vyos-1x.git/src/helpers, branch 1.4.0-epa2

boot-config-loader: T1622: add missing groups to failsafe user

2024-01-10T07:11:39+00:00

This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe and back trace") and adds missing groups to the vyos user. Without this change the vyos user will only have operator (vyos@vyos>) privileges, even if this level is discontinued. One could hack himself up as the user has sudo rights, but rather place the user in the right groups from the beginning. NOTE: This user is only added if booted with "vyos-config-debug" and an error when the configuration can not be loaded at all. (cherry picked from commit 07e802a2d3f98cdf29928bf321cc8b89cb41766c)

pki: T5886: add support for ACME protocol (LetsEncrypt)

2024-01-08T20:11:13+00:00

The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate. vyos@vyos# set pki certificate NAME acme Possible completions: + domain-name Domain Name email Email address to associate with certificate listen-address Local IPv4 addresses to listen on rsa-key-size Size of the RSA key (default: 2048) url Remote URL (default: https://acme-v02.api.letsencrypt.org/directory) Users choose if the CLI based custom certificates are used set pki certificate EXAMPLE acme certificate or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted. set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored in under /config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI. Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates. (cherry picked from commit b8db1a9d7baf91b70c1b735e58710f1e2bc9fc7a) # Conflicts: # debian/control

image-tools: T5821: restore vrf-aware add system image

2023-12-17T02:37:11+00:00

(cherry picked from commit 90f2d9865051b00290dd5b7328a046e823b658dc)

T5763: fix imprecise check for remote file name

2023-11-20T17:33:05+00:00

(cherry picked from commit fe9b08665367b8e7d9b906a0760d44efc9b5cafb)

T5713: only strip "secret" CLI node and nothing else

2023-11-07T16:40:02+00:00

Commit 30eb308149 ("T5713: Strip string after "secret" in IPSEC config") had good intention but this will happen: use-secret foo CLI node will become " secret xxxxxx" so the output of strip-private invalidates the configuration. This has been changed to an exact match of "secret" only (cherry picked from commit 863af115df853987dd8ad25ecef3f0ea58485e83)

T5713: Strip string after "secret" in IPSEC config

2023-11-07T16:40:01+00:00

Make "strip-private" strip the string after "secret" (cherry picked from commit 30eb308149f24b7f15aa3e40ced6918a8a3a04b8)

config: T5631: save copy of config in JSON format on commit

2023-10-05T17:34:48+00:00

(cherry picked from commit 27605426a4ad613f45d36e7db5b1664dc3192981)

conf-mode: T5412: add script for add-on package check of dependencies

2023-09-27T17:53:03+00:00

(cherry picked from commit 0869b91c0b15ddedd72b4d0e1475c52eb45994f0)

utils: T5239: add low-level read from config.boot

2023-09-19T18:39:54+00:00

(cherry picked from commit 56d3f75de487c1dcfd075cf7b65cb16b6501d0ca)

save-config: T5551: check if None before write, as is the case at boot

2023-09-05T18:07:23+00:00

(cherry picked from commit 3fe5482a29042c92298d3e69d90c0c38404d2fcc)