Diffstat (limited to 'data/templates')
-rw-r--r-- | data/templates/dynamic-dns/ddclient.conf.j2 | 2 | ||||
-rw-r--r-- | data/templates/frr/bgpd.frr.j2 | 3 | ||||
-rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 164 | ||||
-rw-r--r-- | data/templates/load-balancing/override_haproxy.conf.j2 | 14 | ||||
-rw-r--r-- | data/templates/mdns-repeater/avahi-daemon.j2 | 6 | ||||
-rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 13 | ||||
-rw-r--r-- | data/templates/rsyslog/rsyslog.conf.j2 | 2 |
7 files changed, 203 insertions, 1 deletions
diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2
index c2c9b1dd6..e8ef5ac90 100644
--- a/data/templates/dynamic-dns/ddclient.conf.j2
+++ b/data/templates/dynamic-dns/ddclient.conf.j2
@@ -34,7 +34,9 @@ zone={{ config.zone }}
 # DynDNS provider configuration for {{ service }}, {{ dns_record }}
 protocol={{ config.protocol }},
 max-interval=28d,
+{% if config.login is vyos_defined %}
 login={{ config.login }},
+{% endif %}
 password='{{ config.password }}',
 {% if config.server is vyos_defined %}
 server={{ config.server }},
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 7bd9efdce..3e101820c 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -86,6 +86,9 @@
 {% if config.solo is vyos_defined %}
 neighbor {{ neighbor }} solo
 {% endif %}
+{% if config.enforce_first_as is vyos_defined %}
+ neighbor {{ neighbor }} enforce-first-as
+{% endif %}
 {% if config.strict_capability_match is vyos_defined %}
 neighbor {{ neighbor }} strict-capability-match
 {% endif %}
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
new file mode 100644
index 000000000..f8e1587f8
--- /dev/null
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -0,0 +1,164 @@
+# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
+
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+{% if global_parameters is vyos_defined %}
+{% if global_parameters.max_connections is vyos_defined %}
+ maxconn {{ global_parameters.max_connections }}
+{% endif %}
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+{% if global_parameters.ssl_bind_ciphers is vyos_defined %}
+ # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6
+ ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }}
+{% endif %}
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+{% if global_parameters.tls_version_min is vyos_defined('1.3') %}
+ ssl-default-bind-options force-tlsv13
+{% else %}
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+{% endif %}
+{% endif %}
+
+defaults
+ log global
+ mode http
+ option dontlognull
+ timeout connect 10s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+# Frontend
+{% if service is vyos_defined %}
+{% for front, front_config in service.items() %}
+frontend {{ front }}
+{% set ssl_front = 'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
+{% if front_config.listen_address is vyos_defined %}
+{% for address in front_config.listen_address %}
+ bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_front }}
+{% endfor %}
+{% else %}
+ bind :::{{ front_config.port }} v4v6 {{ ssl_front }}
+{% endif %}
+{% if front_config.redirect_http_to_https is vyos_defined %}
+ http-request redirect scheme https unless { ssl_fc }
+{% endif %}
+{% if front_config.mode is vyos_defined %}
+ mode {{ front_config.mode }}
+{% endif %}
+{% if front_config.rule is vyos_defined %}
+{% for rule, rule_config in front_config.rule.items() %}
+ # rule {{ rule }}
+{% if rule_config.domain_name is vyos_defined and rule_config.set.backend is vyos_defined %}
+{% set rule_options = 'hdr(host)' %}
+{% if rule_config.ssl is vyos_defined %}
+{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
+{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
+{% endif %}
+{% for domain in rule_config.domain_name %}
+ acl {{ rule }} {{ rule_options }} -i {{ domain }}
+{% endfor %}
+ use_backend {{ rule_config.set.backend }} if {{ rule }}
+{% endif %}
+{# path url #}
+{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
+{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
+{% for path, path_config in rule_config.url_path.items() %}
+{% for url in path_config %}
+ acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
+{% endfor %}
+{% endfor %}
+ http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
+{% endif %}
+{# endpath #}
+{% endfor %}
+{% endif %}
+{% if front_config.backend is vyos_defined %}
+{% for backend in front_config.backend %}
+ default_backend {{ backend }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+{% endif %}
+
+# Backend
+{% if backend is vyos_defined %}
+{% for back, back_config in backend.items() %}
+backend {{ back }}
+{% if back_config.balance is vyos_defined %}
+{% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %}
+ balance {{ balance_translate[back_config.balance] }}
+{% endif %}
+{# If mode is not TCP skip Forwarded #}
+{% if back_config.mode is not vyos_defined('tcp') %}
+ option forwardfor
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request add-header X-Forwarded-Proto https if { ssl_fc }
+{% endif %}
+{% if back_config.mode is vyos_defined %}
+ mode {{ back_config.mode }}
+{% endif %}
+{% if back_config.rule is vyos_defined %}
+{% for rule, rule_config in back_config.rule.items() %}
+{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %}
+{% set rule_options = 'hdr(host)' %}
+{% if rule_config.ssl is vyos_defined %}
+{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
+{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
+{% endif %}
+{% for domain in rule_config.domain_name %}
+ acl {{ rule }} {{ rule_options }} -i {{ domain }}
+{% endfor %}
+ use-server {{ rule_config.set.server }} if {{ rule }}
+{% endif %}
+{# path url #}
+{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
+{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
+{% for path, path_config in rule_config.url_path.items() %}
+{% for url in path_config %}
+ acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
+{% endfor %}
+{% endfor %}
+ http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
+{% endif %}
+{# endpath #}
+{% endfor %}
+{% endif %}
+{% if back_config.server is vyos_defined %}
+{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
+{% for server, server_config in back_config.server.items() %}
+ server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+{% endfor %}
+{% endif %}
+{% if back_config.timeout.check is vyos_defined %}
+ timeout check {{ back_config.timeout.check }}
+{% endif %}
+{% if back_config.timeout.connect is vyos_defined %}
+ timeout connect {{ back_config.timeout.connect }}
+{% endif %}
+{% if back_config.timeout.server is vyos_defined %}
+ timeout server {{ back_config.timeout.server }}
+{% endif %}
+
+{% endfor %}
+{% endif %}
+
diff --git a/data/templates/load-balancing/override_haproxy.conf.j2 b/data/templates/load-balancing/override_haproxy.conf.j2
new file mode 100644
index 000000000..395b5d279
--- /dev/null
+++ b/data/templates/load-balancing/override_haproxy.conf.j2
@@ -0,0 +1,14 @@
+{% set haproxy_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+ConditionPathExists=/run/haproxy/haproxy.cfg
+
+[Service]
+EnvironmentFile=
+Environment=
+Environment="CONFIG=/run/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
+ExecStart=
+ExecStart={{ haproxy_command }}/usr/sbin/haproxy -Ws -f /run/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
+Restart=always
+RestartSec=10
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.j2
index 65bb5a306..3aaa7fc82 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.j2
@@ -2,6 +2,9 @@
 use-ipv4=yes
 use-ipv6=yes
 allow-interfaces={{ interface | join(', ') }}
+{% if browse_domain is vyos_defined and browse_domain | length %}
+browse-domains={{ browse_domain | join(', ') }}
+{% endif %}
 disallow-other-stacks=no
 [wide-area]
@@ -16,3 +19,6 @@ publish-workstation=no
 [reflector]
 enable-reflector=yes
+{% if allow_service is vyos_defined and allow_service | length %}
+reflect-filters={{ allow_service | join(', ') }}
+{% endif %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index aa1073bca..1401b8b26 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -16,6 +16,12 @@ acct = "radius [config=/run/ocserv/radiusclient.conf]"
 {% if "radius" in authentication.mode %}
 auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
+{% if authentication.identity_based_config.disabled is not vyos_defined %}
+{% if "group" in authentication.identity_based_config.mode %}
+config-per-group = {{ authentication.identity_based_config.directory }}
+default-group-config = {{ authentication.identity_based_config.default_config }}
+{% endif %}
+{% endif %}
 {% elif "local" in authentication.mode %}
 {% if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
@@ -28,6 +34,13 @@ auth = "plain[/run/ocserv/ocpasswd]"
 auth = "plain[/run/ocserv/ocpasswd]"
 {% endif %}
+{% if "identity_based_config" in authentication %}
+{% if "user" in authentication.identity_based_config.mode %}
+config-per-user = {{ authentication.identity_based_config.directory }}
+default-user-config = {{ authentication.identity_based_config.default_config }}
+{% endif %}
+{% endif %}
+
 {% if ssl.certificate is vyos_defined %}
 server-cert = /run/ocserv/cert.pem
 server-key = /run/ocserv/cert.key
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
index 0460ae5f0..5352fc367 100644
--- a/data/templates/rsyslog/rsyslog.conf.j2
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
 {% endfor %}
 {% if host_options.protocol is vyos_defined('tcp') %}
-{% if host_options.oct_count is vyos_defined %}
+{% if host_options.format.octet_counted is vyos_defined %}
 {{ tmp | join(';') }} @@(o){{ host_name | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format
 {% else %}
 {{ tmp | join(';') }} @@{{ host_name | bracketize_ipv6 }}:{{ host_options.port }} |
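Review bot: The newly conditional `login={{ config.login }},` line is emitted unquoted while the adjacent `password='{{ config.password }}',` line is single-quoted, so a login containing a comma or whitespace would break the generated ddclient.conf where the password line would not; quoting it the same way, `login='{{ config.login }}',`, keeps the two consistent, assuming ddclient accepts quoted values for `login` as it does for `password`. A short template comment stating why `login` is now optional would also help the next reader, e.g. `{# login is optional: presumably some providers authenticate with the password/token alone — confirm against the provider list #}`.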
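Review bot: The TLS hardening in the `global` section (the `ssl-default-bind-ciphersuites` line and the `tls_version_min` branch that emits `ssl-min-ver TLSv1.2 no-tls-tickets`) is rendered only inside `{% if global_parameters is vyos_defined %}`, so a load balancer configured without any global parameter falls back to whatever TLS floor the installed HAProxy build applies by default rather than the TLS 1.2 floor the template intends; closing that `{% if %}` right after the `maxconn` block and leaving the SSL defaults unconditional fixes it, and the chained `global_parameters.tls_version_min is vyos_defined('1.3')` test should then still fall into the else branch, as the template already relies on for `front_config.ssl.certificate`. The `1.3` branch also drops the `no-tls-tickets` that the `1.2` branch sets; `ssl-default-bind-options force-tlsv13 no-tls-tickets` keeps the two consistent. In the backend section, `http-request add-header X-Forwarded-Proto https if { ssl_fc }` appends to any client-supplied X-Forwarded-Proto instead of replacing it, so which value a backend honours depends on its own header parsing; `http-request set-header X-Forwarded-Proto https if { ssl_fc }` is the safer form, and the same caveat applies to `option forwardfor`, which leaves a client-sent X-Forwarded-For in place. Note too that the domain ACL and the url-path ACL of one rule share the name `{{ rule }}`, which HAProxy evaluates as a single OR-ed ACL, so a rule carrying both a domain match and a url-path redirect fires the redirect on the domain match as well — a suffix such as `{{ rule }}_path` for the path ACL and its `if` keeps them separate.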
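Review bot: `ExecStart` passes `-S /run/haproxy-master.sock` with no bind options, so the master CLI socket is created with whatever permissions the haproxy binary applies by default; because the master CLI can trigger reloads and reach the workers' admin-level sockets, the mode should be stated explicitly, e.g. `-S /run/haproxy-master.sock,mode,600` (HAProxy's `-S` takes comma-separated bind options). The same path is duplicated in the `EXTRAOPTS=` environment line, which this override's `ExecStart` no longer reads; presumably the distribution unit's `ExecReload`, not overridden here, still uses `$CONFIG`/`$EXTRAOPTS`, so a comment saying that these variables are kept for the reload path would explain the duplication and stop someone from dropping the line. The `{% set haproxy_command = 'ip vrf exec ' ~ vrf ~ ' ' ... %}` prefix interpolates `vrf` straight into a systemd command line; a comment noting that it relies on the CLI having validated the VRF name would make that assumption visible.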
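Review bot: The `config-per-user`/`default-user-config` block in the second ocserv hunk is guarded only by `{% if "identity_based_config" in authentication %}`, whereas the `config-per-group` block in the first hunk additionally requires `authentication.identity_based_config.disabled is not vyos_defined`, so setting `disabled` suppresses the group directives but still emits the per-user ones; the same guard, `{% if "identity_based_config" in authentication and authentication.identity_based_config.disabled is not vyos_defined %}`, would make the two hunks agree. Conversely, the first hunk reads `authentication.identity_based_config.disabled` and `.mode` without first checking that `identity_based_config` exists, which only works if the template environment's undefined type tolerates chained attribute access — adding the `"identity_based_config" in authentication` test there too removes the dependency. Whether the second block sits inside the `local` branch of the `{% if "radius" in authentication.mode %} … {% elif "local" … %}` chain or after it cannot be told from the hunk, since the chain's remaining lines are outside it; a one-line comment above the block stating which modes it applies to would settle that for readers.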