1 files changed, 38 insertions, 26 deletions

diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 21c798b3b4a4..ce874a6e0b2d 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -25,7 +25,9 @@ In addition to numerous new and updated packages, this release has the following
 
 - NixOS now defaults to using [nsncd](https://github.com/twosigma/nsncd), a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it:
   ```nix
-  services.nscd.enableNsncd = false;
+  {
+    services.nscd.enableNsncd = false;
+  }
   ```
 
 - The internal option `boot.bootspec.enable` is now enabled by default because [RFC 0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot.
@@ -190,11 +192,13 @@ In addition to numerous new and updated packages, this release has the following
 - MAC-then-encrypt algorithms were removed from the default selection of `services.openssh.settings.Macs`. If you still require these [MACs](https://en.wikipedia.org/wiki/Message_authentication_code), for example when you are relying on libssh2 (e.g. VLC) or the SSH library shipped on the iPhone, you can re-add them like this:
 
   ```nix
-  services.openssh.settings.Macs = [
-    "hmac-sha2-512"
-    "hmac-sha2-256"
-    "umac-128@openssh.com"
-  ];
+  {
+    services.openssh.settings.Macs = [
+      "hmac-sha2-512"
+      "hmac-sha2-256"
+      "umac-128@openssh.com"
+    ];
+  }
   ```
 
 - `podman` now uses the `netavark` network stack. Users will need to delete all of their local containers, images, volumes, etc, by running `podman system reset --force` once before upgrading their systems.
@@ -227,21 +231,25 @@ In addition to numerous new and updated packages, this release has the following
 - The attributes used by `services.snapper.configs.<name>` have changed. Migrate from this:
 
   ```nix
-  services.snapper.configs.example = {
-    subvolume = "/example";
-    extraConfig = ''
-      ALLOW_USERS="alice"
-    '';
-  };
+  {
+    services.snapper.configs.example = {
+      subvolume = "/example";
+      extraConfig = ''
+        ALLOW_USERS="alice"
+      '';
+    };
+  }
   ```
 
   to this:
 
   ```nix
-  services.snapper.configs.example = {
-    SUBVOLUME = "/example";
-    ALLOW_USERS = [ "alice" ];
-  };
+  {
+    services.snapper.configs.example = {
+      SUBVOLUME = "/example";
+      ALLOW_USERS = [ "alice" ];
+    };
+  }
   ```
 
 - The default module options for [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall), [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) and [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) have been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
@@ -446,15 +454,17 @@ In addition to numerous new and updated packages, this release has the following
 - NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:
 
   ```nix
-  swapDevices = [ {
-    device = "/dev/disk/by-partlabel/swapspace";
-    randomEncryption = {
-      enable = true;
-      cipher = "aes-xts-plain64";
-      keySize = 512;
-      sectorSize = 4096;
-    };
-  } ];
+  {
+    swapDevices = [ {
+      device = "/dev/disk/by-partlabel/swapspace";
+      randomEncryption = {
+        enable = true;
+        cipher = "aes-xts-plain64";
+        keySize = 512;
+        sectorSize = 4096;
+      };
+    } ];
+  }
   ```
 
 - New option `security.pam.zfs` to enable unlocking and mounting of encrypted ZFS home dataset at login.
@@ -465,7 +475,9 @@ In addition to numerous new and updated packages, this release has the following
 
 - PostgreSQL has added opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
   ```nix
-  services.postgresql.enableJIT = true;
+  {
+    services.postgresql.enableJIT = true;
+  }
   ```
 
 - `services.netdata` offers a [`services.netdata.deadlineBeforeStopSec`](#opt-services.netdata.deadlineBeforeStopSec) option which will control the deadline (in seconds) after which systemd will consider your netdata instance as dead if it didn't start in the elapsed time. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades.