diff options
Diffstat (limited to 'data/templates')
30 files changed, 506 insertions, 185 deletions
diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl index 238e7ee15..0a8e0079b 100644 --- a/data/templates/accel-ppp/pppoe.config.tmpl +++ b/data/templates/accel-ppp/pppoe.config.tmpl @@ -108,19 +108,17 @@ ac-name={{ access_concentrator }} {% if iface_config.vlan_id is not defined and iface_config.vlan_range is not defined %} interface={{ iface }} {% endif %} -{% if iface_config.vlan_id is defined and iface_config.vlan_range is not defined %} -{% for vlan in iface_config.vlan_id %} -interface={{ iface }}.{{ vlan }} -vlan-mon={{ iface }},{{ vlan }} +{% if iface_config.vlan_range is defined %} +{% for regex in iface_config.regex %} +interface=re:^{{ iface | replace('.', '\\.') }}\.({{ regex }})$ {% endfor %} -{% endif %} -{% if iface_config.vlan_range is defined and iface_config.vlan_id is not defined %} vlan-mon={{ iface }},{{ iface_config.vlan_range | join(',') }} -interface=re:{{ iface | replace('.', '\\.') }}\.\d+ {% endif %} -{% if iface_config.vlan_id is defined and iface_config.vlan_range is defined %} -vlan-mon={{ iface }},{{ iface_config.vlan_id | join(',') }},{{ iface_config.vlan_range | join(',') }} -interface=re:{{ iface | replace('.', '\\.') }}\.\d+ +{% if iface_config.vlan_id is defined %} +{% for vlan in iface_config.vlan_id %} +vlan-mon={{ iface }},{{ vlan }} +interface=re:^{{ iface | replace('.', '\\.') }}\.{{ vlan }}$ +{% endfor %} {% endif %} {% endfor %} {% endif %} diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.tmpl index d44f756e8..02efe903b 100644 --- a/data/templates/dns-forwarding/recursor.conf.tmpl +++ b/data/templates/dns-forwarding/recursor.conf.tmpl @@ -31,5 +31,8 @@ dnssec={{ dnssec }} # serve rfc1918 records serve-rfc1918={{ 'no' if no_serve_rfc1918 is defined else 'yes' }} +# zones +auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %} + forward-zones-file=recursor.forward-zones.conf diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl index 784d5c360..7f29c387e 100644 --- a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl +++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl @@ -22,3 +22,9 @@ addNTA("{{ zone }}", "static") {% endfor %} {% endif %} +{% if authoritative_zones is defined %} +-- from 'service dns forwarding authoritative-domain' +{% for zone in authoritative_zones %} +addNTA("{{ zone }}", "static") +{% endfor %} +{% endif %} diff --git a/data/templates/dns-forwarding/recursor.zone.conf.tmpl b/data/templates/dns-forwarding/recursor.zone.conf.tmpl new file mode 100644 index 000000000..758871bef --- /dev/null +++ b/data/templates/dns-forwarding/recursor.zone.conf.tmpl @@ -0,0 +1,7 @@ +; +; Autogenerated by dns_forwarding.py +; +; +{% for r in records %} +{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }} +{% endfor %} diff --git a/data/templates/frr/bfdd.frr.tmpl b/data/templates/frr/bfdd.frr.tmpl index e0e94c24d..439f79d67 100644 --- a/data/templates/frr/bfdd.frr.tmpl +++ b/data/templates/frr/bfdd.frr.tmpl @@ -41,6 +41,9 @@ bfd {% if peer_config.passive is defined %} passive-mode {% endif %} +{% if peer_config.profile is defined and peer_config.profile is not none %} + profile {{ peer_config.profile }} +{% endif %} {% if peer_config.shutdown is defined %} shutdown {% else %} diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl index fbdbafd6e..45e0544b7 100644 --- a/data/templates/frr/bgpd.frr.tmpl +++ b/data/templates/frr/bgpd.frr.tmpl @@ -17,6 +17,12 @@ {% endif %} {% if config.bfd is defined %} neighbor {{ neighbor }} bfd +{% if config.bfd.check_control_plane_failure is defined %} + neighbor {{ neighbor }} bfd check-control-plane-failure +{% endif %} +{% if config.bfd.profile is defined and config.bfd.profile is not none %} + neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }} +{% endif %} {% endif %} {% if config.capability is defined and config.capability is not none %} {% if config.capability.dynamic is defined %} @@ -140,6 +146,17 @@ {% if afi_config.as_override is defined %} neighbor {{ neighbor }} as-override {% endif %} +{% if afi_config.conditionally_advertise is defined and afi_config.conditionally_advertise is not none %} +{% if afi_config.conditionally_advertise.advertise_map is defined and afi_config.conditionally_advertise.advertise_map is not none %} +{% set exist_non_exist_map = 'exist-map' %} +{% if afi_config.conditionally_advertise.exist_map is defined and afi_config.conditionally_advertise.exist_map is not none %} +{% set exist_non_exist_map = 'exist-map ' ~ afi_config.conditionally_advertise.exist_map %} +{% elif afi_config.conditionally_advertise.non_exist_map is defined and afi_config.conditionally_advertise.non_exist_map is not none %} +{% set exist_non_exist_map = 'non-exist-map ' ~ afi_config.conditionally_advertise.non_exist_map %} +{% endif %} + neighbor {{ neighbor }} advertise-map {{ afi_config.conditionally_advertise.advertise_map }} {{ exist_non_exist_map }} +{% endif %} +{% endif %} {% if afi_config.remove_private_as is defined %} neighbor {{ neighbor }} remove-private-AS {% endif %} @@ -469,6 +486,11 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none {% if parameters.cluster_id is defined and parameters.cluster_id is not none %} bgp cluster-id {{ parameters.cluster_id }} {% endif %} +{% if parameters.conditional_advertisement is defined and parameters.conditional_advertisement is not none %} +{% if parameters.conditional_advertisement.timer is defined and parameters.conditional_advertisement.timer is not none %} + bgp conditional-advertisement timer {{ parameters.conditional_advertisement.timer }} +{% endif %} +{% endif %} {% if parameters.confederation is defined and parameters.confederation is not none %} {% if parameters.confederation.identifier is defined and parameters.confederation.identifier is not none %} bgp confederation identifier {{ parameters.confederation.identifier }} @@ -499,6 +521,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none {% endfor %} {% endif %} {% endif %} +{% if parameters.fast_convergence is defined %} + bgp fast-convergence +{% endif %} {% if parameters.graceful_restart is defined %} bgp graceful-restart {{ 'stalepath-time ' ~ parameters.graceful_restart.stalepath_time if parameters.graceful_restart.stalepath_time is defined }} {% endif %} @@ -508,6 +533,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none {% if parameters.log_neighbor_changes is defined %} bgp log-neighbor-changes {% endif %} +{% if parameters.minimum_holdtime is defined and parameters.minimum_holdtime is not none %} + bgp minimum-holdtime {{ parameters.minimum_holdtime }} +{% endif %} {% if parameters.network_import_check is defined %} bgp network import-check {% endif %} @@ -517,11 +545,20 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none {% if parameters.no_fast_external_failover is defined %} no bgp fast-external-failover {% endif %} +{% if parameters.reject_as_sets is defined %} + bgp reject-as-sets +{% endif %} {% if parameters.router_id is defined and parameters.router_id is not none %} bgp router-id {{ parameters.router_id }} {% endif %} +{% if parameters.shutdown is defined %} + bgp shutdown +{% endif %} +{% if parameters.suppress_fib_pending is defined %} + bgp suppress-fib-pending +{% endif %} {% endif %} {% if timers is defined and timers.keepalive is defined and timers.holdtime is defined %} timers bgp {{ timers.keepalive }} {{ timers.holdtime }} {% endif %} -exit
\ No newline at end of file +exit diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl index fc0799e02..b1e3f825b 100644 --- a/data/templates/frr/isisd.frr.tmpl +++ b/data/templates/frr/isisd.frr.tmpl @@ -6,6 +6,9 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} ipv6 router isis VyOS {% if iface_config.bfd is defined %} isis bfd +{% if iface_config.bfd.profile is defined and iface_config.bfd.profile is not none %} + isis bfd profile {{ iface_config.bfd.profile }} +{% endif %} {% endif %} {% if iface_config.network is defined and iface_config.network.point_to_point is defined %} isis network point-to-point diff --git a/data/templates/frr/ldpd.frr.tmpl b/data/templates/frr/ldpd.frr.tmpl index 0a5411552..537ea4025 100644 --- a/data/templates/frr/ldpd.frr.tmpl +++ b/data/templates/frr/ldpd.frr.tmpl @@ -2,69 +2,69 @@ {% if ldp is defined %} mpls ldp {% if ldp.router_id is defined %} -router-id {{ ldp.router_id }} + router-id {{ ldp.router_id }} {% endif %} {% if ldp.parameters is defined %} {% if ldp.parameters.cisco_interop_tlv is defined %} -dual-stack cisco-interop + dual-stack cisco-interop {% endif %} {% if ldp.parameters.transport_prefer_ipv4 is defined%} -dual-stack transport-connection prefer ipv4 + dual-stack transport-connection prefer ipv4 {% endif %} {% if ldp.parameters.ordered_control is defined%} -ordered-control + ordered-control {% endif %} {% endif %} {% if ldp.neighbor is defined %} {% for neighbors in ldp.neighbor %} {% if ldp.neighbor[neighbors].password is defined %} -neighbor {{neighbors}} password {{ldp.neighbor[neighbors].password}} + neighbor {{ neighbors }} password {{ ldp.neighbor[neighbors].password }} {% endif %} {% if ldp.neighbor[neighbors].ttl_security is defined %} {% if 'disable' in ldp.neighbor[neighbors].ttl_security %} -neighbor {{neighbors}} ttl-security disable + neighbor {{ neighbors }} ttl-security disable {% else %} -neighbor {{neighbors}} ttl-security hops {{ldp.neighbor[neighbors].ttl_security}} + neighbor {{ neighbors }} ttl-security hops {{ ldp.neighbor[neighbors].ttl_security }} {% endif %} {% endif %} {% if ldp.neighbor[neighbors].session_holdtime is defined %} -neighbor {{neighbors}} session holdtime {{ldp.neighbor[neighbors].session_holdtime}} + neighbor {{ neighbors }} session holdtime {{ ldp.neighbor[neighbors].session_holdtime }} {% endif %} {% endfor %} {% endif %} -! + ! {% if ldp.discovery is defined %} {% if ldp.discovery.transport_ipv4_address is defined %} -address-family ipv4 + address-family ipv4 {% if ldp.allocation is defined %} {% if ldp.allocation.ipv4 is defined %} {% if ldp.allocation.ipv4.access_list is defined %} -label local allocate for {{ ldp.allocation.ipv4.access_list }} + label local allocate for {{ ldp.allocation.ipv4.access_list }} {% endif %} {% endif %} {% else %} -label local allocate host-routes + label local allocate host-routes {% endif %} {% if ldp.discovery.transport_ipv4_address is defined %} -discovery transport-address {{ ldp.discovery.transport_ipv4_address }} + discovery transport-address {{ ldp.discovery.transport_ipv4_address }} {% endif %} {% if ldp.discovery.hello_ipv4_holdtime is defined %} -discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }} + discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }} {% endif %} {% if ldp.discovery.hello_ipv4_interval is defined %} -discovery hello interval {{ ldp.discovery.hello_ipv4_interval }} + discovery hello interval {{ ldp.discovery.hello_ipv4_interval }} {% endif %} {% if ldp.discovery.session_ipv4_holdtime is defined %} -session holdtime {{ ldp.discovery.session_ipv4_holdtime }} + session holdtime {{ ldp.discovery.session_ipv4_holdtime }} {% endif %} {% if ldp.import is defined %} {% if ldp.import.ipv4 is defined %} {% if ldp.import.ipv4.import_filter is defined %} {% if ldp.import.ipv4.import_filter.filter_access_list is defined %} {% if ldp.import.ipv4.import_filter.neighbor_access_list is defined %} -label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }} + label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }} {% else %} -label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} + label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} {% endif %} {% endif %} {% endif %} @@ -73,14 +73,14 @@ label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} {% if ldp.export is defined %} {% if ldp.export.ipv4 is defined %} {% if ldp.export.ipv4.explicit_null is defined %} -label