master
...
container/
Author | SHA1 | Date |
---|---|---|
Eri - | 1d32924d85 | |
Eri - | 6946bbd224 | |
Eri - | a1490e209a | |
Eri - | fbe1f6c5b0 | |
Eri - | 0b59c8cf5b |
|
@ -1,10 +0,0 @@
|
|||
# This file contains a list of commits that are not likely what you
|
||||
# are looking for in a blame, such as mass reformatting or renaming.
|
||||
# You can set this file as a default ignore file for blame by running
|
||||
# the following command.
|
||||
#
|
||||
# $ git config blame.ignoreRevsFile .git-blame-ignore-revs
|
||||
|
||||
# format commits
|
||||
aaddec81945750222721659be65ecd6bf2503c6a
|
||||
b4d2a7f95952f8ca9ca13f9ff629f689a284c6fb
|
|
@ -1,2 +0,0 @@
|
|||
# see https://github.com/getsops/sops/blob/main/README.rst#47showing-diffs-in-cleartext-in-git how to use this
|
||||
*.yaml diff=sops
|
|
@ -1,5 +0,0 @@
|
|||
.*.swp
|
||||
*.retry
|
||||
result
|
||||
result-*
|
||||
/hosts/mediawiki/MediaWikiExtensionsComposer/
|
|
@ -0,0 +1,3 @@
|
|||
[submodule "secrets"]
|
||||
path = secrets
|
||||
url = ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git
|
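Review bot: The new `secrets` submodule entry (the only content of this file) records neither a `branch` nor any explanation of what the repository holds or who can fetch it, although the URL shows it is a private `c3d2-admins` repository on gitea.c3d2.de reachable only over SSH on port 2222, so every `git clone --recursive` and any CI or Hydra checkout that recurses submodules will fail for callers without that key, and nothing in the file says so. The README text visible elsewhere in this compare calls the secrets repo deprecated in favour of sops, and this same compare deletes `.sops.yaml` and the `*.yaml diff=sops` attribute; which side of the README hunk that sentence lands on is not recoverable from the page, so it is worth confirming that reintroducing the submodule is intended rather than a leftover of the branch split. A git-config comment above the section would make the contract explicit: `# private (c3d2-admins only): requires SSH access to gitea.c3d2.de:2222; not fetched by anonymous or recursive CI clones`. If the submodule is meant to follow a branch rather than the pinned commit, add `branch = <branch-name>` (placeholder) so `git submodule update --remote` is deterministic.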
436
.sops.yaml
436
.sops.yaml
|
@ -1,436 +0,0 @@
|
|||
keys:
|
||||
# The PGP keys in keys/
|
||||
- &admins
|
||||
- DD0998E6CDF294537FC604F991FA5E5BF9AA901C # 0xA
|
||||
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
|
||||
- 8F79E6CD6434700615867480D11A514F5095BFA8 # dennis
|
||||
- 4F9F44A64CC2E438979329E1F122F05437696FCE # poelzi
|
||||
- 91EBE87016391323642A6803B966009D57E69CC6 # revol-xut
|
||||
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
|
||||
- 4B12EFA69166CA8C23FC47E49CD3A46248B660CA # vv01f
|
||||
- A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 # winzlieb
|
||||
|
||||
- &users
|
||||
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
|
||||
- 8F79E6CD6434700615867480D11A514F5095BFA8 # dennis
|
||||
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
|
||||
- 9580391316684474BFBD41EC3E8C55248C19AF2A # xyrill
|
||||
|
||||
- &polygon-snowflake age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c # polygon
|
||||
|
||||
# Generate AGE keys from SSH keys with:
|
||||
# nix-shell -p ssh-to-age --run 'ssh some.serv.zentralwerk.org cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
||||
- &activity-relay age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
|
||||
- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
|
||||
- &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
|
||||
- &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
|
||||
- &buzzrelay age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
|
||||
- &c3d2-web age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
|
||||
- &caveman age13dl5qjzddaazmquf7zfecru5tr4ld8l8xd7xpmhaqqzmchpua4usswqykd
|
||||
- &dacbert age1g2ewsxcu5uqlesaznp2qwlcz8w66pxh4qxkul8wu7x8g2hw83saqxynpyk
|
||||
- &dn42 age1726t33dl7pv3xrxxlafj2sexh7c0jm8pza84yu6l3wpz3fw5dauqxlass3
|
||||
- &drone age1w6u8zjfya63q9rjfll98eegnfdsvyaspnwn802t2mxh47gt8p30q0kn898
|
||||
- &freifunk age17rrjtdgzzwgjatyqqv27pftx42t8xhksls46jc3f78juzw4g04vsd7lr7e
|
||||
- &ftp age1lkr5rkf3z0976g8snmznf755gnexhjkwpzsw8xxwyesqmneawa4qgsqx77
|
||||
- &gitea age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
|
||||
- &glotzbert age1zqpep2vgfqeyvtj2jpxczfgrpjffwda429rnuztfp0vpqsrqdq8s8f4yua
|
||||
- &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
|
||||
- &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
|
||||
- &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
|
||||
- &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
|
||||
- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
|
||||
- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
|
||||
- &knot age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
|
||||
- &mail age15t7hj27j6ccs8u7mfz8su3aa74g4dxp4crkgc3c0rs28hct7q4ssgk8zcm
|
||||
- &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
|
||||
- &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
|
||||
- &matrix age1s2ww76ll6nclz74gny27tk42xfsepl23z2k0849a8jv8xpnmpe3shgunxr
|
||||
- &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
|
||||
- &mobilizon age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
|
||||
- &mucbot age1qen44cx5sx0y299zl93cz3tflx8agt8y9vtm0d4uxw42t9gyecdsw9jade
|
||||
- &nfsroot age18yxgwpakrkzq8ca2enayf79py25se3d8dsed2q523869re30jcaqx6rjln
|
||||
- &nncp age15853dr2kd6r2329tkcanwnruh6zd2xvsu5twc7gnxeyu3h7t6q5scckaq8
|
||||
- &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
|
||||
- &owncast age1cp9gsuyfu52exk0hr3fvj404v5njhahakzwlugwtneyrs4vgdyaq0sg92f
|
||||
- &pretalx age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s
|
||||
- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
|
||||
- &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
|
||||
- &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
|
||||
- &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
|
||||
- &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
|
||||
- &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
|
||||
- &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
|
||||
- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
|
||||
- &server8 age12jcu0jtw7m96evxnd0vu6lvsm8uswslrdhxd2u655vjrwhljmqdsptry37
|
||||
- &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
|
||||
- &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7
|
||||
- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
|
||||
- &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
|
||||
- &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
|
||||
- &vaultwarden age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
|
||||
|
||||
creation_rules:
|
||||
- path_regex: modules/backup\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *activity-relay
|
||||
- *auth
|
||||
- *blogs
|
||||
- *buzzrelay
|
||||
- *caveman
|
||||
- *drone
|
||||
- *gitea
|
||||
- *grafana
|
||||
- *hedgedoc
|
||||
- *home-assistant
|
||||
- *hydra
|
||||
- *jabber
|
||||
- *mail
|
||||
- *mastodon
|
||||
- *matemat
|
||||
- *matrix
|
||||
- *mediawiki
|
||||
- *mobilizon
|
||||
- *owncast
|
||||
- *pretalx
|
||||
- *sdrweb
|
||||
- *ticker
|
||||
- *vaultwarden
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: modules/cluster/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *hydra
|
||||
- *server8
|
||||
- *server9
|
||||
- *server10
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: config/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *polygon-snowflake
|
||||
- *auth
|
||||
- *blogs
|
||||
- *broker
|
||||
- *buzzrelay
|
||||
- *c3d2-web
|
||||
- *dacbert
|
||||
- *dn42
|
||||
- *freifunk
|
||||
- *ftp
|
||||
- *gitea
|
||||
- *glotzbert
|
||||
- *gnunet
|
||||
- *grafana
|
||||
- *hedgedoc
|
||||
- *hydra
|
||||
- *jabber
|
||||
- *knot
|
||||
- *mail
|
||||
- *mastodon
|
||||
- *matemat
|
||||
- *matrix
|
||||
- *mediawiki
|
||||
- *mucbot
|
||||
- *nfsroot
|
||||
- *oparl
|
||||
- *pretalx
|
||||
- *prometheus
|
||||
- *public-access-proxy
|
||||
- *pulsebert
|
||||
- *radiobert
|
||||
- *riscbert
|
||||
- *scrape
|
||||
- *sdrweb
|
||||
- *server8
|
||||
- *server9
|
||||
- *server10
|
||||
- *spaceapi
|
||||
- *storage-ng
|
||||
- *stream
|
||||
- *ticker
|
||||
- *vaultwarden
|
||||
|
||||
- path_regex: hosts/activity-relay/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *activity-relay
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/auth/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *auth
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/knot/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *knot
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/blogs/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *blogs
|
||||
- *polygon-snowflake
|
||||
- path_regex: hosts/broker/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *broker
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/buzzrelay/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *buzzrelay
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/c3d2-web/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *c3d2-web
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/caveman/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *caveman
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/dacbert/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *dacbert
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/dn42/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *dn42
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/drone/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *drone
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/freifunk/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *freifunk
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/gitea/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *gitea
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/glotzbert/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *glotzbert
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/grafana/secrets+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *grafana
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/hedgedoc/secrets+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *hedgedoc
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/home-assistant/secrets+\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *home-assistant
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/hydra/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *hydra
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/jabber/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *jabber
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/mail/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *mail
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/mastodon/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *mastodon
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/matemat/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *matemat
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/matrix/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *matrix
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/mediawiki/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *mediawiki
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/mobilizon/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *mobilizon
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/mucbot/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *mucbot
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/oparl/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *oparl
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/owncast/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *owncast
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/pretalx/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *pretalx
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/sdrweb/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *sdrweb
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/radiobert/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *radiobert
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/scrape/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *scrape
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/server8/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *server8
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/server9/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *server9
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/server10/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *server10
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/storage-ng/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *storage-ng
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/ticker/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *ticker
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/prometheus/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *prometheus
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/stream/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *stream
|
||||
- *polygon-snowflake
|
||||
|
||||
- path_regex: hosts/vaultwarden/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp: *admins
|
||||
age:
|
||||
- *vaultwarden
|
||||
- *polygon-snowflake
|
292
README.md
292
README.md
|
@ -1,293 +1,17 @@
|
|||
---
|
||||
gitea: none
|
||||
title: Flockige Infrastruktur deklarativ
|
||||
include_toc: yes
|
||||
lang: en
|
||||
---
|
||||
# Deployment
|
||||
|
||||
# C3D2 infrastructure based on NixOS
|
||||
Beide failen bei Activation des neuen Profils. (TODO)
|
||||
|
||||
## Setup
|
||||
|
||||
### Enable nix flakes user wide
|
||||
|
||||
Add the setting to the user nix.conf. Only do this once!
|
||||
|
||||
```bash
|
||||
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
|
||||
```
|
||||
|
||||
### Enable nix flakes system wide (preferred for NixOS)
|
||||
|
||||
add this to your NixOS configuration:
|
||||
|
||||
```nix
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
```
|
||||
|
||||
### nixpkgs/nixos
|
||||
|
||||
The nixpkgs/nixos input used lives at <https://github.com/supersandro2000/nixpkgs/tree/nixos-23.05>.
|
||||
We are using a fork managed by sandro to make backports, cherry-picks and custom fixes dead easy.
|
||||
If you want to have an additional backport, cherry-pick or other change, please contact sandro.
|
||||
|
||||
### nixos-modules repo
|
||||
|
||||
The nixos-modules repo lives at <https://github.com/supersandro2000/nixos-modules> and is mirrored to <https://gitea.c3d2.de/c3d2/nixos-modules>.
|
||||
Auto generated documentation about all options is available at <https://supersandro2000.github.io/nixos-modules/>.
|
||||
It contains options sandro shares between his private nixos configs and the C3D2 one.
|
||||
It sets many options by default and when searching for a particular setting you should always grep this repo, too.
|
||||
In question ask sandro and consider improving the documentation about this with comments and readme explanations.
|
||||
Something should be changed/added/removed/etc? Please create a PR or start a conversations with your ideas.
|
||||
|
||||
### secrets repo
|
||||
|
||||
The secrets repo is absolutely deprecated!
|
||||
Everything new must be done through sops and everything old should be migrated.
|
||||
If you don't have secrets access ask sandro or astro to get onboarded.
|
||||
|
||||
### SSH access
|
||||
|
||||
If people should get root access to *all* machines, their keys should be added to ``ssh-public-keys.nix``.
|
||||
|
||||
## Deployment
|
||||
|
||||
### Deploy to a remote NixOS system
|
||||
|
||||
For every host that has a `nixosConfiguration` in our Flake, there are two scripts that can be run for deployment via ssh.
|
||||
|
||||
- `nix run .#HOSTNAME-nixos-rebuild switch`
|
||||
|
||||
Copies the current state to build on the target system.
|
||||
This may fail due to resource limits on eg. Raspberry Pis.
|
||||
|
||||
- `nix run .#HOSTNAME-nixos-rebuild-local switch`
|
||||
|
||||
Builds everything locally, then uses `nix copy` to transfer the new NixOS system to the target.
|
||||
|
||||
To use the cache from hydra set the following nix options similar to enabling flakes:
|
||||
|
||||
```
|
||||
trusted-public-keys = nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=
|
||||
trusted-substituters = https://nix-cache.hq.c3d2.de
|
||||
```
|
||||
|
||||
This can also be set with the `c3d2.addBinaryCache` option from the [c3d2-user-module](https://gitea.c3d2.de/c3d2/nix-user-module).
|
||||
|
||||
### Checking for updates
|
||||
## Mit `nixos-switch rebuild`
|
||||
|
||||
```shell
|
||||
nix run .#list-upgradable
|
||||
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
|
||||
```
|
||||
|
||||
![list-upgradable output](doc/list-upgradable.png)
|
||||
|
||||
Checks all hosts with a `nixosConfiguration` in `flake.nix`.
|
||||
|
||||
### Update from [Hydra build](https://hydra.hq.c3d2.de/jobset/c3d2/nix-config#tabs-jobs)
|
||||
|
||||
The fastest way to update a system, a manual alternative to setting
|
||||
`c3d2.autoUpdate = true;`
|
||||
|
||||
Just run:
|
||||
## Mit NixOps
|
||||
|
||||
```shell
|
||||
update-from-hydra
|
||||
nixops create hq.nixops -d hq
|
||||
nixops deploy -d hq --debug --include=dhcp --force-reboot
|
||||
nixops deploy -d hq --include=grafana -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.09.tar.gz --force-reboot
|
||||
```
|
||||
|
||||
### Deploy a MicroVM
|
||||
|
||||
#### Build a microvm remotely and deploy
|
||||
|
||||
```shell
|
||||
nix run .#microvm-update-HOSTNAME
|
||||
```
|
||||
|
||||
#### Build microvm locally and deploy
|
||||
|
||||
```shell
|
||||
nix run .#microvm-update-HOSTNAME-local
|
||||
```
|
||||
|
||||
#### Update MicroVM from our Hydra
|
||||
|
||||
Our Hydra runs `nix flake update` daily in the `updater.timer`,
|
||||
pushing it to the `flake-update` branch so that it can build fresh
|
||||
systems. This branch is setup as the source flake in all the MicroVMs,
|
||||
so the following is all that is needed on a MicroVM-hosting server:
|
||||
|
||||
```shell
|
||||
microvm -Ru $hostname
|
||||
```
|
||||
|
||||
## Cluster deployment with Skyflake
|
||||
|
||||
### About
|
||||
|
||||
[Skyflake](https://github.com/astro/skyflake) provides Hyperconverged
|
||||
Infrastructure to run NixOS MicroVMs on a cluster. Our setup unifies
|
||||
networking with one bridge per VLAN. Persistent storage is replicated
|
||||
with Cephfs.
|
||||
|
||||
Recognize nixosConfiguration for our Skyflake deployment by the
|
||||
`self.nixosModules.cluster-options` module being included.
|
||||
|
||||
### User interface
|
||||
|
||||
We use the less-privileged `c3d2@` user for deployment. This flake's
|
||||
name on the cluster is `config`. Other flakes can coexist in the same
|
||||
user so that we can run separately developed projects like
|
||||
*dump-dvb*. *leon* and potentially other users can deploy Flakes and
|
||||
MicroVMs without name clashes.
|
||||
|
||||
#### Deploying
|
||||
|
||||
**git push** this repo to any machine in the cluster, preferably to
|
||||
Hydra because there building won't disturb any services.
|
||||
|
||||
You don't deploy all MicroVMs at once. Instead, Skyflake allows you to
|
||||
select NixOS systems by the branches you push to. **You must commit
|
||||
before you push!**
|
||||
|
||||
**Example:** deploy nixosConfigurations `mucbot` and `sdrweb` (`HEAD` is your
|
||||
current commit)
|
||||
|
||||
```bash
|
||||
git push c3d2@hydra.serv.zentralwerk.org:config HEAD:mucbot HEAD:sdrweb
|
||||
```
|
||||
|
||||
This will:
|
||||
1. Build the configuration on Hydra, refusing the branch update on
|
||||
broken builds (through a git hook)
|
||||
2. Copy the MicroVM package and its dependencies to the binary cache
|
||||
that is accessible to all nodes with Cephfs
|
||||
3. Submit one job per MicroVM into the Nomad cluster
|
||||
|
||||
*Deleting* a nixosConfiguration's branch will **stop** the MicroVM in Nomad.
|
||||
|
||||
#### Updating
|
||||
|
||||
**TODO:** how would you like it?
|
||||
|
||||
#### MicroVM status
|
||||
|
||||
```bash
|
||||
ssh c3d2@hydra.serv.zentralwerk.org status
|
||||
```
|
||||
|
||||
### Debugging for cluster admins
|
||||
|
||||
#### Nomad
|
||||
|
||||
##### Check the cluster state
|
||||
|
||||
```shell
|
||||
nomad server members
|
||||
```
|
||||
|
||||
Nomad *servers* **coordinate** the cluster.
|
||||
|
||||
Nomad *clients* **run** the tasks.
|
||||
|
||||
##### Browse in the terminal
|
||||
|
||||
[wander](https://github.com/robinovitch61/wander) and
|
||||
[damon](https://github.com/hashicorp/damon) are nice TUIs that are
|
||||
preinstalled on our cluster nodes.
|
||||
|
||||
##### Browse with a browser
|
||||
|
||||
First, tunnel TCP port `:4646` from a cluster server:
|
||||
|
||||
```bash
|
||||
ssh -L 4646:localhost:4646 root@server10.cluster.zentralwerk.org
|
||||
```
|
||||
|
||||
Then, visit https://localhost:4646 for for full klickibunti.
|
||||
|
||||
##### Reset the Nomad state on a node
|
||||
|
||||
After upgrades, Nomad servers may fail rejoining the cluster. Do this
|
||||
to make a *Nomad server* behave like a newborn:
|
||||
|
||||
```shell
|
||||
systemctl stop nomad
|
||||
rm -rf /var/lib/nomad/server/raft/
|
||||
systemctl start nomad
|
||||
```
|
||||
|
||||
## Secrets management
|
||||
|
||||
### Secrets Management Using `sops-nix`
|
||||
|
||||
#### Adding a new host
|
||||
|
||||
Edit `.sops.yaml`:
|
||||
|
||||
1. Add an AGE key for this host. Comments in this file tell you how to do it.
|
||||
2. Add a `creation_rules` section for `host/$host/*.yaml` files
|
||||
|
||||
#### Editing a hosts secrets
|
||||
|
||||
Edit `.sops.yaml` to add files for a new host and its SSH pubkey.
|
||||
|
||||
```bash
|
||||
# Get sops
|
||||
nix develop
|
||||
# Decrypt, start en EDITOR, encrypt
|
||||
sops hosts/.../secrets.yaml
|
||||
# Push
|
||||
git commit -a -m Adding new secrets
|
||||
git push origin
|
||||
```
|
||||
|
||||
### Secrets management with PGP
|
||||
|
||||
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
|
||||
Maybe this works for you, maybe not. I did it somehow:
|
||||
|
||||
```bash
|
||||
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
|
||||
```
|
||||
|
||||
Your gpg key has to have the Authenticate flag set. If not update it and push it to a keyserver and wait.
|
||||
This is necessary, so you can login to any machine with your gpg key.
|
||||
|
||||
## Laptops / Desktops
|
||||
|
||||
This repo could be used in the past as a module. While still technically possible, it is not recommended
|
||||
because the amounts of flake inputs highly increased and the modules are not designed with that in mind.
|
||||
|
||||
For end user modules take a look at the [c3d2-user-module](https://gitea.c3d2.de/c3d2/nix-user-module).
|
||||
|
||||
For the deployment options take a look at [deployment](https://gitea.c3d2.de/c3d2/deployment).
|
||||
|
||||
## File system setup
|
||||
|
||||
Set the `disko` options for the machine and run:
|
||||
|
||||
```shell
|
||||
$(nix build --print-out-paths --no-link -L '.#nixosConfigurations.HOSTNAME.config.system.build.disko')
|
||||
```
|
||||
|
||||
When adding new disks the paths under ``/dev/disk/by-id/`` should be used, so that the script is idempotent across device restarts.
|
||||
|
||||
## Install new server
|
||||
|
||||
- Copy the nix files from an existing, similar host.
|
||||
- Disable all secrets until after the installation is finished.
|
||||
- Set `simd.arch` option to the output of ``nix shell nixpkgs#gcc -c gcc -march=native -Q --help=target | grep march`` and update the comment next to it
|
||||
- If that returns `x86_64` search on a search engine for the `ark.intel.com` entry for the processor which can be found by catting ``/proc/cpuinfo``
|
||||
- Generate `networking.hostId` with ``head -c4 /dev/urandom | od -A none -t x4`` according to the options description.
|
||||
- Boot live ISO
|
||||
- If your ssh key is not baked into the iso, set a password for the `nixos` with passwd to be able to log in over ssh.
|
||||
- `rsync` the this directory into the live system.
|
||||
- generate and apply disk layout with disko (see above).
|
||||
- Generate `hardware-configuration.nix` with ``sudo nixos-generate-config --no-filesystems --root /mnt``.
|
||||
- If luks disks should be decrypted in initrd over ssh, enable DHCP in the `hardware-configuration.nix` for the interfaces that should be used for that.
|
||||
- Install nixos system with ``sudo nixos-install --root /mnt --no-channel-copy --no-root-passwd --flake .#HOSTNAME``.
|
||||
- After a reboot add age key to sops-nix with ``nix shell nixpkgs#ssh-to-age`` and ``ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub``.
|
||||
- Add ``/etc/machine-id`` and luks password to sops secrets.
|
||||
- Enable and deploy secrets again.
|
||||
- Improve new machine setup by automating easy to automate steps and document others.
|
||||
- Commit everything and push
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 79 KiB |
Binary file not shown.
Before Width: | Height: | Size: 13 KiB |
Binary file not shown.
Before Width: | Height: | Size: 402 KiB |
|
@ -1,343 +0,0 @@
|
|||
{ config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }:
|
||||
|
||||
# this file contains default configuration that may be turned on depending on other config settings.
|
||||
# options should go to modules.
|
||||
|
||||
{
|
||||
assertions = [
|
||||
{
|
||||
assertion = config.system.replaceRuntimeDependencies == [];
|
||||
message = "system.replaceRuntimeDependencies causes hydra to build the system at evaluation time. It must be removed!";
|
||||
}
|
||||
{
|
||||
assertion = lib.versions.major pkgs.ceph.version != 16;
|
||||
message = "Please pin ceph to major version 16!";
|
||||
}
|
||||
];
|
||||
|
||||
boot = {
|
||||
enableContainers = false; # should be enabled explicitly
|
||||
loader.systemd-boot = {
|
||||
configurationLimit = lib.mkDefault 10;
|
||||
editor = false;
|
||||
graceful = true;
|
||||
};
|
||||
kernel.sysctl = {
|
||||
"kernel.panic" = 60; # reset 60 seconds after a kernel panic
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
};
|
||||
tmp.cleanOnBoot = true;
|
||||
# recommend to turn off, only on by default for backwards compatibility
|
||||
zfs.forceImportRoot = false;
|
||||
};
|
||||
|
||||
c3d2 = {
|
||||
# NOTE: this must be off, otherwise our nix binary cache creates a loop with itself
|
||||
addBinaryCache = lib.mkForce false;
|
||||
addKnownHosts = true;
|
||||
sshKeys = ssh-public-keys;
|
||||
};
|
||||
|
||||
documentation.enable = false;
|
||||
|
||||
environment = {
|
||||
etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) {
|
||||
text = lib.concatMapStrings (ns: ''
|
||||
nameserver ${ns}
|
||||
'') config.networking.nameservers;
|
||||
};
|
||||
|
||||
gnome.excludePackages = with pkgs; with gnome; [
|
||||
baobab
|
||||
cheese
|
||||
epiphany # we are using firefox or chromium and requires second webkitgtk
|
||||
geary
|
||||
gnome-calendar
|
||||
gnome-contacts
|
||||
gnome-maps
|
||||
gnome-music
|
||||
gnome-photos
|
||||
gnome-weather
|
||||
orca
|
||||
simple-scan
|
||||
totem
|
||||
yelp # less webkitgtk's
|
||||
];
|
||||
|
||||
interactiveShellInit = /* sh */ ''
|
||||
# raise some awareness torwards failed services
|
||||
systemctl --no-pager --failed || true
|
||||
'';
|
||||
|
||||
noXlibs = !config.services.xserver.enable;
|
||||
|
||||
systemPackages = with pkgs; [
|
||||
bmon
|
||||
curl
|
||||
dig
|
||||
ethtool
|
||||
fd
|
||||
git
|
||||
htop
|
||||
iotop
|
||||
(iproute2.overrideAttrs ({ configureFlags ? [], src, ... }: let
|
||||
version = "6.8.0";
|
||||
in {
|
||||
inherit version;
|
||||
src = pkgs.fetchurl {
|
||||
url = "mirror://kernel/linux/utils/net/iproute2/iproute2-${version}.tar.xz";
|
||||
hash = "sha256-A6bMo9cakI0fFfe0lb4rj+hR+UFFjcRmSQDX9F/PaM4=";
|
||||
};
|
||||
configureFlags = configureFlags ++ [
|
||||
"--color" "auto"
|
||||
];
|
||||
}))
|
||||
jq
|
||||
lsof # to find lingering nix processes locking files in nix store
|
||||
mtr
|
||||
pv
|
||||
ripgrep
|
||||
rsync
|
||||
screen
|
||||
strace
|
||||
tcpdump
|
||||
tree
|
||||
vim
|
||||
wget
|
||||
];
|
||||
};
|
||||
|
||||
hardware.enableRedistributableFirmware = lib.mkDefault true;
|
||||
|
||||
i18n = {
|
||||
defaultLocale = "en_US.UTF-8";
|
||||
supportedLocales = [
|
||||
"en_US.UTF-8/UTF-8"
|
||||
"de_DE.UTF-8/UTF-8"
|
||||
];
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
|
||||
# proxy protocol used by public-access-proxy
|
||||
8080
|
||||
8443
|
||||
];
|
||||
nameservers = with hostRegistry.dnscache; [
|
||||
ip4
|
||||
ip6
|
||||
] ++ (if config.services.resolved.enable then [
|
||||
"9.9.9.9#dns.quad9.net"
|
||||
"1.1.1.1#cloudflare-dns.com"
|
||||
] else [
|
||||
"9.9.9.9"
|
||||
"1.1.1.1"
|
||||
]);
|
||||
useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true;
|
||||
};
|
||||
|
||||
nix = {
|
||||
deleteChannels = true;
|
||||
deleteUserProfiles = true;
|
||||
gc = {
|
||||
automatic = lib.mkDefault true;
|
||||
dates = "06:00";
|
||||
options = "--delete-older-than 21d";
|
||||
randomizedDelaySec = "6h";
|
||||
};
|
||||
nixPath = [
|
||||
"nixpkgs=${builtins.unsafeDiscardStringContext nixos}"
|
||||
"nixos=${builtins.unsafeDiscardStringContext nixos}"
|
||||
"nixos-config=/you/shall/deploy/from/the/flake"
|
||||
];
|
||||
registry.nixpkgs.flake = nixos;
|
||||
settings = {
|
||||
extra-experimental-features = "ca-derivations";
|
||||
# if a download from hydra fails, we want to stop and retry it, instead of building it
|
||||
fallback = false;
|
||||
trusted-public-keys = [
|
||||
"nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
|
||||
];
|
||||
stalled-download-timeout = 60; # in case hydra is not reachable fail faster
|
||||
# don't self feed hydra
|
||||
substituters = lib.mkIf (config.networking.hostName != "hydra") (
|
||||
lib.mkBefore [ "https://nix-cache.hq.c3d2.de" ]
|
||||
);
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [
|
||||
"drone.io"
|
||||
"drone-runner-ssh"
|
||||
"elasticsearch" # mastodon
|
||||
];
|
||||
|
||||
# trust sandro to set good defaults in nixos-modules
|
||||
opinionatedDefaults = true;
|
||||
|
||||
programs = {
|
||||
fzf.keybindings = true;
|
||||
|
||||
git = {
|
||||
enable = true;
|
||||
# silence hints in various programs like drone
|
||||
config.init.defaultBranch = "master";
|
||||
};
|
||||
|
||||
tmux = {
|
||||
enable = true;
|
||||
historyLimit = 50000;
|
||||
extraConfig = ''
|
||||
# mouse control
|
||||
set -g mouse on
|
||||
|
||||
# don't clear selection on copy
|
||||
bind-key -Tcopy-mode-vi MouseDragEnd1Pane send -X copy-selection-no-clear
|
||||
bind-key -Tcopy-mode-vi y send -X copy-selection-no-clear
|
||||
'';
|
||||
};
|
||||
|
||||
vim.defaultEditor = true;
|
||||
};
|
||||
|
||||
security.ldap.domainComponent = [ "c3d2" "de" ];
|
||||
|
||||
services = {
|
||||
# set here explicitly, so that other modules can acces it like nixos-modules grafana
|
||||
# keep in sync with nixos/modules/services/misc/portunus.nix
|
||||
dex.settings.issuer = "https://${config.services.portunus.domain}/dex";
|
||||
|
||||
gitea.ldap = {
|
||||
adminGroup = "gitea-admins";
|
||||
userGroup = "gitea-users";
|
||||
};
|
||||
|
||||
gnome = {
|
||||
# less webkitgtk's
|
||||
evolution-data-server.enable = lib.mkForce false;
|
||||
gnome-initial-setup.enable = false;
|
||||
};
|
||||
|
||||
grafana.oauth = {
|
||||
adminGroup = "grafana-admins";
|
||||
userGroup = "grafana-users";
|
||||
};
|
||||
|
||||
hedgedoc.ldap.userGroup = "hedgedoc-users";
|
||||
|
||||
home-assistant.ldap = {
|
||||
adminGroup = "home-assistant-admins";
|
||||
userGroup = "home-assistant-users";
|
||||
};
|
||||
|
||||
hydra.ldap = {
|
||||
roleMappings = [
|
||||
{ hydra-admins = "admin"; }
|
||||
];
|
||||
userGroup = "hydra-users";
|
||||
};
|
||||
|
||||
mastodon.ldap.userGroup = "mastodon-users";
|
||||
|
||||
matrix-synapse.ldap.userGroup = "matrix-users";
|
||||
|
||||
nginx = {
|
||||
appendHttpConfig = ''
|
||||
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
access_log /var/log/nginx/access.log proxyCombined;
|
||||
'';
|
||||
commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
|
||||
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
||||
set_real_ip_from ${hosts4.public-access-proxy};
|
||||
set_real_ip_from ${hosts6.up4.public-access-proxy};
|
||||
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
proxy_set_header X-Real-IP $proxy_protocol_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
||||
'';
|
||||
};
|
||||
|
||||
openssh = {
|
||||
# Required for deployment and sops
|
||||
enable = true;
|
||||
settings = {
|
||||
AcceptEnv = "SYSTEMD_PAGER";
|
||||
LoginGraceTime = 30; # throw out unauthenticated connections earlier than the 120 default
|
||||
PasswordAuthentication = lib.mkIf (!config.c3d2.k-ot.enable) false;
|
||||
PermitRootLogin = lib.mkOverride 900 "prohibit-password";
|
||||
};
|
||||
};
|
||||
|
||||
portunus = with zentralwerk.lib.config.site.net.serv; {
|
||||
domain = "auth.c3d2.de";
|
||||
internalIp4 = hosts4.auth;
|
||||
internalIp6 = hosts6.up4.auth;
|
||||
ldapPreset = true;
|
||||
# those can't be under hosts/*/default.nix because those are not imported for the auth microvm
|
||||
seedSettings.groups = map (n: {
|
||||
long_name = n;
|
||||
name = lib.toLower (lib.replaceStrings [" "] ["-"] n);
|
||||
permissions = { };
|
||||
}) [
|
||||
"Mail Users"
|
||||
"Mobilizon Users"
|
||||
"Vaultwarden Users"
|
||||
"Vaultwarden Social Media Accounts"
|
||||
];
|
||||
};
|
||||
|
||||
postgresql.upgrade = {
|
||||
extraArgs = [ "--link" ]
|
||||
++ lib.optional (config ? microvm) "--jobs=${toString config.microvm.vcpu}";
|
||||
newPackage = pkgs.postgresql_16;
|
||||
stopServices = lib.optional config.services.nginx.enable "nginx"
|
||||
++ lib.optional config.c3d2.hq.statistics.enable "collectd";
|
||||
};
|
||||
|
||||
redis.vmOverCommit = true;
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "mail@c3d2.de";
|
||||
# letsencrypt staging server with way higher rate limits
|
||||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
};
|
||||
};
|
||||
|
||||
# does not suceed on installation which is okay
|
||||
system.activationScripts.deleteOldSystemProfiles = lib.mkIf config.nix.gc.automatic ''
|
||||
echo "Deleting old system profiles..."
|
||||
${config.nix.package}/bin/nix-env --profile /nix/var/nix/profiles/system --delete-generations +10 || true
|
||||
'';
|
||||
|
||||
systemd = {
|
||||
# don't kick us out if one disk is missing
|
||||
enableEmergencyMode = false;
|
||||
|
||||
# maybe set enable = false instead?
|
||||
network.wait-online.anyInterface = true;
|
||||
|
||||
services.nix-daemon.serviceConfig = {
|
||||
# kill all worker thread when restarting
|
||||
KillMode = "control-group";
|
||||
# restart if killed eg oom killed
|
||||
Restart = "on-failure";
|
||||
};
|
||||
|
||||
# Reboot on hang
|
||||
watchdog = lib.mkIf (!config.boot.isContainer) {
|
||||
runtimeTime = "15s";
|
||||
rebootTime = "15s";
|
||||
};
|
||||
};
|
||||
|
||||
time.timeZone = lib.mkDefault "Europe/Berlin";
|
||||
|
||||
users.motdFile = ./motd;
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
______ ______
|
||||
/ / / / / /\ \ \
|
||||
/ / / / / / \ \ \
|
||||
\ \ \ \ / / / / /
|
||||
\_\_\_\/_/ /_/_/
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 13 KiB |
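--- a/flake.lock
+++ b/flake.lock
@@ -1,970 +0,0 @@
-{
-"nodes": {
-"affection-src": {
-"inputs": {
-"flake-utils": [
-"flake-utils"
-],
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1700847735,
-"narHash": "sha256-hSHgLPZwWP7tPoUhH2GLQ4GvHvVGFiXIM0CLps+O5KE=",
-"ref": "refs/heads/master",
-"rev": "d0465fa3e1d122503439df7c2de9d16598fc0cf5",
-"revCount": 306,
-"type": "git",
-"url": "https://gitea.nek0.eu/nek0/affection"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.nek0.eu/nek0/affection"
-}
-},
-"alert2muc": {
-"inputs": {
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1685997764,
-"narHash": "sha256-SMIfPyGgNq7+8uChNnhIAma4QbKRTpZJnBtmggaAhiM=",
-"ref": "refs/heads/main",
-"rev": "0aaae8587303499c40b9c9ea726dbb1277a3e1c7",
-"revCount": 23,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/alert2muc"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/alert2muc"
-}
-},
-"bevy-julia": {
-"inputs": {
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"rust-overlay": [
-"rust-overlay"
-]
-},
-"locked": {
-"lastModified": 1663441942,
-"narHash": "sha256-KNKnxcD8mHfjCqI0FluGOY1gfDfOMo8K9upGnCGksGo=",
-"ref": "main",
-"rev": "7feee1b6c436230f2adea774aab14a74d862e355",
-"revCount": 3,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
-},
-"original": {
-"ref": "main",
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
-}
-},
-"bevy-mandelbrot": {
-"inputs": {
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"rust-overlay": [
-"rust-overlay"
-]
-},
-"locked": {
-"lastModified": 1663194086,
-"narHash": "sha256-412sqKeKP8qm8Teno8xnl8/yMWxjZaRa7ujw5xaa5qw=",
-"ref": "main",
-"rev": "a37a6e16946f0515242a30699a9b34bdc45ef87e",
-"revCount": 9,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
-},
-"original": {
-"ref": "main",
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
-}
-},
-"blobs": {
-"flake": false,
-"locked": {
-"lastModified": 1604995301,
-"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
-"owner": "simple-nixos-mailserver",
-"repo": "blobs",
-"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
-"type": "gitlab"
-},
-"original": {
-"owner": "simple-nixos-mailserver",
-"repo": "blobs",
-"type": "gitlab"
-}
-},
-"buzzrelay": {
-"inputs": {
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1714004061,
-"narHash": "sha256-gvRG8CkCFxQ3jqdiU+O6s9YdZRTPU53yK7XmEwPO3mk=",
-"owner": "astro",
-"repo": "buzzrelay",
-"rev": "c5fddfba89fd2d8dd7f415248a8ed878ffdb1f10",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "buzzrelay",
-"type": "github"
-}
-},
-"c3d2-user-module": {
-"inputs": {
-"nixos-modules": [
-"nixos-modules"
-],
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1710844300,
-"narHash": "sha256-pSP6v7VqWWWgekbYnASTrZXgOW270I7MoDIXLz960KY=",
-"ref": "refs/heads/master",
-"rev": "319dffc67b5c17c98d3ab77959568fc2b7c46513",
-"revCount": 62,
-"type": "git",
-"url": "https://gitea.c3d2.de/c3d2/nix-user-module.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/c3d2/nix-user-module.git"
-}
-},
-"caveman": {
-"inputs": {
-"fenix": [
-"fenix"
-],
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1713402078,
-"narHash": "sha256-gFkpX4PA5hEmuvQxZX+TWBOdIGmwzOXs5bgGAwOEdvA=",
-"ref": "main",
-"rev": "bc45f3513e952e95660c2e063e7a2a79b350b024",
-"revCount": 347,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/caveman.git"
-},
-"original": {
-"ref": "main",
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/caveman.git"
-}
-},
-"deployment": {
-"inputs": {
-"zentralwerk": [
-"zentralwerk"
-]
-},
-"locked": {
-"lastModified": 1684524757,
-"narHash": "sha256-gwJsDfc9hSqpqscyaEZkLccz0RH0NVss4FaxR2spUns=",
-"ref": "refs/heads/main",
-"rev": "399fb47d7e3898bd972c5e9f1ef04e29bb7d05b0",
-"revCount": 4,
-"type": "git",
-"url": "https://gitea.c3d2.de/c3d2/deployment.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/c3d2/deployment.git"
-}
-},
-"disko": {
-"inputs": {
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1714103775,
-"narHash": "sha256-kcBiIrmqzt3bNTr2GMBfAyA+on8BEKO1iKzzDFQZkjI=",
-"owner": "nix-community",
-"repo": "disko",
-"rev": "285e26465a0bae510897ca04da26ce6307c652b4",
-"type": "github"
-},
-"original": {
-"owner": "nix-community",
-"repo": "disko",
-"type": "github"
-}
-},
-"dns-nix": {
-"inputs": {
-"flake-utils": "flake-utils_2",
-"nixpkgs": [
-"zentralwerk",
-"nixpkgs"
-]
-},
-"locked": {
-"lastModified": 1703643450,
-"narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
-"owner": "SuperSandro2000",
-"repo": "dns.nix",
-"rev": "70dcce71560d4253f63812fa36dee994c81ae814",
-"type": "github"
-},
-"original": {
-"owner": "SuperSandro2000",
-"repo": "dns.nix",
-"type": "github"
-}
-},
-"fenix": {
-"inputs": {
-"nixpkgs": [
-"nixos"
-],
-"rust-analyzer-src": "rust-analyzer-src"
-},
-"locked": {
-"lastModified": 1711952616,
-"narHash": "sha256-WJvDdOph001fA1Ap3AyaQtz/afJAe7meSG5uJAdSE+A=",
-"owner": "nix-community",
-"repo": "fenix",
-"rev": "209048d7c545905c470f6f8c05c5061f391031a8",
-"type": "github"
-},
-"original": {
-"owner": "nix-community",
-"ref": "monthly",
-"repo": "fenix",
-"type": "github"
-}
-},
-"flake-compat": {
-"flake": false,
-"locked": {
-"lastModified": 1668681692,
-"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
-"owner": "edolstra",
-"repo": "flake-compat",
-"rev": "009399224d5e398d03b22badca40a37ac85412a1",
-"type": "github"
-},
-"original": {
-"owner": "edolstra",
-"repo": "flake-compat",
-"type": "github"
-}
-},
-"flake-utils": {
-"inputs": {
-"systems": "systems"
-},
-"locked": {
-"lastModified": 1710146030,
-"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-"owner": "numtide",
-"repo": "flake-utils",
-"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-"type": "github"
-},
-"original": {
-"owner": "numtide",
-"repo": "flake-utils",
-"type": "github"
-}
-},
-"flake-utils_2": {
-"locked": {
-"lastModified": 1614513358,
-"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
-"owner": "numtide",
-"repo": "flake-utils",
-"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
-"type": "github"
-},
-"original": {
-"owner": "numtide",
-"repo": "flake-utils",
-"type": "github"
-}
-},
-"heliwatch": {
-"inputs": {
-"fenix": [
-"fenix"
-],
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1713125817,
-"narHash": "sha256-GpW5PN4JIV5SYp6ZuAeN2qRQH3hyiOUWNbR5J0Jhh2E=",
-"ref": "refs/heads/master",
-"rev": "9172dc5abd036707d5b5a21bcff5c61f6e55fde1",
-"revCount": 73,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/heliwatch.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/heliwatch.git"
-}
-},
-"microvm": {
-"inputs": {
-"flake-utils": [
-"flake-utils"
-],
-"nixpkgs": [
-"nixos"
-],
-"spectrum": "spectrum"
-},
-"locked": {
-"lastModified": 1714072181,
-"narHash": "sha256-MOxTGzM8lgq8uo6zAy6e4ZUdzUpF/eSQPBXeH5G5BtE=",
-"owner": "astro",
-"repo": "microvm.nix",
-"rev": "ac28e21ac336dbe01b1f1bcab01fd31db3855e40",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "microvm.nix",
-"type": "github"
-}
-},
-"naersk": {
-"inputs": {
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1713520724,
-"narHash": "sha256-CO8MmVDmqZX2FovL75pu5BvwhW+Vugc7Q6ze7Hj8heI=",
-"owner": "nix-community",
-"repo": "naersk",
-"rev": "c5037590290c6c7dae2e42e7da1e247e54ed2d49",
-"type": "github"
-},
-"original": {
-"owner": "nix-community",
-"repo": "naersk",
-"type": "github"
-}
-},
-"nix-cache-cut": {
-"inputs": {
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1686178371,
-"narHash": "sha256-RwyZ3ZNlkTE6O7A5Lj5JcHHNCij3ZqfmZ5Pq+PB9Sq0=",
-"owner": "astro",
-"repo": "nix-cache-cut",
-"rev": "9133ed18136e6acfd591e76fe06e4c095a66c39f",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "nix-cache-cut",
-"type": "github"
-}
-},
-"nixos": {
-"locked": {
-"lastModified": 1714342774,
-"narHash": "sha256-gtwvQlNT1iY2reQLcsZ+7N+oeTyFzdWJcsKTS6Jv1xU=",
-"owner": "SuperSandro2000",
-"repo": "nixpkgs",
-"rev": "b0ecb7c93fb862fd1f32abb6e23087740d9a8a1f",
-"type": "github"
-},
-"original": {
-"owner": "SuperSandro2000",
-"ref": "nixos-23.11",
-"repo": "nixpkgs",
-"type": "github"
-}
-},
-"nixos-hardware": {
-"locked": {
-"lastModified": 1714201532,
-"narHash": "sha256-nk0W4rH7xYdDeS7k1SqqNtBaNrcgIBYNmOVc8P2puEY=",
-"owner": "nixos",
-"repo": "nixos-hardware",
-"rev": "53db5e1070d07e750030bf65f1b9963df8f0c678",
-"type": "github"
-},
-"original": {
-"owner": "nixos",
-"repo": "nixos-hardware",
-"type": "github"
-}
-},
-"nixos-modules": {
-"inputs": {
-"flake-utils": [
-"flake-utils"
-],
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1714345437,
-"narHash": "sha256-95Jrew6RACxyEATJg1asSfFq/dzDadLGBAxItb6/LRA=",
-"owner": "SuperSandro2000",
-"repo": "nixos-modules",
-"rev": "1aeeba70ada1b0f1f8bc408ea3131882d35f15c3",
-"type": "github"
-},
-"original": {
-"owner": "SuperSandro2000",
-"repo": "nixos-modules",
-"type": "github"
-}
-},
-"nixos-unstable": {
-"locked": {
-"lastModified": 1714342499,
-"narHash": "sha256-YdOQ/cIKBprDFR6VQ9cxrIct/RPJ3oeu+mhB8VeGsak=",
-"owner": "SuperSandro2000",
-"repo": "nixpkgs",
-"rev": "4758ee042302e38b9ad81611719a4798ed7d2165",
-"type": "github"
-},
-"original": {
-"owner": "SuperSandro2000",
-"ref": "nixos-unstable",
-"repo": "nixpkgs",
-"type": "github"
-}
-},
-"nixpkgs-23_05": {
-"locked": {
-"lastModified": 1704290814,
-"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
-"owner": "NixOS",
-"repo": "nixpkgs",
-"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
-"type": "github"
-},
-"original": {
-"id": "nixpkgs",
-"ref": "nixos-23.05",
-"type": "indirect"
-}
-},
-"nixpkgs-23_11": {
-"locked": {
-"lastModified": 1706098335,
-"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
-"owner": "NixOS",
-"repo": "nixpkgs",
-"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
-"type": "github"
-},
-"original": {
-"id": "nixpkgs",
-"ref": "nixos-23.11",
-"type": "indirect"
-}
-},
-"oparl-scraper": {
-"flake": false,
-"locked": {
-"lastModified": 1656290558,
-"narHash": "sha256-f9JRkxMWK4ONeCePB8UcQX8pAksQPF9YcxLbbcCgpFY=",
-"owner": "offenesdresden",
-"repo": "ratsinfo-scraper",
-"rev": "0bc947ef28a6b83943db6fd9abbe2ae21ced7d06",
-"type": "github"
-},
-"original": {
-"owner": "offenesdresden",
-"ref": "oparl",
-"repo": "ratsinfo-scraper",
-"type": "github"
-}
-},
-"openwrt": {
-"flake": false,
-"locked": {
-"lastModified": 1699273785,
-"narHash": "sha256-zIUV/P275kSI1HlEnsYeBEGgj4YHmhu1VTvQ9lrki9w=",
-"ref": "openwrt-21.02",
-"rev": "4a1d8ef55cbf247f06dae8e958eb8eb42f1882a5",
-"revCount": 51342,
-"type": "git",
-"url": "https://git.openwrt.org/openwrt/openwrt.git"
-},
-"original": {
-"ref": "openwrt-21.02",
-"type": "git",
-"url": "https://git.openwrt.org/openwrt/openwrt.git"
-}
-},
-"openwrt-imagebuilder": {
-"inputs": {
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1714298595,
-"narHash": "sha256-ac3N94sLDsms82KM5/b7AnJ40PIZF24nqcnZzGzedJY=",
-"owner": "astro",
-"repo": "nix-openwrt-imagebuilder",
-"rev": "b1c6a3baac6acb1269dbfa003a498ef523f1bd6a",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "nix-openwrt-imagebuilder",
-"type": "github"
-}
-},
-"root": {
-"inputs": {
-"affection-src": "affection-src",
-"alert2muc": "alert2muc",
-"bevy-julia": "bevy-julia",
-"bevy-mandelbrot": "bevy-mandelbrot",
-"buzzrelay": "buzzrelay",
-"c3d2-user-module": "c3d2-user-module",
-"caveman": "caveman",
-"deployment": "deployment",
-"disko": "disko",
-"fenix": "fenix",
-"flake-utils": "flake-utils",
-"heliwatch": "heliwatch",
-"microvm": "microvm",
-"naersk": "naersk",
-"nix-cache-cut": "nix-cache-cut",
-"nixos": "nixos",
-"nixos-hardware": "nixos-hardware",
-"nixos-modules": "nixos-modules",
-"nixos-unstable": "nixos-unstable",
-"oparl-scraper": "oparl-scraper",
-"openwrt": "openwrt",
-"openwrt-imagebuilder": "openwrt-imagebuilder",
-"rust-overlay": "rust-overlay",
-"scrapers": "scrapers",
-"simple-nixos-mailserver": "simple-nixos-mailserver",
-"skyflake": "skyflake",
-"sops-nix": "sops-nix",
-"spacemsg": "spacemsg",
-"sshlogd": "sshlogd",
-"ticker": "ticker",
-"tigger": "tigger",
-"tracer": "tracer",
-"yammat": "yammat",
-"zentralwerk": "zentralwerk"
-}
-},
-"rust-analyzer-src": {
-"flake": false,
-"locked": {
-"lastModified": 1711885694,
-"narHash": "sha256-dyezzeSbWMpflma+E9USmvSxuLgGcNGcGw3cOnX36ko=",
-"owner": "rust-lang",
-"repo": "rust-analyzer",
-"rev": "e4a405f877efd820bef9c0e77a02494e47c17512",
-"type": "github"
-},
-"original": {
-"owner": "rust-lang",
-"ref": "nightly",
-"repo": "rust-analyzer",
-"type": "github"
-}
-},
-"rust-overlay": {
-"inputs": {
-"flake-utils": [
-"flake-utils"
-],
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1713752081,
-"narHash": "sha256-x0QDETp7paa8qq+LX6191JwSq8abUFXCnKNulQ8L7ps=",
-"owner": "oxalica",
-"repo": "rust-overlay",
-"rev": "606c0ecb23c676c444a0b026eecf800d5bd5fec2",
-"type": "github"
-},
-"original": {
-"owner": "oxalica",
-"ref": "stable",
-"repo": "rust-overlay",
-"type": "github"
-}
-},
-"scrapers": {
-"flake": false,
-"locked": {
-"lastModified": 1713211784,
-"narHash": "sha256-WeTVBaVN9UZvw7dy8jkH0Vz8zWhcEqFlwqK9R+VYa0k=",
-"ref": "refs/heads/master",
-"rev": "4bdef3adf8ca8beefc2ebf6a838bb351bf8ca113",
-"revCount": 71,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/scrapers.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/scrapers.git"
-}
-},
-"simple-nixos-mailserver": {
-"inputs": {
-"blobs": "blobs",
-"flake-compat": "flake-compat",
-"nixpkgs": [
-"nixos"
-],
-"nixpkgs-23_05": "nixpkgs-23_05",
-"nixpkgs-23_11": "nixpkgs-23_11",
-"utils": "utils"
-},
-"locked": {
-"lastModified": 1713017338,
-"narHash": "sha256-BGXZdqdEc8+nFiX08q/kd8rWHgyiO42tacBpt39diMI=",
-"owner": "SuperSandro2000",
-"repo": "nixos-mailserver",
-"rev": "04490c0872d91da865b925a8b7f8ccd3ba982cbb",
-"type": "gitlab"
-},
-"original": {
-"owner": "SuperSandro2000",
-"ref": "quote-ldap-password",
-"repo": "nixos-mailserver",
-"type": "gitlab"
-}
-},
-"skyflake": {
-"inputs": {
-"microvm": [
-"microvm"
-],
-"nix-cache-cut": [
-"nix-cache-cut"
-],
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1697197264,
-"narHash": "sha256-8IQFwDudLZmBLNlA3xnmN7kAAi3RuPelf4iY7Zmt7PI=",
-"owner": "astro",
-"repo": "skyflake",
-"rev": "40fb7a4fb248691014ba5b2c841f77a34d160a80",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "skyflake",
-"type": "github"
-}
-},
-"sops-nix": {
-"inputs": {
-"nixpkgs": [
-"nixos"
-],
-"nixpkgs-stable": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1713892811,
-"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
-"owner": "Mic92",
-"repo": "sops-nix",
-"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
-"type": "github"
-},
-"original": {
-"owner": "Mic92",
-"repo": "sops-nix",
-"type": "github"
-}
-},
-"spacemsg": {
-"flake": false,
-"locked": {
-"lastModified": 1712512415,
-"narHash": "sha256-X4JrvBfD9rKi7UN8R+Qwc1k7tqGIwgRFE4T1OGd1YcY=",
-"owner": "astro",
-"repo": "spacemsg",
-"rev": "8842c2ab4144a1b1a9cc5feda5000858882c9617",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "spacemsg",
-"type": "github"
-}
-},
-"spectrum": {
-"flake": false,
-"locked": {
-"lastModified": 1708358594,
-"narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=",
-"ref": "refs/heads/main",
-"rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c",
-"revCount": 614,
-"type": "git",
-"url": "https://spectrum-os.org/git/spectrum"
-},
-"original": {
-"type": "git",
-"url": "https://spectrum-os.org/git/spectrum"
-}
-},
-"sshlogd": {
-"inputs": {
-"fenix": [
-"fenix"
-],
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1680725015,
-"narHash": "sha256-Rpr5ULz07gfdzVwAKHbTmVKAP0s4e51nZ0Kg4WcZcmU=",
-"ref": "main",
-"rev": "18889b61608af8cd6a5e703682e108c639aec816",
-"revCount": 24,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/sshlogd.git"
-},
-"original": {
-"ref": "main",
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/sshlogd.git"
-}
-},
-"systems": {
-"locked": {
-"lastModified": 1681028828,
-"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-"owner": "nix-systems",
-"repo": "default",
-"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-"type": "github"
-},
-"original": {
-"owner": "nix-systems",
-"repo": "default",
-"type": "github"
-}
-},
-"ticker": {
-"inputs": {
-"fenix": [
-"fenix"
-],
-"naersk": [
-"naersk"
-],
-"nixpkgs": [
-"nixos"
-],
-"utils": [
-"flake-utils"
-]
-},
-"locked": {
-"lastModified": 1711570353,
-"narHash": "sha256-kpipz1JwZzXD/BxfmWVDFIY2NisteJsubkcMYyIl8rk=",
-"ref": "refs/heads/master",
-"rev": "f76b7bc517ffd068972b3660daa67b1f6b22c4cb",
-"revCount": 140,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/ticker.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/ticker.git"
-}
-},
-"tigger": {
-"flake": false,
-"locked": {
-"lastModified": 1713196297,
-"narHash": "sha256-xgEtm7r6AS8UetLWtAKm1Zy9N0Cm4MP9SPjNyksRv6Q=",
-"owner": "astro",
-"repo": "tigger",
-"rev": "073cc63fcd6e25cba775b0b4ad8056c6200da03f",
-"type": "github"
-},
-"original": {
-"owner": "astro",
-"repo": "tigger",
-"type": "github"
-}
-},
-"tracer": {
-"inputs": {
-"affection-src": [
-"affection-src"
-],
-"flake-utils": [
-"flake-utils"
-],
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1663279525,
-"narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=",
-"ref": "refs/heads/master",
-"rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3",
-"revCount": 342,
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/tracer"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/astro/tracer"
-}
-},
-"utils": {
-"locked": {
-"lastModified": 1605370193,
-"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
-"owner": "numtide",
-"repo": "flake-utils",
-"rev": "5021eac20303a61fafe17224c087f5519baed54d",
-"type": "github"
-},
-"original": {
-"owner": "numtide",
-"repo": "flake-utils",
-"type": "github"
-}
-},
-"yammat": {
-"inputs": {
-"nixpkgs": [
-"nixos"
-]
-},
-"locked": {
-"lastModified": 1705059643,
-"narHash": "sha256-Y9SI1WGMXrnv02SOGoNdFIFTAbF6lxgtGBtaO3m+uOo=",
-"ref": "refs/heads/master",
-"rev": "fc279ce4becf8e44d53a2d8a5d68edbf36f19361",
-"revCount": 425,
-"type": "git",
-"url": "https://gitea.c3d2.de/c3d2/yammat.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/c3d2/yammat.git"
-}
-},
-"zentralwerk": {
-"inputs": {
-"dns-nix": "dns-nix",
-"nixpkgs": [
-"nixos"
-],
-"openwrt": [
-"openwrt"
-],
-"openwrt-imagebuilder": [
-"openwrt-imagebuilder"
-]
-},
-"locked": {
-"lastModified": 1714264157,
-"narHash": "sha256-/O/XJcp5npOD+qFGidkFJhahfhYuA6/y6BCb67iHB54=",
-"ref": "refs/heads/master",
-"rev": "848cf110ed4f71cac7b18d7b52378c1e42194187",
-"revCount": 2025,
-"type": "git",
-"url": "https://gitea.c3d2.de/zentralwerk/network.git"
-},
-"original": {
-"type": "git",
-"url": "https://gitea.c3d2.de/zentralwerk/network.git"
-}
-}
-},
-"root": "root",
-"version": 7
-}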
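--- a/flake.nix
+++ b/flake.nix
@@ -1,812 +0,0 @@
-{
-description = "C3D2 NixOS configurations";
-
-nixConfig = {
-extra-substituters = [ "https://nix-cache.hq.c3d2.de" ];
-extra-trusted-public-keys = [ "nix-cache.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" ];
-};
-
-inputs = {
-# use sandro's fork full with cherry-picked fixes
-nixos.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";
-nixos-unstable.url = "github:SuperSandro2000/nixpkgs/nixos-unstable";
-nixos-hardware.url = "github:nixos/nixos-hardware";
-
-affection-src = {
-url = "git+https://gitea.nek0.eu/nek0/affection";
-inputs = {
-nixpkgs.follows = "nixos";
-flake-utils.follows = "flake-utils";
-};
-};
-alert2muc = {
-url = "git+https://gitea.c3d2.de/astro/alert2muc";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-bevy-mandelbrot = {
-# url = "github:matelab/bevy_mandelbrot";
-url = "git+https://gitea.c3d2.de/astro/bevy-mandelbrot.git?ref=main";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-rust-overlay.follows = "rust-overlay";
-};
-};
-bevy-julia = {
-# url = "github:matelab/bevy_julia";
-url = "git+https://gitea.c3d2.de/astro/bevy-julia.git?ref=main";
-inputs = {
-nixpkgs.follows = "nixos";
-naersk.follows = "naersk";
-rust-overlay.follows = "rust-overlay";
-};
-};
-buzzrelay = {
-url = "github:astro/buzzrelay";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-caveman = {
-url = "git+https://gitea.c3d2.de/astro/caveman.git?ref=main";
-inputs = {
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-fenix.follows = "fenix";
-naersk.follows = "naersk";
-};
-};
-c3d2-user-module = {
-url = "git+https://gitea.c3d2.de/c3d2/nix-user-module.git";
-inputs = {
-nixos-modules.follows = "nixos-modules";
-nixpkgs.follows = "nixos";
-};
-};
-deployment = {
-url = "git+https://gitea.c3d2.de/c3d2/deployment.git";
-inputs = {
-zentralwerk.follows = "zentralwerk";
-};
-};
-disko = {
-url = "github:nix-community/disko";
-inputs.nixpkgs.follows = "nixos";
-};
-fenix = {
-url = "github:nix-community/fenix/monthly";
-inputs.nixpkgs.follows = "nixos";
-};
-flake-utils.url = "github:numtide/flake-utils";
-heliwatch = {
-url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
-inputs = {
-fenix.follows = "fenix";
-nixpkgs.follows = "nixos";
-naersk.follows = "naersk";
-utils.follows = "flake-utils";
-};
-};
-microvm = {
-url = "github:astro/microvm.nix";
-inputs = {
-flake-utils.follows = "flake-utils";
-nixpkgs.follows = "nixos";
-};
-};
-naersk = {
-url = "github:nix-community/naersk";
-inputs = {
-nixpkgs.follows = "nixos";
-};
-};
-nix-cache-cut = {
-url = "github:astro/nix-cache-cut";
-inputs = {
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-nixos-modules = {
-# NOTE: mirrored to https://gitea.c3d2.de/c3d2/nixos-modules
-# If there are questions, things should be added or changed, contact sandro
-url = "github:SuperSandro2000/nixos-modules";
-inputs = {
-flake-utils.follows = "flake-utils";
-nixpkgs.follows = "nixos";
-};
-};
-oparl-scraper = {
-url = "github:offenesdresden/ratsinfo-scraper/oparl";
-flake = false;
-};
-openwrt = {
-url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-21.02";
-flake = false;
-};
-openwrt-imagebuilder = {
-url = "github:astro/nix-openwrt-imagebuilder";
-inputs = {
-nixpkgs.follows = "nixos";
-};
-};
-rust-overlay = {
-url = "github:oxalica/rust-overlay/stable";
-inputs = {
-flake-utils.follows = "flake-utils";
-nixpkgs.follows = "nixos";
-};
-};
-scrapers = {
-url = "git+https://gitea.c3d2.de/astro/scrapers.git";
-flake = false;
-};
-skyflake = {
-url = "github:astro/skyflake";
-inputs = {
-microvm.follows = "microvm";
-nixpkgs.follows = "nixos";
-nix-cache-cut.follows = "nix-cache-cut";
-};
-};
-sshlogd = {
-url = "git+https://gitea.c3d2.de/astro/sshlogd.git?ref=main";
-inputs = {
-utils.follows = "flake-utils";
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-fenix.follows = "fenix";
-};
-};
-simple-nixos-mailserver = {
-# url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
-url = "gitlab:SuperSandro2000/nixos-mailserver/quote-ldap-password";
-inputs = {
-nixpkgs.follows = "nixos";
-};
-};
-sops-nix = {
-url = "github:Mic92/sops-nix";
-inputs = {
-nixpkgs.follows = "nixos";
-nixpkgs-stable.follows = "nixos";
-};
-};
-spacemsg = {
-url = "github:astro/spacemsg";
-flake = false;
-};
-ticker = {
-url = "git+https://gitea.c3d2.de/astro/ticker.git";
-inputs = {
-fenix.follows = "fenix";
-naersk.follows = "naersk";
-nixpkgs.follows = "nixos";
-utils.follows = "flake-utils";
-};
-};
-tigger = {
-url = "github:astro/tigger";
-flake = false;
-};
-tracer = {
-# url = "git+https://gitea.nek0.eu/nek0/tracer";
-url = "git+https://gitea.c3d2.de/astro/tracer";
-inputs = {
-affection-src.follows = "affection-src";
-nixpkgs.follows = "nixos";
-flake-utils.follows = "flake-utils";
-};
-};
-yammat = {
-url = "git+https://gitea.c3d2.de/c3d2/yammat.git";
-inputs.nixpkgs.follows = "nixos";
-};
-zentralwerk = {
-url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
-inputs = {
-nixpkgs.follows = "nixos";
-openwrt.follows = "openwrt";
-openwrt-imagebuilder.follows = "openwrt-imagebuilder";
-};
-};
-};
-
-outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, simple-nixos-mailserver, scrapers, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
-let
-inherit (nixos) lib;
-
-inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;
-
-libC = {
-inherit (import ./lib/nginx.nix {}) defaultListen hqNetworkOnly;
-};
-
-overlayList = [
-self.overlays
-];
-
-ssh-public-keys = import ./ssh-public-keys.nix;
-
-# Our custom NixOS builder
-nixosSystem' =
-{ nixos ? inputs.nixos
-, modules
-, system ? "x86_64-linux"
-}@args:
-
-{ inherit args; } // nixos.lib.nixosSystem {
-inherit system;
-
-modules = [
-{
-_module.args = {
-inherit hostRegistry libC nixos ssh-public-keys zentralwerk;
-};
-
-nixpkgs.overlays = overlayList;
-}
-
-self.nixosModules.c3d2
-] ++ modules;
-};
-in {
-overlays = import ./overlays {
-inherit (inputs)
-fenix naersk rust-overlay
-bevy-julia bevy-mandelbrot tracer;
-};
-
-legacyPackages = lib.attrsets.mapAttrs (_: pkgs: pkgs.appendOverlays overlayList) nixos.legacyPackages;
-
-packages = import ./packages.nix { inherit hostRegistry inputs lib microvm self; };
-
-nixosConfigurations = {
-activity-relay = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./modules/activity-relay.nix
-./hosts/activity-relay
-];
-};
-
-auth = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/auth
-];
-};
-
-blogs = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/blogs
-{
-nixpkgs.overlays = [
-fenix.overlays.default
-naersk.overlay
-];
-}
-];
-};
-
-broker = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/broker
-];
-};
-
-buzzrelay = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-buzzrelay.nixosModules.default
-./hosts/buzzrelay
-];
-};
-
-c3d2-web = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/c3d2-web
-];
-};
-
-caveman = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-caveman.nixosModule
-./hosts/caveman
-];
-};
-
-dacbert = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.raspberry-pi-4
-self.nixosModules.rpi-netboot
-./hosts/dacbert
-];
-system = "aarch64-linux";
-};
-
-dn42 = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/dn42
-];
-};
-
-knot = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/knot
-];
-};
-
-drone = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/drone
-];
-};
-
-freifunk = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/freifunk
-];
-};
-
-ftp = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/ftp
-];
-};
-
-gitea = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-self.nixosModules.gitea-actions-registrar
-self.nixosModules.gitea-actions-runner
-./hosts/gitea
-];
-};
-
-glotzbert = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.common-cpu-intel # also includes iGPU
-./hosts/glotzbert
-];
-};
-
-gnunet = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-./hosts/gnunet
-];
-};
-
-grafana = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/grafana
-];
-};
-
-hedgedoc = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/hedgedoc
-];
-};
-
-home-assistant = nixosSystem' {
-nixos = inputs.nixos-unstable;
-modules = [
-self.nixosModules.microvm
-./hosts/home-assistant
-];
-};
-
-hydra = nixosSystem' {
-modules = [
-self.nixosModules.cluster
-self.nixosModules.gitea-actions-runner
-# skyflake.nixosModules.default
-./hosts/hydra
-];
-};
-
-iso = nixosSystem' {
-modules = [
-({ modulesPath, ... }: {
-imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix";
-})
-];
-};
-
-iso-minimal = nixosSystem' {
-modules = [
-({ modulesPath, ... }: {
-imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix";
-})
-];
-};
-
-jabber = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/jabber
-];
-};
-
-mail = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-simple-nixos-mailserver.nixosModules.mailserver
-./hosts/mail
-];
-};
-
-matrix = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/matrix
-];
-};
-
-mastodon = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/mastodon
-];
-};
-
-matemat = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/matemat
-yammat.nixosModule
-];
-};
-
-mediawiki = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/mediawiki
-];
-};
-
-mobilizon = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/mobilizon
-];
-};
-
-mucbot = nixosSystem' {
-modules = [
-"${tigger}/module.nix"
-./hosts/mucbot
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-];
-};
-
-network-homepage = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/network-homepage
-];
-};
-
-nfsroot = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/nfsroot
-{
-_module.args.tftproots = nixos.lib.filterAttrs (name: _:
-builtins.match ".+-tftproot" name != null
-) self.packages.x86_64-linux;
-}
-];
-};
-
-nncp = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/nncp
-];
-};
-
-oparl = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/oparl
-{
-_module.args = { inherit oparl-scraper; };
-}
-];
-};
-
-owncast = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-./hosts/owncast
-];
-};
-
-pipebert = nixosSystem' {
-modules = [
-./hosts/pipebert
-];
-};
-
-pretalx = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/pretalx
-];
-};
-
-prometheus = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-alert2muc.nixosModules.default
-./hosts/prometheus
-];
-};
-
-pulsebert = nixosSystem' {
-modules = [
-./hosts/pulsebert
-# build: outputs.nixosConfigurations.pulsebert.config.system.build.sdImage
-# run: unzstd -cd result/sd-image/nixos-sd-image-*-aarch64-linux.img.zst | pv -br | sudo dd bs=4M of=/dev/sdX
-"${inputs.nixos}/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel.nix"
-{
-nixpkgs = {
-hostPlatform = "aarch64-linux";
-# buildPlatform = "x86_64-linux";
-};
-}
-];
-};
-
-public-access-proxy = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/public-access-proxy
-];
-};
-
-radiobert = nixosSystem' {
-modules = [
-./hosts/radiobert
-{
-nixpkgs.overlays = [ heliwatch.overlay ];
-}
-];
-system = "aarch64-linux";
-};
-
-riscbert = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.starfive-visionfive-v1
-./hosts/riscbert
-{
-nixpkgs.crossSystem = {
-config = "riscv64-unknown-linux-gnu";
-system = "riscv64-linux";
-};
-}
-];
-system = "x86_64-linux";
-};
-
-rpi-netboot = nixosSystem' {
-modules = [
-nixos-hardware.nixosModules.raspberry-pi-4
-self.nixosModules.rpi-netboot
-./hosts/rpi-netboot
-];
-system = "aarch64-linux";
-};
-
-scrape = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/scrape
-{
-_module.args = { inherit scrapers; };
-}
-];
-};
-
-sdrweb = nixosSystem' {
-modules = [
-./hosts/sdrweb
-heliwatch.nixosModules.heliwatch
-self.nixosModules.microvm
-self.nixosModules.cluster-options
-];
-};
-
-server8 = nixosSystem' {
-modules = [
-./hosts/server8
-self.nixosModules.cluster-network
-self.nixosModules.cluster
-# skyflake.nixosModules.default
-{ _module.args = { inherit self; }; }
-];
-};
-
-server9 = nixosSystem' {
-modules = [
-./hosts/server9
-self.nixosModules.microvm-host
-self.nixosModules.cluster-network
-self.nixosModules.cluster
-# skyflake.nixosModules.default
-{ _module.args = { inherit self; }; }
-];
-};
-
-server10 = nixosSystem' {
-modules = [
-./hosts/server10
-self.nixosModules.microvm-host
-self.nixosModules.cluster-network
-self.nixosModules.cluster
-# skyflake.nixosModules.default
-{ _module.args = { inherit self; }; }
-];
-};
-
-spaceapi = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-"${spacemsg}/spaceapi/module.nix"
-./hosts/spaceapi
-];
-};
-
-sshlog = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-sshlogd.nixosModule
-./hosts/sshlog
-];
-};
-
-stream = nixosSystem' {
-modules = [
-self.nixosModules.cluster-options
-self.nixosModules.microvm
-./hosts/stream
-];
-};
-
-ticker = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-ticker.nixosModules.ticker
-./hosts/ticker
-];
-};
-
-vaultwarden = nixosSystem' {
-modules = [
-self.nixosModules.microvm
-./hosts/vaultwarden
-];
-};
-};
-
-nixosModules = {
-c3d2 = {
-imports = [
-# adds config.system.build.isoImage which can be used to build an iso for any system
-# which is very useful to get its networking configuration
-# ({ config, modulesPath, ... }: {
-# imports = lib.singleton "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix";
-# isoImage.edition = lib.mkForce config.networking.hostName;
-# })
-
-c3d2-user-module.nixosModule
-disko.nixosModules.disko
-nixos-modules.nixosModule
-sops-nix.nixosModules.default
-./config
-./modules/audio-server.nix
-./modules/autoupdate.nix
-./modules/backup.nix
-./modules/baremetal.nix
-./modules/c3d2.nix
-./modules/disko.nix
-./modules/pi-sensors.nix
-./modules/plume.nix
-./modules/stats.nix
-];
-c3d2.nncp.neigh = import ./modules/nncp-relays.nix;
-};
-cluster = ./modules/cluster;
-cluster-network = ./modules/cluster/network.nix;
-cluster-options.imports = [
-deployment.nixosModules.deployment-options
-./modules/microvm-defaults.nix
-];
-microvm.imports = [
-microvm.nixosModules.microvm
-./modules/microvm-defaults.nix
-./modules/microvm.nix
-];
-microvm-host.imports = [
-microvm.nixosModules.host
-./modules/microvm-host.nix
-];
-rpi-netboot = ./modules/rpi-netboot.nix;
-gitea-actions-registrar = ./modules/gitea-actions-registrar.nix;
-gitea-actions-runner = ./modules/gitea-actions-runner.nix;
-};
-
-# `nix develop`
-devShell = lib.mapAttrs (system: sopsPkgs:
-with nixos.legacyPackages.${system};
-mkShell {
-sopsPGPKeyDirs = [ "./keys" ];
-nativeBuildInputs = [
-apacheHttpd
-sopsPkgs.sops-import-keys-hook
-];
-}
-) sops-nix.packages;
-
-hydraJobs =
-lib.mapAttrs (_: nixos.lib.hydraJob) (
-let
-getBuildEntryPoint = name: nixosSystem:
-let
-cfg = if (lib.hasPrefix "iso" name) then
-nixosSystem.config.system.build.isoImage
-else
-nixosSystem.config.microvm.declaredRunner or nixosSystem.config.system.build.toplevel;
-in
-if nixosSystem.config.nixpkgs.system == "aarch64-linux" then
-# increase timeout for chromium
-lib.recursiveUpdate cfg { meta.timeout = 24 * 60 * 60; }
-else
-cfg;
-in
-lib.mapAttrs getBuildEntryPoint self.nixosConfigurations
-# NOTE: left here to have the code as reference if we need something like in the future, eg. on a stable update
-# // lib.mapAttrs' (hostname: nixosSystem: let
-# hostname' = hostname + "-23-05";
-# in lib.nameValuePair
-# hostname' # job display name
-# (getBuildEntryPoint hostname' (nixosSystem' (nixosSystem.args // (with nixosSystem.args; {
-# modules = modules ++ [
-# # {
-# # simd.enable = lib.mkForce true;
-# # }
-# ];
-# nixos = inputs.nixos-23-05;
-# }))))
-# ) self.nixosConfigurations
-// nixos.lib.filterAttrs (name: attr:
-(builtins.match ".+-tftproot" name != null && lib.isDerivation attr)
-) self.packages.aarch64-linux
-);
-};
-}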
|
@ -1,48 +0,0 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
c3d2 = {
|
||||
deployment.server = "server10";
|
||||
hq.statistics.enable = true;
|
||||
};
|
||||
|
||||
microvm = {
|
||||
mem = 512;
|
||||
vcpu = 8;
|
||||
};
|
||||
|
||||
networking.hostName = "activity-relay";
|
||||
services.journald.extraConfig = ''
|
||||
Storage=volatile
|
||||
'';
|
||||
|
||||
services = {
|
||||
activity-relay = {
|
||||
enable = true;
|
||||
jobConcurrency = config.microvm.vcpu;
|
||||
relay = {
|
||||
bind = "127.0.0.1:8080";
|
||||
domain = "activity-relay.serv.zentralwerk.org";
|
||||
};
|
||||
};
|
||||
|
||||
backup = {
|
||||
enable = true;
|
||||
paths = [ "/var/lib/activity-relay/" ];
|
||||
};
|
||||
|
||||
redis.enable = true;
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."activity-relay.serv.zentralwerk.org" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://${config.services.activity-relay.relay.bind}/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
}
|
|
@ -1,169 +0,0 @@
|
|||
restic:
|
||||
password: ENC[AES256_GCM,data:m4osUnoEW/uUxIq7RihhnSGWiFSI37BrakLc5VSyRzM=,iv:wdSxFAsN9gndqJbVvi99ZO8KieUzZ1YiqQcTckJ2H7M=,tag:N5mpjfVjMpRVRFcKUYEFxw==,type:str]
|
||||
repositories:
|
||||
server9: ENC[AES256_GCM,data:UlgJ5GrSpP6NJnX8tDu1m2WsuzFYYC5l3xgjEsxqnb9I4DiWtzQRi2KlKP0uZiYEmehc/0MjZGw6SJ1AMu+rWKimWD4hAEGXvae3orbtbgosK2TqH+gN4YHYkmxopevkblj09LKWj59Z9lnGE2NF5Z4c,iv:2N0GInT+f8CXBgFQHE72q7Na5Efv0YXVSzECRJzk518=,tag:nsjaWrugU059Xv0cHCiTdw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcjc3THN5QWRhQUg2UWhO
|
||||
LzFoYVhEUU1ZcE11OWllWmlHeDlzckZtY2t3Ck12cGZjTkRMczZaVDBkWmFqSmlx
|
||||
UGhhUE5kdjh5aDNFN1kySnV2dmFmVjAKLS0tIDlSd20zbmhMdWJ4TU5hZTd6THB3
|
||||
OW1BWmdnY2tEK1ptNmZPTFYvNmgzNVkKoupIQLO/x0F3CzYauPgMcEbgRE2WRjjN
|
||||
P3fPORqZbJzZj5df/H7Wtep8JV40nhpgJrfyHSCnsXeKwP4cFWl5UA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZWErRGcyVzZ5TXozMjdy
|
||||
ZWRLaCtwS2dwalQxU1B5eWdleWpwR1RoSTM4Cmx4RWRWaUltYngyaE0zSGRON29h
|
||||
Wi9MU0Vac2dSL3dXMTNVc25FOGk4emMKLS0tIEREbmUveXA2UXFZRjNiV3FObWh4
|
||||
MDdoUzlsUWMrS2JSOGsyNElpVFdBeE0KP0UGExM1D4ug3pEMAsDy+63hC46EZlBa
|
||||
B+jZtrT8Yl0bS+/fCDWTldqFrpJA0myBEjoJA3oeuGUJ/RN3GW8yYQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-14T01:28:24Z"
|
||||
mac: ENC[AES256_GCM,data:dfl+N7jk0LcAcaMT0zYnFwBCZXvAXnxQ4F0eTdopBLQhrqo/fh79f/aGHP+tCTfiKJZ08tGZkSCG21XmRS1fYh75JjhnEjx0bIojno9NFDVW9EiCQWH1WswqwnrIboclSv5+KDexMiqV7xdtZNKe9ZPWmqxIqWXStYrniK/Xcak=,iv:dvyYP5mzwpWS1WcV9JMzu8UsQraCWQc7OT3HaWD3hA4=,tag:Tedym+/t6R29DJSYCLgk0Q==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA7zUOKwzpAE7AQ/8DkXqr5/OtflmadoHYlmRswmVsE8NGc2OIdhNVdABr2tQ
|
||||
Xg4St9y04YD/MlcK48dU+m06VYxh5LlKCtAu+qTQJiEziiAnCfIG9kXtcLn54L/B
|
||||
nEOnqhQex8sHVNvPhfWgM/jPibDNI2s+AWmdxe1dI5D7xzQIF6RivU1H4wmj6jem
|
||||
gdE30PHKnCq1Zh0mGLRwZoA3xAYoo78tS/kTvcOlLgnq23EZRYWrcPV6dpRpdLCp
|
||||
a7mWkCoJEic/Cacfq6yZErHH9CNmBloVK6HO0Cbvu7MkRDxNrPOXKv4KJAUJsDH5
|
||||
aivGs69vMsZFhk8C624wmKupjmB7rk82rR/w5SHEJ1+h+OQvC+/m8nQuBcVrY++w
|
||||
++cqcVxrdv0q63LF2mjdTwRrPOGC8bJNIeCELOPMNOcWfdEmNo1ow34sPpAHGo12
|
||||
ptQ3QCQEtMBSShEXncys0SqBKNI+h7eT0hnFc/0xT9jYwRDaRJ5+Toefg5CKRbs0
|
||||
cet7FHbWFhCYWa3Ehev4/t1vPq+ZgqxcqBceHsbefp5CG+Ghs7lfvl4CsM45TrD5
|
||||
c/EH0acXkzqXoRVgjYtzliCm8lnzjTSkWXAf8+lGt7Y/7rJaiH5MKb4uX2u44JI5
|
||||
NePiSwFj4q2SQue+ZKeBiF8KWAvF6KZMWtoXwoQn9gq6sHfcw+4OQ+hdiI+mKerS
|
||||
XgENec4taVUBFV3zkN+nHhBUBWmJ1KC82BfXkmmREY+L1P3UYUBN+ZJ4Wzd+gOSK
|
||||
3DJeWp94xjIDKXnNWo0XnMdHLu0HXDZi28dx1rJlRAjd3a8NpDplf29ud2Ug0uM=
|
||||
=Ey0c
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6j84+xkv3y7ARAAsUJNn7lO/xqFRq54IJodeb0HRWcj3UMPnD4z4StRxjrG
|
||||
k4TaHrj9JOW8YORVdug/XuhlpsyMJjGhwHF3sTCLpBB77+Tt7eaMmg7PMauQG7ZX
|
||||
qnt4bxHohV1YlCxP31w8lbjdE64nNpGX9B7cj3PIi1RCM2ekzA74t+uhFFvZj7RZ
|
||||
BctKNr+LhY83YvvUKoiyRcxcZNCHdyZqoT6d0UZnVFwxuSFUzK0XeEC/XdmKscVl
|
||||
br0cPtUid/PTZoNE6khLf1Uxj5modcP6gg07/w9bTeXEJjIQbJhCLHAPHgUJfC6G
|
||||
rvD386e+Niybwncyq7rUtLzO/yc8I5L2jKmJFd2I67nBLFCDAZCB+K6sPzUF9ead
|
||||
UAxYjy9rz1tsvBXBBg0QtRSsJAYRJ8jKX4bxDNirPBGZb1eoaBCmJr+vtTJtjGNu
|
||||
DyBEESgKW06DSbzJ5nDDdAFsL4jK9FWdE61dRwS09IJHOkP3OYc8z/LhfapKBvU4
|
||||
0eJ82DxdiA4rA6I65+9GjoV7kjp0e3bBskoaDaVUx6LN35NB5WCRjiv8DAOFlypY
|
||||
Ahu2DnZTYKql0U21Bc9NfXAZ1oN3sjHm5T23HBvLyiLH8IadxtZLt5xeBLwMUWer
|
||||
dz9IECit7NuvLr4RswYL0ttMTjffzv8xbTn39iRg9TGfSAvVyxJwOSDE3nYtqfnS
|
||||
XgFHBRI+R+Q+HaaYMxlX3V6lRvpDnHLRx8ZU4Be2KfSjzY31xoQJytLv7NsGYvbA
|
||||
OoTiwfRq3SOH+gsiS2i1eSxeuqhCWaZADR4KqZTN7J+eU0/cuD4EhEBLtCZENvE=
|
||||
=VYZW
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwMCBBrc/JA6ARAAstvunj3TcPQMMYUbev09/glNvPBsWmHZKG9QouytpeS2
|
||||
bROulqLv9jwn0Iq8K4NJQujEWzMKwYsuiYyWce7Zsm1mbTOcvtOq41WFtry2TJ4T
|
||||
7KjklECWZ5wmg3rUJCTVrEJlQ3s5YNoG9oFax4iQ0aSs8HS9ZyES3NJYbGqDvhP2
|
||||
QAMj5MyyEhcjVlej+TEZmWcfRNbbh6fLPNGwgr2h5Jg6F/5sVXdnqS/lMmODA/bP
|
||||
7RuyI8BBZFFoySk4H5M4Gffga3pLR1ou/dWaxTMKrssfLuQBNV4G4XCA+Mpjmvn9
|
||||
+KkkG0qovx54tRKri7kQPShYycL0cXQZRVEQmYexU45nGsP1pkkojgnob2yqvtRQ
|
||||
0pao5uQDg67MscISjGgAQR2WNad5Z5tuYDlJoheP2k3jJ1Sn3MSqkaTiueL2tb5N
|
||||
j6Wt63g0BTK+kmwpozS10/xobD8Q2X/MXOfGO0k+wQcmUYP7U+F6VJIz3Fj6HrLX
|
||||
Yym2w4bndR6OE8rbovdnkijhdU4Ge2fu2CbwpE3eD43nIt6BH8G4N+B8PO8r7b+J
|
||||
jCGj5jfcigZ7qLXsh0d0wLBtISq4J1zBLPnendiPE2pWPrLXLh4sWxTiX9KN62+J
|
||||
M4nuQE731xuwSo1QPMqi0UGfNl8TPYAGLTwl2l5ufCe3aR7cq+nSxtLM5nUjSgXS
|
||||
jwEY0EnE6juzmk4VZeV22HvqkN+bqg7WR/5txMhQQ+5CKYN0b+iU7jh/T0NSg8wk
|
||||
emR0/h7cSkzWENweNPjF4vVzdQCZNlgdMAAYW7GaEMV2vPCWYH+fYKwKvCVY/44P
|
||||
7FB3y6TqgKwHaAd3+w52v7M7qoE5E4rh3EF4prqFD5yVv624PsrFFq3F1S+sBYDY
|
||||
=78Vq
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/YLzOYaRIJJARAAqhLjmCAxtyB1O7y9WStwIpawgISbFeNVtG6CGh6stpiJ
|
||||
N2kRv3KiGnWwIbmgKZs9Ik7yFMn+T1dvPt2qk3CMcoFrQ0kBVOlWM5K3q8YHWzvJ
|
||||
ERgIgbhkwXTMrVnl/YUOnrN/RewKJ/QUZkI9bYE/vDLyEAuxPj2u8ncS6e4HH03b
|
||||
fIRjjE9uOmee1ywhLNBSPPf3UQLQH7M2NoiGaxNFjEoAO/rdM8Y+08ad252+0bB3
|
||||
tGimVnWx5HtI/+oVjjki0N0UId/zNog7XkM682XMxY24lm/xKcc2qVGDBc7X5BEX
|
||||
G0jUG9omMj4xHyHOezuU9Wv2Tb4KclEqql635aaNgD1cNYhj60pE2fWOT+lpjVFw
|
||||
rW7hguc6whsnigLiFVqb7vCCMWkXe2ZJALvVyFMm0S8WI/FRyo1OfrU+CsYTUvhC
|
||||
pbUuIKg+U8qMrZnIf7rwOkh5ac4Bo/iT7rtoUudkdJiIDoi0qY5B5gxCPk2OzzRx
|
||||
JzG//MVaThy5Se+i15sPMB2Mj4TUcjIc739TNJ8H1Y4Ev2Kl6wUqNEzthxq0sENz
|
||||
XbKJHLmNffiH/D/6ZpdnAMhYAtWG8rMr+uSa5htICXc2cSnbLcIJ+ndwFGj+DR0k
|
||||
aB4kHRp1m78LntOVKYgY4NXvaiRKm6Uw7uhOSGvNJpJzANJpjOFaYQ4mOx7Yoo3S
|
||||
XgEJpezAuszbv7d0Gbl2DTTqZKsXMZrVmBTC6z9+H54ad/XDa5Twm54/u3bMiIPT
|
||||
+Y/wo51GXJvXVQKkg0Fz/bmL0KTyRZKddC3Ay93ggaErVNS1Rcg+oVBu1SyTs9g=
|
||||
=Il/l
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA9qJIVK2WMV7AQ//dH2JtDb5i0NYtHZzi59O4pGMYD3qT+JUuIvMmMzrDGpP
|
||||
xV8Fnn6zIlCL8n4xsIBhGVopv0xpaS2/LTOPlKBrRM/rFgoEZqSw8E99Npmpm5pJ
|
||||
eBfGTXtCLUR7fSlXiQHO/FKVPmWuO+Fawt8A3wa3TZ0q+E/52E2zS4nfHJ4CnEir
|
||||
MbAykdYyYtVY+rnqOUwQO9gpvIq4ai2oXlJ5OIp/+C3zIHc1itkepWK670vt+LHJ
|
||||
c5jvpMtuNTNjJFV6u9n4XqNM4MQ5q5Q1sRfmTkdjvuhZx58OO6SrlvJ751iFv7Pj
|
||||
dZMGH5nP9t+V+gLiN83Vi+Emu20YQcFFwc3p5SIugKmjrnOFLQvfoFBd7cwftOK9
|
||||
+q3tLt7VNsH7gA2Kx9ehQYNa2LYwxPLAgdiCn0tMGAcFH43YEaOj22aY2xwj0Iyp
|
||||
krbkpUuhzDZ4LEXupvm+1UJ3gPQ05sK2v9TMToTrVp+4wremxtElIgyxmAELe58r
|
||||
b+yjG7omrDWIas2SCZF24ZIfX7FxSjKxb3wHWb1k1r6lOOY+bP5k13fTrs/UC2N1
|
||||
kXmf+oZVIU4MUFfbyrsVdIfIHM1JJcIeaUe8reetmd2H+Jl2NwVpf9Pdcm8JmcjW
|
||||
4q1nveFEDoDAWNkW5gjAYJf4DjBZySLtXjDN8L5e32H81NNXcWKSKEiSqBQHrljS
|
||||
XgFdiRoD7Z8/+uGCPiPqN/muVd+q3J7ytvLJLBz/7zflC7Gkb0Lj0Z9k6zjr+aIS
|
||||
dCNG/lEobZ7jKTelcV+JruMr4dPFnKxXRfWhNUgZoDDindGQ0MtBYN2wknUg480=
|
||||
=09vd
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA9XEenRNYVGHARAAzQjuzivU4x0pA3lG+lx+V8kNxvQtYSQooe92gsRKs0KK
|
||||
+K8o+fFfwLVX1MF8XRKeyCwl1XZmOEOCBrfBdoOcO75I3m8qEI2vmMdRsarkbS7F
|
||||
y61HZNiFEEsAn/o1sFd85yjQSD1dYQqZJnEJ73IQyuc1u/qSLea65/KL/hOHMqGs
|
||||
jRmst9DoJFFRD3xs4M3dNgVzwvypAwGPNgKIXeOgaPQsE1Cer051tnp4eOCTQMM/
|
||||
UHCZQ9nJonAgmBufF0li2RrDNuN20RRqGXXJtWrsHaFS8Vh40EBQszQ867BMCBFk
|
||||
vdkkAeWU/FDQqhQxCAE51asJN3Mh4KzQZ7TM/85e6BtK49slDlszWWyp0+WdPcQ3
|
||||
JN9YlbL9AXAzd1LLzPYbv7diBreX5QkP04eKGpB0UhFIhUfS8BstcN35stTCX4aP
|
||||
5bjBE4JQx/WCoGnWev/4I1gXTxGykJoemqJUM+/yLA6pJhB0oYcKscZLXwjjHnqW
|
||||
ZQrGhcX7Yk0T6E4FgH5Zw7/HqV2ceAx+hwGcegZfLNqBbitCuWOWcf0wLOuGlSHB
|
||||
B7Kdj2YvcHRJVOgM6kNLpRSfgkOt9+NHnMkFlCE/VHo+pYOlwS+A4Y0VyMhofo6A
|
||||
77m87OoVSzXtIxYSKq4kQOOXVAiFRmC86fy0nz5Vka53+kf7mMnJ5ZCwO0dnGyTS
|
||||
XgFeTEeJd4NDGDpZB8/4F32/duMLLh/BnxydAOLepIlB9J7Woi6uVqYYLcBij0Gj
|
||||
6zG1KuZ0EE48sFXcSHWC/uTeXvYppzHDOYBgoo4bNPUKzInx7Na749UmfhHoyt0=
|
||||
=FrQw
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2023-11-14T01:27:48Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA45bZkLXmBFpAQf+LGJmxeU+Efansi/90UOb2Pw6vtiiXAyP2GJ65GDt2gMo
|
||||
fuoCRfElGzymasLfQe9moDs9fyUoAYkreGUn8crsI3RbLbmFjQcT5hMBRwR0iKZQ
|
||||
egNm5C8R3EuPCUWMuDHWee5isfaghUp5+j17NzkwD6oGy1VtU/XAhlk5YV9436eT
|
||||
zjJPha1NJwJ8oMLoHGIFtD5q0C4F++TN0PGLQrWxhFeywIymFu6b6z8kkcjVNONQ
|
||||
oi8CQkjk0bjYopCuc8irv1j2Zu0w0Gp4UP7pHYbf3UCIlhSoQJWx8c29P/phohMT
|
||||
Ox+TX7+8iwNURtwoP1pZaCgoekfzec1ELLNxj2GzW9JeAbHLMZGmnR16VQBjggRU
|
||||
ukeYes3ys2GxsRYxPq/a3nHgMvV20IVt7s0IxfGIFb44pjTe9TLVyFhdeGm7RFaP
|
||||
kxWbgFBS39ITUJC/UP5g6tj541aMONoWFWzAPI5ZJA==
|
||||
=s4Hv
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
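--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,17 +0,0 @@
-# Design
-
-We are using [portunus](https://github.com/majewsky/portunus) to manage an OpenLDAP server
-and currently [dex](https://dexidp.io/) to offer OIDC.
-Dex might be replaced in the future with an equivalent solution that can remember sessions to have true SSO.
-New services should use OAuth/OIDC if possible to lay the groundwork for SSO.
-If the application only support LDAP, that is also fine to use.
-
-# How to use it
-
-See the grafana configuration to see an example on how to use OAuth.
-To create a new application edit the dex configuration next to portunus.
-The aplication credentials are saved in sops.
-
-For an exmaple ldap configuration see the gitea, hydra or mail.
-The ldap settings are documented in portunus in detail.
-To connect to `auth.c3d2.de` the nixos-modules option `services.portunus.addToHosts` should be set to true.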
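--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,108 +0,0 @@
-{ config, lib, libC, ... }:
-
-{
-c3d2.deployment.server = "server10";
-
-system.stateVersion = "22.05";
-
-networking = {
-hostName = "auth";
-firewall.allowedTCPPorts = [
-636 # ldaps
-];
-};
-
-services = {
-backup = {
-enable = true;
-paths = [ "/var/lib/portunus/" ];
-};
-
-nginx = {
-enable = true;
-virtualHosts."auth.c3d2.de" = {
-forceSSL = true;
-enableACME = true;
-listen = libC.defaultListen;
-locations = {
-"/".proxyPass = "http://127.0.0.1:${toString config.services.portunus.port}";
-"/dex".proxyPass = "http://127.0.0.1:${toString config.services.portunus.dex.port}";
-};
-};
-};
-
-portunus = {
-enable = true;
-dex = {
-enable = true;
-oidcClients = [{
-callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
-id = "grafana";
-}];
-};
-ldap = {
-searchUserName = "search";
-suffix = "dc=c3d2,dc=de";
-tls = true;
-};
-port = 5555;
-removeAddGroup = true;
-seedGroups = true;
-seedSettings = {
-groups = [
-{
-long_name = "Portunus Administrators";
-name = "admins";
-members = [ "admin" ];
-permissions.portunus.is_admin = true;
-}
-{
-long_name = "Search";
-name = "search";
-members = [ "search" ];
-permissions.ldap.can_read = true;
-}
-];
-users = [
-{
-family_name = "Administrator";
-given_name = "Initial";
-login_name = "admin";
-password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ];
-}
-{
-email = "search@c3d2.de";
-family_name = "-";
-given_name = "Search";
-login_name = "search";
-password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ];
-}
-];
-};
-};
-};
-
-sops = {
-defaultSopsFile = ./secrets.yaml;
-secrets = {
-"dex/environment".owner = "dex";
-"portunus/users/admin-password".owner = "portunus";
-"portunus/users/search-password".owner = "portunus";
-};
-};
-
-systemd.services.dex.serviceConfig = {
-DynamicUser = lib.mkForce false;
-EnvironmentFile = config.sops.secrets."dex/environment".path;
-StateDirectory = "dex";
-User = "dex";
-};
-
-users = {
-groups.dex = { };
-users.dex = {
-group = "dex";
-isSystemUser = true;
-};
-};
-}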
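--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,176 +0,0 @@
-dex:
-environment: ENC[AES256_GCM,data:ETmjIma293BdDibQhXkpELlddzfdhrV6xKhBJFVOZb7j+SDsBucH5MtKwcjbSh5/HpM3SuaYvOqiZOs3jpnQx5Fx+A4HaZBLfAtJZvHm3fONcFFmwD05FTB8O7jFRW+PJVyqQsrwFkes5Y6DtFO3Bu0arbjTXfi7R8jWIl+WGq23r4SSdnUyMJxf6G/MRA2xKum0/f3C2C+iWCR+msVKWPLpnPW8l2yHRWM/Pjyg8NYfOFV0NuLTimpslJ4tJvCde9s/vI71Ncokbx85rQS03OnOEdgXdjx/vC5Q2NRbyko7aXnDbgNpGqMXrZ+oHYPrnBT6vXhiC0iHLJSPmEZw1nwNA6Lcc7VbquVWm1c2Rc3XZ2NLgdOK2yaOOYjSGfucbKal2HZZSSSrwiz2,iv:5DqSaK3va9PrxCjv0Tcg2fVZk9+/hVv3M2NwRPlmliQ=,tag:QUfe6rwPJS7qZ8T5ULWlNw==,type:str]
-portunus:
-users:
-admin-password: ENC[AES256_GCM,data:Hxcj/ZxBeUmUDh+R6NWGe2fVTtd56d1VgPGKUG5mIf4=,iv:X6/3hk1SylA9xWNkrE7Ynu7jgY7YDU/rmJeALKfDVRU=,tag:y8RUy45n0EcpsYCrmjLrPQ==,type:str]
-search-password: ENC[AES256_GCM,data:RsAdOdPYRv5uFiAAEtNHpiPOFV8Qq2ie1a3LWq8CX4A=,iv:jU1EknnTCuivYeZep3+/Fz0TaGVHinwrqXpZRVV1P48=,tag:+gl4bLr8xlCW4Yb2Q6fXcA==,type:str]
-restic:
-password: ENC[AES256_GCM,data:pwiTsU7Ibg8zC339BV1ejavrtO9kw20rWO2LEMsFEKY=,iv:hozH7kZjQ54MvmGuRcui/lzznyfKhntDDocGNgi69+Y=,tag:lNFyn94CIon2lEuJOM+PWw==,type:str]
-repositories:
-server9: ENC[AES256_GCM,data:FcDuWjo91l7L1wSfWlniaOgipaSldie1QfSiah/W0PZ9DGkBmJwbZZs72I8AcsurKdhp1AS+T6Q9K2BQ1I290dlMsnUzAb1fNW2ripYe8im596FvFbyrT+6H6BRa1w==,iv:TzV9j1K7pRJp2aAqY1nLpeEEc5fvUe3BX6zKw6CA0Wc=,tag:U4fsdO7YhZ5/i8Zeg+Rvyw==,type:str]
-sops:
-kms: []
-gcp_kms: []
-azure_kv: []
-hc_vault: []
-age:
-- recipient: age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc3BQWVprTzNVSnl5T0M1
-NWNzSzZoYloyckVKQTVmbStoaHA2eEZ6ZFNRClhmY0Z2aytQRUkxYnZQSTF1bllY
-UktFdmpUNUZBcG1mc0lWQ3VoYnFpSUUKLS0tIGY3aFhaY0YwUWF6T1JzMUFOdTNF
-ajd6M0FrSHJVS0cvRnhBcmVHSzU5QjgK25PjPEFG0bksJikCMqXGxTQp4cuoCJUC
-A5CzQvzL+kczt3HojLCWz/bHQfTY+Icw9Dr5l4Ygdgtgt5O4LgLmfQ==
------END AGE ENCRYPTED FILE-----
-- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMHhFSk4zUmVGTzF0WmIx
-OVpBVHdBZi9BRnZIYklOL0NNUTNQUmZ2ajNVCnllL2o5Mm0yZnk5ZVBRTUxNajNW
-WlRqSFlackVVcU9mL1VGQmRCOVBrWkUKLS0tIGtaT2ZaR0c1cDRzOFBVY3NYTnVq
-NXdXdHNvVkJSWi9nbU9FeTZpVWprdzAKIvJn74/HKgceHB4UAGOBtN1k8Qd3selq
-WUaOZJX82Mwr1fnW5COymnqAV3tlh3fywlPhveqL+Ij4z12B68F+1Q==
------END AGE ENCRYPTED FILE-----
-lastmodified: "2023-12-03T14:57:46Z"
-mac: ENC[AES256_GCM,data:t+a5H9OlbMcnwtAB40jbS8ba9UoYhpW21il0kdvBAgI1MamEwY5HxkiudbBEeunQtXv3IDMHfQweE6j5MVEYCOPs37N6nYh3Mp8ggBFsslf0RyjaTh99zVwm67n5goKdaVN+aDzbs1sbNTMWQ6neSSCXG8VZYDXOD0rsQtpfDDA=,iv:HoXM1J/+3ifJ/wiUacKriU1CQOYaxwoB8k71ysJvhyw=,tag:6N3t/568IaDna8yS8hj8cw==,type:str]
-pgp:
-- created_at: "2023-08-08T22:43:03Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA6j84+xkv3y7ARAAlLRnHGsXiXHx1S2F3VWaG6GtC/rOiYQkzHy/itkHCeQV
-AXXslLzkAAxKLor6cEZ50l0PeZKZ4GTpY+wLEsbDl5+Y4kkjFe/Haj/2H+LrSPzL
-kWBz/MnuvMKP5+pP0qHVS0XtGtB4N1Bp0yOpFhr8aAQz/RF5dmzcMtgankKbYjrV
-4YpOttee9v5dsrAWSKpUOOtyszT0tpG22k6KVpFGiVgrQ8/2RLVtevn3ot5pbwf+
-ZpDcSGVXN3a1icYUVBoLeP7mlHOa7oQsm+5zSuQPLdLwf4Qo/8sYdyGYxHJvGO5D
-+4hnMiXii6v128b/B3aNyPldijK76LP273VkCzMj+717x3pvV0GM7W8ntsHWDgNs
-8VdD36Maf11ziSFgCTgD/Ysbw4DJM8VFPpurWybylGR4yAOBN7ADdHQ/tA8LtiZq
-+8JZDQPrgbgR6FOzE/0M5B72WVaS4b0YPrUACQ0yzcs5qNWYTxzdXMu3yCPOkPAu
-oLq3RdlC/NnagCSG6HodlcsdBFXYJzgb52hqeqwqOXWjxd+zFPBclQK0je4TrbKQ
-H9YcFRSdx41RLjwcU62O6MX61HKOvc0Cd/vx4/2GmgX5ZV6o+pDLjUigPqPthJ4j
-J2yXbbMm4elg7sGryb86GsUjdEuWEYwyqj36kJPq8fnJIACw3s/WGZPuo6I+LqPS
-XgGLNVRhrLAklWZ2AER1Ii3SsE1Uk/ROIhneyA8kPV5feYx7lnhHUNcQTY+sCO7e
-UFgqCg6bYOY9qnU+dFgLPiip78imK+2fDQQnKdT4VCyyUVOUcQHmMP2YPXvFJpE=
-=YtF4
------END PGP MESSAGE-----
-fp: A5EE826D645DBE35F9B0993358512AE87A69900F
-- created_at: "2023-08-08T22:43:03Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQEMA45bZkLXmBFpAQgArI4FBB0Kjp2gbKj/JxLEVHLl9+Dd8Vi+WQk7wKYvgrbD
-ZnRpzhMAJUPB3G/46tQ9MrHgUbSkvUr37kSMBgV/aMsCCDbymTwahXHb2kIKI9IF
-EAV09taF7J5Pe8iqsn+vP0H16TFnthXAvlRHIA4xEosLdpkPj1Iw7t0fdKjjj0zJ
-HA6xfgO54nzrl4Jb7gdDLOv8lZ6F+ro6dAiKTyrdjNQ5WGNrpJVjSU4ID7FU37bn
-+XLP35noDqkVct/oS9eWYkIlAccWbLSXXy9FvcbYhfNKiy1+O2M2IGht2QXJeTsp
-6VMvY0T0GD+5HXSjOsr2lIYwWBm2UU/ddwpVkI+kb9JeASq/iOFtW+gdZSQ28esj
-9XBZS9NhZ7o+JJdS/kLShGYD8+EE3haxtOY3pMhQDT1CIWInkSVmuxbbmtQ/1Fzi
-kAWzNRmeDblLh1uNZIRL9aemy9CUHYrJCryKMkSOAg==
-=VpO4
------END PGP MESSAGE-----
-fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
-- created_at: "2023-08-08T22:43:03Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMAwMCBBrc/JA6AQ//SBjfHqC7Gon9DI4PM5g+ywDcB75N28fCJHTgsIvWx6Hp
-IagB4J7YTpaYSnrvDH3jdlmnso5zYXM9K7Qih293zh5VECdn1jyK+nXDFy7iv3+d
-e2xnTLzDAIjNYzR5Oa0JiE1MoSVAEMxuDrFCt0KuOXbVjwfIl+ycLDBnOhHg4dHB
-UZtnU3FD7fab2Kkxqcl1aIn8p3DFplh7TOAG1wQKSx++EWOuRVTXlUauncyHBRaJ
-STZP7EVZsB2HZGPa0Of5DhuL12tJ8rLoqtm9A3mB9KOTpUPGyhfR1o7kuxduw7LM
-65u7wQO7vcJofdhiPw7lo1JGooP4rhuDHvhtUDnvKim/9EbvbUxAOFA9lZVEjhFX
-EM8VsA7knf7G87KOlY+J6KPB2FtA9Mo1jC/rb5RDzEUfK5D5wiu99VdE/wTFldbP
-Mg8HPVN605hJXqVdzWz33//JxskIR7UW4E9s/sGxH47pYXn4CVIrPoxnnqYCYZes
-rAEEBl8+zc5azSwYwVXEPMT90xQzc8zGe1nFfOLJq6Bh3ZSzX/WGSsEyXcjStg68
-4aZq6eJFb0/dYklKUOv4l/wh3PPaGp5F2A2Mcbuhf31iAIfLDyFS7EbXobqUaclG
-A7AmgY58aznrQu0UmxDFluRpS6suur2pTgA6Fnm/LzWuKYv0OJvsOR1Ek/R8tubS
-mAHi2kf1BC5CdEiUK8k4MRXZGuPd7dbV8OArlA/PLRUyecm8Ah04sioooFkyJBD1
-Os98P8SagXFVcoORAovoNRxdfHuCFgSELDKz+JTV8LV3hZOXDzaiFq8fL1ezpGAW
-imxso6PgQfmqttgBNFNOnANUmeRrGtJ9x2BMhX2fhp6tgfc+n6YPLgO74gd4mal4
-W1L10MQgRmT6
-=KJcu
------END PGP MESSAGE-----
-fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
-- created_at: "2023-08-08T22:43:03Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA9XEenRNYVGHARAA4KoonBUrswlioStwINWugQ+FQz8dX8WeXX7giFsqnV82
-XyWYaq7yRYbulPjRXtL2ymZt/31el5nkBlMbum/7gBADH/3NJbeX/SQ4ejBYf5ED
-HTVhBrTfFFB8vRUvgiyfp9FmGqJmjbJCxCjeEWmIQpVep5WIaOpHxrBsm98tDw3y
-PWrsMW3ur0y5p94ehX6IZf78B3WUsWZkqyEOkaRkhe4oXfsCFnoCHxjHkIJYQcfL
-8gbad309H+mCcCDgMn3NJl+pY7TVZ3vpWpikHnUZ+i5N8Kfs5TUEGCBbepJKfuyt
-Azf0EkFOLAawmnXqSeuyW+zpqhxUwQMLsjh2zNR9MEVQg34bEy9DfhTHA4xo3ux7
-5N+tetd8gQwA+nv4xvT2b8R4EtW/d9MLdetWfyAVrhoGrN5pcHH/FCbfnY4OlMoc
-OHXBnI5u10NcbvxdACn1DQCXIWYvYC61hKqRlcvOIZCZLVgwBk/ccRMh0mxthyFO
-rTwQaxjZ14a8UGjAJWFPFzSWqQYSl5koG951g46EAnYz1ibMyS+KV1Hrme+ZDoYs
-KMJN1939OkxPv82HcoIlMp9oZtOqCWRQtbTMTqrA4xuej56n/NU5UuV6GRei4kox
-BGYQRe67Yh9Q4etFTmjn8oC2cFuIpE8XeuXZxwZ+EfGMaoQpK/nxbUmIjHuBW8/S
-XgEI1hooSof9JSbsjVKmDnQsRf2mCG4Y6L10xAzrrppEMh0g4iMs0ISshgdpHkzp
-ZM/KxStYz/9LHLfIwSXEKA5f+ZIjUZPOqITNPK8of6ifo5Per2NA7QuaWry2G/c=
-=FIBR
------END PGP MESSAGE-----
-fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
-- created_at: "2023-08-08T22:43:03Z"
-enc: |-
------BEGIN PGP MESSAGE-----
-
-wcFMA9qJIVK2WMV7ARAAsioi6fvG+Rq1sGlEhSP6M9ILaVxgghccOcFDw0P22eKd
-J3gt6C0hIPGYto+G4KZrGEmQZEX7r2Of9w+UwTohP5wUlOuqtlEhw6uuX4A8H9CS
-0kteTaMnxNSgQ1FJIXejzstdvfJ2mIl3Rfz1weFChrhyzuv1BS+Joqaf4Q2GjP8k
-8EHVVdUvHTtk/XZbp3LHsD4citdStmBwD/HxXGTiqw3N1FQba5VJPSr+CKPeuaVo
-TQatri4VgG/U5dJd3njngHKf9FyRIol8QgwFt+ar91rufRjHtx5mBdOqcC+ZuCaV
-fokUHh9wp5ODPAyfo+c9FLuJ0Wsdfil9MNhoizhq39RaK8h8CXqRkHs+N1jAukx0
-kXPdHJNKz6OCk0ICTzntmw/W0/me/HX2FdfJUx/LPN6EY1qSGshF0oiTza07FwYO
-AxlpGiIJSAc7vToxtx6gUEQCQf9LxM6wvYFsfqNQ4yQJL1Jc5pcxFeVEc/9yggYh
-nTk671kpM8gpEuboP18ETDFKPpdfFMIaRS5SCjJAtbOQF7O5Nm4OhmgViXlBDA6G
-LZHwx3OF+qIWGf3fJRtUpHNslFv9+b7dyBScV+Vn/6/7vkQZSOxMe+zoFaFW02wN
-HaCwi+p9izV/WlfJpcWlkEwMMJOJWrmf2dfYQooJVJAmS+yCuor1iL4HkqphBefS
-UQGXFApWJWOyl5t2/S9MTPc1KzUJzTHTH8+Nak3Lwu5iR4kStROwniDpYmqymaig
-t+e5plOavhWCLM58TT+O4z3d2fUZMLyKU3pzpDixLLO+dA==
-=kGby
------END PGP MESSAGE-----
-fp: 53B26AEDC08246715E15504B236B6291555E8401
-- created_at: "2023-08-08T22:43:03Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA/YLzOYaRIJJARAAkc9hptWAsu9kTF7cn+lSANvjFPfweuq1xza2SwMa5L/x
-HdKwknGrgw3KnQ7h8/Ldsg3B4biKgDBZr4OZPrcesLRWC5NgxcHvMN8vdt18dmz+
-ajuE64QMoBmj0svJHq3w9k8wcHHfyNKzpICxY955m3es6JOOryVkW1UcysaS3ofC
-uSGFAAqjl+sew2RxCh0Meqmop/bcBmGWxo1+gclgE3eKDF8ISlWBLf+SDrqnne5m
-1qz/WG2vID6iXL7kXT1u8/VU3HySbWWO3xsZIQXP6C5Rw0AAPrVn5QdZunCw0FDp
-PWPNmNgnW4qKjiYfvMpSMTnvYCLXQldu366+WDdATbLhO5BSmpSIG7BAhodDCmr9
-EJYOsrsZU+FJ5JCL5P4E2Rc26+YkcCxOQEBG6f8hX+6W/ecox/xt0BuSuRgH3s5W
-rUbYNsvTi/V5i5C0rQMrlbtQ0KMa5+rqpx12jfF+wEatz9zn5VV1aN2wo0TJBVhG
-XYwYfaYFe0EtdddIxI3X/5/zcokBTQ3JExWQ/sb9qCoMgcW5xXXnfjIMdjaIqna8
-tUvWHyKUUQBzu5+VF81RtqFt6Y8vR9S3wqjzx8HxzVJ4VDXCVyvdbYbHWiS0uSra
-ctBii7kN5ihHV187CNup0HznqlFLECj2LnFeqV36vLAM4Hd0sXdRDgokqe+gvtfS
-XgFvp+EpI9aPXokk4MB6avZOyU4n/2IBf7geR0tvtNGbZiEizphuiYNSGVHiLwiv
-5aTkjfmmnCHbM5jruT12yBT275LkWlXMmc3H9neaBdxqy974jHnaI3WRkK/C/8I=
-=4MZa
------END PGP MESSAGE-----
-fp: 91EBE87016391323642A6803B966009D57E69CC6
-- created_at: "2023-08-08T22:43:03Z"
-enc: |-
------BEGIN PGP MESSAGE-----
-
-wcFMA7zUOKwzpAE7AQ/+JHwdk31qNtKbZqddzd3N6IU2tLJkxxkVGefB6+efUEbM
-UgT6RvZAjmKiFCjktxMmwi/3NwTASq/+lvEM7KwRInpM8ngag7HLHnKKbNqbQMn9
-gAOMl69TuhvQzuCml40oE4Y3aWb6Q2iBIT92AhBFhMW/4FWrym51wsU7+9aWtSM4
-woSdM8fEoXTNC/wR3rUF7f5podri8OtL6bmr3Y32XIBz+Zr9u1586LIRRYG4cMBl
-9o5ZGK+QehatjTGhCOzAXiZkrdT32RaEA2wy+HnUPnMOAWih1HFg61Mum2uAH7wP
-lohmVjXjNpBpXEKmAZT7YusUsWzkAFP615qQsJ4Q+E1SJJ0XB6kCTZDUr3Vzk1RM
-hvNaHGnmMLb4JsrhDaMATd1hw5f1Dbdf7gkq0zyLqZQpdpO2QSSGhofK+ZOvmxbi
-fCURdQKqbAWrrk9PEpH6ZrKw1gE8sVDNY0+UBsU2XJed9QTBCEMJK2LN4fPX5rdC
-G6xfztrw85ehap9UUFi765jFqM54bCS7ZG2yMLVW4cxrzx1R++/tiGoRXMYpv1fb
-T61XvEOqV3znpPzht1puXxFm8iJ+X905GyMPnsyBVXnJ2mQhidwH9/MPzUNiu4Sv
-5KpmJQUedEXBTmwJEyc+lTMeFEQLZCB5J1EaiyVHTtHCE25OKPjcP9GOM4nwGSzS
-UQFSMrSf9hqE5t0anL3CEN7vriXa5pVUou35qjOIQCIKcwePqK159k7+vWMz19i1
-OSh027uue8Fn/terrCqtaB+U3ESyqwcQZMa6bf403byWTQ==
-=tSiN
------END PGP MESSAGE-----
-fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
-unencrypted_suffix: _unencrypted
-version: 3.8.1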
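--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,39 +0,0 @@
-{ config, ... }:
-
-{
-microvm.mem = 3 * 1024;
-c3d2.deployment.server = "server10";
-
-networking.hostName = "blogs";
-
-services = {
-backup = {
-enable = true;
-paths = [ "/var/lib/plume/" ];
-};
-
-nginx = {
-enable = true;
-virtualHosts."blogs.c3d2.de" = {
-forceSSL = true;
-enableACME = true;
-locations."/".proxyPass = "http://localhost:7878";
-};
-};
-plume = {
-enable = true;
-# See secrets/hosts/blogs for the .env file with all settings
-envFile = config.sops.secrets."plume/env".path;
-};
-};
-
-sops = {
-age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-defaultSopsFile = ./secrets.yaml;
-secrets = {
-"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
-};
-};
-
-system.stateVersion = "22.05";
-}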
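--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,172 +0,0 @@
-plume:
-env: ENC[AES256_GCM,data:V7pEExE5jGT7JSCejzo1m0QlMgpKuaF5CnHvR7LCvTJSgoCeeNW9ImtVk8MtqtoRngH45jgseuC5wZNzXSMG/ltQ4c3ThDcxKP5ngLmEZ3tOqSlIdV/A3S4ww4f/UAx8YpNY4c/LlL9NuCcfpHyC4zwRFrD6odCSk7BUT0BU+zxOBDpQDAHscBz+YYTbb3cJ7iGYg1fXS6wLJHutf0eXYF5VNcc80SISEfbR+bs9t2f7Dg==,iv:3n+EDT9TO5VxCS6rXZiNKpxtCWeCDi6YT3dQsrECNmU=,tag:ysWwxhR1JNJ7WUM28TIQig==,type:str]
-restic:
-password: ENC[AES256_GCM,data:5SUmmFclsGFskWM1E0qOQN0TDB7sllEBnDFslUHTqZs=,iv:WoWtaR4byoRjnZaakBhZYHfzBFKrJ1g3ylWj6Vkom2Y=,tag:0M+MXU8Xe3Ig50rmaqwzjA==,type:str]
-repositories:
-server9: ENC[AES256_GCM,data:UdkELx+F4EQywGD3hOKf2NiHjYxMhjMKchPsUsozUoDVAOBiY+bt4Zna8CBE0gmp07waM860F7zayDqgf7fluMCMhfW2H2VEp9O3KTjjhI4XlCjYBzz1xtd6g03COn+b,iv:R5afv0aBSSQG61H7D3mbAg/K43faJ4sTV3Qgxl7n0pE=,tag:oqEKkcCgeM+p2U3RruLm+Q==,type:str]
-sops:
-kms: []
-gcp_kms: []
-azure_kv: []
-hc_vault: []
-age:
-- recipient: age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbUZCbDRLSzU3T3ZqeHpI
-cnU5Z2t1a0hXR0s5bDVpM3ZvNXd2MnhXdUZFCkVKWDJvK0s5QkdtZDNiOHh6L0w5
-TE5jL085U1ZBWklwbHNMWCtpbEFkMncKLS0tIGF5R3Npb2VyeDJkNW1mL2xoTCtC
-M1pFcHZJOFpVcFVyTXI3U0hWOEczZEEKwE0HSLdgHazYqJXCPxdtJtnSNf9mR3MM
-OwmPNDK2SRo++/vAtbGLVquC2TP9XyPIhUPxm/WX9rmBlT3ifFrFEA==
------END AGE ENCRYPTED FILE-----
-- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVjU2a1RZdG1RUFZORmlC
-dFlXYW8xUlFOWk5ubGVyTUJuOU1FZk5OWUIwCkZpOWZLVHg1UnNURFNtYkVINDAv
-YnlZNkkreWIzK2JwUTVhVTZ6MUlqVlEKLS0tIERQQm1aT0swYTVRcnEvbjZCcTVa
-dHM4NUhEcFJWREtWbnpSa2xMR3VlUVEK5TWq84p8Mkaw/bVNECTQp2IklmIxvtHA
-pitCs+darbCw7Ux6WLjyGjaGRA3e6BIy2l2BF5l6rlWPRbLrwWDZsA==
------END AGE ENCRYPTED FILE-----
-lastmodified: "2023-11-11T22:42:47Z"
-mac: ENC[AES256_GCM,data:Rm3Pn7sv3uUyuibvu5icFZsLv+1b1MxHk/bDoBfKvs1mPcEmhXMyviG6oPXgWSwStND5K3EG1YJIHWHLlFzReJvDWQN7SPtidkEj6empjNkt0ZDIvelX0RqHbVbbLDFrGdbo0O+tzpe2rE22VvsMliRxi8Frh9on/CgRLeUsxR4=,iv:5V50bnIW/y4o2FDTuS2p4LOcdiclJweLkAIfqUciGtU=,tag:d0DwlYYvUeo3DekTRzBPAg==,type:str]
-pgp:
-- created_at: "2023-08-08T22:43:23Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA6j84+xkv3y7AQ/+JOKlnEfTynJeT2BsY02HhE+VKgSI6C4AifxHSAJue78x
-5noLVSXVtmW38Tm2CF/wDcmLOFmgxTN5Y9XLKPmkjep9JFjSk1ISGgD3T7SRk9U8
-BijDRH7ikory/Ul0vwwsWh8xX5TJVRUC7NRaO6CNNT8PDiu5xlVoDw7PW7DrozVE
-3Q3h3wLMviGWyi5VZiws1lxyA9ZPs+KEEp3hVtIdL+xW9+yaopZIpA2LYt02QPKJ
-hNTsnsi8OULO4YcXjkjkIUxRt6lQcOWW8Ny6RwEhS0PAwkBMuk+B1/qXZuun5N3Z
-ReeA0bNBk4WsJ+w2QrREOJl2TpIWf1J2DFZdj/5b3L2DITD3iieynM2Vp9vZeK7g
-6DCD1jGwAyCqzTW20zTujN0LfRcwfq9LR2/vBdGToD+EV9wuauaKu2WVrJwbtCXI
-451+gJ+SO5YoTFvEDcOeIrzgvTu06RZltSs7msyfy0ympYpDy6wXvJzr1HHnqK0f
-Ff5LXO4FK4qNSAYs3c1MioiReeEWyWhiWz/3hA9AGcct65RDUN2xNKTQT0nBtsqT
-SKMXDMz19fzhLqOU4Yj1Ul0Dm1gIaRdbhaKiSeHPKP0D03bVIZBHv4BZj9/tgxH1
-/IZL3pr9eIQ1+gZ9sLn/D29MiR9toxrGPokfY8B/9MbaOA3zB9CnNkLjy7A+jD/S
-XgFRssxCzHd5B8Q5lSioyq64/hWPQlYkeR++FS2S+C4pK6mvJcWCnNaP6gSqlJn0
-PfYagXTOuk/7h2S+XZy1xyJkHoMOutGx5/iFnUsbB9JmnEtkcTy9c5W8J38cWf0=
-=DgCd
------END PGP MESSAGE-----
-fp: A5EE826D645DBE35F9B0993358512AE87A69900F
-- created_at: "2023-08-08T22:43:23Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQEMA45bZkLXmBFpAQf/ZdclvYDMZIZg55kWzWcSvaE2rN6k+h9+hwJxXGRRUb4a
-/+Ivzor9tw/me3+iDRiOzFQucEs4OjcsltaAKIn2UjowT1QvJtxkI0fm/uGmzxqy
-p2RlcmdFEHsZcMFdGSDsNSiSPWv8XSA5RPxx00tENGgfJaMHu0xsbl9Wfw1d4yvC
-W76YVFTMsJXGWSzZKw7OQzIz/5GAKdHBD1I43iVjqa9FH7oi7zXGpexyjxScpl1O
-/hxpGv8Td194yhT2ChF8NyOVqwHC3N1C1lqEn2dk2t9IFGpyR+doJqgtJzwCNu96
-z8RYpuFI4Shsu8qKzhVPxwunn6eh+GVCxiU+QeUdedJeAZHvgn8wERyaAFhA+S/2
-i6nsAbvyrggpLEHTivx7yYBM8+2sa53N4M2qLiXmQHrVSRwSjJKuLm41DVLEO1dO
-el7D04gfKWg6CkuDrvSvL6jt+Z4izw+wpQzmEBNt/w==
-=PATM
------END PGP MESSAGE-----
-fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
-- created_at: "2023-08-08T22:43:23Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMAwMCBBrc/JA6ARAApPjRxCdL8mQjNx+vIIv0h0RgG4dUjPezX77tYwWtLlel
-tH+fP+LBu1MGzx3AbjKN87QqfcIP5nsccKtiRf1EJUxhzwB6ZF8CPUEMDUc7zJus
-i9k+tAWWwgly+B8gvrUgwXB3BKmfk7npese5yb9+sW3znKmYiD1H4FnOwI0qDgZF
-Q6v1uwGMjRzd4rJVtlguIfB/TUkX1d3IrxvsDdJNaTLi5xYbOLrq6zNETOXlJad9
-2Hkm+YMa2wuB4LluT7XtuTbC7hhuW8xQ1HPJUfRObxZOU4ANVcmJ2YglqhZ4kNwE
-GL8RatF8jy285Lggy1ZUkJokO6VcTWui18R38+cqBqmlGxr66kBFZUpycWfle/qv
-VS8XyZNxlJV8T8ETFC8xQisnftmfMYdebBfAMUTO/DpNzG6NB3EzfWsV1jcJeFXb
-g+IMXQz8NAu571jVqWGWnswT5jOwj9yhnnJMyDmJ8Tsjbv8g16oeKjKPs1hBhjls
-Ll3wLgHvrtKtOUiCltv+7fU56Hc7p/UX88JaqNCu7znbVWx3cKzna9J2W5GU/NPY
-3CYxz96ts2UYhcgzKATZvNfdRmxinshyVdYBipIu7zEnV9OJ4Sjjnk49YkVimIqL
-fDf3bwIwiObkxc97XmMI7rBaQLU0IK/drmF1yXdo7W6WujZrMRKd/B8PIz47SwfS
-mgEng1ufhKvSDfyFrlMxiADnV/Js1PFh6hMOxvpOFVsaOVLSSS20ITBBlIX81u+L
-kc4ndaBe1+lPuZ7hB4AfJn9Ko4ykBu2PVPw27MQry39D6WAtv8IcBw9Ux7+00tpX
-ej2LvYQous7tTYPkWbaW53uooEBsrDqu8pKF4MzlzFjjzOOvJox7Bn7ccH53Lfpa
-e8pMj9POFmwslTw=
-=FzZD
------END PGP MESSAGE-----
-fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
-- created_at: "2023-08-08T22:43:23Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA9XEenRNYVGHAQ//fY7kofR6Ers9ykFlkZ9mnXDhVwa/t+c7ki8LCRFK4gLF
-TgUhcD8R5KblHPHoI56TlBGuR8RFgCBeYoq7KM3Y/hLRbeQZnP8dMymE+qRUvCn+
-WizVkJPbXlT7TN0XLb6tyXKJU245jIbkPWYl+6QPvVb01TCK7X88ehhiE1q0DfNm
-JR31fxS/93OhjS057b3hQK+jwQphWSNCkou9xQahOhormfTTt6n33DE9pOrgSpvB
-3uDRMCoHKlkgAIqAtb+Ek6tLEcYE3BgDvbHoei2Y7fxIBmDIsmrVRUwiN2pFx7lh
-g2UDYfrp6sC/69nh+Ueu/cYcFs8KwDQYcrh2z/WwqkrXTic+PeuSGBAe5hqiTwA5
-oFPmx2K/P5GM0FfpxW17vMxx3651DWBFv2Q9l7HaQxeOyNd0wMMHDGxEX7cjjwd8
-oiRXUzA6lARUngjzAfCLUKXmXJVcn/25SU05WtI8kCgqsRrq31Q/vpEN+WuK/U7T
-SxwH0HH6vyK3fJ1iBlfZYdLPZLkUL0JrTtFY890YnucpOVVfc6HtquItg9mP3vUp
-e4TYT3Tpp5athKi7xiF5PPBVyTfsH2s4WAiQ8+BBeFOXUbZ938xuF0otcM4jWbvP
-UMp7f435pzqITgbhr2LpCOTZcHMLKkLtLIaosPDfHjb/qKxu7Gg1Hc1pqiboPSTS
-XgFLMXuVYkwJwySEwnb57U1Orpgh1zuthLC2sDvFtGwI6uoYzgz+2xKSf3162QuN
-QlHkJMNOxW1uceiGJEbnwupDhmBVl9zOjhXeUiB/oA61zDho8YxF1ZC+5XnxpWw=
-=tuJP
------END PGP MESSAGE-----
-fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
-- created_at: "2023-08-08T22:43:23Z"
-enc: |-
------BEGIN PGP MESSAGE-----
-
-wcFMA9qJIVK2WMV7AQ//SR6eDLXCzAzcXLiMrhopKF8dvf9hPDDjSdoPhdmS65C2
-t24aWBAQArupb0KZRatH7rctn1xAHiUvDwY99+ihchrV2xzXhv2cfi7c+O/QEOtP
-EiQzbRwosswX5jigPy6shq5FavzunFG/ZqpeVTGnmK0Rb6EFRQ0vlCqrnej5WDaK
-lBpRt/+ufHTaiaA3ZIjsB/ludGq+bVwmg2nssOoQxaYYrgIccwG3JqqTw/W0M4/4
-DRTSILCcEJxY/w23uyxeMEvbXdJEbsK4vglhkMrJsNIepIqPgKp1PJUWrXqhk1Yr
-3LiGOjZm3naWDkxta77YsQNy95Ox8nGyn0Qk778CbAuPRXqkhzSv/YtZSw2OoVdc
-KVhN/brd3vA+8EK3t/uWkwhsVnfQ/xH7gzr1VVuJyFjho0Iq7ycBU5W/RtfIZZI8
-HM1j31LmKHUT43dZ6kEXYEckHHNoLJCSUHw1M4BTR9tZPoQigz3kuy386C4gIUM4
-/PdTUfnRCH5VrWqWu2ny4c+AqzJYHv4RanK6qDnyTsg6SZPdT++kMF1X3VrKDkzY
-6TrWIakVuvsdK7VssKYSsj4/fGM8yc5piUnFnSB2/A8LePdVSt/yJejo3Q57kVFi
-pQps5L/oa7s2gkUeK3GH2Gunk2z/DDITUXtAbHuvVqBNnX/j82KPiduUyrH/bF/S
-UQERmNqVuqY1Rf5aldfQ9j5ufpn5kqrHAaBpCspdI1Xq6P1WLpuxPp5+TiGXnINe
-Qg/2VCGu2tJ8p0uNhT7XRLbd60enhVwamEEgRCRZ1WFmXg==
-=UxHV
------END PGP MESSAGE-----
-fp: 53B26AEDC08246715E15504B236B6291555E8401
-- created_at: "2023-08-08T22:43:23Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA/YLzOYaRIJJARAApYwDjYIS1s5HBtrb4cD8PEPw1gDczcA9H+iLUNJN+3BP
-0k7LwlQosy55fdVmiyykdoQ6fQpavya+WVFhfFkEnnxwzdmNYwcopesJeYBrOJt2
-3fFzjP7aS83r4smYIji2Ct76/YjiGdQ2sS0+RHWDtoJ029dYmBKQxdrgwByHLPzk
-mA/yMqpk/T20KnbLEUotAQvWRrHFNOKltKnCiCmhVNWDgV8w6akSYDrTkB8VjS3I
-k53b7pI0N8bTnKP4Xd2ESd4d6HNQUpxnZw7ybwQKwUL4lFNwrz9kS/OcmQyQ7Mnw
-Ds7cyTxxcqakoFCtFSOqRVx6Uv5BLSGYNwXjZUoxGQGM83NxcpIosI8doaZoeIRk
-aQjMx0zm2kXjLRlQ6qGECOaD28oe74SftbiSYFHPNxMow6FPi66ftoNquySqrqMX
-72xtW4jc4uCmO8bIVr9uzzkOCwycSg7n5f+de7H2drUswqMZVEcnRvPY7buEpLG7
-c32+MYRQgrBeUDPPR7hCCaOYiQp8rwu0sIMUNs92d+LHtAyZX7zl3Dk5c9wM+SAK
-Rbo1yrq51uc8ICq5xmMNPOMlUXuokMTaXPDuxQocjDV/D5MR5Bz+L73YlIuvvaL3
-MNNqMKV7AGSLs4W5DZu/zbMTdGZDxRz4vV/xpbUhB829DmauBQVtxAbGbT5uwa3S
-XgErp9MPZg7IcdCdA1u/RXdDGWdwDqf5mR+KNpdnEpmBdu6F7KNhG+T5pucfT1B0
-9Zk4jB13ItI0r2Ysuy9tN4GDgLS6rRYQTFIxZRrvcs+qQeB8h+nH7a7PAAGnX1Y=
-=kv6h
------END PGP MESSAGE-----
-fp: 91EBE87016391323642A6803B966009D57E69CC6
-- created_at: "2023-08-08T22:43:23Z"
-enc: |-
------BEGIN PGP MESSAGE-----
-
-wcFMA7zUOKwzpAE7AQ//SpDRaVQrlVw39ZRO+g91UKb5zDVfqsuVPH6AVRQQ1pRg
-kfAfuvBKtLgrqSNIPJJn+Y+OhXCuXUsAJvLb5yZzPQc5yPEbevo20zKqZ2QhW8qe
-IrrtPxuE5gzIyvzJs74e3Mr6onfdQtWBgJ35BgLSa0hCj9gUSW1x3UmOWamsMdWy
-Ir+TU1IGblFfPQmuJRsU045z2k+oqALjUJ9H47fFi/cjVA65bV0+4n089n+G885g
-fc9RsLzVueEyb1aYLS/3wyaPCTpFe2NCq8dRVV+2GKZma4h7AvWWyGEiNwz6sNdr
-km5fRe/muGiabn/cHea2BIMtM9SajnEF81cAPwDpf8TafTBhKXmvgzliMbBbPCtK
-gkpZwspJuNXB/uofDNyRAdV+5VG1rd32rQfpUG3S1pXFhZLo7bI09qiqQVGsul9s
-dK9yhsSVOWPepA6yRDVkcf9DoHP7zTDKf8QKsQmrOZ5pjMnjRvcxboTKZZaJoBeP
-PLOWdEk+g4pHzn8PdC4oMhRVuVxRQ0r1/LC1MkjpHNnQGODPAvoSluAfBWuE2HhG
-GHwuXKps/HYOowC7nJRIffEWVSD/Xf/S0wtJ9ZmaJ6e6wSejoHXYoRyACiv3TudX
-iIHDzXX7JAXKa6S2u9lhjyLoNUmfUs2TdR9aLqkDB323WKWbqsluA90k/3JPH8jS
-UQGmzLK/xCuFz3njmtUp1hvVGvrg8vao5wirTxXoWJVO2PQ/fjAqpujyd10moevs
-KTV77cSJLaU3uZ5evJ3sBku3ZQQ1aGdV6owslfWIoXbgNQ==
-=/HsF
------END PGP MESSAGE-----
-fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
-unencrypted_suffix: _unencrypted
-version: 3.8.1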
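--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,142 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-mymqttui = pkgs.writeScriptBin "mqttui" ''
-export MQTTUI_USERNAME=consumer
-export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
-exec ${pkgs.mqttui}/bin/mqttui
-'';
-
-fqdn = "broker.serv.zentralwerk.org";
-
-mqttWebsocketPort = 9001;
-in
-{
-c3d2.deployment.server = "server10";
-
-microvm.mem = 1024;
-
-networking = {
-hostName = "broker";
-firewall.allowedTCPPorts = [
-# mosquitto
-1883 8883
-];
-};
-
-# runs mainly to obtain a TLS certificate
-services.nginx = {
-enable = true;
-virtualHosts.${fqdn} = {
-default = true;
-enableACME = true;
-forceSSL = true;
-locations."/mqtt" = {
-proxyPass = "http://localhost:${toString mqttWebsocketPort}/";
-proxyWebsockets = true;
-};
-};
-};
-
-services.mosquitto = {
-enable = true;
-listeners =
-let
-users = {
-"zentralwerk-network" = {
-passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
-acl = [
-"write #"
-];
-};
-"services" = {
-passwordFile = config.sops.secrets."mosquitto/users/services".path;
-acl = [
-"write #"
-];
-};
-"consumer" = {
-passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
-acl = [
-"read #"
-];
-};
-"sensors" = {
-passwordFile = config.sops.secrets."mosquitto/users/sensors".path;
-acl = [
-"write esp-sdk/#"
-"write esp-proc/#"
-];
-};
-};
-in [ {
-address = "0.0.0.0";
-port = 1883;
-inherit users;
-} {
-address = "::";
-port = 1883;
-inherit users;
-} {
-address = "0.0.0.0";
-port = 8883;
-settings = {
-certfile = "/run/credentials/mosquitto.service/cert.pem";
-keyfile = "/run/credentials/mosquitto.service/key.pem";
-};
-inherit users;
-} {
-address = "::";
-port = 8883;
-settings = {
-certfile = "/run/credentials/mosquitto.service/cert.pem";
-keyfile = "/run/credentials/mosquitto.service/key.pem";
-};
-inherit users;
-} {
-settings.protocol = "websockets";
-address = "::";
-port = mqttWebsocketPort;
-inherit users;
-} ];
-};
-systemd.services.mosquitto = {
-requires = [ "acme-finished-${fqdn}.target" ];
-serviceConfig.LoadCredential =
-let
-certDir = config.security.acme.certs.${fqdn}.directory;
-in [
-"cert.pem:${certDir}/fullchain.pem"
-"key.pem:${certDir}/key.pem"
-];
-};
-security.acme.certs.${fqdn}.postRun = ''
-systemctl restart mosquitto
-'';
-
-sops = {
-age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-defaultSopsFile = ./secrets.yaml;
-secrets = let
-perms = {
-owner = config.systemd.services.mosquitto.serviceConfig.User;
-group = config.systemd.services.mosquitto.serviceConfig.Group;
-mode = "0440";
-};
-in
-{
-"mosquitto/users/zentralwerk-network" = perms;
-"mosquitto/users/services" = perms;
-"mosquitto/users/consumer" = perms;
-"mosquitto/users/sensors" = perms;
-};
-};
-
-environment.systemPackages = [
-mymqttui
-];
-
-users.motdFile = lib.mkForce ./motd;
-
-system.stateVersion = "22.05";
-}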
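--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,10 +0,0 @@
-______ ______
-/ / / / / /\ \ \
-/ / / / / / \ \ \
-\ \ \ \ / / / / /
-\_\_\_\/_/ /_/_/
-
-
-C3D2 MQTT Broker
-================
-Use `mqttui` to inspect the data in mosquitto.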
@ -1,172 +0,0 @@
|
|||
mosquitto:
|
||||
users:
|
||||
zentralwerk-network: ENC[AES256_GCM,data:VeIDGMe0+YF6eLkTrBsQLg==,iv:h7KcZusBsP3QOWZWhOLOQM5ID1fWdvPkoEYLQn3XruQ=,tag:rcd6CiCauV/FQ8Y6+8FEwA==,type:str]
|
||||
services: ENC[AES256_GCM,data:IJlgEkiND/QjMqBbyXmBTw==,iv:sATxB+Tfr9pLqOCY/jwAjcxaKCcgGhd/vga4e3M9N3Q=,tag:TodfF26KquW3F1KY9R9Wvg==,type:str]
|
||||
consumer: ENC[AES256_GCM,data:m1ae+G/ZsDShSEWnHx4ShA==,iv:GBTRpJbSpnRYjWBttVZq1Qm8YFvhKZfmMwhCZqqBLJ4=,tag:/6uDJ6yRBuQwgPMVyXRQfg==,type:str]
|
||||
sensors: ENC[AES256_GCM,data:psezcKOTU371ec+4YQ9E6Q==,iv:VxD2x6m+gF2kenJ2Ekhe2IvrW0DVP7Ha6UAavaK8/uM=,tag:aTgC5gfWlsVDfo9RWC3FIA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTejZuQWlrbDlKN0huQXlP
|
||||
RFFVYVNkcWJhdkF3TytVZnFlV3FXcnFHcmw0ClhGR0VuS0tHanZ1T0x1NU9Qa2RN
|
||||
R3UxaUszU1VHUTllWnIwTk1CWnhtU0kKLS0tIEYrSFFKOWNWa3V4TWlXMnRxUjNI
|
||||
dG5GMUYxdUxhd0t6Z1NVVVcyZ3B5V1EKlHW6IEvlj/q3+h5CVFnf0YG41GscsexA
|
||||
pCR5TGLxVcfGPouFNvAQO2Y8L89gvsTjKV5JLCcVQktgxqXfQtAE4Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeWtUblZCM0VVVGdFblVG
|
||||
T3djOVpUTnNZTnMza1VqZUpCSTc2eE9lZlFNCmlrazJsTUZ2a0oxeGZ5UGp5K1hW
|
||||
TlJVdnVyM1FKeTZHY2JPdkkybGYrWm8KLS0tIFVodGpuYVE3b2Jrb0NSRzZOUUM4
|
||||
alQ5OGtLd0NiZ2pTa3YyOU0wQmhMSzQKjMGhadCYBNSVljlj6Au2Jo4jIfwqT38O
|
||||
qbn1K6MwSzT6BDGJ4bGA52Lm074bxezOrHJRo91N+cAhrSniAws/Nw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-05T21:22:51Z"
|
||||
mac: ENC[AES256_GCM,data:sA4lWpltQNotBZldLxVALSb4Z7qD/cpVIkIEn0+9ouTSb66rEfEX1z7pQuZxRNkGHPwJ8MXDREplCPBqNMAPwh03OnqxuOKMVr9QZJSLuNlBi/12LOFHxY2AgWXebQlWvNDJXEp1fwrV2ztKg6iGHtD+kMsd/JMybmYPDTMj0VQ=,iv:bvwh0hg7kqQSpJav6i6g5/8FFT1Gs/6YjzZd2hpJSnc=,tag:E8lDOg6lTaX1aOp4vcSIHg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6j84+xkv3y7AQ//afourwIVvBigjnhyCQKXLi7/fH2xV4u31ZdrYAu8Ftw5
|
||||
ytFPjL8Ef+h5EcH6o9XVsKmnoWS5+FEn75bgJ72U652z4ahcz+uFl5j1d6z9yB3f
|
||||
iRUU0pbFV+n0FibHdX/dbvVX2DPLh1SPQ2wdxdsYFJD7kbtWOOhswYQfdr3e5vlz
|
||||
EMBWNaOznLYoxZbg2MzAHZwFkgOikOhCoAZdzthFiYIcZFHxB/DtadeQTKtRspUR
|
||||
g5c+fGiKyXXAEhBiqsXzeCDwpyeoGvq7Y2StKADoRGClSo5aHVBdYL1/MYn7oZoJ
|
||||
w8WzCBoneeGSrx2hJwFf0f6YyS+c+gapATrkihAR4r/W54gfYSUSxKeVLA37y69e
|
||||
QZ5LmtsE5RUDomdS3+rOgU5ef04NW4rCfAjpEFoSGTneG6EAeu2+goQLTjr7PV4s
|
||||
0nKbeKuhMR+6uku+eKVmslNGhfggM96MQ/MfbyXlYHeGyBFKo52bF/amXtZulghH
|
||||
3N9Fwr1jprL90d7PFtsytVhEfBTHCBvppX8OoTptYb5riOJs84M/6DILZidxqScH
|
||||
RXLTMKCEraYFSAJX/t6wAUGAu5ZrTKbi2QwtpslShZyVlMKqDKCDZ7t+ItELzduu
|
||||
8Ey6bGMBm8TlAt3oim9HC8EiHIr3DSyBQ/hThMxiMs3NH/rvqVoz1b8aVp2OlDHS
|
||||
XgFPTF8cgA5ErZQ6Fbu6JRCtrfw70tFwGcQ1Nr8saOP82opcqrTe1gOsrU0klKVC
|
||||
uZLQ+yvT6ZRt3tVEwuamXxaibLNGMMVKUaQ2bx8kxIPv9mC5c+ctyJSkrbIhUjU=
|
||||
=7wNq
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA45bZkLXmBFpAQf+OU7JswNVAOH1bXq4iEbTsuszagym4dQljESBhnlskGTD
|
||||
NK2PgMRxSGStMvSzr97mz+B1YtR3YrWYS5qs45xNGACaTf6BvLHg6Og8BiuS5aTo
|
||||
DlDrJ61wbUM9KPPg19B4rsAa87y16vh2Kv2ED62dOerlmLrSSS96RAWDR5gbToyo
|
||||
V+jbwtV6/6WjCesjvXIOFlxam0nxM4/PvOp9olvxS3Um0beHlLOdq6If457/2h5n
|
||||
EZSPDrrqCycsSBIg8dvfY4Af0HsbdCA7DOkznQ3lHO+eL/opJT6BAOcHp+Eal6zf
|
||||
rxReXXiAuc4XQ4mQk9GVCQnikH0A/X+GJYkFCoGVv9JeAVYQ43hrPmhDPJA90MW8
|
||||
zryz0BIIZHi0k1cq7lOL/NpSFO0iWJCf0XX8IcwiorLkMKGpo4eK1qilLhPydURD
|
||||
8iCGVonPMTijjhhAxBZeoPfFXkrPxUylylrnZL49Ng==
|
||||
=CnmE
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwMCBBrc/JA6ARAAloHm8DSqQdd+VpEXEUlEmDYlKsJ36SChsOM1nMbo3HBZ
|
||||
Wtwczo7TUEC21dtrSGlxewqAck6BHg6vgwUNYyPiYXn+4NBf5WAfWk5uio23p2XS
|
||||
5fw5h6LbbQoS0rXBdHmH8d9JWNV8NIgoLNxXbDlUQqmcld45HzFzuEtL3vFPOkT8
|
||||
pSxXm9oaKaxQeDvuYPmuFvwhinWZEr9gghhpMMKtOsis3gbmbb4zafhpH3B40nKA
|
||||
5xmIlfm4HSDC3M2AdroXpp1oaWif2aEJ3Qu/KJcRQB4wURyIsos3CDupztL1iE0G
|
||||
B2p1DnHInSMZbXHAuJ35LHrNZ3+nQESqK3NkgU1ZztcaNZgzMLv8vB7gFeG0It6k
|
||||
w/VVtN4Kpo26tU+1NL0kzgrdXhNLnvehZfyUFJ3/0CRaOS10bP8NAut77OZPcZ0A
|
||||
nTVi74DviEnDEhdH3Z5v7tRFEIs/hyCbd+QSLFQpk1vIdjf4FVJXQDWqGNpMZkix
|
||||
oUrc0XNsrq2pu6WKh8rlAEwN2yhPUkIbdPA3GshHunuQsNutzaEThnQjBBNIqQBM
|
||||
K76N/X5XboHBsY2ePqbI5MRBOd6YSS8PnKlpnS2U8IeaRaKo5ljIU3T+o0/CY/TI
|
||||
haWHW9eSKD0v5D7ZRTVD3n0mxO80I4dSyiusMKbO7MUcp7/+Nxlziiq3Mzb4Re7S
|
||||
lwGfEQfSlVh5xuAXEHhsEM5dsdLfWd8dkcgzN1VnZ90e/8CmqE7O2q5/TZ80D2qp
|
||||
mBPK/Zk02PBdFihW5wQWh3mW63N+crDdEzdigNl45HiUNtlscIoi00vp/Im9wypx
|
||||
Rk4tYnXrUhF8Mw+Ytyx/hyUjXT9Oinx/O1hblzgf+kV2TSDBspJvDKqZsWX4+Or8
|
||||
6dHIH+HQToY=
|
||||
=M20v
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA9XEenRNYVGHARAA4BtL0muLNU0jMdT5q6e9mbjkEKweO7cXg5q79us/kypk
|
||||
vTwdKPAEXEcqjvn9Dgo3D5LmlPls3QtKKEhoWad6c3NBsedo8As91u0oSh1g4TSN
|
||||
Rkw9tFIM/MYCVxjtQNJGgEfQxJHtNFaW85H9jnDpLaGcVhIbm2m9yKMSM/ryj8zP
|
||||
e3edLiFw7Kvag6Uki//+8Bt8T7Rdasy9tfFvsiyHe7X3SNdCV+SCA7Jm3NZgckxu
|
||||
bi0QkqGXdfjvE3NqKyjcOIYJrWGBVsVcyvyN1ze7uukX8/m3C4FeDnBtD1ng18Ep
|
||||
jvM348/AprnfF2O7RDCUUMISmcL4CXyXn0ULaUxBQJ/JxCgQrztNb1xbPoZVQYJL
|
||||
dYzFTQxiWlhBerGd5UQC1I9N4qSf/rKE9pgJxP5UDrmRnzRXEkKKQloBSmHIbdgo
|
||||
uphBHarbEGsJzh245cAtQkaqK6y4dbRiPc3UJKgct7sfHG1aMac/JOGYM0Xc7O0p
|
||||
xHz0vfr4pVi5f73t5pW99mHGmWMg0TLQExgpo3gvD64YugOZhIAyyfqKUFEOGWEp
|
||||
pvbZgV+0+D/wMQqY7S08cBNVwcHQy5l3ekJN25xNogj/nQ50QO/4uetrEayHr8MX
|
||||
/rrPx2ZTq2oJWqKcpJ3RlneYA+u6F56balHjn3HhfA4nFal8l+veq7mk2F4/5cTS
|
||||
XgFmQWCJc+9NKlY7MDgRMQSnGRddvC/FvRfEVGDQat5Ewt0AoNhOYZk8lWwhODS5
|
||||
/pANwlaboh5VlkOHokMEWTyaea9UTYwv78iz7vSprWxojKuoAAMsGaxcPDFflY0=
|
||||
=fbK1
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7ARAArfw/YJenS0FVTjiP0dVRNeOWhm+q+FifUKqQNJoQ2q61
|
||||
kpuCyn4Wv950kQVX20rFCEDNdVm1FYBJ8FQ3NocfOIFmV3lwnW9TFw4GWeWwpZq/
|
||||
aa8sdJ/ASoqbZqPh4gYkoJTfttX4ixi9drtnwIkNhjTwg84gXpQenKCsOFM/8tdl
|
||||
9bcDITJLU96qpYqtRJjCEWiO1qrrO5LMcaXwaX7pprZJvXEqyznV0iO1D9+5GoO5
|
||||
Mumt/EXzcMImhLGq0TUiWcPAUTxgSjmXF4fz/8eYvstrir+bkJgJnWf4/27wbHjB
|
||||
tsRgeGX2jgEI/yQZi3U3uqbPAkXNu3qcARH4Eem3JntBRr4u4b2K8MxOH/Z8NZHH
|
||||
yIILR3e+uiavF8XZ3KaQyBgTA1rrFxaJu2j87y7H5aAGaKjVDRGUQBMmUgFPWGQ/
|
||||
vwBFRxQzsBJlt7L7rlYvZlyuYN7ZmgWTnt/8JP4MokdpvUOeFhNgjW5CRUJ4LA3m
|
||||
exkA7mUOIyLhG6Qn4DfbsDXLiEMop1U0IFCYizwZoP2UbACf+JipUP752FQp9VvA
|
||||
lcjpbO7Y6nqC3lhXpP8hBgr2aoWEemEUiw9GJklBERIKZT3+6H3dRTIqQyQO/aqw
|
||||
QyaEN5WzrIz+hMmBzKzBDkx/pWb/eKA73GzHchq8dvXybCwe1hrSITWGuSydMAfS
|
||||
UQFfNmHkYnpkBBh1p0F71D0ojZvgbJNcZRVG4LCdrsPMkhAXJiuKPBeBe02i//ji
|
||||
TJ19UtfgGSAQByhI/vLsLDEgNEm596hej6qOQ6+7kUPJsw==
|
||||
=A6mI
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/YLzOYaRIJJARAAskgIwo7vhqJgA/wJjyC2n4tIYYaj+0Zxhz+vxy87sQun
|
||||
dmb1pJSW3euOOVHjn2D44blQn8b08HNRlagKfaUJna9tmhTCrQQbfiwJflxEx4v6
|
||||
m3IvhznDVPqK/3il6S/QKi0vDGJ4FOYkTybUfz8zSkc6jjJN4oF9S3HXZ+cI5ZHX
|
||||
OI8XHxFqyBgpkhGN0l7czaXtpNIk3VrE5GtF5OX8Gq0scK+X9JjNA4o4f5PC3UyI
|
||||
O9fp1fPHQGMdsrK3PnHWMP+e5e5nDx+VywXsE2NgmguWRlNKKhc20UsJu/x8YK2E
|
||||
huzes91MXaFroUlFCPDBA/n5MVBse3JfiNoZeELvZYdJXtNzXY6t3B7Dx6WoD6H8
|
||||
SBqPpfhBb1mQy+b3bnagijWhHa8d2j3pR4XH3pFIrgCX9D1a+Wr+B/SoKg8j8qzH
|
||||
wHLcKEsJyQ4csT2yXj8knw4g97/5vD00Fk/4mzCCAcpqV8BYnD0tZD7/VTZpS8ls
|
||||
W21UCbvqFat4gcoRuDJT3pijotREHYJwjAao7GwKuRSybrSLbK2HzMhPcEnbDz+n
|
||||
enkeFosqiPDMU5IiKkSWGt6EvlUc4y2JvpU9OUsy/eX6ElpBEuW/3wfRlLWpV8ZM
|
||||
UYRRWQxKJGi/hfw1y0IE5VWFkA/dBr+33HHpSrvxuGBH90f2vttDWdCDlKpfDIjS
|
||||
XgFTWeUJhiBdFU6xrJ6gXICg9TZI24WWwtGrqDylBzvV+ZI6jOM7y4q4TcnELfq+
|
||||
19Vo06pGkvTED4grvxWL8fxmOquPsrOGiaXJ+1MJaaOcFAFEEOm3m/svyKVtWSc=
|
||||
=8bHQ
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
- created_at: "2023-08-08T22:43:24Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA7zUOKwzpAE7ARAAloAV8C3Wq+0tL5pAMmu/IlPPf4Ix7NaGRkg7jmk11M/S
|
||||
OGI4liKa6JO3vQZvRKajyze9Cm623Ot9j09Vmzr+VjT4b94wakZsLaaFZLSOJ/O2
|
||||
WUexF/vXl/yVL+T8Rc8VM2saAlZ0Vmbe4UnmE7/hRbX37JsEzb+w+ipWs5FGtM2j
|
||||
fjgB+vKbPKEgMDtNUv8s5wM9QVonzue0t88jmrGRBfLqj56sbAs6MqG85blFzl84
|
||||
6laTWXeKqC2H6sG/Kz3Nj5fzW+jjx9lKIfodBiExzjCOfw5rQuGHUs1ulmejxosS
|
||||
osIhADjdt6lZX86fBvhqhBJNunJUAKfBUeuO6eHFF2Vl1uE2mi65b38BPqUMkt5F
|
||||
tNaTuf58TbxbFsjcGLCeXlbSWVZiSTH59r0a8tWc7JmPwKZbSQBgXuiuGeBmQrRf
|
||||
zE5U4ZWscF3McIFWHttCEVVX/NfcVerVA4guRfHN8L6HJptFmtagNZnAEYdfKhTb
|
||||
5h674cA1Mu1ez9b8vHdFWZ0MDpM+0WoiJEZ8MjgNb3GVGFHchs9g/EJBuuMzEeTo
|
||||
d/sGkcojlxlTZ6XoSOg/XstLlbFyFp44CzBID3Kvc/3NXW1vobQcUdeHYFG/6XFh
|
||||
ZSPbGkYwrMDP5QtVwC8fRcgU7zYH00Gk0aTELiTEVzAxZQVkvNu9Jt6gnJLtx0HS
|
||||
UQE801E+dcgh4FJOeENtCuW516emivqbs2X17FYLS78d39YTXxUjl3y6IgBixrDi
|
||||
1IyZgVWJAh3NyQyy/sTjtATclQHX1vTJjuHOEFq6BzBgpQ==
|
||||
=KYRS
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
|
@ -1,86 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
c3d2 = {
|
||||
deployment.server = "server10";
|
||||
hq.statistics.enable = true;
|
||||
};
|
||||
|
||||
microvm = {
|
||||
mem = 1024;
|
||||
vcpu = 8;
|
||||
};
|
||||
|
||||
networking.hostName = "buzzrelay";
|
||||
# Don't let journald spam the disk
|
||||
services.journald.extraConfig = ''
|
||||
Storage=volatile
|
||||
'';
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"buzzrelay/privKey".owner = config.services.buzzrelay.user;
|
||||
"buzzrelay/pubKey".owner = config.services.buzzrelay.user;
|
||||
"buzzrelay/redis/password".owner = config.services.buzzrelay.user;
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
buzzrelay = {
|
||||
enable = true;
|
||||
hostName = "relay.fedi.buzz";
|
||||
privKeyFile = config.sops.secrets."buzzrelay/privKey".path;
|
||||
pubKeyFile = config.sops.secrets."buzzrelay/pubKey".path;
|
||||
redis = {
|
||||
connection = "redis://fedi.buzz:6379/";
|
||||
passwordFile = config.sops.secrets."buzzrelay/redis/password".path;
|
||||
};
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."relay.fedi.buzz" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.buzzrelay.listenPort}/";
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
package = pkgs.postgresql_16;
|
||||
settings.log_min_duration_statement = 50;
|
||||
upgrade.stopServices = [ "buzzrelay" ];
|
||||
ensureUsers = [ {
|
||||
name = "collectd";
|
||||
ensurePermissions."DATABASE ${config.services.buzzrelay.database}" = "ALL PRIVILEGES";
|
||||
} ];
|
||||
};
|
||||
|
||||
collectd.plugins.postgresql = ''
|
||||
<Query unique_followers>
|
||||
Statement "select count(distinct id) from follows;"
|
||||
<Result>
|
||||
Type gauge
|
||||
InstancePrefix "unique"
|
||||
ValuesFrom "count"
|
||||
</Result>
|
||||
</Query>
|
||||
<Query total_follows>
|
||||
Statement "select count(id) from follows;"
|
||||
<Result>
|
||||
Type gauge
|
||||
InstancePrefix "total"
|
||||
ValuesFrom "count"
|
||||
</Result>
|
||||
</Query>
|
||||
|
||||
<Database ${config.networking.hostName}>
|
||||
Param database "${config.services.buzzrelay.database}"
|
||||
Query unique_followers
|
||||
Query total_follows
|
||||
</Database>
|
||||
'';
|
||||
};
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
}
|
|
@ -1,175 +0,0 @@
|
|||
buzzrelay:
|
||||
redis:
|
||||
password: ENC[AES256_GCM,data:wYPztbjCe5rBvygF9b4emHWl5GSdRO1Tnq1m7P9GgWg=,iv:34IZVSf3KlozSDAlIr8Vfsc3anRhyYAks+gTX3nax4M=,tag:vp90sXYHMh0WIYLgxQi1bQ==,type:str]
|
||||
privKey: ENC[AES256_GCM,data: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,iv:g/jQ0y1QplX3i3yt7bO3l8BFvjN6+Lut8jGMVPx2IsY=,tag:ikfdJWcr/nDK8Vcf0M+WZA==,type:str]
|
||||
pubKey: ENC[AES256_GCM,data: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,iv:57uSeefhjsCXsqhIR1mOESsyCHMOxVAsmksnRQDOPcQ=,tag:9QE59kct+B+2iFLNBxkPxw==,type:str]
|
||||
restic:
|
||||
password: ENC[AES256_GCM,data:SRh/c+JNWuU+MNfbAuHysU6q8AyO+/5wC9mDBlaVNJ8=,iv:g3xdXDWuC5y9Ot8qSJ9Y+TkgyJEZTGekVEa41aJgdMg=,tag:tqKUWjbq/7r7yjI8f8sCjQ==,type:str]
|
||||
repositories:
|
||||
server9: ENC[AES256_GCM,data:Kf4GoT6lTTOAsc9zSEHTUb73Q0mw5iyRnrgfa2VYpY9GKAy29sFvLX9UBGWRV+a1cJY+reculfxGgD1XVj7undRZ3tTbNVhSQ5oJ2ilvLaAwSeMVHjR0HKrLw5aVM1UU9lOK5/BwvtA=,iv:HikHSP+o3FenzbMQRznbbqWpg+Z4l9dzgs/XqZD7eO8=,tag:vKDCwnZpOQ7/zEj0YjKxQw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTmVnSWlRRHZTUkJtWDB5
|
||||
Z1c3SE1kOGV2RDI4UU9FcnlvbU0xT2dPRkJFCmFGVUdPVUhHQjlvWGcwb09lNGg4
|
||||
cnJocUJjWUpOQm9rVDZqRDFDd1BOOWsKLS0tIG00Qno2Wno1dVpMc0pISlUwYWI5
|
||||
alFiUjZDZ3B3NEJ3WmQwUWN3d1VxaUEK+ayvZ6JUIYPrM1AxygbU8pNFjiTM0OZO
|
||||
WbI4zJe/FjmFjcyi2EX34j2rRy9ixbq5SYFG0jjc8X52leCLoDnIOg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdXFRTmIyVTV4Y05BS21i
|
||||
MlFkelFwdi9qeEhiL0tSOFIxcHN2Yk9vQzF3CmFHWE82emI0QkI4N202bHdBWkp2
|
||||
c0ZTZFdXOTkrVUo2TmFtR2FrekJ0R28KLS0tIDM5VU8xM3MzQ1pmNlVJdDd2a1Ri
|
||||
THRRMnkrWTZOU2pONytuZUVMUkVnR2cKuM2E6N7MFziBTj1E4I805xewCbpAPoEc
|
||||
hHKpdrxso5Jj3IkCD3RzbeVpS/ZTDG3z2DIvkEabN7q5DmyM8Z05rw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-11T22:44:18Z"
|
||||
mac: ENC[AES256_GCM,data:Xid791KQORiBL9qiMDEwCZMgzqeXoSuoev2/SBlesTMbE0oV7vYjWgSTa8TlYaK0DpA3ZKpNtzXw7hmkIfG6oQKmZBRbmBr2jInsUD1ev7IhVNq2m3W6n4LgUk71whnv2v6pmda1hd9dzAfGS9hQOFDT2xmyK4RiokHVNd78RAQ=,iv:DNJLeew1GEOnv6IvxDo5ctQL2sOsQBMF8QMQeCjw3Fc=,tag:95RTBhlVgbDx7DODsgrHSw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6j84+xkv3y7AQ//VLqE4jRNELjrSxh2MXsF6oIssVXweIawLCFJcw9rO8rj
|
||||
W7W7vzyNDezHCNUtNrdoxe9DAGbb+j0ixODVvRbtFPvkzUl358DDE0Y0F/fsn8o8
|
||||
tMCcHHhWpPa4nPVMaHH1eTJmFhqxJuPo+tRPXVQNHz5/RppOLB2gso4RZMNI2lvr
|
||||
2hjrtRfC3ZJcLpLpCuG/WxBY5Fe+fxPapC0zWjjKtEbHEQ5LhRY6jyaIaCi3MI1n
|
||||
3VVT7y6JVP/G69/SdYCxeJvf7hVCw5UJpk33AhmD6MWEvVxw7aG4IZtAiA5GVHvx
|
||||
1yh59NfYBVNDD2eihB9xjCxSlRiCzpXq4dgX8XpLitR9E0RxzfFBtNPp85aOsuFY
|
||||
4d2QAuqVDLtBGqsrUUEG1aFFhQVEGJV5o/BoyBosM+XCkePFMSBdZF7U0O+c3Grt
|
||||
UeGWpZUvwQS58KRNc9mvuv8RgfCr7WSefOkskKf5N2pOb4trAfJZhujHNQyFHr/G
|
||||
xgr9zhROKuiWT/PZ8xcu/KaAkjUF9pPoaJBkNmj10bH9O7jDiS2117EaffPk8mMT
|
||||
wMhkj/ml0VFWHnwBTrKWV1uib/1Lpm4Xrn/q3YY1Ybmta0SRMYWk73FBuKLg6cEU
|
||||
RmO4IcG9k2OqbDwE2ZAVyVBolYM2y33H+OvuR1Zbmm1G0d7893n5pH+QUODMJ0DS
|
||||
XgE+imTk80plDxDYAup0Hjzt/UxuwQewOeOD6IU176ZIzagX9X8UK7yzMnpLKwbH
|
||||
PrbdkRGsHBz/FFwRjSGeiENVGQbENwEQUeZhOYXEoihXBb+/dvhwFyJYX89dfUo=
|
||||
=Bdj7
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA45bZkLXmBFpAQf+OyaRzlVkj0+OcO73/2pE128UsMOJVWZpMiEVOizVioRM
|
||||
Jw5sGopn4cvUGRWoyK8oeOeXEVmbaRklau6ghPTpyxSWGAlss0+d780+hAJ5QynZ
|
||||
lXOKLgOFVqtyOw5PwVhxE1dGhAuvoK179YYGY54ZAj8nAQS54dJ6Xyi0QTTx4XKC
|
||||
RQ0t4ZpUEI2m+WhtaoIw88e7uMAmGX/mgFUsgnYt+Ocp69SmVqdPUmdPkbMVezKd
|
||||
1SQhiX+tIpuWLYT/4mMVtEt5YLIAhgxB7beWceMDDEAc1ZPvnjFJ67UT/giiHaE7
|
||||
W8x6uxXGwr1q6vK0LGii2juTxrWmPjG4Vy2MfumQOdJeAe2bp+lEb1DABRukbg+9
|
||||
/7PiumQxuXkLFlhO7f3pWnhsSAIgPN1E4RQvicbwKNsiwhLP6lr8DFLjp4K3xpKZ
|
||||
EW6LZOa1N6aC1bMgHooEsAN7R+lgO5ADvMyl7SnOZg==
|
||||
=cLgn
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwMCBBrc/JA6AQ/9GbBPMrL/ZPMQegBqxfImh3m/FDnJy1g9W9WAgwAknB+o
|
||||
Kqf77kNXLLaTbBie9K90IzVc+nelr4ZwZxddftdRsdr0/VBztmLHvJt5eImKjve5
|
||||
hCH4PpKQIdi6JP0+S6vZve/F07yYYIBIX10sBkcr+VOjpK2RSn4LtxpsnpEotFxh
|
||||
XghpmjdAM6ef9zTjiRXeiS18Yv+0GgFeHhvjSNX0qih+VqOj/WNQWLiWXlx1ARUB
|
||||
WQltKwaFXk2TEUE8aEGnHUf7suK/ZSQ2YD48c1veOpFw2ONPVmXjmWcs685ty7ON
|
||||
nlnx8Yxd2VeqPEw4T+v1p8IhZ13wH7FI0D4Iw2lDu8GRdDpsxSUHjpkUkux6oPLZ
|
||||
3Ci5HhOEWDvKhzrSdPjBf2Ptjw8O90m8ssubuBCb1SXuvcG0/aQ0eHkK5zpE0wCW
|
||||
h4AbNpa1GJ6JfTSjM1FlM1vvW/jfm91UGH6Okf315w3r96iAQrY8FTFYNfMlGt5Q
|
||||
hW+G004fGEdysB55M5fzE/BXwmpmXp4b7LSr35m9kytMcUOX52P/7Je8dTez2Bi4
|
||||
iRsw/HRbWnB24pQ0Dje/vRP9pHkFvqzIpfFdTNrvVyKIEcBXeIBcdLdiNyN0dQPD
|
||||
DN4BcgENXL12O7vNbHPKbKzgXIu0CWeAyU6gZ563PwAXpDXvTYXWOSqmOCCzoajS
|
||||
lAGDarQUuTxEyoHGdVy88I5SnIHNFf+Xkpl+jCHpzrDfKtiOFnLoFCFBs4AuWVGL
|
||||
pW4RZMHyoYkikRzB0nwREbGOeP1PFoq/g82gEMwEqnB6Hm6hl1oozzaBTGhuigUY
|
||||
VmjKsNFcrqtPH1jZ46a/5mS7hs74clpmuWZNMLyw7D3PkD8z9r0Y6OAMTEafdm5B
|
||||
94wb1SA=
|
||||
=eZEP
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA9XEenRNYVGHAQ/5AbKZKxBgFVgd/RACohhEE4YMTcv/JC09PaKJlYBEosld
|
||||
ycGi60bHv9yDBAjbbln0lHQ+6wkm3b19YMSpfLfOnntLlh5zlaaamem+mxOqaIwW
|
||||
tIadw1Ls7zAblp8o1MDV8b0TnCysBKWkv+gerj939f6nZslWODg1nQDpFp5cpl4/
|
||||
sFtIiCET7V4k1UR+Fn2Lp6W8vQvx9USkbhciv9T5kuLai0Kt//EgZDKJhI33J0vl
|
||||
T86bfQ30SyZLhbByTydpWbs7m2PCU9KI89B+e3vFvBMGpEASGy2o+cVi6Nkxsnif
|
||||
qu+aTxBm/Lw3EV3ylRYh8NPRTIaGvhapOcmya9qzB9nNe6Z0app3bGc7RL8vzYNL
|
||||
ibvTeg91bJjL35nEm058s4SMtVRVPr2bH+7Bf/KyreyNJhzx3foRD66Nf52Oex8O
|
||||
By4W2ojzO+tQco4ZJrLepUErXZOYh636r1srZRzZ5dBlpw+0ESr6BUBUJz4TLv3p
|
||||
Kq0m1w65/05Wm/Hnc5bIGF6OCoWpvYy3EisXp6ESGuvgsmEvg+rLylE0yHqXPiiW
|
||||
bH+KG8Zs1yqfoycSbftTqIey4Zz7ExMTiUcieo+oEujrF9vy0CQ+pSB2Uce4EVfz
|
||||
+UEV6d/msVU6LSAl9JXZw+sIoOZGeAxt468MB1tpvderezh7OEpPEdBm1w7lZfTS
|
||||
XgFeh/1bPmGwV3sDX4rVVWMI5OFgo9RxmaoAjqy39kIuA7JlQKun8499KzsiD/D9
|
||||
P6DtvXJkS1wnnekUkoEInyg+GeQB2IrkT0Mtkfz/jhOTIGnG2Ld5GQuTXqwE8gk=
|
||||
=oqfs
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ/9HZSwoU8DW7nJgWqhSoL0AGGOeGaduV1J7dHhQ2YE3Rv8
|
||||
EevNdcSW36PpHruRNJbbhKxmbYC6Qvi61powYZhKnUcKLI5ORmh/upXVF6sdcLiM
|
||||
mICg8dY55Pod10wlFGuBXG140x8A/zlal3Mnpv+Fd/N/HD6+EjX042X+SIovgPSj
|
||||
l7t1sbhovuF2R/4P8SnHN91kxao8dTQHKhiDKJNJ4wm5LXH2ybul4jgijNlhjd3H
|
||||
tFWO9sr8LYPUxqBgrue2MmW8fWQJIGYwAux41dKJ0oIYccy3bKNKYFOHDkZqPFPu
|
||||
Ridd+JtSLeUo1rV/L8UfulFFpd/6iZYuOqZvA7UjnxfjeWxKhRj7yuhTgFN6pI4H
|
||||
G3JfajHMBqRNY1Z17YYW2g617AgXEScAG1YvzLH6Y6zpaY8M4cxVFXynqbP83C/f
|
||||
Dg6LmdEluZZOC6r6Dilx+CvS0xnXc3NTMhOLlbR7RCz9FyMPkukMv669X5OiqtyH
|
||||
gxhROdC2YE/ocartJbj+egGzBKbcJ+Q7QZjqsHl7bD/drFjNft/7I7x3X4RCk/dL
|
||||
+KNCeOjvAX342qlhf5GcQzP0LjpgUSNm3gLnLlv35vA4z6MHRGCH1S5Jm9/zuP2i
|
||||
ZqIc7+nL6dOnbaPGqrmN9IkI1gDAh1ef7h3J27Dgg5u5MZMTs4VVsZYPH7D1tNnS
|
||||
UQEoSzkCVgZU0YvqCgngZ7hvfF86og0CBaNG+9gI2UO1EZ5EdW5c9kmSmEzJhera
|
||||
Vqt9zPnIdRJUlILUph0kTyAHpR+F1RKd8jeooSHxNcks5A==
|
||||
=LX3r
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/YLzOYaRIJJAQ/8DXcZg6av3b+Nsv/P6uEINLsSdoqt2/esGHgBjOC0cijV
|
||||
jm1RPEotTKJdNPGyRgMySfji7GcxJtVxLarUGBQRg6ekOzxuOZJSkvZRIuYInAJQ
|
||||
9hCWnKOlBdiQz6Xnhwty+4IuSv4ywqBEaVEp+zKpJgZYoEtqiGdJ2odPRIkkpGTA
|
||||
w3Tke8wj2rCe6uXAa0Hcd6+xItvWsrqU50D3bjh7V9tQ3PGxmmm17BYN+tHhg9zf
|
||||
CmGz+mnGFGCms3R5TnDKY8jfh3Vqk8ag82NEVNHZ0PDEjvQLZ/zvYg2x+GcNzqDb
|
||||
OOm0VDjl6HpyM5EaWKkw+nHD8O1P6TyBEfMeYao5ULa3tqA+RujkoWLJ7nkgQgH1
|
||||
wQObwV0MjhYvKp1UOMhtfcmmb/rMcjFzg1Nisy7dnh8ZnBc1n5V7mugyt1iHFWzK
|
||||
85F50xBAokrqa2B6MGQ0o155hnrAiASRXmCcTK1LeuM42pSqxLzJmXfEFeUV5utR
|
||||
XmaxOvkMQHZyTsX9KInW6bFYiHpFoFshlVRTr3YmKa3zptP1gmB03iLOG8VUh2DF
|
||||
OtsndI+0yNTu37VZ2pz7G/8jlFnbcQoEHt8TAZ6uYobWPd6YA/DRJgIm7sh5WaaQ
|
||||
ceTHAO8+kIPReHUqetYG6KARmsJArmy542LC7Dr/pp3tn8kh0tJSUZSlqwgOeQfS
|
||||
XgGWYXLRb9m4s6jl9Ce6h66T5mFTdL7YMMFGGz16HuC19Rox59wi96WzVd7cIQx5
|
||||
mxjvlerARUoXzdvurihUi0IDgJ2Vs3N9AeiV/IB5tAF6RRo4kJpRGDEqBWoMc4Y=
|
||||
=a91P
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
- created_at: "2023-08-08T22:43:25Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA7zUOKwzpAE7ARAAhNMRh2NEv0AY9OjUSPHA/7GjLZqxON9RWGxcxtCv/vt6
|
||||
CFApPqFAATJO76NEHzikYJMy74d+ui84QOCS5uqavNJA9Z5aMQEFhp78RIXY85BN
|
||||
yO62Vo8/u5B/Igcu2Zvlt/hpBYoNN1Ed9F4bsvtQwks6qF62SO5KYBqq3FY8icDI
|
||||
LJtq+ozdcU+QJsjrXwaTexklV3a6DRXndwtQTlhKX6t6JJJRB8BKyrwyF3hNBd6p
|
||||
zpYEx7kYh7Zj20Pt0I3it08+nRlzdvaU54ydMyJbw/AYL/AulAAZ2FyxAyvx/sv2
|
||||
HhvDpBl9TOnGuPztnXA3qpd04/b/6WPtLEABPLuX8C9Jq1kKCeuFZ2rdTD2RF7Qz
|
||||
19tbhMQhFHRCBBza+6BkCg+xF4sbCSJkg9X2lYyXEIUpDb1hVpPOwKBwtbZQ3bit
|
||||
e2PYK8Lsk5FfW3ANqxXKaF91/6rv8j5RyitnSG5D4XanPjyhmiBcgqyAJl9dq2Nx
|
||||
QOhRzNK+F/4z8ym1iOO1ii5uJJQyGPRkZxLj7k8UhCOAOqi0/exxLEO5rZFg1F0m
|
||||
rtKmbEGRJ9sGm8JaK75/C3wEbbt7KkizlSlj1ETB8Ji+zTwlLgpT5va6oJHU9jhv
|
||||
76aCqFW4aGB6NWrSha+BSN9gEqcWKXcCPxH09vYtfUN131r3Wjwt/LTzhwHuLkrS
|
||||
UQHt0+JmZR3hjLapC/GbxSfj/4YbVAWwRCgEpw9K0sI1tEtY0kUhYh/4eEruaDyf
|
||||
UT9db7qBkz06ymPS6hyBovNHaQSYE6B7Rmra7D7fyIlfCw==
|
||||
=oc2l
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -1,235 +0,0 @@
|
|||
{ config, hostRegistry, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
microvm = {
|
||||
# Running on server10 which has 40 threads on 20 cores
|
||||
vcpu = 8;
|
||||
# drone-ssh-runner clones the git repo into tmpfs which requires some RAM
|
||||
mem = 2 * 1024;
|
||||
};
|
||||
|
||||
# drone-ssh-runner clones into /tmp which needs to be bigger than the default rootfs tmpfs
|
||||
boot.tmp = {
|
||||
useTmpfs = true;
|
||||
tmpfsSize = "80%";
|
||||
};
|
||||
|
||||
c3d2.deployment = {
|
||||
# /tmp is to small for drone to clone the repo even with depth
|
||||
mounts = lib.mkOptionDefault [ "tmp" ];
|
||||
server = "server10";
|
||||
};
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
networking = {
|
||||
hostName = "c3d2-web";
|
||||
firewall.allowedTCPPorts = [
|
||||
# telme10
|
||||
23
|
||||
# gemini
|
||||
1965
|
||||
];
|
||||
};
|
||||
|
||||
security.acme.certs = {
|
||||
# agate cannot load modern crypto like "ec256" keys
|
||||
"www.c3d2.de".keyType = "rsa4096";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"www.c3d2.de" = {
|
||||
default = true;
|
||||
serverAliases = [
|
||||
"c3d2.de"
|
||||
"c3dd.de" "www.c3dd.de" "openpgpkey.c3d2.de"
|
||||
"cccdd.de" "www.cccdd.de"
|
||||
"dresden.ccc.de" "www.dresden.ccc.de"
|
||||
"netzbiotop.org" "www.netzbiotop.org"
|
||||
];
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/var/www/c3d2";
|
||||
extraConfig = ''
|
||||
index portal.html index.html;
|
||||
'';
|
||||
locations = {
|
||||
# Mastodon
|
||||
"~ ^/\\.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3ac3d2%40c3d2.social";
|
||||
|
||||
# Matrix
|
||||
"~ ^/\\.well-known/matrix/server" = {
|
||||
return = "200 '{\"m.server\": \"matrix.c3d2.de:443\"}'";
|
||||
extraConfig = ''
|
||||
default_type application/json;
|
||||
'';
|
||||
};
|
||||
"~ ^/\\.well-known/matrix/client" = {
|
||||
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.c3d2.de\"}}'";
|
||||
extraConfig = /* nginx */ ''
|
||||
default_type application/json;
|
||||
add_header "Access-Control-Allow-Origin" *;
|
||||
'';
|
||||
};
|
||||
|
||||
"~ ^/schule$".return = "307 /schule/";
|
||||
"/schule/" = {
|
||||
alias = "/var/www/cms-slides/";
|
||||
extraConfig = ''
|
||||
index index.html;
|
||||
'';
|
||||
};
|
||||
|
||||
# SpaceAPI
|
||||
"/status.png".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/status.png";
|
||||
"/spaceapi.json".proxyPass = "http://[${hostRegistry.spaceapi.ip6}]:3000/spaceapi.json";
|
||||
|
||||
# WKD: Web Key Directory for PGP Keys
|
||||
"~ ^/openpgp".extraConfig = ''
|
||||
autoindex off;
|
||||
default_type "application/octet-stream";
|
||||
add_header Access-Control-Allow-Origin "* always";
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
"datenspuren.de" = {
|
||||
serverAliases = [
|
||||
"www.datenspuren.de"
|
||||
"ds.c3d2.de" "datenspuren.c3d2.de"
|
||||
];
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/var/www/c3d2/datenspuren";
|
||||
extraConfig = /* nginx */ ''
|
||||
index index.html;
|
||||
rewrite ^/$ /2024/ redirect;
|
||||
'';
|
||||
# Mastodon
|
||||
locations."~ ^/.well-known/webfinger".return = "301 https://c3d2.social/.well-known/webfinger?resource=acct%3adatenspuren%40c3d2.social";
|
||||
};
|
||||
|
||||
"autotopia.c3d2.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "/var/www/c3d2/autotopia";
|
||||
extraConfig = ''
|
||||
index index.html;
|
||||
rewrite ^/$ /2020/ redirect;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Gemini server
|
||||
services.agate = {
|
||||
enable = true;
|
||||
addresses = [
|
||||
# sysctl net.ipv6.bindv6only = 0
|
||||
"[::]:1965"
|
||||
];
|
||||
certificatesDir = "/var/lib/agate/certificates";
|
||||
contentDir = "/var/www/gemini";
|
||||
language = "de";
|
||||
};
|
||||
|
||||
systemd = {
|
||||
packages = with pkgs; [ telme10 ];
|
||||
services = {
|
||||
# lets agate access the tls certs
|
||||
agate = {
|
||||
requires = [ "agate-keys.service" ];
|
||||
after = [ "agate-keys.service" ];
|
||||
serviceConfig = {
|
||||
Group = "keys";
|
||||
};
|
||||
};
|
||||
agate-keys = {
|
||||
path = with pkgs; [ openssl ];
|
||||
script =
|
||||
let
|
||||
stateDir = "/var/lib/agate/certificates";
|
||||
in
|
||||
''
|
||||
mkdir -p ${stateDir}
|
||||
openssl x509 \
|
||||
-in /var/lib/acme/www.c3d2.de/cert.pem \
|
||||
-out ${stateDir}/cert.der \
|
||||
-outform DER
|
||||
openssl rsa \
|
||||
-in /var/lib/acme/www.c3d2.de/key.pem \
|
||||
-out ${stateDir}/key.der \
|
||||
-outform DER
|
||||
chown root:keys ${stateDir}/*
|
||||
chmod 0640 ${stateDir}/*
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
telme10 = {
|
||||
serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
};
|
||||
};
|
||||
|
||||
sockets.telme10.wantedBy = [ "sockets.target" ];
|
||||
};
|
||||
|
||||
users = {
|
||||
groups = {
|
||||
c3d2-web = { };
|
||||
telme10 = { };
|
||||
};
|
||||
users = {
|
||||
c3d2-web = {
|
||||
group = "c3d2-web";
|
||||
home = "/var/lib/c3d2-web";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
|
||||
];
|
||||
packages = with pkgs; [
|
||||
(stdenv.mkDerivation {
|
||||
pname = "atomic-rsync";
|
||||
inherit (rsync) version src meta;
|
||||
|
||||
dontBuild = true;
|
||||
dontConfigure = true;
|
||||
|
||||
buildInputs = [ python3 ];
|
||||
|
||||
installPhase = ''
|
||||
substituteInPlace support/atomic-rsync \
|
||||
--replace /usr/bin/rsync rsync
|
||||
|
||||
install -Dm755 support/atomic-rsync -t $out/bin
|
||||
'';
|
||||
})
|
||||
(libxslt.override { cryptoSupport = true; })
|
||||
libxml2
|
||||
rsync
|
||||
gnumake
|
||||
];
|
||||
# otherwise the the drone ssh runner cannot log in
|
||||
useDefaultShell = true;
|
||||
};
|
||||
telme10 = {
|
||||
isSystemUser = true;
|
||||
group = "telme10";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = with config.users.users.c3d2-web; [
|
||||
"d /var/www/c3d2 0755 c3d2-web ${group} -"
|
||||
"d ${config.services.agate.contentDir} 0755 c3d2-web ${group} -"
|
||||
"d ${home} 0700 c3d2-web ${group} -"
|
||||
];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."c3d2-web/gitea-token".owner = "c3d2-web";
|
||||
};
|
||||
}
|
|
@ -1,171 +0,0 @@
|
|||
c3d2-web:
|
||||
ssh-key:
|
||||
private: ENC[AES256_GCM,data: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,iv:LyMZ+tuxvv/ReTjNoyjs99e3MRnOR36EhazcJ4a7xlw=,tag:yPnQ7QZA35o+acZFK0C1tA==,type:str]
|
||||
public: ENC[AES256_GCM,data:l7lpD0oiR3o2GKLGisTGnXWHBdExy8f7Rhqu42GWS1BKut+DqGxQSVGH+ap6tysCCSVHpDShBoZQD4AWgnGe2S1zZ4p9JUtqzD55Qd1qjOvJ+xI7pwhRiFgODgfrnrU=,iv:0kSxCoKU0es6aU1HEVe+SliwCidySMmwsWXeiMCJ4SE=,tag:XjesvswMhRibEWFRzl4oyQ==,type:str]
|
||||
gitea-token: ENC[AES256_GCM,data:W5NC7+7F2HSwRRyFdqkxwZVdW14PfG8PTJ4RI6UWyv262GMqgLbA1Q==,iv:mW5ahfvdzIng0dqphtZtZwOgF5W5s3rbP0AF0GxmcjQ=,tag:sYyMsqrKerxHcDRM4OkEMQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudy9ubE9UVnhab1FJblBB
|
||||
TjhqWWsrWUdPWGk1UEtXZSsxWVlDTDhnVzIwClU2b1piWkdLTllzQ3ByQ3orVDhj
|
||||
cURCajlrUXY1cW5GRlJTd2hqQTgxT1kKLS0tIEwvWjZiY01XSkFiS0lhWVNubFF2
|
||||
eGZUUUVrZG0zeTBuczEwWEJVWkU1TWcKg3l2j+2wrW5wpYSF2WEiOAQ2gJvHB+bK
|
||||
W7U+9KF6OkpxmC0r0wZrMct73Wi7vS1bMMZLW2wb2C7w0poyCi8iLQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRkR4d0xPbWR2ZTBsQTZB
|
||||
cGpXYnlGNm96dzJGVHpZOFFHNjk0SkpieWhrCjU1YlRBTXZlOWd1dkpxclFwMEYr
|
||||
VDdQZW5YRml6WkRKSEZ0aTdMTC91cmcKLS0tIEJKMGZobGJFY3d2N0Zrdmh1SWk0
|
||||
WEpuS2hQUUhKeGhtR3lFMk8xb0dMRkkKl7dHZga+fism16wyyIR0sTGdIFM1yGRR
|
||||
td8VGUOgh8KCVA4SmnaphSRTjjVbRdiA7mVIfJzQL7uCQjCBTqk2dg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-01-29T21:44:24Z"
|
||||
mac: ENC[AES256_GCM,data:EmRAkfgdmQ1SWERxQa9B4rMAkoJITvIjuBKNNNC2c6uV0q5IIDB/d7TDRbxnzXPfOUft8lTFCuuCvRN1XRf+yjoRJBIKU6kgJS0YP6RBS5oS/mHkJXGGRI5qvWsm4xxptT6YvR/3ZzJSld/X7QHeHx0JISRGfayvJIqCVKjSThA=,iv:UosrjZe7CPWBeND46Q0dW+zdf5FgPIUkXvVqouTMkIE=,tag:KsHUAkYNMPo+XQwAjM93cA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6j84+xkv3y7ARAAjMRPtYBcO0qQtp5PkLK2PZ6s8ieduthfwm35Ij4gzsY8
|
||||
2NtniLODSpgzTSJxhftbjz/kE08cwwztjK4vSal1aPgC2mcCw7JTx7XDNmBvBqde
|
||||
7bU+h4wSn10P/oThVMlYH3JXyC0S2K3fXdwnh/z0R7EXKnF0FIacUqC5eucByRVh
|
||||
kMI9Y833b23k7Mw2CWb3SrRY95oVq2/B7DkchsjYslP/wKgXoBcZo+o/kdXXZa6N
|
||||
BgBQ/2y0j73jkBHiaXVAsySj/ppRCVLHCa6+VpaVu8kFTjuNGBB/ob1hg1uJ6Z87
|
||||
VCaP/tCN/56DdpoKatYMfsFzczK9N4Y2WysGFBrFG1z34s9rhAzrfcwvMna1pGtf
|
||||
xaIQxw3mac7prWe3TP6I3JgTZ8CXgtArbyucLWHEJeM4OM2C8FLfEj4Z7x4Jn23s
|
||||
ii9W994g3LfNsDAQSGCXU6m0KneZ+s1LR2ObRGmMpnmLjNHz+0+saEECrrdoOwig
|
||||
Yp3Pw5v7kdjAsh86tLTzQFSy0rbaMWYAMCQ+Gk+TrS9aiOygIcNXvp2gVkP7NxJk
|
||||
MxSpmD4ZW0ETn+UVgezbhJJoC+C/wYAnIzz4gNR62yLZeYsDni7rXp091XlhJ+bD
|
||||
vSJSnWMFy+w7gl8pP3YVeVc18Xs36pNkRZ+5S2528+Y2mkNitir5dI3+0788yrbS
|
||||
XAHV8ofUmA3C34/U9I7ZgdtJTo5T5ZKV660NMIiy2SKLkQMDQvQLlljfYIMJPcbX
|
||||
keXKl2mfQocm8YigE2VZpJXKle5RX7612pM+HOn2K3vpSQlzWtxjE9SjAJt4
|
||||
=LPbq
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA45bZkLXmBFpAQf8CimRB21o2QiIrKF6LXAeZy0ko5/m0yBc//Goij+4Xdiv
|
||||
jBHsx0TSkpw7Lf59hhlhDBI96rEg2Q9V+Mk9MG7UcSW69B9MzddovKo24ymMPRlk
|
||||
5bIvM6sLC+NW1kpNEAieEZakFtLPxJKh3NAGt3IvDmwtUzrnT+eQA+7mSmt7z06q
|
||||
wElkEf55dqTXNbdI3Zqj1jC5krmApg0UCXv1wW04E4LU0DHicQVM4IAEuil/yiyM
|
||||
VP0DAd8iwlH+WRKO122U1Rzm1xrk2uRzWg4kyt4ZXUCUvoPD4ExPlGqYjwsua4oN
|
||||
1hZL/lBtYjTxlA0ec+oPpYikUuAlWPgt/xpnACdXPdJcAbXrvrIiU9S/NBVkNsBa
|
||||
UMkMVKmfTtHDdvjEv3+3Ikrip4XyraXynXoNGw5Swc3n6IA0QA3/lMSla24vBJ0O
|
||||
dGQGgRX0PFoHfgfQlgtmsUIuINwIOiBtYwAtu8Y=
|
||||
=Slqt
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwMCBBrc/JA6ARAAxIHplDf29qbDdyQpIP6R5Oosm0PTn0LjlnR7sEFyKU39
|
||||
iYwasQ1eq7iubJLeEkEy65nfySUZBaLm2DvSCeCBI0hnDn0EIR2v1tTw0Il2PHy6
|
||||
ibOCg3swiKPcRwfzHuCC/xirVUyJtyg7UbIJiLxtpU9iUMUVsS51fne5SaxYXlHo
|
||||
R2B5ZgjqV+OMbuEhdCpXehOC23lOTHqQqBN5dx4U5RsenSrZLfENeiFEVTszDpD5
|
||||
hKsoRVFOpyKe3B2nVrRFXCBwNNFkwahRuiO6AeHEJlTm8bNE0Zn5eYnGZMx7odgE
|
||||
RgbC6TN9BJJU32SuLIF8TVthv0Ap1TDoQ26uB3tdYnbaVDKZ5173kWwkPfshzCQm
|
||||
afPASP1BgjPueREGnPMUwqD12ynhTkvL5OwzF+fLwctZwjnfEVmYKmRDs8GZ29s/
|
||||
KhBdTzlA5qvpV9Pufm8cqikRztyooMu8FYD7H0l26dIDqPPdHcE4VHgnPDQEXWJk
|
||||
V5sUc8av4B0xd/ApFsiPMGSTlWROXz+PXqGcrVRm5z09+kQWgqZA8Ez/LXowxuOa
|
||||
7nt2ac39DW2rg31+L6zu52f1oi/FM7AkhmEJAoXtx9xZDvmnIrJTN5BCb2Mmh6bz
|
||||
i4ySBCUU8jWhAL/pNRwvDznUZgwwpywD/ZWIPeMkMfNnyKjydmj+4Rc88F5ODJLS
|
||||
kgGotmlufp3NiVhEWMiiQVudwBZj2kAopXjLCmN9bAHVGARdpsu251TGHPfSIoMX
|
||||
fruClLGtMjhBrzihwrRLOgn+JwG34Qfm5ZKeTM0gdhAu/ZdhvvtTRDWX2xoU/2pY
|
||||
lh598JAjLs2QoF6SXdjLuWxQY2Z9jsjB/QkXfq4zbWyqLe+LDT9/04sXYiaoNG5U
|
||||
8jjq
|
||||
=dq6G
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA9XEenRNYVGHAQ/+L1vve9Yl5UVyD2CBXTvxmwnV7XoL59G49CtKG6JKRMkk
|
||||
0ewkIr4Gp6GxH/YrlgShmTXwp8Vpa3FdiGsny5irSdLdtP33OlvnRm0tAbGEV0o3
|
||||
e8SgpUTNDVHCxZcKpEAQIGwxlf+pYuimCCgofCsFmffUFWjW4+R3WIZjQbm+hEho
|
||||
P85KfuYax2QxTUoggBp1bLD8WuizL/KN2Rynyt0GiPVeBaabbWLMJA+79xKNdk48
|
||||
U6cj/TQaSGIG+0eNqmDHwSFYxfTA6ymnUb+a/PPENN15JJqBReWlS3NHF3GhzhC9
|
||||
pSg/pkHledv41Z4mvky7DlzHRUp+FDKm859mkB6jUGww/e2HoECBfSb2/1mv2QFh
|
||||
7BaVonqf3qEBkoGp5RP1nZuPquOGA3Jz8t0XscWx0mFE2BViILaEn/c8l6su5vzt
|
||||
ni44h9Gn7ROke1aCetsF+EXnNHNLytTEq95yiNHyP996tKLgOAUY6bdmWjNMFjhr
|
||||
9trDEOR/cctKzwJ4hDepr/liCAq6IvIiHHU1Fl/efGJkemPA+E8emHFW3Oq9PYtw
|
||||
2T6iIxydkJszSCcQ5cokU/60dDiRLkerkZPQH8XbpHFeefqz91Hpfd+P2u+U85H0
|
||||
95A/xWOz4oisb0yyrH20wqCFnymGvQDoIEox89wTofJoRK8XEBn/m8K9eOSM5nbS
|
||||
XAEqlva82Bdx6+4mXLXY+874sclaUONN14EHfhH3NmkRaUybunAhE511EogOqKmT
|
||||
hmkpTdihP+LanzTImTUp8UqkeccQAPxp2zhKQSV3zeArAZMsJ2ylI6aTUpLs
|
||||
=5JaY
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ//WwcMZhnBVhiw6Bncabxzkv0TN7+CBVr644FrFlyoUfxP
|
||||
r3+sg3yPZEuyGk7uAVVrnkkP+3xcG3P9wnI8IGoVkURM4IiEGKR1rFyROJvbDzra
|
||||
uWj82XMPl3rWZM+FYKa9unKZg6aZkRSMxWKxFBb/vAvLIw7zEa47PbAnWoLhxbg9
|
||||
ijSFw9AXvCE9wD9QtRLakYz1GYOacQa1Zg3yOibzOTEd6tunY8QsRcr5IgzNnjDk
|
||||
PSDjaKA3ItdmgYfObZzMmKROfUQuI8gzDSo3hzRICpBicd91Elz1csgSO2G2972v
|
||||
fRML7MTT23wEmSkImmJDAzdCaDguMLK0UECEdd1LvF3LdBvYQdlpdfR7Ts64ofsG
|
||||
uncUXRoWBI5cfltVcvs5CB7LiXIjChJoJK5TsEIlU/oJn2JIiVQTCog3aDoa22ZQ
|
||||
RbHN1G1tkhgifxI4wuNllSERUnc8b0sy4X+1e0+6X/ipfX0kjMFGeRmskyKnUz2p
|
||||
3LSOp6M0oUhoq+BiIUdJgd7otfWmZp9jPOhPLaEKorwWS5h7oJB0KWmm10tprK0r
|
||||
MjNNiJofl3TAosuHl/981mErzkpCL/leRiPRcvbFXpXPAE1mPl9io9k1twtfzrWE
|
||||
OCeqatWWlasbVTm2c5lSnGvD185xZ5/PlBT7na1FrAKFBm4T442YqQXizyInKQHS
|
||||
UQGQzsV80JXiqq97rP53Mfekk7r+nUWIWKW1GzPxov8EvDcodgw6r8TLfFPa50Li
|
||||
/XUH+QKwnFAEX3cjOACv5djsZr/J4oM7mTJNnv7iIBqeFA==
|
||||
=HRj+
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/YLzOYaRIJJARAAo0lLjIxym1PiMwKrzWC4uFXDhAm6saQooomsd+IJAiKa
|
||||
2FFos1oNV7IQ4Gw6S4TATiiUP2Xo71KzAmomh9cTq6kyuZmvrovLLuvNaBCqQEP+
|
||||
VoZ96P0JaNj3+FFdvYlxmH4L5sY6d/pcAmTMh/2Gooq4qqnbaIDcQaDUA6pA03Hk
|
||||
y+2BSMBEk6/xhlEGtsPJA/6+BIbmyfIIEi0ycV/XVZwKQlL6CoWKNG02wiFsAsRW
|
||||
e/kU9I+WYu6i621hDdsccwaIM9Qn95yIn0t0OHVUM86iJFwXO+9n2sYFr9/bKFhC
|
||||
Kt76PiwB2jpqKzLSFgpA/rD946qcq17YWa1UD6/P7eZRDSDIX0yE7j2M4DxSxzHl
|
||||
hJfUluo9J0FanIvyPcGI5Dh/Hr/trjGhtFG9DFeYhB7jIcx+06DHo6bleB0Hnga+
|
||||
i/kDy/dOdPT4hXtv3mrsww757Gmt5ljc7CZDM34jMcuM7usbzfpl60OZ4ykpWRix
|
||||
BurWTCN2QsleFG2T6Vdrt3QmgFf3i5XyWmAwPDVtLSTxwGyFkzxK0cSqpIlVrVap
|
||||
/VR+gKR9bGlvEYFjdaAtkFBw3+T45BZY4g6jaWboXo8M19QqYA0gJ8zzF0ntl2Y5
|
||||
c+WNOcWr8qnC/JexgEyg4ytwHqxZCf78qkd948eVqGRT8EfTixklEpHls9oxWcnS
|
||||
XAE0+TvSIbscE549VrNyj5VD7yUS93YhPnB4+nQoFoseQTg4TievRg4Ch6daf7ow
|
||||
Aumjm4ehuC3KPtz2RbXRDQiRTl2v/JvI+LZGcOjfkf4pCXczGXdFwN1uyCCz
|
||||
=crUu
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
- created_at: "2023-08-08T22:43:26Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA7zUOKwzpAE7AQ/9GzpXwrotfmYJLQlaUNjWHQyBy3ZWGJikaXO0Tbot4VAr
|
||||
lvR6iZ047mYnBHo7z9P2Y0XQTLG1eS727CHktBmMGkw38Sq679ZJaxWRHpaPiqc5
|
||||
DqChaYLaGN7QYT0hPLOnfUPcEEG05RwPa8vt3jGDsD7IdQ/KmWSDPKq38clhTGwz
|
||||
XP7Hv0+/GgS8CCuQ5ehn8THrqAuLlTi82unG0OIYEdBQSdggcRNZqUSPcQGEoDul
|
||||
fgcqMnspQy8VNUaxpj4agdQYAR5N+bgofEvRg/qkQ6QenrpdbxRuZDrzHR/3igfM
|
||||
bv656ovFGN11/LDFMp9KWpK0Mw6B4C07SvKVSeQbLR44gIXQZ54PQtcmpSMoSf00
|
||||
44dsoYF8sZQkHuvHMtoZROp4GsHdHFFj0S05WxMC+7Ikwmy7Vo+dC/v+JTfzwpEc
|
||||
Y/hmSGcWhdq6Hn8GOYXguY9+Qg4uNCfoW4wAWqdppwGiGO4gwOmu+q6a4NUyvWwK
|
||||
7YwopS2YrRUAviQnM8KZqtEgJ9Z40QQ/tecipm73BqnYXZZ5Hb/emrJjsTBFudJz
|
||||
+RpKEMFazQOxspmbRcdAZHNOpcv2r5P7i4g1vj2ahgexstLZcEzm8IO5CvMx40EG
|
||||
7X1bUBGzH98eUX6OU3YYjZbPBHzf1i5fILZwsmc/xIY1zRVPfpCj5DBHU4Z7vDzS
|
||||
UQEwUnXjAIt77JqVyc0aKII0Y+uSuGo5xdFvQF4ME2ArXWD7SbnNBEoYqEmGgMt6
|
||||
6ONmNolD0XwWvBS2RxYajiUyul+TnO/7TnWQtCsJLnOijQ==
|
||||
=blZl
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
|
@ -1,94 +0,0 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
c3d2 = {
|
||||
deployment.server = "server10";
|
||||
hq.statistics.enable = true;
|
||||
};
|
||||
microvm = {
|
||||
vcpu = 8;
|
||||
mem = 12 * 1024;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "caveman";
|
||||
firewall.allowedTCPPorts = [
|
||||
# telnet
|
||||
23
|
||||
# redis
|
||||
6379
|
||||
];
|
||||
};
|
||||
|
||||
services.journald.extraConfig = ''
|
||||
Storage=volatile
|
||||
'';
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"redis/caveman/requirePass".mode = "0444";
|
||||
# Must be readable for DynamicUser caveman-sieve
|
||||
"caveman/sieve/privKey".mode = "0444";
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
redis.servers.caveman = {
|
||||
# Listen on the public network
|
||||
bind = null;
|
||||
# Override default backup schedule to reduce I/O
|
||||
save = [
|
||||
# Every 2h if at least 1 entry changed
|
||||
[ 7200 1 ]
|
||||
# Every 30min if at least 10000 entries changed
|
||||
[ 1800 10000 ]
|
||||
];
|
||||
};
|
||||
|
||||
caveman = {
|
||||
redis = {
|
||||
# leave 4 GB for caveman services
|
||||
maxmemory = (config.microvm.mem - 4) * 1024 * 1024;
|
||||
passwordFile = config.sops.secrets."redis/caveman/requirePass".path;
|
||||
};
|
||||
|
||||
hunter = {
|
||||
enable = true;
|
||||
settings = {
|
||||
prometheus_port = 9103;
|
||||
max_workers = 384;
|
||||
hosts = with builtins;
|
||||
filter (line: isString line && line != "") (
|
||||
split "\n" (
|
||||
readFile ./mastodon-instances.txt
|
||||
)
|
||||
);
|
||||
};
|
||||
};
|
||||
sieve = {
|
||||
enable = true;
|
||||
settings.priv_key_file = config.sops.secrets."caveman/sieve/privKey".path;
|
||||
};
|
||||
butcher.enable = true;
|
||||
gatherer.enable = true;
|
||||
smokestack.enable = true;
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."fedi.buzz" = {
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
serverAliases = [
|
||||
"www.fedi.buzz"
|
||||
"caveman.flpk.zentralwerk.org"
|
||||
];
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.caveman.gatherer.settings.listen_port}/";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
mastodon.social
|
||||
c3d2.social
|
||||
chaos.social
|
||||
dresden.network
|
|
@ -1,174 +0,0 @@
|
|||
restic:
|
||||
password: ENC[AES256_GCM,data:f1kQylVfzI1v+W2P+IklKw==,iv:A72uGclgNYtDyTr8EQVgLZ4Ej1qVRWL6DvmmXExXXVI=,tag:kFhaxLWi89tWNoNtbE/FUQ==,type:str]
|
||||
repositories:
|
||||
server9: ENC[AES256_GCM,data:iLHa9ppMKU0fozooGoTrc/Of6Vh1iDI1Fp91LdWAktZpZ6/dPKyHdug8S3KZT3WpbQggQRmdeB9cgdxd+3H8OU8yrapVx7rIGz9il0eNQc3j0lbI/IIZyboP7HSOYd9soNRKwA==,iv:TFki4AUtMM0lhhuR4a5P33znPASyEWN2MWkZWaBj2i4=,tag:EpPN9BZLp80BAgeAnGzG6A==,type:str]
|
||||
redis:
|
||||
caveman:
|
||||
requirePass: ENC[AES256_GCM,data:08V/ZSarIx+lpGSx5Su0A4Jveejxi83+jj1+Wcqf+nY=,iv:lm412YmiV6rVn5LGx1O5/kCGO457yohieu+UgB5b230=,tag:4cQ7mIlxJh7rGMZqmGIPMQ==,type:str]
|
||||
caveman:
|
||||
sieve:
|
||||
privKey: ENC[AES256_GCM,data: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,iv:QzyXJA9TdFIWnQsK0X426vnoBVn+a7jp51jzKzWXBow=,tag:vHatuf24eick+oKrEonadg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age13dl5qjzddaazmquf7zfecru5tr4ld8l8xd7xpmhaqqzmchpua4usswqykd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVHRWWXhtZmpodE56bUlM
|
||||
YUc4TWQ4SFF5Yk4yR2F6K3JHT2JwSEpTYWpRCkZkSUZpNUFRc3Y5ZGhiM0RzT2t3
|
||||
TVVuSldVd1IyYmU2aWFreWVCSEw0cUkKLS0tIHFUTkhScTRyMTl6WTMzRmdMZXFZ
|
||||
MFdlRWE3eTJDcUZ3ZGxmdWtzZmJ2ZEEKRcH5viZ398JKntCDHwS2joc1OZUgbce2
|
||||
/Tkv+QEEKN6bnz+e1BOu4XSAsf8kX8/rxyxDZcj6L0ndfCgEqB2w0A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3U0FiWUY1OFF0bmJvdUpV
|
||||
TndJUFplMmloUmY2VVJ5MDJEV3NSWFFzTUFRClZNQVBQZ3ZDOEFvNFNYSUl6WjBZ
|
||||
NzIwWFYzSEhBY3JxcjBrSFAyL3lleG8KLS0tIG9PK1UwbEZ5Vzg3bFFvWW9zK3hv
|
||||
Z2ZSNmsxR2lQZWpLeDdqVC9jTEJYVW8KtES5IHyQyMs4MuaGrEt724cQf935ISl2
|
||||
QE+Fpkg4Wb+8gaBA0H6bWzq0OLuaIVzgK5BEoY1YThD6kKbBxTcDww==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-11T22:43:02Z"
|
||||
mac: ENC[AES256_GCM,data:GMNGRHhfnxnhHjxIQ3l0FRnMaGS7OJgSJzQnYVR4IZRrPgesZffqnf263pJdo+tGEA2JDTLbz4W+40pJ4IZ6m66BR5sVwKjsimAGTB86dO8G1RlzDgVGQAkU0i/YA0wm4+5DmoMUsRfOtxxOqsbASv44Ua2H3omKG1aLXQebTb8=,iv:iQys+/zsCegYSFy4EZiqKGSOLQCeQUMnTRGVpi4DSTw=,tag:/p18QhzztAhDFTXd+ZAU3Q==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA7zUOKwzpAE7AQ/9HerSRytAVz1k4suti9AxrVl2Gv1AGAJ5AOz9z6QTGquZ
|
||||
TeOCtSBGBz0OPX1KyvU/0SPQTHdO7B+rVW5hLMyHMF4bhnE+6BowLYds9watySUZ
|
||||
EfrXsOoFGTFnP9nIVK6FogfPMqLF6rbyzq69Hb/GWJVER9czba2x/DIHDxjg+jPp
|
||||
cqZdMcgzbycbGgYpkNxrm0udC2aSVlHORCOwOo5MsckwyyTcbCG/4p3Ch3JIteZX
|
||||
oAidQSWxvUC+86n+46lm1+znnPbEo+xEd+W7I+OEux4mQXb9vEQXmYKe75BtheX5
|
||||
GajU5MKJ8OECgGIjoK2QjP4r4e2MNmCo4m4GmKIS/YgU9K9aZCaFTWipFpSmCoM7
|
||||
3GfU7Ok+DeqTkSn/qjhM1HFzluOIcfxLm/xU6QxZv33TVxrFrRz6woE6+M1IbiNI
|
||||
2okUcbD6GECc2/f8/Uvr5/WktsEqaBRzKSOBOjgAlKZU7oKaX/kJjVp3GCjG9Xsq
|
||||
w7y+PxEGE8YyFhZ61iprgaR98YRej/LQw6LT8Y0RV3pIPfAdqP0ZHd9EPbk3XXg1
|
||||
YEmf5o/JAOYX37FCCIXW7w0tm6JNYvvu7ul9Ds7yXBgAgr/t29Ghh7zIwODQDf0v
|
||||
rslLOh9U7vo8oiod6WHbffi6CB3nGuFy5opXlH6lkH7XtARjBYnqZo7WO5KYGZ7S
|
||||
UQHYgSBFYemq9j2e7iMCqn+mdMC/3uvmSL9NCtUE89pKd9g1v2cokZ4E+r06DyNa
|
||||
Zjpt254DefcfYJTGYrFTepgaQOWHfIS4CGBnXlT2uu+5SA==
|
||||
=JzrQ
|
||||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA6j84+xkv3y7AQ//VQJsTXBQYcBGl7HZXrOz4/Rr6XG7m0JmNXMwowa97MOA
|
||||
j3gRS3evwwZp81jeBDc3Iq4SVY6wP8zGepGHk1Y9GAe856pHA94ZppXfuyqPntNb
|
||||
Dp3Fz+StWlbrUJzPevgSncci/maSHe5hjwx7LG80Wo/4HCGvf42g73tTZT5Tl1EU
|
||||
ySaX0eVjc/VGIAOYTrfEvUCEqzls28BKL3lFSiz42cbTAwEGb8AzJsB/49PqZMuM
|
||||
Tp58rSJ7MMqMm6OBZK8yjWwOzq+QUUYGvgTbFfZEswgf0+xlrulWh/rAVeiaH8ou
|
||||
EZ8ZAa2GYFWD6b18QYskx3Nvabnr/XGlTxt1yL4xlVEqiv4tegNHFDX0okoWWLhP
|
||||
Fl6ooBLPuBVZL4rU0VLhUlA10sAxZHYshiviJADLdvTyewhPXRL7fYxhfaH9+Q7C
|
||||
0yKOvZUGiQAnzOneA9rDDgsx91xF0oa5VVXLbxdbmD4cYyCdK7rTEVKmfIZPs1Eo
|
||||
O+ibmTu+2z6e23+LYMP5XlgZmIeqPDRsCK8CZFDggS8VmJeyBPVihIhY0z7EIwUm
|
||||
+snlNBx6qXHQYs5FsQzI7v0Ka+VtePiXsOH6qeswABRddStDFHTjkmwzZ16BE83E
|
||||
t3zPudfevkitGAGHx/QNifZaeW1Lm+hdUBN76xHuBPMMg5HT4zJcXtznrjdeVlDS
|
||||
UQE4lRI6bJxq5973rnhRgaq6VrKfaoEulKBnrPwK8WGcMHk2CdnGaQW9V3gexpdE
|
||||
kv8Bda/gP7yK3xtvXeY4ga8AqRHXgXqn8kHbPyeoB9rXhw==
|
||||
=SM6c
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMAwMCBBrc/JA6ARAAzyiyxmdfVDzQIUq05KLpQ+hw2ccMRWmkDwIs78Y+6fxh
|
||||
4nnG9CIFvygCtB+PhfO/idzIaLXunErD/nEJkhcoubLu1Uw0D77pbw3+rLiwUH7y
|
||||
ijHGnTFqfV7x24aaaCVbHDRXAEctGmll8JjDi2VpBgEm3QwHHSx0idSo5GUYghmG
|
||||
fh0Fpn5lT9bHcYm7LmHqTTof/KF2tsf4zjOhfggDEj384jvpG5Wq0CoC4Z64HMUl
|
||||
Dk3R2l5nX7XUV0E9YkUz4M3Vt2OEGOX8LiwVTLebdEmWvKa0NhR/pk+4gj75z6BD
|
||||
/EhnnqCwAHDIAV34vn3LaoVnmM3fjZ06DEZ/UsJiAuRZmnqzl/LPudBmcw0T0KwA
|
||||
lX847nXWU9JuunSiBwfBEBVrSjUDqRGm+MyDqPUxvykp1QOlt3gHLiwTf/LqKk4j
|
||||
gtSjfaEK/902ODg+kddXx3piaR6VL8BN8v7sJJ4f0DeeWI5X4sZO3wlW/bMK10Qa
|
||||
aNvWURfxQvVa6E9qiQIi2/sARGMQ08Tu4qbAKuLK2sdz8ABerpbwftXIwh/qJuYr
|
||||
pUPiFIO3M0whSsobEmWg0RJ+tp0Itb6MVR8kPDoc5u9VtWwjw3bKCvVFp+MHRbJ5
|
||||
0RQ0JchzkcVVXBXrTPpT9wIJYYti5x7z0ZLr02i16gIoD5JqMjuGb33KdAmJO3zS
|
||||
UQFQfaO1br/eUnLU6JWAhR2g8iCmXwYZWu96jkbXm863IjnXzz0acEYLvu1Wfgmg
|
||||
1mhpYg9cEXcayQ99tWZ2DIE8F2DGZICeXRIjbPK7d8sblQ==
|
||||
=0N0b
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA/YLzOYaRIJJARAAmujv/j5qV10Uyf/YIEa6Xpfg944H1t74XTf33bSIw7TU
|
||||
5xE0IIuyoauRMM/wfFCA8Wob7nCxAZnfIycte2aoiQSJpewRa81SWtTlUR9DnhP4
|
||||
h7SB4iT1b20Tm/5NohDQNwZI2cEKWbEWww41jXAOk1ZYEcblYor/w3oocfRiT6mX
|
||||
VjfPH8jiWVaccFsur8sFfvrJ4LobDMwGbPhZMl2TFtBa6nrJ+chGEj+W3Eez3f/I
|
||||
jPiCGzxtonSsqa2fL8/H4k8L5NsG71OB9CvPMh/DWfCZb0CJieqbAeRfBLzI5Jph
|
||||
a/4icI6ydh0UFSvrlXcmnvgn0HouFAMc7fo8sFttBdSn0qEhE2MKZ5Qu+b1QuQ9k
|
||||
lRKXlraO392eKSYS3F1qlQvw+trwwhQft4ct+sdCcxoRu58sBYOJcxAC43IFe0mj
|
||||
VwKZFTRkE/D9KHc/9zw4mjKa3SC2eWczOuYWof2IggeZiS8kBxdtcyjtWfNdfb9b
|
||||
9T56YEbG61rk5G/iPBzE7EGrW+syD8xFFwKDrm8SCCwz+9DMofOf73aKJrtAYhfi
|
||||
StXV8zc/thiR4Lw1xUuakil7SBtzuITzAZWn35O7TH62pzGbUIc9Xk3lOyTHValv
|
||||
XAXs2Q+I7amT7FuSi3am/1ofGruLA6VcV7R2s53SUZ1BorWnJgAqF8t5aGFk2r7S
|
||||
UQFbq/N/9Hn2LLhyxJ/e+cE26nKIytmQbHeTWVjw4oqNeEBOIB9s6YF35ob6IkzT
|
||||
44oNJ020umVFWAm6ZUnHIBEqnF/ktiG8kSlOS3reHfHugA==
|
||||
=Wz7k
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ//aYz8gjFwHlJvGfE8WU4M3XERh1MtmAmnI2NykNU6L9UE
|
||||
nioPyvbH6k6sBos8pwzIgCa0oOyrNvpyVjzklUG3DVZBXpx/dP1jsjNpKUkDs6Ym
|
||||
O6l5ZPGSYK+0TurIgsQL/gV/crvZUazSajRK6/OszD7lup8lJ5Hm+nHESx1NaMvA
|
||||
2J40Tf7Q8oVQkIpLDGnraQqI2EVHgBbI/yUKeuT2WEO3xaZGJ93mW0kUpYYJD+Yt
|
||||
UDC7ev7ROWQcTqfCWBGfrdzEUYONfwGcz5b6a7tLLozjfAVGbvK9O2HFEFYBUdKb
|
||||
NBI7f21l/ydj6DSmrZf4465s7FNQunmJZTmDdCXMyPgTphFW+9QCMBp5E3wOyhyD
|
||||
B5hQK9RcD8rSi1R5i2kaRm6vsLOXHFBOV76z55imfz82a3RFB92zTAJPiS+BUoHg
|
||||
JnI9Mds5LxXPAmxwDIexunc9yAz4X66nk1foWAPPDgp+ei5mgvnLGpb5SZtGaaV7
|
||||
Wgg38dnY5HKR/oC+L1MC2XUncIp0OvEowAkiX4Xen9JSe65KjBa+SJSssDbcIy33
|
||||
AjoHyk693nalWBQ1zMkO5E+SMzEMXXBlqJ6gQogAVLry9tfpoeP7ix8UxcgHIOKC
|
||||
IIewa7Knoroa8anU8EvNhqpTRiFRLTX01on43nZ+pzCo3tWIe3azJ4lNWZiBgw7S
|
||||
UQEbSrdZj2eFE33gUa9f8i0F38/kBZGVmATJk0d+o9JiYQGv3Yb8IIMHTLXlkZ8a
|
||||
tPO1oTkaean2ZRThLSOvEQ8KUnGMGvAQo5IxPwv9bJqEww==
|
||||
=3Gfv
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9XEenRNYVGHAQ//b57lqUjnNil5tbCpuSEzT0WSyglqLDTt/WDeAjYsFneL
|
||||
w1jn8Ivu8AIgU8Jwi9uclSA84/JNAo//uc1+tutmPG5ifGWHZU78VdQ9kWsoYVWi
|
||||
+WYFyFKTsC3uba6F2i1kL8S2IzNd1SBcE5IvKAZpHoFk0c6AvFTOE+MWGJhYSlsf
|
||||
0d+yI2OWdY4/i/NcQLlCbgCKV6RNnKsJLf8+6iJ/QnIoXa8qmGGyCzKK0vRUnarX
|
||||
bG1uKRaUtyDELquw9QVTUAJ5r9PSxJM9SrV+82yljDep38FdAVIbeRVU94YTHHw4
|
||||
2+OTZoa4UdlMNT3gSLfrO6HB32oI1jRnpppRp2JiJoP5nvAEaMLUmty4iDvtJqhx
|
||||
6MbpyDuShsZb7gvy2O7Vtqd++OmYPTCALJ5RRq8/I2Ns751H4/Jj+sz9dvibTFJC
|
||||
oldhfpPbF3SVNh7Ls7zyA3eYMIy3/ntcz4dzFgEvEzcJv2dmWp2YXYOy8X5pEpJb
|
||||
QeAuqhpsok4xlYnGMGERx1vfzhe7xbX21n0eOXmKvVT8WOYZFOPaBpX7HRD7rLAx
|
||||
2TImwIcmrNj0QrtLSEWMnu7m2wH2gb0LDoSy9uGVn/DWOs6XmPRbsq4KKpQlCnPT
|
||||
x2paTkBZPl7OdDtG0idzaSZ40HJfB3WP8sm0Zc4dv1HPY3BSZ6T6tNGpmJUje0TS
|
||||
UQH/GJ/PF6d8cT5olL1BUUOcUsvA/NEU7G+lnFM0FuWiWB6GMRmSAasPJ+8c6pP4
|
||||
7hyufINb8QrsjSLLFCc3K9AZ0rSES6EPIRgfE5IOJlgSJA==
|
||||
=dpZI
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2023-10-12T20:25:31Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA45bZkLXmBFpAQf/SOW6vP/l4XyebkUYjNoNp/+80jtAbNwz13nEDG0Qbi1o
|
||||
dh4WqDDs/0YMC5JQyDkQ9VmvedFhsp824FXU+2hGpRWA1cqGEfgxGbXHjoe3WCDt
|
||||
lFr9mKmgY3DBQ644Egd2sbeZu/GoUonDc6ySbw/FwFWmDIFWjNidij2fueSbWfQd
|
||||
1EeNzFeNrO+lNcviqjq+t5pxc64mc9yu8MNaimCJ9EGNk89G2aushZea9TmHPwi1
|
||||
YchJt67t9x5o3bVHAaHFKNOCHMNNN5dXsgdvSXbRBYwlXOc9HYPtFfGDdY/cx1kX
|
||||
lIEhVaNCMgLT5OAzBz8LtSV6MTWVDUs9M2JMn8MYgtJRAfbOOC8icZulZ3hGCKCL
|
||||
otrbk/vRlASexiC9yw4dTPeB54JkB1eb5BkwcgevnEOMOGX8fdxUd4ZGyCcc/1F0
|
||||
2BQawZTUJgcZ3U+PPau124ig
|
||||
=juFT
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -0,0 +1,41 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../../../lib/lxc-container.nix
|
||||
../../../lib/shared.nix
|
||||
../../../lib/admins.nix
|
||||
];
|
||||
|
||||
networking.hostName = "dhcp";
|
||||
networking.defaultGateway = "172.22.99.1";
|
||||
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
|
||||
networking.interfaces.eth0 = {
|
||||
ipv4.addresses = [ {
|
||||
address = "172.22.99.254";
|
||||
prefixLength = 24;
|
||||
} ];
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
];
|
||||
|
||||
# dhcp
|
||||
networking.firewall.allowedUDPPorts = [ 67 68 ];
|
||||
networking.useDHCP = false;
|
||||
|
||||
services.dhcpd4 = {
|
||||
enable = true;
|
||||
interfaces = [ "eth0" ];
|
||||
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
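Review bot: `extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;` near the end of the hunk evaluates the secrets-submodule file into the configuration, so its full contents end up in the world-readable /nix/store (and in the generated dhcpd.conf) on every machine that builds or deploys this host, not just on the dhcp container. If that file carries anything sensitive — presumably why it lives under `secrets/` — keep it out of the store: deploy it out-of-band and reference it with `extraConfig = ''include "/var/lib/dhcpd/dhcpd.conf.d/config";'';` (or similar), or use a secret-deployment mechanism that installs a non-store file. If it holds only non-secret subnet/host declarations, a comment stating so above the line would stop the next reader from assuming it was protected.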
|
|
@ -0,0 +1,207 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, strings, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
systemd = {
|
||||
enableEmergencyMode = false;
|
||||
};
|
||||
# Use the GRUB 2 boot loader.
|
||||
#boot.loader.grub.enable = true;
|
||||
#boot.loader.grub.version = 2;
|
||||
# boot.loader.grub.efiSupport = true;
|
||||
# boot.loader.grub.efiInstallAsRemovable = true;
|
||||
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||
# Define on which hard drive you want to install Grub.
|
||||
#boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
|
||||
|
||||
# networking = {
|
||||
# hostName = "storage2";
|
||||
# interfaces.ens18.ipv4.addresses = [{
|
||||
# address = "172.22.99.20";
|
||||
# prefixLength = 24;
|
||||
# }];
|
||||
# };
|
||||
|
||||
|
||||
networking = {
|
||||
hostName = "storage-ng";
|
||||
# usePredictableInterfacenames = false;
|
||||
interfaces.ens18.ipv4.addresses = [{
|
||||
address = "172.22.99.20";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
interfaces.ens18.ipv6.addresses = [{
|
||||
address= "2a02:8106:208:5201::20";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
|
||||
nameservers = [ "172.20.72.6" "9.9.9.9" "74.82.42.42" ];
|
||||
|
||||
defaultGateway = {
|
||||
address = "172.22.99.1";
|
||||
interface = "ens18";
|
||||
};
|
||||
#defaultGateway6 = {
|
||||
# address = "fe80::a800:42ff:fe7a:3246";
|
||||
# interface = "ens18";
|
||||
#};
|
||||
};
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n = {
|
||||
# consoleFont = "Lat2-Terminus16";
|
||||
# consoleKeyMap = "us";
|
||||
# defaultLocale = "en_US.UTF-8";
|
||||
# };
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget
|
||||
vim
|
||||
screen
|
||||
zsh
|
||||
lftp
|
||||
# ceph
|
||||
lsof
|
||||
psmisc
|
||||
gitAndTools.git-annex
|
||||
gitAndTools.git
|
||||
|
||||
mpv
|
||||
# libmagic how ?
|
||||
];
|
||||
|
||||
services.ceph = {
|
||||
# enable = true;
|
||||
client.enable = true;
|
||||
};
|
||||
|
||||
services.samba = {
|
||||
enable = true;
|
||||
enableNmbd = true;
|
||||
shares = {
|
||||
c3d2 = {
|
||||
browseable = "yes";
|
||||
comment = "Public samba share.";
|
||||
# guest ok = "yes";
|
||||
path = "/mnt/cephfs/c3d2/files";
|
||||
# read only = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# fixme, we need a floating ip here
|
||||
# correct is floating ip 172.22.99.21
|
||||
# does not exist yet
|
||||
|
||||
# secretfile does not work :(
|
||||
|
||||
fileSystems."/mnt/cephfs" = {
|
||||
device = "172.22.99.13:6789:/";
|
||||
fsType = "ceph";
|
||||
options = [ "name=storage2" ("secret=" + (builtins.readFile("/etc/nixos/storage-secret.key"))) "noatime,_netdev" "noauto" "x-systemd.automount" "x-systemd.device-timeout=175" "users" ];
|
||||
};
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
programs.bash.enableCompletion = true;
|
||||
programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
|
||||
services.atftpd = {
|
||||
enable = true;
|
||||
root = "/mnt/cephfs/c3d2/tftp";
|
||||
};
|
||||
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
package = pkgs.nginx.override {
|
||||
modules = with pkgs.nginxModules; [ fancyindex ];
|
||||
};
|
||||
|
||||
virtualHosts = {
|
||||
"storage-ng.hq.c3d2.de" = {
|
||||
root = "/etc/nixos/www";
|
||||
serverAliases = [ "storage" "storage2" "storageng" ];
|
||||
http2 = true;
|
||||
# addSSL = true;
|
||||
locations = {
|
||||
"/c3d2" = {
|
||||
alias = "/mnt/cephfs/c3d2/files/";
|
||||
extraConfig = ''
|
||||
fancyindex on;
|
||||
# autoindex on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# Open ports in the firewall.
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
23
|
||||
80
|
||||
443
|
||||
137 138 445 139 # samba
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
69
|
||||
137 138 445 139 # samba
|
||||
];
|
||||
# Or disable the firewall altogether.
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
# Enable touchpad support.
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Enable the KDE Desktop Environment.
|
||||
# services.xserver.displayManager.sddm.enable = true;
|
||||
# services.xserver.desktopManager.plasma5.enable = true;
|
||||
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
users.extraUsers.k-ot = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" ];
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
|
||||
}
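Review bot: `networking.firewall.enable = false;` at the bottom of the hunk disables the firewall outright, which makes the `allowedTCPPorts`/`allowedUDPPorts` lists directly above it dead configuration and exposes every listening service (samba, tftp, nginx, sshd, whatever else binds) rather than only the enumerated ports; either delete that line or delete the now-meaningless allowlists and add a comment explaining why the host runs open. The cephfs mount options also splice the key from /etc/nixos/storage-secret.key into the fstab entry via `builtins.readFile`, so the secret is baked into the store-resident `/etc/fstab` and is visible in `/proc/mounts` on the running system; the `# secretfile does not work :(` comment suggests this was tried, but a TODO naming what failed with `secretfile=/etc/nixos/storage-secret.key` would help the next person fix it rather than copy the pattern. Port 23 in the TCP allowlist is unexplained — a one-word comment like the `# samba` one would do.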
|
|
@ -0,0 +1,12 @@
|
|||
<html>
|
||||
<head><title>storage.hq.c3d2.de</title></head>
|
||||
<body>
|
||||
<h1>storage-ng</h1>
|
||||
services available:
|
||||
<ul>
|
||||
<li><a href="/c3d2">c3d2 files http</a></li>
|
||||
<li>SAMBA/Windows Access: storage-ng.hq.c3d2.de</li>
|
||||
<li>tftp</li>
|
||||
</ul>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,76 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../../../lib/lxc-container.nix
|
||||
../../../lib/shared.nix
|
||||
../../../lib/admins.nix
|
||||
];
|
||||
|
||||
networking.hostName = "grafana";
|
||||
networking.useNetworkd = true;
|
||||
networking.defaultGateway = "172.22.99.4";
|
||||
# Needs IPv4 for obtaining certs?
|
||||
networking.useDHCP = lib.mkForce true;
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
];
|
||||
|
||||
# http https
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
# collectd
|
||||
networking.firewall.allowedUDPPorts = [ 25826 ];
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
agree = true;
|
||||
config = ''
|
||||
grafana.hq.c3d2.de
|
||||
proxy / localhost:3000
|
||||
'';
|
||||
};
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
auth.anonymous = {
|
||||
enable = true;
|
||||
org_name = "Chaos";
|
||||
};
|
||||
users.allowSignUp = true;
|
||||
};
|
||||
services.influxdb =
|
||||
let
|
||||
collectdTypes = pkgs.stdenv.mkDerivation {
|
||||
name = "collectd-types";
|
||||
src = ./.;
|
||||
buildInputs = [ pkgs.collectd ];
|
||||
buildPhase = ''
|
||||
mkdir -p $out/share/collectd
|
||||
cat ${pkgs.collectd}/share/collectd/types.db >> $out/share/collectd/types.db
|
||||
echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
|
||||
'';
|
||||
installPhase = ''
|
||||
cp -r . $out
|
||||
'';
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
extraConfig = {
|
||||
logging.level = "debug";
|
||||
collectd = [{
|
||||
enabled = true;
|
||||
database = "collectd";
|
||||
typesdb = "${collectdTypes}/share/collectd/types.db";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
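Review bot: `users.allowSignUp = true;` combined with anonymous access on a Grafana instance fronted by a public, ACME-enabled Caddy vhost means anyone who can reach grafana.hq.c3d2.de can register an account; unless open registration is intended, set `users.allowSignUp = false;` and create accounts out-of-band. If anonymous visitors are meant to be read-only, it is worth stating the intended role explicitly (`auth.anonymous.org_role = "Viewer";`) rather than relying on the module default, and a comment on the `auth.anonymous` block saying that the dashboards are deliberately public would document the decision. The collectd listener on UDP 25826 presumably accepts unauthenticated datagrams from the network (the influxdb collectd input is configured with no security level here — confirm), so at minimum a comment should note that metrics on this port are untrusted, and `logging.level = "debug"` looks like a leftover that will be noisy in production.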
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../../lib/lxc-container.nix
|
||||
../../lib/shared.nix
|
||||
];
|
||||
|
||||
networking.hostName = "nixbert"; # Define your hostname.
|
||||
networking.useNetworkd = false;
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim
|
||||
];
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
nix-build -I nixos-config=./lxc-template.nix '<nixpkgs/nixos>' -A config.system.build.tarball
|
|
@ -0,0 +1,31 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ ../../../lib/lxc-container.nix
|
||||
../../../lib/shared.nix
|
||||
../../../lib/admins.nix
|
||||
"${tiggerGit}/module.nix"
|
||||
];
|
||||
|
||||
networking.hostName = "mucbot";
|
||||
networking.useNetworkd = true;
|
||||
networking.defaultGateway = "172.22.99.4";
|
||||
networking.useDHCP = lib.mkForce true;
|
||||
|
||||
services.tigger = {
|
||||
enable = true;
|
||||
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
|
||||
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
|
||||
muc = "c3d2@chat.c3d2.de/Astrobot";
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
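Review bot: The binding `tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;` imports a NixOS module straight from a mutable branch with no hash, so what `"${tiggerGit}/module.nix"` evaluates to depends on whatever GitHub serves at evaluation time and cannot be reproduced or audited afterwards; pin it to a commit and a hash, e.g. `tiggerGit = builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<commit>.tar.gz"; sha256 = "<hash>"; };`. The line `password = import ../../../secrets/hosts/mucbot/jabber-password.nix;` hands the Jabber password to the module as a plain Nix string, which presumably ends up in the generated service unit in the world-readable Nix store; whether the tigger module offers a password-file option instead cannot be seen from this hunk, but if it does, that is the safer form and worth a comment here either way.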
|
|
@ -0,0 +1,52 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
./proxy.nix
|
||||
];
|
||||
nix.useSandbox = false;
|
||||
nix.maxJobs = lib.mkDefault 2;
|
||||
nix.buildCores = lib.mkDefault 16;
|
||||
|
||||
boot.isContainer = true;
|
||||
# /sbin/init
|
||||
boot.loader.initScript.enable = true;
|
||||
boot.loader.grub.enable = false;
|
||||
|
||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
||||
|
||||
networking.hostName = "public-access-proxy";
|
||||
networking.defaultGateway = { address = "172.22.99.4"; interface = "eth0"; };
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "yes";
|
||||
ports = [ 1122 ];
|
||||
};
|
||||
|
||||
my.services.proxy = {
|
||||
enable = true;
|
||||
proxyHosts = [
|
||||
{
|
||||
hostNames = [ "arkom.men" "c3d2.arkom.men" "test.arkom.men" ];
|
||||
proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
|
||||
}
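Review bot: `permitRootLogin = "yes";` in the `services.openssh` block lets root log in with a password on a host whose purpose is to be reachable from the internet, and nothing in this hunk turns password authentication off (only `minimal.nix` and `./proxy.nix` are imported, so the module defaults apply). Prefer `permitRootLogin = "prohibit-password";` together with `passwordAuthentication = false;` and key-based access, and add a comment stating why root SSH access is needed at all if it is; moving the daemon to `ports = [ 1122 ];` does not change the exposure. The firewall list only names 80 and 443, so port 1122 is presumably opened by the openssh module's own firewall handling — a one-line comment next to `ports = [ 1122 ];` saying so would keep the full set of exposed ports visible in one place.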
|
|
@ -0,0 +1,125 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.my.services.proxy;
|
||||
|
||||
in {
|
||||
|
||||
options.my.services.proxy = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = "whether to enable proxy";
|
||||
type = types.bool;
|
||||
};
|
||||
|
||||
proxyHosts = mkOption {
|
||||
type = types.listOf (types.submodule (
|
||||
{
|
||||
options = {
|
||||
hostNames = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Proxy these hostNames.
|
||||
'';
|
||||
};
|
||||
proxyTo = mkOption {
|
||||
type = types.submodule (
|
||||
{
|
||||
options = {
|
||||
host = mkOption {
|
||||
type = types.nullOr types.string;
|
||||
default = null;
|
||||
description = ''
|
||||
Host to forward traffic to.
|
||||
Any hostname may only be used once
|
||||
'';
|
||||
};
|
||||
httpPort = mkOption {
|
||||
type = types.int;
|
||||
default = 80;
|
||||
description = ''
|
||||
Port to forward http to.
|
||||
'';
|
||||
};
|
||||
httpsPort = mkOption {
|
||||
type = types.int;
|
||||
default = 443;
|
||||
description = ''
|
||||
Port to forward http to.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
description = ''
|
||||
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
|
||||
}));
|
||||
default = [];
|
||||
example = [
|
||||
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
|
||||
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
resolvers dns
|
||||
nameserver quad9 9.9.9.9:53
|
||||
hold valid 1s
|
||||
|
||||
frontend http-in
|
||||
bind :::80 v4v6
|
||||
default_backend proxy-backend-http
|
||||
|
||||
backend proxy-backend-http
|
||||
timeout connect 5000
|
||||
timeout check 5000
|
||||
timeout client 30000
|
||||
timeout server 30000
|
||||
${concatMapStringsSep "\n" (proxyHost:
|
||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
|
||||
concatMapStringsSep "\n" (hostname: ''
|
||||
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
|
||||
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} resolvers dns check inter 1000
|
||||
''
|
||||
) (proxyHost.hostNames)
|
||||
)
|
||||
) (cfg.proxyHosts)
|
||||
}
|
||||
|
||||
frontend https-in
|
||||
bind :::443 v4v6
|
||||
default_backend proxy-backend-https
|
||||
|
||||
backend proxy-backend-https
|
||||
timeout connect 5000
|
||||
timeout check 5000
|
||||
timeout client 30000
|
||||
timeout server 30000
|
||||
${concatMapStringsSep "\n" (proxyHost:
|
||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
|
||||
concatMapStringsSep "\n" (hostname: ''
|
||||
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
|
||||
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} resolvers dns check inter 1000
|
||||
''
|
||||
) (proxyHost.hostNames)
|
||||
)
|
||||
) (cfg.proxyHosts)
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
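Review bot: `timeout client 30000` is emitted inside `backend proxy-backend-http` and `backend proxy-backend-https`, where HAProxy does not accept it (it is a frontend/defaults keyword), so it is reported at config check and ignored; move it into the two `frontend` sections or a `defaults` block. `type = types.nullOr types.string;` for `host` uses the deprecated `types.string`, whose merge function concatenates duplicate definitions; `type = types.nullOr types.str;` matches the `types.listOf types.str` already used for `hostNames`. The `httpsPort` description `Port to forward http to.` is a copy of the http one and should read `Port to forward https to.`. The https backend selects servers on `req.ssl_sni`, but `frontend https-in` neither sets `mode tcp` nor buffers the ClientHello with `tcp-request inspect-delay` and `tcp-request content accept if { req.ssl_hello_type 1 }`, so whether the SNI sample is populated when `use-server` runs depends on defaults applied outside this module and is worth verifying against a real client.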
|
|
@ -0,0 +1,71 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
isInHq = true;
|
||||
hq.interface = "eth0";
|
||||
};
|
||||
networking = {
|
||||
hostName = "radius";
|
||||
interfaces.eth0.useDHCP = lib.mkForce true;
|
||||
};
|
||||
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
];
|
||||
nix.useSandbox = false;
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
|
||||
boot.isContainer = true;
|
||||
# /sbin/init
|
||||
boot.loader.initScript.enable = true;
|
||||
boot.loader.grub.enable = false;
|
||||
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
|
||||
|
||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
||||
|
||||
networking.hostName = "nixbert"; # Define your hostname.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
networking.useNetworkd = true;
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
# Select internationalisation properties.
|
||||
i18n = {
|
||||
defaultLocale = "en_US.UTF-8";
|
||||
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim
|
||||
git freeradius
|
||||
];
|
||||
|
||||
services.freeradius.enable = true;
|
||||
services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Create a few files early before packing tarball for Proxmox
|
||||
# architecture/OS detection.
|
||||
system.extraSystemBuilderCmds =
|
||||
''
|
||||
mkdir -m 0755 -p $out/bin
|
||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||
mkdir -m 0755 -p $out/sbin
|
||||
ln -s ../init $out/sbin/init
|
||||
'';
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
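Review bot: `networking.hostName` is defined twice in this file — `hostName = "radius";` inside the `networking = { ... }` attrset near the top and `networking.hostName = "nixbert"; # Define your hostname.` further down — with no `mkDefault`/`mkForce` on either, so evaluation should fail with conflicting definition values; the second looks left over from the template and should go. `services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";` points the daemon at a mutable checkout under `/root` rather than at files the build produced, so the effective RADIUS configuration (including the shared secrets and TLS keys that live in that directory) is not part of the system closure and can change without a rebuild; either reference the directory from the store (`configDir = ./freeradius;` if the option accepts a path) or add a comment saying why the out-of-store path is intentional. The commented-out `#boot.supportedFilesystems = [...]` line is archaeology with no explanation and can be dropped.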
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
#
|
||||
# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $
|
||||
#
|
||||
# This is like the 'users' file, but it is processed only for
|
||||
# accounting packets.
|
||||
#
|
||||
|
||||
# Select between different accounting methods based for example on the
|
||||
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
|
||||
# pairs contained in an accounting packet.
|
||||
#
|
||||
#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
|
||||
#
|
||||
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
|
||||
#
|
||||
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
|
||||
#
|
||||
#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
|
||||
|
||||
# Replace the User-Name with the Stripped-User-Name, if it exists.
|
||||
#
|
||||
#DEFAULT
|
||||
# User-Name := "%{Stripped-User-Name:-%{User-Name}}"
|
|
@ -0,0 +1,129 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
|
||||
#
|
||||
# This file contains security and configuration information
|
||||
# for each realm. The first field is the realm name and
|
||||
# can be up to 253 characters in length. This is followed (on
|
||||
# the next line) with the list of filter rules to be used to
|
||||
# decide what attributes and/or values we allow proxy servers
|
||||
# to pass to the NAS for this realm.
|
||||
#
|
||||
# When a proxy-reply packet is received from a home server,
|
||||
# these attributes and values are tested. Only the first match
|
||||
# is used unless the "Fall-Through" variable is set to "Yes".
|
||||
# In that case the rules defined in the DEFAULT case are
|
||||
# processed as well.
|
||||
#
|
||||
# A special realm named "DEFAULT" matches on all realm names.
|
||||
# You can have only one DEFAULT entry. All entries are processed
|
||||
# in the order they appear in this file. The first entry that
|
||||
# matches the login-request will stop processing unless you use
|
||||
# the Fall-Through variable.
|
||||
#
|
||||
# Indented (with the tab character) lines following the first
|
||||
# line indicate the filter rules.
|
||||
#
|
||||
# You can include another `attrs' file with `$INCLUDE attrs.other'
|
||||
#
|
||||
|
||||
#
|
||||
# This is a complete entry for realm "fisp". Note that there is no
|
||||
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||
# server will NOT allow any other a/v pairs other than the ones
|
||||
# listed here.
|
||||
#
|
||||
# These rules allow:
|
||||
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
|
||||
# o PPP sessions ( no SLIP, CSLIP, etc. )
|
||||
# o dynamic ip assignment ( can't assign a static ip )
|
||||
# o an idle timeout value set to 600 seconds (10 min) or less
|
||||
# o a max session time set to 28800 seconds (8 hours) or less
|
||||
#
|
||||
#fisp
|
||||
# Service-Type == Framed-User,
|
||||
# Framed-Protocol == PPP,
|
||||
# Framed-IP-Address == 255.255.255.254,
|
||||
# Idle-Timeout <= 600,
|
||||
# Session-Timeout <= 28800
|
||||
|
||||
#
|
||||
# This is a complete entry for realm "tisp". Note that there is no
|
||||
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||
# server will NOT allow any other a/v pairs other than the ones
|
||||
# listed here.
|
||||
#
|
||||
# These rules allow:
|
||||
# o Only Login-User Service-Type ( no framed/ppp sessions )
|
||||
# o Telnet sessions only ( no rlogin, tcp-clear )
|
||||
# o Login hosts of either 192.168.1.1 or 192.168.1.2
|
||||
#
|
||||
#tisp
|
||||
# Service-Type == Login-User,
|
||||
# Login-Service == Telnet,
|
||||
# Login-TCP-Port == 23,
|
||||
# Login-IP-Host == 192.168.1.1,
|
||||
# Login-IP-Host == 192.168.1.2
|
||||
|
||||
#
|
||||
# The following example can be used for a home server which is only
|
||||
# allowed to supply a Reply-Message, a Session-Timeout attribute of
|
||||
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
|
||||
# Acct-Interim-Interval attribute between 300 and 3600.
|
||||
# All other attributes sent back will be filtered out.
|
||||
#
|
||||
#strictrealm
|
||||
# Reply-Message =* ANY,
|
||||
# Session-Timeout <= 86400,
|
||||
# Idle-Timeout <= 600,
|
||||
# Acct-Interim-Interval >= 300,
|
||||
# Acct-Interim-Interval <= 3600
|
||||
|
||||
#
|
||||
# This is a complete entry for realm "spamrealm". Fall-Through is used,
|
||||
# so that the DEFAULT filter rules are used in addition to these.
|
||||
#
|
||||
# These rules allow:
|
||||
# o Force the application of Filter-ID attribute to be returned
|
||||
# in the proxy reply, whether the proxy sent it or not.
|
||||
# o The standard DEFAULT rules as defined below
|
||||
#
|
||||
#spamrealm
|
||||
# Framed-Filter-Id := "nosmtp.in",
|
||||
# Fall-Through = Yes
|
||||
|
||||
#
|
||||
# The rest of this file contains the DEFAULT entry.
|
||||
# DEFAULT matches with all realm names. (except if the realm previously
|
||||
# matched an entry with no Fall-Through)
|
||||
#
|
||||
|
||||
DEFAULT
|
||||
Service-Type == Framed-User,
|
||||
Service-Type == Login-User,
|
||||
Login-Service == Telnet,
|
||||
Login-Service == Rlogin,
|
||||
Login-Service == TCP-Clear,
|
||||
Login-TCP-Port <= 65536,
|
||||
Framed-IP-Address == 255.255.255.254,
|
||||
Framed-IP-Netmask == 255.255.255.255,
|
||||
Framed-Protocol == PPP,
|
||||
Framed-Protocol == SLIP,
|
||||
Framed-Compression == Van-Jacobson-TCP-IP,
|
||||
Framed-MTU >= 576,
|
||||
Framed-Filter-ID =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
Proxy-State =* ANY,
|
||||
EAP-Message =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
MS-MPPE-Recv-Key =* ANY,
|
||||
MS-MPPE-Send-Key =* ANY,
|
||||
MS-CHAP-MPPE-Keys =* ANY,
|
||||
State =* ANY,
|
||||
Session-Timeout <= 28800,
|
||||
Idle-Timeout <= 600,
|
||||
Calling-Station-Id =* ANY,
|
||||
Operator-Name =* ANY,
|
||||
Port-Limit <= 2
|
|
@ -0,0 +1,19 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $
|
||||
#
|
||||
# This configuration file is used to remove almost all of the
|
||||
# attributes From an Access-Challenge message. The RFC's say
|
||||
# that an Access-Challenge packet can contain only a few
|
||||
# attributes. We enforce that here.
|
||||
#
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
Proxy-State =* ANY,
|
||||
Session-Timeout =* ANY,
|
||||
Idle-Timeout =* ANY
|
|
@ -0,0 +1,17 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $
|
||||
#
|
||||
# This configuration file is used to remove almost all of the attributes
|
||||
# From an Access-Reject message. The RFC's say that an Access-Reject
|
||||
# packet can contain only a few attributes. We enforce that here.
|
||||
#
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
MS-CHAP-Error =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $
|
||||
#
|
||||
# This configuration file is used to remove almost all of the attributes
|
||||
# From an Accounting-Response message. The RFC's say that an
|
||||
# Accounting-Response packet can contain only a few attributes.
|
||||
# We enforce that here.
|
||||
#
|
||||
DEFAULT
|
||||
Vendor-Specific =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -0,0 +1,62 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $
|
||||
#
|
||||
# This file contains security and configuration information
|
||||
# for each realm. It can be used be an rlm_attr_filter module
|
||||
# instance to filter attributes before sending packets to the
|
||||
# home server of a realm.
|
||||
#
|
||||
# When a packet is sent to a home server, these attributes
|
||||
# and values are tested. Only the first match is used unless
|
||||
# the "Fall-Through" variable is set to "Yes". In that case
|
||||
# the rules defined in the DEFAULT case are processed as well.
|
||||
#
|
||||
# A special realm named "DEFAULT" matches on all realm names.
|
||||
# You can have only one DEFAULT entry. All entries are processed
|
||||
# in the order they appear in this file. The first entry that
|
||||
# matches the login-request will stop processing unless you use
|
||||
# the Fall-Through variable.
|
||||
#
|
||||
# The first line indicates the realm to which the rules apply.
|
||||
# Indented (with the tab character) lines following the first
|
||||
# line indicate the filter rules.
|
||||
#
|
||||
|
||||
# This is a complete entry for 'nochap' realm. It allows to send very
|
||||
# basic attributes to the home server. Note that there is no Fall-Through
|
||||
# entry so that no DEFAULT entry will be used. Only the listed attributes
|
||||
# will be sent in the packet, all other attributes will be filtered out.
|
||||
#
|
||||
#nochap
|
||||
# User-Name =* ANY,
|
||||
# User-Password =* ANY,
|
||||
# NAS-Ip-Address =* ANY,
|
||||
# NAS-Identifier =* ANY
|
||||
|
||||
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
|
||||
# if its value is different from 'Ethernet'. Then the default rules are
|
||||
# applied.
|
||||
#
|
||||
#brokenas
|
||||
# NAS-Port-Type == Ethernet
|
||||
# Fall-Through = Yes
|
||||
|
||||
# The rest of this file contains the DEFAULT entry.
|
||||
# DEFAULT matches with all realm names.
|
||||
|
||||
DEFAULT
|
||||
User-Name =* ANY,
|
||||
User-Password =* ANY,
|
||||
CHAP-Password =* ANY,
|
||||
CHAP-Challenge =* ANY,
|
||||
MS-CHAP-Challenge =* ANY,
|
||||
MS-CHAP-Response =* ANY,
|
||||
EAP-Message =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
State =* ANY,
|
||||
NAS-IP-Address =* ANY,
|
||||
NAS-Identifier =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,3AD0523FFE8CE8B72DF17107DF07836B
|
||||
|
||||
e0kcoXFr/E2N762180rPOSAeXsWDY2Ej2iv3XD7VYblSK0ChdXfdGmIqoauUlwIn
|
||||
K6WQ9E6tZFkYtnjFK3Sf7npjqqH8vYA0JewEBoLgA5/upA/ZYXZNXGqF5Xqs0q78
|
||||
314bOFsCy3Mb034OBPemQ8QY2zjsKvQJBQkzEujNDUfnSE7nKP7lZHIVhIeO8ec0
|
||||
GfjQ1sE4hACGhINdLdjZAT0UIxYgW8LARbaGt23H6SKOlVvCobCjzetRckVYBdt5
|
||||
8+m6Unx6z9L938koqUgbN8CJVv6FT5Sgk0fYJCRCEMKuMTDluSEAPFctKetn7eVy
|
||||
mZY7WaxkbUZhGv4v9+VPuKmCfjlquMK9nKBQskOJNF4fiiWH17920K1hye513+iY
|
||||
Q7GyTMywZqgirIjzusbeacXQ7MtZmlVlbIlwx2mh0edD73wQ1u42Wbhnxv1Sd4+M
|
||||
57WGefprxh7XtX3G92joVIRt8Em+tsYnhZ0LdKEChIX6Fnrewr/uWdKcCjazksLX
|
||||
fi1KVyDa4VVfZzgYRBxMXLBRY4l8g/JMRXI6pOEigzkpfnhVQS/pVWTTf35cJyMw
|
||||
YSsWs9J8WzNb37SuZqNnKPcZCaf8F66TEeu4jigMtjgt1LwXo2biPUwsyiVq/VCT
|
||||
pnfJho9OHVfDmplETeanpXTn902Z4ji173iFGe8E1MCqUARiHwtSFIHyCKCKvX7Z
|
||||
9MnydV75V/JlvL4Tp+x/+h6HKjeDkdQW1kL469DOtvVJLN2nxq969m0ztIntj98B
|
||||
UVNNQjIbwbVq2JQBdd3jDiDtFGPu+cZmX5/+boxb/Q0hHthf9Z/XfMiQUHyTOUI1
|
||||
LSOaH2tp0r1N0/C5BxNaqPaauyXEK4S96/YR071rjjWQBiF2qXQHOC3pjSFdrvVb
|
||||
tZaqNbSvNgxqJhU8u5gf/fKOtMK2XMjzkk8E8jcwAY4gU3c72N17xlBRA2H9FM7B
|
||||
DfjzNRcyCD39jyM+gfiudczBgarmonMQlTt153cR7UvZ3zZ7YmVWvSQ1hxy0deuT
|
||||
OqfpSR/lgoIaXEW1igdyaMlXPetnTCMi1CaTzD7A80yJeWpK6abOxGk5O9mwwpUu
|
||||
02YMas9ETsbnElMscQTYPpDui/0ZXX9gjNEpP03ZEkixr++QUkN3EA76A+i06GDE
|
||||
3R+4W1GFn8uRrnruyciSR+e/S7g4M5Q99c7QCp9CdsPGKKMe681hj7SqylToNSwB
|
||||
9DKNo+3QIIRupxkYcpyZBLnofRqiKbd3pcdnAUO6/15WBoiz0sqDnSbUIKf4eWmO
|
||||
nzRVaA9cJ/6RF3hZ7++om/vbX7rskthZeGGvwZpRNIqwBsA0lHLZ5inB/dsChRTy
|
||||
oMBX6zcPIyUWo9e0NOJqYTMmsBVA1QeAywzAJo/jRWL6mA8NT/97KizqYS1ZlcjU
|
||||
PhT/v80l5hWrOzB+URZkBOo3ygkntScj/gxqLsisdrHP9YbOIkhRWSBWzWXGywXy
|
||||
8PqoOZF1NB2pTuSP7z0THtxKn4B/mq15Lg+26YZgauVWlf8MY8FOOaDBeRGyJ9W7
|
||||
pbqktLIQ0zPRfF+CGVmTC62Bfcsb+DNXowvgU5DlN8hJ0rMmJYbcyJyWmwyWWKtX
|
||||
-----END RSA PRIVATE KEY-----
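Review bot: This section commits an RSA private key to the repository (`-----BEGIN RSA PRIVATE KEY-----`, `Proc-Type: 4,ENCRYPTED`), and the same applies to the second key section further down beginning `DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03`. The passphrase wrapping is the legacy OpenSSL PEM scheme, which offers little protection against offline guessing by anyone with read access to the repository, and the passphrase presumably has to be stored somewhere the RADIUS server can read it anyway. The certificate that follows appears (from the subject in its DER) to be the CA certificate for `radius.hq.c3d2.de`, so this is likely the key that signs the EAP server certificate; it belongs in the `secrets` location the mucbot configuration already imports from (`../../../secrets/...`), and because it has been in history it should be treated as exposed and rotated. A short comment or README next to the certificates stating which key is the CA key and which is the server key would also help the next maintainer.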
|
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIID5TCCAs2gAwIBAgIJAKA5akuqlUzKMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
|
||||
VQQGEwJERTEQMA4GA1UECAwHU2FjaHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsG
|
||||
A1UECgwEQzNEMjENMAsGA1UECwwEQzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMz
|
||||
ZDIuZGUxGzAZBgkqhkiG9w0BCQEWDG1haWxAYzNkMi5kZTAeFw0xNTA2MDYxOTA5
|
||||
MjFaFw0yNTA2MDMxOTA5MjFaMIGIMQswCQYDVQQGEwJERTEQMA4GA1UECAwHU2Fj
|
||||
aHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsGA1UECgwEQzNEMjENMAsGA1UECwwE
|
||||
QzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMzZDIuZGUxGzAZBgkqhkiG9w0BCQEW
|
||||
DG1haWxAYzNkMi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPRR
|
||||
Xf+pocIFjZGeSuo+LM7/lqnQ96Pc2g9cTXlxoeCFP1akwYUzDl1ZqvUZsC3hKKkB
|
||||
EjmI2VB4rjIgT9Z/57aQ7jYYp1B6ivQDapKSqpKFL6s0VzDljrzOmxvGQFXyV88X
|
||||
TiMkwmtmS2Bj62poWhSlpQk9sPaioz8SDrJtBxM9fNSbM1ED9rRXGWlSwEVBzeUp
|
||||
YaNWYCc3CPYLIhNZmtFhAhNmzw/tIx5+MRa/hkEarbyToZ7EceTMJ4KflBBLXQzY
|
||||
s2PLYkRbZMBUlRM7HDZVx6F8OPusnG1luB2LX/kQCvYuFk6BiBdussOFLD0swdtd
|
||||
rK820j6dIAJbbxSfy90CAwEAAaNQME4wHQYDVR0OBBYEFDHshd+TNUAwSY0+cpaH
|
||||
HDQaOXwnMB8GA1UdIwQYMBaAFDHshd+TNUAwSY0+cpaHHDQaOXwnMAwGA1UdEwQF
|
||||
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADc7I4dtsIhSN0jDs0iavwBT13a1sslp
|
||||
e2gwDdcTh0xAVmmrq84JY6uIoMjLrx+roE3vn+oLHP8qrlw4snbOc0mo04o2lMza
|
||||
DepLQoBtnMNaUTSOHt1avvP8bhFTE0c0MlFAInC1MpqO5mtRwpays/f1Hc+iEOmx
|
||||
o3iHLpdKpeEfFxFZVNsJKva/A2DlLVqTdH/UvTdnoxwvSRzzEBP3plqdNSFsg5XZ
|
||||
oGNSsoNT6k2cFjQtxRdrKk+qggbPuPbTC5fXWOTlu4A2eVmW0XfT4eZ9z8QRe7dA
|
||||
uGOcC1XiDLmIon9q5KIH3k3TiL5hELJu2BvatxJaOpwGR1pbcooZaI0=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIGHAoGBAKNmmoE+doPb+VmQlXOqsXcVX5ciwWyf+QsdEVyyic6fZUMWbAvFwDN1
|
||||
hnT5HbpWkCnwU5H27st8+SluOMGfjiwmhtn5TZqX1b0bOWH+UeT1iRLBaClZNNCx
|
||||
MDWIVbk1cpnNszsMPGhjMrQwN06bZFPwFBS8+smgrDnQoN1BkPPjAgEC
|
||||
-----END DH PARAMETERS-----
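Review bot: The DH parameters here decode to a 1024-bit group (`MIGHAoGB…` is a 129-byte INTEGER modulus followed by generator 2), which has been considered too small for finite-field DH since 2015 and is rejected or warned about by current TLS stacks. Regenerate with at least 2048 bits, e.g. `openssl dhparam -out <file> 2048`, or drop the file and rely on ECDHE if the EAP-TLS configuration permits it. The size was read from the base64 header only, so confirm with `openssl dhparam -in <file> -text -noout` before changing anything.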
|
|
@ -0,0 +1,18 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIC1jCCAb4CAQAwgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAw
|
||||
DgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIw
|
||||
IAYDVQQDDBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkB
|
||||
FgxtYWlsQGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm
|
||||
yrdjj+J2xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZM
|
||||
w/0bnHRkzubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCY
|
||||
rtJX/Yqk/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3
|
||||
NBR5yyA2Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lO
|
||||
yK3CYl2i2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrn
|
||||
ukPf/XhKQp3pPKctUUBBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAE4GoYZ/w
|
||||
Jf4rSuS6j/Sq4v4pUIoU3tZd3UvjG5jj34XZFvTNzKHdazS7VYyFjukMPSv+WljV
|
||||
v2v6xn62RjRHXvRu4/fXBvyAcxdQngf892BYGTVxB3OMVE1JCyc2xARh6gcOvrfC
|
||||
wwOIYw4Wc5xZ8JjmhK/9zyuVVSOEcV03LY7kSYFrwTgs/k/+Cv2Myimlc+n0r76/
|
||||
iDHU+8R0O/yD5dkDdJ/GFr9d09OoF+6WQc9pRVloHxQut9YS0C5P03+Xw9CUhRGB
|
||||
L7n+k6eqzE2Fi43nTqb9KrBaTi/RdYht1DdaVxgJ1n/INqaeORqiAjyAmvuooBTF
|
||||
jSbFtdKfURnjOQ==
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03
|
||||
|
||||
77B64GyVzF3TkltnC8nZaZENB1zCl626Bi3NcjpszsIw/LnOC8bn2MjiEQwoNXOI
|
||||
GxcjUSyzB9v++/qMbvPIQ2hJXd7aayu0OWbLoFjyISqQDZhxMNwTlr0ZPppH2LoC
|
||||
HXQV8BKSMkxN2SMNyLdZt6pfpKtyOBUKoy7jDCCiaTEamvGtGKyhgQZVpyPrz8lS
|
||||
BFpUR2czPggFu8WsJ5jov7k7rEkuUMFvsNDRajRMwSzr9z6ESmEc9AavB9/t1TZ8
|
||||
M9eEgp65QUBcDzDVvP05pjwF+4wgqabC41k3EMiA2LLlFIn5Bvamq1Sj3DLdWIQE
|
||||
fzgw8NM2JRF3CZdFt/rAVoCIcpNx7kcWu8UCpdHYmlB+VwIYnrUWngT5kaMp2vvu
|
||||
B235/QffgANfB560dIP4Z2CnZI1SLyhTJPLTmwO/XWOtuoQso5nfxtHNq/IwrUA1
|
||||
jxedKG9AkBQQPsHAErZnxoFotK//zyggx6S41SjnMFWr1PrscU3mA+A+UvwLP7Bu
|
||||
gmw1oIDWL3sZ5B7KQJ2FC6ryjyoQiSI/AK8Gk0Ryhf1oUhgguxUDnWSKqrxEoeHJ
|
||||
S635pYjlDVyhU3ct9BWbFBOzdYPZBIQHPfB/lvmbl6lsFA5oOgCvZHDrBSytiSIc
|
||||
0k5cjhhQanvPRVu8ulIiHNnMFGuvX1rzh0im4IrITK7YtHj65I1gCIU4gFrfXk6T
|
||||
QtPZoaa5F4VV5BdyljF7t+yFzVthrbPb/MVjWJgC4j40fICmA8x5TTl//HGg41AN
|
||||
yJcn3295GlTQ/EagxEfWAiy38+1IGwTsNFFHxaTYGoIMON06HTegFH39MmTOBl2G
|
||||
mmk4d+m/A3KEZ1Le16xZCc7QjQRwMUMzHk4w3FfvkKSDj4Li8xFbKv4zUrXx++Q7
|
||||
mm5owtMWrit7bAbDli9hpGe+AsQGXIsHPC3i/wsm64niWiTcBK3TO5sF/3n0nNVb
|
||||
MkdVA9OaBpXG8XjHdK62HylaOHpyNB7kEhRjcTT2EKZZ10DcQpPDvJhx8lkvauww
|
||||
ubVZHBPqIXdI/L7H/6hqyxe0S0IPtoQpgEr/1lyUWQZtiDyFrQ1ySCY1HGwXtmWa
|
||||
fUP6TyZQogdND8GhzhEFY4J/FWUM8k5VowzuxYnUGEKKERDwDaQwNRoi+L9fiiKh
|
||||
nNmTOHCIoxCfN9+H8sVtPiliPr1x4G3aeegsEJfKnmDP5gyj02tOYb2IpqhSsdCZ
|
||||
qXQ2AuUq42dq5YeQA0KVRD6hiK9L+sO5BSCrr2dtF6SAK+00/CL42EP2ee+C65kW
|
||||
ksxGssmtGrcjcIW9niHx9acGTgDJ6nBK9zawQkNkF8pr8GUNyAsY5+nGy3H4EsO0
|
||||
XtszaUyT/xnSwZV+OGLIRP10lCiWPtU+Axay3DjUrxmbzzWZ3XmIbNRrYN2gxZ3b
|
||||
eA1QJE2kFwmZfngDqTu9uACHINwegj9juCDCOHLYF3shiOgqEsRypCaTYfZKoZY6
|
||||
feelUSD5Xs86ezKO2KxU1Pan9pZCnKUtJ+lpmlqyQIB+DEKJpNabHIXECMIwnxzK
|
||||
ftpahPFJDFWqguh1BeFZTCtb9qlDcXLMFac9aTMoK5KWQ3ed9gucvKHUm6G57zB8
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjjCCAnYCAQEwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAkRFMRAwDgYD
|
||||
VQQIDAdTYWNoc2VuMRAwDgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0w
|
||||
CwYDVQQLDARDM0QyMRowGAYDVQQDDBFyYWRpdXMuaHEuYzNkMi5kZTEbMBkGCSqG
|
||||
SIb3DQEJARYMbWFpbEBjM2QyLmRlMB4XDTE1MDYwNjE5MTAzNloXDTI1MDYwMzE5
|
||||
MTAzNlowgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAwDgYDVQQH
|
||||
DAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIwIAYDVQQD
|
||||
DBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkBFgxtYWls
|
||||
QGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmyrdjj+J2
|
||||
xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZMw/0bnHRk
|
||||
zubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCYrtJX/Yqk
|
||||
/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3NBR5yyA2
|
||||
Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lOyK3CYl2i
|
||||
2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrnukPf/XhK
|
||||
Qp3pPKctUUBBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJdpPd8HTJwOfjD0COUw
|
||||
NBlPh7amQeASg0Gzz6w1NFZtVkUrnlp638pjsMsi6ldwwmNyWY5VA9TwwDTOxm9X
|
||||
CacG2tEirGwIHsrOo4BBMSrMu7V2ts+IIv92C5kgmFU2vbs2jKquepKt4zsOfwd2
|
||||
X+5qF/5qr3BkOIE6pc00IE9rRyzcE0KvaEEVHlvc/oS8f2F8lYRpJNjFNmW1jKs9
|
||||
TaLQWG7a0Wy97IWk1kcW5XymjAq4UJjcbPWm+zZVUJq21wlHHLnkbP6KeqY0RE7R
|
||||
wyq3yVAZTzXimfmwiQgGFA8P5pwrYkXcA342J+IgeblRgsT/6Lirfyd05ctQc3yL
|
||||
NBU=
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,247 @@
|
|||
# -*- text -*-
|
||||
##
|
||||
## clients.conf -- client configuration directives
|
||||
##
|
||||
## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Define RADIUS clients (usually a NAS, Access Point, etc.).
|
||||
|
||||
#
|
||||
# Defines a RADIUS client.
|
||||
#
|
||||
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
|
||||
# to allow testing of the server after an initial installation. If you
|
||||
# are not going to be permitting RADIUS queries from localhost, we suggest
|
||||
# that you delete, or comment out, this entry.
|
||||
#
|
||||
#
|
||||
|
||||
#
|
||||
# Each client has a "short name" that is used to distinguish it from
|
||||
# other clients.
|
||||
#
|
||||
# In version 1.x, the string after the word "client" was the IP
|
||||
# address of the client. In 2.0, the IP address is configured via
|
||||
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
|
||||
# format is still accepted.
|
||||
#
|
||||
client localhost {
|
||||
# Allowed values are:
|
||||
# dotted quad (1.2.3.4)
|
||||
# hostname (radius.example.com)
|
||||
ipaddr = 127.0.0.1
|
||||
|
||||
# OR, you can use an IPv6 address, but not both
|
||||
# at the same time.
|
||||
# ipv6addr = :: # any. ::1 == localhost
|
||||
|
||||
#
|
||||
# A note on DNS: We STRONGLY recommend using IP addresses
|
||||
# rather than host names. Using host names means that the
|
||||
# server will do DNS lookups when it starts, making it
|
||||
# dependent on DNS. i.e. If anything goes wrong with DNS,
|
||||
# the server won't start!
|
||||
#
|
||||
# The server also looks up the IP address from DNS once, and
|
||||
# only once, when it starts. If the DNS record is later
|
||||
# updated, the server WILL NOT see that update.
|
||||
#
|
||||
|
||||
# One client definition can be applied to an entire network.
|
||||
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
|
||||
# "netmask = 8"
|
||||
#
|
||||
# If not specified, the default netmask is 32 (i.e. /32)
|
||||
#
|
||||
# We do NOT recommend using anything other than 32. There
|
||||
# are usually other, better ways to achieve the same goal.
|
||||
# Using netmasks of other than 32 can cause security issues.
|
||||
#
|
||||
# You can specify overlapping networks (127/8 and 127.0/16)
|
||||
# In that case, the smallest possible network will be used
|
||||
# as the "best match" for the client.
|
||||
#
|
||||
# Clients can also be defined dynamically at run time, based
|
||||
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
|
||||
# etc.
|
||||
# See raddb/sites-available/dynamic-clients for details.
|
||||
#
|
||||
|
||||
# netmask = 32
|
||||
|
||||
#
|
||||
# The shared secret use to "encrypt" and "sign" packets between
|
||||
# the NAS and FreeRADIUS. You MUST change this secret from the
|
||||
# default, otherwise it's not a secret any more!
|
||||
#
|
||||
# The secret can be any string, up to 8k characters in length.
|
||||
#
|
||||
# Control codes can be entered vi octal encoding,
|
||||
# e.g. "\101\102" == "AB"
|
||||
# Quotation marks can be entered by escaping them,
|
||||
# e.g. "foo\"bar"
|
||||
#
|
||||
# A note on security: The security of the RADIUS protocol
|
||||
# depends COMPLETELY on this secret! We recommend using a
|
||||
# shared secret that is composed of:
|
||||
#
|
||||
# upper case letters
|
||||
# lower case letters
|
||||
# numbers
|
||||
#
|
||||
# And is at LEAST 8 characters long, preferably 16 characters in
|
||||
# length. The secret MUST be random, and should not be words,
|
||||
# phrase, or anything else that is recognizable.
|
||||
#
|
||||
# The default secret below is only for testing, and should
|
||||
# not be used in any real environment.
|
||||
#
|
||||
secret = testing123
|
||||
|
||||
#
|
||||
# Old-style clients do not send a Message-Authenticator
|
||||
# in an Access-Request. RFC 5080 suggests that all clients
|
||||
# SHOULD include it in an Access-Request. The configuration
|
||||
# item below allows the server to require it. If a client
|
||||
# is required to include a Message-Authenticator and it does
|
||||
# not, then the packet will be silently discarded.
|
||||
#
|
||||
# allowed values: yes, no
|
||||
require_message_authenticator = no
|
||||
|
||||
#
|
||||
# The short name is used as an alias for the fully qualified
|
||||
# domain name, or the IP address.
|
||||
#
|
||||
# It is accepted for compatibility with 1.x, but it is no
|
||||
# longer necessary in 2.0
|
||||
#
|
||||
# shortname = localhost
|
||||
|
||||
#
|
||||
# the following three fields are optional, but may be used by
|
||||
# checkrad.pl for simultaneous use checks
|
||||
#
|
||||
|
||||
#
|
||||
# The nastype tells 'checkrad.pl' which NAS-specific method to
|
||||
# use to query the NAS for simultaneous use.
|
||||
#
|
||||
# Permitted NAS types are:
|
||||
#
|
||||
# cisco
|
||||
# computone
|
||||
# livingston
|
||||
# juniper
|
||||
# max40xx
|
||||
# multitech
|
||||
# netserver
|
||||
# pathras
|
||||
# patton
|
||||
# portslave
|
||||
# tc
|
||||
# usrhiper
|
||||
# other # for all other types
|
||||
|
||||
#
|
||||
nastype = other # localhost isn't usually a NAS...
|
||||
|
||||
#
|
||||
# The following two configurations are for future use.
|
||||
# The 'naspasswd' file is currently used to store the NAS
|
||||
# login name and password, which is used by checkrad.pl
|
||||
# when querying the NAS for simultaneous use.
|
||||
#
|
||||
# login = !root
|
||||
# password = someadminpas
|
||||
|
||||
#
|
||||
# As of 2.0, clients can also be tied to a virtual server.
|
||||
# This is done by setting the "virtual_server" configuration
|
||||
# item, as in the example below.
|
||||
#
|
||||
# virtual_server = home1
|
||||
|
||||
#
|
||||
# A pointer to the "home_server_pool" OR a "home_server"
|
||||
# section that contains the CoA configuration for this
|
||||
# client. For an example of a coa home server or pool,
|
||||
# see raddb/sites-available/originate-coa
|
||||
# coa_server = coa
|
||||
}
|
||||
|
||||
# IPv6 Client
|
||||
#client ::1 {
|
||||
# secret = testing123
|
||||
# shortname = localhost
|
||||
#}
|
||||
#
|
||||
# All IPv6 Site-local clients
|
||||
#client fe80::/16 {
|
||||
# secret = testing123
|
||||
# shortname = localhost
|
||||
#}
|
||||
|
||||
#client some.host.org {
|
||||
# secret = testing123
|
||||
# shortname = localhost
|
||||
#}
|
||||
|
||||
#
|
||||
# You can now specify one secret for a network of clients.
|
||||
# When a client request comes in, the BEST match is chosen.
|
||||
# i.e. The entry from the smallest possible network.
|
||||
#
|
||||
#client 192.168.0.0/24 {
|
||||
# secret = testing123-1
|
||||
# shortname = private-network-1
|
||||
#}
|
||||
#
|
||||
#client 192.168.0.0/16 {
|
||||
# secret = testing123-2
|
||||
# shortname = private-network-2
|
||||
#}
|
||||
|
||||
|
||||
#client 10.10.10.10 {
|
||||
# # secret and password are mapped through the "secrets" file.
|
||||
# secret = testing123
|
||||
# shortname = liv1
|
||||
# # the following three fields are optional, but may be used by
|
||||
# # checkrad.pl for simultaneous usage checks
|
||||
# nastype = livingston
|
||||
# login = !root
|
||||
# password = someadminpas
|
||||
#}
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Per-socket client lists. The configuration entries are exactly
|
||||
# the same as above, but they are nested inside of a section.
|
||||
#
|
||||
# You can have as many per-socket client lists as you have "listen"
|
||||
# sections, or you can re-use a list among multiple "listen" sections.
|
||||
#
|
||||
# Un-comment this section, and edit a "listen" section to add:
|
||||
# "clients = per_socket_clients". That IP address/port combination
|
||||
# will then accept ONLY the clients listed in this section.
|
||||
#
|
||||
#clients per_socket_clients {
|
||||
# client 192.168.3.4 {
|
||||
# secret = testing123
|
||||
# }
|
||||
#}
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
|
||||
client any {
|
||||
ipaddr 0.0.0.0/0
|
||||
secret = public
|
||||
nastype = other
|
||||
require_message_authenticator = no
|
||||
}
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
# EOF
|
|
@ -0,0 +1,32 @@
|
|||
#
|
||||
# This is the master dictionary file, which references the
|
||||
# pre-defined dictionary files included with the server.
|
||||
#
|
||||
# Any new/changed attributes MUST be placed in this file, as
|
||||
# the pre-defined dictionaries SHOULD NOT be edited.
|
||||
#
|
||||
# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
|
||||
#
|
||||
|
||||
#
|
||||
# The filename given here should be an absolute path.
|
||||
#
|
||||
$INCLUDE /usr/share/freeradius/dictionary
|
||||
|
||||
#
|
||||
# Place additional attributes or $INCLUDEs here. They will
|
||||
# over-ride the definitions in the pre-defined dictionaries.
|
||||
#
|
||||
# See the 'man' page for 'dictionary' for information on
|
||||
# the format of the dictionary files.
|
||||
|
||||
#
|
||||
# If you want to add entries to the dictionary file,
|
||||
# which are NOT going to be placed in a RADIUS packet,
|
||||
# add them here. The numbers you pick should be between
|
||||
# 3000 and 4000.
|
||||
#
|
||||
|
||||
#ATTRIBUTE My-Local-String 3000 string
|
||||
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
|
||||
#ATTRIBUTE My-Local-Integer 3002 integer
|
|
@ -0,0 +1,688 @@
|
|||
# -*- text -*-
|
||||
##
|
||||
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
|
||||
##
|
||||
## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
|
||||
# is smart enough to figure this out on its own. The most
|
||||
# common side effect of setting 'Auth-Type := EAP' is that the
|
||||
# users then cannot use ANY other authentication method.
|
||||
#
|
||||
# EAP types NOT listed here may be supported via the "eap2" module.
|
||||
# See experimental.conf for documentation.
|
||||
#
|
||||
eap {
|
||||
# Invoke the default supported EAP type when
|
||||
# EAP-Identity response is received.
|
||||
#
|
||||
# The incoming EAP messages DO NOT specify which EAP
|
||||
# type they will be using, so it MUST be set here.
|
||||
#
|
||||
# For now, only one default EAP type may be used at a time.
|
||||
#
|
||||
# If the EAP-Type attribute is set by another module,
|
||||
# then that EAP type takes precedence over the
|
||||
# default type configured here.
|
||||
#
|
||||
default_eap_type = ttls
|
||||
|
||||
# A list is maintained to correlate EAP-Response
|
||||
# packets with EAP-Request packets. After a
|
||||
# configurable length of time, entries in the list
|
||||
# expire, and are deleted.
|
||||
#
|
||||
timer_expire = 60
|
||||
|
||||
# There are many EAP types, but the server has support
|
||||
# for only a limited subset. If the server receives
|
||||
# a request for an EAP type it does not support, then
|
||||
# it normally rejects the request. By setting this
|
||||
# configuration to "yes", you can tell the server to
|
||||
# instead keep processing the request. Another module
|
||||
# MUST then be configured to proxy the request to
|
||||
# another RADIUS server which supports that EAP type.
|
||||
#
|
||||
# If another module is NOT configured to handle the
|
||||
# request, then the request will still end up being
|
||||
# rejected.
|
||||
ignore_unknown_eap_types = no
|
||||
|
||||
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
|
||||
# a User-Name attribute in an Access-Accept, it copies one
|
||||
# more byte than it should.
|
||||
#
|
||||
# We can work around it by configurably adding an extra
|
||||
# zero byte.
|
||||
cisco_accounting_username_bug = no
|
||||
|
||||
#
|
||||
# Help prevent DoS attacks by limiting the number of
|
||||
# sessions that the server is tracking. For simplicity,
|
||||
# this is taken from the "max_requests" directive in
|
||||
# radiusd.conf.
|
||||
max_sessions = ${max_requests}
|
||||
|
||||
# Supported EAP-types
|
||||
|
||||
#
|
||||
# We do NOT recommend using EAP-MD5 authentication
|
||||
# for wireless connections. It is insecure, and does
|
||||
# not provide for dynamic WEP keys.
|
||||
#
|
||||
md5 {
|
||||
}
|
||||
|
||||
# Cisco LEAP
|
||||
#
|
||||
# We do not recommend using LEAP in new deployments. See:
|
||||
# http://www.securiteam.com/tools/5TP012ACKE.html
|
||||
#
|
||||
# Cisco LEAP uses the MS-CHAP algorithm (but not
|
||||
# the MS-CHAP attributes) to perform it's authentication.
|
||||
#
|
||||
# As a result, LEAP *requires* access to the plain-text
|
||||
# User-Password, or the NT-Password attributes.
|
||||
# 'System' authentication is impossible with LEAP.
|
||||
#
|
||||
leap {
|
||||
}
|
||||
|
||||
# Generic Token Card.
|
||||
#
|
||||
# Currently, this is only permitted inside of EAP-TTLS,
|
||||
# or EAP-PEAP. The module "challenges" the user with
|
||||
# text, and the response from the user is taken to be
|
||||
# the User-Password.
|
||||
#
|
||||
# Proxying the tunneled EAP-GTC session is a bad idea,
|
||||
# the users password will go over the wire in plain-text,
|
||||
# for anyone to see.
|
||||
#
|
||||
gtc {
|
||||
# The default challenge, which many clients
|
||||
# ignore..
|
||||
#challenge = "Password: "
|
||||
|
||||
# The plain-text response which comes back
|
||||
# is put into a User-Password attribute,
|
||||
# and passed to another module for
|
||||
# authentication. This allows the EAP-GTC
|
||||
# response to be checked against plain-text,
|
||||
# or crypt'd passwords.
|
||||
#
|
||||
# If you say "Local" instead of "PAP", then
|
||||
# the module will look for a User-Password
|
||||
# configured for the request, and do the
|
||||
# authentication itself.
|
||||
#
|
||||
auth_type = PAP
|
||||
}
|
||||
|
||||
## EAP-TLS
|
||||
#
|
||||
# See raddb/certs/README for additional comments
|
||||
# on certificates.
|
||||
#
|
||||
# If OpenSSL was not found at the time the server was
|
||||
# built, the "tls", "ttls", and "peap" sections will
|
||||
# be ignored.
|
||||
#
|
||||
# Otherwise, when the server first starts in debugging
|
||||
# mode, test certificates will be created. See the
|
||||
# "make_cert_command" below for details, and the README
|
||||
# file in raddb/certs
|
||||
#
|
||||
# These test certificates SHOULD NOT be used in a normal
|
||||
# deployment. They are created only to make it easier
|
||||
# to install the server, and to perform some simple
|
||||
# tests with EAP-TLS, TTLS, or PEAP.
|
||||
#
|
||||
# See also:
|
||||
#
|
||||
# http://www.dslreports.com/forum/remark,9286052~mode=flat
|
||||
#
|
||||
# Note that you should NOT use a globally known CA here!
|
||||
# e.g. using a Verisign cert as a "known CA" means that
|
||||
# ANYONE who has a certificate signed by them can
|
||||
# authenticate via EAP-TLS! This is likely not what you want.
|
||||
tls {
|
||||
#
|
||||
# These is used to simplify later configurations.
|
||||
#
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
|
||||
private_key_password = c3d2
|
||||
private_key_file = ${certdir}/server.key
|
||||
|
||||
# If Private key & Certificate are located in
|
||||
# the same file, then private_key_file &
|
||||
# certificate_file must contain the same file
|
||||
# name.
|
||||
#
|
||||
# If CA_file (below) is not used, then the
|
||||
# certificate_file below MUST include not
|
||||
# only the server certificate, but ALSO all
|
||||
# of the CA certificates used to sign the
|
||||
# server certificate.
|
||||
certificate_file = ${certdir}/server.pem
|
||||
|
||||
# Trusted Root CA list
|
||||
#
|
||||
# ALL of the CA's in this list will be trusted
|
||||
# to issue client certificates for authentication.
|
||||
#
|
||||
# In general, you should use self-signed
|
||||
# certificates for 802.1x (EAP) authentication.
|
||||
# In that case, this CA file should contain
|
||||
# *one* CA certificate.
|
||||
#
|
||||
# This parameter is used only for EAP-TLS,
|
||||
# when you issue client certificates. If you do
|
||||
# not use client certificates, and you do not want
|
||||
# to permit EAP-TLS authentication, then delete
|
||||
# this configuration item.
|
||||
CA_file = ${cadir}/ca.pem
|
||||
|
||||
#
|
||||
# For DH cipher suites to work, you have to
|
||||
# run OpenSSL to create the DH file first:
|
||||
#
|
||||
# openssl dhparam -out certs/dh 1024
|
||||
#
|
||||
dh_file = ${certdir}/dh
|
||||
random_file = /dev/urandom
|
||||
|
||||
|
||||
#
|
||||
# This can never exceed the size of a RADIUS
|
||||
# packet (4096 bytes), and is preferably half
|
||||
# that, to accomodate other attributes in
|
||||
# RADIUS packet. On most APs the MAX packet
|
||||
# length is configured between 1500 - 1600
|
||||
# In these cases, fragment size should be
|
||||
# 1024 or less.
|
||||
#
|
||||
fragment_size = 1024
|
||||
|
||||
# include_length is a flag which is
|
||||
# by default set to yes If set to
|
||||
# yes, Total Length of the message is
|
||||
# included in EVERY packet we send.
|
||||
# If set to no, Total Length of the
|
||||
# message is included ONLY in the
|
||||
# First packet of a fragment series.
|
||||
#
|
||||
# include_length = yes
|
||||
|
||||
# Check the Certificate Revocation List
|
||||
#
|
||||
# 1) Copy CA certificates and CRLs to same directory.
|
||||
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||
# 'c_rehash' is OpenSSL's command.
|
||||
# 3) uncomment the line below.
|
||||
# 5) Restart radiusd
|
||||
# check_crl = yes
|
||||
CA_path = ${cadir}
|
||||
|
||||
#
|
||||
# If check_cert_issuer is set, the value will
|
||||
# be checked against the DN of the issuer in
|
||||
# the client certificate. If the values do not
|
||||
# match, the cerficate verification will fail,
|
||||
# rejecting the user.
|
||||
#
|
||||
# In 2.1.10 and later, this check can be done
|
||||
# more generally by checking the value of the
|
||||
# TLS-Client-Cert-Issuer attribute. This check
|
||||
# can be done via any mechanism you choose.
|
||||
#
|
||||
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||
|
||||
#
|
||||
# If check_cert_cn is set, the value will
|
||||
# be xlat'ed and checked against the CN
|
||||
# in the client certificate. If the values
|
||||
# do not match, the certificate verification
|
||||
# will fail rejecting the user.
|
||||
#
|
||||
# This check is done only if the previous
|
||||
# "check_cert_issuer" is not set, or if
|
||||
# the check succeeds.
|
||||
#
|
||||
# In 2.1.10 and later, this check can be done
|
||||
# more generally by checking the value of the
|
||||
# TLS-Client-Cert-CN attribute. This check
|
||||
# can be done via any mechanism you choose.
|
||||
#
|
||||
# check_cert_cn = %{User-Name}
|
||||
#
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
cipher_list = "DEFAULT"
|
||||
|
||||
#
|
||||
# As part of checking a client certificate, the EAP-TLS
|
||||
# sets some attributes such as TLS-Client-Cert-CN. This
|
||||
# virtual server has access to these attributes, and can
|
||||
# be used to accept or reject the request.
|
||||
#
|
||||
# virtual_server = check-eap-tls
|
||||
|
||||
# This command creates the initial "snake oil"
|
||||
# certificates when the server is run as root,
|
||||
# and via "radiusd -X".
|
||||
#
|
||||
# As of 2.1.11, it *also* checks the server
|
||||
# certificate for validity, including expiration.
|
||||
# This means that radiusd will refuse to start
|
||||
# when the certificate has expired. The alternative
|
||||
# is to have the 802.1X clients refuse to connect
|
||||
# when they discover the certificate has expired.
|
||||
#
|
||||
# Debugging client issues is hard, so it's better
|
||||
# for the server to print out an error message,
|
||||
# and refuse to start.
|
||||
#
|
||||
make_cert_command = "${certdir}/bootstrap"
|
||||
|
||||
#
|
||||
# Elliptical cryptography configuration
|
||||
#
|
||||
# Only for OpenSSL >= 0.9.8.f
|
||||
#
|
||||
ecdh_curve = "prime256v1"
|
||||
|
||||
#
|
||||
# Session resumption / fast reauthentication
|
||||
# cache.
|
||||
#
|
||||
# The cache contains the following information:
|
||||
#
|
||||
# session Id - unique identifier, managed by SSL
|
||||
# User-Name - from the Access-Accept
|
||||
# Stripped-User-Name - from the Access-Request
|
||||
# Cached-Session-Policy - from the Access-Accept
|
||||
#
|
||||
# The "Cached-Session-Policy" is the name of a
|
||||
# policy which should be applied to the cached
|
||||
# session. This policy can be used to assign
|
||||
# VLANs, IP addresses, etc. It serves as a useful
|
||||
# way to re-apply the policy from the original
|
||||
# Access-Accept to the subsequent Access-Accept
|
||||
# for the cached session.
|
||||
#
|
||||
# On session resumption, these attributes are
|
||||
# copied from the cache, and placed into the
|
||||
# reply list.
|
||||
#
|
||||
# You probably also want "use_tunneled_reply = yes"
|
||||
# when using fast session resumption.
|
||||
#
|
||||
cache {
|
||||
#
|
||||
# Enable it. The default is "no".
|
||||
# Deleting the entire "cache" subsection
|
||||
# Also disables caching.
|
||||
#
|
||||
# You can disallow resumption for a
|
||||
# particular user by adding the following
|
||||
# attribute to the control item list:
|
||||
#
|
||||
# Allow-Session-Resumption = No
|
||||
#
|
||||
# If "enable = no" below, you CANNOT
|
||||
# enable resumption for just one user
|
||||
# by setting the above attribute to "yes".
|
||||
#
|
||||
enable = no
|
||||
|
||||
#
|
||||
# Lifetime of the cached entries, in hours.
|
||||
# The sessions will be deleted after this
|
||||
# time.
|
||||
#
|
||||
lifetime = 24 # hours
|
||||
|
||||
#
|
||||
# The maximum number of entries in the
|
||||
# cache. Set to "0" for "infinite".
|
||||
#
|
||||
# This could be set to the number of users
|
||||
# who are logged in... which can be a LOT.
|
||||
#
|
||||
max_entries = 255
|
||||
}
|
||||
|
||||
#
|
||||
# As of version 2.1.10, client certificates can be
|
||||
# validated via an external command. This allows
|
||||
# dynamic CRLs or OCSP to be used.
|
||||
#
|
||||
# This configuration is commented out in the
|
||||
# default configuration. Uncomment it, and configure
|
||||
# the correct paths below to enable it.
|
||||
#
|
||||
verify {
|
||||
# A temporary directory where the client
|
||||
# certificates are stored. This directory
|
||||
# MUST be owned by the UID of the server,
|
||||
# and MUST not be accessible by any other
|
||||
# users. When the server starts, it will do
|
||||
# "chmod go-rwx" on the directory, for
|
||||
# security reasons. The directory MUST
|
||||
# exist when the server starts.
|
||||
#
|
||||
# You should also delete all of the files
|
||||
# in the directory when the server starts.
|
||||
# tmpdir = /tmp/radiusd
|
||||
|
||||
# The command used to verify the client cert.
|
||||
# We recommend using the OpenSSL command-line
|
||||
# tool.
|
||||
#
|
||||
# The ${..CA_path} text is a reference to
|
||||
# the CA_path variable defined above.
|
||||
#
|
||||
# The %{TLS-Client-Cert-Filename} is the name
|
||||
# of the temporary file containing the cert
|
||||
# in PEM format. This file is automatically
|
||||
# deleted by the server when the command
|
||||
# returns.
|
||||
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
|
||||
}
|
||||
|
||||
#
|
||||
# OCSP Configuration
|
||||
# Certificates can be verified against an OCSP
|
||||
# Responder. This makes it possible to immediately
|
||||
# revoke certificates without the distribution of
|
||||
# new Certificate Revokation Lists (CRLs).
|
||||
#
|
||||
ocsp {
|
||||
#
|
||||
# Enable it. The default is "no".
|
||||
# Deleting the entire "ocsp" subsection
|
||||
# Also disables ocsp checking
|
||||
#
|
||||
enable = no
|
||||
|
||||
#
|
||||
# The OCSP Responder URL can be automatically
|
||||
# extracted from the certificate in question.
|
||||
# To override the OCSP Responder URL set
|
||||
# "override_cert_url = yes".
|
||||
#
|
||||
override_cert_url = yes
|
||||
|
||||
#
|
||||
# If the OCSP Responder address is not
|
||||
# extracted from the certificate, the
|
||||
# URL can be defined here.
|
||||
|
||||
#
|
||||
# Limitation: Currently the HTTP
|
||||
# Request is not sending the "Host: "
|
||||
# information to the web-server. This
|
||||
# can be a problem if the OCSP
|
||||
# Responder is running as a vhost.
|
||||
#
|
||||
url = "http://127.0.0.1/ocsp/"
|
||||
|
||||
#
|
||||
# If the OCSP Responder can not cope with nonce
|
||||
# in the request, then it can be disabled here.
|
||||
#
|
||||
# For security reasons, disabling this option
|
||||
# is not recommended as nonce protects against
|
||||
# replay attacks.
|
||||
#
|
||||
# Note that Microsoft AD Certificate Services OCSP
|
||||
# Responder does not enable nonce by default. It is
|
||||
# more secure to enable nonce on the responder than
|
||||
# to disable it in the query here.
|
||||
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
|
||||
#
|
||||
# use_nonce = yes
|
||||
|
||||
#
|
||||
# Number of seconds before giving up waiting
|
||||
# for OCSP response. 0 uses system default.
|
||||
#
|
||||
# timeout = 0
|
||||
|
||||
#
|
||||
# Normally an error in querying the OCSP
|
||||
# responder (no response from server, server did
|
||||
# not understand the request, etc) will result in
|
||||
# a validation failure.
|
||||
#
|
||||
# To treat these errors as 'soft' failures and
|
||||
# still accept the certificate, enable this
|
||||
# option.
|
||||
#
|
||||
# Warning: this may enable clients with revoked
|
||||
# certificates to connect if the OCSP responder
|
||||
# is not available. Use with caution.
|
||||
#
|
||||
# softfail = no
|
||||
}
|
||||
}
|
||||
|
||||
# The TTLS module implements the EAP-TTLS protocol,
|
||||
# which can be described as EAP inside of Diameter,
|
||||
# inside of TLS, inside of EAP, inside of RADIUS...
|
||||
#
|
||||
# Surprisingly, it works quite well.
|
||||
#
|
||||
# The TTLS module needs the TLS module to be installed
|
||||
# and configured, in order to use the TLS tunnel
|
||||
# inside of the EAP packet. You will still need to
|
||||
# configure the TLS module, even if you do not want
|
||||
# to deploy EAP-TLS in your network. Users will not
|
||||
# be able to request EAP-TLS, as it requires them to
|
||||
# have a client certificate. EAP-TTLS does not
|
||||
# require a client certificate.
|
||||
#
|
||||
# You can make TTLS require a client cert by setting
|
||||
#
|
||||
# EAP-TLS-Require-Client-Cert = Yes
|
||||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
ttls {
|
||||
# The tunneled EAP session needs a default
|
||||
# EAP type which is separate from the one for
|
||||
# the non-tunneled EAP module. Inside of the
|
||||
# TTLS tunnel, we recommend using EAP-MD5.
|
||||
# If the request does not contain an EAP
|
||||
# conversation, then this configuration entry
|
||||
# is ignored.
|
||||
default_eap_type = md5
|
||||
|
||||
# The tunneled authentication request does
|
||||
# not usually contain useful attributes
|
||||
# like 'Calling-Station-Id', etc. These
|
||||
# attributes are outside of the tunnel,
|
||||
# and normally unavailable to the tunneled
|
||||
# authentication request.
|
||||
#
|
||||
# By setting this configuration entry to
|
||||
# 'yes', any attribute which NOT in the
|
||||
# tunneled authentication request, but
|
||||
# which IS available outside of the tunnel,
|
||||
# is copied to the tunneled request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
copy_request_to_tunnel = no
|
||||
|
||||
# The reply attributes sent to the NAS are
|
||||
# usually based on the name of the user
|
||||
# 'outside' of the tunnel (usually
|
||||
# 'anonymous'). If you want to send the
|
||||
# reply attributes based on the user name
|
||||
# inside of the tunnel, then set this
|
||||
# configuration entry to 'yes', and the reply
|
||||
# to the NAS will be taken from the reply to
|
||||
# the tunneled request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
use_tunneled_reply = no
|
||||
|
||||
#
|
||||
# The inner tunneled request can be sent
|
||||
# through a virtual server constructed
|
||||
# specifically for this purpose.
|
||||
#
|
||||
# If this entry is commented out, the inner
|
||||
# tunneled request will be sent through
|
||||
# the virtual server that processed the
|
||||
# outer requests.
|
||||
#
|
||||
virtual_server = "inner-tunnel"
|
||||
|
||||
# This has the same meaning as the
|
||||
# same field in the "tls" module, above.
|
||||
# The default value here is "yes".
|
||||
# include_length = yes
|
||||
}
|
||||
|
||||
##################################################
|
||||
#
|
||||
# !!!!! WARNINGS for Windows compatibility !!!!!
|
||||
#
|
||||
##################################################
|
||||
#
|
||||
# If you see the server send an Access-Challenge,
|
||||
# and the client never sends another Access-Request,
|
||||
# then
|
||||
#
|
||||
# STOP!
|
||||
#
|
||||
# The server certificate has to have special OID's
|
||||
# in it, or else the Microsoft clients will silently
|
||||
# fail. See the "scripts/xpextensions" file for
|
||||
# details, and the following page:
|
||||
#
|
||||
# http://support.microsoft.com/kb/814394/en-us
|
||||
#
|
||||
# For additional Windows XP SP2 issues, see:
|
||||
#
|
||||
# http://support.microsoft.com/kb/885453/en-us
|
||||
#
|
||||
#
|
||||
# If is still doesn't work, and you're using Samba,
|
||||
# you may be encountering a Samba bug. See:
|
||||
#
|
||||
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||
#
|
||||
# Note that we do not necessarily agree with their
|
||||
# explanation... but the fix does appear to work.
|
||||
#
|
||||
##################################################
|
||||
|
||||
#
|
||||
# The tunneled EAP session needs a default EAP type
|
||||
# which is separate from the one for the non-tunneled
|
||||
# EAP module. Inside of the TLS/PEAP tunnel, we
|
||||
# recommend using EAP-MS-CHAPv2.
|
||||
#
|
||||
# The PEAP module needs the TLS module to be installed
|
||||
# and configured, in order to use the TLS tunnel
|
||||
# inside of the EAP packet. You will still need to
|
||||
# configure the TLS module, even if you do not want
|
||||
# to deploy EAP-TLS in your network. Users will not
|
||||
# be able to request EAP-TLS, as it requires them to
|
||||
# have a client certificate. EAP-PEAP does not
|
||||
# require a client certificate.
|
||||
#
|
||||
#
|
||||
# You can make PEAP require a client cert by setting
|
||||
#
|
||||
# EAP-TLS-Require-Client-Cert = Yes
|
||||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
peap {
|
||||
# The tunneled EAP session needs a default
|
||||
# EAP type which is separate from the one for
|
||||
# the non-tunneled EAP module. Inside of the
|
||||
# PEAP tunnel, we recommend using MS-CHAPv2,
|
||||
# as that is the default type supported by
|
||||
# Windows clients.
|
||||
default_eap_type = mschapv2
|
||||
|
||||
# the PEAP module also has these configuration
|
||||
# items, which are the same as for TTLS.
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
|
||||
# When the tunneled session is proxied, the
|
||||
# home server may not understand EAP-MSCHAP-V2.
|
||||
# Set this entry to "no" to proxy the tunneled
|
||||
# EAP-MSCHAP-V2 as normal MSCHAPv2.
|
||||
# proxy_tunneled_request_as_eap = yes
|
||||
|
||||
#
|
||||
# The inner tunneled request can be sent
|
||||
# through a virtual server constructed
|
||||
# specifically for this purpose.
|
||||
#
|
||||
# If this entry is commented out, the inner
|
||||
# tunneled request will be sent through
|
||||
# the virtual server that processed the
|
||||
# outer requests.
|
||||
#
|
||||
virtual_server = "inner-tunnel"
|
||||
|
||||
# This option enables support for MS-SoH
|
||||
# see doc/SoH.txt for more info.
|
||||
# It is disabled by default.
|
||||
#
|
||||
# soh = yes
|
||||
|
||||
#
|
||||
# The SoH reply will be turned into a request which
|
||||
# can be sent to a specific virtual server:
|
||||
#
|
||||
# soh_virtual_server = "soh-server"
|
||||
}
|
||||
|
||||
#
|
||||
# This takes no configuration.
|
||||
#
|
||||
# Note that it is the EAP MS-CHAPv2 sub-module, not
|
||||
# the main 'mschap' module.
|
||||
#
|
||||
# Note also that in order for this sub-module to work,
|
||||
# the main 'mschap' module MUST ALSO be configured.
|
||||
#
|
||||
# This module is the *Microsoft* implementation of MS-CHAPv2
|
||||
# in EAP. There is another (incompatible) implementation
|
||||
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
|
||||
# currently support.
|
||||
#
|
||||
mschapv2 {
|
||||
# Prior to version 2.1.11, the module never
|
||||
# sent the MS-CHAP-Error message to the
|
||||
# client. This worked, but it had issues
|
||||
# when the cached password was wrong. The
|
||||
# server *should* send "E=691 R=0" to the
|
||||
# client, which tells it to prompt the user
|
||||
# for a new password.
|
||||
#
|
||||
# The default is to behave as in 2.1.10 and
|
||||
# earlier, which is known to work. If you
|
||||
# set "send_error = yes", then the error
|
||||
# message will be sent back to the client.
|
||||
# This *may* help some clients work better,
|
||||
# but *may* also cause other clients to stop
|
||||
# working.
|
||||
#
|
||||
# send_error = no
|
||||
}
|
||||
}
|
|
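Review bot: `private_key_password = c3d2` inside the `tls` block commits the server key's passphrase in cleartext to a tracked file, even though the repository already routes secrets through sops and a `secrets` submodule; the value should be supplied from there instead of this file, and since it now sits in history it should be treated as disclosed and rotated along with the key. A related issue is the `client any { ipaddr 0.0.0.0/0 ... secret = public ... require_message_authenticator = no }` entry in the clients file above: a guessable shared secret on an any-address client means every host that can reach the RADIUS port is accepted as a NAS, and disabling Message-Authenticator removes the only per-packet integrity check left. Separately, with `default_eap_type = ttls` the `CA_file = ${cadir}/ca.pem` and `CA_path = ${cadir}` items still enable EAP-TLS client-certificate authentication against whatever `ca.pem` holds; the comment above `CA_file` says to delete it if client certificates are not intended, otherwise a comment naming which CA is trusted there would help, e.g. `# CA_file: private C3D2 802.1X CA only; never a public CA (see note above)`. `cipher_list = "DEFAULT"` is unchanged stock but is the item to tighten if weak suites need to be excluded.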
@ -0,0 +1,450 @@
|
|||
#
|
||||
# This file contains the configuration for experimental modules.
|
||||
#
|
||||
# By default, it is NOT included in the build.
|
||||
#
|
||||
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
|
||||
#
|
||||
|
||||
# Configuration for the Python module.
|
||||
#
|
||||
# Where radiusd is a Python module, radiusd.py, and the
|
||||
# function 'authorize' is called. Here is a dummy piece
|
||||
# of code:
|
||||
#
|
||||
# def authorize(params):
|
||||
# print params
|
||||
# return (5, ('Reply-Message', 'banned'))
|
||||
#
|
||||
# The RADIUS value-pairs are passed as a tuple of tuple
|
||||
# pairs as the first argument, e.g. (('attribute1',
|
||||
# 'value1'), ('attribute2', 'value2'))
|
||||
#
|
||||
# The function return is a tuple with the first element
|
||||
# being the return value of the function.
|
||||
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
|
||||
# write the return values as Python symbols to avoid
|
||||
# confusion.
|
||||
#
|
||||
# The remaining tuple members are the string form of
|
||||
# value-pairs which are passed on to pairmake().
|
||||
#
|
||||
python {
|
||||
mod_instantiate = radiusd_test
|
||||
func_instantiate = instantiate
|
||||
|
||||
mod_authorize = radiusd_test
|
||||
func_authorize = authorize
|
||||
|
||||
mod_accounting = radiusd_test
|
||||
func_accounting = accounting
|
||||
|
||||
mod_pre_proxy = radiusd_test
|
||||
func_pre_proxy = pre_proxy
|
||||
|
||||
mod_post_proxy = radiusd_test
|
||||
func_post_proxy = post_proxy
|
||||
|
||||
mod_post_auth = radiusd_test
|
||||
func_post_auth = post_auth
|
||||
|
||||
mod_recv_coa = radiusd_test
|
||||
func_recv_coa = recv_coa
|
||||
|
||||
mod_send_coa = radiusd_test
|
||||
func_send_coa = send_coa
|
||||
|
||||
mod_detach = radiusd_test
|
||||
func_detach = detach
|
||||
}
|
||||
|
||||
|
||||
# Configuration for the example module. Uncommenting it will cause it
|
||||
# to get loaded and initialized, but should have no real effect as long
|
||||
# it is not referencened in one of the autz/auth/preacct/acct sections
|
||||
example {
|
||||
# Boolean variable.
|
||||
# allowed values: {no, yes}
|
||||
boolean = yes
|
||||
|
||||
# An integer, of any value.
|
||||
integer = 16
|
||||
|
||||
# A string.
|
||||
string = "This is an example configuration string"
|
||||
|
||||
# An IP address, either in dotted quad (1.2.3.4) or hostname
|
||||
# (example.com)
|
||||
ipaddr = 127.0.0.1
|
||||
|
||||
# A subsection
|
||||
mysubsection {
|
||||
anotherinteger = 1000
|
||||
# They nest
|
||||
deeply nested {
|
||||
string = "This is a different string"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# To create a dbm users file, do:
|
||||
#
|
||||
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
|
||||
#
|
||||
# Then add 'dbm' in 'authorize' section.
|
||||
#
|
||||
# Note that even if the file has a ".db" or ".dbm" extension,
|
||||
# you may have to specify it here without that extension. This
|
||||
# is because the DBM libraries "helpfully" add a ".db" to the
|
||||
# filename, but don't check if it's already there.
|
||||
#
|
||||
dbm {
|
||||
usersfile = ${confdir}/users_db
|
||||
}
|
||||
|
||||
#
|
||||
# Perform NT-Domain authentication. This only works
|
||||
# with PAP authentication. That is, Authentication-Request
|
||||
# packets containing a User-Password attribute.
|
||||
#
|
||||
# To use it, add 'smb' into the 'authenticate' section,
|
||||
# and then in another module (usually the 'users' file),
|
||||
# set 'Auth-Type := SMB'
|
||||
#
|
||||
# WARNING: this module is not only experimental, it's also
|
||||
# a security threat. It's not recommended to use it until
|
||||
# it gets fixed.
|
||||
#
|
||||
smb {
|
||||
server = ntdomain.server.example.com
|
||||
backup = backup.server.example.com
|
||||
domain = NTDOMAIN
|
||||
}
|
||||
|
||||
# See doc/rlm_fastusers before using this
|
||||
# module or changing these values.
|
||||
#
|
||||
fastusers {
|
||||
usersfile = ${confdir}/users_fast
|
||||
hashsize = 1000
|
||||
compat = no
|
||||
# Reload the hash every 600 seconds (10mins)
|
||||
hash_reload = 600
|
||||
}
|
||||
|
||||
# Caching module
|
||||
#
|
||||
# Should be added in the post-auth section (after all other modules)
|
||||
# and in the authorize section (before any other modules)
|
||||
#
|
||||
# authorize {
|
||||
# caching {
|
||||
# ok = return
|
||||
# }
|
||||
# [... other modules ...]
|
||||
# }
|
||||
# post-auth {
|
||||
# [... other modules ...]
|
||||
# caching
|
||||
# }
|
||||
#
|
||||
# The caching module will cache the Auth-Type and reply items
|
||||
# and send them back on any subsequent requests for the same key
|
||||
#
|
||||
# Configuration:
|
||||
#
|
||||
# filename: The gdbm file to use for the cache database
|
||||
# (can be memory mapped for more speed)
|
||||
#
|
||||
# key: A string to xlat and use as a key. For instance,
|
||||
# "%{Acct-Unique-Session-Id}"
|
||||
#
|
||||
# post-auth: If we find a cached entry, set the post-auth to that value
|
||||
#
|
||||
# cache-ttl: The time to cache the entry. The same time format
|
||||
# as the counter module apply here.
|
||||
# num[hdwm] where:
|
||||
# h: hours, d: days, w: weeks, m: months
|
||||
# If the letter is ommited days will be assumed.
|
||||
# e.g. 1d == one day
|
||||
#
|
||||
# cache-size: The gdbm cache size to request (default 1000)
|
||||
#
|
||||
# hit-ratio: If set to non-zero we print out statistical
|
||||
# information after so many cache requests
|
||||
#
|
||||
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
|
||||
#
|
||||
caching {
|
||||
filename = ${db_dir}/db.cache
|
||||
cache-ttl = 1d
|
||||
hit-ratio = 1000
|
||||
key = "%{Acct-Unique-Session-Id}"
|
||||
#post-auth = ""
|
||||
# cache-size = 2000
|
||||
# cache-rejects = yes
|
||||
}
|
||||
|
||||
|
||||
# Simple module for logging of Account packets to radiusd.log
|
||||
# You need to declare it in the accounting section for it to work
|
||||
acctlog {
|
||||
acctlog_update = ""
|
||||
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
||||
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
||||
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
|
||||
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
||||
}
|
||||
|
||||
# Another implementation of the EAP module.
|
||||
#
|
||||
# This module requires the libeap.so file from the hostap
|
||||
# software (http://hostap.epitest.fi/hostapd/). It has been
|
||||
# tested on the development version of hostapd (0.6.1) ONLY.
|
||||
#
|
||||
# In order to use it, you MUST build a "libeap.so" in hostapd,
|
||||
# which is not done by default.
|
||||
#
|
||||
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
|
||||
# to point to the location of the hostap include files.
|
||||
#
|
||||
# This module CANNOT be used in the same way as the current
|
||||
# FreeRADIUS "eap" module. There is NO way to look inside of
|
||||
# a tunneled request. There is NO way to proxy a tunneled
|
||||
# request. There is NO way to even look at the user name inside
|
||||
# of the tunneled request. There is NO way to control the
|
||||
# choice of EAP types inside of the tunnel. You MUST force
|
||||
# the server to choose "eap2" for authentication, because this
|
||||
# module has no "authorize" section.
|
||||
#
|
||||
# If you want to use this module for experimentation, please
|
||||
# post your comments to the freeradius-devel list:
|
||||
#
|
||||
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
|
||||
#
|
||||
# If you want to use this module in a production (i.e. real-world)
|
||||
# environment:
|
||||
#
|
||||
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
|
||||
#
|
||||
# The module needs additional work to make it ready for
|
||||
# production use.. Please supply patches, or sponsor the
|
||||
# work by hiring a developer. Do NOT ask when the work will
|
||||
# be done, because there is no plan to finish this module
|
||||
# unless there is demand for it.
|
||||
#
|
||||
eap2 {
|
||||
# EAP types are chosen in the order that they are
|
||||
# listed in this section. There is no "default_eap_type"
|
||||
# as with rlm_eap. Instead, the *first* EAP type is
|
||||
# used as the default type.
|
||||
#
|
||||
peap {
|
||||
}
|
||||
|
||||
ttls {
|
||||
}
|
||||
|
||||
# This is the ONLY EAP type that has any configuration.
|
||||
# All other EAP types have no configuration.
|
||||
#
|
||||
tls {
|
||||
ca_cert = ${confdir}/certs/ca.pem
|
||||
server_cert = ${confdir}/certs/server.pem
|
||||
private_key_file = ${confdir}/certs/server.pem
|
||||
private_key_password = whatever
|
||||
}
|
||||
|
||||
#
|
||||
# These next two methods do not supply keying material.
|
||||
#
|
||||
md5 {
|
||||
}
|
||||
|
||||
mschapv2 {
|
||||
}
|
||||
|
||||
fast {
|
||||
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
|
||||
eap_fast_a_id = xxxxxx
|
||||
eap_fast_a_id_info = my_server
|
||||
eap_fast_prov = 3
|
||||
pac_key_lifetime = 604800 # 7 days
|
||||
pac_key_refresh_tim = 86400
|
||||
}
|
||||
|
||||
# LEAP is NOT supported by this module.
|
||||
# Use the "eap" module instead.
|
||||
|
||||
# For other methods that MIGHT work, see the
|
||||
# configuration of hostap. The methods are statically
|
||||
# linked in at compile time, and cannot be controlled
|
||||
# here.
|
||||
}
|
||||
|
||||
# Configuration for experimental EAP types. The sub-sections
|
||||
# can be copied into eap.conf.
|
||||
eap {
|
||||
ikev2 {
|
||||
|
||||
# Server auth type
|
||||
# Allowed values are:
|
||||
# cert - for certificate based server authentication,
|
||||
# other required settings for this type are
|
||||
# 'private_key_file' and 'certificate_file'
|
||||
# secret - for shared secret based server authentication,
|
||||
# other required settings for this type is 'id'
|
||||
# Default value of this option is 'secret'
|
||||
# server_authtype=cert
|
||||
|
||||
# Allowed default client auth types
|
||||
# Allowed values are:
|
||||
# secret - for shared secret based client authentication
|
||||
# cert - for certificate based client authentication
|
||||
# both - shared secret and certificate is allowed
|
||||
# none - authentication will always fail
|
||||
# Default value for this option is 'both'. This option could
|
||||
# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
|
||||
# option.
|
||||
# default_authtype = both
|
||||
|
||||
# path to trusted CA certificate file
|
||||
CA_file="/path/to/CA/cacert.pem"
|
||||
|
||||
# path to CRL file, if not set, then there will be no
|
||||
# checks against CRL
|
||||
# crl_file="/path/to/crl.pem"
|
||||
|
||||
# path to file with user settings
|
||||
#
|
||||
# Note that this file is read ONLY on module initialization!
|
||||
#
|
||||
# default ${confdir}/eap_ikev2_users
|
||||
# usersfile=${confdir}/eap_ikev2_users
|
||||
|
||||
#
|
||||
# Sample "eap_ikev2_users" file entry:
|
||||
#
|
||||
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
|
||||
|
||||
## where:
|
||||
## username - client user name from IKE-AUTH (IDr) or CommonName
|
||||
## from x509 certificate
|
||||
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
|
||||
## allowable attributes for EAP-IKEv2-IDType:
|
||||
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
|
||||
## DER_ASN1_GN KEY_ID
|
||||
## EAP-IKEv2-Secret - shared secret
|
||||
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
|
||||
## type. Allowed values are: secret,cert,both,none.
|
||||
## For the meaning of this values, please see the
|
||||
## description of 'default_authtype'.
|
||||
## This attribute can overwrite 'default_authtype' value.
|
||||
|
||||
|
||||
|
||||
# path to file with server private key
|
||||
private_key_file="/path/to/srv-private-key.pem"
|
||||
|
||||
# password to private key file
|
||||
private_key_password="passwd"
|
||||
|
||||
# path to file with server certificate
|
||||
certificate_file="/path/to/srv-cert.pem"
|
||||
|
||||
# server identity string
|
||||
id="deMaio"
|
||||
|
||||
# Server identity type. Allowed values are:
|
||||
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
|
||||
# KEY_ID
|
||||
# Default value is: KEY_ID
|
||||
# id_type = KEY_ID
|
||||
|
||||
|
||||
# MTU (default: 1398)
|
||||
# fragment_size = 1398
|
||||
|
||||
# maximal allowed number of resends SA_INIT after receiving
|
||||
# 'invalid KEY' notification (default 3)
|
||||
# DH_counter_max = 3
|
||||
|
||||
# option which is used to control whenever send CERT REQ
|
||||
# payload or not.
|
||||
# Allowed values for this option are "yes" or "no".
|
||||
#Default value is "no".
|
||||
# certreq = "yes"
|
||||
|
||||
# option which cotrols fast reconnect capability.
|
||||
# Allowed valuse for this option are "yes" or "no".
|
||||
# Default value is "yes".
|
||||
# enable_fast_reauth = "no"
|
||||
|
||||
# option which is used to control performing of DH exchange
|
||||
# during fast rekeying protocol run.
|
||||
# Allowed values for this option are "yes" or "no".
|
||||
# Default value is "no"
|
||||
# fast_DH_exchange = "yes"
|
||||
|
||||
# Option which is used to set up expiration time of inactive
|
||||
# IKEv2 session.
|
||||
# After selected period of time (in seconds), inactive
|
||||
# session data will be deleted.
|
||||
# Default value of this option is set to 900 seconds
|
||||
# fast_timer_expire = 900
|
||||
|
||||
# list of server proposals of available cryptographic
|
||||
# suites
|
||||
proposals {
|
||||
# proposal number #1
|
||||
proposal {
|
||||
|
||||
# Supported transforms types: encryption,
|
||||
# prf, integrity, dhgroup. For multiple
|
||||
# transforms just simple repeat key (i.e.
|
||||
# integity).
|
||||
|
||||
# encryption algorithm
|
||||
# supported algorithms:
|
||||
# null,3des,aes_128_cbc,aes_192_cbc,
|
||||
# aes_256_cbc,idea
|
||||
# blowfish:n, where n range from 8 to 448 bits,
|
||||
# step 8 bits
|
||||
# cast:n, where n range from 40 to 128 bits,
|
||||
# step 8 bits
|
||||
encryption = 3des
|
||||
|
||||
# pseudo random function. Supported prf's:
|
||||
# hmac_md5, hmac_sha1, hmac_tiger
|
||||
prf = hmac_sha1
|
||||
|
||||
# integrity algorithm. Supported algorithms:
|
||||
# hmac_md5_96, hmac_sha1_96,des_mac
|
||||
integrity = hmac_sha1_96
|
||||
integrity = hmac_md5_96
|
||||
|
||||
# Diffie-Hellman groups:
|
||||
# modp768, modp1024, modp1536, modp2048,
|
||||
# modp3072, modp4096, modp6144, modp8192
|
||||
dhgroup = modp2048
|
||||
}
|
||||
|
||||
# proposal number #2
|
||||
proposal {
|
||||
encryption = 3des
|
||||
prf = hmac_md5
|
||||
integrity = hmac_md5_96
|
||||
dhgroup = modp1024
|
||||
}
|
||||
|
||||
# proposal number #3
|
||||
proposal {
|
||||
encryption=3des
|
||||
prf=hmac_md5
|
||||
integrity=hmac_md5_96
|
||||
dhgroup=modp2048
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
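--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,77 @@
+# hints
+#
+# The hints file. This file is used to match
+# a request, and then add attributes to it. This
+# process allows a user to login as "bob.ppp" (for example),
+# and receive a PPP connection, even if the NAS doesn't
+# ask for PPP. The "hints" file is used to match the
+# ".ppp" portion of the username, and to add a set of
+# "user requested PPP" attributes to the request.
+#
+# Matching can take place with the the Prefix and Suffix
+# attributes, just like in the "users" file.
+# These attributes operate ONLY on the username, though.
+#
+# Note that the attributes that are set for each
+# entry are _NOT_ passed back to the terminal server.
+# Instead they are added to the information that has
+# been _SENT_ by the terminal server.
+#
+# This extra information can be used in the users file to
+# match on. Usually this is done in the DEFAULT entries,
+# of which there can be more than one.
+#
+# In addition a matching entry can transform a username
+# for authentication purposes if the "Strip-User-Name"
+# variable is set to Yes in an entry (default is Yes).
+#
+# A special non-protocol name-value pair called "Hint"
+# can be set to match on in the "users" file.
+#
+# The following is how most ISPs want to set this up.
+#
+# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
+#
+
+
+DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
+Hint = "PPP",
+Service-Type = Framed-User,
+Framed-Protocol = PPP
+
+DEFAULT Suffix == ".slip", Strip-User-Name = Yes
+Hint = "SLIP",
+Service-Type = Framed-User,
+Framed-Protocol = SLIP
+
+DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
+Hint = "CSLIP",
+Service-Type = Framed-User,
+Framed-Protocol = SLIP,
+Framed-Compression = Van-Jacobson-TCP-IP
+
+######################################################################
+#
+# These entries are old, and commented out by default.
+# They confuse too many people when "Peter" logs in, and the
+# server thinks that the user "eter" is asking for PPP.
+#
+#DEFAULT Prefix == "U", Strip-User-Name = No
+# Hint = "UUCP"
+
+#DEFAULT Prefix == "P", Strip-User-Name = Yes
+# Hint = "PPP",
+# Service-Type = Framed-User,
+# Framed-Protocol = PPP
+
+#DEFAULT Prefix == "S", Strip-User-Name = Yes
+# Hint = "SLIP",
+# Service-Type = Framed-User,
+# Framed-Protocol = SLIP
+
+#DEFAULT Prefix == "C", Strip-User-Name = Yes
+# Hint = "CSLIP",
+# Service-Type = Framed-User,
+# Framed-Protocol = SLIP,
+# Framed-Compression = Van-Jacobson-TCP-IP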
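--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,46 @@
+#
+# huntgroups This file defines the `huntgroups' that you have. A
+# huntgroup is defined by specifying the IP address of
+# the NAS and possibly a port range. Port can be identified
+# as just one port, or a range (from-to), and multiple ports
+# or ranges of ports must be seperated by a comma. For
+# example: 1,2,3-8
+#
+# Matching is done while RADIUS scans the user file; if it
+# includes the selection criterium "Huntgroup-Name == XXX"
+# the huntgroup is looked up in this file to see if it
+# matches. There can be multiple definitions of the same
+# huntgroup; the first one that matches will be used.
+#
+# This file can also be used to define restricted access
+# to certain huntgroups. The second and following lines
+# define the access restrictions (based on username and
+# UNIX usergroup) for the huntgroup.
+#
+
+#
+# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
+# called Alphen that matches on all three terminal servers.
+#
+#alphen NAS-IP-Address == 192.168.2.5
+#alphen NAS-IP-Address == 192.168.2.6
+#alphen NAS-IP-Address == 192.168.2.7
+
+#
+# The POP in Delft consists of only one terminal server.
+#
+#delft NAS-IP-Address == 192.168.3.5
+
+#
+# Ports 0-7 on the first terminal server in Alphen are connected to
+# a huntgroup that is for business users only. Note that only one
+# of the username or groupname has to match to get access (OR/OR).
+#
+# Note that this huntgroup is a subset of the "alphen" huntgroup.
+#
+#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
+# User-Name = rogerl,
+# User-Name = henks,
+# Group = business,
+# Group = staff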
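--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,76 @@
+#
+# Mapping of RADIUS dictionary attributes to LDAP directory attributes
+# to be used by LDAP authentication and authorization module (rlm_ldap)
+#
+# Format:
+# ItemType RADIUS-Attribute-Name ldapAttributeName [operator]
+#
+# Where:
+# ItemType = checkItem or replyItem
+# RADIUS-Attribute-Name = attribute name in RADIUS dictionary
+# ldapAttributeName = attribute name in LDAP schema
+# operator = optional, and may not be present.
+# If not present, defaults to "==" for checkItems,
+# and "=" for replyItems.
+# If present, the operator here should be one
+# of the same operators as defined in the "users"3
+# file ("man users", or "man 5 users").
+# If an operator is present in the value of the
+# LDAP entry (i.e. ":=foo"), then it over-rides
+# both the default, and any operator given here.
+#
+# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
+# a LDAP attribute which can be used to store any RADIUS
+# attribute/value-pair in LDAP directory.
+#
+# You should edit this file to suit it to your needs.
+#
+
+checkItem $GENERIC$ radiusCheckItem
+replyItem $GENERIC$ radiusReplyItem
+
+checkItem Auth-Type radiusAuthType
+checkItem Simultaneous-Use radiusSimultaneousUse
+checkItem Called-Station-Id radiusCalledStationId
+checkItem Calling-Station-Id radiusCallingStationId
+checkItem LM-Password lmPassword
+checkItem NT-Password ntPassword
+checkItem LM-Password sambaLmPassword
+checkItem NT-Password sambaNtPassword
+checkItem LM-Password dBCSPwd
+checkitem Password-With-Header userPassword
+checkItem SMB-Account-CTRL-TEXT acctFlags
+checkItem Expiration radiusExpiration
+checkItem NAS-IP-Address radiusNASIpAddress
+
+replyItem Service-Type radiusServiceType
+replyItem Framed-Protocol radiusFramedProtocol
+replyItem Framed-IP-Address radiusFramedIPAddress
+replyItem Framed-IP-Netmask radiusFramedIPNetmask
+replyItem Framed-Route radiusFramedRoute
+replyItem Framed-Routing radiusFramedRouting
+replyItem Filter-Id radiusFilterId
+replyItem Framed-MTU radiusFramedMTU
+replyItem Framed-Compression radiusFramedCompression
+replyItem Login-IP-Host radiusLoginIPHost
+replyItem Login-Service radiusLoginService
+replyItem Login-TCP-Port radiusLoginTCPPort
+replyItem Callback-Number radiusCallbackNumber
+replyItem Callback-Id radiusCallbackId
+replyItem Framed-IPX-Network radiusFramedIPXNetwork
+replyItem Class radiusClass
+replyItem Session-Timeout radiusSessionTimeout
+replyItem Idle-Timeout radiusIdleTimeout
+replyItem Termination-Action radiusTerminationAction
+replyItem Login-LAT-Service radiusLoginLATService
+replyItem Login-LAT-Node radiusLoginLATNode
+replyItem Login-LAT-Group radiusLoginLATGroup
+replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
+replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
+replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
+replyItem Port-Limit radiusPortLimit
+replyItem Login-LAT-Port radiusLoginLATPort
+replyItem Reply-Message radiusReplyMessage
+replyItem Tunnel-Type radiusTunnelType
+replyItem Tunnel-Medium-Type radiusTunnelMediumType
+replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId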
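Review bot: `checkitem Password-With-Header userPassword` is the one check-item line written with a lowercase item type while every other line uses `checkItem`; rlm_ldap presumably matches the type case-insensitively, but it should read `checkItem Password-With-Header userPassword` so the file is consistent and a search for `checkItem` finds it. The three LM-Password mappings (lmPassword, sambaLmPassword, dBCSPwd) pull LM hashes into the check items; LM is a legacy, weak hash format, so if the directory does not populate those attributes the lines can be dropped to keep the server from consulting them at all.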
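--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,17 @@
+# -*- text -*-
+#
+# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
+
+#
+# Create a unique accounting session Id. Many NASes re-use
+# or repeat values for Acct-Session-Id, causing no end of
+# confusion.
+#
+# This module will add a (probably) unique session id
+# to an accounting packet based on the attributes listed
+# below found in the packet. See doc/rlm_acct_unique for
+# more information.
+#
+acct_unique {
+key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
+}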
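--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,31 @@
+# -*- text -*-
+#
+# $Id: c28187f05d4f0416442203b016feb7e2b818716f $
+
+#
+# The "always" module is here for debugging purposes. Each
+# instance simply returns the same result, always, without
+# doing anything.
+always fail {
+rcode = fail
+}
+always reject {
+rcode = reject
+}
+always noop {
+rcode = noop
+}
+always handled {
+rcode = handled
+}
+always updated {
+rcode = updated
+}
+always notfound {
+rcode = notfound
+}
+always ok {
+rcode = ok
+simulcount = 0
+mpp = no
+}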
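--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,48 @@
+# -*- text -*-
+#
+# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
+
+#
+# This file defines a number of instances of the "attr_filter" module.
+#
+
+# attr_filter - filters the attributes received in replies from
+# proxied servers, to make sure we send back to our RADIUS client
+# only allowed attributes.
+attr_filter attr_filter.post-proxy {
+attrsfile = ${confdir}/attrs
+}
+
+# attr_filter - filters the attributes in the packets we send to
+# the RADIUS home servers.
+attr_filter attr_filter.pre-proxy {
+attrsfile = ${confdir}/attrs.pre-proxy
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets. See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_reject {
+key = %{User-Name}
+attrsfile = ${confdir}/attrs.access_reject
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets. See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_challenge {
+key = %{User-Name}
+attrsfile = ${confdir}/attrs.access_challenge
+}
+
+
+# Enforce RFC requirements on the contents of the
+# Accounting-Response packets. See the comments at the
+# top of the file for more details.
+#
+attr_filter attr_filter.accounting_response {
+key = %{User-Name}
+attrsfile = ${confdir}/attrs.accounting_response
+}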
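Review bot: The comment block above `attr_filter attr_filter.access_challenge` is a copy of the one above the access_reject instance and names the wrong packet type; its first line should read `# Enforce RFC requirements on the contents of Access-Challenge`. The three `key = %{User-Name}` lines are unquoted expansions, whereas the cache instance added in this same change writes `key = "%{User-Name}"`; both forms presumably parse, but one style across the new module files would be easier to read.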
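--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,46 @@
+# -*- text -*-
+#
+# $Id: 8fb93224288061781980a156d541f5283abee1a0 $
+
+# rewrite arbitrary packets. Useful in accounting and authorization.
+#
+# As of 2.0, much of the functionality of this module is in "unlang".
+# You should probably investigate using that before trying to use
+# the "attr_rewrite" module.
+#
+#
+# The module can also use the Rewrite-Rule attribute. If it
+# is set and matches the name of the module instance, then
+# that module instance will be the only one which runs.
+#
+# Also if new_attribute is set to yes then a new attribute
+# will be created containing the value replacewith and it
+# will be added to searchin (packet, reply, proxy,
+# proxy_reply or config).
+#
+# searchfor,ignore_case and max_matches will be ignored in that case.
+#
+# Backreferences are supported.
+# %{0} will contain the string the whole match
+# %{1} to %{8} will contain the contents of the 1st to
+# the 8th parentheses
+#
+# If max_matches is greater than one, the backreferences will
+# correspond to the first attributed that matched.
+
+#
+attr_rewrite sanecallerid {
+attribute = Called-Station-Id
+# may be "packet", "reply", "proxy", "proxy_reply" or "config"
+searchin = packet
+searchfor = "[+ ]"
+replacewith = ""
+ignore_case = no
+new_attribute = no
+max_matches = 10
+
+## If set to yes then the replace string will be
+## appended to the original string
+append = no
+}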
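--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,77 @@
+# -*- text -*-
+#
+# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $
+
+#
+# A module to cache attributes. The idea is that you can look
+# up information in a database, and then cache it. Repeated
+# requests for the same information will then have the cached
+# values added to the request.
+#
+# The module can cache a fixed set of attributes per key.
+# It can be listed in "authorize", "post-auth", "pre-proxy"
+# and "post-proxy".
+#
+# If you want different things cached for authorize and post-auth,
+# you will need to define two instances of the "cache" module.
+#
+# The module returns "ok" if it found a cache entry.
+# The module returns "updated" if it added a new cache entry.
+# The module returns "noop" if it did nothing.
+#
+cache {
+# The key used to index the cache. It is dynamically expanded
+# at run time.
+key = "%{User-Name}"
+
+# The TTL of cache entries, in seconds. Entries older than this
+# will be expired.
+#
+# You can set the TTL per cache entry, but adding a control
+# variable "Cache-TTL". The value there will over-ride this one.
+# Setting a Cache-TTL of 0 means "delete this entry".
+#
+# This value should be between 10 and 86400.
+ttl = 10
+
+# A timestamp used to flush the cache, via
+#
+# radmin -e "set module config cache epoch 123456789"
+#
+# Where last value is a 32-bit Unix timestamp. Cache entries
+# older than this are expired, and new entries added.
+#
+# You should ALWAYS leave it as "epoch = 0" here.
+epoch = 0
+
+# The module can also operate in status-only mode where it will
+# not add new cache entries, or merge existing ones.
+#
+# To enable set the control variable "Cache-Status-Only" to "yes"
+# The module will return "ok" if it found a cache entry.
+# The module will return "notfound" if it failed to find a cache entry,
+# or the entry had expired.
+#
+# Note: expired entries will still be removed.
+
+# If yes the following attributes will be added to the request list:
+# * Cache-Entry-Hits - The number of times this entry has been
+# retrieved.
+add-stats = no
+
+# The list of attributes to cache for a particular key.
+# Each key gets the same set of cached attributes.
+# The attributes are dynamically expanded at run time.
+#
+# You can specify which list the attribute goes into by
+# prefixing the attribute name with the list. This allows
+# you to update multiple lists with one configuration.
+#
+# If no list is specified the request list will be updated.
+update {
+# list:Attr-Name
+reply:Reply-Message += "I'm the cached reply from %t"
+
+control:Class := 0x010203
+}
+}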
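Review bot: The `update` block still carries the upstream sample attributes, `reply:Reply-Message += "I'm the cached reply from %t"` and `control:Class := 0x010203`; if this instance is ever listed in a processing section, every cache hit will send that debug message and a fixed Class value to the client. Replace them with the attributes the deployment actually wants cached, or comment both lines out, before the module is referenced. `ttl = 10` is the documented minimum; if that is deliberate a one-line comment saying so would stop the next reader from "fixing" it.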
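--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,11 @@
+# -*- text -*-
+#
+# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
+
+# CHAP module
+#
+# To authenticate requests containing a CHAP-Password attribute.
+#
+chap {
+# no configuration
+}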
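--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,44 @@
+# -*- text -*-
+#
+# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $
+
+# A simple value checking module
+#
+# As of 2.0, much of the functionality of this module is in "unlang".
+# You should probably investigate using that before trying to use
+# the "checkval" module.
+#
+# It can be used to check if an attribute value in the request
+# matches a (possibly multi valued) attribute in the check
+# items This can be used for example for caller-id
+# authentication. For the module to run, both the request
+# attribute and the check items attribute must exist
+#
+# i.e.
+# A user has an ldap entry with 2 radiusCallingStationId
+# attributes with values "12345678" and "12345679". If we
+# enable rlm_checkval, then any request which contains a
+# Calling-Station-Id with one of those two values will be
+# accepted. Requests with other values for
+# Calling-Station-Id will be rejected.
+#
+# Regular expressions in the check attribute value are allowed
+# as long as the operator is '=~'
+#
+checkval {
+# The attribute to look for in the request
+item-name = Calling-Station-Id
+
+# The attribute to look for in check items. Can be multi valued
+check-name = Calling-Station-Id
+
+# The data type. Can be
+# string,integer,ipaddr,date,abinary,octets
+data-type = string
+
+# If set to yes and we dont find the item-name attribute in the
+# request then we send back a reject
+# DEFAULT is no
+#notfound-reject = no
+}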
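--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,82 @@
+# -*- text -*-
+#
+# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $
+
+# counter module:
+# This module takes an attribute (count-attribute).
+# It also takes a key, and creates a counter for each unique
+# key. The count is incremented when accounting packets are
+# received by the server. The value of the increment depends
+# on the attribute type.
+# If the attribute is Acct-Session-Time or of an integer type we add
+# the value of the attribute. If it is anything else we increase the
+# counter by one.
+#
+# The 'reset' parameter defines when the counters are all reset to
+# zero. It can be hourly, daily, weekly, monthly or never.
+#
+# hourly: Reset on 00:00 of every hour
+# daily: Reset on 00:00:00 every day
+# weekly: Reset on 00:00:00 on sunday
+# monthly: Reset on 00:00:00 of the first day of each month
+#
+# It can also be user defined. It should be of the form:
+# num[hdwm] where:
+# h: hours, d: days, w: weeks, m: months
+# If the letter is ommited days will be assumed. In example:
+# reset = 10h (reset every 10 hours)
+# reset = 12 (reset every 12 days)
+#
+#
+# The check-name attribute defines an attribute which will be
+# registered by the counter module and can be used to set the
+# maximum allowed value for the counter after which the user
+# is rejected.
+# Something like:
+#
+# DEFAULT Max-Daily-Session := 36000
+# Fall-Through = 1
+#
+# You should add the counter module in the instantiate
+# section so that it registers check-name before the files
+# module reads the users file.
+#
+# If check-name is set and the user is to be rejected then we
+# send back a Reply-Message and we log a Failure-Message in
+# the radius.log
+#
+# If the count attribute is Acct-Session-Time then on each
+# login we send back the remaining online time as a
+# Session-Timeout attribute ELSE and if the reply-name is
+# set, we send back that attribute. The reply-name attribute
+# MUST be of an integer type.
+#
+# The counter-name can also be used instead of using the check-name
+# like below:
+#
+# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
+# Reply-Message = "You've used up more than one hour today"
+#
+# The allowed-servicetype attribute can be used to only take
+# into account specific sessions. For example if a user first
+# logs in through a login menu and then selects ppp there will
+# be two sessions. One for Login-User and one for Framed-User
+# service type. We only need to take into account the second one.
+#
+# The module should be added in the instantiate, authorize and
+# accounting sections. Make sure that in the authorize
+# section it comes after any module which sets the
+# 'check-name' attribute.
+#
+counter daily {
+filename = ${db_dir}/db.daily
+key = User-Name
+count-attribute = Acct-Session-Time
+reset = daily
+counter-name = Daily-Session-Time
+check-name = Max-Daily-Session
+reply-name = Session-Timeout
+allowed-servicetype = Framed-User
+cache-size = 5000
+}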
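--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,25 @@
+# -*- text -*-
+#
+# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $
+
+#
+# Write Chargeable-User-Identity to the database.
+#
+# Schema raddb/sql/mysql/cui.sql
+# Queries raddb/sql/mysql/cui.conf
+#
+sql cui {
+database = "mysql"
+driver = "rlm_sql_${database}"
+server = "localhost"
+login = "db_login_name"
+password = "db_password"
+radius_db = "db_name"
+# sqltrace = yes
+# sqltracefile = ${logdir}/cuitrace.sql
+num_sql_socks = 5
+connect_failure_retry_delay = 60
+cui_table = "cui"
+sql_user_name = "%{User-Name}"
+#$INCLUDE sql/${database}/cui.conf
+}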
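Review bot: `login = "db_login_name"` and `password = "db_password"` in `sql cui` are placeholder database credentials sitting in cleartext in a tracked file; the real values should be supplied from the deployment's secret store (for example through an `$INCLUDE` of a file kept out of the repository) rather than edited into this block. With `#$INCLUDE sql/${database}/cui.conf` commented out the instance appears to define no queries, so if CUI is not in use the whole block can be left out, and if it is, the include presumably needs enabling along with the credential change.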
@ -0,0 +1,93 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $
|
||||
|
||||
# Write a detailed log of all accounting records received.
|
||||
#
|
||||
detail {
|
||||
# Note that we do NOT use NAS-IP-Address here, as
|
||||
# that attribute MAY BE from the originating NAS, and
|
||||
# NOT from the proxy which actually sent us the
|
||||
# request.
|
||||
#
|
||||
# The following line creates a new detail file for
|
||||
# every radius client (by IP address or hostname).
|
||||
# In addition, a new detail file is created every
|
||||
# day, so that the detail file doesn't have to go
|
||||
# through a 'log rotation'
|
||||
#
|
||||
# If your detail files are large, you may also want
|
||||
# to add a ':%H' (see doc/variables.txt) to the end
|
||||
# of it, to create a new detail file every hour, e.g.:
|
||||
#
|
||||
# ..../detail-%Y%m%d:%H
|
||||
#
|
||||
# This will create a new detail file for every hour.
|
||||
#
|
||||
# If you are reading detail files via the "listen" section
|
||||
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
|
||||
# you MUST use a unique directory for each combination of a
|
||||
# detail file writer, and reader. That is, there can only
|
||||
# be ONE "listen" section reading detail files from a
|
||||
# particular directory.
|
||||
#
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
|
||||
|
||||
#
|
||||
# If you are using radrelay, delete the above line for "detailfile",
|
||||
# and use this one instead:
|
||||
#
|
||||
# detailfile = ${radacctdir}/detail
|
||||
|
||||
#
|
||||
# The Unix-style permissions on the 'detail' file.
|
||||
#
|
||||
# The detail file often contains secret or private
|
||||
# information about users. So by keeping the file
|
||||
# permissions restrictive, we can prevent unwanted
|
||||
# people from seeing that information.
|
||||
detailperm = 0600
|
||||
|
||||
# The Unix group of the log file.
|
||||
#
|
||||
# The user that the server runs as must be in the specified
|
||||
# system group otherwise this will fail to work.
|
||||
#
|
||||
# group = freerad
|
||||
|
||||
#
|
||||
# Every entry in the detail file has a header which
|
||||
# is a timestamp. By default, we use the ctime
|
||||
# format (see "man ctime" for details).
|
||||
#
|
||||
# The header can be customized by editing this
|
||||
# string. See "doc/variables.txt" for a description
|
||||
# of what can be put here.
|
||||
#
|
||||
header = "%t"
|
||||
|
||||
#
|
||||
# Uncomment this line if the detail file reader will be
|
||||
# reading this detail file.
|
||||
#
|
||||
# locking = yes
|
||||
|
||||
#
|
||||
# Log the Packet src/dst IP/port. This is disabled by
|
||||
# default, as that information isn't used by many people.
|
||||
#
|
||||
# log_packet_header = yes
|
||||
|
||||
#
|
||||
# Certain attributes such as User-Password may be
|
||||
# "sensitive", so they should not be printed in the
|
||||
# detail file. This section lists the attributes
|
||||
# that should be suppressed.
|
||||
#
|
||||
# The attributes should be listed one to a line.
|
||||
#
|
||||
#suppress {
|
||||
# User-Password
|
||||
#}
|
||||
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# Detail file writer, used in the following examples:
|
||||
#
|
||||
# raddb/sites-available/robust-proxy-accounting
|
||||
# raddb/sites-available/decoupled-accounting
|
||||
#
|
||||
# Note that this module can write detail files that are read by
|
||||
# only ONE "listen" section. If you use BOTH of the examples
|
||||
# above, you will need to define TWO "detail" modules.
|
||||
#
|
||||
# e.g. detail1.example.com && detail2.example.com
|
||||
#
|
||||
#
|
||||
# We write *multiple* detail files here. They will be processed by
|
||||
# the detail "listen" section in the order that they were created.
|
||||
# The directory containing these files should NOT be used for any
|
||||
# other purposes. i.e. It should have NO other files in it.
|
||||
#
|
||||
# Writing multiple detail enables the server to process the pieces
|
||||
# in smaller chunks. This helps in certain catastrophic corner cases.
|
||||
#
|
||||
# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
|
||||
#
|
||||
detail detail.example.com {
|
||||
detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
|
||||
|
||||
#
|
||||
# More examples of doing detail logs.
|
||||
|
||||
#
|
||||
# Many people want to log authentication requests.
|
||||
# Rather than modifying the server core to print out more
|
||||
# messages, we can use a different instance of the 'detail'
|
||||
# module, to log the authentication requests to a file.
|
||||
#
|
||||
# You will also need to un-comment the 'auth_log' line
|
||||
# in the 'authorize' section, below.
|
||||
#
|
||||
detail auth_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
|
||||
|
||||
#
|
||||
# This MUST be 0600, otherwise anyone can read
|
||||
# the users passwords!
|
||||
detailperm = 0600
|
||||
|
||||
# You may also strip out passwords completely
|
||||
suppress {
|
||||
User-Password
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# This module logs authentication reply packets sent
|
||||
# to a NAS. Both Access-Accept and Access-Reject packets
|
||||
# are logged.
|
||||
#
|
||||
# You will also need to un-comment the 'reply_log' line
|
||||
# in the 'post-auth' section, below.
|
||||
#
|
||||
detail reply_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
|
||||
|
||||
detailperm = 0600
|
||||
}
|
||||
|
||||
#
|
||||
# This module logs packets proxied to a home server.
|
||||
#
|
||||
# You will also need to un-comment the 'pre_proxy_log' line
|
||||
# in the 'pre-proxy' section, below.
|
||||
#
|
||||
detail pre_proxy_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
|
||||
|
||||
#
|
||||
# This MUST be 0600, otherwise anyone can read
|
||||
# the users passwords!
|
||||
detailperm = 0600
|
||||
|
||||
# You may also strip out passwords completely
|
||||
#suppress {
|
||||
# User-Password
|
||||
#}
|
||||
}
|
||||
|
||||
#
|
||||
# This module logs response packets from a home server.
|
||||
#
|
||||
# You will also need to un-comment the 'post_proxy_log' line
|
||||
# in the 'post-proxy' section, below.
|
||||
#
|
||||
detail post_proxy_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
|
||||
|
||||
detailperm = 0600
|
||||
}
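Review bot: In `detail pre_proxy_log` the `suppress { User-Password }` block is left commented out although the comment two lines above warns that the file will otherwise contain users' passwords; for PAP requests being proxied, `User-Password` is written to disk in cleartext with `detailperm = 0600` as the only control. Uncomment the block (`suppress {` / `User-Password` / `}`) as `detail auth_log` already does, so file permissions are not the sole safeguard. The same question applies to `reply_log` and `post_proxy_log`, which have no `suppress` block at all; whether replies in this deployment carry key material (e.g. Tunnel-Password) should be checked before trusting 0600 alone.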
|
|
@ -0,0 +1,33 @@
|
|||
## Configuration for DHCP to use SQL IP Pools.
|
||||
##
|
||||
## See sqlippool.conf for common configuration explanation
|
||||
##
|
||||
## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
|
||||
|
||||
sqlippool dhcp_sqlippool {
|
||||
sql-instance-name = "sql"
|
||||
|
||||
ippool_table = "radippool"
|
||||
|
||||
lease-duration = 7200
|
||||
|
||||
# Client's MAC address is mapped to Calling-Station-Id in policy.conf
|
||||
pool-key = "%{Calling-Station-Id}"
|
||||
|
||||
# For now, it only works with MySQL.
|
||||
# This line is commented by default to enable clean startup when you
|
||||
# don't have freeradius-mysql installed. Uncomment this line if you
|
||||
# use this module.
|
||||
#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
|
||||
|
||||
sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
|
||||
|
||||
sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
}
|
|
@ -0,0 +1,13 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
|
||||
|
||||
#
|
||||
# The 'digest' module currently has no configuration.
|
||||
#
|
||||
# "Digest" authentication against a Cisco SIP server.
|
||||
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
|
||||
# on performing digest authentication for Cisco SIP servers.
|
||||
#
|
||||
digest {
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
|
||||
|
||||
# This module loads RADIUS clients as needed, rather than when the server
|
||||
# starts.
|
||||
#
|
||||
# There are no configuration entries for this module. Instead, it
|
||||
# relies on the "client" configuration. You must:
|
||||
#
|
||||
# 1) link raddb/sites-enabled/dyanmic_clients to
|
||||
# raddb/sites-available/dyanmic_clients
|
||||
#
|
||||
# 2) Define a client network/mask (see top of the above file)
|
||||
#
|
||||
# 3) uncomment the "directory" entry in that client definition
|
||||
#
|
||||
# 4) list "dynamic_clients" in the "authorize" section of the
|
||||
# "dynamic_clients' virtual server. The default example already
|
||||
# does this.
|
||||
#
|
||||
# 5) put files into the above directory, one per IP.
|
||||
# e.g. file "192.168.1.1" should contain a normal client definition
|
||||
# for a client with IP address 192.168.1.1.
|
||||
#
|
||||
# For more documentation, see the file:
|
||||
#
|
||||
# raddb/sites-available/dynamic-clients
|
||||
#
|
||||
dynamic_clients {
|
||||
|
||||
}
|
|
@ -0,0 +1,123 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $
|
||||
|
||||
#
|
||||
# This is a more general example of the execute module.
|
||||
#
|
||||
# This one is called "echo".
|
||||
#
|
||||
# Attribute-Name = `%{echo:/path/to/program args}`
|
||||
#
|
||||
# If you wish to execute an external program in more than
|
||||
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
|
||||
# is probably best to define a different instance of the
|
||||
# 'exec' module for every section.
|
||||
#
|
||||
# The return value of the program run determines the result
|
||||
# of the exec instance call as follows:
|
||||
# (See doc/configurable_failover for details)
|
||||
#
|
||||
# < 0 : fail the module failed
|
||||
# = 0 : ok the module succeeded
|
||||
# = 1 : reject the module rejected the user
|
||||
# = 2 : fail the module failed
|
||||
# = 3 : ok the module succeeded
|
||||
# = 4 : handled the module has done everything to handle the request
|
||||
# = 5 : invalid the user's configuration entry was invalid
|
||||
# = 6 : userlock the user was locked out
|
||||
# = 7 : notfound the user was not found
|
||||
# = 8 : noop the module did nothing
|
||||
# = 9 : updated the module updated information in the request
|
||||
# > 9 : fail the module failed
|
||||
#
|
||||
exec echo {
|
||||
#
|
||||
# Wait for the program to finish.
|
||||
#
|
||||
# If we do NOT wait, then the program is "fire and
|
||||
# forget", and any output attributes from it are ignored.
|
||||
#
|
||||
# If we are looking for the program to output
|
||||
# attributes, and want to add those attributes to the
|
||||
# request, then we MUST wait for the program to
|
||||
# finish, and therefore set 'wait=yes'
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
wait = yes
|
||||
|
||||
#
|
||||
# The name of the program to execute, and it's
|
||||
# arguments. Dynamic translation is done on this
|
||||
# field, so things like the following example will
|
||||
# work.
|
||||
#
|
||||
program = "/bin/echo %{User-Name}"
|
||||
|
||||
#
|
||||
# The attributes which are placed into the
|
||||
# environment variables for the program.
|
||||
#
|
||||
# Allowed values are:
|
||||
#
|
||||
# request attributes from the request
|
||||
# config attributes from the configuration items list
|
||||
# reply attributes from the reply
|
||||
# proxy-request attributes from the proxy request
|
||||
# proxy-reply attributes from the proxy reply
|
||||
#
|
||||
# Note that some attributes may not exist at some
|
||||
# stages. e.g. There may be no proxy-reply
|
||||
# attributes if this module is used in the
|
||||
# 'authorize' section.
|
||||
#
|
||||
input_pairs = request
|
||||
|
||||
#
|
||||
# Where to place the output attributes (if any) from
|
||||
# the executed program. The values allowed, and the
|
||||
# restrictions as to availability, are the same as
|
||||
# for the input_pairs.
|
||||
#
|
||||
output_pairs = reply
|
||||
|
||||
#
|
||||
# When to execute the program. If the packet
|
||||
# type does NOT match what's listed here, then
|
||||
# the module does NOT execute the program.
|
||||
#
|
||||
# For a list of allowed packet types, see
|
||||
# the 'dictionary' file, and look for VALUEs
|
||||
# of the Packet-Type attribute.
|
||||
#
|
||||
# By default, the module executes on ANY packet.
|
||||
# Un-comment out the following line to tell the
|
||||
# module to execute only if an Access-Accept is
|
||||
# being sent to the NAS.
|
||||
#
|
||||
#packet_type = Access-Accept
|
||||
|
||||
#
|
||||
# Should we escape the environment variables?
|
||||
#
|
||||
# If this is set, all the RADIUS attributes
|
||||
# are capitalised and dashes replaced with
|
||||
# underscores. Also, RADIUS values are surrounded
|
||||
# with double-quotes.
|
||||
#
|
||||
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
|
||||
shell_escape = yes
|
||||
|
||||
|
||||
#
|
||||
# How long should we wait for the program to finish?
|
||||
#
|
||||
# Default is 10 seconds, which should be plenty for nearly
|
||||
# anything. Range is 1 to 30 seconds. You are strongly
|
||||
# encouraged to NOT increase this value. Decreasing can
|
||||
# be used to cause authentication to fail sooner when you
|
||||
# know it's going to fail anyway due to the time taken,
|
||||
# thereby saving resources.
|
||||
#
|
||||
#timeout = 10
|
||||
}
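Review bot: `program = "/bin/echo %{User-Name}"` places an attribute taken straight from the Access-Request on the command line, and `output_pairs = reply` feeds whatever the program prints back into the reply; `shell_escape = yes` is the setting that keeps that expansion from being read as extra arguments, so the two lines are coupled but nothing in the file says so. Add above `program`: `# %{User-Name} is client-supplied; shell_escape = yes below MUST stay set so the expansion cannot inject arguments`. If this instance is ever listed in a virtual server, `#timeout = 10` should also be made explicit so the bound on `wait = yes` is visible to the next maintainer.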
|
|
@ -0,0 +1,28 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
|
||||
|
||||
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
|
||||
# attribute for every group that the user is member of.
|
||||
#
|
||||
# You will have to define the Etc-Group-Name in the 'dictionary' file
|
||||
# as a 'string' type.
|
||||
#
|
||||
# The Group and Group-Name attributes are automatically created by
|
||||
# the Unix module, and do checking against /etc/group automatically.
|
||||
# This means that you CANNOT use Group or Group-Name to do any other
|
||||
# kind of grouping in the server. You MUST define a new group
|
||||
# attribute.
|
||||
#
|
||||
# i.e. this module should NOT be used as-is, but should be edited to
|
||||
# point to a different group file.
|
||||
#
|
||||
passwd etc_group {
|
||||
filename = /etc/group
|
||||
format = "=Etc-Group-Name:::*,User-Name"
|
||||
hashsize = 50
|
||||
ignorenislike = yes
|
||||
allowmultiplekeys = yes
|
||||
delimiter = ":"
|
||||
}
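Review bot: `passwd etc_group` is added with `filename = /etc/group` even though its own header states the module should NOT be used as-is and should point at a different group file; if this instance is referenced from any virtual server it will surface the RADIUS host's local group membership as `Etc-Group-Name` in the request flow. Either point `filename` at a purpose-built group file or add an explicit marker such as `# unused: not referenced from any virtual server — do not enable without changing filename` so a later reader does not wire it in unchanged.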
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
|
||||
|
||||
#
|
||||
# Execute external programs
|
||||
#
|
||||
# This module is useful only for 'xlat'. To use it,
|
||||
# put 'exec' into the 'instantiate' section. You can then
|
||||
# do dynamic translation of attributes like:
|
||||
#
|
||||
# Attribute-Name = `%{exec:/path/to/program args}`
|
||||
#
|
||||
# The value of the attribute will be replaced with the output
|
||||
# of the program which is executed. Due to RADIUS protocol
|
||||
# limitations, any output over 253 bytes will be ignored.
|
||||
#
|
||||
# The RADIUS attributes from the user request will be placed
|
||||
# into environment variables of the executed program, as
|
||||
# described in "man unlang" and in doc/variables.txt
|
||||
#
|
||||
# See also "echo" for more sample configuration.
|
||||
#
|
||||
exec {
|
||||
wait = no
|
||||
input_pairs = request
|
||||
shell_escape = yes
|
||||
output = none
|
||||
timeout = 10
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
|
||||
|
||||
#
|
||||
# The expiration module. This handles the Expiration attribute
|
||||
# It should be included in the *end* of the authorize section
|
||||
# in order to handle user Expiration. It should also be included
|
||||
# in the instantiate section in order to register the Expiration
|
||||
# compare function
|
||||
#
|
||||
expiration {
|
||||
#
|
||||
# The Reply-Message which will be sent back in case the
|
||||
# account has expired. Dynamic substitution is supported
|
||||
#
|
||||
reply-message = "Password Has Expired\r\n"
|
||||
#reply-message = "Your account has expired, %{User-Name}\r\n"
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $
|
||||
|
||||
#
|
||||
# The 'expression' module currently has no configuration.
|
||||
#
|
||||
# This module is useful only for 'xlat'. To use it,
|
||||
# put 'expr' into the 'instantiate' section. You can then
|
||||
# do dynamic translation of attributes like:
|
||||
#
|
||||
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
|
||||
#
|
||||
# The value of the attribute will be replaced with the output
|
||||
# of the program which is executed. Due to RADIUS protocol
|
||||
# limitations, any output over 253 bytes will be ignored.
|
||||
#
|
||||
# The module also registers a few paircompare functions
|
||||
expr {
|
||||
}
|
|
@ -0,0 +1,46 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $
|
||||
|
||||
# Livingston-style 'users' file
|
||||
#
|
||||
files {
|
||||
# The default key attribute to use for matches. The content
|
||||
# of this attribute is used to match the "name" of the
|
||||
# entry.
|
||||
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||
|
||||
usersfile = ${confdir}/users
|
||||
acctusersfile = ${confdir}/acct_users
|
||||
preproxy_usersfile = ${confdir}/preproxy_users
|
||||
|
||||
# If you want to use the old Cistron 'users' file
|
||||
# with FreeRADIUS, you should change the next line
|
||||
# to 'compat = cistron'. You can the copy your 'users'
|
||||
# file from Cistron.
|
||||
compat = no
|
||||
}
|
||||
|
||||
# An example which defines a second instance of the "files" module.
|
||||
# This instance is named "second_files". In order for it to be used
|
||||
# in a virtual server, it needs to be listed as "second_files"
|
||||
# inside of the "authorize" section (or other section). If you just
|
||||
# list "files", that will refer to the configuration defined above.
|
||||
#
|
||||
|
||||
# The two names here mean:
|
||||
# "files" - this is a configuration for the "rlm_files" module
|
||||
# "second_files" - this is a named configuration, which isn't
|
||||
# the default configuration.
|
||||
files second_files {
|
||||
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||
|
||||
# The names here don't matter. They just need to be different
|
||||
# from the names for the "files" configuration above. If they
|
||||
# are the same, then this configuration will end up being the
|
||||
# same as the one above.
|
||||
usersfile = ${confdir}/second_users
|
||||
acctusersfile = ${confdir}/second_acct_users
|
||||
preproxy_usersfile = ${confdir}/second_preproxy_users
|
||||
}
|
||||
|
|
@ -0,0 +1,161 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
|
||||
|
||||
#
|
||||
# Sample configuration for an EAP module that occurs *inside*
|
||||
# of a tunneled method. It is used to limit the EAP types that
|
||||
# can occur inside of the inner tunnel.
|
||||
#
|
||||
# See also raddb/sites-available/inner-tunnel
|
||||
#
|
||||
# To use this module, edit raddb/sites-available/inner-tunnel, and
|
||||
# replace the references to "eap" with "inner-eap".
|
||||
#
|
||||
# See raddb/eap.conf for full documentation on the meaning of the
|
||||
# configuration entries here.
|
||||
#
|
||||
eap inner-eap {
|
||||
# This is the best choice for PEAP.
|
||||
default_eap_type = mschapv2
|
||||
timer_expire = 60
|
||||
|
||||
# This should be the same as the outer eap "max sessions"
|
||||
max_sessions = 2048
|
||||
|
||||
# Supported EAP-types
|
||||
md5 {
|
||||
}
|
||||
|
||||
gtc {
|
||||
# The default challenge, which many clients
|
||||
# ignore..
|
||||
#challenge = "Password: "
|
||||
|
||||
auth_type = PAP
|
||||
}
|
||||
|
||||
mschapv2 {
|
||||
}
|
||||
|
||||
# No TTLS or PEAP configuration should be listed here.
|
||||
|
||||
## EAP-TLS
|
||||
#
|
||||
# You SHOULD use different certificates than are used
|
||||
# for the outer EAP configuration!
|
||||
#
|
||||
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
|
||||
#
|
||||
tls {
|
||||
#
|
||||
# These is used to simplify later configurations.
|
||||
#
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
|
||||
private_key_password = whatever
|
||||
private_key_file = ${certdir}/server.pem
|
||||
|
||||
# If Private key & Certificate are located in
|
||||
# the same file, then private_key_file &
|
||||
# certificate_file must contain the same file
|
||||
# name.
|
||||
#
|
||||
# If CA_file (below) is not used, then the
|
||||
# certificate_file below MUST include not
|
||||
# only the server certificate, but ALSO all
|
||||
# of the CA certificates used to sign the
|
||||
# server certificate.
|
||||
certificate_file = ${certdir}/server.pem
|
||||
|
||||
# Trusted Root CA list
|
||||
#
|
||||
# ALL of the CA's in this list will be trusted
|
||||
# to issue client certificates for authentication.
|
||||
#
|
||||
# In general, you should use self-signed
|
||||
# certificates for 802.1x (EAP) authentication.
|
||||
# In that case, this CA file should contain
|
||||
# *one* CA certificate.
|
||||
#
|
||||
# This parameter is used only for EAP-TLS,
|
||||
# when you issue client certificates. If you do
|
||||
# not use client certificates, and you do not want
|
||||
# to permit EAP-TLS authentication, then delete
|
||||
# this configuration item.
|
||||
CA_file = ${cadir}/ca.pem
|
||||
|
||||
#
|
||||
# For DH cipher suites to work, you have to
|
||||
# run OpenSSL to create the DH file first:
|
||||
#
|
||||
# openssl dhparam -out certs/dh 1024
|
||||
#
|
||||
dh_file = ${certdir}/dh
|
||||
random_file = ${certdir}/random
|
||||
|
||||
#
|
||||
# This can never exceed the size of a RADIUS
|
||||
# packet (4096 bytes), and is preferably half
|
||||
# that, to accomodate other attributes in
|
||||
# RADIUS packet. On most APs the MAX packet
|
||||
# length is configured between 1500 - 1600
|
||||
# In these cases, fragment size should be
|
||||
# 1024 or less.
|
||||
#
|
||||
# fragment_size = 1024
|
||||
|
||||
# include_length is a flag which is
|
||||
# by default set to yes If set to
|
||||
# yes, Total Length of the message is
|
||||
# included in EVERY packet we send.
|
||||
# If set to no, Total Length of the
|
||||
# message is included ONLY in the
|
||||
# First packet of a fragment series.
|
||||
#
|
||||
# include_length = yes
|
||||
|
||||
# Check the Certificate Revocation List
|
||||
#
|
||||
# 1) Copy CA certificates and CRLs to same directory.
|
||||
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||
# 'c_rehash' is OpenSSL's command.
|
||||
# 3) uncomment the line below.
|
||||
# 5) Restart radiusd
|
||||
# check_crl = yes
|
||||
# CA_path = /path/to/directory/with/ca_certs/and/crls/
|
||||
|
||||
#
|
||||
# If check_cert_issuer is set, the value will
|
||||
# be checked against the DN of the issuer in
|
||||
# the client certificate. If the values do not
|
||||
# match, the cerficate verification will fail,
|
||||
# rejecting the user.
|
||||
#
|
||||
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||
|
||||
#
|
||||
# If check_cert_cn is set, the value will
|
||||
# be xlat'ed and checked against the CN
|
||||
# in the client certificate. If the values
|
||||
# do not match, the certificate verification
|
||||
# will fail rejecting the user.
|
||||
#
|
||||
# This check is done only if the previous
|
||||
# "check_cert_issuer" is not set, or if
|
||||
# the check succeeds.
|
||||
#
|
||||
# check_cert_cn = %{User-Name}
|
||||
#
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
cipher_list = "DEFAULT"
|
||||
|
||||
#
|
||||
# The session resumption / fast reauthentication
|
||||
# cache CANNOT be used for inner sessions.
|
||||
#
|
||||
}
|
||||
}
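Review bot: `private_key_password = whatever` is the upstream sample passphrase committed unchanged for the inner-tunnel TLS key; either the key is unencrypted and the line should be removed, or a real passphrase is required and it belongs in the secrets store rather than in this file. The DH instructions above `dh_file` (`openssl dhparam -out certs/dh 1024`) produce a 1024-bit group, below the 2048-bit floor current guidance expects; change the comment to `openssl dhparam -out certs/dh 2048`. The header says these certificates SHOULD differ from the outer EAP ones, yet `private_key_file` and `certificate_file` both point at `${certdir}/server.pem`, which looks like the same default the outer configuration uses — confirm that sharing is intended. `cipher_list = "DEFAULT"` also leaves suite selection to whatever OpenSSL is linked, which is worth stating in a comment.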
|
|
@ -0,0 +1,75 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
|
||||
|
||||
# Do server side ip pool management. Should be added in
|
||||
# post-auth and accounting sections.
|
||||
#
|
||||
# The module also requires the existance of the Pool-Name
|
||||
# attribute. That way the administrator can add the Pool-Name
|
||||
# attribute in the user profiles and use different pools for
|
||||
# different users. The Pool-Name attribute is a *check* item
|
||||
# not a reply item.
|
||||
#
|
||||
# The Pool-Name should be set to the ippool module instance
|
||||
# name or to DEFAULT to match any module.
|
||||
|
||||
#
|
||||
# Example:
|
||||
# radiusd.conf: ippool students { [...] }
|
||||
# ippool teachers { [...] }
|
||||
# users file : DEFAULT Group == students, Pool-Name := "students"
|
||||
# DEFAULT Group == teachers, Pool-Name := "teachers"
|
||||
# DEFAULT Group == other, Pool-Name := "DEFAULT"
|
||||
#
|
||||
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
|
||||
# ********* THEN ERASE THE DB FILES *********
|
||||
#
|
||||
ippool main_pool {
|
||||
|
||||
# range-start,range-stop:
|
||||
# The start and end ip addresses for this pool.
|
||||
range-start = 192.168.1.1
|
||||
range-stop = 192.168.3.254
|
||||
|
||||
# netmask:
|
||||
# The network mask used for this pool.
|
||||
netmask = 255.255.255.0
|
||||
|
||||
# cache-size:
|
||||
# The gdbm cache size for the db files. Should
|
||||
# be equal to the number of ip's available in
|
||||
# the ip pool
|
||||
cache-size = 800
|
||||
|
||||
# session-db:
|
||||
# The main db file used to allocate addresses.
|
||||
session-db = ${db_dir}/db.ippool
|
||||
|
||||
# ip-index:
|
||||
# Helper db index file used in multilink
|
||||
ip-index = ${db_dir}/db.ipindex
|
||||
|
||||
# override:
|
||||
# If set, the Framed-IP-Address already in the
|
||||
# reply (if any) will be discarded, and replaced
|
||||
# with a Framed-IP-Address assigned here.
|
||||
override = no
|
||||
|
||||
# maximum-timeout:
|
||||
# Specifies the maximum time in seconds that an
|
||||
# entry may be active. If set to zero, means
|
||||
# "no timeout". The default value is 0
|
||||
maximum-timeout = 0
|
||||
|
||||
# key:
|
||||
# The key to use for the session database (which
|
||||
# holds the allocated ip's) normally it should
|
||||
# just be the nas ip/port (which is the default).
|
||||
#
|
||||
# If your NAS sends the same value of NAS-Port
|
||||
# all requests, the key should be based on some
|
||||
# other attribute that is in ALL requests, AND
|
||||
# is unique to each machine needing an IP address.
|
||||
#key = "%{NAS-IP-Address} %{NAS-Port}"
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
|
||||
|
||||
#
|
||||
# Kerberos. See doc/rlm_krb5 for minimal docs.
|
||||
#
|
||||
krb5 {
|
||||
keytab = /path/to/keytab
|
||||
service_principal = name_of_principle
|
||||
}
|
|
@ -0,0 +1,197 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
|
||||
|
||||
# Lightweight Directory Access Protocol (LDAP)
|
||||
#
|
||||
# This module definition allows you to use LDAP for
|
||||
# authorization and authentication.
|
||||
#
|
||||
# See raddb/sites-available/default for reference to the
|
||||
# ldap module in the authorize and authenticate sections.
|
||||
#
|
||||
# However, LDAP can be used for authentication ONLY when the
|
||||
# Access-Request packet contains a clear-text User-Password
|
||||
# attribute. LDAP authentication will NOT work for any other
|
||||
# authentication method.
|
||||
#
|
||||
# This means that LDAP servers don't understand EAP. If you
|
||||
# force "Auth-Type = LDAP", and then send the server a
|
||||
# request containing EAP authentication, then authentication
|
||||
# WILL NOT WORK.
|
||||
#
|
||||
# The solution is to use the default configuration, which does
|
||||
# work.
|
||||
#
|
||||
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
|
||||
# really can't emphasize this enough.
|
||||
#
|
||||
ldap {
|
||||
#
|
||||
# Note that this needs to match the name in the LDAP
|
||||
# server certificate, if you're using ldaps.
|
||||
server = "ldap.your.domain"
|
||||
#identity = "cn=admin,o=My Org,c=UA"
|
||||
#password = mypass
|
||||
basedn = "o=My Org,c=UA"
|
||||
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
|
||||
#base_filter = "(objectclass=radiusprofile)"
|
||||
|
||||
# How many connections to keep open to the LDAP server.
|
||||
# This saves time over opening a new LDAP socket for
|
||||
# every authentication request.
|
||||
ldap_connections_number = 5
|
||||
|
||||
# How many times the connection can be used before
|
||||
# being re-established. This is useful for things
|
||||
# like load balancers, which may exhibit sticky
|
||||
# behaviour without it. (0) is unlimited.
|
||||
max_uses = 0
|
||||
|
||||
# Port to connect on, defaults to 389. Setting this to
|
||||
# 636 will enable LDAPS if start_tls (see below) is not
|
||||
# able to be used.
|
||||
#port = 389
|
||||
|
||||
# seconds to wait for LDAP query to finish. default: 20
|
||||
timeout = 4
|
||||
|
||||
# seconds LDAP server has to process the query (server-side
|
||||
# time limit). default: 20
|
||||
#
|
||||
# LDAP_OPT_TIMELIMIT is set to this value.
|
||||
timelimit = 3
|
||||
|
||||
#
|
||||
# seconds to wait for response of the server. (network
|
||||
# failures) default: 10
|
||||
#
|
||||
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
||||
net_timeout = 1
|
||||
|
||||
#
|
||||
# This subsection configures the tls related items
|
||||
# that control how FreeRADIUS connects to an LDAP
|
||||
# server. It contains all of the "tls_*" configuration
|
||||
# entries used in older versions of FreeRADIUS. Those
|
||||
# configuration entries can still be used, but we recommend
|
||||
# using these.
|
||||
#
|
||||
tls {
|
||||
# Set this to 'yes' to use TLS encrypted connections
|
||||
# to the LDAP database by using the StartTLS extended
|
||||
# operation.
|
||||
#
|
||||
# The StartTLS operation is supposed to be
|
||||
# used with normal ldap connections instead of
|
||||
# using ldaps (port 636) connections
|
||||
start_tls = no
|
||||
|
||||
# cacertfile = /path/to/cacert.pem
|
||||
# cacertdir = /path/to/ca/dir/
|
||||
# certfile = /path/to/radius.crt
|
||||
# keyfile = /path/to/radius.key
|
||||
# randfile = /path/to/rnd
|
||||
|
||||
# Certificate Verification requirements. Can be:
|
||||
# "never" (don't even bother trying)
|
||||
# "allow" (try, but don't fail if the cerificate
|
||||
# can't be verified)
|
||||
# "demand" (fail if the certificate doesn't verify.)
|
||||
#
|
||||
# The default is "allow"
|
||||
# require_cert = "demand"
|
||||
}
|
||||
|
||||
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
|
||||
# profile_attribute = "radiusProfileDn"
|
||||
# access_attr = "dialupAccess"
|
||||
|
||||
# Mapping of RADIUS dictionary attributes to LDAP
|
||||
# directory attributes.
|
||||
dictionary_mapping = ${confdir}/ldap.attrmap
|
||||
|
||||
# Set password_attribute = nspmPassword to get the
|
||||
# user's password from a Novell eDirectory
|
||||
# backend. This will work ONLY IF FreeRADIUS has been
|
||||
# built with the --with-edir configure option.
|
||||
#
|
||||
# See also the following links:
|
||||
#
|
||||
# http://www.novell.com/coolsolutions/appnote/16745.html
|
||||
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
|
||||
#
|
||||
# Novell may require TLS encrypted sessions before returning
|
||||
# the user's password.
|
||||
#
|
||||
# password_attribute = userPassword
|
||||
|
||||
# Un-comment the following to disable Novell
|
||||
# eDirectory account policy check and intruder
|
||||
# detection. This will work *only if* FreeRADIUS is
|
||||
# configured to build with --with-edir option.
|
||||
#
|
||||
edir_account_policy_check = no
|
||||
|
||||
#
|
||||
# Group membership checking. Disabled by default.
|
||||
#
|
||||
# groupname_attribute = cn
|
||||
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
|
||||
# groupmembership_attribute = radiusGroupName
|
||||
|
||||
# compare_check_items = yes
|
||||
# do_xlat = yes
|
||||
# access_attr_used_for_allow = yes
|
||||
|
||||
#
|
||||
# The following two configuration items are for Active Directory
|
||||
# compatibility. If you see the helpful "operations error"
|
||||
# being returned to the LDAP module, uncomment the next
|
||||
# two lines.
|
||||
#
|
||||
# chase_referrals = yes
|
||||
# rebind = yes
|
||||
|
||||
#
|
||||
# By default, if the packet contains a User-Password,
|
||||
# and no other module is configured to handle the
|
||||
# authentication, the LDAP module sets itself to do
|
||||
# LDAP bind for authentication.
|
||||
#
|
||||
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
|
||||
#
|
||||
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
|
||||
#
|
||||
# You can disable this behavior by setting the following
|
||||
# configuration entry to "no".
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
# set_auth_type = yes
|
||||
|
||||
# ldap_debug: debug flag for LDAP SDK
|
||||
# (see OpenLDAP documentation). Set this to enable
|
||||
# huge amounts of LDAP debugging on the screen.
|
||||
# You should only use this if you are an LDAP expert.
|
||||
#
|
||||
# default: 0x0000 (no debugging messages)
|
||||
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
||||
#ldap_debug = 0x0028
|
||||
|
||||
#
|
||||
# Keepalive configuration. This MAY NOT be supported by your
|
||||
# LDAP library. If these configuration entries appear in the
|
||||
# output of "radiusd -X", then they are supported. Otherwise,
|
||||
# they are unsupported, and changing them will do nothing.
|
||||
#
|
||||
keepalive {
|
||||
# LDAP_OPT_X_KEEPALIVE_IDLE
|
||||
idle = 60
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_PROBES
|
||||
probes = 3
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_INTERVAL
|
||||
interval = 3
|
||||
}
|
||||
}
|
|
@ -0,0 +1,105 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
|
||||
|
||||
#
|
||||
# The "linelog" module will log one line of text to a file.
|
||||
# Both the filename and the line of text are dynamically expanded.
|
||||
#
|
||||
# We STRONGLY suggest that you do not use data from the
|
||||
# packet as part of the filename.
|
||||
#
|
||||
linelog {
|
||||
#
|
||||
# The file where the logs will go.
|
||||
#
|
||||
# If the filename is "syslog", then the log messages will
|
||||
# go to syslog.
|
||||
filename = ${logdir}/linelog
|
||||
|
||||
#
|
||||
# The Unix-style permissions on the log file.
|
||||
#
|
||||
# Depending on format string, the log file may contain secret or
|
||||
# private information about users. Keep the file permissions as
|
||||
# restrictive as possible.
|
||||
permissions = 0600
|
||||
|
||||
#
|
||||
# The Unix group of the log file.
|
||||
#
|
||||
# The user that freeradius runs as must be in the specified
|
||||
# group, otherwise it will not be possible to set the group.
|
||||
#
|
||||
# group = freerad
|
||||
|
||||
#
|
||||
# If logging via syslog, the facility can be set here. Otherwise
|
||||
# the syslog_facility option in radiusd.conf will be used.
|
||||
#
|
||||
# syslog_facility = daemon
|
||||
|
||||
#
|
||||
# The default format string.
|
||||
format = "This is a log message for %{User-Name}"
|
||||
|
||||
#
|
||||
# This next line can be omitted. If it is omitted, then
|
||||
# the log message is static, and is always given by "format",
|
||||
# above.
|
||||
#
|
||||
# If it is defined, then the string is dynamically expanded,
|
||||
# and the result is used to find another configuration entry
|
||||
# here, with the given name. That name is then used as the
|
||||
# format string.
|
||||
#
|
||||
# If the configuration entry cannot be found, then no log
|
||||
# message is printed.
|
||||
#
|
||||
# i.e. You can have many log messages in one "linelog" module.
|
||||
# If this two-step expansion did not exist, you would have
|
||||
# needed to configure one "linelog" module for each log message.
|
||||
|
||||
#
|
||||
# Reference the Packet-Type (Access-Request, etc.) If it doesn't
|
||||
# exist, reference the "format" entry, above.
|
||||
reference = "%{%{Packet-Type}:-format}"
|
||||
|
||||
#
|
||||
# Followed by a series of log messages.
|
||||
Access-Request = "Requested access: %{User-Name}"
|
||||
Access-Reject = "Rejected access: %{User-Name}"
|
||||
Access-Challenge = "Sent challenge: %{User-Name}"
|
||||
|
||||
#
|
||||
# The log messages can be grouped into sections and
|
||||
# sub-sections, too. The "reference" item needs to have a "."
|
||||
# for every section. e.g. reference = foo.bar will reference
|
||||
# the "foo" section, "bar" configuration item.
|
||||
#
|
||||
|
||||
#
|
||||
# Used if: reference = "foo.bar".
|
||||
foo {
|
||||
bar = "Example log. Please ignore"
|
||||
}
|
||||
|
||||
#
|
||||
# Another example:
|
||||
# reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
|
||||
#
|
||||
Accounting-Request {
|
||||
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
||||
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
||||
|
||||
# Don't log anything for these packets.
|
||||
Alive = ""
|
||||
|
||||
Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
|
||||
Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
||||
|
||||
# don't log anything for other Acct-Status-Types.
|
||||
unknown = ""
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
|
||||
|
||||
# The logintime module. This handles the Login-Time,
|
||||
# Current-Time, and Time-Of-Day attributes. It should be
|
||||
# included in the *end* of the authorize section in order to
|
||||
# handle Login-Time checks. It should also be included in the
|
||||
# instantiate section in order to register the Current-Time
|
||||
# and Time-Of-Day comparison functions.
|
||||
#
|
||||
# When the Login-Time attribute is set to some value, and the
|
||||
# user has bene permitted to log in, a Session-Timeout is
|
||||
# calculated based on the remaining time. See "doc/README".
|
||||
#
|
||||
logintime {
|
||||
#
|
||||
# The Reply-Message which will be sent back in case
|
||||
# the account is calling outside of the allowed
|
||||
# timespan. Dynamic substitution is supported.
|
||||
#
|
||||
reply-message = "You are calling outside your allowed timespan\r\n"
|
||||
#reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
|
||||
|
||||
# The minimum timeout (in seconds) a user is allowed
|
||||
# to have. If the calculated timeout is lower we don't
|
||||
# allow the logon. Some NASes do not handle values
|
||||
# lower than 60 seconds well.
|
||||
minimum-timeout = 60
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# This next section is a sample configuration for the "passwd"
|
||||
# module, that reads flat-text files.
|
||||
#
|
||||
# The file is in the format <mac>,<ip>
|
||||
#
|
||||
# 00:01:02:03:04:05,192.168.1.100
|
||||
# 01:01:02:03:04:05,192.168.1.101
|
||||
# 02:01:02:03:04:05,192.168.1.102
|
||||
#
|
||||
# This lets you perform simple static IP assignments from a flat-text
|
||||
# file. You will have to define lease times yourself.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
passwd mac2ip {
|
||||
filename = ${confdir}/mac2ip
|
||||
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
|
||||
delimiter = ","
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
|
||||
|
||||
# A simple file to map a MAC address to a VLAN.
|
||||
#
|
||||
# The file should be in the format MAC,VLAN
|
||||
# the VLAN name cannot have spaces in it, for example:
|
||||
#
|
||||
# 00:01:02:03:04:05,VLAN1
|
||||
# 03:04:05:06:07:08,VLAN2
|
||||
# ...
|
||||
#
|
||||
passwd mac2vlan {
|
||||
filename = ${confdir}/mac2vlan
|
||||
format = "*VMPS-Mac:=VMPS-VLAN-Name"
|
||||
delimiter = ","
|
||||
}
|
|
@ -0,0 +1,87 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
|
||||
|
||||
# Microsoft CHAP authentication
|
||||
#
|
||||
# This module supports MS-CHAP and MS-CHAPv2 authentication.
|
||||
# It also enforces the SMB-Account-Ctrl attribute.
|
||||
#
|
||||
mschap {
|
||||
#
|
||||
# If you are using /etc/smbpasswd, see the 'passwd'
|
||||
# module for an example of how to use /etc/smbpasswd
|
||||
|
||||
# if use_mppe is not set to no mschap will
|
||||
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
|
||||
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
|
||||
#
|
||||
# use_mppe = no
|
||||
|
||||
# if mppe is enabled require_encryption makes
|
||||
# encryption moderate
|
||||
#
|
||||
# require_encryption = yes
|
||||
|
||||
# require_strong always requires 128 bit key
|
||||
# encryption
|
||||
#
|
||||
# require_strong = yes
|
||||
|
||||
# Windows sends us a username in the form of
|
||||
# DOMAIN\user, but sends the challenge response
|
||||
# based on only the user portion. This hack
|
||||
# corrects for that incorrect behavior.
|
||||
#
|
||||
# with_ntdomain_hack = no
|
||||
|
||||
# The module can perform authentication itself, OR
|
||||
# use a Windows Domain Controller. This configuration
|
||||
# directive tells the module to call the ntlm_auth
|
||||
# program, which will do the authentication, and return
|
||||
# the NT-Key. Note that you MUST have "winbindd" and
|
||||
# "nmbd" running on the local machine for ntlm_auth
|
||||
# to work. See the ntlm_auth program documentation
|
||||
# for details.
|
||||
#
|
||||
# If ntlm_auth is configured below, then the mschap
|
||||
# module will call ntlm_auth for every MS-CHAP
|
||||
# authentication request. If there is a cleartext
|
||||
# or NT hashed password available, you can set
|
||||
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
|
||||
# and the mschap module will do the authentication itself,
|
||||
# without calling ntlm_auth.
|
||||
#
|
||||
# Be VERY careful when editing the following line!
|
||||
#
|
||||
# You can also try setting the user name as:
|
||||
#
|
||||
# ... --username=%{mschap:User-Name} ...
|
||||
#
|
||||
# In that case, the mschap module will look at the User-Name
|
||||
# attribute, and do prefix/suffix checks in order to obtain
|
||||
# the "best" user name for the request.
|
||||
#
|
||||
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
|
||||
|
||||
# The default is to wait 10 seconds for ntlm_auth to
|
||||
# complete. This is a long time, and if it's taking that
|
||||
# long then you likely have other problems in your domain.
|
||||
# The length of time can be decreased with the following
|
||||
# option, which can save clients waiting if your ntlm_auth
|
||||
# usually finishes quicker. Range 1 to 10 seconds.
|
||||
#
|
||||
# ntlm_auth_timeout = 10
|
||||
|
||||
# For Apple Server, when running on the same machine as
|
||||
# Open Directory. It has no effect on other systems.
|
||||
#
|
||||
# use_open_directory = yes
|
||||
|
||||
# On failure, set (or not) the MS-CHAP error code saying
|
||||
# "retries allowed".
|
||||
# allow_retry = yes
|
||||
|
||||
# An optional retry message.
|
||||
# retry_msg = "Re-enter (or reset) the password"
|
||||
}
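Review bot: `require_encryption` and `require_strong` are left commented out at their defaults, so while `use_mppe` (also at its default) still hands MPPE keys to the NAS, the NAS is not told that encryption is mandatory or that a 128-bit key is required; if encrypted tunnels are the intent for MS-CHAP clients, uncomment `require_encryption = yes` and `require_strong = yes`. As far as I can tell the file is otherwise an unmodified upstream default (the `$Id:` line is retained), so a one-line header comment such as `# copied from upstream raddb; only MPPE settings reviewed` would tell the next reader what has actually been looked at.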
|
|
@ -0,0 +1,12 @@
|
|||
#
|
||||
# For testing ntlm_auth authentication with PAP.
|
||||
#
|
||||
# If you have problems with authentication failing, even when the
|
||||
# password is good, it may be a bug in Samba:
|
||||
#
|
||||
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||
#
|
||||
exec ntlm_auth {
|
||||
wait = yes
|
||||
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
|
||||
}
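Review bot: The `program` line passes the clear-text `%{User-Password}` to the child process as a command-line argument, so for the lifetime of each ntlm_auth run it is readable by any local user via the process list (`ps`, `/proc/<pid>/cmdline`). The header says this instance is for testing and the `/path/to/ntlm_auth` and `--domain=MYDOMAIN` placeholders suggest it is not wired into an `authenticate` section yet, but nothing in the file says so; a comment like `# NOTE: exposes User-Password in the process list; do not reference this instance from a production authenticate section.` would stop it being enabled as-is. If PAP-to-NTLM is really needed, the `ntlm_auth` setting of the `mschap` module above is the path that keeps the clear-text password out of argv.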
|
|
@ -0,0 +1,13 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
|
||||
|
||||
# This module is only used when the server is running on the same
|
||||
# system as OpenDirectory. The configuration of the module is hard-coded
|
||||
# by Apple, and cannot be changed here.
|
||||
#
|
||||
# There are no configuration entries for this module.
|
||||
#
|
||||
opendirectory {
|
||||
|
||||
}
|
|
@ -0,0 +1,78 @@
|
|||
#
|
||||
# Configuration for the OTP module.
|
||||
#
|
||||
|
||||
# This module allows you to use various handheld OTP tokens
|
||||
# for authentication (Auth-Type := otp). These tokens are
|
||||
# available from various vendors.
|
||||
#
|
||||
# It works in conjunction with otpd, which implements token
|
||||
# management and OTP verification functions; and lsmd or gsmd,
|
||||
# which implements synchronous state management functions.
|
||||
# otpd, lsmd and gsmd are available from TRI-D Systems:
|
||||
# <http://www.tri-dsystems.com/>
|
||||
|
||||
# You must list this module in BOTH the authorize and authenticate
|
||||
# sections in order to use it.
|
||||
otp {
|
||||
# otpd rendezvous point.
|
||||
# (default: /var/run/otpd/socket)
|
||||
#otpd_rp = /var/run/otpd/socket
|
||||
|
||||
# Text to use for the challenge. The '%' character is
|
||||
# disallowed, except that you MUST have a single "%s"
|
||||
# sequence in the string; the challenge itself is
|
||||
# inserted there. (default "Challenge: %s\n Response: ")
|
||||
#challenge_prompt = "Challenge: %s\n Response: "
|
||||
|
||||
# Length of the challenge. Most tokens probably support a
|
||||
# max of 8 digits. (range: 5-32 digits, default 6)
|
||||
#challenge_length = 6
|
||||
|
||||
# Maximum time, in seconds, that a challenge is valid.
|
||||
# (The user must respond to a challenge within this time.)
|
||||
# It is also the minimal time between consecutive async mode
|
||||
# authentications, a necessary restriction due to an inherent
|
||||
# weakness of the RADIUS protocol which allows replay attacks.
|
||||
# (default: 30)
|
||||
#challenge_delay = 30
|
||||
|
||||
# Whether or not to allow asynchronous ("pure" challenge/
|
||||
# response) mode authentication. Since sync mode is much more
|
||||
# usable, and all reasonable tokens support it, the typical
|
||||
# use of async mode is to allow resync of event based tokens.
|
||||
# But because of the vulnerability of async mode with some tokens,
|
||||
# you probably want to disable this and require that out-of-sync
|
||||
# users resync from specifically secured terminals.
|
||||
# See the otpd docs for more info.
|
||||
# (default: no)
|
||||
#allow_async = no
|
||||
|
||||
# Whether or not to allow synchronous mode authentication.
|
||||
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
|
||||
# that if your OTP users can authenticate to multiple RADIUS
|
||||
# servers, this must be "yes" for the primary/default server,
|
||||
# and "no" for the others. This is because lsmd does not
|
||||
# share state information across multiple servers. Using "yes"
|
||||
# on all your RADIUS servers would allow replay attacks!
|
||||
# Also, for event based tokens, the user will be out of sync
|
||||
# on the "other" servers. In order to use "yes" on all your
|
||||
# servers, you must either use gsmd, which synchronizes state
|
||||
# globally, or implement your own state synchronization method.
|
||||
# (default: yes)
|
||||
#allow_sync = yes
|
||||
|
||||
# If both allow_async and allow_sync are "yes", a challenge is
|
||||
# always presented to the user. This is incompatible with NAS's
|
||||
# that can't present or don't handle Access-Challenge's, e.g.
|
||||
# PPTP servers. Even though a challenge is presented, the user
|
||||
# can still enter their synchronous passcode.
|
||||
|
||||
# The following are MPPE settings. Note that MS-CHAP (v1) is
|
||||
# strongly discouraged. All possible values are listed as
|
||||
# {value = meaning}. Default values are first.
|
||||
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
|
||||
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
|
||||
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
|
||||
#mschap_mppe_bits = {2 = 128}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
|
||||
|
||||
|
||||
# Pluggable Authentication Modules
|
||||
#
|
||||
# For Linux, see:
|
||||
# http://www.kernel.org/pub/linux/libs/pam/index.html
|
||||
#
|
||||
# WARNING: On many systems, the system PAM libraries have
|
||||
# memory leaks! We STRONGLY SUGGEST that you do not
|
||||
# use PAM for authentication, due to those memory leaks.
|
||||
#
|
||||
pam {
|
||||
#
|
||||
# The name to use for PAM authentication.
|
||||
# PAM looks in /etc/pam.d/${pam_auth_name}
|
||||
# for it's configuration. See 'redhat/radiusd-pam'
|
||||
# for a sample PAM configuration file.
|
||||
#
|
||||
# Note that any Pam-Auth attribute set in the 'authorize'
|
||||
# section will over-ride this one.
|
||||
#
|
||||
pam_auth = radiusd
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
|
||||
|
||||
# PAP module to authenticate users based on their stored password
|
||||
#
|
||||
# Supports multiple encryption/hash schemes. See "man rlm_pap"
|
||||
# for details.
|
||||
#
|
||||
# The "auto_header" configuration item can be set to "yes".
|
||||
# In this case, the module will look inside of the User-Password
|
||||
# attribute for the headers {crypt}, {clear}, etc., and will
|
||||
# automatically create the attribute on the right-hand side,
|
||||
# with the correct value. It will also automatically handle
|
||||
# Base-64 encoded data, hex strings, and binary data.
|
||||
#
|
||||
# For instructions on creating the various types of passwords, see:
|
||||
#
|
||||
# http://www.openldap.org/faq/data/cache/347.html
|
||||
pap {
|
||||
auto_header = no
|
||||
}
|
|
@ -0,0 +1,55 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
|
||||
|
||||
# passwd module allows to do authorization via any passwd-like
|
||||
# file and to extract any attributes from these files.
|
||||
#
|
||||
# See the "smbpasswd" and "etc_group" files for more examples.
|
||||
#
|
||||
# parameters are:
|
||||
# filename - path to filename
|
||||
#
|
||||
# format - format for filename record. This parameters
|
||||
# correlates record in the passwd file and RADIUS
|
||||
# attributes.
|
||||
#
|
||||
# Field marked as '*' is a key field. That is, the parameter
|
||||
# with this name from the request is used to search for
|
||||
# the record from passwd file
|
||||
#
|
||||
# Attributes marked as '=' are added to reply_items instead
|
||||
# of default configure_itmes
|
||||
#
|
||||
# Attributes marked as '~' are added to request_items
|
||||
#
|
||||
# Field marked as ',' may contain a comma separated list
|
||||
# of attributes.
|
||||
#
|
||||
# hashsize - hashtable size. Setting it to 0 is no longer permitted
|
||||
# A future version of the server will have the module
|
||||
# automatically determine the hash size. Having it set
|
||||
# manually should not be necessary.
|
||||
#
|
||||
# allowmultiplekeys - if many records for a key are allowed
|
||||
#
|
||||
# ignorenislike - ignore NIS-related records
|
||||
#
|
||||
# delimiter - symbol to use as a field separator in passwd file,
|
||||
# for format ':' symbol is always used. '\0', '\n' are
|
||||
# not allowed
|
||||
#
|
||||
|
||||
# An example configuration for using /etc/passwd.
|
||||
#
|
||||
# This is an example which will NOT WORK if you have shadow passwords,
|
||||
# NIS, etc. The "unix" module is normally responsible for reading
|
||||
# system passwords. You should use it instead of this example.
|
||||
#
|
||||
passwd etc_passwd {
|
||||
filename = /etc/passwd
|
||||
format = "*User-Name:Crypt-Password:"
|
||||
hashsize = 100
|
||||
ignorenislike = no
|
||||
allowmultiplekeys = no
|
||||
}
|
|
@ -0,0 +1,58 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
|
||||
|
||||
# Persistent, embedded Perl interpreter.
|
||||
#
|
||||
perl {
|
||||
#
|
||||
# The Perl script to execute on authorize, authenticate,
|
||||
# accounting, xlat, etc. This is very similar to using
|
||||
# 'rlm_exec' module, but it is persistent, and therefore
|
||||
# faster.
|
||||
#
|
||||
module = ${confdir}/example.pl
|
||||
|
||||
#
|
||||
# The following hashes are given to the module and
|
||||
# filled with value-pairs (Attribute names and values)
|
||||
#
|
||||
# %RAD_CHECK Check items
|
||||
# %RAD_REQUEST Attributes from the request
|
||||
# %RAD_REPLY Attributes for the reply
|
||||
#
|
||||
# The return codes from functions in the perl_script
|
||||
# are passed directly back to the server. These
|
||||
# codes are defined in doc/configurable_failover,
|
||||
# src/include/modules.h (RLM_MODULE_REJECT, etc),
|
||||
# and are pre-defined in the 'example.pl' program
|
||||
# which is included.
|
||||
#
|
||||
|
||||
#
|
||||
# List of functions in the module to call.
|
||||
# Uncomment and change if you want to use function
|
||||
# names other than the defaults.
|
||||
#
|
||||
#func_authenticate = authenticate
|
||||
#func_authorize = authorize
|
||||
#func_preacct = preacct
|
||||
#func_accounting = accounting
|
||||
#func_checksimul = checksimul
|
||||
#func_pre_proxy = pre_proxy
|
||||
#func_post_proxy = post_proxy
|
||||
#func_post_auth = post_auth
|
||||
#func_recv_coa = recv_coa
|
||||
#func_send_coa = send_coa
|
||||
#func_xlat = xlat
|
||||
#func_detach = detach
|
||||
|
||||
#
|
||||
# Uncomment the following lines if you wish
|
||||
# to use separate functions for Start and Stop
|
||||
# accounting packets. In that case, the
|
||||
# func_accounting function is not called.
|
||||
#
|
||||
#func_start_accounting = accounting_start
|
||||
#func_stop_accounting = accounting_stop
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
|
||||
|
||||
#
|
||||
# Module implementing a DIFFERENT policy language.
|
||||
# The syntax here is NOT "unlang", but something else.
|
||||
#
|
||||
# See the "raddb/policy.txt" file for documentation and examples.
|
||||
# There isn't much else in the way of documentation, sorry.
|
||||
#
|
||||
policy {
|
||||
# The only configuration item is a filename containing
|
||||
# the policies to execute.
|
||||
#
|
||||
# When "policy" is listed in a section (e.g. "authorize"),
|
||||
# it will run a policy named for that section.
|
||||
#
|
||||
filename = ${confdir}/policy.txt
|
||||
}
|
||||
|
|
@ -0,0 +1,58 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
|
||||
|
||||
# Preprocess the incoming RADIUS request, before handing it off
|
||||
# to other modules.
|
||||
#
|
||||
# This module processes the 'huntgroups' and 'hints' files.
|
||||
# In addition, it re-writes some weird attributes created
|
||||
# by some NASes, and converts the attributes into a form which
|
||||
# is a little more standard.
|
||||
#
|
||||
preprocess {
|
||||
huntgroups = ${confdir}/huntgroups
|
||||
hints = ${confdir}/hints
|
||||
|
||||
# This hack changes Ascend's wierd port numberings
|
||||
# to standard 0-??? port numbers so that the "+" works
|
||||
# for IP address assignments.
|
||||
with_ascend_hack = no
|
||||
ascend_channels_per_line = 23
|
||||
|
||||
# Windows NT machines often authenticate themselves as
|
||||
# NT_DOMAIN\username
|
||||
#
|
||||
# If this is set to 'yes', then the NT_DOMAIN portion
|
||||
# of the user-name is silently discarded.
|
||||
#
|
||||
# This configuration entry SHOULD NOT be used.
|
||||
# See the "realms" module for a better way to handle
|
||||
# NT domains.
|
||||
with_ntdomain_hack = no
|
||||
|
||||
# Specialix Jetstream 8500 24 port access server.
|
||||
#
|
||||
# If the user name is 10 characters or longer, a "/"
|
||||
# and the excess characters after the 10th are
|
||||
# appended to the user name.
|
||||
#
|
||||
# If you're not running that NAS, you don't need
|
||||
# this hack.
|
||||
with_specialix_jetstream_hack = no
|
||||
|
||||
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
|
||||
# with the attribute name *again* in the string, like:
|
||||
#
|
||||
# H323-Attribute = "h323-attribute=value".
|
||||
#
|
||||
# If this configuration item is set to 'yes', then
|
||||
# the redundant data in the the attribute text is stripped
|
||||
# out. The result is:
|
||||
#
|
||||
# H323-Attribute = "value"
|
||||
#
|
||||
# If you're not running a Cisco or Quintum NAS, you don't
|
||||
# need this hack.
|
||||
with_cisco_vsa_hack = no
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $
|
||||
|
||||
# Write "detail" files which can be read by radrelay.
|
||||
# This module should be used only by a server which receives
|
||||
# Accounting-Request packets from the network.
|
||||
#
|
||||
# It should NOT be used in the radrelay.conf file.
|
||||
#
|
||||
# Use it by adding "radrelay" to the "accounting" section:
|
||||
#
|
||||
# accounting {
|
||||
# ...
|
||||
# radrelay
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
detail radrelay {
|
||||
detailfile = ${radacctdir}/detail
|
||||
|
||||
locking = yes
|
||||
|
||||
# The other directives from the main detail module
|
||||
# can be used here, but they're not required.
|
||||
}
|