diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix
index 30d039a2b7a..d770094960b 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/module.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix
@@ -5,12 +5,7 @@ with (import ./param-lib.nix lib);
let
cfg = config.services.strongswan-swanctl;
-
- # TODO: auto-generate these files using:
- # https://github.com/strongswan/strongswan/tree/master/conf
- # IDEA: extend the format-options.py script to output these Nix files.
- #strongswanParams = import ./strongswan-params.nix lib;
- swanctlParams = import ./swanctl-params.nix lib;
+ swanctlParams = import ./swanctl-params.nix lib;
in {
options.services.strongswan-swanctl = {
enable = mkEnableOption "strongswan-swanctl service";
@@ -32,11 +27,7 @@ in {
'';
};
- # The structured strongswan configuration is commented out for
- # now in favour of the literal config above. We should first
- # discus if we want to add the 600+ options by default.
- #strongswan = paramsToOptions strongswanParams;
- swanctl = paramsToOptions swanctlParams;
+ swanctl = paramsToOptions swanctlParams;
};
config = mkIf cfg.enable {
@@ -76,7 +67,6 @@ in {
path = with pkgs; [ kmod iproute iptables utillinux ];
environment.STRONGSWAN_CONF = pkgs.writeTextFile {
name = "strongswan.conf";
- #text = paramsToConf cfg.strongswan strongswanParams;
text = cfg.strongswan.extraConfig;
};
restartTriggers = [ config.environment.etc."swanctl/swanctl.conf".source ];
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
deleted file mode 100644
index 17bd632dc18..00000000000
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
+++ /dev/null
@@ -1,572 +0,0 @@
-lib: with (import ./param-constructors.nix lib);
-
-let loglevelParams = import ./strongswan-loglevel-params.nix lib;
-in {
- accept_unencrypted_mainmode_messages = mkYesNoParam no ''
- Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Some
- implementations send the third Main Mode message unencrypted, probably
- to find the PSKs for the specified ID for authentication. This is very
- similar to Aggressive Mode, and has the same security implications: A
- passive attacker can sniff the negotiated Identity, and start brute
- forcing the PSK using the HASH payload. It is recommended to keep this
- option to no, unless you know exactly what the implications are and
- require compatibility to such devices (for example, some SonicWall
- boxes).
- '';
-
- block_threshold = mkIntParam 5 ''
- Maximum number of half-open IKE_SAs for a single peer IP.
- '';
-
- cache_crls = mkYesNoParam no ''
- Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
- should be saved under a unique file name derived from the public
- key of the Certification Authority (CA) to
- /etc/ipsec.d/crls (stroke) or
- /etc/swanctl/x509crl (vici), respectively.
- '';
-
- cert_cache = mkYesNoParam yes ''
- Whether relations in validated certificate chains should be cached in memory.
- '';
-
- cisco_unity = mkYesNoParam no ''
- Send Cisco Unity vendor ID payload (IKEv1 only), see unity plugin.
- '';
-
- close_ike_on_child_failure = mkYesNoParam no ''
- Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
- '';
-
- cookie_threshold = mkIntParam 10 ''
- Number of half-open IKE_SAs that activate the cookie mechanism.
- '';
-
- crypto_test.bench = mkYesNoParam no ''
- Benchmark crypto algorithms and order them by efficiency.
- '';
-
- crypto_test.bench_size = mkIntParam 1024 ''
- Buffer size used for crypto benchmark.
- '';
-
- crypto_test.bench_time = mkIntParam 50 ''
- Number of iterations to test each algorithm.
- '';
-
- crypto_test.on_add = mkYesNoParam no ''
- Test crypto algorithms during registration
- (requires test vectors provided by the test-vectors plugin).
- '';
-
- crypto_test.on_create = mkYesNoParam no ''
- Test crypto algorithms on each crypto primitive instantiation.
- '';
-
- crypto_test.required = mkYesNoParam no ''
- Strictly require at least one test vector to enable an algorithm.
- '';
-
- crypto_test.rng_true = mkYesNoParam no ''
- Whether to test RNG with TRUE quality; requires a lot of entropy.
- '';
-
- delete_rekeyed = mkYesNoParam no ''
- Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
- Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
- However, this might cause problems with implementations that continue
- to use rekeyed SAs until they expire.
- '';
-
- delete_rekeyed_delay = mkIntParam 5 ''
- Delay in seconds until inbound IPsec SAs are deleted after rekeyings
- (IKEv2 only).
-
- To process delayed packets the inbound part of a CHILD_SA is kept
- installed up to the configured number of seconds after it got replaced
- during a rekeying. If set to 0 the CHILD_SA will be kept installed until
- it expires (if no lifetime is set it will be destroyed immediately).
- '';
-
- dh_exponent_ansi_x9_42 = mkYesNoParam yes ''
- Use ANSI X9.42 DH exponent size or optimum size matched to
- cryptographical strength.
- '';
-
- dlopen_use_rtld_now = mkYesNoParam no ''
- Use RTLD_NOW with dlopen() when loading plugins and IMV/IMCs to reveal
- missing symbols immediately. Useful during development of custom plugins.
- '';
-
- dns1 = mkOptionalStrParam ''
- DNS server assigned to peer via configuration payload (CP), see attr plugin.
- '';
-
- dns2 = mkOptionalStrParam ''
- DNS server assigned to peer via configuration payload (CP).
- '';
-
- dos_protection = mkYesNoParam yes ''
- Enable Denial of Service protection using cookies and aggressiveness checks.
- '';
-
- ecp_x_coordinate_only = mkYesNoParam yes ''
- Compliance with the errata for RFC 4753.
- '';
-
- filelog = mkAttrsOfParams ({
- append = mkYesNoParam yes ''
- If this option is enabled log entries are appended to the existing file.
- '';
-
- flush_line = mkYesNoParam no ''
- Enabling this option disables block buffering and enables line
- buffering. That is, a flush to disk is enforced for each logged line.
- '';
-
- ike_name = mkYesNoParam no ''
- Prefix each log entry with the connection name and a unique numerical
- identifier for each IKE_SA.
- '';
-
- time_format = mkOptionalStrParam ''
- Prefix each log entry with a timestamp. The option accepts a format string
- as passed to strftime(3).
- '';
-
- time_add_ms = mkYesNoParam no ''
- Adds the milliseconds within the current second after the timestamp
- (separated by a dot, so time_format should end with %S or %T)
- '';
- } // loglevelParams) ''Section to define file loggers, see LoggerConfiguration.'';
-
- flush_auth_cfg = mkYesNoParam no ''
- If enabled objects used during authentication (certificates, identities
- etc.) are released to free memory once an IKE_SA is
- established. Enabling this might conflict with plugins that later need
- access to e.g. the used certificates.
- '';
-
- follow_redirects = mkYesNoParam yes ''
- Whether to follow IKEv2 redirects (RFC 5685).
- '';
-
- fragment_size = mkIntParam 1280 ''
- Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- when using proprietary IKEv1 or standardized IKEv2 fragmentation,
- defaults to 1280 (use 0 for address family specific default values,
- which uses a lower value for IPv4). If specified this limit is used for
- both IPv4 and IPv6.
- '';
-
- group = mkOptionalStrParam ''
- Name of the group the daemon changes to after startup.
- '';
-
- half_open_timeout = mkIntParam 30 ''
- Timeout in seconds for connecting IKE_SAs, also see IKE_SA_INIT dropping.
- '';
-
- hash_and_url = mkYesNoParam no ''
- Enable hash and URL support.
- '';
-
- host_resolver.max_threads = mkIntParam 3 ''
- Maximum number of concurrent resolver threads (they are terminated if unused).
- '';
-
- host_resolver.min_threads = mkIntParam 0 ''
- Minimum number of resolver threads to keep around.
- '';
-
- i_dont_care_about_security_and_use_aggressive_mode_psk = mkYesNoParam no ''
- If enabled responders are allowed to use IKEv1 Aggressive Mode with
- pre-shared keys, which is discouraged due to security concerns (offline
- attacks on the openly transmitted hash of the PSK).
- '';
-
- ignore_acquire_ts = mkYesNoParam no ''
- If this is disabled the traffic selectors from the kernel's acquire
- events, which are derived from the triggering packet, are prepended to
- the traffic selectors from the configuration for IKEv2 connection. By
- enabling this, such specific traffic selectors will be ignored and only
- the ones in the config will be sent. This always happens for IKEv1
- connections as the protocol only supports one set of traffic selectors
- per CHILD_SA.
- '';
-
- ignore_routing_tables = mkSpaceSepListParam [] ''
- A space-separated list of routing tables to be excluded from route lookup.
- '';
-
- ikesa_limit = mkIntParam 0 ''
- Maximum number of IKE_SAs that can be established at the same time
- before new connection attempts are blocked.
- '';
-
- ikesa_table_segments = mkIntParam 1 ''
- Number of exclusively locked segments in the hash table, see IKE_SA
- lookup tuning.
- '';
-
- ikesa_table_size = mkIntParam 1 ''
- Size of the IKE_SA hash table, see IKE_SA lookup tuning.
- '';
-
- inactivity_close_ike = mkYesNoParam no ''
- Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
- '';
-
- init_limit_half_open = mkIntParam 0 ''
- Limit new connections based on the current number of half open IKE_SAs,
- see IKE_SA_INIT dropping.
