#!/usr/bin/env python3 # # Copyright (C) 2019 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # # import sys import os import jinja2 import vyos.defaults import vyos.certbot_util from vyos.config import Config from vyos import ConfigError config_file = '/etc/nginx/sites-available/default' # Please be careful if you edit the template. config_tmpl = """ ### Autogenerated by https.py ### # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$server_name$request_uri; } {% for server in server_block_list %} server { # SSL configuration # {% if server.address == '*' %} listen {{ server.port }} ssl; listen [::]:{{ server.port }} ssl; {% else %} listen {{ server.address }}:{{ server.port }} ssl; {% endif %} {% for name in server.name %} server_name {{ name }}; {% endfor %} {% if server.certbot %} ssl_certificate /etc/letsencrypt/live/{{ server.certbot_dir }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ server.certbot_dir }}/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; {% elif server.vyos_cert %} include {{ server.vyos_cert.conf }}; {% else %} # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # include snippets/snakeoil.conf; {% endif %} # proxy settings for HTTP API, if enabled; 503, if not location ~ /(retrieve|configure|config-file|image|generate|show) { {% if server.api %} proxy_pass http://localhost:{{ server.api.port }}; proxy_buffering off; {% else %} return 503; {% endif %} } error_page 501 502 503 =200 @50*_json; location @50*_json { default_type application/json; return 200 '{"error": "Start service in configuration mode: set service https api"}'; } } {% endfor %} """ default_server_block = { 'address' : '*', 'port' : '443', 'name' : ['_'], 'api' : {}, 'vyos_cert' : {}, 'certbot' : False } def get_config(): server_block_list = [] conf = Config() if not conf.exists('service https'): return None else: conf.set_level('service https') if conf.exists('listen-address'): for addr in conf.list_nodes('listen-address'): server_block = {'address' : addr} server_block['port'] = '443' server_block['name'] = ['_'] if conf.exists('listen-address {0} listen-port'.format(addr)): port = conf.return_value('listen-address {0} listen-port'.format(addr)) server_block['port'] = port if conf.exists('listen-address {0} server-name'.format(addr)): names = conf.return_values('listen-address {0} server-name'.format(addr)) server_block['name'] = names[:] server_block_list.append(server_block) if not server_block_list: server_block_list.append(default_server_block) vyos_cert_data = {} if conf.exists('certificates system-generated-certificate'): vyos_cert_data = vyos.defaults.vyos_cert_data if vyos_cert_data: for block in server_block_list: block['vyos_cert'] = vyos_cert_data certbot = False certbot_domains = [] if conf.exists('certificates certbot domain-name'): certbot_domains = conf.return_values('certificates certbot domain-name') if certbot_domains: certbot = True for domain in certbot_domains: sub_list = vyos.certbot_util.choose_server_block(server_block_list, domain) if sub_list: for sb in sub_list: sb['certbot'] = True # certbot organizes certificates by first domain sb['certbot_dir'] = certbot_domains[0] api_data = {} if conf.exists('api'): api_data = vyos.defaults.api_data if conf.exists('api port'): port = conf.return_value('api port') api_data['port'] = port if api_data: for block in server_block_list: block['api'] = api_data https = {'server_block_list' : server_block_list, 'certbot': certbot} return https def verify(https): if https is None: return None if https['certbot']: for sb in https['server_block_list']: if sb['certbot']: return None raise ConfigError("At least one 'listen-address x.x.x.x server-name' " "matching the 'certbot domain-name' is required.") return None def generate(https): if https is None: return None if 'server_block_list' not in https or not https['server_block_list']: https['server_block_list'] = [default_server_block] tmpl = jinja2.Template(config_tmpl, trim_blocks=True) config_text = tmpl.render(https) with open(config_file, 'w') as f: f.write(config_text) return None def apply(https): if https is not None: os.system('sudo systemctl restart nginx.service') else: os.system('sudo systemctl stop nginx.service') if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) sys.exit(1)