<?xml version="1.0"?>
<interfaceDefinition>
  <node name="pki" owner="${vyos_conf_scripts_dir}/pki.py">
    <properties>
      <help>VyOS PKI configuration</help>
      <priority>300</priority>
    </properties>
    <children>
      <tagNode name="ca">
        <properties>
          <help>Certificate Authority</help>
          <constraint>
            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
          </constraint>
        </properties>
        <children>
          #include <include/pki/cli-certificate-base64.xml.i>
          #include <include/generic-description.xml.i>
          <node name="private">
            <properties>
              <help>CA private key in PEM format</help>
            </properties>
            <children>
              #include <include/pki/cli-private-key-base64.xml.i>
              #include <include/pki/password-protected.xml.i>
            </children>
          </node>
          <leafNode name="crl">
            <properties>
              <help>Certificate revocation list in PEM format</help>
              <constraint>
                <validator name="base64"/>
              </constraint>
              <constraintErrorMessage>CRL is not base64-encoded</constraintErrorMessage>
              <multi/>
            </properties>
          </leafNode>
          #include <include/pki/cli-revoke.xml.i>
        </children>
      </tagNode>
      <tagNode name="certificate">
        <properties>
          <help>Certificate</help>
          <constraint>
            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
          </constraint>
        </properties>
        <children>
          #include <include/pki/cli-certificate-base64.xml.i>
          <node name="acme">
            <properties>
              <help>Automatic Certificate Management Environment (ACME) request</help>
            </properties>
            <children>
              #include <include/url-http-https.xml.i>
              <leafNode name="url">
                <defaultValue>https://acme-v02.api.letsencrypt.org/directory</defaultValue>
              </leafNode>
              <leafNode name="domain-name">
                <properties>
                  <help>Domain Name</help>
                  <constraint>
                    <validator name="fqdn"/>
                  </constraint>
                  <constraintErrorMessage>Invalid domain name (RFC 1123 section 2).\nMay only contain letters, numbers and .-_</constraintErrorMessage>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="email">
                <properties>
                  <help>Email address to associate with certificate</help>
                  <constraint>
                    #include <include/constraint/email.xml.i>
                  </constraint>
                </properties>
              </leafNode>
              #include <include/listen-address-ipv4-single.xml.i>
              <leafNode name="rsa-key-size">
                <properties>
                  <help>Size of the RSA key</help>
                  <completionHelp>
                    <list>2048 3072 4096</list>
                  </completionHelp>
                  <valueHelp>
                    <format>2048</format>
                    <description>RSA key length 2048 bit</description>
                  </valueHelp>
                  <valueHelp>
                    <format>3072</format>
                    <description>RSA key length 3072 bit</description>
                  </valueHelp>
                  <valueHelp>
                    <format>4096</format>
                    <description>RSA key length 4096 bit</description>
                  </valueHelp>
                  <constraint>
                    <regex>(2048|3072|4096)</regex>
                  </constraint>
                </properties>
                <defaultValue>2048</defaultValue>
              </leafNode>
            </children>
          </node>
          #include <include/generic-description.xml.i>
          <node name="private">
            <properties>
              <help>Certificate private key</help>
            </properties>
            <children>
              #include <include/pki/cli-private-key-base64.xml.i>
              #include <include/pki/password-protected.xml.i>
            </children>
          </node>
          #include <include/pki/cli-revoke.xml.i>
        </children>
      </tagNode>
      <tagNode name="dh">
        <properties>
          <help>Diffie-Hellman parameters</help>
          <constraint>
            #include <include/constraint/alpha-numeric-hyphen-underscore-dot.xml.i>
          </constraint>
        </properties>
        <children>
          <leafNode name="parameters">
            <properties>
              <help>DH parameters in PEM format</help>
              <constraint>
                <validator name="base64"/>
              </constraint>
              <constraintErrorMessage>DH parameters are not base64-encoded</constraintErrorMessage>
            </properties>
          </leafNode>
        </children>
      </tagNode>
      <tagNode name="key-pair">
        <properties>
          <help>Public and private keys</help>
        </properties>
        <children>
          <node name="public">
            <properties>
              <help>Public key</help>
            </properties>
            <children>
              #include <include/pki/cli-public-key-base64.xml.i>
            </children>
          </node>
          <node name="private">
            <properties>
              <help>Private key</help>
            </properties>
            <children>
              #include <include/pki/cli-private-key-base64.xml.i>
              #include <include/pki/password-protected.xml.i>
            </children>
          </node>
        </children>
      </tagNode>
      <tagNode name="openssh">
        <properties>
          <help>OpenSSH public and private keys</help>
        </properties>
        <children>
          <node name="public">
            <properties>
              <help>Public key</help>
            </properties>
            <children>
              #include <include/pki/cli-public-key-base64.xml.i>
              <leafNode name="type">
                <properties>
                  <help>SSH public key type</help>
                  <completionHelp>
                    <list>ssh-rsa</list>
                  </completionHelp>
                  <valueHelp>
                    <format>ssh-rsa</format>
                    <description>Key pair based on RSA algorithm</description>
                  </valueHelp>
                  <constraint>
                    <regex>(ssh-rsa)</regex>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </node>
          <node name="private">
            <properties>
              <help>Private key</help>
            </properties>
            <children>
              #include <include/pki/cli-private-key-base64.xml.i>
              #include <include/pki/password-protected.xml.i>
            </children>
          </node>
        </children>
      </tagNode>
      <tagNode name="openssh">
        <properties>
          <help>OpenSSH public and private keys</help>
        </properties>
        <children>
          <node name="public">
            <properties>
              <help>Public key</help>
            </properties>
            <children>
              #include <include/pki/cli-public-key-base64.xml.i>
            </children>
          </node>
          <node name="private">
            <properties>
              <help>Private key</help>
            </properties>
            <children>
              #include <include/pki/cli-private-key-base64.xml.i>
              #include <include/pki/password-protected.xml.i>
            </children>
          </node>
        </children>
      </tagNode>
      <node name="openvpn">
        <properties>
          <help>OpenVPN keys</help>
        </properties>
        <children>
          <tagNode name="shared-secret">
            <properties>
              <help>OpenVPN shared secret key</help>
            </properties>
            <children>
              <leafNode name="key">
                <properties>
                  <help>OpenVPN shared secret key data</help>
                </properties>
              </leafNode>
              <leafNode name="version">
                <properties>
                  <help>OpenVPN shared secret key version</help>
                </properties>
              </leafNode>
            </children>
          </tagNode>
        </children>
      </node>
      <node name="x509">
        <properties>
          <help>X509 Settings</help>
        </properties>
        <children>
          <node name="default">
            <properties>
              <help>X509 Default Values</help>
            </properties>
            <children>
              <leafNode name="country">
                <properties>
                  <help>Default country</help>
                </properties>
                <defaultValue>GB</defaultValue>
              </leafNode>
              <leafNode name="state">
                <properties>
                  <help>Default state</help>
                </properties>
                <defaultValue>Some-State</defaultValue>
              </leafNode>
              <leafNode name="locality">
                <properties>
                  <help>Default locality</help>
                </properties>
                <defaultValue>Some-City</defaultValue>
              </leafNode>
              <leafNode name="organization">
                <properties>
                  <help>Default organization</help>
                </properties>
                <defaultValue>VyOS</defaultValue>
              </leafNode>
            </children>
          </node>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>