- '';
-
- init_limit_job_load = mkIntParam 0 ''
- Limit new connections based on the number of jobs currently queued for
- processing, see IKE_SA_INIT dropping.
- '';
-
- initiator_only = mkYesNoParam no ''
- Causes charon daemon to ignore IKE initiation requests.
- '';
-
- install_routes = mkYesNoParam yes ''
- Install routes into a separate routing table for established IPsec
- tunnels. If disabled a more efficient lookup for source and next-hop
- addresses is used since 5.5.2.
- '';
-
- install_virtual_ip = mkYesNoParam yes ''
- Install virtual IP addresses.
- '';
-
- install_virtual_ip_on = mkOptionalStrParam ''
- The name of the interface on which virtual IP addresses should be
- installed. If not specified the addresses will be installed on the
- outbound interface.
- '';
-
- integrity_test = mkYesNoParam no ''
- Check daemon, libstrongswan and plugin integrity at startup.
- '';
-
- interfaces_ignore = mkCommaSepListParam [] ''
- List of network interfaces that should be ignored, if
- is specified this option has no effect.
- '';
-
- interfaces_use = mkCommaSepListParam [] ''
- List of network interfaces that should be used by
- charon. All other interfaces are ignored.
- '';
-
- keep_alive = mkIntParam 20 ''
- NAT keep alive interval in seconds.
- '';
-
- leak_detective.detailed = mkYesNoParam yes ''
- Includes source file names and line numbers in leak detective output.
- '';
-
- leak_detective.usage_threshold = mkIntParam 10240 ''
- Threshold in bytes for leaks to be reported (0 to report all).
- '';
-
- leak_detective.usage_threshold_count = mkIntParam 0 ''
- Threshold in number of allocations for leaks to be reported (0 to report
- all).
- '';
-
- load = mkSpaceSepListParam [] ''
- Plugins to load in IKEv2 charon daemon, see PluginLoad.
- '';
-
- load_modular = mkYesNoParam no ''
- If enabled the list of plugins to load is determined by individual load
- settings for each plugin, see PluginLoad.
- '';
-
- make_before_break = mkYesNoParam no ''
- Initiate IKEv2 reauthentication with a make-before-break instead of a
- break-before-make scheme. Make-before-break uses overlapping IKE and
- CHILD_SA during reauthentication by first recreating all new SAs before
- deleting the old ones. This behavior can be beneficial to avoid
- connectivity gaps during reauthentication, but requires support for
- overlapping SAs by the peer. strongSwan can handle such overlapping SAs
- since 5.3.0.
- '';
-
- max_ikev1_exchanges = mkIntParam 3 ''
- Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
- and track concurrently.
- '';
-
- max_packet = mkIntParam 10000 ''
- Maximum packet size accepted by charon.
- '';
-
- multiple_authentication = mkYesNoParam yes ''
- Enable multiple authentication exchanges (RFC 4739).
- '';
-
- nbns1 = mkOptionalStrParam ''
- WINS server assigned to peer via configuration payload (CP), see attr
- plugin.
- '';
-
- nbns2 = mkOptionalStrParam ''
- WINS server assigned to peer via configuration payload (CP).
- '';
-
- port = mkIntParam 500 ''
- UDP port used locally. If set to 0 a random port will be allocated.
- '';
-
- port_nat_t = mkIntParam 4500 ''
- UDP port used locally in case of NAT-T. If set to 0 a random port will
- be allocated. Has to be different from charon.port, otherwise a random
- port will be allocated.
- '';
-
- prefer_best_path = mkYesNoParam no ''
- By default, charon keeps SAs on the routing path with addresses it
- previously used if that path is still usable. By enabling this option,
- it tries more aggressively to update SAs with MOBIKE on routing priority
- changes using the cheapest path. This adds more noise, but allows to
- dynamically adapt SAs to routing priority changes. This option has no
- effect if MOBIKE is not supported or disabled.
- '';
-
- prefer_configured_proposals = mkYesNoParam yes ''
- Prefer locally configured proposals for IKE/IPsec over supplied ones as
- responder (disabling this can avoid keying retries due to
- INVALID_KE_PAYLOAD notifies).
- '';
-
- prefer_temporary_addrs = mkYesNoParam no ''
- By default public IPv6 addresses are preferred over temporary ones
- (according to RFC 4941), to make connections more stable. Enable this
- option to reverse this.
- '';
-
- process_route = mkYesNoParam yes ''
- Process RTM_NEWROUTE and RTM_DELROUTE events.
- '';
-
- processor.priority_threads = {
- critical = mkIntParam 0 ''
- Threads reserved for CRITICAL priority class jobs.
- '';
-
- high = mkIntParam 0 ''
- Threads reserved for HIGH priority class jobs.
- '';
-
- medium = mkIntParam 0 ''
- Threads reserved for MEDIUM priority class jobs.
- '';
-
- low = mkIntParam 0 ''
- Threads reserved for LOW priority class jobs.
- '';
- };
-
- receive_delay = mkIntParam 0 ''
- Delay in ms for receiving packets, to simulate larger RTT.
- '';
-
- receive_delay_response = mkYesNoParam yes ''
- Delay response messages.
- '';
-
- receive_delay_request = mkYesNoParam yes ''
- Delay request messages.
- '';
-
- receive_delay_type = mkIntParam 0 ''
- Specific IKEv2 message type to delay, 0 for any.
- '';
-
- replay_window = mkIntParam 32 ''
- Size of the AH/ESP replay window, in packets.
- '';
-
- retransmit_base = mkFloatParam "1.8" ''
- Base to use for calculating exponential back off, see Retransmission.
- '';
-
- retransmit_jitter = mkIntParam 0 ''
- Maximum jitter in percent to apply randomly to calculated retransmission
- timeout (0 to disable).
- '';
-
- retransmit_limit = mkIntParam 0 ''
- Upper limit in seconds for calculated retransmission timeout (0 to
- disable).
- '';
-
- retransmit_timeout = mkFloatParam "4.0" ''
- Timeout in seconds before sending first retransmit.
- '';
-
- retransmit_tries = mkIntParam 5 ''
- Number of times to retransmit a packet before giving up.
- '';
-
- retry_initiate_interval = mkIntParam 0 ''
- Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
- DNS resolution failed), 0 to disable retries.
- '';
-
- reuse_ikesa = mkYesNoParam yes ''
- Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
- '';
-
- routing_table = mkIntParam 220 ''
- Numerical routing table to install routes to.
- '';
-
- routing_table_prio = mkIntParam 220 ''
- Priority of the routing table.
- '';
-
- rsa_pss = mkYesNoParam no ''
- Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
- '';
-
- send_delay = mkIntParam 0 ''
- Delay in ms for sending packets, to simulate larger RTT.
- '';
-
- send_delay_request = mkYesNoParam yes ''
- Delay request messages.
- '';
-
- send_delay_response = mkYesNoParam yes ''
- Delay response messages.
- '';
-
- send_delay_type = mkIntParam 0 ''
- Specific IKEv2 message type to delay, 0 for any.
- '';
-
- send_vendor_id = mkYesNoParam no ''
- Send strongSwan vendor ID payload.
- '';
-
- signature_authentication = mkYesNoParam yes ''
- Whether to enable Signature Authentication as per RFC 7427.
- '';
-
- signature_authentication_constraints = mkYesNoParam yes ''
- If enabled, signature schemes configured in rightauth, in addition to
- getting used as constraints against signature schemes employed in the
- certificate chain, are also used as constraints against the signature
- scheme used by peers during IKEv2.
- '';
-
- spi_min = mkHexParam "0xc0000000" ''
- The lower limit for SPIs requested from the kernel for IPsec SAs. Should
- not be set lower than 0x00000100 (256), as SPIs between 1 and 255 are
- reserved by IANA.
- '';
-
- spi_max = mkHexParam "0xcfffffff" ''
- The upper limit for SPIs requested from the kernel for IPsec SAs.
- '';
-
- start-scripts = mkAttrsOfParam (mkStrParam "" "") ''
- Section containing a list of scripts (name = path) that are executed
- when the daemon is started.
- '';
-
- stop-scripts = mkAttrsOfParam (mkStrParam "" "") ''
- Section containing a list of scripts (name = path) that are executed
- when the daemon is terminated.
- '';
-
- syslog = loglevelParams // {
- identifier = mkOptionalStrParam ''
- Identifier for use with openlog(3).
-
- Global identifier used for an openlog(3) call, prepended to each log
- message by syslog. If not configured, openlog(3) is not called, so
- the value will depend on system defaults (often the program name).
- '';
-
- ike_name = mkYesNoParam no ''
- Prefix each log entry with the connection name and a unique numerical
- identifier for each IKE_SA.
- '';
- };
-
- threads = mkIntParam 16 ''
- Number of worker threads in charon. Several of these are reserved for
- long running tasks in internal modules and plugins. Therefore, make sure
- you don't set this value too low. The number of idle worker threads
- listed in ipsec statusall might be used as indicator on the number of
- reserved threads (JobPriority has more on this).
- '';
-
- user = mkOptionalStrParam ''
- Name of the user the daemon changes to after startup.
- '';
-
- x509.enforce_critical = mkYesNoParam yes ''
- Discard certificates with unsupported or unknown critical extensions.