local advertise explicit-null + label local advertise explicit-null {% endif %} {% if ldp.export.ipv4.export_filter is defined %} {% if ldp.export.ipv4.export_filter.filter_access_list is defined %} {% if ldp.export.ipv4.export_filter.neighbor_access_list is defined %} -label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }} + label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }} {% else %} -label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} + label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} {% endif %} {% endif %} {% endif %} @@ -88,59 +88,59 @@ label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} {% endif %} {% if ldp.targeted_neighbor is defined %} {% if ldp.targeted_neighbor.ipv4.enable is defined %} -discovery targeted-hello accept + discovery targeted-hello accept {% endif %} {% if ldp.targeted_neighbor.ipv4.hello_holdtime is defined %} -discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }} + discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }} {% endif %} {% if ldp.targeted_neighbor.ipv4.hello_interval is defined %} -discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }} + discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }} {% endif %} {% for addresses in ldp.targeted_neighbor.ipv4.address %} -neighbor {{addresses}} targeted + neighbor {{addresses}} targeted {% endfor %} {% endif %} {% for interfaces in ldp.interface %} -interface {{interfaces}} + interface {{interfaces}} {% endfor %} -exit-address-family + exit-address-family {% else %} -no address-family ipv4 + no address-family ipv4 {% endif %} {% endif %} -! + ! {% if ldp.discovery is defined %} {% if ldp.discovery.transport_ipv6_address is defined %} -address-family ipv6 + address-family ipv6 {% if ldp.allocation is defined %} {% if ldp.allocation.ipv6 is defined %} {% if ldp.allocation.ipv6.access_list6 is defined %} -label local allocate for {{ ldp.allocation.ipv6.access_list6 }} + label local allocate for {{ ldp.allocation.ipv6.access_list6 }} {% endif %} {% endif %} {% else %} -label local allocate host-routes + label local allocate host-routes {% endif %} {% if ldp.discovery.transport_ipv6_address is defined %} -discovery transport-address {{ ldp.discovery.transport_ipv6_address }} + discovery transport-address {{ ldp.discovery.transport_ipv6_address }} {% endif %} {% if ldp.discovery.hello_ipv6_holdtime is defined %} -discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }} + discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }} {% endif %} {% if ldp.discovery.hello_ipv6_interval is defined %} -discovery hello interval {{ ldp.discovery.hello_ipv6_interval }} + discovery hello interval {{ ldp.discovery.hello_ipv6_interval }} {% endif %} {% if ldp.discovery.session_ipv6_holdtime is defined %} -session holdtime {{ ldp.discovery.session_ipv6_holdtime }} + session holdtime {{ ldp.discovery.session_ipv6_holdtime }} {% endif %} {% if ldp.import is defined %} {% if ldp.import.ipv6 is defined %} {% if ldp.import.ipv6.import_filter is defined %} {% if ldp.import.ipv6.import_filter.filter_access_list6 is defined %} {% if ldp.import.ipv6.import_filter.neighbor_access_list6 is defined %} -label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} from {{ ldp.import.ipv6.import_filter.neighbor_access_list6 }} + label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} from {{ ldp.import.ipv6.import_filter.neighbor_access_list6 }} {% else %} -label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} + label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} {% endif %} {% endif %} {% endif %} @@ -149,14 +149,14 @@ label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} {% if ldp.export is defined %} {% if ldp.export.ipv6 is defined %} {% if ldp.export.ipv6.explicit_null is defined %} -label local advertise explicit-null + label local advertise explicit-null {% endif %} {% if ldp.export.ipv6.export_filter is defined %} {% if ldp.export.ipv6.export_filter.filter_access_list6 is defined %} {% if ldp.export.ipv6.export_filter.neighbor_access_list6 is defined %} -label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} to {{ ldp.export.ipv6.export_filter.neighbor_access_list6 }} + label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} to {{ ldp.export.ipv6.export_filter.neighbor_access_list6 }} {% else %} -label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} + label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} {% endif %} {% endif %} {% endif %} @@ -164,24 +164,27 @@ label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 } {% endif %} {% if ldp.targeted_neighbor is defined %} {% if ldp.targeted_neighbor.ipv6.enable is defined %} -discovery targeted-hello accept + discovery targeted-hello accept {% endif %} {% if ldp.targeted_neighbor.ipv6.hello_holdtime is defined %} -discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }} + discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }} {% endif %} {% if ldp.targeted_neighbor.ipv6.hello_interval is defined %} -discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }} + discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }} {% endif %} {% for addresses in ldp.targeted_neighbor.ipv6.address %} -neighbor {{addresses}} targeted + neighbor {{addresses}} targeted {% endfor %} {% endif %} {% for interfaces in ldp.interface %} -interface {{interfaces}} + interface {{interfaces}} {% endfor %} -exit-address-family + exit-address-family {% else %} -no address-family ipv6 + no address-family ipv6 {% endif %} + ! {% endif %} +exit {% endif %} +! diff --git a/data/templates/frr/ospf6d.frr.tmpl b/data/templates/frr/ospf6d.frr.tmpl index 10a6d9b4b..8279e5abb 100644 --- a/data/templates/frr/ospf6d.frr.tmpl +++ b/data/templates/frr/ospf6d.frr.tmpl @@ -25,6 +25,9 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% if iface_config.bfd is defined %} ipv6 ospf6 bfd +{% if iface_config.bfd.profile is defined and iface_config.bfd.profile is not none %} + ipv6 ospf6 bfd profile {{ iface_config.bfd.profile }} +{% endif %} {% endif %} {% if iface_config.mtu_ignore is defined %} ipv6 ospf6 mtu-ignore @@ -51,7 +54,7 @@ router ospf6 {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% for area_id, area_config in area.items() %} {% if area_config.area_type is defined and area_config.area_type is not none %} {% for type, type_config in area_config.area_type.items() %} - area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is defined }} + area {{ area_id }} {{ type }} {{ 'default-information-originate' if type_config.default_information_originate is defined }} {{ 'no-summary' if type_config.no_summary is defined }} {% endfor %} {% endif %} {% if area_config.range is defined and area_config.range is not none %} @@ -67,6 +70,10 @@ router ospf6 {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% endfor %} {% endif %} + auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }} +{% if default_information is defined and default_information.originate is defined and default_information.originate is not none %} + default-information originate {{ 'always' if default_information.originate.always is defined }} {{ 'metric ' + default_information.originate.metric if default_information.originate.metric is defined }} {{ 'metric-type ' + default_information.originate.metric_type if default_information.originate.metric_type is defined }} {{ 'route-map ' + default_information.originate.route_map if default_information.originate.route_map is defined }} +{% endif %} {% if distance is defined and distance is not none %} {% if distance.global is defined and distance.global is not none %} distance {{ distance.global }} diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl index a7b770f07..af66baf53 100644 --- a/data/templates/frr/ospfd.frr.tmpl +++ b/data/templates/frr/ospfd.frr.tmpl @@ -42,6 +42,9 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% if iface_config.bfd is defined %} ip ospf bfd +{% if iface_config.bfd.profile is defined and iface_config.bfd.profile is not none %} + ip ospf bfd profile {{ iface_config.bfd.profile }} +{% endif %} {% endif %} {% if iface_config.mtu_ignore is defined %} ip ospf mtu-ignore diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl index 9d73baeee..ac9203e83 100644 --- a/data/templates/https/nginx.default.tmpl +++ b/data/templates/https/nginx.default.tmpl @@ -44,7 +44,11 @@ server { # proxy settings for HTTP API, if enabled; 503, if not location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) { {% if server.api %} +{% if server.api.socket %} + proxy_pass http://unix:/run/api.sock; +{% else %} proxy_pass http://localhost:{{ server.api.port }}; +{% endif %} proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 600; diff --git a/data/templates/https/override.conf.tmpl b/data/templates/https/override.conf.tmpl new file mode 100644 index 000000000..824b1ba3b --- /dev/null +++ b/data/templates/https/override.conf.tmpl @@ -0,0 +1,15 @@ +{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + +[Service] +ExecStartPre= +ExecStartPre={{vrf_command}}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' +ExecStart= +ExecStart={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' +ExecReload= +ExecReload={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload +Restart=always +RestartPreventExitStatus= +RestartSec=10 diff --git a/data/templates/https/vyos-http-api.service.tmpl b/data/templates/https/vyos-http-api.service.tmpl new file mode 100644 index 000000000..15bd80d65 --- /dev/null +++ b/data/templates/https/vyos-http-api.service.tmpl @@ -0,0 +1,22 @@ +{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +Description=VyOS HTTP API service +After=vyos-router.service +Requires=vyos-router.service + +[Service] +ExecStart={{vrf_command}}/usr/libexec/vyos/services/vyos-http-api-server +Type=idle + +SyslogIdentifier=vyos-http-api +SyslogFacility=daemon + +Restart=on-failure + +# Does't work but leave it here +User=root +Group=vyattacfg + +[Install] +WantedBy=vyos.target + diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 161f19f95..68b108365 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -57,7 +57,7 @@ secrets { {% endif %} {% if site_to_site is defined and site_to_site.peer is defined %} {% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_name = peer.replace(".", "-").replace("@", "") %} +{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} {% if peer_conf.authentication.mode == 'pre-shared-secret' %} ike_{{ peer_name }} { {% if peer_conf.local_address is defined %} diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 8c3776bf1..c6b71f2a1 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -1,5 +1,5 @@ {% macro conn(peer, peer_conf, ike_group, esp_group) %} -{% set name = peer.replace(".", "-").replace("@", "") %} +{% set name = peer.replace("@", "") | dot_colon_to_dash %} {# peer needs to reference the global IKE configuration for certain values #} {% set ike = ike_group[peer_conf.ike_group] %} peer_{{ name }} { @@ -101,6 +101,9 @@ {% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} {% endif %} +{% if tunnel_conf.priority is defined and tunnel_conf.priority is not none %} + priority = {{ tunnel_conf.priority }} +{% endif %} {% elif tunnel_esp.mode == 'transport' %} local_ts = {{ peer_conf.local_address }}{{ local_suffix }} remote_ts = {{ peer }}{{ remote_suffix }} diff --git a/data/templates/logs/logrotate/vyos-atop.tmpl b/data/templates/logs/logrotate/vyos-atop.tmpl new file mode 100644 index 000000000..2d078f379 --- /dev/null +++ b/data/templates/logs/logrotate/vyos-atop.tmpl @@ -0,0 +1,20 @@ +/var/log/atop/atop.log { + daily + dateext + dateformat _%Y-%m-%d_%H-%M-%S + maxsize {{ max_size }}M + missingok + nocompress + nocreate + nomail + rotate {{ rotate }} + prerotate + # stop the service + systemctl stop atop.service + endscript + postrotate + # start atop service again + systemctl start atop.service + endscript +} + diff --git a/data/templates/logs/logrotate/vyos-rsyslog.tmpl b/data/templates/logs/logrotate/vyos-rsyslog.tmpl new file mode 100644 index 000000000..f2e4d2ab2 --- /dev/null +++ b/data/templates/logs/logrotate/vyos-rsyslog.tmpl @@ -0,0 +1,13 @@ +/var/log/messages { + create + missingok + nomail + notifempty + rotate {{ rotate }} + size {{ max_size }}M + postrotate + # inform rsyslog service about rotation + /usr/lib/rsyslog/rsyslog-rotate + endscript +} + diff --git a/data/templates/monitoring/override.conf.tmpl b/data/templates/monitoring/override.conf.tmpl new file mode 100644 index 000000000..63f6d7391 --- /dev/null +++ b/data/templates/monitoring/override.conf.tmpl @@ -0,0 +1,7 @@ +[Unit] +After=vyos-router.service +ConditionPathExists=/run/telegraf/vyos-telegraf.conf +[Service] +Environment=INFLUX_TOKEN={{ authentication.token }} +CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN +AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN diff --git a/data/templates/monitoring/syslog_telegraf.tmpl b/data/templates/monitoring/syslog_telegraf.tmpl new file mode 100644 index 000000000..cdcbd92a4 --- /dev/null +++ b/data/templates/monitoring/syslog_telegraf.tmpl @@ -0,0 +1,5 @@ +# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py + +$ModLoad omuxsock +$OMUxSockSocket /run/telegraf/telegraf_syslog.sock +*.notice :omuxsock: diff --git a/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl b/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl new file mode 100644 index 000000000..234ef5586 --- /dev/null +++ b/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl @@ -0,0 +1,16 @@ +[Unit] +Description=The plugin-driven server agent for reporting metrics into InfluxDB +Documentation=https://github.com/influxdata/telegraf +After=network.target + +[Service] +EnvironmentFile=-/etc/default/telegraf +User=telegraf +ExecStart=/usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS +ExecReload=/bin/kill -HUP $MAINPID +Restart=on-failure +RestartForceExitStatus=SIGPIPE +KillMode=control-group + +[Install] +WantedBy=multi-user.target diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl new file mode 100644 index 000000000..62fa4df7a --- /dev/null +++ b/data/templates/monitoring/telegraf.tmpl @@ -0,0 +1,63 @@ +# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py + +[agent] + interval = "10s" + round_interval = true + metric_batch_size = 1000 + metric_buffer_limit = 10000 + collection_jitter = "0s" + flush_interval = "10s" + flush_jitter = "0s" + precision = "" + debug = false + quiet = false + logfile = "" + hostname = "" + omit_hostname = false +[[outputs.influxdb_v2]] + urls = ["{{ url }}:{{ port }}"] + insecure_skip_verify = true + token = "{{ authentication.token }}" + organization = "{{ authentication.organization }}" + bucket = "{{ bucket }}" +[[inputs.cpu]] + percpu = true + totalcpu = true + collect_cpu_time = false + report_active = false +[[inputs.disk]] + ignore_fs = ["devtmpfs", "devfs"] +[[inputs.diskio]] +[[inputs.mem]] +[[inputs.net]] +[[inputs.system]] +[[inputs.netstat]] +[[inputs.processes]] +[[inputs.kernel]] +[[inputs.interrupts]] +[[inputs.linux_sysctl_fs]] +[[inputs.systemd_units]] +[[inputs.conntrack]] + files = ["ip_conntrack_count","ip_conntrack_max","nf_conntrack_count","nf_conntrack_max"] + dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"] +[[inputs.ethtool]] +[[inputs.iptables]] + use_sudo = false + table = "filter" + chains = {{ nft_chains }} + use_lock = true +[[inputs.ntpq]] + dns_lookup = true +[[inputs.internal]] +[[inputs.nstat]] +[[inputs.syslog]] + server = "unixgram:///run/telegraf/telegraf_syslog.sock" + best_effort = true + syslog_standard = "RFC3164" +[[inputs.exec]] + commands = [ + "{{ custom_scripts_dir }}/show_interfaces_input_filter.py", + "cat /tmp/vyos_services_input_filter" + ] + timeout = "10s" + data_format = "influx" diff --git a/data/templates/netflow/uacctd.conf.tmpl b/data/templates/netflow/uacctd.conf.tmpl index 1c183bb20..f81002dc1 100644 --- a/data/templates/netflow/uacctd.conf.tmpl +++ b/data/templates/netflow/uacctd.conf.tmpl @@ -1,72 +1,74 @@ # Genereated from VyOS configuration daemonize: true promisc: false -pidfile: /var/run/uacctd.pid +pidfile: /run/pmacct/uacctd.pid uacctd_group: 2 uacctd_nl_size: 2097152 -snaplen: {{ snaplen }} -{% if templatecfg['enable-egress'] != none %} -aggregate: in_iface,out_iface,src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows -{% else %} -aggregate: in_iface,src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +snaplen: {{ packet_length }} +aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +{% set pipe_size = buffer_size | int *1024 *1024 %} +plugin_pipe_size: {{ pipe_size }} +{# We need an integer division (//) without any remainder or fraction #} +plugin_buffer_size: {{ pipe_size // 1000 }} +{% if syslog_facility is defined and syslog_facility is not none %} +syslog: {{ syslog_facility }} {% endif %} -plugin_pipe_size: {{ templatecfg['plugin_pipe_size'] }} -plugin_buffer_size: {{ templatecfg['plugin_buffer_size'] }} -{% if templatecfg['syslog-facility'] != none %} -syslog: {{ templatecfg['syslog-facility'] }} -{% endif %} -{% if templatecfg['disable-imt'] == none %} +{% if disable_imt is not defined %} imt_path: /tmp/uacctd.pipe imt_mem_pools_number: 169 {% endif %} -plugins: {% if templatecfg['netflow']['servers'] != none %} -{% for server in templatecfg['netflow']['servers'] %} -{% if loop.last %}nfprobe[nf_{{ server['address'] }}]{% else %}nfprobe[nf_{{ server['address'] }}],{% endif %} -{% endfor %} -{% set plugins_presented = true %} -{% endif %} -{% if templatecfg['sflow']['servers'] != none %} -{% if plugins_presented %} -{% for server in templatecfg['sflow']['servers'] %},sfprobe[sf_{{ server['address'] }}]{% endfor %} -{% else %} -{% for server in templatecfg['sflow']['servers'] %} -{% if loop.last %}sfprobe[sf_{{ server['address'] }}]{% else %}sfprobe[sf_{{ server['address'] }}],{% endif %} -{% endfor %} -{% endif %} -{% set plugins_presented = true %} -{% endif %} -{% if templatecfg['disable-imt'] == none %} -{% if plugins_presented %},memory{% else %}memory{% endif %} -{% endif %} -{% if templatecfg['netflow']['servers'] != none %} -{% for server in templatecfg['netflow']['servers'] %} -nfprobe_receiver[nf_{{ server['address'] }}]: {{ server['address'] }}:{{ server['port'] }} -nfprobe_version[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['version'] }} -{% if templatecfg['netflow']['engine-id'] != none %} -nfprobe_engine[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['engine-id'] }} -{% endif %} -{% if templatecfg['netflow']['max-flows'] != none %} -nfprobe_maxflows[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['max-flows'] }} -{% endif %} -{% if templatecfg['netflow']['sampling-rate'] != none %} -sampling_rate[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['sampling-rate'] }} -{% endif %} -{% if templatecfg['netflow']['source-ip'] != none %} -nfprobe_source_ip[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['source-ip'] }} +{% set plugin = [] %} +{% if disable_imt is not defined %} +{% set plugin = ['memory'] %} {% endif %} -{% if templatecfg['netflow']['timeout_string'] != '' %} -nfprobe_timeouts[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['timeout_string'] }} +{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +{% for server in netflow.server %} +{% set plugin = plugin.append('nfprobe[nf_' ~ server ~ ']') %} +{% endfor %} {% endif %} -{% endfor %} +{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +{% for server in sflow.server %} +{% set plugin = plugin.append('sfprobe[sf_' ~ server ~ ']') %} +{% endfor %} {% endif %} +plugins: {{ plugin | join(',') }} -{% if templatecfg['sflow']['servers'] != none %} -{% for server in templatecfg['sflow']['servers'] %} -sfprobe_receiver[sf_{{ server['address'] }}]: {{ server['address'] }}:{{ server['port'] }} -sfprobe_agentip[sf_{{ server['address'] }}]: {{ templatecfg['sflow']['agent-address'] }} -{% if templatecfg['sflow']['sampling-rate'] != none %} -sampling_rate[sf_{{ server['address'] }}]: {{ templatecfg['sflow']['sampling-rate'] }} +{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +# NetFlow servers +{% for server, server_config in netflow.server.items() %} +nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} +nfprobe_version[nf_{{ server }}]: {{ netflow.version }} +{% if netflow.engine_id is defined and netflow.engine_id is not none %} +nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} +{% endif %} +{% if netflow.max_flows is defined and netflow.max_flows is not none %} +nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} +{% endif %} +{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} +sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} +{% endif %} +{% if netflow.source_address is defined and netflow.source_address is not none %} +nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} +{% endif %} +{% if netflow.timeout is defined and netflow.timeout is not none %} +nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} +{% endif %} + +{% endfor %} {% endif %} -{% endfor %} + +{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +# sFlow servers +{% for server, server_config in sflow.server.items() %} +sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} +sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }} +{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} +sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} +{% endif %} +{% if sflow.source_address is defined and sflow.source_address is not none %} +sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} +{% endif %} + +{% endfor %} {% endif %} diff --git a/data/templates/snmp/etc.snmp.conf.tmpl b/data/templates/snmp/etc.snmp.conf.tmpl index 6e4c6f063..f7d9a3c17 100644 --- a/data/templates/snmp/etc.snmp.conf.tmpl +++ b/data/templates/snmp/etc.snmp.conf.tmpl @@ -1,4 +1,4 @@ ### Autogenerated by snmp.py ### -{% if trap_source %} +{% if trap_source is defined and trap_source is not none %} clientaddr {{ trap_source }} {% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.tmpl b/data/templates/snmp/etc.snmpd.conf.tmpl index 30806ce8a..befea0122 100644 --- a/data/templates/snmp/etc.snmpd.conf.tmpl +++ b/data/templates/snmp/etc.snmpd.conf.tmpl @@ -33,87 +33,152 @@ interface_replace_old yes # Default system description is VyOS version sysDescr VyOS {{ version }} -{% if description %} +{% if description is defined and description is not none %} # Description SysDescr {{ description }} {% endif %} # Listen -agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},{{protocol}}:161{% if ipv6_enabled %},{{protocol}}6:161{% endif %}{% endif %} +{% set options = [] %} +{% if listen_address is defined and listen_address is not none %} +{% for address, address_options in listen_address.items() %} +{% if address | is_ipv6 %} +{% set protocol = protocol ~ '6' %} +{% endif %} +{% set _ = options.append(protocol ~ ':' ~ address | bracketize_ipv6 ~ ':' ~ address_options.port) %} +{% endfor %} +{% else %} +{% set _ = options.append(protocol ~ ':161') %} +{% if ipv6_disabled is not defined %} +{% set _ = options.append(protocol ~ '6:161') %} +{% endif %} +{% endif %} +agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is defined and options is not none }} # SNMP communities -{% for c in communities %} -{% if c.network_v4 %} -{% for network in c.network_v4 %} -{{ c.authorization }}community {{ c.name }} {{ network }} -{% endfor %} -{% elif not c.has_source %} -{{ c.authorization }}community {{ c.name }} -{% endif %} -{% if c.network_v6 %} -{% for network in c.network_v6 %} -{{ c.authorization }}community6 {{ c.name }} {{ network }} -{% endfor %} -{% elif not c.has_source %} -{{ c.authorization }}community6 {{ c.name }} -{% endif %} -{% endfor %} +{% if community is defined and community is not none %} +{% for comm, comm_config