From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 16 Jan 2023 19:38:17 +0100
Subject: [PATCH] Make manual paths follow build configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use build-configured paths in manual pages instead of default values.
Makes it easier to customize to non-default values, as done on Fedora
for example.

Squashed commit of the following:

commit e99de2aee9f26e3ab97d88902308107d9f048acd
Merge: 8effb06d6 29e324709
Author: Tobias Brunner
Date:   Mon Jan 16 11:41:17 2023 +0100

    Merge branch 'man-sysconfdir'

    Closes strongswan/strongswan#1511

commit 29e32470974aea614c2486c2982767bd62670063
Author: Tobias Brunner
Date:   Mon Jan 16 11:39:29 2023 +0100

    swanctl: Don't use hard-coded path to sysconfdir

commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
Author: Tobias Brunner
Date:   Mon Jan 16 11:37:27 2023 +0100

    conf: Add swanctl.conf and swanctl man pages to SEE ALSO

commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
Author: Tobias Brunner
Date:   Mon Jan 16 11:35:42 2023 +0100

    conf: Replace hard-coded /etc where appropriate

    Also document the actual value of ${sysconfdir}.

commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
Author: Petr Menšík
Date:   Sun Jan 15 16:55:45 2023 +0100

    man: Use configured path for config files in man pages

commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
Author: Petr Menšík
Date:   Sun Jan 15 16:17:07 2023 +0100

    ipsec: Include IPSEC_CONFDIR variable replacement in man page

    Fedora has chosen a different default directory to avoid conflicts
    with libreswan. Use the ${sysconfdir} variable to provide the correct
    location.
---
 conf/options/charon.opt            |  4 ++--
 conf/plugins/unbound.opt           |  2 +-
 conf/strongswan.conf.5.tail.in     | 10 ++++++----
 man/ipsec.conf.5.in                | 22 +++++++++++-----------
 man/ipsec.secrets.5.in             |  8 ++++----
 src/ipsec/Makefile.am              |  1 +
 src/ipsec/_ipsec.8.in              | 20 ++++++++++----------
 src/swanctl/swanctl.conf.5.tail.in |  2 +-
 8 files changed, 36 insertions(+), 33 deletions(-)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 00949222a..72efd17de 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -38,8 +38,8 @@ charon.cert_cache = yes charon.cache_crls = no Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the - Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or - **/etc/swanctl/x509crl** (vici), respectively. + Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or + **${sysconfdir}/swanctl/x509crl** (vici), respectively. charon.check_current_path = no Whether to use DPD to check if the current path still works after any diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt index f8ca9ca12..007797310 100644 --- a/conf/plugins/unbound.opt +++ b/conf/plugins/unbound.opt @@ -1,7 +1,7 @@ charon.plugins.unbound.resolv_conf = /etc/resolv.conf File to read DNS resolver configuration from. -charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys +charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys File to read DNSSEC trust anchors from (usually root zone KSK). File to read DNSSEC trust anchors from (usually root zone KSK). The format diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in index baad476d1..74bbd8eec 100644 --- a/conf/strongswan.conf.5.tail.in +++ b/conf/strongswan.conf.5.tail.in @@ -458,6 +458,7 @@ The variables used above are configured as follows: .na ${piddir} @piddir@ ${prefix} @prefix@ +${sysconfdir} @sysconfdir@ ${random_device} @random_device@ ${urandom_device} @urandom_device@ .ad 
@@ -467,18 +468,19 @@ ${urandom_device} @urandom_device@ . .nf .na -/etc/strongswan.conf configuration file -/etc/strongswan.d/ directory containing included config snippets -/etc/strongswan.d/charon/ plugin specific config snippets +@sysconfdir@/strongswan.conf configuration file +@sysconfdir@/strongswan.d/ directory containing included config snippets +@sysconfdir@/strongswan.d/charon/ plugin specific config snippets .ad .fi . .SH SEE ALSO +\fBswanctl.conf\fR(5), \fBswanctl\fR(8), \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) .SH HISTORY Written for the -.UR http://www.strongswan.org +.UR https://www.strongswan.org strongSwan project .UE by Tobias Brunner, Andreas Steffen and Martin Willi. diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index ced12680f..4e256538e 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only). .BR leftcert " = " the path to the left participant's X.509 certificate. The file can be encoded either in PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP +Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP are accepted. By default .B leftcert sets @@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format, respectively. Also accepted is the path to a file containing the public key in PEM, DER or SSH -encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP +encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP are accepted. .TP .BR leftsendcert " = never | no | " ifasked " | always | yes" 
@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID. .SH "CA SECTIONS" These are optional sections that can be used to assign special parameters to a Certification Authority (CA). Because the daemons -automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP, +automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP, there is no need to explicitly add them with a CA section, unless you want to assign special parameters (like a CRL) to a CA. .TP @@ -1235,7 +1235,7 @@ currently can have either the value .TP .BR cacert " = " defines a path to the CA certificate either relative to -\fI/etc/ipsec.d/cacerts\fP or as an absolute path. +\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path. .br A value in the form .B %smartcard[[@]]: @@ -1284,7 +1284,7 @@ section are: .BR cachecrls " = yes | " no if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in -.I /etc/ipsec.d/crls/ +.I @sysconfdir@/ipsec.d/crls/ under a unique file name derived from the certification authority's public key. .TP .BR charondebug " = " @@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled. .SH FILES .nf -/etc/ipsec.conf -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts -/etc/ipsec.d/cacerts -/etc/ipsec.d/certs -/etc/ipsec.d/crls +@sysconfdir@/ipsec.conf +@sysconfdir@/ipsec.d/aacerts +@sysconfdir@/ipsec.d/acerts +@sysconfdir@/ipsec.d/cacerts +@sysconfdir@/ipsec.d/certs +@sysconfdir@/ipsec.d/crls .SH SEE ALSO strongswan.conf(5), ipsec.secrets(5), ipsec(8) diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in index 15e36faff..c54e1a18b 100644 --- a/man/ipsec.secrets.5.in +++ b/man/ipsec.secrets.5.in @@ -15,7 +15,7 @@ Here is an example. .LP .RS .nf -# /etc/ipsec.secrets - strongSwan IPsec secrets file +# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" : RSA moonKey.pem 
@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data. .TQ .B : ECDSA [ | %prompt ] For the private key file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the private key file is +\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt can be used which then causes the daemon to ask the user for the password @@ -148,7 +148,7 @@ whenever it is required to decrypt the key. .TP .B : P12 [ | %prompt ] For the PKCS#12 file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the container is +\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt can be used which then causes the daemon to ask the user for the password @@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code. .LP .SH FILES -/etc/ipsec.secrets +@sysconfdir@/ipsec.secrets .SH SEE ALSO ipsec.conf(5), strongswan.conf(5), ipsec(8) .br diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am index 0ab9ab27c..656eba49b 100644 --- a/src/ipsec/Makefile.am +++ b/src/ipsec/Makefile.am @@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \ -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ + -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ $(srcdir)/$@.in > $@ _ipsec : _ipsec.in diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in index bfc4d50c2..de00d3075 100644 --- a/src/ipsec/_ipsec.8.in +++ b/src/ipsec/_ipsec.8.in 
@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol. .TP .BI "listcacerts [" --utc ] returns a list of X.509 Certification Authority (CA) certificates that were -loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP directory or received via the IKE protocol. . .TP .BI "listaacerts [" --utc ] returns a list of X.509 Authorization Authority (AA) certificates that were -loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP +loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP directory. . .TP .BI "listocspcerts [" --utc ] returns a list of X.509 OCSP Signer certificates that were either loaded -locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP directory or were sent by an OCSP server. . .TP .BI "listacerts [" --utc ] returns a list of X.509 Attribute certificates that were loaded locally by -the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory. . .TP .BI "listgroups [" --utc ] @@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP. .TP .BI "listcrls [" --utc ] returns a list of Certificate Revocation Lists (CRLs) that were either loaded -by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from an HTTP- or LDAP-based CRL distribution point. . .TP 
@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP. .TP .B "rereadcacerts" removes previously loaded CA certificates, reads all certificate files -contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list +contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list of Certification Authority (CA) certificates. This does not affect certificates explicitly defined in a .BR ipsec.conf (5) @@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command. .TP .B "rereadaacerts" removes previously loaded AA certificates, reads all certificate files -contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list +contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list of Authorization Authority (AA) certificates. . .TP .B "rereadocspcerts" -reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP +reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP directory and adds them to the list of OCSP signer certificates. . .TP .B "rereadacerts" -reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory and adds them to the list of attribute certificates. . .TP .B "rereadcrls" reads all Certificate Revocation Lists (CRLs) contained in the -\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. +\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs. . .TP .B "rereadall" diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in index 4d24608da..036443843 100644 --- a/src/swanctl/swanctl.conf.5.tail.in +++ b/src/swanctl/swanctl.conf.5.tail.in @@ -2,7 +2,7 @@ . .nf .na -/etc/swanctl/swanctl.conf configuration file +@sysconfdir@/swanctl/swanctl.conf configuration file .ad .fi . -- 2.39.0
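Review bot: in the conf/options/charon.opt hunk the vici CRL cache is documented as `${sysconfdir}/swanctl/x509crl`, which ties the swanctl directory to sysconfdir. If the swanctl directory can be configured independently of sysconfdir, a build that relocates only that directory would still get the wrong cache path from this description; either give it its own variable, listed in the strongswan.conf.5.tail.in table next to `${sysconfdir}`, or state that this is the default location.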
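Review bot: the conf/plugins/unbound.opt hunk changes only the documented default of `charon.plugins.unbound.trust_anchors`; nothing in the diffstat touches the plugin itself, so check that its compiled-in default is derived from the same sysconfdir value, otherwise the man page and the daemon will disagree on where `dnssec.keys` is read from on a relocated build. Leaving `charon.plugins.unbound.resolv_conf = /etc/resolv.conf` untouched is correct, since that file belongs to the system resolver and not to the strongSwan configuration directory.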
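Review bot: in the first conf/strongswan.conf.5.tail.in hunk, `+${sysconfdir} @sysconfdir@` is inserted between `${prefix}` and `${random_device}`, which breaks the alphabetical order the table otherwise keeps (piddir, prefix, random_device, urandom_device); move the new row after `${random_device}`.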
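Review bot: in the FILES hunk of conf/strongswan.conf.5.tail.in the paths and their descriptions sit in a `.nf` block separated by literal spaces, so the columns are aligned against the 12-character `@sysconfdir@` token in the template and will shift once it is replaced by `/etc` or by a longer value; a tab separator or a `.TP` layout would keep the output readable for any sysconfdir. The `http` to `https` change in the HISTORY URL is fine but is not mentioned in any of the squashed commit messages.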
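Review bot: the FILES hunk of man/ipsec.conf.5.in (and every `@sysconfdir@` use in man/ipsec.secrets.5.in) relies on `@sysconfdir@` being expanded when the page is generated, yet the diffstat shows no change under man/, while src/ipsec/Makefile.am had to add its own `@IPSEC_CONFDIR@` sed rule for the same purpose; confirm that the existing rule for man/ already substitutes `@sysconfdir@`, otherwise the literal token ships in the installed page.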
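Review bot: in the src/ipsec/Makefile.am hunk the new expression `-e "s:@IPSEC_CONFDIR@:$(sysconfdir):"` has no `g` flag, unlike the `@IPSEC_SCRIPT@` rules above it. Every `@IPSEC_CONFDIR@` in the _ipsec.8.in hunks is alone on its line, so it works today, but a future line with two paths would be half-substituted silently; add `g` as the script rules do. The `:` delimiter also breaks for a sysconfdir containing a colon, but that matches the existing `@IPSEC_DIR@` rule.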
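Review bot: the _ipsec.8.in hunks keep the pre-existing inconsistency in trailing slashes: `listcacerts` and `listaacerts` document `.../cacerts/` and `.../aacerts/`, `listcrls` documents `.../crls`, `rereadcacerts` uses `.../cacerts` while `rereadocspcerts` uses `.../ocspcerts/`. Since every one of these lines is rewritten anyway, pick one form (the FILES section of ipsec.conf.5.in uses no trailing slash) and apply it throughout.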
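Review bot: the src/swanctl/swanctl.conf.5.tail.in hunk introduces `@sysconfdir@` into a file whose Makefile is not in the diffstat, so the same substitution check applies here as for man/: verify that the rule building swanctl.conf.5 expands `@sysconfdir@`, or the FILES entry will show the raw token.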