- '';
-
- plugins = import ./strongswan-charon-plugins-params.nix lib;
-
- imcv = {
- assessment_result = mkYesNoParam yes ''
- Whether IMVs send a standard IETF Assessment Result attribute.
- '';
-
- database = mkOptionalStrParam ''
- Global IMV policy database URI. If it contains a password, make sure to
- adjust the permissions of the config file accordingly.
- '';
-
- os_info.default_password_enabled = mkYesNoParam no ''
- Manually set whether a default password is enabled.
- '';
-
- os_info.name = mkOptionalStrParam ''
- Manually set the name of the client OS (e.g. NixOS).
- '';
-
- os_info.version = mkOptionalStrParam ''
- Manually set the version of the client OS (e.g. 17.09).
- '';
-
- policy_script = mkStrParam "ipsec _imv_policy" ''
- Script called for each TNC connection to generate IMV policies.
- '';
- };
-
- tls = {
- cipher = mkSpaceSepListParam [] ''
- List of TLS encryption ciphers.
- '';
-
- key_exchange = mkSpaceSepListParam [] ''
- List of TLS key exchange methods.
- '';
-
- mac = mkSpaceSepListParam [] ''
- List of TLS MAC algorithms.
- '';
-
- suites = mkSpaceSepListParam [] ''
- List of TLS cipher suites.
- '';
- };
-
- tnc = {
- libtnccs.tnc_config = mkStrParam "/etc/tnc_config" ''
- TNC IMC/IMV configuration file.
- '';
- };
-}
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
deleted file mode 100644
index 116fb6d00a2..00000000000
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
+++ /dev/null
@@ -1,1111 +0,0 @@
-lib : with (import ./param-constructors.nix lib); {
- addrblock.strict = mkYesNoParam yes ''
- If enabled, a subject certificate without an RFC 3779 address block
- extension is rejected if the issuer certificate has such an addrblock
- extension. If disabled, subject certificates issued without addrblock
- extension are accepted without any traffic selector checks and no policy
- is enforced by the plugin.
- '';
-
- android_log.loglevel = mkIntParam 1 ''
- Loglevel for logging to Android specific logger.
- '';
-
- attr = mkAttrsOfParam (mkCommaSepListParam [] "") ''
- Section to specify arbitrary attributes that are assigned to a peer
- via configuration payload, see attr plugin.
-
- The attribute can be either
- address,
- netmask,
- dns,
- nbns,
- dhcp,
- subnet,
- split-include,
- split-exclude
- or the numeric identifier of the attribute type. The assigned value can be
- an IPv4/IPv6 address, a subnet in CIDR notation or an arbitrary value
- depending on the attribute type. Since some attribute types accept multiple
- values all values must be specified as a list.
- '';
-
- attr-sql.crash_recovery = mkYesNoParam yes ''
- Release all online leases during startup. Disable this to share the DB
- between multiple VPN gateways.
- '';
-
- attr-sql.database = mkOptionalStrParam ''
- Database URI for attr-sql plugin used by charon. If it contains a
- password, make sure to adjust the permissions of the config file
- accordingly.
- '';
-
- attr-sql.lease_history = mkYesNoParam yes ''
- Enable logging of SQL IP pool leases.
- '';
-
- bliss.use_bliss_b = mkYesNoParam yes ''
- Use the enhanced BLISS-B key generation and signature algorithm.
- '';
-
- bypass-lan.interfaces_ignore = mkCommaSepListParam [] ''
- List of network interfaces for which connected subnets
- should be ignored, if interfaces_use is specified this option has no
- effect.
- '';
-
- bypass-lan.interfaces_use = mkCommaSepListParam [] ''
- List of network interfaces for which connected subnets
- should be considered. All other interfaces are ignored.
- '';
-
- certexpire.csv.cron = mkOptionalStrParam ''
- Cron style string specifying CSV export times, see certexpire for
- details.
- '';
-
- certexpire.csv.empty_string = mkOptionalStrParam ''
- String to use in empty intermediate CA fields.
- '';
-
- certexpire.csv.fixed_fields = mkYesNoParam yes ''
- Use a fixed intermediate CA field count.
- '';
-
- certexpire.csv.force = mkYesNoParam yes ''
- Force export of all trustchains we have a private key for.
- '';
-
- certexpire.csv.format = mkStrParam "%d:%m:%Y" ''
- strftime(3) format string to export expiration dates as.
- '';
-
- certexpire.csv.local = mkOptionalStrParam ''
- strftime(3) format string for the CSV file name to export local
- certificates to.
- '';
-
- certexpire.csv.remote = mkOptionalStrParam ''
- strftime(3) format string for the CSV file name to export remote
- certificates to.
- '';
-
- certexpire.csv.separator = mkStrParam "," ''
- CSV field separator.
- '';
-
- coupling.file = mkOptionalStrParam ''
- File to store coupling list to, see certcoupling plugin for details.
- '';
-
- coupling.hash = mkStrParam "sha1" ''
- Hashing algorithm to fingerprint coupled certificates.
- '';
-
- coupling.max = mkIntParam 1 ''
- Maximum number of coupling entries to create.
- '';
-
- curl.redir = mkIntParam (-1) ''
- Maximum number of redirects followed by the plugin, set to 0 to disable
- following redirects, set to -1 for no limit.
- '';
-
- dhcp.force_server_address = mkYesNoParam no ''
- Always use the configured server address, see DHCP plugin for details.
- '';
-
- dhcp.identity_lease = mkYesNoParam no ''
- Derive user-defined MAC address from hash of IKEv2 identity.
- '';
-
- dhcp.interface = mkOptionalStrParam ''
- Interface name the plugin uses for address allocation. The default is to
- bind to any and let the system decide which way to route the packets to
- the DHCP server.
- '';
-
- dhcp.server = mkStrParam "255.255.255.255" ''
- DHCP server unicast or broadcast IP address.
- '';
-
- dnscert.enable = mkYesNoParam no ''
- Enable fetching of CERT RRs via DNS.
- '';
-
- duplicheck.enable = mkYesNoParam yes ''
- Enable duplicheck plugin (if loaded).
- '';
-
- duplicheck.socket = mkStrParam "unix://\${piddir}/charon.dck" ''
- Socket provided by the duplicheck plugin.
- '';
-
- eap-aka.request_identity = mkYesNoParam yes "";
-
- eap-aka-3ggp2.seq_check = mkOptionalStrParam ''
- Enable to activate sequence check of the AKA SQN values in order to trigger
- resync cycles.
- '';
-
- eap-dynamic.prefer_user = mkYesNoParam no ''
- If enabled, the eap-dynamic plugin will prefer the order of the EAP
- methods in an EAP-Nak message sent by a client over the one configured
- locally.
- '';
-
- eap-dynamic.preferred = mkCommaSepListParam [] ''
- The preferred EAP method(s) to be used by the eap-dynamic plugin. If it is
- not set, the first registered method will be used initially. The methods
- are tried in the given order before trying the rest of the registered
- methods.
- '';
-
- eap-gtc.backend = mkStrParam "pam" ''
- XAuth backend to be used for credential verification, see EAP-GTC.
- '';
-
- eap-peap.fragment_size = mkIntParam 1024 ''
- Maximum size of an EAP-PEAP packet.
- '';
-
- eap-peap.max_message_count = mkIntParam 32 ''
- Maximum number of processed EAP-PEAP packets.
- '';
-
- eap-peap.include_length = mkYesNoParam no ''
- Include length in non-fragmented EAP-PEAP packets.
- '';
-
- eap-peap.phase2_method = mkStrParam "mschapv2" ''
- Phase2 EAP client authentication method.
- '';
-
- eap-peap.phase2_piggyback = mkYesNoParam no ''
- Phase2 EAP Identity request piggybacked by server onto TLS Finished
- message.
- '';
-
- eap-peap.phase2_tnc = mkYesNoParam no ''
- Start phase2 EAP-TNC protocol after successful client authentication.
- '';
-
- eap-peap.request_peer_auth = mkYesNoParam no ''
- Request peer authentication based on a client certificate.
- '';
-
- eap-radius.accounting = mkYesNoParam no ''
- Enable EAP-RADIUS accounting.
- '';
-
- eap-radius.accounting_close_on_timeout = mkYesNoParam yes ''
- Close the IKE_SA if there is a timeout during interim RADIUS accounting
- updates.
- '';
-
- eap-radius.accounting_interval = mkIntParam 0 ''
- Interval in seconds for interim RADIUS accounting updates, if not
- specified by the RADIUS server in the Access-Accept message.
- '';
-
- eap-radius.accounting_requires_vip = mkYesNoParam no ''
- If enabled, accounting is disabled unless an IKE_SA has at least one
- virtual IP.
- '';
-
- eap-radius.accounting_send_class = mkYesNoParam no ''
- If enabled, adds the Class attributes received in Access-Accept
- message to the RADIUS accounting messages.
- '';
-
- eap-radius.class_group = mkYesNoParam no ''
- Use the class attribute sent in the Access-Accept message as group
- membership information, see EapRadius.
- '';
-
- eap-radius.close_all_on_timeout = mkYesNoParam no ''
- Closes all IKE_SAs if communication with the RADIUS server times out. If
- it is not set only the current IKE_SA is closed.
