Diffstat (limited to 'data/templates')
-rw-r--r-- | data/templates/dhcp-client/ipv4.j2 | 24 | ||||
-rw-r--r-- | data/templates/dns-dynamic/ddclient.conf.j2 | 48 | ||||
-rw-r--r-- | data/templates/firewall/nftables-bridge.j2 | 6 | ||||
-rw-r--r-- | data/templates/firewall/nftables-zone.j2 | 18 | ||||
-rw-r--r-- | data/templates/firewall/nftables.j2 | 22 | ||||
-rw-r--r-- | data/templates/frr/igmp.frr.j2 | 41 | ||||
-rw-r--r-- | data/templates/frr/pim6d.frr.j2 | 45 | ||||
-rw-r--r-- | data/templates/frr/pimd.frr.j2 | 115 | ||||
-rw-r--r-- | data/templates/grub/grub_common.j2 | 23 | ||||
-rw-r--r-- | data/templates/grub/grub_compat.j2 | 63 | ||||
-rw-r--r-- | data/templates/grub/grub_main.j2 | 7 | ||||
-rw-r--r-- | data/templates/grub/grub_menu.j2 | 5 | ||||
-rw-r--r-- | data/templates/grub/grub_modules.j2 | 3 | ||||
-rw-r--r-- | data/templates/grub/grub_options.j2 | 52 | ||||
-rw-r--r-- | data/templates/grub/grub_vars.j2 | 4 | ||||
-rw-r--r-- | data/templates/grub/grub_vyos_version.j2 | 22 | ||||
-rw-r--r-- | data/templates/https/nginx.default.j2 | 6 | ||||
-rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 18 | ||||
-rw-r--r-- | data/templates/openvpn/server.conf.j2 | 2 |
19 files changed, 392 insertions, 132 deletions
diff --git a/data/templates/dhcp-client/ipv4.j2 b/data/templates/dhcp-client/ipv4.j2
index cc5ddf09c..77905e054 100644
--- a/data/templates/dhcp-client/ipv4.j2
+++ b/data/templates/dhcp-client/ipv4.j2
@@ -9,14 +9,30 @@ interface "{{ ifname }}" { send host-name "{{ dhcp_options.host_name }}"; {% if dhcp_options.client_id is vyos_defined %} {% set client_id = dhcp_options.client_id %} -{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #} -{% if not dhcp_options.client_id.split(':') | length >= 5 %} -{% set client_id = '"' + dhcp_options.client_id + '"' %} +{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #} +{# If not HEX, use double quotes ASCII format #} +{% if not client_id.split(':') | length >= 3 %} +{% set client_id = '"' ~ dhcp_options.client_id ~ '"' %} {% endif %} send dhcp-client-identifier {{ client_id }}; {% endif %} {% if dhcp_options.vendor_class_id is vyos_defined %} - send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}"; +{% set vendor_class_id = dhcp_options.vendor_class_id %} +{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #} +{# If not HEX, use double quotes ASCII format #} +{% if not vendor_class_id.split(':') | length >= 3 %} +{% set vendor_class_id = '"' ~ dhcp_options.vendor_class_id ~ '"' %} +{% endif %} + send vendor-class-identifier {{ vendor_class_id }}; +{% endif %} +{% if dhcp_options.user_class is vyos_defined %} +{% set user_class = dhcp_options.user_class %} +{# Use HEX representation of client-id as it is send in MAC-address style using hex characters. #} +{# If not HEX, use double quotes ASCII format #} +{% if not user_class.split(':') | length >= 3 %} +{% set user_class = '"' ~ dhcp_options.user_class ~ '"' %} +{% endif %} + send user-class {{ user_class }}; {% endif %} # The request statement causes the client to request that any server responding to the # client send the client its values for the specified options. 
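Review bot: The hex-vs-ASCII heuristic on the `client_id`, `vendor_class_id` and `user_class` branches (`split(':') | length >= 3`) emits any value with two or more colons verbatim, and the ASCII branch wraps the value in `"` without escaping an embedded `"` or `\`, so a value containing either produces a malformed dhclient.conf statement. These values come from the device configuration, so the impact is a broken lease request rather than anything reachable from the network, but checking the hex form (colon-separated hex byte pairs) in the configuration verifier, if one exists for these options, would make the template's assumption explicit. All three copies of the comment say "client-id" although two of them describe vendor-class-identifier and user-class, and the repeated block is a candidate for a small macro. Suggested wording for each copy: `{# Emit as raw hex if the value is colon-separated hex bytes (MAC-address style); otherwise as a double-quoted ASCII string #}`.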
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 356b8d0d0..30afb9e64 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -29,44 +29,28 @@ cache={{ config_file | replace('.conf', '.cache') }} {# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #} web=googledomains {# ddclient default (use=ip) results in confusing warning message in log #} -use=disabled +use=no -{% if address is vyos_defined %} -{% for address, service_cfg in address.items() %} -{% if service_cfg.rfc2136 is vyos_defined %} -{% for name, config in service_cfg.rfc2136.items() %} -{% if config.description is vyos_defined %} +{% if name is vyos_defined %} +{% for service, config in name.items() %} +{% if config.description is vyos_defined %} # {{ config.description }} -{% endif %} -{% for host in config.host_name if config.host_name is vyos_defined %} - -# RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}] -{# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.) - to the properties since 'nsupdate' doesn't support that yet. #} -{{ render_config(host, address, service_cfg.web_options, - protocol='nsupdate', server=config.server, zone=config.zone, - password=config.key, ttl=config.ttl) }} -{% endfor %} -{% endfor %} {% endif %} -{% if service_cfg.service is vyos_defined %} -{% for name, config in service_cfg.service.items() %} -{% if config.description is vyos_defined %} - -# {{ config.description }} -{% endif %} -{% for host in config.host_name if config.host_name is vyos_defined %} -{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both' - else [config.ip_version[2:]] %} +{% for host in config.host_name if config.host_name is vyos_defined %} +{# ip_suffixes can be either of ['v4'], ['v6'], ['v4', 'v6'] for all protocols except 'nsupdate' + ip_suffixes must be [''] for nsupdate since it doesn't support usevX/wantipvX yet #} +{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both' + else ([config.ip_version[2:]] if config.protocol != 'nsupdate' + else ['']) %} +{% set password = config.key if config.protocol == 
'nsupdate' + else config.password %} -# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}] -{{ render_config(host, address, service_cfg.web_options, ip_suffixes, +# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}] +{{ render_config(host, config.address, config.web_options, ip_suffixes, protocol=config.protocol, server=config.server, zone=config.zone, - login=config.username, password=config.password, ttl=config.ttl, + login=config.username, password=password, ttl=config.ttl, min_interval=config.wait_time, max_interval=config.expiry_time) }} -{% endfor %} -{% endfor %} -{% endif %} +{% endfor %} {% endfor %} {% endif %} diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2 index 7f94e10d6..dec027bf9 100644 --- a/data/templates/firewall/nftables-bridge.j2 +++ b/data/templates/firewall/nftables-bridge.j2 @@ -2,9 +2,8 @@ {% set ns = namespace(sets=[]) %} {% if bridge.forward is vyos_defined %} {% for prior, conf in bridge.forward.items() %} -{% set def_action = conf.default_action %} chain VYOS_FORWARD_{{ prior }} { - type filter hook forward priority {{ prior }}; policy {{ def_action }}; + type filter hook forward priority {{ prior }}; policy accept; {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }} @@ -13,6 +12,7 @@ {% endif %} {% endfor %} {% endif %} + {{ conf | nft_default_rule('FWD-filter', 'bri') }} } {% endfor %} {% endif %} @@ -28,7 +28,7 @@ {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text) }} + {{ conf | nft_default_rule(name_text, 'bri') }} } {% endfor %} {% endif %} diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 index 1e9351f97..beb14ff00 100644 --- a/data/templates/firewall/nftables-zone.j2 
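Review bot: The new `ip_suffixes` expression only forces `['']` for nsupdate when `ip_version` is not `'both'`; with `protocol == 'nsupdate'` and `ip_version == 'both'` the outer branch wins and `['v4', 'v6']` is passed, contradicting the comment directly above it that says nsupdate must get `['']`. Unless the configuration verifier rejects that combination (not visible here), render_config would then emit the usevX/wantipvX properties the comment says nsupdate does not support. Testing the protocol first removes the gap: `{% set ip_suffixes = [''] if config.protocol == 'nsupdate' else (['v4', 'v6'] if config.ip_version == 'both' else [config.ip_version[2:]]) %}`.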
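Review bot: In the first nftables-bridge hunk the forward chain's kernel policy is fixed to `accept` and the configured default action is now carried only by the rule that `nft_default_rule('FWD-filter', 'bri')` appends at the end of the chain, so if that filter renders nothing for a `conf` without a default action the chain falls open instead of honouring `policy {{ def_action }}` as before. It is worth confirming in the filter (outside this diff) that it always emits a terminating rule, and recording the intent on the policy line, e.g. `{# policy stays accept: the configured default-action is enforced by the trailing nft_default_rule #}`. The third hunk passes `'bri'` in the same positional slot that nftables.j2 and nftables-zone.j2 fill with `'ipv4'`/`'ipv6'`, so the argument appears to be a family token; listing the accepted values in the filter's docstring would save the next reader a lookup.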
+++ b/data/templates/firewall/nftables-zone.j2 @@ -1,7 +1,13 @@ -{% macro zone_chains(zone, ipv6=False) %} -{% set fw_name = 'ipv6_name' if ipv6 else 'name' %} -{% set suffix = '6' if ipv6 else '' %} +{% macro zone_chains(zone, family) %} +{% if family == 'ipv6' %} +{% set fw_name = 'ipv6_name' %} +{% set suffix = '6' %} +{% else %} +{% set fw_name = 'name' %} +{% set suffix = '' %} +{% endif %} + chain VYOS_ZONE_FORWARD { type filter hook forward priority 1; policy accept; {% for zone_name, zone_conf in zone.items() %} @@ -36,7 +42,7 @@ iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} {% endif %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return @@ -46,7 +52,7 @@ oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} {% endif %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} } {% else %} chain VZONE_{{ zone_name }} { @@ -62,7 +68,7 @@ {% endif %} {% endfor %} {% endif %} - {{ zone_conf | nft_default_rule('zone_' + zone_name) }} + {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }} } {% endif %} {% endfor %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index e24a9655d..63195d25f 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -54,7 +54,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('FWD-filter') }} + {{ conf | nft_default_rule('FWD-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -71,7 +71,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('INP-filter') }} + {{ conf | nft_default_rule('INP-filter', 'ipv4') }} } {% endfor %} {% endif %} 
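Review bot: The new `zone_chains(zone, family)` macro only tests `family == 'ipv6'`, so any other value (a typo, or an unset variable) silently renders with the IPv4 `name`/empty-suffix naming while still forwarding that same `family` value to `nft_default_rule`, where the two may disagree. Callers in nftables.j2 pass the literals `'ipv4'` and `'ipv6'`, so today this is a documentation point rather than a bug; a comment such as `{# family is 'ipv4' or 'ipv6'; anything else is rendered with IPv4 naming #}` above the `{% if %}` would record the contract. The macro body continues past the end of this hunk.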
@@ -88,7 +88,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('OUT-filter') }} + {{ conf | nft_default_rule('OUT-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -108,7 +108,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('PRE-filter') }} + {{ conf | nft_default_rule('PRE-filter', 'ipv4') }} } {% endfor %} {% endif %} @@ -124,7 +124,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text) }} + {{ conf | nft_default_rule(name_text, 'ipv4') }} } {% endfor %} {% endif %} @@ -154,7 +154,7 @@ table ip vyos_filter { {{ group_tmpl.groups(group, False, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, False) }} +{{ zone_tmpl.zone_chains(zone, 'ipv4') }} {% endif %} } @@ -182,7 +182,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('FWD-filter', ipv6=True) }} + {{ conf | nft_default_rule('FWD-filter', 'ipv6') }} } {% endfor %} {% endif %} @@ -199,7 +199,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('INP-filter', ipv6=True) }} + {{ conf | nft_default_rule('INP-filter', 'ipv6') }} } {% endfor %} {% endif %} @@ -216,7 +216,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('OUT-filter', ipv6=True) }} + {{ conf | nft_default_rule('OUT-filter', 'ipv6') }} } {% endfor %} {% endif %} @@ -237,7 +237,7 @@ table ip6 vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule(name_text, ipv6=True) }} + {{ conf | nft_default_rule(name_text, 'ipv6') }} } {% endfor %} {% endif %} @@ -266,7 +266,7 @@ table ip6 vyos_filter { {% endif %} {{ group_tmpl.groups(group, True, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, True) }} +{{ zone_tmpl.zone_chains(zone, 'ipv6') }} {% endif %} } 
diff --git a/data/templates/frr/igmp.frr.j2 b/data/templates/frr/igmp.frr.j2 deleted file mode 100644 index b75884484..000000000 --- a/data/templates/frr/igmp.frr.j2 +++ /dev/null @@ -1,41 +0,0 @@ -! -{% for iface in old_ifaces %} -interface {{ iface }} -{% for group in old_ifaces[iface].gr_join %} -{% if old_ifaces[iface].gr_join[group] %} -{% for source in old_ifaces[iface].gr_join[group] %} - no ip igmp join {{ group }} {{ source }} -{% endfor %} -{% else %} - no ip igmp join {{ group }} -{% endif %} -{% endfor %} - no ip igmp -! -{% endfor %} -{% for interface, interface_config in ifaces.items() %} -interface {{ interface }} -{% if interface_config.version %} - ip igmp version {{ interface_config.version }} -{% else %} -{# IGMP default version 3 #} - ip igmp -{% endif %} -{% if interface_config.query_interval %} - ip igmp query-interval {{ interface_config.query_interval }} -{% endif %} -{% if interface_config.query_max_resp_time %} - ip igmp query-max-response-time {{ interface_config.query_max_resp_time }} -{% endif %} -{% for group, sources in interface_config.gr_join.items() %} -{% if sources is vyos_defined %} -{% for source in sources %} - ip igmp join {{ group }} {{ source }} -{% endfor %} -{% else %} - ip igmp join {{ group }} -{% endif %} -{% endfor %} -! -{% endfor %} -! diff --git a/data/templates/frr/pim6d.frr.j2 b/data/templates/frr/pim6d.frr.j2 index 8e430541d..bac716fcc 100644 --- a/data/templates/frr/pim6d.frr.j2 +++ b/data/templates/frr/pim6d.frr.j2 
@@ -1,7 +1,24 @@ ! {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} +! interface {{ iface }} + ipv6 pim +{% if iface_config.no_bsm is vyos_defined %} + no ipv6 pim bsm +{% endif %} +{% if iface_config.dr_priority is vyos_defined %} + ipv6 pim drpriority {{ iface_config.dr_priority }} +{% endif %} +{% if iface_config.hello is vyos_defined %} + ipv6 pim hello {{ iface_config.hello }} +{% endif %} +{% if iface_config.no_unicast_bsm is vyos_defined %} + no ipv6 pim unicast-bsm +{% endif %} +{% if iface_config.passive is vyos_defined %} + ipv6 pim passive +{% endif %} {% if iface_config.mld is vyos_defined and iface_config.mld.disable is not vyos_defined %} ipv6 mld {% if iface_config.mld.version is vyos_defined %} @@ -32,7 +49,33 @@ interface {{ iface }} {% endif %} {% endif %} exit -! {% endfor %} +{% endif %} ! +{% if join_prune_interval is vyos_defined %} +ipv6 pim join-prune-interval {{ join_prune_interval }} +{% endif %} +{% if keep_alive_timer is vyos_defined %} +ipv6 pim keep-alive-timer {{ keep_alive_timer }} +{% endif %} +{% if packets is vyos_defined %} +ipv6 pim packets {{ packets }} +{% endif %} +{% if register_suppress_time is vyos_defined %} +ipv6 pim register-suppress-time {{ register_suppress_time }} +{% endif %} +{% if rp.address is vyos_defined %} +{% for address, address_config in rp.address.items() %} +{% if address_config.group is vyos_defined %} +{% for group in address_config.group %} +ipv6 pim rp {{ address }} {{ group }} +{% endfor %} +{% endif %} +{% if address_config.prefix_list6 is vyos_defined %} +ipv6 pim rp {{ address }} prefix-list {{ address_config.prefix_list6 }} +{% endif %} +{% endfor %} +{% endif %} +{% if rp.keep_alive_timer is vyos_defined %} +ipv6 pim rp keep-alive-timer {{ rp.keep_alive_timer }} {% endif %} diff --git a/data/templates/frr/pimd.frr.j2 b/data/templates/frr/pimd.frr.j2 index cb2f2aa98..68edf4a5c 100644 --- a/data/templates/frr/pimd.frr.j2 +++ b/data/templates/frr/pimd.frr.j2 
@@ -1,34 +1,95 @@ +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} ! -{% for rp_addr in old_pim.rp %} -{% for group in old_pim.rp[rp_addr] %} -no ip pim rp {{ rp_addr }} {{ group }} +interface {{ iface }} + ip pim +{% if iface_config.bfd is vyos_defined %} + ip pim bfd {{ 'profile ' ~ iface_config.bfd.profile if iface_config.bfd.profile is vyos_defined }} +{% endif %} +{% if iface_config.no_bsm is vyos_defined %} + no ip pim bsm +{% endif %} +{% if iface_config.dr_priority is vyos_defined %} + ip pim drpriority {{ iface_config.dr_priority }} +{% endif %} +{% if iface_config.hello is vyos_defined %} + ip pim hello {{ iface_config.hello }} +{% endif %} +{% if iface_config.no_unicast_bsm is vyos_defined %} + no ip pim unicast-bsm +{% endif %} +{% if iface_config.passive is vyos_defined %} + ip pim passive +{% endif %} +{% if iface_config.source_address is vyos_defined %} + ip pim use-source {{ iface_config.source_address }} +{% endif %} +{% if iface_config.igmp is vyos_defined and iface_config.igmp.disable is not vyos_defined %} + ip igmp +{% if iface_config.igmp.query_interval %} + ip igmp query-interval {{ iface_config.igmp.query_interval }} +{% endif %} +{% if iface_config.igmp.query_max_response_time %} + ip igmp query-max-response-time {{ iface_config.igmp.query_max_response_time }} +{% endif %} +{% if iface_config.igmp.version is vyos_defined %} + ip igmp version {{ iface_config.igmp.version }} +{% endif %} +{% if iface_config.igmp.join is vyos_defined %} +{% for join, join_config in iface_config.igmp.join.items() %} +{% if join_config.source_address is vyos_defined %} +{% for source_address in join_config.source_address %} + ip igmp join {{ join }} {{ source_address }} +{% endfor %} +{% else %} + ip igmp join {{ join }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +exit {% endfor %} -{% endfor %} -{% if old_pim.rp_keep_alive %} -no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }} {% endif %} -{% for iface in 
old_pim.ifaces %} -interface {{ iface }} -no ip pim -! -{% endfor %} -{% for iface in pim.ifaces %} -interface {{ iface }} -ip pim -{% if pim.ifaces[iface].dr_prio %} -ip pim drpriority {{ pim.ifaces[iface].dr_prio }} -{% endif %} -{% if pim.ifaces[iface].hello %} -ip pim hello {{ pim.ifaces[iface].hello }} -{% endif %} ! -{% endfor %} -{% for rp_addr in pim.rp %} -{% for group in pim.rp[rp_addr] %} -ip pim rp {{ rp_addr }} {{ group }} +{% if ecmp is vyos_defined %} +ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }} +{% endif %} +{% if join_prune_interval is vyos_defined %} +ip pim join-prune-interval {{ join_prune_interval }} +{% endif %} +{% if keep_alive_timer is vyos_defined %} +ip pim keep-alive-timer {{ keep_alive_timer }} +{% endif %} +{% if packets is vyos_defined %} +ip pim packets {{ packets }} +{% endif %} +{% if register_accept_list.prefix_list is vyos_defined %} +ip pim register-accept-list {{ register_accept_list.prefix_list }} +{% endif %} +{% if register_suppress_time is vyos_defined %} +ip pim register-suppress-time {{ register_suppress_time }} +{% endif %} +{% if rp.address is vyos_defined %} +{% for address, address_config in rp.address.items() %} +{% for group in address_config.group %} +ip pim rp {{ address }} {{ group }} +{% endfor %} {% endfor %} -{% endfor %} -{% if pim.rp_keep_alive %} -ip pim rp keep-alive-timer {{ pim.rp_keep_alive }} +{% endif %} +{% if rp.keep_alive_timer is vyos_defined %} +ip pim rp keep-alive-timer {{ rp.keep_alive_timer }} +{% endif %} +{% if no_v6_secondary is vyos_defined %} +no ip pim send-v6-secondary +{% endif %} +{% if spt_switchover.infinity_and_beyond is vyos_defined %} +ip pim spt-switchover infinity-and-beyond {{ 'prefix-list ' ~ spt_switchover.infinity_and_beyond.prefix_list if spt_switchover.infinity_and_beyond.prefix_list is defined }} +{% endif %} +{% if ssm.prefix_list is vyos_defined %} +ip pim ssm prefix-list {{ ssm.prefix_list }} +{% endif %} +! 
+{% if igmp.watermark_warning is vyos_defined %} +ip igmp watermark-warn {{ igmp.watermark_warning }} {% endif %} ! diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2 new file mode 100644 index 000000000..278ffbf2c --- /dev/null +++ b/data/templates/grub/grub_common.j2 @@ -0,0 +1,23 @@ +# load EFI video modules +if [ "${grub_platform}" == "efi" ]; then + insmod efi_gop + insmod efi_uga +fi + +# create and activate serial console +function setup_serial { + # initialize the first serial port by default + if [ "${console_type}" == "ttyS" ]; then + serial --unit=${console_num} + else + serial --unit=0 + fi + terminal_output --append serial console + terminal_input --append serial console +} + +setup_serial + +{% if search_root %} +{{ search_root }} +{% endif %} diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2 new file mode 100644 index 000000000..887d5d0bd --- /dev/null +++ b/data/templates/grub/grub_compat.j2 
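Review bot: The `spt-switchover` line tests `spt_switchover.infinity_and_beyond.prefix_list is defined` while every other conditional in this template uses `is vyos_defined`, so whatever semantics the project test adds are lost on this one line; it should read `... if spt_switchover.infinity_and_beyond.prefix_list is vyos_defined }}`. In the `rp.address` loop the inner `{% for group in address_config.group %}` is not guarded, whereas pim6d.frr.j2 in this same commit wraps the equivalent loop in `{% if address_config.group is vyos_defined %}`; aligning the two keeps the rendering consistent if an RP is ever configured without groups. The IGMP block's `{% if iface_config.igmp.query_interval %}` and `query_max_response_time` checks rely on truthiness rather than `is vyos_defined`, which would drop a value of `0` if the CLI allowed it.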
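Review bot: In `setup_serial` the `ttyS` branch runs `serial --unit=${console_num}` with no check that `console_num` is set, so an empty variable yields `serial --unit=` and the serial port is not initialised even though `terminal_output`/`terminal_input` go on to add `serial`. GRUB's `test` supports `-n`, so the branch can keep the existing unit-0 fallback for the unset case: `if [ -n "${console_num}" ]; then serial --unit=${console_num}; else serial --unit=0; fi`. The function is also called from grub_options.j2 in this commit with a value typed at the menu, so a comment like `# console_num: numeric serial unit, set by the boot menu or the options file` would document the expected input.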
@@ -0,0 +1,63 @@ +{# j2lint: disable=S6 #} +### Generated by VyOS image-tools v.{{ tools_version }} ### +{% macro menu_name(mode) -%} +{% if mode == 'normal' -%} + VyOS +{%- elif mode == 'pw_reset' -%} + Lost password change +{%- else -%} + Unknown +{%- endif %} +{%- endmacro %} +{% macro console_name(type) -%} +{% if type == 'tty' -%} + KVM +{%- elif type == 'ttyS' -%} + Serial +{%- elif type == 'ttyUSB' -%} + USB +{%- else -%} + Unknown +{%- endif %} +{%- endmacro %} +{% macro console_opts(type) -%} +{% if type == 'tty' -%} + console=ttyS0,115200 console=tty0 +{%- elif type == 'ttyS' -%} + console=tty0 console=ttyS0,115200 +{%- elif type == 'ttyUSB' -%} + console=tty0 console=ttyUSB0,115200 +{%- else -%} + console=tty0 console=ttyS0,115200 +{%- endif %} +{%- endmacro %} +{% macro passwd_opts(mode) -%} +{% if mode == 'pw_reset' -%} + init=/opt/vyatta/sbin/standalone_root_pw_reset +{%- endif %} +{%- endmacro %} +set default={{ default }} +set timeout={{ timeout }} +{% if console_type == 'ttyS' %} +serial --unit={{ console_num }} --speed=115200 +{% else %} +serial --unit=0 --speed=115200 +{% endif %} +terminal_output --append serial +terminal_input serial console +{% for mod in modules %} +insmod {{ mod }} +{% endfor %} +{% if root %} +set root={{ root }} +{% endif %} +{% if search_root %} +{{ search_root }} +{% endif %} + +{% for v in versions %} +menuentry "{{ menu_name(v.bootmode) }} {{ v.version }} ({{ console_name(v.console_type) }} console)" { + linux /boot/{{ v.version }}/vmlinuz {{ v.boot_opts }} {{ console_opts(v.console_type) }} {{ passwd_opts(v.bootmode) }} + initrd /boot/{{ v.version }}/initrd.img +} +{% endfor %} diff --git a/data/templates/grub/grub_main.j2 b/data/templates/grub/grub_main.j2 new file mode 100644 index 000000000..0c7ea0202 --- /dev/null +++ b/data/templates/grub/grub_main.j2 @@ -0,0 +1,7 @@ +load_env +insmod regexp + +for cfgfile in ${prefix}/grub.cfg.d/*-autoload.cfg +do + source ${cfgfile} +done 
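Review bot: `passwd_opts` appends `init=/opt/vyatta/sbin/standalone_root_pw_reset` while grub_vyos_version.j2 in this same commit uses `init=/usr/libexec/vyos/system/standalone_root_pw_reset` for the same boot mode, and neither template says why the paths differ; a header comment stating which image generations this compat layout targets would stop the two from being "fixed" to match. The `menuentry "... {{ v.version }} ..."` and `linux ... {{ v.boot_opts }} ...` lines interpolate values into GRUB's quoted and unquoted syntax with no quoting step, so a version string or boot option containing `"` or `;` would break the menu; if these only ever come from the image tooling, a comment saying so is enough. `serial --unit={{ console_num }}` likewise assumes `console_num` is set whenever `console_type == 'ttyS'`.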
diff --git a/data/templates/grub/grub_menu.j2 b/data/templates/grub/grub_menu.j2 new file mode 100644 index 000000000..e73005f5d --- /dev/null +++ b/data/templates/grub/grub_menu.j2 @@ -0,0 +1,5 @@ +for cfgfile in ${config_directory}/vyos-versions/*.cfg +do + source "${cfgfile}" +done +source ${config_directory}/50-vyos-options.cfg diff --git a/data/templates/grub/grub_modules.j2 b/data/templates/grub/grub_modules.j2 new file mode 100644 index 000000000..24b540c9d --- /dev/null +++ b/data/templates/grub/grub_modules.j2 @@ -0,0 +1,3 @@ +{% for mod_name in mods_list %} +insmod {{ mod_name | e }} +{% endfor %} diff --git a/data/templates/grub/grub_options.j2 b/data/templates/grub/grub_options.j2 new file mode 100644 index 000000000..c8a1472e1 --- /dev/null +++ b/data/templates/grub/grub_options.j2 
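Review bot: `insmod {{ mod_name | e }}` applies Jinja's `e` filter, which is HTML escaping (`&` to `&amp;`, `"` to `&#34;`, `'` to `&#39;`), not GRUB quoting, so any value containing those characters is corrupted rather than made safe; grub_vars.j2 in the next hunk has the same issue on `set {{ var_name | e }}="{{ var_value | e }}"`, where a `"` or `&` inside a value would be written into the GRUB config as an HTML entity. If module and variable names come only from the image tooling, drop `| e` and state that assumption in a comment; if they can carry arbitrary text, the escaping needs to target GRUB's string syntax (backslash-escaping `"`, `\` and `$` inside double quotes, roughly as in POSIX shell) rather than HTML.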
@@ -0,0 +1,52 @@ +submenu "Boot options" { + submenu "Select boot mode" { + menuentry "Normal" { + set bootmode="normal" + export bootmode + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "Password reset" { + set bootmode="pw_reset" + export bootmode + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "System recovery" { + set bootmode="recovery" + export bootmode + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "Load the whole root filesystem to RAM" { + set boot_toram="yes" + export boot_toram + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + } + submenu "Select console type" { + menuentry "tty (graphical)" { + set console_type="tty" + export console_type + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "ttyS (serial)" { + set console_type="ttyS" + export console_type + setup_serial + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "ttyUSB (USB serial)" { + set console_type="ttyUSB" + export console_type + setup_serial + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + } + menuentry "Enter console number" { + read console_num + export console_num + setup_serial + configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg + } + menuentry "Current: boot mode: ${bootmode}, console: ${console_type}${console_num}" { + echo + } +} diff --git a/data/templates/grub/grub_vars.j2 b/data/templates/grub/grub_vars.j2 new file mode 100644 index 000000000..e0002e8d8 --- /dev/null +++ b/data/templates/grub/grub_vars.j2 @@ -0,0 +1,4 @@ +{% for var_name, var_value in vars.items() %} +set {{ var_name | e }}="{{ var_value | e }}" +export {{ var_name | e }} +{% endfor %} diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2 new file mode 100644 index 000000000..97fbe8473 --- /dev/null +++ b/data/templates/grub/grub_vyos_version.j2 
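Review bot: The `Enter console number` entry stores whatever `read console_num` receives and both passes it to `serial --unit=${console_num}` via `setup_serial` and lets grub_vyos_version.j2 append it to the kernel command line as `console=${console_type}${console_num}`, with no check that it is numeric. grub_main.j2 already loads `regexp`, so the entry can validate before use, e.g. `if regexp '^[0-9]+$' "${console_num}"; then setup_serial; fi`, and otherwise leave the previous value in place. `setup_serial` is defined in grub_common.j2, so this menu only works once that file has been sourced; a one-line comment at the top of the submenu recording that dependency would help whoever reorders the `grub.cfg.d` files.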
@@ -0,0 +1,22 @@ +{% set boot_opts_default = "boot=live rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/" + version_name %} +{% if boot_opts != '' %} +{% set boot_opts_rendered = boot_opts %} +{% else %} +{% set boot_opts_rendered = boot_opts_default %} +{% endif %} +menuentry "{{ version_name }}" --id {{ version_uuid }} { + set boot_opts="{{ boot_opts_rendered }}" + # load rootfs to RAM + if [ "${boot_toram}" == "yes" ]; then + set boot_opts="${boot_opts} toram" + fi + if [ "${bootmode}" == "pw_reset" ]; then + set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset" + elif [ "${bootmode}" == "recovery" ]; then + set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init" + else + set boot_opts="${boot_opts} console=${console_type}${console_num}" + fi + linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts} + initrd "/boot/{{ version_name }}/initrd.img" +} diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index b541ff309..dde839e9f 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -36,13 +36,9 @@ server { ssl_protocols TLSv1.2 TLSv1.3; # proxy settings for HTTP API, if enabled; 503, if not - location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) { + location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { {% if server.api %} -{% if server.api.socket %} proxy_pass http://unix:/run/api.sock; -{% else %} - proxy_pass http://localhost:{{ server.api.port }}; -{% endif %} proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 600; diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 1401b8b26..80ba357bc 100644 
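Review bot: `{% if boot_opts != '' %}` only falls back to `boot_opts_default` when the variable is an empty string; if a caller omits `boot_opts` entirely, then depending on the Undefined class the environment uses the comparison either raises at render time or evaluates true, in which case the default is skipped and the entry renders `set boot_opts=""`, booting without `boot=live` and the `vyos-union=` path. A truthiness test covers both the empty and the undefined case: `{% if boot_opts %}`. Whether callers can omit the key is not visible from this diff, so confirm against the Python side before relying on the current form.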
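Review bot: The location regex gains `reboot` and `poweroff`, two power-state actions, yet this block applies no access control of its own; every listed path is proxied to `/run/api.sock` as soon as `server.api` is set, so authorisation for them rests entirely on the API service's key validation, and a comment such as `# no auth at this layer: each route relies on the API's own key check` above the `location` would make that explicit for the next person adding a route. Dropping the `server.api.socket`/`server.api.port` branch means any remaining `port` setting in the configuration schema or Python handler is now ignored by this template; worth checking that it was removed there too (not visible in this diff).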
--- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -119,4 +119,20 @@ split-dns = {{ tmp }} {% for grp in authentication.group %} select-group = {{ grp }} {% endfor %} -{% endif %}
\ No newline at end of file +{% endif %} + + +# HTTP security headers +included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains +included-http-headers = X-Frame-Options: deny +included-http-headers = X-Content-Type-Options: nosniff +included-http-headers = Content-Security-Policy: default-src ´none´ +included-http-headers = X-Permitted-Cross-Domain-Policies: none +included-http-headers = Referrer-Policy: no-referrer +included-http-headers = Clear-Site-Data: "cache","cookies","storage" +included-http-headers = Cross-Origin-Embedder-Policy: require-corp +included-http-headers = Cross-Origin-Opener-Policy: same-origin +included-http-headers = Cross-Origin-Resource-Policy: same-origin +included-http-headers = X-XSS-Protection: 0 +included-http-headers = Pragma: no-cache +included-http-headers = Cache-control: no-store, no-cache diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index 746155c37..c02411904 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -79,7 +79,7 @@ server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nop {% if server.push_route is vyos_defined %} {% for route, route_config in server.push_route.items() %} {% if route | is_ipv4 %} -push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}" +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}" {% elif route | is_ipv6 %} push "route-ipv6 {{ route }}" {% endif %} |
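Review bot: The `Content-Security-Policy: default-src ´none´` line uses acute accents (U+00B4) instead of ASCII single quotes; CSP only recognises the `'none'` keyword when it is wrapped in `'`, so as written browsers will treat `´none´` as a malformed host-source and the policy does not block anything as intended — change it to `included-http-headers = Content-Security-Policy: default-src 'none'`. `Clear-Site-Data: "cache","cookies","storage"` is emitted on every response, including the ones that set up a web-client session; confirm against ocserv's portal flow that clearing cookies and storage on each reply does not break login, since that header is usually reserved for logout responses. The rest of the set (HSTS, `nosniff`, `X-Frame-Options: deny`, `X-XSS-Protection: 0`, no-store caching) matches current guidance.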
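Review bot: `'vpn_gateway' ~ ' ' ~ route_config.metric` concatenates a literal space onto a literal; `'vpn_gateway ' ~ route_config.metric` says the same thing with one fewer operation and reads more naturally. Replacing `subnet | first_host_address` with OpenVPN's `vpn_gateway` keyword removes this line's dependency on `subnet`, and the keyword deserves a comment because it looks like an unfilled placeholder: `{# vpn_gateway is OpenVPN's own token for the client's VPN gateway; it replaces the hard-coded first host of the server subnet #}`. As before, when no metric is configured the whole inline `if` renders empty and the route is pushed with neither gateway nor metric, which OpenVPN's `route` directive accepts with its defaults.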