summaryrefslogtreecommitdiff
path: root/docs/configuration/system
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2026-05-06 14:08:24 +0100
committerGitHub <noreply@github.com>2026-05-06 14:08:24 +0100
commitdfea790b36ddab4c6661436c8eed3cea7af5bd3a (patch)
treec1a9a432839a7ce7aecc4072750d476ae6186248 /docs/configuration/system
parent4b36114e053ee11d0cb264a1e4cfe4692d78f194 (diff)
downloadvyos-documentation-dfea790b36ddab4c6661436c8eed3cea7af5bd3a.tar.gz
vyos-documentation-dfea790b36ddab4c6661436c8eed3cea7af5bd3a.zip
Revert "Add incremental RST-to-MyST swap mechanism (#1857)" (#1892)
This reverts commit 4b36114e053ee11d0cb264a1e4cfe4692d78f194.
Diffstat (limited to 'docs/configuration/system')
-rw-r--r--docs/configuration/system/md-acceleration.md158
-rw-r--r--docs/configuration/system/md-conntrack.md218
-rw-r--r--docs/configuration/system/md-console.md59
-rw-r--r--docs/configuration/system/md-default-route.md40
-rw-r--r--docs/configuration/system/md-flow-accounting.md209
-rw-r--r--docs/configuration/system/md-frr.md45
-rw-r--r--docs/configuration/system/md-host-name.md70
-rw-r--r--docs/configuration/system/md-index.md34
-rw-r--r--docs/configuration/system/md-ip.md126
-rw-r--r--docs/configuration/system/md-ipv6.md193
-rw-r--r--docs/configuration/system/md-lcd.md41
-rw-r--r--docs/configuration/system/md-login.md604
-rw-r--r--docs/configuration/system/md-name-server.md65
-rw-r--r--docs/configuration/system/md-option.md190
-rw-r--r--docs/configuration/system/md-proxy.md27
-rw-r--r--docs/configuration/system/md-sflow.md66
-rw-r--r--docs/configuration/system/md-sysctl.md16
-rw-r--r--docs/configuration/system/md-syslog.md450
-rw-r--r--docs/configuration/system/md-task-scheduler.md45
-rw-r--r--docs/configuration/system/md-time-zone.md17
-rw-r--r--docs/configuration/system/md-updates.md36
-rw-r--r--docs/configuration/system/md-watchdog.md212
22 files changed, 0 insertions, 2921 deletions
diff --git a/docs/configuration/system/md-acceleration.md b/docs/configuration/system/md-acceleration.md
deleted file mode 100644
index 871129e6..00000000
--- a/docs/configuration/system/md-acceleration.md
+++ /dev/null
@@ -1,158 +0,0 @@
-(acceleration)=
-
-# Acceleration
-
-In this command tree, all hardware acceleration options will be handled.
-At the moment only [Intel® QAT] is supported
-
-## Intel® QAT
-
-```{opcmd} show system acceleration qat
-
-use this command to check if there is an Intel® QAT supported Processor in your system.
-
-:::{code-block} none
-vyos@vyos:~$ show system acceleration qat
-01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
-:::
-
-if there is non device the command will show `` `No QAT device found` ``
-```
-
-```{cfgcmd} set system acceleration qat
-
-if there is a supported device, enable Intel® QAT
-```
-
-
-```{opcmd} show system acceleration qat status
-
-Check if the Intel® QAT device is up and ready to do the job.
-
-:::{code-block} none
-vyos@vyos:~$ show system acceleration qat status
-Checking status of all devices.
-There is 1 QAT acceleration device(s) in the system:
-qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
-:::
-```
-
-
-### Operation Mode
-
-```{opcmd} show system acceleration qat device \<device\> config
-
-Show the full config uploaded to the QAT device.
-```
-
-
-```{opcmd} show system acceleration qat device \<device\> flows
-
-Get an overview over the encryption counters.
-```
-
-
-```{opcmd} show system acceleration qat interrupts
-
-Show binded qat device interrupts to certain core.
-```
-
-
-### Example
-
-Let's build a simple VPN between 2 Intel® QAT ready devices.
-
-Side A:
-
-```
-set interfaces vti vti1 address '192.168.1.2/24'
-set vpn ipsec authentication psk right id '10.10.10.2'
-set vpn ipsec authentication psk right id '10.10.10.1'
-set vpn ipsec authentication psk right secret 'Qwerty123'
-set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
-set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
-set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
-set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
-set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
-set vpn ipsec interface 'eth0'
-set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2'
-set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1'
-set vpn ipsec site-to-site peer right connection-type 'initiate'
-set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
-set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
-set vpn ipsec site-to-site peer right local-address '10.10.10.2'
-set vpn ipsec site-to-site peer right remote-address '10.10.10.1'
-set vpn ipsec site-to-site peer right vti bind 'vti1'
-```
-
-Side B:
-
-```
-set interfaces vti vti1 address '192.168.1.1/24'
-set vpn ipsec authentication psk left id '10.10.10.2'
-set vpn ipsec authentication psk left id '10.10.10.1'
-set vpn ipsec authentication psk left secret 'Qwerty123'
-set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
-set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
-set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
-set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
-set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
-set vpn ipsec interface 'eth0'
-set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1'
-set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2'
-set vpn ipsec site-to-site peer left connection-type 'initiate'
-set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
-set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
-set vpn ipsec site-to-site peer left local-address '10.10.10.1'
-set vpn ipsec site-to-site peer left remote-address '10.10.10.2'
-set vpn ipsec site-to-site peer left vti bind 'vti1'
-```
-
-a bandwidth test over the VPN got these results:
-
-```
-Connecting to host 192.168.1.2, port 5201
-[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
-[ ID] Interval Transfer Bitrate Retr Cwnd
-[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
-[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
-[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
-[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
-[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
-[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
-[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
-[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
-[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
-[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
-- - - - - - - - - - - - - - - - - - - - - - - - -
-[ ID] Interval Transfer Bitrate Retr
-[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
-[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
-```
-
-with {cfgcmd}`set system acceleration qat` on both systems the bandwidth
-increases.
-
-```
-Connecting to host 192.168.1.2, port 5201
-[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
-[ ID] Interval Transfer Bitrate Retr Cwnd
-[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
-[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
-[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
-[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
-[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
-[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
-[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
-[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
-[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
-[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
-- - - - - - - - - - - - - - - - - - - - - - - - -
-[ ID] Interval Transfer Bitrate Retr
-[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
-[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
-```
-
-[intel® qat]: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
diff --git a/docs/configuration/system/md-conntrack.md b/docs/configuration/system/md-conntrack.md
deleted file mode 100644
index f83f0684..00000000
--- a/docs/configuration/system/md-conntrack.md
+++ /dev/null
@@ -1,218 +0,0 @@
-# Conntrack
-
-VyOS can be configured to track connections using the connection
-tracking subsystem. Connection tracking becomes operational once either
-stateful firewall or NAT is configured.
-
-## Configure
-
-```{cfgcmd} set system conntrack table-size \<1-50000000\>
-:defaultvalue:
-
-The connection tracking table contains one entry for each connection being
-tracked by the system.
-```
-
-```{cfgcmd} set system conntrack expect-table-size \<1-50000000\>
-:defaultvalue:
-
-The connection tracking expect table contains one entry for each expected
-connection related to an existing connection. These are generally used by
-“connection tracking helper” modules such as FTP.
-The default size of the expect table is 2048 entries.
-```
-
-```{cfgcmd} set system conntrack hash-size \<1-50000000\>
-:defaultvalue:
-
-Set the size of the hash table. The connection tracking hash table makes
-searching the connection tracking table faster. The hash table uses
-“buckets” to record entries in the connection tracking table.
-```
-
-```{eval-rst}
-.. cfgcmd:: set system conntrack modules ftp
-.. cfgcmd:: set system conntrack modules h323
-.. cfgcmd:: set system conntrack modules nfs
-.. cfgcmd:: set system conntrack modules pptp
-.. cfgcmd:: set system conntrack modules sip
-.. cfgcmd:: set system conntrack modules sqlnet
-.. cfgcmd:: set system conntrack modules tftp
-
- Configure the connection tracking protocol helper modules.
- All modules are enable by default.
-
- | Use `delete system conntrack modules` to deactive all modules.
- | Or, for example ftp, `delete system conntrack modules ftp`.
-```
-
-```{cfgcmd} set system conntrack tcp half-open-connections \<1-21474836\>
-:defaultvalue:
-
-Set the maximum number of TCP half-open connections.
-```
-
-```{cfgcmd} set system conntrack tcp loose \<enable | disable\>
-:defaultvalue:
-
-Policy to track previously established connections.
-```
-
-```{cfgcmd} set system conntrack tcp max-retrans \<1-2147483647\>
-:defaultvalue:
-
-Set the number of TCP maximum retransmit attempts.
-```
-
-### Contrack Timeouts
-
-You can define custom timeout values to apply to a specific subset of
-connections, based on a packet and flow selector. To do this, you need to
-create a rule defining the packet and flow selector.
-
-```{eval-rst}
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- description <test>
-
- Set a rule description.
-
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- destination address <ip-address>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- source address <ip-address>
-
- Set a destination and/or source address. Accepted input for ipv4:
-
- .. code-block:: none
-
- set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
- Possible completions:
- <x.x.x.x> IPv4 address to match
- <x.x.x.x/x> IPv4 prefix to match
- <x.x.x.x>-<x.x.x.x> IPv4 address range to match
- !<x.x.x.x> Match everything except the specified address
- !<x.x.x.x/x> Match everything except the specified prefix
- !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
-
- set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
- Possible completions:
- <h:h:h:h:h:h:h:h> IP address to match
- <h:h:h:h:h:h:h:h/x> Subnet to match
- <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
- IP range to match
- !<h:h:h:h:h:h:h:h> Match everything except the specified address
- !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
- !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
- Match everything except the specified range
-
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- destination port <value>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- source port <value>
-
- Set a destination and/or source port. Accepted input:
-
- .. code-block:: none
-
- <port name> Named port (any name in /etc/services, e.g., http)
- <1-65535> Numbered port
- <start>-<end> Numbered port range (e.g., 1001-1005)
-
- Multiple destination ports can be specified as a comma-separated list.
- The whole list can also be "negated" using '!'. For example:
- `!22,telnet,http,123,1001-1005``
-
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp close <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp close-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp established <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp fin-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp last-ack <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp syn-recv <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp syn-sent <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol tcp time-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol udp replied <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
- protocol udp unreplied <1-21474836>
-
- Set the timeout in seconds for a protocol or state in a custom rule.
-```
-
-### Conntrack ignore rules
-
-:::{note}
-**Important note about conntrack ignore rules:**
-Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in
-``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in
-the future the conntrack ignore rules will be removed.
-
-> Customized ignore rules, based on a packet and flow selector.
-:::
-
-```{eval-rst}
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- description <text>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- destination address <ip-address>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- destination port <port>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- inbound-interface <interface>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- protocol <protocol>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- source address <ip-address>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- source port <port>
-.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
- tcp flags [not] <text>
-
- Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
- ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
- inverted selection use ``not``, as shown in the example.
-```
-
-### Conntrack log
-
-```{eval-rst}
-.. cfgcmd:: set system conntrack log event destroy
-.. cfgcmd:: set system conntrack log event new
-.. cfgcmd:: set system conntrack log event update
-
- Log the connection tracking events per type.
-
-.. cfgcmd:: set system conntrack log event destroy icmp
-.. cfgcmd:: set system conntrack log event destroy other
-.. cfgcmd:: set system conntrack log event destroy tcp
-.. cfgcmd:: set system conntrack log event destroy udp
-.. cfgcmd:: set system conntrack log event new icmp
-.. cfgcmd:: set system conntrack log event new other
-.. cfgcmd:: set system conntrack log event new tcp
-.. cfgcmd:: set system conntrack log event new udp
-.. cfgcmd:: set system conntrack log event update icmp
-.. cfgcmd:: set system conntrack log event update other
-.. cfgcmd:: set system conntrack log event update tcp
-.. cfgcmd:: set system conntrack log event update udp
-
- Log the connection tracking events per protocol.
-
-.. cfgcmd:: set system conntrack log timestamp
-
- Turn on flow-based timestamp extension.
-
-.. cfgcmd:: set system conntrack log queue-size <100-999999>
-
- Manage internal queue size, default size is 4096 events.
-
-.. cfgcmd:: set system conntrack log log-level <info | debug>
-
- Manage log level
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-console.md b/docs/configuration/system/md-console.md
deleted file mode 100644
index 9017fa30..00000000
--- a/docs/configuration/system/md-console.md
+++ /dev/null
@@ -1,59 +0,0 @@
-(serial-console)=
-
-# Serial Console
-
-For the average user a serial console has no advantage over a console offered
-by a directly attached keyboard and screen. Serial consoles are much slower,
-taking up to a second to fill a 80 column by 24 line screen. Serial consoles
-generally only support non-proportional ASCII text, with limited support for
-languages other than English.
-
-There are some scenarios where serial consoles are useful. System administration
-of remote computers is usually done using {ref}`ssh`, but there are times when
-access to the console is the only way to diagnose and correct software failures.
-Major upgrades to the installed distribution may also require console access.
-
-```{cfgcmd} set system console device \<device\>
-
-Defines the specified device as a system console. Available console devices
-can be (see completion helper):
-* ``ttySN`` - Serial device name
-* ``ttyAMAN``- Serial device name for some arm64 systems
-* ``ttyUSBX`` - USB Serial device name
-* ``hvc0`` - Xen console
-```
-
-```{cfgcmd} set system console device \<device\> kernel
-
-When set, the selected serial console is used as the kernel boot console.
-When removed, the kernel boot console falls back to tty0.
-
-:::{note}
-Only one serial console can carry the ``kernel`` option.
-When VyOS is installed via serial console, this option is set automatically
-for the serial interface used during installation; usually ``ttyS0`` or
-``ttyAMA0``.
-:::
-```
-
-```{cfgcmd} set system console device \<device\> speed \<speed\>
-
-The speed (baudrate) of the console device. Supported values are:
-* ``1200`` - 1200 bps
-* ``2400`` - 2400 bps
-* ``4800`` - 4800 bps
-* ``9600`` - 9600 bps
-* ``19200`` - 19,200 bps
-* ``38400`` - 38,400 bps (default for Xen console)
-* ``57600`` - 57,600 bps
-* ``115200`` - 115,200 bps (default for serial console)
-
-:::{note}
-If you use USB to serial converters for connecting to your VyOS
-appliance please note that most of them use software emulation without flow
-control. This means you should start with a common baud rate (most likely
-9600 baud) as otherwise you probably can not connect to the device using
-high speed baud rates as your serial converter simply can not process this
-data rate.
-:::
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-default-route.md b/docs/configuration/system/md-default-route.md
deleted file mode 100644
index 9f2793d1..00000000
--- a/docs/configuration/system/md-default-route.md
+++ /dev/null
@@ -1,40 +0,0 @@
-(default-gateway)=
-
-# Default Gateway/Route
-
-In the past (VyOS 1.1) used a gateway-address configured under the system tree
-({cfgcmd}`set system gateway-address <address>`), this is no longer supported
-and existing configurations are migrated to the new CLI command.
-
-## Configuration
-
-```{cfgcmd} set protocols static route 0.0.0.0/0 next-hop \<address\>
-
-Specify static route into the routing table sending all non local traffic
-to the nexthop address \<address\>.
-```
-
-```{cfgcmd} delete protocols static route 0.0.0.0/0
-
-Delete default route from the system.
-```
-
-
-## Operation
-
-```{opcmd} show ip route 0.0.0.0
-
-Show routing table entry for the default route.
-
-:::{code-block} none
-vyos@vyos:~$ show ip route 0.0.0.0
-Routing entry for 0.0.0.0/0
-Known via "static", distance 10, metric 0, best
-Last update 09:46:30 ago
-* 172.18.201.254, via eth0.201
-:::
-```
-
-:::{seealso}
-Configuration of {ref}`routing-static`
-:::
diff --git a/docs/configuration/system/md-flow-accounting.md b/docs/configuration/system/md-flow-accounting.md
deleted file mode 100644
index c97d5473..00000000
--- a/docs/configuration/system/md-flow-accounting.md
+++ /dev/null
@@ -1,209 +0,0 @@
-(flow-accounting)=
-
-# Flow Accounting
-
-VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts
-as a flow exporter, and you are free to use it with any compatible collector.
-
-Flows can be exported via protocol NetFlow (versions 5, 9 and
-10/IPFIX). Additionally, you may save flows to an in-memory table
-internally in a router.
-
-:::{warning}
-You need to disable the in-memory table in production environments!
-Using {abbr}`IMT (In-Memory Table)` may lead to heavy CPU overloading and
-unstable flow-accounting behavior.
-:::
-
-## NetFlow / IPFIX
-
-NetFlow is a feature that was introduced on Cisco routers around 1996 that
-provides the ability to collect IP network traffic as it enters or exits an
-interface. By analyzing the data provided by NetFlow, a network administrator
-can determine things such as the source and destination of traffic, class of
-service, and the causes of congestion. A typical flow monitoring setup (using
-NetFlow) consists of three main components:
-
-- **exporter**: aggregates packets into flows and exports flow records towards
- one or more flow collectors
-- **collector**: responsible for reception, storage and pre-processing of flow
- data received from a flow exporter
-- **application**: analyzes received flow data in the context of intrusion
- detection or traffic profiling, for example
-
-For connectionless protocols as like ICMP and UDP, a flow is considered
-complete once no more packets for this flow appear after configurable timeout.
-
-NetFlow is usually enabled on a per-interface basis to limit load on the router
-components involved in NetFlow, or to limit the amount of NetFlow records
-exported.
-
-## Configuration
-
-:::{warning}
-Using NetFlow on routers with high traffic levels may lead to
-high CPU usage and may affect the router's performance. In such cases,
-consider using sFlow instead.
-:::
-
-In order for flow accounting information to be collected and displayed for an
-interface, the interface must be configured for flow accounting.
-
-```{cfgcmd} set system flow-accounting interface \<interface\>
-
-Configure and enable collection of flow information for the interface
-identified by \<interface\>.
-
-You can configure multiple interfaces which would participate in flow
-accounting.
-```
-
-:::{note}
-Will be recorded only packets/flows on **incoming** direction in
-configured interfaces by default.
-:::
-
-By default, recorded flows will be saved internally and can be listed with the
-CLI command. You may disable using the local in-memory table with the command:
-
-```{cfgcmd} set system flow-accounting disable-imt
-
-If you need to sample also egress traffic, you may want to
-configure egress flow-accounting:
-```
-
-```{cfgcmd} set system flow-accounting enable-egress
-
-Internally, in flow-accounting processes exist a buffer for data exchanging
-between core process and plugins (each export target is a separated plugin).
-If you have high traffic levels or noted some problems with missed records
-or stopping exporting, you may try to increase a default buffer size (10
-MiB) with the next command:
-```
-
-```{cfgcmd} set system flow-accounting buffer-size \<buffer size\>
-
-In case, if you need to catch some logs from flow-accounting daemon, you may
-configure logging facility:
-```
-
-```{cfgcmd} set system flow-accounting syslog-facility \<facility\>
-
-Set the syslog facility for flow-accounting log messages. Supported values
-include ``daemon``, ``local0`` through ``local7``, and other standard syslog
-facilities.
-```
-
-
-### Flow Export
-
-In addition to displaying flow accounting information locally, one can also
-exported them to a collection server.
-
-#### NetFlow
-
-```{cfgcmd} set system flow-accounting netflow version \<version\>
-
-There are multiple versions available for the NetFlow data. The \<version\>
-used in the exported flow data can be configured here. The following
-versions are supported:
-* **5** - Most common version, but restricted to IPv4 flows only
-* **9** - NetFlow version 9 (default)
-* **10** - {abbr}`IPFIX (IP Flow Information Export)` as per {rfc}`3917`
-```
-
-```{cfgcmd} set system flow-accounting netflow server \<address\>
-
-Configure address of NetFlow collector. NetFlow server at \<address\> can
-be both listening on an IPv4 or IPv6 address.
-```
-
-```{cfgcmd} set system flow-accounting netflow source-ip \<address\>
-
-IPv4 or IPv6 source address of NetFlow packets
-```
-
-```{cfgcmd} set system flow-accounting netflow engine-id \<id\>
-
-NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255.
-```
-
-```{cfgcmd} set system flow-accounting netflow sampling-rate \<rate\>
-
-Use this command to configure the sampling rate for flow accounting. The
-system samples one in every \<rate\> packets, where \<rate\> is the value
-configured for the sampling-rate option. The advantage of sampling every n
-packets, where n > 1, allows you to decrease the amount of processing
-resources required for flow accounting. The disadvantage of not sampling
-every packet is that the statistics produced are estimates of actual data
-flows.
-
-Per default every packet is sampled (that is, the sampling rate is 1).
-```
-
-```{cfgcmd} set system flow-accounting netflow timeout expiry-interval \<interval\>
-
-Specifies the interval at which Netflow data will be sent to a collector. As
-per default, Netflow data will be sent every 60 seconds.
-
-You may also additionally configure timeouts for different types of
-connections.
-```
-
-```{cfgcmd} set system flow-accounting netflow max-flows \<n\>
-
-If you want to change the maximum number of flows, which are tracking
-simultaneously, you may do this with this command (default 8192).
-```
-
-
-### Example:
-
-NetFlow v5 example:
-
-```none
-set system flow-accounting netflow engine-id 100
-set system flow-accounting netflow version 5
-set system flow-accounting netflow server 192.168.2.10 port 2055
-```
-
-
-## Operation
-
-Once flow accounting is configured on an interfaces it provides the ability to
-display captured network traffic information for all configured interfaces.
-
-```{opcmd} show flow-accounting interface \<interface\>
-
-Show flow accounting information for given \<interface\>.
-
-
-:::{code-block} none
-vyos@vyos:~$ show flow-accounting interface eth0
-IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
----------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- -------
-eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178
-eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144
-eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72
-eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064
-eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154
-eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444
-eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455
-:::
-```
-
-```{opcmd} show flow-accounting interface \<interface\> host \<address\>
-
-Show flow accounting information for given \<interface\> for a specific host
-only.
-
-
-:::{code-block} none
-vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14
-IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
----------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- -------
-eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940
-eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924
-eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877
-:::
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-frr.md b/docs/configuration/system/md-frr.md
deleted file mode 100644
index 1741e286..00000000
--- a/docs/configuration/system/md-frr.md
+++ /dev/null
@@ -1,45 +0,0 @@
-(system-frr)=
-
-# FRR
-
-VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic
-and static routing. The routing daemon behavior can be adjusted during runtime,
-but requires either a restart of the routing daemon, or a reboot of the system.
-
-```{cfgcmd} set system frr bmp
-
-Enable {abbr}`BMP (BGP Monitoring Protocol)` support.
-```
-
-```{cfgcmd} set system frr descriptors \<numer\>
-
-This allows the operator to control the number of open file descriptors
-each daemon is allowed to start with. If the operator plans to run bgp with
-several thousands of peers then this is where we would modify FRR to allow
-this to happen.
-```
-
-```{cfgcmd} set system frr irdp
-
-Enable ICMP Router Discovery Protocol support.
-```
-
-```{cfgcmd} set system frr profile \<traditional | datacenter\>
-
-Select an FRR profile to adapt its default settings. If unset, the
-traditional profile is applied.
-```
-
-```{cfgcmd} set system frr snmp \<daemon\>
-
-Enable SNMP support for an individual routing daemon.
-
-Supported daemons:
-- bgpd
-- isisd
-- ldpd
-- ospf6d
-- ospfd
-- ripd
-- zebra
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-host-name.md b/docs/configuration/system/md-host-name.md
deleted file mode 100644
index 81840d1f..00000000
--- a/docs/configuration/system/md-host-name.md
+++ /dev/null
@@ -1,70 +0,0 @@
-(host-information)=
-
-# Host Information
-
-This section describes the system's host information and how to configure them,
-it covers the following topics:
-
-- Host name
-- Domain
-- IP address
-- Aliases
-
-## Hostname
-
-A hostname is the label (name) assigned to a network device (a host) on a
-network and is used to distinguish one device from another on specific networks
-or over the internet. On the other hand this will be the name which appears on
-the command line prompt.
-
-```{cfgcmd} set system host-name \<hostname\>
-
- The hostname can be up to 63 characters. A hostname
- must start and end with a letter or digit, and have as interior characters
- only letters, digits, or a hyphen.
-
- The default hostname used is `vyos`.
-```
-
-## Domain Name
-
-
-A domain name is the label (name) assigned to a computer network and is thus
-unique. VyOS appends the domain name as a suffix to any unqualified name. For
-example, if you set the domain name `example.com`, and you would ping the
-unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`.
-
-```{cfgcmd} set system domain-name \<domain\>
-
-Configure system domain name. A domain name must start and end with a letter
-or digit, and have as interior characters only letters, digits, or a hyphen.
-```
-
-## Static Hostname Mapping
-
-
-How an IP address is assigned to an interface in {ref}`ethernet-interface`.
-This section shows how to statically map an IP address to a hostname for local
-(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to
-`/etc/hosts` file entries.
-
-
-:::{note}
-Do *not* manually edit `/etc/hosts`. This file will automatically be
-regenerated on boot based on the settings in this section, which means you'll
-lose all your manual edits. Instead, configure static host mappings as follows.
-:::
-
-```{cfgcmd} set system static-host-mapping host-name \<hostname\> inet \<address\>
-
-Create a static hostname mapping which will always resolve the name
-`<hostname>` to IP address `<address>`.
-```
-```{cfgcmd} set system static-host-mapping host-name \<hostname\> alias \<alias\>
-
-Create named `<alias>` for the configured static mapping for `<hostname>`.
-Thus the address configured as {cfgcmd}`set system static-host-mapping
-host-name <hostname> inet <address>` can be reached via multiple names.
-
-Multiple aliases can be specified per host-name.
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-index.md b/docs/configuration/system/md-index.md
deleted file mode 100644
index e0b8a5a1..00000000
--- a/docs/configuration/system/md-index.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# System
-
-```{toctree}
-:includehidden: true
-:maxdepth: 1
-
-acceleration
-conntrack
-console
-flow-accounting
-frr
-host-name
-ip
-ipv6
-lcd
-login
-name-server
-option
-proxy
-sflow
-syslog
-sysctl
-task-scheduler
-time-zone
-updates
-watchdog
-```
-
-```{toctree}
-:includehidden: true
-:maxdepth: 1
-
-default-route
-```
diff --git a/docs/configuration/system/md-ip.md b/docs/configuration/system/md-ip.md
deleted file mode 100644
index 717ee57d..00000000
--- a/docs/configuration/system/md-ip.md
+++ /dev/null
@@ -1,126 +0,0 @@
-# IP
-
-## System configuration commands
-
-```{cfgcmd} set system ip disable-forwarding
-
-Use this command to disable IPv4 forwarding on all interfaces.
-```
-
-```{cfgcmd} set system ip disable-directed-broadcast
-
-Use this command to disable IPv4 directed broadcast forwarding on all
-interfaces.
-
-If set, IPv4 directed broadcast forwarding will be completely disabled
-regardless of whether per-interface directed broadcast forwarding is
-enabled or not.
-```
-
-```{cfgcmd} set system ip arp table-size \<number\>
-
-Use this command to define the maximum number of entries to keep in
-the ARP cache (1024, 2048, 4096, 8192, 16384, 32768).
-```
-
-```{cfgcmd} set system ip multipath layer4-hashing
-
-Use this command to use Layer 4 information for IPv4 ECMP hashing.
-```
-
-```{cfgcmd} set system ip import-table \<table-id\>
-
-Use this command to immport the table, by given table id, into the main RIB.
-```
-
-```{cfgcmd} set system ip import-table \<table-id\> distance \<distance\>
-
-Use this command to override the default distance when importing routers
-from the alternate table.
-```
-
-```{cfgcmd} set system ip import-table \<table-id\> route-map \<route-map\>
-
-Use this command to filter routes that are imported into the main table
-from alternate table using route-map.
-```
-
-
-### Zebra/Kernel route filtering
-
-Zebra supports prefix-lists and Route Maps to match routes received from
-other FRR components. The permit/deny facilities provided by these commands
-can be used to filter which routes zebra will install in the kernel.
-
-```{cfgcmd} set system ip protocol \<protocol\> route-map \<route-map\>
-
-Apply a route-map filter to routes for the specified protocol. The following
-protocols can be used: any, babel, bgp, eigrp, isis, ospf, rip, static
-
-:::{note}
-If you choose any as the option that will cause all protocols that
-are sending routes to zebra.
-:::
-```
-
-
-### Nexthop Tracking
-
-Nexthop tracking resolve nexthops via the default route by default. This is enabled
-by default for a traditional profile of FRR which we use. It and can be disabled if
-you do not want to e.g. allow BGP to peer across the default route.
-
-```{cfgcmd} set system ip nht no-resolve-via-default
-
-Do not allow IPv4 nexthop tracking to resolve via the default route. This
-parameter is configured per-VRF, so the command is also available in the VRF
-subnode.
-```
-
-
-## Operational commands
-
-### show commands
-
-See below the different parameters available for the IPv4 **show** command:
-
-```none
-vyos@vyos:~$ show ip
-Possible completions:
- access-list Show all IP access-lists
- as-path-access-list
- Show all as-path-access-lists
- bgp Show Border Gateway Protocol (BGP) information
- community-list
- Show IP community-lists
- extcommunity-list
- Show extended IP community-lists
- forwarding Show IP forwarding status
- groups Show IP multicast group membership
- igmp Show IGMP (Internet Group Management Protocol) information
- large-community-list
- Show IP large-community-lists
- multicast Show IP multicast
- ospf Show IPv4 Open Shortest Path First (OSPF) routing information
- pim Show PIM (Protocol Independent Multicast) information
- ports Show IP ports in use by various system services
- prefix-list Show all IP prefix-lists
- protocol Show IP route-maps per protocol
- rip Show Routing Information Protocol (RIP) information
- route Show IP routes
-```
-
-
-### reset commands
-
-And the different IPv4 **reset** commands available:
-
-```none
-vyos@vyos:~$ reset ip
-Possible completions:
- arp Reset Address Resolution Protocol (ARP) cache
- bgp Clear Border Gateway Protocol (BGP) statistics or status
- igmp IGMP clear commands
- multicast IP multicast routing table
- route Reset IP route
-```
diff --git a/docs/configuration/system/md-ipv6.md b/docs/configuration/system/md-ipv6.md
deleted file mode 100644
index ee0a6ade..00000000
--- a/docs/configuration/system/md-ipv6.md
+++ /dev/null
@@ -1,193 +0,0 @@
-# IPv6
-
-## System configuration commands
-
-```{cfgcmd} set system ipv6 disable-forwarding
-
- Use this command to disable IPv6 forwarding on all interfaces.
-```
-
-
-```{cfgcmd} set system ipv6 neighbor table-size \<number\>
-
-Use this command to define the maximum number of entries to keep in
-the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768).
-```
-
-
-```{cfgcmd} set system ipv6 strict-dad
-
-Use this command to disable IPv6 operation on interface when
-Duplicate Address Detection fails on Link-Local address.
-```
-
-
-```{cfgcmd} set system ipv6 multipath layer4-hashing
-
-Use this command to user Layer 4 information for ECMP hashing.
-```
-
-### Zebra/Kernel route filtering
-
-
-Zebra supports prefix-lists and Route Maps to match routes received from
-other FRR components. The permit/deny facilities provided by these commands
-can be used to filter which routes zebra will install in the kernel.
-
-```{cfgcmd} set system ipv6 protocol \<protocol\> route-map \<route-map\>
-
-Apply a route-map filter to routes for the specified protocol. The following
-protocols can be used: any, babel, bgp, isis, ospfv3, ripng, static
-
-:::{note}
-If you choose any as the option that will cause all protocols that
-are sending routes to zebra.
-:::
-```
-
-### Nexthop Tracking
-
-
-Nexthop tracking resolve nexthops via the default route by default. This is enabled
-by default for a traditional profile of FRR which we use. It and can be disabled if
-you do not want to e.g. allow BGP to peer across the default route.
-
-```{cfgcmd} set system ipv6 nht no-resolve-via-default
-
-Do not allow IPv6 nexthop tracking to resolve via the default route. This
-parameter is configured per-VRF, so the command is also available in the VRF
-subnode.
-```
-
-## Operational commands
-
-
-### Show commands
-
-```{opcmd} show ipv6 neighbors
-
-Use this command to show IPv6 Neighbor Discovery Protocol information.
-```
-
-
-```{opcmd} show ipv6 groups
-
-Use this command to show IPv6 multicast group membership.
-```
-
-
-```{opcmd} show ipv6 forwarding
-
-Use this command to show IPv6 forwarding status.
-```
-
-
-```{opcmd} show ipv6 route
-
-Use this command to show IPv6 routes.
-
-Check the many parameters available for the show ipv6 route command:
-
-:::{code-block} none
-vyos@vyos:~$ show ipv6 route
-Possible completions:
- <Enter> Execute the current command
- <X:X::X:X> Show IPv6 routes of given address or prefix
- <X:X::X:X/M>
- bgp Show IPv6 BGP routes
- cache Show kernel IPv6 route cache
- connected Show IPv6 connected routes
- forward Show kernel IPv6 route table
- isis Show IPv6 ISIS routes
- kernel Show IPv6 kernel routes
- ospfv3 Show IPv6 OSPF6 routes
- ripng Show IPv6 RIPNG routes
- static Show IPv6 static routes
- summary Show IPv6 routes summary
- table Show IP routes in policy table
- tag Show only routes with tag
- vrf Show IPv6 routes in VRF
-:::
-```
-```{opcmd} show ipv6 prefix-list
-
- Use this command to show all IPv6 prefix lists
-
- There are different parameters for getting prefix-list information:
-
- :::{code-block} none
- vyos@vyos:~$ show ipv6 prefix-list
- Possible completions:
- <Enter> Execute the current command
- <WORD> Show specified IPv6 prefix-list
- detail Show detail of IPv6 prefix-lists
- summary Show summary of IPv6 prefix-lists
- :::
-```
-
-
-```{opcmd} show ipv6 access-list
-
-Use this command to show all IPv6 access lists
-
-You can also specify which IPv6 access-list should be shown:
-
-:::{code-block} none
-vyos@vyos:~$ show ipv6 access-list
-Possible completions:
- <Enter> Execute the current command
- <text> Show specified IPv6 access-list
-:::
-```
-```{opcmd} show ipv6 ospfv3
-
- Use this command to get information about OSPFv3.
