Diffstat (limited to 'data')
-rw-r--r--data/configd-include.json3
-rw-r--r--data/op-mode-standardized.json1
-rw-r--r--data/templates/container/storage.conf.j21
-rw-r--r--data/templates/dns-dynamic/ddclient.conf.j275
-rw-r--r--data/templates/dns-dynamic/override.conf.j210
-rw-r--r--data/templates/dynamic-dns/ddclient.conf.j253
-rw-r--r--data/templates/login/nsswitch.conf.j221
-rw-r--r--data/templates/login/tacplus_nss.conf.j274
-rw-r--r--data/templates/login/tacplus_servers.j259
-rw-r--r--data/templates/mdns-repeater/avahi-daemon.j21
-rw-r--r--data/templates/pmacct/uacctd.conf.j24
11 files changed, 245 insertions, 57 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index 456211caa..84bc1f14e 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -9,12 +9,11 @@
"dhcpv6_relay.py",
"dhcpv6_server.py",
"dns_forwarding.py",
-"dynamic_dns.py",
+"dns_dynamic.py",
"firewall.py",
"flow_accounting_conf.py",
"high-availability.py",
"host_name.py",
-"https.py",
"igmp_proxy.py",
"intel_qat.py",
"interfaces-bonding.py",
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index c7c67198e..042c466ab 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -18,6 +18,7 @@
"openconnect.py",
"openvpn.py",
"reset_vpn.py",
+"reverseproxy.py",
"route.py",
"system.py",
"ipsec.py",
diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2
index ec2046fb5..1a4e601b5 100644
--- a/data/templates/container/storage.conf.j2
+++ b/data/templates/container/storage.conf.j2
@@ -2,5 +2,6 @@
[storage]
driver = "overlay"
graphroot = "/usr/lib/live/mount/persistence/container/storage"
+ runroot = "/var/run/containers/storage"
[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"
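Review bot: The added `runroot` line carries a leading space while every sibling key in the `[storage]` table starts at column 0; containers/storage tolerates the whitespace, but the line reads as if it belonged to a different block. Change it to `runroot = "/var/run/containers/storage"` flush with `graphroot` above it. A one-line comment such as `# runroot is volatile state; graphroot is the persistent image store` would also explain why the two paths live under different roots.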
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
new file mode 100644
index 000000000..4da7153c7
--- /dev/null
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -0,0 +1,75 @@
+{% macro render_config(host, address, web_options, ip_suffixes=['']) %}
+{# Address: use=if, if=ethX, usev6=ifv6, ifv6=ethX, usev6=webv6, webv6=https://v6.example.com #}
+{% for ipv in ip_suffixes %}
+use{{ ipv }}={{ address if address == 'web' else 'if' }}{{ ipv }}, \
+{% if address == 'web' %}
+{% if web_options.url is vyos_defined %}
+web{{ ipv }}={{ web_options.url }}, \
+{% endif %}
+{% if web_options.skip is vyos_defined %}
+web-skip{{ ipv }}='{{ web_options.skip }}', \
+{% endif %}
+{% else %}
+if{{ ipv }}={{ address }}, \
+{% endif %}
+{% endfor %}
+{# Other service options #}
+{% for k,v in kwargs.items() %}
+{% if v is vyos_defined %}
+{{ k }}={{ v }}{{ ',' if not loop.last }} \
+{% endif %}
+{% endfor %}
+{# Actual hostname for the service #}
+{{ host }}
+{% endmacro %}
+### Autogenerated by dns_dynamic.py ###
+daemon=1m
+syslog=yes
+ssl=yes
+pid={{ config_file | replace('.conf', '.pid') }}
+cache={{ config_file | replace('.conf', '.cache') }}
+{# Explicitly override global options for reliability #}
+web=googledomains {# ddclient default ('dyndns') doesn't support ssl and results in process lockup #}
+use=no {# ddclient default ('ip') results in confusing warning message in log #}
+
+{% if address is vyos_defined %}
+{% for address, service_cfg in address.items() %}
+{% if service_cfg.rfc2136 is vyos_defined %}
+{% for name, config in service_cfg.rfc2136.items() %}
+{% if config.description is vyos_defined %}
+# {{ config.description }}
+
+{% endif %}
+{% for host in config.host_name if config.host_name is vyos_defined %}
+# RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}]
+{# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.)
+ to the properties since 'nsupdate' doesn't support that yet. #}
+{{ render_config(host, address, service_cfg.web_options,
+ protocol='nsupdate', server=config.server, zone=config.zone,
+ password=config.key, ttl=config.ttl) }}
+
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if service_cfg.service is vyos_defined %}
+{% for name, config in service_cfg.service.items() %}
+{% if config.description is vyos_defined %}
+# {{ config.description }}
+
+{% endif %}
+{% for host in config.host_name if config.host_name is vyos_defined %}
+{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
+ else (['v6'] if config.ip_version == 'ipv6' else ['']) %}
+# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
+{# For ipv4 only setup or legacy ipv6 setup, don't append 'new-style' compliant suffix
+ ('usev4', 'ifv4', 'webv4' etc.) to the properties and instead live through the
+ deprecation warnings for better compatibility with most ddclient protocols. #}
+{{ render_config(host, address, service_cfg.web_options, ip_suffixes,
+ protocol=config.protocol, server=config.server, zone=config.zone,
+ login=config.username, password=config.password) }}
+
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
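Review bot: `password=config.password` (and `password=config.key` for rfc2136) is emitted by the macro's generic `{{ k }}={{ v }}` line without quotes, whereas the deleted template wrote `password='{{ config.password }}'` and this template still quotes `web-skip`; a password containing a comma, whitespace or `#` will be split or truncated by ddclient's parser, and a mangled shared secret fails only at runtime. The simplest targeted fix is in the kwargs loop: `{{ k }}={{ "'" ~ v ~ "'" if k == 'password' else v }}{{ ',' if not loop.last }} \`. Separately, `{{ ',' if not loop.last }}` keys the comma on the last kwarg passed, not the last one that is `vyos_defined`, so when the final argument (e.g. `ttl`, `password`) is unset the preceding option keeps a trailing comma before the hostname — worth confirming ddclient accepts that or tracking the last defined entry instead. Since this file carries credentials, the Python side that writes it should also be checked for a restrictive file mode; that is outside this hunk.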
diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2
new file mode 100644
index 000000000..6ca1b8a45
--- /dev/null
+++ b/data/templates/dns-dynamic/override.conf.j2
@@ -0,0 +1,10 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+ConditionPathExists={{ config_file }}
+After=vyos-router.service
+
+[Service]
+PIDFile={{ config_file | replace('.conf', '.pid') }}
+EnvironmentFile=
+ExecStart=
+ExecStart=/usr/bin/ddclient -file {{ config_file }}
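Review bot: `vrf_command` is built on the first line but never referenced, so the `ExecStart=` override ignores the configured VRF and ddclient runs in the default routing table. Use it in the command: `ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }}`. A short comment above the `set`, `{# Prefix the daemon with 'ip vrf exec' when a VRF is configured #}`, makes the intent visible to the next reader.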
diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2
deleted file mode 100644
index e8ef5ac90..000000000
--- a/data/templates/dynamic-dns/ddclient.conf.j2
+++ /dev/null
@@ -1,53 +0,0 @@
-### Autogenerated by dynamic_dns.py ###
-daemon=1m
-syslog=yes
-ssl=yes
-
-{% if interface is vyos_defined %}
-{% for iface, iface_config in interface.items() %}
-# ddclient configuration for interface "{{ iface }}"
-{% if iface_config.use_web is vyos_defined %}
-{% set web_skip = ", web-skip='" ~ iface_config.use_web.skip ~ "'" if iface_config.use_web.skip is vyos_defined else '' %}
-use=web, web='{{ iface_config.use_web.url }}'{{ web_skip }}
-{% else %}
-{{ 'usev6=ifv6' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }}
-{% endif %}
-
-{% if iface_config.rfc2136 is vyos_defined %}
-{% for rfc2136, config in iface_config.rfc2136.items() %}
-{% for dns_record in config.record if config.record is vyos_defined %}
-# RFC2136 dynamic DNS configuration for {{ rfc2136 }}, {{ config.zone }}, {{ dns_record }}
-server={{ config.server }}
-protocol=nsupdate
-password={{ config.key }}
-ttl={{ config.ttl }}
-zone={{ config.zone }}
-{{ dns_record }}
-
-{% endfor %}
-{% endfor %}
-{% endif %}
-
-{% if iface_config.service is vyos_defined %}
-{% for service, config in iface_config.service.items() %}
-{% for dns_record in config.host_name %}
-# DynDNS provider configuration for {{ service }}, {{ dns_record }}
-protocol={{ config.protocol }},
-max-interval=28d,
-{% if config.login is vyos_defined %}
-login={{ config.login }},
-{% endif %}
-password='{{ config.password }}',
-{% if config.server is vyos_defined %}
-server={{ config.server }},
-{% endif %}
-{% if config.zone is vyos_defined %}
-zone={{ config.zone }},
-{% endif %}
-{{ dns_record }}
-
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% endif %}
diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2
new file mode 100644
index 000000000..65dc88291
--- /dev/null
+++ b/data/templates/login/nsswitch.conf.j2
@@ -0,0 +1,21 @@
+# Automatically generated by system-login.py
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+
+passwd: {{ 'mapuid ' if radius is vyos_defined }}{{ 'tacplus ' if tacacs is vyos_defined }}files{{ ' mapname' if radius is vyos_defined }}
+group: {{ 'mapname ' if radius is vyos_defined }}{{ 'tacplus ' if tacacs is vyos_defined }}files
+shadow: files
+gshadow: files
+
+# Per T2678, commenting out myhostname
+hosts: files dns #myhostname
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2
new file mode 100644
index 000000000..2a30b1710
--- /dev/null
+++ b/data/templates/login/tacplus_nss.conf.j2
@@ -0,0 +1,74 @@
+#%NSS_TACPLUS-1.0
+# Install this file as /etc/tacplus_nss.conf
+# Edit /etc/nsswitch.conf to add tacplus to the passwd lookup, similar to this
+# where tacplus precede compat (or files), and depending on local policy can
+# follow or precede ldap, nis, etc.
+# passwd: tacplus compat
+#
+# Servers are tried in the order listed, and once a server
+# replies, no other servers are attempted in a given process instantiation
+#
+# This configuration is similar to the libpam_tacplus configuration, but
+# is maintained as a configuration file, since nsswitch.conf doesn't
+# support passing parameters. Parameters must start in the first
+# column, and parsing stops at the first whitespace
+
+# if set, errors and other issues are logged with syslog
+#debug=1
+
+# min_uid is the minimum uid to lookup via tacacs. Setting this to 0
+# means uid 0 (root) is never looked up, good for robustness and performance
+# Cumulus Linux ships with it set to 1001, so we never lookup our standard
+# local users, including the cumulus uid of 1000. Should not be greater
+# than the local tacacs{0..15} uids
+min_uid=900
+
+# This is a comma separated list of usernames that are never sent to
+# a tacacs server, they cause an early not found return.
+#
+# "*" is not a wild card. While it's not a legal username, it turns out
+# that during pathname completion, bash can do an NSS lookup on "*"
+# To avoid server round trip delays, or worse, unreachable server delays
+# on filename completion, we include "*" in the exclusion list.
+exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }}
+
+# The include keyword allows centralizing the tacacs+ server information
+# including the IP address and shared secret
+# include=/etc/tacplus_servers
+
+# The server IP address can be optionally followed by a ':' and a port
+# number (server=1.1.1.1:49). It is strongly recommended that you NOT
+# add secret keys to this file, because it is world readable.
+{% if tacacs.server is vyos_defined %}
+{% for server, server_config in tacacs.server.items() %}
+secret={{ server_config.key }}
+server={{ server }}:{{ server_config.port }}
+
+{% endfor %}
+{% endif %}
+
+{% if tacacs.vrf is vyos_defined %}
+# If the management network is in a vrf, set this variable to the vrf name.
+# This would usually be "mgmt". When this variable is set, the connection to the
+# TACACS+ accounting servers will be made through the named vrf.
+vrf={{ tacacs.vrf }}
+{% endif %}
+
+{% if tacacs.source_address is vyos_defined %}
+# Sets the IPv4 address used as the source IP address when communicating with
+# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames.
+# The address must work when passsed to the bind() system call, that is, it must
+# be valid for the interface being used.
+source_ip={{ tacacs.source_address }}
+{% endif %}
+
+# The connection timeout for an NSS library should be short, since it is
+# invoked for many programs and daemons, and a failure is usually not
+# catastrophic. Not set or set to a negative value disables use of poll().
+# This follows the include of tacplus_servers, so it can override any
+# timeout value set in that file.
+# It's important to have this set in this file, even if the same value
+# as in tacplus_servers, since tacplus_servers should not be readable
+# by users other than root.
+timeout={{ tacacs.timeout }}
+
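Review bot: The template writes `secret={{ server_config.key }}` directly after the header comment that says it is "strongly recommended that you NOT add secret keys to this file, because it is world readable" — an NSS config has to be readable by every process, so the shared TACACS+ secret ends up exposed to all local users. The file's own scaffolding points at the intended pattern: emit `include=/etc/tacplus_servers` (the keyword is shown commented out above) and keep `secret=`/`server=` only in `tacplus_servers.j2`, whose header says it should be mode 600. If embedding the secret here is a deliberate trade-off so that lookups work for users who are not yet logged in, the header comment should say so and the Python side should be checked for the file mode; neither is visible in this hunk. Both this file and `tacplus_servers.j2` also have the typo `passsed` in the source_ip comment — `passed`.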
diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2
new file mode 100644
index 000000000..5a65d6e68
--- /dev/null
+++ b/data/templates/login/tacplus_servers.j2
@@ -0,0 +1,59 @@
+# Automatically generated by system-login.py
+# TACACS+ configuration file
+
+# This is a common file used by audisp-tacplus, libpam_tacplus, and
+# libtacplus_map config files as shipped.
+#
+# Any tac_plus client config can go here that is common to all users of this
+# file, but typically it's just the TACACS+ server IP address(es) and shared
+# secret(s)
+#
+# This file should normally be mode 600, if you care about the security of your
+# secret key. When set to mode 600 NSS lookups for TACACS users will only work
+# for tacacs users that are logged in, via the local mapping. For root, lookups
+# will work for any tacacs users, logged in or not.
+
+# Set a per-connection timeout of 10 seconds, and enable the use of poll() when
+# trying to read from tacacs servers. Otherwise standard TCP timeouts apply.
+# Not set or set to a negative value disables use of poll(). There are usually
+# multiple connection attempts per login.
+timeout={{ tacacs.timeout }}
+
+{% if tacacs.server is vyos_defined %}
+{% for server, server_config in tacacs.server.items() %}
+secret={{ server_config.key }}
+server={{ server }}:{{ server_config.port }}
+{% endfor %}
+{% endif %}
+
+# If set, login/logout accounting records are sent to all servers in
+# the list, otherwise only to the first responding server
+# Also used by audisp-tacplus per-command accounting, if it sources this file.
+acct_all=1
+
+{% if tacacs.vrf is vyos_defined %}
+# If the management network is in a vrf, set this variable to the vrf name.
+# This would usually be "mgmt". When this variable is set, the connection to the
+# TACACS+ accounting servers will be made through the named vrf.
+vrf={{ tacacs.vrf }}
+{% endif %}
+
+{% if tacacs.source_address is vyos_defined %}
+# Sets the IPv4 address used as the source IP address when communicating with
+# the TACACS+ server. IPv6 addresses are not supported, nor are hostnames.
+# The address must work when passsed to the bind() system call, that is, it must
+# be valid for the interface being used.
+source_ip={{ tacacs.source_address }}
+{% endif %}
+
+# If user_homedir=1, then tacacs users will be set to have a home directory
+# based on their login name, rather than the mapped tacacsN home directory.
+# mkhomedir_helper is used to create the directory if it does not exist (similar
+# to use of pam_mkhomedir.so). This flag is ignored for users with restricted
+# shells, e.g., users mapped to a tacacs privilege level that has enforced
+# per-command authorization (see the tacplus-restrict man page).
+user_homedir=1
+
+service=shell
+protocol=ssh
+
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.j2
index 3aaa7fc82..e0dfd897e 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.j2
@@ -1,3 +1,4 @@
+### Autogenerated by service_mdns-repeater.py ###
[server]
use-ipv4=yes
use-ipv6=yes
diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index 8fbc09e83..1370f8121 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -53,7 +53,7 @@ nfprobe_maxflows[{{ nf_server_key }}]: {{ netflow.max_flows }}
sampling_rate[{{ nf_server_key }}]: {{ netflow.sampling_rate }}
{% endif %}
{% if netflow.source_address is vyos_defined %}
-nfprobe_source_ip[{{ nf_server_key }}]: {{ netflow.source_address }}
+nfprobe_source_ip[{{ nf_server_key }}]: {{ netflow.source_address | bracketize_ipv6 }}
{% endif %}
{% if netflow.timeout is vyos_defined %}
nfprobe_timeouts[{{ nf_server_key }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }}
@@ -73,7 +73,7 @@ sfprobe_agentip[{{ sf_server_key }}]: {{ sflow.agent_address }}
sampling_rate[{{ sf_server_key }}]: {{ sflow.sampling_rate }}
{% endif %}
{% if sflow.source_address is vyos_defined %}
-sfprobe_source_ip[{{ sf_server_key }}]: {{ sflow.source_address }}
+sfprobe_source_ip[{{ sf_server_key }}]: {{ sflow.source_address | bracketize_ipv6 }}
{% endif %}
{% endfor %}
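Review bot: Both `source_ip` lines now pass through `bracketize_ipv6`, but the hunk header shows the neighbouring `sfprobe_agentip[{{ sf_server_key }}]: {{ sflow.agent_address }}` still rendering the address raw; if that option can hold an IPv6 address in pmacct, it presumably needs the same filter for consistency, otherwise a comment such as `{# agent_address is IPv4-only, no bracketing needed #}` would explain the difference. The enclosing `{% for %}` block starts outside the hunk.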