diff options
Diffstat (limited to 'data')
24 files changed, 954 insertions, 0 deletions
diff --git a/data/templates/frr-bfd/bfd.frr.tmpl b/data/templates/frr-bfd/bfd.frr.tmpl new file mode 100644 index 000000000..7df4bfd01 --- /dev/null +++ b/data/templates/frr-bfd/bfd.frr.tmpl @@ -0,0 +1,16 @@ +! +bfd +{% for peer in old_peers -%} + no peer {{ peer.remote }}{% if peer.multihop %} multihop{% endif %}{% if peer.src_addr %} local-address {{ peer.src_addr }}{% endif %}{% if peer.src_if %} interface {{ peer.src_if }}{% endif %} +{% endfor -%} +! +{% for peer in new_peers -%} + peer {{ peer.remote }}{% if peer.multihop %} multihop{% endif %}{% if peer.src_addr %} local-address {{ peer.src_addr }}{% endif %}{% if peer.src_if %} interface {{ peer.src_if }}{% endif %} + detect-multiplier {{ peer.multiplier }} + receive-interval {{ peer.rx_interval }} + transmit-interval {{ peer.tx_interval }} + {% if peer.echo_mode %}echo-mode{% endif %} + {% if peer.echo_interval != '' %}echo-interval {{ peer.echo_interval }}{% endif %} + {% if not peer.shutdown %}no {% endif %}shutdown +{% endfor -%} +! diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl new file mode 100644 index 000000000..b6d3aaf83 --- /dev/null +++ b/data/templates/https/nginx.default.tmpl @@ -0,0 +1,61 @@ +### Autogenerated by https.py ### +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + return 301 https://$server_name$request_uri; +} + +{% for server in server_block_list %} +server { + + # SSL configuration + # +{% if server.address == '*' %} + listen {{ server.port }} ssl; + listen [::]:{{ server.port }} ssl; +{% else %} + listen {{ server.address }}:{{ server.port }} ssl; +{% endif %} + +{% for name in server.name %} + server_name {{ name }}; +{% endfor %} + +{% if server.certbot %} + ssl_certificate /etc/letsencrypt/live/{{ server.certbot_dir }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ server.certbot_dir }}/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +{% elif server.vyos_cert %} + include {{ server.vyos_cert.conf }}; +{% else %} + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + include snippets/snakeoil.conf; +{% endif %} + + # proxy settings for HTTP API, if enabled; 503, if not + location ~ /(retrieve|configure|config-file|image|generate|show) { +{% if server.api %} + proxy_pass http://localhost:{{ server.api.port }}; + proxy_buffering off; +{% else %} + return 503; +{% endif %} + } + + error_page 501 502 503 =200 @50*_json; + + location @50*_json { + default_type application/json; + return 200 '{"error": "Start service in configuration mode: set service https api"}'; + } + +} + +{% endfor %} diff --git a/data/templates/igmp/igmp.frr.tmpl b/data/templates/igmp/igmp.frr.tmpl new file mode 100644 index 000000000..de4696c1f --- /dev/null +++ b/data/templates/igmp/igmp.frr.tmpl @@ -0,0 +1,41 @@ +! +{% for iface in old_ifaces -%} +interface {{ iface }} +{% for group in old_ifaces[iface].gr_join -%} +{% if old_ifaces[iface].gr_join[group] -%} +{% for source in old_ifaces[iface].gr_join[group] -%} +no ip igmp join {{ group }} {{ source }} +{% endfor -%} +{% else -%} +no ip igmp join {{ group }} +{% endif -%} +{% endfor -%} +no ip igmp +! +{% endfor -%} +{% for iface in ifaces -%} +interface {{ iface }} +{% if ifaces[iface].version -%} +ip igmp version {{ ifaces[iface].version }} +{% else -%} +{# IGMP default version 3 #} +ip igmp +{% endif -%} +{% if ifaces[iface].query_interval -%} +ip igmp query-interval {{ ifaces[iface].query_interval }} +{% endif -%} +{% if ifaces[iface].query_max_resp_time -%} +ip igmp query-max-response-time {{ ifaces[iface].query_max_resp_time }} +{% endif -%} +{% for group in ifaces[iface].gr_join -%} +{% if ifaces[iface].gr_join[group] -%} +{% for source in ifaces[iface].gr_join[group] -%} +ip igmp join {{ group }} {{ source }} +{% endfor -%} +{% else -%} +ip igmp join {{ group }} +{% endif -%} +{% endfor -%} +! +{% endfor -%} +! diff --git a/data/templates/ipoe-server/chap-secrets.tmpl b/data/templates/ipoe-server/chap-secrets.tmpl new file mode 100644 index 000000000..707718e94 --- /dev/null +++ b/data/templates/ipoe-server/chap-secrets.tmpl @@ -0,0 +1,18 @@ +# username server password acceptable local IP addresses shaper +{% for aifc in auth['auth_if'] %} +{% for mac in auth['auth_if'][aifc] %} +{% if (auth['auth_if'][aifc][mac]['up']) and (auth['auth_if'][aifc][mac]['down']) %} +{% if auth['auth_if'][aifc][mac]['vlan'] %} +{{aifc}}.{{auth['auth_if'][aifc][mac]['vlan']}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}} +{% else %} +{{aifc}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}} +{% endif %} +{% else %} +{% if auth['auth_if'][aifc][mac]['vlan'] %} +{{aifc}}.{{auth['auth_if'][aifc][mac]['vlan']}}\t*\t{{mac.lower()}}\t* +{% else %} +{{aifc}}\t*\t{{mac.lower()}}\t* +{% endif %} +{% endif %} +{% endfor %} +{% endfor %} diff --git a/data/templates/ipoe-server/ipoe.config.tmpl b/data/templates/ipoe-server/ipoe.config.tmpl new file mode 100644 index 000000000..109bc0d92 --- /dev/null +++ b/data/templates/ipoe-server/ipoe.config.tmpl @@ -0,0 +1,123 @@ +### generated by ipoe.py ### +[modules] +log_syslog +ipoe +shaper +ipv6pool +ipv6_nd +ipv6_dhcp +{% if auth['mech'] == 'radius' %} +radius +{% endif -%} +ippool +{% if auth['mech'] == 'local' %} +chap-secrets +{% endif %} + +[core] +thread-count={{thread_cnt}} + +[log] +syslog=accel-ipoe,daemon +copy=1 +level=5 + +[ipoe] +verbose=1 +{% for intfc in interfaces %} +{% if interfaces[intfc]['vlan_mon'] %} +interface=re:{{intfc}}\.\d+,\ +{% else %} +interface={{intfc}},\ +{% endif %} +shared={{interfaces[intfc]['shared']}},\ +mode={{interfaces[intfc]['mode']}},\ +ifcfg={{interfaces[intfc]['ifcfg']}},\ +range={{interfaces[intfc]['range']}},\ +start={{interfaces[intfc]['sess_start']}},\ +ipv6=1 +{% endfor %} +{% if auth['mech'] == 'noauth' %} +noauth=1 +{% endif %} +{% if auth['mech'] == 'local' %} +username=ifname +password=csid +{% endif %} + +{%- for intfc in interfaces %} +{% if (interfaces[intfc]['shared'] == '0') and (interfaces[intfc]['vlan_mon']) %} +vlan-mon={{intfc}},{{interfaces[intfc]['vlan_mon']|join(',')}} +{% endif %} +{% endfor %} + +{% if (dns['server1']) or (dns['server2']) %} +[dns] +{% if dns['server1'] %} +dns1={{dns['server1']}} +{% endif -%} +{% if dns['server2'] %} +dns2={{dns['server2']}} +{% endif -%} +{% endif -%} + +{% if (dnsv6['server1']) or (dnsv6['server2']) or (dnsv6['server3']) %} +[dnsv6] +dns={{dnsv6['server1']}} +dns={{dnsv6['server2']}} +dns={{dnsv6['server3']}} +{% endif %} + +[ipv6-nd] +verbose=1 + +[ipv6-dhcp] +verbose=1 + +{% if ipv6['prfx'] %} +[ipv6-pool] +{% for prfx in ipv6['prfx'] %} +{{prfx}} +{% endfor %} +{% for pd in ipv6['pd'] %} +delegate={{pd}} +{% endfor %} +{% endif %} + +{% if auth['mech'] == 'local' %} +[chap-secrets] +chap-secrets=/etc/accel-ppp/ipoe/chap-secrets +{% endif %} + +{% if auth['mech'] == 'radius' %} +[radius] +verbose=1 +{% for srv in auth['radius'] %} +server={{srv}},{{auth['radius'][srv]['secret']}},\ +req-limit={{auth['radius'][srv]['req-limit']}},\ +fail-time={{auth['radius'][srv]['fail-time']}} +{% endfor %} +{% if auth['radsettings']['dae-server']['ip-address'] %} +dae-server={{auth['radsettings']['dae-server']['ip-address']}}:\ +{{auth['radsettings']['dae-server']['port']}},\ +{{auth['radsettings']['dae-server']['secret']}} +{% endif -%} +{% if auth['radsettings']['acct-timeout'] %} +acct-timeout={{auth['radsettings']['acct-timeout']}} +{% endif -%} +{% if auth['radsettings']['max-try'] %} +max-try={{auth['radsettings']['max-try']}} +{% endif -%} +{% if auth['radsettings']['timeout'] %} +timeout={{auth['radsettings']['timeout']}} +{% endif -%} +{% if auth['radsettings']['nas-ip-address'] %} +nas-ip-address={{auth['radsettings']['nas-ip-address']}} +{% endif -%} +{% if auth['radsettings']['nas-identifier'] %} +nas-identifier={{auth['radsettings']['nas-identifier']}} +{% endif -%} +{% endif %} + +[cli] +tcp=127.0.0.1:2002 diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl new file mode 100644 index 000000000..d0b60765b --- /dev/null +++ b/data/templates/ipsec/ipsec.conf.tmpl @@ -0,0 +1,3 @@ +{{delim_ipsec_l2tp_begin}} +include {{ipsec_ra_conn_file}} +{{delim_ipsec_l2tp_end}} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl new file mode 100644 index 000000000..55c010a3b --- /dev/null +++ b/data/templates/ipsec/ipsec.secrets.tmpl @@ -0,0 +1,7 @@ +{{delim_ipsec_l2tp_begin}} +{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %} +{{outside_addr}} %any : PSK "{{ipsec_l2tp_secret}}" +{% elif ipsec_l2tp_auth_mode == 'x509' %} +: RSA {{server_key_file_copied}} +{% endif%} +{{delim_ipsec_l2tp_end}} diff --git a/data/templates/ipsec/remote-access.tmpl b/data/templates/ipsec/remote-access.tmpl new file mode 100644 index 000000000..fae48232f --- /dev/null +++ b/data/templates/ipsec/remote-access.tmpl @@ -0,0 +1,28 @@ +{{delim_ipsec_l2tp_begin}} +conn {{ra_conn_name}} + type=transport + left={{outside_addr}} + leftsubnet=%dynamic[/1701] + rightsubnet=%dynamic + mark_in=%unique + auto=add + ike=aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024! + dpddelay=15 + dpdtimeout=45 + dpdaction=clear + esp=aes256-sha1,3des-sha1! + rekey=no +{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %} + authby=secret + leftauth=psk + rightauth=psk +{% elif ipsec_l2tp_auth_mode == 'x509' %} + authby=rsasig + leftrsasigkey=%cert + rightrsasigkey=%cert + rightca=%same + leftcert={{server_cert_file_copied}} +{% endif %} + ikelifetime={{ipsec_l2tp_ike_lifetime}} + keylife={{ipsec_l2tp_lifetime}} +{{delim_ipsec_l2tp_end}} diff --git a/data/templates/mdns-repeater/mdns-repeater.tmpl b/data/templates/mdns-repeater/mdns-repeater.tmpl new file mode 100644 index 000000000..3fc4db67e --- /dev/null +++ b/data/templates/mdns-repeater/mdns-repeater.tmpl @@ -0,0 +1,2 @@ +### Autogenerated by mdns_repeater.py ### +DAEMON_ARGS="{{ interfaces | join(' ') }}" diff --git a/data/templates/mpls/ldpd.frr.tmpl b/data/templates/mpls/ldpd.frr.tmpl new file mode 100644 index 000000000..bbff88ae5 --- /dev/null +++ b/data/templates/mpls/ldpd.frr.tmpl @@ -0,0 +1,58 @@ +! +{% if mpls_ldp -%} +mpls ldp +{% if old_router_id -%} +no router-id {{ old_router_id }} +{% endif -%} +{% if router_id -%} +router-id {{ router_id }} +{% endif -%} +{% for neighbor_id in old_ldp.neighbors -%} +no neighbor {{neighbor_id}} password {{old_ldp.neighbors[neighbor_id].password}} +{% endfor -%} +{% for neighbor_id in ldp.neighbors -%} +neighbor {{neighbor_id}} password {{ldp.neighbors[neighbor_id].password}} +{% endfor -%} +address-family ipv4 +label local allocate host-routes +{% if old_ldp.d_transp_ipv4 -%} +no discovery transport-address {{ old_ldp.d_transp_ipv4 }} +{% endif -%} +{% if ldp.d_transp_ipv4 -%} +discovery transport-address {{ ldp.d_transp_ipv4 }} +{% endif -%} +{% for interface in old_ldp.interfaces -%} +no interface {{interface}} +{% endfor -%} +{% for interface in ldp.interfaces -%} +interface {{interface}} +{% endfor -%} +! +! +exit-address-family +! +{% if ldp.d_transp_ipv6 -%} +address-family ipv6 +label local allocate host-routes +{% if old_ldp.d_transp_ipv6 -%} +no discovery transport-address {{ old_ldp.d_transp_ipv6 }} +{% endif -%} +{% if ldp.d_transp_ipv6 -%} +discovery transport-address {{ ldp.d_transp_ipv6 }} +{% endif -%} +{% for interface in old_ldp.interfaces -%} +no interface {{interface}} +{% endfor -%} +{% for interface in ldp.interfaces -%} +interface {{interface}} +{% endfor -%} +! +exit-address-family +{% else -%} +no address-family ipv6 +{% endif -%} +! +{% else -%} +no mpls ldp +{% endif -%} +! diff --git a/data/templates/pim/pimd.frr.tmpl b/data/templates/pim/pimd.frr.tmpl new file mode 100644 index 000000000..1d1532c60 --- /dev/null +++ b/data/templates/pim/pimd.frr.tmpl @@ -0,0 +1,34 @@ +! +{% for rp_addr in old_pim.rp -%} +{% for group in old_pim.rp[rp_addr] -%} +no ip pim rp {{ rp_addr }} {{ group }} +{% endfor -%} +{% endfor -%} +{% if old_pim.rp_keep_alive -%} +no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }} +{% endif -%} +{% for iface in old_pim.ifaces -%} +interface {{ iface }} +no ip pim +! +{% endfor -%} +{% for iface in pim.ifaces -%} +interface {{ iface }} +ip pim +{% if pim.ifaces[iface].dr_prio -%} +ip pim drpriority {{ pim.ifaces[iface].dr_prio }} +{% endif -%} +{% if pim.ifaces[iface].hello -%} +ip pim hello {{ pim.ifaces[iface].hello }} +{% endif -%} +! +{% endfor -%} +{% for rp_addr in pim.rp -%} +{% for group in pim.rp[rp_addr] -%} +ip pim rp {{ rp_addr }} {{ group }} +{% endfor -%} +{% endfor -%} +{% if pim.rp_keep_alive -%} +ip pim rp keep-alive-timer {{ pim.rp_keep_alive }} +{% endif -%} +! diff --git a/data/templates/pppoe-server/chap-secrets.tmpl b/data/templates/pppoe-server/chap-secrets.tmpl new file mode 100644 index 000000000..808debccb --- /dev/null +++ b/data/templates/pppoe-server/chap-secrets.tmpl @@ -0,0 +1,11 @@ +# username server password acceptable local IP addresses shaper +{% for user in authentication['local-users'] %} +{% if authentication['local-users'][user]['state'] == 'enabled' %} +{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}\t\ +{{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}} +{% else %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}} +{% endif %} +{% endif %} +{% endfor %} diff --git a/data/templates/pppoe-server/pppoe.config.tmpl b/data/templates/pppoe-server/pppoe.config.tmpl new file mode 100644 index 000000000..d44c0aa93 --- /dev/null +++ b/data/templates/pppoe-server/pppoe.config.tmpl @@ -0,0 +1,228 @@ + +### generated by accel_pppoe.py ### +[modules] +log_syslog +pppoe +{% if authentication['mode'] == 'radius' %} +radius +{% endif %} +ippool +{% if ppp_options['ipv6'] != 'deny' %} +ipv6pool +ipv6_nd +ipv6_dhcp +{% endif %} +chap-secrets +auth_pap +auth_chap_md5 +auth_mschap_v1 +auth_mschap_v2 +#pppd_compat +shaper +{% if snmp == 'enable' or snmp == 'enable-ma' %} +net-snmp +{% endif %} +{% if limits %} +connlimit +{% endif %} + +[core] +thread-count={{thread_cnt}} + +[log] +syslog=accel-pppoe,daemon +copy=1 +level=5 + +{% if snmp == 'enable-ma' %} +[snmp] +master=1 +{% endif -%} + +[client-ip-range] +disable + +{% if ppp_gw %} +[ip-pool] +gw-ip-address={{ppp_gw}} +{% if client_ip_pool %} +{{client_ip_pool}} +{% endif -%} + +{% if client_ip_subnets %} +{% for sn in client_ip_subnets %} +{{sn}} +{% endfor %} +{% endif %} +{% endif -%} + +{% if client_ipv6_pool %} +[ipv6-pool] +{% for prfx in client_ipv6_pool['prefix']: %} +{{prfx}} +{% endfor %} +{% for prfx in client_ipv6_pool['delegate-prefix']: %} +delegate={{prfx}} +{% endfor %} +{% endif %} + +{% if dns %} +[dns] +{% if dns[0] %} +dns1={{dns[0]}} +{% endif -%} +{% if dns[1] %} +dns2={{dns[1]}} +{% endif -%} +{% endif %} + +{% if dnsv6 %} +[ipv6-dns] +{% for srv in dnsv6: %} +{{srv}} +{% endfor %} +{% endif %} + +{% if wins %} +[wins] +{% if wins[0] %} +wins1={{wins[0]}} +{% endif %} +{% if wins[1] %} +wins2={{wins[1]}} +{% endif -%} +{% endif -%} + +{% if authentication['mode'] == 'local' %} +[chap-secrets] +chap-secrets=/etc/accel-ppp/pppoe/chap-secrets +{% endif -%} + +{% if authentication['mode'] == 'radius' %} +[radius] +{% for rsrv in authentication['radiussrv']: %} +server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ +req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ +fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} +{% endfor %} +{% if authentication['radiusopt']['timeout'] %} +timeout={{authentication['radiusopt']['timeout']}} +{% endif %} +{% if authentication['radiusopt']['acct-timeout'] %} +acct-timeout={{authentication['radiusopt']['acct-timeout']}} +{% endif %} +{% if authentication['radiusopt']['max-try'] %} +max-try={{authentication['radiusopt']['max-try']}} +{% endif %} +{% if authentication['radiusopt']['nas-id'] %} +nas-identifier={{authentication['radiusopt']['nas-id']}} +{% endif %} +{% if authentication['radiusopt']['nas-ip'] %} +nas-ip-address={{authentication['radiusopt']['nas-ip']}} +{% endif -%} +{% if authentication['radiusopt']['dae-srv'] %} +dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ +{{authentication['radiusopt']['dae-srv']['port']}},\ +{{authentication['radiusopt']['dae-srv']['secret']}} +{% endif -%} +gw-ip-address={{ppp_gw}} +verbose=1 + +{% if authentication['radiusopt']['shaper'] %} +[shaper] +verbose=1 +attr={{authentication['radiusopt']['shaper']['attr']}} +{% if authentication['radiusopt']['shaper']['vendor'] %} +vendor={{authentication['radiusopt']['shaper']['vendor']}} +{% endif -%} +{% endif -%} +{% endif %} + +[ppp] +verbose=1 +check-ip=1 +{% if not sesscrtl == 'disable' %} +single-session={{sesscrtl}} +{% endif -%} +{% if ppp_options['ccp'] %} +ccp=1 +{% endif %} +{% if ppp_options['min-mtu'] %} +min-mtu={{ppp_options['min-mtu']}} +{% else %} +min-mtu={{mtu}} +{% endif %} +{% if ppp_options['mru'] %} +mru={{ppp_options['mru']}} +{% endif %} +{% if ppp_options['mppe'] %} +mppe={{ppp_options['mppe']}} +{% else %} +mppe=prefer +{% endif %} +{% if ppp_options['lcp-echo-interval'] %} +lcp-echo-interval={{ppp_options['lcp-echo-interval']}} +{% else %} +lcp-echo-interval=30 +{% endif %} +{% if ppp_options['lcp-echo-timeout'] %} +lcp-echo-timeout={{ppp_options['lcp-echo-timeout']}} +{% endif %} +{% if ppp_options['lcp-echo-failure'] %} +lcp-echo-failure={{ppp_options['lcp-echo-failure']}} +{% else %} +lcp-echo-failure=3 +{% endif %} +{% if ppp_options['ipv4'] %} +ipv4={{ppp_options['ipv4']}} +{% endif %} +{% if client_ipv6_pool %} +ipv6=allow +{% endif %} + +{% if ppp_options['ipv6'] %} +ipv6={{ppp_options['ipv6']}} +{% if ppp_options['ipv6-intf-id'] %} +ipv6-intf-id={{ppp_options['ipv6-intf-id']}} +{% endif %} +{% if ppp_options['ipv6-peer-intf-id'] %} +ipv6-peer-intf-id={{ppp_options['ipv6-peer-intf-id']}} +{% endif %} +{% if ppp_options['ipv6-accept-peer-intf-id'] %} +ipv6-accept-peer-intf-id={{ppp_options['ipv6-accept-peer-intf-id']}} +{% endif %} +{% endif %} +mtu={{mtu}} + +[pppoe] +verbose=1 +{% if concentrator %} +ac-name={{concentrator}} +{% endif %} +{% if interface %} +{% for int in interface %} +interface={{int}} +{% if interface[int]['vlans'] %} +vlan-mon={{int}},{{interface[int]['vlans']|join(',')}} +interface=re:{{int}}\.