-
- You can get more specific OSPFv3 information by using the parameters
- shown below:
-
- :::{code-block} none
- vyos@vyos:~$ show ipv6 ospfv3
- Possible completions:
- <Enter> Execute the current command
- area Show OSPFv3 spf-tree information
- border-routers
- Show OSPFv3 border-router (ABR and ASBR) information
- database Show OSPFv3 Link state database information
- interface Show OSPFv3 interface information
- linkstate Show OSPFv3 linkstate routing information
- neighbor Show OSPFv3 neighbor information
- redistribute Show OSPFv3 redistribute External information
- route Show OSPFv3 routing table information
- :::
-```
-
-
-```{opcmd} show ipv6 ripng
-
-Use this command to get information about the RIPNG protocol
-```
-
-
-```{opcmd} show ipv6 ripng status
-
-Use this command to show the status of the RIPNG protocol
-```
-
-### Reset commands
-
-```{opcmd} reset bgp ipv6 \<address\>
-
-Use this command to clear Border Gateway Protocol statistics or
-status.
-```
-```{opcmd} reset ipv6 neighbors \<address | interface\>
-
-Use this command to reset IPv6 Neighbor Discovery Protocol cache for
-an address or interface.
-```
-```{opcmd} reset ipv6 route cache
-
-Use this command to flush the kernel IPv6 route cache.
-An address can be added to flush it only for that route.
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-lcd.md b/docs/configuration/system/md-lcd.md
deleted file mode 100644
index ef9031ea..00000000
--- a/docs/configuration/system/md-lcd.md
+++ /dev/null
@@ -1,41 +0,0 @@
-(system-display)=
-
-# System Display (LCD)
-
-The system LCD {abbr}`LCD (Liquid-crystal display)` option is for users running
-VyOS on hardware that features an LCD display. This is typically a small display
-built in an 19 inch rack-mountable appliance. Those displays are used to show
-runtime data.
-
-To configure your LCD display you must first identify the used hardware, and
-connectivity of the display to your system. This can be any serial port
-(`ttySxx`) or serial via USB or even old parallel port interfaces.
-
-## Configuration
-
-```{cfgcmd} set system lcd device \<device\>
-
-This is the name of the physical interface used to connect to your LCD
-display. Tab completion is supported and it will list you all available
-serial interface.
-
-For serial via USB port information please refer to the USB hardware section.
-```
-
-```{cfgcmd} set system lcd model \<model\>
-
-This is the LCD model used in your system.
-
-At the time of this writing the following displays are supported:
-* Crystalfontz CFA-533
-* Crystalfontz CFA-631
-* Crystalfontz CFA-633
-* Crystalfontz CFA-635
-
-:::{note}
-We can't support all displays from the beginning. If your display
-type is missing, please create a feature request via
-Phabricator.
-:::
-```
-
diff --git a/docs/configuration/system/md-login.md b/docs/configuration/system/md-login.md
deleted file mode 100644
index 288d30a8..00000000
--- a/docs/configuration/system/md-login.md
+++ /dev/null
@@ -1,604 +0,0 @@
----
-lastproofread: '2026-01-12'
----
-
-(user-management)=
-
-# Login/user management
-
-The default VyOS user account (`vyos`), as well as newly created user accounts,
-possess full system configuration privileges. These accounts are granted sudo
-privileges, allowing them to execute commands as the root user.
-
-VyOS supports both local authentication and remote authentication via
-{abbr}`RADIUS (Remote Authentication Dial-In User Service)`/ {abbr}`TACACS+
-(Terminal Access Controller Access-Control System)`.
-
-## Local authentication
-
-```{cfgcmd} set system login user \<name\> full-name "\<string\>"
-
-**Configure the real name or description for a system user.**
-
-If the description includes spaces, enclose ``<string>`` in double quotes.
-
-If the user ``<name>`` already exists, the command updates the current
-description. If not, it creates a new user with the specified description.
-```
-
-```{cfgcmd} set system login user \<name\> authentication plaintext-password \<password\>
-
-**Configure a password for a system user.**
-
-Enter the password in plaintext. Upon ``commit``, VyOS hashes the password for
-secure storage and removes the plaintext value.
-
-If the user ``<name>`` already exists, the command updates the current password.
-If not, it creates a new user with the specified plaintext password.
-```
-
-```{cfgcmd} set system login user \<name\> authentication encrypted-password \<password\>
-
-**Configure a pre-encrypted password for a system user.**
-
-Enter the password in its hashed format. Upon ``commit``, VyOS stores this value
-directly without modification.
-
-If the user ``<name>`` already exists, the command updates the current password.
-If not, it creates a new user with the specified pre-encrypted password.
-```
-
-```{cfgcmd} set system login user \<name\> authentication principal \<principal\>
-
-**Configure an SSH certificate principal for a system user.**
-
-Enter the principal (a string included in the user's signed SSH certificate).
-Upon ``commit``, VyOS stores this mapping, allowing the user to log in if the
-certificate they present contains this principal.
-
-If the user ``<name>`` already exists, the command updates the principal. If not,
-it creates a new user linked to the specified principal.
-
-**If not configured**, the principal defaults to ``<name>``.
-```
-
-```{cfgcmd} set system login user \<name\> disable
-
-**Disable a system user account.**
-
-VyOS locks the account, preventing the user from logging in.
-```
-
-(ssh_key_based_authentication)=
-
-## Key-based authentication
-
-Key-based authentication is the recommended method for securing SSH access in
-VyOS. It uses a **public/private key pair** to verify user identity without
-requiring a password. To authorize access, you assign **SSH public keys** to
-user accounts on the router, while SSH private keys remain on local devices.
-VyOS allows assigning multiple SSH public keys to a single user account, which
-is useful for accessing a router from different devices.
-
-### Generate the key pair
-
-Generate an SSH key pair on your **local machine** using the `ssh-keygen`
-command. This creates two files:
-- **Private key** (e.g., `id_rsa`): Remains on your local machine and must
- never be shared.
-- **Public key** (e.g., `id_rsa.pub`): Is used to configure the VyOS user
- account. By default, it is saved to `~/.ssh/id_rsa.pub`.
-
-Each SSH public key consists of three parts, separated by spaces:
-- **Encryption algorithm type:** `ssh-rsa`, `ssh-ed25519`, etc.
-- **Key:** The actual data (a long string beginning with `AAAA...`).
-- **Comment:** An identifier for your reference (e.g., `user@host`).
-
-Only the encryption algorithm type and key parts are required to
-configure the authorization entry in VyOS. The comment part is optional.
-
-:::{seealso}
-{ref}`SSH operation <ssh_operation>`
-:::
-
-:::{warning}
-SSH key strings are long. When copying and pasting, ensure your
-terminal does not insert line breaks. The key must be entered as a **single
-line** to function correctly.
-:::
-
-### Configure the router
-
-To configure SSH public key authentication for a user account, run the
-following two commands using the same `<identifier>`:
-
-```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> key \<key\>
-
-**Configure the SSH public key for the user account.**
-* ``<identifier>``: A unique label that identifies this specific key entry.
-* ``<key>``: The actual string of characters from your public key.
-```
-
-```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> type \<type\>
-
-**Configure the SSH key's encryption type.**
-
-The following encryption algorithm types are available:
-
-* ``ecdsa-sha2-nistp256``
-* ``ecdsa-sha2-nistp384``
-* ``ecdsa-sha2-nistp521``
-* ``ssh-dss``
-* ``ssh-ed25519``
-* ``ssh-rsa``
-
-:::{note}
-To assign multiple SSH public keys to a user account, repeat the
-commands above with a unique identifier for each key.
-:::
-```
-
-```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> options \<options\>
-
-**Configure specific restrictions or behaviors for an SSH public key.**
-
-``<options>``: A string of comma-separated values that define permissions
-or restrictions for this key.
-
-The command accepts standard OpenSSH options listed in the router's
-``~/.ssh/authorized_keys`` file.
-
-To include a ``"`` character in the options string, use ``&quot;``.
-
-For example, to restrict allowed source IP addresses for an SSH public key,
-use: ``from=&quot;10.0.0.0/24&quot;``.
-```
-
-
-## OTP-based MFA
-
-VyOS lets you enhance user access security by enabling {abbr}`OTP (One-time
-password)`-based {abbr}`MFA (Multi-factor Authentication)` for individual
-users. Users with {abbr}`OTP (One-time password)`-based {abbr}`MFA
-(Multi-factor Authentication)` must enter a valid {abbr}`OTP (One-time
-password)` along with their password at login. Users without {abbr}`OTP
-(One-time password)`-based {abbr}`MFA (Multi-factor Authentication)` use
-standard authentication.
-
-```{cfgcmd} set system login user \<username\> authentication otp key \<key\>
-
-**Configure** {abbr}`OTP (One-time password)`**-based** {abbr}`MFA
-(Multi-factor Authentication)` **for a user.**
-
-``<key>``: A Base32-encoded secret key. This key must be added to the user's
-authenticator app to generate valid {abbr}`OTPs (One-time passwords)`.
-
-**When configured**, the user is required to enter their password followed by
-a valid OTP for all subsequent logins.
-```
-
-
-### OTP settings
-
-```{cfgcmd} set system login user \<username\> authentication otp rate-limit \<limit\>
-
-**Configure the number of** {abbr}`OTP (One-time password)` **authentication
-attempts allowed within a specified time period.**
-
-If this limit is exceeded, the user is temporarily blocked.
-
-The default value is 3 attempts. The valid range is 1 to 10 attempts.
-```
-
-```{cfgcmd} set system login user \<username\> authentication otp rate-time \<seconds\>
-
-**Configure the time period, in seconds, for tracking** {abbr}`OTP (One-time
-password)` **authentication attempts.**
-
-The default value is 30 seconds. The valid range is 1 to 600 seconds.
-```
-
-```{cfgcmd} set system login user \<username\> authentication otp window-size \<size\>
-
-**Configure the** {abbr}`OTP (One-time password)` **window size for a user.**
-
-The {abbr}`OTP (One-time password)` window size defines the number of
-concurrently valid {abbr}`OTPs (One-time passwords)` that the authentication
-server accepts. This setting assumes a new token is generated every 30 seconds.
-
-The default value is 3. This permits 3 concurrent codes: the code for the
-current 30-second interval, the preceding code, and the following code. This
-allows up to 30 seconds of time skew between the authentication server and
-client.
-
-If the window size is increased to 17, the system permits 17 concurrent codes
-(the current code, the 8 preceding codes, and the 8 following codes). This
-allows for a time skew of up to 4 minutes.
-
-The valid range is 1 to 21.
-```
-
-
-### Generate an OTP-key
-
-Use the following command to generate an OTP key:
-
-```{cfgcmd} generate system login username \<username\> otp-key hotp-time rate-limit \<1-10\> rate-time \<15-600\> window-size \<1-21\>
-```
-
-Key generation example:
-
-```none
-vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5
-# You can share it with the user, he just needs to scan the QR in his OTP app
-# username: otptester
-# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
-# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
-█████████████████████████████████████████████
-█████████████████████████████████████████████
-████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
-████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
-████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
-████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
-████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
-████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
-█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
-████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
-████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
-████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
-████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
-████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
-████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
-████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
-████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
-████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
-████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
-████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
-████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
-█████████████████████████████████████████████
-█████████████████████████████████████████████
-# To add this OTP key to configuration, run the following commands:
-set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
-set system login user otptester authentication otp rate-limit '2'
-set system login user otptester authentication otp rate-time '20'
-set system login user otptester authentication otp window-size '5'
-```
-
-### Display the OTP key for a user
-
-Use the following command to display the {abbr}`OTP (One-time password)`
-key for a user:
-
-```{cfgcmd} sh system login authentication user \<username\> otp \<full | key-b32 | qrcode | uri\>
-```
-
-Example:
-
-```none
-vyos@vyos:~$ sh system login authentication user otptester otp full
-# You can share the OTP key with the user. They just need to scan the QR in their OTP app.
