| author | Christian Poessinger <christian@poessinger.com> | 2019-12-19 18:17:43 +0100 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2019-12-19 18:17:43 +0100 | 
| commit | 678317d432b968d15d9d36a63eadc4509c98410a (patch) | |
| tree | 0fc21ee0c8939dc2eac36b877d3fba17f6410981 | |
| parent | 6a2f577858f718833511d34f0bc431804aeb9e40 (diff) | |
style-guide: all opcmd and clicmd explanations should be indented by 3
| -rw-r--r-- | docs/interfaces/addresses.rst | 2 |
| -rw-r--r-- | docs/interfaces/geneve.rst | 19 |
| -rw-r--r-- | docs/routing/arp.rst | 8 |
| -rw-r--r-- | docs/services/dhcp.rst | 206 |
| -rw-r--r-- | docs/services/dns-forwarding.rst | 125 |
| -rw-r--r-- | docs/services/dynamic-dns.rst | 52 |
| -rw-r--r-- | docs/services/lldp.rst | 33 |
7 files changed, 228 insertions, 217 deletions
| diff --git a/docs/interfaces/addresses.rst b/docs/interfaces/addresses.rst index 034fb0ef..709490c8 100644 --- a/docs/interfaces/addresses.rst +++ b/docs/interfaces/addresses.rst @@ -13,7 +13,7 @@ addresses might be:  .. cfgcmd:: set interfaces ethernet eth0 description 'OUTSIDE' -An interface description is assigned using the following command: +   An interface description is assigned using the following command:  IPv4  ^^^^ diff --git a/docs/interfaces/geneve.rst b/docs/interfaces/geneve.rst index 252668c1..dc762738 100644 --- a/docs/interfaces/geneve.rst +++ b/docs/interfaces/geneve.rst 
@@ -34,21 +34,22 @@ Geneve Header:  .. cfgcmd:: set interfaces geneve gnv0 address '192.0.2.2/24' -Create GENEVE tunnel listening on local address `192.0.2.2/24`. +   Create GENEVE tunnel listening on local address `192.0.2.2/24`.  .. cfgcmd:: set interfaces geneve gnv0 remote '172.18.204.10' -Specify the IP address of the other end of the tunnel. +   Specify the IP address of the other end of the tunnel.  .. cfgcmd:: set interfaces geneve gnv0 vni '1000' -:abbr:`VNI (Virtual Network Identifier)` is an identifier for a unique element -of a virtual network.  In many situations this may represent an L2 segment, -however, the control plane defines the forwarding semantics of decapsulated -packets. The VNI MAY be used as part of ECMP forwarding decisions or MAY be -used as a mechanism to distinguish between overlapping address spaces contained -in the encapsulated packet when load balancing across CPUs. +   :abbr:`VNI (Virtual Network Identifier)` is an identifier for a unique +   element of a virtual network.  In many situations this may represent an L2 +   segment, however, the control plane defines the forwarding semantics of +   decapsulated packets. The VNI MAY be used as part of ECMP forwarding +   decisions or MAY be used as a mechanism to distinguish between overlapping +   address spaces contained in the encapsulated packet when load balancing +   across CPUs.  .. cfgcmd:: set interfaces geneve gnv0 mtu -Set interface :abbr:`MTU (Maximum Transfer Unit)` size. +   Set interface :abbr:`MTU (Maximum Transfer Unit)` size. diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst index 96a6ffeb..70d83503 100644 --- a/docs/routing/arp.rst +++ b/docs/routing/arp.rst 
@@ -21,15 +21,15 @@ Configure  .. cfgcmd:: set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa -This will configure a static ARP entry always resolving `192.0.2.100` to -`00:53:27:de:23:aa` +   This will configure a static ARP entry always resolving `192.0.2.100` to +   `00:53:27:de:23:aa`  Operation  =========  .. opcmd:: show protocols static arp -Display all known ARP table entries spanning accross all interfaces +   Display all known ARP table entries spanning accross all interfaces  .. code-block:: none @@ -41,7 +41,7 @@ Display all known ARP table entries spanning accross all interfaces  .. opcmd:: show protocols static arp interface eth1 -Display all known ARP table entries on a given interface only (`eth1`): +   Display all known ARP table entries on a given interface only (`eth1`):  .. code-block:: none diff --git a/docs/services/dhcp.rst b/docs/services/dhcp.rst index 1303395a..19c92aac 100644 --- a/docs/services/dhcp.rst +++ b/docs/services/dhcp.rst 
@@ -52,38 +52,37 @@ Explanation  .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample authoritative -This says that this device is the only DHCP server for this network. If other -devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to -any device trying to request an IP address that is -not valid for this network. +   This says that this device is the only DHCP server for this network. If other +   devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to +   any device trying to request an IP address that is not valid for this +   network.  .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 default-router 192.0.2.1 -This is a configuration parameter for the subnet, saying that as part of the -response, tell the client that I am the default router for this network +   This is a configuration parameter for the subnet, saying that as part of the +   response, tell the client that I am the default router for this network.  .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 dns-server 192.0.2.1 -This is a configuration parameter for the subnet, saying that as part of the -response, tell the client that I am the DNS server for this network. If you -do not want to run a DNS server, you could also provide one of the public -DNS servers, such as google's. You can add multiple entries by repeating the -line. +   This is a configuration parameter for the subnet, saying that as part of the +   response, tell the client that I am the DNS server for this network. If you +   do not want to run a DNS server, you could also provide one of the public +   DNS servers, such as google's. You can add multiple entries by repeating the +   line.  .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 lease 86400 -Assign the IP address to this machine for 24 hours. 
It is unlikely you'd need -to shorten this period, unless you are running a network with lots of devices -appearing and disappearing. - +   Assign the IP address to this machine for 24 hours. It is unlikely you'd need +   to shorten this period, unless you are running a network with lots of devices +   appearing and disappearing.  .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 range 0 start 192.0.2.100 -Make a range of addresses available for clients starting from .100 [...] +   Make a range of addresses available for clients starting from .100 [...]  .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 range 0 stop 192.0.2.199 -[...] and ending at .199. +   [...] and ending at .199.  Failover  -------- 
@@ -93,22 +92,22 @@ explicitly by the following statements.  .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover local-address '192.0.2.1' -Local IP address used when communicating to the failover peer. +   Local IP address used when communicating to the failover peer.  .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover peer-address '192.0.2.2' -Peer IP address of the second DHCP server in this failover cluster. +   Peer IP address of the second DHCP server in this failover cluster.  .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover name 'foo' -A generic name referencing this sync service. +   A generic name referencing this sync service.  .. note:: `name` must be identical on both sides!  .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover status '{primary|secondary}' -The primary and secondary statements determines whether the server is primary -or secondary. +   The primary and secondary statements determines whether the server is primary +   or secondary.  .. note:: In order for the primary and the secondary DHCP server to keep     their lease tables in sync, they must be able to reach each other on TCP 
@@ -131,12 +130,14 @@ inside the subnet definition but can be outside of the range statement.  .. cfgcmd::  set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping static-mapping-01 mac-address ff:ff:ff:ff:ff:ff -Each host is uniquely identified by its MAC address. +   Each host is uniquely identified by its MAC address.  .. cfgcmd::  set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping static-mapping-01 ip-address 192.0.2.10 -IP address to assign to this host. It must be inside the subnet in which it is defined but can be outside the dynamic range. -If ip-address is not specified, an IP from the dynamic pool (as specified by ``range``) is used. This is useful, for example, in combination with hostfile update. +   IP address to assign to this host. It must be inside the subnet in which it +   is defined but can be outside the dynamic range. If ip-address is not +   specified, an IP from the dynamic pool (as specified by ``range``) is used. +   This is useful, for example, in combination with hostfile update.  .. hint:: This is the equivalent of the host block in dhcpd.conf of isc-dhcpd. 
@@ -145,25 +146,25 @@ DHCP Options  .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 default-router '<address>' -Specify the default routers IPv4 address which should be used in this subnet. -This can - of course - be a VRRP address (DHCP option 003). +   Specify the default routers IPv4 address which should be used in this subnet. +   This can - of course - be a VRRP address (DHCP option 003).  .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 dns-server '<address>' -Specify the DNS nameservers used (Option 006). This option may be used mulltiple -times to specify additional DNS nameservers. +   Specify the DNS nameservers used (Option 006). This option may be used +   mulltiple times to specify additional DNS nameservers.  .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 domain-name '<domain-name>' -The domain-name parameter should be the domain name that will be appended to -the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP -Option 015). +   The domain-name parameter should be the domain name that will be appended to +   the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP +   Option 015).  .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 domain-search '<domain-name>' -The domain-name parameter should be the domain name used when completing DNS -request where no full FQDN is passed. This option can be given multiple times -if you need multiple search domains (DHCP Option 119). +   The domain-name parameter should be the domain name used when completing DNS +   request where no full FQDN is passed. This option can be given multiple times +   if you need multiple search domains (DHCP Option 119).  .. list-table::     :header-rows: 1 
@@ -319,18 +320,18 @@ Example  .. opcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" -Override the static-mapping's dns-server with a custom one that will be sent only to this host. +   Override the static-mapping's dns-server with a custom one that will be sent only to this host.  Operation Mode  --------------  .. opcmd:: restart dhcp server -Restart the DHCP server +   Restart the DHCP server  .. opcmd:: show dhcp server statistics -Show the DHCP server statistics: +   Show the DHCP server statistics:  .. code-block:: none @@ -341,11 +342,11 @@ Show the DHCP server statistics:  .. opcmd:: show dhcp server statistics pool <pool> -Show the DHCP server statistics for the specified pool. +   Show the DHCP server statistics for the specified pool.  .. opcmd:: show dhcp server leases -Show statuses of all active leases: +   Show statuses of all active leases:  .. code-block:: none 
@@ -355,19 +356,22 @@ Show statuses of all active leases:    192.0.2.104     aa:bb:cc:dd:ee:ff   active   2019/12/05 14:24:23  2019/12/06 02:24:23  6:05:35     dhcpexample  test1    192.0.2.115     ab:ac:ad:ae:af:bf   active   2019/12/05 18:02:37  2019/12/06 06:02:37  9:43:49     dhcpexample  test2 -.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. hint:: Static mappings aren't shown. To show all states, use +   ``show dhcp server leases state all``.  .. opcmd:: show dhcp server leases pool <pool> -Show only leases in the specified pool. +   Show only leases in the specified pool.  .. opcmd:: show dhcp server leases sort <key> -Sort the output by the specified key. Possible keys: ip, hardware_address, state, start, end, remaining, pool, hostname (default = ip) +   Sort the output by the specified key. Possible keys: ip, hardware_address, +   state, start, end, remaining, pool, hostname (default = ip)  .. opcmd:: show dhcp server leases state <state> -Show only leases with the specified state. Possible states: all, active, free, expired, released, abandoned, reset, backup (default = active) +   Show only leases with the specified state. Possible states: all, active, +   free, expired, released, abandoned, reset, backup (default = active)  DHCPv6 Server  ============= 
@@ -380,47 +384,46 @@ Configuration Options  .. cfgcmd:: set service dhcpv6-server preference <preference value> -Clients receiving advertise messages from multiple servers choose the server -with the highest preference value. The range for this value is ``0...255``. - +   Clients receiving advertise messages from multiple servers choose the server +   with the highest preference value. The range for this value is ``0...255``.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' lease-time {default | maximum | minimum} -The default lease time for DHCPv6 leases is 24 hours. This can be changed by -supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All values -need to be supplied in seconds. +   The default lease time for DHCPv6 leases is 24 hours. This can be changed by +   supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All +   values need to be supplied in seconds.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nis-domain '<domain-name>' -A :abbr:`NIS (Network Information Service)` domain can be set to be used for -DHCPv6 clients. +   A :abbr:`NIS (Network Information Service)` domain can be set to be used for +   DHCPv6 clients.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nisplus-domain '<domain-name>' -The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` -domain is similar to the NIS domain one: +   The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` +   domain is similar to the NIS domain one:  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nis-server '<address>' -Specify a NIS server address for DHCPv6 clients. +   Specify a NIS server address for DHCPv6 clients.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nisplus-server '<address>' -Specify a NIS+ server address for DHCPv6 clients. 
+   Specify a NIS+ server address for DHCPv6 clients.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' sip-server-address '<address>' -Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address for -all DHCPv6 clients. +   Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address +   for all DHCPv6 clients.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' sip-server-name '<fqdn>' -Specify a :abbr:`SIP (Session Initiation Protocol)` server by FQDN for all -DHCPv6 clients. +   Specify a :abbr:`SIP (Session Initiation Protocol)` server by FQDN for all +   DHCPv6 clients.  .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' sntp-server-address '<address>' -A SNTP server address can be specified for DHCPv6 clients: +   A SNTP server address can be specified for DHCPv6 clients.  Address pools  ------------- @@ -468,9 +471,11 @@ be created. The following example explains the process.  * IPv6 address ``2001:db8::101`` shall be statically mapped  * Host specific mapping shall be named ``client1`` -.. hint:: The identifier is the device's DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). -   If the device already has a dynamic lease from the DHCPv6 server, its DUID can be found with ``show service dhcpv6 server leases``. -   The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID. +.. hint:: The identifier is the device's DUID: colon-separated hex list (as +   used by isc-dhcp option dhcpv6.client-id). If the device already has a +   dynamic lease from the DHCPv6 server, its DUID can be found with ``show +   service dhcpv6 server leases``. The DUID begins at the 5th octet (after the +   4th colon) of IAID_DUID.  .. code-block:: none 
@@ -502,15 +507,15 @@ Operation Mode  .. opcmd:: restart dhcpv6 server -To restart the DHCPv6 server +   To restart the DHCPv6 server  .. opcmd:: show dhcpv6 server status -To show the current status of the DHCPv6 server. +   To show the current status of the DHCPv6 server.  .. opcmd:: show dhcpv6 server leases -Show statuses of all assigned leases: +   Show statuses of all assigned leases:  .. code-block:: none @@ -520,19 +525,22 @@ Show statuses of all assigned leases:    2001:db8::101  active   2019/12/05 19:40:10   2019/12/06 07:40:10  11:45:21     non-temporary  NET1   98:76:54:32:00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff    2001:db8::102  active   2019/12/05 14:01:23   2019/12/06 02:01:23  6:06:34      non-temporary  NET1   87:65:43:21:00:01:00:01:11:22:33:44:fa:fb:fc:fd:fe:ff -.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp +   server leases state all``.  .. opcmd:: show dhcpv6 server leases pool <pool> -Show only leases in the specified pool. +   Show only leases in the specified pool.  .. opcmd:: show dhcpv6 server leases sort <key> -Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type (default = ip) +   Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, +   last_comm, pool, remaining, state, type (default = ip)  .. opcmd:: show dhcpv6 server leases state <state> -Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active) +   Show only leases with the specified state. Possible states: abandoned, +   active, all, backup, expired, free, released, reset (default = active)  DHCP Relay  ========== 
@@ -550,16 +558,16 @@ Configuration  .. cfgcmd:: set service dhcp-relay interface '<interface>' -Enable the DHCP relay service on the given interface. +   Enable the DHCP relay service on the given interface.  .. cfgcmd:: set service dhcp-relay server 10.0.1.4 -Configure IP address of the DHCP server +   Configure IP address of the DHCP server  .. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets discard -The router should discard DHCP packages already containing relay agent -information to ensure that only requests from DHCP clients are forwarded. +   The router should discard DHCP packages already containing relay agent +   information to ensure that only requests from DHCP clients are forwarded.  Example  ------- 
@@ -592,38 +600,38 @@ Options  .. cfgcmd:: set service dhcp-relay relay-options hop-count 'count' -Set the maximum hop count before packets are discarded. Range 0...255, -default 10. +   Set the maximum hop count before packets are discarded. Range 0...255, +   default 10.  .. cfgcmd:: set service dhcp-relay relay-options max-size 'size' -Set maximum size of DHCP packets including relay agent information. If a -DHCP packet size surpasses this value it will be forwarded without appending -relay agent information. Range 64...1400, default 576. +   Set maximum size of DHCP packets including relay agent information. If a +   DHCP packet size surpasses this value it will be forwarded without appending +   relay agent information. Range 64...1400, default 576.  .. cfgcmd:: set service dhcp-relay relay-options relay-agents-packet 'policy' -Four policies for reforwarding DHCP packets exist: +   Four policies for reforwarding DHCP packets exist: -* **append:** The relay agent is allowed to append its own relay information -  to a received DHCP packet, disregarding relay information already present in -  the packet. +   * **append:** The relay agent is allowed to append its own relay information +     to a received DHCP packet, disregarding relay information already present in +     the packet. -* **discard:** Received packets which already contain relay information will -  be discarded. +   * **discard:** Received packets which already contain relay information will +     be discarded. -* **forward:** All packets are forwarded, relay information already present -  will be ignored. +   * **forward:** All packets are forwarded, relay information already present +     will be ignored. -* **replace:** Relay information already present in a packet is stripped and -  replaced with the router's own relay information set. +   * **replace:** Relay information already present in a packet is stripped and +     replaced with the router's own relay information set.  
Operation  ---------  .. opcmd:: restart dhcp relay-agent -Restart DHCP relay service +   Restart DHCP relay service  DHCPv6 relay  ============ @@ -633,12 +641,12 @@ Configuration  .. cfgcmd:: set service dhcpv6-relay listen-interface eth1 -Set eth1 to be the listening interface for the DHCPv6 relay: +   Set eth1 to be the listening interface for the DHCPv6 relay:  .. cfgcmd:: set service dhcpv6-relay upstream-interface eth2 address 2001:db8::4 -Set eth2 to be the upstream interface and specify the IPv6 address of -the DHCPv6 server: +   Set eth2 to be the upstream interface and specify the IPv6 address of +   the DHCPv6 server:  Example  ^^^^^^^ @@ -670,20 +678,20 @@ Options  .. cfgcmd:: set service dhcpv6-relay max-hop-count 'count' -Set maximum hop count before packets are discarded, default: 10 +   Set maximum hop count before packets are discarded, default: 10  .. cfgcmd:: set service dhcpv6-relay use-interface-id-option -If this is set the relay agent will insert the interface ID. This option is -set automatically if more than one listening interfaces are in use. +   If this is set the relay agent will insert the interface ID. This option is +   set automatically if more than one listening interfaces are in use.  Operation  ---------  .. opcmd:: show dhcpv6 relay-agent status -Show the current status of the DHCPv6 relay agent: +   Show the current status of the DHCPv6 relay agent:  .. opcmd:: restart dhcpv6 relay-agent -Restart DHCPv6 relay agent immediately. +   Restart DHCPv6 relay agent immediately. diff --git a/docs/services/dns-forwarding.rst b/docs/services/dns-forwarding.rst index a4fbdd9f..fb996709 100644 --- a/docs/services/dns-forwarding.rst +++ b/docs/services/dns-forwarding.rst 
@@ -18,91 +18,92 @@ avoid to be tracked by the provider of your upstream DNS server.  .. cfgcmd:: set service dns forwarding system -Forward incoming DNS queries to the DNS servers configured under the ``system -name-server`` nodes. +   Forward incoming DNS queries to the DNS servers configured under the ``system +   name-server`` nodes.  .. cfgcmd:: set service dns forwarding name-server <address> -Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`. -You can configure multiple nameservers here. +   Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`. +   You can configure multiple nameservers here.  .. cfgcmd:: set service dns forwarding domain <domain-name> server <address> -Forward received queries for a particular domain (specified via `domain-name`) -to a given name-server. Multiple nameservers can be specified. +   Forward received queries for a particular domain (specified via `domain-name`) +   to a given name-server. Multiple nameservers can be specified.  .. note:: This also works for reverse-lookup zones e.g. ``18.172.in-addr.arpa``.  .. cfgcmd:: set service dns forwarding allow-from <network> -Given the fact that open DNS recursors could be used on DDOS amplification -attacts, you must configure the networks which are allowed to use this recursor. -A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and IPv6 networks -to query this server. This is on general a bad idea. +   Given the fact that open DNS recursors could be used on DDOS amplification +   attacts, you must configure the networks which are allowed to use this +   recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and +   IPv6 networks to query this server. This is on general a bad idea.  .. cfgcmd:: set service dns forwarding dnssec <off | process-no-validate | process | log-fail | validate> -The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can -be set with the dnssec setting. 
In order from least to most processing, these -are: - -* **off** In this mode, no DNSSEC processing takes place. The recursor will not -  set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and -  AD bits in queries. - -* **process-no-validate** In this mode the Recursor acts as a "security aware, -  non-validating" nameserver, meaning it will set the DO-bit on outgoing queries -  and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for -  them (by means of a DO-bit in the query), except for zones provided through -  the auth-zones setting. It will not do any validation in this mode, not even -  when requested by the client. - -* **process** When dnssec is set to process the behaviour is similar to -  process-no-validate. However, the recursor will try to validate the data if -  at least one of the DO or AD bits is set in the query; in that case, it will -  set the AD-bit in the response when the data is validated successfully, or -  send SERVFAIL when the validation comes up bogus. - -* **log-fail** In this mode, the recursor will attempt to validate all data it -  retrieves from authoritative servers, regardless of the client's DNSSEC -  desires, and will log the validation result. This mode can be used to -  determine the extra load and amount of possibly bogus answers before turning -  on full-blown validation. Responses to client queries are the same as with -  process. - -* **validate** The highest mode of DNSSEC processing. In this mode, all queries -  will be be validated and will be answered with a SERVFAIL in case of bogus -  data, regardless of the client's request. - -.. note:: The famous UNIX/Linux ``dig`` tool sets the AD-bit in the query. This -   might lead to unexpected query results when testing. Set ``+noad`` on the -   ``dig`` commandline when this is the case. - -.. note:: The ``CD``-bit is honored correctly for process and validate. For -   log-fail, failures will be logged too. 
+   The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can +   be set with the dnssec setting. In order from least to most processing, these +   are: + +   * **off** In this mode, no DNSSEC processing takes place. The recursor will +     not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the +     DO and AD bits in queries. + +   * **process-no-validate** In this mode the Recursor acts as a "security +     aware, non-validating" nameserver, meaning it will set the DO-bit on +     outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to +     clients that ask for them (by means of a DO-bit in the query), except for +     zones provided through the auth-zones setting. It will not do any +     validation in this mode, not even when requested by the client. + +   * **process** When dnssec is set to process the behaviour is similar to +     process-no-validate. However, the recursor will try to validate the data +     if at least one of the DO or AD bits is set in the query; in that case, +     it will set the AD-bit in the response when the data is validated +     successfully, or send SERVFAIL when the validation comes up bogus. + +   * **log-fail** In this mode, the recursor will attempt to validate all data +     it retrieves from authoritative servers, regardless of the client's DNSSEC +     desires, and will log the validation result. This mode can be used to +     determine the extra load and amount of possibly bogus answers before +     turning on full-blown validation. Responses to client queries are the same +     as with process. + +   * **validate** The highest mode of DNSSEC processing. In this mode, all +     queries will be be validated and will be answered with a SERVFAIL in case +     of bogus data, regardless of the client's request. + +   .. note:: The famous UNIX/Linux ``dig`` tool sets the AD-bit in the query. +      This might lead to unexpected query results when testing. 
Set ``+noad`` +      on the ``dig`` commandline when this is the case. + +   .. note:: The ``CD``-bit is honored correctly for process and validate. For +      log-fail, failures will be logged too.  .. cfgcmd:: set service dns forwarding ignore-hosts-file -Do not use local ``/etc/hosts`` file in name resolution. VyOS DHCP server will -use this file to add resolvers to assigned addresses. +   Do not use local ``/etc/hosts`` file in name resolution. VyOS DHCP server +   will use this file to add resolvers to assigned addresses.  .. cfgcmd:: set service dns forwarding max-cache-entries -Maximum number of DNS cache entries. 1 million per CPU core will generally -suffice for most installations. +   Maximum number of DNS cache entries. 1 million per CPU core will generally +   suffice for most installations.  .. cfgcmd:: set service dns forwarding negative-ttl -A query for which there is authoritatively no answer is cached to quickly deny -a record's existence later on, without putting a heavy load on the remote -server. In practice, caches can become saturated with hundreds of thousands of -hosts which are tried only once. This setting, which defaults to 3600 seconds, -puts a maximum on the amount of time negative entries are cached. +   A query for which there is authoritatively no answer is cached to quickly +   deny a record's existence later on, without putting a heavy load on the +   remote server. In practice, caches can become saturated with hundreds of +   thousands of hosts which are tried only once. This setting, which defaults +   to 3600 seconds, puts a maximum on the amount of time negative entries are +   cached.  .. cfgcmd:: set service dns forwarding listen-address -Local IPv4 or IPv6 addresses to bind to - waiting on this address for incoming -connections. +   Local IPv4 or IPv6 addresses to bind to - waiting on this address for +   incoming connections.  Example  ======= 
@@ -137,9 +138,9 @@ Operation  .. opcmd:: reset dns forwarding <all | domain> -Reset local DNS forwarding cache database. You can reset the cache for all -entries or only for entries to a specific domain. +   Reset local DNS forwarding cache database. You can reset the cache for all +   entries or only for entries to a specific domain.  .. opcmd:: restart dns forwarding -Restart DNS recursor process which also invalidates the cache. +   Restart DNS recursor process which also invalidates the cache. diff --git a/docs/services/dynamic-dns.rst b/docs/services/dynamic-dns.rst index 154f9023..3842c1c4 100644 --- a/docs/services/dynamic-dns.rst +++ b/docs/services/dynamic-dns.rst 
@@ -22,31 +22,33 @@ Configuration  .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> -Create new :rfc:`2136` DNS update configuration which will update the IP address -assigned to `<interface>` on the service you configured under `<service-name>`. +   Create new :rfc:`2136` DNS update configuration which will update the IP +   address assigned to `<interface>` on the service you configured under +   `<service-name>`.  .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> key <keyfile> -File identified by `<keyfile>` containing the secret RNDC key shared with -remote DNS server. +   File identified by `<keyfile>` containing the secret RNDC key shared with +   remote DNS server.  .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> server <server> -Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignemnt. +   Configure the DNS `<server>` IP/FQDN used when updating this dynamic +   assignemnt.  .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> zone <zone> -Configure DNS `<zone>` to be updated. +   Configure DNS `<zone>` to be updated.  .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> record <record> -Configure DNS `<record>` which should be updated. This can be set multiple -times. +   Configure DNS `<record>` which should be updated. This can be set multiple +   times.  .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> ttl <ttl> -Configure optional TTL value on the given resource record. This defualts to 600 -seconds. +   Configure optional TTL value on the given resource record. This defualts to +   600 seconds.  Example  ^^^^^^^ 
@@ -99,30 +101,30 @@ hostnames, protocol and server.  .. cfgcmd:: set service dns dynamic interface <interface> service <service> host-name <hostname> -Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS provider -identified by `<service>` when the IP address on interface `<interface>` -changes. +   Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS +   provider identified by `<service>` when the IP address on interface +   `<interface>` changes.  .. cfgcmd:: set service dns dynamic interface <interface> service <service> login <username> -Configure `<username>` used when authenticating the update request for DynDNS -service identified by `<service>`. +   Configure `<username>` used when authenticating the update request for +   DynDNS service identified by `<service>`.  .. cfgcmd:: set service dns dynamic interface <interface> service <service> password <password> -Configure `<password>` used when authenticating the update request for DynDNS -service identified by `<service>`. +   Configure `<password>` used when authenticating the update request for +   DynDNS service identified by `<service>`.  .. cfgcmd:: set service dns dynamic interface <interface> service <service> protocol <protocol> -When a ``custom`` DynDNS provider is used the protocol used for communicating to -the provider must be specified under `<protocol>`. See the embedded completion -helper for available protocols. +   When a ``custom`` DynDNS provider is used the protocol used for communicating +   to the provider must be specified under `<protocol>`. See the embedded +   completion helper for available protocols.  .. cfgcmd:: set service dns dynamic interface <interface> service <service> server <server> -When a ``custom`` DynDNS provider is used the `<server>` where update requests -are beeing sent to must be specified. +   When a ``custom`` DynDNS provider is used the `<server>` where update +   requests are beeing sent to must be specified.  
Example:  ^^^^^^^^ @@ -151,11 +153,11 @@ by:  .. cfgcmd:: set service dns dynamic interface <interface> use-web url <url> -Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` -and tries to extract your IP address from the response. +   Use configured `<url>` to determine your IP address. ddclient_ will load +   `<url>` and tries to extract your IP address from the response.  .. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern> -ddclient_ will skip any address located before the string set in `<pattern>`. +   ddclient_ will skip any address located before the string set in `<pattern>`.  .. _ddclient: https://github.com/ddclient/ddclient diff --git a/docs/services/lldp.rst b/docs/services/lldp.rst index 05c187b0..c1f39fba 100644 --- a/docs/services/lldp.rst +++ b/docs/services/lldp.rst 
@@ -36,42 +36,41 @@ Configuration  .. cfgcmd:: set service lldp -Enable LLDP service +   Enable LLDP service  .. cfgcmd:: set service lldp management-address <address> -Define IPv4 management address transmitted via LLDP. +   Define IPv4 management address transmitted via LLDP.  .. cfgcmd:: set service lldp interface <interface> -Enable transmission of LLDP information on given `<interface>`. You can also -say ``all`` here so LLDP is turned on on every interface. +   Enable transmission of LLDP information on given `<interface>`. You can also +   say ``all`` here so LLDP is turned on on every interface.  .. cfgcmd:: set service lldp interface <interface> disable -Disable transmit of LLDP frames on given `<interface>`. Useful to exclude -certain interfaces from LLDP when ``all`` have been enabled. +   Disable transmit of LLDP frames on given `<interface>`. Useful to exclude +   certain interfaces from LLDP when ``all`` have been enabled.  .. cfgcmd:: set service lldp snmp enable -Enable SNMP queries of the LLDP database - +   Enable SNMP queries of the LLDP database  .. cfgcmd:: set service lldp legacy-protocols <cdp|edp|fdp|sonmp> -Enable given legacy protocol on this LLDP instance. Legacy protocols include: +   Enable given legacy protocol on this LLDP instance. Legacy protocols include: -* ``cdp`` - Listen for CDP for Cisco routers/switches -* ``edp`` - Listen for EDP for Extreme routers/switches -* ``fdp`` - Listen for FDP for Foundry routers/switches -* ``sonmp`` - Listen for SONMP for Nortel routers/switches +   * ``cdp`` - Listen for CDP for Cisco routers/switches +   * ``edp`` - Listen for EDP for Extreme routers/switches +   * ``fdp`` - Listen for FDP for Foundry routers/switches +   * ``sonmp`` - Listen for SONMP for Nortel routers/switches  Operation  =========  .. opcmd:: show lldp neighbors -Displays information about all neighbors discovered via LLDP. +   Displays information about all neighbors discovered via LLDP.  .. code-block:: none 
@@ -85,7 +84,7 @@ Displays information about all neighbors discovered via LLDP.  .. opcmd:: show lldp neighbors detail -Get detailed information about LLDP neighbors. +   Get detailed information about LLDP neighbors.  .. code-block:: none @@ -135,8 +134,8 @@ Get detailed information about LLDP neighbors.  .. opcmd:: show lldp neighbors interface <interface> -Show LLDP neighbors connected via interface `<interface>`. +   Show LLDP neighbors connected via interface `<interface>`.  .. opcmd:: show log lldp -Used for troubleshooting. +   Used for troubleshooting. | 
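Review bot: in docs/services/dynamic-dns.rst, hunk @@ -22,31, the re-wrapped `server <server>` and `ttl <ttl>` descriptions carry over the misspellings "assignemnt" and "defualts". Since both added lines are being rewritten anyway, correct them to "assignment" and "defaults" in this commit rather than leaving them for a follow-up.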
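Review bot: in docs/services/dynamic-dns.rst, hunk @@ -99,30, the added `server <server>` description still reads "requests are beeing sent to must be specified". Fix the spelling and tighten the sentence while the line is being touched, for example "the `<server>` to which update requests are sent must be specified".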
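Review bot: in docs/services/dynamic-dns.rst, hunk @@ -151,11, the added `use-web url <url>` text mixes tenses: "ddclient_ will load `<url>` and tries to extract". Make the verbs agree ("will load `<url>` and try to extract your IP address from the response") as part of the re-wrap.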
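Review bot: in docs/services/lldp.rst, the `.. code-block:: none` that follows `.. opcmd:: show lldp neighbors` (end of hunk @@ -36,42) and `.. opcmd:: show lldp neighbors detail` (hunk @@ -85,7) is an unchanged context line and stays at column 0, while the description above it is now indented by 3. The sample output therefore no longer belongs to the same directive body as the sentence that introduces it. Indent those code-block directives together with their bodies by 3 as well, or state in the commit message that example blocks are intentionally left outside the opcmd body.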
