Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/dhcp-client/daemon-options.j24
-rw-r--r--data/templates/dhcp-client/daemon-options.tmpl4
-rw-r--r--data/templates/dhcp-client/ipv4.j2 (renamed from data/templates/dhcp-client/ipv4.tmpl)10
-rw-r--r--data/templates/dhcp-client/ipv6.j2 (renamed from data/templates/dhcp-client/ipv6.tmpl)44
-rw-r--r--data/templates/dhcp-relay/dhcrelay.conf.j2 (renamed from data/templates/dhcp-relay/dhcrelay.conf.tmpl)0
-rw-r--r--data/templates/dhcp-relay/dhcrelay6.conf.j2 (renamed from data/templates/dhcp-relay/dhcrelay6.conf.tmpl)16
-rw-r--r--data/templates/dhcp-server/dhcpd.conf.j2 (renamed from data/templates/dhcp-server/dhcpd.conf.tmpl)230
-rw-r--r--data/templates/dhcp-server/dhcpdv6.conf.j2132
-rw-r--r--data/templates/dhcp-server/dhcpdv6.conf.tmpl124
-rw-r--r--data/templates/dns-forwarding/recursor.conf.j2 (renamed from data/templates/dns-forwarding/recursor.conf.tmpl)1
-rw-r--r--data/templates/dns-forwarding/recursor.conf.lua.j2 (renamed from data/templates/dns-forwarding/recursor.conf.lua.tmpl)0
-rw-r--r--data/templates/dns-forwarding/recursor.forward-zones.conf.j2 (renamed from data/templates/dns-forwarding/recursor.forward-zones.conf.tmpl)15
-rw-r--r--data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 (renamed from data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl)22
-rw-r--r--data/templates/dns-forwarding/recursor.zone.conf.j2 (renamed from data/templates/dns-forwarding/recursor.zone.conf.tmpl)3
-rw-r--r--data/templates/dynamic-dns/ddclient.conf.j251
-rw-r--r--data/templates/dynamic-dns/ddclient.conf.tmpl51
-rw-r--r--data/templates/firewall/nftables-nat.tmpl15
-rw-r--r--data/templates/frr/staticd.frr.j28
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl2
-rw-r--r--data/templates/monitoring/telegraf.tmpl6
-rw-r--r--data/templates/openvpn/auth.pw.j2 (renamed from data/templates/openvpn/auth.pw.tmpl)0
-rw-r--r--data/templates/openvpn/client.conf.j2 (renamed from data/templates/openvpn/client.conf.tmpl)24
-rw-r--r--data/templates/openvpn/server.conf.j2 (renamed from data/templates/openvpn/server.conf.tmpl)186
-rw-r--r--data/templates/openvpn/service-override.conf.j221
-rw-r--r--data/templates/openvpn/service-override.conf.tmpl20
-rw-r--r--data/templates/salt-minion/minion.j2 (renamed from data/templates/salt-minion/minion.tmpl)18
-rw-r--r--data/templates/vyos-hostsd/hosts.j2 (renamed from data/templates/vyos-hostsd/hosts.tmpl)13
-rw-r--r--data/templates/vyos-hostsd/resolv.conf.j2 (renamed from data/templates/vyos-hostsd/resolv.conf.tmpl)14
28 files changed, 536 insertions, 498 deletions
diff --git a/data/templates/dhcp-client/daemon-options.j2 b/data/templates/dhcp-client/daemon-options.j2
new file mode 100644
index 000000000..b21ad08ab
--- /dev/null
+++ b/data/templates/dhcp-client/daemon-options.j2
@@ -0,0 +1,4 @@
+### Autogenerated by interface.py ###
+{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %}
+DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases {{ if_metric }} {{ ifname }}"
+
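Review bot: `ifname` and `default_route_distance` are interpolated straight into the double-quoted `DHCLIENT_OPTS="..."` assignment, so the line is only well-formed if both values are already restricted to characters that are inert inside a quoted string. Whatever reads this file (a shell `source` or a service environment file; the consumer is not visible in this diff) would treat a quote or expansion character in either value as syntax rather than data. I would state the assumption in the template once it has been confirmed against the interface definitions, for example `{# ifname and default_route_distance are validated by the CLI before rendering #}`. The new form also leaves two spaces before `{{ ifname }}` when no distance is set, which is harmless but differs from the old output.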
diff --git a/data/templates/dhcp-client/daemon-options.tmpl b/data/templates/dhcp-client/daemon-options.tmpl
deleted file mode 100644
index 5b3bff73f..000000000
--- a/data/templates/dhcp-client/daemon-options.tmpl
+++ /dev/null
@@ -1,4 +0,0 @@
-### Autogenerated by interface.py ###
-
-DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases{{" -e IF_METRIC=" ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined }} {{ ifname }}"
-
diff --git a/data/templates/dhcp-client/ipv4.tmpl b/data/templates/dhcp-client/ipv4.j2
index 83fb93dc1..cc5ddf09c 100644
--- a/data/templates/dhcp-client/ipv4.tmpl
+++ b/data/templates/dhcp-client/ipv4.j2
@@ -8,12 +8,12 @@ initial-interval 2;
interface "{{ ifname }}" {
send host-name "{{ dhcp_options.host_name }}";
{% if dhcp_options.client_id is vyos_defined %}
-{% set client_id = dhcp_options.client_id %}
+{% set client_id = dhcp_options.client_id %}
{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #}
-{% if not dhcp_options.client_id.split(':') | length >= 5 %}
-{% set client_id = '"' + dhcp_options.client_id + '"' %}
-{% endif %}
- send dhcp-client-identifier {{ client_id }};
+{% if not dhcp_options.client_id.split(':') | length >= 5 %}
+{% set client_id = '"' + dhcp_options.client_id + '"' %}
+{% endif %}
+ send dhcp-client-identifier {{ client_id }};
{% endif %}
{% if dhcp_options.vendor_class_id is vyos_defined %}
send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
diff --git a/data/templates/dhcp-client/ipv6.tmpl b/data/templates/dhcp-client/ipv6.j2
index 085cfe5a9..e136b1789 100644
--- a/data/templates/dhcp-client/ipv6.tmpl
+++ b/data/templates/dhcp-client/ipv6.j2
@@ -8,53 +8,53 @@ interface {{ ifname }} {
{% if address is vyos_defined and 'dhcpv6' in address %}
request domain-name-servers;
request domain-name;
-{% if dhcpv6_options.parameters_only is vyos_defined %}
+{% if dhcpv6_options.parameters_only is vyos_defined %}
information-only;
-{% endif %}
-{% if dhcpv6_options.temporary is not vyos_defined %}
+{% endif %}
+{% if dhcpv6_options.temporary is not vyos_defined %}
send ia-na 0; # non-temporary address
-{% endif %}
-{% if dhcpv6_options.rapid_commit is vyos_defined %}
+{% endif %}
+{% if dhcpv6_options.rapid_commit is vyos_defined %}
send rapid-commit; # wait for immediate reply instead of advertisements
-{% endif %}
+{% endif %}
{% endif %}
{% if dhcpv6_options.pd is vyos_defined %}
-{% for pd in dhcpv6_options.pd %}
+{% for pd in dhcpv6_options.pd %}
send ia-pd {{ pd }}; # prefix delegation #{{ pd }}
-{% endfor %}
+{% endfor %}
{% endif %}
};
{% if address is vyos_defined and 'dhcpv6' in address %}
-{% if dhcpv6_options.temporary is not vyos_defined %}
+{% if dhcpv6_options.temporary is not vyos_defined %}
id-assoc na 0 {
# Identity association for non temporary address
};
-{% endif %}
+{% endif %}
{% endif %}
{% if dhcpv6_options.pd is vyos_defined %}
-{% for pd, pd_config in dhcpv6_options.pd.items() %}
+{% for pd, pd_config in dhcpv6_options.pd.items() %}
id-assoc pd {{ pd }} {
{# length got a default value #}
prefix ::/{{ pd_config.length }} infinity;
-{% set sla_len = 64 - pd_config.length|int %}
-{% set count = namespace(value=0) %}
-{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %}
+{% set sla_len = 64 - pd_config.length | int %}
+{% set count = namespace(value=0) %}
+{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %}
prefix-interface {{ interface }} {
sla-len {{ sla_len }};
-{% if interface_config.sla_id is vyos_defined %}
+{% if interface_config.sla_id is vyos_defined %}
sla-id {{ interface_config.sla_id }};
-{% else %}
+{% else %}
sla-id {{ count.value }};
-{% endif %}
-{% if interface_config.address is vyos_defined %}
+{% endif %}
+{% if interface_config.address is vyos_defined %}
ifid {{ interface_config.address }};
-{% endif %}
+{% endif %}
};
-{% set count.value = count.value + 1 %}
-{% endfor %}
+{% set count.value = count.value + 1 %}
+{% endfor %}
};
-{% endfor %}
+{% endfor %}
{% endif %}
diff --git a/data/templates/dhcp-relay/dhcrelay.conf.tmpl b/data/templates/dhcp-relay/dhcrelay.conf.j2
index 11710bd8e..11710bd8e 100644
--- a/data/templates/dhcp-relay/dhcrelay.conf.tmpl
+++ b/data/templates/dhcp-relay/dhcrelay.conf.j2
diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.tmpl b/data/templates/dhcp-relay/dhcrelay6.conf.j2
index 1fd5de18c..6365346b4 100644
--- a/data/templates/dhcp-relay/dhcrelay6.conf.tmpl
+++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2
@@ -3,18 +3,18 @@
{# upstream_interface is mandatory so it's always present #}
{% set upstream = namespace(value='') %}
{% for interface, config in upstream_interface.items() %}
-{% for address in config.address %}
-{% set upstream.value = upstream.value ~ '-u ' ~ address ~ '%' ~ interface ~ ' ' %}
-{% endfor %}
+{% for address in config.address %}
+{% set upstream.value = upstream.value ~ '-u ' ~ address ~ '%' ~ interface ~ ' ' %}
+{% endfor %}
{% endfor %}
{# listen_interface is mandatory so it's always present #}
{% set listen = namespace(value='') %}
{% for interface, config in listen_interface.items() %}
-{% if config.address is vyos_defined %}
-{% set listen.value = listen.value ~ '-l ' ~ config.address ~ '%' ~ interface ~ ' ' %}
-{% else %}
-{% set listen.value = listen.value ~ '-l ' ~ interface ~ ' ' %}
-{% endif %}
+{% if config.address is vyos_defined %}
+{% set listen.value = listen.value ~ '-l ' ~ config.address ~ '%' ~ interface ~ ' ' %}
+{% else %}
+{% set listen.value = listen.value ~ '-l ' ~ interface ~ ' ' %}
+{% endif %}
{% endfor %}
OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}"
diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.j2
index efc144a1e..4c2da0aa5 100644
--- a/data/templates/dhcp-server/dhcpd.conf.tmpl
+++ b/data/templates/dhcp-server/dhcpd.conf.j2
@@ -23,24 +23,33 @@ option rfc3442-static-route code 121 = array of integer 8;
option windows-static-route code 249 = array of integer 8;
option wpad-url code 252 = text;
+# Vendor specific options - Ubiquiti Networks
+option space ubnt;
+option ubnt.unifi-controller code 1 = ip-address;
+class "ubnt" {
+ match if substring (option vendor-class-identifier , 0, 4) = "ubnt";
+ option vendor-class-identifier "ubnt";
+ vendor-option-space ubnt;
+}
+
{% if global_parameters is vyos_defined %}
# The following {{ global_parameters | length }} line(s) have been added as
# global-parameters in the CLI and have not been validated !!!
-{% for parameter in global_parameters %}
+{% for parameter in global_parameters %}
{{ parameter }}
-{% endfor %}
+{% endfor %}
{% endif %}
{% if failover is vyos_defined %}
# DHCP failover configuration
failover peer "{{ failover.name }}" {
-{% if failover.status == 'primary' %}
+{% if failover.status == 'primary' %}
primary;
mclt 1800;
split 128;
-{% elif failover.status == 'secondary' %}
+{% elif failover.status == 'secondary' %}
secondary;
-{% endif %}
+{% endif %}
address {{ failover.source_address }};
port 647;
peer address {{ failover.remote }};
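Review bot: The `option space ubnt` declaration and the `class "ubnt"` block are emitted into every generated dhcpd.conf, whether or not any subnet sets a UniFi controller address. That looks intentional, since the per-subnet `option ubnt.unifi-controller` line needs the option space declared globally, but the comment above the block only names the vendor. I would extend it to say what the class does, for example `# Clients whose vendor-class-identifier starts with "ubnt" receive options from the ubnt space as vendor-encapsulated options`.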
@@ -53,170 +62,173 @@ failover peer "{{ failover.name }}" {
{% if listen_address is vyos_defined %}
# DHCP server serving relay subnet, we need a connector to the real world
-{% for address in listen_address %}
+{% for address in listen_address %}
# Connected subnet statement for listen-address {{ address }}
subnet {{ address | network_from_ipv4 }} netmask {{ address | netmask_from_ipv4 }} { }
-{% endfor %}
+{% endfor %}
{% endif %}
# Shared network configration(s)
{% if shared_network_name is vyos_defined %}
-{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %}
+{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %}
shared-network {{ network }} {
-{% if network_config.authoritative is vyos_defined %}
+{% if network_config.authoritative is vyos_defined %}
authoritative;
-{% endif %}
-{% if network_config.name_server is vyos_defined %}
+{% endif %}
+{% if network_config.name_server is vyos_defined %}
option domain-name-servers {{ network_config.name_server | join(', ') }};
-{% endif %}
-{% if network_config.domain_name is vyos_defined %}
+{% endif %}
+{% if network_config.domain_name is vyos_defined %}
option domain-name "{{ network_config.domain_name }}";
-{% endif %}
-{% if network_config.domain_search is vyos_defined %}
+{% endif %}
+{% if network_config.domain_search is vyos_defined %}
option domain-search "{{ network_config.domain_search | join('", "') }}";
-{% endif %}
-{% if network_config.ntp_server is vyos_defined %}
+{% endif %}
+{% if network_config.ntp_server is vyos_defined %}
option ntp-servers {{ network_config.ntp_server | join(', ') }};
-{% endif %}
-{% if network_config.ping_check is vyos_defined %}
+{% endif %}
+{% if network_config.ping_check is vyos_defined %}
ping-check true;
-{% endif %}
-{% if network_config.shared_network_parameters is vyos_defined %}
+{% endif %}
+{% if network_config.shared_network_parameters is vyos_defined %}
# The following {{ network_config.shared_network_parameters | length }} line(s)
# were added as shared-network-parameters in the CLI and have not been validated
-{% for parameter in network_config.shared_network_parameters %}
+{% for parameter in network_config.shared_network_parameters %}
{{ parameter }}
-{% endfor %}
-{% endif %}
-{% if network_config.subnet is vyos_defined %}
-{% for subnet, subnet_config in network_config.subnet.items() %}
-{% if subnet_config.description is vyos_defined %}
- # {{ subnet_config.description }}
+{% endfor %}
{% endif %}
+{% if network_config.subnet is vyos_defined %}
+{% for subnet, subnet_config in network_config.subnet.items() %}
+{% if subnet_config.description is vyos_defined %}
+ # {{ subnet_config.description }}
+{% endif %}
subnet {{ subnet | address_from_cidr }} netmask {{ subnet | netmask_from_cidr }} {
-{% if subnet_config.name_server is vyos_defined %}
+{% if subnet_config.name_server is vyos_defined %}
option domain-name-servers {{ subnet_config.name_server | join(', ') }};
-{% endif %}
-{% if subnet_config.domain_name is vyos_defined %}
+{% endif %}
+{% if subnet_config.domain_name is vyos_defined %}
option domain-name "{{ subnet_config.domain_name }}";
-{% endif %}
-{% if subnet_config.domain_search is vyos_defined %}
+{% endif %}
+{% if subnet_config.domain_search is vyos_defined %}
option domain-search "{{ subnet_config.domain_search | join('", "') }}";
-{% endif %}
-{% if subnet_config.ntp_server is vyos_defined %}
+{% endif %}
+{% if subnet_config.ntp_server is vyos_defined %}
option ntp-servers {{ subnet_config.ntp_server | join(', ') }};
-{% endif %}
-{% if subnet_config.pop_server is vyos_defined %}
+{% endif %}
+{% if subnet_config.pop_server is vyos_defined %}
option pop-server {{ subnet_config.pop_server | join(', ') }};
-{% endif %}
-{% if subnet_config.smtp_server is vyos_defined %}
+{% endif %}
+{% if subnet_config.smtp_server is vyos_defined %}
option smtp-server {{ subnet_config.smtp_server | join(', ') }};
-{% endif %}
-{% if subnet_config.time_server is vyos_defined %}
+{% endif %}
+{% if subnet_config.time_server is vyos_defined %}
option time-servers {{ subnet_config.time_server | join(', ') }};
-{% endif %}
-{% if subnet_config.wins_server is vyos_defined %}
+{% endif %}
+{% if subnet_config.wins_server is vyos_defined %}
option netbios-name-servers {{ subnet_config.wins_server | join(', ') }};
-{% endif %}
-{% if subnet_config.static_route is vyos_defined %}
-{% set static_default_route = '' %}
-{% if subnet_config.default_router is vyos_defined %}
-{% set static_default_route = ', ' ~ '0.0.0.0/0' | isc_static_route(subnet_config.default_router) %}
-{% endif %}
-{% if subnet_config.static_route is vyos_defined %}
-{% set rfc3442_routes = [] %}
-{% for route, route_options in subnet_config.static_route.items() %}
-{% set rfc3442_routes = rfc3442_routes.append(route | isc_static_route(route_options.next_hop)) %}
-{% endfor %}
+{% endif %}
+{% if subnet_config.static_route is vyos_defined %}
+{% set static_default_route = '' %}
+{% if subnet_config.default_router is vyos_defined %}
+{% set static_default_route = ', ' ~ '0.0.0.0/0' | isc_static_route(subnet_config.default_router) %}
+{% endif %}
+{% if subnet_config.static_route is vyos_defined %}
+{% set rfc3442_routes = [] %}
+{% for route, route_options in subnet_config.static_route.items() %}
+{% set rfc3442_routes = rfc3442_routes.append(route | isc_static_route(route_options.next_hop)) %}
+{% endfor %}
option rfc3442-static-route {{ rfc3442_routes | join(', ') }}{{ static_default_route }};
option windows-static-route {{ rfc3442_routes | join(', ') }};
-{% endif %}
-{% endif %}
-{% if subnet_config.ip_forwarding is vyos_defined %}
+{% endif %}
+{% endif %}
+{% if subnet_config.ip_forwarding is vyos_defined %}
option ip-forwarding true;
-{% endif %}
-{% if subnet_config.default_router is vyos_defined %}
+{% endif %}
+{% if subnet_config.default_router is vyos_defined %}
option routers {{ subnet_config.default_router }};
-{% endif %}
-{% if subnet_config.server_identifier is vyos_defined %}
+{% endif %}
+{% if subnet_config.server_identifier is vyos_defined %}
option dhcp-server-identifier {{ subnet_config.server_identifier }};
-{% endif %}
-{% if subnet_config.subnet_parameters is vyos_defined %}
+{% endif %}
+{% if subnet_config.subnet_parameters is vyos_defined %}
# The following {{ subnet_config.subnet_parameters | length }} line(s) were added as
# subnet-parameters in the CLI and have not been validated!!!
-{% for parameter in subnet_config.subnet_parameters %}
+{% for parameter in subnet_config.subnet_parameters %}
{{ parameter }}
-{% endfor %}
-{% endif %}
-{% if subnet_config.tftp_server_name is vyos_defined %}
+{% endfor %}
+{% endif %}
+{% if subnet_config.tftp_server_name is vyos_defined %}
option tftp-server-name "{{ subnet_config.tftp_server_name }}";
-{% endif %}
-{% if subnet_config.bootfile_name is vyos_defined %}
+{% endif %}
+{% if subnet_config.bootfile_name is vyos_defined %}
option bootfile-name "{{ subnet_config.bootfile_name }}";
filename "{{ subnet_config.bootfile_name }}";
-{% endif %}
-{% if subnet_config.bootfile_server is vyos_defined %}
+{% endif %}
+{% if subnet_config.bootfile_server is vyos_defined %}
next-server {{ subnet_config.bootfile_server }};
-{% endif %}
-{% if subnet_config.bootfile_size is vyos_defined %}
+{% endif %}
+{% if subnet_config.bootfile_size is vyos_defined %}
option boot-size {{ subnet_config.bootfile_size }};
-{% endif %}
-{% if subnet_config.time_offset is vyos_defined %}
+{% endif %}
+{% if subnet_config.time_offset is vyos_defined %}
option time-offset {{ subnet_config.time_offset }};
-{% endif %}
-{% if subnet_config.wpad_url is vyos_defined %}
+{% endif %}
+{% if subnet_config.wpad_url is vyos_defined %}
option wpad-url "{{ subnet_config.wpad_url }}";
-{% endif %}
-{% if subnet_config.client_prefix_length is vyos_defined %}
+{% endif %}
+{% if subnet_config.client_prefix_length is vyos_defined %}
option subnet-mask {{ ('0.0.0.0/' ~ subnet_config.client_prefix_length) | netmask_from_cidr }};
-{% endif %}
-{% if subnet_config.lease is vyos_defined %}
+{% endif %}
+{% if subnet_config.lease is vyos_defined %}
default-lease-time {{ subnet_config.lease }};
max-lease-time {{ subnet_config.lease }};
-{% endif %}
-{% if network_config.ping_check is not vyos_defined and subnet_config.ping_check is vyos_defined %}
+{% endif %}
+{% if network_config.ping_check is not vyos_defined and subnet_config.ping_check is vyos_defined %}
ping-check true;
-{% endif %}
-{% if subnet_config.static_mapping is vyos_defined %}
-{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %}
+{% endif %}
+{% if subnet_config.static_mapping is vyos_defined %}
+{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %}
host {{ host | replace('_','-') if host_decl_name is vyos_defined else network | replace('_','-') ~ '_' ~ host | replace('_','-') }} {
-{% if host_config.ip_address is vyos_defined %}
+{% if host_config.ip_address is vyos_defined %}
fixed-address {{ host_config.ip_address }};
-{% endif %}
+{% endif %}
hardware ethernet {{ host_config.mac_address }};
-{% if host_config.static_mapping_parameters is vyos_defined %}
+{% if host_config.static_mapping_parameters is vyos_defined %}
# The following {{ host_config.static_mapping_parameters | length }} line(s) were added
# as static-mapping-parameters in the CLI and have not been validated
-{% for parameter in host_config.static_mapping_parameters %}
+{% for parameter in host_config.static_mapping_parameters %}
{{ parameter }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
-{% endfor %}
-{% endif %}
-{% if subnet_config.range is vyos_defined %}
+{% endfor %}
+{% endif %}
+{% if subnet_config.vendor_option.ubiquiti.unifi_controller is vyos_defined %}
+ option ubnt.unifi-controller {{ subnet_config.vendor_option.ubiquiti.unifi_controller }};
+{% endif %}
+{% if subnet_config.range is vyos_defined %}
{# pool configuration can only be used if there follows a range option #}
pool {
-{% endif %}
-{% if subnet_config.enable_failover is vyos_defined %}
+{% endif %}
+{% if subnet_config.enable_failover is vyos_defined %}
failover peer "{{ failover.name }}";
deny dynamic bootp clients;
-{% endif %}
-{% if subnet_config.range is vyos_defined %}
-{% for range, range_options in subnet_config.range.items() %}
+{% endif %}
+{% if subnet_config.range is vyos_defined %}
+{% for range, range_options in subnet_config.range.items() %}
range {{ range_options.start }} {{ range_options.stop }};
-{% endfor %}
-{% endif %}
-{% if subnet_config.range is vyos_defined %}
+{% endfor %}
+{% endif %}
+{% if subnet_config.range is vyos_defined %}
{# pool configuration can only be used if there follows a range option #}
}
-{% endif %}
+{% endif %}
}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
on commit {
set shared-networkname = "{{ network }}";
-{% if hostfile_update is vyos_defined %}
+{% if hostfile_update is vyos_defined %}
set ClientIp = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
set ClientName = pick-first-value(host-decl-name, option fqdn.hostname, option host-name, "empty_hostname");
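Review bot: The added `option ubnt.unifi-controller {{ subnet_config.vendor_option.ubiquiti.unifi_controller }};` line renders the configured value unquoted and unfiltered, so the generated dhcpd.conf is only as safe as the CLI-side validation, which is not visible in this diff. The same holds for the quoted string options in this hunk (`domain-name`, `tftp-server-name`, `bootfile-name`, `wpad-url`) and for the quoted `nis-domain-name` and `nisp-domain-name` options in dhcpdv6.conf.j2: a value containing `"` would end the string early and the remainder would be parsed as dhcpd statements. I would confirm that the CLI definitions restrict these to an IPv4 address and to quote-free strings respectively, and record it next to the first such option with `{# option values are validated by the CLI definition and rendered verbatim #}`. The free-form `*_parameters` loops are already labelled as unvalidated in the generated file, so they need no further note.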
@@ -226,9 +238,9 @@ shared-network {{ network }} {
} else {
log(concat("Hostname is not defined for client with IP: ", ClientIP, " MAC: ", ClientMac));
}
-{% endif %}
+{% endif %}
}
}
-{% endfor %}
+{% endfor %}
{% endif %}
diff --git a/data/templates/dhcp-server/dhcpdv6.conf.j2 b/data/templates/dhcp-server/dhcpdv6.conf.j2
new file mode 100644
index 000000000..5c3471316
--- /dev/null
+++ b/data/templates/dhcp-server/dhcpdv6.conf.j2
@@ -0,0 +1,132 @@
+### Autogenerated by dhcpv6_server.py ###
+
+# For options please consult the following website:
+# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html
+
+log-facility local7;
+{% if preference is vyos_defined %}
+option dhcp6.preference {{ preference }};
+{% endif %}
+
+{% if global_parameters.name_server is vyos_defined %}
+option dhcp6.name-servers {{ global_parameters.name_server | join(', ') }};
+{% endif %}
+
+# Vendor specific options - Cisco
+option space cisco code width 2 length width 2;
+option cisco.tftp-servers code 1 = array of ip6-address;
+option vsio.cisco code 9 = encapsulate cisco;
+
+# Shared network configration(s)
+{% if shared_network_name is vyos_defined %}
+{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %}
+shared-network {{ network }} {
+{% if network_config.common_options is vyos_defined %}
+{% if network_config.common_options.info_refresh_time is vyos_defined %}
+ option dhcp6.info-refresh-time {{ network_config.common_options.info_refresh_time }};
+{% endif %}
+{% if network_config.common_options.domain_search is vyos_defined %}
+ option dhcp6.domain-search "{{ network_config.common_options.domain_search | join('", "') }}";
+{% endif %}
+{% if network_config.common_options.name_server is vyos_defined %}
+ option dhcp6.name-servers {{ network_config.common_options.name_server | join(', ') }};
+{% endif %}
+{% endif %}
+{% if network_config.subnet is vyos_defined %}
+{% for subnet, subnet_config in network_config.subnet.items() %}
+ subnet6 {{ subnet }} {
+{% if subnet_config.address_range is vyos_defined %}
+{% if subnet_config.address_range.prefix is vyos_defined %}
+{% for prefix, prefix_config in subnet_config.address_range.prefix.items() %}
+ range6 {{ prefix }} {{ "temporary" if prefix_config.temporary is vyos_defined }};
+{% endfor %}
+{% endif %}
+{% if subnet_config.address_range.start is vyos_defined %}
+{% for address, address_config in subnet_config.address_range.start.items() %}
+ range6 {{ address }} {{ address_config.stop }};
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if subnet_config.domain_search is vyos_defined %}
+ option dhcp6.domain-search "{{ subnet_config.domain_search | join('", "') }}";
+{% endif %}
+{% if subnet_config.lease_time is vyos_defined %}
+{% if subnet_config.lease_time.default is vyos_defined %}
+ default-lease-time {{ subnet_config.lease_time.default }};
+{% endif %}
+{% if subnet_config.lease_time.maximum is vyos_defined %}
+ max-lease-time {{ subnet_config.lease_time.maximum }};
+{% endif %}
+{% if subnet_config.lease_time.minimum is vyos_defined %}
+ min-lease-time {{ subnet_config.lease_time.minimum }};
+{% endif %}
+{% endif %}
+{% if subnet_config.name_server is vyos_defined %}
+ option dhcp6.name-servers {{ subnet_config.name_server | join(', ') }};
+{% endif %}
+{% if subnet_config.nis_domain is vyos_defined %}
+ option dhcp6.nis-domain-name "{{ subnet_config.nis_domain }}";
+{% endif %}
+{% if subnet_config.nis_server is vyos_defined %}
+ option dhcp6.nis-servers {{ subnet_config.nis_server | join(', ') }};
+{% endif %}
+{% if subnet_config.nisplus_domain is vyos_defined %}
+ option dhcp6.nisp-domain-name "{{ subnet_config.nisplus_domain }}";
+{% endif %}
+{% if subnet_config.nisplus_server is vyos_defined %}
+ option dhcp6.nisp-servers {{ subnet_config.nisplus_server | join(', ') }};
+{% endif %}
+{% if subnet_config.sip_server is vyos_defined %}
+{% set server_ip = [] %}
+{% set server_fqdn = [] %}
+{% for address in subnet_config.sip_server %}
+{% if address | is_ipv6 %}
+{% set server_ip = server_ip.append(address) %}
+{% else %}
+{% set server_fqdn = server_fqdn.append(address) %}
+{% endif %}
+{% endfor %}
+{% if server_ip is vyos_defined and server_ip | length > 0 %}
+ option dhcp6.sip-servers-addresses {{ server_ip | join(', ') }};
+{% endif %}
+{% if server_fqdn is vyos_defined and server_fqdn | length > 0 %}
+ option dhcp6.sip-servers-names "{{ server_fqdn | join('", "') }}";
+{% endif %}
+{% endif %}
+{% if subnet_config.sntp_server is vyos_defined %}
+ option dhcp6.sntp-servers {{ subnet_config.sntp_server | join(', ') }};
+{% endif %}
+{% if subnet_config.prefix_delegation.start is vyos_defined %}
+{% for prefix, prefix_config in subnet_config.prefix_delegation.start.items() %}
+ prefix6 {{ prefix }} {{ prefix_config.stop }} /{{ prefix_config.prefix_length }};
+{% endfor %}
+{% endif %}
+{% if subnet_config.static_mapping is vyos_defined %}
+
+ # begin configuration of static client mappings
+{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %}
+ host {{ network | replace('_','-') }}_{{ host | replace('_','-') }} {
+{% if host_config.identifier is vyos_defined %}
+ host-identifier option dhcp6.client-id {{ host_config.identifier }};
+{% endif %}
+{% if host_config.ipv6_address is vyos_defined %}
+ fixed-address6 {{ host_config.ipv6_address }};
+{% endif %}
+{% if host_config.ipv6_prefix is vyos_defined %}
+ fixed-prefix6 {{ host_config.ipv6_prefix }};
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
+{% if subnet_config.vendor_option.cisco.tftp_server is vyos_defined %}
+ option cisco.tftp-servers {{ subnet_config.vendor_option.cisco.tftp_server | join(', ') }};
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
+ on commit {
+ set shared-networkname = "{{ network }}";
+ }
+}
+{% endfor %}
+{% endif %}
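Review bot: `{% set server_ip = server_ip.append(address) %}` and the matching `server_fqdn` line rebind the name to the return value of `append()`, which is `None`. The lists still fill up only because the `set` happens inside the `for` body, where it appears to shadow the outer variable rather than replace it, so the code depends on Jinja's loop scoping and would break if the statement were moved out of the loop. Binding the result to a throwaway name makes the intent explicit: `{% set _ = server_ip.append(address) %}` and `{% set _ = server_fqdn.append(address) %}`. The same idiom is used for `rfc3442_routes` in dhcpd.conf.j2.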
diff --git a/data/templates/dhcp-server/dhcpdv6.conf.tmpl b/data/templates/dhcp-server/dhcpdv6.conf.tmpl
deleted file mode 100644
index 1a55668e1..000000000
--- a/data/templates/dhcp-server/dhcpdv6.conf.tmpl
+++ /dev/null
@@ -1,124 +0,0 @@
-### Autogenerated by dhcpv6_server.py ###
-
-# For options please consult the following website:
-# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html
-
-log-facility local7;
-{% if preference is vyos_defined %}
-option dhcp6.preference {{ preference }};
-{% endif %}
-
-{% if global_parameters.name_server is vyos_defined %}
-option dhcp6.name-servers {{ global_parameters.name_server | join(', ') }};
-{% endif %}
-
-# Shared network configration(s)
-{% if shared_network_name is vyos_defined %}
-{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %}
-shared-network {{ network }} {
-{% if network_config.common_options is vyos_defined %}
-{% if network_config.common_options.info_refresh_time is vyos_defined %}
- option dhcp6.info-refresh-time {{ network_config.common_options.info_refresh_time }};
-{% endif %}
-{% if network_config.common_options.domain_search is vyos_defined %}
- option dhcp6.domain-search "{{ network_config.common_options.domain_search | join('", "') }}";
-{% endif %}
-{% if network_config.common_options.name_server is vyos_defined %}
- option dhcp6.name-servers {{ network_config.common_options.name_server | join(', ') }};
-{% endif %}
-{% endif %}
-{% if network_config.subnet is vyos_defined %}
-{% for subnet, subnet_config in network_config.subnet.items() %}
- subnet6 {{ subnet }} {
-{% if subnet_config.address_range is vyos_defined %}
-{% if subnet_config.address_range.prefix is vyos_defined %}
-{% for prefix, prefix_config in subnet_config.address_range.prefix.items() %}
- range6 {{ prefix }} {{ "temporary" if prefix_config.temporary is vyos_defined }};
-{% endfor %}
-{% endif %}
-{% if subnet_config.address_range.start is vyos_defined %}
-{% for address, address_config in subnet_config.address_range.start.items() %}
- range6 {{ address }} {{ address_config.stop }};
-{% endfor %}
-{% endif %}
-{% endif %}
-{% if subnet_config.domain_search is vyos_defined %}
- option dhcp6.domain-search "{{ subnet_config.domain_search | join('", "') }}";
-{% endif %}
-{% if subnet_config.lease_time is vyos_defined %}
-{% if subnet_config.lease_time.default is vyos_defined %}
- default-lease-time {{ subnet_config.lease_time.default }};
-{% endif %}
-{% if subnet_config.lease_time.maximum is vyos_defined %}
- max-lease-time {{ subnet_config.lease_time.maximum }};
-{% endif %}
-{% if subnet_config.lease_time.minimum is vyos_defined %}
- min-lease-time {{ subnet_config.lease_time.minimum }};
-{% endif %}
-{% endif %}
-{% if subnet_config.name_server is vyos_defined %}
- option dhcp6.name-servers {{ subnet_config.name_server | join(', ') }};
-{% endif %}
-{% if subnet_config.nis_domain is vyos_defined %}
- option dhcp6.nis-domain-name "{{ subnet_config.nis_domain }}";
-{% endif %}
-{% if subnet_config.nis_server is vyos_defined %}
- option dhcp6.nis-servers {{ subnet_config.nis_server | join(', ') }};
-{% endif %}
-{% if subnet_config.nisplus_domain is vyos_defined %}
- option dhcp6.nisp-domain-name "{{ subnet_config.nisplus_domain }}";
-{% endif %}
-{% if subnet_config.nisplus_server is vyos_defined %}
- option dhcp6.nisp-servers {{ subnet_config.nisplus_server | join(', ') }};
-{% endif %}
-{% if subnet_config.sip_server is vyos_defined %}
-{% set server_ip = [] %}
-{% set server_fqdn = [] %}
-{% for address in subnet_config.sip_server %}
-{% if address | is_ipv6 %}
-{% set server_ip = server_ip.append(address) %}
-{% else %}
-{% set server_fqdn = server_fqdn.append(address) %}
-{% endif %}
-{% endfor %}
-{% if server_ip is vyos_defined and server_ip | length > 0 %}
- option dhcp6.sip-servers-addresses {{ server_ip | join(', ') }};
-{% endif %}
-{% if server_fqdn is vyos_defined and server_fqdn | length > 0 %}
- option dhcp6.sip-servers-names "{{ server_fqdn | join('", "') }}";
-{% endif %}
-{% endif %}
-{% if subnet_config.sntp_server is vyos_defined %}
- option dhcp6.sntp-servers {{ subnet_config.sntp_server | join(', ') }};
-{% endif %}
-{% if subnet_config.prefix_delegation.start is vyos_defined %}
-{% for prefix, prefix_config in subnet_config.prefix_delegation.start.items() %}
- prefix6 {{ prefix }} {{ prefix_config.stop }} /{{ prefix_config.prefix_length }};
-{% endfor %}
-{% endif %}
-{% if subnet_config.static_mapping is vyos_defined %}
-
- # begin configuration of static client mappings
-{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %}
- host {{ network | replace('_','-') }}_{{ host | replace('_','-') }} {
-{% if host_config.identifier is vyos_defined %}
- host-identifier option dhcp6.client-id {{ host_config.identifier }};
-{% endif %}
-{% if host_config.ipv6_address is vyos_defined %}
- fixed-address6 {{ host_config.ipv6_address }};
-{% endif %}
-{% if host_config.ipv6_prefix is vyos_defined %}
- fixed-prefix6 {{ host_config.ipv6_prefix }};
-{% endif %}
- }
-{% endfor %}
-{% endif %}
- }
-{% endfor %}
-{% endif %}
- on commit {
- set shared-networkname = "{{ network }}";
- }
-}
-{% endfor %}
-{% endif %}
diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.j2
index 385bef94b..c1950e1bc 100644
--- a/data/templates/dns-forwarding/recursor.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,3 +1,4 @@
+{# j2lint: disable=single-statement-per-line #}
### Autogenerated by dns_forwarding.py ###
# XXX: pdns recursor doesn't like whitespace near entry separators,
diff --git a/data/templates/dns-forwarding/recursor.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.conf.lua.j2
index e2506238d..e2506238d 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.tmpl
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
diff --git a/data/templates/dns-forwarding/recursor.forward-zones.conf.tmpl b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2
index 96cbc35a5..de3269e47 100644
--- a/data/templates/dns-forwarding/recursor.forward-zones.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2
@@ -1,3 +1,4 @@
+{# j2lint: disable=operator-enclosed-by-spaces #}
# Autogenerated by VyOS (vyos-hostsd)
# Do not edit, your changes will get overwritten
@@ -7,11 +8,11 @@
{# the order of tags, then by the order of nameservers within that tag #}
{% set n = namespace(dot_zone_ns='') %}
{% for tag in name_server_tags_recursor %}
-{% set ns = '' %}
-{% if tag in name_servers %}
-{% set ns = ns + name_servers[tag]|join(', ') %}
-{% set n.dot_zone_ns = (n.dot_zone_ns, ns)|join(', ') if n.dot_zone_ns != '' else ns %}
-{% endif %}
+{% set ns = '' %}
+{% if tag in name_servers %}
+{% set ns = ns + name_servers[tag] | join(', ') %}
+{% set n.dot_zone_ns = (n.dot_zone_ns, ns) | join(', ') if n.dot_zone_ns != '' else ns %}
+{% endif %}
# {{ tag }}: {{ ns }}
{% endfor %}
@@ -21,8 +22,8 @@
{% if forward_zones is vyos_defined %}
# zones added via 'service dns forwarding domain'
-{% for zone, zonedata in forward_zones.items() %}
+{% for zone, zonedata in forward_zones.items() %}
{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.server | join(', ') }}
-{% endfor %}
+{% endfor %}
{% endif %}
diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2
index 04fb72121..987c7de1f 100644
--- a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl
+++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2
@@ -3,28 +3,28 @@
{% if hosts %}
-- from 'system static-host-mapping' and DHCP server
-{% for tag, taghosts in hosts.items() %}
-{% for host, hostprops in taghosts.items() %}
+{% for tag, taghosts in hosts.items() %}
+{% for host, hostprops in taghosts.items() %}
addNTA("{{ host }}.", "{{ tag }}")
-{% for a in hostprops['aliases'] %}
+{% for a in hostprops['aliases'] %}
addNTA("{{ a }}.", "{{ tag }} alias")
-{% endfor %}
+{% endfor %}
+{% endfor %}
{% endfor %}
-{% endfor %}
{% endif %}
{% if forward_zones is vyos_defined %}
-- from 'service dns forwarding domain'
-{% for zone, zonedata in forward_zones.items() %}
-{% if zonedata.addnta is vyos_defined %}
+{% for zone, zonedata in forward_zones.items() %}
+{% if zonedata.addnta is vyos_defined %}
addNTA("{{ zone }}", "static")
-{% endif %}
-{% endfor %}
+{% endif %}
+{% endfor %}
{% endif %}
{% if authoritative_zones is vyos_defined %}
-- from 'service dns forwarding authoritative-domain'
-{% for zone in authoritative_zones %}
+{% for zone in authoritative_zones %}
addNTA("{{ zone }}", "static")
-{% endfor %}
+{% endfor %}
{% endif %}
diff --git a/data/templates/dns-forwarding/recursor.zone.conf.tmpl b/data/templates/dns-forwarding/recursor.zone.conf.j2
index 758871bef..25193c2ec 100644
--- a/data/templates/dns-forwarding/recursor.zone.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.zone.conf.j2
@@ -1,7 +1,6 @@
;
; Autogenerated by dns_forwarding.py
;
-;
{% for r in records %}
-{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }}
+{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }}
{% endfor %}
diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2
new file mode 100644
index 000000000..3c2d17cbb
--- /dev/null
+++ b/data/templates/dynamic-dns/ddclient.conf.j2
@@ -0,0 +1,51 @@
+### Autogenerated by dynamic_dns.py ###
+daemon=1m
+syslog=yes
+ssl=yes
+
+{% if interface is vyos_defined %}
+{% for iface, iface_config in interface.items() %}
+# ddclient configuration for interface "{{ iface }}"
+{% if iface_config.use_web is vyos_defined %}
+{% set web_skip = ", web-skip='" ~ iface_config.use_web.skip ~ "'" if iface_config.use_web.skip is vyos_defined else '' %}
+use=web, web='{{ iface_config.use_web.url }}'{{ web_skip }}
+{% else %}
+{{ 'usev6=if' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }}
+{% endif %}
+
+{% if iface_config.rfc2136 is vyos_defined %}
+{% for rfc2136, config in iface_config.rfc2136.items() %}
+{% for dns_record in config.record if config.record is vyos_defined %}
+# RFC2136 dynamic DNS configuration for {{ rfc2136 }}, {{ config.zone }}, {{ dns_record }}
+server={{ config.server }}
+protocol=nsupdate
+password={{ config.key }}
+ttl={{ config.ttl }}
+zone={{ config.zone }}
+{{ dns_record }}
+
+{% endfor %}
+{% endfor %}
+{% endif %}
+
+{% if iface_config.service is vyos_defined %}
+{% for service, config in iface_config.service.items() %}
+{% for dns_record in config.host_name %}
+# DynDNS provider configuration for {{ service }}, {{ dns_record }}
+protocol={{ config.protocol }},
+max-interval=28d,
+login={{ config.login }},
+password='{{ config.password }}',
+{% if config.server is vyos_defined %}
+server={{ config.server }},
+{% endif %}
+{% if config.zone is vyos_defined %}
+zone={{ config.zone }},
+{% endif %}
+{{ dns_record }}
+
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
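Review bot: In the DynDNS provider block, `login={{ config.login }},` is written unquoted and `password='{{ config.password }}',` is wrapped in single quotes with no escaping. A login containing a comma or whitespace, or a password containing `'`, would therefore change how ddclient parses the rest of the entry. Whether dynamic_dns.py rejects those characters before rendering is not visible here; if it does not, quote the login as well (`login='{{ config.login }}',`) and refuse or escape `'` in both values. The rendered file also carries the provider password and the RFC2136 `password=` value in clear text, so a header comment such as `{# contains credentials; must be written with owner-only permissions #}` would record that requirement next to the template.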
diff --git a/data/templates/dynamic-dns/ddclient.conf.tmpl b/data/templates/dynamic-dns/ddclient.conf.tmpl
deleted file mode 100644
index ee55c9fa6..000000000
--- a/data/templates/dynamic-dns/ddclient.conf.tmpl
+++ /dev/null
@@ -1,51 +0,0 @@
-### Autogenerated by dynamic_dns.py ###
-daemon=1m
-syslog=yes
-ssl=yes
-
-{% if interface is vyos_defined %}
-{% for iface, iface_config in interface.items() %}
-# ddclient configuration for interface "{{ iface }}"
-{% if iface_config.use_web is vyos_defined %}
-{% set web_skip = ", web-skip='" ~ iface_config.use_web.skip ~ "'" if iface_config.use_web.skip is vyos_defined else '' %}
-use=web, web='{{ iface_config.use_web.url }}'{{ web_skip }}
-{% else %}
-{{ 'usev6=if' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }}
-{% endif %}
-
-{% if iface_config.rfc2136 is vyos_defined %}
-{% for rfc2136, config in iface_config.rfc2136.items() %}
-{% for dns_record in config.record if config.record is vyos_defined %}
-# RFC2136 dynamic DNS configuration for {{ rfc2136 }}, {{ config.zone }}, {{ dns_record }}
-server={{ config.server }}
-protocol=nsupdate
-password={{ config.key }}
-ttl={{ config.ttl }}
-zone={{ config.zone }}
-{{ dns_record }}
-
-{% endfor %}
-{% endfor %}
-{% endif %}
-
-{% if iface_config.service is vyos_defined %}
-{% for service, config in iface_config.service.items() %}
-{% for dns_record in config.host_name %}
-# DynDNS provider configuration for {{ service }}, {{ dns_record }}
-protocol={{ config.protocol }},
-max-interval=28d,
-login={{ config.login }},
-password='{{ config.password }}',
-{% if config.server is vyos_defined %}
-server={{ config.server }},
-{% endif %}
-{% if config.zone is vyos_defined %}
-zone={{ config.zone }},
-{% endif %}
-{{ dns_record }}
-
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% endif %}
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 922f3dcb4..63aa48c77 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -6,14 +6,14 @@
{% set src_addr = 'ip saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %}
{% set dst_addr = 'ip daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %}
{# negated port groups need special treatment, move != in front of { } group #}
-{% if config.source.port is vyos_defined and config.source.port.startswith('!=') %}
-{% set src_port = 'sport != { ' ~ config.source.port.replace('!=','') ~ ' }' %}
+{% if config.source.port is vyos_defined and config.source.port.startswith('!') %}
+{% set src_port = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %}
{% else %}
{% set src_port = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %}
{% endif %}
{# negated port groups need special treatment, move != in front of { } group #}
-{% if config.destination.port is vyos_defined and config.destination.port.startswith('!=') %}
-{% set dst_port = 'dport != { ' ~ config.destination.port.replace('!=','') ~ ' }' %}
+{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %}
+{% set dst_port = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %}
{% else %}
{% set dst_port = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %}
{% endif %}
@@ -138,8 +138,9 @@
{% endif %}
{% endmacro %}
-# Start with clean NAT table
-flush table ip nat
+# Start with clean SNAT and DNAT chains
+flush chain ip nat PREROUTING
+flush chain ip nat POSTROUTING
{% if helper_functions is vyos_defined('remove') %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{% set base_command = 'delete rule ip raw' %}
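Review bot: The new `flush chain ip nat PREROUTING` and `flush chain ip nat POSTROUTING` lines only work if both chains already exist, whereas the old `flush table ip nat` needed only the table. The same applies to the jumps to `VYOS_PRE_DNAT_HOOK` and `VYOS_PRE_SNAT_HOOK` added in the two following hunks, and nothing visible in this template creates any of the four chains. Since nft applies a ruleset file atomically, one missing chain would reject the whole NAT configuration, presumably leaving the previous rules in place. If the chains are created elsewhere at boot, say so beside the flush, e.g. `{# PREROUTING, POSTROUTING and the VYOS_PRE_*_HOOK chains must already exist in table ip nat #}`.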
@@ -164,6 +165,7 @@ add rule ip raw NAT_CONNTRACK counter accept
#
# Destination NAT rules build up here
#
+add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK
{% if destination.rule is vyos_defined %}
{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
{{ nat_rule(rule, config, 'PREROUTING') }}
@@ -172,6 +174,7 @@ add rule ip raw NAT_CONNTRACK counter accept
#
# Source NAT rules build up here
#
+add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK
{% if source.rule is vyos_defined %}
{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
{{ nat_rule(rule, config, 'POSTROUTING') }}
diff --git a/data/templates/frr/staticd.frr.j2 b/data/templates/frr/staticd.frr.j2
index 08b2a3dab..589f03c2c 100644
--- a/data/templates/frr/staticd.frr.j2
+++ b/data/templates/frr/staticd.frr.j2
@@ -20,10 +20,16 @@ vrf {{ vrf }}
{% for interface, interface_config in dhcp.items() %}
{% set next_hop = interface | get_dhcp_router %}
{% if next_hop is vyos_defined %}
-{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance }}
+{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.dhcp_options.default_route_distance if interface_config.dhcp_options.default_route_distance is vyos_defined }}
{% endif %}
{% endfor %}
{% endif %}
+{# IPv4 default routes from PPPoE interfaces #}
+{% if pppoe is vyos_defined %}
+{% for interface, interface_config in pppoe.items() %}
+{{ ip_prefix }} route 0.0.0.0/0 {{ interface }} tag 210 {{ interface_config.default_route_distance if interface_config.default_route_distance is vyos_defined }}
+{% endfor %}
+{% endif %}
{# IPv6 routing #}
{% if route6 is vyos_defined %}
{% for prefix, prefix_config in route6.items() %}
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index b21dce9f0..61af85ed4 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -152,7 +152,7 @@
{% endif %}
}
{% if tunnel_conf.passthrough is vyos_defined %}
- peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
+ peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl
index d3145a500..cf33eec4e 100644
--- a/data/templates/monitoring/telegraf.tmpl
+++ b/data/templates/monitoring/telegraf.tmpl
@@ -1,12 +1,12 @@
# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py
[agent]
- interval = "10s"
+ interval = "15s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 10000
- collection_jitter = "0s"
- flush_interval = "10s"
+ collection_jitter = "5s"
+ flush_interval = "15s"
flush_jitter = "0s"
precision = ""
debug = false
diff --git a/data/templates/openvpn/auth.pw.tmpl b/data/templates/openvpn/auth.pw.j2
index 218121062..218121062 100644
--- a/data/templates/openvpn/auth.pw.tmpl
+++ b/data/templates/openvpn/auth.pw.j2
diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.j2
index 98c8b0273..2e327e4d3 100644
--- a/data/templates/openvpn/client.conf.tmpl
+++ b/data/templates/openvpn/client.conf.j2
@@ -1,30 +1,30 @@
### Autogenerated by interfaces-openvpn.py ###
-{% if ip %}
+{% if ip is vyos_defined %}
ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
{% endif %}
{% if push_route is vyos_defined %}
-{% for route in push_route %}
+{% for route in push_route %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
-{% endfor %}
+{% endfor %}
{% endif %}
{% if subnet is vyos_defined %}
-{% for network in subnet %}
+{% for network in subnet %}
iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }}
-{% endfor %}
+{% endfor %}
{% endif %}
{# ipv6_remote is only set when IPv6 server is enabled #}
-{% if ipv6_remote %}
+{% if ipv6_remote is vyos_defined %}
# IPv6
-{% if ipv6_ip %}
+{% if ipv6_ip is vyos_defined %}
ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
-{% endif %}
-{% for route6 in ipv6_push_route %}
+{% endif %}
+{% for route6 in ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
-{% endfor %}
-{% for net6 in ipv6_subnet %}
+{% endfor %}
+{% for net6 in ipv6_subnet %}
iroute-ipv6 {{ net6 }}
-{% endfor %}
+{% endfor %}
{% endif %}
{% if disable is vyos_defined %}
disable
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.j2
index f26680fa3..6dd4ef88d 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.j2
@@ -10,9 +10,9 @@ verb 3
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
-{% if protocol == 'tcp-active' %}
+{% if protocol is vyos_defined('tcp-active') %}
proto tcp-client
-{% elif protocol == 'tcp-passive' %}
+{% elif protocol is vyos_defined('tcp-passive') %}
proto tcp-server
{% else %}
proto udp
@@ -30,9 +30,9 @@ lport {{ local_port }}
rport {{ remote_port }}
{% endif %}
{% if remote_host is vyos_defined %}
-{% for remote in remote_host %}
+{% for remote in remote_host %}
remote {{ remote }}
-{% endfor %}
+{% endfor %}
{% endif %}
{% if shared_secret_key is vyos_defined %}
secret /run/openvpn/{{ ifname }}_shared.key
@@ -49,88 +49,88 @@ push "redirect-gateway def1"
compress lzo
{% endif %}
-{% if mode == 'client' %}
+{% if mode is vyos_defined('client') %}
#
# OpenVPN Client mode
#
client
nobind
-{% elif mode == 'server' %}
+{% elif mode is vyos_defined('server') %}
#
# OpenVPN Server mode
#
mode server
tls-server
-{% if server is vyos_defined %}
-{% if server.subnet is vyos_defined %}
-{% if server.topology is vyos_defined('point-to-point') %}
+{% if server is vyos_defined %}
+{% if server.subnet is vyos_defined %}
+{% if server.topology is vyos_defined('point-to-point') %}
topology p2p
-{% elif server.topology is vyos_defined %}
+{% elif server.topology is vyos_defined %}
topology {{ server.topology }}
-{% endif %}
-{% for subnet in server.subnet %}
-{% if subnet | is_ipv4 %}
+{% endif %}
+{% for subnet in server.subnet %}
+{% if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# First ip address is used as gateway. It's allows to use metrics #}
-{% if server.push_route is vyos_defined %}
-{% for route, route_config in server.push_route.items() %}
-{% if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is vyos_defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}"
-{% elif route | is_ipv6 %}
+{% if server.push_route is vyos_defined %}
+{% for route, route_config in server.push_route.items() %}
+{% if route | is_ipv4 %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+{% elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{% if server.topology is vyos_defined('net30') %}
+{% if server.topology is vyos_defined('net30') %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{% else %}
+{% else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{% endif %}
-{% elif subnet | is_ipv6 %}
+{% endif %}
+{% elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor %}
-{% endif %}
-{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
+{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
-{% endif %}
-{% if server.max_connections is vyos_defined %}
+{% endif %}
+{% if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
-{% endif %}
-{% if server.client is vyos_defined %}
+{% endif %}
+{% if server.client is vyos_defined %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
+{% endif %}
{% endif %}
-{% endif %}
-keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }}
+keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}
management /run/openvpn/openvpn-mgmt-intf unix
-{% if server is vyos_defined %}
-{% if server.reject_unconfigured_clients is vyos_defined %}
+{% if server is vyos_defined %}
+{% if server.reject_unconfigured_clients is vyos_defined %}
ccd-exclusive
-{% endif %}
+{% endif %}
-{% if server.name_server is vyos_defined %}
-{% for nameserver in server.name_server %}
-{% if nameserver | is_ipv4 %}
+{% if server.name_server is vyos_defined %}
+{% for nameserver in server.name_server %}
+{% if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
-{% elif nameserver | is_ipv6 %}
+{% elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor %}
-{% endif %}
-{% if server.domain_name is vyos_defined %}
+{% if server.domain_name is vyos_defined %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
+{% endif %}
+{% if server.mfa.totp is vyos_defined %}
+{% set totp_config = server.mfa.totp %}
+plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
+{% endif %}
{% endif %}
-{% if server.mfa.totp is vyos_defined %}
-{% set totp_config = server.mfa.totp %}
-plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
-{% endif %}
-{% endif %}
{% else %}
#
# OpenVPN site-2-site mode
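Review bot: The `ifconfig-pool` line for `server.client_ip_pool` prints `{{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if … }}` with nothing between the two expressions, so a configured subnet mask is glued onto the stop address. The line is unchanged context here, but the commit re-indents the blocks around it and it should read `ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }} {{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}`. The rewritten `push "route …"` line has the opposite problem: without a metric it now leaves a trailing space inside the quotes, which the old `{% if %}…{% endif %}` form avoided. The enclosing `{% if mode … %}` block continues past this hunk.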
@@ -138,80 +138,80 @@ plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifn
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}
-{% if device_type == 'tap' %}
-{% if local_address is vyos_defined %}
-{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
-{% if laddr_conf.subnet_mask is vyos_defined %}
+{% if device_type == 'tap' %}
+{% if local_address is vyos_defined %}
+{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
+{% if laddr_conf.subnet_mask is vyos_defined %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor %}
-{% endif %}
-{% else %}
-{% for laddr in local_address if laddr | is_ipv4 %}
-{% for raddr in remote_address if raddr | is_ipv4 %}
+{% else %}
+{% for laddr in local_address if laddr | is_ipv4 %}
+{% for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
-{% endfor %}
-{% endfor %}
-{% for laddr in local_address if laddr | is_ipv6 %}
-{% for raddr in remote_address if raddr | is_ipv6 %}
+{% endfor %}
+{% endfor %}
+{% for laddr in local_address if laddr | is_ipv6 %}
+{% for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
-{% endfor %}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
{% endif %}
{% if tls is vyos_defined %}
# TLS options
-{% if tls.ca_certificate is vyos_defined %}
+{% if tls.ca_certificate is vyos_defined %}
ca /run/openvpn/{{ ifname }}_ca.pem
-{% endif %}
-{% if tls.certificate is vyos_defined %}
+{% endif %}
+{% if tls.certificate is vyos_defined %}
cert /run/openvpn/{{ ifname }}_cert.pem
-{% endif %}
-{% if tls.private_key is vyos_defined %}
+{% endif %}
+{% if tls.private_key is vyos_defined %}
key /run/openvpn/{{ ifname }}_cert.key
-{% endif %}
-{% if tls.crypt_key is vyos_defined %}
+{% endif %}
+{% if tls.crypt_key is vyos_defined %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
-{% endif %}
-{% if tls.crl is vyos_defined %}
+{% endif %}
+{% if tls.crl is vyos_defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
-{% endif %}
-{% if tls.tls_version_min is vyos_defined %}
+{% endif %}
+{% if tls.tls_version_min is vyos_defined %}
tls-version-min {{ tls.tls_version_min }}
-{% endif %}
-{% if tls.dh_params is vyos_defined %}
+{% endif %}
+{% if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
dh none
-{% endif %}
-{% if tls.auth_key is vyos_defined %}
-{% if mode == 'client' %}
+{% endif %}
+{% if tls.auth_key is vyos_defined %}
+{% if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
-{% elif mode == 'server' %}
+{% elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
+{% endif %}
{% endif %}
-{% endif %}
-{% if tls.role is vyos_defined('active') %}
+{% if tls.role is vyos_defined('active') %}
tls-client
-{% elif tls.role is vyos_defined('passive') %}
+{% elif tls.role is vyos_defined('passive') %}
tls-server
-{% endif %}
+{% endif %}
{% endif %}
# Encryption options
{% if encryption is vyos_defined %}
-{% if encryption.cipher is vyos_defined %}
+{% if encryption.cipher is vyos_defined %}
cipher {{ encryption.cipher | openvpn_cipher }}
-{% if encryption.cipher is vyos_defined('bf128') %}
+{% if encryption.cipher is vyos_defined('bf128') %}
keysize 128
-{% elif encryption.cipher is vyos_defined('bf256') %}
+{% elif encryption.cipher is vyos_defined('bf256') %}
keysize 256
+{% endif %}
{% endif %}
-{% endif %}
-{% if encryption.ncp_ciphers is vyos_defined %}
+{% if encryption.ncp_ciphers is vyos_defined %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
-{% endif %}
+{% endif %}
{% endif %}
{% if hash is vyos_defined %}
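Review bot: The `tls-auth` branch still tests `{% if mode == 'client' %}` and `{% elif mode == 'server' %}`, and the site-to-site branch still tests `device_type == 'tap'`, while the earlier hunks of this file convert the same comparisons to `is vyos_defined(...)`. For consistency these should become `{% if mode is vyos_defined('client') %}` and `{% elif mode is vyos_defined('server') %}`. Separately, the `bf128`/`bf256` branches keep emitting Blowfish, a 64-bit block cipher; a comment such as `{# legacy cipher, kept for compatibility only #}` would flag that for whoever next edits the cipher list. The `{% if hash is vyos_defined %}` block opens on the last line and continues outside the hunk.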
diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2
new file mode 100644
index 000000000..616ba3bfc
--- /dev/null
+++ b/data/templates/openvpn/service-override.conf.j2
@@ -0,0 +1,21 @@
+{% set options = namespace(value='') %}
+{% if openvpn_option is vyos_defined %}
+{% for option in openvpn_option %}
+{# Remove the '--' prefix from variable if it is presented #}
+{% if option.startswith('--') %}
+{% set option = option.split('--', maxsplit=1)[1] %}
+{% endif %}
+{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
+{# But now it stopped doing this, so we need to add them for compatibility #}
+{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
+{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
+{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
+{% set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %}
+{% endif %}
+{% set options.value = options.value ~ ' --' ~ option %}
+{% endfor %}
+{% endif %}
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }}
+
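Review bot: The push workaround tests `option.startswith('push')`, which also matches options such as `push-peer-info` or `push-reset`. For those, `option.split('push ', maxsplit=1)[1]` has no second element, so the option is likely rewritten to `push ""` or rendering fails, depending on the undefined policy in use. Testing for the trailing space avoids this: `{% if option.startswith('push ') and not (option.startswith('push "') and option.endswith('"')) %}`. The raw option text also ends up on a systemd `ExecStart=` line, where `%` and `$` are expanded and a line break would begin a new directive. Whether the calling script rejects such characters is not visible here, so a comment stating that expectation would help.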
diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl
deleted file mode 100644
index cba652223..000000000
--- a/data/templates/openvpn/service-override.conf.tmpl
+++ /dev/null
@@ -1,20 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
-{%- if openvpn_option is vyos_defined %}
-{% for option in openvpn_option %}
-{# Remove the '--' prefix from variable if it is presented #}
-{% if option.startswith('--') %}
-{% set option = option.split('--', maxsplit=1)[1] %}
-{% endif %}
-{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
-{# But now it stopped doing this, so we need to add them for compatibility #}
-{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
-{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
-{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
-{% set option = 'push \"%s\"'|format(option.split('push ', maxsplit=1)[1]) %}
-{% endif %}
- --{{ option }}
-{%- endfor %}
-{% endif %}
-
diff --git a/data/templates/salt-minion/minion.tmpl b/data/templates/salt-minion/minion.j2
index 99749b57a..f4001db64 100644
--- a/data/templates/salt-minion/minion.tmpl
+++ b/data/templates/salt-minion/minion.j2
@@ -32,17 +32,17 @@ log_file: /var/log/salt/minion
# ['garbage', 'trace', 'debug']
#
# Default: 'warning'
-log_level: {{ log_level }}
+log_level: warning
# Set the location of the salt master server, if the master server cannot be
# resolved, then the minion will fail to start.
master:
{% for host in master %}
-- {{ host }}
+ - {{ host | bracketize_ipv6 }}
{% endfor %}
# The user to run salt
-user: {{ user }}
+user: minion
# The directory to store the pki information in
pki_dir: /config/salt/pki/minion
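Review bot: The new list entry `  - {{ host | bracketize_ipv6 }}` is emitted unquoted. If the filter wraps IPv6 addresses in `[` `]`, as its name suggests, YAML reads a leading `[` as the start of a flow sequence, so the entry would load as a nested list rather than the string `[addr]`. Quoting the scalar keeps it a string for both address families: `  - "{{ host | bracketize_ipv6 }}"`. This hunk also replaces the `log_level` and `user` template variables with the fixed values `warning` and `minion`, which is worth mentioning in the commit message if callers used to set them.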
@@ -52,10 +52,16 @@ pki_dir: /config/salt/pki/minion
# Since salt uses detached ids it is possible to run multiple minions on the
# same machine but with different ids, this can be useful for salt compute
# clusters.
-id: {{ salt_id }}
-
+id: {{ id }}
# The number of minutes between mine updates.
mine_interval: {{ interval }}
-verify_master_pubkey_sign: {{ verify_master_pubkey_sign }}
+{% if source_interface is vyos_defined %}
+# The name of the interface to use when establishing the connection to the Master.
+source_interface_name: {{ source_interface }}
+{% endif %}
+
+# Enables verification of the master-public-signature returned by the master
+# in auth-replies.
+verify_master_pubkey_sign: {{ 'True' if master_key is vyos_defined else 'False' }}
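Review bot: `verify_master_pubkey_sign` now renders `False` whenever `master_key` is unset, but the added comment only describes what the option does when enabled. Someone reading the generated file cannot tell that signature checking of auth replies is off because of a missing setting rather than by deliberate choice. Extend the comment, e.g. `# Rendered as True only when a master key is configured; otherwise auth-reply signatures are not verified.`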
diff --git a/data/templates/vyos-hostsd/hosts.tmpl b/data/templates/vyos-hostsd/hosts.j2
index bc75d384e..5cad983b4 100644
--- a/data/templates/vyos-hostsd/hosts.tmpl
+++ b/data/templates/vyos-hostsd/hosts.j2
@@ -1,3 +1,4 @@
+{# j2lint: disable=single-statement-per-line #}
### Autogenerated by VyOS ###
### Do not edit, your changes will get overwritten ###
@@ -14,12 +15,12 @@ ff02::2 ip6-allrouters
{% if hosts is vyos_defined %}
# From 'system static-host-mapping' and DHCP server
-{% for tag, taghosts in hosts.items() %}
+{% for tag, taghosts in hosts.items() %}
# {{ tag }}
-{% for host, hostprops in taghosts.items() if hostprops.address is vyos_defined %}
-{% for addr in hostprops.address %}
-{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases|join(' ') if hostprops.aliases is vyos_defined }}
-{% endfor %}
+{% for host, hostprops in taghosts.items() if hostprops.address is vyos_defined %}
+{% for addr in hostprops.address %}
+{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases | join(' ') if hostprops.aliases is vyos_defined }}
+{% endfor %}
+{% endfor %}
{% endfor %}
-{% endfor %}
{% endif %}
diff --git a/data/templates/vyos-hostsd/resolv.conf.tmpl b/data/templates/vyos-hostsd/resolv.conf.j2
index 58a5f9312..5f651f1a1 100644
--- a/data/templates/vyos-hostsd/resolv.conf.tmpl
+++ b/data/templates/vyos-hostsd/resolv.conf.j2
@@ -5,12 +5,12 @@
{# the order of tags, then by the order of nameservers within that tag #}
{% for tag in name_server_tags_system %}
-{% if tag in name_servers %}
+{% if tag in name_servers %}
# {{ tag }}
-{% for ns in name_servers[tag] %}
+{% for ns in name_servers[tag] %}
nameserver {{ ns }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
{% endfor %}
{% if domain_name %}
@@ -18,8 +18,8 @@ domain {{ domain_name }}
{% endif %}
{% for tag in name_server_tags_system %}
-{% if tag in search_domains %}
+{% if tag in search_domains %}
# {{ tag }}
-search {{ search_domains[tag]|join(' ') }}
-{% endif %}
+search {{ search_domains[tag] | join(' ') }}
+{% endif %}
{% endfor %}