--- doc/sample.config.orig	2020-12-03 22:31:10 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
 #  This enabled PAM authentication of the user. The gid-min option is used
 # by auto-select-group option, in order to select the minimum valid group ID.
 #
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
+# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]
 #  The plain option requires specifying a password file which contains
 # entries of the following format.
 # "username:groupname1,groupname2:encoded-password"
@@ -28,7 +28,7 @@
 # an oath password file to be used for one time passwords; the format of
 # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
 #
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
+# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
 #  The radius option requires specifying freeradius-client configuration
 # file. If the groupconfig option is set, then config-per-user/group will be overridden,
 # and all configuration will be read from radius. That also includes the
@@ -47,10 +47,10 @@
 
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]"
+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
 #auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
 # Specify alternative authentication methods that are sufficient
 # for authentication. That is, if set, any of the methods enabled
@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]"
 #      PAM.
 #
 # Only one accounting method can be specified.
-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
+#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]"
 
 # Use listen-host to limit to specific IPs or to the IPs of a provided
 # hostname.
@@ -96,8 +96,8 @@ udp-port = 443
 # The user the worker processes will be run as. This should be a dedicated
 # unprivileged user (e.g., 'ocserv') and no other services should run as this
 # user.
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = %%USERS%%
+run-as-group = %%GROUPS%%
 
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
 # certificate renewal (they are checked and reloaded periodically;
 # a SIGHUP signal to main server will force reload).
 
-#server-cert = /etc/ocserv/server-cert.pem
-#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem
+server-cert = %%ETCDIR%%/server-cert.pem
+server-key = %%ETCDIR%%/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
 # versions of GnuTLS for supporting DHE ciphersuites.
 # Can be generated using:
-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
-#dh-params = /etc/ocserv/dh.pem
+# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem
+#dh-params = %%ETCDIR%%/dh.pem
 
 # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
 # in files. The srk-pin-file is applicable to TPM keys only, and is the 
 # storage root key.
-#pin-file = /etc/ocserv/pin.txt
-#srk-pin-file = /etc/ocserv/srkpin.txt
+#pin-file = %%ETCDIR%%/pin.txt
+#srk-pin-file = %%ETCDIR%%/srkpin.txt
 
 # The password or PIN needed to unlock the key in server-key file.
 # Only needed if the file is encrypted or a PKCS #11 object. This
@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-#ca-cert = /etc/ocserv/ca.pem
-ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/ca.pem
 
 
 ### All configuration options below this line are reloaded on a SIGHUP.
@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
 
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
 
 # A banner to be displayed on clients after connection
 #banner = "Welcome"
@@ -255,7 +246,7 @@ try-mtu-discovery = false
 # You can update this response periodically using:
 # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
 # Make sure that you replace the following file in an atomic way.
-#ocsp-response = /etc/ocserv/ocsp.der
+#ocsp-response = %%ETCDIR%%/ocsp.der
 
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN
@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
 # See the manual to generate an empty CRL initially. The CRL will be reloaded
 # periodically when ocserv detects a change in the file. To force a reload use
 # SIGHUP.
-#crl = /etc/ocserv/crl.pem
+#crl = %%ETCDIR%%/crl.pem
 
 # Uncomment this to enable compression negotiation (LZS, LZ4).
 #compression = true
@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0
 # Note the that following two firewalling options currently are available
 # in Linux systems with iptables software. 
 
-# If set, the script /usr/bin/ocserv-fw will be called to restrict
+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
 # the user to its allowed routes and prevent him from accessing
 # any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to
+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
 # access specific ports in the network. This option can be set globally
 # or in the per-user configuration.
 #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0
 # hostname to override any proposed by the user. Note also, that, any 
 # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
 
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = %%ETCDIR%%/config-per-user/
+#config-per-group = %%ETCDIR%%/config-per-group/
 
 # When config-per-xxx is specified and there is no group or user that
 # matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = %%ETCDIR%%/defaults/user.conf
+#default-group-config = %%ETCDIR%%/defaults/group.conf
 
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0
 # In MIT kerberos you'll need to add in realms:
 #   EXAMPLE.COM = {
 #     kdc = https://ocserv.example.com/KdcProxy
-#     http_anchors = FILE:/etc/ocserv-ca.pem
+#     http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
 #   }
 # In some distributions the krb5-k5tls plugin of kinit is required.
 #
@@ -701,13 +692,13 @@ dtls-legacy = true
 [vhost:www.example.com]
 auth = "certificate"
 
-ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/ca.pem
 
 # The certificate set here must include a 'dns_name' corresponding to
 # the virtual host name.
 
-server-cert = ../tests/certs/server-cert-secp521r1.pem
-server-key = ../tests/certs/server-key-secp521r1.pem
+server-cert = %%ETCDIR%%/server-cert-secp521r1.pem
+server-key = %%ETCDIR%%/server-key-secp521r1.pem
 
 ipv4-network = 192.168.2.0
 ipv4-netmask = 255.255.255.0