summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/dynamic-dns/ddclient.conf.j22
-rw-r--r--data/templates/frr/bgpd.frr.j23
-rw-r--r--data/templates/load-balancing/haproxy.cfg.j2164
-rw-r--r--data/templates/load-balancing/override_haproxy.conf.j214
-rw-r--r--data/templates/mdns-repeater/avahi-daemon.j26
-rw-r--r--data/templates/ocserv/ocserv_config.j213
-rw-r--r--data/templates/rsyslog/rsyslog.conf.j22
7 files changed, 203 insertions, 1 deletions
diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2
index c2c9b1dd6..e8ef5ac90 100644
--- a/data/templates/dynamic-dns/ddclient.conf.j2
+++ b/data/templates/dynamic-dns/ddclient.conf.j2
@@ -34,7 +34,9 @@ zone={{ config.zone }}
# DynDNS provider configuration for {{ service }}, {{ dns_record }}
protocol={{ config.protocol }},
max-interval=28d,
+{% if config.login is vyos_defined %}
login={{ config.login }},
+{% endif %}
password='{{ config.password }}',
{% if config.server is vyos_defined %}
server={{ config.server }},
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 7bd9efdce..3e101820c 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -86,6 +86,9 @@
{% if config.solo is vyos_defined %}
neighbor {{ neighbor }} solo
{% endif %}
+{% if config.enforce_first_as is vyos_defined %}
+ neighbor {{ neighbor }} enforce-first-as
+{% endif %}
{% if config.strict_capability_match is vyos_defined %}
neighbor {{ neighbor }} strict-capability-match
{% endif %}
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
new file mode 100644
index 000000000..f8e1587f8
--- /dev/null
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -0,0 +1,164 @@
+# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
+
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+{% if global_parameters is vyos_defined %}
+{% if global_parameters.max_connections is vyos_defined %}
+ maxconn {{ global_parameters.max_connections }}
+{% endif %}
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+{% if global_parameters.ssl_bind_ciphers is vyos_defined %}
+ # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6
+ ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }}
+{% endif %}
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+{% if global_parameters.tls_version_min is vyos_defined('1.3') %}
+ ssl-default-bind-options force-tlsv13
+{% else %}
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+{% endif %}
+{% endif %}
+
+defaults
+ log global
+ mode http
+ option dontlognull
+ timeout connect 10s
+ timeout client 50s
+ timeout server 50s
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+# Frontend
+{% if service is vyos_defined %}
+{% for front, front_config in service.items() %}
+frontend {{ front }}
+{% set ssl_front = 'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
+{% if front_config.listen_address is vyos_defined %}
+{% for address in front_config.listen_address %}
+ bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_front }}
+{% endfor %}
+{% else %}
+ bind :::{{ front_config.port }} v4v6 {{ ssl_front }}
+{% endif %}
+{% if front_config.redirect_http_to_https is vyos_defined %}
+ http-request redirect scheme https unless { ssl_fc }
+{% endif %}
+{% if front_config.mode is vyos_defined %}
+ mode {{ front_config.mode }}
+{% endif %}
+{% if front_config.rule is vyos_defined %}
+{% for rule, rule_config in front_config.rule.items() %}
+ # rule {{ rule }}
+{% if rule_config.domain_name is vyos_defined and rule_config.set.backend is vyos_defined %}
+{% set rule_options = 'hdr(host)' %}
+{% if rule_config.ssl is vyos_defined %}
+{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
+{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
+{% endif %}
+{% for domain in rule_config.domain_name %}
+ acl {{ rule }} {{ rule_options }} -i {{ domain }}
+{% endfor %}
+ use_backend {{ rule_config.set.backend }} if {{ rule }}
+{% endif %}
+{# path url #}
+{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
+{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
+{% for path, path_config in rule_config.url_path.items() %}
+{% for url in path_config %}
+ acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
+{% endfor %}
+{% endfor %}
+ http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
+{% endif %}
+{# endpath #}
+{% endfor %}
+{% endif %}
+{% if front_config.backend is vyos_defined %}
+{% for backend in front_config.backend %}
+ default_backend {{ backend }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+{% endif %}
+
+# Backend
+{% if backend is vyos_defined %}
+{% for back, back_config in backend.items() %}
+backend {{ back }}
+{% if back_config.balance is vyos_defined %}
+{% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %}
+ balance {{ balance_translate[back_config.balance] }}
+{% endif %}
+{# If mode is not TCP skip Forwarded #}
+{% if back_config.mode is not vyos_defined('tcp') %}
