--- doc/sample.config.orig	2023-12-17 10:19:23 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
 #  This enabled PAM authentication of the user. The gid-min option is used
 # by auto-select-group option, in order to select the minimum valid group ID.
 #
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
+# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]
 #  The plain option requires specifying a password file which contains
 # entries of the following format.
 # "username:groupname1,groupname2:encoded-password"
@@ -28,7 +28,7 @@
 # an oath password file to be used for one time passwords; the format of
 # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
 #
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
+# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
 #  The radius option requires specifying freeradius-client configuration
 # file. If the groupconfig option is set, then config-per-user/group will be overridden,
 # and all configuration will be read from radius. That also includes the
@@ -48,9 +48,9 @@
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
 #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]"
+auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
 #auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
 # Specify alternative authentication methods that are sufficient
 # for authentication. That is, if set, any of the methods enabled
@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]"
 #      PAM.
 #
 # Only one accounting method can be specified.
-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
+#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]"
 
 # Use listen-host to limit to specific IPs or to the IPs of a provided
 # hostname.
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
 # certificate renewal (they are checked and reloaded periodically;
 # a SIGHUP signal to main server will force reload).
 
-#server-cert = /etc/ocserv/server-cert.pem
-#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem
+server-cert = %%ETCDIR%%/server-cert.pem
+server-key = %%ETCDIR%%/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
 # versions of GnuTLS for supporting DHE ciphersuites.
 # Can be generated using:
-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
-#dh-params = /etc/ocserv/dh.pem
+# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem
+#dh-params = %%ETCDIR%%/dh.pem
 
 # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
 # in files. The srk-pin-file is applicable to TPM keys only, and is the
 # storage root key.
-#pin-file = /etc/ocserv/pin.txt
-#srk-pin-file = /etc/ocserv/srkpin.txt
+#pin-file = %%ETCDIR%%/pin.txt
+#srk-pin-file = %%ETCDIR%%/srkpin.txt
 
 # The password or PIN needed to unlock the key in server-key file.
 # Only needed if the file is encrypted or a PKCS #11 object. This
@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-#ca-cert = /etc/ocserv/ca.pem
-ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/ca.pem
 
 # The number of sub-processes to use for the security module (authentication)
 # processes. Typically this should not be set as the number of processes
@@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
 
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/openconnect/ocserv/issues
-isolate-workers = true
-
 # A banner to be displayed on clients after connection
 #banner = "Welcome"
 
@@ -262,7 +249,7 @@ try-mtu-discovery = false
 # You can update this response periodically using:
 # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
 # Make sure that you replace the following file in an atomic way.
-#ocsp-response = /etc/ocserv/ocsp.der
+#ocsp-response = %%ETCDIR%%/ocsp.der
 
 # The object identifier that will be used to read the user ID in the client
 # certificate. The object identifier should be part of the certificate's DN
@@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
 # See the manual to generate an empty CRL initially. The CRL will be reloaded
 # periodically when ocserv detects a change in the file. To force a reload use
 # SIGHUP.
-#crl = /etc/ocserv/crl.pem
+crl = %%ETCDIR%%/crl.pem
 
 # Uncomment this to enable compression negotiation (LZS, LZ4).
 #compression = true
@@ -415,14 +402,14 @@ rekey-method = ssl
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
 # output from the tun device, and the duration of the session in seconds.
 
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
+#connect-script = %%PREFIX%%/bin/myscript
+#disconnect-script = %%PREFIX%%/bin/myscript
 
 # This script is to be called when the client's advertised hostname becomes
 # available. It will contain REASON with "host-update" value and the
 # variable REMOTE_HOSTNAME in addition to the connect variables.
 
-#host-update-script = /usr/bin/myhostnamescript
+#host-update-script = %%PREFIX%%/bin/myhostnamescript
 
 # UTMP
 # Register the connected clients to utmp. This will allow viewing
@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
 # Note the that following two firewalling options currently are available
 # in Linux systems with iptables software.
 
-# If set, the script /usr/libexec/ocserv-fw will be called to restrict
+# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict
 # the user to its allowed routes and prevent him from accessing
 # any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
+# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/libexec/ocserv-fw will be called to restrict the user to
+# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to
 # access specific ports in the network. This option can be set globally
 # or in the per-user configuration.
 #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
 # hostname to override any proposed by the user. Note also, that, any
 # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
 
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = %%ETCDIR%%/config-per-user/
+#config-per-group = %%ETCDIR%%/config-per-group/
 
 # When config-per-xxx is specified and there is no group or user that
 # matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = %%ETCDIR%%/defaults/user.conf
+#default-group-config = %%ETCDIR%%/defaults/group.conf
 
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
@@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content"
 [vhost:www.example.com]
 auth = "certificate"
 
-ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/www.example.com-ca.pem
 
 # The certificate set here must include a 'dns_name' corresponding to
 # the virtual host name.
 
-server-cert = ../tests/certs/server-cert-secp521r1.pem
-server-key = ../tests/certs/server-key-secp521r1.pem
+server-cert = %%ETCDIR%%/server-cert-secp521r1.pem
+server-key = %%ETCDIR%%/server-key-secp521r1.pem
 
 ipv4-network = 192.168.2.0
 ipv4-netmask = 255.255.255.0