\d+ +{% endif %} +{% endfor -%} +{% endif -%} + +{% if svc_name %} +service-name={{svc_name|join(',')}} +{% endif -%} + +{% if pado_delay %} +pado-delay={{pado_delay}} +{% endif %} + +{% if limits %} +[connlimit] +limit={{limits['conn-limit']}} +burst={{limits['burst']}} +timeout={{limits['timeout']}} +{% endif %} + +[cli] +tcp=127.0.0.1:2001 diff --git a/data/templates/pptp/chap-secrets.tmpl b/data/templates/pptp/chap-secrets.tmpl new file mode 100644 index 000000000..6bfa2d64e --- /dev/null +++ b/data/templates/pptp/chap-secrets.tmpl @@ -0,0 +1,6 @@ +# username server password acceptable local IP addresses +{% for user in authentication['local-users'] %} +{% if authentication['local-users'][user]['state'] == 'enabled' %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}} +{% endif %} +{% endfor %} diff --git a/data/templates/pptp/pptp.config.tmpl b/data/templates/pptp/pptp.config.tmpl new file mode 100644 index 000000000..2596507af --- /dev/null +++ b/data/templates/pptp/pptp.config.tmpl @@ -0,0 +1,87 @@ + +### generated by accel_pptp.py ### +[modules] +log_syslog +pptp +ippool +chap-secrets +{% if authentication['auth_proto'] %} +{{ authentication['auth_proto'] }} +{% else %} +auth_mschap_v2 +{% endif %} +{% if authentication['mode'] == 'radius' %} +radius +{% endif -%} + +[core] +thread-count={{thread_cnt}} + +[log] +syslog=accel-pptp,daemon +copy=1 +level=5 + +{% if dns %} +[dns] +{% if dns[0] %} +dns1={{dns[0]}} +{% endif %} +{% if dns[1] %} +dns2={{dns[1]}} +{% endif %} +{% endif %} + +{% if wins %} +[wins] +{% if wins[0] %} +wins1={{wins[0]}} +{% endif %} +{% if wins[1] %} +wins2={{wins[1]}} +{% endif %} +{% endif %} + +[pptp] +ifname=pptp%d +{% if outside_addr %} +bind={{outside_addr}} +{% endif %} +verbose=1 +ppp-max-mtu={{mtu}} +mppe={{authentication['mppe']}} +echo-interval=10 +echo-failure=3 + + +[client-ip-range] +0.0.0.0/0 + +[ip-pool] +tunnel={{client_ip_pool}} +gw-ip-address={{gw_ip}} + +{% if authentication['mode'] == 'local' %} +[chap-secrets] +chap-secrets=/etc/accel-ppp/pptp/chap-secrets +{% endif %} + +[ppp] +verbose=5 +check-ip=1 +single-session=replace + +{% if authentication['mode'] == 'radius' %} +[radius] +{% for rsrv in authentication['radiussrv']: %} +server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ +req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ +fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} +{% endfor %} +timeout=30 +acct-timeout=30 +max-try=3 +{%endif %} + +[cli] +tcp=127.0.0.1:2003 diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl new file mode 100644 index 000000000..2768f6f2e --- /dev/null +++ b/data/templates/router-advert/radvd.conf.tmpl @@ -0,0 +1,37 @@ +### Autogenerated by service-router-advert.py ### + +{% for i in interfaces -%} +interface {{ i.name }} { + IgnoreIfMissing on; + AdvDefaultPreference {{ i.default_preference }}; + AdvManagedFlag {{ i.managed_flag }}; + MaxRtrAdvInterval {{ i.interval_max }}; +{% if i.interval_min %} + MinRtrAdvInterval {{ i.interval_min }}; +{% endif %} + AdvReachableTime {{ i.reachable_time }}; + AdvIntervalOpt {{ i.send_advert }}; + AdvSendAdvert {{ i.send_advert }}; +{% if i.default_lifetime %} + AdvDefaultLifetime {{ i.default_lifetime }}; +{% endif %} +{% if i.link_mtu %} + AdvLinkMTU {{ i.link_mtu }}; +{% endif %} + AdvOtherConfigFlag {{ i.other_config_flag }}; + AdvRetransTimer {{ i.retrans_timer }}; + AdvCurHopLimit {{ i.hop_limit }}; +{% for p in i.prefixes %} + prefix {{ p.prefix }} { + AdvAutonomous {{ p.autonomous_flag }}; + AdvValidLifetime {{ p.valid_lifetime }}; + AdvOnLink {{ p.on_link }}; + AdvPreferredLifetime {{ p.preferred_lifetime }}; + }; +{% endfor %} +{% if i.name_server %} + RDNSS {{ i.name_server | join(" ") }} { + }; +{% endif %} +}; +{% endfor -%} diff --git a/data/templates/salt-minion/minion.tmpl b/data/templates/salt-minion/minion.tmpl new file mode 100644 index 000000000..5e50d588c --- /dev/null +++ b/data/templates/salt-minion/minion.tmpl @@ -0,0 +1,63 @@ +### Autogenerated by salt-minion.py ### + +##### Primary configuration settings ##### +########################################## + +# The hash_type is the hash to use when discovering the hash of a file on +# the master server. The default is sha256, but md5, sha1, sha224, sha384 and +# sha512 are also supported. +# +# WARNING: While md5 and sha1 are also supported, do not use them due to the +# high chance of possible collisions and thus security breach. +# +# Prior to changing this value, the master should be stopped and all Salt +# caches should be cleared. +hash_type: {{ hash_type }} + +##### Logging settings ##### +########################################## +# The location of the minion log file +# The minion log can be sent to a regular file, local path name, or network +# location. Remote logging works best when configured to use rsyslogd(8) (e.g.: +# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI +# format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility> +#log_file: /var/log/salt/minion +#log_file: file:///dev/log +#log_file: udp://loghost:10514 +# +log_file: {{ log_file }} + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# +# Default: 'warning' +log_level: {{ log_level }} + +# Set the location of the salt master server, if the master server cannot be +# resolved, then the minion will fail to start. +master: +{% for host in master -%} +- {{ host }} +{% endfor %} + +# The user to run salt +user: {{ user }} + +# The directory to store the pki information in +pki_dir: /config/salt/pki/minion + +# Explicitly declare the id for this minion to use, if left commented the id +# will be the hostname as returned by the python call: socket.getfqdn() +# Since salt uses detached ids it is possible to run multiple minions on the +# same machine but with different ids, this can be useful for salt compute +# clusters. +id: {{ salt_id }} + + +# The number of minutes between mine updates. +mine_interval: {{ mine_interval }} + +verify_master_pubkey_sign: {{ verify_master_pubkey_sign }} diff --git a/data/templates/system-login/pam_radius_auth.conf.tmpl b/data/templates/system-login/pam_radius_auth.conf.tmpl new file mode 100644 index 000000000..6cff67867 --- /dev/null +++ b/data/templates/system-login/pam_radius_auth.conf.tmpl @@ -0,0 +1,13 @@ +# Automatically generated by VyOS +# RADIUS configuration file +{%- if radius_server %} +# server[:port] shared_secret timeout (s) source_ip +{% for s in radius_server %} +{%- if not s.disabled -%} +{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source_address -%}{{ radius_source_address }}{% endif %} +{% endif %} +{%- endfor %} + +priv-lvl 15 +mapped_priv_user radius_priv_user +{% endif %} diff --git a/data/templates/tftp-server/default.tmpl b/data/templates/tftp-server/default.tmpl new file mode 100644 index 000000000..18fee35d1 --- /dev/null +++ b/data/templates/tftp-server/default.tmpl @@ -0,0 +1,2 @@ +### Autogenerated by tftp_server.py ### +DAEMON_ARGS="--listen --user tftp --address {% for a in listen-%}{{ a }}{% endfor %}{% if allow_upload %} --create --umask 000{% endif %} --secure {{ directory }}" diff --git a/data/templates/vrf/vrf.conf.tmpl b/data/templates/vrf/vrf.conf.tmpl new file mode 100644 index 000000000..761b0bb6f --- /dev/null +++ b/data/templates/vrf/vrf.conf.tmpl @@ -0,0 +1,8 @@ +### Autogenerated by vrf.py ### +# +# Routing table ID to name mapping reference + +# id vrf name comment +{% for vrf in vrf_add -%} +{{ "%-10s" | format(vrf.table) }} {{ "%-16s" | format(vrf.name) }} # {{ vrf.description }} +{% endfor -%} diff --git a/data/templates/vrrp/daemon.tmpl b/data/templates/vrrp/daemon.tmpl new file mode 100644 index 000000000..62d0ba63b --- /dev/null +++ b/data/templates/vrrp/daemon.tmpl @@ -0,0 +1,5 @@ +# Autogenerated by VyOS