- '';
-
- eap-radius.dae.enable = mkYesNoParam no ''
- Enables support for the Dynamic Authorization Extension (RFC 5176).
- '';
-
- eap-radius.dae.listen = mkStrParam "0.0.0.0" ''
- Address to listen for DAE messages from the RADIUS server.
- '';
-
- eap-radius.dae.port = mkIntParam 3799 ''
- Port to listen for DAE requests.
- '';
-
- eap-radius.dae.secret = mkOptionalStrParam ''
- Shared secret used to verify/sign DAE messages.If set, make sure to
- adjust the permissions of the config file accordingly.
- '';
-
- eap-radius.eap_start = mkYesNoParam no ''
- Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
- '';
-
- eap-radius.filter_id = mkYesNoParam no ''
- Use the filter_id attribute sent in the RADIUS-Accept message as group
- membership if the RADIUS tunnel_type attribute is set to ESP.
- '';
-
- eap-radius.forward.ike_to_radius = mkOptionalStrParam ''
- RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined
- by name or attribute number, a colon can be used to specify
- vendor-specific attributes, e.g. Reply-Message, or 11, or 36906:12).
- '';
-
- eap-radius.forward.radius_to_ike = mkOptionalStrParam ''
- Same as above but from RADIUS to IKEv2, a strongSwan specific private
- notify (40969) is used to transmit the attributes.
- '';
-
- eap-radius.id_prefix = mkOptionalStrParam ''
- Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
- EAP method.
- '';
-
- eap-radius.nas_identifier = mkStrParam "strongSwan" ''
- NAS-Identifier to include in RADIUS messages.
- '';
-
- eap-radius.port = mkIntParam 1812 ''
- Port of RADIUS server (authentication).
- '';
-
- eap-radius.retransmit_base = mkFloatParam "1.4" ''
- Base to use for calculating exponential back off.
- '';
-
- eap-radius.retransmit_timeout = mkFloatParam "2.0" ''
- Timeout in seconds before sending first retransmit.
- '';
-
- eap-radius.retransmit_tries = mkIntParam 4 ''
- Number of times to retransmit a packet before giving up.
- '';
-
- eap-radius.secret = mkOptionalStrParam ''
- Shared secret between RADIUS and NAS. If set, make sure to adjust the
- permissions of the config file accordingly.
- '';
-
- eap-radius.server = mkOptionalStrParam ''
- IP/Hostname of RADIUS server.
- '';
-
- eap-radius.servers = mkAttrsOfParams {
- nas_identifier = mkStrParam "strongSwan" ''
- The nas_identifer (default: strongSwan) identifies the gateway against the
- RADIUS server and allows it to enforce a policy, for example.
- '';
-
- secret = mkOptionalStrParam "";
-
- sockets = mkIntParam 1 ''
- The number of pre-allocated sockets to use. A value of 5 allows the
- gateway to authentication 5 clients simultaneously over RADIUS.
- '';
-
- auth_port = mkIntParam 1812 ''
- RADIUS UDP port
- '';
-
- address = mkOptionalStrParam ''
- The server's IP/Hostname.
- '';
-
- acct_port = mkIntParam 1813 ''
- Accounting port.
- '';
-
- preference = mkIntParam 0 ''
- With the preference paramter of a server, priorities for specific servers
- can be defined. This allows to use a secondary RADIUS server only if the
- first gets unresponsive, or if it is overloaded.
- '';
- } ''Section to specify multiple RADIUS servers, see EapRadius.'';
-
- eap-radius.sockets = mkIntParam 1 ''
- Number of sockets (ports) to use, increase for high load.
- '';
-
- eap-radius.xauth = mkAttrsOfParams {
- nextpin = mkOptionalStrParam "";
- password = mkOptionalStrParam "";
- passcode = mkOptionalStrParam "";
- answer = mkOptionalStrParam "";
- } ''
- Section to configure multiple XAuth authentication rounds via RADIUS.
- '';
-
- eap-sim.request_identity = mkYesNoParam yes "";
-
- eap-simaka-sql.database = mkOptionalStrParam "";
-
- eap-simaka-sql.remove_used = mkOptionalStrParam "";
-
- eap-tls.fragment_size = mkIntParam 1024 ''
- Maximum size of an EAP-TLS packet.
- '';
-
- eap-tls.include_length = mkYesNoParam yes ''
- Include length in non-fragmented EAP-TLS packets.
- '';
-
- eap-tls.max_message_count = mkIntParam 32 ''
- Maximum number of processed EAP-TLS packets (0 = no limit).
- '';
-
- eap-tnc.max_message_count = mkIntParam 10 ''
- Maximum number of processed EAP-TNC packets (0 = no limit).
- '';
-
- eap-tnc.protocol = mkStrParam "tnccs-2.0" ''
- IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
- tnccs-dynamic).
- '';
-
- eap-ttls.fragment_size = mkIntParam 1024 ''
- Maximum size of an EAP-TTLS packet.
- '';
-
- eap-ttls.include_length = mkYesNoParam yes ''
- Include length in non-fragmented EAP-TTLS packets.
- '';
-
- eap-ttls.max_message_count = mkIntParam 32 ''
- Maximum number of processed EAP-TTLS packets (0 = no limit).
- '';
-
- eap-ttls.phase2_method = mkStrParam "md5" ''
- Phase2 EAP client authentication method.
- '';
-
- eap-ttls.phase2_piggyback = mkYesNoParam no ''
- Phase2 EAP Identity request piggybacked by server onto TLS Finished
- message.
- '';
-
- eap-ttls.phase2_tnc = mkYesNoParam no ''
- Start phase2 EAP TNC protocol after successful client authentication.
- '';
-
- eap-ttls-phase2_tnc_method = mkEnumParam ["pt" "legacy"] "pt" ''
- Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc)
- '';
-
- eap-ttls.request_peer_auth = mkYesNoParam no ''
- Request peer authentication based on a client certificate.
- '';
-
- error-notify.socket = mkStrParam "unix://\${piddir}/charon.enfy" ''
- Socket provided by the error-notify plugin.
- '';
-
- ext-auth.script = mkOptionalStrParam ''
- Shell script to invoke for peer authorization (see ext-auth).
- '';
-
- gcrypt.quick_random = mkYesNoParam no ''
- Use faster random numbers in gcrypt. For testing only, produces weak
- keys!
- '';
-
- ha.autobalance = mkIntParam 0 ''
- Interval in seconds to automatically balance handled segments between
- nodes. Set to 0 to disable.
- '';
-
- ha.buflen = mkIntParam 2048 ''
- Buffer size for received HA messages. For IKEv1 the public DH factors are
- also transmitted so depending on the DH group the HA messages can get quite
- big (the default should be fine up to modp4096).
- '';
-
- ha.fifo_interface = mkYesNoParam yes "";
-
- ha.heartbeat_delay = mkIntParam 1000 "";
-
- ha.heartbeat_timeout = mkIntParam 2100 "";
-
- ha.local = mkOptionalIntParam "";
-
- ha.monitor = mkYesNoParam yes "";
-
- ha.pools = mkOptionalStrParam "";
-
- ha.remote = mkOptionalStrParam "";
-
- ha.resync = mkYesNoParam yes "";
-
- ha.secret = mkOptionalStrParam "";
-
- ha.segment_count = mkIntParam 1 "";
-
- ipseckey.enable = mkYesNoParam no ''
- Enable fetching of IPSECKEY RRs via DNS.
- '';
-
- kernel-libipsec.allow_peer_ts = mkYesNoParam no ''
- Allow that the remote traffic selector equals the IKE peer (see
- kernel-libipsec for details).
- '';
-
- kernel-netlink.buflen = mkOptionalIntParam ''
- Buffer size for received Netlink messages. Defaults to
- min(PAGE_SIZE, 8192).
- '';
-
- kernel-netlink.force_receive_buffer_size = mkYesNoParam no ''
- If the maximum Netlink socket receive buffer in bytes set by
- receive_buffer_size exceeds the system-wide maximum from
- /proc/sys/net/core/rmem_max, this option can be used to
- override the limit. Enabling this option requires special privileges
- (CAP_NET_ADMIN).
- '';
-
- kernel-netlink.fwmark = mkOptionalStrParam ''
- Firewall mark to set on the routing rule that directs traffic to our own
- routing table. The format is [!]mark[/mask], where the
- optional exclamation mark inverts the meaning (i.e. the rule only applies to
- packets that don't match the mark). A possible use case are host-to-host
- tunnels with kernel-libipsec. When set to !<mark> a more efficient
- lookup for source and next-hop addresses may also be used since 5.3.3.
- '';
-
- kernel-netlink.mss = mkIntParam 0 ''
- MSS to set on installed routes, 0 to disable.
- '';
-
- kernel-netlink.mtu = mkIntParam 0 ''
- MTU to set on installed routes, 0 to disable.
- '';
-
- kernel-netlink.process_rules = mkYesNoParam no ''
- Whether to process changes in routing rules to trigger roam events. This is
- currently only useful if the kernel based route lookup is used (i.e. if
- route installation is disabled or an inverted fwmark match is configured).
- '';
-
- kernel-netlink.receive_buffer_size = mkIntParam 0 ''
- Maximum Netlink socket receive buffer in bytes. This value controls how many
- bytes of Netlink messages can be received on a Netlink socket. The default
- value is set by /proc/sys/net/core/rmem_default. The
- specified value cannot exceed the system-wide maximum from
- /proc/sys/net/core/rmem_max, unless
- is enabled.
- '';
-
- kernel-netlink.roam_events = mkYesNoParam yes ''
- Whether to trigger roam events when interfaces, addresses or routes
- change.
- '';
-
- kernel-netlink.set_proto_port_transport_sa = mkYesNoParam no ''
- Whether to set protocol and ports in the selector installed on transport
- mode IPsec SAs in the kernel. While doing so enforces policies for
- inbound traffic, it also prevents the use of a single IPsec SA by more
- than one traffic selector.
- '';
-
- kernel-netlink.spdh_thresh.ipv4.lbits = mkIntParam 32 ''
- Local subnet XFRM policy hashing threshold for IPv4.
- '';
-
- kernel-netlink.spdh_thresh.ipv4.rbits = mkIntParam 32 ''
- Remote subnet XFRM policy hashing threshold for IPv4.
- '';
-
- kernel-netlink.spdh_thresh.ipv6.lbits = mkIntParam 128 ''
- Local subnet XFRM policy hashing threshold for IPv6.
- '';
-
- kernel-netlink.spdh_thresh.ipv6.rbits = mkIntParam 128 ''
- Remote subnet XFRM policy hashing threshold for IPv6.
- '';
-
- kernel-netlink.xfrm_acq_expires = mkIntParam 165 ''
- Lifetime of XFRM acquire state created by the kernel when traffic matches a
- trap policy. The value gets written to
- /proc/sys/net/core/xfrm_acq_expires. Indirectly controls
- the delay between XFRM acquire messages triggered by the kernel for a trap
- policy. The same value is used as timeout for SPIs allocated by the
- kernel. The default value equals the default total retransmission timeout
- for IKE messages (since 5.5.3 this value is determined dynamically based on
- the configuration).
- '';
-
- kernel-pfkey.events_buffer_size = mkIntParam 0 ''
- Size of the receive buffer for the event socket (0 for default
- size). Because events are received asynchronously installing e.g. lots
- of policies may require a larger buffer than the default on certain
- platforms in order to receive all messages.
- '';
-
- kernel-pfroute.vip_wait = mkIntParam 1000 ''
- Time in ms to wait until virtual IP addresses appear/disappear before
- failing.
- '';
-
- led.activity_led = mkOptionalStrParam "";
-
- led.blink_time = mkIntParam 50 "";
-
- load-tester = {
- addrs = mkAttrsOfParam (mkOptionalStrParam "") ''
- Section that contains key/value pairs with address pools (in CIDR
- notation) to use for a specific network interface e.g.
- eth0 = 10.10.0.0/16.
- '';
-
- addrs_keep = mkYesNoParam no ''
- Whether to keep dynamic addresses even after the associated SA got
- terminated.
- '';
-
- addrs_prefix = mkIntParam 16 ''
- Network prefix length to use when installing dynamic addresses.
- If set to -1 the full address is used (i.e. 32 or 128).
- '';
-
- ca_dir = mkOptionalStrParam ''
- Directory to load (intermediate) CA certificates from.
- '';
-
- child_rekey = mkIntParam 600 ''
- Seconds to start CHILD_SA rekeying after setup.
- '';
-
- crl = mkOptionalStrParam ''
- URI to a CRL to include as certificate distribution point in generated
- certificates.
- '';
-
- delay = mkIntParam 0 ''
- Delay between initiatons for each thread.
- '';
-
- delete_after_established = mkYesNoParam no ''
- Delete an IKE_SA as soon as it has been established.
- '';
-
- digest = mkStrParam "sha1" ''
- Digest algorithm used when issuing certificates.
- '';
-
- dpd_delay = mkIntParam 0 ''
- DPD delay to use in load test.
- '';
-
- dynamic_port = mkIntParam 0 ''
- Base port to be used for requests (each client uses a different port).
- '';
-
- eap_password = mkStrParam "default-pwd" ''
- EAP secret to use in load test.
- '';
-
- enable = mkYesNoParam no ''
- Enable the load testing plugin. **WARNING**: Never enable this plugin on
- productive systems. It provides preconfigured credentials and allows an
- attacker to authenticate as any user.
- '';
-
- esp = mkStrParam "aes128-sha1" ''
- CHILD_SA proposal to use for load tests.
- '';
-
- fake_kernel = mkYesNoParam no ''
- Fake the kernel interface to allow load-testing against self.
- '';
-
- ike_rekey = mkIntParam 0 ''
- Seconds to start IKE_SA rekeying after setup.
- '';
-
- init_limit = mkIntParam 0 ''
- Global limit of concurrently established SAs during load test.
- '';
-
- initiator = mkStrParam "0.0.0.0" ''
- Address to initiate from.
- '';
-
- initiators = mkIntParam 0 ''
- Number of concurrent initiator threads to use in load test.
- '';
-
- initiator_auth = mkStrParam "pubkey" ''
- Authentication method(s) the intiator uses.
- '';
-
- initiator_id = mkOptionalStrParam ''
- Initiator ID used in load test.
- '';
-
- initiator_match = mkOptionalStrParam ''
- Initiator ID to match against as responder.
- '';
-
- initiator_tsi = mkOptionalStrParam ''
- Traffic selector on initiator side, as proposed by initiator.
- '';
-
- initiator_tsr = mkOptionalStrParam ''
- Traffic selector on responder side, as proposed by initiator.
- '';
-
- iterations = mkIntParam 1 ''
- Number of IKE_SAs to initiate by each initiator in load test.
- '';
-
- issuer_cert = mkOptionalStrParam ''
- Path to the issuer certificate (if not configured a hard-coded default
- value is used).
- '';
-
- issuer_key = mkOptionalStrParam ''
- Path to private key that is used to issue certificates (if not configured
- a hard-coded default value is used).
- '';
-
- mode = mkEnumParam ["tunnel" "transport" "beet"] "tunnel" ''
- IPsec mode to use.
- '';
-
- pool = mkOptionalStrParam ''
- Provide INTERNAL_IPV4_ADDRs from a named pool.
- '';
-
- preshared_key = mkStrParam "" ''
- Preshared key to use in load test.
- '';
-
- proposal = mkStrParam "aes128-sha1-modp768" ''
- IKE proposal to use in load test.
- '';
-
- responder = mkStrParam "127.0.0.1" ''
- Address to initiation connections to.
- '';
-
- responder_auth = mkStrParam "pubkey" ''
- Authentication method(s) the responder uses.
- '';
-
- responder_id = mkOptionalStrParam ''
- Responder ID used in load test.
- '';
-
- responder_tsi = mkStrParam "initiator_tsi" ''
- Traffic selector on initiator side, as narrowed by responder.
- '';
-
- responder_tsr = mkStrParam "initiator_tsr" ''
- Traffic selector on responder side, as narrowed by responder.
- '';
-
- request_virtual_ip = mkYesNoParam no ''
- Request an INTERNAL_IPV4_ADDR from the server.
- '';
-
- shutdown_when_complete = mkYesNoParam no ''
- Shutdown the daemon after all IKE_SAs have been established.
- '';
-
- socket = mkStrParam "unix://\\\${piddir}/charon.ldt" ''
- Socket provided by the load-tester plugin.
- '';
-
- version = mkIntParam 0 ''
- IKE version to use (0 means use IKEv2 as initiator and accept any version
- as responder).
- '';
- };
-
- lookip.socket = mkStrParam "unix://\\\${piddir}/charon.lkp" ''
- Socket provided by the lookip plugin.
- '';
-
- ntru.max_drbg_requests = mkIntParam 4294967294 ''
- Number of pseudo-random bit requests from the DRBG before an automatic
- reseeding occurs.
- '';
-
- ntru.parameter_set =
- mkEnumParam ["x9_98_speed" "x9_98_bandwidth" "x9_98_balance" "optimum"] "optimum" ''
- The following parameter sets are available:
- x9_98_speed, x9_98_bandwidth,
- x9_98_balance and optimum, the last
- set not being part of the X9.98 standard but having the best performance.
- '';
-
- openssl.engine_id = mkStrParam "pkcs11" ''
- ENGINE ID to use in the OpenSSL plugin.
- '';
-
- openssl.fips_mode = mkIntParam 0 ''
- Set OpenSSL FIPS mode:
-
- disabled (0),
- enabled (1),
- Suite B enabled (2).
-
- Defaults to the value configured with the
- --with-fips-mode option.
-
- '';
-
- osx-attr.append = mkYesNoParam yes ''
- Whether DNS servers are appended to existing entries, instead of
- replacing them.
- '';
-
- pkcs11.load_certs = mkYesNoParam yes ''
- Whether to load certificates from tokens.
- '';
-
- pkcs11.modules = mkAttrsOfParams {
- path = mkOptionalStrParam ''
- Full path to the shared object file of this PKCS#11 module
- '';
-
- os_locking = mkYesNoParam no ''
- Whether OS locking should be enabled for this module
- '';
-
- load_certs = mkYesNoParam no ''
- Whether the PKCS#11 modules should load certificates from tokens (since 5.0.2)
- '';
- } ''
- List of available PKCS#11 modules, see SmartCardsIKEv2.
