
nixos/strongswan: convert to MD descriptions

No changes to the manpage output. The HTML output changes, but only by whitespace.

authored by

pennae and committed by
pennae
a2ceee8f d9a636e9

+242 -302
+6 -6
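--- a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix
@@ -57,12 +57,12 @@
 
   documentDefault = description : strongswanDefault :
     if strongswanDefault == null
-    then description
-    else description + ''
+    then mdDoc description
+    else mdDoc (description + ''
 
 
-      StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal>
-    '';
+      StrongSwan default: ````${builtins.toJSON strongswanDefault}````
+    '');
 
   single = f: name: value: { ${name} = f value; };
 
@@ -121,7 +121,7 @@
     option = mkOption {
       type = types.attrsOf option;
       default = {};
-      inherit description;
+      description = mdDoc description;
     };
     render = single (attrs:
       (paramsToRenderedStrings attrs
@@ -139,7 +139,7 @@
     option = mkOption {
       type = types.attrsOf option;
       default = {};
-      inherit description;
+      description = mdDoc description;
     };
     render = prefix: attrs:
       let prefixedAttrs = mapAttrs' (name: nameValuePair "${prefix}-${name}") attrs;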
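Review bot: The four-backtick code span around `${builtins.toJSON strongswanDefault}` in `documentDefault` is deliberate (a JSON-encoded default that itself contains backticks must not be able to close the span, where the old CDATA wrapper was immune to that), but nothing in the hunk says so and a later reader will be tempted to "fix" it to a single pair; add `# four backticks: a JSON-encoded default may contain backticks without closing the code span` above that line. The new code also depends on `mdDoc` being in scope, presumably from `lib`, which this hunk does not show — worth confirming the file's header brings it in, since an unbound name here only surfaces when the options are evaluated. The `description = mdDoc description;` changes at 124 and 142 sit inside definitions whose headers start before the hunk, so whether their `description` argument is always a plain string (and never already an `mdDoc` value) cannot be checked from here.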
+236 -296
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
··· 16 16 Absolute path to the certificate to load. Passed as-is to the daemon, so 17 17 it must be readable by it. 18 18 19 - Configure either this or <option>handle</option>, but not both, in one section. 19 + Configure either this or {option}`handle`, but not both, in one section. 20 20 ''; 21 21 22 22 handle = mkOptionalHexParam '' 23 23 Hex-encoded CKA_ID or handle of the certificate on a token or TPM, 24 24 respectively. 25 25 26 - Configure either this or <option>file</option>, but not both, in one section. 26 + Configure either this or {option}`file`, but not both, in one section. 27 27 ''; 28 28 29 29 slot = mkOptionalIntParam '' ··· 39 39 40 40 cacert = mkOptionalStrParam '' 41 41 The certificates may use a relative path from the swanctl 42 - <literal>x509ca</literal> directory or an absolute path. 42 + `x509ca` directory or an absolute path. 43 43 44 - Configure one of <option>cacert</option>, 45 - <option>file</option>, or 46 - <option>handle</option> per section. 44 + Configure one of {option}`cacert`, 45 + {option}`file`, or 46 + {option}`handle` per section. 47 47 ''; 48 48 49 49 cert_uri_base = mkOptionalStrParam '' ··· 71 71 72 72 version = mkIntParam 0 '' 73 73 IKE major version to use for connection. 74 - <itemizedlist> 75 - <listitem><para>1 uses IKEv1 aka ISAKMP,</para></listitem> 76 - <listitem><para>2 uses IKEv2.</para></listitem> 77 - <listitem><para>A connection using the default of 0 accepts both IKEv1 and IKEv2 as 78 - responder, and initiates the connection actively with IKEv2.</para></listitem> 79 - </itemizedlist> 74 + 75 + - 1 uses IKEv1 aka ISAKMP, 76 + - 2 uses IKEv2. 77 + - A connection using the default of 0 accepts both IKEv1 and IKEv2 as 78 + responder, and initiates the connection actively with IKEv2. 80 79 ''; 81 80 82 81 local_addrs = mkCommaSepListParam [] '' ··· 107 106 108 107 local_port = mkIntParam 500 '' 109 108 Local UDP port for IKE communication. 
By default the port of the socket 110 - backend is used, which is usually <literal>500</literal>. If port 111 - <literal>500</literal> is used, automatic IKE port floating to port 112 - <literal>4500</literal> is used to work around NAT issues. 109 + backend is used, which is usually `500`. If port 110 + `500` is used, automatic IKE port floating to port 111 + `4500` is used to work around NAT issues. 113 112 114 113 Using a non-default local IKE port requires support from the socket 115 114 backend in use (socket-dynamic). ··· 117 116 118 117 remote_port = mkIntParam 500 '' 119 118 Remote UDP port for IKE communication. If the default of port 120 - <literal>500</literal> is used, automatic IKE port floating to port 121 - <literal>4500</literal> is used to work around NAT issues. 119 + `500` is used, automatic IKE port floating to port 120 + `4500` is used to work around NAT issues. 122 121 ''; 123 122 124 123 proposals = mkCommaSepListParam ["default"] '' ··· 134 133 combinations in IKEv1. 135 134 136 135 Algorithm keywords get separated using dashes. Multiple proposals may be 137 - specified in a list. The special value <literal>default</literal> forms a 136 + specified in a list. The special value `default` forms a 138 137 default proposal of supported algorithms considered safe, and is usually a 139 138 good choice for interoperability. 140 139 ''; 141 140 142 141 vips = mkCommaSepListParam [] '' 143 142 List of virtual IPs to request in IKEv2 configuration payloads or IKEv1 144 - Mode Config. The wildcard addresses <literal>0.0.0.0</literal> and 145 - <literal>::</literal> request an arbitrary address, specific addresses may 143 + Mode Config. The wildcard addresses `0.0.0.0` and 144 + `::` request an arbitrary address, specific addresses may 146 145 be defined. The responder may return a different address, though, or none 147 146 at all. 
148 147 ''; ··· 207 206 208 207 fragmentation = mkEnumParam ["yes" "accept" "force" "no"] "yes" '' 209 208 Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 210 - fragmentation). Acceptable values are <literal>yes</literal> (the default 211 - since 5.5.1), <literal>accept</literal> (since versions:5.5.3), 212 - <literal>force</literal> and <literal>no</literal>. 213 - <itemizedlist> 214 - <listitem><para>If set to <literal>yes</literal>, and the peer 215 - supports it, oversized IKE messages will be sent in fragments.</para></listitem> 216 - <listitem><para>If set to 217 - <literal>accept</literal>, support for fragmentation is announced to the peer but the daemon 218 - does not send its own messages in fragments.</para></listitem> 219 - <listitem><para>If set to <literal>force</literal> (only 220 - supported for IKEv1) the initial IKE message will already be fragmented if 221 - required.</para></listitem> 222 - <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing 223 - support for this feature.</para></listitem> 224 - </itemizedlist> 209 + fragmentation). Acceptable values are `yes` (the default 210 + since 5.5.1), `accept` (since versions:5.5.3), 211 + `force` and `no`. 212 + 213 + - If set to `yes`, and the peer 214 + supports it, oversized IKE messages will be sent in fragments. 215 + - If set to 216 + `accept`, support for fragmentation is announced to the peer but the daemon 217 + does not send its own messages in fragments. 218 + - If set to `force` (only 219 + supported for IKEv1) the initial IKE message will already be fragmented if 220 + required. 221 + - Finally, setting the option to `no` will disable announcing 222 + support for this feature. 225 223 226 224 Note that fragmented IKE messages sent by a peer are always processed 227 225 irrespective of the value of this option (even when set to no). 
··· 229 227 230 228 childless = mkEnumParam [ "allow" "force" "never" ] "allow" '' 231 229 Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values 232 - are <literal>allow</literal> (the default), <literal>force</literal> and 233 - <literal>never</literal>. If set to <literal>allow</literal>, responders 230 + are `allow` (the default), `force` and 231 + `never`. If set to `allow`, responders 234 232 will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT 235 233 response) while initiators continue to create regular IKE_SAs with the 236 234 first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated 237 235 explicitly without any children (which will fail if the responder does not 238 236 support or has disabled this extension). If set to 239 - <literal>force</literal>, only childless initiation is accepted and the 237 + `force`, only childless initiation is accepted and the 240 238 first CHILD_SA is created with a separate CREATE_CHILD_SA exchange 241 239 (e.g. to use an independent DH exchange for all CHILD_SAs). Finally, 242 - setting the option to <literal>never</literal> disables support for 240 + setting the option to `never` disables support for 243 241 childless IKE_SAs as responder. 244 242 ''; 245 243 ··· 254 252 255 253 send_cert = mkEnumParam ["always" "never" "ifasked" ] "ifasked" '' 256 254 Send certificate payloads when using certificate authentication. 
257 - <itemizedlist> 258 - <listitem><para>With the default of <literal>ifasked</literal> the daemon sends 259 - certificate payloads only if certificate requests have been received.</para></listitem> 260 - <listitem><para><literal>never</literal> disables sending of certificate payloads 261 - altogether,</para></listitem> 262 - <listitem><para><literal>always</literal> causes certificate payloads to be sent 263 - unconditionally whenever certificate authentication is used.</para></listitem> 264 - </itemizedlist> 255 + 256 + - With the default of `ifasked` the daemon sends 257 + certificate payloads only if certificate requests have been received. 258 + - `never` disables sending of certificate payloads 259 + altogether, 260 + - `always` causes certificate payloads to be sent 261 + unconditionally whenever certificate authentication is used. 265 262 ''; 266 263 267 264 ppk_id = mkOptionalStrParam '' ··· 275 272 keyingtries = mkIntParam 1 '' 276 273 Number of retransmission sequences to perform during initial 277 274 connect. Instead of giving up initiation after the first retransmission 278 - sequence with the default value of <literal>1</literal>, additional 275 + sequence with the default value of `1`, additional 279 276 sequences may be started according to the configured value. A value of 280 - <literal>0</literal> initiates a new sequence until the connection 277 + `0` initiates a new sequence until the connection 281 278 establishes or fails with a permanent error. 282 279 ''; 283 280 ··· 285 282 Connection uniqueness policy to enforce. To avoid multiple connections 286 283 from the same user, a uniqueness policy can be enforced. 
287 284 288 - <itemizedlist> 289 - <listitem><para> 290 - The value <literal>never</literal> does never enforce such a policy, even 291 - if a peer included INITIAL_CONTACT notification messages, 292 - </para></listitem> 293 - <listitem><para> 294 - whereas <literal>no</literal> replaces existing connections for the same 295 - identity if a new one has the INITIAL_CONTACT notify. 296 - </para></listitem> 297 - <listitem><para> 298 - <literal>keep</literal> rejects new connection attempts if the same user 299 - already has an active connection, 300 - </para></listitem> 301 - <listitem><para> 302 - <literal>replace</literal> deletes any existing connection if a new one 303 - for the same user gets established. 304 - </para></listitem> 305 - </itemizedlist> 285 + - The value `never` does never enforce such a policy, even 286 + if a peer included INITIAL_CONTACT notification messages, 287 + - whereas `no` replaces existing connections for the same 288 + identity if a new one has the INITIAL_CONTACT notify. 289 + - `keep` rejects new connection attempts if the same user 290 + already has an active connection, 291 + - `replace` deletes any existing connection if a new one 292 + for the same user gets established. 293 + 306 294 To compare connections for uniqueness, the remote IKE identity is used. If 307 295 EAP or XAuth authentication is involved, the EAP-Identity or XAuth 308 296 username is used to enforce the uniqueness policy instead. ··· 310 298 On initiators this setting specifies whether an INITIAL_CONTACT notify is 311 299 sent during IKE_AUTH if no existing connection is found with the remote 312 300 peer (determined by the identities of the first authentication 313 - round). Unless set to <literal>never</literal> the client will send a notify. 301 + round). Unless set to `never` the client will send a notify. 
314 302 ''; 315 303 316 304 reauth_time = mkDurationParam "0s" '' ··· 347 335 In contrast to CHILD_SA rekeying, over_time is relative in time to the 348 336 rekey_time and reauth_time values, as it applies to both. 349 337 350 - The default is 10% of the longer of <option>rekey_time</option> and 351 - <option>reauth_time</option>. 338 + The default is 10% of the longer of {option}`rekey_time` and 339 + {option}`reauth_time`. 352 340 ''; 353 341 354 342 rand_time = mkOptionalDurationParam '' ··· 357 345 procedure simultaneously, a random time gets subtracted from the 358 346 rekey/reauth times. 359 347 360 - The default is equal to the configured <option>over_time</option>. 348 + The default is equal to the configured {option}`over_time`. 361 349 ''; 362 350 363 351 pools = mkCommaSepListParam [] '' ··· 409 397 certs = mkCommaSepListParam [] '' 410 398 List of certificate candidates to use for 411 399 authentication. The certificates may use a relative path from the 412 - swanctl <literal>x509</literal> directory or an absolute path. 400 + swanctl `x509` directory or an absolute path. 413 401 414 402 The certificate used for authentication is selected based on the 415 403 received certificate request payloads. If no appropriate CA can be ··· 425 413 pubkeys = mkCommaSepListParam [] '' 426 414 List of raw public key candidates to use for 427 415 authentication. The public keys may use a relative path from the swanctl 428 - <literal>pubkey</literal> directory or an absolute path. 416 + `pubkey` directory or an absolute path. 429 417 430 418 Even though multiple local public keys could be defined in principle, 431 419 only the first public key in the list is used for authentication. ··· 433 421 434 422 auth = mkStrParam "pubkey" '' 435 423 Authentication to perform locally. 436 - <itemizedlist> 437 - <listitem><para> 438 - The default <literal>pubkey</literal> uses public key authentication 439 - using a private key associated to a usable certificate. 
440 - </para></listitem> 441 - <listitem><para> 442 - <literal>psk</literal> uses pre-shared key authentication. 443 - </para></listitem> 444 - <listitem><para> 445 - The IKEv1 specific <literal>xauth</literal> is used for XAuth or Hybrid 446 - authentication, 447 - </para></listitem> 448 - <listitem><para> 449 - while the IKEv2 specific <literal>eap</literal> keyword defines EAP 450 - authentication. 451 - </para></listitem> 452 - <listitem><para> 453 - For <literal>xauth</literal>, a specific backend name may be appended, 454 - separated by a dash. The appropriate <literal>xauth</literal> backend is 455 - selected to perform the XAuth exchange. For traditional XAuth, the 456 - <literal>xauth</literal> method is usually defined in the second 457 - authentication round following an initial <literal>pubkey</literal> (or 458 - <literal>psk</literal>) round. Using <literal>xauth</literal> in the 459 - first round performs Hybrid Mode client authentication. 460 - </para></listitem> 461 - <listitem><para> 462 - For <literal>eap</literal>, a specific EAP method name may be appended, separated by a 463 - dash. An EAP module implementing the appropriate method is selected to 464 - perform the EAP conversation. 465 - </para></listitem> 466 - <listitem><para> 467 - Since 5.4.0, if both peers support RFC 7427 ("Signature Authentication 468 - in IKEv2") specific hash algorithms to be used during IKEv2 469 - authentication may be configured. To do so use <literal>ike:</literal> 470 - followed by a trust chain signature scheme constraint (see description 471 - of the <option>remote</option> section's <option>auth</option> 472 - keyword). For example, with <literal>ike:pubkey-sha384-sha256</literal> 473 - a public key signature scheme with either SHA-384 or SHA-256 would get 474 - used for authentication, in that order and depending on the hash 475 - algorithms supported by the peer. 
If no specific hash algorithms are 476 - configured, the default is to prefer an algorithm that matches or 477 - exceeds the strength of the signature key. If no constraints with 478 - <literal>ike:</literal> prefix are configured any signature scheme 479 - constraint (without <literal>ike:</literal> prefix) will also apply to 480 - IKEv2 authentication, unless this is disabled in 481 - <literal>strongswan.conf</literal>. To use RSASSA-PSS signatures use 482 - <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or 483 - <literal>rsa</literal> as in e.g. 484 - <literal>ike:rsa/pss-sha256</literal>. If <literal>pubkey</literal> or 485 - <literal>rsa</literal> constraints are configured RSASSA-PSS signatures 486 - will only be used if enabled in <literal>strongswan.conf</literal>(5). 487 - </para></listitem> 488 - </itemizedlist> 424 + 425 + - The default `pubkey` uses public key authentication 426 + using a private key associated to a usable certificate. 427 + - `psk` uses pre-shared key authentication. 428 + - The IKEv1 specific `xauth` is used for XAuth or Hybrid 429 + authentication, 430 + - while the IKEv2 specific `eap` keyword defines EAP 431 + authentication. 432 + - For `xauth`, a specific backend name may be appended, 433 + separated by a dash. The appropriate `xauth` backend is 434 + selected to perform the XAuth exchange. For traditional XAuth, the 435 + `xauth` method is usually defined in the second 436 + authentication round following an initial `pubkey` (or 437 + `psk`) round. Using `xauth` in the 438 + first round performs Hybrid Mode client authentication. 439 + - For `eap`, a specific EAP method name may be appended, separated by a 440 + dash. An EAP module implementing the appropriate method is selected to 441 + perform the EAP conversation. 442 + - Since 5.4.0, if both peers support RFC 7427 ("Signature Authentication 443 + in IKEv2") specific hash algorithms to be used during IKEv2 444 + authentication may be configured. 
To do so use `ike:` 445 + followed by a trust chain signature scheme constraint (see description 446 + of the {option}`remote` section's {option}`auth` 447 + keyword). For example, with `ike:pubkey-sha384-sha256` 448 + a public key signature scheme with either SHA-384 or SHA-256 would get 449 + used for authentication, in that order and depending on the hash 450 + algorithms supported by the peer. If no specific hash algorithms are 451 + configured, the default is to prefer an algorithm that matches or 452 + exceeds the strength of the signature key. If no constraints with 453 + `ike:` prefix are configured any signature scheme 454 + constraint (without `ike:` prefix) will also apply to 455 + IKEv2 authentication, unless this is disabled in 456 + `strongswan.conf`. To use RSASSA-PSS signatures use 457 + `rsa/pss` instead of `pubkey` or 458 + `rsa` as in e.g. 459 + `ike:rsa/pss-sha256`. If `pubkey` or 460 + `rsa` constraints are configured RSASSA-PSS signatures 461 + will only be used if enabled in `strongswan.conf`(5). 489 462 ''; 490 463 491 464 id = mkOptionalStrParam '' ··· 519 492 peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 520 493 Authentication or IKEv1 XAuth. 521 494 522 - Each round is defined in a section having <literal>local</literal> as 495 + Each round is defined in a section having `local` as 523 496 prefix, and an optional unique suffix. To define a single authentication 524 497 round, the suffix may be omitted. 525 498 ''; ··· 540 513 541 514 eap_id = mkOptionalStrParam '' 542 515 Identity to use as peer identity during EAP authentication. If set to 543 - <literal>%any</literal> the EAP-Identity method will be used to ask the 516 + `%any` the EAP-Identity method will be used to ask the 544 517 client for an EAP identity. 545 518 ''; 546 519 ··· 559 532 560 533 certs = mkCommaSepListParam [] '' 561 534 List of certificates to accept for authentication. 
The certificates may 562 - use a relative path from the swanctl <literal>x509</literal> directory 535 + use a relative path from the swanctl `x509` directory 563 536 or an absolute path. 564 537 ''; 565 538 ··· 573 546 Identity in CA certificate to accept for authentication. The specified 574 547 identity must be contained in one (intermediate) CA of the remote peer 575 548 trustchain, either as subject or as subjectAltName. This has the same 576 - effect as specifying <literal>cacerts</literal> to force clients under 549 + effect as specifying `cacerts` to force clients under 577 550 a CA to specific connections; it does not require the CA certificate 578 551 to be available locally, and can be received from the peer during the 579 552 IKE exchange. ··· 582 555 cacerts = mkCommaSepListParam [] '' 583 556 List of CA certificates to accept for 584 557 authentication. The certificates may use a relative path from the 585 - swanctl <literal>x509ca</literal> directory or an absolute path. 558 + swanctl `x509ca` directory or an absolute path. 586 559 ''; 587 560 588 561 cacert = mkPostfixedAttrsOfParams certParams '' ··· 594 567 pubkeys = mkCommaSepListParam [] '' 595 568 List of raw public keys to accept for 596 569 authentication. The public keys may use a relative path from the swanctl 597 - <literal>pubkey</literal> directory or an absolute path. 570 + `pubkey` directory or an absolute path. 598 571 ''; 599 572 600 573 revocation = mkEnumParam ["strict" "ifuri" "relaxed"] "relaxed" '' 601 574 Certificate revocation policy for CRL or OCSP revocation. 602 - <itemizedlist> 603 - <listitem><para> 604 - A <literal>strict</literal> revocation policy fails if no revocation information is 605 - available, i.e. the certificate is not known to be unrevoked. 606 - </para></listitem> 607 - <listitem><para> 608 - <literal>ifuri</literal> fails only if a CRL/OCSP URI is available, but certificate 609 - revocation checking fails, i.e. 
there should be revocation information 610 - available, but it could not be obtained. 611 - </para></listitem> 612 - <listitem><para> 613 - The default revocation policy <literal>relaxed</literal> fails only if a certificate is 614 - revoked, i.e. it is explicitly known that it is bad. 615 - </para></listitem> 616 - </itemizedlist> 575 + 576 + - A `strict` revocation policy fails if no revocation information is 577 + available, i.e. the certificate is not known to be unrevoked. 578 + - `ifuri` fails only if a CRL/OCSP URI is available, but certificate 579 + revocation checking fails, i.e. there should be revocation information 580 + available, but it could not be obtained. 581 + - The default revocation policy `relaxed` fails only if a certificate is 582 + revoked, i.e. it is explicitly known that it is bad. 617 583 ''; 618 584 619 585 auth = mkStrParam "pubkey" '' 620 - Authentication to expect from remote. See the <option>local</option> 621 - section's <option>auth</option> keyword description about the details of 586 + Authentication to expect from remote. See the {option}`local` 587 + section's {option}`auth` keyword description about the details of 622 588 supported mechanisms. 623 589 624 590 Since 5.4.0, to require a trustchain public key strength for the remote 625 591 side, specify the key type followed by the minimum strength in bits (for 626 - example <literal>ecdsa-384</literal> or 627 - <literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of 592 + example `ecdsa-384` or 593 + `rsa-2048-ecdsa-256`). To limit the acceptable set of 628 594 hashing algorithms for trustchain validation, append hash algorithms to 629 595 pubkey or a key strength definition (for example 630 - <literal>pubkey-sha256-sha512</literal>, 631 - <literal>rsa-2048-sha256-sha384-sha512</literal> or 632 - <literal>rsa-2048-sha256-ecdsa-256-sha256-sha384</literal>). 
633 - Unless disabled in <literal>strongswan.conf</literal>, or explicit IKEv2 596 + `pubkey-sha256-sha512`, 597 + `rsa-2048-sha256-sha384-sha512` or 598 + `rsa-2048-sha256-ecdsa-256-sha256-sha384`). 599 + Unless disabled in `strongswan.conf`, or explicit IKEv2 634 600 signature constraints are configured (refer to the description of the 635 - <option>local</option> section's <option>auth</option> keyword for 601 + {option}`local` section's {option}`auth` keyword for 636 602 details), such key types and hash algorithms are also applied as 637 603 constraints against IKEv2 signature authentication schemes used by the 638 604 remote side. To require RSASSA-PSS signatures use 639 - <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or 640 - <literal>rsa</literal> as in e.g. <literal>rsa/pss-sha256</literal>. If 641 - <literal>pubkey</literal> or <literal>rsa</literal> constraints are 605 + `rsa/pss` instead of `pubkey` or 606 + `rsa` as in e.g. `rsa/pss-sha256`. If 607 + `pubkey` or `rsa` constraints are 642 608 configured RSASSA-PSS signatures will only be accepted if enabled in 643 - <literal>strongswan.conf</literal>(5). 609 + `strongswan.conf`(5). 644 610 645 611 To specify trust chain constraints for EAP-(T)TLS, append a colon to the 646 612 EAP method, followed by the key type/size and hash algorithm as 647 - discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). 613 + discussed above (e.g. `eap-tls:ecdsa-384-sha384`). 648 614 ''; 649 615 650 616 } '' ··· 653 619 connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple 654 620 Authentication or IKEv1 XAuth. 655 621 656 - Each round is defined in a section having <literal>remote</literal> as 622 + Each round is defined in a section having `remote` as 657 623 prefix, and an optional unique suffix. To define a single authentication 658 624 round, the suffix may be omitted. 659 625 ''; ··· 673 639 combinations in IKEv1. 
674 640 675 641 Algorithm keywords get separated using dashes. Multiple proposals may be 676 - specified in a list. The special value <literal>default</literal> forms 642 + specified in a list. The special value `default` forms 677 643 a default proposal of supported algorithms considered safe, and is 678 644 usually a good choice for interoperability. By default no AH proposals 679 645 are included, instead ESP is proposed. ··· 697 663 SA is established, but may later cause rekeying to fail. 698 664 699 665 Extended Sequence Number support may be indicated with the 700 - <literal>esn</literal> and <literal>noesn</literal> values, both may be 666 + `esn` and `noesn` values, both may be 701 667 included to indicate support for both modes. If omitted, 702 - <literal>noesn</literal> is assumed. 668 + `noesn` is assumed. 703 669 704 670 In IKEv2, multiple algorithms of the same kind can be specified in a 705 671 single proposal, from which one gets selected. In IKEv1, only one ··· 708 674 combinations in IKEv1. 709 675 710 676 Algorithm keywords get separated using dashes. Multiple proposals may be 711 - specified as a list. The special value <literal>default</literal> forms 677 + specified as a list. The special value `default` forms 712 678 a default proposal of supported algorithms considered safe, and is 713 679 usually a good choice for interoperability. If no algorithms are 714 680 specified for AH nor ESP, the default set of algorithms for ESP is ··· 726 692 local_ts = mkCommaSepListParam ["dynamic"] '' 727 693 List of local traffic selectors to include in CHILD_SA. Each selector is 728 694 a CIDR subnet definition, followed by an optional proto/port 729 - selector. The special value <literal>dynamic</literal> may be used 695 + selector. The special value `dynamic` may be used 730 696 instead of a subnet definition, which gets replaced by the tunnel outer 731 697 address or the virtual IP, if negotiated. This is the default. 
732 698 ··· 735 701 name may be specified. After the optional protocol restriction, an 736 702 optional port restriction may be specified, separated by a slash. The 737 703 port restriction may be numeric, a getservent(3) service name, or the 738 - special value <literal>opaque</literal> for RFC 4301 OPAQUE 704 + special value `opaque` for RFC 4301 OPAQUE 739 705 selectors. Port ranges may be specified as well, none of the kernel 740 706 backends currently support port ranges, though. 741 707 ··· 752 718 753 719 remote_ts = mkCommaSepListParam ["dynamic"] '' 754 720 List of remote selectors to include in CHILD_SA. See 755 - <option>local_ts</option> for a description of the selector syntax. 721 + {option}`local_ts` for a description of the selector syntax. 756 722 ''; 757 723 758 724 rekey_time = mkDurationParam "1h" '' 759 725 Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key 760 726 material, optionally using a Diffie-Hellman exchange if a group is 761 727 specified in the proposal. To avoid rekey collisions initiated by both 762 - ends simultaneously, a value in the range of <option>rand_time</option> 728 + ends simultaneously, a value in the range of {option}`rand_time` 763 729 gets subtracted to form the effective soft lifetime. 764 730 765 731 By default CHILD_SA rekeying is scheduled every hour, minus 766 - <option>rand_time</option>. 732 + {option}`rand_time`. 767 733 ''; 768 734 769 735 life_time = mkOptionalDurationParam '' 770 736 Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime 771 737 is never reached, because the CHILD_SA gets rekeyed before. If that fails 772 738 for whatever reason, this limit closes the CHILD_SA. The default is 10% 773 - more than the <option>rekey_time</option>. 739 + more than the {option}`rekey_time`. 774 740 ''; 775 741 776 742 rand_time = mkOptionalDurationParam '' 777 743 Time range from which to choose a random value to subtract from 778 - <option>rekey_time</option>. 
The default is the difference between 779 - <option>life_time</option> and <option>rekey_time</option>. 744 + {option}`rekey_time`. The default is the difference between 745 + {option}`life_time` and {option}`rekey_time`. 780 746 ''; 781 747 782 748 rekey_bytes = mkIntParam 0 '' ··· 785 751 exchange if a group is specified in the proposal. 786 752 787 753 To avoid rekey collisions initiated by both ends simultaneously, a value 788 - in the range of <option>rand_bytes</option> gets subtracted to form the 754 + in the range of {option}`rand_bytes` gets subtracted to form the 789 755 effective soft volume limit. 790 756 791 757 Volume based CHILD_SA rekeying is disabled by default. ··· 795 761 Maximum bytes processed before CHILD_SA gets closed. Usually this hard 796 762 volume limit is never reached, because the CHILD_SA gets rekeyed 797 763 before. If that fails for whatever reason, this limit closes the 798 - CHILD_SA. The default is 10% more than <option>rekey_bytes</option>. 764 + CHILD_SA. The default is 10% more than {option}`rekey_bytes`. 799 765 ''; 800 766 801 767 rand_bytes = mkOptionalIntParam '' 802 768 Byte range from which to choose a random value to subtract from 803 - <option>rekey_bytes</option>. The default is the difference between 804 - <option>life_bytes</option> and <option>rekey_bytes</option>. 769 + {option}`rekey_bytes`. The default is the difference between 770 + {option}`life_bytes` and {option}`rekey_bytes`. 805 771 ''; 806 772 807 773 rekey_packets = mkIntParam 0 '' ··· 810 776 exchange if a group is specified in the proposal. 811 777 812 778 To avoid rekey collisions initiated by both ends simultaneously, a value 813 - in the range of <option>rand_packets</option> gets subtracted to form 779 + in the range of {option}`rand_packets` gets subtracted to form 814 780 the effective soft packet count limit. 815 781 816 782 Packet count based CHILD_SA rekeying is disabled by default. ··· 822 788 rekeyed before. 
If that fails for whatever reason, this limit closes the 823 789 CHILD_SA. 824 790 825 - The default is 10% more than <option>rekey_bytes</option>. 791 + The default is 10% more than {option}`rekey_bytes`. 826 792 ''; 827 793 828 794 rand_packets = mkOptionalIntParam '' 829 795 Packet range from which to choose a random value to subtract from 830 - <option>rekey_packets</option>. The default is the difference between 831 - <option>life_packets</option> and <option>rekey_packets</option>. 796 + {option}`rekey_packets`. The default is the difference between 797 + {option}`life_packets` and {option}`rekey_packets`. 832 798 ''; 833 799 834 800 updown = mkOptionalStrParam '' ··· 836 802 ''; 837 803 838 804 hostaccess = mkYesNoParam no '' 839 - Hostaccess variable to pass to <literal>updown</literal> script. 805 + Hostaccess variable to pass to `updown` script. 840 806 ''; 841 807 842 808 mode = mkEnumParam [ "tunnel" ··· 847 813 "drop" 848 814 ] "tunnel" '' 849 815 IPsec Mode to establish CHILD_SA with. 850 - <itemizedlist> 851 - <listitem><para> 852 - <literal>tunnel</literal> negotiates the CHILD_SA in IPsec Tunnel Mode, 853 - </para></listitem> 854 - <listitem><para> 855 - whereas <literal>transport</literal> uses IPsec Transport Mode. 856 - </para></listitem> 857 - <listitem><para> 858 - <literal>transport_proxy</literal> signifying the special Mobile IPv6 859 - Transport Proxy Mode. 860 - </para></listitem> 861 - <listitem><para> 862 - <literal>beet</literal> is the Bound End to End Tunnel mixture mode, 863 - working with fixed inner addresses without the need to include them in 864 - each packet. 865 - </para></listitem> 866 - <listitem><para> 867 - Both <literal>transport</literal> and <literal>beet</literal> modes are 868 - subject to mode negotiation; <literal>tunnel</literal> mode is 869 - negotiated if the preferred mode is not available. 
870 - </para></listitem> 871 - <listitem><para> 872 - <literal>pass</literal> and <literal>drop</literal> are used to install 873 - shunt policies which explicitly bypass the defined traffic from IPsec 874 - processing or drop it, respectively. 875 - </para></listitem> 876 - </itemizedlist> 816 + 817 + - `tunnel` negotiates the CHILD_SA in IPsec Tunnel Mode, 818 + - whereas `transport` uses IPsec Transport Mode. 819 + - `transport_proxy` signifying the special Mobile IPv6 820 + Transport Proxy Mode. 821 + - `beet` is the Bound End to End Tunnel mixture mode, 822 + working with fixed inner addresses without the need to include them in 823 + each packet. 824 + - Both `transport` and `beet` modes are 825 + subject to mode negotiation; `tunnel` mode is 826 + negotiated if the preferred mode is not available. 827 + - `pass` and `drop` are used to install 828 + shunt policies which explicitly bypass the defined traffic from IPsec 829 + processing or drop it, respectively. 877 830 ''; 878 831 879 832 policies = mkYesNoParam yes '' ··· 932 885 set. This allows installing duplicate policies and enables Netfilter 933 886 rules to select specific SAs/policies for incoming traffic. Note that 934 887 inbound marks are only set on policies, by default, unless 935 - <option>mark_in_sa</option> is enabled. The special value 936 - <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, 937 - beyond that the value <literal>%unique-dir</literal> assigns a different 888 + {option}`mark_in_sa` is enabled. The special value 889 + `%unique` sets a unique mark on each CHILD_SA instance, 890 + beyond that the value `%unique-dir` assigns a different 938 891 unique mark for each 939 892 940 893 An additional mask may be appended to the mark, separated by 941 - <literal>/</literal>. The default mask if omitted is 942 - <literal>0xffffffff</literal>. 894 + `/`. The default mask if omitted is 895 + `0xffffffff`. 
943 896 ''; 944 897 945 898 mark_in_sa = mkYesNoParam no '' 946 - Whether to set <option>mark_in</option> on the inbound SA. By default, 899 + Whether to set {option}`mark_in` on the inbound SA. By default, 947 900 the inbound mark is only set on the inbound policy. The tuple destination 948 901 address, protocol and SPI is unique and the mark is not required to find 949 902 the correct SA, allowing to mark traffic after decryption instead (where ··· 957 910 require marks on each packet to match a policy/SA having that option 958 911 set. This allows installing duplicate policies and enables Netfilter 959 912 rules to select specific policies/SAs for outgoing traffic. The special 960 - value <literal>%unique</literal> sets a unique mark on each CHILD_SA 961 - instance, beyond that the value <literal>%unique-dir</literal> assigns a 913 + value `%unique` sets a unique mark on each CHILD_SA 914 + instance, beyond that the value `%unique-dir` assigns a 962 915 different unique mark for each CHILD_SA direction (in/out). 963 916 964 917 An additional mask may be appended to the mark, separated by 965 - <literal>/</literal>. The default mask if omitted is 966 - <literal>0xffffffff</literal>. 918 + `/`. The default mask if omitted is 919 + `0xffffffff`. 967 920 ''; 968 921 969 922 set_mark_in = mkStrParam "0/0x00000000" '' ··· 973 926 differently (e.g. via policy routing). 974 927 975 928 An additional mask may be appended to the mark, separated by 976 - <literal>/</literal>. The default mask if omitted is 0xffffffff. The 977 - special value <literal>%same</literal> uses the value (but not the mask) 978 - from <option>mark_in</option> as mark value, which can be fixed, 979 - <literal>%unique</literal> or <literal>%unique-dir</literal>. 929 + `/`. The default mask if omitted is 0xffffffff. The 930 + special value `%same` uses the value (but not the mask) 931 + from {option}`mark_in` as mark value, which can be fixed, 932 + `%unique` or `%unique-dir`. 
980 933 981 934 Setting marks in XFRM input requires Linux 4.19 or higher. 982 935 ''; ··· 987 940 traffic (e.g. via policy routing). 988 941 989 942 An additional mask may be appended to the mark, separated by 990 - <literal>/</literal>. The default mask if omitted is 0xffffffff. The 991 - special value <literal>%same</literal> uses the value (but not the mask) 992 - from <option>mark_out</option> as mark value, which can be fixed, 993 - <literal>%unique_</literal> or <literal>%unique-dir</literal>. 943 + `/`. The default mask if omitted is 0xffffffff. The 944 + special value `%same` uses the value (but not the mask) 945 + from {option}`mark_out` as mark value, which can be fixed, 946 + `%unique_` or `%unique-dir`. 994 947 995 948 Setting marks in XFRM output is supported since Linux 4.14. Setting a 996 949 mask requires at least Linux 4.19. ··· 999 952 if_id_in = mkStrParam "0" '' 1000 953 XFRM interface ID set on inbound policies/SA. This allows installing 1001 954 duplicate policies/SAs and associates them with an interface with the 1002 - same ID. The special value <literal>%unique</literal> sets a unique 955 + same ID. The special value `%unique` sets a unique 1003 956 interface ID on each CHILD_SA instance, beyond that the value 1004 - <literal>%unique-dir</literal> assigns a different unique interface ID 957 + `%unique-dir` assigns a different unique interface ID 1005 958 for each CHILD_SA direction (in/out). 1006 959 ''; 1007 960 1008 961 if_id_out = mkStrParam "0" '' 1009 962 XFRM interface ID set on outbound policies/SA. This allows installing 1010 963 duplicate policies/SAs and associates them with an interface with the 1011 - same ID. The special value <literal>%unique</literal> sets a unique 964 + same ID. 
The special value `%unique` sets a unique 1012 965 interface ID on each CHILD_SA instance, beyond that the value 1013 - <literal>%unique-dir</literal> assigns a different unique interface ID 966 + `%unique-dir` assigns a different unique interface ID 1014 967 for each CHILD_SA direction (in/out). 1015 968 1016 969 The daemon will not install routes for CHILD_SAs that have this option set. ··· 1020 973 Pads ESP packets with additional data to have a consistent ESP packet 1021 974 size for improved Traffic Flow Confidentiality. The padding defines the 1022 975 minimum size of all ESP packets sent. The default value of 1023 - <literal>0</literal> disables TFC padding, the special value 1024 - <literal>mtu</literal> adds TFC padding to create a packet size equal to 976 + `0` disables TFC padding, the special value 977 + `mtu` adds TFC padding to create a packet size equal to 1025 978 the Path Maximum Transfer Unit. 1026 979 ''; 1027 980 1028 981 replay_window = mkIntParam 32 '' 1029 982 IPsec replay window to configure for this CHILD_SA. Larger values than 1030 - the default of <literal>32</literal> are supported using the Netlink 1031 - backend only, a value of <literal>0</literal> disables IPsec replay 983 + the default of `32` are supported using the Netlink 984 + backend only, a value of `0` disables IPsec replay 1032 985 protection. 1033 986 ''; 1034 987 1035 988 hw_offload = mkEnumParam ["yes" "no" "auto"] "no" '' 1036 989 Enable hardware offload for this CHILD_SA, if supported by the IPsec 1037 - implementation. The value <literal>yes</literal> enforces offloading 990 + implementation. The value `yes` enforces offloading 1038 991 and the installation will fail if it's not supported by either kernel or 1039 - device. The value <literal>auto</literal> enables offloading, if it's 992 + device. The value `auto` enables offloading, if it's 1040 993 supported, but the installation does not fail otherwise. 
1041 994 ''; 1042 995 ··· 1055 1008 copy_dscp = mkEnumParam [ "out" "in" "yes" "no" ] "out" '' 1056 1009 Whether to copy the DSCP (Differentiated Services Field Codepoint) 1057 1010 header field to/from the outer IP header in tunnel mode. The value 1058 - <literal>out</literal> only copies the field from the inner to the outer 1059 - header, the value <literal>in</literal> does the opposite and only 1011 + `out` only copies the field from the inner to the outer 1012 + header, the value `in` does the opposite and only 1060 1013 copies the field from the outer to the inner header when decapsulating, 1061 - the value <literal>yes</literal> copies the field in both directions, 1062 - and the value <literal>no</literal> disables copying the field 1063 - altogether. Setting this to <literal>yes</literal> or 1064 - <literal>in</literal> could allow an attacker to adversely affect other 1014 + the value `yes` copies the field in both directions, 1015 + and the value `no` disables copying the field 1016 + altogether. Setting this to `yes` or 1017 + `in` could allow an attacker to adversely affect other 1065 1018 traffic at the receiver, which is why the default is 1066 - <literal>out</literal>. Controlling this behavior is not supported by 1019 + `out`. Controlling this behavior is not supported by 1067 1020 all kernel interfaces. 1068 1021 ''; 1069 1022 1070 1023 start_action = mkEnumParam ["none" "trap" "start"] "none" '' 1071 1024 Action to perform after loading the configuration. 1072 - <itemizedlist> 1073 - <listitem><para> 1074 - The default of <literal>none</literal> loads the connection only, which 1075 - then can be manually initiated or used as a responder configuration. 1076 - </para></listitem> 1077 - <listitem><para> 1078 - The value <literal>trap</literal> installs a trap policy, which triggers 1079 - the tunnel as soon as matching traffic has been detected. 
1080 - </para></listitem> 1081 - <listitem><para> 1082 - The value <literal>start</literal> initiates the connection actively. 1083 - </para></listitem> 1084 - </itemizedlist> 1025 + 1026 + - The default of `none` loads the connection only, which 1027 + then can be manually initiated or used as a responder configuration. 1028 + - The value `trap` installs a trap policy, which triggers 1029 + the tunnel as soon as matching traffic has been detected. 1030 + - The value `start` initiates the connection actively. 1031 + 1085 1032 When unloading or replacing a CHILD_SA configuration having a 1086 - <option>start_action</option> different from <literal>none</literal>, 1033 + {option}`start_action` different from `none`, 1087 1034 the inverse action is performed. Configurations with 1088 - <literal>start</literal> get closed, while such with 1089 - <literal>trap</literal> get uninstalled. 1035 + `start` get closed, while such with 1036 + `trap` get uninstalled. 1090 1037 ''; 1091 1038 1092 1039 close_action = mkEnumParam ["none" "trap" "start"] "none" '' 1093 1040 Action to perform after a CHILD_SA gets closed by the peer. 1094 - <itemizedlist> 1095 - <listitem><para> 1096 - The default of <literal>none</literal> does not take any action, 1097 - </para></listitem> 1098 - <listitem><para> 1099 - <literal>trap</literal> installs a trap policy for the CHILD_SA. 1100 - </para></listitem> 1101 - <listitem><para> 1102 - <literal>start</literal> tries to re-create the CHILD_SA. 1103 - </para></listitem> 1104 - </itemizedlist> 1041 + 1042 + - The default of `none` does not take any action, 1043 + - `trap` installs a trap policy for the CHILD_SA. 1044 + - `start` tries to re-create the CHILD_SA. 1105 1045 1106 - <option>close_action</option> does not provide any guarantee that the 1046 + {option}`close_action` does not provide any guarantee that the 1107 1047 CHILD_SA is kept alive. It acts on explicit close messages only, but not 1108 1048 on negotiation failures. 
Use trap policies to reliably re-create failed 1109 1049 CHILD_SAs. ··· 1111 1051 1112 1052 } '' 1113 1053 CHILD_SA configuration sub-section. Each connection definition may have 1114 - one or more sections in its <option>children</option> subsection. The 1054 + one or more sections in its {option}`children` subsection. The 1115 1055 section name defines the name of the CHILD_SA configuration, which must be 1116 - unique within the connection (denoted &#60;child&#62; below). 1056 + unique within the connection (denoted \<child\> below). 1117 1057 ''; 1118 1058 } '' 1119 1059 Section defining IKE connection configurations, each in its own subsection ··· 1130 1070 1131 1071 id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' 1132 1072 Identity the EAP/XAuth secret belongs to. Multiple unique identities may 1133 - be specified, each having an <literal>id</literal> prefix, if a secret 1073 + be specified, each having an `id` prefix, if a secret 1134 1074 is shared between multiple users. 1135 1075 ''; 1136 1076 1137 1077 } '' 1138 1078 EAP secret section for a specific secret. Each EAP secret is defined in a 1139 - unique section having the <literal>eap</literal> prefix. EAP secrets are 1079 + unique section having the `eap` prefix. EAP secrets are 1140 1080 used for XAuth authentication as well. 1141 1081 ''; 1142 1082 ··· 1160 1100 ''; 1161 1101 } '' 1162 1102 NTLM secret section for a specific secret. Each NTLM secret is defined in 1163 - a unique section having the <literal>ntlm</literal> prefix. NTLM secrets 1103 + a unique section having the `ntlm` prefix. NTLM secrets 1164 1104 may only be used for EAP-MSCHAPv2 authentication. 1165 1105 ''; 1166 1106 ··· 1173 1113 1174 1114 id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' 1175 1115 IKE identity the IKE preshared secret belongs to. 
Multiple unique 1176 - identities may be specified, each having an <literal>id</literal> 1116 + identities may be specified, each having an `id` 1177 1117 prefix, if a secret is shared between multiple peers. 1178 1118 ''; 1179 1119 } '' 1180 1120 IKE preshared secret section for a specific secret. Each IKE PSK is 1181 - defined in a unique section having the <literal>ike</literal> prefix. 1121 + defined in a unique section having the `ike` prefix. 1182 1122 ''; 1183 1123 1184 1124 ppk = mkPrefixedAttrsOfParams { 1185 1125 secret = mkOptionalStrParam '' 1186 1126 Value of the PPK. It may either be an ASCII string, a hex encoded string 1187 - if it has a <literal>0x</literal> prefix or a Base64 encoded string if 1188 - it has a <literal>0s</literal> prefix in its value. Should have at least 1127 + if it has a `0x` prefix or a Base64 encoded string if 1128 + it has a `0s` prefix in its value. Should have at least 1189 1129 256 bits of entropy for 128-bit security. 1190 1130 ''; 1191 1131 1192 1132 id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' 1193 1133 PPK identity the PPK belongs to. Multiple unique identities may be 1194 - specified, each having an <literal>id</literal> prefix, if a secret is 1134 + specified, each having an `id` prefix, if a secret is 1195 1135 shared between multiple peers. 1196 1136 ''; 1197 1137 } '' 1198 1138 Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is 1199 - defined in a unique section having the <literal>ppk</literal> prefix. 1139 + defined in a unique section having the `ppk` prefix. 1200 1140 ''; 1201 1141 1202 1142 private = mkPrefixedAttrsOfParams { ··· 1209 1149 ''; 1210 1150 } '' 1211 1151 Private key decryption passphrase for a key in the 1212 - <literal>private</literal> folder. 1152 + `private` folder. 
1213 1153 ''; 1214 1154 1215 1155 rsa = mkPrefixedAttrsOfParams { 1216 1156 file = mkOptionalStrParam '' 1217 - File name in the <literal>rsa</literal> folder for which this passphrase 1157 + File name in the `rsa` folder for which this passphrase 1218 1158 should be used. 1219 1159 ''; 1220 1160 secret = mkOptionalStrParam '' 1221 1161 Value of decryption passphrase for RSA key. 1222 1162 ''; 1223 1163 } '' 1224 - Private key decryption passphrase for a key in the <literal>rsa</literal> 1164 + Private key decryption passphrase for a key in the `rsa` 1225 1165 folder. 1226 1166 ''; 1227 1167 1228 1168 ecdsa = mkPrefixedAttrsOfParams { 1229 1169 file = mkOptionalStrParam '' 1230 - File name in the <literal>ecdsa</literal> folder for which this 1170 + File name in the `ecdsa` folder for which this 1231 1171 passphrase should be used. 1232 1172 ''; 1233 1173 secret = mkOptionalStrParam '' ··· 1235 1175 ''; 1236 1176 } '' 1237 1177 Private key decryption passphrase for a key in the 1238 - <literal>ecdsa</literal> folder. 1178 + `ecdsa` folder. 1239 1179 ''; 1240 1180 1241 1181 pkcs8 = mkPrefixedAttrsOfParams { 1242 1182 file = mkOptionalStrParam '' 1243 - File name in the <literal>pkcs8</literal> folder for which this 1183 + File name in the `pkcs8` folder for which this 1244 1184 passphrase should be used. 1245 1185 ''; 1246 1186 secret = mkOptionalStrParam '' ··· 1248 1188 ''; 1249 1189 } '' 1250 1190 Private key decryption passphrase for a key in the 1251 - <literal>pkcs8</literal> folder. 1191 + `pkcs8` folder. 1252 1192 ''; 1253 1193 1254 1194 pkcs12 = mkPrefixedAttrsOfParams { 1255 1195 file = mkOptionalStrParam '' 1256 - File name in the <literal>pkcs12</literal> folder for which this 1196 + File name in the `pkcs12` folder for which this 1257 1197 passphrase should be used. 
1258 1198 ''; 1259 1199 secret = mkOptionalStrParam '' ··· 1261 1201 ''; 1262 1202 } '' 1263 1203 PKCS#12 decryption passphrase for a container in the 1264 - <literal>pkcs12</literal> folder. 1204 + `pkcs12` folder. 1265 1205 ''; 1266 1206 1267 1207 token = mkPrefixedAttrsOfParams { ··· 1281 1221 pin = mkOptionalStrParam '' 1282 1222 Optional PIN required to access the key on the token. If none is 1283 1223 provided the user is prompted during an interactive 1284 - <literal>--load-creds</literal> call. 1224 + `--load-creds` call. 1285 1225 ''; 1286 1226 } "Definition for a private key that's stored on a token/smartcard/TPM."; 1287 1227 ··· 1291 1231 addrs = mkOptionalStrParam '' 1292 1232 Subnet or range defining addresses allocated in pool. Accepts a single 1293 1233 CIDR subnet defining the pool to allocate addresses from or an address 1294 - range (&#60;from&#62;-&#60;to&#62;). Pools must be unique and non-overlapping. 1234 + range (\<from\>-\<to\>). Pools must be unique and non-overlapping. 1295 1235 ''; 1296 1236 1297 1237 dns = mkCommaSepListParam [] "Address or CIDR subnets"; ··· 1305 1245 } '' 1306 1246 Section defining named pools. Named pools may be referenced by connections 1307 1247 with the pools option to assign virtual IPs and other configuration 1308 - attributes. Each pool must have a unique name (denoted &#60;name&#62; below). 1248 + attributes. Each pool must have a unique name (denoted \<name\> below). 1309 1249 ''; 1310 1250 }