+# Options to pass to keepalived
+
+# DAEMON_ARGS are appended to the keepalived command-line
+DAEMON_ARGS="--snmp"
diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl new file mode 100644 index 000000000..08b821f70 --- /dev/null +++ b/data/templates/vrrp/keepalived.conf.tmpl @@ -0,0 +1,97 @@ +# Autogenerated by VyOS +# Do not edit this file, all your changes will be lost +# on next commit or reboot + +global_defs { + dynamic_interfaces + script_user root + notify_fifo /run/keepalived_notify_fifo + notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py +} + +{% for group in groups -%} + +{% if group.health_check_script -%} +vrrp_script healthcheck_{{ group.name }} { + script "{{ group.health_check_script }}" + interval {{ group.health_check_interval }} + fall {{ group.health_check_count }} + rise 1 + +} +{% endif %} + +vrrp_instance {{ group.name }} { + {% if group.description -%} + # {{ group.description }} + {% endif -%} + + state BACKUP + interface {{ group.interface }} + virtual_router_id {{ group.vrid }} + priority {{ group.priority }} + advert_int {{ group.advertise_interval }} + + {% if group.preempt -%} + preempt_delay {{ group.preempt_delay }} + {% else -%} + nopreempt + {% endif -%} + + {% if group.peer_address -%} + unicast_peer { {{ group.peer_address }} } + {% endif -%} + + {% if group.hello_source -%} + {%- if group.peer_address -%} + unicast_src_ip {{ group.hello_source }} + {%- else -%} + mcast_src_ip {{ group.hello_source }} + {%- endif %} + {% endif -%} + + {% if group.use_vmac and group.peer_address -%} + use_vmac {{group.interface}}v{{group.vrid}} + vmac_xmit_base + {% elif group.use_vmac -%} + use_vmac {{group.interface}}v{{group.vrid}} + {% endif -%} + + {% if group.auth_password -%} + authentication { + auth_pass "{{ group.auth_password }}" + auth_type {{ group.auth_type }} + } + {% endif -%} + + virtual_ipaddress { + {% for addr in group.virtual_addresses -%} + {{ addr }} + {% endfor -%} + } + + {% if group.health_check_script -%} + track_script { + healthcheck_{{ group.name }} + } + {% endif -%} +} + +{% endfor -%} + +{% for sync_group in sync_groups -%} +vrrp_sync_group {{ sync_group.name }} { + group { + {% for member in sync_group.members -%} + {{ member }} + {% endfor -%} + } + + {% if sync_group.conntrack_sync -%} + notify_master "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh master {{ sync_group.name }}" + notify_backup "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh backup {{ sync_group.name }}" + notify_fault "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh fault {{ sync_group.name }}" + {% endif -%} +} + +{% endfor -%} diff --git a/data/templates/wifi/cfg80211.conf.tmpl b/data/templates/wifi/cfg80211.conf.tmpl new file mode 100644 index 000000000..b21bacc1e --- /dev/null +++ b/data/templates/wifi/cfg80211.conf.tmpl @@ -0,0 +1,3 @@ +{%- if regdom -%} +options cfg80211 ieee80211_regdom={{ regdom }} +{% endif %} diff --git a/data/templates/wifi/crda.tmpl b/data/templates/wifi/crda.tmpl new file mode 100644 index 000000000..750ad86ee --- /dev/null +++ b/data/templates/wifi/crda.tmpl @@ -0,0 +1,3 @@ +{%- if regdom -%} +REGDOMAIN={{ regdom }} +{% endif %} |