+ option forwardfor
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request add-header X-Forwarded-Proto https if { ssl_fc }
+{% endif %}
+{% if back_config.mode is vyos_defined %}
+ mode {{ back_config.mode }}
+{% endif %}
+{% if back_config.rule is vyos_defined %}
+{% for rule, rule_config in back_config.rule.items() %}
+{% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %}
+{% set rule_options = 'hdr(host)' %}
+{% if rule_config.ssl is vyos_defined %}
+{% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
+{% set rule_options = ssl_rule_translate[rule_config.ssl] %}
+{% endif %}
+{% for domain in rule_config.domain_name %}
+ acl {{ rule }} {{ rule_options }} -i {{ domain }}
+{% endfor %}
+ use-server {{ rule_config.set.server }} if {{ rule }}
+{% endif %}
+{# path url #}
+{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
+{% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
+{% for path, path_config in rule_config.url_path.items() %}
+{% for url in path_config %}
+ acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
+{% endfor %}
+{% endfor %}
+ http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
+{% endif %}
+{# endpath #}
+{% endfor %}
+{% endif %}
+{% if back_config.server is vyos_defined %}
+{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
+{% for server, server_config in back_config.server.items() %}
+ server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+{% endfor %}
+{% endif %}
+{% if back_config.timeout.check is vyos_defined %}
+ timeout check {{ back_config.timeout.check }}
+{% endif %}
+{% if back_config.timeout.connect is vyos_defined %}
+ timeout connect {{ back_config.timeout.connect }}
+{% endif %}
+{% if back_config.timeout.server is vyos_defined %}
+ timeout server {{ back_config.timeout.server }}
+{% endif %}
+
+{% endfor %}
+{% endif %}
+
diff --git a/data/templates/load-balancing/override_haproxy.conf.j2 b/data/templates/load-balancing/override_haproxy.conf.j2
new file mode 100644
index 000000000..395b5d279
--- /dev/null
+++ b/data/templates/load-balancing/override_haproxy.conf.j2
@@ -0,0 +1,14 @@
+{% set haproxy_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+ConditionPathExists=/run/haproxy/haproxy.cfg
+
+[Service]
+EnvironmentFile=
+Environment=
+Environment="CONFIG=/run/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
+ExecStart=
+ExecStart={{ haproxy_command }}/usr/sbin/haproxy -Ws -f /run/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
+Restart=always
+RestartSec=10
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.j2
index 65bb5a306..3aaa7fc82 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.j2
@@ -2,6 +2,9 @@
use-ipv4=yes
use-ipv6=yes
allow-interfaces={{ interface | join(', ') }}
+{% if browse_domain is vyos_defined and browse_domain | length %}
+browse-domains={{ browse_domain | join(', ') }}
+{% endif %}
disallow-other-stacks=no
[wide-area]
@@ -16,3 +19,6 @@ publish-workstation=no
[reflector]
enable-reflector=yes
+{% if allow_service is vyos_defined and allow_service | length %}
+reflect-filters={{ allow_service | join(', ') }}
+{% endif %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index aa1073bca..1401b8b26 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -16,6 +16,12 @@ acct = "radius [config=/run/ocserv/radiusclient.conf]"
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
+{% if authentication.identity_based_config.disabled is not vyos_defined %}
+{% if "group" in authentication.identity_based_config.mode %}
+config-per-group = {{ authentication.identity_based_config.directory }}
+default-group-config = {{ authentication.identity_based_config.default_config }}
+{% endif %}
+{% endif %}
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
@@ -28,6 +34,13 @@ auth = "plain[/run/ocserv/ocpasswd]"
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}
+{% if "identity_based_config" in authentication %}
+{% if "user" in authentication.identity_based_config.mode %}
+config-per-user = {{ authentication.identity_based_config.directory }}
+default-user-config = {{ authentication.identity_based_config.default_config }}
+{% endif %}
+{% endif %}
+
{% if ssl.certificate is vyos_defined %}
server-cert = /run/ocserv/cert.pem
server-key = /run/ocserv/cert.key
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
index 0460ae5f0..5352fc367 100644
--- a/data/templates/rsyslog/rsyslog.conf.j2
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
{% endfor %}
{% if host_options.protocol is vyos_defined('tcp') %}
-{% if host_options.oct_count is vyos_defined %}
+{% if host_options.format.octet_counted is vyos_defined %}
{{ tmp | join(';') }} @@(o){{ host_name | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format
{% else %}
{{ tmp | join(';') }} @@{{ host_name | bracketize_ipv6 }}:{{ host_options.port }}