# See: https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
#
# When strongSwan is upgraded please update the parameters in this file. You can
# see which parameters should be deleted, changed or added by diffing
# the strongswan conf directory:
#
#   git clone https://github.com/strongswan/strongswan.git
#   cd strongswan
#   git diff 5.5.3..5.6.0 conf/

# Module-level function: takes nixpkgs `lib` and returns the option-declaring
# attribute set for every top-level strongswan.conf section except `charon`
# (see the note on charon/charon-systemd below). All params are built with the
# mk*Param constructors from ./param-constructors.nix, which `with` brings into
# scope; the first argument of each constructor is the upstream default and the
# string is the option description.
lib: with (import ./param-constructors.nix lib);

# The charon daemon parameter set is large and lives in its own file.
let charonParams = import ./strongswan-charon-params.nix lib;
in {
  # Plugin lists for the command-line tools. An empty list presumably leaves
  # strongSwan's built-in default plugin set in place — confirm in
  # mkSpaceSepListParam before relying on it.
  aikgen = {
    load = mkSpaceSepListParam [] ''
      Plugins to load in ipsec aikgen tool.
    '';
  };
  attest = {
    # NOTE(review): the "adjust the permissions of the config file" hint in
    # this and every other `database` description below comes from upstream
    # and assumes a hand-edited strongswan.conf. Here the file is rendered from
    # NixOS options; if the module writes it into the Nix store it is
    # world-readable regardless of permissions, so confirm how the module
    # materialises the config before putting credentials into a database URI.
    database = mkOptionalStrParam ''
      File measurement information database URI. If it contains a password,
      make sure to adjust the permissions of the config file accordingly.
    '';

    load = mkSpaceSepListParam [] ''
      Plugins to load in ipsec attest tool.
    '';
  };

  # Since we only use charon-systemd we don't need to generate options for charon.
  # charon = charonParams;

  charon-nm = {
    # "<default>" is passed through verbatim as the upstream placeholder value.
    ca_dir = mkStrParam "<default>" ''
      Directory from which to load CA certificates if no certificate is
      configured.
    '';
  };

  # charon-systemd reuses the full charon parameter set and adds the
  # `journal` log-level section on top of it.
  charon-systemd = charonParams // {
    journal = import ./strongswan-loglevel-params.nix lib;
  };

  imv_policy_manager = {
    # Per the upstream description these values are executed as shell
    # commands; keep them fixed, absolute paths and quote anything containing
    # spaces or shell metacharacters.
    command_allow = mkOptionalStrParam ''
      Shell command to be executed with recommendation allow.
    '';

    command_block = mkOptionalStrParam ''
      Shell command to be executed with all other recommendations.
    '';

    database = mkOptionalStrParam ''
      Database URI for the database that stores the package information. If it
      contains a password, make sure to adjust permissions of the config file
      accordingly.
    '';

    load = mkSpaceSepListParam ["sqlite"] ''
      Plugins to load in IMV policy manager.
    '';
  };

  libimcv = import ./strongswan-libimcv-params.nix lib;

  manager = {
    database = mkOptionalStrParam ''
      Credential database URI for manager. If it contains a password, make
      sure to adjust the permissions of the config file accordingly.
    '';

    debug = mkYesNoParam no ''
      Enable debugging in manager.
    '';

    load = mkSpaceSepListParam [] ''
      Plugins to load in manager.
    '';

    socket = mkOptionalStrParam ''
      FastCGI socket of manager, to run it statically.
    '';

    threads = mkIntParam 10 ''
      Threads to use for request handling.
    '';

    # Duration params take strongSwan's time-unit syntax ("15m", "5m", ...).
    timeout = mkDurationParam "15m" ''
      Session timeout for manager.
    '';
  };

  medcli = {
    database = mkOptionalStrParam ''
      Mediation client database URI. If it contains a password, make sure to
      adjust the permissions of the config file accordingly.
    '';

    dpd = mkDurationParam "5m" ''
      DPD timeout to use in mediation client plugin.
    '';

    rekey = mkDurationParam "20m" ''
      Rekeying time on mediation connections in mediation client plugin.
    '';
  };

  medsrv = {
    database = mkOptionalStrParam ''
      Mediation server database URI. If it contains a password, make sure to
      adjust the permissions of the config file accordingly.
    '';

    debug = mkYesNoParam no ''
      Debugging in mediation server web application.
    '';

    dpd = mkDurationParam "5m" ''
      DPD timeout to use in mediation server plugin.
    '';

    load = mkSpaceSepListParam [] ''
      Plugins to load in mediation server plugin.
    '';