- '';
-
- pkcs11.reload_certs = mkYesNoParam no ''
- Reload certificates from all tokens if charon receives a SIGHUP.
- '';
-
- pkcs11.use_dh = mkYesNoParam no ''
- Whether the PKCS#11 modules should be used for DH and ECDH.
- '';
-
- pkcs11.use_ecc = mkYesNoParam no ''
- Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
- operations. ECDSA private keys are used regardless of this option.
- '';
-
- pkcs11.use_hasher = mkYesNoParam no ''
- Whether the PKCS#11 modules should be used to hash data.
- '';
-
- pkcs11.use_pubkey = mkYesNoParam no ''
- Whether the PKCS#11 modules should be used for public key operations,
- even for keys not stored on tokens.
- '';
-
- pkcs11.use_rng = mkYesNoParam no ''
- Whether the PKCS#11 modules should be used as RNG.
- '';
-
- radattr.dir = mkOptionalStrParam ''
- Directory where RADIUS attributes are stored in client-ID specific
- files, see radattr.
- '';
-
- radattr.message_id = mkIntParam (-1) ''
- RADIUS attributes are added to all IKE_AUTH messages by default (-1), or
- only to the IKE_AUTH message with the given IKEv2 message ID.
- '';
-
- random.random = mkStrParam "/dev/random" ''
- File to read random bytes from.
- '';
-
- random.urandom = mkStrParam "/dev/urandom" ''
- File to read pseudo random bytes from.
- '';
-
- random.strong_equals_true = mkYesNoParam no ''
- If enabled the RNG_STRONG class reads random bytes from the same source
- as the RNG_TRUE class.
- '';
-
- resolve.file = mkStrParam "/etc/resolv.conf" ''
- File used by the resolve plugin to write DNS server entries to.
- '';
-
- resolve.resolvconf.iface_prefix = mkStrParam "lo.inet.ipsec." ''
- Prefix used by the resolve plugin for interface names sent to
- resolvconf(8). The name server address is appended to this prefix to
- make it unique. The result has to be a valid interface name according to
- the rules defined by resolvconf. Also, it should have a high priority
- according to the order defined in interface-order(5).
- '';
-
- revocation.enable_crl = mkYesNoParam yes ''
- Whether CRL validation should be enabled.
- '';
-
- revocation.enable_ocsp = mkYesNoParam yes ''
- Whether OCSP validation should be enabled.
- '';
-
- save-keys.load = mkYesNoParam no ''
- Whether to load the plugin.
- '';
-
- save-keys.esp = mkYesNoParam no ''
- Whether to save ESP keys.
- '';
-
- save-keys.ike = mkYesNoParam no ''
- Whether to save IKE keys.
- '';
-
- save-keys.wireshark_keys = mkOptionalStrParam ''
- Directory where the keys are stored in the format supported by Wireshark.
- IKEv1 keys are stored in the ikev1_decryption_table file.
- IKEv2 keys are stored in the ikev2_decryption_table file.
- Keys for ESP CHILD_SAs are stored in the esp_sa file.
- '';
-
- socket-default.fwmark = mkOptionalStrParam ''
- Firewall mark to set on outbound packets (a possible use case are
- host-to-host tunnels with kernel-libipsec).
- '';
-
- socket-default.set_source = mkYesNoParam yes ''
- Set source address on outbound packets, if possible.
- '';
-
- socket-default.set_sourceif = mkYesNoParam no ''
- Force sending interface on outbound packets, if possible. This allows
- using IPv6 link-local addresses as tunnel endpoints.
- '';
-
- socket-default.use_ipv4 = mkYesNoParam yes ''
- Listen on IPv4, if possible.
- '';
-
- socket-default.use_ipv6 = mkYesNoParam yes ''
- Listen on IPv6, if possible.
- '';
-
- sql.database = mkOptionalStrParam ''
- Database URI for charon's SQL plugin. If it contains a password, make
- sure to adjust the permissions of the config file accordingly.
- '';
-
- sql.loglevel = mkIntParam (-1) ''
- Loglevel for logging to SQL database.
- '';
-
- stroke.allow_swap = mkYesNoParam yes ''
- Analyze addresses/hostnames in left/right to detect which side is local
- and swap configuration options if necessary. If disabled left is always
- local.
- '';
-
- stroke.ignore_missing_ca_basic_constraint = mkYesNoParam no ''
- Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
- certificates even if they don't contain a CA basic constraint.
- '';
-
- stroke.max_concurrent = mkIntParam 4 ''
- Maximum number of stroke messages handled concurrently.
- '';
-
- stroke.secrets_file = mkStrParam "\${sysconfdir}/ipsec.secrets" ''
- Location of the ipsec.secrets file.
- '';
-
- stroke.socket = mkStrParam "unix://\${piddir}/charon.ctl" ''
- Socket provided by the stroke plugin.
- '';
-
- stroke.timeout = mkIntParam 0 ''
- Timeout in ms for any stroke command. Use 0 to disable the timeout.
- '';
-
- systime-fix.interval = mkIntParam 0 ''
- Interval in seconds to check system time for validity. 0 disables the
- check. See systime-fix plugin.
- '';
-
- systime-fix.reauth = mkYesNoParam no ''
- Whether to use reauth or delete if an invalid cert lifetime is detected.
- '';
-
- systime-fix.threshold = mkOptionalStrParam ''
- Threshold date where system time is considered valid. Disabled if not
- specified.
- '';
-
- systime-fix.threshold_format = mkStrParam "%Y" ''
- strptime(3) format used to parse threshold option.
- '';
-
- systime-fix.timeout = mkDurationParam "0s" ''
- How long to wait for a valid system time if an interval is
- configured. 0 to recheck indefinitely.
- '';
-
- tnc-ifmap.client_cert = mkOptionalStrParam ''
- Path to X.509 certificate file of IF-MAP client.
- '';
-
- tnc-ifmap.client_key = mkOptionalStrParam ''
- Path to private key file of IF-MAP client.
- '';
-
- tnc-ifmap.device_name = mkOptionalStrParam ''
- Unique name of strongSwan server as a PEP and/or PDP device.
- '';
-
- tnc-ifmap.renew_session_interval = mkIntParam 150 ''
- Interval in seconds between periodic IF-MAP RenewSession requests.
- '';
-
- tnc-ifmap.server_cert = mkOptionalStrParam ''
- Path to X.509 certificate file of IF-MAP server.
- '';
-
- tnc-ifmap.server_uri = mkStrParam "https://localhost:8444/imap" ''
- URI of the form [https://]servername[:port][/path].
- '';
-
- tnc-ifmap.username_password = mkOptionalStrParam ''
- Credentials of IF-MAP client of the form
- username:password. If set, make sure to adjust the
- permissions of the config file accordingly.
- '';
-
- tnc-imc.dlcose = mkYesNoParam yes ''
- Unload IMC after use.
- '';
-
- tnc-imc.preferred_language = mkStrParam "en" ''
- Preferred language for TNC recommendations.
- '';
-
- tnc-imv.dlcose = mkYesNoParam yes ''
- Unload IMV after use.
- '';
-
- tnc-imv.recommendation_policy = mkEnumParam ["default" "any" "all"] "default" ''
- default TNC recommendation policy.
- '';
-
- tnc-pdp.pt_tls.enable = mkYesNoParam yes ''
- Enable PT-TLS protocol on the strongSwan PDP.
- '';
-
- tnc-pdp.pt_tls.port = mkIntParam 271 ''
- PT-TLS server port the strongSwan PDP is listening on.
- '';
-
- tnc-pdp.radius.enable = mkYesNoParam yes ''
- Enable RADIUS protocol on the strongSwan PDP.
- '';
-
- tnc-pdp.radius.method = mkStrParam "ttls" ''
- EAP tunnel method to be used.
- '';
-
- tnc-pdp.radius.port = mkIntParam 1812 ''
- RADIUS server port the strongSwan PDP is listening on.
- '';
-
- tnc-pdp.radius.secret = mkOptionalStrParam ''
- Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure
- to adjust the permissions of the config file accordingly.
- '';
-
- tnc-pdp.server = mkOptionalStrParam ''
- Name of the strongSwan PDP as contained in the AAA certificate.
- '';
-
- tnc-pdp.timeout = mkOptionalIntParam ''
- Timeout in seconds before closing incomplete connections.
- '';
-
- tnccs-11.max_message_size = mkIntParam 45000 ''
- Maximum size of a PA-TNC message (XML & Base64 encoding).
- '';
-
- tnccs-20.max_batch_size = mkIntParam 65522 ''
- Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
- '';
-
- tnccs-20.max_message_size = mkIntParam 65490 ''
- Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
- '';
-
- tnccs-20.mutual = mkYesNoParam no ''
- Enable PB-TNC mutual protocol.
- '';
-
- tpm.use_rng = mkYesNoParam no ''
- Whether the TPM should be used as RNG.
- '';
-
- unbound.dlv_anchors = mkOptionalStrParam ''
- File to read trusted keys for DLV from. It uses the same format as
- . Only one DLV can be configured, which is
- then used as a root trusted DLV, this means that it is a lookaside for the
- root.
- '';
-
- unbound.resolv_conf = mkStrParam "/etc/resolv.conf" ''
- File to read DNS resolver configuration from.
