Compare commits


5 Commits

Author SHA1 Message Date
Eri - 1d32924d85 things and stuff 2021-03-06 20:44:03 +01:00
Eri - 6946bbd224 fix configDir 2019-04-07 23:12:31 +02:00
Eri - a1490e209a typo 2019-04-07 23:02:11 +02:00
Eri - fbe1f6c5b0 enable freeradius for authless eap wifi 2019-04-07 22:56:27 +02:00
Eri - 0b59c8cf5b new container for freeradius 2019-04-07 22:45:06 +02:00
357 changed files with 12976 additions and 63017 deletions


@ -1,10 +0,0 @@
# This file contains a list of commits that are not likely what you
# are looking for in a blame, such as mass reformatting or renaming.
# You can set this file as a default ignore file for blame by running
# the following command.
#
# $ git config blame.ignoreRevsFile .git-blame-ignore-revs
# format commits
aaddec81945750222721659be65ecd6bf2503c6a
b4d2a7f95952f8ca9ca13f9ff629f689a284c6fb

2
.gitattributes vendored

@ -1,2 +0,0 @@
# see https://github.com/getsops/sops/blob/main/README.rst#47showing-diffs-in-cleartext-in-git how to use this
*.yaml diff=sops

5
.gitignore vendored

@ -1,5 +0,0 @@
.*.swp
*.retry
result
result-*
/hosts/mediawiki/MediaWikiExtensionsComposer/

3
.gitmodules vendored Normal file

@ -0,0 +1,3 @@
[submodule "secrets"]
path = secrets
url = ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git
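Review bot: The new `secrets` submodule points at a private repository over SSH on a non-default port, but nothing in this file says so, and the rewritten README in this compare does not appear to mention the submodule either, so a plain `git clone --recurse-submodules` or `git submodule update --init` will fail for anyone without an authorised key. A full-line comment above the section would spare contributors the failed fetch, e.g. `# private repository: needs an SSH key authorised for c3d2-admins/secrets; clone without --recurse-submodules (or set submodule.secrets.update=none) if you lack access`. Note also that the superproject's recorded submodule commit is what pins the deployed secrets revision, so that pin should be advanced deliberately; if `--remote` tracking is intended, an explicit `branch = <default-branch>` key (placeholder, fill in the repository's actual default branch) makes the tracked ref visible rather than relying on the remote HEAD.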


@ -1,436 +0,0 @@
keys:
# The PGP keys in keys/
- &admins
- DD0998E6CDF294537FC604F991FA5E5BF9AA901C # 0xA
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
- 8F79E6CD6434700615867480D11A514F5095BFA8 # dennis
- 4F9F44A64CC2E438979329E1F122F05437696FCE # poelzi
- 91EBE87016391323642A6803B966009D57E69CC6 # revol-xut
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
- 4B12EFA69166CA8C23FC47E49CD3A46248B660CA # vv01f
- A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 # winzlieb
- &users
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
- 8F79E6CD6434700615867480D11A514F5095BFA8 # dennis
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
- 9580391316684474BFBD41EC3E8C55248C19AF2A # xyrill
- &polygon-snowflake age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c # polygon
# Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'ssh some.serv.zentralwerk.org cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &activity-relay age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
- &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
- &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
- &buzzrelay age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
- &c3d2-web age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
- &caveman age13dl5qjzddaazmquf7zfecru5tr4ld8l8xd7xpmhaqqzmchpua4usswqykd
- &dacbert age1g2ewsxcu5uqlesaznp2qwlcz8w66pxh4qxkul8wu7x8g2hw83saqxynpyk
- &dn42 age1726t33dl7pv3xrxxlafj2sexh7c0jm8pza84yu6l3wpz3fw5dauqxlass3
- &drone age1w6u8zjfya63q9rjfll98eegnfdsvyaspnwn802t2mxh47gt8p30q0kn898
- &freifunk age17rrjtdgzzwgjatyqqv27pftx42t8xhksls46jc3f78juzw4g04vsd7lr7e
- &ftp age1lkr5rkf3z0976g8snmznf755gnexhjkwpzsw8xxwyesqmneawa4qgsqx77
- &gitea age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
- &glotzbert age1zqpep2vgfqeyvtj2jpxczfgrpjffwda429rnuztfp0vpqsrqdq8s8f4yua
- &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
- &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
- &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
- &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
- &knot age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
- &mail age15t7hj27j6ccs8u7mfz8su3aa74g4dxp4crkgc3c0rs28hct7q4ssgk8zcm
- &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
- &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
- &matrix age1s2ww76ll6nclz74gny27tk42xfsepl23z2k0849a8jv8xpnmpe3shgunxr
- &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
- &mobilizon age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
- &mucbot age1qen44cx5sx0y299zl93cz3tflx8agt8y9vtm0d4uxw42t9gyecdsw9jade
- &nfsroot age18yxgwpakrkzq8ca2enayf79py25se3d8dsed2q523869re30jcaqx6rjln
- &nncp age15853dr2kd6r2329tkcanwnruh6zd2xvsu5twc7gnxeyu3h7t6q5scckaq8
- &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
- &owncast age1cp9gsuyfu52exk0hr3fvj404v5njhahakzwlugwtneyrs4vgdyaq0sg92f
- &pretalx age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s
- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
- &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
- &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
- &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
- &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
- &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
- &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
- &server8 age12jcu0jtw7m96evxnd0vu6lvsm8uswslrdhxd2u655vjrwhljmqdsptry37
- &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
- &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7
- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
- &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
- &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
- &vaultwarden age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
creation_rules:
- path_regex: modules/backup\.yaml$
key_groups:
- pgp: *admins
age:
- *activity-relay
- *auth
- *blogs
- *buzzrelay
- *caveman
- *drone
- *gitea
- *grafana
- *hedgedoc
- *home-assistant
- *hydra
- *jabber
- *mail
- *mastodon
- *matemat
- *matrix
- *mediawiki
- *mobilizon
- *owncast
- *pretalx
- *sdrweb
- *ticker
- *vaultwarden
- *polygon-snowflake
- path_regex: modules/cluster/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *hydra
- *server8
- *server9
- *server10
- *polygon-snowflake
- path_regex: config/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *polygon-snowflake
- *auth
- *blogs
- *broker
- *buzzrelay
- *c3d2-web
- *dacbert
- *dn42
- *freifunk
- *ftp
- *gitea
- *glotzbert
- *gnunet
- *grafana
- *hedgedoc
- *hydra
- *jabber
- *knot
- *mail
- *mastodon
- *matemat
- *matrix
- *mediawiki
- *mucbot
- *nfsroot
- *oparl
- *pretalx
- *prometheus
- *public-access-proxy
- *pulsebert
- *radiobert
- *riscbert
- *scrape
- *sdrweb
- *server8
- *server9
- *server10
- *spaceapi
- *storage-ng
- *stream
- *ticker
- *vaultwarden
- path_regex: hosts/activity-relay/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *activity-relay
- *polygon-snowflake
- path_regex: hosts/auth/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *auth
- *polygon-snowflake
- path_regex: hosts/knot/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *knot
- *polygon-snowflake
- path_regex: hosts/blogs/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *blogs
- *polygon-snowflake
- path_regex: hosts/broker/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *broker
- *polygon-snowflake
- path_regex: hosts/buzzrelay/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *buzzrelay
- *polygon-snowflake
- path_regex: hosts/c3d2-web/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *c3d2-web
- *polygon-snowflake
- path_regex: hosts/caveman/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *caveman
- *polygon-snowflake
- path_regex: hosts/dacbert/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *dacbert
- *polygon-snowflake
- path_regex: hosts/dn42/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *dn42
- *polygon-snowflake
- path_regex: hosts/drone/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *drone
- *polygon-snowflake
- path_regex: hosts/freifunk/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *freifunk
- *polygon-snowflake
- path_regex: hosts/gitea/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *gitea
- *polygon-snowflake
- path_regex: hosts/glotzbert/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *glotzbert
- *polygon-snowflake
- path_regex: hosts/grafana/secrets+\.yaml$
key_groups:
- pgp: *admins
age:
- *grafana
- *polygon-snowflake
- path_regex: hosts/hedgedoc/secrets+\.yaml$
key_groups:
- pgp: *admins
age:
- *hedgedoc
- *polygon-snowflake
- path_regex: hosts/home-assistant/secrets+\.yaml$
key_groups:
- pgp: *admins
age:
- *home-assistant
- *polygon-snowflake
- path_regex: hosts/hydra/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *hydra
- *polygon-snowflake
- path_regex: hosts/jabber/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *jabber
- *polygon-snowflake
- path_regex: hosts/mail/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mail
- *polygon-snowflake
- path_regex: hosts/mastodon/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mastodon
- *polygon-snowflake
- path_regex: hosts/matemat/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *matemat
- *polygon-snowflake
- path_regex: hosts/matrix/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *matrix
- *polygon-snowflake
- path_regex: hosts/mediawiki/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mediawiki
- *polygon-snowflake
- path_regex: hosts/mobilizon/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mobilizon
- *polygon-snowflake
- path_regex: hosts/mucbot/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *mucbot
- *polygon-snowflake
- path_regex: hosts/oparl/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *oparl
- *polygon-snowflake
- path_regex: hosts/owncast/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *owncast
- *polygon-snowflake
- path_regex: hosts/pretalx/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *pretalx
- *polygon-snowflake
- path_regex: hosts/sdrweb/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *sdrweb
- *polygon-snowflake
- path_regex: hosts/radiobert/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *radiobert
- *polygon-snowflake
- path_regex: hosts/scrape/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *scrape
- *polygon-snowflake
- path_regex: hosts/server8/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *server8
- *polygon-snowflake
- path_regex: hosts/server9/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *server9
- *polygon-snowflake
- path_regex: hosts/server10/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *server10
- *polygon-snowflake
- path_regex: hosts/storage-ng/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *storage-ng
- *polygon-snowflake
- path_regex: hosts/ticker/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *ticker
- *polygon-snowflake
- path_regex: hosts/prometheus/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *prometheus
- *polygon-snowflake
- path_regex: hosts/stream/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *stream
- *polygon-snowflake
- path_regex: hosts/vaultwarden/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *vaultwarden
- *polygon-snowflake

292
README.md

@ -1,293 +1,17 @@
---
gitea: none
title: Flockige Infrastruktur deklarativ
include_toc: yes
lang: en
---
# Deployment
# C3D2 infrastructure based on NixOS
Beide failen bei Activation des neuen Profils. (TODO)
## Setup
### Enable nix flakes user wide
Add the setting to the user nix.conf. Only do this once!
```bash
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
```
### Enable nix flakes system wide (preferred for NixOS)
add this to your NixOS configuration:
```nix
nix.settings.experimental-features = [ "nix-command" "flakes" ];
```
### nixpkgs/nixos
The nixpkgs/nixos input used lives at <https://github.com/supersandro2000/nixpkgs/tree/nixos-23.05>.
We are using a fork managed by sandro to make backports, cherry-picks and custom fixes dead easy.
If you want to have an additional backport, cherry-pick or other change, please contact sandro.
### nixos-modules repo
The nixos-modules repo lives at <https://github.com/supersandro2000/nixos-modules> and is mirrored to <https://gitea.c3d2.de/c3d2/nixos-modules>.
Auto generated documentation about all options is available at <https://supersandro2000.github.io/nixos-modules/>.
It contains options sandro shares between his private nixos configs and the C3D2 one.
It sets many options by default and when searching for a particular setting you should always grep this repo, too.
In question ask sandro and consider improving the documentation about this with comments and readme explanations.
Something should be changed/added/removed/etc? Please create a PR or start a conversations with your ideas.
### secrets repo
The secrets repo is absolutely deprecated!
Everything new must be done through sops and everything old should be migrated.
If you don't have secrets access ask sandro or astro to get onboarded.
### SSH access
If people should get root access to *all* machines, their keys should be added to ``ssh-public-keys.nix``.
## Deployment
### Deploy to a remote NixOS system
For every host that has a `nixosConfiguration` in our Flake, there are two scripts that can be run for deployment via ssh.
- `nix run .#HOSTNAME-nixos-rebuild switch`
Copies the current state to build on the target system.
This may fail due to resource limits on eg. Raspberry Pis.
- `nix run .#HOSTNAME-nixos-rebuild-local switch`
Builds everything locally, then uses `nix copy` to transfer the new NixOS system to the target.
To use the cache from hydra set the following nix options similar to enabling flakes:
```
trusted-public-keys = nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=
trusted-substituters = https://nix-cache.hq.c3d2.de
```
This can also be set with the `c3d2.addBinaryCache` option from the [c3d2-user-module](https://gitea.c3d2.de/c3d2/nix-user-module).
### Checking for updates
## Mit `nixos-switch rebuild`
```shell
nix run .#list-upgradable
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
```
![list-upgradable output](doc/list-upgradable.png)
Checks all hosts with a `nixosConfiguration` in `flake.nix`.
### Update from [Hydra build](https://hydra.hq.c3d2.de/jobset/c3d2/nix-config#tabs-jobs)
The fastest way to update a system, a manual alternative to setting
`c3d2.autoUpdate = true;`
Just run:
## Mit NixOps
```shell
update-from-hydra
nixops create hq.nixops -d hq
nixops deploy -d hq --debug --include=dhcp --force-reboot
nixops deploy -d hq --include=grafana -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.09.tar.gz --force-reboot
```
### Deploy a MicroVM
#### Build a microvm remotely and deploy
```shell
nix run .#microvm-update-HOSTNAME
```
#### Build microvm locally and deploy
```shell
nix run .#microvm-update-HOSTNAME-local
```
#### Update MicroVM from our Hydra
Our Hydra runs `nix flake update` daily in the `updater.timer`,
pushing it to the `flake-update` branch so that it can build fresh
systems. This branch is setup as the source flake in all the MicroVMs,
so the following is all that is needed on a MicroVM-hosting server:
```shell
microvm -Ru $hostname
```
## Cluster deployment with Skyflake
### About
[Skyflake](https://github.com/astro/skyflake) provides Hyperconverged
Infrastructure to run NixOS MicroVMs on a cluster. Our setup unifies
networking with one bridge per VLAN. Persistent storage is replicated
with Cephfs.
Recognize nixosConfiguration for our Skyflake deployment by the
`self.nixosModules.cluster-options` module being included.
### User interface
We use the less-privileged `c3d2@` user for deployment. This flake's
name on the cluster is `config`. Other flakes can coexist in the same
user so that we can run separately developed projects like
*dump-dvb*. *leon* and potentially other users can deploy Flakes and
MicroVMs without name clashes.
#### Deploying
**git push** this repo to any machine in the cluster, preferably to
Hydra because there building won't disturb any services.
You don't deploy all MicroVMs at once. Instead, Skyflake allows you to
select NixOS systems by the branches you push to. **You must commit
before you push!**
**Example:** deploy nixosConfigurations `mucbot` and `sdrweb` (`HEAD` is your
current commit)
```bash
git push c3d2@hydra.serv.zentralwerk.org:config HEAD:mucbot HEAD:sdrweb
```
This will:
1. Build the configuration on Hydra, refusing the branch update on
broken builds (through a git hook)
2. Copy the MicroVM package and its dependencies to the binary cache
that is accessible to all nodes with Cephfs
3. Submit one job per MicroVM into the Nomad cluster
*Deleting* a nixosConfiguration's branch will **stop** the MicroVM in Nomad.
#### Updating
**TODO:** how would you like it?
#### MicroVM status
```bash
ssh c3d2@hydra.serv.zentralwerk.org status
```
### Debugging for cluster admins
#### Nomad
##### Check the cluster state
```shell
nomad server members
```
Nomad *servers* **coordinate** the cluster.
Nomad *clients* **run** the tasks.
##### Browse in the terminal
[wander](https://github.com/robinovitch61/wander) and
[damon](https://github.com/hashicorp/damon) are nice TUIs that are
preinstalled on our cluster nodes.
##### Browse with a browser
First, tunnel TCP port `:4646` from a cluster server:
```bash
ssh -L 4646:localhost:4646 root@server10.cluster.zentralwerk.org
```
Then, visit https://localhost:4646 for for full klickibunti.
##### Reset the Nomad state on a node
After upgrades, Nomad servers may fail rejoining the cluster. Do this
to make a *Nomad server* behave like a newborn:
```shell
systemctl stop nomad
rm -rf /var/lib/nomad/server/raft/
systemctl start nomad
```
## Secrets management
### Secrets Management Using `sops-nix`
#### Adding a new host
Edit `.sops.yaml`:
1. Add an AGE key for this host. Comments in this file tell you how to do it.
2. Add a `creation_rules` section for `host/$host/*.yaml` files
#### Editing a hosts secrets
Edit `.sops.yaml` to add files for a new host and its SSH pubkey.
```bash
# Get sops
nix develop
# Decrypt, start en EDITOR, encrypt
sops hosts/.../secrets.yaml
# Push
git commit -a -m Adding new secrets
git push origin
```
### Secrets management with PGP
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
Maybe this works for you, maybe not. I did it somehow:
```bash
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
```
Your gpg key has to have the Authenticate flag set. If not update it and push it to a keyserver and wait.
This is necessary, so you can login to any machine with your gpg key.
## Laptops / Desktops
This repo could be used in the past as a module. While still technically possible, it is not recommended
because the amounts of flake inputs highly increased and the modules are not designed with that in mind.
For end user modules take a look at the [c3d2-user-module](https://gitea.c3d2.de/c3d2/nix-user-module).
For the deployment options take a look at [deployment](https://gitea.c3d2.de/c3d2/deployment).
## File system setup
Set the `disko` options for the machine and run:
```shell
$(nix build --print-out-paths --no-link -L '.#nixosConfigurations.HOSTNAME.config.system.build.disko')
```
When adding new disks the paths under ``/dev/disk/by-id/`` should be used, so that the script is idempotent across device restarts.
## Install new server
- Copy the nix files from an existing, similar host.
- Disable all secrets until after the installation is finished.
- Set `simd.arch` option to the output of ``nix shell nixpkgs#gcc -c gcc -march=native -Q --help=target | grep march`` and update the comment next to it
- If that returns `x86_64` search on a search engine for the `ark.intel.com` entry for the processor which can be found by catting ``/proc/cpuinfo``
- Generate `networking.hostId` with ``head -c4 /dev/urandom | od -A none -t x4`` according to the options description.
- Boot live ISO
- If your ssh key is not baked into the iso, set a password for the `nixos` with passwd to be able to log in over ssh.
- `rsync` the this directory into the live system.
- generate and apply disk layout with disko (see above).
- Generate `hardware-configuration.nix` with ``sudo nixos-generate-config --no-filesystems --root /mnt``.
- If luks disks should be decrypted in initrd over ssh, enable DHCP in the `hardware-configuration.nix` for the interfaces that should be used for that.
- Install nixos system with ``sudo nixos-install --root /mnt --no-channel-copy --no-root-passwd --flake .#HOSTNAME``.
- After a reboot add age key to sops-nix with ``nix shell nixpkgs#ssh-to-age`` and ``ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub``.
- Add ``/etc/machine-id`` and luks password to sops secrets.
- Enable and deploy secrets again.
- Improve new machine setup by automating easy to automate steps and document others.
- Commit everything and push





@ -1,343 +0,0 @@
{ config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }:
# this file contains default configuration that may be turned on depending on other config settings.
# options should go to modules.
{
assertions = [
{
assertion = config.system.replaceRuntimeDependencies == [];
message = "system.replaceRuntimeDependencies causes hydra to build the system at evaluation time. It must be removed!";
}
{
assertion = lib.versions.major pkgs.ceph.version != 16;
message = "Please pin ceph to major version 16!";
}
];
boot = {
enableContainers = false; # should be enabled explicitly
loader.systemd-boot = {
configurationLimit = lib.mkDefault 10;
editor = false;
graceful = true;
};
kernel.sysctl = {
"kernel.panic" = 60; # reset 60 seconds after a kernel panic
"net.ipv4.tcp_congestion_control" = "bbr";
};
tmp.cleanOnBoot = true;
# recommend to turn off, only on by default for backwards compatibility
zfs.forceImportRoot = false;
};
c3d2 = {
# NOTE: this must be off, otherwise our nix binary cache creates a loop with itself
addBinaryCache = lib.mkForce false;
addKnownHosts = true;
sshKeys = ssh-public-keys;
};
documentation.enable = false;
environment = {
etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) {
text = lib.concatMapStrings (ns: ''
nameserver ${ns}
'') config.networking.nameservers;
};
gnome.excludePackages = with pkgs; with gnome; [
baobab
cheese
epiphany # we are using firefox or chromium and requires second webkitgtk
geary
gnome-calendar
gnome-contacts
gnome-maps
gnome-music
gnome-photos
gnome-weather
orca
simple-scan
totem
yelp # less webkitgtk's
];
interactiveShellInit = /* sh */ ''
# raise some awareness torwards failed services
systemctl --no-pager --failed || true
'';
noXlibs = !config.services.xserver.enable;
systemPackages = with pkgs; [
bmon
curl
dig
ethtool
fd
git
htop
iotop
(iproute2.overrideAttrs ({ configureFlags ? [], src, ... }: let
version = "6.8.0";
in {
inherit version;
src = pkgs.fetchurl {
url = "mirror://kernel/linux/utils/net/iproute2/iproute2-${version}.tar.xz";
hash = "sha256-A6bMo9cakI0fFfe0lb4rj+hR+UFFjcRmSQDX9F/PaM4=";
};
configureFlags = configureFlags ++ [
"--color" "auto"
];
}))
jq
lsof # to find lingering nix processes locking files in nix store
mtr
pv
ripgrep
rsync
screen
strace
tcpdump
tree
vim
wget
];
};
hardware.enableRedistributableFirmware = lib.mkDefault true;
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
networking = {
firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
# proxy protocol used by public-access-proxy
8080
8443
];
nameservers = with hostRegistry.dnscache; [
ip4
ip6
] ++ (if config.services.resolved.enable then [
"9.9.9.9#dns.quad9.net"
"1.1.1.1#cloudflare-dns.com"
] else [
"9.9.9.9"
"1.1.1.1"
]);
useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true;
};
nix = {
deleteChannels = true;
deleteUserProfiles = true;
gc = {
automatic = lib.mkDefault true;
dates = "06:00";
options = "--delete-older-than 21d";
randomizedDelaySec = "6h";
};
nixPath = [
"nixpkgs=${builtins.unsafeDiscardStringContext nixos}"
"nixos=${builtins.unsafeDiscardStringContext nixos}"
"nixos-config=/you/shall/deploy/from/the/flake"
];
registry.nixpkgs.flake = nixos;
settings = {
extra-experimental-features = "ca-derivations";
# if a download from hydra fails, we want to stop and retry it, instead of building it
fallback = false;
trusted-public-keys = [
"nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
stalled-download-timeout = 60; # in case hydra is not reachable fail faster
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-cache.hq.c3d2.de" ]
);
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [
"drone.io"
"drone-runner-ssh"
"elasticsearch" # mastodon
];
# trust sandro to set good defaults in nixos-modules
opinionatedDefaults = true;
programs = {
fzf.keybindings = true;
git = {
enable = true;
# silence hints in various programs like drone
config.init.defaultBranch = "master";
};
tmux = {
enable = true;
historyLimit = 50000;
extraConfig = ''
# mouse control
set -g mouse on
# don't clear selection on copy
bind-key -Tcopy-mode-vi MouseDragEnd1Pane send -X copy-selection-no-clear
bind-key -Tcopy-mode-vi y send -X copy-selection-no-clear
'';
};
vim.defaultEditor = true;
};
security.ldap.domainComponent = [ "c3d2" "de" ];
services = {
# set here explicitly, so that other modules can acces it like nixos-modules grafana
# keep in sync with nixos/modules/services/misc/portunus.nix
dex.settings.issuer = "https://${config.services.portunus.domain}/dex";
gitea.ldap = {
adminGroup = "gitea-admins";
userGroup = "gitea-users";
};
gnome = {
# less webkitgtk's
evolution-data-server.enable = lib.mkForce false;
gnome-initial-setup.enable = false;
};
grafana.oauth = {
adminGroup = "grafana-admins";
userGroup = "grafana-users";
};
hedgedoc.ldap.userGroup = "hedgedoc-users";
home-assistant.ldap = {
adminGroup = "home-assistant-admins";
userGroup = "home-assistant-users";
};
hydra.ldap = {
roleMappings = [
{ hydra-admins = "admin"; }
];
userGroup = "hydra-users";
};
mastodon.ldap.userGroup = "mastodon-users";
matrix-synapse.ldap.userGroup = "matrix-users";
nginx = {
appendHttpConfig = ''
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log proxyCombined;
'';
commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
set_real_ip_from ${hosts4.public-access-proxy};
set_real_ip_from ${hosts6.up4.public-access-proxy};
real_ip_header proxy_protocol;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
'';
};
openssh = {
# Required for deployment and sops
enable = true;
settings = {
AcceptEnv = "SYSTEMD_PAGER";
LoginGraceTime = 30; # throw out unauthenticated connections earlier than the 120 default
PasswordAuthentication = lib.mkIf (!config.c3d2.k-ot.enable) false;
PermitRootLogin = lib.mkOverride 900 "prohibit-password";
};
};
portunus = with zentralwerk.lib.config.site.net.serv; {
domain = "auth.c3d2.de";
internalIp4 = hosts4.auth;
internalIp6 = hosts6.up4.auth;
ldapPreset = true;
# those can't be under hosts/*/default.nix because those are not imported for the auth microvm
seedSettings.groups = map (n: {
long_name = n;
name = lib.toLower (lib.replaceStrings [" "] ["-"] n);
permissions = { };
}) [
"Mail Users"
"Mobilizon Users"
"Vaultwarden Users"
"Vaultwarden Social Media Accounts"
];
};
postgresql.upgrade = {
extraArgs = [ "--link" ]
++ lib.optional (config ? microvm) "--jobs=${toString config.microvm.vcpu}";
newPackage = pkgs.postgresql_16;
stopServices = lib.optional config.services.nginx.enable "nginx"
++ lib.optional config.c3d2.hq.statistics.enable "collectd";
};
redis.vmOverCommit = true;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "mail@c3d2.de";
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
# does not suceed on installation which is okay
system.activationScripts.deleteOldSystemProfiles = lib.mkIf config.nix.gc.automatic ''
echo "Deleting old system profiles..."
${config.nix.package}/bin/nix-env --profile /nix/var/nix/profiles/system --delete-generations +10 || true
'';
systemd = {
# don't kick us out if one disk is missing
enableEmergencyMode = false;
# maybe set enable = false instead?
network.wait-online.anyInterface = true;
services.nix-daemon.serviceConfig = {
# kill all worker thread when restarting
KillMode = "control-group";
# restart if killed eg oom killed
Restart = "on-failure";
};
# Reboot on hang
watchdog = lib.mkIf (!config.boot.isContainer) {
runtimeTime = "15s";
rebootTime = "15s";
};
};
time.timeZone = lib.mkDefault "Europe/Berlin";
users.motdFile = ./motd;
}


@ -1,6 +0,0 @@
______ ______
/ / / / / /\ \ \
/ / / / / / \ \ \
\ \ \ \ / / / / /
\_\_\_\/_/ /_/_/



@ -1,970 +0,0 @@
{
"nodes": {
"affection-src": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1700847735,
"narHash": "sha256-hSHgLPZwWP7tPoUhH2GLQ4GvHvVGFiXIM0CLps+O5KE=",
"ref": "refs/heads/master",
"rev": "d0465fa3e1d122503439df7c2de9d16598fc0cf5",
"revCount": 306,
"type": "git",
"url": "https://gitea.nek0.eu/nek0/affection"
},
"original": {
"type": "git",
"url": "https://gitea.nek0.eu/nek0/affection"
}
},
"alert2muc": {
"inputs": {
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1685997764,
"narHash": "sha256-SMIfPyGgNq7+8uChNnhIAma4QbKRTpZJnBtmggaAhiM=",
"ref": "refs/heads/main",
"rev": "0aaae8587303499c40b9c9ea726dbb1277a3e1c7",
"revCount": 23,
"type": "git",
"url": "https://gitea.c3d2.de/astro/alert2muc"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/alert2muc"
}
},
"bevy-julia": {
"inputs": {
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1663441942,
"narHash": "sha256-KNKnxcD8mHfjCqI0FluGOY1gfDfOMo8K9upGnCGksGo=",
"ref": "main",
"rev": "7feee1b6c436230f2adea774aab14a74d862e355",
"revCount": 3,
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
}
},
"bevy-mandelbrot": {
"inputs": {
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1663194086,
"narHash": "sha256-412sqKeKP8qm8Teno8xnl8/yMWxjZaRa7ujw5xaa5qw=",
"ref": "main",
"rev": "a37a6e16946f0515242a30699a9b34bdc45ef87e",
"revCount": 9,
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"buzzrelay": {
"inputs": {
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1714004061,
"narHash": "sha256-gvRG8CkCFxQ3jqdiU+O6s9YdZRTPU53yK7XmEwPO3mk=",
"owner": "astro",
"repo": "buzzrelay",
"rev": "c5fddfba89fd2d8dd7f415248a8ed878ffdb1f10",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "buzzrelay",
"type": "github"
}
},
"c3d2-user-module": {
"inputs": {
"nixos-modules": [
"nixos-modules"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1710844300,
"narHash": "sha256-pSP6v7VqWWWgekbYnASTrZXgOW270I7MoDIXLz960KY=",
"ref": "refs/heads/master",
"rev": "319dffc67b5c17c98d3ab77959568fc2b7c46513",
"revCount": 62,
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/nix-user-module.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/nix-user-module.git"
}
},
"caveman": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1713402078,
"narHash": "sha256-gFkpX4PA5hEmuvQxZX+TWBOdIGmwzOXs5bgGAwOEdvA=",
"ref": "main",
"rev": "bc45f3513e952e95660c2e063e7a2a79b350b024",
"revCount": 347,
"type": "git",
"url": "https://gitea.c3d2.de/astro/caveman.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/caveman.git"
}
},
"deployment": {
"inputs": {
"zentralwerk": [
"zentralwerk"
]
},
"locked": {
"lastModified": 1684524757,
"narHash": "sha256-gwJsDfc9hSqpqscyaEZkLccz0RH0NVss4FaxR2spUns=",
"ref": "refs/heads/main",
"rev": "399fb47d7e3898bd972c5e9f1ef04e29bb7d05b0",
"revCount": 4,
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/deployment.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/deployment.git"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1714103775,
"narHash": "sha256-kcBiIrmqzt3bNTr2GMBfAyA+on8BEKO1iKzzDFQZkjI=",
"owner": "nix-community",
"repo": "disko",
"rev": "285e26465a0bae510897ca04da26ce6307c652b4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"dns-nix": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"zentralwerk",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703643450,
"narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
"owner": "SuperSandro2000",
"repo": "dns.nix",
"rev": "70dcce71560d4253f63812fa36dee994c81ae814",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"repo": "dns.nix",
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"nixos"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1711952616,
"narHash": "sha256-WJvDdOph001fA1Ap3AyaQtz/afJAe7meSG5uJAdSE+A=",
"owner": "nix-community",
"repo": "fenix",
"rev": "209048d7c545905c470f6f8c05c5061f391031a8",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "monthly",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"heliwatch": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1713125817,
"narHash": "sha256-GpW5PN4JIV5SYp6ZuAeN2qRQH3hyiOUWNbR5J0Jhh2E=",
"ref": "refs/heads/master",
"rev": "9172dc5abd036707d5b5a21bcff5c61f6e55fde1",
"revCount": 73,
"type": "git",
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
}
},
"microvm": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1714072181,
"narHash": "sha256-MOxTGzM8lgq8uo6zAy6e4ZUdzUpF/eSQPBXeH5G5BtE=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "ac28e21ac336dbe01b1f1bcab01fd31db3855e40",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1713520724,
"narHash": "sha256-CO8MmVDmqZX2FovL75pu5BvwhW+Vugc7Q6ze7Hj8heI=",
"owner": "nix-community",
"repo": "naersk",
"rev": "c5037590290c6c7dae2e42e7da1e247e54ed2d49",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"nix-cache-cut": {
"inputs": {
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1686178371,
"narHash": "sha256-RwyZ3ZNlkTE6O7A5Lj5JcHHNCij3ZqfmZ5Pq+PB9Sq0=",
"owner": "astro",
"repo": "nix-cache-cut",
"rev": "9133ed18136e6acfd591e76fe06e4c095a66c39f",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "nix-cache-cut",
"type": "github"
}
},
"nixos": {
"locked": {
"lastModified": 1714342774,
"narHash": "sha256-gtwvQlNT1iY2reQLcsZ+7N+oeTyFzdWJcsKTS6Jv1xU=",
"owner": "SuperSandro2000",
"repo": "nixpkgs",
"rev": "b0ecb7c93fb862fd1f32abb6e23087740d9a8a1f",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1714201532,
"narHash": "sha256-nk0W4rH7xYdDeS7k1SqqNtBaNrcgIBYNmOVc8P2puEY=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "53db5e1070d07e750030bf65f1b9963df8f0c678",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixos-modules": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1714345437,
"narHash": "sha256-95Jrew6RACxyEATJg1asSfFq/dzDadLGBAxItb6/LRA=",
"owner": "SuperSandro2000",
"repo": "nixos-modules",
"rev": "1aeeba70ada1b0f1f8bc408ea3131882d35f15c3",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"repo": "nixos-modules",
"type": "github"
}
},
"nixos-unstable": {
"locked": {
"lastModified": 1714342499,
"narHash": "sha256-YdOQ/cIKBprDFR6VQ9cxrIct/RPJ3oeu+mhB8VeGsak=",
"owner": "SuperSandro2000",
"repo": "nixpkgs",
"rev": "4758ee042302e38b9ad81611719a4798ed7d2165",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"oparl-scraper": {
"flake": false,
"locked": {
"lastModified": 1656290558,
"narHash": "sha256-f9JRkxMWK4ONeCePB8UcQX8pAksQPF9YcxLbbcCgpFY=",
"owner": "offenesdresden",
"repo": "ratsinfo-scraper",
"rev": "0bc947ef28a6b83943db6fd9abbe2ae21ced7d06",
"type": "github"
},
"original": {
"owner": "offenesdresden",
"ref": "oparl",
"repo": "ratsinfo-scraper",
"type": "github"
}
},
"openwrt": {
"flake": false,
"locked": {
"lastModified": 1699273785,
"narHash": "sha256-zIUV/P275kSI1HlEnsYeBEGgj4YHmhu1VTvQ9lrki9w=",
"ref": "openwrt-21.02",
"rev": "4a1d8ef55cbf247f06dae8e958eb8eb42f1882a5",
"revCount": 51342,
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
},
"original": {
"ref": "openwrt-21.02",
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
}
},
"openwrt-imagebuilder": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1714298595,
"narHash": "sha256-ac3N94sLDsms82KM5/b7AnJ40PIZF24nqcnZzGzedJY=",
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"rev": "b1c6a3baac6acb1269dbfa003a498ef523f1bd6a",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"type": "github"
}
},
"root": {
"inputs": {
"affection-src": "affection-src",
"alert2muc": "alert2muc",
"bevy-julia": "bevy-julia",
"bevy-mandelbrot": "bevy-mandelbrot",
"buzzrelay": "buzzrelay",
"c3d2-user-module": "c3d2-user-module",
"caveman": "caveman",
"deployment": "deployment",
"disko": "disko",
"fenix": "fenix",
"flake-utils": "flake-utils",
"heliwatch": "heliwatch",
"microvm": "microvm",
"naersk": "naersk",
"nix-cache-cut": "nix-cache-cut",
"nixos": "nixos",
"nixos-hardware": "nixos-hardware",
"nixos-modules": "nixos-modules",
"nixos-unstable": "nixos-unstable",
"oparl-scraper": "oparl-scraper",
"openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder",
"rust-overlay": "rust-overlay",
"scrapers": "scrapers",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"skyflake": "skyflake",
"sops-nix": "sops-nix",
"spacemsg": "spacemsg",
"sshlogd": "sshlogd",
"ticker": "ticker",
"tigger": "tigger",
"tracer": "tracer",
"yammat": "yammat",
"zentralwerk": "zentralwerk"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1711885694,
"narHash": "sha256-dyezzeSbWMpflma+E9USmvSxuLgGcNGcGw3cOnX36ko=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "e4a405f877efd820bef9c0e77a02494e47c17512",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1713752081,
"narHash": "sha256-x0QDETp7paa8qq+LX6191JwSq8abUFXCnKNulQ8L7ps=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "606c0ecb23c676c444a0b026eecf800d5bd5fec2",
"type": "github"
},
"original": {
"owner": "oxalica",
"ref": "stable",
"repo": "rust-overlay",
"type": "github"
}
},
"scrapers": {
"flake": false,
"locked": {
"lastModified": 1713211784,
"narHash": "sha256-WeTVBaVN9UZvw7dy8jkH0Vz8zWhcEqFlwqK9R+VYa0k=",
"ref": "refs/heads/master",
"rev": "4bdef3adf8ca8beefc2ebf6a838bb351bf8ca113",
"revCount": 71,
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": [
"nixos"
],
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils"
},
"locked": {
"lastModified": 1713017338,
"narHash": "sha256-BGXZdqdEc8+nFiX08q/kd8rWHgyiO42tacBpt39diMI=",
"owner": "SuperSandro2000",
"repo": "nixos-mailserver",
"rev": "04490c0872d91da865b925a8b7f8ccd3ba982cbb",
"type": "gitlab"
},
"original": {
"owner": "SuperSandro2000",
"ref": "quote-ldap-password",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"skyflake": {
"inputs": {
"microvm": [
"microvm"
],
"nix-cache-cut": [
"nix-cache-cut"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1697197264,
"narHash": "sha256-8IQFwDudLZmBLNlA3xnmN7kAAi3RuPelf4iY7Zmt7PI=",
"owner": "astro",
"repo": "skyflake",
"rev": "40fb7a4fb248691014ba5b2c841f77a34d160a80",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "skyflake",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixos"
],
"nixpkgs-stable": [
"nixos"
]
},
"locked": {
"lastModified": 1713892811,
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spacemsg": {
"flake": false,
"locked": {
"lastModified": 1712512415,
"narHash": "sha256-X4JrvBfD9rKi7UN8R+Qwc1k7tqGIwgRFE4T1OGd1YcY=",
"owner": "astro",
"repo": "spacemsg",
"rev": "8842c2ab4144a1b1a9cc5feda5000858882c9617",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "spacemsg",
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1708358594,
"narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=",
"ref": "refs/heads/main",
"rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c",
"revCount": 614,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"sshlogd": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1680725015,
"narHash": "sha256-Rpr5ULz07gfdzVwAKHbTmVKAP0s4e51nZ0Kg4WcZcmU=",
"ref": "main",
"rev": "18889b61608af8cd6a5e703682e108c639aec816",
"revCount": 24,
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"ticker": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1711570353,
"narHash": "sha256-kpipz1JwZzXD/BxfmWVDFIY2NisteJsubkcMYyIl8rk=",
"ref": "refs/heads/master",
"rev": "f76b7bc517ffd068972b3660daa67b1f6b22c4cb",
"revCount": 140,
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
}
},
"tigger": {
"flake": false,
"locked": {
"lastModified": 1713196297,
"narHash": "sha256-xgEtm7r6AS8UetLWtAKm1Zy9N0Cm4MP9SPjNyksRv6Q=",
"owner": "astro",
"repo": "tigger",
"rev": "073cc63fcd6e25cba775b0b4ad8056c6200da03f",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "tigger",
"type": "github"
}
},
"tracer": {
"inputs": {
"affection-src": [
"affection-src"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1663279525,
"narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=",
"ref": "refs/heads/master",
"rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3",
"revCount": 342,
"type": "git",
"url": "https://gitea.c3d2.de/astro/tracer"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/tracer"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"yammat": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1705059643,
"narHash": "sha256-Y9SI1WGMXrnv02SOGoNdFIFTAbF6lxgtGBtaO3m+uOo=",
"ref": "refs/heads/master",
"rev": "fc279ce4becf8e44d53a2d8a5d68edbf36f19361",
"revCount": 425,
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/yammat.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/c3d2/yammat.git"
}
},
"zentralwerk": {
"inputs": {
"dns-nix": "dns-nix",
"nixpkgs": [
"nixos"
],
"openwrt": [
"openwrt"
],
"openwrt-imagebuilder": [
"openwrt-imagebuilder"
]
},
"locked": {
"lastModified": 1714264157,
"narHash": "sha256-/O/XJcp5npOD+qFGidkFJhahfhYuA6/y6BCb67iHB54=",
"ref": "refs/heads/master",
"rev": "848cf110ed4f71cac7b18d7b52378c1e42194187",
"revCount": 2025,
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
}
}
},
"root": "root",
"version": 7
}

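--- a/flake.nix
+++ /dev/null
@@ -1,812 +0,0 @@
-{
-description = "C3D2 NixOS configurations";
-nixConfig = {
-extra-substituters = [ "https://nix-cache.hq.c3d2.de" ];
-extra-trusted-public-keys = [ "nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" ];
-};
-inputs = {
-# use sandro's fork full with cherry-picked fixes
-nixos.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";
-nixos-unstable.url = "github:SuperSandro2000/nixpkgs/nixos-unstable";
-nixos-hardware.url = "github:nixos/nixos-hardware";
-affection-src = {
-url = "git+https://gitea.nek0.eu/nek0/affection";
-inputs = {
-nixpkgs.follows = "nixos";
-flake-utils.follows = "flake-utils";
-};
-};
-alert2muc = {
-url = "git+https://gitea.c3d2.de/astro/alert2muc";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-bevy-mandelbrot = {
-# url = "github:matelab/bevy_mandelbrot";
-url = "git+https://gitea.c3d2.de/astro/bevy-mandelbrot.git?ref=main";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-rust-overlay.follows = "rust-overlay";
-};
-};
-bevy-julia = {
-# url = "github:matelab/bevy_julia";
-url = "git+https://gitea.c3d2.de/astro/bevy-julia.git?ref=main";
-inputs = {
-nixpkgs.follows = "nixos";
-naersk.follows = "naersk";
-rust-overlay.follows = "rust-overlay";
-};
-};
-buzzrelay = {
-url = "github:astro/buzzrelay";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-caveman = {
-url = "git+https://gitea.c3d2.de/astro/caveman.git?ref=main";
-inputs = {
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-fenix.follows = "fenix";
-naersk.follows = "naersk";
-};
-};
-c3d2-user-module = {
-url = "git+https://gitea.c3d2.de/c3d2/nix-user-module.git";
-inputs = {
-nixos-modules.follows = "nixos-modules";
-nixpkgs.follows = "nixos";
-};
-};
-deployment = {
-url = "git+https://gitea.c3d2.de/c3d2/deployment.git";
-inputs = {
-zentralwerk.follows = "zentralwerk";
-};
-};
-disko = {
-url = "github:nix-community/disko";
-inputs.nixpkgs.follows = "nixos";
-};
-fenix = {
-url = "github:nix-community/fenix/monthly";
-inputs.nixpkgs.follows = "nixos";
-};
-flake-utils.url = "github:numtide/flake-utils";
-heliwatch = {
-url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
-inputs = {
-fenix.follows = "fenix";
-nixpkgs.follows = "nixos";
-naersk.follows = "naersk";
-utils.follows = "flake-utils";
-};
-};
-microvm = {
-url = "github:astro/microvm.nix";
-inputs = {
-flake-utils.follows = "flake-utils";
-nixpkgs.follows = "nixos";
-};
-};
-naersk = {
-url = "github:nix-community/naersk";
-inputs = {
-nixpkgs.follows = "nixos";
-};
-};
-nix-cache-cut = {
-url = "github:astro/nix-cache-cut";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-nixos-modules = {
-# NOTE: mirrored to https://gitea.c3d2.de/c3d2/nixos-modules
-# If there are questions, things should be added or changed, contact sandro
-url = "github:SuperSandro2000/nixos-modules";
-inputs = {
-flake-utils.follows = "flake-utils";
-nixpkgs.follows = "nixos";
-};
-};
-oparl-scraper = {
-url = "github:offenesdresden/ratsinfo-scraper/oparl";
-flake = false;
-};
-openwrt = {
-url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02";
-flake = false;
-};
-openwrt-imagebuilder = {
-url = "github:astro/nix-openwrt-imagebuilder";
-inputs = {
-nixpkgs.follows = "nixos";
-};
-};
-rust-overlay = {
-url = "github:oxalica/rust-overlay/stable";
-inputs = {
-flake-utils.follows = "flake-utils";
-nixpkgs.follows = "nixos";
-};
-};
-scrapers = {
-url = "git+https://gitea.c3d2.de/astro/scrapers.git";
-flake = false;
-};
-skyflake = {
-url = "github:astro/skyflake";
-inputs = {
-microvm.follows = "microvm";
-nixpkgs.follows = "nixos";
-nix-cache-cut.follows = "nix-cache-cut";
-};
-};
-sshlogd = {
-url = "git+https://gitea.c3d2.de/astro/sshlogd.git?ref=main";
-inputs = {
-utils.follows = "flake-utils";
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-fenix.follows = "fenix";
-};
-};
-simple-nixos-mailserver = {
-# url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
-url = "gitlab:SuperSandro2000/nixos-mailserver/quote-ldap-password";
-inputs = {
-nixpkgs.follows = "nixos";
-};
-};
-sops-nix = {
-url = "github:Mic92/sops-nix";
-inputs = {
-nixpkgs.follows = "nixos";
-nixpkgs-stable.follows = "nixos";
-};
-};
-spacemsg = {
-url = "github:astro/spacemsg";
-flake = false;
-};
-ticker = {
-url = "git+https://gitea.c3d2.de/astro/ticker.git";
-inputs = {
-fenix.follows = "fenix";
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-tigger = {
-url = "github:astro/tigger";
-flake = false;
-};
-tracer = {
-# url = "git+https://gitea.nek0.eu/nek0/tracer";
-url = "git+https://gitea.c3d2.de/astro/tracer";
-inputs = {
-affection-src.follows = "affection-src";
-nixpkgs.follows = "nixos";
-flake-utils.follows = "flake-utils";
-};
-};
-yammat = {
-url = "git+https://gitea.c3d2.de/c3d2/yammat.git";
-inputs.nixpkgs.follows = "nixos";
-};
-zentralwerk = {
-url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
-inputs = {
-nixpkgs.follows = "nixos";
-openwrt.follows = "openwrt";
-openwrt-imagebuilder.follows = "openwrt-imagebuilder";
-};
-};
-};
-outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, simple-nixos-mailserver, scrapers, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
-let
-inherit (nixos) lib;
-inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;
-libC = {
-inherit (import ./lib/nginx.nix {}) defaultListen hqNetworkOnly;
-};
-overlayList = [
-self.overlays
-];
-ssh-public-keys = import ./ssh-public-keys.nix;
-# Our custom NixOS builder
-nixosSystem' =
-{ nixos ? inputs.nixos
-, modules
-, system ? "x86_64-linux"
-}@args:
-{ inherit args; } // nixos.lib.nixosSystem {
-inherit system;
-modules = [
-{
-_module.args = {
-inherit hostRegistry libC nixos ssh-public-keys zentralwerk;
-};
-nixpkgs.overlays = overlayList;
-}
-self.nixosModules.c3d2
-] ++ modules;
-};
-in {
-overlays = import ./overlays {
-inherit (inputs)
-fenix naersk rust-overlay
-bevy-julia bevy-mandelbrot tracer;
-};
-legacyPackages = lib.attrsets.mapAttrs (_: pkgs: pkgs.appendOverlays overlayList) nixos.legacyPackages;
-packages = import ./packages.nix { inherit hostRegistry inputs lib microvm self; };
-nixosConfigurations = {
-activity-relay = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./modules/activity-relay.nix
-./hosts/activity-relay
-];
-};
-auth = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/auth
-];
-};
-blogs = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/blogs
-{
-nixpkgs.overlays = [
-fenix.overlays.default
-naersk.overlay
-];
-}
-];
-};
-broker = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/broker
-];
-};
-buzzrelay = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-buzzrelay.nixosModules.default
-./hosts/buzzrelay
-];
-};
-c3d2-web = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/c3d2-web
-];
-};
-caveman = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-caveman.nixosModule
-./hosts/caveman
-];
-};
-dacbert = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.raspberry-pi-4
-self.nixosModules.rpi-netboot
-./hosts/dacbert
-];
-system = "aarch64-linux";
-};
-dn42 = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/dn42
-];
-};
-knot = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/knot
-];
-};
-drone = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/drone
-];
-};
-freifunk = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/freifunk
-];
-};
-ftp = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/ftp
-];
-};
-gitea = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-self.nixosModules.gitea-actions-registrar
-self.nixosModules.gitea-actions-runner
-./hosts/gitea
-];
-};
-glotzbert = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.common-cpu-intel # also includes iGPU
-./hosts/glotzbert
-];
-};
-gnunet = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-./hosts/gnunet
-];
-};
-grafana = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/grafana
-];
-};
-hedgedoc = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/hedgedoc
-];
-};
-home-assistant = nixosSystem' {
-nixos = inputs.nixos-unstable;
-modules = [
-self.nixosModules.microvm
-./hosts/home-assistant
-];
-};
-hydra = nixosSystem' {
-modules = [
-self.nixosModules.cluster
-self.nixosModules.gitea-actions-runner
-# skyflake.nixosModules.default
-./hosts/hydra
-];
-};
-iso = nixosSystem' {
-modules = [
-({ modulesPath, ... }: {
-imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix";
-})
-];
-};
-iso-minimal = nixosSystem' {
-modules = [
-({ modulesPath, ... }: {
-imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix";
-})
-];
-};
-jabber = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/jabber
-];
-};
-mail = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-simple-nixos-mailserver.nixosModules.mailserver
-./hosts/mail
-];
-};
-matrix = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/matrix
-];
-};
-mastodon = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/mastodon
-];
-};
-matemat = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/matemat
-yammat.nixosModule
-];
-};
-mediawiki = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/mediawiki
-];
-};
-mobilizon = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/mobilizon
-];
-};
-mucbot = nixosSystem' {
-modules = [
-"${tigger}/module.nix"
-./hosts/mucbot
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-];
-};
-network-homepage = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/network-homepage
-];
-};
-nfsroot = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/nfsroot
-{
-_module.args.tftproots = nixos.lib.filterAttrs (name: _:
-builtins.match ".+-tftproot" name != null
-) self.packages.x86_64-linux;
-}
-];
-};
-nncp = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/nncp
-];
-};
-oparl = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/oparl
-{
-_module.args = { inherit oparl-scraper; };
-}
-];
-};
-owncast = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-./hosts/owncast
-];
-};
-pipebert = nixosSystem' {
-modules = [
-./hosts/pipebert
-];
-};
-pretalx = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/pretalx
-];
-};
-prometheus = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-alert2muc.nixosModules.default
-./hosts/prometheus
-];
-};
-pulsebert = nixosSystem' {
-modules = [
-./hosts/pulsebert
-# build: outputs.nixosConfigurations.pulsebert.config.system.build.sdImage
-# run: unzstd -cd result/sd-image/nixos-sd-image-*-aarch64-linux.img.zst | pv -br | sudo dd bs=4M of=/dev/sdX
-"${inputs.nixos}/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel.nix"
-{
-nixpkgs = {
-hostPlatform = "aarch64-linux";
-# buildPlatform = "x86_64-linux";
-};
-}
-];
-};
-public-access-proxy = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/public-access-proxy
-];
-};
-radiobert = nixosSystem' {
-modules = [
-./hosts/radiobert
-{
-nixpkgs.overlays = [ heliwatch.overlay ];
-}
-];
-system = "aarch64-linux";
-};
-riscbert = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.starfive-visionfive-v1
-./hosts/riscbert
-{
-nixpkgs.crossSystem = {
-config = "riscv64-unknown-linux-gnu";
-system = "riscv64-linux";
-};
-}
-];
-system = "x86_64-linux";
-};
-rpi-netboot = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.raspberry-pi-4
-self.nixosModules.rpi-netboot
-./hosts/rpi-netboot
-];
-system = "aarch64-linux";
-};
-scrape = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/scrape
-{
-_module.args = { inherit scrapers; };
-}
-];
-};
-sdrweb = nixosSystem' {
-modules = [
-./hosts/sdrweb
-heliwatch.nixosModules.heliwatch
-self.nixosModules.microvm
-self.nixosModules.cluster-options
-];
-};
-server8 = nixosSystem' {
-modules = [
-./hosts/server8
-self.nixosModules.cluster-network
-self.nixosModules.cluster
-# skyflake.nixosModules.default
-{ _module.args = { inherit self; }; }
-];
-};
-server9 = nixosSystem' {
-modules = [
-./hosts/server9
-self.nixosModules.microvm-host
-self.nixosModules.cluster-network
-self.nixosModules.cluster
-# skyflake.nixosModules.default
-{ _module.args = { inherit self; }; }
-];
-};
-server10 = nixosSystem' {
-modules = [
-./hosts/server10
-self.nixosModules.microvm-host
-self.nixosModules.cluster-network
-self.nixosModules.cluster
-# skyflake.nixosModules.default
-{ _module.args = { inherit self; }; }
-];
-};
-spaceapi = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-"${spacemsg}/spaceapi/module.nix"
-./hosts/spaceapi
-];
-};
-sshlog = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-sshlogd.nixosModule
-./hosts/sshlog
-];
-};
-stream = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-./hosts/stream
-];
-};
-ticker = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-ticker.nixosModules.ticker
-./hosts/ticker
-];
-};
-vaultwarden = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/vaultwarden
-];
-};
-};
-nixosModules = {
-c3d2 = {
-imports = [
-# adds config.system.build.isoImage which can be used to build an iso for any system
-# which is very useful to get its networking configuration
-# ({ config, modulesPath, ... }: {
-# imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix";
-# isoImage.edition = lib.mkForce config.networking.hostName;
-# })
-c3d2-user-module.nixosModule
-disko.nixosModules.disko
-nixos-modules.nixosModule
-sops-nix.nixosModules.default
-./config
-./modules/audio-server.nix
-./modules/autoupdate.nix
-./modules/backup.nix
-./modules/baremetal.nix
-./modules/c3d2.nix
-./modules/disko.nix
-./modules/pi-sensors.nix
-./modules/plume.nix
-./modules/stats.nix
-];
-c3d2.nncp.neigh = import ./modules/nncp-relays.nix;
-};
-cluster = ./modules/cluster;
-cluster-network = ./modules/cluster/network.nix;
-cluster-options.imports = [
-deployment.nixosModules.deployment-options
-./modules/microvm-defaults.nix
-];
-microvm.imports = [
-microvm.nixosModules.microvm
-./modules/microvm-defaults.nix
-./modules/microvm.nix
-];
-microvm-host.imports = [
-microvm.nixosModules.host
-./modules/microvm-host.nix
-];
-rpi-netboot = ./modules/rpi-netboot.nix;
-gitea-actions-registrar = ./modules/gitea-actions-registrar.nix;
-gitea-actions-runner = ./modules/gitea-actions-runner.nix;
-};
-# `nix develop`
-devShell = lib.mapAttrs (system: sopsPkgs:
-with nixos.legacyPackages.${system};
-mkShell {
-sopsPGPKeyDirs = [ "./keys" ];
-nativeBuildInputs = [
-apacheHttpd
-sopsPkgs.sops-import-keys-hook
-];
-}
-) sops-nix.packages;
-hydraJobs =
-lib.mapAttrs (_: nixos.lib.hydraJob) (
-let
-getBuildEntryPoint = name: nixosSystem:
-let
-cfg = if (lib.hasPrefix "iso" name) then
-nixosSystem.config.system.build.isoImage
-else
-nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel;
-in
-if nixosSystem.config.nixpkgs.system == "aarch64-linux" then
-# increase timeout for chromium
-lib.recursiveUpdate cfg { meta.timeout = 24 * 60 * 60; }
-else
-cfg;
-in
-lib.mapAttrs getBuildEntryPoint self.nixosConfigurations
-# NOTE: left here to have the code as reference if we need something like in the future, eg. on a stable update
-# // lib.mapAttrs' (hostname: nixosSystem: let
-# hostname' = hostname + "-23-05";
-# in lib.nameValuePair
-# hostname' # job display name
-# (getBuildEntryPoint hostname' (nixosSystem' (nixosSystem.args // (with nixosSystem.args; {
-# modules = modules ++ [
-# # {
-# # simd.enable = lib.mkForce true;
-# # }
-# ];
-# nixos = inputs.nixos-23-05;
-# }))))
-# ) self.nixosConfigurations
-// nixos.lib.filterAttrs (name: attr:
-(builtins.match ".+-tftproot" name != null && lib.isDerivation attr)
-) self.packages.aarch64-linux
-);
-};
-}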


@ -1,48 +0,0 @@
{ config, ... }:
{
c3d2 = {
deployment.server = "server10";
hq.statistics.enable = true;
};
microvm = {
mem = 512;
vcpu = 8;
};
networking.hostName = "activity-relay";
services.journald.extraConfig = ''
Storage=volatile
'';
services = {
activity-relay = {
enable = true;
jobConcurrency = config.microvm.vcpu;
relay = {
bind = "127.0.0.1:8080";
domain = "activity-relay.serv.zentralwerk.org";
};
};
backup = {
enable = true;
paths = [ "/var/lib/activity-relay/" ];
};
redis.enable = true;
nginx = {
enable = true;
virtualHosts."activity-relay.serv.zentralwerk.org" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://${config.services.activity-relay.relay.bind}/";
};
};
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.05";
}


@ -1,169 +0,0 @@
restic:
password: ENC[AES256_GCM,data:m4osUnoEW/uUxIq7RihhnSGWiFSI37BrakLc5VSyRzM=,iv:wdSxFAsN9gndqJbVvi99ZO8KieUzZ1YiqQcTckJ2H7M=,tag:N5mpjfVjMpRVRFcKUYEFxw==,type:str]
repositories:
server9: ENC[AES256_GCM,data:UlgJ5GrSpP6NJnX8tDu1m2WsuzFYYC5l3xgjEsxqnb9I4DiWtzQRi2KlKP0uZiYEmehc/0MjZGw6SJ1AMu+rWKimWD4hAEGXvae3orbtbgosK2TqH+gN4YHYkmxopevkblj09LKWj59Z9lnGE2NF5Z4c,iv:2N0GInT+f8CXBgFQHE72q7Na5Efv0YXVSzECRJzk518=,tag:nsjaWrugU059Xv0cHCiTdw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcjc3THN5QWRhQUg2UWhO
LzFoYVhEUU1ZcE11OWllWmlHeDlzckZtY2t3Ck12cGZjTkRMczZaVDBkWmFqSmlx
UGhhUE5kdjh5aDNFN1kySnV2dmFmVjAKLS0tIDlSd20zbmhMdWJ4TU5hZTd6THB3
OW1BWmdnY2tEK1ptNmZPTFYvNmgzNVkKoupIQLO/x0F3CzYauPgMcEbgRE2WRjjN
P3fPORqZbJzZj5df/H7Wtep8JV40nhpgJrfyHSCnsXeKwP4cFWl5UA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZWErRGcyVzZ5TXozMjdy
ZWRLaCtwS2dwalQxU1B5eWdleWpwR1RoSTM4Cmx4RWRWaUltYngyaE0zSGRON29h
Wi9MU0Vac2dSL3dXMTNVc25FOGk4emMKLS0tIEREbmUveXA2UXFZRjNiV3FObWh4
MDdoUzlsUWMrS2JSOGsyNElpVFdBeE0KP0UGExM1D4ug3pEMAsDy+63hC46EZlBa
B+jZtrT8Yl0bS+/fCDWTldqFrpJA0myBEjoJA3oeuGUJ/RN3GW8yYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-14T01:28:24Z"
mac: ENC[AES256_GCM,data:dfl+N7jk0LcAcaMT0zYnFwBCZXvAXnxQ4F0eTdopBLQhrqo/fh79f/aGHP+tCTfiKJZ08tGZkSCG21XmRS1fYh75JjhnEjx0bIojno9NFDVW9EiCQWH1WswqwnrIboclSv5+KDexMiqV7xdtZNKe9ZPWmqxIqWXStYrniK/Xcak=,iv:dvyYP5mzwpWS1WcV9JMzu8UsQraCWQc7OT3HaWD3hA4=,tag:Tedym+/t6R29DJSYCLgk0Q==,type:str]
pgp:
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=Ey0c
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=VYZW
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=78Vq
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJARAAqhLjmCAxtyB1O7y9WStwIpawgISbFeNVtG6CGh6stpiJ
N2kRv3KiGnWwIbmgKZs9Ik7yFMn+T1dvPt2qk3CMcoFrQ0kBVOlWM5K3q8YHWzvJ
ERgIgbhkwXTMrVnl/YUOnrN/RewKJ/QUZkI9bYE/vDLyEAuxPj2u8ncS6e4HH03b
fIRjjE9uOmee1ywhLNBSPPf3UQLQH7M2NoiGaxNFjEoAO/rdM8Y+08ad252+0bB3
tGimVnWx5HtI/+oVjjki0N0UId/zNog7XkM682XMxY24lm/xKcc2qVGDBc7X5BEX
G0jUG9omMj4xHyHOezuU9Wv2Tb4KclEqql635aaNgD1cNYhj60pE2fWOT+lpjVFw
rW7hguc6whsnigLiFVqb7vCCMWkXe2ZJALvVyFMm0S8WI/FRyo1OfrU+CsYTUvhC
pbUuIKg+U8qMrZnIf7rwOkh5ac4Bo/iT7rtoUudkdJiIDoi0qY5B5gxCPk2OzzRx
JzG//MVaThy5Se+i15sPMB2Mj4TUcjIc739TNJ8H1Y4Ev2Kl6wUqNEzthxq0sENz
XbKJHLmNffiH/D/6ZpdnAMhYAtWG8rMr+uSa5htICXc2cSnbLcIJ+ndwFGj+DR0k
aB4kHRp1m78LntOVKYgY4NXvaiRKm6Uw7uhOSGvNJpJzANJpjOFaYQ4mOx7Yoo3S
XgEJpezAuszbv7d0Gbl2DTTqZKsXMZrVmBTC6z9+H54ad/XDa5Twm54/u3bMiIPT
+Y/wo51GXJvXVQKkg0Fz/bmL0KTyRZKddC3Ay93ggaErVNS1Rcg+oVBu1SyTs9g=
=Il/l
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=09vd
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=FrQw
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-11-14T01:27:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf+LGJmxeU+Efansi/90UOb2Pw6vtiiXAyP2GJ65GDt2gMo
fuoCRfElGzymasLfQe9moDs9fyUoAYkreGUn8crsI3RbLbmFjQcT5hMBRwR0iKZQ
egNm5C8R3EuPCUWMuDHWee5isfaghUp5+j17NzkwD6oGy1VtU/XAhlk5YV9436eT
zjJPha1NJwJ8oMLoHGIFtD5q0C4F++TN0PGLQrWxhFeywIymFu6b6z8kkcjVNONQ
oi8CQkjk0bjYopCuc8irv1j2Zu0w0Gp4UP7pHYbf3UCIlhSoQJWx8c29P/phohMT
Ox+TX7+8iwNURtwoP1pZaCgoekfzec1ELLNxj2GzW9JeAbHLMZGmnR16VQBjggRU
ukeYes3ys2GxsRYxPq/a3nHgMvV20IVt7s0IxfGIFb44pjTe9TLVyFhdeGm7RFaP
kxWbgFBS39ITUJC/UP5g6tj541aMONoWFWzAPI5ZJA==
=s4Hv
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,17 +0,0 @@
# Design
We are using [portunus](https://github.com/majewsky/portunus) to manage an OpenLDAP server
and currently [dex](https://dexidp.io/) to offer OIDC.
Dex might be replaced in the future with an equivalent solution that can remember sessions to have true SSO.
New services should use OAuth/OIDC if possible to lay the groundwork for SSO.
If the application only support LDAP, that is also fine to use.
# How to use it
See the grafana configuration to see an example on how to use OAuth.
To create a new application edit the dex configuration next to portunus.
The aplication credentials are saved in sops.
For an exmaple ldap configuration see the gitea, hydra or mail.
The ldap settings are documented in portunus in detail.
To connect to `auth.c3d2.de` the nixos-modules option `services.portunus.addToHosts` should be set to true.


@ -1,108 +0,0 @@
{ config, lib, libC, ... }:
{
c3d2.deployment.server = "server10";
system.stateVersion = "22.05";
networking = {
hostName = "auth";
firewall.allowedTCPPorts = [
636 # ldaps
];
};
services = {
backup = {
enable = true;
paths = [ "/var/lib/portunus/" ];
};
nginx = {
enable = true;
virtualHosts."auth.c3d2.de" = {
forceSSL = true;
enableACME = true;
listen = libC.defaultListen;
locations = {
"/".proxyPass = "http://127.0.0.1:${toString config.services.portunus.port}";
"/dex".proxyPass = "http://127.0.0.1:${toString config.services.portunus.dex.port}";
};
};
};
portunus = {
enable = true;
dex = {
enable = true;
oidcClients = [{
callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
id = "grafana";
}];
};
ldap = {
searchUserName = "search";
suffix = "dc=c3d2,dc=de";
tls = true;
};
port = 5555;
removeAddGroup = true;
seedGroups = true;
seedSettings = {
groups = [
{
long_name = "Portunus Administrators";
name = "admins";
members = [ "admin" ];
permissions.portunus.is_admin = true;
}
{
long_name = "Search";
name = "search";
members = [ "search" ];
permissions.ldap.can_read = true;
}
];
users = [
{
family_name = "Administrator";
given_name = "Initial";
login_name = "admin";
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ];
}
{
email = "search@c3d2.de";
family_name = "-";
given_name = "Search";
login_name = "search";
password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ];
}
];
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"dex/environment".owner = "dex";
"portunus/users/admin-password".owner = "portunus";
"portunus/users/search-password".owner = "portunus";
};
};
systemd.services.dex.serviceConfig = {
DynamicUser = lib.mkForce false;
EnvironmentFile = config.sops.secrets."dex/environment".path;
StateDirectory = "dex";
User = "dex";
};
users = {
groups.dex = { };
users.dex = {
group = "dex";
isSystemUser = true;
};
};
}


@ -1,176 +0,0 @@
dex:
environment: ENC[AES256_GCM,data:ETmjIma293BdDibQhXkpELlddzfdhrV6xKhBJFVOZb7j+SDsBucH5MtKwcjbSh5/HpM3SuaYvOqiZOs3jpnQx5Fx+A4HaZBLfAtJZvHm3fONcFFmwD05FTB8O7jFRW+PJVyqQsrwFkes5Y6DtFO3Bu0arbjTXfi7R8jWIl+WGq23r4SSdnUyMJxf6G/MRA2xKum0/f3C2C+iWCR+msVKWPLpnPW8l2yHRWM/Pjyg8NYfOFV0NuLTimpslJ4tJvCde9s/vI71Ncokbx85rQS03OnOEdgXdjx/vC5Q2NRbyko7aXnDbgNpGqMXrZ+oHYPrnBT6vXhiC0iHLJSPmEZw1nwNA6Lcc7VbquVWm1c2Rc3XZ2NLgdOK2yaOOYjSGfucbKal2HZZSSSrwiz2,iv:5DqSaK3va9PrxCjv0Tcg2fVZk9+/hVv3M2NwRPlmliQ=,tag:QUfe6rwPJS7qZ8T5ULWlNw==,type:str]
portunus:
users:
admin-password: ENC[AES256_GCM,data:Hxcj/ZxBeUmUDh+R6NWGe2fVTtd56d1VgPGKUG5mIf4=,iv:X6/3hk1SylA9xWNkrE7Ynu7jgY7YDU/rmJeALKfDVRU=,tag:y8RUy45n0EcpsYCrmjLrPQ==,type:str]
search-password: ENC[AES256_GCM,data:RsAdOdPYRv5uFiAAEtNHpiPOFV8Qq2ie1a3LWq8CX4A=,iv:jU1EknnTCuivYeZep3+/Fz0TaGVHinwrqXpZRVV1P48=,tag:+gl4bLr8xlCW4Yb2Q6fXcA==,type:str]
restic:
password: ENC[AES256_GCM,data:pwiTsU7Ibg8zC339BV1ejavrtO9kw20rWO2LEMsFEKY=,iv:hozH7kZjQ54MvmGuRcui/lzznyfKhntDDocGNgi69+Y=,tag:lNFyn94CIon2lEuJOM+PWw==,type:str]
repositories:
server9: ENC[AES256_GCM,data:FcDuWjo91l7L1wSfWlniaOgipaSldie1QfSiah/W0PZ9DGkBmJwbZZs72I8AcsurKdhp1AS+T6Q9K2BQ1I290dlMsnUzAb1fNW2ripYe8im596FvFbyrT+6H6BRa1w==,iv:TzV9j1K7pRJp2aAqY1nLpeEEc5fvUe3BX6zKw6CA0Wc=,tag:U4fsdO7YhZ5/i8Zeg+Rvyw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc3BQWVprTzNVSnl5T0M1
NWNzSzZoYloyckVKQTVmbStoaHA2eEZ6ZFNRClhmY0Z2aytQRUkxYnZQSTF1bllY
UktFdmpUNUZBcG1mc0lWQ3VoYnFpSUUKLS0tIGY3aFhaY0YwUWF6T1JzMUFOdTNF
ajd6M0FrSHJVS0cvRnhBcmVHSzU5QjgK25PjPEFG0bksJikCMqXGxTQp4cuoCJUC
A5CzQvzL+kczt3HojLCWz/bHQfTY+Icw9Dr5l4Ygdgtgt5O4LgLmfQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMHhFSk4zUmVGTzF0WmIx
OVpBVHdBZi9BRnZIYklOL0NNUTNQUmZ2ajNVCnllL2o5Mm0yZnk5ZVBRTUxNajNW
WlRqSFlackVVcU9mL1VGQmRCOVBrWkUKLS0tIGtaT2ZaR0c1cDRzOFBVY3NYTnVq
NXdXdHNvVkJSWi9nbU9FeTZpVWprdzAKIvJn74/HKgceHB4UAGOBtN1k8Qd3selq
WUaOZJX82Mwr1fnW5COymnqAV3tlh3fywlPhveqL+Ij4z12B68F+1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-03T14:57:46Z"
mac: ENC[AES256_GCM,data:t+a5H9OlbMcnwtAB40jbS8ba9UoYhpW21il0kdvBAgI1MamEwY5HxkiudbBEeunQtXv3IDMHfQweE6j5MVEYCOPs37N6nYh3Mp8ggBFsslf0RyjaTh99zVwm67n5goKdaVN+aDzbs1sbNTMWQ6neSSCXG8VZYDXOD0rsQtpfDDA=,iv:HoXM1J/+3ifJ/wiUacKriU1CQOYaxwoB8k71ysJvhyw=,tag:6N3t/568IaDna8yS8hj8cw==,type:str]
pgp:
- created_at: "2023-08-08T22:43:03Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=YtF4
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-08-08T22:43:03Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQgArI4FBB0Kjp2gbKj/JxLEVHLl9+Dd8Vi+WQk7wKYvgrbD
ZnRpzhMAJUPB3G/46tQ9MrHgUbSkvUr37kSMBgV/aMsCCDbymTwahXHb2kIKI9IF
EAV09taF7J5Pe8iqsn+vP0H16TFnthXAvlRHIA4xEosLdpkPj1Iw7t0fdKjjj0zJ
HA6xfgO54nzrl4Jb7gdDLOv8lZ6F+ro6dAiKTyrdjNQ5WGNrpJVjSU4ID7FU37bn
+XLP35noDqkVct/oS9eWYkIlAccWbLSXXy9FvcbYhfNKiy1+O2M2IGht2QXJeTsp
6VMvY0T0GD+5HXSjOsr2lIYwWBm2UU/ddwpVkI+kb9JeASq/iOFtW+gdZSQ28esj
9XBZS9NhZ7o+JJdS/kLShGYD8+EE3haxtOY3pMhQDT1CIWInkSVmuxbbmtQ/1Fzi
kAWzNRmeDblLh1uNZIRL9aemy9CUHYrJCryKMkSOAg==
=VpO4
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:03Z"
enc: |
-----BEGIN PGP MESSAGE-----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=KJcu
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:03Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=FIBR
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=kGby
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:03Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=4MZa
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=tSiN
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,39 +0,0 @@
{ config, ... }:
{
microvm.mem = 3 * 1024;
c3d2.deployment.server = "server10";
networking.hostName = "blogs";
services = {
backup = {
enable = true;
paths = [ "/var/lib/plume/" ];
};
nginx = {
enable = true;
virtualHosts."blogs.c3d2.de" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:7878";
};
};
plume = {
enable = true;
# See secrets/hosts/blogs for the .env file with all settings
envFile = config.sops.secrets."plume/env".path;
};
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
secrets = {
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
};
};
system.stateVersion = "22.05";
}


@ -1,172 +0,0 @@
plume:
env: ENC[AES256_GCM,data:V7pEExE5jGT7JSCejzo1m0QlMgpKuaF5CnHvR7LCvTJSgoCeeNW9ImtVk8MtqtoRngH45jgseuC5wZNzXSMG/ltQ4c3ThDcxKP5ngLmEZ3tOqSlIdV/A3S4ww4f/UAx8YpNY4c/LlL9NuCcfpHyC4zwRFrD6odCSk7BUT0BU+zxOBDpQDAHscBz+YYTbb3cJ7iGYg1fXS6wLJHutf0eXYF5VNcc80SISEfbR+bs9t2f7Dg==,iv:3n+EDT9TO5VxCS6rXZiNKpxtCWeCDi6YT3dQsrECNmU=,tag:ysWwxhR1JNJ7WUM28TIQig==,type:str]
restic:
password: ENC[AES256_GCM,data:5SUmmFclsGFskWM1E0qOQN0TDB7sllEBnDFslUHTqZs=,iv:WoWtaR4byoRjnZaakBhZYHfzBFKrJ1g3ylWj6Vkom2Y=,tag:0M+MXU8Xe3Ig50rmaqwzjA==,type:str]
repositories:
server9: ENC[AES256_GCM,data:UdkELx+F4EQywGD3hOKf2NiHjYxMhjMKchPsUsozUoDVAOBiY+bt4Zna8CBE0gmp07waM860F7zayDqgf7fluMCMhfW2H2VEp9O3KTjjhI4XlCjYBzz1xtd6g03COn+b,iv:R5afv0aBSSQG61H7D3mbAg/K43faJ4sTV3Qgxl7n0pE=,tag:oqEKkcCgeM+p2U3RruLm+Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbUZCbDRLSzU3T3ZqeHpI
cnU5Z2t1a0hXR0s5bDVpM3ZvNXd2MnhXdUZFCkVKWDJvK0s5QkdtZDNiOHh6L0w5
TE5jL085U1ZBWklwbHNMWCtpbEFkMncKLS0tIGF5R3Npb2VyeDJkNW1mL2xoTCtC
M1pFcHZJOFpVcFVyTXI3U0hWOEczZEEKwE0HSLdgHazYqJXCPxdtJtnSNf9mR3MM
OwmPNDK2SRo++/vAtbGLVquC2TP9XyPIhUPxm/WX9rmBlT3ifFrFEA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVjU2a1RZdG1RUFZORmlC
dFlXYW8xUlFOWk5ubGVyTUJuOU1FZk5OWUIwCkZpOWZLVHg1UnNURFNtYkVINDAv
YnlZNkkreWIzK2JwUTVhVTZ6MUlqVlEKLS0tIERQQm1aT0swYTVRcnEvbjZCcTVa
dHM4NUhEcFJWREtWbnpSa2xMR3VlUVEK5TWq84p8Mkaw/bVNECTQp2IklmIxvtHA
pitCs+darbCw7Ux6WLjyGjaGRA3e6BIy2l2BF5l6rlWPRbLrwWDZsA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T22:42:47Z"
mac: ENC[AES256_GCM,data:Rm3Pn7sv3uUyuibvu5icFZsLv+1b1MxHk/bDoBfKvs1mPcEmhXMyviG6oPXgWSwStND5K3EG1YJIHWHLlFzReJvDWQN7SPtidkEj6empjNkt0ZDIvelX0RqHbVbbLDFrGdbo0O+tzpe2rE22VvsMliRxi8Frh9on/CgRLeUsxR4=,iv:5V50bnIW/y4o2FDTuS2p4LOcdiclJweLkAIfqUciGtU=,tag:d0DwlYYvUeo3DekTRzBPAg==,type:str]
pgp:
- created_at: "2023-08-08T22:43:23Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=DgCd
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-08-08T22:43:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf/ZdclvYDMZIZg55kWzWcSvaE2rN6k+h9+hwJxXGRRUb4a
/+Ivzor9tw/me3+iDRiOzFQucEs4OjcsltaAKIn2UjowT1QvJtxkI0fm/uGmzxqy
p2RlcmdFEHsZcMFdGSDsNSiSPWv8XSA5RPxx00tENGgfJaMHu0xsbl9Wfw1d4yvC
W76YVFTMsJXGWSzZKw7OQzIz/5GAKdHBD1I43iVjqa9FH7oi7zXGpexyjxScpl1O
/hxpGv8Td194yhT2ChF8NyOVqwHC3N1C1lqEn2dk2t9IFGpyR+doJqgtJzwCNu96
z8RYpuFI4Shsu8qKzhVPxwunn6eh+GVCxiU+QeUdedJeAZHvgn8wERyaAFhA+S/2
i6nsAbvyrggpLEHTivx7yYBM8+2sa53N4M2qLiXmQHrVSRwSjJKuLm41DVLEO1dO
el7D04gfKWg6CkuDrvSvL6jt+Z4izw+wpQzmEBNt/w==
=PATM
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:23Z"
enc: |
-----BEGIN PGP MESSAGE-----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=FzZD
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:23Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=tuJP
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:23Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=UxHV
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:23Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=kv6h
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:23Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=/HsF
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,142 +0,0 @@
{ config, lib, pkgs, ... }:
let
mymqttui = pkgs.writeScriptBin "mqttui" ''
export MQTTUI_USERNAME=consumer
export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
exec ${pkgs.mqttui}/bin/mqttui
'';
fqdn = "broker.serv.zentralwerk.org";
mqttWebsocketPort = 9001;
in
{
c3d2.deployment.server = "server10";
microvm.mem = 1024;
networking = {
hostName = "broker";
firewall.allowedTCPPorts = [
# mosquitto
1883 8883
];
};
# runs mainly to obtain a TLS certificate
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
default = true;
enableACME = true;
forceSSL = true;
locations."/mqtt" = {
proxyPass = "http://localhost:${toString mqttWebsocketPort}/";
proxyWebsockets = true;
};
};
};
services.mosquitto = {
enable = true;
listeners =
let
users = {
"zentralwerk-network" = {
passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
acl = [
"write #"
];
};
"services" = {
passwordFile = config.sops.secrets."mosquitto/users/services".path;
acl = [
"write #"
];
};
"consumer" = {
passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
acl = [
"read #"
];
};
"sensors" = {
passwordFile = config.sops.secrets."mosquitto/users/sensors".path;
acl = [
"write esp-sdk/#"
"write esp-proc/#"
];
};
};
in [ {
address = "0.0.0.0";
port = 1883;
inherit users;
} {
address = "::";
port = 1883;
inherit users;
} {
address = "0.0.0.0";
port = 8883;
settings = {
certfile = "/run/credentials/mosquitto.service/cert.pem";
keyfile = "/run/credentials/mosquitto.service/key.pem";
};
inherit users;
} {
address = "::";
port = 8883;
settings = {
certfile = "/run/credentials/mosquitto.service/cert.pem";
keyfile = "/run/credentials/mosquitto.service/key.pem";
};
inherit users;
} {
settings.protocol = "websockets";
address = "::";
port = mqttWebsocketPort;
inherit users;
} ];
};
systemd.services.mosquitto = {
requires = [ "acme-finished-${fqdn}.target" ];
serviceConfig.LoadCredential =
let
certDir = config.security.acme.certs.${fqdn}.directory;
in [
"cert.pem:${certDir}/fullchain.pem"
"key.pem:${certDir}/key.pem"
];
};
security.acme.certs.${fqdn}.postRun = ''
systemctl restart mosquitto
'';
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
secrets = let
perms = {
owner = config.systemd.services.mosquitto.serviceConfig.User;
group = config.systemd.services.mosquitto.serviceConfig.Group;
mode = "0440";
};
in
{
"mosquitto/users/zentralwerk-network" = perms;
"mosquitto/users/services" = perms;
"mosquitto/users/consumer" = perms;
"mosquitto/users/sensors" = perms;
};
};
environment.systemPackages = [
mymqttui
];
users.motdFile = lib.mkForce ./motd;
system.stateVersion = "22.05";
}


@ -1,10 +0,0 @@
______ ______
/ / / / / /\ \ \
/ / / / / / \ \ \
\ \ \ \ / / / / /
\_\_\_\/_/ /_/_/
C3D2 MQTT Broker
================
Use `mqttui` to inspect the data in mosquitto.


@ -1,172 +0,0 @@
mosquitto:
users:
zentralwerk-network: ENC[AES256_GCM,data:VeIDGMe0+YF6eLkTrBsQLg==,iv:h7KcZusBsP3QOWZWhOLOQM5ID1fWdvPkoEYLQn3XruQ=,tag:rcd6CiCauV/FQ8Y6+8FEwA==,type:str]
services: ENC[AES256_GCM,data:IJlgEkiND/QjMqBbyXmBTw==,iv:sATxB+Tfr9pLqOCY/jwAjcxaKCcgGhd/vga4e3M9N3Q=,tag:TodfF26KquW3F1KY9R9Wvg==,type:str]
consumer: ENC[AES256_GCM,data:m1ae+G/ZsDShSEWnHx4ShA==,iv:GBTRpJbSpnRYjWBttVZq1Qm8YFvhKZfmMwhCZqqBLJ4=,tag:/6uDJ6yRBuQwgPMVyXRQfg==,type:str]
sensors: ENC[AES256_GCM,data:psezcKOTU371ec+4YQ9E6Q==,iv:VxD2x6m+gF2kenJ2Ekhe2IvrW0DVP7Ha6UAavaK8/uM=,tag:aTgC5gfWlsVDfo9RWC3FIA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTejZuQWlrbDlKN0huQXlP
RFFVYVNkcWJhdkF3TytVZnFlV3FXcnFHcmw0ClhGR0VuS0tHanZ1T0x1NU9Qa2RN
R3UxaUszU1VHUTllWnIwTk1CWnhtU0kKLS0tIEYrSFFKOWNWa3V4TWlXMnRxUjNI
dG5GMUYxdUxhd0t6Z1NVVVcyZ3B5V1EKlHW6IEvlj/q3+h5CVFnf0YG41GscsexA
pCR5TGLxVcfGPouFNvAQO2Y8L89gvsTjKV5JLCcVQktgxqXfQtAE4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeWtUblZCM0VVVGdFblVG
T3djOVpUTnNZTnMza1VqZUpCSTc2eE9lZlFNCmlrazJsTUZ2a0oxeGZ5UGp5K1hW
TlJVdnVyM1FKeTZHY2JPdkkybGYrWm8KLS0tIFVodGpuYVE3b2Jrb0NSRzZOUUM4
alQ5OGtLd0NiZ2pTa3YyOU0wQmhMSzQKjMGhadCYBNSVljlj6Au2Jo4jIfwqT38O
qbn1K6MwSzT6BDGJ4bGA52Lm074bxezOrHJRo91N+cAhrSniAws/Nw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-05T21:22:51Z"
mac: ENC[AES256_GCM,data:sA4lWpltQNotBZldLxVALSb4Z7qD/cpVIkIEn0+9ouTSb66rEfEX1z7pQuZxRNkGHPwJ8MXDREplCPBqNMAPwh03OnqxuOKMVr9QZJSLuNlBi/12LOFHxY2AgWXebQlWvNDJXEp1fwrV2ztKg6iGHtD+kMsd/JMybmYPDTMj0VQ=,iv:bvwh0hg7kqQSpJav6i6g5/8FFT1Gs/6YjzZd2hpJSnc=,tag:E8lDOg6lTaX1aOp4vcSIHg==,type:str]
pgp:
- created_at: "2023-08-08T22:43:24Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=7wNq
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-08-08T22:43:24Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf+OU7JswNVAOH1bXq4iEbTsuszagym4dQljESBhnlskGTD
NK2PgMRxSGStMvSzr97mz+B1YtR3YrWYS5qs45xNGACaTf6BvLHg6Og8BiuS5aTo
DlDrJ61wbUM9KPPg19B4rsAa87y16vh2Kv2ED62dOerlmLrSSS96RAWDR5gbToyo
V+jbwtV6/6WjCesjvXIOFlxam0nxM4/PvOp9olvxS3Um0beHlLOdq6If457/2h5n
EZSPDrrqCycsSBIg8dvfY4Af0HsbdCA7DOkznQ3lHO+eL/opJT6BAOcHp+Eal6zf
rxReXXiAuc4XQ4mQk9GVCQnikH0A/X+GJYkFCoGVv9JeAVYQ43hrPmhDPJA90MW8
zryz0BIIZHi0k1cq7lOL/NpSFO0iWJCf0XX8IcwiorLkMKGpo4eK1qilLhPydURD
8iCGVonPMTijjhhAxBZeoPfFXkrPxUylylrnZL49Ng==
=CnmE
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:24Z"
enc: |
-----BEGIN PGP MESSAGE-----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=M20v
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:24Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=fbK1
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=A6mI
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:24Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=8bHQ
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=KYRS
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,86 +0,0 @@
{ config, pkgs, ... }:
{
c3d2 = {
deployment.server = "server10";
hq.statistics.enable = true;
};
microvm = {
mem = 1024;
vcpu = 8;
};
networking.hostName = "buzzrelay";
# Don't let journald spam the disk
services.journald.extraConfig = ''
Storage=volatile
'';
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"buzzrelay/privKey".owner = config.services.buzzrelay.user;
"buzzrelay/pubKey".owner = config.services.buzzrelay.user;
"buzzrelay/redis/password".owner = config.services.buzzrelay.user;
};
};
services = {
buzzrelay = {
enable = true;
hostName = "relay.fedi.buzz";
privKeyFile = config.sops.secrets."buzzrelay/privKey".path;
pubKeyFile = config.sops.secrets."buzzrelay/pubKey".path;
redis = {
connection = "redis://fedi.buzz:6379/";
passwordFile = config.sops.secrets."buzzrelay/redis/password".path;
};
};
nginx = {
enable = true;
virtualHosts."relay.fedi.buzz" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.buzzrelay.listenPort}/";
};
};
postgresql = {
package = pkgs.postgresql_16;
settings.log_min_duration_statement = 50;
upgrade.stopServices = [ "buzzrelay" ];
ensureUsers = [ {
name = "collectd";
ensurePermissions."DATABASE ${config.services.buzzrelay.database}" = "ALL PRIVILEGES";
} ];
};
collectd.plugins.postgresql = ''
<Query unique_followers>
Statement "select count(distinct id) from follows;"
<Result>
Type gauge
InstancePrefix "unique"
ValuesFrom "count"
</Result>
</Query>
<Query total_follows>
Statement "select count(id) from follows;"
<Result>
Type gauge
InstancePrefix "total"
ValuesFrom "count"
</Result>
</Query>
<Database ${config.networking.hostName}>
Param database "${config.services.buzzrelay.database}"
Query unique_followers
Query total_follows
</Database>
'';
};
system.stateVersion = "22.11";
}


@ -1,175 +0,0 @@
buzzrelay:
redis:
password: ENC[AES256_GCM,data:wYPztbjCe5rBvygF9b4emHWl5GSdRO1Tnq1m7P9GgWg=,iv:34IZVSf3KlozSDAlIr8Vfsc3anRhyYAks+gTX3nax4M=,tag:vp90sXYHMh0WIYLgxQi1bQ==,type:str]
privKey: ENC[AES256_GCM,data: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,iv:g/jQ0y1QplX3i3yt7bO3l8BFvjN6+Lut8jGMVPx2IsY=,tag:ikfdJWcr/nDK8Vcf0M+WZA==,type:str]
pubKey: ENC[AES256_GCM,data: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,iv:57uSeefhjsCXsqhIR1mOESsyCHMOxVAsmksnRQDOPcQ=,tag:9QE59kct+B+2iFLNBxkPxw==,type:str]
restic:
password: ENC[AES256_GCM,data:SRh/c+JNWuU+MNfbAuHysU6q8AyO+/5wC9mDBlaVNJ8=,iv:g3xdXDWuC5y9Ot8qSJ9Y+TkgyJEZTGekVEa41aJgdMg=,tag:tqKUWjbq/7r7yjI8f8sCjQ==,type:str]
repositories:
server9: ENC[AES256_GCM,data:Kf4GoT6lTTOAsc9zSEHTUb73Q0mw5iyRnrgfa2VYpY9GKAy29sFvLX9UBGWRV+a1cJY+reculfxGgD1XVj7undRZ3tTbNVhSQ5oJ2ilvLaAwSeMVHjR0HKrLw5aVM1UU9lOK5/BwvtA=,iv:HikHSP+o3FenzbMQRznbbqWpg+Z4l9dzgs/XqZD7eO8=,tag:vKDCwnZpOQ7/zEj0YjKxQw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTmVnSWlRRHZTUkJtWDB5
Z1c3SE1kOGV2RDI4UU9FcnlvbU0xT2dPRkJFCmFGVUdPVUhHQjlvWGcwb09lNGg4
cnJocUJjWUpOQm9rVDZqRDFDd1BOOWsKLS0tIG00Qno2Wno1dVpMc0pISlUwYWI5
alFiUjZDZ3B3NEJ3WmQwUWN3d1VxaUEK+ayvZ6JUIYPrM1AxygbU8pNFjiTM0OZO
WbI4zJe/FjmFjcyi2EX34j2rRy9ixbq5SYFG0jjc8X52leCLoDnIOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdXFRTmIyVTV4Y05BS21i
MlFkelFwdi9qeEhiL0tSOFIxcHN2Yk9vQzF3CmFHWE82emI0QkI4N202bHdBWkp2
c0ZTZFdXOTkrVUo2TmFtR2FrekJ0R28KLS0tIDM5VU8xM3MzQ1pmNlVJdDd2a1Ri
THRRMnkrWTZOU2pONytuZUVMUkVnR2cKuM2E6N7MFziBTj1E4I805xewCbpAPoEc
hHKpdrxso5Jj3IkCD3RzbeVpS/ZTDG3z2DIvkEabN7q5DmyM8Z05rw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T22:44:18Z"
mac: ENC[AES256_GCM,data:Xid791KQORiBL9qiMDEwCZMgzqeXoSuoev2/SBlesTMbE0oV7vYjWgSTa8TlYaK0DpA3ZKpNtzXw7hmkIfG6oQKmZBRbmBr2jInsUD1ev7IhVNq2m3W6n4LgUk71whnv2v6pmda1hd9dzAfGS9hQOFDT2xmyK4RiokHVNd78RAQ=,iv:DNJLeew1GEOnv6IvxDo5ctQL2sOsQBMF8QMQeCjw3Fc=,tag:95RTBhlVgbDx7DODsgrHSw==,type:str]
pgp:
- created_at: "2023-08-08T22:43:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=Bdj7
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-08-08T22:43:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf+OyaRzlVkj0+OcO73/2pE128UsMOJVWZpMiEVOizVioRM
Jw5sGopn4cvUGRWoyK8oeOeXEVmbaRklau6ghPTpyxSWGAlss0+d780+hAJ5QynZ
lXOKLgOFVqtyOw5PwVhxE1dGhAuvoK179YYGY54ZAj8nAQS54dJ6Xyi0QTTx4XKC
RQ0t4ZpUEI2m+WhtaoIw88e7uMAmGX/mgFUsgnYt+Ocp69SmVqdPUmdPkbMVezKd
1SQhiX+tIpuWLYT/4mMVtEt5YLIAhgxB7beWceMDDEAc1ZPvnjFJ67UT/giiHaE7
W8x6uxXGwr1q6vK0LGii2juTxrWmPjG4Vy2MfumQOdJeAe2bp+lEb1DABRukbg+9
/7PiumQxuXkLFlhO7f3pWnhsSAIgPN1E4RQvicbwKNsiwhLP6lr8DFLjp4K3xpKZ
EW6LZOa1N6aC1bMgHooEsAN7R+lgO5ADvMyl7SnOZg==
=cLgn
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eZEP
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=oqfs
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=LX3r
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJAQ/8DXcZg6av3b+Nsv/P6uEINLsSdoqt2/esGHgBjOC0cijV
jm1RPEotTKJdNPGyRgMySfji7GcxJtVxLarUGBQRg6ekOzxuOZJSkvZRIuYInAJQ
9hCWnKOlBdiQz6Xnhwty+4IuSv4ywqBEaVEp+zKpJgZYoEtqiGdJ2odPRIkkpGTA
w3Tke8wj2rCe6uXAa0Hcd6+xItvWsrqU50D3bjh7V9tQ3PGxmmm17BYN+tHhg9zf
CmGz+mnGFGCms3R5TnDKY8jfh3Vqk8ag82NEVNHZ0PDEjvQLZ/zvYg2x+GcNzqDb
OOm0VDjl6HpyM5EaWKkw+nHD8O1P6TyBEfMeYao5ULa3tqA+RujkoWLJ7nkgQgH1
wQObwV0MjhYvKp1UOMhtfcmmb/rMcjFzg1Nisy7dnh8ZnBc1n5V7mugyt1iHFWzK
85F50xBAokrqa2B6MGQ0o155hnrAiASRXmCcTK1LeuM42pSqxLzJmXfEFeUV5utR
XmaxOvkMQHZyTsX9KInW6bFYiHpFoFshlVRTr3YmKa3zptP1gmB03iLOG8VUh2DF
OtsndI+0yNTu37VZ2pz7G/8jlFnbcQoEHt8TAZ6uYobWPd6YA/DRJgIm7sh5WaaQ
ceTHAO8+kIPReHUqetYG6KARmsJArmy542LC7Dr/pp3tn8kh0tJSUZSlqwgOeQfS
XgGWYXLRb9m4s6jl9Ce6h66T5mFTdL7YMMFGGz16HuC19Rox59wi96WzVd7cIQx5
mxjvlerARUoXzdvurihUi0IDgJ2Vs3N9AeiV/IB5tAF6RRo4kJpRGDEqBWoMc4Y=
=a91P
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7ARAAhNMRh2NEv0AY9OjUSPHA/7GjLZqxON9RWGxcxtCv/vt6
CFApPqFAATJO76NEHzikYJMy74d+ui84QOCS5uqavNJA9Z5aMQEFhp78RIXY85BN
yO62Vo8/u5B/Igcu2Zvlt/hpBYoNN1Ed9F4bsvtQwks6qF62SO5KYBqq3FY8icDI
LJtq+ozdcU+QJsjrXwaTexklV3a6DRXndwtQTlhKX6t6JJJRB8BKyrwyF3hNBd6p
zpYEx7kYh7Zj20Pt0I3it08+nRlzdvaU54ydMyJbw/AYL/AulAAZ2FyxAyvx/sv2
HhvDpBl9TOnGuPztnXA3qpd04/b/6WPtLEABPLuX8C9Jq1kKCeuFZ2rdTD2RF7Qz
19tbhMQhFHRCBBza+6BkCg+xF4sbCSJkg9X2lYyXEIUpDb1hVpPOwKBwtbZQ3bit
e2PYK8Lsk5FfW3ANqxXKaF91/6rv8j5RyitnSG5D4XanPjyhmiBcgqyAJl9dq2Nx
QOhRzNK+F/4z8ym1iOO1ii5uJJQyGPRkZxLj7k8UhCOAOqi0/exxLEO5rZFg1F0m
rtKmbEGRJ9sGm8JaK75/C3wEbbt7KkizlSlj1ETB8Ji+zTwlLgpT5va6oJHU9jhv
76aCqFW4aGB6NWrSha+BSN9gEqcWKXcCPxH09vYtfUN131r3Wjwt/LTzhwHuLkrS
UQHt0+JmZR3hjLapC/GbxSfj/4YbVAWwRCgEpw9K0sI1tEtY0kUhYh/4eEruaDyf
UT9db7qBkz06ymPS6hyBovNHaQSYE6B7Rmra7D7fyIlfCw==
=oc2l
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,235 +0,0 @@
{ config, hostRegistry, lib, pkgs, ... }:
{
microvm = {
# Running on server10 which has 40 threads on 20 cores
vcpu = 8;
# drone-ssh-runner clones the git repo into tmpfs which requires some RAM
mem = 2 * 1024;
};
# drone-ssh-runner clones into /tmp which needs to be bigger than the default rootfs tmpfs
boot.tmp = {
useTmpfs = true;
tmpfsSize = "80%";
};
c3d2.deployment = {
# /tmp is to small for drone to clone the repo even with depth
mounts = lib.mkOptionDefault [ "tmp" ];
server = "server10";
};
system.stateVersion = "22.05";
networking = {
hostName = "c3d2-web";
firewall.allowedTCPPorts = [
# telme10
23
# gemini
1965
];
};
security.acme.certs = {
# agate cannot load modern crypto like "ec256" keys
"www.c3d2.de".keyType = "rsa4096";
};
services.nginx = {
enable = true;
virtualHosts = {
"www.c3d2.de" = {
default = true;
serverAliases = [
"c3d2.de"
"c3dd.de" "www.c3dd.de" "openpgpkey.c3d2.de"
"cccdd.de" "www.cccdd.de"
"dresden.ccc.de" "www.dresden.ccc.de"
"netzbiotop.org" "www.netzbiotop.org"
];
enableACME = true;
forceSSL = true;
root = "/var/www/c3d2";
extraConfig = ''
index portal.html index.html;
'';
locations = {
# Mastodon
"~ ^/\\.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3ac3d2%40c3d2.social";
# Matrix
"~ ^/\\.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.c3d2.de:443\"}'";
extraConfig = ''
default_type application/json;
'';
};
"~ ^/\\.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.c3d2.de\"}}'";
extraConfig = /* nginx */ ''
default_type application/json;
add_header "Access-Control-Allow-Origin" *;
'';
};
"~ ^/schule$".return = "307 /schule/";
"/schule/" = {
alias = "/var/www/cms-slides/";
extraConfig = ''
index index.html;
'';
};
# SpaceAPI
"/status.png".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/status.png";
"/spaceapi.json".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/spaceapi.json";
# WKD: Web Key Directory for PGP Keys
"~ ^/openpgp".extraConfig = ''
autoindex off;
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "* always";
'';
};
};
"datenspuren.de" = {
serverAliases = [
"www.datenspuren.de"
"ds.c3d2.de" "datenspuren.c3d2.de"
];
enableACME = true;
forceSSL = true;
root = "/var/www/c3d2/datenspuren";
extraConfig = /* nginx */ ''
index index.html;
rewrite ^/$ /2024/ redirect;
'';
# Mastodon
locations."~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3adatenspuren%40c3d2.social";
};
"autotopia.c3d2.de" = {
enableACME = true;
forceSSL = true;
root = "/var/www/c3d2/autotopia";
extraConfig = ''
index index.html;
rewrite ^/$ /2020/ redirect;
'';
};
};
};
# Gemini server
services.agate = {
enable = true;
addresses = [
# sysctl net.ipv6.bindv6only = 0
"[::]:1965"
];
certificatesDir = "/var/lib/agate/certificates";
contentDir = "/var/www/gemini";
language = "de";
};
systemd = {
packages = with pkgs; [ telme10 ];
services = {
# lets agate access the tls certs
agate = {
requires = [ "agate-keys.service" ];
after = [ "agate-keys.service" ];
serviceConfig = {
Group = "keys";
};
};
agate-keys = {
path = with pkgs; [ openssl ];
script =
let
stateDir = "/var/lib/agate/certificates";
in
''
mkdir -p ${stateDir}
openssl x509 \
-in /var/lib/acme/www.c3d2.de/cert.pem \
-out ${stateDir}/cert.der \
-outform DER
openssl rsa \
-in /var/lib/acme/www.c3d2.de/key.pem \
-out ${stateDir}/key.der \
-outform DER
chown root:keys ${stateDir}/*
chmod 0640 ${stateDir}/*
'';
serviceConfig = {
Type = "oneshot";
};
};
telme10 = {
serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
};
};
sockets.telme10.wantedBy = [ "sockets.target" ];
};
users = {
groups = {
c3d2-web = { };
telme10 = { };
};
users = {
c3d2-web = {
group = "c3d2-web";
home = "/var/lib/c3d2-web";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
];
packages = with pkgs; [
(stdenv.mkDerivation {
pname = "atomic-rsync";
inherit (rsync) version src meta;
dontBuild = true;
dontConfigure = true;
buildInputs = [ python3 ];
installPhase = ''
substituteInPlace support/atomic-rsync \
--replace /usr/bin/rsync rsync
install -Dm755 support/atomic-rsync -t $out/bin
'';
})
(libxslt.override { cryptoSupport = true; })
libxml2
rsync
gnumake
];
# otherwise the the drone ssh runner cannot log in
useDefaultShell = true;
};
telme10 = {
isSystemUser = true;
group = "telme10";
};
};
};
systemd.tmpfiles.rules = with config.users.users.c3d2-web; [
"d /var/www/c3d2 0755 c3d2-web ${group} -"
"d ${config.services.agate.contentDir} 0755 c3d2-web ${group} -"
"d ${home} 0700 c3d2-web ${group} -"
];
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."c3d2-web/gitea-token".owner = "c3d2-web";
};
}


@ -1,171 +0,0 @@
c3d2-web:
ssh-key:
private: ENC[AES256_GCM,data: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,iv:LyMZ+tuxvv/ReTjNoyjs99e3MRnOR36EhazcJ4a7xlw=,tag:yPnQ7QZA35o+acZFK0C1tA==,type:str]
public: ENC[AES256_GCM,data:l7lpD0oiR3o2GKLGisTGnXWHBdExy8f7Rhqu42GWS1BKut+DqGxQSVGH+ap6tysCCSVHpDShBoZQD4AWgnGe2S1zZ4p9JUtqzD55Qd1qjOvJ+xI7pwhRiFgODgfrnrU=,iv:0kSxCoKU0es6aU1HEVe+SliwCidySMmwsWXeiMCJ4SE=,tag:XjesvswMhRibEWFRzl4oyQ==,type:str]
gitea-token: ENC[AES256_GCM,data:W5NC7+7F2HSwRRyFdqkxwZVdW14PfG8PTJ4RI6UWyv262GMqgLbA1Q==,iv:mW5ahfvdzIng0dqphtZtZwOgF5W5s3rbP0AF0GxmcjQ=,tag:sYyMsqrKerxHcDRM4OkEMQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudy9ubE9UVnhab1FJblBB
TjhqWWsrWUdPWGk1UEtXZSsxWVlDTDhnVzIwClU2b1piWkdLTllzQ3ByQ3orVDhj
cURCajlrUXY1cW5GRlJTd2hqQTgxT1kKLS0tIEwvWjZiY01XSkFiS0lhWVNubFF2
eGZUUUVrZG0zeTBuczEwWEJVWkU1TWcKg3l2j+2wrW5wpYSF2WEiOAQ2gJvHB+bK
W7U+9KF6OkpxmC0r0wZrMct73Wi7vS1bMMZLW2wb2C7w0poyCi8iLQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRkR4d0xPbWR2ZTBsQTZB
cGpXYnlGNm96dzJGVHpZOFFHNjk0SkpieWhrCjU1YlRBTXZlOWd1dkpxclFwMEYr
VDdQZW5YRml6WkRKSEZ0aTdMTC91cmcKLS0tIEJKMGZobGJFY3d2N0Zrdmh1SWk0
WEpuS2hQUUhKeGhtR3lFMk8xb0dMRkkKl7dHZga+fism16wyyIR0sTGdIFM1yGRR
td8VGUOgh8KCVA4SmnaphSRTjjVbRdiA7mVIfJzQL7uCQjCBTqk2dg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-29T21:44:24Z"
mac: ENC[AES256_GCM,data:EmRAkfgdmQ1SWERxQa9B4rMAkoJITvIjuBKNNNC2c6uV0q5IIDB/d7TDRbxnzXPfOUft8lTFCuuCvRN1XRf+yjoRJBIKU6kgJS0YP6RBS5oS/mHkJXGGRI5qvWsm4xxptT6YvR/3ZzJSld/X7QHeHx0JISRGfayvJIqCVKjSThA=,iv:UosrjZe7CPWBeND46Q0dW+zdf5FgPIUkXvVqouTMkIE=,tag:KsHUAkYNMPo+XQwAjM93cA==,type:str]
pgp:
- created_at: "2023-08-08T22:43:26Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA6j84+xkv3y7ARAAjMRPtYBcO0qQtp5PkLK2PZ6s8ieduthfwm35Ij4gzsY8
2NtniLODSpgzTSJxhftbjz/kE08cwwztjK4vSal1aPgC2mcCw7JTx7XDNmBvBqde
7bU+h4wSn10P/oThVMlYH3JXyC0S2K3fXdwnh/z0R7EXKnF0FIacUqC5eucByRVh
kMI9Y833b23k7Mw2CWb3SrRY95oVq2/B7DkchsjYslP/wKgXoBcZo+o/kdXXZa6N
BgBQ/2y0j73jkBHiaXVAsySj/ppRCVLHCa6+VpaVu8kFTjuNGBB/ob1hg1uJ6Z87
VCaP/tCN/56DdpoKatYMfsFzczK9N4Y2WysGFBrFG1z34s9rhAzrfcwvMna1pGtf
xaIQxw3mac7prWe3TP6I3JgTZ8CXgtArbyucLWHEJeM4OM2C8FLfEj4Z7x4Jn23s
ii9W994g3LfNsDAQSGCXU6m0KneZ+s1LR2ObRGmMpnmLjNHz+0+saEECrrdoOwig
Yp3Pw5v7kdjAsh86tLTzQFSy0rbaMWYAMCQ+Gk+TrS9aiOygIcNXvp2gVkP7NxJk
MxSpmD4ZW0ETn+UVgezbhJJoC+C/wYAnIzz4gNR62yLZeYsDni7rXp091XlhJ+bD
vSJSnWMFy+w7gl8pP3YVeVc18Xs36pNkRZ+5S2528+Y2mkNitir5dI3+0788yrbS
XAHV8ofUmA3C34/U9I7ZgdtJTo5T5ZKV660NMIiy2SKLkQMDQvQLlljfYIMJPcbX
keXKl2mfQocm8YigE2VZpJXKle5RX7612pM+HOn2K3vpSQlzWtxjE9SjAJt4
=LPbq
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-08-08T22:43:26Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf8CimRB21o2QiIrKF6LXAeZy0ko5/m0yBc//Goij+4Xdiv
jBHsx0TSkpw7Lf59hhlhDBI96rEg2Q9V+Mk9MG7UcSW69B9MzddovKo24ymMPRlk
5bIvM6sLC+NW1kpNEAieEZakFtLPxJKh3NAGt3IvDmwtUzrnT+eQA+7mSmt7z06q
wElkEf55dqTXNbdI3Zqj1jC5krmApg0UCXv1wW04E4LU0DHicQVM4IAEuil/yiyM
VP0DAd8iwlH+WRKO122U1Rzm1xrk2uRzWg4kyt4ZXUCUvoPD4ExPlGqYjwsua4oN
1hZL/lBtYjTxlA0ec+oPpYikUuAlWPgt/xpnACdXPdJcAbXrvrIiU9S/NBVkNsBa
UMkMVKmfTtHDdvjEv3+3Ikrip4XyraXynXoNGw5Swc3n6IA0QA3/lMSla24vBJ0O
dGQGgRX0PFoHfgfQlgtmsUIuINwIOiBtYwAtu8Y=
=Slqt
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2023-08-08T22:43:26Z"
enc: |
-----BEGIN PGP MESSAGE-----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=dq6G
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-08-08T22:43:26Z"
enc: |
-----BEGIN PGP MESSAGE-----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=5JaY
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-08-08T22:43:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=HRj+
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-08-08T22:43:26Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJARAAo0lLjIxym1PiMwKrzWC4uFXDhAm6saQooomsd+IJAiKa
2FFos1oNV7IQ4Gw6S4TATiiUP2Xo71KzAmomh9cTq6kyuZmvrovLLuvNaBCqQEP+
VoZ96P0JaNj3+FFdvYlxmH4L5sY6d/pcAmTMh/2Gooq4qqnbaIDcQaDUA6pA03Hk
y+2BSMBEk6/xhlEGtsPJA/6+BIbmyfIIEi0ycV/XVZwKQlL6CoWKNG02wiFsAsRW
e/kU9I+WYu6i621hDdsccwaIM9Qn95yIn0t0OHVUM86iJFwXO+9n2sYFr9/bKFhC
Kt76PiwB2jpqKzLSFgpA/rD946qcq17YWa1UD6/P7eZRDSDIX0yE7j2M4DxSxzHl
hJfUluo9J0FanIvyPcGI5Dh/Hr/trjGhtFG9DFeYhB7jIcx+06DHo6bleB0Hnga+
i/kDy/dOdPT4hXtv3mrsww757Gmt5ljc7CZDM34jMcuM7usbzfpl60OZ4ykpWRix
BurWTCN2QsleFG2T6Vdrt3QmgFf3i5XyWmAwPDVtLSTxwGyFkzxK0cSqpIlVrVap
/VR+gKR9bGlvEYFjdaAtkFBw3+T45BZY4g6jaWboXo8M19QqYA0gJ8zzF0ntl2Y5
c+WNOcWr8qnC/JexgEyg4ytwHqxZCf78qkd948eVqGRT8EfTixklEpHls9oxWcnS
XAE0+TvSIbscE549VrNyj5VD7yUS93YhPnB4+nQoFoseQTg4TievRg4Ch6daf7ow
Aumjm4ehuC3KPtz2RbXRDQiRTl2v/JvI+LZGcOjfkf4pCXczGXdFwN1uyCCz
=crUu
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-08-08T22:43:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=blZl
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,94 +0,0 @@
{ config, ... }:
{
system.stateVersion = "22.05";
c3d2 = {
deployment.server = "server10";
hq.statistics.enable = true;
};
microvm = {
vcpu = 8;
mem = 12 * 1024;
};
networking = {
hostName = "caveman";
firewall.allowedTCPPorts = [
# telnet
23
# redis
6379
];
};
services.journald.extraConfig = ''
Storage=volatile
'';
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"redis/caveman/requirePass".mode = "0444";
# Must be readable for DynamicUser caveman-sieve
"caveman/sieve/privKey".mode = "0444";
};
};
services = {
redis.servers.caveman = {
# Listen on the public network
bind = null;
# Override default backup schedule to reduce I/O
save = [
# Every 2h if at least 1 entry changed
[ 7200 1 ]
# Every 30min if at least 10000 entries changed
[ 1800 10000 ]
];
};
caveman = {
redis = {
# leave 4 GB for caveman services
maxmemory = (config.microvm.mem - 4) * 1024 * 1024;
passwordFile = config.sops.secrets."redis/caveman/requirePass".path;
};
hunter = {
enable = true;
settings = {
prometheus_port = 9103;
max_workers = 384;
hosts = with builtins;
filter (line: isString line && line != "") (
split "\n" (
readFile ./mastodon-instances.txt
)
);
};
};
sieve = {
enable = true;
settings.priv_key_file = config.sops.secrets."caveman/sieve/privKey".path;
};
butcher.enable = true;
gatherer.enable = true;
smokestack.enable = true;
};
nginx = {
enable = true;
virtualHosts."fedi.buzz" = {
default = true;
forceSSL = true;
enableACME = true;
serverAliases = [
"www.fedi.buzz"
"caveman.flpk.zentralwerk.org"
];
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.caveman.gatherer.settings.listen_port}/";
};
};
};
}


@ -1,4 +0,0 @@
mastodon.social
c3d2.social
chaos.social
dresden.network


@ -1,174 +0,0 @@
restic:
password: ENC[AES256_GCM,data:f1kQylVfzI1v+W2P+IklKw==,iv:A72uGclgNYtDyTr8EQVgLZ4Ej1qVRWL6DvmmXExXXVI=,tag:kFhaxLWi89tWNoNtbE/FUQ==,type:str]
repositories:
server9: ENC[AES256_GCM,data:iLHa9ppMKU0fozooGoTrc/Of6Vh1iDI1Fp91LdWAktZpZ6/dPKyHdug8S3KZT3WpbQggQRmdeB9cgdxd+3H8OU8yrapVx7rIGz9il0eNQc3j0lbI/IIZyboP7HSOYd9soNRKwA==,iv:TFki4AUtMM0lhhuR4a5P33znPASyEWN2MWkZWaBj2i4=,tag:EpPN9BZLp80BAgeAnGzG6A==,type:str]
redis:
caveman:
requirePass: ENC[AES256_GCM,data:08V/ZSarIx+lpGSx5Su0A4Jveejxi83+jj1+Wcqf+nY=,iv:lm412YmiV6rVn5LGx1O5/kCGO457yohieu+UgB5b230=,tag:4cQ7mIlxJh7rGMZqmGIPMQ==,type:str]
caveman:
sieve:
privKey: ENC[AES256_GCM,data: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,iv:QzyXJA9TdFIWnQsK0X426vnoBVn+a7jp51jzKzWXBow=,tag:vHatuf24eick+oKrEonadg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age13dl5qjzddaazmquf7zfecru5tr4ld8l8xd7xpmhaqqzmchpua4usswqykd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVHRWWXhtZmpodE56bUlM
YUc4TWQ4SFF5Yk4yR2F6K3JHT2JwSEpTYWpRCkZkSUZpNUFRc3Y5ZGhiM0RzT2t3
TVVuSldVd1IyYmU2aWFreWVCSEw0cUkKLS0tIHFUTkhScTRyMTl6WTMzRmdMZXFZ
MFdlRWE3eTJDcUZ3ZGxmdWtzZmJ2ZEEKRcH5viZ398JKntCDHwS2joc1OZUgbce2
/Tkv+QEEKN6bnz+e1BOu4XSAsf8kX8/rxyxDZcj6L0ndfCgEqB2w0A==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U0FiWUY1OFF0bmJvdUpV
TndJUFplMmloUmY2VVJ5MDJEV3NSWFFzTUFRClZNQVBQZ3ZDOEFvNFNYSUl6WjBZ
NzIwWFYzSEhBY3JxcjBrSFAyL3lleG8KLS0tIG9PK1UwbEZ5Vzg3bFFvWW9zK3hv
Z2ZSNmsxR2lQZWpLeDdqVC9jTEJYVW8KtES5IHyQyMs4MuaGrEt724cQf935ISl2
QE+Fpkg4Wb+8gaBA0H6bWzq0OLuaIVzgK5BEoY1YThD6kKbBxTcDww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T22:43:02Z"
mac: ENC[AES256_GCM,data:GMNGRHhfnxnhHjxIQ3l0FRnMaGS7OJgSJzQnYVR4IZRrPgesZffqnf263pJdo+tGEA2JDTLbz4W+40pJ4IZ6m66BR5sVwKjsimAGTB86dO8G1RlzDgVGQAkU0i/YA0wm4+5DmoMUsRfOtxxOqsbASv44Ua2H3omKG1aLXQebTb8=,iv:iQys+/zsCegYSFy4EZiqKGSOLQCeQUMnTRGVpi4DSTw=,tag:/p18QhzztAhDFTXd+ZAU3Q==,type:str]
pgp:
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=JzrQ
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=SM6c
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMAwMCBBrc/JA6ARAAzyiyxmdfVDzQIUq05KLpQ+hw2ccMRWmkDwIs78Y+6fxh
4nnG9CIFvygCtB+PhfO/idzIaLXunErD/nEJkhcoubLu1Uw0D77pbw3+rLiwUH7y
ijHGnTFqfV7x24aaaCVbHDRXAEctGmll8JjDi2VpBgEm3QwHHSx0idSo5GUYghmG
fh0Fpn5lT9bHcYm7LmHqTTof/KF2tsf4zjOhfggDEj384jvpG5Wq0CoC4Z64HMUl
Dk3R2l5nX7XUV0E9YkUz4M3Vt2OEGOX8LiwVTLebdEmWvKa0NhR/pk+4gj75z6BD
/EhnnqCwAHDIAV34vn3LaoVnmM3fjZ06DEZ/UsJiAuRZmnqzl/LPudBmcw0T0KwA
lX847nXWU9JuunSiBwfBEBVrSjUDqRGm+MyDqPUxvykp1QOlt3gHLiwTf/LqKk4j
gtSjfaEK/902ODg+kddXx3piaR6VL8BN8v7sJJ4f0DeeWI5X4sZO3wlW/bMK10Qa
aNvWURfxQvVa6E9qiQIi2/sARGMQ08Tu4qbAKuLK2sdz8ABerpbwftXIwh/qJuYr
pUPiFIO3M0whSsobEmWg0RJ+tp0Itb6MVR8kPDoc5u9VtWwjw3bKCvVFp+MHRbJ5
0RQ0JchzkcVVXBXrTPpT9wIJYYti5x7z0ZLr02i16gIoD5JqMjuGb33KdAmJO3zS
UQFQfaO1br/eUnLU6JWAhR2g8iCmXwYZWu96jkbXm863IjnXzz0acEYLvu1Wfgmg
1mhpYg9cEXcayQ99tWZ2DIE8F2DGZICeXRIjbPK7d8sblQ==
=0N0b
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA/YLzOYaRIJJARAAmujv/j5qV10Uyf/YIEa6Xpfg944H1t74XTf33bSIw7TU
5xE0IIuyoauRMM/wfFCA8Wob7nCxAZnfIycte2aoiQSJpewRa81SWtTlUR9DnhP4
h7SB4iT1b20Tm/5NohDQNwZI2cEKWbEWww41jXAOk1ZYEcblYor/w3oocfRiT6mX
VjfPH8jiWVaccFsur8sFfvrJ4LobDMwGbPhZMl2TFtBa6nrJ+chGEj+W3Eez3f/I
jPiCGzxtonSsqa2fL8/H4k8L5NsG71OB9CvPMh/DWfCZb0CJieqbAeRfBLzI5Jph
a/4icI6ydh0UFSvrlXcmnvgn0HouFAMc7fo8sFttBdSn0qEhE2MKZ5Qu+b1QuQ9k
lRKXlraO392eKSYS3F1qlQvw+trwwhQft4ct+sdCcxoRu58sBYOJcxAC43IFe0mj
VwKZFTRkE/D9KHc/9zw4mjKa3SC2eWczOuYWof2IggeZiS8kBxdtcyjtWfNdfb9b
9T56YEbG61rk5G/iPBzE7EGrW+syD8xFFwKDrm8SCCwz+9DMofOf73aKJrtAYhfi
StXV8zc/thiR4Lw1xUuakil7SBtzuITzAZWn35O7TH62pzGbUIc9Xk3lOyTHValv
XAXs2Q+I7amT7FuSi3am/1ofGruLA6VcV7R2s53SUZ1BorWnJgAqF8t5aGFk2r7S
UQFbq/N/9Hn2LLhyxJ/e+cE26nKIytmQbHeTWVjw4oqNeEBOIB9s6YF35ob6IkzT
44oNJ020umVFWAm6ZUnHIBEqnF/ktiG8kSlOS3reHfHugA==
=Wz7k
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=3Gfv
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=dpZI
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2023-10-12T20:25:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA45bZkLXmBFpAQf/SOW6vP/l4XyebkUYjNoNp/+80jtAbNwz13nEDG0Qbi1o
dh4WqDDs/0YMC5JQyDkQ9VmvedFhsp824FXU+2hGpRWA1cqGEfgxGbXHjoe3WCDt
lFr9mKmgY3DBQ644Egd2sbeZu/GoUonDc6ySbw/FwFWmDIFWjNidij2fueSbWfQd
1EeNzFeNrO+lNcviqjq+t5pxc64mc9yu8MNaimCJ9EGNk89G2aushZea9TmHPwi1
YchJt67t9x5o3bVHAaHFKNOCHMNNN5dXsgdvSXbRBYwlXOc9HYPtFfGDdY/cx1kX
lIEhVaNCMgLT5OAzBz8LtSV6MTWVDUs9M2JMn8MYgtJRAfbOOC8icZulZ3hGCKCL
otrbk/vRlASexiC9yw4dTPeB54JkB1eb5BkwcgevnEOMOGX8fdxUd4ZGyCcc/1F0
2BQawZTUJgcZ3U+PPau124ig
=juFT
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
networking.hostName = "dhcp";
networking.defaultGateway = "172.22.99.1";
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
networking.interfaces.eth0 = {
ipv4.addresses = [ {
address = "172.22.99.254";
prefixLength = 24;
} ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
];
# dhcp
networking.firewall.allowedUDPPorts = [ 67 68 ];
networking.useDHCP = false;
services.dhcpd4 = {
enable = true;
interfaces = [ "eth0" ];
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
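Review bot: `extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;` copies the file from the secrets submodule into the evaluated configuration, so its contents end up in the world-readable Nix store (as part of the generated dhcpd configuration) and in the system closure rather than staying under secrets/. If that file only holds subnet and host declarations this is harmless, but any key material in it (DDNS TSIG or omapi keys, for example) would be readable by every local user; either keep such material out of that file or deploy it at runtime via a path instead of `builtins.readFile`. The `config` and `lib` module arguments are unused here and can be dropped from the pattern.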


@ -0,0 +1,207 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, strings, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
systemd = {
enableEmergencyMode = false;
};
# Use the GRUB 2 boot loader.
#boot.loader.grub.enable = true;
#boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
#boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
# networking = {
# hostName = "storage2";
# interfaces.ens18.ipv4.addresses = [{
# address = "172.22.99.20";
# prefixLength = 24;
# }];
# };
networking = {
hostName = "storage-ng";
# usePredictableInterfacenames = false;
interfaces.ens18.ipv4.addresses = [{
address = "172.22.99.20";
prefixLength = 24;
}];
interfaces.ens18.ipv6.addresses = [{
address= "2a02:8106:208:5201::20";
prefixLength = 64;
}];
nameservers = [ "172.20.72.6" "9.9.9.9" "74.82.42.42" ];
defaultGateway = {
address = "172.22.99.1";
interface = "ens18";
};
#defaultGateway6 = {
# address = "fe80::a800:42ff:fe7a:3246";
# interface = "ens18";
#};
};
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
time.timeZone = "Europe/Berlin";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
vim
screen
zsh
lftp
# ceph
lsof
psmisc
gitAndTools.git-annex
gitAndTools.git
mpv
# libmagic how ?
];
services.ceph = {
# enable = true;
client.enable = true;
};
services.samba = {
enable = true;
enableNmbd = true;
shares = {
c3d2 = {
browseable = "yes";
comment = "Public samba share.";
# guest ok = "yes";
path = "/mnt/cephfs/c3d2/files";
# read only = false;
};
};
};
# fixme, we need a floating ip here
# correct is floating ip 172.22.99.21
# does not exist yet
# secretfile does not work :(
fileSystems."/mnt/cephfs" = {
device = "172.22.99.13:6789:/";
fsType = "ceph";
options = [ "name=storage2" ("secret=" + (builtins.readFile("/etc/nixos/storage-secret.key"))) "noatime,_netdev" "noauto" "x-systemd.automount" "x-systemd.device-timeout=175" "users" ];
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.bash.enableCompletion = true;
programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.atftpd = {
enable = true;
root = "/mnt/cephfs/c3d2/tftp";
};
services.nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [ fancyindex ];
};
virtualHosts = {
"storage-ng.hq.c3d2.de" = {
root = "/etc/nixos/www";
serverAliases = [ "storage" "storage2" "storageng" ];
http2 = true;
# addSSL = true;
locations = {
"/c3d2" = {
alias = "/mnt/cephfs/c3d2/files/";
extraConfig = ''
fancyindex on;
# autoindex on;
'';
};
};
};
};
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
23
80
443
137 138 445 139 # samba
];
networking.firewall.allowedUDPPorts = [
69
137 138 445 139 # samba
];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.extraUsers.k-ot = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" ];
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
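Review bot: The `fileSystems."/mnt/cephfs"` entry reads the ceph client key with `builtins.readFile("/etc/nixos/storage-secret.key")` and splices it into `options`, so the key is written into the world-readable Nix store (the generated fstab and mount unit) and shows up in `mount` output for every local user; the comment above says `secretfile` did not work, but a path-based `secretfile=` option pointing outside the store is what keeps the key private, so the cause of that failure is worth finding before this is merged. `networking.firewall.enable = false;` a few lines below the `allowedTCPPorts`/`allowedUDPPorts` lists makes those lists dead configuration and exposes samba, tftp and nginx on every interface; either drop the lists or keep the firewall on and remove the disable line. The hard-coded monitor `172.22.99.13:6789` is also flagged by the `# fixme` comments as provisional and is left unresolved by this commit.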


@ -0,0 +1,12 @@
<html>
<head><title>storage.hq.c3d2.de</title></head>
<body>
<h1>storage-ng</h1>
services available:
<ul>
<li><a href="/c3d2">c3d2 files http</a></li>
<li>SAMBA/Windows Access: storage-ng.hq.c3d2.de</li>
<li>tftp</li>
</ul>
</body>
</html>


@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
networking.hostName = "grafana";
networking.useNetworkd = true;
networking.defaultGateway = "172.22.99.4";
# Needs IPv4 for obtaining certs?
networking.useDHCP = lib.mkForce true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
];
# http https
networking.firewall.allowedTCPPorts = [ 80 443 ];
# collectd
networking.firewall.allowedUDPPorts = [ 25826 ];
services.caddy = {
enable = true;
agree = true;
config = ''
grafana.hq.c3d2.de
proxy / localhost:3000
'';
};
services.grafana = {
enable = true;
auth.anonymous = {
enable = true;
org_name = "Chaos";
};
users.allowSignUp = true;
};
services.influxdb =
let
collectdTypes = pkgs.stdenv.mkDerivation {
name = "collectd-types";
src = ./.;
buildInputs = [ pkgs.collectd ];
buildPhase = ''
mkdir -p $out/share/collectd
cat ${pkgs.collectd}/share/collectd/types.db >> $out/share/collectd/types.db
echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
'';
installPhase = ''
cp -r . $out
'';
};
in {
enable = true;
extraConfig = {
logging.level = "debug";
collectd = [{
enabled = true;
database = "collectd";
typesdb = "${collectdTypes}/share/collectd/types.db";
}];
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
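Review bot: `users.allowSignUp = true;` together with `auth.anonymous.enable = true;` lets anyone who can reach grafana.hq.c3d2.de register an account on an instance that already grants anonymous access, and nothing in this module restricts what a self-registered user can do; unless open registration is intended, set `users.allowSignUp = false;` and create users explicitly. The influxdb collectd listener is opened on UDP 25826 with no authentication-related setting in its `collectd` block, so any host that can reach the port can inject metrics — if that is acceptable on the HQ network, a comment saying so would help the next reader. `logging.level = "debug";` is noisy for a permanent deployment and looks like a leftover from bringing the service up.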


@ -0,0 +1,27 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[ ../../lib/lxc-container.nix
../../lib/shared.nix
];
networking.hostName = "nixbert"; # Define your hostname.
networking.useNetworkd = false;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim
];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}


@ -0,0 +1,3 @@
#!/usr/bin/env bash
nix-build -I nixos-config=./lxc-template.nix '<nixpkgs/nixos>' -A config.system.build.tarball


@ -0,0 +1,31 @@
{ config, pkgs, lib, ... }:
let
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;
in
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
"${tiggerGit}/module.nix"
];
networking.hostName = "mucbot";
networking.useNetworkd = true;
networking.defaultGateway = "172.22.99.4";
networking.useDHCP = lib.mkForce true;
services.tigger = {
enable = true;
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
muc = "c3d2@chat.c3d2.de/Astrobot";
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
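Review bot: `tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;` pulls an unpinned, unhashed tarball of a moving branch and imports its `module.nix` into the system configuration, so every rebuild evaluates whatever is on master at that moment and the host is neither reproducible nor protected against a compromised or hijacked upstream. Pin it to a reviewed commit and hash, e.g. `builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<REV>.tar.gz"; sha256 = "<SHA256>"; }` with both placeholders filled in. `password = import ../../../secrets/hosts/mucbot/jabber-password.nix;` is evaluated as a Nix string, so depending on how the tigger module consumes it the password may land in the world-readable Nix store — worth confirming against that module before relying on the secrets submodule to keep it private.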


@ -0,0 +1,52 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
./proxy.nix
];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 2;
nix.buildCores = lib.mkDefault 16;
boot.isContainer = true;
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
networking.hostName = "public-access-proxy";
networking.defaultGateway = { address = "172.22.99.4"; interface = "eth0"; };
# Set your time zone.
time.timeZone = "Europe/Berlin";
services.openssh = {
enable = true;
permitRootLogin = "yes";
ports = [ 1122 ];
};
my.services.proxy = {
enable = true;
proxyHosts = [
{
hostNames = [ "arkom.men" "c3d2.arkom.men" "test.arkom.men" ];
proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
}
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
system.stateVersion = "18.09"; # Did you read the comment?
}
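Review bot: `permitRootLogin = "yes";` on a host named public-access-proxy permits root logins with a password, since this module does not set `passwordAuthentication = false;` and NixOS leaves password authentication on by default; prefer `permitRootLogin = "prohibit-password";` with key-based access, or leave root login off and use the admin accounts. Moving sshd to port 1122 does not substitute for that. `nix.useSandbox = false;` weakens build isolation on the container and has no comment explaining why it is needed.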


@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.services.proxy;
in {
options.my.services.proxy = {
enable = mkOption {
default = false;
description = "whether to enable proxy";
type = types.bool;
};
proxyHosts = mkOption {
type = types.listOf (types.submodule (
{
options = {
hostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Proxy these hostNames.
'';
};
proxyTo = mkOption {
type = types.submodule (
{
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = {};
};
};
}));
default = [];
example = [
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
}
];
};
};
config = mkIf cfg.enable {
services.haproxy = {
enable = true;
config = ''
resolvers dns
nameserver quad9 9.9.9.9:53
hold valid 1s
frontend http-in
bind :::80 v4v6
default_backend proxy-backend-http
backend proxy-backend-http
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} resolvers dns check inter 1000
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
}
frontend https-in
bind :::443 v4v6
default_backend proxy-backend-https
backend proxy-backend-https
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} resolvers dns check inter 1000
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
}
'';
};
};
}
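Review bot: The `frontend https-in` / `backend proxy-backend-https` pair in the haproxy `config` string never sets `mode tcp`, so haproxy runs them in its default http mode while the `use-server ... if { req.ssl_sni -i ${hostname} }` rules test a layer-6 TLS fetch on bytes haproxy is parsing as plaintext HTTP; as far as I can tell this cannot match, and SNI passthrough needs `mode tcp` on both sides plus an inspect delay that waits for the ClientHello. Independently of that, when no `use-server` rule matches (an unlisted Host header or SNI) haproxy falls back to ordinary load balancing across all configured servers, so traffic for an unknown name is forwarded to an arbitrary proxied backend instead of being refused; a default deny for unmatched names would close that. `host` uses the deprecated `types.string` where the sibling option uses `types.str`, and the `httpsPort` description repeats "Port to forward http to.". The rewritten https section is below; the http section and the generated server lines are unchanged.
```nix
        frontend https-in
          mode tcp
          bind :::443 v4v6
          tcp-request inspect-delay 5s
          tcp-request content accept if { req.ssl_hello_type 1 }
          default_backend proxy-backend-https
        backend proxy-backend-https
          mode tcp
          # … unchanged: timeouts and generated use-server/server lines …
```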


@ -0,0 +1,71 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
c3d2 = {
isInHq = true;
hq.interface = "eth0";
};
networking = {
hostName = "radius";
interfaces.eth0.useDHCP = lib.mkForce true;
};
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 4;
boot.isContainer = true;
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
networking.hostName = "nixbert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.useNetworkd = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim
git freeradius
];
services.freeradius.enable = true;
services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";
services.openssh.enable = true;
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
system.extraSystemBuilderCmds =
''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
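Review bot: `networking.hostName` is defined twice in this module, as `"radius"` inside the `networking = { ... }` block and again on the standalone `networking.hostName = "nixbert"; # Define your hostname.` line; with equal priority NixOS rejects conflicting definitions of a string option, so one of them (the copied `nixbert` line, presumably) should go. `services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";` points FreeRADIUS at a git checkout under /root at runtime instead of a store path, so the service depends on that directory existing and on whatever is checked out there, and the shared secrets in it are protected only by the checkout's permissions rather than by the module; if keeping them out of the store is the intent, a comment stating that and the expected ownership/mode would help. `nix.useSandbox = false;` is also unexplained here.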


@ -0,0 +1,23 @@
#
# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
# Select between different accounting methods based for example on the
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
# pairs contained in an accounting packet.
#
#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
#
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
#
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
#
#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
# Replace the User-Name with the Stripped-User-Name, if it exists.
#
#DEFAULT
# User-Name := "%{Stripped-User-Name:-%{User-Name}}"


@ -0,0 +1,129 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
#
# This file contains security and configuration information
# for each realm. The first field is the realm name and
# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
# decide what attributes and/or values we allow proxy servers
# to pass to the NAS for this realm.
#
# When a proxy-reply packet is received from a home server,
# these attributes and values are tested. Only the first match
# is used unless the "Fall-Through" variable is set to "Yes".
# In that case the rules defined in the DEFAULT case are
# processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
#
# This is a complete entry for realm "fisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# o PPP sessions ( no SLIP, CSLIP, etc. )
# o dynamic ip assignment ( can't assign a static ip )
# o an idle timeout value set to 600 seconds (10 min) or less
# o a max session time set to 28800 seconds (8 hours) or less
#
#fisp
# Service-Type == Framed-User,
# Framed-Protocol == PPP,
# Framed-IP-Address == 255.255.255.254,
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
#
# This is a complete entry for realm "tisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# o Telnet sessions only ( no rlogin, tcp-clear )
# o Login hosts of either 192.168.1.1 or 192.168.1.2
#
#tisp
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
# Login-IP-Host == 192.168.1.1,
# Login-IP-Host == 192.168.1.2
#
# The following example can be used for a home server which is only
# allowed to supply a Reply-Message, a Session-Timeout attribute of
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
# Acct-Interim-Interval attribute between 300 and 3600.
# All other attributes sent back will be filtered out.
#
#strictrealm
# Reply-Message =* ANY,
# Session-Timeout <= 86400,
# Idle-Timeout <= 600,
# Acct-Interim-Interval >= 300,
# Acct-Interim-Interval <= 3600
#
# This is a complete entry for realm "spamrealm". Fall-Through is used,
# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force the application of Filter-ID attribute to be returned
# in the proxy reply, whether the proxy sent it or not.
# o The standard DEFAULT rules as defined below
#
#spamrealm
# Framed-Filter-Id := "nosmtp.in",
# Fall-Through = Yes
#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names. (except if the realm previously
# matched an entry with no Fall-Through)
#
DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
MS-CHAP-MPPE-Keys =* ANY,
State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Calling-Station-Id =* ANY,
Operator-Name =* ANY,
Port-Limit <= 2


@ -0,0 +1,19 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $
#
# This configuration file is used to remove almost all of the
# attributes From an Access-Challenge message. The RFC's say
# that an Access-Challenge packet can contain only a few
# attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY


@ -0,0 +1,17 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $
#
# This configuration file is used to remove almost all of the attributes
# From an Access-Reject message. The RFC's say that an Access-Reject
# packet can contain only a few attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
MS-CHAP-Error =* ANY,
Proxy-State =* ANY


@ -0,0 +1,15 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $
#
# This configuration file is used to remove almost all of the attributes
# From an Accounting-Response message. The RFC's say that an
# Accounting-Response packet can contain only a few attributes.
# We enforce that here.
#
DEFAULT
Vendor-Specific =* ANY,
Message-Authenticator =* ANY,
Proxy-State =* ANY


@ -0,0 +1,62 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $
#
# This file contains security and configuration information
# for each realm. It can be used be an rlm_attr_filter module
# instance to filter attributes before sending packets to the
# home server of a realm.
#
# When a packet is sent to a home server, these attributes
# and values are tested. Only the first match is used unless
# the "Fall-Through" variable is set to "Yes". In that case
# the rules defined in the DEFAULT case are processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# The first line indicates the realm to which the rules apply.
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# This is a complete entry for 'nochap' realm. It allows to send very
# basic attributes to the home server. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used. Only the listed attributes
# will be sent in the packet, all other attributes will be filtered out.
#
#nochap
# User-Name =* ANY,
# User-Password =* ANY,
# NAS-Ip-Address =* ANY,
# NAS-Identifier =* ANY
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
# if its value is different from 'Ethernet'. Then the default rules are
# applied.
#
#brokenas
# NAS-Port-Type == Ethernet
# Fall-Through = Yes
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
DEFAULT
User-Name =* ANY,
User-Password =* ANY,
CHAP-Password =* ANY,
CHAP-Challenge =* ANY,
MS-CHAP-Challenge =* ANY,
MS-CHAP-Response =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
State =* ANY,
NAS-IP-Address =* ANY,
NAS-Identifier =* ANY,
Proxy-State =* ANY


@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,3AD0523FFE8CE8B72DF17107DF07836B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-----END RSA PRIVATE KEY-----
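Review bot: A private key is being committed to the repository here, and a second encrypted RSA private key is added in a later section of this same commit (the one that ends with `-----END RSA PRIVATE KEY-----` after the DH parameters and certificate request); the same point applies to both. Both are passphrase-protected (`Proc-Type: 4,ENCRYPTED`, AES-256-CBC), but the passphrase is the only protection, and this commit's eap.conf sets `private_key_password = c3d2` in cleartext — if that is the passphrase for either key, anyone with read access to the repository holds a usable key, and git history keeps it even after a later removal. Treat key material that has reached a shared repository as compromised: regenerate the CA and server key pairs, and keep the new keys and their passphrase in secret storage that is deployed out-of-band into the FreeRADIUS `certdir`, leaving only the public certificates in the config tree.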


@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN DH PARAMETERS-----
MIGHAoGBAKNmmoE+doPb+VmQlXOqsXcVX5ciwWyf+QsdEVyyic6fZUMWbAvFwDN1
hnT5HbpWkCnwU5H27st8+SluOMGfjiwmhtn5TZqX1b0bOWH+UeT1iRLBaClZNNCx
MDWIVbk1cpnNszsMPGhjMrQwN06bZFPwFBS8+smgrDnQoN1BkPPjAgEC
-----END DH PARAMETERS-----
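Review bot: The DH parameters here are a 1024-bit group (the DER header `MIGHAoGB` encodes a 129-byte prime, i.e. 128 bytes plus a sign byte), which matches the `openssl dhparam -out certs/dh 1024` example quoted in eap.conf's comments but is below the 2048-bit minimum generally recommended for TLS key exchange today. Regenerating with `openssl dhparam -out certs/dh 2048` and updating the eap.conf comment to match would avoid a weak finite-field DH group being used for EAP-TLS/TTLS; with `cipher_list = "DEFAULT"` nothing else in eap.conf rules those suites out.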


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03
77B64GyVzF3TkltnC8nZaZENB1zCl626Bi3NcjpszsIw/LnOC8bn2MjiEQwoNXOI
GxcjUSyzB9v++/qMbvPIQ2hJXd7aayu0OWbLoFjyISqQDZhxMNwTlr0ZPppH2LoC
HXQV8BKSMkxN2SMNyLdZt6pfpKtyOBUKoy7jDCCiaTEamvGtGKyhgQZVpyPrz8lS
BFpUR2czPggFu8WsJ5jov7k7rEkuUMFvsNDRajRMwSzr9z6ESmEc9AavB9/t1TZ8
M9eEgp65QUBcDzDVvP05pjwF+4wgqabC41k3EMiA2LLlFIn5Bvamq1Sj3DLdWIQE
fzgw8NM2JRF3CZdFt/rAVoCIcpNx7kcWu8UCpdHYmlB+VwIYnrUWngT5kaMp2vvu
B235/QffgANfB560dIP4Z2CnZI1SLyhTJPLTmwO/XWOtuoQso5nfxtHNq/IwrUA1
jxedKG9AkBQQPsHAErZnxoFotK//zyggx6S41SjnMFWr1PrscU3mA+A+UvwLP7Bu
gmw1oIDWL3sZ5B7KQJ2FC6ryjyoQiSI/AK8Gk0Ryhf1oUhgguxUDnWSKqrxEoeHJ
S635pYjlDVyhU3ct9BWbFBOzdYPZBIQHPfB/lvmbl6lsFA5oOgCvZHDrBSytiSIc
0k5cjhhQanvPRVu8ulIiHNnMFGuvX1rzh0im4IrITK7YtHj65I1gCIU4gFrfXk6T
QtPZoaa5F4VV5BdyljF7t+yFzVthrbPb/MVjWJgC4j40fICmA8x5TTl//HGg41AN
yJcn3295GlTQ/EagxEfWAiy38+1IGwTsNFFHxaTYGoIMON06HTegFH39MmTOBl2G
mmk4d+m/A3KEZ1Le16xZCc7QjQRwMUMzHk4w3FfvkKSDj4Li8xFbKv4zUrXx++Q7
mm5owtMWrit7bAbDli9hpGe+AsQGXIsHPC3i/wsm64niWiTcBK3TO5sF/3n0nNVb
MkdVA9OaBpXG8XjHdK62HylaOHpyNB7kEhRjcTT2EKZZ10DcQpPDvJhx8lkvauww
ubVZHBPqIXdI/L7H/6hqyxe0S0IPtoQpgEr/1lyUWQZtiDyFrQ1ySCY1HGwXtmWa
fUP6TyZQogdND8GhzhEFY4J/FWUM8k5VowzuxYnUGEKKERDwDaQwNRoi+L9fiiKh
nNmTOHCIoxCfN9+H8sVtPiliPr1x4G3aeegsEJfKnmDP5gyj02tOYb2IpqhSsdCZ
qXQ2AuUq42dq5YeQA0KVRD6hiK9L+sO5BSCrr2dtF6SAK+00/CL42EP2ee+C65kW
ksxGssmtGrcjcIW9niHx9acGTgDJ6nBK9zawQkNkF8pr8GUNyAsY5+nGy3H4EsO0
XtszaUyT/xnSwZV+OGLIRP10lCiWPtU+Axay3DjUrxmbzzWZ3XmIbNRrYN2gxZ3b
eA1QJE2kFwmZfngDqTu9uACHINwegj9juCDCOHLYF3shiOgqEsRypCaTYfZKoZY6
feelUSD5Xs86ezKO2KxU1Pan9pZCnKUtJ+lpmlqyQIB+DEKJpNabHIXECMIwnxzK
ftpahPFJDFWqguh1BeFZTCtb9qlDcXLMFac9aTMoK5KWQ3ed9gucvKHUm6G57zB8
-----END RSA PRIVATE KEY-----


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,247 @@
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 127.0.0.1
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = testing123
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# juniper
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
### ### ### C3D2 ### ### ###
client any {
ipaddr 0.0.0.0/0
secret = public
nastype = other
require_message_authenticator = no
}
### ### ### C3D2 ### ### ###
# EOF
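Review bot: The `client any { … }` block added at the end accepts RADIUS from every source address (`0.0.0.0/0`) with the shared secret `public` and `require_message_authenticator = no`, so any host that can reach the server's UDP ports can submit Access-Request and Accounting packets, and because the shared secret is also what protects the MS-MPPE keying material in Access-Accept, a guessable secret lets anyone observing the AP-to-RADIUS path recover the resulting WPA session keys even though the EAP exchange itself is intentionally "authless". Restrict `ipaddr` to the access points' addresses or network, use a random secret kept outside the repository, and set `require_message_authenticator = yes` for EAP-capable clients. Also, `ipaddr 0.0.0.0/0` lacks the `=` every other directive in this file uses (`ipaddr = 0.0.0.0/0`); I would expect the FreeRADIUS config parser to reject that line, so it is worth confirming the block loads at all. The stock `localhost` client above it still carries the upstream default `secret = testing123`, which the file's own comment says must be changed.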


@ -0,0 +1,32 @@
#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
#
#
# The filename given here should be an absolute path.
#
$INCLUDE /usr/share/freeradius/dictionary
#
# Place additional attributes or $INCLUDEs here. They will
# over-ride the definitions in the pre-defined dictionaries.
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer


@ -0,0 +1,688 @@
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = ttls
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
#
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. For simplicity,
# this is taken from the "max_requests" directive in
# radiusd.conf.
max_sessions = ${max_requests}
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls {
#
# These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = c3d2
private_key_file = ${certdir}/server.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = /dev/urandom
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
CA_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-Issuer attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-CN attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# As part of checking a client certificate, the EAP-TLS
# sets some attributes such as TLS-Client-Cert-CN. This
# virtual server has access to these attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
# This command creates the initial "snake oil"
# certificates when the server is run as root,
# and via "radiusd -X".
#
# As of 2.1.11, it *also* checks the server
# certificate for validity, including expiration.
# This means that radiusd will refuse to start
# when the certificate has expired. The alternative
# is to have the 802.1X clients refuse to connect
# when they discover the certificate has expired.
#
# Debugging client issues is hard, so it's better
# for the server to print out an error message,
# and refuse to start.
#
make_cert_command = "${certdir}/bootstrap"
#
# Elliptical cryptography configuration
#
# Only for OpenSSL >= 0.9.8.f
#
ecdh_curve = "prime256v1"
#
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
cache {
#
# Enable it. The default is "no".
# Deleting the entire "cache" subsection
# Also disables caching.
#
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT
# enable resumption for just one user
# by setting the above attribute to "yes".
#
enable = no
#
# Lifetime of the cached entries, in hours.
# The sessions will be deleted after this
# time.
#
lifetime = 24 # hours
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
max_entries = 255
}
#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
verify {
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
# tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..CA_path} text is a reference to
# the CA_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
}
#
# OCSP Configuration
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
# new Certificate Revokation Lists (CRLs).
#
ocsp {
#
# Enable it. The default is "no".
# Deleting the entire "ocsp" subsection
# Also disables ocsp checking
#
enable = no
#
# The OCSP Responder URL can be automatically
# extracted from the certificate in question.
# To override the OCSP Responder URL set
# "override_cert_url = yes".
#
override_cert_url = yes
#
# If the OCSP Responder address is not
# extracted from the certificate, the
# URL can be defined here.
#
# Limitation: Currently the HTTP
# Request is not sending the "Host: "
# information to the web-server. This
# can be a problem if the OCSP
# Responder is running as a vhost.
#
url = "http://127.0.0.1/ocsp/"
#
# If the OCSP Responder can not cope with nonce
# in the request, then it can be disabled here.
#
# For security reasons, disabling this option
# is not recommended as nonce protects against
# replay attacks.
#
# Note that Microsoft AD Certificate Services OCSP
# Responder does not enable nonce by default. It is
# more secure to enable nonce on the responder than
# to disable it in the query here.
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
#
# use_nonce = yes
#
# Number of seconds before giving up waiting
# for OCSP response. 0 uses system default.
#
# timeout = 0
#
# Normally an error in querying the OCSP
# responder (no response from server, server did
# not understand the request, etc) will result in
# a validation failure.
#
# To treat these errors as 'soft' failures and
# still accept the certificate, enable this
# option.
#
# Warning: this may enable clients with revoked
# certificates to connect if the OCSP responder
# is not available. Use with caution.
#
# softfail = no
}
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = md5
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This has the same meaning as the
# same field in the "tls" module, above.
# The default value here is "yes".
# include_length = yes
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
#
# If is still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
#
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.
#
# send_error = no
}
}


@ -0,0 +1,450 @@
#
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but should have no real effect as long
# it is not referencened in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
dbm {
usersfile = ${confdir}/users_db
}
#
# Perform NT-Domain authentication. This only works
# with PAP authentication. That is, Authentication-Request
# packets containing a User-Password attribute.
#
# To use it, add 'smb' into the 'authenticate' section,
# and then in another module (usually the 'users' file),
# set 'Auth-Type := SMB'
#
# WARNING: this module is not only experimental, it's also
# a security threat. It's not recommended to use it until
# it gets fixed.
#
smb {
server = ntdomain.server.example.com
backup = backup.server.example.com
domain = NTDOMAIN
}
# See doc/rlm_fastusers before using this
# module or changing these values.
#
fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
compat = no
# Reload the hash every 600 seconds (10mins)
hash_reload = 600
}
# Caching module
#
# Should be added in the post-auth section (after all other modules)
# and in the authorize section (before any other modules)
#
# authorize {
# caching {
# ok = return
# }
# [... other modules ...]
# }
# post-auth {
# [... other modules ...]
# caching
# }
#
# The caching module will cache the Auth-Type and reply items
# and send them back on any subsequent requests for the same key
#
# Configuration:
#
# filename: The gdbm file to use for the cache database
# (can be memory mapped for more speed)
#
# key: A string to xlat and use as a key. For instance,
# "%{Acct-Unique-Session-Id}"
#
# post-auth: If we find a cached entry, set the post-auth to that value
#
# cache-ttl: The time to cache the entry. The same time format
# as the counter module apply here.
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed.
# e.g. 1d == one day
#
# cache-size: The gdbm cache size to request (default 1000)
#
# hit-ratio: If set to non-zero we print out statistical
# information after so many cache requests
#
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
#
caching {
filename = ${db_dir}/db.cache
cache-ttl = 1d
hit-ratio = 1000
key = "%{Acct-Unique-Session-Id}"
#post-auth = ""
# cache-size = 2000
# cache-rejects = yes
}
# Simple module for logging of Account packets to radiusd.log
# You need to declare it in the accounting section for it to work
acctlog {
acctlog_update = ""
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
}
# Another implementation of the EAP module.
#
# This module requires the libeap.so file from the hostap
# software (http://hostap.epitest.fi/hostapd/). It has been
# tested on the development version of hostapd (0.6.1) ONLY.
#
# In order to use it, you MUST build a "libeap.so" in hostapd,
# which is not done by default.
#
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
# to point to the location of the hostap include files.
#
# This module CANNOT be used in the same way as the current
# FreeRADIUS "eap" module. There is NO way to look inside of
# a tunneled request. There is NO way to proxy a tunneled
# request. There is NO way to even look at the user name inside
# of the tunneled request. There is NO way to control the
# choice of EAP types inside of the tunnel. You MUST force
# the server to choose "eap2" for authentication, because this
# module has no "authorize" section.
#
# If you want to use this module for experimentation, please
# post your comments to the freeradius-devel list:
#
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
#
# If you want to use this module in a production (i.e. real-world)
# environment:
#
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
#
# The module needs additional work to make it ready for
# production use.. Please supply patches, or sponsor the
# work by hiring a developer. Do NOT ask when the work will
# be done, because there is no plan to finish this module
# unless there is demand for it.
#
eap2 {
# EAP types are chosen in the order that they are
# listed in this section. There is no "default_eap_type"
# as with rlm_eap. Instead, the *first* EAP type is
# used as the default type.
#
peap {
}
ttls {
}
# This is the ONLY EAP type that has any configuration.
# All other EAP types have no configuration.
#
tls {
ca_cert = ${confdir}/certs/ca.pem
server_cert = ${confdir}/certs/server.pem
private_key_file = ${confdir}/certs/server.pem
private_key_password = whatever
}
#
# These next two methods do not supply keying material.
#
md5 {
}
mschapv2 {
}
fast {
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
eap_fast_a_id = xxxxxx
eap_fast_a_id_info = my_server
eap_fast_prov = 3
pac_key_lifetime = 604800 # 7 days
pac_key_refresh_tim = 86400
}
# LEAP is NOT supported by this module.
# Use the "eap" module instead.
# For other methods that MIGHT work, see the
# configuration of hostap. The methods are statically
# linked in at compile time, and cannot be controlled
# here.
}
# Configuration for experimental EAP types. The sub-sections
# can be copied into eap.conf.
eap {
ikev2 {
# Server auth type
# Allowed values are:
# cert - for certificate based server authentication,
# other required settings for this type are
# 'private_key_file' and 'certificate_file'
# secret - for shared secret based server authentication,
# other required settings for this type is 'id'
# Default value of this option is 'secret'
# server_authtype=cert
# Allowed default client auth types
# Allowed values are:
# secret - for shared secret based client authentication
# cert - for certificate based client authentication
# both - shared secret and certificate is allowed
# none - authentication will always fail
# Default value for this option is 'both'. This option could
# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
# option.
# default_authtype = both
# path to trusted CA certificate file
CA_file="/path/to/CA/cacert.pem"
# path to CRL file, if not set, then there will be no
# checks against CRL
# crl_file="/path/to/crl.pem"
# path to file with user settings
#
# Note that this file is read ONLY on module initialization!
#
# default ${confdir}/eap_ikev2_users
# usersfile=${confdir}/eap_ikev2_users
#
# Sample "eap_ikev2_users" file entry:
#
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
## where:
## username - client user name from IKE-AUTH (IDr) or CommonName
## from x509 certificate
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
## allowable attributes for EAP-IKEv2-IDType:
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
## DER_ASN1_GN KEY_ID
## EAP-IKEv2-Secret - shared secret
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
## type. Allowed values are: secret,cert,both,none.
## For the meaning of this values, please see the
## description of 'default_authtype'.
## This attribute can overwrite 'default_authtype' value.
# path to file with server private key
private_key_file="/path/to/srv-private-key.pem"
# password to private key file
private_key_password="passwd"
# path to file with server certificate
certificate_file="/path/to/srv-cert.pem"
# server identity string
id="deMaio"
# Server identity type. Allowed values are:
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
# KEY_ID
# Default value is: KEY_ID
# id_type = KEY_ID
# MTU (default: 1398)
# fragment_size = 1398
# maximal allowed number of resends SA_INIT after receiving
# 'invalid KEY' notification (default 3)
# DH_counter_max = 3
# option which is used to control whenever send CERT REQ
# payload or not.
# Allowed values for this option are "yes" or "no".
#Default value is "no".
# certreq = "yes"
# option which cotrols fast reconnect capability.
# Allowed valuse for this option are "yes" or "no".
# Default value is "yes".
# enable_fast_reauth = "no"
# option which is used to control performing of DH exchange
# during fast rekeying protocol run.
# Allowed values for this option are "yes" or "no".
# Default value is "no"
# fast_DH_exchange = "yes"
# Option which is used to set up expiration time of inactive
# IKEv2 session.
# After selected period of time (in seconds), inactive
# session data will be deleted.
# Default value of this option is set to 900 seconds
# fast_timer_expire = 900
# list of server proposals of available cryptographic
# suites
proposals {
# proposal number #1
proposal {
# Supported transforms types: encryption,
# prf, integrity, dhgroup. For multiple
# transforms just simple repeat key (i.e.
# integity).
# encryption algorithm
# supported algorithms:
# null,3des,aes_128_cbc,aes_192_cbc,
# aes_256_cbc,idea
# blowfish:n, where n range from 8 to 448 bits,
# step 8 bits
# cast:n, where n range from 40 to 128 bits,
# step 8 bits
encryption = 3des
# pseudo random function. Supported prf's:
# hmac_md5, hmac_sha1, hmac_tiger
prf = hmac_sha1
# integrity algorithm. Supported algorithms:
# hmac_md5_96, hmac_sha1_96,des_mac
integrity = hmac_sha1_96
integrity = hmac_md5_96
# Diffie-Hellman groups:
# modp768, modp1024, modp1536, modp2048,
# modp3072, modp4096, modp6144, modp8192
dhgroup = modp2048
}
# proposal number #2
proposal {
encryption = 3des
prf = hmac_md5
integrity = hmac_md5_96
dhgroup = modp1024
}
# proposal number #3
proposal {
encryption=3des
prf=hmac_md5
integrity=hmac_md5_96
dhgroup=modp2048
}
}
}
}
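Review bot: This file is committed with live-looking example secrets — `private_key_password = whatever` in eap2/tls, `pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f` in eap2/fast, and `private_key_password="passwd"` / `id="deMaio"` in eap/ikev2 — and they become real credentials the moment radiusd.conf includes this file, which is not visible from this section. The header states these modules are not built by default, and the `smb` block's own comment calls the module a security threat, so the cleaner option is to drop the file from the deployed tree, or at least blank the key/password values and source real ones from the secrets submodule. Two smaller points in the same file: `pac_key_lifetime = 604800 # 7 days` relies on a trailing comment on a value line, which the portable form avoids (move it to its own line above), and the third ikev2 `proposal` uses `key=value` while the rest of the file uses `key = value`.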


@ -0,0 +1,77 @@
# hints
#
# The hints file. This file is used to match
# a request, and then add attributes to it. This
# process allows a user to login as "bob.ppp" (for example),
# and receive a PPP connection, even if the NAS doesn't
# ask for PPP. The "hints" file is used to match the
# ".ppp" portion of the username, and to add a set of
# "user requested PPP" attributes to the request.
#
# Matching can take place with the the Prefix and Suffix
# attributes, just like in the "users" file.
# These attributes operate ONLY on the username, though.
#
# Note that the attributes that are set for each
# entry are _NOT_ passed back to the terminal server.
# Instead they are added to the information that has
# been _SENT_ by the terminal server.
#
# This extra information can be used in the users file to
# match on. Usually this is done in the DEFAULT entries,
# of which there can be more than one.
#
# In addition a matching entry can transform a username
# for authentication purposes if the "Strip-User-Name"
# variable is set to Yes in an entry (default is Yes).
#
# A special non-protocol name-value pair called "Hint"
# can be set to match on in the "users" file.
#
# The following is how most ISPs want to set this up.
#
# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
#
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
Hint = "PPP",
Service-Type = Framed-User,
Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
Hint = "SLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
Hint = "CSLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
######################################################################
#
# These entries are old, and commented out by default.
# They confuse too many people when "Peter" logs in, and the
# server thinks that the user "eter" is asking for PPP.
#
#DEFAULT Prefix == "U", Strip-User-Name = No
# Hint = "UUCP"
#DEFAULT Prefix == "P", Strip-User-Name = Yes
# Hint = "PPP",
# Service-Type = Framed-User,
# Framed-Protocol = PPP
#DEFAULT Prefix == "S", Strip-User-Name = Yes
# Hint = "SLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP
#DEFAULT Prefix == "C", Strip-User-Name = Yes
# Hint = "CSLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP,
# Framed-Compression = Van-Jacobson-TCP-IP


@ -0,0 +1,46 @@
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
# the NAS and possibly a port range. Port can be identified
# as just one port, or a range (from-to), and multiple ports
# or ranges of ports must be seperated by a comma. For
# example: 1,2,3-8
#
# Matching is done while RADIUS scans the user file; if it
# includes the selection criterium "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
#
# This file can also be used to define restricted access
# to certain huntgroups. The second and following lines
# define the access restrictions (based on username and
# UNIX usergroup) for the huntgroup.
#
#
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
# called Alphen that matches on all three terminal servers.
#
#alphen NAS-IP-Address == 192.168.2.5
#alphen NAS-IP-Address == 192.168.2.6
#alphen NAS-IP-Address == 192.168.2.7
#
# The POP in Delft consists of only one terminal server.
#
#delft NAS-IP-Address == 192.168.3.5
#
# Ports 0-7 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
# User-Name = rogerl,
# User-Name = henks,
# Group = business,
# Group = staff


@ -0,0 +1,76 @@
#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
# ItemType RADIUS-Attribute-Name ldapAttributeName [operator]
#
# Where:
# ItemType = checkItem or replyItem
# RADIUS-Attribute-Name = attribute name in RADIUS dictionary
# ldapAttributeName = attribute name in LDAP schema
# operator = optional, and may not be present.
# If not present, defaults to "==" for checkItems,
# and "=" for replyItems.
# If present, the operator here should be one
# of the same operators as defined in the "users"3
# file ("man users", or "man 5 users").
# If an operator is present in the value of the
# LDAP entry (i.e. ":=foo"), then it over-rides
# both the default, and any operator given here.
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem Auth-Type radiusAuthType
checkItem Simultaneous-Use radiusSimultaneousUse
checkItem Called-Station-Id radiusCalledStationId
checkItem Calling-Station-Id radiusCallingStationId
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword
checkItem LM-Password dBCSPwd
checkitem Password-With-Header userPassword
checkItem SMB-Account-CTRL-TEXT acctFlags
checkItem Expiration radiusExpiration
checkItem NAS-IP-Address radiusNASIpAddress
replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute
replyItem Framed-Routing radiusFramedRouting
replyItem Filter-Id radiusFilterId
replyItem Framed-MTU radiusFramedMTU
replyItem Framed-Compression radiusFramedCompression
replyItem Login-IP-Host radiusLoginIPHost
replyItem Login-Service radiusLoginService
replyItem Login-TCP-Port radiusLoginTCPPort
replyItem Callback-Number radiusCallbackNumber
replyItem Callback-Id radiusCallbackId
replyItem Framed-IPX-Network radiusFramedIPXNetwork
replyItem Class radiusClass
replyItem Session-Timeout radiusSessionTimeout
replyItem Idle-Timeout radiusIdleTimeout
replyItem Termination-Action radiusTerminationAction
replyItem Login-LAT-Service radiusLoginLATService
replyItem Login-LAT-Node radiusLoginLATNode
replyItem Login-LAT-Group radiusLoginLATGroup
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
replyItem Port-Limit radiusPortLimit
replyItem Login-LAT-Port radiusLoginLATPort
replyItem Reply-Message radiusReplyMessage
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId


@ -0,0 +1,17 @@
# -*- text -*-
#
# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}


@ -0,0 +1,31 @@
# -*- text -*-
#
# $Id: c28187f05d4f0416442203b016feb7e2b818716f $
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}


@ -0,0 +1,48 @@
# -*- text -*-
#
# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}


@ -0,0 +1,46 @@
# -*- text -*-
#
# $Id: 8fb93224288061781980a156d541f5283abee1a0 $
# rewrite arbitrary packets. Useful in accounting and authorization.
#
# As of 2.0, much of the functionality of this module is in "unlang".
# You should probably investigate using that before trying to use
# the "attr_rewrite" module.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy,
# proxy_reply or config).
#
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported.
# %{0} will contain the string the whole match
# %{1} to %{8} will contain the contents of the 1st to
# the 8th parentheses
#
# If max_matches is greater than one, the backreferences will
# correspond to the first attributed that matched.
#
attr_rewrite sanecallerid {
attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
searchin = packet
searchfor = "[+ ]"
replacewith = ""
ignore_case = no
new_attribute = no
max_matches = 10
## If set to yes then the replace string will be
## appended to the original string
append = no
}


@ -0,0 +1,77 @@
# -*- text -*-
#
# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $
#
# A module to cache attributes. The idea is that you can look
# up information in a database, and then cache it. Repeated
# requests for the same information will then have the cached
# values added to the request.
#
# The module can cache a fixed set of attributes per key.
# It can be listed in "authorize", "post-auth", "pre-proxy"
# and "post-proxy".
#
# If you want different things cached for authorize and post-auth,
# you will need to define two instances of the "cache" module.
#
# The module returns "ok" if it found a cache entry.
# The module returns "updated" if it added a new cache entry.
# The module returns "noop" if it did nothing.
#
cache {
# The key used to index the cache. It is dynamically expanded
# at run time.
key = "%{User-Name}"
# The TTL of cache entries, in seconds. Entries older than this
# will be expired.
#
# You can set the TTL per cache entry, but adding a control
# variable "Cache-TTL". The value there will over-ride this one.
# Setting a Cache-TTL of 0 means "delete this entry".
#
# This value should be between 10 and 86400.
ttl = 10
# A timestamp used to flush the cache, via
#
# radmin -e "set module config cache epoch 123456789"
#
# Where last value is a 32-bit Unix timestamp. Cache entries
# older than this are expired, and new entries added.
#
# You should ALWAYS leave it as "epoch = 0" here.
epoch = 0
# The module can also operate in status-only mode where it will
# not add new cache entries, or merge existing ones.
#
# To enable set the control variable "Cache-Status-Only" to "yes"
# The module will return "ok" if it found a cache entry.
# The module will return "notfound" if it failed to find a cache entry,
# or the entry had expired.
#
# Note: expired entries will still be removed.
# If yes the following attributes will be added to the request list:
# * Cache-Entry-Hits - The number of times this entry has been
# retrieved.
add-stats = no
# The list of attributes to cache for a particular key.
# Each key gets the same set of cached attributes.
# The attributes are dynamically expanded at run time.
#
# You can specify which list the attribute goes into by
# prefixing the attribute name with the list. This allows
# you to update multiple lists with one configuration.
#
# If no list is specified the request list will be updated.
update {
# list:Attr-Name
reply:Reply-Message += "I'm the cached reply from %t"
control:Class := 0x010203
}
}
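Review bot: The `update` block at the end of `cache` still carries the upstream demo entries `reply:Reply-Message += "I'm the cached reply from %t"` and `control:Class := 0x010203`; if this instance is listed in any authorize or post-auth section, every matching request gets that Reply-Message and Class attached to its reply. Whether `cache` is referenced from a virtual server is not visible in this section, so this may be inert today, but it is a surprising default to leave in place. Either empty the block to `update { }` or replace the two lines with the attributes you actually want cached under `key = "%{User-Name}"`.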


@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
# no configuration
}


@ -0,0 +1,44 @@
# -*- text -*-
#
# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $
# A simple value checking module
#
# As of 2.0, much of the functionality of this module is in "unlang".
# You should probably investigate using that before trying to use
# the "checkval" module.
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}


@ -0,0 +1,82 @@
# -*- text -*-
#
# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add
# the value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply-name is
# set, we send back that attribute. The reply-name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $
#
# Write Chargeable-User-Identity to the database.
#
# Schema raddb/sql/mysql/cui.sql
# Queries raddb/sql/mysql/cui.conf
#
sql cui {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "db_login_name"
password = "db_password"
radius_db = "db_name"
# sqltrace = yes
# sqltracefile = ${logdir}/cuitrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
cui_table = "cui"
sql_user_name = "%{User-Name}"
#$INCLUDE sql/${database}/cui.conf
}
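Review bot: The database credentials at `login = "db_login_name"` / `password = "db_password"` (and `server = "localhost"`) are the upstream placeholder values, and the query include at `#$INCLUDE sql/${database}/cui.conf` is commented out, so this `sql cui` instance cannot work as committed. If it is not listed in any virtual server, a one-line comment saying so would keep someone from wiring it up as-is; if it is meant to be used, the real login and password should come from a secrets mechanism rather than this tracked file, and the `$INCLUDE` uncommented. `num_sql_socks = 5` and `connect_failure_retry_delay = 60` are reasonable for a low-volume RADIUS host.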


@ -0,0 +1,93 @@
# -*- text -*-
#
# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
#
# If you are using radrelay, delete the above line for "detailfile",
# and use this one instead:
#
# detailfile = ${radacctdir}/detail
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = freerad
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customized by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}


@ -0,0 +1,27 @@
# -*- text -*-
#
# Detail file writer, used in the following examples:
#
# raddb/sites-available/robust-proxy-accounting
# raddb/sites-available/decoupled-accounting
#
# Note that this module can write detail files that are read by
# only ONE "listen" section. If you use BOTH of the examples
# above, you will need to define TWO "detail" modules.
#
# e.g. detail1.example.com && detail2.example.com
#
#
# We write *multiple* detail files here. They will be processed by
# the detail "listen" section in the order that they were created.
# The directory containing these files should NOT be used for any
# other purposes. i.e. It should have NO other files in it.
#
# Writing multiple detail enables the server to process the pieces
# in smaller chunks. This helps in certain catastrophic corner cases.
#
# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
#
detail detail.example.com {
detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
}


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
}
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
detailperm = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
detailperm = 0600
}
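Review bot: `pre_proxy_log` leaves its `suppress { User-Password }` block commented out even though the comment directly above it says the file would otherwise contain user passwords, while `auth_log` in the same file does suppress it, so the two instances are inconsistent. Uncommenting the three lines `suppress {` / `User-Password` / `}` under `pre_proxy_log` costs nothing and keeps cleartext passwords out of the proxied-request log. If this server never proxies requests, a comment saying so would explain why the block was left as shipped rather than looking like an oversight. `detailperm = 0600` on all four instances is correct and should stay.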


@ -0,0 +1,33 @@
## Configuration for DHCP to use SQL IP Pools.
##
## See sqlippool.conf for common configuration explanation
##
## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
sqlippool dhcp_sqlippool {
sql-instance-name = "sql"
ippool_table = "radippool"
lease-duration = 7200
# Client's MAC address is mapped to Calling-Station-Id in policy.conf
pool-key = "%{Calling-Station-Id}"
# For now, it only works with MySQL.
# This line is commented by default to enable clean startup when you
# don't have freeradius-mysql installed. Uncomment this line if you
# use this module.
#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}


@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}


@ -0,0 +1,32 @@
# -*- text -*-
#
# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
# This module loads RADIUS clients as needed, rather than when the server
# starts.
#
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
# 1) link raddb/sites-enabled/dyanmic_clients to
# raddb/sites-available/dyanmic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# 3) uncomment the "directory" entry in that client definition
#
# 4) list "dynamic_clients" in the "authorize" section of the
# "dynamic_clients' virtual server. The default example already
# does this.
#
# 5) put files into the above directory, one per IP.
# e.g. file "192.168.1.1" should contain a normal client definition
# for a client with IP address 192.168.1.1.
#
# For more documentation, see the file:
#
# raddb/sites-available/dynamic-clients
#
dynamic_clients {
}


@ -0,0 +1,123 @@
# -*- text -*-
#
# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}


@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
# attribute for every group that the user is member of.
#
# You will have to define the Etc-Group-Name in the 'dictionary' file
# as a 'string' type.
#
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means that you CANNOT use Group or Group-Name to do any other
# kind of grouping in the server. You MUST define a new group
# attribute.
#
# i.e. this module should NOT be used as-is, but should be edited to
# point to a different group file.
#
passwd etc_group {
filename = /etc/group
format = "=Etc-Group-Name:::*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}


@ -0,0 +1,30 @@
# -*- text -*-
#
# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in "man unlang" and in doc/variables.txt
#
# See also "echo" for more sample configuration.
#
exec {
wait = no
input_pairs = request
shell_escape = yes
output = none
timeout = 10
}


@ -0,0 +1,19 @@
# -*- text -*-
#
# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
#
# The Reply-Message which will be sent back in case the
# account has expired. Dynamic substitution is supported
#
reply-message = "Password Has Expired\r\n"
#reply-message = "Your account has expired, %{User-Name}\r\n"
}


@ -0,0 +1,20 @@
# -*- text -*-
#
# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'expr' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The module also registers a few paircompare functions
expr {
}


@ -0,0 +1,46 @@
# -*- text -*-
#
# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $
# Livingston-style 'users' file
#
files {
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# An example which defines a second instance of the "files" module.
# This instance is named "second_files". In order for it to be used
# in a virtual server, it needs to be listed as "second_files"
# inside of the "authorize" section (or other section). If you just
# list "files", that will refer to the configuration defined above.
#
# The two names here mean:
# "files" - this is a configuration for the "rlm_files" module
# "second_files" - this is a named configuration, which isn't
# the default configuration.
files second_files {
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
# The names here don't matter. They just need to be different
# from the names for the "files" configuration above. If they
# are the same, then this configuration will end up being the
# same as the one above.
usersfile = ${confdir}/second_users
acctusersfile = ${confdir}/second_acct_users
preproxy_usersfile = ${confdir}/second_preproxy_users
}


@ -0,0 +1,161 @@
# -*- text -*-
#
# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
#
# Sample configuration for an EAP module that occurs *inside*
# of a tunneled method. It is used to limit the EAP types that
# can occur inside of the inner tunnel.
#
# See also raddb/sites-available/inner-tunnel
#
# To use this module, edit raddb/sites-available/inner-tunnel, and
# replace the references to "eap" with "inner-eap".
#
# See raddb/eap.conf for full documentation on the meaning of the
# configuration entries here.
#
eap inner-eap {
# This is the best choice for PEAP.
default_eap_type = mschapv2
timer_expire = 60
# This should be the same as the outer eap "max sessions"
max_sessions = 2048
# Supported EAP-types
md5 {
}
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
auth_type = PAP
}
mschapv2 {
}
# No TTLS or PEAP configuration should be listed here.
## EAP-TLS
#
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
#
tls {
#
# These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path = /path/to/directory/with/ca_certs/and/crls/
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# The session resumption / fast reauthentication
# cache CANNOT be used for inner sessions.
#
}
}
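Review bot: `private_key_password = whatever` and `private_key_file = ${certdir}/server.pem` in the inner `tls {}` block are the upstream sample values (`whatever` appears to be the passphrase used by the FreeRADIUS sample certificate scripts), and the file itself warns a few lines earlier that the inner method SHOULD use different certificates from the outer EAP. If inner EAP-TLS is not intended, the safest change is to delete the whole `tls {}` subsection, which the comment at `CA_file` already recommends and which removes the possibility of any client certificate issued by `${cadir}/ca.pem` authenticating inside the tunnel; if it is intended, the passphrase and key should come from a secrets mechanism and the hint `openssl dhparam -out certs/dh 1024` should become `2048`. `cipher_list = "DEFAULT"` could be tightened once the supplicant population is known, and `check_crl` staying commented is acceptable only while client certificates are not used.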


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {
# range-start,range-stop:
# The start and end ip addresses for this pool.
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask:
# The network mask used for this pool.
netmask = 255.255.255.0
# cache-size:
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache-size = 800
# session-db:
# The main db file used to allocate addresses.
session-db = ${db_dir}/db.ippool
# ip-index:
# Helper db index file used in multilink
ip-index = ${db_dir}/db.ipindex
# override:
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# with a Framed-IP-Address assigned here.
override = no
# maximum-timeout:
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum-timeout = 0
# key:
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
#key = "%{NAS-IP-Address} %{NAS-Port}"
}


@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
#
# Kerberos. See doc/rlm_krb5 for minimal docs.
#
krb5 {
keytab = /path/to/keytab
service_principal = name_of_principle
}


@ -0,0 +1,197 @@
# -*- text -*-
#
# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "ldap.your.domain"
#identity = "cn=admin,o=My Org,c=UA"
#password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# How many times the connection can be used before
# being re-established. This is useful for things
# like load balancers, which may exhibit sticky
# behaviour without it. (0) is unlimited.
max_uses = 0
# Port to connect on, defaults to 389. Setting this to
# 636 will enable LDAPS if start_tls (see below) is not
# able to be used.
#port = 389
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
#
# Keepalive configuration. This MAY NOT be supported by your
# LDAP library. If these configuration entries appear in the
# output of "radiusd -X", then they are supported. Otherwise,
# they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}


@ -0,0 +1,105 @@
# -*- text -*-
#
# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
#
# The "linelog" module will log one line of text to a file.
# Both the filename and the line of text are dynamically expanded.
#
# We STRONGLY suggest that you do not use data from the
# packet as part of the filename.
#
linelog {
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = ${logdir}/linelog
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = 0600
#
# The Unix group of the log file.
#
# The user that freeradius runs as must be in the specified
# group, otherwise it will not be possible to set the group.
#
# group = freerad
#
# If logging via syslog, the facility can be set here. Otherwise
# the syslog_facility option in radiusd.conf will be used.
#
# syslog_facility = daemon
#
# The default format string.
format = "This is a log message for %{User-Name}"
#
# This next line can be omitted. If it is omitted, then
# the log message is static, and is always given by "format",
# above.
#
# If it is defined, then the string is dynamically expanded,
# and the result is used to find another configuration entry
# here, with the given name. That name is then used as the
# format string.
#
# If the configuration entry cannot be found, then no log
# message is printed.
#
# i.e. You can have many log messages in one "linelog" module.
# If this two-step expansion did not exist, you would have
# needed to configure one "linelog" module for each log message.
#
# Reference the Packet-Type (Access-Request, etc.) If it doesn't
# exist, reference the "format" entry, above.
reference = "%{%{Packet-Type}:-format}"
#
# Followed by a series of log messages.
Access-Request = "Requested access: %{User-Name}"
Access-Reject = "Rejected access: %{User-Name}"
Access-Challenge = "Sent challenge: %{User-Name}"
#
# The log messages can be grouped into sections and
# sub-sections, too. The "reference" item needs to have a "."
# for every section. e.g. reference = foo.bar will reference
# the "foo" section, "bar" configuration item.
#
#
# Used if: reference = "foo.bar".
foo {
bar = "Example log. Please ignore"
}
#
# Another example:
# reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
#
Accounting-Request {
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
# Don't log anything for these packets.
Alive = ""
Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
# don't log anything for other Acct-Status-Types.
unknown = ""
}
}
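Review bot: `format = "This is a log message for %{User-Name}"` is the upstream placeholder; if `linelog` is ever listed in a section for a packet type that has no matching entry under `reference`, that placeholder is what gets written, so either replace it with a meaningful default or leave the module unreferenced. The `Accounting-Request` messages further down log `Calling-Station-Id` and `Framed-IP-Address`, which on an open wifi are per-device identifiers; `permissions = 0600` keeps `${logdir}/linelog` private, but no rotation or retention for that file is visible in this commit and should be decided explicitly. This looks like the stock module file carried over unchanged; a one-line header comment saying whether it is wired into any section would save the next reader a search.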


@ -0,0 +1,31 @@
# -*- text -*-
#
# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has bene permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
#
# The Reply-Message which will be sent back in case
# the account is calling outside of the allowed
# timespan. Dynamic substitution is supported.
#
reply-message = "You are calling outside your allowed timespan\r\n"
#reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the logon. Some NASes do not handle values
# lower than 60 seconds well.
minimum-timeout = 60
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
######################################################################
#
# This next section is a sample configuration for the "passwd"
# module, that reads flat-text files.
#
# The file is in the format <mac>,<ip>
#
# 00:01:02:03:04:05,192.168.1.100
# 01:01:02:03:04:05,192.168.1.101
# 02:01:02:03:04:05,192.168.1.102
#
# This lets you perform simple static IP assignments from a flat-text
# file. You will have to define lease times yourself.
#
######################################################################
passwd mac2ip {
filename = ${confdir}/mac2ip
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}
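Review bot: `format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"` keys the IP assignment on the client-supplied MAC, so an entry in `${confdir}/mac2ip` is a convenience mapping and not evidence that the device holding that address is the one listed — any client can present any MAC. If the module is referenced from a `dhcp` section, the `mac2ip` file must also exist at that path or the module will fail to instantiate; I cannot see from this hunk whether it is referenced at all. Either way a comment above `filename` such as `# MAC is client-controlled: static mapping only, not an identity check` records the limitation.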


@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
# A simple file to map a MAC address to a VLAN.
#
# The file should be in the format MAC,VLAN
# the VLAN name cannot have spaces in it, for example:
#
# 00:01:02:03:04:05,VLAN1
# 03:04:05:06:07:08,VLAN2
# ...
#
passwd mac2vlan {
filename = ${confdir}/mac2vlan
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}
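Review bot: VLAN placement via `format = "*VMPS-Mac:=VMPS-VLAN-Name"` is keyed on a self-reported MAC address, so it cannot serve as an isolation boundary on an open/authless EAP network — a client can land in any VLAN listed in `${confdir}/mac2vlan` by spoofing the matching MAC. If the intent is only to steer known devices (printers, APs) onto a separate VLAN, document that next to the module, e.g. `# MAC is client-controlled: convenience mapping only, not an authorization check`. Whether a `vmps` listener actually references this module is not visible in this diff.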


@ -0,0 +1,87 @@
# -*- text -*-
#
# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
# use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
#
# require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
# require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
# with_ntdomain_hack = no
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request. If there is a cleartext
# or NT hashed password available, you can set
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the User-Name
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
# The default is to wait 10 seconds for ntlm_auth to
# complete. This is a long time, and if it's taking that
# long then you likely have other problems in your domain.
# The length of time can be decreased with the following
# option, which can save clients waiting if your ntlm_auth
# usually finishes quicker. Range 1 to 10 seconds.
#
# ntlm_auth_timeout = 10
# For Apple Server, when running on the same machine as
# Open Directory. It has no effect on other systems.
#
# use_open_directory = yes
# On failure, set (or not) the MS-CHAP error code saying
# "retries allowed".
# allow_retry = yes
# An optional retry message.
# retry_msg = "Re-enter (or reset) the password"
}
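Review bot: `use_mppe`, `require_encryption` and `require_strong` are all left commented, so MPPE key handling runs on module defaults rather than a stated choice; given the commit message this module is most likely the inner PEAP method for the wifi, and setting `use_mppe = yes`, `require_encryption = yes` and `require_strong = yes` explicitly would make the key-material behaviour a deliberate decision instead of an inherited one. The `ntlm_auth =` line is still the upstream placeholder (`/path/to/ntlm_auth`) and is commented out, which is fine as long as nobody uncomments it without pointing it at a real binary and a running winbindd, as the comment above it requires. Since this appears to be the stock file, a short header note stating that local NT-hash authentication (no domain controller) is the intended path would help the next maintainer.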


@ -0,0 +1,12 @@
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
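Review bot: `program = ".../ntlm_auth ... --password=%{User-Password}"` puts the user's cleartext password on the command line of a child process, where any local user who can read the process list (`ps`, `/proc/*/cmdline`) can see it for as long as `ntlm_auth` runs. The file header says this is for testing PAP, and `/path/to/ntlm_auth` plus `--domain=MYDOMAIN` are still upstream placeholders, so this module should either be dropped from the container config or annotated `# test-only: exposes the password via argv, never reference from authorize/authenticate`. With `wait = yes` the request also blocks until the helper returns, a second reason to keep it off any live path.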


@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
# This module is only used when the server is running on the same
# system as OpenDirectory. The configuration of the module is hard-coded
# by Apple, and cannot be changed here.
#
# There are no configuration entries for this module.
#
opendirectory {
}


@ -0,0 +1,78 @@
#
# Configuration for the OTP module.
#
# This module allows you to use various handheld OTP tokens
# for authentication (Auth-Type := otp). These tokens are
# available from various vendors.
#
# It works in conjunction with otpd, which implements token
# management and OTP verification functions; and lsmd or gsmd,
# which implements synchronous state management functions.
# otpd, lsmd and gsmd are available from TRI-D Systems:
# <http://www.tri-dsystems.com/>
# You must list this module in BOTH the authorize and authenticate
# sections in order to use it.
otp {
# otpd rendezvous point.
# (default: /var/run/otpd/socket)
#otpd_rp = /var/run/otpd/socket
# Text to use for the challenge. The '%' character is
# disallowed, except that you MUST have a single "%s"
# sequence in the string; the challenge itself is
# inserted there. (default "Challenge: %s\n Response: ")
#challenge_prompt = "Challenge: %s\n Response: "
# Length of the challenge. Most tokens probably support a
# max of 8 digits. (range: 5-32 digits, default 6)
#challenge_length = 6
# Maximum time, in seconds, that a challenge is valid.
# (The user must respond to a challenge within this time.)
# It is also the minimal time between consecutive async mode
# authentications, a necessary restriction due to an inherent
# weakness of the RADIUS protocol which allows replay attacks.
# (default: 30)
#challenge_delay = 30
# Whether or not to allow asynchronous ("pure" challenge/
# response) mode authentication. Since sync mode is much more
# usable, and all reasonable tokens support it, the typical
# use of async mode is to allow resync of event based tokens.
# But because of the vulnerability of async mode with some tokens,
# you probably want to disable this and require that out-of-sync
# users resync from specifically secured terminals.
# See the otpd docs for more info.
# (default: no)
#allow_async = no
# Whether or not to allow synchronous mode authentication.
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
# that if your OTP users can authenticate to multiple RADIUS
# servers, this must be "yes" for the primary/default server,
# and "no" for the others. This is because lsmd does not
# share state information across multiple servers. Using "yes"
# on all your RADIUS servers would allow replay attacks!
# Also, for event based tokens, the user will be out of sync
# on the "other" servers. In order to use "yes" on all your
# servers, you must either use gsmd, which synchronizes state
# globally, or implement your own state synchronization method.
# (default: yes)
#allow_sync = yes
# If both allow_async and allow_sync are "yes", a challenge is
# always presented to the user. This is incompatible with NAS's
# that can't present or don't handle Access-Challenge's, e.g.
# PPTP servers. Even though a challenge is presented, the user
# can still enter their synchronous passcode.
# The following are MPPE settings. Note that MS-CHAP (v1) is
# strongly discouraged. All possible values are listed as
# {value = meaning}. Default values are first.
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschap_mppe_bits = {2 = 128}
}


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}


@ -0,0 +1,22 @@
# -*- text -*-
#
# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
# The "auto_header" configuration item can be set to "yes".
# In this case, the module will look inside of the User-Password
# attribute for the headers {crypt}, {clear}, etc., and will
# automatically create the attribute on the right-hand side,
# with the correct value. It will also automatically handle
# Base-64 encoded data, hex strings, and binary data.
#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
auto_header = no
}
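Review bot: `auto_header = no` means pap will not decode `{SSHA}`/`{crypt}`-style prefixes carried inside User-Password; that is the upstream default, but if passwords are ever supplied through the ldap module's `password_attribute = userPassword` (commented out in the first hunk on this page), the stored values carry exactly those headers and would not be recognised. I cannot tell from this commit where pap gets its passwords, so a comment recording the decision would help, e.g. `# auto_header stays off: passwords arrive as explicit Cleartext-Password/Crypt-Password control items`. If LDAP-stored hashes are intended, `auto_header = yes` is the switch.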


@ -0,0 +1,55 @@
# -*- text -*-
#
# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these files.
#
# See the "smbpasswd" and "etc_group" files for more examples.
#
# parameters are:
# filename - path to filename
#
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is a key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
# of default configure_itmes
#
# Attributes marked as '~' are added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
#
# hashsize - hashtable size. Setting it to 0 is no longer permitted
# A future version of the server will have the module
# automatically determine the hash size. Having it set
# manually should not be necessary.
#
# allowmultiplekeys - if many records for a key are allowed
#
# ignorenislike - ignore NIS-related records
#
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/passwd.
#
# This is an example which will NOT WORK if you have shadow passwords,
# NIS, etc. The "unix" module is normally responsible for reading
# system passwords. You should use it instead of this example.
#
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}
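Review bot: `filename = /etc/passwd` with `format = "*User-Name:Crypt-Password:"` would, if this module were ever listed in `authorize`, treat the container's system accounts as RADIUS identities; the upstream comment already notes it cannot work with shadow passwords (the second field is `x` on any modern system), so it fails closed but is dead configuration. It is an upstream example, so the cleanest fix is to drop this file from the container config or, if it must stay, annotate it `# upstream example only — never reference in authorize`. I cannot see the `sites-enabled` sections in this diff to confirm it is unreferenced.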


@ -0,0 +1,58 @@
# -*- text -*-
#
# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
# Persistent, embedded Perl interpreter.
#
perl {
#
# The Perl script to execute on authorize, authenticate,
# accounting, xlat, etc. This is very similar to using
# 'rlm_exec' module, but it is persistent, and therefore
# faster.
#
module = ${confdir}/example.pl
#
# The following hashes are given to the module and
# filled with value-pairs (Attribute names and values)
#
# %RAD_CHECK Check items
# %RAD_REQUEST Attributes from the request
# %RAD_REPLY Attributes for the reply
#
# The return codes from functions in the perl_script
# are passed directly back to the server. These
# codes are defined in doc/configurable_failover,
# src/include/modules.h (RLM_MODULE_REJECT, etc),
# and are pre-defined in the 'example.pl' program
# which is included.
#
#
# List of functions in the module to call.
# Uncomment and change if you want to use function
# names other than the defaults.
#
#func_authenticate = authenticate
#func_authorize = authorize
#func_preacct = preacct
#func_accounting = accounting
#func_checksimul = checksimul
#func_pre_proxy = pre_proxy
#func_post_proxy = post_proxy
#func_post_auth = post_auth
#func_recv_coa = recv_coa
#func_send_coa = send_coa
#func_xlat = xlat
#func_detach = detach
#
# Uncomment the following lines if you wish
# to use separate functions for Start and Stop
# accounting packets. In that case, the
# func_accounting function is not called.
#
#func_start_accounting = accounting_start
#func_stop_accounting = accounting_stop
}


@ -0,0 +1,21 @@
# -*- text -*-
#
# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
#
# Module implementing a DIFFERENT policy language.
# The syntax here is NOT "unlang", but something else.
#
# See the "raddb/policy.txt" file for documentation and examples.
# There isn't much else in the way of documentation, sorry.
#
policy {
# The only configuration item is a filename containing
# the policies to execute.
#
# When "policy" is listed in a section (e.g. "authorize"),
# it will run a policy named for that section.
#
filename = ${confdir}/policy.txt
}


@ -0,0 +1,58 @@
# -*- text -*-
#
# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $
# Write "detail" files which can be read by radrelay.
# This module should be used only by a server which receives
# Accounting-Request packets from the network.
#
# It should NOT be used in the radrelay.conf file.
#
# Use it by adding "radrelay" to the "accounting" section:
#
# accounting {
# ...
# radrelay
# ...
# }
#
detail radrelay {
detailfile = ${radacctdir}/detail
locking = yes
# The other directives from the main detail module
# can be used here, but they're not required.
}
