diff --git a/nixos/modules/misc/label.nix b/nixos/modules/misc/label.nix
index b97cbaa26304..e51e935c5c27 100644
--- a/nixos/modules/misc/label.nix
+++ b/nixos/modules/misc/label.nix
@@ -32,13 +32,14 @@ in
         Useful for not loosing track of configurations built from different
         nixos branches/revisions, e.g.:
 
-        <screen>
+        <programlisting>
         #!/bin/sh
         today=`date +%Y%m%d`
         branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')`
         revision=`(cd nixpkgs ; git rev-parse HEAD)`
         export NIXOS_LABEL_VERSION="$today.$branch-''${revision:0:7}"
-        nixos-rebuild switch</screen>
+        nixos-rebuild switch
+        </programlisting>
       '';
     };
 
@@ -53,12 +54,12 @@ in
         Useful for not loosing track of configurations built with
         different options, e.g.:
 
-        <screen>
+        <programlisting>
         {
           system.nixos.tags = [ "with-xen" ];
           virtualisation.xen.enable = true;
         }
-        </screen>
+        </programlisting>
       '';
     };
 
diff --git a/nixos/modules/services/development/zammad.nix b/nixos/modules/services/development/zammad.nix
index e81eef3c0a51..b18906f776f5 100644
--- a/nixos/modules/services/development/zammad.nix
+++ b/nixos/modules/services/development/zammad.nix
@@ -160,9 +160,9 @@ in
           Needs to be a 64 byte long string of hexadecimal
           characters. You can generate one by running
 
-          <screen>
-          <prompt>$ </prompt>openssl rand -hex 64 >/path/to/secret_key_base_file
-          </screen>
+          <programlisting>
+          openssl rand -hex 64 >/path/to/secret_key_base_file
+          </programlisting>
 
           This should be a string, not a nix path, since nix paths are
           copied into the world-readable nix store.
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index cf2afcacc528..8fc171b23217 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -215,22 +215,28 @@ let
                   ];
         description = ''
           Listed primary servers are allowed to notify this secondary server.
-          <screen><![CDATA[
-          Format: <ip> <key-name | NOKEY | BLOCKED>
 
-          <ip> either a plain IPv4/IPv6 address or range. Valid patters for ranges:
-          * 10.0.0.0/24            # via subnet size
-          * 10.0.0.0&255.255.255.0 # via subnet mask
-          * 10.0.0.1-10.0.0.254    # via range
+          Format: <literal>&lt;ip&gt; &lt;key-name | NOKEY | BLOCKED&gt;</literal>
+
+          <literal>&lt;ip&gt;</literal> either a plain IPv4/IPv6 address or range.
+          Valid patters for ranges:
+          <itemizedlist>
+            <listitem><para><literal>10.0.0.0/24</literal>: via subnet size</para></listitem>
+            <listitem><para><literal>10.0.0.0&amp;255.255.255.0</literal>: via subnet mask</para></listitem>
+            <listitem><para><literal>10.0.0.1-10.0.0.254</literal>: via range</para></listitem>
+          </itemizedlist>
 
           A optional port number could be added with a '@':
-          * 2001:1234::1@1234
+          <itemizedlist>
+            <listitem><para><literal>2001:1234::1@1234</literal></para></listitem>
+          </itemizedlist>
 
-          <key-name | NOKEY | BLOCKED>
-          * <key-name> will use the specified TSIG key
-          * NOKEY      no TSIG signature is required
-          * BLOCKED    notifies from non-listed or blocked IPs will be ignored
-          * ]]></screen>
+          <literal>&lt;key-name | NOKEY | BLOCKED&gt;</literal>
+          <itemizedlist>
+            <listitem><para><literal>&lt;key-name&gt;</literal> will use the specified TSIG key</para></listitem>
+            <listitem><para><literal>NOKEY</literal> no TSIG signature is required</para></listitem>
+            <listitem><para><literal>BLOCKED</literal>notifies from non-listed or blocked IPs will be ignored</para></listitem>
+          </itemizedlist>
         '';
       };
 
@@ -347,15 +353,16 @@ let
         description = ''
           This primary server will notify all given secondary servers about
           zone changes.
-          <screen><![CDATA[
-          Format: <ip> <key-name | NOKEY>
 
-          <ip> a plain IPv4/IPv6 address with on optional port number (ip@port)
+          Format: <literal>&lt;ip&gt; &lt;key-name | NOKEY&gt;</literal>
 
-          <key-name | NOKEY>
-          * <key-name> sign notifies with the specified key
-          * NOKEY      don't sign notifies
-          ]]></screen>
+          <literal>&lt;ip&gt;</literal> a plain IPv4/IPv6 address with on optional port number (ip@port)
+
+          <literal>&lt;key-name | NOKEY&gt;</literal>
+          <itemizedlist>
+            <listitem><para><literal>&lt;key-name&gt;</literal> sign notifies with the specified key</para></listitem>
+            <listitem><para><literal>NOKEY</literal> don't sign notifies</para></listitem>
+          </itemizedlist>
         '';
       };
 
diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix
index a1ab3bfca4a6..49db9d8da5a9 100644
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@@ -68,9 +68,9 @@ in
           Needs to be a 64 byte long string of hexadecimal
           characters. You can generate one by running
 
-          <screen>
-          <prompt>$ </prompt>openssl rand -hex 64 >/path/to/secret_key_base_file
-          </screen>
+          <programlisting>
+          openssl rand -hex 64 >/path/to/secret_key_base_file
+          </programlisting>
 
           This should be a string, not a nix path, since nix paths are
           copied into the world-readable nix store.
diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index 76150cc95999..9f27727cbf8b 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -172,9 +172,9 @@ in
         To switch to a specialised configuration
         (e.g. <literal>fewJobsManyCores</literal>) at runtime, run:
 
-        <screen>
-        <prompt># </prompt>sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test
-        </screen>
+        <programlisting>
+        sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test
+        </programlisting>
       '';
       type = types.attrsOf (types.submodule (
         local@{ ... }: let
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 265399e562fc..171c51308a79 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -51,12 +51,13 @@ in
         Specify SSH host keys to import into the initrd.
 
         To generate keys, use
-        <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
+        <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        as root:
 
-        <screen>
-        <prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
-        <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
-        </screen>
+        <programlisting>
+        ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+        ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
+        </programlisting>
 
         <warning>
           <para>