- '';
-
- unbound.trust_anchors = mkStrParam "/etc/ipsec.d/dnssec.keys" ''
- File to read DNSSEC trust anchors from (usually root zone KSK). The
- format of the file is the standard DNS Zone file format, anchors can be
- stored as DS or DNSKEY entries in the file.
- '';
-
- updown.dns_handler = mkYesNoParam no ''
- Whether the updown script should handle DNS servers assigned via IKEv1
- Mode Config or IKEv2 Config Payloads (if enabled they can't be handled
- by other plugins, like resolve).
- '';
-
- vici.socket = mkStrParam "unix://\${piddir}/charon.vici" ''
- Socket the vici plugin serves clients.
- '';
-
- whitelist.enable = mkYesNoParam yes ''
- Enable loaded whitelist plugin.
- '';
-
- whitelist.socket = mkStrParam "unix://\${piddir}/charon.wlst" ''
- Socket provided by the whitelist plugin.
- '';
-
- xauth-eap.backend = mkStrParam "radius" ''
- EAP plugin to be used as backend for XAuth credential verification, see
- XAuthEAP.
- '';
-
- xauth-pam.pam_service = mkStrParam "login" ''
- PAM service to be used for authentication, see XAuthPAM.
- '';
-
- xauth-pam.session = mkYesNoParam no ''
- Open/close a PAM session for each active IKE_SA.
- '';
-
- xauth-pam.trim_email = mkYesNoParam yes ''
- If an email address is given as an XAuth username, trim it to just the
- username part.
- '';
-}
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-libimcv-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-libimcv-params.nix
deleted file mode 100644
index 2ca2c9c396e..00000000000
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-libimcv-params.nix
+++ /dev/null
@@ -1,291 +0,0 @@
-lib : with (import ./param-constructors.nix lib); {
- debug_level = mkIntParam 1 ''
- Debug level for a stand-alone libimcv library.
- '';
-
- load = mkSpaceSepListParam ["random" "nonce" "gmp" "pubkey" "x509"] ''
- Plugins to load in IMC/IMVs with stand-alone libimcv library.
- '';
-
- stderr_quiet = mkYesNoParam no ''
- Disable the output to stderr with a stand-alone libimcv library.
- '';
-
- swid_gen = {
- command = mkStrParam "/usr/local/bin/swid_generator" ''
- SWID generator command to be executed.
- '';
-
- tag_creator = {
- name = mkStrParam "strongSwan Project" ''
- Name of the tagCreator entity.
- '';
-
- regid = mkStrParam "strongswan.org" ''
- regid of the tagCreator entity.
- '';
- };
- };
-
- plugins = {
-
- imc-attestation = {
- aik_blob = mkOptionalStrParam ''
- AIK encrypted private key blob file.
- '';
-
- aik_cert = mkOptionalStrParam ''
- AIK certificate file.
- '';
-
- aik_handle = mkOptionalStrParam ''
- AIK object handle, e.g. 0x81010003.
- '';
-
- aik_pubkey = mkOptionalStrParam ''
- AIK public key file.
- '';
-
- mandatory_dh_groups = mkYesNoParam yes ''
- Enforce mandatory Diffie-Hellman groups
- '';
-
- nonce_len = mkIntParam 20 ''
- DH nonce length.
- '';
-
- pcr_info = mkYesNoParam no ''
- Whether to send pcr_before and pcr_after info.
- '';
-
- use_quote2 = mkYesNoParam yes ''
- Use Quote2 AIK signature instead of Quote signature.
- '';
-
- use_version_info = mkYesNoParam no ''
- Version Info is included in Quote2 signature.
- '';
- };
-
- imc-hcd.push_info = mkYesNoParam yes ''
- Send quadruple info without being prompted.
- '';
-
- imc-hcd.subtypes = let
- imcHcdSubtypeParams = let
- softwareParams = mkAttrsOfParams {
- name = mkOptionalStrParam ''
- Name of the software installed on the hardcopy device.
- '';
-
- patches = mkOptionalStrParam ''
- String describing all patches applied to the given software on this
- hardcopy device. The individual patches are separated by a newline
- character '\\n'.
- '';
-
- string_version = mkOptionalStrParam ''
- String describing the version of the given software on this hardcopy device.
- '';
-
- version = mkOptionalStrParam ''
- Hex-encoded version string with a length of 16 octets consisting of
- the fields major version number (4 octets), minor version number (4
- octets), build number (4 octets), service pack major number (2
- octets) and service pack minor number (2 octets).
- '';
- } ''
- Defines a software section having an arbitrary name.
- '';
- in {
- firmware = softwareParams;
- resident_application = softwareParams;
- user_application = softwareParams;
- attributes_natural_language = mkStrParam "en" ''
- Variable length natural language tag conforming to RFC 5646 specifies
- the language to be used in the health assessment message of a given
- subtype.
- '';
- };
- in {
- system = imcHcdSubtypeParams // {
- certification_state = mkOptionalStrParam ''
- Hex-encoded certification state.
- '';
-
- configuration_state = mkOptionalStrParam ''
- Hex-encoded configuration state.
- '';
-
- machine_type_model = mkOptionalStrParam ''
- String specifying the machine type and model of the hardcopy device.
- '';
-
- pstn_fax_enabled = mkYesNoParam no ''
- Specifies if a PSTN facsimile interface is installed and enabled on the
- hardcopy device.
- '';
-
- time_source = mkOptionalStrParam ''
- String specifying the hostname of the network time server used by the
- hardcopy device.
- '';
-
- user_application_enabled = mkYesNoParam no ''
- Specifies if users can dynamically download and execute applications on
- the hardcopy device.
- '';
-
- user_application_persistence_enabled = mkYesNoParam no ''
- Specifies if user dynamically downloaded applications can persist outside
- the boundaries of a single job on the hardcopy device.
- '';
-
- vendor_name = mkOptionalStrParam ''
- String specifying the manufacturer of the hardcopy device.
- '';
-
- vendor_smi_code = mkOptionalIntParam ''
- Integer specifying the globally unique 24-bit SMI code assigned to the
- manufacturer of the hardcopy device.
- '';
- };
- control = imcHcdSubtypeParams;
- marker = imcHcdSubtypeParams;
- finisher = imcHcdSubtypeParams;
- interface = imcHcdSubtypeParams;
- scanner = imcHcdSubtypeParams;
- };
-
- imc-os = {
- device_cert = mkOptionalStrParam ''
- Manually set the path to the client device certificate
- (e.g. /etc/pts/aikCert.der)
- '';
-
- device_id = mkOptionalStrParam ''
- Manually set the client device ID in hexadecimal format
- (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
- '';
-
- device_pubkey = mkOptionalStrParam ''
- Manually set the path to the client device public key
- (e.g. /etc/pts/aikPub.der)
- '';
-
- push_info = mkYesNoParam yes ''
- Send operating system info without being prompted.
- '';
- };
-
- imc-scanner.push_info = mkYesNoParam yes ''
- Send open listening ports without being prompted.
- '';
-
- imc-swid = {
- swid_full = mkYesNoParam no ''
- Include file information in the XML-encoded SWID tags.
- '';
-
- swid_pretty = mkYesNoParam no ''
- Generate XML-encoded SWID tags with pretty indentation.
- '';
-
- swid_directory = mkStrParam "\${prefix}/share" ''
- Directory where SWID tags are located.
- '';
- };
-
- imc-swima = {
- eid_epoch = mkHexParam "0x11223344" ''
- Set 32 bit epoch value for event IDs manually if software collector
- database is not available.
- '';
-
- swid_database = mkOptionalStrParam ''
- URI to software collector database containing event timestamps, software
- creation and deletion events and collected software identifiers. If it
- contains a password, make sure to adjust the permissions of the config
- file accordingly.
- '';
-
- swid_directory = mkStrParam "\${prefix}/share" ''
- Directory where SWID tags are located.
- '';
-
- swid_pretty = mkYesNoParam no ''
- Generate XML-encoded SWID tags with pretty indentation.
- '';
-
- swid_full = mkYesNoParam no ''
- Include file information in the XML-encoded SWID tags.
- '';
- };
-
- imc-test = {
- additional_ids = mkIntParam 0 ''
- Number of additional IMC IDs.
- '';
-
- command = mkStrParam "none" ''
- Command to be sent to the Test IMV.
- '';
-
- dummy_size = mkIntParam 0 ''
- Size of dummy attribute to be sent to the Test IMV (0 = disabled).
- '';
-
- retry = mkYesNoParam no ''
- Do a handshake retry.
- '';
-
- retry_command = mkOptionalStrParam ''
- Command to be sent to the IMV Test in the handshake retry.
- '';
- };
-
- imv-attestation = {
- cadir = mkOptionalStrParam ''
- Path to directory with AIK cacerts.
- '';
-
- dh_group = mkStrParam "ecp256" ''
- Preferred Diffie-Hellman group.
- '';
-
- hash_algorithm = mkStrParam "sha256" ''
- Preferred measurement hash algorithm.
- '';
-
- min_nonce_len = mkIntParam 0 ''
- DH minimum nonce length.
- '';
-
- remediation_uri = mkOptionalStrParam ''
- URI pointing to attestation remediation instructions.
