fix(firezone) fix secrets, add probe, and custom config (#12269)

**Description**
- Fix secrets and bump app version.
- Add probe.
- Add custom config sections.
- Fix icon name.
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [X] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [X] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [X] ⚖️ My code follows the style guidelines of this project
- [X] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [X] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._
This commit is contained in:
Xstar97TheNoob 2023-09-07 04:27:15 -04:00 committed by GitHub
parent a69386d845
commit cd913c96a7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 310 additions and 285 deletions


@ -1,9 +1,9 @@
apiVersion: v2
appVersion: "0.7.30"
appVersion: "0.7.35"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 14.0.1
version: 14.0.3
deprecated: false
description: WireGuard-based VPN server and egress firewall
home: https://truecharts.org/charts/incubator/firezone
@ -22,7 +22,7 @@ sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/firezone
- https://github.com/firezone/firezone
type: application
version: 0.0.8
version: 0.1.0
annotations:
truecharts.org/catagories: |
- vpn


@ -11,232 +11,227 @@ questions:
# Include{podSpec}
# Include{containerMain}
- variable: env
label: Image Environment
schema:
additional_attrs: true
type: dict
attrs:
- variable: EXTERNAL_URL
label: External Url
description: Must be a valid and public FQDN for ACME SSL issuance to function. Include https://
schema:
type: string
required: true
default: ""
- variable: DEFAULT_ADMIN_EMAIL
label: Default Admin Email
description: Primary administrator email.
schema:
type: string
required: true
default: ""
- variable: DEFAULT_ADMIN_PASSWORD
label: Default Admin Password
description: Primary administrator password.
schema:
type: string
required: true
private: true
default: ""
- variable: RESET_ADMIN_ON_BOOT
label: Reset Admin On Boot
description: to create or reset the admin password every time FireZone starts.
schema:
type: boolean
default: false
- variable: TELEMETRY_ENABLED
label: Telemetry Enabled
description: Enable or disable the FireZone telemetry collection.
schema:
type: boolean
default: false
- variable: devices
label: Devices Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT
label: Allow Unprivileged Devices
description: Enable or disable management of devices on unprivileged accounts.
schema:
type: boolean
default: true
- variable: ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION
label: Allow Unprivileged Device Configuration
description: Enable or disable configuration of device network settings for unprivileged users.
schema:
type: boolean
default: true
- variable: VPN_SESSION_DURATION
label: VPN Session Duration
description: Optionally require users to periodically authenticate to the FireZone, Interval for WireGuard persistent keepalive.
schema:
type: int
default: 0
- variable: DEFAULT_CLIENT_PERSISTENT_KEEPALIVE
label: Default Client Persistent KeepAlive
description: send a keepalive packet every 25 seconds. Otherwise, keep it disabled with a 0 default value.
schema:
type: int
default: 25
- variable: DEFAULT_CLIENT_MTU
label: Default Client MTU
description: WireGuard interface MTU for devices.
schema:
type: int
default: 1280
- variable: DEFAULT_CLIENT_ENDPOINT
label: Default Client EndPoint
description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to. Defaults to this server's FQDN.
schema:
type: string
default: ""
- variable: DEFAULT_CLIENT_DNS
label: Default Client DNS
description: Comma-separated list of DNS servers to use for devices.
schema:
type: string
default: "1.1.1.1,1.0.0.1"
- variable: DEFAULT_CLIENT_ALLOWED_IPS
label: Default Client Allowed IPs
description: AllowedIPs determines which destination IPs get routed through FireZone.
schema:
type: string
default: "0.0.0.0/0,::/0"
- variable: MAX_DEVICES_PER_USER
label: Max Devices Per User
description: Changes how many devices a user can have at a time.
schema:
type: int
default: 10
- variable: authorization
label: Authorization Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: LOCAL_AUTH_ENABLED
label: Local Auth Enabled
description: Enable or disable the local authentication method for all users.
schema:
type: boolean
default: true
- variable: DISABLE_VPN_ON_OIDC_ERROR
label: Disable VPN On OIDC Error
description: Enable or disable auto disabling VPN connection on OIDC refresh error.
schema:
type: boolean
default: false
- variable: wireguard
label: Wireguard Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: WIREGUARD_IPV4_ENABLED
label: WireGuard IPV4 Enabled
description: Enable or disable IPv4 support for WireGuard.
schema:
type: boolean
default: true
- variable: WIREGUARD_IPV6_ENABLED
label: WireGuard IPV6 Enabled
description: Enable or disable IPv6 support for WireGuard.
schema:
type: boolean
default: false
- variable: outbound
label: OutBound Email Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: OUTBOUND_EMAIL_FROM
label: Outbound Email From
description: From address to use for sending outbound emails.
schema:
type: string
default: ""
- variable: OUTBOUND_EMAIL_ADAPTER
label: Outbound Email Adapter
description: Method to use for sending outbound email.
schema:
type: string
default: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
enum:
- value: "Elixir.FzHttpWeb.Mailer.AmazonSES"
description: "AmazonSES"
- value: "Elixir.FzHttpWeb.Mailer.CustomerIO"
description: CustomerIO"
- value: "Elixir.FzHttpWeb.Mailer.Dyn"
description: Dyn
- value: "Elixir.FzHttpWeb.Mailer.ExAwsAmazonSES"
description: ExAwsAmazonSES"
- value: "Elixir.FzHttpWeb.Mailer.Gmail"
description: Gmail"
- value: "Elixir.FzHttpWeb.Mailer.MailPace"
description: MailPace"
- value: "Elixir.FzHttpWeb.Mailer.Mailgun"
description: Mailgun"
- value: "Elixir.FzHttpWeb.Mailer.Mailjet"
description: MailJet"
- value: "Elixir.FzHttpWeb.Mailer.Mandrill"
description: Mandrill"
- value: "Elixir.FzHttpWeb.Mailer.Postmark"
description: Postmark"
- value: "Elixir.FzHttpWeb.Mailer.ProtonBridge"
description: ProtonBridge"
- value: "Elixir.FzHttpWeb.Mailer.SMTP"
description: SMTP"
- value: "Elixir.FzHttpWeb.Mailer.SMTP2GO"
description: SMTP2GO"
- value: "Elixir.FzHttpWeb.Mailer.Sendgrid"
description: SendGrid"
- value: "Elixir.FzHttpWeb.Mailer.Sendinblue"
description: "SendInBlue"
- value: "Elixir.FzHttpWeb.Mailer.Sendmail"
description: "Sendmail"
- value: "Elixir.FzHttpWeb.Mailer.SocketLabs"
description: "SocketLabs"
- value: "Elixir.FzHttpWeb.Mailer.SparkPost"
description: "SparkPost"
- value: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
description: "NoopAdapter"
- variable: OUTBOUND_EMAIL_ADAPTER_OPTS
label: Outbound Email Adapter OPTS
description: Adapter configuration, see https://github.com/swoosh/swoosh#adapters.
schema:
type: string
default: ""
- variable: connectivity
label: Connectivity Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: CONNECTIVITY_CHECKS_ENABLED
label: Connectivity Checks Enabled
description: Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate Endpoint fields.
schema:
type: boolean
default: true
- variable: CONNECTIVITY_CHECKS_INTERVAL
label: Connectivity Checks Interval
description: Periodicity in seconds to check for egress connectivity.
schema:
type: int
default: 43200
# Include{containerBasic}
# Include{containerAdvanced}
- variable: firezone
group: App Configuration
label: FireZone
schema:
additional_attrs: true
type: dict
attrs:
- variable: web
label: Web Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: external_url
label: External Url
description: Must be a valid and public FQDN for ACME SSL issuance to function. Include https://
schema:
type: string
required: true
default: ""
- variable: trusted_proxies
label: Trusted Proxies
description: List of trusted reverse proxies.
schema:
type: list
default: []
items:
- variable: proxy
label: Proxy IP
schema:
type: string
required: true
default: ""
- variable: private_clients
label: Private Clients
description: List of trusted clients.
schema:
type: list
default: []
items:
- variable: client_ip
label: Client IP
schema:
type: string
required: true
default: ""
- variable: secure_cookies
label: Secure Cookies
description: Enable or disable requiring secure cookies. Required for HTTPS.
schema:
type: boolean
default: true
- variable: admin
label: Admin Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: reset_admin_on_boot
label: Reset Admin On Boot
description: to create or reset the admin password every time Firezone starts. By default, the admin password is only set when Firezone is installed.
schema:
type: boolean
default: false
- variable: default_email
label: Default Email
description: Primary administrator email.
schema:
type: string
required: true
default: ""
- variable: default_password
label: Default Password
description: Default password that will be used for creating or resetting the primary administrator account.
schema:
type: string
required: true
private: true
default: ""
- variable: devices
label: Devices Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: allow_unprivileged_device_management
label: Allow Unprivileged Device Management
description: Enable or disable management of devices on unprivileged accounts.
schema:
type: boolean
default: true
- variable: allow_unprivileged_device_config
label: Allow Unprivileged Device Configuration
description: Enable or disable configuration of device network settings for unprivileged users.
schema:
type: boolean
default: true
- variable: vpn_session_duration
label: VPN Session Duration
description: Optionally require users to periodically authenticate to the Firezone web UI in order to keep their VPN sessions active.
schema:
type: int
default: 0
- variable: client_persistent_keepalive
label: Client Persistent KeepAlive
description: If you experience NAT or firewall traversal problems, you can enable this to send a keepalive packet every 25 seconds, disabled by setting it to 0.
schema:
type: int
default: 0
- variable: default_client_mtu
label: Default Client MTU
description: WireGuard interface MTU for devices.
schema:
type: int
default: 1280
- variable: client_endpoint
label: Client Endpoint
description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to.
schema:
type: string
default: ""
- variable: client_dns
label: Client DNS
description: List of DNS servers to use for devices.
schema:
type: list
empty: false
required: true
default:
- 1.1.1.1
- 1.0.0.1
items:
- variable: dns
label: DNS
schema:
type: string
required: true
default: ""
- variable: client_allowed_ips
label: Client Allowed Ips
description: Configures the default AllowedIPs setting for devices.
schema:
type: list
default: []
items:
- variable: dns
label: DNS
schema:
type: string
required: true
default: ""
- variable: max_devices_per_user
label: Max Devices Per User
description: Changes how many devices a user can have at a time.
schema:
type: int
default: 10
- variable: authorization
label: Authorization Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: local_auth_enabled
label: Local Auth Enabled
description: Enable or disable the local authentication method for all users.
schema:
type: boolean
default: true
- variable: disable_vpn_on_oidc_error
label: Disable VPN On OIDC Error
description: Enable or disable auto disabling VPN connection on OIDC refresh error.
schema:
type: boolean
default: false
- variable: wireguard
label: Wireguard Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: ipv4_masquerade_enabled
label: IPv4 Masquerade Enabled
description: Enable or disable IPv4 masqeurading.
schema:
type: boolean
default: true
- variable: connectivity
label: Connectivity Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: checks_enabled
label: Checks Enabled
description: Enable / disable periodic checking for egress connectivity.
schema:
type: boolean
default: true
- variable: checks_interval
label: Checks Interval
description: Periodicity in seconds to check for egress connectivity.
schema:
type: int
default: 43200
- variable: other
label: Other Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: telemetry_enabled
label: Telemetry Enabled
description: Enable or disable the Firezone telemetry collection.
schema:
type: boolean
default: false
# Include{containerConfig}
# Include{podOptions}
# Include{serviceRoot}
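Review bot: The `client_allowed_ips` list reuses the item name and label from `client_dns` (`- variable: dns` / `label: DNS`), and its default `[]` disagrees with the `0.0.0.0/0` default the values file gives the same key; because the env template joins this list straight into `DEFAULT_CLIENT_ALLOWED_IPS`, an empty list renders an empty string rather than leaving the application default in place. I would rename the item to `- variable: cidr` / `label: CIDR` and either mirror the values default or add `empty: false` as `client_dns` already does. Separately, `trusted_proxies` and `private_clients` are rendered into `PHOENIX_EXTERNAL_TRUSTED_PROXIES` and `PHOENIX_PRIVATE_CLIENTS`, which presumably control which addresses may assert a client IP through forwarded headers (confirm against the Firezone env-var reference); the descriptions should say so, e.g. `description: Reverse proxies whose forwarded-for headers are trusted for client IP; list only proxies you control.`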


@ -17,10 +17,12 @@
{{- end }}
enabled: true
data:
GUARDIAN_SECRET_KEY: {{ $keyGuardian }}
DATABASE_ENCRYPTION_KEY: {{ $keyDatabase }}
SECRET_KEY_BASE: {{ $keySecret }}
LIVE_VIEW_SIGNING_SALT: {{ $keyLive }}
COOKIE_SIGNING_SALT: {{ $keyCookieSigning }}
COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt }}
# firezone requires all these keys to be in base 64 format presented in the container, so this b64enc here is intentional
# https://www.firezone.dev/docs/reference/env-vars#secrets-and-encryption
GUARDIAN_SECRET_KEY: {{ $keyGuardian | b64enc }}
DATABASE_ENCRYPTION_KEY: {{ $keyDatabase | b64enc }}
SECRET_KEY_BASE: {{ $keySecret | b64enc }}
LIVE_VIEW_SIGNING_SALT: {{ $keyLive | b64enc }}
COOKIE_SIGNING_SALT: {{ $keyCookieSigning | b64enc }}
COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt | b64enc }}
{{- end -}}
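Review bot: The `$keyGuardian` … `$keyCookieEncrypt` values are defined above this hunk, so it is not visible whether they are generated once and preserved across upgrades (e.g. via `lookup` of the existing Secret) or regenerated on every render; if the latter, every `helm upgrade` would rotate `DATABASE_ENCRYPTION_KEY` and `SECRET_KEY_BASE`, which would presumably make previously encrypted database fields unreadable and invalidate active sessions — worth confirming before this ships. The new comment is useful but could state the distinction explicitly, since a reader may assume `b64enc` is the Secret's own storage encoding: `# Firezone expects these values base64-encoded as seen inside the container, so this b64enc is intentional and separate from the Secret's own encoding.` The enclosing template starts outside the hunk.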


@ -4,7 +4,7 @@
{{/* Render secrets for firezone */}}
{{- $secrets := include "firezone.secrets" . | fromYaml -}}
{{- if $secrets -}}
{{- $_ := set .Values.secret "secrets" $secrets -}}
{{- $_ := set .Values.secret "firezone-secrets" $secrets -}}
{{- end -}}
{{/* Render the templates */}}


@ -1,7 +1,7 @@
image:
repository: tccr.io/truecharts/firezone
pullPolicy: IfNotPresent
tag: v0.7.30@sha256:e22dc7a9be93a804bbe0e3d301c883625463a3649d856c8b41f80a2257214667
tag: v0.7.35@sha256:53c08baeb65dde8689ebb3bd1fc9fbb034970dfdc9bceb005c4ffa03fe2b3e93
securityContext:
container:
@ -15,26 +15,66 @@ securityContext:
- NET_ADMIN
- SYS_MODULE
service:
main:
ports:
main:
protocol: http
port: 13000
wireguard:
enabled: true
ports:
wireguard:
enabled: true
protocol: udp
port: 51820
firezone:
web:
external_url: "https://example.com"
trusted_proxies: []
private_clients: []
admin:
reset_admin_on_boot: false
default_email: "admin@email.com"
default_password: "1234567890"
devices:
allow_unprivileged_device_management: true
allow_unprivileged_device_config: true
vpn_session_duration: 0
client_persistent_keepalive: 25
default_client_mtu: 1280
client_endpoint: ""
client_dns:
- 1.1.1.1
- 1.0.0.1
client_allowed_ips:
- 0.0.0.0/0
max_devices_per_user: 10
authorization:
local_auth_enabled: true
disable_vpn_on_oidc_error: false
wireguard:
ipv4_masquerade_enabled: true
connectivity:
checks_enabled: true
checks_interval: 43200
other:
telemetry_enabled: false
workload:
main:
podSpec:
containers:
main:
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
env:
# web
PHOENIX_HTTP_PORT: "{{ .Values.service.main.ports.main.port }}"
EXTERNAL_URL: "https://app.mydomain.com"
# PHOENIX_SECURE_COOKIES: true
EXTERNAL_URL: "{{ .Values.firezone.web.external_url }}"
PHOENIX_SECURE_COOKIES: "{{ .Values.firezone.web.secure_cookies }}"
# PHOENIX_HTTP_PROTOCOL_OPTIONS: "{}"
# PHOENIX_EXTERNAL_TRUSTED_PROXIES: "[]"
# PHOENIX_PRIVATE_CLIENTS: "[]"
PHOENIX_EXTERNAL_TRUSTED_PROXIES: "{{ toJson .Values.firezone.web.trusted_proxies }}"
PHOENIX_PRIVATE_CLIENTS: "{{ toJson .Values.firezone.web.private_clients }}"
# DB
DATABASE_HOST:
secretKeyRef:
@ -51,49 +91,49 @@ workload:
DATABASE_SSL_ENABLED: false
# DATABASE_SSL_OPTS: "{}"
# Admin
RESET_ADMIN_ON_BOOT: false
DEFAULT_ADMIN_EMAIL: "admin@email.com"
DEFAULT_ADMIN_PASSWORD: "1234567890"
RESET_ADMIN_ON_BOOT: "{{ .Values.firezone.admin.reset_admin_on_boot }}"
DEFAULT_ADMIN_EMAIL: "{{ .Values.firezone.admin.default_email }}"
DEFAULT_ADMIN_PASSWORD: "{{ .Values.firezone.admin.default_password }}"
# Secrets and Encryption
GUARDIAN_SECRET_KEY:
secretKeyRef:
name: secrets
name: firezone-secrets
key: GUARDIAN_SECRET_KEY
DATABASE_ENCRYPTION_KEY:
secretKeyRef:
name: secrets
name: firezone-secrets
key: DATABASE_ENCRYPTION_KEY
SECRET_KEY_BASE:
secretKeyRef:
name: secrets
name: firezone-secrets
key: SECRET_KEY_BASE
LIVE_VIEW_SIGNING_SALT:
secretKeyRef:
name: secrets
name: firezone-secrets
key: LIVE_VIEW_SIGNING_SALT
COOKIE_SIGNING_SALT:
secretKeyRef:
name: secrets
name: firezone-secrets
key: COOKIE_SIGNING_SALT
COOKIE_ENCRYPTION_SALT:
secretKeyRef:
name: secrets
name: firezone-secrets
key: COOKIE_ENCRYPTION_SALT
# Devices
ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: true
ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: true
VPN_SESSION_DURATION: 0
DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: 25
DEFAULT_CLIENT_MTU: 1280
# DEFAULT_CLIENT_ENDPOINT: ""
DEFAULT_CLIENT_DNS: "1.1.1.1,1.0.0.1"
DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0"
ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: "{{ .Values.firezone.devices.allow_unprivileged_device_management }}"
ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: "{{ .Values.firezone.devices.allow_unprivileged_device_config }}"
VPN_SESSION_DURATION: "{{ .Values.firezone.devices.vpn_session_duration }}"
DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: "{{ .Values.firezone.devices.client_persistent_keepalive }}"
DEFAULT_CLIENT_MTU: "{{ .Values.firezone.devices.default_client_mtu }}"
DEFAULT_CLIENT_ENDPOINT: "{{ .Values.firezone.devices.client_endpoint }}"
DEFAULT_CLIENT_DNS: '{{ join "," .Values.firezone.devices.client_dns }}'
DEFAULT_CLIENT_ALLOWED_IPS: '{{ join "," .Values.firezone.devices.client_allowed_ips }}'
# Limits
MAX_DEVICES_PER_USER: 10
MAX_DEVICES_PER_USER: "{{ .Values.firezone.devices.max_devices_per_user }}"
# Authorization
LOCAL_AUTH_ENABLED: true
DISABLE_VPN_ON_OIDC_ERROR: false
SAML_ENTITY_ID: "urn:firezone.dev:firezone-app"
LOCAL_AUTH_ENABLED: "{{ .Values.firezone.authorization.local_auth_enabled }}"
DISABLE_VPN_ON_OIDC_ERROR: "{{ .Values.firezone.authorization.disable_vpn_on_oidc_error }}"
# SAML_ENTITY_ID: "urn:firezone.dev:firezone-app"
# SAML_KEYFILE_PATH: "/var/firezone/saml.key"
# SAML_CERTFILE_PATH: "/var/firezone/saml.crt"
# OPENID_CONNECT_PROVIDERS: "[]"
@ -101,30 +141,18 @@ workload:
# WireGuard
WIREGUARD_PORT: "{{ .Values.service.wireguard.ports.wireguard.port }}"
WIREGUARD_IPV4_ENABLED: true
WIREGUARD_IPV4_MASQUERADE: "{{ .Values.firezone.wireguard.ipv4_masquerade_enabled }}"
WIREGUARD_IPV6_ENABLED: false
WIREGUARD_IPV6_MASQUERADE: false
# Outbound Emails
OUTBOUND_EMAIL_FROM: ""
OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
# OUTBOUND_EMAIL_FROM: ""
# OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
# OUTBOUND_EMAIL_ADAPTER_OPTS: "{}"
# Connectivity Checks
CONNECTIVITY_CHECKS_ENABLED: true
CONNECTIVITY_CHECKS_INTERVAL: 43200
CONNECTIVITY_CHECKS_ENABLED: "{{ .Values.firezone.connectivity.checks_enabled }}"
CONNECTIVITY_CHECKS_INTERVAL: "{{ .Values.firezone.connectivity.checks_interval }}"
# Telemetry
TELEMETRY_ENABLED: false
service:
main:
ports:
main:
protocol: http
port: 13000
wireguard:
enabled: true
ports:
wireguard:
enabled: true
protocol: udp
port: 51820
TELEMETRY_ENABLED: "{{ .Values.firezone.other.telemetry_enabled }}"
persistence:
config: