summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/accel-ppp/pppoe.config.tmpl18
-rw-r--r--data/templates/dns-forwarding/recursor.conf.tmpl3
-rw-r--r--data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl6
-rw-r--r--data/templates/dns-forwarding/recursor.zone.conf.tmpl7
-rw-r--r--data/templates/frr/bfdd.frr.tmpl3
-rw-r--r--data/templates/frr/bgpd.frr.tmpl39
-rw-r--r--data/templates/frr/isisd.frr.tmpl3
-rw-r--r--data/templates/frr/ldpd.frr.tmpl99
-rw-r--r--data/templates/frr/ospf6d.frr.tmpl9
-rw-r--r--data/templates/frr/ospfd.frr.tmpl3
-rw-r--r--data/templates/https/nginx.default.tmpl4
-rw-r--r--data/templates/https/override.conf.tmpl15
-rw-r--r--data/templates/https/vyos-http-api.service.tmpl22
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl2
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl5
-rw-r--r--data/templates/logs/logrotate/vyos-atop.tmpl20
-rw-r--r--data/templates/logs/logrotate/vyos-rsyslog.tmpl13
-rw-r--r--data/templates/monitoring/override.conf.tmpl7
-rw-r--r--data/templates/monitoring/syslog_telegraf.tmpl5
-rw-r--r--data/templates/monitoring/systemd_vyos_telegraf_service.tmpl16
-rw-r--r--data/templates/monitoring/telegraf.tmpl63
-rw-r--r--data/templates/netflow/uacctd.conf.tmpl114
-rw-r--r--data/templates/snmp/etc.snmp.conf.tmpl2
-rw-r--r--data/templates/snmp/etc.snmpd.conf.tmpl151
-rw-r--r--data/templates/snmp/override.conf.tmpl2
-rw-r--r--data/templates/snmp/usr.snmpd.conf.tmpl8
-rw-r--r--data/templates/snmp/var.snmpd.conf.tmpl20
-rw-r--r--data/templates/squid/squid.conf.tmpl2
-rw-r--r--data/templates/syslog/rsyslog.conf.tmpl12
-rw-r--r--data/templates/vrrp/keepalived.conf.tmpl18
30 files changed, 506 insertions, 185 deletions
diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl
index 238e7ee15..0a8e0079b 100644
--- a/data/templates/accel-ppp/pppoe.config.tmpl
+++ b/data/templates/accel-ppp/pppoe.config.tmpl
@@ -108,19 +108,17 @@ ac-name={{ access_concentrator }}
{% if iface_config.vlan_id is not defined and iface_config.vlan_range is not defined %}
interface={{ iface }}
{% endif %}
-{% if iface_config.vlan_id is defined and iface_config.vlan_range is not defined %}
-{% for vlan in iface_config.vlan_id %}
-interface={{ iface }}.{{ vlan }}
-vlan-mon={{ iface }},{{ vlan }}
+{% if iface_config.vlan_range is defined %}
+{% for regex in iface_config.regex %}
+interface=re:^{{ iface | replace('.', '\\.') }}\.({{ regex }})$
{% endfor %}
-{% endif %}
-{% if iface_config.vlan_range is defined and iface_config.vlan_id is not defined %}
vlan-mon={{ iface }},{{ iface_config.vlan_range | join(',') }}
-interface=re:{{ iface | replace('.', '\\.') }}\.\d+
{% endif %}
-{% if iface_config.vlan_id is defined and iface_config.vlan_range is defined %}
-vlan-mon={{ iface }},{{ iface_config.vlan_id | join(',') }},{{ iface_config.vlan_range | join(',') }}
-interface=re:{{ iface | replace('.', '\\.') }}\.\d+
+{% if iface_config.vlan_id is defined %}
+{% for vlan in iface_config.vlan_id %}
+vlan-mon={{ iface }},{{ vlan }}
+interface=re:^{{ iface | replace('.', '\\.') }}\.{{ vlan }}$
+{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.tmpl
index d44f756e8..02efe903b 100644
--- a/data/templates/dns-forwarding/recursor.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.conf.tmpl
@@ -31,5 +31,8 @@ dnssec={{ dnssec }}
# serve rfc1918 records
serve-rfc1918={{ 'no' if no_serve_rfc1918 is defined else 'yes' }}
+# zones
+auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
+
forward-zones-file=recursor.forward-zones.conf
diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl
index 784d5c360..7f29c387e 100644
--- a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl
+++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl
@@ -22,3 +22,9 @@ addNTA("{{ zone }}", "static")
{% endfor %}
{% endif %}
+{% if authoritative_zones is defined %}
+-- from 'service dns forwarding authoritative-domain'
+{% for zone in authoritative_zones %}
+addNTA("{{ zone }}", "static")
+{% endfor %}
+{% endif %}
diff --git a/data/templates/dns-forwarding/recursor.zone.conf.tmpl b/data/templates/dns-forwarding/recursor.zone.conf.tmpl
new file mode 100644
index 000000000..758871bef
--- /dev/null
+++ b/data/templates/dns-forwarding/recursor.zone.conf.tmpl
@@ -0,0 +1,7 @@
+;
+; Autogenerated by dns_forwarding.py
+;
+;
+{% for r in records %}
+{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }}
+{% endfor %}
diff --git a/data/templates/frr/bfdd.frr.tmpl b/data/templates/frr/bfdd.frr.tmpl
index e0e94c24d..439f79d67 100644
--- a/data/templates/frr/bfdd.frr.tmpl
+++ b/data/templates/frr/bfdd.frr.tmpl
@@ -41,6 +41,9 @@ bfd
{% if peer_config.passive is defined %}
passive-mode
{% endif %}
+{% if peer_config.profile is defined and peer_config.profile is not none %}
+ profile {{ peer_config.profile }}
+{% endif %}
{% if peer_config.shutdown is defined %}
shutdown
{% else %}
diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl
index fbdbafd6e..45e0544b7 100644
--- a/data/templates/frr/bgpd.frr.tmpl
+++ b/data/templates/frr/bgpd.frr.tmpl
@@ -17,6 +17,12 @@
{% endif %}
{% if config.bfd is defined %}
neighbor {{ neighbor }} bfd
+{% if config.bfd.check_control_plane_failure is defined %}
+ neighbor {{ neighbor }} bfd check-control-plane-failure
+{% endif %}
+{% if config.bfd.profile is defined and config.bfd.profile is not none %}
+ neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }}
+{% endif %}
{% endif %}
{% if config.capability is defined and config.capability is not none %}
{% if config.capability.dynamic is defined %}
@@ -140,6 +146,17 @@
{% if afi_config.as_override is defined %}
neighbor {{ neighbor }} as-override
{% endif %}
+{% if afi_config.conditionally_advertise is defined and afi_config.conditionally_advertise is not none %}
+{% if afi_config.conditionally_advertise.advertise_map is defined and afi_config.conditionally_advertise.advertise_map is not none %}
+{% set exist_non_exist_map = 'exist-map' %}
+{% if afi_config.conditionally_advertise.exist_map is defined and afi_config.conditionally_advertise.exist_map is not none %}
+{% set exist_non_exist_map = 'exist-map ' ~ afi_config.conditionally_advertise.exist_map %}
+{% elif afi_config.conditionally_advertise.non_exist_map is defined and afi_config.conditionally_advertise.non_exist_map is not none %}
+{% set exist_non_exist_map = 'non-exist-map ' ~ afi_config.conditionally_advertise.non_exist_map %}
+{% endif %}
+ neighbor {{ neighbor }} advertise-map {{ afi_config.conditionally_advertise.advertise_map }} {{ exist_non_exist_map }}
+{% endif %}
+{% endif %}
{% if afi_config.remove_private_as is defined %}
neighbor {{ neighbor }} remove-private-AS
{% endif %}
@@ -469,6 +486,11 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% if parameters.cluster_id is defined and parameters.cluster_id is not none %}
bgp cluster-id {{ parameters.cluster_id }}
{% endif %}
+{% if parameters.conditional_advertisement is defined and parameters.conditional_advertisement is not none %}
+{% if parameters.conditional_advertisement.timer is defined and parameters.conditional_advertisement.timer is not none %}
+ bgp conditional-advertisement timer {{ parameters.conditional_advertisement.timer }}
+{% endif %}
+{% endif %}
{% if parameters.confederation is defined and parameters.confederation is not none %}
{% if parameters.confederation.identifier is defined and parameters.confederation.identifier is not none %}
bgp confederation identifier {{ parameters.confederation.identifier }}
@@ -499,6 +521,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% endfor %}
{% endif %}
{% endif %}
+{% if parameters.fast_convergence is defined %}
+ bgp fast-convergence
+{% endif %}
{% if parameters.graceful_restart is defined %}
bgp graceful-restart {{ 'stalepath-time ' ~ parameters.graceful_restart.stalepath_time if parameters.graceful_restart.stalepath_time is defined }}
{% endif %}
@@ -508,6 +533,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% if parameters.log_neighbor_changes is defined %}
bgp log-neighbor-changes
{% endif %}
+{% if parameters.minimum_holdtime is defined and parameters.minimum_holdtime is not none %}
+ bgp minimum-holdtime {{ parameters.minimum_holdtime }}
+{% endif %}
{% if parameters.network_import_check is defined %}
bgp network import-check
{% endif %}
@@ -517,11 +545,20 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% if parameters.no_fast_external_failover is defined %}
no bgp fast-external-failover
{% endif %}
+{% if parameters.reject_as_sets is defined %}
+ bgp reject-as-sets
+{% endif %}
{% if parameters.router_id is defined and parameters.router_id is not none %}
bgp router-id {{ parameters.router_id }}
{% endif %}
+{% if parameters.shutdown is defined %}
+ bgp shutdown
+{% endif %}
+{% if parameters.suppress_fib_pending is defined %}
+ bgp suppress-fib-pending
+{% endif %}
{% endif %}
{% if timers is defined and timers.keepalive is defined and timers.holdtime is defined %}
timers bgp {{ timers.keepalive }} {{ timers.holdtime }}
{% endif %}
-exit \ No newline at end of file
+exit
diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl
index fc0799e02..b1e3f825b 100644
--- a/data/templates/frr/isisd.frr.tmpl
+++ b/data/templates/frr/isisd.frr.tmpl
@@ -6,6 +6,9 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
ipv6 router isis VyOS
{% if iface_config.bfd is defined %}
isis bfd
+{% if iface_config.bfd.profile is defined and iface_config.bfd.profile is not none %}
+ isis bfd profile {{ iface_config.bfd.profile }}
+{% endif %}
{% endif %}
{% if iface_config.network is defined and iface_config.network.point_to_point is defined %}
isis network point-to-point
diff --git a/data/templates/frr/ldpd.frr.tmpl b/data/templates/frr/ldpd.frr.tmpl
index 0a5411552..537ea4025 100644
--- a/data/templates/frr/ldpd.frr.tmpl
+++ b/data/templates/frr/ldpd.frr.tmpl
@@ -2,69 +2,69 @@
{% if ldp is defined %}
mpls ldp
{% if ldp.router_id is defined %}
-router-id {{ ldp.router_id }}
+ router-id {{ ldp.router_id }}
{% endif %}
{% if ldp.parameters is defined %}
{% if ldp.parameters.cisco_interop_tlv is defined %}
-dual-stack cisco-interop
+ dual-stack cisco-interop
{% endif %}
{% if ldp.parameters.transport_prefer_ipv4 is defined%}
-dual-stack transport-connection prefer ipv4
+ dual-stack transport-connection prefer ipv4
{% endif %}
{% if ldp.parameters.ordered_control is defined%}
-ordered-control
+ ordered-control
{% endif %}
{% endif %}
{% if ldp.neighbor is defined %}
{% for neighbors in ldp.neighbor %}
{% if ldp.neighbor[neighbors].password is defined %}
-neighbor {{neighbors}} password {{ldp.neighbor[neighbors].password}}
+ neighbor {{ neighbors }} password {{ ldp.neighbor[neighbors].password }}
{% endif %}
{% if ldp.neighbor[neighbors].ttl_security is defined %}
{% if 'disable' in ldp.neighbor[neighbors].ttl_security %}
-neighbor {{neighbors}} ttl-security disable
+ neighbor {{ neighbors }} ttl-security disable
{% else %}
-neighbor {{neighbors}} ttl-security hops {{ldp.neighbor[neighbors].ttl_security}}
+ neighbor {{ neighbors }} ttl-security hops {{ ldp.neighbor[neighbors].ttl_security }}
{% endif %}
{% endif %}
{% if ldp.neighbor[neighbors].session_holdtime is defined %}
-neighbor {{neighbors}} session holdtime {{ldp.neighbor[neighbors].session_holdtime}}
+ neighbor {{ neighbors }} session holdtime {{ ldp.neighbor[neighbors].session_holdtime }}
{% endif %}
{% endfor %}
{% endif %}
-!
+ !
{% if ldp.discovery is defined %}
{% if ldp.discovery.transport_ipv4_address is defined %}
-address-family ipv4
+ address-family ipv4
{% if ldp.allocation is defined %}
{% if ldp.allocation.ipv4 is defined %}
{% if ldp.allocation.ipv4.access_list is defined %}
-label local allocate for {{ ldp.allocation.ipv4.access_list }}
+ label local allocate for {{ ldp.allocation.ipv4.access_list }}
{% endif %}
{% endif %}
{% else %}
-label local allocate host-routes
+ label local allocate host-routes
{% endif %}
{% if ldp.discovery.transport_ipv4_address is defined %}
-discovery transport-address {{ ldp.discovery.transport_ipv4_address }}
+ discovery transport-address {{ ldp.discovery.transport_ipv4_address }}
{% endif %}
{% if ldp.discovery.hello_ipv4_holdtime is defined %}
-discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }}
+ discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }}
{% endif %}
{% if ldp.discovery.hello_ipv4_interval is defined %}
-discovery hello interval {{ ldp.discovery.hello_ipv4_interval }}
+ discovery hello interval {{ ldp.discovery.hello_ipv4_interval }}
{% endif %}
{% if ldp.discovery.session_ipv4_holdtime is defined %}
-session holdtime {{ ldp.discovery.session_ipv4_holdtime }}
+ session holdtime {{ ldp.discovery.session_ipv4_holdtime }}
{% endif %}
{% if ldp.import is defined %}
{% if ldp.import.ipv4 is defined %}
{% if ldp.import.ipv4.import_filter is defined %}
{% if ldp.import.ipv4.import_filter.filter_access_list is defined %}
{% if ldp.import.ipv4.import_filter.neighbor_access_list is defined %}
-label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }}
+ label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }}
{% else %}
-label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }}
+ label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }}
{% endif %}
{% endif %}
{% endif %}
@@ -73,14 +73,14 @@ label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }}
{% if ldp.export is defined %}
{% if ldp.export.ipv4 is defined %}
{% if ldp.export.ipv4.explicit_null is defined %}
-label local advertise explicit-null
+ label local advertise explicit-null
{% endif %}
{% if ldp.export.ipv4.export_filter is defined %}
{% if ldp.export.ipv4.export_filter.filter_access_list is defined %}
{% if ldp.export.ipv4.export_filter.neighbor_access_list is defined %}
-label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }}
+ label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }}
{% else %}
-label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }}
+ label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }}
{% endif %}
{% endif %}
{% endif %}
@@ -88,59 +88,59 @@ label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }}
{% endif %}
{% if ldp.targeted_neighbor is defined %}
{% if ldp.targeted_neighbor.ipv4.enable is defined %}
-discovery targeted-hello accept
+ discovery targeted-hello accept
{% endif %}
{% if ldp.targeted_neighbor.ipv4.hello_holdtime is defined %}
-discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }}
+ discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }}
{% endif %}
{% if ldp.targeted_neighbor.ipv4.hello_interval is defined %}
-discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }}
+ discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }}
{% endif %}
{% for addresses in ldp.targeted_neighbor.ipv4.address %}
-neighbor {{addresses}} targeted
+ neighbor {{addresses}} targeted
{% endfor %}
{% endif %}
{% for interfaces in ldp.interface %}
-interface {{interfaces}}
+ interface {{interfaces}}
{% endfor %}
-exit-address-family
+ exit-address-family
{% else %}
-no address-family ipv4
+ no address-family ipv4
{% endif %}
{% endif %}
-!
+ !
{% if ldp.discovery is defined %}
{% if ldp.discovery.transport_ipv6_address is defined %}
-address-family ipv6
+ address-family ipv6
{% if ldp.allocation is defined %}
{% if ldp.allocation.ipv6 is defined %}
{% if ldp.allocation.ipv6.access_list6 is defined %}
-label local allocate for {{ ldp.allocation.ipv6.access_list6 }}
+ label local allocate for {{ ldp.allocation.ipv6.access_list6 }}
{% endif %}
{% endif %}
{% else %}
-label local allocate host-routes
+ label local allocate host-routes
{% endif %}
{% if ldp.discovery.transport_ipv6_address is defined %}
-discovery transport-address {{ ldp.discovery.transport_ipv6_address }}
+ discovery transport-address {{ ldp.discovery.transport_ipv6_address }}
{% endif %}
{% if ldp.discovery.hello_ipv6_holdtime is defined %}
-discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }}
+ discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }}
{% endif %}
{% if ldp.discovery.hello_ipv6_interval is defined %}
-discovery hello interval {{ ldp.discovery.hello_ipv6_interval }}
+ discovery hello interval {{ ldp.discovery.hello_ipv6_interval }}
{% endif %}
{% if ldp.discovery.session_ipv6_holdtime is defined %}
-session holdtime {{ ldp.discovery.session_ipv6_holdtime }}
+ session holdtime {{ ldp.discovery.session_ipv6_holdtime }}
{% endif %}
{% if ldp.import is defined %}
{% if ldp.import.ipv6 is defined %}
{% if ldp.import.ipv6.import_filter is defined %}
{% if ldp.import.ipv6.import_filter.filter_access_list6 is defined %}
{% if ldp.import.ipv6.import_filter.neighbor_access_list6 is defined %}
-label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} from {{ ldp.import.ipv6.import_filter.neighbor_access_list6 }}
+ label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} from {{ ldp.import.ipv6.import_filter.neighbor_access_list6 }}
{% else %}
-label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }}
+ label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }}
{% endif %}
{% endif %}
{% endif %}
@@ -149,14 +149,14 @@ label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }}
{% if ldp.export is defined %}
{% if ldp.export.ipv6 is defined %}
{% if ldp.export.ipv6.explicit_null is defined %}
-label local advertise explicit-null
+ label local advertise explicit-null
{% endif %}
{% if ldp.export.ipv6.export_filter is defined %}
{% if ldp.export.ipv6.export_filter.filter_access_list6 is defined %}
{% if ldp.export.ipv6.export_filter.neighbor_access_list6 is defined %}
-label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} to {{ ldp.export.ipv6.export_filter.neighbor_access_list6 }}
+ label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} to {{ ldp.export.ipv6.export_filter.neighbor_access_list6 }}
{% else %}
-label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }}
+ label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }}
{% endif %}
{% endif %}
{% endif %}
@@ -164,24 +164,27 @@ label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }
{% endif %}
{% if ldp.targeted_neighbor is defined %}
{% if ldp.targeted_neighbor.ipv6.enable is defined %}
-discovery targeted-hello accept
+ discovery targeted-hello accept
{% endif %}
{% if ldp.targeted_neighbor.ipv6.hello_holdtime is defined %}
-discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }}
+ discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }}
{% endif %}
{% if ldp.targeted_neighbor.ipv6.hello_interval is defined %}
-discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }}
+ discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }}
{% endif %}
{% for addresses in ldp.targeted_neighbor.ipv6.address %}
-neighbor {{addresses}} targeted
+ neighbor {{addresses}} targeted
{% endfor %}
{% endif %}
{% for interfaces in ldp.interface %}
-interface {{interfaces}}
+ interface {{interfaces}}
{% endfor %}
-exit-address-family
+ exit-address-family
{% else %}
-no address-family ipv6
+ no address-family ipv6
{% endif %}
+ !
{% endif %}
+exit
{% endif %}
+!
diff --git a/data/templates/frr/ospf6d.frr.tmpl b/data/templates/frr/ospf6d.frr.tmpl
index 10a6d9b4b..8279e5abb 100644
--- a/data/templates/frr/ospf6d.frr.tmpl
+++ b/data/templates/frr/ospf6d.frr.tmpl
@@ -25,6 +25,9 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% if iface_config.bfd is defined %}
ipv6 ospf6 bfd
+{% if iface_config.bfd.profile is defined and iface_config.bfd.profile is not none %}
+ ipv6 ospf6 bfd profile {{ iface_config.bfd.profile }}
+{% endif %}
{% endif %}
{% if iface_config.mtu_ignore is defined %}
ipv6 ospf6 mtu-ignore
@@ -51,7 +54,7 @@ router ospf6 {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% for area_id, area_config in area.items() %}
{% if area_config.area_type is defined and area_config.area_type is not none %}
{% for type, type_config in area_config.area_type.items() %}
- area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is defined }}
+ area {{ area_id }} {{ type }} {{ 'default-information-originate' if type_config.default_information_originate is defined }} {{ 'no-summary' if type_config.no_summary is defined }}
{% endfor %}
{% endif %}
{% if area_config.range is defined and area_config.range is not none %}
@@ -67,6 +70,10 @@ router ospf6 {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% endfor %}
{% endif %}
+ auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }}
+{% if default_information is defined and default_information.originate is defined and default_information.originate is not none %}
+ default-information originate {{ 'always' if default_information.originate.always is defined }} {{ 'metric ' + default_information.originate.metric if default_information.originate.metric is defined }} {{ 'metric-type ' + default_information.originate.metric_type if default_information.originate.metric_type is defined }} {{ 'route-map ' + default_information.originate.route_map if default_information.originate.route_map is defined }}
+{% endif %}
{% if distance is defined and distance is not none %}
{% if distance.global is defined and distance.global is not none %}
distance {{ distance.global }}
diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl
index a7b770f07..af66baf53 100644
--- a/data/templates/frr/ospfd.frr.tmpl
+++ b/data/templates/frr/ospfd.frr.tmpl
@@ -42,6 +42,9 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% if iface_config.bfd is defined %}
ip ospf bfd
+{% if iface_config.bfd.profile is defined and iface_config.bfd.profile is not none %}
+ ip ospf bfd profile {{ iface_config.bfd.profile }}
+{% endif %}
{% endif %}
{% if iface_config.mtu_ignore is defined %}
ip ospf mtu-ignore
diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl
index 9d73baeee..ac9203e83 100644
--- a/data/templates/https/nginx.default.tmpl
+++ b/data/templates/https/nginx.default.tmpl
@@ -44,7 +44,11 @@ server {
# proxy settings for HTTP API, if enabled; 503, if not
location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) {
{% if server.api %}
+{% if server.api.socket %}
+ proxy_pass http://unix:/run/api.sock;
+{% else %}
proxy_pass http://localhost:{{ server.api.port }};
+{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600;
diff --git a/data/templates/https/override.conf.tmpl b/data/templates/https/override.conf.tmpl
new file mode 100644
index 000000000..824b1ba3b
--- /dev/null
+++ b/data/templates/https/override.conf.tmpl
@@ -0,0 +1,15 @@
+{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+
+[Service]
+ExecStartPre=
+ExecStartPre={{vrf_command}}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=
+ExecStart={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=
+ExecReload={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+Restart=always
+RestartPreventExitStatus=
+RestartSec=10
diff --git a/data/templates/https/vyos-http-api.service.tmpl b/data/templates/https/vyos-http-api.service.tmpl
new file mode 100644
index 000000000..15bd80d65
--- /dev/null
+++ b/data/templates/https/vyos-http-api.service.tmpl
@@ -0,0 +1,22 @@
+{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
+[Unit]
+Description=VyOS HTTP API service
+After=vyos-router.service
+Requires=vyos-router.service
+
+[Service]
+ExecStart={{vrf_command}}/usr/libexec/vyos/services/vyos-http-api-server
+Type=idle
+
+SyslogIdentifier=vyos-http-api
+SyslogFacility=daemon
+
+Restart=on-failure
+
+# Does't work but leave it here
+User=root
+Group=vyattacfg
+
+[Install]
+WantedBy=vyos.target
+
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 161f19f95..68b108365 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -57,7 +57,7 @@ secrets {
{% endif %}
{% if site_to_site is defined and site_to_site.peer is defined %}
{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
-{% set peer_name = peer.replace(".", "-").replace("@", "") %}
+{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %}
{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
ike_{{ peer_name }} {
{% if peer_conf.local_address is defined %}
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 8c3776bf1..c6b71f2a1 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -1,5 +1,5 @@
{% macro conn(peer, peer_conf, ike_group, esp_group) %}
-{% set name = peer.replace(".", "-").replace("@", "") %}
+{% set name = peer.replace("@", "") | dot_colon_to_dash %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[peer_conf.ike_group] %}
peer_{{ name }} {
@@ -101,6 +101,9 @@
{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
{% endif %}
+{% if tunnel_conf.priority is defined and tunnel_conf.priority is not none %}
+ priority = {{ tunnel_conf.priority }}
+{% endif %}
{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer }}{{ remote_suffix }}
diff --git a/data/templates/logs/logrotate/vyos-atop.tmpl b/data/templates/logs/logrotate/vyos-atop.tmpl
new file mode 100644
index 000000000..2d078f379
--- /dev/null
+++ b/data/templates/logs/logrotate/vyos-atop.tmpl
@@ -0,0 +1,20 @@
+/var/log/atop/atop.log {
+ daily
+ dateext
+ dateformat _%Y-%m-%d_%H-%M-%S
+ maxsize {{ max_size }}M
+ missingok
+ nocompress
+ nocreate
+ nomail
+ rotate {{ rotate }}
+ prerotate
+ # stop the service
+ systemctl stop atop.service
+ endscript
+ postrotate
+ # start atop service again
+ systemctl start atop.service
+ endscript
+}
+
diff --git a/data/templates/logs/logrotate/vyos-rsyslog.tmpl b/data/templates/logs/logrotate/vyos-rsyslog.tmpl
new file mode 100644
index 000000000..f2e4d2ab2
--- /dev/null
+++ b/data/templates/logs/logrotate/vyos-rsyslog.tmpl
@@ -0,0 +1,13 @@
+/var/log/messages {
+ create
+ missingok
+ nomail
+ notifempty
+ rotate {{ rotate }}
+ size {{ max_size }}M
+ postrotate
+ # inform rsyslog service about rotation
+ /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
+
diff --git a/data/templates/monitoring/override.conf.tmpl b/data/templates/monitoring/override.conf.tmpl
new file mode 100644
index 000000000..63f6d7391
--- /dev/null
+++ b/data/templates/monitoring/override.conf.tmpl
@@ -0,0 +1,7 @@
+[Unit]
+After=vyos-router.service
+ConditionPathExists=/run/telegraf/vyos-telegraf.conf
+[Service]
+Environment=INFLUX_TOKEN={{ authentication.token }}
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
diff --git a/data/templates/monitoring/syslog_telegraf.tmpl b/data/templates/monitoring/syslog_telegraf.tmpl
new file mode 100644
index 000000000..cdcbd92a4
--- /dev/null
+++ b/data/templates/monitoring/syslog_telegraf.tmpl
@@ -0,0 +1,5 @@
+# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py
+
+$ModLoad omuxsock
+$OMUxSockSocket /run/telegraf/telegraf_syslog.sock
+*.notice :omuxsock:
diff --git a/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl b/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl
new file mode 100644
index 000000000..234ef5586
--- /dev/null
+++ b/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl
@@ -0,0 +1,16 @@
+[Unit]
+Description=The plugin-driven server agent for reporting metrics into InfluxDB
+Documentation=https://github.com/influxdata/telegraf
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/telegraf
+User=telegraf
+ExecStart=/usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
+KillMode=control-group
+
+[Install]
+WantedBy=multi-user.target
diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl
new file mode 100644
index 000000000..62fa4df7a
--- /dev/null
+++ b/data/templates/monitoring/telegraf.tmpl
@@ -0,0 +1,63 @@
+# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py
+
+[agent]
+ interval = "10s"
+ round_interval = true
+ metric_batch_size = 1000
+ metric_buffer_limit = 10000
+ collection_jitter = "0s"
+ flush_interval = "10s"
+ flush_jitter = "0s"
+ precision = ""
+ debug = false
+ quiet = false
+ logfile = ""
+ hostname = ""
+ omit_hostname = false
+[[outputs.influxdb_v2]]
+ urls = ["{{ url }}:{{ port }}"]
+ insecure_skip_verify = true
+ token = "{{ authentication.token }}"
+ organization = "{{ authentication.organization }}"
+ bucket = "{{ bucket }}"
+[[inputs.cpu]]
+ percpu = true
+ totalcpu = true
+ collect_cpu_time = false
+ report_active = false
+[[inputs.disk]]
+ ignore_fs = ["devtmpfs", "devfs"]
+[[inputs.diskio]]
+[[inputs.mem]]
+[[inputs.net]]
+[[inputs.system]]
+[[inputs.netstat]]
+[[inputs.processes]]
+[[inputs.kernel]]
+[[inputs.interrupts]]
+[[inputs.linux_sysctl_fs]]
+[[inputs.systemd_units]]
+[[inputs.conntrack]]
+ files = ["ip_conntrack_count","ip_conntrack_max","nf_conntrack_count","nf_conntrack_max"]
+ dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"]
+[[inputs.ethtool]]
+[[inputs.iptables]]
+ use_sudo = false
+ table = "filter"
+ chains = {{ nft_chains }}
+ use_lock = true
+[[inputs.ntpq]]
+ dns_lookup = true
+[[inputs.internal]]
+[[inputs.nstat]]
+[[inputs.syslog]]
+ server = "unixgram:///run/telegraf/telegraf_syslog.sock"
+ best_effort = true
+ syslog_standard = "RFC3164"
+[[inputs.exec]]
+ commands = [
+ "{{ custom_scripts_dir }}/show_interfaces_input_filter.py",
+ "cat /tmp/vyos_services_input_filter"
+ ]
+ timeout = "10s"
+ data_format = "influx"
diff --git a/data/templates/netflow/uacctd.conf.tmpl b/data/templates/netflow/uacctd.conf.tmpl
index 1c183bb20..f81002dc1 100644
--- a/data/templates/netflow/uacctd.conf.tmpl
+++ b/data/templates/netflow/uacctd.conf.tmpl
@@ -1,72 +1,74 @@
# Genereated from VyOS configuration
daemonize: true
promisc: false
-pidfile: /var/run/uacctd.pid
+pidfile: /run/pmacct/uacctd.pid
uacctd_group: 2
uacctd_nl_size: 2097152
-snaplen: {{ snaplen }}
-{% if templatecfg['enable-egress'] != none %}
-aggregate: in_iface,out_iface,src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows
-{% else %}
-aggregate: in_iface,src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows
+snaplen: {{ packet_length }}
+aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows
+{% set pipe_size = buffer_size | int *1024 *1024 %}
+plugin_pipe_size: {{ pipe_size }}
+{# We need an integer division (//) without any remainder or fraction #}
+plugin_buffer_size: {{ pipe_size // 1000 }}
+{% if syslog_facility is defined and syslog_facility is not none %}
+syslog: {{ syslog_facility }}
{% endif %}
-plugin_pipe_size: {{ templatecfg['plugin_pipe_size'] }}
-plugin_buffer_size: {{ templatecfg['plugin_buffer_size'] }}
-{% if templatecfg['syslog-facility'] != none %}
-syslog: {{ templatecfg['syslog-facility'] }}
-{% endif %}
-{% if templatecfg['disable-imt'] == none %}
+{% if disable_imt is not defined %}
imt_path: /tmp/uacctd.pipe
imt_mem_pools_number: 169
{% endif %}
-plugins: {% if templatecfg['netflow']['servers'] != none %}
-{% for server in templatecfg['netflow']['servers'] %}
-{% if loop.last %}nfprobe[nf_{{ server['address'] }}]{% else %}nfprobe[nf_{{ server['address'] }}],{% endif %}
-{% endfor %}
-{% set plugins_presented = true %}
-{% endif %}
-{% if templatecfg['sflow']['servers'] != none %}
-{% if plugins_presented %}
-{% for server in templatecfg['sflow']['servers'] %},sfprobe[sf_{{ server['address'] }}]{% endfor %}
-{% else %}
-{% for server in templatecfg['sflow']['servers'] %}
-{% if loop.last %}sfprobe[sf_{{ server['address'] }}]{% else %}sfprobe[sf_{{ server['address'] }}],{% endif %}
-{% endfor %}
-{% endif %}
-{% set plugins_presented = true %}
-{% endif %}
-{% if templatecfg['disable-imt'] == none %}
-{% if plugins_presented %},memory{% else %}memory{% endif %}
-{% endif %}
-{% if templatecfg['netflow']['servers'] != none %}
-{% for server in templatecfg['netflow']['servers'] %}
-nfprobe_receiver[nf_{{ server['address'] }}]: {{ server['address'] }}:{{ server['port'] }}
-nfprobe_version[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['version'] }}
-{% if templatecfg['netflow']['engine-id'] != none %}
-nfprobe_engine[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['engine-id'] }}
-{% endif %}
-{% if templatecfg['netflow']['max-flows'] != none %}
-nfprobe_maxflows[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['max-flows'] }}
-{% endif %}
-{% if templatecfg['netflow']['sampling-rate'] != none %}
-sampling_rate[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['sampling-rate'] }}
-{% endif %}
-{% if templatecfg['netflow']['source-ip'] != none %}
-nfprobe_source_ip[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['source-ip'] }}
+{% set plugin = [] %}
+{% if disable_imt is not defined %}
+{% set plugin = ['memory'] %}
{% endif %}
-{% if templatecfg['netflow']['timeout_string'] != '' %}
-nfprobe_timeouts[nf_{{ server['address'] }}]: {{ templatecfg['netflow']['timeout_string'] }}
+{% if netflow is defined and netflow.server is defined and netflow.server is not none %}
+{% for server in netflow.server %}
+{% set plugin = plugin.append('nfprobe[nf_' ~ server ~ ']') %}
+{% endfor %}
{% endif %}
-{% endfor %}
+{% if sflow is defined and sflow.server is defined and sflow.server is not none %}
+{% for server in sflow.server %}
+{% set plugin = plugin.append('sfprobe[sf_' ~ server ~ ']') %}
+{% endfor %}
{% endif %}
+plugins: {{ plugin | join(',') }}
-{% if templatecfg['sflow']['servers'] != none %}
-{% for server in templatecfg['sflow']['servers'] %}
-sfprobe_receiver[sf_{{ server['address'] }}]: {{ server['address'] }}:{{ server['port'] }}
-sfprobe_agentip[sf_{{ server['address'] }}]: {{ templatecfg['sflow']['agent-address'] }}
-{% if templatecfg['sflow']['sampling-rate'] != none %}
-sampling_rate[sf_{{ server['address'] }}]: {{ templatecfg['sflow']['sampling-rate'] }}
+{% if netflow is defined and netflow.server is defined and netflow.server is not none %}
+# NetFlow servers
+{% for server, server_config in netflow.server.items() %}
+nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }}
+nfprobe_version[nf_{{ server }}]: {{ netflow.version }}
+{% if netflow.engine_id is defined and netflow.engine_id is not none %}
+nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }}
+{% endif %}
+{% if netflow.max_flows is defined and netflow.max_flows is not none %}
+nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }}
+{% endif %}
+{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %}
+sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }}
+{% endif %}
+{% if netflow.source_address is defined and netflow.source_address is not none %}
+nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }}
+{% endif %}
+{% if netflow.timeout is defined and netflow.timeout is not none %}
+nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }}
+{% endif %}
+
+{% endfor %}
{% endif %}
-{% endfor %}
+
+{% if sflow is defined and sflow.server is defined and sflow.server is not none %}
+# sFlow servers
+{% for server, server_config in sflow.server.items() %}
+sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }}
+sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }}
+{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %}
+sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }}
+{% endif %}
+{% if sflow.source_address is defined and sflow.source_address is not none %}
+sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }}
+{% endif %}
+
+{% endfor %}
{% endif %}
diff --git a/data/templates/snmp/etc.snmp.conf.tmpl b/data/templates/snmp/etc.snmp.conf.tmpl
index 6e4c6f063..f7d9a3c17 100644
--- a/data/templates/snmp/etc.snmp.conf.tmpl
+++ b/data/templates/snmp/etc.snmp.conf.tmpl
@@ -1,4 +1,4 @@
### Autogenerated by snmp.py ###
-{% if trap_source %}
+{% if trap_source is defined and trap_source is not none %}
clientaddr {{ trap_source }}
{% endif %}
diff --git a/data/templates/snmp/etc.snmpd.conf.tmpl b/data/templates/snmp/etc.snmpd.conf.tmpl
index 30806ce8a..befea0122 100644
--- a/data/templates/snmp/etc.snmpd.conf.tmpl
+++ b/data/templates/snmp/etc.snmpd.conf.tmpl
@@ -33,87 +33,152 @@ interface_replace_old yes
# Default system description is VyOS version
sysDescr VyOS {{ version }}
-{% if description %}
+{% if description is defined and description is not none %}
# Description
SysDescr {{ description }}
{% endif %}
# Listen
-agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},{{protocol}}:161{% if ipv6_enabled %},{{protocol}}6:161{% endif %}{% endif %}
+{% set options = [] %}
+{% if listen_address is defined and listen_address is not none %}
+{% for address, address_options in listen_address.items() %}
+{% if address | is_ipv6 %}
+{% set protocol = protocol ~ '6' %}
+{% endif %}
+{% set _ = options.append(protocol ~ ':' ~ address | bracketize_ipv6 ~ ':' ~ address_options.port) %}
+{% endfor %}
+{% else %}
+{% set _ = options.append(protocol ~ ':161') %}
+{% if ipv6_disabled is not defined %}
+{% set _ = options.append(protocol ~ '6:161') %}
+{% endif %}
+{% endif %}
+agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is defined and options is not none }}
# SNMP communities
-{% for c in communities %}
-{% if c.network_v4 %}
-{% for network in c.network_v4 %}
-{{ c.authorization }}community {{ c.name }} {{ network }}
-{% endfor %}
-{% elif not c.has_source %}
-{{ c.authorization }}community {{ c.name }}
-{% endif %}
-{% if c.network_v6 %}
-{% for network in c.network_v6 %}
-{{ c.authorization }}community6 {{ c.name }} {{ network }}
-{% endfor %}
-{% elif not c.has_source %}
-{{ c.authorization }}community6 {{ c.name }}
-{% endif %}
-{% endfor %}
+{% if community is defined and community is not none %}
+{% for comm, comm_config in community.items() %}
+{% if comm_config.client is defined and comm_config.client is not none %}
+{% for client in comm_config.client %}
+{% if client | is_ipv4 %}
+{{ comm_config.authorization }}community {{ comm }} {{ client }}
+{% elif client | is_ipv6 %}
+{{ comm_config.authorization }}community6 {{ comm }} {{ client }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if comm_config.network is defined and comm_config.network is not none %}
+{% for network in comm_config.network %}
+{% if network | is_ipv4 %}
+{{ comm_config.authorization }}community {{ comm }} {{ network }}
+{% elif client | is_ipv6 %}
+{{ comm_config.authorization }}community6 {{ comm }} {{ network }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if comm_config.client is not defined and comm_config.network is not defined %}
+{{ comm_config.authorization }}community {{ comm }}
+{% endif %}
+{% endfor %}
+{% endif %}
-{% if contact %}
+{% if contact is defined and contact is not none %}
# system contact information
SysContact {{ contact }}
{% endif %}
-{% if location %}
+{% if location is defined and location is not none %}
# system location information
SysLocation {{ location }}
{% endif %}
-{% if smux_peers %}
+{% if smux_peer is defined and smux_peer is not none %}
# additional smux peers
-{% for sp in smux_peers %}
-smuxpeer {{ sp }}
+{% for peer in smux_peer %}
+smuxpeer {{ peer }}
{% endfor %}
{% endif %}
-{% if trap_targets %}
+{% if trap_target is defined and trap_target is not none %}
# if there is a problem - tell someone!
-{% for trap in trap_targets %}
-trap2sink {{ trap.target }}{{ ":" + trap.port if trap.port is defined }} {{ trap.community }}
+{% for trap, trap_config in trap_target.items() %}
+trap2sink {{ trap }}:{{ trap_config.port }} {{ trap_config.community }}
{% endfor %}
{% endif %}
-{% if v3_enabled %}
+{% if v3 is defined and v3 is not none %}
#
# SNMPv3 stuff goes here
#
+{% if v3.view is defined and v3.view is not none %}
# views
-{% for view in v3_views %}
-{% for oid in view.oids %}
-view {{ view.name }} included .{{ oid.oid }}
+{% for view, view_config in v3.view.items() %}
+{% if view_config.oid is defined and view_config.oid is not none %}
+{% for oid in view_config.oid %}
+view {{ view }} included .{{ oid }}
+{% endfor %}
+{% endif %}
{% endfor %}
-{% endfor %}
+{% endif %}
# access
+{% if v3.group is defined and v3.group is not none %}
# context sec.model sec.level match read write notif
-{% for group in v3_groups %}
-access {{ group.name }} "" usm {{ group.seclevel }} exact {{ group.view }} {% if group.mode == 'ro' %}none{% else %}{{ group.view }}{% endif %} none
-{% endfor %}
+{% for group, group_config in v3.group.items() %}
+access {{ group }} "" usm {{ group_config.seclevel }} exact {{ group_config.view }} {% if group_config.mode == 'ro' %}none{% else %}{{ group_config.view }}{% endif %} none
+{% endfor %}
+{% endif %}
# trap-target
-{% for t in v3_traps %}
-trapsess -v 3 {{ '-Ci' if t.type == 'inform' }} -e {{ v3_engineid }} -u {{ t.secName }} -l {{ t.secLevel }} -a {{ t.authProtocol }} {% if t.authPassword %}-A {{ t.authPassword }}{% elif t.authMasterKey %}-3m {{ t.authMasterKey }}{% endif %} -x {{ t.privProtocol }} {% if t.privPassword %}-X {{ t.privPassword }}{% elif t.privMasterKey %}-3M {{ t.privMasterKey }}{% endif %} {{ t.ipProto }}:{{ t.ipAddr }}:{{ t.ipPort }}
-{% endfor %}
+{% if v3.trap_target is defined and v3.trap_target is not none %}
+{% for trap, trap_config in v3.trap_target.items() %}
+{% set options = '' %}
+{% if trap_config.type == 'inform' %}
+{% set options = options ~ ' -Ci' %}
+{% endif %}
+{% if v3.engineid is defined and v3.engineid is not none %}
+{% set options = options ~ ' -e "' ~ v3.engineid ~ '"' %}
+{% endif %}
+{% if trap_config.user is defined and trap_config.user is not none %}
+{% set options = options ~ ' -u ' ~ trap_config.user %}
+{% endif %}
+{% if trap_config.auth is defined and trap_config.auth.plaintext_password is defined or trap_config.auth.encrypted_password is defined %}
+{% set options = options ~ ' -a ' ~ trap_config.auth.type %}
+{% if trap_config.auth.plaintext_password is defined and trap_config.auth.plaintext_password is not none %}
+{% set options = options ~ ' -A ' ~ trap_config.auth.plaintext_password %}
+{% elif trap_config.auth.encrypted_password is defined and trap_config.auth.encrypted_password is not none %}
+{% set options = options ~ ' -3m ' ~ trap_config.auth.encrypted_password %}
+{% endif %}
+{% if trap_config.privacy is defined and trap_config.privacy.plaintext_password is defined or trap_config.privacy.encrypted_password is defined %}
+{% set options = options ~ ' -x ' ~ trap_config.privacy.type %}
+{% if trap_config.privacy.plaintext_password is defined and trap_config.privacy.plaintext_password is not none %}
+{% set options = options ~ ' -X ' ~ trap_config.privacy.plaintext_password %}
+{% elif trap_config.privacy.encrypted_password is defined and trap_config.privacy.encrypted_password is not none %}
+{% set options = options ~ ' -3M ' ~ trap_config.privacy.encrypted_password %}
+{% endif %}
+{% set options = options ~ ' -l authPriv' %}
+{% else %}
+{% set options = options ~ ' -l authNoPriv' %}
+{% endif %}
+{% else %}
+{% set options = options ~ ' -l noAuthNoPriv' %}
+{% endif %}
+trapsess -v 3 {{ options }} {{ trap }}:{{ trap_config.protocol }}:{{ trap_config.port }}
+{% endfor %}
+{% endif %}
# group
-{% for u in v3_users %}
-group {{ u.group }} usm {{ u.name }}
-{% endfor %}
+{% if v3.user is defined and v3.user is not none %}
+{% for user, user_config in v3.user.items() %}
+group {{ user_config.group }} usm {{ user }}
+{% endfor %}
+{% endif %}
+{# SNMPv3 end #}
{% endif %}
-{% if script_ext %}
+{% if script_extensions is defined and script_extensions.extension_name is defined and script_extensions.extension_name is not none %}
# extension scripts
-{% for ext in script_ext|sort(attribute='name') %}
-extend {{ ext.name }} {{ ext.script }}
+{% for script, script_config in script_extensions.extension_name.items() | sort(attribute=script) %}
+extend {{ script }} {{ script_config.script }}
{% endfor %}
{% endif %}
diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl
index 2ac45a89f..3b00aab83 100644
--- a/data/templates/snmp/override.conf.tmpl
+++ b/data/templates/snmp/override.conf.tmpl
@@ -1,5 +1,5 @@
{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
-{% set oid_route_table = ' ' if route_table is sameas true else '-I -ipCidrRouteTable,inetCidrRouteTable' %}
+{% set oid_route_table = ' ' if oid_enable is defined and oid_enable == 'route-table' else '-I -ipCidrRouteTable,inetCidrRouteTable' %}
[Unit]
StartLimitIntervalSec=0
After=vyos-router.service
diff --git a/data/templates/snmp/usr.snmpd.conf.tmpl b/data/templates/snmp/usr.snmpd.conf.tmpl
index e2c5ec102..1c688a61e 100644
--- a/data/templates/snmp/usr.snmpd.conf.tmpl
+++ b/data/templates/snmp/usr.snmpd.conf.tmpl
@@ -1,6 +1,8 @@
### Autogenerated by snmp.py ###
-{% for u in v3_users %}
-{{ u.mode }}user {{ u.name }}
-{% endfor %}
+{% if v3 is defined and v3.user is defined and v3.user is not none %}
+{% for user, user_config in v3.user.items() %}
+{{ user_config.mode }}user {{ user }}
+{% endfor %}
+{% endif %}
rwuser {{ vyos_user }}
diff --git a/data/templates/snmp/var.snmpd.conf.tmpl b/data/templates/snmp/var.snmpd.conf.tmpl
index c779587df..5871a8234 100644
--- a/data/templates/snmp/var.snmpd.conf.tmpl
+++ b/data/templates/snmp/var.snmpd.conf.tmpl
@@ -1,14 +1,16 @@
### Autogenerated by snmp.py ###
# user
-{% for u in v3_users %}
-{% if u.authOID == 'none' %}
-createUser {{ u.name }}
-{% else %}
-usmUser 1 3 0x{{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} 0x{{ u.authMasterKey }} {{ u.privOID }} 0x{{ u.privMasterKey }} 0x
-{% endif %}
-{% endfor %}
+{% if v3 is defined and v3 is not none %}
+{% if v3.user is defined and v3.user is not none %}
+{% for user, user_config in v3.user.items() %}
+usmUser 1 3 0x{{ v3.engineid }} "{{ user }}" "{{ user }}" NULL {{ user_config.auth.type | snmp_auth_oid }} 0x{{ user_config.auth.encrypted_password }} {{ user_config.privacy.type | snmp_auth_oid }} 0x{{ user_config.privacy.encrypted_password }} 0x
+{% endfor %}
+{% endif %}
+# VyOS default user
createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES
-{% if v3_engineid %}
-oldEngineID 0x{{ v3_engineid }}
+
+{% if v3.engineid is defined and v3.engineid is not none %}
+oldEngineID 0x{{ v3.engineid }}
+{% endif %}
{% endif %}
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl
index 80826fc75..26aff90bf 100644
--- a/data/templates/squid/squid.conf.tmpl
+++ b/data/templates/squid/squid.conf.tmpl
@@ -88,7 +88,7 @@ tcp_outgoing_address {{ outgoing_address }}
{% if listen_address is defined and listen_address is not none %}
{% for address, config in listen_address.items() %}
-http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }}
+http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }}
{% endfor %}
{% endif %}
http_port 127.0.0.1:{{ default_port }}
diff --git a/data/templates/syslog/rsyslog.conf.tmpl b/data/templates/syslog/rsyslog.conf.tmpl
index e25ef48d4..2fb621760 100644
--- a/data/templates/syslog/rsyslog.conf.tmpl
+++ b/data/templates/syslog/rsyslog.conf.tmpl
@@ -25,12 +25,18 @@ $outchannel {{ file }},{{ file_options['log-file'] }},{{ file_options['max-size'
{% if host_options.proto == 'tcp' %}
{% if host_options.port is defined %}
{% if host_options.oct_count is defined %}
-{{ host_options.selectors }} @@(o){{ host }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format
+{{ host_options.selectors }} @@(o){{ host | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format
{% else %}
-{{ host_options.selectors }} @@{{ host }}:{{ host_options.port }}
+{{ host_options.selectors }} @@{{ host | bracketize_ipv6 }}:{{ host_options.port }}
{% endif %}
{% else %}
-{{ host_options.selectors }} @@{{ host }}
+{{ host_options.selectors }} @@{{ host | bracketize_ipv6 }}
+{% endif %}
+{% elif host_options.proto == 'udp' %}
+{% if host_options.port is defined %}
+{{ host_options.selectors }} @{{ host | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.oct_count is sameas true }}
+{% else %}
+{{ host_options.selectors }} @{{ host | bracketize_ipv6 }}
{% endif %}
{% else %}
{% if host_options['port'] %}
diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl
index b4824a994..6585fc60b 100644
--- a/data/templates/vrrp/keepalived.conf.tmpl
+++ b/data/templates/vrrp/keepalived.conf.tmpl
@@ -5,9 +5,6 @@
global_defs {
dynamic_interfaces
script_user root
- # Don't run scripts configured to be run as root if any part of the path
- # is writable by a non-root user.
- enable_script_security
notify_fifo /run/keepalived/keepalived_notify_fifo
notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}
@@ -86,15 +83,24 @@ vrrp_instance {{ name }} {
{% endif %}
{% if sync_group is defined and sync_group is not none %}
-{% for name, group_config in sync_group.items() if group_config.disable is not defined %}
+{% for name, sync_group_config in sync_group.items() if sync_group_config.disable is not defined %}
vrrp_sync_group {{ name }} {
group {
-{% if group_config.member is defined and group_config.member is not none %}
-{% for member in group_config.member %}
+{% if sync_group_config.member is defined and sync_group_config.member is not none %}
+{% for member in sync_group_config.member %}
{{ member }}
{% endfor %}
{% endif %}
}
+
+{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #}
+{% for name, group_config in group.items() if group_config.disable is not defined %}
+{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none and name in sync_group_config.member %}
+ track_script {
+ healthcheck_{{ name }}
+ }
+{% endif %}
+{% endfor %}
{% if conntrack_sync_group is defined and conntrack_sync_group == name %}
{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
notify_master "{{ vyos_helper }} master {{ name }}"