- '';
- };
-
- imv-os.remediation_uri = mkOptionalStrParam ''
- URI pointing to operating system remediation instructions.
- '';
-
- imv-scanner.remediation_uri = mkOptionalStrParam ''
- URI pointing to scanner remediation instructions.
- '';
-
- imv-swima.rest_api = {
- uri = mkOptionalStrParam ''
- HTTP URI of the SWID REST API.
- '';
-
- timeout = mkIntParam 120 ''
- Timeout of SWID REST API HTTP POST transaction.
- '';
- };
-
- imv-test.rounds = mkIntParam 0 ''
- Number of IMC-IMV retry rounds.
- '';
- };
-}
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-loglevel-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-loglevel-params.nix
deleted file mode 100644
index 0f517d8ead4..00000000000
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-loglevel-params.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-lib : with (import ./param-constructors.nix lib);
-
-let mkJournalParam = description :
- mkEnumParam [(-1) 0 1 2 3 4] 0 "Logging level for ${description}";
-in {
- default = mkIntParam 1 ''
- Specifies the default loglevel to be used for subsystems for which no
- specific loglevel is defined.
- '';
-
- app = mkJournalParam "applications other than daemons.";
- asn = mkJournalParam "low-level encoding/decoding (ASN.1, X.509 etc.)";
- cfg = mkJournalParam "configuration management and plugins.";
- chd = mkJournalParam "CHILD_SA/IPsec SA.";
- dmn = mkJournalParam "main daemon setup/cleanup/signal handling.";
- enc = mkJournalParam "packet encoding/decoding encryption/decryption operations.";
- esp = mkJournalParam "libipsec library messages.";
- ike = mkJournalParam "IKE_SA/ISAKMP SA.";
- imc = mkJournalParam "integrity Measurement Collector.";
- imv = mkJournalParam "integrity Measurement Verifier.";
- job = mkJournalParam "jobs queuing/processing and thread pool management.";
- knl = mkJournalParam "IPsec/Networking kernel interface.";
- lib = mkJournalParam "libstrongwan library messages.";
- mgr = mkJournalParam "IKE_SA manager, handling synchronization for IKE_SA access.";
- net = mkJournalParam "IKE network communication.";
- pts = mkJournalParam "platform Trust Service.";
- tls = mkJournalParam "libtls library messages.";
- tnc = mkJournalParam "trusted Network Connect.";
-}
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
deleted file mode 100644
index 249aa22b29e..00000000000
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
+++ /dev/null
@@ -1,258 +0,0 @@
-# See: https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
-#
-# When strongSwan is upgraded please update the parameters in this file. You can
-# see which parameters should be deleted, changed or added by diffing
-# the strongswan conf directory:
-#
-# git clone https://github.com/strongswan/strongswan.git
-# cd strongswan
-# git diff 5.5.3..5.6.0 conf/
-
-lib: with (import ./param-constructors.nix lib);
-
-let charonParams = import ./strongswan-charon-params.nix lib;
-in {
- aikgen = {
- load = mkSpaceSepListParam [] ''
- Plugins to load in ipsec aikgen tool.
- '';
- };
- attest = {
- database = mkOptionalStrParam ''
- File measurement information database URI. If it contains a password,
- make sure to adjust the permissions of the config file accordingly.
- '';
-
- load = mkSpaceSepListParam [] ''
- Plugins to load in ipsec attest tool.
- '';
- };
-
- # Since we only use charon-systemd we don't need to generate options for charon.
- # charon = charonParams;
-
- charon-nm = {
- ca_dir = mkStrParam "" ''
- Directory from which to load CA certificates if no certificate is
- configured.
- '';
- };
-
- charon-systemd = charonParams // {
- journal = import ./strongswan-loglevel-params.nix lib;
- };
-
- imv_policy_manager = {
- command_allow = mkOptionalStrParam ''
- Shell command to be executed with recommendation allow.
- '';
-
- command_block = mkOptionalStrParam ''
- Shell command to be executed with all other recommendations.
- '';
-
- database = mkOptionalStrParam ''
- Database URI for the database that stores the package information. If it
- contains a password, make sure to adjust permissions of the config file
- accordingly.
- '';
-
- load = mkSpaceSepListParam ["sqlite"] ''
- Plugins to load in IMV policy manager.
- '';
- };
-
- libimcv = import ./strongswan-libimcv-params.nix lib;
-
- manager = {
- database = mkOptionalStrParam ''
- Credential database URI for manager. If it contains a password, make
- sure to adjust the permissions of the config file accordingly.
- '';
-
- debug = mkYesNoParam no ''
- Enable debugging in manager.
- '';
-
- load = mkSpaceSepListParam [] ''
- Plugins to load in manager.
- '';
-
- socket = mkOptionalStrParam ''
- FastCGI socket of manager, to run it statically.
- '';
-
- threads = mkIntParam 10 ''
- Threads to use for request handling.
- '';
-
- timeout = mkDurationParam "15m" ''
- Session timeout for manager.
- '';
- };
-
- medcli = {
- database = mkOptionalStrParam ''
- Mediation client database URI. If it contains a password, make sure to
- adjust the permissions of the config file accordingly.
- '';
-
- dpd = mkDurationParam "5m" ''
- DPD timeout to use in mediation client plugin.
- '';
-
- rekey = mkDurationParam "20m" ''
- Rekeying time on mediation connections in mediation client plugin.
- '';
- };
-
- medsrv = {
- database = mkOptionalStrParam ''
- Mediation server database URI. If it contains a password, make sure to
- adjust the permissions of the config file accordingly.
- '';
-
- debug = mkYesNoParam no ''
- Debugging in mediation server web application.
- '';
-
- dpd = mkDurationParam "5m" ''
- DPD timeout to use in mediation server plugin.
- '';
-
- load = mkSpaceSepListParam [] ''
- Plugins to load in mediation server plugin.
- '';
-
- password_length = mkIntParam 6 ''
- Minimum password length required for mediation server user accounts.
- '';
-
- rekey = mkDurationParam "20m" ''
- Rekeying time on mediation connections in mediation server plugin.
- '';
-
- socket = mkOptionalStrParam ''
- Run Mediation server web application statically on socket.
- '';
-
- threads = mkIntParam 5 ''
- Number of thread for mediation service web application.
- '';
-
- timeout = mkDurationParam "15m" ''
- Session timeout for mediation service.
- '';
- };
-
- pki.load = mkSpaceSepListParam [] ''
- Plugins to load in ipsec pki tool.
- '';
-
- pool = {
- database = mkOptionalStrParam ''
- Database URI for the database that stores IP pools and configuration
- attributes. If it contains a password, make sure to adjust the
- permissions of the config file accordingly.
- '';
-
- load = mkSpaceSepListParam [] ''
- Plugins to load in ipsec pool tool.
- '';
- };
-
- pt-tls-client.load = mkSpaceSepListParam [] ''
- Plugins to load in ipsec pt-tls-client tool.
- '';
-
- scepclient.load = mkSpaceSepListParam [] ''
- Plugins to load in ipsec scepclient tool.
- '';
-
- sec-updater = {
- database = mkOptionalStrParam ''
- Global IMV policy database URI. If it contains a password, make
- sure to adjust the permissions of the config file accordingly.
- '';
-
- swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" ''
- SWID generator command to be executed.
- '';
-
- swid_gen.tag_creator.name = mkStrParam "strongSwan Project" ''
- Name of the tagCreator entity.
- '';
-
- swid_gen.tag_creator.regid = mkStrParam "strongswan.org" ''
- regid of the tagCreator entity.
- '';
-
- tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" ''
- strongTNC manage.py command used to import SWID tags.
- '';
-
- tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" ''
- Temporary storage for downloaded deb package file.
- '';
-
- tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" ''
- Temporary storage for generated SWID tags.
- '';
-
- load = mkSpaceSepListParam [] ''
- Plugins to load in sec-updater tool.
- '';
- };
-
- starter = {
- config_file = mkStrParam "\${sysconfdir}/ipsec.conf" ''
- Location of the ipsec.conf file.
- '';
-
- load_warning = mkYesNoParam yes ''
- Show charon.load setting warning, see
- https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
- '';
- };
-
- sw-collector = {
- database = mkOptionalStrParam ''
- URI to software collector database containing event timestamps,
- software creation and deletion events and collected software
- identifiers. If it contains a password, make sure to adjust the
- permissions of the config file accordingly.
- '';
-
- first_file = mkStrParam "/var/log/bootstrap.log" ''
- Path pointing to file created when the Linux OS was installed.
- '';
-
- first_time = mkStrParam "0000-00-00T00:00:00Z" ''
- Time in UTC when the Linux OS was installed.
- '';
-
- history = mkOptionalStrParam ''
- Path pointing to apt history.log file.
- '';
-
- rest_api = {
- uri = mkOptionalStrParam ''
- HTTP URI of the central collector's REST API.
- '';
-
- timeout = mkIntParam 120 ''
- Timeout of REST API HTTP POST transaction.
- '';
- };
-
- load = mkSpaceSepListParam [] "Plugins to load in sw-collector tool.";
- };
-
- swanctl = {
- load = mkSpaceSepListParam [] "Plugins to load in swanctl.";
-
- socket = mkStrParam "unix://\${piddir}/charon.vici" ''
- VICI socket to connect to by default.
- '';
- };
-}