From cc86483fdf7a6bd988f485c06402fd07368dd26e Mon Sep 17 00:00:00 2001
From: kumvijaya <kumvijaya@gmail.com>
Date: Tue, 21 May 2024 16:41:14 +0530
Subject: T6357: create test repository to validate setup

---
 data/templates/https/nginx.default.j2         | 69 +++++++++++++++++++++++++++
 data/templates/https/override.conf.j2         | 15 ++++++
 data/templates/https/vyos-http-api.service.j2 | 23 +++++++++
 3 files changed, 107 insertions(+)
 create mode 100644 data/templates/https/nginx.default.j2
 create mode 100644 data/templates/https/override.conf.j2
 create mode 100644 data/templates/https/vyos-http-api.service.j2

(limited to 'data/templates/https')

diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
new file mode 100644
index 0000000..4619361
--- /dev/null
+++ b/data/templates/https/nginx.default.j2
@@ -0,0 +1,69 @@
+### Autogenerated by service_https.py ###
+
+{% if enable_http_redirect is vyos_defined %}
+server {
+    listen 80 default_server;
+    server_name {{ hostname }};
+    return 301 https://$host$request_uri;
+}
+{% endif %}
+
+server {
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+    listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
+{%     endfor %}
+{% else %}
+    listen {{ port }} ssl;
+    listen [::]:{{ port }} ssl;
+{% endif %}
+
+    server_name {{ hostname }};
+    root /srv/localui;
+
+{% if request_body_size_limit is vyos_defined %}
+    client_max_body_size {{ request_body_size_limit }}M;
+{% endif %}
+
+    # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+    ssl_certificate {{ certificates.cert_path }};
+    ssl_certificate_key {{ certificates.key_path }};
+{%     if certificates.dh_file is vyos_defined %}
+    ssl_dhparam {{ certificates.dh_file }};
+{%     endif %}
+{% else %}
+    # Self signed certs generated by the ssl-cert package
+    # Don't use them in a production server!
+    include snippets/snakeoil.conf;
+{% endif %}
+
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
+
+    # From LetsEncrypt
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+
+    # proxy settings for HTTP API, if enabled; 503, if not
+    location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+        proxy_pass http://unix:/run/api.sock;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600;
+        proxy_buffering off;
+{% else %}
+        return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+        allow {{ address }};
+{%     endfor %}
+        deny all;
+{% endif %}
+    }
+    error_page 497 =301 https://$host:{{ port }}$request_uri;
+}
diff --git a/data/templates/https/override.conf.j2 b/data/templates/https/override.conf.j2
new file mode 100644
index 0000000..c2c191b
--- /dev/null
+++ b/data/templates/https/override.conf.j2
@@ -0,0 +1,15 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+
+[Service]
+ExecStartPre=
+ExecStartPre={{ vrf_command }}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=
+ExecStart={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=
+ExecReload={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
+Restart=always
+RestartPreventExitStatus=
+RestartSec=10
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
new file mode 100644
index 0000000..aa4da76
--- /dev/null
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -0,0 +1,23 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+Description=VyOS HTTP API service
+After=vyos-router.service
+Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
+
+[Service]
+ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
+ExecReload=kill -HUP $MAINPID
+Type=idle
+
+SyslogIdentifier=vyos-http-api
+SyslogFacility=daemon
+
+Restart=on-failure
+
+# Does't work but leave it here
+User=root
+Group=vyattacfg
+
+[Install]
+WantedBy=vyos.target
-- 
cgit v1.2.3