5 files changed, 50 insertions, 12 deletions

diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2
index c8b54dfbb..65436801e 100644
--- a/data/templates/container/containers.conf.j2
+++ b/data/templates/container/containers.conf.j2
@@ -172,7 +172,11 @@ default_sysctls = [
 
 # Logging driver for the container. Available options: k8s-file and journald.
 #
+{% if log_driver is vyos_defined %}
+log_driver = "{{ log_driver }}"
+{% else %}
 #log_driver = "k8s-file"
+{% endif %}
 
 # Maximum size allowed for the container log file. Negative numbers indicate
 # that no size limit is imposed. If positive, it must be >= 8192 to match or
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 3147b4c37..a1d1fa4f6 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -44,6 +44,15 @@
     }
 {%         endfor %}
 {%     endif %}
+{%     if group.remote_group is vyos_defined and is_l3 and is_ipv6 %}
+{%         for name, name_config in group.remote_group.items() %}
+    set R6_{{ name }} {
+        type {{ ip_type }}
+        flags interval
+        auto-merge
+    }
+{%         endfor %}
+{%     endif %}
 {%     if group.mac_group is vyos_defined %}
 {%         for group_name, group_conf in group.mac_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 70ea5d2b0..62934c612 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -50,9 +50,29 @@ defaults
     errorfile 503 /etc/haproxy/errors/503.http
     errorfile 504 /etc/haproxy/errors/504.http
 
+# Default ACME backend
+backend buildin_acme_certbot
+    server localhost 127.0.0.1:{{ get_default_port('certbot_haproxy') }}
+
 # Frontend
 {% if service is vyos_defined %}
 {%     for front, front_config in service.items() %}
+{%         if front_config.redirect_http_to_https is vyos_defined %}
+{%             set certbot_backend_name = 'certbot_' ~ front ~ '_backend' %}
+frontend {{ front }}-http
+    mode http
+{%             if front_config.listen_address is vyos_defined %}
+{%                 for address in front_config.listen_address %}
+    bind {{ address | bracketize_ipv6 }}:80
+{%                 endfor %}
+{%             else %}
+    bind [::]:80 v4v6
+{%             endif %}
+    acl acme_acl path_beg /.well-known/acme-challenge/
+    use_backend buildin_acme_certbot if acme_acl
+    redirect scheme https code 301 if !acme_acl
+{%         endif %}
+
 frontend {{ front }}
 {%         set ssl_front = [] %}
 {%         if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
@@ -68,9 +88,6 @@ frontend {{ front }}
 {%         else %}
     bind [::]:{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%         endif %}
-{%         if front_config.redirect_http_to_https is vyos_defined %}
-    http-request redirect scheme https unless { ssl_fc }
-{%         endif %}
 {%         if front_config.logging is vyos_defined %}
 {%             for facility, facility_config in front_config.logging.facility.items() %}
     log /dev/log {{ facility }} {{ facility_config.level }}
@@ -237,6 +254,5 @@ backend {{ back }}
 {%         if back_config.timeout.server is vyos_defined %}
     timeout server {{ back_config.timeout.server }}s
 {%         endif %}
-
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/prometheus/node_exporter.service.j2 b/data/templates/prometheus/node_exporter.service.j2
index 135439bd6..9a943cd75 100644
--- a/data/templates/prometheus/node_exporter.service.j2
+++ b/data/templates/prometheus/node_exporter.service.j2
@@ -9,6 +9,11 @@ After=network.target
 User=node_exporter
 {% endif %}
 ExecStart={{ vrf_command }}/usr/sbin/node_exporter \
+{% if collectors is vyos_defined %}
+{%     if collectors.textfile is vyos_defined %}
+        --collector.textfile.directory=/run/node_exporter/collector \
+{%     endif %}
+{% endif %}
 {% if listen_address is vyos_defined %}
 {%     for address in listen_address %}
         --web.listen-address={{ address }}:{{ port }}
@@ -16,10 +21,6 @@ ExecStart={{ vrf_command }}/usr/sbin/node_exporter \
 {% else %}
         --web.listen-address=:{{ port }}
 {% endif %}
-{% if collectors is vyos_defined %}
-{%     if collectors.textfile is vyos_defined %}
-        --collector.textfile.directory=/run/node_exporter/collector
-{%     endif %}
-{% endif %}
+
 [Install]
 WantedBy=multi-user.target
diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2
index e37cfde6c..34f8e1f6d 100644
--- a/data/templates/router-advert/radvd.conf.j2
+++ b/data/templates/router-advert/radvd.conf.j2
@@ -57,12 +57,20 @@ interface {{ iface }} {
     };
 {%             endfor %}
 {%         endif %}
-{%         if iface_config.auto_ignore is vyos_defined %}
+{%         if iface_config.prefix is vyos_defined and "::/64" in iface_config.prefix %}
+{%             if iface_config.auto_ignore is vyos_defined or iface_config.prefix | count > 1 %}
     autoignoreprefixes {
-{%             for auto_ignore_prefix in iface_config.auto_ignore %}
+{%                 if iface_config.auto_ignore is vyos_defined %}
+{%                     for auto_ignore_prefix in (iface_config.auto_ignore + iface_config.prefix | list) | reject("eq", "::/64") | unique %}
         {{ auto_ignore_prefix }};
-{%             endfor %}
+{%                     endfor %}
+{%                 else %}
+{%                     for auto_ignore_prefix in iface_config.prefix | reject("eq", "::/64") %}
+        {{ auto_ignore_prefix }};
+{%                     endfor %}
+{%                 endif %}
     };
+{%             endif %}
 {%         endif %}
 {%         if iface_config.prefix is vyos_defined %}
 {%             for prefix, prefix_options in iface_config.prefix.items() %}