    # NOTE(review): 6 is the upstream default minimum; that is short for
    # accounts on a web application, so operators exposing the mediation
    # server should consider raising it.
    password_length = mkIntParam 6 ''
      Minimum password length required for mediation server user accounts.
    '';

    rekey = mkDurationParam "20m" ''
      Rekeying time on mediation connections in mediation server plugin.
    '';

    socket = mkOptionalStrParam ''
      Run Mediation server web application statically on socket.
    '';

    threads = mkIntParam 5 ''
      Number of thread for mediation service web application.
    '';

    timeout = mkDurationParam "15m" ''
      Session timeout for mediation service.
    '';
  };

  # Dotted attribute paths (pki.load, pt-tls-client.load, ...) are shorthand
  # for a one-entry nested set; they render to the same strongswan.conf
  # section as the `{ load = ...; }` form used elsewhere in this file.
  pki.load = mkSpaceSepListParam [] ''
    Plugins to load in ipsec pki tool.
  '';

  pool = {
    database = mkOptionalStrParam ''
      Database URI for the database that stores IP pools and configuration
      attributes. If it contains a password, make sure to adjust the
      permissions of the config file accordingly.
    '';

    load = mkSpaceSepListParam [] ''
      Plugins to load in ipsec pool tool.
    '';
  };

  pt-tls-client.load = mkSpaceSepListParam [] ''
    Plugins to load in ipsec pt-tls-client tool.
  '';

  scepclient.load = mkSpaceSepListParam [] ''
    Plugins to load in ipsec scepclient tool.
  '';

  sec-updater = {
    database = mkOptionalStrParam ''
      Global IMV policy database URI. If it contains a password, make
      sure to adjust the permissions of the config file accordingly.
    '';

    # The defaults below are upstream's FHS paths (/usr/local/bin, /var/www);
    # they typically do not exist on NixOS, so anyone enabling sec-updater
    # must point them at the packaged programs explicitly.
    swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" ''
      SWID generator command to be executed.
    '';

    swid_gen.tag_creator.name = mkStrParam "strongSwan Project" ''
      Name of the tagCreator entity.
    '';

    swid_gen.tag_creator.regid = mkStrParam "strongswan.org" ''
      regid of the tagCreator entity.
    '';

    tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" ''
      strongTNC manage.py command used to import SWID tags.
    '';

    # NOTE(review): upstream defaults put scratch files at fixed, predictable
    # names in the shared /tmp. On a multi-user host a private directory
    # (e.g. under the service's own runtime or state directory) avoids
    # another user pre-creating or replacing these files.
    tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" ''
      Temporary storage for downloaded deb package file.
    '';

    tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" ''
      Temporary storage for generated SWID tags.
    '';

    load =  mkSpaceSepListParam [] ''
      Plugins to load in sec-updater tool.
    '';
  };

  starter = {
    # `\${` escapes Nix interpolation, so the literal text ${sysconfdir} is
    # emitted for strongSwan to expand at runtime.
    config_file = mkStrParam "\${sysconfdir}/ipsec.conf" ''
      Location of the ipsec.conf file.
    '';

    load_warning = mkYesNoParam yes ''
      Show charon.load setting warning, see
      https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
    '';
  };

  sw-collector = {
    database = mkOptionalStrParam ''
      URI to software collector database containing event timestamps,
      software creation and deletion events and collected software
      identifiers. If it contains a password, make sure to adjust the
      permissions of the config file accordingly.
    '';

    # Upstream Debian-oriented defaults; /var/log/bootstrap.log is presumably
    # absent on NixOS — confirm before relying on them.
    first_file = mkStrParam "/var/log/bootstrap.log" ''
      Path pointing to file created when the Linux OS was installed.
    '';

    first_time = mkStrParam "0000-00-00T00:00:00Z" ''
      Time in UTC when the Linux OS was installed.
    '';

    history = mkOptionalStrParam ''
      Path pointing to apt history.log file.
    '';

    rest_api = {
      # NOTE(review): the description says "HTTP URI"; whether TLS (https)
      # is honoured here is not visible from this file — check the collector
      # before sending software inventories over the network in clear text.
      uri = mkOptionalStrParam ''
        HTTP URI of the central collector's REST API.
      '';

      # Plain integer, presumably seconds — verify against upstream docs.
      timeout = mkIntParam 120 ''
        Timeout of REST API HTTP POST transaction.
      '';
    };

    load = mkSpaceSepListParam [] "Plugins to load in sw-collector tool.";
  };

  swanctl = {
    load = mkSpaceSepListParam [] "Plugins to load in swanctl.";

    # As with starter.config_file above, `\${piddir}` is left for strongSwan
    # to expand, not interpolated by Nix.
    socket = mkStrParam "unix://\${piddir}/charon.vici" ''
      VICI socket to connect to by default.
    '';
  };
}