<!-- -*- nxml -*- -->
<!-- Example configuration file for ncs. -->
<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">
<!-- NCS can be configured in fips mode the default is false. -->
<!-- To be able to set this option to true the NCS must be installed -->
<!-- with the flag 'fips-install' otherwise it will not work. -->
<fips-mode>
<enabled>false</enabled>
</fips-mode>
<!-- NCS can be configured to restrict access for incoming connections -->
<!-- to the IPC listener sockets. The access check requires that -->
<!-- connecting clients prove possession of a shared secret. -->
<ncs-ipc-access-check>
<enabled>false</enabled>
<filename>${NCS_DIR}/etc/ncs/ipc_access</filename>
</ncs-ipc-access-check>
<!-- Where to look for .fxs and snmp .bin files to load -->
<load-path>
<dir>./packages</dir>
<dir>${NCS_DIR}/etc/ncs</dir>
<!-- To disable northbound snmp altogether -->
<!-- comment out the path below -->
<dir>${NCS_DIR}/etc/ncs/snmp</dir>
</load-path>
<!-- Plug and play scripting -->
<scripts>
<dir>./scripts</dir>
<dir>${NCS_DIR}/scripts</dir>
</scripts>
<state-dir>./state</state-dir>
<notifications>
<event-streams>
<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications whenever the alarm table is changed. -->
<!-- See tailf-ncs-alarms.yang -->
<!-- If you are not interested in NCS northbound netconf notifications -->
<!-- remove this item since it does consume some CPU -->
<stream>
<name>ncs-alarms</name>
<description>NCS alarms according to tailf-ncs-alarms.yang</description>
<replay-support>false</replay-support>
<builtin-replay-store>
<enabled>false</enabled>
<dir>./state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>
<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications for internal events. -->
<!-- See tailf-ncs-devices.yang -->
<!-- Required for cluster mode. -->
<stream>
<name>ncs-events</name>
<description>NCS event according to tailf-ncs-devices.yang</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>./state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>
<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications for kicker events. -->
<!-- See tailf-kicker.yang -->
<stream>
<name>kicker-events</name>
<description>NCS event according to tailf-kicker.yang</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>./state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>
<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications forwarded from devices. -->
<!-- See tailf-event-forwarding.yang -->
<stream>
<name>device-notifications</name>
<description>NCS events forwarded from devices</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>./state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>
<!-- This is the builtin stream used by NCS to generate northbound -->
<!-- notifications for service state changes. -->
<!-- See tailf-ncs-plan.yang and tailf-ncs-services.yang -->
<stream>
<name>service-state-changes</name>
<description>Service state changes according to
tailf-ncs-plan.yang and tailf-ncs-services.yang
</description>
<replay-support>true</replay-support>
<builtin-replay-store>
<enabled>true</enabled>
<dir>./state</dir>
<max-size>S10M</max-size>
<max-files>50</max-files>
</builtin-replay-store>
</stream>
</event-streams>
</notifications>
<!-- Where the database (and init XML) files are kept -->
<cdb>
<db-dir>./ncs-cdb</db-dir>
<!-- Always bring in the good system defaults -->
<init-path>
<dir>${NCS_DIR}/var/ncs/cdb</dir>
</init-path>
</cdb>
<!--
These keys are used to encrypt values of the types
tailf:des3-cbc-encrypted-string, tailf:aes-cfb-128-encrypted-string
and tailf:aes-256-cfb-128-encrypted-string.
For a deployment install it is highly recommended to change
these numbers to something random (done by NCS "system install")
-->
<encrypted-strings>
<AESCFB128>
<key>0123456789abcdef0123456789abcdef</key>
<initVector>0123456789abcdef0123456789abcdef</initVector>
</AESCFB128>
<AES256CFB128>
<key>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</key>
</AES256CFB128>
</encrypted-strings>
<logs>
<audit-network-log>
<enabled>false</enabled>
<file>
<name>./logs/audit-network.log</name>
<enabled>false</enabled>
</file>
</audit-network-log>
<syslog-config>
<facility>daemon</facility>
</syslog-config>
<ncs-log>
<enabled>true</enabled>
<file>
<name>./logs/ncs.log</name>
<enabled>true</enabled>
</file>
<syslog>
<enabled>true</enabled>
</syslog>
</ncs-log>
<developer-log>
<enabled>true</enabled>
<file>
<name>./logs/devel.log</name>
<enabled>true</enabled>
</file>
</developer-log>
<developer-log-level>trace</developer-log-level>
<audit-log>
<enabled>true</enabled>
<file>
<name>./logs/audit.log</name>
<enabled>true</enabled>
</file>
</audit-log>
<raft-log>
<enabled>true</enabled>
