diff options
Diffstat (limited to 'data/templates')
| -rw-r--r-- | data/templates/accel-ppp/config_ip_pool.j2 | 12 | ||||
| -rw-r--r-- | data/templates/accel-ppp/config_shaper_radius.j2 | 12 | ||||
| -rw-r--r-- | data/templates/accel-ppp/pppoe.config.j2 | 23 | ||||
| -rw-r--r-- | data/templates/chrony/chrony.conf.j2 | 3 | ||||
| -rw-r--r-- | data/templates/chrony/override.conf.j2 | 5 | ||||
| -rw-r--r-- | data/templates/dhcp-relay/dhcrelay.conf.j2 | 5 | ||||
| -rw-r--r-- | data/templates/dynamic-dns/ddclient.conf.j2 | 2 | ||||
| -rw-r--r-- | data/templates/frr/bgpd.frr.j2 | 7 | ||||
| -rw-r--r-- | data/templates/https/nginx.default.j2 | 4 | ||||
| -rw-r--r-- | data/templates/ipsec/ipsec.conf.j2 | 19 | ||||
| -rw-r--r-- | data/templates/ipsec/ipsec.secrets.j2 | 5 | ||||
| -rw-r--r-- | data/templates/openvpn/server.conf.j2 | 3 | ||||
| -rw-r--r-- | data/templates/pppoe/peer.j2 | 2 | ||||
| -rw-r--r-- | data/templates/snmp/etc.snmpd.conf.j2 | 4 | ||||
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 4 | ||||
| -rw-r--r-- | data/templates/sstp-client/peer.j2 | 2 |
16 files changed, 67 insertions, 45 deletions
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2 index 0bef4ad69..f7511e445 100644 --- a/data/templates/accel-ppp/config_ip_pool.j2 +++ b/data/templates/accel-ppp/config_ip_pool.j2 @@ -11,4 +11,14 @@ gw-ip-address={{ gateway_address }} {{ subnet }} {% endfor %} {% endif %} -{% endif %} +{% if client_ip_pool.name is vyos_defined %} +{% for pool, pool_config in client_ip_pool.name.items() %} +{% if pool_config.subnet is vyos_defined %} +{{ pool_config.subnet }},name={{ pool }} +{% endif %} +{% if pool_config.gateway_address is vyos_defined %} +gw-ip-address={{ pool_config.gateway_address }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2 index 942cdf132..0cf6a6a92 100644 --- a/data/templates/accel-ppp/config_shaper_radius.j2 +++ b/data/templates/accel-ppp/config_shaper_radius.j2 @@ -1,7 +1,7 @@ -{% if authentication.mode is vyos_defined('radius') %} -{% if authentication.radius.rate_limit.enable is vyos_defined %} +{% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %} [shaper] verbose=1 +{% if authentication.radius.rate_limit.enable is vyos_defined %} attr={{ authentication.radius.rate_limit.attribute }} {% if authentication.radius.rate_limit.vendor is vyos_defined %} vendor={{ authentication.radius.rate_limit.vendor }} @@ -10,4 +10,10 @@ vendor={{ authentication.radius.rate_limit.vendor }} rate-multiplier={{ authentication.radius.rate_limit.multiplier }} {% endif %} {% endif %} -{% endif %} +{% if shaper is vyos_defined %} +{% if shaper.fwmark is vyos_defined %} +fwmark={{ shaper.fwmark }} +down-limiter=htb +{% endif %} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index f4129d3e2..dd53edd28 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -30,6 +30,11 @@ syslog=accel-pppoe,daemon copy=1 level=5 +{% if authentication.mode is vyos_defined("noauth") %} +[auth] +noauth=1 +{% endif %} + {% if snmp.master_agent is vyos_defined %} [snmp] master=1 @@ -69,8 +74,6 @@ ccp={{ "1" if ppp_options.ccp is vyos_defined else "0" }} unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }} {% if ppp_options.min_mtu is vyos_defined %} min-mtu={{ ppp_options.min_mtu }} -{% else %} -min-mtu={{ mtu }} {% endif %} {% if ppp_options.mru is vyos_defined %} mru={{ ppp_options.mru }} @@ -135,6 +138,22 @@ pado-delay={{ pado_delay_param.value }} called-sid={{ authentication.radius.called_sid_format }} {% endif %} +{% if authentication.mode is vyos_defined("local") or authentication.mode is vyos_defined("noauth") %} +{% if authentication.mode is vyos_defined("noauth") %} +noauth=1 +{% endif %} +{% if client_ip_pool.name is vyos_defined %} +{% for pool, pool_config in client_ip_pool.name.items() %} +{% if pool_config.subnet is vyos_defined %} +ip-pool={{ pool }} +{% endif %} +{% if pool_config.gateway_address is vyos_defined %} +gw-ip-address={{ pool_config.gateway_address }}/{{ pool_config.subnet.split('/')[1] }} +{% endif %} +{% endfor %} +{% endif %} +{% endif %} + {% if limits is vyos_defined %} [connlimit] {% if limits.connection_limit is vyos_defined %} diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 index b3bfc8c0c..711bbbec7 100644 --- a/data/templates/chrony/chrony.conf.j2 +++ b/data/templates/chrony/chrony.conf.j2 @@ -40,8 +40,9 @@ user {{ user }} {% for address in allow_client.address %} allow {{ address }} {% endfor %} -{% endif %} +{% else %} deny all +{% endif %} {% if listen_address is vyos_defined or interface is vyos_defined %} # NTP should listen on configured addresses only diff --git a/data/templates/chrony/override.conf.j2 b/data/templates/chrony/override.conf.j2 index 9eaea7608..0ab8f0824 100644 --- a/data/templates/chrony/override.conf.j2 +++ b/data/templates/chrony/override.conf.j2 @@ -5,6 +5,7 @@ ConditionPathExists={{ config_file }} After=vyos-router.service [Service] +User=root EnvironmentFile= ExecStart= ExecStart={{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }} @@ -13,5 +14,5 @@ PIDFile={{ config_file | replace('.conf', '.pid') }} Restart=always RestartSec=10 # Required for VRF support -ProtectControlGroups=No - +ProcSubset=all +ProtectControlGroups=no diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2 index 11710bd8e..c26c263fd 100644 --- a/data/templates/dhcp-relay/dhcrelay.conf.j2 +++ b/data/templates/dhcp-relay/dhcrelay.conf.j2 @@ -2,5 +2,8 @@ {% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %} {# hop_count and relay_agents_packets is a default option, thus it is always present #} +{% if interface is vyos_defined %} OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}" - +{% else %} +OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}" +{% endif %}
\ No newline at end of file diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2 index 3c2d17cbb..c2c9b1dd6 100644 --- a/data/templates/dynamic-dns/ddclient.conf.j2 +++ b/data/templates/dynamic-dns/ddclient.conf.j2 @@ -10,7 +10,7 @@ ssl=yes {% set web_skip = ", web-skip='" ~ iface_config.use_web.skip ~ "'" if iface_config.use_web.skip is vyos_defined else '' %} use=web, web='{{ iface_config.use_web.url }}'{{ web_skip }} {% else %} -{{ 'usev6=if' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }} +{{ 'usev6=ifv6' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }} {% endif %} {% if iface_config.rfc2136 is vyos_defined %} diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 85c3339bf..5170a12ba 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -9,6 +9,11 @@ {% if config.remote_as is vyos_defined %} neighbor {{ neighbor }} remote-as {{ config.remote_as }} {% endif %} +{% if config.local_role is vyos_defined %} +{% for role, strict in config.local_role.items() %} + neighbor {{ neighbor }} local-role {{ role }} {{ 'strict-mode' if strict }} +{% endfor %} +{% endif %} {% if config.interface.remote_as is vyos_defined %} neighbor {{ neighbor }} interface remote-as {{ config.interface.remote_as }} {% endif %} @@ -240,7 +245,7 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% else %} no bgp ebgp-requires-policy {% endif %} -{# Option must be set before any neighbor - see https://phabricator.vyos.net/T3463 #} +{# Option must be set before any neighbor - see https://vyos.dev/T3463 #} no bgp default ipv4-unicast {# Workaround for T2100 until we have decided about a migration script #} no bgp network import-check diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index 753c3a5c9..d42b3b389 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -16,6 +16,8 @@ server { server_name {{ name }}; {% endfor %} + root /srv/localui; + {% if server.certbot %} ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem; @@ -34,7 +36,7 @@ server { ssl_protocols TLSv1.2 TLSv1.3; # proxy settings for HTTP API, if enabled; 503, if not - location ~ /(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) { + location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) { {% if server.api %} {% if server.api.socket %} proxy_pass http://unix:/run/api.sock; diff --git a/data/templates/ipsec/ipsec.conf.j2 b/data/templates/ipsec/ipsec.conf.j2 deleted file mode 100644 index f63995b38..000000000 --- a/data/templates/ipsec/ipsec.conf.j2 +++ /dev/null @@ -1,19 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -config setup -{% set charondebug = '' %} -{% if log.subsystem is vyos_defined %} -{% set subsystem = log.subsystem %} -{% if 'any' in log.subsystem %} -{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', - 'net', 'asn', 'enc', 'lib', 'esp', 'tls', 'tnc', - 'imc', 'imv', 'pts'] %} -{% endif %} -{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} -{% endif %} - charondebug = "{{ charondebug }}" - uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} - -{% if include_ipsec_conf is vyos_defined %} -include {{ include_ipsec_conf }} -{% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.j2 b/data/templates/ipsec/ipsec.secrets.j2 deleted file mode 100644 index a87ac9bc7..000000000 --- a/data/templates/ipsec/ipsec.secrets.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -{% if include_ipsec_secrets is vyos_defined %} -include {{ include_ipsec_secrets }} -{% endif %} diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index 6dd4ef88d..af866f2a6 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -213,6 +213,9 @@ keysize 256 data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} {% endif %} {% endif %} +# https://vyos.dev/T5027 +# Required to support BF-CBC (default ciphername when none given) +providers legacy default {% if hash is vyos_defined %} auth {{ hash }} diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2 index f433a9b03..5e650fa3b 100644 --- a/data/templates/pppoe/peer.j2 +++ b/data/templates/pppoe/peer.j2 @@ -53,7 +53,7 @@ mtu {{ mtu }} mru {{ mtu }} {% if authentication is vyos_defined %} -{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }} +{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }} {{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} {% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2 index 793facc3f..9d78d479a 100644 --- a/data/templates/snmp/etc.snmpd.conf.j2 +++ b/data/templates/snmp/etc.snmpd.conf.j2 @@ -77,10 +77,6 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy {% endif %} {% endfor %} {% endif %} -{% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %} -{{ comm_config.authorization }}community {{ comm }} -V RESTRICTED -{{ comm_config.authorization }}community6 {{ comm }} -V RESTRICTED -{% endif %} {% endfor %} {% endif %} diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index 93735020c..422969ed8 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -29,7 +29,7 @@ PermitRootLogin no PidFile /run/sshd/sshd.pid AddressFamily any DebianBanner no -PasswordAuthentication no +KbdInteractiveAuthentication no # # User configurable section @@ -48,7 +48,7 @@ Port {{ value }} LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed -ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} {% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2 index 7a0b0e1f7..745a09e14 100644 --- a/data/templates/sstp-client/peer.j2 +++ b/data/templates/sstp-client/peer.j2 @@ -45,7 +45,7 @@ lock nodeflate {% if authentication is vyos_defined %} -{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }} +{{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }} {{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} {% endif %} |