-# username: otptester
-# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
-# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
-█████████████████████████████████████████████
-█████████████████████████████████████████████
-████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
-████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
-████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
-████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
-████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
-████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
-█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
-████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
-████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
-████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
-████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
-████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
-████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
-████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
-████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
-████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
-████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
-████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
-████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
-█████████████████████████████████████████████
-█████████████████████████████████████████████
-# To add this OTP key to configuration, run the following commands:
-set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
-set system login user otptester authentication otp rate-limit '2'
-set system login user otptester authentication otp rate-time '20'
-set system login user otptester authentication otp window-size '5'
-```
-
-Once {abbr}`OTP (One-time password)`-based {abbr}`MFA (Multi-factor
-Authentication)` is configured for a user account, this user must enter their
-standard password followed by the current 6-digit OTP code at login. For
-example, if the user's password is `vyosrocks` and the OTP is `817454`, they
-should enter `vyosrocks817454`.
-
-## RADIUS authentication
-
-For large-scale deployments, managing individual user accounts across multiple
-VyOS instances is inefficient. VyOS supports centralized authentication via
-{abbr}`RADIUS (Remote Authentication Dial-In User Service)`, consolidating user
-account management on a single backend server.
-
-### Configuration
-
-```{cfgcmd} set system login radius server \<address\> key \<secret\>
-
-**Configure the** {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
-**server's IP address and shared secret.**
-
-The shared secret is used to verify the router's identity and to encrypt user
-passwords during authentication.
-
-You can configure multiple {abbr}`RADIUS (Remote Authentication Dial-In User
-Service)` servers.
-```
-
-```{cfgcmd} set system login radius server \<address\> port \<port\>
-
-**Configure the UDP port for communication with the** {abbr}`RADIUS (Remote
-Authentication Dial-In User Service)` **server.**
-
-The default port is 1812.
-```
-
-```{cfgcmd} set system login radius server \<address\> disable
-
-**Disable a** {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
-**server from the authentication process.**
-
-Disabling a specific {abbr}`RADIUS (Remote Authentication Dial-In User
-Service)` server doesn’t remove its configuration settings (the server’s IP
-address and shared secret).
-```
-
-```{cfgcmd} set system login radius server \<address\> timeout \<timeout\>
-
-Configure the duration, in seconds, that the VyOS router waits for a
-response from the {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
-server after sending an authentication request.
-
-If the server does not respond within this timeframe, the VyOS router tries to
-connect to another configured server or falls back to local authentication.
-```
-
-```{cfgcmd} set system login radius source-address \<address\>
-
-**Configure the source IP address the router uses for** {abbr}`RADIUS (Remote
-Authentication Dial-In User Service)` **authentication requests.**
-
-A consistent source IP address is recommended as RADIUS servers typically
-accept requests only from known, trusted IP addresses.
-
-If not explicitly defined, the router uses the current egress interface
-address, which may change (e.g., due to a link outage), causing authentication
-failures.
-```
-
-```{cfgcmd} set system login radius vrf \<name\>
-
-**Configure the router to send all** {abbr}`RADIUS (Remote Authentication
-Dial-In User Service)` **authentication requests via a specific VRF.**
-
-By default, {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
-authentication requests are sent via the global routing table.
-```
-
-### Configuration example
-
-```none
-set system login radius server 192.168.0.2 key 'test-vyos'
-set system login radius server 192.168.0.2 port '1812'
-set system login radius server 192.168.0.2 timeout '5'
-set system login radius source-address '192.168.0.1'
-```
-
-If communication with the {abbr}`RADIUS (Remote Authentication Dial-In User
-Service)` server fails, the router falls back to local user authentication.
-During this process, users may experience a login delay while the system waits
-for the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` request to
-time out. This delay depends on the configured timeout value.
-
-:::{hint}
-To grant administrative privileges to {abbr}`RADIUS (Remote
-Authentication Dial-In User Service)`-authenticated users, the server must
-return the Cisco-AV-Pair attribute set to `shell:priv-lvl=15`. Otherwise, users
-receive standard privileges and cannot perform configuration tasks.
-:::
-
-## TACACS+ authentication
-
-In addition to {abbr}`RADIUS (Remote Authentication Dial-In User Service)`,
-VyOS supports {abbr}`TACACS+ (Terminal Access Controller Access Control
-System)`, which is commonly used in large enterprise environments.
-
-Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`,
-{abbr}`TACACS+ (Terminal Access Controller Access Control System)` separates
-Authentication, Authorization, and Accounting (AAA) into independent processes
-and encrypts the entire packet body for enhanced security.
-
-{abbr}`TACACS+ (Terminal Access Controller Access Control System)` is defined
-in {rfc}`8907`.
-(tacacs-configuration)=
-
-### Configuration
-
-```{cfgcmd} set system login tacacs server \<address\> key \<secret\>
-
-**Configure the** {abbr}`TACACS+ (Terminal Access Controller Access Control
-System)` **server IP address and shared secret.**
-
-Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, which
-encrypts only passwords, {abbr}`TACACS+ (Terminal Access Controller Access
-Control System)` encrypts the entire packet body for enhanced security.
-
-You can configure multiple {abbr}`TACACS+ (Terminal Access Controller Access
-Control System)` servers.
-```
-
-```{cfgcmd} set system login tacacs server \<address\> port \<port\>
-
-**Configure the TCP port for communication with the** {abbr}`TACACS+ (Terminal
-Access Controller Access Control System)` **server.**
-
-The default port is 49.
-```
-
-```{cfgcmd} set system login tacacs server \<address\> disable
-
-**Disable a** {abbr}`TACACS+ (Terminal Access Controller Access Control
-System)` **server from the authentication process.**
-
-Disabling a specific {abbr}`TACACS+ (Terminal Access Controller Access Control
-System)` server doesn’t remove its configuration settings (the server’s IP
-address and shared secret).
-```
-
-```{cfgcmd} set system login tacacs server \<address\> timeout \<timeout\>
-
-Configure the duration, in seconds, that the VyOS router waits for a
-response from the {abbr}`TACACS+ (Terminal Access Controller Access
-Control System)` server after sending an authentication request.
-
-If the server does not respond within this timeframe, the VyOS router tries
-to connect to another configured server or falls back to local authentication.
-```
-
-```{cfgcmd} set system login tacacs source-address \<address\>
-
-**Configure the source IP address the router uses for**
-{abbr}`TACACS+ (Terminal Access Controller Access Control System)`
-**authentication requests.**
-
-A consistent source IP address is recommended as {abbr}`TACACS+ (Terminal
-Access Controller Access Control System)` servers typically accept requests
-only from known, trusted IP addresses.
-
-If not explicitly defined, the router uses the current egress interface address,
-which may change (e.g., due to a link outage), causing authentication failures.
-```
-
-```{cfgcmd} set system login tacacs vrf \<name\>
-
-Configure the router to send all {abbr}`TACACS+ (Terminal Access Controller
-Access Control System)` authentication requests via a specific VRF.
-
-By default, {abbr}`TACACS+ (Terminal Access Controller Access Control System)`
-authentication requests are sent via the global routing table.
-```
-
-(login-tacacs-example)=
-
-### Configuration example
-
-```none
-set system login tacacs server 192.168.0.2 key 'test-vyos'
-set system login tacacs server 192.168.0.2 port '49'
-set system login tacacs source-address '192.168.0.1'
-```
-
-If communication with the {abbr}`TACACS+ (Terminal Access Controller Access
-Control System)` server fails, the router falls back to local user
-authentication.
-
-## Login banners
-
-VyOS allows you to configure **pre-login** and **post-login** banners.
-Pre-login banners are typically used for system identification, legal disclaimers, or security warnings
-displayed before authentication, while post-login banners provide system
-information or operational notices to users after login.
-
-```{cfgcmd} set system login banner pre-login \<message\>
-
-Configure a message to be shown to users before the ``username`` and ``password``
-prompts appear.
-```
-
-```{cfgcmd} set system login banner post-login \<message\>
-
-Configure a message to be shown to users after successful authentication.
-```
-:::{note}
-Use `\\n` to insert line breaks in multi-line banner messages.
-:::
-
-## Login session limits
-
-```{cfgcmd} set system login max-login-session \<number\>
-
-**Configure the maximum number of concurrent login sessions.**
-```
-:::{note}
-If you limit concurrent login sessions, you must also configure a
-session `<timeout>`. This clears inactive sessions and prevents blocking new
-login attempts.
-:::
-```{cfgcmd} set system login timeout \<timeout\>
-
-**Configure the login session timeout, in seconds.**
-
-Idle login sessions are terminated after this period.
-```
-
-## Configuration examples
-
-Example 1: Multi-key SSH with MFA and source restrictions
-
-In this configuration, `User1` and `User2` both use the vyos user account,
-each with a unique SSH key. `User1` is restricted to authentication from a
-single IP address.
-
-For both users, password-based logins require {abbr}`OTP (One-time password)`
--based {abbr}`MFA (Multi-factor Authentication)`.
-
-```none
-set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
-set system login user vyos authentication public-keys 'User1' type ssh-rsa
-set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
-
-set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
-set system login user vyos authentication public-keys 'User2' type ssh-rsa
-
-set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
-set system login user vyos authentication plaintext-password vyos
-```
-
-Example 2: Containerized {abbr}`TACACS+ (Terminal Access Controller Access Control System)`
-deployment with redundancy.
-
-In this configuration, the VyOS router hosts its own authentication
-infrastructure using two containerized {abbr}`TACACS+ (Terminal Access
-Controller Access Control System)` servers (`tacacs1` and `tacacs2`) on a
-private network for redundancy.
-
-System logins are authenticated against credentials stored within these internal
-containers rather than the router's local user database.
-
-First, download the image in operational mode:
-
-```none
-add container image lfkeitel/tacacs_plus:latest
-```
-
-Next, configure the containers in configuration mode:
-
-```none
-set container network tac-test prefix '100.64.0.0/24'
-
-set container name tacacs1 image 'lfkeitel/tacacs_plus:latest'
-set container name tacacs1 network tac-test address '100.64.0.11'
-
-set container name tacacs2 image 'lfkeitel/tacacs_plus:latest'
-set container name tacacs2 network tac-test address '100.64.0.12'
-
-set system login tacacs server 100.64.0.11 key 'tac_plus_key'
-set system login tacacs server 100.64.0.12 key 'tac_plus_key'
-
-commit
-```
-
-You can now log in via SSH or console using `admin/admin` credentials supplied
-by the container image.
diff --git a/docs/configuration/system/md-name-server.md b/docs/configuration/system/md-name-server.md
deleted file mode 100644
index 9090ba5f..00000000
--- a/docs/configuration/system/md-name-server.md
+++ /dev/null
@@ -1,65 +0,0 @@
-(system-dns)=
-
-# System DNS
-
-:::{warning}
-If you are configuring a VRF for management purposes, there is
-currently no way to force system DNS traffic via a specific VRF.
-:::
-
-This section describes configuring DNS on the system, namely:
-
-> - DNS name servers
-> - Domain search order
-
-## DNS name servers
-
-```{cfgcmd} set system name-server \<address\>
-
-Use this command to specify a DNS server for the system to be used
-for DNS lookups. More than one DNS server can be added, configuring
-one at a time. Both IPv4 and IPv6 addresses are supported.
-```
-
-
-### Example
-
-In this example, some *OpenNIC* servers are used, two IPv4 addresses
-and two IPv6 addresses:
-
-```none
-set system name-server 176.9.37.132
-set system name-server 195.10.195.195
-set system name-server 2a01:4f8:161:3441::1
-set system name-server 2a00:f826:8:2::195
-```
-
-
-## Domain search order
-
-In order for the system to use and complete unqualified host names, a
-list can be defined which will be used for domain searches.
-
-```{cfgcmd} set system domain-search \<domain\>
-
-Use this command to define domains, one at a time, so that the system
-uses them to complete unqualified host names. Maximum: 6 entries.
-```
-
-:::{note}
-Domain names can include letters, numbers, hyphens and periods
-with a maximum length of 253 characters.
