diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6d493f4d7cde9317baf40f82887fcd17e11c5d97..4c932a024e1a894d9c1af9a4e17454a186ecdf99 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -23,6 +23,7 @@ workflow: stages: - build-image +- housekeeping - lint - hotfix-prepare - cluster-tests @@ -133,14 +134,32 @@ flake8: when: on_success - when: never +render-options: + stage: housekeeping + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + before_script: + - git config --global user.email "$GITLAB_USER_EMAIL" + - git config --global user.name "$GITLAB_USER_NAME" + script: + - bash ./ci/housekeeping/render-options.sh + artifacts: + paths: + - public/ + rules: + - !reference [.default_lint_rules, rules] + - changes: + - nix/yk8s/* + when: on_success + - when: never + poetry-lock: image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" before_script: - git config --global user.email "$GITLAB_USER_EMAIL" - git config --global user.name "$GITLAB_USER_NAME" script: - - bash ./ci/lint/poetry-lock.sh - stage: lint + - bash ./ci/housekeeping/poetry-lock.sh + stage: housekeeping tags: - docker rules: @@ -179,7 +198,6 @@ build-docs-check: - export PATH="$VIRTUAL_ENV/bin:$PATH" script: - towncrier build --version x.x.x --keep - - nix build .#docsRST -o docs/user/reference/options - sphinx-build -W docs _build/html - mv _build/html public artifacts: diff --git a/ci/lint/poetry-lock.sh b/ci/housekeeping/poetry-lock.sh similarity index 100% rename from ci/lint/poetry-lock.sh rename to ci/housekeeping/poetry-lock.sh diff --git a/ci/housekeeping/render-options.sh b/ci/housekeeping/render-options.sh new file mode 100755 index 0000000000000000000000000000000000000000..ec3cafb91d8b28271ef99739428a97705b993644 --- /dev/null +++ b/ci/housekeeping/render-options.sh 
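Review bot: The `changes:` filter on the new `render-options` job, `- nix/yk8s/*`, matches only files directly inside `nix/yk8s/`, while the rendered pages added by this same commit point at option declarations under `nix/yk8s/k8s-supplements/` (their "Declared by" links). As far as I know, GitLab's `changes` globs do not let a single `*` cross a `/`, so edits to those modules would not trigger a re-render and the committed reference, including the IPsec, Vault and cert-manager options, could go stale without anyone noticing. I would write `- nix/yk8s/**/*` there. The job also declares `artifacts: paths: - public/` although nothing visible in `render-options.sh` writes `public/`, and unlike `poetry-lock` it has no `tags: - docker`; both look like copy-over leftovers worth removing or explaining in a comment. The `poetry-lock` job continues past the end of the hunk.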
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+actions_dir="$(dirname "$0")/../../actions"
+
+# shellcheck source=actions/lib.sh
+. "$actions_dir/lib.sh"
+
+function diff_options() {
+ url="$1"
+ branch="$2"
+
+ run git remote set-url origin "${url}"
+ run git fetch origin
+ run git checkout "${branch}"
+ run git add ./docs/user/reference/options
+ run pre-commit run || true
+ run git add ./docs/user/reference/options
+ run git status
+ CHANGES=$(git diff "${branch}" --staged --name-only -- ./docs/user/reference/options | wc -l)
+ if [ "${CHANGES}" -gt 0 ]; then
+ run pre-commit install
+ run git commit -m "Update rendered docs" -m "job url: ${CI_JOB_URL}"
+ else
+ echo "Rendered docs are up-to-date. Nothing to commit."
+ fi
+}
+
+run nix build --no-link .#docsRST
+out="$(nix build --print-out-paths --no-link .#docsRST)"
+run rsync -rL --delete --chmod 664 "$out/" docs/user/reference/options
+
+if [[ -n "${CI_COMMIT_BRANCH:-""}" ]]; then
+ diff_options "https://gitlab-ci-token:${PUSH_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "${CI_COMMIT_BRANCH}"
+ run git push
+ exit 0
+elif [[ -n "${CI_MERGE_REQUEST_IID:-""}" ]]; then
+ diff_options "https://gitlab-ci-token:${PUSH_TOKEN}@${CI_SERVER_HOST}/${CI_MERGE_REQUEST_SOURCE_PROJECT_PATH}.git" "origin/${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
+ run git push origin HEAD:"${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
+ exit 0
+else
+ echo "Automatically rendering docs is only available for MRs and on predefined branches. This pipeline runs for neither of them."
+ exit 1
+fi
diff --git a/docs/_releasenotes/1545.misc.fixes-stage b/docs/_releasenotes/1545.misc.fixes-stage
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/docs/user/reference/.gitignore b/docs/user/reference/.gitignore
deleted file mode 100644
index 55bdd06939d0a07413a1b3e8b86ad0b90a85c3dc..0000000000000000000000000000000000000000
--- a/docs/user/reference/.gitignore
+++ /dev/null
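Review bot: `PUSH_TOKEN` is embedded in the remote URL and handed to the `run` wrapper at `run git remote set-url origin "${url}"` in `diff_options`, so it is persisted in `.git/config` for the rest of the job and, if `run` from `actions/lib.sh` (not visible here) echoes its arguments, it also reaches the job log unless the variable is masked. The same script runs `nix build` and `pre-commit run` on the checked-out branch's own content with that token in the environment, so for merge-request pipelines the source branch's code executes next to a write-capable credential; it is worth confirming how the variable is scoped and protected before relying on this. I would call that one command without the wrapper, `git remote set-url origin "${url}"`, or pass the token through a git credential helper rather than the URL. A comment above it such as `# PUSH_TOKEN must be a masked CI variable; never pass it through run/echo` would document the constraint. Separately, `run pre-commit run || true` discards every hook failure, so a comment stating that only the hooks' auto-fixes are wanted would make that intent explicit.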
@@ -1 +0,0 @@ -options diff --git a/docs/user/reference/options/index.rst b/docs/user/reference/options/index.rst new file mode 100644 index 0000000000000000000000000000000000000000..addcf9e25238288d8305877e34d462e8704d9d88 --- /dev/null +++ b/docs/user/reference/options/index.rst @@ -0,0 +1,80 @@ +Configuration Options +##################### + + +.. toctree:: + :maxdepth: 2 + :hidden: + + yk8s.ch-k8s-lbaas + yk8s.ipsec + yk8s.k8s-service-layer.cert-manager + yk8s.k8s-service-layer.etcd-backup + yk8s.k8s-service-layer.fluxcd + yk8s.k8s-service-layer.ingress + yk8s.k8s-service-layer.prometheus + yk8s.k8s-service-layer.rook + yk8s.k8s-service-layer.vault + yk8s.kubernetes.kubelet + yk8s.kubernetes.local_storage.dynamic + yk8s.kubernetes.local_storage.static + yk8s.kubernetes.network.calico + yk8s.kubernetes.network + yk8s.kubernetes + yk8s.kubernetes.storage + yk8s.load-balancing + yk8s.miscellaneous + yk8s.node-scheduling + yk8s.nvidia + yk8s.terraform + yk8s.testing + yk8s.vault + yk8s.wireguard + +:doc:`ch-k8s-lbaas ` + +:doc:`ipsec ` + +:doc:`k8s-service-layer.cert-manager ` + +:doc:`k8s-service-layer.etcd-backup ` + +:doc:`k8s-service-layer.fluxcd ` + +:doc:`k8s-service-layer.ingress ` + +:doc:`k8s-service-layer.prometheus ` + +:doc:`k8s-service-layer.rook ` + +:doc:`k8s-service-layer.vault ` + +:doc:`kubernetes.kubelet ` + +:doc:`kubernetes.local_storage.dynamic ` + +:doc:`kubernetes.local_storage.static ` + +:doc:`kubernetes.network.calico ` + +:doc:`kubernetes.network ` + +:doc:`kubernetes ` + +:doc:`kubernetes.storage ` + +:doc:`load-balancing ` + +:doc:`miscellaneous ` + +:doc:`node-scheduling ` + +:doc:`nvidia ` + +:doc:`terraform ` + +:doc:`testing ` + +:doc:`vault ` + +:doc:`wireguard ` diff --git a/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst b/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst new file mode 100644 index 0000000000000000000000000000000000000000..f42438fc1780769ce6f8898174798fed482ad22e --- /dev/null 
+++ b/docs/user/reference/options/yk8s.ch-k8s-lbaas.rst 
@@ -0,0 +1,400 @@ +.. _configuration-options.yk8s.ch-k8s-lbaas: + +yk8s.ch-k8s-lbaas +^^^^^^^^^^^^^^^^^ + + + +.. _configuration-options.yk8s.ch-k8s-lbaas.agent_port: + +``yk8s.ch-k8s-lbaas.agent_port`` +################################ + +The TCP port on which the LBaaS agent should listen on the frontend nodes. + + +**Type:**:: + + 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + 15203 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.agent_source: + +``yk8s.ch-k8s-lbaas.agent_source`` +################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://github.com/cloudandheat/ch-k8s-lbaas/releases/download" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.agent_urls: + +``yk8s.ch-k8s-lbaas.agent_urls`` +################################ + +Customize URLs for the agents. This will typically be a list of HTTP URLs +like http://agent_ip:15203. This option is only used if the port manager is +set to `static`, and must be set if the port manager is `static`. + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.agent_user: + +``yk8s.ch-k8s-lbaas.agent_user`` +################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "ch-k8s-lbaas-agent" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. 
_configuration-options.yk8s.ch-k8s-lbaas.controller_repo: + +``yk8s.ch-k8s-lbaas.controller_repo`` +##################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "registry.gitlab.com/yaook/ch-k8s-lbaas/controller" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.controller_resources: + +``yk8s.ch-k8s-lbaas.controller_resources`` +########################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.controller_resources.limits.cpu: + +``yk8s.ch-k8s-lbaas.controller_resources.limits.cpu`` +##################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.controller_resources.limits.memory: + +``yk8s.ch-k8s-lbaas.controller_resources.limits.memory`` +######################################################## + +Request and limit for the LBaaS controller + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "256Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.controller_resources.requests.cpu: + +``yk8s.ch-k8s-lbaas.controller_resources.requests.cpu`` +####################################################### + +Request and limit for the LBaaS controller + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? 
+ + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.controller_resources.requests.memory: + +``yk8s.ch-k8s-lbaas.controller_resources.requests.memory`` +########################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.ch-k8s-lbaas.controller_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.enabled: + +``yk8s.ch-k8s-lbaas.enabled`` +############################# + +Whether to enable our LBaas service. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.port_manager: + +``yk8s.ch-k8s-lbaas.port_manager`` +################################## + +Configure which IP address ("port") manager to use. Two options are available: + +* openstack: Uses OpenStack and the yaook/k8s gateway nodes to provision + LBaaS IP addresses ports. +* static: Uses a fixed set of IP addresses to use for load balancing. When the + static port manager is used, the ``agent_urls`` and ``static_ipv4_addresses`` + options must also be configured. + + +**Type:**:: + + string matching the pattern openstack|static + + +**Default:**:: + + "openstack" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. 
_configuration-options.yk8s.ch-k8s-lbaas.shared_secret: + +``yk8s.ch-k8s-lbaas.shared_secret`` +################################### + +A unique, random, base64-encoded secret. +To generate such a secret, you can use the following command: +$ dd if=/dev/urandom bs=16 count=1 status=none | base64 + + +**Type:**:: + + non-empty string + + +**Example:**:: + + "RuDXD7CcNZHrRAV9AAN83T7Hc6wVk9IGzPou6UjwWhL+4hu1I4XPj+YG/AgKiFIc1a1EzmQKax9VAj6P/oA45w==" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.static_ipv4_addresses: + +``yk8s.ch-k8s-lbaas.static_ipv4_addresses`` +########################################### + +List of IPv4 addresses which are usable for the static port manager. It is +your responsibility to ensure that the node(s) which run the agent(s) receive +traffic for these IPv4 addresses. + + +**Type:**:: + + list of string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])$ + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.use_bgp: + +``yk8s.ch-k8s-lbaas.use_bgp`` +############################# + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. _configuration-options.yk8s.ch-k8s-lbaas.use_floating_ips: + +``yk8s.ch-k8s-lbaas.use_floating_ips`` +###################################### + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix + + +.. 
_configuration-options.yk8s.ch-k8s-lbaas.version: + +``yk8s.ch-k8s-lbaas.version`` +############################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "0.9.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ch-k8s-lbaas.nix diff --git a/docs/user/reference/options/yk8s.ipsec.rst b/docs/user/reference/options/yk8s.ipsec.rst new file mode 100644 index 0000000000000000000000000000000000000000..443b9ec774b1f07ef814e2704e3a7b32d04b890d --- /dev/null +++ b/docs/user/reference/options/yk8s.ipsec.rst 
@@ -0,0 +1,275 @@ +.. _configuration-options.yk8s.ipsec: + +yk8s.ipsec +^^^^^^^^^^ + + +More details about the IPsec setup can be found +:doc:`here `. + +.. _configuration-options.yk8s.ipsec.enabled: + +``yk8s.ipsec.enabled`` +###################### + +Whether to enable . + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.esp_proposals: + +``yk8s.ipsec.esp_proposals`` +############################ + +A list of parent SA proposals to offer to the client. + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + "\${cfg.proposals}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.local_networks: + +``yk8s.ipsec.local_networks`` +############################# + +List of CIDRs to offer to the peer + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ + "172.30.154.0/24" + ] + + +**Example:**:: + + '' + Set the following for a working NAT-free setup + [ + config.yk8s.terraform.subnet_cidr + config.yk8s.kubernetes.network.pod_subnet + config.yk8s.kubernetes.network.service_subnet + ] + '' + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.peer_networks: + +``yk8s.ipsec.peer_networks`` +############################ + +List of CIDRs to route to the peer. If not set, only dynamic IP +assignments will be routed. + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.proposals: + +``yk8s.ipsec.proposals`` +######################## + +A list of parent SA proposals to offer to the client. 
+ + +**Type:**:: + + list of non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.purge_installation: + +``yk8s.ipsec.purge_installation`` +################################# + +Whether to enable purging the ipsec installation. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.remote_addrs: + +``yk8s.ipsec.remote_addrs`` +########################### + +List of addresses to accept as remote. When initiating, the first single IP +address is used. + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.remote_name: + +``yk8s.ipsec.remote_name`` +########################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "peerid" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.remote_private_addrs: + +``yk8s.ipsec.remote_private_addrs`` +################################### + +Private address of remote endpoint. +only used when test_enabled is True + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.test_enabled: + +``yk8s.ipsec.test_enabled`` +########################### + +Whether to enable the test suite. +Must make sure a remote endpoint, with ipsec enabled, is running and open for connections. +. 
+ +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix + + +.. _configuration-options.yk8s.ipsec.virtual_subnet_pool: + +``yk8s.ipsec.virtual_subnet_pool`` +################################## + +Pool to source virtual IP addresses from. Those are the IP addresses assigned +to clients which do not have remote networks. (e.g.: "10.3.0.0/24") + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ipsec.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.cert-manager.rst b/docs/user/reference/options/yk8s.k8s-service-layer.cert-manager.rst new file mode 100644 index 0000000000000000000000000000000000000000..5faa4f4c8aa5112b594195bb0139ae74a40db66b --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.cert-manager.rst 
@@ -0,0 +1,295 @@ +.. _configuration-options.yk8s.k8s-service-layer.cert-manager: + +yk8s.k8s-service-layer.cert-manager +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +The used Cert-Manager controller setup will be explained in more detail +soon :) + + .. note:: + + To enable cert-manager, + ``k8s-service-layer.cert-manager.enabled`` needs to be set to + ``true``. + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.chart_ref: + +``yk8s.k8s-service-layer.cert-manager.chart_ref`` +################################################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "jetstack/cert-manager" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.chart_version: + +``yk8s.k8s-service-layer.cert-manager.chart_version`` +##################################################### + + + +**Type:**:: + + string + + +**Default:**:: + + "1.15.2" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.enabled: + +``yk8s.k8s-service-layer.cert-manager.enabled`` +############################################### + +Whether to enable management of a cert-manager.io instance. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.helm_repo_url: + +``yk8s.k8s-service-layer.cert-manager.helm_repo_url`` +##################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://charts.jetstack.io" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.cert-manager.install: + +``yk8s.k8s-service-layer.cert-manager.install`` +############################################### + +Install or uninstall cert manager. If set to false, the cert-manager will be +uninstalled WITHOUT CHECK FOR DISRUPTION! + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.letsencrypt_email: + +``yk8s.k8s-service-layer.cert-manager.letsencrypt_email`` +######################################################### + +If given, a *cluster wide* Let's Encrypt issuer with that email address will +be generated. Requires an ingress to work correctly. +DO NOT ENABLE THIS IN CUSTOMER CLUSTERS, BECAUSE THEY SHOULD NOT CREATE +CERTIFICATES UNDER OUR NAME. Customers are supposed to deploy their own +ACME/Let's Encrypt issuer. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.letsencrypt_ingress: + +``yk8s.k8s-service-layer.cert-manager.letsencrypt_ingress`` +########################################################### + +The ingress class to use for responding to the ACME challenge. +The default value works for the default k8s-service-layer.ingress +configuration and may need to be adapted in case a different ingress is to be +used. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "nginx" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.cert-manager.letsencrypt_preferred_chain: + +``yk8s.k8s-service-layer.cert-manager.letsencrypt_preferred_chain`` +################################################################### + +By default, the ACME issuer will let the server choose the certificate chain +to use for the certificate. This can be used to override it. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.letsencrypt_server: + +``yk8s.k8s-service-layer.cert-manager.letsencrypt_server`` +########################################################## + +This variable let's you specify the endpoint of the ACME issuer. A common usecase +is to switch between staging and production. +See https://letsencrypt.org/docs/staging-environment/ + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://acme-v02.api.letsencrypt.org/directory" + + +**Example:**:: + + "https://acme-staging-v02.api.letsencrypt.org/directory" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.namespace: + +``yk8s.k8s-service-layer.cert-manager.namespace`` +################################################# + +Configure in which namespace the cert-manager is run. The namespace is +created automatically, but never deleted automatically. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "k8s-svc-cert-manager" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.cert-manager.release_name: + +``yk8s.k8s-service-layer.cert-manager.release_name`` +#################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "cert-manager" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix + + +.. _configuration-options.yk8s.k8s-service-layer.cert-manager.scheduling_key: + +``yk8s.k8s-service-layer.cert-manager.scheduling_key`` +###################################################### + +Scheduling key for the cert manager instance and its resources. Has no +default. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/cert-manager.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.etcd-backup.rst b/docs/user/reference/options/yk8s.k8s-service-layer.etcd-backup.rst new file mode 100644 index 0000000000000000000000000000000000000000..150f051ca753abf12e27ea199f7bb8b19a3f325e --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.etcd-backup.rst 
@@ -0,0 +1,360 @@ +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup: + +yk8s.k8s-service-layer.etcd-backup +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +Automated etcd backups can be configured in this section. When enabled +it periodically creates snapshots of etcd database and store it in a +object storage using s3. It uses the helm chart +`etcdbackup `__ +present in yaook operator helm chart repository. The object storage +retains data for 30 days then deletes it. + +The usage of it is disabled by default but can be enabled (and +configured) in the following section. The credentials are stored in +Vault. By default, they are searched for in the cluster’s kv storage (at +``yaook/$clustername/kv``) under ``etcdbackup``. They must be in the +form of a JSON object/dict with the keys ``access_key`` and +``secret_key``. + +.. note:: + + To enable etcd-backup, + ``k8s-service-layer.etcd-backup.enabled`` needs to be set to + ``true``. + +The following values need to be set: + +================== ======================================= +Variable Description +================== ======================================= +``access_key`` Identifier for your S3 endpoint +``secret_key`` Credential for your S3 endpoint +``endpoint_url`` URL of your S3 endpoint +``endpoint_cacrt`` Certificate bundle of the endpoint. +================== ======================================= + +.. raw:: html + +
+ etcd-backup configuration template + +.. literalinclude:: /templates/etcd_backup_s3_config.template.yaml + :language: yaml + +.. raw:: html + +
+ +.. raw:: html + +
+ Generate/Figure out etcd-backup configuration values + +.. code:: shell + + # Generate access and secret key on OpenStack + openstack ec2 credentials create + + # Get certificate bundle of url + openssl s_client -connect ENDPOINT_URL:PORT showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' + +.. raw:: html + +
+ +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.bucket_name: + +``yk8s.k8s-service-layer.etcd-backup.bucket_name`` +################################################## + +Name of the s3 bucket to store the backups. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "etcd-backup" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.chart_version: + +``yk8s.k8s-service-layer.etcd-backup.chart_version`` +#################################################### + +etcdbackup chart version to install. +If this is not specified, the latest version is installed. + + +**Type:**:: + + string + + +**Default:**:: + + "" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.days_of_retention: + +``yk8s.k8s-service-layer.etcd-backup.days_of_retention`` +######################################################## + +Number of days after which individual items in the bucket are dropped. Enforced by S3 lifecyle rules which +are also implemented by Ceph's RGW. + + +**Type:**:: + + signed integer + + +**Default:**:: + + 30 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.enabled: + +``yk8s.k8s-service-layer.etcd-backup.enabled`` +############################################## + +Whether to enable etcd-backups. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.etcd-backup.file_prefix: + +``yk8s.k8s-service-layer.etcd-backup.file_prefix`` +################################################## + +Name of the folder to keep the backup files. + + +**Type:**:: + + string + + +**Default:**:: + + "etcd-backup" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.helm_repo_url: + +``yk8s.k8s-service-layer.etcd-backup.helm_repo_url`` +#################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://charts.yaook.cloud/operator/stable/" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.metrics_port: + +``yk8s.k8s-service-layer.etcd-backup.metrics_port`` +################################################### + +Metrics port on which the backup-shifter Pod will provide metrics. +Please note that the etcd-backup deployment runs in host network mode +for easier access to the etcd cluster. + + +**Type:**:: + + 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + 19100 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.name: + +``yk8s.k8s-service-layer.etcd-backup.name`` +########################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "etcd-backup" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.etcd-backup.namespace: + +``yk8s.k8s-service-layer.etcd-backup.namespace`` +################################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "kube-system" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.schedule: + +``yk8s.k8s-service-layer.etcd-backup.schedule`` +############################################### + +Configure value for the cron job schedule for etcd backups. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "21 */12 * * *" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.secret_name: + +``yk8s.k8s-service-layer.etcd-backup.secret_name`` +################################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "etcd-backup-s3-credentials" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.vault_mount_point: + +``yk8s.k8s-service-layer.etcd-backup.vault_mount_point`` +######################################################## + +Configure the location of the Vault kv2 storage where the credentials can +be found. This location is the default location used by import.sh and is +recommended. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "yaook/\${config.yk8s.vault.cluster_name}/kv" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix + + +.. _configuration-options.yk8s.k8s-service-layer.etcd-backup.vault_path: + +``yk8s.k8s-service-layer.etcd-backup.vault_path`` +################################################# + +Configure the kv2 key under which the credentials are found inside Vault. 
+This location is the default location used by import.sh and is recommended. + +The role expects a JSON object with `access_key` and `secret_key` keys, +containing the corresponding S3 credentials. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "etcdbackup" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.fluxcd.rst b/docs/user/reference/options/yk8s.k8s-service-layer.fluxcd.rst new file mode 100644 index 0000000000000000000000000000000000000000..3a1f459935841e5b5f40ca526634a8932dacd477 --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.fluxcd.rst 
@@ -0,0 +1,173 @@ +.. _configuration-options.yk8s.k8s-service-layer.fluxcd: + +yk8s.k8s-service-layer.fluxcd +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +More details about our FluxCD2 implementation can be found +:doc:`here `. + +The following configuration options are available: + +.. _configuration-options.yk8s.k8s-service-layer.fluxcd.enabled: + +``yk8s.k8s-service-layer.fluxcd.enabled`` +######################################### + +Whether to enable Flux management. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix + + +.. _configuration-options.yk8s.k8s-service-layer.fluxcd.helm_repo_url: + +``yk8s.k8s-service-layer.fluxcd.helm_repo_url`` +############################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://fluxcd-community.github.io/helm-charts" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix + + +.. _configuration-options.yk8s.k8s-service-layer.fluxcd.install: + +``yk8s.k8s-service-layer.fluxcd.install`` +######################################### + +If enabled, choose whether to install or uninstall fluxcd2. IF SET TO +FALSE, FLUXCD2 WILL BE DELETED WITHOUT CHECKING FOR DISRUPTION. + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix + + +.. _configuration-options.yk8s.k8s-service-layer.fluxcd.legacy: + +``yk8s.k8s-service-layer.fluxcd.legacy`` +######################################## + +Whether to enable usage of the legacy version of flux. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.fluxcd.namespace: + +``yk8s.k8s-service-layer.fluxcd.namespace`` +########################################### + +Namespace to deploy the flux-system in (will be created if it does not exist, but +never deleted). + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "k8s-svc-flux-system" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix + + +.. _configuration-options.yk8s.k8s-service-layer.fluxcd.scheduling_key: + +``yk8s.k8s-service-layer.fluxcd.scheduling_key`` +################################################ + +Scheduling key for the flux instance and its resources. Has no +default. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix + + +.. _configuration-options.yk8s.k8s-service-layer.fluxcd.version: + +``yk8s.k8s-service-layer.fluxcd.version`` +######################################### + +Helm chart version of fluxcd to be deployed. + + +**Type:**:: + + string + + +**Default:**:: + + "2.9.2" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/fluxcd.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.ingress.rst b/docs/user/reference/options/yk8s.k8s-service-layer.ingress.rst new file mode 100644 index 0000000000000000000000000000000000000000..a5b39e2b43e8428e28b690b93c877338af367297 --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.ingress.rst 
@@ -0,0 +1,449 @@ +.. _configuration-options.yk8s.k8s-service-layer.ingress: + +yk8s.k8s-service-layer.ingress +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +The used NGINX ingress controller setup will be explained in more detail +soon :) + +.. note:: + + To enable an ingress controller, + ``k8s-service-layer.ingress.enabled`` needs to be set to ``true``. + +.. _configuration-options.yk8s.k8s-service-layer.ingress.allow_snippet_annotations: + +``yk8s.k8s-service-layer.ingress.allow_snippet_annotations`` +############################################################ + +Whether to enable snippet annotations. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.chart_ref: + +``yk8s.k8s-service-layer.ingress.chart_ref`` +############################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "ingress-nginx/ingress-nginx" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.chart_version: + +``yk8s.k8s-service-layer.ingress.chart_version`` +################################################ + + + +**Type:**:: + + string + + +**Default:**:: + + "4.11.1" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.enable_ssl_passthrough: + +``yk8s.k8s-service-layer.ingress.enable_ssl_passthrough`` +######################################################### + +Enable SSL passthrough in the controller + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.ingress.enabled: + +``yk8s.k8s-service-layer.ingress.enabled`` +########################################## + +Whether to enable nginx-ingress management.. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.helm_repo_url: + +``yk8s.k8s-service-layer.ingress.helm_repo_url`` +################################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://kubernetes.github.io/ingress-nginx" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.install: + +``yk8s.k8s-service-layer.ingress.install`` +########################################## + +If enabled, choose whether to install or uninstall the ingress. IF SET TO +FALSE, THE INGRESS CONTROLLER WILL BE DELETED WITHOUT CHECKING FOR +DISRUPTION. + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.namespace: + +``yk8s.k8s-service-layer.ingress.namespace`` +############################################ + +Namespace to deploy the ingress in (will be created if it does not exist, but +never deleted). + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "k8s-svc-ingress" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.ingress.nodeport_http: + +``yk8s.k8s-service-layer.ingress.nodeport_http`` +################################################ + +Node port for the HTTP endpoint + + +**Type:**:: + + 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + 32080 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.nodeport_https: + +``yk8s.k8s-service-layer.ingress.nodeport_https`` +################################################# + +Node port for the HTTPS endpoint + + +**Type:**:: + + 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + 32443 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.release_name: + +``yk8s.k8s-service-layer.ingress.release_name`` +############################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "ingress" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.replica_count: + +``yk8s.k8s-service-layer.ingress.replica_count`` +################################################ + +Replica Count + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 1 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.resources: + +``yk8s.k8s-service-layer.ingress.resources`` +############################################ + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.ingress.resources.limits.cpu: + +``yk8s.k8s-service-layer.ingress.resources.limits.cpu`` +####################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.resources.limits.memory: + +``yk8s.k8s-service-layer.ingress.resources.limits.memory`` +########################################################## + +Request and limit for the Nginx Ingress controller + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "128Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.resources.requests.cpu: + +``yk8s.k8s-service-layer.ingress.resources.requests.cpu`` +######################################################### + +Request and limit for the Nginx Ingress controller + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.resources.requests.memory: + +``yk8s.k8s-service-layer.ingress.resources.requests.memory`` +############################################################ + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? 
+ + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.ingress.resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.scheduling_key: + +``yk8s.k8s-service-layer.ingress.scheduling_key`` +################################################# + +Scheduling key for the cert manager instance and its resources. Has no +default. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix + + +.. _configuration-options.yk8s.k8s-service-layer.ingress.service_type: + +``yk8s.k8s-service-layer.ingress.service_type`` +############################################### + +Service type for the frontend Kubernetes service. + + +**Type:**:: + + string matching the pattern ClusterIP|NodeIP|LoadBalancer + + +**Default:**:: + + "LoadBalancer" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/ingress.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.prometheus.rst b/docs/user/reference/options/yk8s.k8s-service-layer.prometheus.rst new file mode 100644 index 0000000000000000000000000000000000000000..c68cd7ba6e709f155bd4c053c3bb4888bc90527e --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.prometheus.rst 
@@ -0,0 +1,2303 @@ +.. _configuration-options.yk8s.k8s-service-layer.prometheus: + +yk8s.k8s-service-layer.prometheus +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +The used prometheus-based monitoring setup will be explained in more +detail soon :) + +.. note:: + + To enable prometheus, + ``k8s-service-layer.prometheus.install`` and + ``kubernetes.monitoring.enabled`` need to be set to ``true``. + + +Tweak Thanos Configuration +"""""""""""""""""""""""""" + +index-cache-size / in-memory-max-size +************************************* + +Thanos is unaware of its Kubernetes limits +which can lead to OOM kills of the storegateway +if a lot of metrics are requested. + +We therefore added an option to configure the +``index-cache-size`` +(see `Tweak Thanos configuration (!1116) · Merge requests · YAOOK / k8s · GitLab `__ +and (see `Thanos - Highly available Prometheus setup with long term storage capabilities `__) +which should prevent that and is available as of `release/v3.0 · YAOOK / k8s · GitLab `__. + +It can be configured by setting +the following configuration options: + +.. code:: nix + + k8s-service-layer.prometheus.thanos_store_in_memory_max_size = "XGB"; + k8s-service-layer.prometheus.thanos_store_memory_request = "XGi"; + k8s-service-layer.prometheus.thanos_store_memory_limit = "XGi"; + +Note that the value must be a decimal unit! +Please also note that you should set a meaningful value +based on the configured ``thanos_store_memory_limit``. +If this variable is not explicitly configured, +the helm chart default is used which is not optimal. +You should configure both variables and in the best +case you additionally set ``thanos_store_memory_request`` +to the same value as ``thanos_store_memory_limit``. + +Persistence +*********** + +With `release/v3.0 · YAOOK / k8s · GitLab `__, +persistence for Thanos components has been reworked. +By default, Thanos components use emptyDirs. 
+Depending on the size of the cluster and the metrics +flying around, Thanos components may need more disk +than the host node can provide them and in that cases +it makes sense to configure persistence. + +If you want to enable persistence for Thanos components, +you can do so by configuring a storage class +to use and you can specify the persistent volume +size for each component like in the following. + +.. code:: nix + + k8s-service-layer.prometheus.thanos_storage_class = "SOME_STORAGE_CLASS"; + k8s-service-layer.prometheus.thanos_storegateway_size = "XGi"; + k8s-service-layer.prometheus.thanos_compactor_size = "YGi"; + +Options +******* + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.alertmanager_replicas: + +``yk8s.k8s-service-layer.prometheus.alertmanager_replicas`` +########################################################### + +How many replicas of the alertmanager should be deployed inside the cluster + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 1 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.alertmanager_resources: + +``yk8s.k8s-service-layer.prometheus.alertmanager_resources`` +############################################################ + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.alertmanager_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.alertmanager_resources.limits.cpu`` +####################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? 
+ + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.alertmanager_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.alertmanager_resources.limits.memory`` +########################################################################## + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "256Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.alertmanager_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.alertmanager_resources.requests.cpu`` +######################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.alertmanager_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.alertmanager_resources.requests.memory`` +############################################################################ + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.alertmanager_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.allow_external_rules: + +``yk8s.k8s-service-layer.prometheus.allow_external_rules`` +########################################################## + +Whether to enable external rules. +By default, prometheus and alertmanager only consider global rules from the monitoring +namespace while other rules can only alert on their own namespace. If this variable is +set, cluster wide rules are considered from all namespaces. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.blackbox_version: + +``yk8s.k8s-service-layer.prometheus.blackbox_version`` +###################################################### + +Deploy a specific blackbox exporter version +https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-blackbox-exporter + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "7.0.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.common_labels: + +``yk8s.k8s-service-layer.prometheus.common_labels`` +################################################### + +If at least one common_label is defined, Prometheus will be created with selectors +matching these labels and only ServiceMonitors that meet the criteria of the selector, +i.e. are labeled accordingly, are included by Prometheus. +The LCM takes care that all ServiceMonitors created by itself are labeled accordingly. +The key can not be "release" as that one is already used by the Prometheus helm chart. + + +**Type:**:: + + attribute set of non-empty string + + +**Default:**:: + + { + managed-by = "yaook-k8s"; + } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_admin_secret_name: + +``yk8s.k8s-service-layer.prometheus.grafana_admin_secret_name`` +############################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "cah-grafana-admin" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_dashboard_enable_multicluster_support: + +``yk8s.k8s-service-layer.prometheus.grafana_dashboard_enable_multicluster_support`` +################################################################################### + +Enable referencing multiple K8s clusters by a single Grafana datasource. + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.grafana_persistent_storage_class: + +``yk8s.k8s-service-layer.prometheus.grafana_persistent_storage_class`` +###################################################################### + +If this variable is defined, Grafana will store its data in a PersistentVolume +in the defined StorageClass. Otherwise, persistence is disabled for Grafana. +The value has to be a valid StorageClass available in your cluster. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_resources: + +``yk8s.k8s-service-layer.prometheus.grafana_resources`` +####################################################### + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.grafana_resources.limits.cpu`` +################################################################## + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.grafana_resources.limits.memory`` +##################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. 
+By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "512Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.grafana_resources.requests.cpu`` +#################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + "500m" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.grafana_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.grafana_resources.requests.memory`` +####################################################################### + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.grafana_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.grafana_root_url: + +``yk8s.k8s-service-layer.prometheus.grafana_root_url`` +###################################################### + +The full public facing url you use in browser, used for redirects and emails + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.install: + +``yk8s.k8s-service-layer.prometheus.install`` +############################################# + +If kubernetes.monitoring.enabled is true, choose whether to install or uninstall +Prometheus. IF SET TO FALSE, PROMETHEUS WILL BE DELETED WITHOUT CHECKING FOR +DISRUPTION (sic!). + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe: + +``yk8s.k8s-service-layer.prometheus.internet_probe`` +#################################################### + +Whether to enable scraping external targets via blackbox exporter +https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-blackbox-exporter +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe_targets: + +``yk8s.k8s-service-layer.prometheus.internet_probe_targets`` +############################################################ + + + +**Type:**:: + + list of (submodule) + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.interval: + +``yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.interval`` +####################################################################### + +Scraping interval. Overrides value set in `defaults` + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "60s" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.module: + +``yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.module`` +##################################################################### + +module to be used. Can be "http_2xx" (default), "http_api" (allow status codes 200, 300, 401), "http_api_insecure", "icmp" or "tcp_connect". + + +**Type:**:: + + string matching the pattern http_2xx|http_api(_insecure)?|icmp|tcp_connect + + +**Default:**:: + + "http_2xx" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.name: + +``yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.name`` +################################################################### + +Human readable URL that will appear in Prometheus / AlertManager + + +**Type:**:: + + non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.scrapeTimeout: + +``yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.scrapeTimeout`` +############################################################################ + +Scrape timeout. 
Overrides value set in `defaults` + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "60s" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.url: + +``yk8s.k8s-service-layer.prometheus.internet_probe_targets.*.url`` +################################################################## + +The URL that blackbox will scrape + + +**Type:**:: + + non-empty string + + +**Example:**:: + + "http://example.com/healthz" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources: + +``yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources`` +################################################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.limits.cpu`` +############################################################################# + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.limits.memory`` +################################################################################ + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. 
+Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "128Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.requests.cpu`` +############################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "50m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.requests.memory`` +################################################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? 
+ + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.kube_state_metrics_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.manage_thanos_bucket: + +``yk8s.k8s-service-layer.prometheus.manage_thanos_bucket`` +########################################################## + +Let terraform create an object storage container / bucket for you if `true`. +If set to `false` one must provide a valid configuration via Vault +See: https://yaook.gitlab.io/k8s/release/v3.0/managed-services/prometheus/prometheus-stack.html#custom-bucket-management + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.monitoring_internet_probe: + +``yk8s.k8s-service-layer.prometheus.monitoring_internet_probe`` +############################################################### + +Whether to enable adding blackbox-exporter to test basic internet connectivity +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.namespace: + +``yk8s.k8s-service-layer.prometheus.namespace`` +############################################### + +Namespace to deploy the monitoring in (will be created if it does not exist, but +never deleted). + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "monitoring" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.node_exporter_textfile_collector_path: + +``yk8s.k8s-service-layer.prometheus.node_exporter_textfile_collector_path`` +########################################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "/var/lib/node_exporter/textfile_collector" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.nvidia_dcgm_exporter_helm_repo_url: + +``yk8s.k8s-service-layer.prometheus.nvidia_dcgm_exporter_helm_repo_url`` +######################################################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://nvidia.github.io/dcgm-exporter/helm-charts" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.nvidia_dcgm_exporter_helm_version: + +``yk8s.k8s-service-layer.prometheus.nvidia_dcgm_exporter_helm_version`` +####################################################################### + +if not specified, latest + + +**Type:**:: + + string + + +**Default:**:: + + "" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.operator_resources: + +``yk8s.k8s-service-layer.prometheus.operator_resources`` +######################################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.operator_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.operator_resources.limits.cpu`` +################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.operator_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.operator_resources.limits.memory`` +###################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "400Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.operator_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.operator_resources.requests.cpu`` +##################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. 
both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.operator_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.operator_resources.requests.memory`` +######################################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.operator_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_adapter_release_name: + +``yk8s.k8s-service-layer.prometheus.prometheus_adapter_release_name`` +##################################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "prometheus-adapter" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_adapter_version: + +``yk8s.k8s-service-layer.prometheus.prometheus_adapter_version`` +################################################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "4.10.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_helm_repo_url: + +``yk8s.k8s-service-layer.prometheus.prometheus_helm_repo_url`` +############################################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://prometheus-community.github.io/helm-charts" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_persistent_storage_class: + +``yk8s.k8s-service-layer.prometheus.prometheus_persistent_storage_class`` +######################################################################### + +Configure persistent storage for Prometheus +By default an empty-dir is used. +https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/storage.md + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_persistent_storage_resource_request: + +``yk8s.k8s-service-layer.prometheus.prometheus_persistent_storage_resource_request`` +#################################################################################### + +Configure persistent storage for Prometheus +https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/storage.md + + +**Type:**:: + + string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "50Gi" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_resources: + +``yk8s.k8s-service-layer.prometheus.prometheus_resources`` +########################################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.prometheus_resources.limits.cpu`` +##################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.prometheus_resources.limits.memory`` +######################################################################## + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "3Gi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.prometheus_resources.requests.cpu`` +####################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "1" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.prometheus_resources.requests.memory`` +########################################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.prometheus_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_service_name: + +``yk8s.k8s-service-layer.prometheus.prometheus_service_name`` +############################################################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "prometheus-operated" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_stack_chart_name: + +``yk8s.k8s-service-layer.prometheus.prometheus_stack_chart_name`` +################################################################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "prometheus-community/kube-prometheus-stack" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_stack_release_name: + +``yk8s.k8s-service-layer.prometheus.prometheus_stack_release_name`` +################################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "prometheus-stack" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.prometheus_stack_version: + +``yk8s.k8s-service-layer.prometheus.prometheus_stack_version`` +############################################################## + +helm chart version of the prometheus stack +https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack +If you set this empty (not unset), the latest version is used +Note that upgrades require additional steps and maybe even LCM changes are needed: +https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#upgrading-chart + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "59.1.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.remote_writes: + +``yk8s.k8s-service-layer.prometheus.remote_writes`` +################################################### + + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.scheduling_key: + +``yk8s.k8s-service-layer.prometheus.scheduling_key`` +#################################################### + +Scheduling keys control where services may run. A scheduling key corresponds +to both a node label and to a taint. In order for a service to run on a node, +it needs to have that label key. +If no scheduling key is defined for service, it will run on any untainted +node. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "\${config.yk8s.node-scheduling.scheduling_key_prefix}/monitoring" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_chart_version: + +``yk8s.k8s-service-layer.prometheus.thanos_chart_version`` +########################################################## + +Set custom Bitnami/Thanos chart version + + +**Type:**:: + + string + + +**Default:**:: + + "15.5.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_compact_resources: + +``yk8s.k8s-service-layer.prometheus.thanos_compact_resources`` +############################################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.thanos_compact_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_compact_resources.limits.cpu`` +######################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_compact_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_compact_resources.limits.memory`` +############################################################################ + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "200Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_compact_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_compact_resources.requests.cpu`` +########################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. 
+By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_compact_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_compact_resources.requests.memory`` +############################################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.thanos_compact_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_compactor_size: + +``yk8s.k8s-service-layer.prometheus.thanos_compactor_size`` +########################################################### + +You can explicitly set the PV size for each component. +If left undefined, the helm chart defaults will be used + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_file: + +``yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_file`` +###################################################################### + + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_path: + +``yk8s.k8s-service-layer.prometheus.thanos_objectstorage_config_path`` +###################################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "{{ playbook_dir }}/../../../config" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_objectstorage_container_name: + +``yk8s.k8s-service-layer.prometheus.thanos_objectstorage_container_name`` +######################################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "\${config.yk8s.terraform.cluster_name}-monitoring-thanos-data" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_query_additional_store_endpoints: + +``yk8s.k8s-service-layer.prometheus.thanos_query_additional_store_endpoints`` +############################################################################# + +Provide a list of DNS endpoints for additional thanos store endpoints. +The endpoint will be extended to `dnssrv+_grpc._tcp.{{ endpoint }}.monitoring.svc.cluster.local`. + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.thanos_query_resources: + +``yk8s.k8s-service-layer.prometheus.thanos_query_resources`` +############################################################ + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_query_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_query_resources.limits.cpu`` +####################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_query_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_query_resources.limits.memory`` +########################################################################## + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "786Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.thanos_query_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_query_resources.requests.cpu`` +######################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + "1" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_query_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_query_resources.requests.memory`` +############################################################################ + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.thanos_query_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources: + +``yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources`` +############################################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.limits.cpu`` +######################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.limits.memory`` +############################################################################ + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "256Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.requests.cpu`` +########################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. 
+By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "500m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.requests.memory`` +############################################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.thanos_sidecar_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_storage_class: + +``yk8s.k8s-service-layer.prometheus.thanos_storage_class`` +########################################################## + +Thanos uses emptyDirs by default for its components +for faster access. +If that's not feasible, a storage class can be set to +enable persistence and the size for each component volume +can be configured. +Note that switching between persistence requires +manual intervention and it may be necessary to reinstall +the helm chart completely. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.prometheus.thanos_store_in_memory_max_size: + +``yk8s.k8s-service-layer.prometheus.thanos_store_in_memory_max_size`` +##################################################################### + +https://thanos.io/tip/components/store.md/#in-memory-index-cache +Note: Unit must be specified as decimal! (MB,GB) +This value should be chosen in a sane matter based on +thanos_store_memory_request and thanos_store_memory_limit + + +**Type:**:: + + null or string matching the pattern ([0-9]+[MG]B) + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_store_resources: + +``yk8s.k8s-service-layer.prometheus.thanos_store_resources`` +############################################################ + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_store_resources.limits.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_store_resources.limits.cpu`` +####################################################################### + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_store_resources.limits.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_store_resources.limits.memory`` +########################################################################## + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. 
+Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "2Gi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_store_resources.requests.cpu: + +``yk8s.k8s-service-layer.prometheus.thanos_store_resources.requests.cpu`` +######################################################################### + +PROMETHEUS POD RESOURCE LIMITS +The following limits are applied to the respective pods. +Note that the Prometheus limits are chosen fairly conservatively and may need +tuning for larger and smaller clusters. +By default, we prefer to set limits in such a way that the Pods end up in the +Guaranteed QoS class (i.e. both CPU and Memory limits and requests set to the +same value). + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + "500m" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_store_resources.requests.memory: + +``yk8s.k8s-service-layer.prometheus.thanos_store_resources.requests.memory`` +############################################################################ + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? 
+ + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.prometheus.thanos_store_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.thanos_storegateway_size: + +``yk8s.k8s-service-layer.prometheus.thanos_storegateway_size`` +############################################################## + +You can explicitly set the PV size for each component. +If left undefined, the helm chart defaults will be used + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.use_grafana: + +``yk8s.k8s-service-layer.prometheus.use_grafana`` +################################################# + +Enable grafana + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix + + +.. _configuration-options.yk8s.k8s-service-layer.prometheus.use_thanos: + +``yk8s.k8s-service-layer.prometheus.use_thanos`` +################################################ + +Whether to enable use of Thanos. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/monitoring.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.rook.rst b/docs/user/reference/options/yk8s.k8s-service-layer.rook.rst new file mode 100644 index 0000000000000000000000000000000000000000..45bada636264b621ffeeb6709cb07d9ddd9b3672 --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.rook.rst 
@@ -0,0 +1,1817 @@ +.. _configuration-options.yk8s.k8s-service-layer.rook: + +yk8s.k8s-service-layer.rook +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +The used rook setup is explained in more detail +:doc:`here `. + +.. note:: + + To enable rook in a cluster on top of OpenStack, you need + to set both ``k8s-service-layer.rook.nosds`` and + ``k8s-service-layer.rook.osd_volume_size``, as well as enable + ``kubernetes.storage.rook_enabled`` and either + ``kubernetes.local_storage.dynamic.enabled`` or + ``kubernetes.local_storage.static.enabled`` local + storage (or both) (see :ref:`storage configuration `). + +.. _configuration-options.yk8s.k8s-service-layer.rook.ceph_fs: + +``yk8s.k8s-service-layer.rook.ceph_fs`` +####################################### + +Whether to enable the CephFS shared filesystem. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.ceph_fs_name: + +``yk8s.k8s-service-layer.rook.ceph_fs_name`` +############################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "ceph-fs" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.ceph_fs_preserve_pools_on_delete: + +``yk8s.k8s-service-layer.rook.ceph_fs_preserve_pools_on_delete`` +################################################################ + +Whether to enable preservation of pools on delete. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.ceph_fs_replicated: + +``yk8s.k8s-service-layer.rook.ceph_fs_replicated`` +################################################## + + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 1 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.cluster_name: + +``yk8s.k8s-service-layer.rook.cluster_name`` +############################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "rook-ceph" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.csi_plugins: + +``yk8s.k8s-service-layer.rook.csi_plugins`` +########################################### + +Set to false to disable CSI plugins, if they are not needed in the rook cluster. +(For example if the ceph cluster is used for an OpenStack cluster) + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.custom_ceph_version: + +``yk8s.k8s-service-layer.rook.custom_ceph_version`` +################################################### + +Configure a custom Ceph version. +If not defined, the one mapped to the rook version +will be used. Be aware that you can't choose an +arbitrary Ceph version, but should stick to the +rook-ceph-compatibility-matrix. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.dashboard: + +``yk8s.k8s-service-layer.rook.dashboard`` +######################################### + +Whether to enable the ceph dashboard for viewing cluster status +. 
+ +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.encrypt_osds: + +``yk8s.k8s-service-layer.rook.encrypt_osds`` +############################################ + +Whether to enable encryption of OSDs. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.helm_release_name_cluster: + +``yk8s.k8s-service-layer.rook.helm_release_name_cluster`` +######################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "rook-ceph-cluster" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.helm_release_name_operator: + +``yk8s.k8s-service-layer.rook.helm_release_name_operator`` +########################################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "rook-ceph" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.manage_pod_budgets: + +``yk8s.k8s-service-layer.rook.manage_pod_budgets`` +################################################## + +If true, the rook operator will create and manage PodDisruptionBudgets +for OSD, Mon, RGW, and MDS daemons. + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.mds_resources: + +``yk8s.k8s-service-layer.rook.mds_resources`` +############################################# + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mds_resources.limits.cpu: + +``yk8s.k8s-service-layer.rook.mds_resources.limits.cpu`` +######################################################## + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mds_resources.limits.memory: + +``yk8s.k8s-service-layer.rook.mds_resources.limits.memory`` +########################################################### + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "4Gi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mds_resources.requests.cpu: + +``yk8s.k8s-service-layer.rook.mds_resources.requests.cpu`` +########################################################## + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. 
See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mds_resources.requests.memory: + +``yk8s.k8s-service-layer.rook.mds_resources.requests.memory`` +############################################################# + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.rook.mds_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mgr_resources: + +``yk8s.k8s-service-layer.rook.mgr_resources`` +############################################# + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mgr_resources.limits.cpu: + +``yk8s.k8s-service-layer.rook.mgr_resources.limits.cpu`` +######################################################## + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.mgr_resources.limits.memory: + +``yk8s.k8s-service-layer.rook.mgr_resources.limits.memory`` +########################################################### + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "512Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mgr_resources.requests.cpu: + +``yk8s.k8s-service-layer.rook.mgr_resources.requests.cpu`` +########################################################## + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mgr_resources.requests.memory: + +``yk8s.k8s-service-layer.rook.mgr_resources.requests.memory`` +############################################################# + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? 
+ + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.rook.mgr_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mgr_scheduling_key: + +``yk8s.k8s-service-layer.rook.mgr_scheduling_key`` +################################################## + +Additionally it is possible to schedule mons and mgrs pods specifically. +NOTE: Rook does not merge scheduling rules set in 'all' and the ones in 'mon' and 'mgr', +but will use the most specific one for scheduling. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "\${config.yk8s.node-scheduling.scheduling_key_prefix}/rook-mgr" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mgr_use_pg_autoscaler: + +``yk8s.k8s-service-layer.rook.mgr_use_pg_autoscaler`` +##################################################### + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_allow_multiple_per_node: + +``yk8s.k8s-service-layer.rook.mon_allow_multiple_per_node`` +########################################################### + + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_resources: + +``yk8s.k8s-service-layer.rook.mon_resources`` +############################################# + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.mon_resources.limits.cpu: + +``yk8s.k8s-service-layer.rook.mon_resources.limits.cpu`` +######################################################## + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_resources.limits.memory: + +``yk8s.k8s-service-layer.rook.mon_resources.limits.memory`` +########################################################### + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "1Gi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_resources.requests.cpu: + +``yk8s.k8s-service-layer.rook.mon_resources.requests.cpu`` +########################################################## + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + "100m" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.mon_resources.requests.memory: + +``yk8s.k8s-service-layer.rook.mon_resources.requests.memory`` +############################################################# + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.rook.mon_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_scheduling_key: + +``yk8s.k8s-service-layer.rook.mon_scheduling_key`` +################################################## + +Additionally it is possible to schedule mons and mgrs pods specifically. +NOTE: Rook does not merge scheduling rules set in 'all' and the ones in 'mon' and 'mgr', +but will use the most specific one for scheduling. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "\${config.yk8s.node-scheduling.scheduling_key_prefix}/rook-mon" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_volume: + +``yk8s.k8s-service-layer.rook.mon_volume`` +########################################## + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.mon_volume_size: + +``yk8s.k8s-service-layer.rook.mon_volume_size`` +############################################### + + + +**Type:**:: + + string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "10Gi" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.mon_volume_storage_class: + +``yk8s.k8s-service-layer.rook.mon_volume_storage_class`` +######################################################## + +Storage class name to be used by the ceph mons. SHOULD be compliant with one +storage class you have configured in the kubernetes.local_storage section (or +you should know what your are doing). Note that this is not the storage class +name that rook will provide. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "\${kubernetes.local_storage.dynamic.storageclass_name}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.namespace: + +``yk8s.k8s-service-layer.rook.namespace`` +######################################### + +Namespace to deploy the rook in (will be created if it does not exist, but +never deleted). + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "rook-ceph" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nmgrs: + +``yk8s.k8s-service-layer.rook.nmgrs`` +##################################### + +Number of mgrs to run. Default is 1 and can be extended to 2 +and achieve high-availability. +The count of mgrs is adjustable since rook v1.6 and does not work with older versions. + + +**Type:**:: + + integer between 1 and 2 (both inclusive) + + +**Default:**:: + + 2 + + +**Example:**:: + + 1 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nmons: + +``yk8s.k8s-service-layer.rook.nmons`` +##################################### + +Number of mons to run. +Default is 3 and is the minimum to ensure high-availability! +The number of mons has to be uneven. 
+ + +**Type:**:: + + signed integer + + +**Default:**:: + + 3 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nodeplugin_toleration: + +``yk8s.k8s-service-layer.rook.nodeplugin_toleration`` +##################################################### + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nodes: + +``yk8s.k8s-service-layer.rook.nodes`` +##################################### + +You do also have the option to manually define the nodes to be used, +their configuration and devices of the configured nodes as well as +device-specific configurations. For these configurations to take effect +one must set :ref:`configuration-options.yk8s.k8s-service-layer.rook.use_all_available_devices` and +:ref:`configuration-options.yk8s.k8s-service-layer.rook.use_all_available_nodes` to ``false``. + +See :doc:`/user/guide/rook/custom-storage` + + +**Type:**:: + + list of (submodule) + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nodes.*.config: + +``yk8s.k8s-service-layer.rook.nodes.*.config`` +############################################## + + + +**Type:**:: + + attribute set + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nodes.*.devices: + +``yk8s.k8s-service-layer.rook.nodes.*.devices`` +############################################### + + + +**Type:**:: + + list of (submodule) + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.nodes.*.devices.*.config: + +``yk8s.k8s-service-layer.rook.nodes.*.devices.*.config`` +######################################################## + + + +**Type:**:: + + attribute set + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nodes.*.devices.*.name: + +``yk8s.k8s-service-layer.rook.nodes.*.devices.*.name`` +###################################################### + + + +**Type:**:: + + non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nodes.*.name: + +``yk8s.k8s-service-layer.rook.nodes.*.name`` +############################################ + + + +**Type:**:: + + non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.nosds: + +``yk8s.k8s-service-layer.rook.nosds`` +##################################### + +Number of OSDs to run. This should be equal to the number of storage meta +workers you use. + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 3 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.operator_resources: + +``yk8s.k8s-service-layer.rook.operator_resources`` +################################################## + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.operator_resources.limits.cpu: + +``yk8s.k8s-service-layer.rook.operator_resources.limits.cpu`` +############################################################# + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.operator_resources.limits.memory: + +``yk8s.k8s-service-layer.rook.operator_resources.limits.memory`` +################################################################ + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "512Mi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.operator_resources.requests.cpu: + +``yk8s.k8s-service-layer.rook.operator_resources.requests.cpu`` +############################################################### + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? 
+ + +**Default:**:: + + null + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.operator_resources.requests.memory: + +``yk8s.k8s-service-layer.rook.operator_resources.requests.memory`` +################################################################## + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.rook.operator_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_anti_affinity: + +``yk8s.k8s-service-layer.rook.osd_anti_affinity`` +################################################# + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_autodestroy_safe: + +``yk8s.k8s-service-layer.rook.osd_autodestroy_safe`` +#################################################### + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_resources: + +``yk8s.k8s-service-layer.rook.osd_resources`` +############################################# + + + +**Type:**:: + + submodule + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.osd_resources.limits.cpu: + +``yk8s.k8s-service-layer.rook.osd_resources.limits.cpu`` +######################################################## + +CPU limits should never be set. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_resources.limits.memory: + +``yk8s.k8s-service-layer.rook.osd_resources.limits.memory`` +########################################################### + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "2Gi" + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_resources.requests.cpu: + +``yk8s.k8s-service-layer.rook.osd_resources.requests.cpu`` +########################################################## + +Requests and limits for rook/ceph + +The default values are the *absolute minimum* values required by rook. Going +below these numbers will make rook refuse to even create the pods. See also: +https://rook.io/docs/rook/v1.2/ceph-cluster-crd.html#cluster-wide-resources-configuration-settings + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*m? + + +**Default:**:: + + null + + +**Example:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.osd_resources.requests.memory: + +``yk8s.k8s-service-layer.rook.osd_resources.requests.memory`` +############################################################# + +Memory requests should always be equal to the limits. + +Thus, this option is deprecated. + + +**Type:**:: + + null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "\${config.yk8s.k8s-service-layer.rook.osd_resources.limits.memory}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_storage_class: + +``yk8s.k8s-service-layer.rook.osd_storage_class`` +################################################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "csi-sc-cinderplugin" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.osd_volume_size: + +``yk8s.k8s-service-layer.rook.osd_volume_size`` +############################################### + +The size of the storage backing each OSD. + + +**Type:**:: + + string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "90Gi" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools: + +``yk8s.k8s-service-layer.rook.pools`` +##################################### + + + +**Type:**:: + + list of (submodule) + + +**Default:**:: + + [ + { + name = "data"; + } + ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.pools.*.create_storage_class: + +``yk8s.k8s-service-layer.rook.pools.*.create_storage_class`` +############################################################ + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools.*.device_class: + +``yk8s.k8s-service-layer.rook.pools.*.device_class`` +#################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "hdd" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools.*.erasure_coded: + +``yk8s.k8s-service-layer.rook.pools.*.erasure_coded`` +##################################################### + + + +**Type:**:: + + null or (submodule) + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools.*.erasure_coded.coding_chunks: + +``yk8s.k8s-service-layer.rook.pools.*.erasure_coded.coding_chunks`` +################################################################### + + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 1 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools.*.erasure_coded.data_chunks: + +``yk8s.k8s-service-layer.rook.pools.*.erasure_coded.data_chunks`` +################################################################# + + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 2 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.pools.*.failure_domain: + +``yk8s.k8s-service-layer.rook.pools.*.failure_domain`` +###################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "host" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools.*.name: + +``yk8s.k8s-service-layer.rook.pools.*.name`` +############################################ + + + +**Type:**:: + + non-empty string + + +**Example:**:: + + "data" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.pools.*.replicated: + +``yk8s.k8s-service-layer.rook.pools.*.replicated`` +################################################## + + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 1 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.scheduling_key: + +``yk8s.k8s-service-layer.rook.scheduling_key`` +############################################## + +Scheduling keys control where services may run. A scheduling key corresponds +to both a node label and to a taint. In order for a service to run on a node, +it needs to have that label key. +If no scheduling key is defined for a service, it will run on any untainted +node. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "\${config.yk8s.node-scheduling.scheduling_key_prefix}/storage" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.skip_upgrade_checks: + +``yk8s.k8s-service-layer.rook.skip_upgrade_checks`` +################################################### + +If OSDs are not replicated, the rook-ceph-operator will reject +to perform upgrades, because OSDs will become unavailable. +Set to True so rook will update even if OSDs would become unavailable. + +If set to true Rook won’t perform any upgrade checks on Ceph daemons +during an upgrade. Use this at YOUR OWN RISK, only if you know what +you’re doing. +https://rook.github.io/docs/rook/v1.3/ceph-cluster-crd.html#cluster-settings + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.toolbox: + +``yk8s.k8s-service-layer.rook.toolbox`` +####################################### + +Enable the rook toolbox, which is a pod with ceph tools installed to +introspect the cluster state. + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.use_all_available_devices: + +``yk8s.k8s-service-layer.rook.use_all_available_devices`` +######################################################### + +See :doc:`/user/guide/rook/custom-storage` + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.use_all_available_nodes: + +``yk8s.k8s-service-layer.rook.use_all_available_nodes`` +####################################################### + +See :doc:`/user/guide/rook/custom-storage` + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.rook.use_host_networking: + +``yk8s.k8s-service-layer.rook.use_host_networking`` +################################################### + +Whether to enable usage of the host network.. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix + + +.. _configuration-options.yk8s.k8s-service-layer.rook.version: + +``yk8s.k8s-service-layer.rook.version`` +####################################### + +Version of rook to deploy + + +**Type:**:: + + string matching the pattern v1\.[0-9]+\.[0-9]+ + + +**Default:**:: + + "v1.15.4" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/rook.nix diff --git a/docs/user/reference/options/yk8s.k8s-service-layer.vault.rst b/docs/user/reference/options/yk8s.k8s-service-layer.vault.rst new file mode 100644 index 0000000000000000000000000000000000000000..d8aedc7409e33d4897f7cec6469f8a10f3b72c18 --- /dev/null +++ b/docs/user/reference/options/yk8s.k8s-service-layer.vault.rst 
@@ -0,0 +1,528 @@ +.. _configuration-options.yk8s.k8s-service-layer.vault: + +yk8s.k8s-service-layer.vault +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + + +.. _configuration-options.yk8s.k8s-service-layer.vault.backup_approle_path: + +``yk8s.k8s-service-layer.vault.backup_approle_path`` +#################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "yaook/vault_v1/approle/" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.ca_issuer: + +``yk8s.k8s-service-layer.vault.ca_issuer`` +########################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "selfsigned-issuer" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.ca_issuer_kind: + +``yk8s.k8s-service-layer.vault.ca_issuer_kind`` +############################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "Issuer" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.chart_version: + +``yk8s.k8s-service-layer.vault.chart_version`` +############################################## + +Version of the Helm Chart to use + + +**Type:**:: + + string + + +**Default:**:: + + "0.23.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.dnsnames: + +``yk8s.k8s-service-layer.vault.dnsnames`` +######################################### + +Extra DNS names for which certificates should be prepared. +NOTE: to work correctly, there must exist an ingress of class `nginx` and it +must allow ssl passthrough. 
+ + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.enable_backups: + +``yk8s.k8s-service-layer.vault.enable_backups`` +############################################### + +If `true`, then an additional backup service will be deployed which creates snapshots and stores +them in an S3 bucket. + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.enabled: + +``yk8s.k8s-service-layer.vault.enabled`` +######################################## + +Whether to enable HashiCorp Vault management. +NOTE: On the first run, the unseal keys and the root token will be printed IN +PLAINTEXT on the ansible output. The unseal keys MUST BE SAVED IN A SECURE +LOCATION to use the Vault instance in the future! +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.external_ingress_class: + +``yk8s.k8s-service-layer.vault.external_ingress_class`` +####################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "nginx" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.external_ingress_issuer_kind: + +``yk8s.k8s-service-layer.vault.external_ingress_issuer_kind`` +############################################################# + +Can be `Issuer` or `ClusterIssuer`, depending on the kind of issuer you would like +to use for externally facing certificates. 
+ + +**Type:**:: + + string matching the pattern (Cluster)?Issuer + + +**Default:**:: + + "ClusterIssuer" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.external_ingress_issuer_name: + +``yk8s.k8s-service-layer.vault.external_ingress_issuer_name`` +############################################################# + +If `ingress=True` and `dnsnames` is not empty, you have to tell the LCM which (Cluster)Issuer to use +for your ACME service. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.helm_repo_url: + +``yk8s.k8s-service-layer.vault.helm_repo_url`` +############################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "https://helm.releases.hashicorp.com" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.ingress: + +``yk8s.k8s-service-layer.vault.ingress`` +######################################## + +Whether to enable creation of a publically reachable ingress resource for the API endpoint of vault. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.init_key_shares: + +``yk8s.k8s-service-layer.vault.init_key_shares`` +################################################ + +Number of unseal key shares to generate upon vault initialization. +NOTE: On the first run, the unseal keys and the root token will be printed IN +PLAINTEXT on the ansible output. 
The unseal keys MUST BE SAVED IN A SECURE +LOCATION to use the Vault instance in the future! + + +**Type:**:: + + signed integer + + +**Default:**:: + + 5 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.init_key_threshold: + +``yk8s.k8s-service-layer.vault.init_key_threshold`` +################################################### + +Threshold for the Shamir's Secret Sharing Scheme used for unsealing, i.e. the +number of shares required to unseal the vault after a restart +NOTE: On the first run, the unseal keys and the root token will be printed IN +PLAINTEXT on the ansible output. The unseal keys MUST BE SAVED IN A SECURE +LOCATION to use the Vault instance in the future! + + +**Type:**:: + + signed integer + + +**Default:**:: + + 2 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.management_cluster_integration: + +``yk8s.k8s-service-layer.vault.management_cluster_integration`` +############################################################### + +Whether to enable management cluster integration. +If set to true, the Vault is configured to be exposed via yaook/operator +infra-ironic, that is, via the integrated DNSmasq to all nodes associated. +The default is false. This can be enabled in non-infra-ironic clusters, +without significant damage. +NOTE: To work in infra-ironic clusters, this requires the vault to be in the +same namespace as the infra-ironic instance. +NOTE: if you enable this, you MUST NOT set the service_type to ClusterIP; it +will default to NodePort and it must be at least NodePort or LoadBalancer for +the integration to work correctly. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.vault.namespace: + +``yk8s.k8s-service-layer.vault.namespace`` +########################################## + +Namespace to deploy the vault in (will be created if it does not exist, but +ever deleted). + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "k8s-svc-vault" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.s3_config_file: + +``yk8s.k8s-service-layer.vault.s3_config_file`` +############################################### + +Credentials to access an S3 bucket to which the backups will be written. Required if `enable_backups = true`. +You can find a template in `managed-k8s/templates/vault_backup_s3_config.template.yaml`. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "vault_backup_s3_config.yaml" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.scheduling_key: + +``yk8s.k8s-service-layer.vault.scheduling_key`` +############################################### + +Scheduling key for the vault instance and its resources. Has no default. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.service_active_node_port: + +``yk8s.k8s-service-layer.vault.service_active_node_port`` +######################################################### + +Node port to use for the Service which exposes the active Vault instance +See NOTE above regarding exposure of the Vault. + + +**Type:**:: + + 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + 32048 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. 
_configuration-options.yk8s.k8s-service-layer.vault.service_type: + +``yk8s.k8s-service-layer.vault.service_type`` +############################################# + +Type of the Kubernetes Service of the Vault +NOTE: You may set this to LoadBalancer, but note that this will still use the internal certificate. +If you want to expose the Vault to the outside world, use the ingress config above. + + +**Type:**:: + + string matching the pattern ClusterIP|NodeIP|LoadBalancer + + +**Default:**:: + + "ClusterIP" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.storage_class: + +``yk8s.k8s-service-layer.vault.storage_class`` +############################################## + +Storage class for the vault file storage backend. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "csi-sc-cinderplugin" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix + + +.. _configuration-options.yk8s.k8s-service-layer.vault.storage_size: + +``yk8s.k8s-service-layer.vault.storage_size`` +############################################# + +Storage size for the vault file storage backend. + + +**Type:**:: + + string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)? + + +**Default:**:: + + "8Gi" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/vault.nix diff --git a/docs/user/reference/options/yk8s.kubernetes.kubelet.rst b/docs/user/reference/options/yk8s.kubernetes.kubelet.rst new file mode 100644 index 0000000000000000000000000000000000000000..dc138ff602bd49afc8e0fdc1a9cc90efd3bf6e65 --- /dev/null +++ b/docs/user/reference/options/yk8s.kubernetes.kubelet.rst 
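Review bot: The type rendered for `service_type` is `ClusterIP|NodeIP|LoadBalancer`, but `NodeIP` is not a Kubernetes Service type, and the `management_cluster_integration` text in this same file requires `NodePort` or `LoadBalancer`, so as documented a user cannot select the value that integration needs. Because this page is generated, the fix presumably belongs in the declaring `vault.nix`: change the pattern to `ClusterIP|NodePort|LoadBalancer` and re-render. That text also says the service "will default to NodePort" while the documented default is `"ClusterIP"`, so one of the two should be corrected. Separately, `init_key_shares` and `init_key_threshold` are typed `signed integer`, which admits zero, negative values and a threshold above the share count; the `positive integer, meaning >0` type already used for the rook pool options would be a tighter fit for unseal-key parameters.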
@@ -0,0 +1,105 @@ +.. _configuration-options.yk8s.kubernetes.kubelet: + +yk8s.kubernetes.kubelet +^^^^^^^^^^^^^^^^^^^^^^^ + + +The LCM supports the customization of certain variables of ``kubelet`` +for (meta-)worker nodes. + +.. note:: + + Applying changes requires to enable + :ref:`disruptive actions `. + +.. _configuration-options.yk8s.kubernetes.kubelet.evictionhard_nodefs_available: + +``yk8s.kubernetes.kubelet.evictionhard_nodefs_available`` +######################################################### + +Config for hard eviction values. +Note: To change this value you have to release the Kraken + + +**Type:**:: + + unspecified value + + +**Default:**:: + + "10%" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/kubelet.nix + + +.. _configuration-options.yk8s.kubernetes.kubelet.evictionhard_nodefs_inodesfree: + +``yk8s.kubernetes.kubelet.evictionhard_nodefs_inodesfree`` +########################################################## + +Config for hard eviction values. +Note: To change this value you have to release the Kraken + + +**Type:**:: + + unspecified value + + +**Default:**:: + + "5%" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/kubelet.nix + + +.. _configuration-options.yk8s.kubernetes.kubelet.evictionsoft_memory_period: + +``yk8s.kubernetes.kubelet.evictionsoft_memory_period`` +###################################################### + +Config for soft eviction values. +Note: To change this value you have to release the Kraken + + +**Type:**:: + + unspecified value + + +**Default:**:: + + "1m30s" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/kubelet.nix + + +.. _configuration-options.yk8s.kubernetes.kubelet.pod_limit: + +``yk8s.kubernetes.kubelet.pod_limit`` +##################################### + +Maximum number of Pods per worker +Increasing this value may also decrease performance, +as more Pods can be packed into a single node. 
+ + +**Type:**:: + + signed integer + + +**Default:**:: + + 110 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/kubelet.nix diff --git a/docs/user/reference/options/yk8s.kubernetes.local_storage.dynamic.rst b/docs/user/reference/options/yk8s.kubernetes.local_storage.dynamic.rst new file mode 100644 index 0000000000000000000000000000000000000000..81853c6dfbf74909d0d2430be466dce0605a4772 --- /dev/null +++ b/docs/user/reference/options/yk8s.kubernetes.local_storage.dynamic.rst 
@@ -0,0 +1,148 @@ +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic: + +yk8s.kubernetes.local_storage.dynamic +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + + +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic.data_directory: + +``yk8s.kubernetes.local_storage.dynamic.data_directory`` +######################################################## + +Directory where the volumes will be placed on the worker node + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "/mnt/dynamic-data" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-path-provisioner.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic.enabled: + +``yk8s.kubernetes.local_storage.dynamic.enabled`` +################################################# + +Whether to enable dynamic local storage provisioning. This provides a storage class which +can be used with PVCs to allocate local storage on a node. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-path-provisioner.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic.namespace: + +``yk8s.kubernetes.local_storage.dynamic.namespace`` +################################################### + +Namespace to deploy the components in + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "kube-system" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-path-provisioner.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic.nodeplugin_toleration: + +``yk8s.kubernetes.local_storage.dynamic.nodeplugin_toleration`` +############################################################### + +nodeplugin toleration. +Setting this to true will cause the dynamic storage plugin +to run on all nodes (ignoring all taints). This is often desirable. 
+ + +**Type:**:: + + boolean + + +**Default:**:: + + "\${config.yk8s.kubernetes.storage.nodeplugin_toleration}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-path-provisioner.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic.storageclass_name: + +``yk8s.kubernetes.local_storage.dynamic.storageclass_name`` +########################################################### + +Name of the storage class to create. + +NOTE: the static and dynamic provisioner must have distinct storage class +names if both are enabled! + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "local-storage" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-path-provisioner.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.dynamic.version: + +``yk8s.kubernetes.local_storage.dynamic.version`` +################################################# + +Version of the local path controller to deploy + + +**Type:**:: + + string + + +**Default:**:: + + "v0.0.20" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-path-provisioner.nix diff --git a/docs/user/reference/options/yk8s.kubernetes.local_storage.static.rst b/docs/user/reference/options/yk8s.kubernetes.local_storage.static.rst new file mode 100644 index 0000000000000000000000000000000000000000..b3fcbba24416136443d4ef24d4484a7ee4d621f0 --- /dev/null +++ b/docs/user/reference/options/yk8s.kubernetes.local_storage.static.rst 
@@ -0,0 +1,166 @@ +.. _configuration-options.yk8s.kubernetes.local_storage.static: + +yk8s.kubernetes.local_storage.static +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + + +.. _configuration-options.yk8s.kubernetes.local_storage.static.data_directory: + +``yk8s.kubernetes.local_storage.static.data_directory`` +####################################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "/mnt/data" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.static.discovery_directory: + +``yk8s.kubernetes.local_storage.static.discovery_directory`` +############################################################ + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "/mnt/mk8s-disks" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.static.enabled: + +``yk8s.kubernetes.local_storage.static.enabled`` +################################################ + +Whether to enable static provisioning of local storage. This provisions a single local +storage volume per worker node. + +It is recommended to use the dynamic local storage instead. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.static.namespace: + +``yk8s.kubernetes.local_storage.static.namespace`` +################################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "kube-system" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix + + +.. 
_configuration-options.yk8s.kubernetes.local_storage.static.nodeplugin_toleration: + +``yk8s.kubernetes.local_storage.static.nodeplugin_toleration`` +############################################################## + + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.static.storageclass_name: + +``yk8s.kubernetes.local_storage.static.storageclass_name`` +########################################################## + +Name of the storage class to create. + +NOTE: the static and dynamic provisioner must have distinct storage class +names if both are enabled! + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "local-storage" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix + + +.. _configuration-options.yk8s.kubernetes.local_storage.static.version: + +``yk8s.kubernetes.local_storage.static.version`` +################################################ + +See https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner/releases/tag/v2.5.0 + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "v2.5.0" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/k8s-local-storage-controller.nix diff --git a/docs/user/reference/options/yk8s.kubernetes.network.calico.rst b/docs/user/reference/options/yk8s.kubernetes.network.calico.rst new file mode 100644 index 0000000000000000000000000000000000000000..a6a3efd3e8737170f45ce859c68d97d97654e563 --- /dev/null +++ b/docs/user/reference/options/yk8s.kubernetes.network.calico.rst 
@@ -0,0 +1,184 @@ +.. _configuration-options.yk8s.kubernetes.network.calico: + +yk8s.kubernetes.network.calico +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +The following configuration options are specific to calico, our CNI +plugin in use. + +.. _configuration-options.yk8s.kubernetes.network.calico.bgp_router_id: + +``yk8s.kubernetes.network.calico.bgp_router_id`` +################################################ + +An arbitrary ID (four octet unsigned integer) used by Calico as BGP Identifier + + +**Type:**:: + + string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])$ + + +**Default:**:: + + "244.0.0.1" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix + + +.. _configuration-options.yk8s.kubernetes.network.calico.custom_version: + +``yk8s.kubernetes.network.calico.custom_version`` +################################################# + +We're mapping a fitting calico version to the configured Kubernetes version. +You can however pick a custom Calico version. +Be aware that not all combinations of Kubernetes and Calico versions are recommended: +https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements +Any version should work as long as +you stick to the calico-Kubernetes compatibility matrix. + +If not specified here, a predefined Calico version will be matched against +the above specified Kubernetes version. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "3.25.1" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix + + +.. _configuration-options.yk8s.kubernetes.network.calico.encapsulation: + +``yk8s.kubernetes.network.calico.encapsulation`` +################################################ + +EncapsulationType is the type of encapsulation to use on an IP pool. 
+Only takes effect for operator-based installations +https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.EncapsulationType + + +**Type:**:: + + string matching the pattern IPIP|VXLAN|IPIPCrossSubnet|VXLANCrossSubnet|None + + +**Default:**:: + + "None" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix + + +.. _configuration-options.yk8s.kubernetes.network.calico.image_registry: + +``yk8s.kubernetes.network.calico.image_registry`` +################################################# + +Specify the registry endpoint +Changing this value can be useful if one endpoint hosts outdated images or you're subject to rate limiting + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "quay.io" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix + + +.. _configuration-options.yk8s.kubernetes.network.calico.ipipmode: + +``yk8s.kubernetes.network.calico.ipipmode`` +########################################### + +Only takes effect for manifest-based installations +Define if the IP-in-IP encapsulation of calico should be activated +https://docs.tigera.io/calico/latest/reference/resources/ippool#spec + + +**Type:**:: + + string matching the pattern Always|CrossSubnet|Never + + +**Default:**:: + + "Never" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix + + +.. _configuration-options.yk8s.kubernetes.network.calico.mtu: + +``yk8s.kubernetes.network.calico.mtu`` +###################################### + +for OpenStack at most 1450 + +**Type:**:: + + signed integer + + +**Default:**:: + + "\${config.yk8s.terraform.network_mtu}" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix + + +.. 
_configuration-options.yk8s.kubernetes.network.calico.values_file_path: + +``yk8s.kubernetes.network.calico.values_file_path`` +################################################### + +For the operator-based installation, +it is possible to link to self-maintained values file for the helm chart + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "path-to-a-custom/values.yaml" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/calico.nix diff --git a/docs/user/reference/options/yk8s.kubernetes.network.rst b/docs/user/reference/options/yk8s.kubernetes.network.rst new file mode 100644 index 0000000000000000000000000000000000000000..38916cdc330b610b1248e7effadb5cb4d7423d35 --- /dev/null +++ b/docs/user/reference/options/yk8s.kubernetes.network.rst 
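Review bot: The IPv4 pattern rendered for `bgp_router_id` separates octets with an unescaped `.` (`…[0-9]).){3}…`), which matches any character, so a value such as `10x244x0x1` (constructed example) would pass validation. The same pattern is rendered for `pod_subnet` and `service_subnet` in `yk8s.kubernetes.network.rst`. Other patterns on this page keep their escapes (`v1\.[0-9]+\.[0-9]+`), so this does not look like a rendering artefact. The shared pattern in the Nix sources should presumably use `\.` between octets, with the docs re-rendered afterwards.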
@@ -0,0 +1,243 @@ +.. _configuration-options.yk8s.kubernetes.network: + +yk8s.kubernetes.network +^^^^^^^^^^^^^^^^^^^^^^^ + + +.. note:: + + To enable the calico network plugin, + ``kubernetes.network.plugin`` needs to be set to ``calico``. + +.. _configuration-options.yk8s.kubernetes.network.bgp_announce_service_ips: + +``yk8s.kubernetes.network.bgp_announce_service_ips`` +#################################################### + +Whether to enable announcement of the service cluster IP range to external +BGP peers. By default, only per-node pod networks are announced. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.bgp_gateway_as: + +``yk8s.kubernetes.network.bgp_gateway_as`` +########################################## + + + +**Type:**:: + + signed integer + + +**Default:**:: + + 65000 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.bgp_worker_as: + +``yk8s.kubernetes.network.bgp_worker_as`` +######################################### + + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 64512 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.ipv4_nat_outgoing: + +``yk8s.kubernetes.network.ipv4_nat_outgoing`` +############################################# + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. 
_configuration-options.yk8s.kubernetes.network.ipv6_nat_outgoing: + +``yk8s.kubernetes.network.ipv6_nat_outgoing`` +############################################# + + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.plugin: + +``yk8s.kubernetes.network.plugin`` +################################## + +Currently only "calico" is supported. + +Calico: High-performance, pure IP networking, policy engine. Calico provides +layer 3 networking capabilities and associates a virtual router with each node. +Allows the establishment of zone boundaries through BGP + + +**Type:**:: + + string matching the pattern calico + + +**Default:**:: + + "calico" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.pod_subnet: + +``yk8s.kubernetes.network.pod_subnet`` +###################################### + +This is the IPv4 subnet used by Kubernetes for Pods. Subnets will be delegated +automatically to each node. + + +**Type:**:: + + string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Default:**:: + + "10.244.0.0/16" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.pod_subnet_v6: + +``yk8s.kubernetes.network.pod_subnet_v6`` +######################################### + +This is the IPv6 subnet used by Kubernetes for Pods. Subnets will be delegated +automatically to each node. + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "fdff:2::/56" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. 
_configuration-options.yk8s.kubernetes.network.service_subnet: + +``yk8s.kubernetes.network.service_subnet`` +########################################## + +This is the IPv4 subnet used by Kubernetes for Services. + + +**Type:**:: + + string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Default:**:: + + "10.96.0.0/12" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix + + +.. _configuration-options.yk8s.kubernetes.network.service_subnet_v6: + +``yk8s.kubernetes.network.service_subnet_v6`` +############################################# + +This is the IPv6 subnet used by Kubernetes for Services. + +The service subnet is bounded; for 128-bit addresses, the mask must be >= 108 +The service cluster IP range is validated by the kube-apiserver to have at most 20 host bits +https://github.com/kubernetes/kubernetes/blob/v1.9.2/cmd/kube-apiserver/app/options/validation.go#L29-L32 +https://github.com/kubernetes/kubernetes/pull/12841 + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "fdff:3::/108" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/network.nix diff --git a/docs/user/reference/options/yk8s.kubernetes.rst b/docs/user/reference/options/yk8s.kubernetes.rst new file mode 100644 index 0000000000000000000000000000000000000000..4f525e03e4d3b6921ac411c6dcb72ac1a89f6a3f --- /dev/null +++ b/docs/user/reference/options/yk8s.kubernetes.rst 
@@ -0,0 +1,214 @@
+.. _configuration-options.yk8s.kubernetes:
+
+yk8s.kubernetes
+^^^^^^^^^^^^^^^
+
+
+This section contains generic information about the Kubernetes cluster
+configuration.
+
+.. _configuration-options.yk8s.kubernetes.apiserver.frontend_port:
+
+``yk8s.kubernetes.apiserver.frontend_port``
+###########################################
+
+
+
+**Type:**::
+
+ 16 bit unsigned integer; between 0 and 65535 (both inclusive)
+
+
+**Default:**::
+
+ 8888
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
+
+
+.. _configuration-options.yk8s.kubernetes.apiserver.memory_limit:
+
+``yk8s.kubernetes.apiserver.memory_limit``
+##########################################
+
+Memory resources limit for the apiserver
+
+
+**Type:**::
+
+ null or string matching the pattern [1-9][0-9]*(\.[0-9]+)?([KMGT]i)?
+
+
+**Default:**::
+
+ null
+
+
+**Example:**::
+
+ "1Gi"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
+
+
+.. _configuration-options.yk8s.kubernetes.controller_manager.enable_signing_requests:
+
+``yk8s.kubernetes.controller_manager.enable_signing_requests``
+##############################################################
+
+Whether to enable signing requests.
+
+Note: This currently means that the cluster CA key is copied to the control
+plane nodes which decreases security compared to storing the CA only in the Vault.
+IMPORTANT: Manual steps required when enabled after cluster creation
+The CA key is made available through Vault's kv store and fetched by Ansible.
+Due to Vault's security architecture this means
+you must run the CA rotation script
+(or manually upload the CA key from your backup to Vault's kv store).
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
+
+
+.. _configuration-options.yk8s.kubernetes.controller_manager.large_cluster_size_threshold:
+
+``yk8s.kubernetes.controller_manager.large_cluster_size_threshold``
+###################################################################
+
+
+
+**Type:**::
+
+ signed integer
+
+
+**Default:**::
+
+ 50
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
+
+
+.. _configuration-options.yk8s.kubernetes.is_gpu_cluster:
+
+``yk8s.kubernetes.is_gpu_cluster``
+##################################
+
+Set this variable if this cluster contains worker with GPU access
+and you want to make use of these inside of the cluster,
+so that the driver and surrounding framework is deployed.
+
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
+
+
+.. _configuration-options.yk8s.kubernetes.monitoring.enabled:
+
+``yk8s.kubernetes.monitoring.enabled``
+######################################
+
+Whether to enable Prometheus-based monitoring.
+For prometheus-specific configurations take a look at the
+k8s-service-layer.prometheus section.
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/monitoring.nix
+
+
+.. _configuration-options.yk8s.kubernetes.version:
+
+``yk8s.kubernetes.version``
+###########################
+
+Kubernetes version
+
+
+**Type:**::
+
+ string matching the pattern 1.(28|29|30).[0-9]+
+
+
+**Default:**::
+
+ "1.30.5"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
+
+
+.. _configuration-options.yk8s.kubernetes.virtualize_gpu:
+
+``yk8s.kubernetes.virtualize_gpu``
+##################################
+
+Set this variable to virtualize Nvidia GPUs on worker nodes
+for usage outside of the Kubernetes cluster / above the Kubernetes layer.
+It will install a VGPU manager on the worker node and
+split the GPU according to chosen vgpu type.
+Note: This will not install Nvidia drivers to utilize vGPU guest VMs!!
+If set to true, please set further variables in the [miscellaneous] section.
+Note: This is mutually exclusive with "is_gpu_cluster"yed.
+
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes
diff --git a/docs/user/reference/options/yk8s.kubernetes.storage.rst b/docs/user/reference/options/yk8s.kubernetes.storage.rst
new file mode 100644
index 0000000000000000000000000000000000000000..5cbd89ba1ed56b1a0d49b9e3da375a346fd2c435
--- /dev/null
+++ b/docs/user/reference/options/yk8s.kubernetes.storage.rst
@@ -0,0 +1,94 @@
+.. _configuration-options.yk8s.kubernetes.storage:
+
+yk8s.kubernetes.storage
+^^^^^^^^^^^^^^^^^^^^^^^
+
+
+
+.. _configuration-options.yk8s.kubernetes.storage.cinder_enable_topology:
+
+``yk8s.kubernetes.storage.cinder_enable_topology``
+##################################################
+
+This flag enables the topology feature gate of the cinder controller plugin.
+Its purpose is to allocate volumes from cinder which are in the same AZ as
+the worker node to which the volume should be attached.
+Important: Cinder must support AZs and the AZs must match the AZs used by nova!
+
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/storage.nix
+
+
+.. _configuration-options.yk8s.kubernetes.storage.nodeplugin_toleration:
+
+``yk8s.kubernetes.storage.nodeplugin_toleration``
+#################################################
+
+Whether to enable nodeplugin toleration.
+Setting this to true will cause the storage plugins
+to run on all nodes (ignoring all taints). This is often desirable.
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/storage.nix
+
+
+.. _configuration-options.yk8s.kubernetes.storage.rook_enabled:
+
+``yk8s.kubernetes.storage.rook_enabled``
+########################################
+
+Whether to enable Rook.
+Many clusters will want to use rook, so you should enable
+or disable it here if you want. It requires extra options
+which need to be chosen with care.
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/kubernetes/storage.nix
diff --git a/docs/user/reference/options/yk8s.load-balancing.rst b/docs/user/reference/options/yk8s.load-balancing.rst
new file mode 100644
index 0000000000000000000000000000000000000000..4074c55a8084747d0047589a84c9873784441531
--- /dev/null
+++ b/docs/user/reference/options/yk8s.load-balancing.rst
@@ -0,0 +1,169 @@
+.. _configuration-options.yk8s.load-balancing:
+
+yk8s.load-balancing
+^^^^^^^^^^^^^^^^^^^
+
+
+By default, if you’re deploying on top of OpenStack, the self-developed
+load-balancing solution :doc:`ch-k8s-lbaas `
+will be used to avoid the aches of using OpenStack Octavia. Nonetheless,
+you are not forced to use it and can easily disable it.
+
+The following section contains legacy load-balancing options which will
+probably be removed in the foreseeable future.
+
+.. _configuration-options.yk8s.load-balancing.deprecated_nodeport_lb_test_port:
+
+``yk8s.load-balancing.deprecated_nodeport_lb_test_port``
+########################################################
+
+
+
+**Type:**::
+
+ 16 bit unsigned integer; between 0 and 65535 (both inclusive)
+
+
+**Default:**::
+
+ 0
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/load-balancing.nix
+
+
+.. _configuration-options.yk8s.load-balancing.haproxy_stats_port:
+
+``yk8s.load-balancing.haproxy_stats_port``
+##########################################
+
+Port for HAProxy statistics
+
+
+**Type:**::
+
+ signed integer
+
+
+**Default:**::
+
+ 48981
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/load-balancing.nix
+
+
+.. _configuration-options.yk8s.load-balancing.lb_ports:
+
+``yk8s.load-balancing.lb_ports``
+################################
+
+lb_ports is a list of ports that are exposed by HAProxy on the gateway nodes and forwarded
+to NodePorts in the k8s cluster. This poor man's load-balancing / exposing of services
+has been superseded by ch-k8s-lbaas. For legacy reasons and because it's useful under
+certain circumstances it is kept inside the repository.
+The NodePorts are either literally exposed by HAProxy or can be mapped to other ports.
+
+
+**Type:**::
+
+ list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or (submodule))
+
+
+**Default:**::
+
+ [ ]
+
+
+**Example:**::
+
+ ''
+ Short form: [30060];
+ Explicit form: [{external=80,nodeport=30080, layer=tcp, use_proxy_protocol=true}]
+ ''
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/load-balancing.nix
+
+
+.. _configuration-options.yk8s.load-balancing.openstack_lbaas:
+
+``yk8s.load-balancing.openstack_lbaas``
+#######################################
+
+Whether to enable OpenStack-based load-balancing.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/load-balancing.nix
+
+
+.. _configuration-options.yk8s.load-balancing.priorities:
+
+``yk8s.load-balancing.priorities``
+##################################
+
+Deprecated
+
+
+**Type:**::
+
+ list of string
+
+
+**Default:**::
+
+ [ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/load-balancing.nix
+
+
+.. _configuration-options.yk8s.load-balancing.vrrp_priorities:
+
+``yk8s.load-balancing.vrrp_priorities``
+#######################################
+
+A list of priorities to assign to the gateway/frontend nodes. The priorities
+will be assigned based on the sorted list of matching nodes.
+
+If more nodes exist than there are entries in this list, the rollout will
+fail.
+
+Please note the keepalived.conf manpage for choosing priority values.
+
+
+**Type:**::
+
+ list of signed integer
+
+
+**Default:**::
+
+ [
+ 150
+ 100
+ 50
+ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/load-balancing.nix
diff --git a/docs/user/reference/options/yk8s.miscellaneous.rst b/docs/user/reference/options/yk8s.miscellaneous.rst
new file mode 100644
index 0000000000000000000000000000000000000000..9940448c68f4285a8375c3905c049d3cc7079344
--- /dev/null
+++ b/docs/user/reference/options/yk8s.miscellaneous.rst
@@ -0,0 +1,667 @@
+.. _configuration-options.yk8s.miscellaneous:
+
+yk8s.miscellaneous
+^^^^^^^^^^^^^^^^^^
+
+
+This section contains various configuration options for special use
+cases. You won’t need to enable and adjust any of these under normal
+circumstances.
+
+.. _configuration-options.yk8s.miscellaneous.apt_proxy_url:
+
+``yk8s.miscellaneous.apt_proxy_url``
+####################################
+
+APT Proxy Configuration
+As a secondary effect, https repositories are not used, since
+those don't work with caching proxies like apt-cacher-ng.
+
+
+**Type:**::
+
+ null or non-empty string
+
+
+**Default:**::
+
+ null
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.check_openstack_credentials:
+
+``yk8s.miscellaneous.check_openstack_credentials``
+##################################################
+
+OpenStack credential checks
+Terrible things will happen when certain tasks are run and OpenStack credentials are not sourced.
+Okay, maybe not so terrible after all, but the templates do not check if certain values exist.
+Hence config files with empty credentials are written. The LCM will execute a simple check to see
+if you provided valid credentials as a sanity check iff you're on openstack and the flag below is set
+to True.
+
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.cluster_behind_proxy:
+
+``yk8s.miscellaneous.cluster_behind_proxy``
+###########################################
+
+Whether to enable the cluster will be placed behind a HTTP proxy.
+If unconfigured images will be used to setup the cluster, the updates of
+package sources, the download of docker images and the initial cluster setup will fail.
+NOTE: These chances are currently only tested for Debian-based operating systems and not for RHEL-based!
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.container_mirror_default_host:
+
+``yk8s.miscellaneous.container_mirror_default_host``
+####################################################
+
+
+
+**Type:**::
+
+ non-empty string
+
+
+**Default:**::
+
+ "install-node"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.container_mirrors:
+
+``yk8s.miscellaneous.container_mirrors``
+########################################
+
+
+
+**Type:**::
+
+ list of (submodule)
+
+
+**Default:**::
+
+ [ ]
+
+
+**Example:**::
+
+ [
+ {
+ name = "docker.io";
+ port = 5000;
+ upstream = "https://registry-1.docker.io/";
+ }
+ {
+ mirrors = [
+ "https://install-node:8000"
+ ];
+ name = "gitlab.cloudandheat.com";
+ upstream = "https://registry.gitlab.cloudandheat.com/";
+ }
+ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.container_mirrors.*.mirrors:
+
+``yk8s.miscellaneous.container_mirrors.*.mirrors``
+##################################################
+
+
+
+**Type:**::
+
+ list of non-empty string
+
+
+**Default:**::
+
+ [ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.container_mirrors.*.name:
+
+``yk8s.miscellaneous.container_mirrors.*.name``
+###############################################
+
+
+
+**Type:**::
+
+ non-empty string
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.container_mirrors.*.port:
+
+``yk8s.miscellaneous.container_mirrors.*.port``
+###############################################
+
+
+
+**Type:**::
+
+ null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
+
+
+**Default:**::
+
+ null
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.container_mirrors.*.upstream:
+
+``yk8s.miscellaneous.container_mirrors.*.upstream``
+###################################################
+
+
+
+**Type:**::
+
+ non-empty string
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.custom_chrony_configuration:
+
+``yk8s.miscellaneous.custom_chrony_configuration``
+##################################################
+
+Whether to enable custom Chrony configration
+The ntp servers used by chrony can be customized if it should be necessary or wanted.
+A list of pools and/or servers can be specified.
+Chrony treats both similarily but it expects that a pool will resolve to several ntp servers.
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.custom_ntp_pools:
+
+``yk8s.miscellaneous.custom_ntp_pools``
+#######################################
+
+A list of NTP pools.
+
+
+**Type:**::
+
+ list of non-empty string
+
+
+**Default:**::
+
+ [ ]
+
+
+**Example:**::
+
+ [
+ "0.pool.ntp.example.org"
+ "1.pool.ntp.example.org"
+ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.custom_ntp_servers:
+
+``yk8s.miscellaneous.custom_ntp_servers``
+#########################################
+
+A list of NTP servers.
+
+
+**Type:**::
+
+ list of non-empty string
+
+
+**Default:**::
+
+ [ ]
+
+
+**Example:**::
+
+ [
+ "0.server.ntp.example.org"
+ "1.server.ntp.example.org"
+ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.docker_insecure_registries:
+
+``yk8s.miscellaneous.docker_insecure_registries``
+#################################################
+
+Custom Docker Configuration
+A list of insecure registries that can be accessed without TLS verification.
+
+
+**Type:**::
+
+ list of non-empty string
+
+
+**Default:**::
+
+ [ ]
+
+
+**Example:**::
+
+ [
+ "0.docker-registry.example.org"
+ "1.docker-registry.example.org"
+ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.docker_registry_mirrors:
+
+``yk8s.miscellaneous.docker_registry_mirrors``
+##############################################
+
+Custom Docker Configuration
+A list of registry mirrors can be configured as a pull through cache to reduce
+external network traffic and the amount of docker pulls from dockerhub.
+
+
+**Type:**::
+
+ list of non-empty string
+
+
+**Default:**::
+
+ [ ]
+
+
+**Example:**::
+
+ [
+ "https://0.docker-mirror.example.org"
+ "https://1.docker-mirror.example.org"
+ ]
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.haproxy_frontend_k8s_api_maxconn:
+
+``yk8s.miscellaneous.haproxy_frontend_k8s_api_maxconn``
+#######################################################
+
+
+
+**Type:**::
+
+ positive integer, meaning >0
+
+
+**Default:**::
+
+ 2000
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.haproxy_frontend_nodeport_maxconn:
+
+``yk8s.miscellaneous.haproxy_frontend_nodeport_maxconn``
+########################################################
+
+
+
+**Type:**::
+
+ positive integer, meaning >0
+
+
+**Default:**::
+
+ 2000
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.hosts_file:
+
+``yk8s.miscellaneous.hosts_file``
+#################################
+
+A custom hosts file in case terraform is disabled
+
+
+**Type:**::
+
+ null or path in the Nix store
+
+
+**Default:**::
+
+ null
+
+
+**Example:**::
+
+ "hosts_file = ./hosts;"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.http_proxy:
+
+``yk8s.miscellaneous.http_proxy``
+#################################
+
+Set the approriate HTTP proxy settings for your cluster here. E.g. the address of the proxy or
+internal docker repositories can be added to the no_proxy config entry
+Important note: Settings for the yaook-k8s cluster itself (like the service subnet or the pod subnet)
+will be set automagically and do not have to set manually here.
+
+
+**Type:**::
+
+ null or non-empty string
+
+
+**Default:**::
+
+ null
+
+
+**Example:**::
+
+ "http://proxy.example.com:8889"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.https_proxy:
+
+``yk8s.miscellaneous.https_proxy``
+##################################
+
+Set the approriate HTTP proxy settings for your cluster here. E.g. the address of the proxy or
+internal docker repositories can be added to the no_proxy config entry
+Important note: Settings for the yaook-k8s cluster itself (like the service subnet or the pod subnet)
+will be set automagically and do not have to set manually here.
+
+
+**Type:**::
+
+ null or non-empty string
+
+
+**Default:**::
+
+ null
+
+
+**Example:**::
+
+ "https://proxy.example.com:8889"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.no_proxy:
+
+``yk8s.miscellaneous.no_proxy``
+###############################
+
+Set the approriate HTTP proxy settings for your cluster here. E.g. the address of the proxy or
+internal docker repositories can be added to the no_proxy config entry
+Important note: Settings for the yaook-k8s cluster itself (like the service subnet or the pod subnet)
+will be set automagically and do not have to set manually here.
+
+
+**Type:**::
+
+ null or non-empty string
+
+
+**Default:**::
+
+ null
+
+
+**Example:**::
+
+ "localhost,127.0.0.0/8"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.openstack_connect_use_helm:
+
+``yk8s.miscellaneous.openstack_connect_use_helm``
+#################################################
+
+Use the helm chart to deploy the CCM and the cinder csi plugin.
+If openstack_connect_use_helm is false the deployment will be done with the help
+of the deprecated manifest code.
+This will be enforced for clusters with Kubernetes >= v1.29 and
+the deprecated manifest code will be dropped along with Kubernetes v1.28
+
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.openstack_network_name:
+
+``yk8s.miscellaneous.openstack_network_name``
+#############################################
+
+Name of the internal OpenStack network. This field becomes important if a VM is
+attached to two networks but the controller-manager should only pick up one. If
+you don't understand the purpose of this field, there's a very high chance you
+won't need to touch it/uncomment it.
+Note: This network name isn't fetched automagically (by terraform) on purpose
+because there might be situations where the CCM should not pick the managed network.
+
+
+**Type:**::
+
+ null or non-empty string
+
+
+**Default:**::
+
+ null
+
+
+**Example:**::
+
+ "\${config.yk8s.terraform.cluster_name}-network"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.subnet_cidr:
+
+``yk8s.miscellaneous.subnet_cidr``
+##################################
+
+In case it is not set via terraform
+
+
+**Type:**::
+
+ null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$
+
+
+**Default:**::
+
+ null
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.vm_max_map_count:
+
+``yk8s.miscellaneous.vm_max_map_count``
+#######################################
+
+Value for the kernel parameter `vm.max_map_count` on k8s nodes. Modifications
+might be required depending on the software running on the nodes (e.g., ElasticSearch).
+If you leave the value commented out you're fine and the system's default will be kept.
+
+
+**Type:**::
+
+ signed integer
+
+
+**Default:**::
+
+ 262144
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
+
+
+.. _configuration-options.yk8s.miscellaneous.wireguard_on_workers:
+
+``yk8s.miscellaneous.wireguard_on_workers``
+###########################################
+
+Whether to enable to install wireguard on all workers (without setting up any server-side stuff)
+so that it can be used from within Pods.
+.
+
+**Type:**::
+
+ boolean
+
+
+**Default:**::
+
+ false
+
+
+**Example:**::
+
+ true
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/miscellaneous.nix
diff --git a/docs/user/reference/options/yk8s.node-scheduling.rst b/docs/user/reference/options/yk8s.node-scheduling.rst
new file mode 100644
index 0000000000000000000000000000000000000000..fe0a9e519d7788e4faf3a19fff3f9c1511951bf4
--- /dev/null
+++ b/docs/user/reference/options/yk8s.node-scheduling.rst
@@ -0,0 +1,120 @@
+.. _configuration-options.yk8s.node-scheduling:
+
+yk8s.node-scheduling
+^^^^^^^^^^^^^^^^^^^^
+
+
+.. note::
+ Nodes get their labels and taints during the Kubernetes
+ cluster initialization and node-join process.
+ Once a node has joined the cluster,
+ its labels and taints will **not** get updated anymore.
+
+More details about the labels and taints configuration can be found
+:doc:`here `.
+
+.. _configuration-options.yk8s.node-scheduling.labels:
+
+``yk8s.node-scheduling.labels``
+###############################
+
+Labels are assigned to a node during its initialization/join process only!
+
+
+**Type:**::
+
+ attribute set of list of non-empty string
+
+
+**Default:**::
+
+ { }
+
+
+**Example:**::
+
+ {
+ managed-k8s-worker-0 = [
+ "''scheduling.mk8s.cloudandheat.com/storage=true"
+ ];
+ managed-k8s-worker-1 = [
+ "''scheduling.mk8s.cloudandheat.com/monitoring=true"
+ ];
+ managed-k8s-worker-2 = [
+ "''scheduling.mk8s.cloudandheat.com/storage=true"
+ ];
+ managed-k8s-worker-3 = [
+ "''scheduling.mk8s.cloudandheat.com/monitoring=true"
+ ];
+ managed-k8s-worker-4 = [
+ "''scheduling.mk8s.cloudandheat.com/storage=true"
+ ];
+ managed-k8s-worker-5 = [
+ "''scheduling.mk8s.cloudandheat.com/monitoring=true"
+ ];
+ }
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/node-scheduling.nix
+
+
+.. _configuration-options.yk8s.node-scheduling.scheduling_key_prefix:
+
+``yk8s.node-scheduling.scheduling_key_prefix``
+##############################################
+
+Scheduling keys control where services may run. A scheduling key corresponds
+to both a node label and to a taint. In order for a service to run on a node,
+it needs to have that label key. The following defines a prefix for these keys
+
+
+**Type:**::
+
+ string
+
+
+**Default:**::
+
+ "scheduling.mk8s.cloudandheat.com"
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/node-scheduling.nix
+
+
+.. _configuration-options.yk8s.node-scheduling.taints:
+
+``yk8s.node-scheduling.taints``
+###############################
+
+Taints are assigned to a node during its initialization/join process only!
+
+
+**Type:**::
+
+ attribute set of list of non-empty string
+
+
+**Default:**::
+
+ { }
+
+
+**Example:**::
+
+ {
+ managed-k8s-worker-0 = [
+ "{{ scheduling_key_prefix }}/storage=true:NoSchedule"
+ ];
+ managed-k8s-worker-2 = [
+ "{{ scheduling_key_prefix }}/storage=true:NoSchedule"
+ ];
+ managed-k8s-worker-4 = [
+ "{{ scheduling_key_prefix }}/storage=true:NoSchedule"
+ ];
+ }
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/node-scheduling.nix
diff --git a/docs/user/reference/options/yk8s.nvidia.rst b/docs/user/reference/options/yk8s.nvidia.rst
new file mode 100644
index 0000000000000000000000000000000000000000..c397dc055c2e9c60e4c81ac830e4148dd253a5ac
--- /dev/null
+++ b/docs/user/reference/options/yk8s.nvidia.rst
@@ -0,0 +1,39 @@
+.. _configuration-options.yk8s.nvidia:
+
+yk8s.nvidia
+^^^^^^^^^^^
+
+
+
+.. _configuration-options.yk8s.nvidia.vgpu.driver_blob_url:
+
+``yk8s.nvidia.vgpu.driver_blob_url``
+####################################
+
+Should point to a object store or otherwise web server, where the vGPU Manager installation file is available.
+
+
+**Type:**::
+
+ non-empty string
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/nvidia.nix
+
+
+.. _configuration-options.yk8s.nvidia.vgpu.manager_filename:
+
+``yk8s.nvidia.vgpu.manager_filename``
+#####################################
+
+Should hold the name of the vGPU Manager installation file.
+
+
+**Type:**::
+
+ non-empty string
+
+
+**Declared by**
+https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/nvidia.nix
diff --git a/docs/user/reference/options/yk8s.terraform.rst b/docs/user/reference/options/yk8s.terraform.rst
new file mode 100644
index 0000000000000000000000000000000000000000..581b0e89fa8303e02f1d46815f33381a17b5b71b
--- /dev/null
+++ b/docs/user/reference/options/yk8s.terraform.rst 
@@ -0,0 +1,1079 @@ +.. _configuration-options.yk8s.terraform: + +yk8s.terraform +^^^^^^^^^^^^^^ + + +.. note:: + + There is a variable ``nodes`` to configure + the k8s master and worker servers. + The ``role`` attribute must be used to distinguish both [1]_. + + The amount of gateway nodes can be controlled with the `gateway_count` variable. + It defaults to the number of elements in the ``azs`` array when + ``spread_gateways_across_azs=true`` and 3 otherwise. + +.. [1] Caveat: Changing the role of a Terraform node + will completely rebuild the node. + +.. attention:: + + You must configure at least one master node. + +You can add and delete Terraform nodes simply +by adding and removing their entries to/from the config +or tuning ``gateway_count`` for gateway nodes. +Consider the following example: + +.. code:: diff + + terraform = { + + - gateway_count = 3; + + gateway_count = 2; # <-- one gateway gets deleted + + nodes = { + worker-0 = { + role = "worker"; + flavor = "M"; + image = "Debian 12 (bookworm)"; + }; + - worker-1 = { # <-- gets deleted + - role = "worker"; + - flavor = "M"; + - }; + worker-2 = { + role = "worker"; + flavor = "L"; + }; + + mon1 = { # <-- gets created + + role = "worker"; + + flavor = "S"; + + image = "Ubuntu 22.04 LTS x64"; + + }; + }; + }; + +The name of a Terraform node is composed from the following parts: + +- for master/worker nodes: + ``terraform.cluster_name`` ```` + +- for gateway nodes: + ``terraform.cluster_name`` ``terraform.gateway_defaults.common_name`` ```` + +.. code:: nix + + terraform = { + + cluster_name = "yk8s"; + gateway_count = 1; + #.... 
+ + gateway_defaults.common_name = "gateway-"; + + nodes.master-X.role = "master"; + nodes.worker-A.role = "worker"; + + # yields the following node names: + # - yk8s-gateway-0 + # - yk8s-master-X + # - yk8s-worker-A + + +To activate automatic backend of Terraform statefiles to Gitlab, +adapt the Terraform section of your config: +set `gitlab_backend` to True, +set the URL of the Gitlab project and +the name of the Gitlab state object. + +.. code:: nix + + terraform = { + gitlab_backend = true; + gitlab_base_url = "https://gitlab.com"; + gitlab_project_id = "012345678"; + gitlab_state_name = "tf-state"; + }; + +Put your Gitlab username and access token +into the ``~/.config/yaook-k8s/env``. +Your Gitlab access token must have +at least Maintainer role and +read/write access to the API. +Please see GitLab documentation for creating a +`personal access token `__. + +To successful migrate from the "local" to "http" Terraform backend method, +ensure that `gitlab_backend` is set to `true` +and all other required variables are set correctly. +Incorrect data entry may result in an HTTP error respond, +such as a HTTP/401 error for incorrect credentials. +Assuming correct credentials in the case of an HTTP/404 error, +Terraform is executed and the state is migrated to Gitlab. + +To migrate from the "http" to "local" Terraform backend method, +set `gitlab_backend=false`, +`MANAGED_K8S_NUKE_FROM_ORBIT=true`, +and assume +that all variables above are properly set +and the Terraform state exists on GitLab. +Once the migration is successful, +unset the variables above +to continue using the "local" backend method. + +.. code:: bash + + export TF_HTTP_USERNAME="" + export TF_HTTP_PASSWORD="" + +.. _configuration-options.yk8s.terraform.azs: + +``yk8s.terraform.azs`` +###################### + +Defines the availability zones of your cloud to use for the creation of servers. 
+ +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ + "AZ1" + "AZ2" + "AZ3" + ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.cluster_name: + +``yk8s.terraform.cluster_name`` +############################### + + + +**Type:**:: + + non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.create_root_disk_on_volume: + +``yk8s.terraform.create_root_disk_on_volume`` +############################################# + +Whether to enable creation of root disk volumes. +If true, create block volume for each instance and boot from there. +Equivalent to ``openstack server create --boot-from-volume […]``. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.dns_nameservers_v4: + +``yk8s.terraform.dns_nameservers_v4`` +##################################### + +A list of IPv4 addresses which will be configured as DNS nameservers of the IPv4 subnet. + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.enabled: + +``yk8s.terraform.enabled`` +########################## + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gateway_count: + +``yk8s.terraform.gateway_count`` +################################ + +Amount of gateway nodes to create. 
(default: 0 --> one for each availability zone when 'spread_gateways_across_azs=true', 3 otherwise) + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 3 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gateway_defaults.common_name: + +``yk8s.terraform.gateway_defaults.common_name`` +############################################### + + + +**Type:**:: + + string + + +**Default:**:: + + "gw-" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gateway_defaults.flavor: + +``yk8s.terraform.gateway_defaults.flavor`` +########################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "XS" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gateway_defaults.image: + +``yk8s.terraform.gateway_defaults.image`` +######################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "Debian 12 (bookworm)" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gateway_defaults.root_disk_size: + +``yk8s.terraform.gateway_defaults.root_disk_size`` +################################################## + +Only apples if 'terraform.create_root_disk_on_volume=true'. + + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 10 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gateway_defaults.root_disk_volume_type: + +``yk8s.terraform.gateway_defaults.root_disk_volume_type`` +######################################################### + +Only apples if 'terraform.create_root_disk_on_volume=true'. +If left empty, the default of the IaaS environment will be used. 
+ + +**Type:**:: + + string + + +**Default:**:: + + "" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gitlab_backend: + +``yk8s.terraform.gitlab_backend`` +################################# + +Whether to enable GitLab-managed Terraform backend +If true, the Terraform state will be stored inside the provided gitlab project. +If set, the environment `TF_HTTP_USERNAME` and `TF_HTTP_PASSWO = mkOptionD` +must be configured in a separate file `~/.config/yaook-k8s/env`. +. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gitlab_base_url: + +``yk8s.terraform.gitlab_base_url`` +################################## + +The base URL of your GitLab project. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "https://gitlab.com" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gitlab_project_id: + +``yk8s.terraform.gitlab_project_id`` +#################################### + +The unique ID of your GitLab project. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.gitlab_state_name: + +``yk8s.terraform.gitlab_state_name`` +#################################### + +The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state' + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "tf-state" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. 
_configuration-options.yk8s.terraform.ipv4_enabled: + +``yk8s.terraform.ipv4_enabled`` +############################### + +If set to true, ipv4 will be used + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.ipv6_enabled: + +``yk8s.terraform.ipv6_enabled`` +############################### + +Whether to enable IPv6. + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Example:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.keypair: + +``yk8s.terraform.keypair`` +########################## + +Will most of the time be set via the environment variable TF_VAR_keypair + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.master_defaults.flavor: + +``yk8s.terraform.master_defaults.flavor`` +######################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "M" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.master_defaults.image: + +``yk8s.terraform.master_defaults.image`` +######################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "Ubuntu 22.04 LTS x64" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.master_defaults.root_disk_size: + +``yk8s.terraform.master_defaults.root_disk_size`` +################################################# + +Only apples if 'terraform.create_root_disk_on_volume=true'. 
+ + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 50 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.master_defaults.root_disk_volume_type: + +``yk8s.terraform.master_defaults.root_disk_volume_type`` +######################################################## + +Only apples if 'terraform.create_root_disk_on_volume=true'. +If left empty, the default of the IaaS environment will be used. + + +**Type:**:: + + string + + +**Default:**:: + + "" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.network_mtu: + +``yk8s.terraform.network_mtu`` +############################## + +MTU for the network used for the cluster. + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 1450 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes: + +``yk8s.terraform.nodes`` +######################## + +User defined attribute set of control plane and worker nodes to be created with specified values + +At least one node with role=master must be given. + + +**Type:**:: + + attribute set of (submodule) + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes..anti_affinity_group: + +``yk8s.terraform.nodes..anti_affinity_group`` +################################################### + +'anti_affinity_group' must not be set when role!="worker" +Leaving 'anti_affinity_group' empty means to not join any anti affinity group + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. 
_configuration-options.yk8s.terraform.nodes..az: + +``yk8s.terraform.nodes..az`` +################################## + + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes..flavor: + +``yk8s.terraform.nodes..flavor`` +###################################### + + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes..image: + +``yk8s.terraform.nodes..image`` +##################################### + + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes..role: + +``yk8s.terraform.nodes..role`` +#################################### + + + +**Type:**:: + + string matching the pattern master|worker + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes..root_disk_size: + +``yk8s.terraform.nodes..root_disk_size`` +############################################## + + + +**Type:**:: + + null or (positive integer, meaning >0) + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.nodes..root_disk_volume_type: + +``yk8s.terraform.nodes..root_disk_volume_type`` +##################################################### + + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. 
_configuration-options.yk8s.terraform.prevent_disruption: + +``yk8s.terraform.prevent_disruption`` +##################################### + +If true, prevent Terraform from performing disruptive action +defaults to true if unset + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.public_network: + +``yk8s.terraform.public_network`` +################################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "shared-public-IPv4" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.spread_gateways_across_azs: + +``yk8s.terraform.spread_gateways_across_azs`` +############################################# + +If true, spawn a gateway node in each availability zone listed in 'azs'. Otherwise leave the distribution to the cloud controller. + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.subnet_cidr: + +``yk8s.terraform.subnet_cidr`` +############################## + + + +**Type:**:: + + string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Default:**:: + + "172.30.154.0/24" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.subnet_v6_cidr: + +``yk8s.terraform.subnet_v6_cidr`` +################################# + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "fd00::/120" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. 
_configuration-options.yk8s.terraform.thanos_delete_container: + +``yk8s.terraform.thanos_delete_container`` +########################################## + + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.timeout_time: + +``yk8s.terraform.timeout_time`` +############################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "30m" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.worker_defaults.anti_affinity_group: + +``yk8s.terraform.worker_defaults.anti_affinity_group`` +###################################################### + +Leaving this empty means to not join any anti affinity group + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.worker_defaults.flavor: + +``yk8s.terraform.worker_defaults.flavor`` +######################################### + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "M" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.worker_defaults.image: + +``yk8s.terraform.worker_defaults.image`` +######################################## + + + +**Type:**:: + + non-empty string + + +**Default:**:: + + "Ubuntu 22.04 LTS x64" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.worker_defaults.root_disk_size: + +``yk8s.terraform.worker_defaults.root_disk_size`` +################################################# + +Only apples if 'terraform.create_root_disk_on_volume=true'. 
+ + +**Type:**:: + + positive integer, meaning >0 + + +**Default:**:: + + 50 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix + + +.. _configuration-options.yk8s.terraform.worker_defaults.root_disk_volume_type: + +``yk8s.terraform.worker_defaults.root_disk_volume_type`` +######################################################## + +Only apples if 'terraform.create_root_disk_on_volume=true'. +If left empty, the default of the IaaS environment will be used. + + +**Type:**:: + + string + + +**Default:**:: + + "" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/terraform.nix diff --git a/docs/user/reference/options/yk8s.testing.rst b/docs/user/reference/options/yk8s.testing.rst new file mode 100644 index 0000000000000000000000000000000000000000..b05956dfbd32146a29e61ce5134e41cd35d95fb1 --- /dev/null +++ b/docs/user/reference/options/yk8s.testing.rst @@ -0,0 +1,54 @@ +.. _configuration-options.yk8s.testing: + +yk8s.testing +^^^^^^^^^^^^ + + +The following configuration section can be used to ensure that smoke +tests and checks are executed from different nodes. This is disabled by +default as it requires some prethinking. + +.. _configuration-options.yk8s.testing.force_reboot_nodes: + +``yk8s.testing.force_reboot_nodes`` +################################### + +Enforce rebooting of nodes after every system update + + +**Type:**:: + + boolean + + +**Default:**:: + + false + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/testing.nix + + +.. _configuration-options.yk8s.testing.test-nodes: + +``yk8s.testing.test-nodes`` +########################### + +You can define specifc nodes for some +smoke tests. If you define these, you +must specify at least two nodes. + + +**Type:**:: + + list of non-empty string + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/testing.nix 
diff --git a/docs/user/reference/options/yk8s.vault.rst b/docs/user/reference/options/yk8s.vault.rst new file mode 100644 index 0000000000000000000000000000000000000000..41ce8733f3b8b4b43b6a99d7f403df347a020cd7 --- /dev/null +++ b/docs/user/reference/options/yk8s.vault.rst @@ -0,0 +1,88 @@ +.. _configuration-options.yk8s.vault: + +yk8s.vault +^^^^^^^^^^ + + + +.. _configuration-options.yk8s.vault.cluster_name: + +``yk8s.vault.cluster_name`` +########################### + +Name of the cluster inside Vault. The secrets engines are searched for +relative to $path_prefix/$cluster_name/. +This name must be unique within a single vault instance and cannot be +reasonably changed after a cluster has been spawned. + + +**Type:**:: + + non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/vault.nix + + +.. _configuration-options.yk8s.vault.nodes_approle: + +``yk8s.vault.nodes_approle`` +############################ + + + +**Type:**:: + + string + + +**Default:**:: + + "yaook/nodes" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/vault.nix + + +.. _configuration-options.yk8s.vault.path_prefix: + +``yk8s.vault.path_prefix`` +########################## + + + +**Type:**:: + + string + + +**Default:**:: + + "yaook" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/vault.nix + + +.. _configuration-options.yk8s.vault.policy_prefix: + +``yk8s.vault.policy_prefix`` +############################ + + + +**Type:**:: + + string + + +**Default:**:: + + "yaook" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/vault.nix diff --git a/docs/user/reference/options/yk8s.wireguard.rst b/docs/user/reference/options/yk8s.wireguard.rst new file mode 100644 index 0000000000000000000000000000000000000000..f89e7ef701c1030910dd9b64976bc06f31ea35aa --- /dev/null +++ b/docs/user/reference/options/yk8s.wireguard.rst 
@@ -0,0 +1,534 @@ +.. _configuration-options.yk8s.wireguard: + +yk8s.wireguard +^^^^^^^^^^^^^^ + + +You **MUST** add yourself to the :doc:`wireguard ` +peers. + +You can do so either in the following section of the config file or by +using and configuring a git submodule. This submodule would then refer +to another repository, holding the wireguard public keys of everybody +that should have access to the cluster by default. This is the +recommended approach for companies and organizations. + +.. _configuration-options.yk8s.wireguard.enabled: + +``yk8s.wireguard.enabled`` +########################## + + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints: + +``yk8s.wireguard.endpoints`` +############################ + +Defines a WireGuard endpoint/server. +To allow rolling key rotations, multiple endpoints can be added. +Each endpoint's id, port and subnet need to be unique. + + +**Type:**:: + + list of (submodule) + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints.*.enabled: + +``yk8s.wireguard.endpoints.*.enabled`` +###################################### + +Whether this endpoint is enabled on the frontend nodes. + + +**Type:**:: + + boolean + + +**Default:**:: + + true + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints.*.id: + +``yk8s.wireguard.endpoints.*.id`` +################################# + +An ID unique to this endpoint + + +**Type:**:: + + unsigned integer, meaning >=0, or non-empty string + + +**Example:**:: + + 0 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. 
_configuration-options.yk8s.wireguard.endpoints.*.ip_cidr: + +``yk8s.wireguard.endpoints.*.ip_cidr`` +###################################### + +IP address range to use for WireGuard clients. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. + + +**Type:**:: + + string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints.*.ip_gw: + +``yk8s.wireguard.endpoints.*.ip_gw`` +#################################### + +IP address range to use for WireGuard servers. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. + + +**Type:**:: + + string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints.*.ipv6_cidr: + +``yk8s.wireguard.endpoints.*.ipv6_cidr`` +######################################## + +IP address range to use for WireGuard clients. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. 
+ + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "fd01::/120" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints.*.ipv6_gw: + +``yk8s.wireguard.endpoints.*.ipv6_gw`` +###################################### + +IP address range to use for WireGuard servers. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "fd01::1/120" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.endpoints.*.port: + +``yk8s.wireguard.endpoints.*.port`` +################################### + +The port Wireguard should use on the frontend nodes + + +**Type:**:: + + 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + 7777 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.ip_cidr: + +``yk8s.wireguard.ip_cidr`` +########################## + +DEPRECATED. Use endpoints instead + +IP address range to use for WireGuard clients. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. 
+ + +**Type:**:: + + null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Default:**:: + + null + + +**Example:**:: + + "172.30.153.64/26" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.ip_gw: + +``yk8s.wireguard.ip_gw`` +######################## + +DEPRECATED. Use endpoints instead + +IP address range to use for WireGuard servers. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. + + +**Type:**:: + + null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ + + +**Default:**:: + + null + + +**Example:**:: + + "172.30.153.65/26" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.ipv6_cidr: + +``yk8s.wireguard.ipv6_cidr`` +############################ + +DEPRECATED. Use endpoints instead + +IP address range to use for WireGuard clients. Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "fd01::/120" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.ipv6_gw: + +``yk8s.wireguard.ipv6_gw`` +########################## + +DEPRECATED. Use endpoints instead + +IP address range to use for WireGuard servers. 
Must be set to a CIDR and must +not conflict with the terraform.subnet_cidr. +Should be chosen uniquely for all clusters of a customer at the very least +so that they can use all of their clusters at the same time without having +to tear down tunnels. + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Example:**:: + + "fd01::1/120" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.peers: + +``yk8s.wireguard.peers`` +######################## + +The Wireguard peers that should be able to connect to the frontend nodes. + + +**Type:**:: + + list of (submodule) + + +**Default:**:: + + [ ] + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.peers.*.ident: + +``yk8s.wireguard.peers.*.ident`` +################################ + +An identifier for the public key + + +**Type:**:: + + non-empty string + + +**Example:**:: + + "name.lastname" + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.peers.*.ip: + +``yk8s.wireguard.peers.*.ip`` +############################# + + + +**Type:**:: + + null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])$ + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. 
_configuration-options.yk8s.wireguard.peers.*.ips: + +``yk8s.wireguard.peers.*.ips`` +############################## + + + +**Type:**:: + + attribute set of (string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])$) + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.peers.*.ipsv6: + +``yk8s.wireguard.peers.*.ipsv6`` +################################ + + + +**Type:**:: + + attribute set of non-empty string + + +**Default:**:: + + { } + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.peers.*.ipv6: + +``yk8s.wireguard.peers.*.ipv6`` +############################### + + + +**Type:**:: + + null or non-empty string + + +**Default:**:: + + null + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.peers.*.pub_key: + +``yk8s.wireguard.peers.*.pub_key`` +################################## + +The public key of the peer created with `wg keygen` + + +**Type:**:: + + non-empty string + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard + + +.. _configuration-options.yk8s.wireguard.port: + +``yk8s.wireguard.port`` +####################### + +DEPRECATED. Use endpoints instead + +The port Wireguard should use on the frontend nodes + + +**Type:**:: + + null or 16 bit unsigned integer; between 0 and 65535 (both inclusive) + + +**Default:**:: + + null + + +**Example:**:: + + 7777 + + +**Declared by** +https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard 
diff --git a/nix/renderDocs.nix b/nix/renderDocs.nix index 9eeaacdf742e3ce3205b670286e4ea72ac54aaf2..95caec8657101ae8335ca483654e7351df046145 100644 --- a/nix/renderDocs.nix +++ b/nix/renderDocs.nix @@ -210,9 +210,6 @@ '' + indent (lib.strings.concatLines sectionList) - + '' - - '' + lib.strings.concatLines (map (n: '' :doc:`${lib.strings.removePrefix "yk8s." n} <${n}>` '') diff --git a/nix/yk8s/terraform.nix b/nix/yk8s/terraform.nix index 00918886ff1eb113291241d1fab14a34d66aefff..71a92ff09d44db062f547a782d01c553917292d0 100644 --- a/nix/yk8s/terraform.nix +++ b/nix/yk8s/terraform.nix @@ -304,7 +304,8 @@ in { gitlab_state_name = mkOption { description = '' - The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state' ''; + The name of the Gitlab state object in which to store the Terraform state, e.g. 'tf-state' + ''; type = with types; nullOr nonEmptyStr; default = null; example = "tf-state";
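Review bot: The `gitlab_backend` description in nix/yk8s/terraform.nix needs the same kind of repair this hunk gives `gitlab_state_name`. The yk8s.terraform.rst rendered in this commit prints the credential variable as `TF_HTTP_PASSWO = mkOptionD`, so the reference never names the variable that carries the GitLab token. The export example on the same rendered page uses `TF_HTTP_PASSWORD`, so the sentence should presumably name `TF_HTTP_USERNAME` and `TF_HTTP_PASSWORD`. That option's source lies outside this hunk, so this is inferred from the rendered text only. Since `~/.config/yaook-k8s/env` then holds an access token, the description could also say to keep that file readable by its owner only. Separately, the rendered `yk8s.wireguard.peers.*.pub_key` text cites `wg keygen`, which is not a `wg` subcommand; a public key comes from `wg genkey` piped into `wg pubkey`.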