<file>
<name>./logs/raft.log</name>
<enabled>true</enabled>
</file>
<level>info</level>
</raft-log>
<netconf-log>
<enabled>true</enabled>
<file>
<name>./logs/netconf.log</name>
<enabled>true</enabled>
</file>
</netconf-log>
<upgrade-log>
<enabled>true</enabled>
<file>
<name>./logs/upgrade.log</name>
<enabled>true</enabled>
</file>
</upgrade-log>
<snmp-log>
<enabled>true</enabled>
<file>
<name>./logs/snmp.log</name>
<enabled>true</enabled>
</file>
</snmp-log>
<webui-access-log>
<enabled>true</enabled>
<dir>./logs</dir>
</webui-access-log>
<!-- This log is disabled by default if ncs is installed using -->
<!-- the 'system-install' flag. It consumes a lot of CPU power -->
<!-- to have this log turned on, OTOH it is the best tool to -->
<!-- debug must expressions in YANG models -->
<xpath-trace-log>
<enabled>true</enabled>
<filename>./logs/xpath.trace</filename>
</xpath-trace-log>
<transaction-error-log>
<enabled>true</enabled>
<filename>./logs/transerr.log</filename>
</transaction-error-log>
<out-of-band-policy-log>
<enabled>true</enabled>
<filename>./logs/out-of-band-policy.log</filename>
</out-of-band-policy-log>
<error-log>
<enabled>true</enabled>
<filename>./logs/ncserr.log</filename>
</error-log>
<progress-trace>
<enabled>true</enabled>
<dir>./logs</dir>
</progress-trace>
</logs>
<ssh>
<algorithms>
</algorithms>
</ssh>
<aaa>
<ssh-server-key-dir>${NCS_DIR}/etc/ncs/ssh</ssh-server-key-dir>
<!-- Depending on OS - and also depending on user requirements -->
<!-- the pam service value value must be tuned. -->
<pam>
<enabled>true</enabled>
<service>common-auth</service>
</pam>
<external-authentication>
<enabled>false</enabled>
<executable>my-test-auth.sh</executable>
</external-authentication>
<local-authentication>
<enabled>true</enabled>
</local-authentication>
</aaa>
<!-- Hash algorithm used when setting leafs of type ianach:crypt-hash, -->
<!-- e.g. /aaa/authentication/users/user/password -->
<crypt-hash>
<algorithm>sha-512</algorithm>
</crypt-hash>
<!-- Disable this for performance critical applications, enabling -->
<!-- rollbacks means additional disk IO for each transaction -->
<rollback>
<enabled>true</enabled>
<directory>./logs</directory>
<history-size>500</history-size>
</rollback>
<cli>
<enabled>true</enabled>
<!-- Use the builtin SSH server -->
<ssh>
<enabled>true</enabled>
<ip>0.0.0.0</ip>
<port>2024</port>
</ssh>
<prompt1>\u@ncs> </prompt1>
<prompt2>\u@ncs% </prompt2>
<c-prompt1>\u@ncs# </c-prompt1>
<c-prompt2>\u@ncs(\m)# </c-prompt2>
<show-commit-progress>true</show-commit-progress>
<suppress-commit-message-context>maapi</suppress-commit-message-context>
<suppress-commit-message-context>system</suppress-commit-message-context>
<allow-abbrev-enums>true</allow-abbrev-enums>
<allow-case-insensitive-enums>true</allow-case-insensitive-enums>
</cli>
<webui>
<enabled>true</enabled>
<transport>
<tcp>
<enabled>true</enabled>
<ip>0.0.0.0</ip>
<port>8080</port>
</tcp>
<ssl>
<enabled>false</enabled>
<ip>0.0.0.0</ip>
<port>8888</port>
<key-file>${NCS_DIR}/etc/ncs/ssl/cert/host.key</key-file>
<cert-file>${NCS_DIR}/etc/ncs/ssl/cert/host.cert</cert-file>
<!-- <ha-primary-listen> -->
<!-- <ip>0.0.0.0</ip> -->
<!-- <port>28888</port> -->
<!-- </ha-primary-listen> -->
</ssl>
</transport>
<match-host-name>false</match-host-name>
<cgi>
<enabled>true</enabled>
<php>
<enabled>false</enabled>
</php>
</cgi>
</webui>
<restconf>
<enabled>true</enabled>
</restconf>
<netconf-north-bound>
<enabled>true</enabled>
<transport>
<ssh>
<enabled>true</enabled>
<ip>0.0.0.0</ip>
<port>2022</port>
<!-- <ha-primary-listen> -->
<!-- <ip>0.0.0.0</ip> -->
<!-- <port>22022</port> -->
<!-- </ha-primary-listen> -->
</ssh>
<tcp>
<enabled>false</enabled>
<ip>127.0.0.1</ip>
<port>2023</port>
</tcp>
</transport>
</netconf-north-bound>
<netconf-call-home>
<enabled>false</enabled>
<transport>
<tcp>
<ip>0.0.0.0</ip>
<port>4334</port>
</tcp>
</transport>
</netconf-call-home>
<!-- <ha-raft> -->
<!-- <enabled>true</enabled> -->
<!-- <dist-ip-version>ipv4</dist-ip-version> -->
<!-- <cluster-name>stockholm</cluster-name> -->
<!-- <listen> -->
<!-- <node-address>n1.ha-raft.cluster.example.org</node-address> -->
<!-- </listen> -->
<!-- <seed-nodes> -->
<!-- <seed-node>n2.ha-raft.cluster.example.org</seed-node> -->
<!-- </seed-nodes> -->
<!-- <ssl> -->
<!-- <ca-cert-file>${NCS_DIR}/etc/ncs/dist/ssl/certs/ca.crt</ca-cert-file> -->
<!-- <cert-file>${NCS_DIR}/etc/ncs/dist/ssl/certs/n1.crt</cert-file> -->
<!-- <key-file>${NCS_DIR}/etc/ncs/dist/ssl/private/n1.key</key-file> -->
<!-- </ssl> -->
<!-- </ha-raft> -->
<!-- <ha> -->
<!-- <enabled>true</enabled> -->
<!-- </ha> -->
<!-- Make sure that debug tools can be made visible. -->
<hide-group>
<name>debug</name>
</hide-group>
</ncs-config>