-:::
-
-(name-server-domain-search-order-example)=
-
-### Example
-
-The system is configured to attempt domain completion in the following
-order: vyos.io (first), vyos.net (second) and vyos.network (last):
-
-```none
-set system domain-search vyos.io
-set system domain-search vyos.net
-set system domain-search vyos.network
-```
diff --git a/docs/configuration/system/md-option.md b/docs/configuration/system/md-option.md
deleted file mode 100644
index c7a6ccf2..00000000
--- a/docs/configuration/system/md-option.md
+++ /dev/null
@@ -1,190 +0,0 @@
-(system-option)=
-
-# Option
-
-This chapter describe the possibilities of advanced system behavior.
-
-## General
-
-```{cfgcmd} set system option ctrl-alt-delete \<ignore | reboot | poweroff\>
-
-Action which will be run once the ctrl-alt-del keystroke is received.
-```
-
-```{cfgcmd} set system option reboot-on-panic
-
-Automatically reboot system on kernel panic after 60 seconds.
-```
-
-```{cfgcmd} set system option reboot-on-upgrade-failure \<timeout\>
-
-Automatically reboot after `timeout` minutes into the previous running
-image, that was used to perform the image upgrade.
-
-Reboot `timeout` is configurable in minutes. This gives the user the change
-to log into the system and perform some analysis before automatic rebooting.
-
-Automatic reboot can be cancelled after login using: {opcmd}`reboot cancel`
-```
-
-```{cfgcmd} set system option startup-beep
-
-Play an audible beep to the system speaker when system is ready.
-```
-
-```{cfgcmd} set system option root-partition-auto-resize
-
-Enables the root partition auto-extension and resizes to the maximum
-available space on system boot.
-```
-
-
-### Kernel
-
-```{cfgcmd} set system option kernel disable-mitigations
-
-Disable all optional CPU mitigations. This improves system performance,
-but it may also expose users to several CPU vulnerabilities.
-
-This will add the following option to the Kernel commandline:
-* ``mitigations=off``
-
-:::{note}
-Setting will only become active with the next reboot!
-:::
-```
-
-```{cfgcmd} set system option kernel disable-power-saving
-
-This will add the following two options to the Kernel commandline:
-* ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle
-* ``processor.max_cstate=1`` Limit processor to maximum C-state 1
-
-:::{note}
-Setting will only become active with the next reboot!
-:::
-```
-
-```{cfgcmd} set system option kernel amd-pstate-driver \<mode\>
-
-Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs.
-
-The available modes are:
-* ``active`` This is the low-level firmware control mode based on the profile
-set and the system governor has no effect.
-* ``passive`` The driver allows the system governor to manage CPU frequency
-while providing available performance states.
-* ``guided`` The driver allows to set desired performance levels and the firmware
-selects a performance level in this range and fitting to the current workload.
-
-This will add the following two options to the Kernel commandline:
-* ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale
-* ``amd_pstate={mode}`` Sets the p-state mode
-
-:::{note}
-Setting will only become active with the next reboot!
-:::
-
-:::{seealso}
-<https://docs.kernel.org/admin-guide/pm/amd-pstate.html>
-:::
-```
-
-```{cfgcmd} set system option kernel quiet
-
-Suppress most kernel messages during boot. This is useful for systems with
-embedded serial console interfaces to speed up the boot process.
-```
-
-
-## HTTP client
-
-```{cfgcmd} set system option http-client source-address \<address\>
-
-Several commands utilize cURL to initiate transfers. Configure the local
-source IPv4/IPv6 address used for all cURL operations.
-```
-
-```{cfgcmd} set system option http-client source-interface \<interface\>
-
-Several commands utilize curl to initiate transfers. Configure the local
-source interface used for all CURL operations.
-```
-
-:::{note}
-`source-address` and `source-interface` can not be used at the same
-time.
-:::
-
-## SSH client
-
-```{cfgcmd} set system option ssh-client source-address \<address\>
-
-Use the specified address on the local machine as the source address of the
-connection. Only useful on systems with more than one address.
-```
-
-```{cfgcmd} set system option ssh-client source-interface \<interface\>
-
-Use the address of the specified interface on the local machine as the
-source address of the connection.
-```
-
-
-## Keyboard Layout
-
-When starting a VyOS live system (the installation CD) the configured keyboard
-layout defaults to US. As this might not suite everyone's use case you can adjust
-the used keyboard layout on the system console.
-
-```{cfgcmd} set system option keyboard-layout \<us | fr | de | fi | no | dk\>
-
-Change system keyboard layout to given language.
-
-Defaults to ``us``.
-
-:::{note}
-Changing the keymap only has an effect on the system console, using
-SSH or Serial remote access to the device is not affected as the keyboard
-layout here corresponds to your access system.
-:::
-```
-
-(system-options-performance)=
-
-## Performance
-
-As more and more routers run on Hypervisors, expecially with a {abbr}`NOS
-(Network Operating System)` as VyOS, it makes fewer and fewer sense to use
-static resource bindings like `smp-affinity` as present in VyOS 1.2 and
-earlier to pin certain interrupt handlers to specific CPUs.
-
-We now utilize `tuned` for dynamic resource balancing based on profiles.
-
-:::{seealso}
-<https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf>
-:::
-
-```{cfgcmd} set system option performance \< throughput | latency \>
-
-Configure one of the predefined system performance profiles.
-
-* ``throughput``: A server profile focused on improving network throughput.
- This profile favors performance over power savings by setting
- ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network
- buffer sizes.
-
- It enables transparent huge pages, and uses cpupower to set the performance
- cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us,
- ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to
- 40%.
-
-* ``latency``: A server profile focused on lowering network latency.
- This profile favors performance over power savings by setting
- ``intel_pstate`` and ``min_perf_pct=100``.
-
- It disables transparent huge pages, and automatic NUMA balancing. It also
- uses cpupower to set the performance cpufreq governor, and requests a
- cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to
- 50 us, and tcp_fastopen to 3.
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-proxy.md b/docs/configuration/system/md-proxy.md
deleted file mode 100644
index 286e835f..00000000
--- a/docs/configuration/system/md-proxy.md
+++ /dev/null
@@ -1,27 +0,0 @@
-(system-proxy)=
-
-# System Proxy
-
-Some IT environments require the use of a proxy to connect to the Internet.
-Without this configuration VyOS updates could not be installed directly by
-using the {opcmd}`add system image` command ({ref}`update_vyos`).
-
-```{cfgcmd} set system proxy url \<url\>
-
-Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and
-FTP (anonymous ftp).
-```
-```{cfgcmd} set system proxy port \<port\>
-
-Configure proxy port if it does not listen to the default port 80.
-```
-```{cfgcmd} set system proxy username \<username\>
-
-Some proxys require/support the "basic" HTTP authentication scheme as per
-{rfc}`7617`, thus a username can be configured.
-```
-```{cfgcmd} set system proxy password \<password\>
-
-Some proxys require/support the "basic" HTTP authentication scheme as per
-{rfc}`7617`, thus a password can be configured.
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-sflow.md b/docs/configuration/system/md-sflow.md
deleted file mode 100644
index 350bbdd8..00000000
--- a/docs/configuration/system/md-sflow.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# sFlow
-
-VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector.
-
-sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device.
-
-The sFlow accounting based on hsflowd <https://sflow.net/>
-
-## Configuration
-
-```{cfgcmd} set system sflow agent-address \<address\>
-
-Configure sFlow agent IPv4 or IPv6 address
-```
-```{cfgcmd} set system sflow agent-interface \<interface\>
-
-Configure agent IP address associated with this interface.
-```
-```{cfgcmd} set system sflow drop-monitor-limit \<limit\>
-
- Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets
-```
-
-
-```{cfgcmd} set system sflow interface \<interface\>
-
-Configure and enable collection of flow information for the interface identified by \<interface\>.
-
-You can configure multiple interfaces which would participate in sflow accounting.
-```
-```{cfgcmd} set system sflow polling \<sec\>
-
- Configure schedule counter-polling in seconds (default: 30)
-```
-
-
-```{cfgcmd} set system sflow sampling-rate \<rate\>
-
-Use this command to configure the sampling rate for sFlow accounting (default: 1000)
-```
-
-
-```{cfgcmd} set system sflow server \<address\> port \<port\>
-
-Configure address of sFlow collector. sFlow server at \<address\> can be both listening on an IPv4 or IPv6 address.
-```
-
-
-```{cfgcmd} set system sflow enable-egress
-
-Use this command to if you need to sample also egress traffic
-```
-
-## Example
-
-```none
-set system sflow agent-address '192.0.2.14'
-set system sflow agent-interface 'eth0'
-set system sflow drop-monitor-limit '50'
-set system sflow interface 'eth0'
-set system sflow interface 'eth1'
-set system sflow polling '30'
-set system sflow sampling-rate '1000'
-set system sflow server 192.0.2.1 port '6343'
-set system sflow server 203.0.113.23 port '6343'
-```
diff --git a/docs/configuration/system/md-sysctl.md b/docs/configuration/system/md-sysctl.md
deleted file mode 100644
index 90434fb2..00000000
--- a/docs/configuration/system/md-sysctl.md
+++ /dev/null
@@ -1,16 +0,0 @@
-(sysctl)=
-
-# Sysctl
-
-:::{note}
-This page is a stub and needs expansion. Contributions
-welcome via the [VyOS documentation repository](https://github.com/vyos/vyos-documentation).
-:::
-
-This chapter describes how to configure kernel parameters at runtime.
-
-`sysctl` is used to modify kernel parameters at runtime. The parameters
-available are those listed under /proc/sys/.
-
-```{cfgcmd} set system sysctl parameter \<parameter\> value \<value\>
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-syslog.md b/docs/configuration/system/md-syslog.md
deleted file mode 100644
index ae30d272..00000000
--- a/docs/configuration/system/md-syslog.md
+++ /dev/null
@@ -1,450 +0,0 @@
-(syslog)=
-
-# Syslog
-
-## Overview
-
-By default, VyOS provides a minimal logging configuration with local storage
-and log rotation. All errors, including local7 messages, are saved to a local
-file. Emergency alerts are sent to the console.
-
-To change these settings, enter configuration mode.
-
-## Syslog configuration
-
-Syslog supports logging to multiple destinations: a local file, a console, or
-a remote syslog server over UDP or TCP.
-
-The syslog configuration is organized into the following categories:
-
-- Global settings
-- Local logging
-- Console logging
-- Remote logging
-- TLS-encrypted remote logging
-
-### Global settings
-
-Configure the general behavior of the syslog service.
-
-```{cfgcmd} set system syslog marker interval \<number\>
-
-**Configure the interval, in seconds, for sending syslog mark messages.**
-
-Syslog mark messages confirm the logging service is operational.
-
-Default: 1200 seconds.
-```
-
-```{cfgcmd} set system syslog marker disable
-
-Disable sending syslog mark messages.
-```
-
-```{cfgcmd} set system syslog preserve-fqdn
-
-**Configure how the logging device's hostname appears in log messages sent
-to a remote syslog server.**
-
-If configured, the device includes its {abbr}`FQDN (Fully Qualified Domain
-Name)` in log messages, even if the syslog server is in the same domain.
-```
-
-
-### Local logging
-
-Configure which log messages to save to a local log file.
-
-```{cfgcmd} set system syslog local \<filename\> facility \<keyword\> level \<keyword\>
-
-**Configure syslog to save log messages for a specific facility and
-severity level to \`\`/var/log/messages\`\`.**
-
-Refer to the tables below for valid facility and severity options.
-```
-
-(syslog-console)=
-
-### Console logging
-
-Configure which log messages to send to `/dev/console`.
-
-```{cfgcmd} set system syslog console facility \<keyword\> level \<keyword\>
-
-**Configure syslog to send log messages for a specific facility and severity
-level to the device's console.**
-
-Refer to the tables below for valid facility and severity options.
-```
-
-(syslog-remote)=
-
-### Remote logging
-
-Configure **remote logging** to send log messages to a remote syslog server.
-
-Remote logging does not affect either **local** or **console logging** and
-runs in parallel with them. Remote logging supports sending log messages
-to multiple hosts.
-
-```{cfgcmd} set system syslog remote \<address\> facility \<keyword\> level \<keyword\>
-
-**Configure log transmission to the remote syslog server for a specific
-facility and severity level.**
-
-The server’s address can be specified using either a {abbr}`FQDN (Fully
-Qualified Domain Name)` or an IP address.
-
-Refer to the tables below for valid facility and severity options.
-```
-
-```{cfgcmd} set system syslog remote \<address\> protocol \<udp | tcp\>
-
-**Configure the protocol for log transmission.**
-
-The protocol can be either UDP or TCP. By default, log messages are sent
-over UDP.
-```
-
-```{cfgcmd} set system syslog remote \<address\> port \<port\>
-
-**Configure the port for log transmission.**
-
-By default, the standard port 514 is used.
-```
-
-```{cfgcmd} set system syslog remote \<address\> format include-timezone
-
-**Configure log transmission in the RFC 5424 format.**
-
-The RFC 5424 format includes the timezone in the timestamp. For example:
-
-:::{code-block} none
-<34>1 2003-10-11T22:14:15.003-07:00 mymachine.example.com su - ID47 - BOM’su root’ failed for lonvick on /dev/pts/8.
-:::
-
-By default, log messages are sent in the RFC 3164 format. For example:
-
-:::{code-block} none
-<34>Oct 11 22:14:15 mymachine su: ‘su root’ failed for lonvick on /dev/pts/8
-:::
-```
-
-```{cfgcmd} set system syslog remote \<address\> format octet-counted
-
-**Enable octet-counted framing for log transmission.**
-
-When enabled, multi-line log messages are sent without splitting. Ensure
-the remote server supports octet-counted framing to avoid parsing errors.
-
-Octet-counted framing is not available for the UDP protocol.
-```
-
-```{cfgcmd} set system syslog remote \<address\> vrf \<name\>
-
-Configure the {abbr}`VRF (Virtual Routing and Forwarding)` instance
-for log transmission.
-```
-
-```{cfgcmd} set system syslog remote \<address\> source-address \<address\>
-
-Configure the source IP address (IPv4 or IPv6) for log transmission.
-```
-
-
-#### {abbr}`TLS (Transport Layer Security)`-encrypted remote logging
-
-VyOS supports {abbr}`TLS (Transport Layer Security)`-encrypted remote logging
-over TCP to ensure secure transmission of syslog data to remote syslog servers.
-
-**Prerequisites**: Before configuring {abbr}`TLS (Transport Layer
-Security)`-encrypted remote logging, ensure you have:
-- A valid remote syslog server address.
-- Valid {abbr}`CA (Certificate Authority)` and client certificates uploaded
- to the local {abbr}`PKI (Public Key Infrastructure)` storage.
-- The **remote syslog transport protocol** is set to **TCP**:
-
- ```none
- set system syslog remote <address> protocol tcp
- ```
-
-:::{note}
-{abbr}`TLS (Transport Layer Security)`-encrypted remote logging is
-**not supported** over **UDP**.
-:::
-```{cfgcmd} set system syslog remote \<address\> tls
-
-Enable TLS-encrypted remote logging.
-
-```
-
-```{cfgcmd} set system syslog remote \<address\> tls ca-certificate \<ca_name\>
-
-**Configure the** {abbr}`CA (Certificate Authority)` **certificate.**
-
-The syslog client uses the {abbr}`CA (Certificate Authority)` certificate to
-verify the identity of the remote syslog server.
-
-The {abbr}`CA (Certificate Authority)` certificate is required for **all**
-authentication modes except ``anon``.
-
-```
-
-```{cfgcmd} set system syslog remote \<address\> tls certificate \<cert_name\>
-
-**Configure the client certificate.**
-
-The remote syslog server uses the client certificate to verify the identity
-of the syslog client.
-
-The client certificate is required if the remote syslog server enforces
-client certificate verification.
-
-```
-
-````{cfgcmd} set system syslog remote \<address\> tls auth-mode \<anon | fingerprint | certvalid | name\>
-
-**Configure the authentication mode.**
-
-The authentication mode defines how the syslog client verifies the syslog
-server's identity.
-
-The following authentication modes are available:
-
-```{eval-rst}
-* ``anon`` **(default)**: Allows encrypted connections without verifying the syslog
- server's identity. This mode is **not recommended**, as it is vulnerable to
- :abbr:`MITM (Man-in-the-Middle)` attacks.
-* ``fingerprint``: Verifies the server’s certificate fingerprint against the
- value preconfigured with:
-
- .. code-block:: none
-
- set system syslog remote <address> tls permitted-peer <peer>
-
-* ``certvalid``: Verifies the server certificate is signed by a trusted
- :abbr:`CA (Certificate Authority)`, skipping :abbr:`CN (Common Name)` check.
-* ``name``: Verifies that:
-
- * The server’s certificate is signed by a trusted :abbr:`CA (Certificate
- Authority)`.
- * The :abbr:`CN (Common Name)` in the certificate matches the value
- preconfigured with:
-
- .. code-block:: none
-
- set system syslog remote <address> tls permitted-peer <peer>
-
- This is a **recommended** secure mode for production environments.
-```
-
-````
-
-```{cfgcmd} set system syslog remote \<address\> tls permitted-peer \<peer\>
-
-**Configure the peer certificate identifiers.**
-
-The certificate identifier format depends on the authentication mode:
-* ``fingerprint``: Enter the expected certificate fingerprints (SHA-1 or
-SHA-256).
-* ``name``: Enter the expected certificate {abbr}`CNs (Common Names)`.
-
-For ``anon`` and ``certvalid`` authentication modes, certificate identifiers
-are not required.
-
-```
-
-#### Examples:
-
-```none
-# Example of 'anon' authentication mode
-set system syslog remote 10.10.2.3 facility all level debug
-set system syslog remote 10.10.2.3 port 6514
-set system syslog remote 10.10.2.3 protocol tcp
-set system syslog remote 10.10.2.3 tls auth-mode anon
-# or just use 'set system syslog remote 10.10.2.3 tls'
-
-# Example of 'certvalid' authentication mode
-set system syslog remote elk.example.com facility all level debug
-set system syslog remote elk.example.com port 6514
-set system syslog remote elk.example.com protocol tcp
-set system syslog remote elk.example.com tls ca-certificate my-ca
-set system syslog remote elk.example.com tls auth-mode certvalid
-
-# Example of 'fingerprint' authentication mode
-set system syslog remote syslog.example.com facility all level debug
-set system syslog remote syslog.example.com port 6514
-set system syslog remote syslog.example.com protocol tcp
-set system syslog remote syslog.example.com tls ca-certificate my-ca
-set system syslog remote syslog.example.com tls auth-mode fingerprint
-set system syslog remote syslog.example.com tls permitted-peers 'SHA1:10:C4:26:...,SHA256:7B:4B:10:...'
-
-# Example of 'name' authentication mode
-set system syslog remote graylog.example.com facility all level debug
-set system syslog remote graylog.example.com port 6514
-set system syslog remote graylog.example.com protocol tcp
-set system syslog remote graylog.example.com tls ca-certificate my-ca
-set system syslog remote graylog.example.com tls certificate syslog-client
-set system syslog remote graylog.example.com tls auth-mode name
-set system syslog remote graylog.example.com tls permitted-peers 'graylog.example.com'
-```
-
-#### Security recommendations
-
-- For secure deployments, always use the `name` authentication mode. It
- ensures that the server is validated by a trusted {abbr}`CA (Certificate
- Authority)` and that the hostname matches the certificate.
-- Use the `anon` authentication mode only in testing environments, as it
- doesn't provide server authentication.
-- Ensure private keys are generated, stored, and maintained exclusively within
- the {doc}`PKI system </configuration/pki/index>`.
-(syslog_facilities)=
-
-## Syslog facilities
-
-This section lists facilities used by syslog. Most facility names are self-
-explanatory. The local0–local7 facilities are used for custom purposes, such as
-logging from network nodes and equipment. Facility assignment is flexible and
-should be tailored to your company's needs. Consider facilities as categorization
-tools, rather than strict directives.
-
-```{eval-rst}
-+----------+----------+----------------------------------------------------+
-| Facility | Keyword | Description |
-| code | | |
-+==========+==========+====================================================+
-| | all | All facilities |
-+----------+----------+----------------------------------------------------+
-| 0 | kern | Kernel messages |
-+----------+----------+----------------------------------------------------+
-| 1 | user | User-level messages |
-+----------+----------+----------------------------------------------------+
-| 2 | mail | Mail system |
-+----------+----------+----------------------------------------------------+
-| 3 | daemon | System daemons |
-+----------+----------+----------------------------------------------------+
-| 4 | auth | Security/authentication messages |
-+----------+----------+----------------------------------------------------+
-| 5 | syslog | Messages generated internally by syslog |
-+----------+----------+----------------------------------------------------+
-| 6 | lpr | Line printer subsystem |
-+----------+----------+----------------------------------------------------+
-| 7 | news | Network news subsystem |
-+----------+----------+----------------------------------------------------+
-| 8 | uucp | UUCP subsystem |
-+----------+----------+----------------------------------------------------+
-| 9 | cron | Clock daemon |
-+----------+----------+----------------------------------------------------+
-| 10 | security | Security/authentication messages |
-+----------+----------+----------------------------------------------------+
-| 11 | ftp | FTP daemon |
-+----------+----------+----------------------------------------------------+
-| 12 | ntp | NTP subsystem |
-+----------+----------+----------------------------------------------------+
-| 13 | logaudit | Log audit |
-+----------+----------+----------------------------------------------------+
-| 14 | logalert | Log alert |
-+----------+----------+----------------------------------------------------+
-| 15 | clock | clock daemon (note 2) |
-+----------+----------+----------------------------------------------------+
-| 16 | local0 | local use 0 (local0) |
-+----------+----------+----------------------------------------------------+
-| 17 | local1 | local use 1 (local1) |
-+----------+----------+----------------------------------------------------+
-| 18 | local2 | local use 2 (local2) |
-+----------+----------+----------------------------------------------------+
-| 19 | local3 | local use 3 (local3) |
-+----------+----------+----------------------------------------------------+
-| 20 | local4 | local use 4 (local4) |
-+----------+----------+----------------------------------------------------+
-| 21 | local5 | local use 5 (local5) |
-+----------+----------+----------------------------------------------------+
-| 22 | local6 | local use 6 (local6) |
-+----------+----------+----------------------------------------------------+
-| 23 | local7 | local use 7 (local7) |
-+----------+----------+----------------------------------------------------+
-```
-
-(syslog_severity_level)=
-
-## Severity levels
-
-```{eval-rst}
-+-------+---------------+---------+-------------------------------------------+
-| Value | Severity | Keyword | Description |
-+=======+===============+=========+===========================================+
-| | | all | Log everything. |
-+-------+---------------+---------+-------------------------------------------+
-| 0 | Emergency | emerg | System is unusable - a panic condition. |
-+-------+---------------+---------+-------------------------------------------+
-| 1 | Alert | alert | Action must be taken immediately - A |
-| | | | condition that should be corrected |
-| | | | immediately, such as a corrupted system |
-| | | | database. |
-+-------+---------------+---------+-------------------------------------------+
-| 2 | Critical | crit | Critical conditions - e.g., hard drive |
-| | | | errors. |
-+-------+---------------+---------+-------------------------------------------+
-| 3 | Error | err | Error conditions. |
-+-------+---------------+---------+-------------------------------------------+
-| 4 | Warning | warning | Warning conditions. |
-+-------+---------------+---------+-------------------------------------------+
-| 5 | Notice | notice | Normal but significant conditions - |
-| | | | conditions that are not error conditions, |
-| | | | but that may require special handling. |
-+-------+---------------+---------+-------------------------------------------+
-| 6 | Informational | info | Informational messages. |
-+-------+---------------+---------+-------------------------------------------+
-| 7 | Debug | debug | Debug-level messages - Messages that |
-| | | | contain information normally of use only |
-| | | | when debugging a program. |
-+-------+---------------+---------+-------------------------------------------+
-```
-
-## Display logs
-
-```{opcmd} show log [all | authorization | cluster | conntrack-sync | ...]