in community.items() %} +{% if comm_config.client is defined and comm_config.client is not none %} +{% for client in comm_config.client %} +{% if client | is_ipv4 %} +{{ comm_config.authorization }}community {{ comm }} {{ client }} +{% elif client | is_ipv6 %} +{{ comm_config.authorization }}community6 {{ comm }} {{ client }} +{% endif %} +{% endfor %} +{% endif %} +{% if comm_config.network is defined and comm_config.network is not none %} +{% for network in comm_config.network %} +{% if network | is_ipv4 %} +{{ comm_config.authorization }}community {{ comm }} {{ network }} +{% elif client | is_ipv6 %} +{{ comm_config.authorization }}community6 {{ comm }} {{ network }} +{% endif %} +{% endfor %} +{% endif %} +{% if comm_config.client is not defined and comm_config.network is not defined %} +{{ comm_config.authorization }}community {{ comm }} +{% endif %} +{% endfor %} +{% endif %} -{% if contact %} +{% if contact is defined and contact is not none %} # system contact information SysContact {{ contact }} {% endif %} -{% if location %} +{% if location is defined and location is not none %} # system location information SysLocation {{ location }} {% endif %} -{% if smux_peers %} +{% if smux_peer is defined and smux_peer is not none %} # additional smux peers -{% for sp in smux_peers %} -smuxpeer {{ sp }} +{% for peer in smux_peer %} +smuxpeer {{ peer }} {% endfor %} {% endif %} -{% if trap_targets %} +{% if trap_target is defined and trap_target is not none %} # if there is a problem - tell someone! -{% for trap in trap_targets %} -trap2sink {{ trap.target }}{{ ":" + trap.port if trap.port is defined }} {{ trap.community }} +{% for trap, trap_config in trap_target.items() %} +trap2sink {{ trap }}:{{ trap_config.port }} {{ trap_config.community }} {% endfor %} {% endif %} -{% if v3_enabled %} +{% if v3 is defined and v3 is not none %} # # SNMPv3 stuff goes here # +{% if v3.view is defined and v3.view is not none %} # views -{% for view in v3_views %} -{% for oid in view.oids %} -view {{ view.name }} included .{{ oid.oid }} +{% for view, view_config in v3.view.items() %} +{% if view_config.oid is defined and view_config.oid is not none %} +{% for oid in view_config.oid %} +view {{ view }} included .{{ oid }} +{% endfor %} +{% endif %} {% endfor %} -{% endfor %} +{% endif %} # access +{% if v3.group is defined and v3.group is not none %} # context sec.model sec.level match read write notif -{% for group in v3_groups %} -access {{ group.name }} "" usm {{ group.seclevel }} exact {{ group.view }} {% if group.mode == 'ro' %}none{% else %}{{ group.view }}{% endif %} none -{% endfor %} +{% for group, group_config in v3.group.items() %} +access {{ group }} "" usm {{ group_config.seclevel }} exact {{ group_config.view }} {% if group_config.mode == 'ro' %}none{% else %}{{ group_config.view }}{% endif %} none +{% endfor %} +{% endif %} # trap-target -{% for t in v3_traps %} -trapsess -v 3 {{ '-Ci' if t.type == 'inform' }} -e {{ v3_engineid }} -u {{ t.secName }} -l {{ t.secLevel }} -a {{ t.authProtocol }} {% if t.authPassword %}-A {{ t.authPassword }}{% elif t.authMasterKey %}-3m {{ t.authMasterKey }}{% endif %} -x {{ t.privProtocol }} {% if t.privPassword %}-X {{ t.privPassword }}{% elif t.privMasterKey %}-3M {{ t.privMasterKey }}{% endif %} {{ t.ipProto }}:{{ t.ipAddr }}:{{ t.ipPort }} -{% endfor %} +{% if v3.trap_target is defined and v3.trap_target is not none %} +{% for trap, trap_config in v3.trap_target.items() %} +{% set options = '' %} +{% if trap_config.type == 'inform' %} +{% set options = options ~ ' -Ci' %} +{% endif %} +{% if v3.engineid is defined and v3.engineid is not none %} +{% set options = options ~ ' -e "' ~ v3.engineid ~ '"' %} +{% endif %} +{% if trap_config.user is defined and trap_config.user is not none %} +{% set options = options ~ ' -u ' ~ trap_config.user %} +{% endif %} +{% if trap_config.auth is defined and trap_config.auth.plaintext_password is defined or trap_config.auth.encrypted_password is defined %} +{% set options = options ~ ' -a ' ~ trap_config.auth.type %} +{% if trap_config.auth.plaintext_password is defined and trap_config.auth.plaintext_password is not none %} +{% set options = options ~ ' -A ' ~ trap_config.auth.plaintext_password %} +{% elif trap_config.auth.encrypted_password is defined and trap_config.auth.encrypted_password is not none %} +{% set options = options ~ ' -3m ' ~ trap_config.auth.encrypted_password %} +{% endif %} +{% if trap_config.privacy is defined and trap_config.privacy.plaintext_password is defined or trap_config.privacy.encrypted_password is defined %} +{% set options = options ~ ' -x ' ~ trap_config.privacy.type %} +{% if trap_config.privacy.plaintext_password is defined and trap_config.privacy.plaintext_password is not none %} +{% set options = options ~ ' -X ' ~ trap_config.privacy.plaintext_password %} +{% elif trap_config.privacy.encrypted_password is defined and trap_config.privacy.encrypted_password is not none %} +{% set options = options ~ ' -3M ' ~ trap_config.privacy.encrypted_password %} +{% endif %} +{% set options = options ~ ' -l authPriv' %} +{% else %} +{% set options = options ~ ' -l authNoPriv' %} +{% endif %} +{% else %} +{% set options = options ~ ' -l noAuthNoPriv' %} +{% endif %} +trapsess -v 3 {{ options }} {{ trap }}:{{ trap_config.protocol }}:{{ trap_config.port }} +{% endfor %} +{% endif %} # group -{% for u in v3_users %} -group {{ u.group }} usm {{ u.name }} -{% endfor %} +{% if v3.user is defined and v3.user is not none %} +{% for user, user_config in v3.user.items() %} +group {{ user_config.group }} usm {{ user }} +{% endfor %} +{% endif %} +{# SNMPv3 end #} {% endif %} -{% if script_ext %} +{% if script_extensions is defined and script_extensions.extension_name is defined and script_extensions.extension_name is not none %} # extension scripts -{% for ext in script_ext|sort(attribute='name') %} -extend {{ ext.name }} {{ ext.script }} +{% for script, script_config in script_extensions.extension_name.items() | sort(attribute=script) %} +extend {{ script }} {{ script_config.script }} {% endfor %} {% endif %} diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl index 2ac45a89f..3b00aab83 100644 --- a/data/templates/snmp/override.conf.tmpl +++ b/data/templates/snmp/override.conf.tmpl @@ -1,5 +1,5 @@ {% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} -{% set oid_route_table = ' ' if route_table is sameas true else '-I -ipCidrRouteTable,inetCidrRouteTable' %} +{% set oid_route_table = ' ' if oid_enable is defined and oid_enable == 'route-table' else '-I -ipCidrRouteTable,inetCidrRouteTable' %} [Unit] StartLimitIntervalSec=0 After=vyos-router.service diff --git a/data/templates/snmp/usr.snmpd.conf.tmpl b/data/templates/snmp/usr.snmpd.conf.tmpl index e2c5ec102..1c688a61e 100644 --- a/data/templates/snmp/usr.snmpd.conf.tmpl +++ b/data/templates/snmp/usr.snmpd.conf.tmpl @@ -1,6 +1,8 @@ ### Autogenerated by snmp.py ### -{% for u in v3_users %} -{{ u.mode }}user {{ u.name }} -{% endfor %} +{% if v3 is defined and v3.user is defined and v3.user is not none %} +{% for user, user_config in v3.user.items() %} +{{ user_config.mode }}user {{ user }} +{% endfor %} +{% endif %} rwuser {{ vyos_user }} diff --git a/data/templates/snmp/var.snmpd.conf.tmpl b/data/templates/snmp/var.snmpd.conf.tmpl index c779587df..5871a8234 100644 --- a/data/templates/snmp/var.snmpd.conf.tmpl +++ b/data/templates/snmp/var.snmpd.conf.tmpl @@ -1,14 +1,16 @@ ### Autogenerated by snmp.py ### # user -{% for u in v3_users %} -{% if u.authOID == 'none' %} -createUser {{ u.name }} -{% else %} -usmUser 1 3 0x{{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} 0x{{ u.authMasterKey }} {{ u.privOID }} 0x{{ u.privMasterKey }} 0x -{% endif %} -{% endfor %} +{% if v3 is defined and v3 is not none %} +{% if v3.user is defined and v3.user is not none %} +{% for user, user_config in v3.user.items() %} +usmUser 1 3 0x{{ v3.engineid }} "{{ user }}" "{{ user }}" NULL {{ user_config.auth.type | snmp_auth_oid }} 0x{{ user_config.auth.encrypted_password }} {{ user_config.privacy.type | snmp_auth_oid }} 0x{{ user_config.privacy.encrypted_password }} 0x +{% endfor %} +{% endif %} +# VyOS default user createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES -{% if v3_engineid %} -oldEngineID 0x{{ v3_engineid }} + +{% if v3.engineid is defined and v3.engineid is not none %} +oldEngineID 0x{{ v3.engineid }} +{% endif %} {% endif %} diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl index 80826fc75..26aff90bf 100644 --- a/data/templates/squid/squid.conf.tmpl +++ b/data/templates/squid/squid.conf.tmpl @@ -88,7 +88,7 @@ tcp_outgoing_address {{ outgoing_address }} {% if listen_address is defined and listen_address is not none %} {% for address, config in listen_address.items() %} -http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }} +http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }} {% endfor %} {% endif %} http_port 127.0.0.1:{{ default_port }} diff --git a/data/templates/syslog/rsyslog.conf.tmpl b/data/templates/syslog/rsyslog.conf.tmpl index e25ef48d4..2fb621760 100644 --- a/data/templates/syslog/rsyslog.conf.tmpl +++ b/data/templates/syslog/rsyslog.conf.tmpl @@ -25,12 +25,18 @@ $outchannel {{ file }},{{ file_options['log-file'] }},{{ file_options['max-size' {% if host_options.proto == 'tcp' %} {% if host_options.port is defined %} {% if host_options.oct_count is defined %} -{{ host_options.selectors }} @@(o){{ host }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format +{{ host_options.selectors }} @@(o){{ host | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format {% else %} -{{ host_options.selectors }} @@{{ host }}:{{ host_options.port }} +{{ host_options.selectors }} @@{{ host | bracketize_ipv6 }}:{{ host_options.port }} {% endif %} {% else %} -{{ host_options.selectors }} @@{{ host }} +{{ host_options.selectors }} @@{{ host | bracketize_ipv6 }} +{% endif %} +{% elif host_options.proto == 'udp' %} +{% if host_options.port is defined %} +{{ host_options.selectors }} @{{ host | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.oct_count is sameas true }} +{% else %} +{{ host_options.selectors }} @{{ host | bracketize_ipv6 }} {% endif %} {% else %} {% if host_options['port'] %} diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl index b4824a994..6585fc60b 100644 --- a/data/templates/vrrp/keepalived.conf.tmpl +++ b/data/templates/vrrp/keepalived.conf.tmpl @@ -5,9 +5,6 @@ global_defs { dynamic_interfaces script_user root - # Don't run scripts configured to be run as root if any part of the path - # is writable by a non-root user. - enable_script_security notify_fifo /run/keepalived/keepalived_notify_fifo notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py } @@ -86,15 +83,24 @@ vrrp_instance {{ name }} { {% endif %} {% if sync_group is defined and sync_group is not none %} -{% for name, group_config in sync_group.items() if group_config.disable is not defined %} +{% for name, sync_group_config in sync_group.items() if sync_group_config.disable is not defined %} vrrp_sync_group {{ name }} { group { -{% if group_config.member is defined and group_config.member is not none %} -{% for member in group_config.member %} +{% if sync_group_config.member is defined and sync_group_config.member is not none %} +{% for member in sync_group_config.member %} {{ member }} {% endfor %} {% endif %} } + +{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #} +{% for name, group_config in group.items() if group_config.disable is not defined %} +{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none and name in sync_group_config.member %} + track_script { + healthcheck_{{ name }} + } +{% endif %} +{% endfor %} {% if conntrack_sync_group is defined and conntrack_sync_group == name %} {% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %} notify_master "{{ vyos_helper }} master {{ name }}" |