0 1 2 3 4 ];
-              description = mdDoc ''
+              description = ''
                 Default log level from 0 to 4 (debug, info, important, warning,
                 error).
               '';
@@ -104,7 +104,7 @@ in {
 
             Firewall = mkOption {
               type = types.enum [ "iptables" "nftables" ];
-              description = mdDoc ''
+              description = ''
                 Which firewall backend to use.
               '';
             };
@@ -113,14 +113,14 @@ in {
 
               MaxEvents = mkOption {
                 type = types.int;
-                description = mdDoc ''
+                description = ''
                   Max events to send to the GUI.
                 '';
               };
 
               MaxStats = mkOption {
                 type = types.int;
-                description = mdDoc ''
+                description = ''
                   Max stats per item to keep in backlog.
                 '';
               };
@@ -135,7 +135,7 @@ in {
                   "\\$\\{config.boot.kernelPackages.opensnitch-ebpf\\}/etc/opensnitchd"
                 else null;
               '';
-              description = mdDoc ''
+              description = ''
                 Configure eBPF modules path. Used when
                 `settings.ProcMonitorMethod` is set to `ebpf`.
               '';
@@ -144,7 +144,7 @@ in {
             Rules.Path = mkOption {
               type = types.path;
               default = "/var/lib/opensnitch/rules";
-              description = mdDoc ''
+              description = ''
                 Path to the directory where firewall rules can be found and will
                 get stored by the NixOS module.
               '';
@@ -152,7 +152,7 @@ in {
 
           };
         };
-        description = mdDoc ''
+        description = ''
           opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations)
           for details on supported values.
         '';
diff --git a/nixos/modules/services/security/pass-secret-service.nix b/nixos/modules/services/security/pass-secret-service.nix
index f864f8a265956..9530a9f8cf693 100644
--- a/nixos/modules/services/security/pass-secret-service.nix
+++ b/nixos/modules/services/security/pass-secret-service.nix
@@ -7,7 +7,7 @@ let
 in
 {
   options.services.passSecretService = {
-    enable = mkEnableOption (lib.mdDoc "pass secret service");
+    enable = mkEnableOption "pass secret service";
 
     package = mkPackageOption pkgs "pass-secret-service" {
       example = "pass-secret-service.override { python3 = pkgs.python310 }";
diff --git a/nixos/modules/services/security/physlock.nix b/nixos/modules/services/security/physlock.nix
index cd77476591521..7285de94ad6cd 100644
--- a/nixos/modules/services/security/physlock.nix
+++ b/nixos/modules/services/security/physlock.nix
@@ -17,7 +17,7 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Whether to enable the {command}`physlock` screen locking mechanism.
 
           Enable this and then run {command}`systemctl start physlock`
@@ -33,7 +33,7 @@ in
       allowAnyUser = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Whether to allow any user to lock the screen. This will install a
           setuid wrapper to allow any user to start physlock as root, which
           is a minor security risk. Call the physlock binary to use this instead
@@ -44,7 +44,7 @@ in
       disableSysRq = mkOption {
         type = types.bool;
         default = true;
-        description = lib.mdDoc ''
+        description = ''
           Whether to disable SysRq when locked with physlock.
         '';
       };
@@ -52,7 +52,7 @@ in
       lockMessage = mkOption {
         type = types.str;
         default = "";
-        description = lib.mdDoc ''
+        description = ''
           Message to show on physlock login terminal.
         '';
       };
@@ -60,7 +60,7 @@ in
       muteKernelMessages = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Disable kernel messages on console while physlock is running.
         '';
       };
@@ -70,7 +70,7 @@ in
         suspend = mkOption {
           type = types.bool;
           default = true;
-          description = lib.mdDoc ''
+          description = ''
             Whether to lock screen with physlock just before suspend.
           '';
         };
@@ -78,7 +78,7 @@ in
         hibernate = mkOption {
           type = types.bool;
           default = true;
-          description = lib.mdDoc ''
+          description = ''
             Whether to lock screen with physlock just before hibernate.
           '';
         };
@@ -87,7 +87,7 @@ in
           type = types.listOf types.str;
           default = [];
           example = [ "display-manager.service" ];
-          description = lib.mdDoc ''
+          description = ''
             Other targets to lock the screen just before.
 
             Useful if you want to e.g. both autologin to X11 so that
diff --git a/nixos/modules/services/security/shibboleth-sp.nix b/nixos/modules/services/security/shibboleth-sp.nix
index 975de1efa2f2a..c6d260b902670 100644
--- a/nixos/modules/services/security/shibboleth-sp.nix
+++ b/nixos/modules/services/security/shibboleth-sp.nix
@@ -8,31 +8,31 @@ in {
       enable = lib.mkOption {
         type = lib.types.bool;
         default = false;
-        description = lib.mdDoc "Whether to enable the shibboleth service";
+        description = "Whether to enable the shibboleth service";
       };
 
       configFile = lib.mkOption {
         type = lib.types.path;
         example = lib.literalExpression ''"''${pkgs.shibboleth-sp}/etc/shibboleth/shibboleth2.xml"'';
-        description = lib.mdDoc "Path to shibboleth config file";
+        description = "Path to shibboleth config file";
       };
 
       fastcgi.enable = lib.mkOption {
         type = lib.types.bool;
         default = false;
-        description = lib.mdDoc "Whether to include the shibauthorizer and shibresponder FastCGI processes";
+        description = "Whether to include the shibauthorizer and shibresponder FastCGI processes";
       };
 
       fastcgi.shibAuthorizerPort = lib.mkOption {
         type = lib.types.int;
         default = 9100;
-        description = lib.mdDoc "Port for shibauthorizer FastCGI process to bind to";
+        description = "Port for shibauthorizer FastCGI process to bind to";
       };
 
       fastcgi.shibResponderPort = lib.mkOption {
         type = lib.types.int;
         default = 9101;
-        description = lib.mdDoc "Port for shibauthorizer FastCGI process to bind to";
+        description = "Port for shibauthorizer FastCGI process to bind to";
       };
     };
   };
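Review bot: The description of `fastcgi.shibResponderPort` on the new side still reads `Port for shibauthorizer FastCGI process to bind to`, which is a copy of the `shibAuthorizerPort` text above it and names the wrong process. It should read `description = "Port for shibresponder FastCGI process to bind to";`. Both ports default to loopback-agnostic integers, so the description could also note that the FastCGI listeners are expected to be reached only by the local web server.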
diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index 7ac5ecec0d824..520da45c94e2f 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@@ -16,10 +16,10 @@ in {
 
     services.sks = {
 
-      enable = mkEnableOption (lib.mdDoc ''
+      enable = mkEnableOption ''
         SKS (synchronizing key server for OpenPGP) and start the database
         server. You need to create "''${dataDir}/dump/*.gpg" for the initial
-        import'');
+        import'';
 
       package = mkPackageOption pkgs "sks" { };
 
@@ -30,7 +30,7 @@ in {
         # TODO: The default might change to "/var/lib/sks" as this is more
         # common. There's also https://github.com/NixOS/nixpkgs/issues/26256
         # and "/var/db" is not FHS compliant (seems to come from BSD).
-        description = lib.mdDoc ''
+        description = ''
           Data directory (-basedir) for SKS, where the database and all
           configuration files are located (e.g. KDB, PTree, membership and
           sksconf).
@@ -40,7 +40,7 @@ in {
       extraDbConfig = mkOption {
         type = types.str;
         default = "";
-        description = lib.mdDoc ''
+        description = ''
           Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within
           the ''${dataDir} directory. This is used to configure options for the
           database for the sks key server.
@@ -54,7 +54,7 @@ in {
       hkpAddress = mkOption {
         default = [ "127.0.0.1" "::1" ];
         type = types.listOf types.str;
-        description = lib.mdDoc ''
+        description = ''
           Domain names, IPv4 and/or IPv6 addresses to listen on for HKP
           requests.
         '';
@@ -63,14 +63,14 @@ in {
       hkpPort = mkOption {
         default = 11371;
         type = types.ints.u16;
-        description = lib.mdDoc "HKP port to listen on.";
+        description = "HKP port to listen on.";
       };
 
       webroot = mkOption {
         type = types.nullOr types.path;
         default = "${sksPkg.webSamples}/OpenPKG";
         defaultText = literalExpression ''"''${package.webSamples}/OpenPKG"'';
-        description = lib.mdDoc ''
+        description = ''
           Source directory (will be symlinked, if not null) for the files the
           built-in webserver should serve. SKS (''${pkgs.sks.webSamples})
           provides the following examples: "HTML5", "OpenPKG", and "XHTML+ES".
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index 4e9d9571de5ef..3be0a8c700b9e 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -30,13 +30,13 @@ in {
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = lib.mdDoc "Whether to enable the sshguard service.";
+        description = "Whether to enable the sshguard service.";
       };
 
       attack_threshold = mkOption {
         default = 30;
         type = types.int;
-        description = lib.mdDoc ''
+        description = ''
             Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
           '';
       };
@@ -45,7 +45,7 @@ in {
         default = null;
         example = 120;
         type = types.nullOr types.int;
-        description = lib.mdDoc ''
+        description = ''
             Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
           '';
       };
@@ -53,7 +53,7 @@ in {
       blacklist_file = mkOption {
         default = "/var/lib/sshguard/blacklist.db";
         type = types.path;
-        description = lib.mdDoc ''
+        description = ''
             Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
           '';
       };
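Review bot: The description kept for `blacklist_file` is a verbatim copy of the one on the nullable threshold option in the previous hunk ("Blacklist an attacker when its score exceeds threshold…"), so the option that actually takes a path never says what the path is for; the mdDoc removal carries the copy-paste forward unchanged. The second sentence already contains the right information, so the text could be reduced to it and phrased for this option: `description = "Path to the file from which blacklisted addresses are loaded and to which newly blacklisted addresses are added.";`. The threshold-based wording then stays only on the option whose default and type describe a score.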
@@ -61,7 +61,7 @@ in {
       blocktime = mkOption {
         default = 120;
         type = types.int;
-        description = lib.mdDoc ''
+        description = ''
             Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.
 
             sshguard unblocks attacks at random intervals, so actual block times will be longer.
@@ -71,7 +71,7 @@ in {
       detection_time = mkOption {
         default = 1800;
         type = types.int;
-        description = lib.mdDoc ''
+        description = ''
             Remember potential attackers for up to detection_time seconds before resetting their score.
           '';
       };
@@ -80,7 +80,7 @@ in {
         default = [ ];
         example = [ "198.51.100.56" "198.51.100.2" ];
         type = types.listOf types.str;
-        description = lib.mdDoc ''
+        description = ''
             Whitelist a list of addresses, hostnames, or address blocks.
           '';
       };
@@ -89,7 +89,7 @@ in {
         default = [ "sshd" ];
         example = [ "sshd" "exim" ];
         type = types.listOf types.str;
-        description = lib.mdDoc ''
+        description = ''
             Systemd services sshguard should receive logs of.
           '';
       };
diff --git a/nixos/modules/services/security/sslmate-agent.nix b/nixos/modules/services/security/sslmate-agent.nix
index 2d72406f0db8d..c850eb22a0311 100644
--- a/nixos/modules/services/security/sslmate-agent.nix
+++ b/nixos/modules/services/security/sslmate-agent.nix
@@ -10,7 +10,7 @@ in {
 
   options = {
     services.sslmate-agent = {
-      enable = mkEnableOption (lib.mdDoc "sslmate-agent, a daemon for managing SSL/TLS certificates on a server");
+      enable = mkEnableOption "sslmate-agent, a daemon for managing SSL/TLS certificates on a server";
     };
   };
 
diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix
index 433f162ecb86e..c708cb2b8910d 100644
--- a/nixos/modules/services/security/step-ca.nix
+++ b/nixos/modules/services/security/step-ca.nix
@@ -8,18 +8,18 @@ in
 
   options = {
     services.step-ca = {
-      enable = lib.mkEnableOption (lib.mdDoc "the smallstep certificate authority server");
-      openFirewall = lib.mkEnableOption (lib.mdDoc "opening the certificate authority server port");
+      enable = lib.mkEnableOption "the smallstep certificate authority server";
+      openFirewall = lib.mkEnableOption "opening the certificate authority server port";
       package = lib.mkOption {
         type = lib.types.package;
         default = pkgs.step-ca;
         defaultText = lib.literalExpression "pkgs.step-ca";
-        description = lib.mdDoc "Which step-ca package to use.";
+        description = "Which step-ca package to use.";
       };
       address = lib.mkOption {
         type = lib.types.str;
         example = "127.0.0.1";
-        description = lib.mdDoc ''
+        description = ''
           The address (without port) the certificate authority should listen at.
           This combined with {option}`services.step-ca.port` overrides {option}`services.step-ca.settings.address`.
         '';
@@ -27,14 +27,14 @@ in
       port = lib.mkOption {
         type = lib.types.port;
         example = 8443;
-        description = lib.mdDoc ''
+        description = ''
           The port the certificate authority should listen on.
           This combined with {option}`services.step-ca.address` overrides {option}`services.step-ca.settings.address`.
         '';
       };
       settings = lib.mkOption {
         type = with lib.types; attrsOf anything;
-        description = lib.mdDoc ''
+        description = ''
           Settings that go into {file}`ca.json`. See
           [the step-ca manual](https://smallstep.com/docs/step-ca/configuration)
           for more information. The easiest way to
@@ -57,7 +57,7 @@ in
       intermediatePasswordFile = lib.mkOption {
         type = lib.types.path;
         example = "/run/keys/smallstep-password";
-        description = lib.mdDoc ''
+        description = ''
           Path to the file containing the password for the intermediate
           certificate private key.
 
diff --git a/nixos/modules/services/security/tang.nix b/nixos/modules/services/security/tang.nix
index 9cb0a22fca427..be36d9895bf30 100644
--- a/nixos/modules/services/security/tang.nix
+++ b/nixos/modules/services/security/tang.nix
@@ -11,14 +11,14 @@ in
       type = types.package;
       default = pkgs.tang;
       defaultText = literalExpression "pkgs.tang";
-      description = mdDoc "The tang package to use.";
+      description = "The tang package to use.";
     };
 
     listenStream = mkOption {
       type = with types; listOf str;
       default = [ "7654" ];
       example = [ "198.168.100.1:7654" "[2001:db8::1]:7654" "7654" ];
-      description = mdDoc ''
+      description = ''
         Addresses and/or ports on which tang should listen.
         For detailed syntax see ListenStream in {manpage}`systemd.socket(5)`.
       '';
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index dea20dec1ab47..6cceb1bad82d5 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -30,35 +30,35 @@ let
   optionBool = optionName: mkOption {
     type = with types; nullOr bool;
     default = null;
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionInt = optionName: mkOption {
     type = with types; nullOr int;
     default = null;
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionString = optionName: mkOption {
     type = with types; nullOr str;
     default = null;
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionStrings = optionName: mkOption {
     type = with types; listOf str;
     default = [];
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionAddress = mkOption {
     type = with types; nullOr str;
     default = null;
     example = "0.0.0.0";
-    description = lib.mdDoc ''
+    description = ''
       IPv4 or IPv6 (if between brackets) address.
     '';
   };
   optionUnix = mkOption {
     type = with types; nullOr path;
     default = null;
-    description = lib.mdDoc ''
+    description = ''
       Unix domain socket path to use.
     '';
   };
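Review bot: Removing `lib.mdDoc` in `optionBool`, `optionInt`, `optionString` and `optionStrings` leaves behind the parentheses that only existed to group the wrapper's argument, so the new lines read `description = (descriptionGeneric optionName);` where `description = descriptionGeneric optionName;` is the idiomatic form. The same residue appears in every later tor.nix hunk that used `descriptionGeneric` (optionPorts, optionIsolablePorts, optionBandwidth/optionPath, both `onionServices`, `authorizeClient`, `map`, `version`, the `HiddenService*` options, `ClientOnionAuthDir`, `ControlPort`, `DirPolicy`, `ExtORPort`, `HidServAuth`, `PublishServerDescriptor`, `ServerTransportPlugin`, `ShutdownWaitLength`, `SOCKSPort` and `TransProxyType`), so a single follow-up pass over the file can drop them all. Since this is a mechanical mass edit, the leftover parentheses are probably a tooling artefact rather than intent, but they are noise a reader of the module will keep seeing.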
@@ -69,7 +69,7 @@ let
   optionPorts = optionName: mkOption {
     type = with types; listOf port;
     default = [];
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionIsolablePort = with types; oneOf [
     port (enum ["auto"])
@@ -89,7 +89,7 @@ let
   optionIsolablePorts = optionName: mkOption {
     default = [];
     type = with types; either optionIsolablePort (listOf optionIsolablePort);
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   isolateFlags = [
     "IsolateClientAddr"
@@ -144,17 +144,17 @@ let
         };
       }))
     ]))];
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionBandwidth = optionName: mkOption {
     type = with types; nullOr (either int str);
     default = null;
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
   optionPath = optionName: mkOption {
     type = with types; nullOr path;
     default = null;
-    description = lib.mdDoc (descriptionGeneric optionName);
+    description = (descriptionGeneric optionName);
   };
 
   mkValueString = k: v:
@@ -224,40 +224,40 @@ in
 
   options = {
     services.tor = {
-      enable = mkEnableOption (lib.mdDoc ''Tor daemon.
+      enable = mkEnableOption ''Tor daemon.
         By default, the daemon is run without
-        relay, exit, bridge or client connectivity'');
+        relay, exit, bridge or client connectivity'';
 
-      openFirewall = mkEnableOption (lib.mdDoc "opening of the relay port(s) in the firewall");
+      openFirewall = mkEnableOption "opening of the relay port(s) in the firewall";
 
       package = mkPackageOption pkgs "tor" { };
 
-      enableGeoIP = mkEnableOption (lib.mdDoc ''use of GeoIP databases.
+      enableGeoIP = mkEnableOption ''use of GeoIP databases.
         Disabling this will disable by-country statistics for bridges and relays
-        and some client and third-party software functionality'') // { default = true; };
+        and some client and third-party software functionality'' // { default = true; };
 
-      controlSocket.enable = mkEnableOption (lib.mdDoc ''control socket,
-        created in `${runDir}/control`'');
+      controlSocket.enable = mkEnableOption ''control socket,
+        created in `${runDir}/control`'';
 
       client = {
-        enable = mkEnableOption (lib.mdDoc ''the routing of application connections.
-          You might want to disable this if you plan running a dedicated Tor relay'');
+        enable = mkEnableOption ''the routing of application connections.
+          You might want to disable this if you plan running a dedicated Tor relay'';
 
-        transparentProxy.enable = mkEnableOption (lib.mdDoc "transparent proxy");
-        dns.enable = mkEnableOption (lib.mdDoc "DNS resolver");
+        transparentProxy.enable = mkEnableOption "transparent proxy";
+        dns.enable = mkEnableOption "DNS resolver";
 
         socksListenAddress = mkOption {
           type = optionSOCKSPort false;
           default = {addr = "127.0.0.1"; port = 9050; IsolateDestAddr = true;};
           example = {addr = "192.168.0.1"; port = 9090; IsolateDestAddr = true;};
-          description = lib.mdDoc ''
+          description = ''
             Bind to this address to listen for connections from
             Socks-speaking applications.
           '';
         };
 
         onionServices = mkOption {
-          description = lib.mdDoc (descriptionGeneric "HiddenServiceDir");
+          description = (descriptionGeneric "HiddenServiceDir");
           default = {};
           example = {
             "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" = {
@@ -266,7 +266,7 @@ in
           };
           type = types.attrsOf (types.submodule ({name, config, ...}: {
             options.clientAuthorizations = mkOption {
-              description = lib.mdDoc ''
+              description = ''
                 Clients' authorizations for a v3 onion service,
                 as a list of files containing each one private key, in the format:
                 ```
@@ -283,8 +283,8 @@ in
       };
 
       relay = {
-        enable = mkEnableOption (lib.mdDoc "tor relaying") // {
-          description = lib.mdDoc ''
+        enable = mkEnableOption "tor relaying" // {
+          description = ''
             Whether to enable relaying of Tor traffic for others.
 
             See <https://www.torproject.org/docs/tor-doc-relay>
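Review bot: In `relay.enable` the string passed to `mkEnableOption "tor relaying"` is dead: the `//` merge that follows immediately replaces `description` with the multi-line text, so the literal is never rendered. Now that the wrapper call is being touched anyway, the clearer form is an explicit option, `enable = mkOption { type = types.bool; default = false; description = '' … ''; };`, which says what the reader has to infer from the override today. The merged attribute set continues past the end of this hunk.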
@@ -300,7 +300,7 @@ in
 
         role = mkOption {
           type = types.enum [ "exit" "relay" "bridge" "private-bridge" ];
-          description = lib.mdDoc ''
+          description = ''
             Your role in Tor network. There're several options:
 
             - `exit`:
@@ -385,7 +385,7 @@ in
         };
 
         onionServices = mkOption {
-          description = lib.mdDoc (descriptionGeneric "HiddenServiceDir");
+          description = (descriptionGeneric "HiddenServiceDir");
           default = {};
           example = {
             "example.org/www" = {
@@ -398,7 +398,7 @@ in
           type = types.attrsOf (types.submodule ({name, config, ...}: {
             options.path = mkOption {
               type = types.path;
-              description = lib.mdDoc ''
+              description = ''
                 Path where to store the data files of the hidden service.
                 If the {option}`secretKey` is null
                 this defaults to `${stateDir}/onion/$onion`,
@@ -409,7 +409,7 @@ in
               type = with types; nullOr path;
               default = null;
               example = "/run/keys/tor/onion/expyuzz4wqqyqhjn/hs_ed25519_secret_key";
-              description = lib.mdDoc ''
+              description = ''
                 Secret key of the onion service.
                 If null, Tor reuses any preexisting secret key (in {option}`path`)
                 or generates a new one.
@@ -418,13 +418,13 @@ in
               '';
             };
             options.authorizeClient = mkOption {
-              description = lib.mdDoc (descriptionGeneric "HiddenServiceAuthorizeClient");
+              description = (descriptionGeneric "HiddenServiceAuthorizeClient");
               default = null;
               type = types.nullOr (types.submodule ({...}: {
                 options = {
                   authType = mkOption {
                     type = types.enum [ "basic" "stealth" ];
-                    description = lib.mdDoc ''
+                    description = ''
                       Either `"basic"` for a general-purpose authorization protocol
                       or `"stealth"` for a less scalable protocol
                       that also hides service activity from unauthorized clients.
@@ -432,7 +432,7 @@ in
                   };
                   clientNames = mkOption {
                     type = with types; nonEmptyListOf (strMatching "[A-Za-z0-9+-_]+");
-                    description = lib.mdDoc ''
+                    description = ''
                       Only clients that are listed here are authorized to access the hidden service.
                       Generated authorization data can be found in {file}`${stateDir}/onion/$name/hostname`.
                       Clients need to put this authorization data in their configuration file using
@@ -443,7 +443,7 @@ in
               }));
             };
             options.authorizedClients = mkOption {
-              description = lib.mdDoc ''
+              description = ''
                 Authorized clients for a v3 onion service,
                 as a list of public key, in the format:
                 ```
@@ -456,7 +456,7 @@ in
               example = ["descriptor:x25519:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"];
             };
             options.map = mkOption {
-              description = lib.mdDoc (descriptionGeneric "HiddenServicePort");
+              description = (descriptionGeneric "HiddenServicePort");
               type = with types; listOf (oneOf [
                 port (submodule ({...}: {
                   options = {
@@ -477,12 +477,12 @@ in
               apply = map (v: if isInt v then {port=v; target=null;} else v);
             };
             options.version = mkOption {
-              description = lib.mdDoc (descriptionGeneric "HiddenServiceVersion");
+              description = (descriptionGeneric "HiddenServiceVersion");
               type = with types; nullOr (enum [2 3]);
               default = null;
             };
             options.settings = mkOption {
-              description = lib.mdDoc ''
+              description = ''
                 Settings of the onion service.
                 ${descriptionGeneric "_hidden_service_options"}
               '';
@@ -495,18 +495,18 @@ in
                 options.HiddenServiceAllowUnknownPorts = optionBool "HiddenServiceAllowUnknownPorts";
                 options.HiddenServiceDirGroupReadable = optionBool "HiddenServiceDirGroupReadable";
                 options.HiddenServiceExportCircuitID = mkOption {
-                  description = lib.mdDoc (descriptionGeneric "HiddenServiceExportCircuitID");
+                  description = (descriptionGeneric "HiddenServiceExportCircuitID");
                   type = with types; nullOr (enum ["haproxy"]);
                   default = null;
                 };
                 options.HiddenServiceMaxStreams = mkOption {
-                  description = lib.mdDoc (descriptionGeneric "HiddenServiceMaxStreams");
+                  description = (descriptionGeneric "HiddenServiceMaxStreams");
                   type = with types; nullOr (ints.between 0 65535);
                   default = null;
                 };
                 options.HiddenServiceMaxStreamsCloseCircuit = optionBool "HiddenServiceMaxStreamsCloseCircuit";
                 options.HiddenServiceNumIntroductionPoints = mkOption {
-                  description = lib.mdDoc (descriptionGeneric "HiddenServiceNumIntroductionPoints");
+                  description = (descriptionGeneric "HiddenServiceNumIntroductionPoints");
                   type = with types; nullOr (ints.between 0 20);
                   default = null;
                 };
@@ -529,7 +529,7 @@ in
       };
 
       settings = mkOption {
-        description = lib.mdDoc ''
+        description = ''
           See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en)
           for documentation.
         '';
@@ -565,7 +565,7 @@ in
           options.ClientAutoIPv6ORPort = optionBool "ClientAutoIPv6ORPort";
           options.ClientDNSRejectInternalAddresses = optionBool "ClientDNSRejectInternalAddresses";
           options.ClientOnionAuthDir = mkOption {
-            description = lib.mdDoc (descriptionGeneric "ClientOnionAuthDir");
+            description = (descriptionGeneric "ClientOnionAuthDir");
             default = null;
             type = with types; nullOr path;
           };
@@ -578,7 +578,7 @@ in
           options.ConstrainedSockets = optionBool "ConstrainedSockets";
           options.ContactInfo = optionString "ContactInfo";
           options.ControlPort = mkOption rec {
-            description = lib.mdDoc (descriptionGeneric "ControlPort");
+            description = (descriptionGeneric "ControlPort");
             default = [];
             example = [{port = 9051;}];
             type = with types; oneOf [port (enum ["auto"]) (listOf (oneOf [
@@ -613,7 +613,7 @@ in
           options.DormantTimeoutDisabledByIdleStreams = optionBool "DormantTimeoutDisabledByIdleStreams";
           options.DirCache = optionBool "DirCache";
           options.DirPolicy = mkOption {
-            description = lib.mdDoc (descriptionGeneric "DirPolicy");
+            description = (descriptionGeneric "DirPolicy");
             type = with types; listOf str;
             default = [];
             example = ["accept *:*"];
@@ -640,7 +640,7 @@ in
           options.ExitPortStatistics = optionBool "ExitPortStatistics";
           options.ExitRelay = optionBool "ExitRelay"; # default is null and like "auto"
           options.ExtORPort = mkOption {
-            description = lib.mdDoc (descriptionGeneric "ExtORPort");
+            description = (descriptionGeneric "ExtORPort");
             default = null;
             type = with types; nullOr (oneOf [
               port (enum ["auto"]) (submodule ({...}: {
@@ -669,19 +669,19 @@ in
           options.GeoIPv6File = optionPath "GeoIPv6File";
           options.GuardfractionFile = optionPath "GuardfractionFile";
           options.HidServAuth = mkOption {
-            description = lib.mdDoc (descriptionGeneric "HidServAuth");
+            description = (descriptionGeneric "HidServAuth");
             default = [];
             type = with types; listOf (oneOf [
               (submodule {
                 options = {
                   onion = mkOption {
                     type = strMatching "[a-z2-7]{16}\\.onion";
-                    description = lib.mdDoc "Onion address.";
+                    description = "Onion address.";
                     example = "xxxxxxxxxxxxxxxx.onion";
                   };
                   auth = mkOption {
                     type = strMatching "[A-Za-z0-9+/]{22}";
-                    description = lib.mdDoc "Authentication cookie.";
+                    description = "Authentication cookie.";
                   };
                 };
               })
@@ -720,7 +720,7 @@ in
           options.ProtocolWarnings = optionBool "ProtocolWarnings";
           options.PublishHidServDescriptors = optionBool "PublishHidServDescriptors";
           options.PublishServerDescriptor = mkOption {
-            description = lib.mdDoc (descriptionGeneric "PublishServerDescriptor");
+            description = (descriptionGeneric "PublishServerDescriptor");
             type = with types; nullOr (enum [false true 0 1 "0" "1" "v3" "bridge"]);
             default = null;
           };
@@ -738,18 +738,18 @@ in
           options.ServerDNSResolvConfFile = optionPath "ServerDNSResolvConfFile";
           options.ServerDNSSearchDomains = optionBool "ServerDNSSearchDomains";
           options.ServerTransportPlugin = mkOption {
-            description = lib.mdDoc (descriptionGeneric "ServerTransportPlugin");
+            description = (descriptionGeneric "ServerTransportPlugin");
             default = null;
             type = with types; nullOr (submodule ({...}: {
               options = {
                 transports = mkOption {
-                  description = lib.mdDoc "List of pluggable transports.";
+                  description = "List of pluggable transports.";
                   type = listOf str;
                   example = ["obfs2" "obfs3" "obfs4" "scramblesuit"];
                 };
                 exec = mkOption {
                   type = types.str;
-                  description = lib.mdDoc "Command of pluggable transport.";
+                  description = "Command of pluggable transport.";
                 };
               };
             }));
@@ -757,13 +757,13 @@ in
           options.ShutdownWaitLength = mkOption {
             type = types.int;
             default = 30;
-            description = lib.mdDoc (descriptionGeneric "ShutdownWaitLength");
+            description = (descriptionGeneric "ShutdownWaitLength");
           };
           options.SocksPolicy = optionStrings "SocksPolicy" // {
             example = ["accept *:*"];
           };
           options.SOCKSPort = mkOption {
-            description = lib.mdDoc (descriptionGeneric "SOCKSPort");
+            description = (descriptionGeneric "SOCKSPort");
             default = lib.optionals cfg.settings.HiddenServiceNonAnonymousMode [{port = 0;}];
             defaultText = literalExpression ''
               if config.${opt.settings}.HiddenServiceNonAnonymousMode == true
@@ -776,7 +776,7 @@ in
           options.TestingTorNetwork = optionBool "TestingTorNetwork";
           options.TransPort = optionIsolablePorts "TransPort";
           options.TransProxyType = mkOption {
-            description = lib.mdDoc (descriptionGeneric "TransProxyType");
+            description = (descriptionGeneric "TransProxyType");
             type = with types; nullOr (enum ["default" "TPROXY" "ipfw" "pf-divert"]);
             default = null;
           };
diff --git a/nixos/modules/services/security/torify.nix b/nixos/modules/services/security/torify.nix
index 4d311adebcaea..5f147ac4a30fe 100644
--- a/nixos/modules/services/security/torify.nix
+++ b/nixos/modules/services/security/torify.nix
@@ -27,7 +27,7 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Whether to build tsocks wrapper script to relay application traffic via Tor.
 
           ::: {.important}
@@ -44,7 +44,7 @@ in
         type = types.str;
         default = "localhost:9050";
         example = "192.168.0.20";
-        description = lib.mdDoc ''
+        description = ''
           IP address of TOR client to use.
         '';
       };
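Review bot: The `address` option's default `"localhost:9050"` is a host:port pair, while the example `"192.168.0.20"` is a bare IP and the description says "IP address of TOR client to use.", so a user cannot tell from the documentation which form is accepted. If the module hands the value to tsocks as host and port (I cannot see the config generation from this hunk), the example should read `"192.168.0.20:9050"` and the description `Address (host:port) of the Tor SOCKS client to use.`; if only a host is expected, the default is the one that is wrong. Either way the three fields should agree before the wording is treated as settled.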
@@ -52,7 +52,7 @@ in
       config = mkOption {
         type = types.lines;
         default = "";
-        description = lib.mdDoc ''
+        description = ''
           Extra configuration. Contents will be added verbatim to TSocks
           configuration file.
         '';
diff --git a/nixos/modules/services/security/torsocks.nix b/nixos/modules/services/security/torsocks.nix
index 0647d7eb49bcd..32047f613d9fb 100644
--- a/nixos/modules/services/security/torsocks.nix
+++ b/nixos/modules/services/security/torsocks.nix
@@ -38,7 +38,7 @@ in
         type        = types.bool;
         default     = config.services.tor.enable && config.services.tor.client.enable;
         defaultText = literalExpression "config.services.tor.enable && config.services.tor.client.enable";
-        description = lib.mdDoc ''
+        description = ''
           Whether to build `/etc/tor/torsocks.conf`
           containing the specified global torsocks configuration.
         '';
@@ -48,7 +48,7 @@ in
         type    = types.str;
         default = "127.0.0.1:9050";
         example = "192.168.0.20:1234";
-        description = lib.mdDoc ''
+        description = ''
           IP/Port of the Tor SOCKS server. Currently, hostnames are
           NOT supported by torsocks.
         '';
@@ -58,7 +58,7 @@ in
         type    = types.str;
         default = "127.0.0.1:9063";
         example = "192.168.0.20:1234";
-        description = lib.mdDoc ''
+        description = ''
           IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP.
           Currently, hostnames are NOT supported by torsocks.
         '';
@@ -67,7 +67,7 @@ in
       onionAddrRange = mkOption {
         type    = types.str;
         default = "127.42.42.0/24";
-        description = lib.mdDoc ''
+        description = ''
           Tor hidden sites do not have real IP addresses. This
           specifies what range of IP addresses will be handed to the
           application as "cookies" for .onion names.  Of course, you
@@ -81,7 +81,7 @@ in
         type    = types.nullOr types.str;
         default = null;
         example = "bob";
-        description = lib.mdDoc ''
+        description = ''
           SOCKS5 username. The `TORSOCKS_USERNAME`
           environment variable overrides this option if it is set.
         '';
@@ -91,7 +91,7 @@ in
         type    = types.nullOr types.str;
         default = null;
         example = "sekret";
-        description = lib.mdDoc ''
+        description = ''
           SOCKS5 password. The `TORSOCKS_PASSWORD`
           environment variable overrides this option if it is set.
         '';
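Review bot: The `password` option is a plain `types.nullOr types.str`, and the enable option earlier in this file says these settings are rendered into `/etc/tor/torsocks.conf`; if that file is generated from the Nix configuration, as NixOS modules normally do, the literal password ends up in the world-readable Nix store and is visible to every local user. The description should state this so nobody reuses a credential they care about: `Note: the value is written to the generated torsocks.conf in the world-readable Nix store; treat it as a per-host label rather than a secret.` The same caveat applies to the `username` option in the preceding hunk to a lesser degree. A `passwordFile`-style alternative would be the proper fix, but that is beyond the scope of this mdDoc cleanup.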
@@ -100,7 +100,7 @@ in
       allowInbound = mkOption {
         type    = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Set Torsocks to accept inbound connections. If set to
           `true`, listen() and accept() will be
           allowed to be used with non localhost address.
diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix
index ff54176e13d3a..17bffa57ef3ad 100644
--- a/nixos/modules/services/security/usbguard.nix
+++ b/nixos/modules/services/security/usbguard.nix
@@ -37,7 +37,7 @@ in
 
   options = {
     services.usbguard = {
-      enable = mkEnableOption (lib.mdDoc "USBGuard daemon");
+      enable = mkEnableOption "USBGuard daemon";
 
       package = mkPackageOption pkgs "usbguard" {
         extraDescription = ''
@@ -49,7 +49,7 @@ in
         type = types.nullOr types.path;
         default = "/var/lib/usbguard/rules.conf";
         example = "/run/secrets/usbguard-rules";
-        description = lib.mdDoc ''
+        description = ''
           This tells the USBGuard daemon which file to load as policy rule set.
 
           The file can be changed manually or via the IPC interface assuming it has the right file permissions.
@@ -64,7 +64,7 @@ in
         example = ''
           allow with-interface equals { 08:*:* }
         '';
-        description = lib.mdDoc ''
+        description = ''
           The USBGuard daemon will load this as the policy rule set.
           As these rules are NixOS managed they are immutable and can't
           be changed by the IPC interface.
@@ -82,7 +82,7 @@ in
       implicitPolicyTarget = mkOption {
         type = types.enum [ "allow" "block" "reject" ];
         default = "block";
-        description = lib.mdDoc ''
+        description = ''
           How to treat USB devices that don't match any rule in the policy.
           Target should be one of allow, block or reject (logically remove the
           device node from the system).
@@ -92,7 +92,7 @@ in
       presentDevicePolicy = mkOption {
         type = policy;
         default = "apply-policy";
-        description = lib.mdDoc ''
+        description = ''
           How to treat USB devices that are already connected when the daemon
           starts. Policy should be one of allow, block, reject, keep (keep
           whatever state the device is currently in) or apply-policy (evaluate
@@ -103,7 +103,7 @@ in
       presentControllerPolicy = mkOption {
         type = policy;
         default = "keep";
-        description = lib.mdDoc ''
+        description = ''
           How to treat USB controller devices that are already connected when
           the daemon starts. One of allow, block, reject, keep or apply-policy.
         '';
@@ -112,7 +112,7 @@ in
       insertedDevicePolicy = mkOption {
         type = types.enum [ "block" "reject" "apply-policy" ];
         default = "apply-policy";
-        description = lib.mdDoc ''
+        description = ''
           How to treat USB devices that are already connected after the daemon
           starts. One of block, reject, apply-policy.
         '';
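Review bot: The description of `insertedDevicePolicy` reads "USB devices that are already connected after the daemon starts", which contradicts itself ("already connected" describes the `presentDevicePolicy` case in the hunk above); the option governs devices plugged in after startup. Suggest `How to treat USB devices that are connected after the daemon starts.` so the two options are clearly distinguished. The enclosing `services.usbguard` option set starts before this hunk.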
@@ -121,7 +121,7 @@ in
       restoreControllerDeviceState = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           The  USBGuard  daemon  modifies  some attributes of controller
           devices like the default authorization state of new child device
           instances. Using this setting, you can control whether the daemon
@@ -134,7 +134,7 @@ in
         type = types.listOf types.str;
         default = [ "root" ];
         example = [ "root" "yourusername" ];
-        description = lib.mdDoc ''
+        description = ''
           A list of usernames that the daemon will accept IPC connections from.
         '';
       };
@@ -143,7 +143,7 @@ in
         type = types.listOf types.str;
         default = [ ];
         example = [ "wheel" ];
-        description = lib.mdDoc ''
+        description = ''
           A list of groupnames that the daemon will accept IPC connections
           from.
         '';
@@ -152,12 +152,12 @@ in
       deviceRulesWithPort = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Generate device specific rules including the "via-port" attribute.
         '';
       };
 
-      dbus.enable = mkEnableOption (lib.mdDoc "USBGuard dbus daemon");
+      dbus.enable = mkEnableOption "USBGuard dbus daemon";
     };
   };
 
diff --git a/nixos/modules/services/security/vault-agent.nix b/nixos/modules/services/security/vault-agent.nix
index f8c281442f5fe..fd3e39fb65981 100644
--- a/nixos/modules/services/security/vault-agent.nix
+++ b/nixos/modules/services/security/vault-agent.nix
@@ -6,20 +6,20 @@ let
   format = pkgs.formats.json { };
   commonOptions = { pkgName, flavour ? pkgName }: mkOption {
     default = { };
-    description = mdDoc ''
+    description = ''
       Attribute set of ${flavour} instances.
       Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here.
     '';
     type = with types; attrsOf (submodule ({ name, ... }: {
       options = {
-        enable = mkEnableOption (mdDoc "this ${flavour} instance") // { default = true; };
+        enable = mkEnableOption "this ${flavour} instance" // { default = true; };
 
         package = mkPackageOption pkgs pkgName { };
 
         user = mkOption {
           type = types.str;
           default = "root";
-          description = mdDoc ''
+          description = ''
             User under which this instance runs.
           '';
         };
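Review bot: The `user` option's description says only "User under which this instance runs." while the default on the line above is `"root"`; the same holds for `group` in the next hunk. Since the instance is what reads secrets and renders templates, a reader should be told the default is root and that a dedicated account is the intended production setting, e.g. `User under which this instance runs. Defaults to root; use a dedicated user in production.` The `commonOptions` submodule continues outside this hunk.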
@@ -27,7 +27,7 @@ let
         group = mkOption {
           type = types.str;
           default = "root";
-          description = mdDoc ''
+          description = ''
             Group under which this instance runs.
           '';
         };
@@ -40,7 +40,7 @@ let
               pid_file = mkOption {
                 default = "/run/${flavour}/${name}.pid";
                 type = types.str;
-                description = mdDoc ''
+                description = ''
                   Path to use for the pid file.
                 '';
               };
@@ -53,8 +53,7 @@ let
                     if flavour == "vault-agent"
                     then "https://developer.hashicorp.com/vault/docs/agent/template"
                     else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#templates";
-                  in
-                  mdDoc ''
+                  in ''
                     Template section of ${flavour}.
                     Refer to <${upstreamDocs}> for supported values.
                   '';
@@ -69,8 +68,7 @@ let
               if flavour == "vault-agent"
               then "https://developer.hashicorp.com/vault/docs/agent#configuration-file-options"
               else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file";
-            in
-            mdDoc ''
+            in ''
               Free-form settings written directly to the `config.json` file.
               Refer to <${upstreamDocs}> for supported values.
 
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 31782073968fe..ab86da47b2e1c 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -43,14 +43,14 @@ in
 {
   options = {
     services.vault = {
-      enable = mkEnableOption (lib.mdDoc "Vault daemon");
+      enable = mkEnableOption "Vault daemon";
 
       package = mkPackageOption pkgs "vault" { };
 
       dev = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
         '';
       };
@@ -58,7 +58,7 @@ in
       devRootTokenID = mkOption {
         type = types.str;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Initial root token. This only applies when {option}`services.vault.dev` is true
         '';
       };
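Review bot: `devRootTokenID` is declared with `type = types.str;` but carries `default = false;`, so the default does not satisfy the option's own type; the module system would presumably reject it whenever the value is evaluated without the user setting it, which looks like it only happens when `services.vault.dev` is true. Either drop the default (making the option required in dev mode) or make the type `types.nullOr types.str` with `default = null;` and document that a null value lets Vault generate the token. The description should also say that this token is a development-only credential, e.g. `Initial root token for dev mode; never use a fixed token outside testing.` The surrounding `services.vault` option set continues beyond this hunk.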
@@ -66,21 +66,21 @@ in
       address = mkOption {
         type = types.str;
         default = "127.0.0.1:8200";
-        description = lib.mdDoc "The name of the ip interface to listen to";
+        description = "The name of the ip interface to listen to";
       };
 
       tlsCertFile = mkOption {
         type = types.nullOr types.str;
         default = null;
         example = "/path/to/your/cert.pem";
-        description = lib.mdDoc "TLS certificate file. TLS will be disabled unless this option is set";
+        description = "TLS certificate file. TLS will be disabled unless this option is set";
       };
 
       tlsKeyFile = mkOption {
         type = types.nullOr types.str;
         default = null;
         example = "/path/to/your/key.pem";
-        description = lib.mdDoc "TLS private key file. TLS will be disabled unless this option is set";
+        description = "TLS private key file. TLS will be disabled unless this option is set";
       };
 
       listenerExtraConfig = mkOption {
@@ -88,13 +88,13 @@ in
         default = ''
           tls_min_version = "tls12"
         '';
-        description = lib.mdDoc "Extra text appended to the listener section.";
+        description = "Extra text appended to the listener section.";
       };
 
       storageBackend = mkOption {
         type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
         default = "inmem";
-        description = lib.mdDoc "The name of the type of storage backend";
+        description = "The name of the type of storage backend";
       };
 
       storagePath = mkOption {
@@ -105,13 +105,13 @@ in
           then "/var/lib/vault"
           else null
         '';
-        description = lib.mdDoc "Data directory for file backend";
+        description = "Data directory for file backend";
       };
 
       storageConfig = mkOption {
         type = types.nullOr types.lines;
         default = null;
-        description = lib.mdDoc ''
+        description = ''
           HCL configuration to insert in the storageBackend section.
 
           Confidential values should not be specified here because this option's
@@ -124,19 +124,19 @@ in
       telemetryConfig = mkOption {
         type = types.lines;
         default = "";
-        description = lib.mdDoc "Telemetry configuration";
+        description = "Telemetry configuration";
       };
 
       extraConfig = mkOption {
         type = types.lines;
         default = "";
-        description = lib.mdDoc "Extra text appended to {file}`vault.hcl`.";
+        description = "Extra text appended to {file}`vault.hcl`.";
       };
 
       extraSettingsPaths = mkOption {
         type = types.listOf types.path;
         default = [];
-        description = lib.mdDoc ''
+        description = ''
           Configuration files to load besides the immutable one defined by the NixOS module.
           This can be used to avoid putting credentials in the Nix store, which can be read by any user.
 
diff --git a/nixos/modules/services/security/yubikey-agent.nix b/nixos/modules/services/security/yubikey-agent.nix
index f7ee952e7f61e..991f6a5595451 100644
--- a/nixos/modules/services/security/yubikey-agent.nix
+++ b/nixos/modules/services/security/yubikey-agent.nix
@@ -18,7 +18,7 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = lib.mdDoc ''
+        description = ''
           Whether to start yubikey-agent when you log in.  Also sets
           SSH_AUTH_SOCK to point at yubikey-agent.