-
-**Display logs for a specific category on the console.**
-
-Use tab completion to view a list of available categories.
-
-If no category is specified, all logs are shown.
-
-```
-
-````{opcmd} show log image \<name\> [all | authorization | directory | file \<file name\> | tail \<lines\>]
-
-**Display logs for a specific image on the console.**
-
-Available log categories:
-
-```{eval-rst}
-.. list-table::
- :widths: 25 75
- :header-rows: 0
-
- * - all
- - Displays the contents of system log files of the specified image.
- * - authorization
- - Displays authorization attempts of the specified image.
- * - directory
- - Displays user-defined log files of the specified image.
- * - file <file name>
- - Displays the contents of a specified user-defined log file of the specified
- image.
- * - tail
- - Displays last lines of the system log of the specified image.
- * - <lines>
- - Number of lines to be displayed, default 10.
-```
-
-````
-
-If no category is specified, the contents of the main syslog file are
-displayed.
-
-:::{hint}
-Use `show log | strip-private` to hide private data
-when displaying your logs.
-:::
diff --git a/docs/configuration/system/md-task-scheduler.md b/docs/configuration/system/md-task-scheduler.md
deleted file mode 100644
index 94ca9f4d..00000000
--- a/docs/configuration/system/md-task-scheduler.md
+++ /dev/null
@@ -1,45 +0,0 @@
-(task-scheduler)=
-
-# Task Scheduler
-
-The task scheduler allows you to execute tasks on a given schedule. It makes
-use of UNIX [cron].
-
-:::{note}
-All scripts executed this way are executed as root user - this may
-be dangerous. Together with {ref}`command-scripting` this can be used for
-automating (re-)configuration.
-:::
-
-```{cfgcmd} set system task-scheduler task \<task\> interval \<interval\>
-
-Specify the time interval when `<task>` should be executed. The interval
-is specified as number with one of the following suffixes:
-* ``none`` - Execution interval in minutes
-* ``m`` - Execution interval in minutes
-* ``h`` - Execution interval in hours
-* ``d`` - Execution interval in days
-
-:::{note}
-If suffix is omitted, minutes are implied.
-:::
-```
-
-```{cfgcmd} set system task-scheduler task \<task\> crontab-spec \<spec\>
-
-Set execution time in common cron time format. A cron `<spec>` of
-``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour.
-```
-
-```{cfgcmd} set system task-scheduler task \<task\> executable path \<path\>
-
-Specify absolute `<path>` to script which will be run when `<task>` is
-executed.
-```
-
-```{cfgcmd} set system task-scheduler task \<task\> executable arguments \<args\>
-
-Arguments which will be passed to the executable.
-```
-
-[cron]: https://en.wikipedia.org/wiki/Cron
diff --git a/docs/configuration/system/md-time-zone.md b/docs/configuration/system/md-time-zone.md
deleted file mode 100644
index 2279a773..00000000
--- a/docs/configuration/system/md-time-zone.md
+++ /dev/null
@@ -1,17 +0,0 @@
-(timezone)=
-
-# Time Zone
-
-Time Zone setting is very important as e.g all your logfile entries will be
-based on the configured zone. Without proper time zone configuration it will
-be very difficult to compare logfiles from different systems.
-
-```{cfgcmd} set system time-zone \<timezone\>
-
-Specify the systems \<timezone\> as the Region/Location that best defines
-your location. For example, specifying US/Pacific sets the time zone to US
-Pacific time.
-
-Command completion can be used to list available time zones. The adjustment
-for daylight time will take place automatically based on the time of year.
-``` \ No newline at end of file
diff --git a/docs/configuration/system/md-updates.md b/docs/configuration/system/md-updates.md
deleted file mode 100644
index c82d37be..00000000
--- a/docs/configuration/system/md-updates.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Updates
-
-VyOS supports online checking for updates
-
-## Configuration
-
-```{cfgcmd} set system update-check auto-check
-
-Configure auto-checking for new images
-```
-
-```{cfgcmd} set system update-check url \<url\>
-
-Configure a URL that contains information about images.
-```
-
-
-## Example
-
-```none
-set system update-check auto-check
-set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'
-```
-
-Check:
-
-```none
-vyos@r4:~$ show system updates
-Current version: 1.5-rolling-202312220023
-
-Update available: 1.5-rolling-202312250024
-Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso
-vyos@r4:~$
-
-vyos@r4:~$ add system image latest
-```
diff --git a/docs/configuration/system/md-watchdog.md b/docs/configuration/system/md-watchdog.md
deleted file mode 100644
index 700051a6..00000000
--- a/docs/configuration/system/md-watchdog.md
+++ /dev/null
@@ -1,212 +0,0 @@
-(system-watchdog)=
-
-# Watchdog
-
-VyOS supports hardware watchdog timers to automatically reboot the system if
-it becomes unresponsive. This is particularly useful for remote or embedded
-systems where physical access is limited.
-
-A watchdog timer is a hardware or software mechanism that automatically resets
-the system if the operating system stops responding within a configured timeout
-period. The system will periodically notify the watchdog that it is still
-running. If the watchdog is not notified within the timeout period, the watchdog
-will reset the system.
-
-## Configuration
-
-The watchdog feature is configured under the `system watchdog` configuration
-tree. The presence of the `system watchdog` node enables the watchdog feature.
-
-```{cfgcmd} set system watchdog
-
-Enable watchdog support.
-
-The watchdog is enabled only when a watchdog device is available as
-``/dev/watchdog0``.
-
-:::{note}
-If multiple watchdog devices are present, only the first watchdog
-device is supported (VyOS uses ``/dev/watchdog0`` only).
-:::
-If ``/dev/watchdog0`` does not exist and no module is configured, commit will
-fail. If a module is configured but ``/dev/watchdog0`` still cannot be
-created, VyOS will emit a warning and will not enable the systemd watchdog.
-```
-
-```{cfgcmd} set system watchdog module \<module-name\>
-
-Specify the kernel watchdog driver module to load for ``/dev/watchdog0``.
-
-The configured module must be a watchdog driver module, not an arbitrary
-kernel module.
-
-**In most cases, this option is not required** as the kernel will
-automatically load the appropriate watchdog driver for your system. Use this
-option if the kernel fails to load the required driver, or when you want to
-use the software watchdog (``softdog``).
-
-Common modules include:
-* ``softdog`` - Software watchdog timer (available on all systems)
-* ``iTCO_wdt`` - Intel TCO watchdog timer
-* ``sp5100_tco`` - AMD SP5100 TCO watchdog timer
-* ``i6300esb`` - Intel 6300ESB watchdog timer
-* ``ipmi_watchdog`` - IPMI watchdog timer
-
-:::{warning}
-``softdog`` is not a hardware watchdog. It is implemented using
-kernel timers and therefore depends on the Linux kernel continuing to run.
-In some fault conditions (for example, a kernel hang), ``softdog`` may not
-be able to trigger a reset.
-
-Prefer a hardware watchdog driver whenever possible, as hardware watchdogs
-can operate independently of the operating system.
-:::
-
-If no module is specified, VyOS will use an existing ``/dev/watchdog0``
-device if available.
-
-:::{note}
-If a module is specified but a different driver is actually bound
-to ``watchdog0``, VyOS will emit a warning during commit.
-:::
-Example:
-
-:::{code-block} none
-set system watchdog module softdog
-:::
-```
-
-```{cfgcmd} set system watchdog timeout \<seconds\>
-:defaultvalue:
-
-Set the watchdog timeout for normal runtime operation in seconds.
-
-Valid range: 1-65535 seconds
-
-:::{note}
-Some watchdog drivers expose minimum and maximum supported runtime
-timeouts via sysfs. When available, VyOS validates ``timeout`` against
-those driver limits during commit.
-:::
-
-This is the interval during which the system must respond to the watchdog.
-If the system does not respond within this time, the watchdog will trigger
-a reboot.
-
-Example:
-
-:::{code-block} none
-set system watchdog timeout 30
-:::
-```
-
-```{cfgcmd} set system watchdog shutdown-timeout \<seconds\>
-:defaultvalue:
-
-Set the watchdog timeout during system shutdown in seconds.
-
-Valid range: 60-65535 seconds
-
-This extended timeout allows the system to complete a graceful shutdown
-without triggering the watchdog.
-
-:::{warning}
-Setting this value too low (below 120 seconds) may cause
-unclean shutdowns, as the system may not have enough time to properly
-stop all services and flush disk buffers. The recommended minimum value
-is 120 seconds.
-:::
-Example:
-
-:::{code-block} none
-set system watchdog shutdown-timeout 180
-:::
-```
-
-```{cfgcmd} set system watchdog reboot-timeout \<seconds\>
-:defaultvalue:
-
-Set the watchdog timeout during system reboot in seconds.
-
-Valid range: 60-65535 seconds
-
-This extended timeout allows the system to complete the reboot process
-without triggering the watchdog during the transition.
-
-:::{warning}
-Setting this value too low (below 120 seconds) may cause
-unclean reboots, as the system may not have enough time to properly
-stop all services before restarting. The recommended minimum value
-is 120 seconds.
-:::
-Example:
-
-:::{code-block} none
-set system watchdog reboot-timeout 180
-:::
-```
-
-
-## Examples
-
-### Basic Configuration with Software Watchdog
-
-This example configures a basic software watchdog with default timeouts:
-
-```none
-set system watchdog module softdog
-```
-
-This will:
-- Enable the watchdog feature
-- Load the `softdog` kernel module
-- Use a 10-second runtime timeout (default)
-- Use 120-second shutdown and reboot timeouts (default)
-
-### Advanced Configuration
-
-This example shows a more customized configuration suitable for a production
-system:
-
-```none
-set system watchdog module iTCO_wdt
-set system watchdog timeout 30
-set system watchdog shutdown-timeout 300
-set system watchdog reboot-timeout 300
-```
-
-This configuration:
-
-- Enables the watchdog feature
-- Loads the Intel TCO hardware watchdog module
-- Sets a 30-second runtime timeout
-- Allows 5 minutes for shutdown and reboot operations
-
-## Best Practices
-
-- **Start with conservative timeouts**: Use longer timeouts initially and
- reduce them as you gain confidence in system stability.
-- **Test before deployment**: Verify the watchdog works as expected in a
- non-production environment before deploying to production systems.
-- **Choose appropriate modules**: Use hardware watchdog modules (like
- `iTCO_wdt`) when available, as they are more reliable than software
- watchdogs.
-- **Consider shutdown time**: Set `shutdown-timeout` and `reboot-timeout`
- values high enough to allow for normal shutdown procedures, especially on
- systems with many services or slow storage.
-- **Monitor watchdog events**: Check system logs after any unexpected reboots
- to determine if the watchdog triggered the reboot.
-- **Remote systems**: For systems without physical console access, use
- conservative timeout values to avoid false-positive reboots during high
- load conditions.
-
-:::{note}
-The watchdog configuration takes effect immediately after commit,
-but systemd must be reloaded. This happens automatically during commit.
-:::
-
-:::{warning}
-Incorrect watchdog configuration on remote systems can result
-in unexpected reboots. Always test watchdog settings in a controlled
-environment before deploying to production systems.
-:::