Compare commits


5 Commits

Author SHA1 Message Date
Eri - 1d32924d85 things and stuff 2021-03-06 20:44:03 +01:00
Eri - 6946bbd224 fix configDir 2019-04-07 23:12:31 +02:00
Eri - a1490e209a typo 2019-04-07 23:02:11 +02:00
Eri - fbe1f6c5b0 enable freeradius for authless eap wifi 2019-04-07 22:56:27 +02:00
Eri - 0b59c8cf5b new container for freeradius 2019-04-07 22:45:06 +02:00
297 changed files with 12982 additions and 39717 deletions


@ -1,9 +0,0 @@
# This file contains a list of commits that are not likely what you
# are looking for in a blame, such as mass reformatting or renaming.
# You can set this file as a default ignore file for blame by running
# the following command.
#
# $ git config blame.ignoreRevsFile .git-blame-ignore-revs
# big format
aaddec81945750222721659be65ecd6bf2503c6a

4
.gitignore vendored

@ -1,4 +0,0 @@
.*.swp
*.retry
result
result-*

3
.gitmodules vendored Normal file

@ -0,0 +1,3 @@
[submodule "secrets"]
path = secrets
url = ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git
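Review bot: The new submodule entry on lines 42-44 does not tell a contributor that the `secrets` checkout is presumably access-restricted (it is fetched over authenticated SSH on a non-default port) or how to initialise it, and `.gitmodules` is the first thing a fresh clone trips over when `secrets/` comes back empty. Git treats `#` lines in this file as comments, so a short header such as `# private repo: requires an SSH key accepted by gitea.c3d2.de:2222; run git submodule update --init after cloning` would avoid a confusing clone failure. The host key for that port-2222 SSH endpoint is not pinned anywhere visible in this diff, so first-time clones depend on trust-on-first-use; if the fingerprint is published elsewhere, a comment pointing to it here would let contributors verify it before fetching secrets.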


@ -1,183 +0,0 @@
keys:
# The PGP keys in keys/
- &admins
- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
#- 270DAEB0EC5A129CE1F38E2FCB5009A2DB4C5190 # blastmaster
- D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A # deployer
#- 844267BA729E32B3329B9DBF59E238FC65F349F2 # eri
- A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 # winzlieb
#- 9580391316684474BFBD41EC3E8C55248C19AF2A # xyrill
- 4F9F44A64CC2E438979329E1F122F05437696FCE # poelzi
#- B2918084D9BA194C66AE78769E5D7AAA5B6B2D79 # schmittlauch?
- 4B12EFA69166CA8C23FC47E49CD3A46248B660CA # vv01f
- 9EA68B7F21204979645182E4287B083353C3241C # j03
- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
- 91EBE87016391323642A6803B966009D57E69CC6 # revol-xut
- &polygon-snowflake age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c # polygon
# Generate AGE keys from SSH keys with:
# nix shell nixpkgs#ssh-to-age
# ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
- &bind age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
- &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
- &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
- &c3d2-web age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
- &dacbert age1hg0mmua5y82ct7l6q9gpc8w940ce5seqcjhm4dgx7tlzvflznyas7v3hf4
- &direkthilfe age1qe8wvy8kdmfdxh505apkqnnquqgtvykd6x6qlxmzqp93cv6wjy4qlu5mpj
- &dn42 age1726t33dl7pv3xrxxlafj2sexh7c0jm8pza84yu6l3wpz3fw5dauqxlass3
- &factorio age1av4ww0zzyas0egzwkpdaj4crwz3vwnhpq0nfez2zad4me38zss7sjz5kw2
- &freifunk age17rrjtdgzzwgjatyqqv27pftx42t8xhksls46jc3f78juzw4g04vsd7lr7e
- &ftp age1lkr5rkf3z0976g8snmznf755gnexhjkwpzsw8xxwyesqmneawa4qgsqx77
- &gitea age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
- &glotzbert age1zqpep2vgfqeyvtj2jpxczfgrpjffwda429rnuztfp0vpqsrqdq8s8f4yua
- &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
- &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
- &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
- &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
- &leoncloud age1aw9s4kcd6ys64ddzzfya9ajzln2tv8pm9uvz6d85v0r6eq4dudqq5vts86
- &mailtngbert age1lgjvtszpds9flpwsstxdht00c7zlk3mz7nlc5qftyt8rhfdm330qqmhl72
- &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
- &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
- &mucbot age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh
- &nfsroot age18yxgwpakrkzq8ca2enayf79py25se3d8dsed2q523869re30jcaqx6rjln
- &nncp age15853dr2kd6r2329tkcanwnruh6zd2xvsu5twc7gnxeyu3h7t6q5scckaq8
- &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
- &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
- &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
- &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
- &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
- &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
- &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
- &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
- &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7
- &stream age1j5csp5v5s2g8am47dd85kcke8986e0qc88f0vfgd3kmvwu8azg3smslk92
- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
- &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
creation_rules:
- path_regex: config/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *polygon-snowflake
- *auth
- *bind
- *blogs
- *broker
- *c3d2-web
- *dacbert
- *direkthilfe
- *dn42
- *factorio
- *freifunk
- *ftp
- *gitea
- *glotzbert
- *gnunet
- *grafana
- *hedgedoc
- *hydra
- *jabber
- *leon
- *leoncloud
- *mailtngbert
- *matemat
- *mediawiki
- *mucbot
- *nfsroot
- *oparl
- *public-access-proxy
- *pulsebert
- *radiobert
- *riscbert
- *scrape
- *sdrweb
- *server9
- *server10
- *spaceapi
- *stream
- *storage-ng
- *ticker
- path_regex: hosts/auth/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *auth
- *polygon-snowflake
- path_regex: hosts/blogs/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *blogs
- *polygon-snowflake
- path_regex: hosts/broker/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *broker
- *polygon-snowflake
- path_regex: hosts/dn42/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *dn42
- *polygon-snowflake
- path_regex: hosts/freifunk/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *freifunk
- *polygon-snowflake
- path_regex: hosts/glotzbert/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *glotzbert
- *polygon-snowflake
- path_regex: hosts/hedgedoc/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *hedgedoc
- *polygon-snowflake
- path_regex: hosts/hydra/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *hydra
- *polygon-snowflake
- path_regex: hosts/mailtngbert/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *mailtngbert
- *polygon-snowflake
- path_regex: hosts/mediawiki/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *mediawiki
- *polygon-snowflake
- path_regex: hosts/oparl/secrets\.yaml$
key_groups:
- pgp: *admins
age:
- *oparl
- *polygon-snowflake
- path_regex: hosts/radiobert/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *radiobert
- *polygon-snowflake
- path_regex: hosts/storage-ng/[^/]+\.yaml$
key_groups:
- pgp: *admins
age:
- *storage-ng
- *polygon-snowflake

222
README.md

@ -1,225 +1,17 @@
---
gitea: none
title: Flockige Infrastruktur deklarativ
include_toc: yes
lang: en
---
# Setup
## Add this repo to your local Nix registry
As an alternative to a local checkout, always pull the latest code
from this repo.
```bash
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
```
This enables `nix` commands to find this Flake given the `c3d2#`
prefix in some arguments.
## Working with this repo
If you checked out this git repository for working on the code,
replace `c3d2#` with `.#` and run commands from the repository root.
Don't forget to `git add` new files! Flakes require that.
## The secrets repo
Make sure you have access.
## Install Nix Flakes
> Nix Flakes ist gegenwärtig bei Nix (Version 20.09) noch keine standardmäßige Funktionalität für Nix. Die Bereitstellung der Kommandos für Nix Flakes müssen als experimentelle Funktionalität für das Kommando ''nix'' festgelegt werden, um sie verfügbar zu machen.
Set some configuration (do this only once):
```bash
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
```
### Permanent System with Nix Flakes
set this to your NixOS configuration:
```nix
{ pkgs, ... }: {
nix = {
extraOptions = "experimental-features = nix-command flakes";
};
}
```
# Deployment
## Deploy a NixOS system from this Flake locally
Beide failen bei Activation des neuen Profils. (TODO)
Running `nixos-rebuild --flake c3d2 switch` on a machine should be sufficient
to update that machine to the current configuration and Nixpkgs revision.
## Deploy to a remote NixOS system with this Flake
For every host that has a `nixosConfiguration` in our Flake, there are
two scripts that can be run for deployment via ssh.
- `nix run .#glotzbert-nixos-rebuild switch`
Copies the current state to build on the target system. This may
fail due to eg. container resource limits.
The target must already be a nixFlakes system.
- `nix run .#glotzbert-nixos-rebuild-local switch`
Builds locally, then uses `nix copy` to transfer the new NixOS
system to the target.
**Help!** It's needlessly rebuilding stuff that already runs on the
target? If so, use `nix copy` to transfer where
`/run/current-system` points to to your build machine.
## Remote deployment from non-NixOS
A shell script that copies the current working tree, and runs
`nixos-rebuild switch` on the target:
## Mit `nixos-switch rebuild`
```shell
./deploy-flake.sh hydra.hq.c3d2.de
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
```
It cannot not lookup hostnames in `host-registry.nix`. To avoid
deploying the wrong container on the unrelated DNS records, the script
always uses the hostname that is already configured on the target
system.
## Checking for updates
## Mit NixOps
```shell
nix run .#list-upgradable
```
![list-upgradable output](doc/list-upgradable.png)
Checks all hosts with a `nixosConfiguration` in `flake.nix`.
## Update from [Hydra build](https://hydra.hq.c3d2.de/jobset/c3d2/nix-config#tabs-jobs)
The fastest way to update a system, a manual alternative to setting
`c3d2.autoUpdate = true;`
Just run:
```shell
update-from-hydra
```
## Deploy a MicroVM
### Building spaceapi remotely, and deploy
```shell
nix run .#microvm-update-spaceapi
```
### Building spaceapi locally, and deploy
```shell
nix run .#microvm-update-spaceapi-local
```
### Update MicroVM from our Hydra
Our Hydra runs `nix flake update` daily in the `updater.timer`,
pushing it to the `flake-update` branch so that it can build fresh
systems. This branch is setup as the source flake in all the MicroVMs,
so the following is all that is needed on a MicroVM-hosting server:
```shell
microvm -Ru $hostname
```
## High Availability Deployment on Nomad
First, stop and delete `/var/lib/microvm/$NAME` where the
systemd-managed MicroVMs live, or move the state to
`/glusterfs/fast/microvms/$NAME`.
```sh
nix run .#nomad-$NAME
```
# Secrets management
## Secrets managment with PGP
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
Maybe this works for you, maybe not. I did it somehow:
```bash
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
```
Your gpg key has to have the Authenticate flag set. If not update it and push it to a keyserver and wait.
This is necessary, so you can login to any machine with your gpg key.
## Secrets Management Using `sops-nix`
### Adding a new host
Edit `secrets/.sops.yaml`:
1. Add an AGE key for this host. Comments in this file tell you how to
do it.
2. Add a `creation_rules` section for `host/$host/*yaml` files
### Editing a hosts secrets
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
```bash
# Enter the secrets flake
cd secrets
# Get sops
nix develop
# Decrypt, start en EDITOR, encrypt
sops hosts/.../secrets.yaml
# Push
git commit -a -m YOLO
git push origin HEAD:master
# Go back to this flake
cd ..
# Update flake.lock file
nix flake lock . --update-input secrets
```
# Laptops / Desktops
This repository contains a NixOS module that can be used with personal machines
as well. This module appends `/etc/ssh/ssh_known_hosts` with the host keys of
registered HQ hosts, and optionally appends `/etc/hosts` with static IPv6
addresses local to HQ. Simply import the `lib` directory to use the module. As
an example:
```nix
# /etc/nixos/configuration.nix
{ config, pkgs, lib, ... }:
let
c3d2Config =
builtins.fetchGit { url = "https://gitea.c3d2.de/C3D2/nix-config.git"; };
in {
imports = [
# ...
"${c3d2Config}/modules/c3d2.nix"
];
c3d2 = {
isInHq = false; # not in HQ, this is the default.
mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
enableMotd = true; # Set the login shell message to the <<</>> logo.
};
# ...
}
nixops create hq.nixops -d hq
nixops deploy -d hq --debug --include=dhcp --force-reboot
nixops deploy -d hq --include=grafana -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.09.tar.gz --force-reboot
```


@ -1,50 +0,0 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p rsync
# shellcheck shell=bash
set -eou pipefail
function show_help() {
echo "Usage:"
echo "$0 [--build-local] <host.hq.c3d2.de>"
echo "--help Show this help."
echo "--build-local Build config locally and copy it to the target system via nix copy"
exit 1
}
if [[ $# == 0 ]]; then
show_help
fi
while [[ $# -gt 0 ]]; do
case "${1:-}" in
"" | "-h" | "--help")
show_help
;;
"--build-local")
build_local=true
;;
*)
host=$1
;;
esac
shift
done
if [[ -v build_local ]]; then
hostname=$(ssh root@"$host" hostname)
echo "$hostname> nix build"
nix --experimental-features 'nix-command flakes' -Lv build ".#nixosConfigurations.$hostname.config.system.build.toplevel"
store_path=$(readlink -f result)
echo "$hostname> nix copy"
nix --experimental-features 'nix-command flakes' copy --to ssh://root@"$host" -v "$store_path"
echo "$hostname> switch-to-configuration switch"
ssh root@"$host" "$store_path/bin/switch-to-configuration" switch
else
rsync -az "$(dirname "$0")" root@"$host":nix-config
echo "> nixos-rebuild switch"
exec ssh root@"$host" 'nixos-rebuild --flake git+file://`pwd`/nix-config#`hostname` --override-input secrets git+file://`pwd`/nix-config/secrets switch'
fi

Binary file not shown.



@ -1,887 +0,0 @@
{
"nodes": {
"affection-src": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1663176622,
"narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=",
"ref": "master",
"rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818",
"revCount": 293,
"type": "git",
"url": "https://gitea.nek0.eu/nek0/affection"
},
"original": {
"type": "git",
"url": "https://gitea.nek0.eu/nek0/affection"
}
},
"bevy-julia": {
"inputs": {
"naersk": "naersk",
"nixpkgs": [
"nixos"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1663441942,
"narHash": "sha256-KNKnxcD8mHfjCqI0FluGOY1gfDfOMo8K9upGnCGksGo=",
"ref": "main",
"rev": "7feee1b6c436230f2adea774aab14a74d862e355",
"revCount": 3,
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
}
},
"bevy-mandelbrot": {
"inputs": {
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1663194086,
"narHash": "sha256-412sqKeKP8qm8Teno8xnl8/yMWxjZaRa7ujw5xaa5qw=",
"ref": "main",
"rev": "a37a6e16946f0515242a30699a9b34bdc45ef87e",
"revCount": 9,
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"nixos"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1666420537,
"narHash": "sha256-0gPA6u4g/+9ZI15krn7qet0sN5XP6yMymDCgfV5BZKg=",
"owner": "nix-community",
"repo": "fenix",
"rev": "cc541fd8c19048872161e53a3399a31c568fbd46",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"harmonia": {
"flake": false,
"locked": {
"lastModified": 1666188194,
"narHash": "sha256-WOgfXe3b4lZp5URZ+8TAtjX5VcaL8YMnpKaxYXHTCJY=",
"owner": "helsinki-systems",
"repo": "harmonia",
"rev": "f97ecd55bb0c7ba846ba565938ad45981351b31d",
"type": "github"
},
"original": {
"owner": "helsinki-systems",
"repo": "harmonia",
"type": "github"
}
},
"heliwatch": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1657923513,
"narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=",
"ref": "master",
"rev": "f7cf04a7ad47e388121f0771651fec0df91407f3",
"revCount": 61,
"type": "git",
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
}
},
"hydra": {
"inputs": {
"nix": "nix",
"nixpkgs": [
"hydra",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1666385840,
"narHash": "sha256-ablHzPwN2Pvju0kyo8N5Wavqkl60gKHCPLnruwqvwTg=",
"owner": "nixos",
"repo": "hydra",
"rev": "312cb42275e593eea5c44d8430ab09375fdb2fdb",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "hydra",
"type": "github"
}
},
"hydra-ca": {
"inputs": {
"newNixpkgs": "newNixpkgs",
"nix": "nix_2",
"nixpkgs": [
"hydra-ca",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1661851236,
"narHash": "sha256-Om6uR2hszPvkZTzWRc0v0ZTm935QIzPSjGLzuhHUyJA=",
"owner": "mlabs-haskell",
"repo": "hydra",
"rev": "8311b498e0e5f8ba4a01a0d7b97354617c73bf84",
"type": "github"
},
"original": {
"owner": "mlabs-haskell",
"ref": "aciceri/ca-derivations",
"repo": "hydra",
"type": "github"
}
},
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"lowdown-src_2": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"microvm": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1666198611,
"narHash": "sha256-MWGr+6MBwl0gOe1DqxsUH3WxUaFsS0Jt74jiKqCQHa4=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "1813be9f059eb73efed5d21aa9b8b4ae5fb0b812",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1662220400,
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
"owner": "nix-community",
"repo": "naersk",
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"naersk_2": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1662220400,
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
"owner": "nix-community",
"repo": "naersk",
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"naersk_3": {
"inputs": {
"nixpkgs": [
"ticker",
"nixpkgs"
]
},
"locked": {
"lastModified": 1659610603,
"narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=",
"owner": "nix-community",
"repo": "naersk",
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
"type": "github"
}
},
"newNixpkgs": {
"locked": {
"lastModified": 1647380550,
"narHash": "sha256-909TI9poX7CIUiFx203WL29YON6m/I6k0ExbZvR7bLM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6e3ee8957637a60f5072e33d78e05c0f65c54366",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nix": {
"inputs": {
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_2",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1661606874,
"narHash": "sha256-9+rpYzI+SmxJn+EbYxjGv68Ucp22bdFUSy/4LkHkkDQ=",
"owner": "NixOS",
"repo": "nix",
"rev": "11e45768b34fdafdcf019ddbd337afa16127ff0f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.11.0",
"repo": "nix",
"type": "github"
}
},
"nix_2": {
"inputs": {
"lowdown-src": "lowdown-src_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-regression": "nixpkgs-regression_2"
},
"locked": {
"lastModified": 1654014617,
"narHash": "sha256-qNL3lQPBsnStkru3j1ajN/H+knXI+X3dku8/dBfSw3g=",
"owner": "NixOS",
"repo": "nix",
"rev": "624e38aa43f304fbb78b4779172809add042b513",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.9.1",
"repo": "nix",
"type": "github"
}
},
"nixos": {
"locked": {
"lastModified": 1666401273,
"narHash": "sha256-AG3MoIjcWwz1SPjJ2nymWu4NmeVj9P40OpB1lsmxFtg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3933d8bb9120573c0d8d49dc5e890cb211681490",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-armv6": {
"locked": {
"lastModified": 1664701736,
"narHash": "sha256-Va3NyZ+uyZztu506qM+sLxd69DBzN5CdoCAu1lzVk0U=",
"owner": "rnhmjoj",
"repo": "nixpkgs",
"rev": "10b75bee02bc7c25e596847357c70b277c534588",
"type": "github"
},
"original": {
"owner": "rnhmjoj",
"ref": "pr-fix-armv6",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1665987993,
"narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "0e6593630071440eb89cd97a52921497482b22c6",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixos-unstable": {
"locked": {
"lastModified": 1666377499,
"narHash": "sha256-dZZCGvWcxc7oGnUgFVf0UeNHsJ4VhkTM0v5JRe8EwR8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "301aada7a64812853f2e2634a530ef5d34505048",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1663264531,
"narHash": "sha256-2ncO5chPXlTxaebDlhx7MhL0gOEIWxzSyfsl0r0hxQk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "454887a35de6317a30be284e8adc2d2f6d8a07c4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs-mobilizon": {
"locked": {
"lastModified": 1664466500,
"narHash": "sha256-FvEUAKkf0PDZ2j2qIbI4+3oPTnuQq4HdX00iqBkvKOU=",
"owner": "minijackson",
"repo": "nixpkgs",
"rev": "8a43afd5579f58092d4bf616a0206f83d8062e1f",
"type": "github"
},
"original": {
"owner": "minijackson",
"ref": "init-mobilizon",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-regression_2": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"id": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1657693803,
"narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "365e1b3a859281cf11b94f87231adeabbdd878a2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1645296114,
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05-small",
"type": "indirect"
}
},
"oparl-scraper": {
"flake": false,
"locked": {
"lastModified": 1656290558,
"narHash": "sha256-f9JRkxMWK4ONeCePB8UcQX8pAksQPF9YcxLbbcCgpFY=",
"owner": "offenesdresden",
"repo": "ratsinfo-scraper",
"rev": "0bc947ef28a6b83943db6fd9abbe2ae21ced7d06",
"type": "github"
},
"original": {
"owner": "offenesdresden",
"ref": "oparl",
"repo": "ratsinfo-scraper",
"type": "github"
}
},
"openwrt": {
"flake": false,
"locked": {
"lastModified": 1666345565,
"narHash": "sha256-TsEHFpYHP/9AXWtwGdLw9w64nwDJECx77VB/dJ2/73k=",
"ref": "openwrt-21.02",
"rev": "9cec59ca38a3600f175bd12e0620a1c7306aa813",
"revCount": 51153,
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
},
"original": {
"ref": "openwrt-21.02",
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
}
},
"openwrt-imagebuilder": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1666455539,
"narHash": "sha256-t9o9cjTcZWZj9SMr52TShTCZ2MNnRctylSqP+BUD6tk=",
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"rev": "3cc9edcc5625a7ef9721d65f2270242a695c69e5",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"type": "github"
}
},
"root": {
"inputs": {
"affection-src": "affection-src",
"bevy-julia": "bevy-julia",
"bevy-mandelbrot": "bevy-mandelbrot",
"fenix": "fenix",
"flake-utils": "flake-utils",
"harmonia": "harmonia",
"heliwatch": "heliwatch",
"hydra": "hydra",
"hydra-ca": "hydra-ca",
"microvm": "microvm",
"naersk": "naersk_2",
"nixos": "nixos",
"nixos-armv6": "nixos-armv6",
"nixos-hardware": "nixos-hardware",
"nixos-unstable": "nixos-unstable",
"nixpkgs-mobilizon": "nixpkgs-mobilizon",
"oparl-scraper": "oparl-scraper",
"openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder",
"rust-overlay": "rust-overlay",
"scrapers": "scrapers",
"secrets": "secrets",
"sops-nix": "sops-nix",
"spacemsg": "spacemsg",
"sshlogd": "sshlogd",
"ticker": "ticker",
"tigger": "tigger",
"tracer": "tracer",
"yammat": "yammat",
"zentralwerk": "zentralwerk"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1666361125,
"narHash": "sha256-TMvuYDc1MOI8TvScsTioFKRaIH7G8RA4LZFc9v38Nvs=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "8ee23f4f0aebf344089bfc201f1dbf641534cf94",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1666407365,
"narHash": "sha256-eD1hN+Uez7oOKl9BgvfBydQOCEqfoLuezoGfR6t0nzI=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8ffc63427df1dc7e53fb96cb13b130028c258202",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"scrapers": {
"flake": false,
"locked": {
"lastModified": 1665446321,
"narHash": "sha256-GuZr+BCAIe+UYmQrLHaVr8iRRajn5nSdWyqhjWDIX1Y=",
"ref": "master",
"rev": "3700761dd06f271ef26261ed2a90dce8c22b6dca",
"revCount": 61,
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
}
},
"secrets": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1659890996,
"narHash": "sha256-xURgGoznCPmpX35dn5AXcyNYicVn5ruvUKxfIMMiu8o=",
"ref": "master",
"rev": "5ca106f648bef15d9954d956bda336eea28e8d75",
"revCount": 149,
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
},
"original": {
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixos"
],
"nixpkgs-22_05": [
"nixos"
]
},
"locked": {
"lastModified": 1666078616,
"narHash": "sha256-ifW3GhIxuKv5+AidKAPpmtS8M7TY2d7VS6eFnaCFdfU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "8e470d4eac115aa793437e52e84e7f9abdce236b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spacemsg": {
"flake": false,
"locked": {
"lastModified": 1654295718,
"narHash": "sha256-lO/mvXrFiJTWX5roRooHg3m6cozvWqJTOxgl5jZ5mGI=",
"owner": "astro",
"repo": "spacemsg",
"rev": "64c714df0e64de23f77aeb05d74fecf5a7469f11",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "spacemsg",
"type": "github"
}
},
"sshlogd": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1664381600,
"narHash": "sha256-XGN/ZBolgT5OOZgGr6QP9VnyCOZ/Sjo79PwaWAYOFvE=",
"ref": "main",
"rev": "e1043a8c0a3f3f6b5be39188806754f3737580a7",
"revCount": 22,
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
}
},
"ticker": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": "naersk_3",
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1665443266,
"narHash": "sha256-rm9P+NnjnpFsoO5P42nuMzcion0Q9qTTru5Zc7MMqUY=",
"ref": "master",
"rev": "cee130ffb5ff4085793ee4ec0ff41b8fd54384fa",
"revCount": 106,
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
}
},
"tigger": {
"flake": false,
"locked": {
"lastModified": 1661423826,
"narHash": "sha256-IOOspJZYIk4zG4wZ7iIEizUFYYgeaWEXUwqWrFl2kaQ=",
"owner": "astro",
"repo": "tigger",
"rev": "9fe2412717e6cebe32eccad9449a4568b472c725",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "tigger",
"type": "github"
}
},
"tracer": {
"inputs": {
"affection-src": [
"affection-src"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1663279525,
"narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=",
"ref": "master",
"rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3",
"revCount": 342,
"type": "git",
"url": "https://gitea.c3d2.de/astro/tracer"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/tracer"
}
},
"yammat": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1655412349,
"narHash": "sha256-EFJLSOCajkfLteSWaEv5b16Xp2YhKa4CVdkC9ZjKowc=",
"ref": "nix",
"rev": "e7069228a87c42124e7762b1bfd663b684e24749",
"revCount": 405,
"type": "git",
"url": "https://gitea.c3d2.de/C3D2/yammat.git"
},
"original": {
"ref": "nix",
"type": "git",
"url": "https://gitea.c3d2.de/C3D2/yammat.git"
}
},
"zentralwerk": {
"inputs": {
"nixpkgs": [
"nixos"
],
"openwrt": [
"openwrt"
],
"openwrt-imagebuilder": [
"openwrt-imagebuilder"
]
},
"locked": {
"lastModified": 1666481861,
"narHash": "sha256-GJS7nHYTcz/KPM9q+5YW+JV0JRVfD23Lgjr1LlB2dD4=",
"ref": "master",
"rev": "3e844866516a6d6d75d3e4c63ab4d198eded61ff",
"revCount": 1644,
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
}
}
},
"root": "root",
"version": 7
}

1017
flake.nix

File diff suppressed because it is too large Load Diff


@ -1,80 +0,0 @@
# Registry of C3D2 machines.
{
dacbert = {
serial = "3c271952";
ip4 = "172.22.99.203";
};
riscbert.ip4 = "riscbert.c3d2.zentralwerk.org";
dn42 = {
ip4 = "172.22.99.253";
};
freifunk = {
ip4 = "172.20.72.40";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFbxHGfBMBjjior1FNRub56O62K++HVnqUH67BeKD7d";
};
gitea.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8Q7kGF3Hh6HvmlSIgZOjgoIZRpyxKvMBTcPWHlecuh";
glotzbert = {
ether = "ec:a8:6b:fe:b4:cb";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
wol = true;
ip4 = "glotzbert.hq.c3d2.de";
};
grafana = {
ip6 = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y";
};
mucbot = {
ip4 = "172.20.73.27";
ip6 = "2a00:8180:2c00:282:28db:dff:fe6b:e89a";
};
matemat = {
ip4 = "172.20.73.21";
ip6 = "2a00:8180:2c00:282:f82b:1bff:fedc:8572";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBa07c4NnU1TGX1SMNea9e1d4nMtc0OS4gJLmTA3g/fe";
};
mpd-index = { };
nfs = { };
nncp = {
ip6 = "2a00:8180:2c00:223:dcec:9aff:fe6f:3f63";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQhxaeElmxO1UgaI/+qr+g13OFeY9qtJVxznNN+xs/e";
};
public-access-proxy = {
ip4 = "172.20.73.45";
ip6 = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
};
pulsebert = {
ether = "dc:a6:32:31:b6:32";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQCsDss9Gq3/eTKqpgEwXK+nhnuARS4/kHqF2+laGnp";
ip4 = "172.22.99.208";
};
samba = { };
scrape = {
ip4 = "172.20.73.32";
ip6 = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGxPgg6nswoij1fBzDPDu6h4+d458XL2+dBxAx9KVOh";
};
schalter.ip4 = "schalter.hq.c3d2.de";
# Hack
rpi-netboot.ip4 = "127.0.0.1";
server9.ip6 = "server9.cluster.zentralwerk.org";
server10.ip6 = "server10.cluster.zentralwerk.org";
}


@ -1,65 +0,0 @@
{ zentralwerk, config, lib, pkgs, ... }:
{
c3d2 = {
deployment = {
server = "server10";
mounts = [ "etc" "home" "var"];
};
};
system.stateVersion = "22.05";
networking = {
hostName = "auth";
hosts = {
# required for ldaps connection over localhost
"::1" = [ "auth.c3d2.de" ];
"127.0.0.1" = [ "auth.c3d2.de" ];
};
firewall.allowedTCPPorts = [
80 # http
443 # https
636 # ldaps
];
};
services = {
nginx = {
enable = true;
virtualHosts."auth.c3d2.de" = {
default = true;
forceSSL = true;
enableACME = true;
locations = {
"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
"/" = {
proxyPass = "http://localhost:${toString config.services.portunus.port}";
};
};
};
};
portunus = {
enable = true;
dex = {
# enable = true;
};
domain = "auth.c3d2.de";
ldap = {
suffix = "dc=c3d2,dc=de";
tls = true;
};
seedPath = config.sops.secrets."portunus/seed".path;
};
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
secrets."portunus/seed" = {
group = config.services.portunus.group;
owner = config.services.portunus.user;
};
};
}


@ -1,183 +0,0 @@
portunus:
seed: ENC[AES256_GCM,data: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,iv:xIAxj2D3HurNzQg/JjKCQ4KEwjKJ/PuDGM2RLRFuMX4=,tag:i5s0OMkvIgY4rgLQygVsaQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBia1BGY29QTEhEb0JaVXE3
cktvbFNHclpGcVVXUTN4S2FxM0xLQVZKUkZ3CnVtVG5aRHRpUDR3ZkhOS1pwdGdR
VXBCbE8wMFEzYmxCRG5Od1J0SnhGWFEKLS0tIGttU1RvMFJQNVc2azU1L1VocTJI
U2JwaFI0SlprbUFJUjF0WElmSERSS1EKtrQUjrXaiCY45ySJR5gMBB09eNU73ZCA
wePnt0MdM7ywiImfgaRZYka4fQffLHn/ZYY0X4sJ0rlji67lxdi40g==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eXdZT1VyY3daN2ROdm51
My9KTlozaW1JNmYwVlc4eHhQYjd3d1Z1Z21ZClpGcnhLcENoMjNxbnRCcjRvTGhv
S2toL055b2ZuU1Ezb0VaVzhQZTBuU1EKLS0tIE1jd3Yxd0xFN1VLRVlvQ2ZwRnNQ
OHlKSmZ0WGpJNTNlbGJZdWsvV2JVSjQKChNZeeT4l/ZiBMC0SZXY8wsNnZBtM9vw
WfVljqnQTMODkoLjfxcvET2xZjSHSI0wjULjMAgg67lRUEG2bxMp3g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-08-01T23:50:16Z"
mac: ENC[AES256_GCM,data:P7fUSy+q+jXqKq3uYLVZmOIh4WT19bd59zPel6ltuq9SpUTkrybr+AFqRdQs+DhADKF45X98lNUCvsyAXaXyP2ADQCcCeuWx/AQNjUaGiZ39LnHXAfn9r3o2xml8sXD7yri6BHDnCoaCNA/caAsaOz+yKB3vJw3PU5hWmm4os7s=,iv:nFSPrHTl/lJQkFJktkgkAbQVdQ6sqxFWbwl+dPwSfag=,tag:vk44cvyxy89dh+nonnKe7A==,type:str]
pgp:
- created_at: "2022-07-31T16:18:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=9P63
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2022-07-31T16:18:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=zj9P
-----END PGP MESSAGE-----
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
- created_at: "2022-07-31T16:18:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQf+KCmtLOd7pOx0agWHhgQxtDIXDCn5PvxjU3p+TXQ4TGWA
W2+4+17SFMlxyM02p/3nols+mUYQ0W7Dt9Pgkzh1hCN1nJl1JjWqc3Dg62hZS9V7
y4yhakVhJ5vbrTfkp4TA4yWaHubjVbGgNuxghLcD/15RhUKWREBVS3qGG4sPOjF6
vjwIutkclRUjIl+Dswzr3yQWVmL1k4Xq73pPPAzMFK+4RWqz+h0qUVFVV9CgeWy6
JqD39wApRWrV68QhhCPJ6gHU18Zv8gk02F3HvMuUDKXWxsBuwk0+SDOBSs9H3VIz
tu8uuVA2hFAb8D0HLK+eQ6CN1mdvcIucuDFd1kLVNNJeAZcWICQeLoNGJRlyxEKB
/h+//E1MqBevUKcpZaWp6/I9AIyArNGJrsvGXYsykLrexxRt/0goyC3hwrluTdng
Rn6kI6mhvikgO0qmeg+uNooyH5pBZseW2YzaTU6nbg==
=CGxM
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2022-07-31T16:18:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=htKz
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2022-07-31T16:18:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=LLlm
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2022-07-31T16:18:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA/Z87ylQaotQAQf/c6nvx1MVEwbF/pZ7o5Dpj/r30GnL0zNpYyAMCgAwXaki
5nwvx84vq2/NleaI8J6cbXB3h5NzGArDVWa5V6W/Jg+vbPnLTzhYWmGSRBb34QD5
KSJ8C79b/Gv9i9a5my3j0Rpj7iJ9zFcHgbxYMlq6VInWJf9bH6owk/9iMaJfHM7R
2J85ykc+5Hn6raAbo+OGoClGAT6rVH7jwuN8V3LQp0QJaBPEfFmF2rH++xUuxaaS
Y/egu67yR0CooaiwxSyl/h7L8VtWTs5eRkWsAEFolfR4mCZ2eJwq7D7eljkxaNx8
w6mEHgDHyWx9lt/7lZ3TAv7e4I/FnaRgTL6bPJUPKNJRAZQ9tbwpTFWNGsG3z/UT
eQu1bhnOa6GEqy6iPSZr1ndJExS3mqq9UBvdKi4z88iKLrAfMgB1HzmkocYwDSvt
7rprso1qslJzqpEJquz/I7GV
=pz+t
-----END PGP MESSAGE-----
fp: 9EA68B7F21204979645182E4287B083353C3241C
- created_at: "2022-07-31T16:18:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ssEn
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2022-07-31T16:18:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/YLzOYaRIJJAQ/9FsUGc5UUbFQQFrncWkknh1AqTJkozHRYBDhcQ2tZO8kY
a54xy9tKub+cVO/f/T9fH6jeFkJtkGlaIoorHs2Pwnizz958BhfPHooW3IFohhmu
E7VDjFOrUWYp9spjB71hHLWZ+FTFeT6M/+CfGJuJ+XqtLEOkeL4uFVd6gEDldt6Z
qYIu8NFPfDoqk5VxJhmNxmcHEn1OO11ukvhghXXztZ/IKlfeWl7pkDweWuDHDqZq
m+9ndgCxIFkbBcq3Xvb9DANdYJfrzF/4g9XApxpF9aPUDtKvlKYynX83Viu5Cbsi
ALlmJ2DJIBtWXqm92dFuwJwKSh2RRQZpA5YiQWpnVYxPlER6HWTPIlhiQ6v+buV3
6NfBbfwkhGU+9/W5iRD/yvl8wOnWzh7/e9R3Sjm5raKJq8pG8h0Ak6aMY+G+7NYu
OOwis5BSqP7B1owvifQdjVjxKeJ2XyREU2EeNTo4eJvT24dRbgUF2DBhdI7jynKE
PhI/OprouxCPnxw2oQdsYnKuVtJVph6hTj+UXJRMVR79TzS9JDR5dMCh15jDVGfc
U/twQiCF2jaQu5RZWAUXr5DJ2XJXli+PIdS1E/+TC1yYTQY9cWHQ7elRBM+O79hn
iEXVAZrFf9kiRWHv2tmfvpCrXG9UsywIN/RXvKT5s39eHEp4dtc0kps6brU+NgfS
XgGd5FnZoDez7vDTGxka3DPJs4aUAFZd1kyNussml19b+PPYDil/9SYomXZdV6fx
u1lMPZFK0QDME7NGKBO73lbXzs7StaiCXgydbuJ5bwlq/Gx0zeI0x6gs6/AlS58=
=ostc
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,197 +0,0 @@
{ zentralwerk, config, pkgs, ... }:
let
systemctl = "${pkgs.systemd}/bin/systemctl";
deployCommand = "${systemctl} start deploy-c3d2-dns";
reloadCommand = "${systemctl} reload-or-restart bind";
in
{
c3d2 = {
isInHq = false;
hq.statistics.enable = true;
deployment = {
server = "server10";
mounts = [ "etc" "home" "var"];
};
};
system.stateVersion = "22.05";
networking.hostName = "bind";
networking.firewall.allowedTCPPorts = [
# DNS
53
# HTTP(s)
80 443
];
networking.firewall.allowedUDPPorts = [
# DNS
53
];
# DNS server
services.bind = {
enable = true;
extraConfig = ''
include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";
include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";
# for collectd
statistics-channels {
inet 127.0.0.1 port 8053;
};
'';
};
systemd.services.bind = {
serviceConfig = {
Restart = "always";
RestartSec = "1s";
};
};
# BIND statistics in Grafana
services.collectd.plugins.bind = ''
URL "http://127.0.0.1:8053/";
ParseTime false
OpCodes true
QTypes true
ServerStats true
ZoneMaintStats true
ResolverStats false
MemoryStats true
'';
# Build user
users.groups.c3d2-dns = {};
users.users.c3d2-dns = {
isSystemUser = true;
group = "c3d2-dns";
home = "/var/lib/c3d2-dns";
};
systemd.tmpfiles.rules = [
"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
"d /var/lib/bind/slave 0755 named nogroup - -"
];
# Build script
systemd.services.deploy-c3d2-dns = let
inherit (pkgs.bind-secrets) giteaToken sshPrivkey;
in {
wantedBy = [ "multi-user.target" ];
before = [ "bind.service" ];
after = [ "network-online.target" ];
path = with pkgs; [ git nix curl openssh ];
script = ''
mkdir -p .ssh
cp ${builtins.toFile "id_ed25519" sshPrivkey} .ssh/id_ed25519
echo "gitea.c3d2.de ${config.c3d2.hosts.gitea.publicKey}" > .ssh/known_hosts
chmod 0600 .ssh/id_ed25519
# Build at least once
touch deploy-pending
status() {
curl -X POST \
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$1"
}
[ -d c3d2-dns ] || git clone --depth=1 gitea@gitea.c3d2.de:c3d2-admins/c3d2-dns.git
cd c3d2-dns
# Loop in case the webhook was called while we were building
while [ -e ../deploy-pending ]; do
rm ../deploy-pending
git checkout .
git pull
REV=$(git rev-parse HEAD)
set +e
status "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
# Fix legacy paths (TODO)
for f in *.conf ; do
sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
done
# Allow creation of .jnl files by BIND for DynDNS
chmod a+w zones
# Clean up .jnl files
rm -f zones/*.jnl
# Take action
if systemctl is-active -q bind; then
/run/wrappers/bin/sudo ${reloadCommand}
MSG=reload-or-restart
fi
if [ $? = 0 ]; then
status "{ \"context\": \"c3d2-dns\", \"description\": \""$MSG"ed\", \"state\": \"success\"}"
else
status "{ \"context\": \"c3d2-dns\", \"description\": \"$MSG failure\", \"state\": \"failure\"}"
fi
set -e
done
'';
serviceConfig = {
User = "c3d2-dns";
Group = config.users.users.c3d2-dns.group;
PrivateTmp = true;
ProtectSystem = "full";
ReadWritePaths = config.users.users.c3d2-dns.home;
WorkingDirectory = config.users.users.c3d2-dns.home;
};
};
# Privileged commands triggered by webhook/deploy-c3d2-dns
security.sudo.extraRules = [ {
users = [ "c3d2-dns" ];
commands = [ {
command = deployCommand;
options = [ "NOPASSWD" ];
} {
command = reloadCommand;
options = [ "NOPASSWD" ];
} ];
} ];
# Web server just for the webhook
services.nginx = {
enable = true;
virtualHosts = {
# hooks, logs
"bind.serv.zentralwerk.org" = {
default = true;
enableACME = true;
forceSSL = true;
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
};
};
};
# Webhook service
systemd.services.webhook =
let
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
id = "deploy-c3d2-dns";
execute-command = pkgs.writeShellScript "deploy-c3d2-dns" ''
# Request (re-)deployment
touch ${config.users.users.c3d2-dns.home}/deploy-pending
# Start deploy-c3d2-dns.service if not already running
exec /run/wrappers/bin/sudo ${deployCommand}
'';
} ]);
in {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
User = "c3d2-dns";
Group = config.users.users.c3d2-dns.group;
PrivateTmp = true;
ProtectSystem = "full";
};
};
}


@ -1,36 +0,0 @@
{ hostRegistry, zentralwerk, config, ... }:
{
microvm.mem = 2048;
c3d2.deployment = {
server = "server10";
mounts = [ "etc" "home" "var"];
};
system.stateVersion = "22.05";
networking = {
hostName = "blogs";
firewall.allowedTCPPorts = [
80 443
];
};
# See secrets/hosts/blogs for the .env file with all settings
services.plume = {
enable = true;
envFile = config.sops.secrets."plume/env".path;
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
secrets = {
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."blogs.c3d2.de" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:7878";
};
}


@ -1,183 +0,0 @@
plume:
env: ENC[AES256_GCM,data:V7pEExE5jGT7JSCejzo1m0QlMgpKuaF5CnHvR7LCvTJSgoCeeNW9ImtVk8MtqtoRngH45jgseuC5wZNzXSMG/ltQ4c3ThDcxKP5ngLmEZ3tOqSlIdV/A3S4ww4f/UAx8YpNY4c/LlL9NuCcfpHyC4zwRFrD6odCSk7BUT0BU+zxOBDpQDAHscBz+YYTbb3cJ7iGYg1fXS6wLJHutf0eXYF5VNcc80SISEfbR+bs9t2f7Dg==,iv:3n+EDT9TO5VxCS6rXZiNKpxtCWeCDi6YT3dQsrECNmU=,tag:ysWwxhR1JNJ7WUM28TIQig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cHMybGEzSkNJbHMrM3dU
Z1JNZktKTDhYRWp2UG42RHRSVWk4ZHd5a1VNCk1YLzBEdkZJcVd4SU8yRzFYcnZz
N0JWRFlaNDlmYTRodzl6YzlYSWFvZ2MKLS0tIGIraHBBM3B1Q3pSTHh1NjB1UlVo
eFhuZGtmN3doRnJtaEtBQVVXZFF6dDgKbdF6mYi9L5jFRWoQ2gI9cf+gqcHzlTXY
tLgbNyHPNgxDdhgZwfEWO2R5RBA6dDQ38FnkoNe7/UHRlkCO/PinGg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeE55VzhsUjRHYStMN3l6
OEtOQXFOVnBGcTBlK1djSlNSemJidTBzNlhnCnBOMnZjSjJFeUI5cytBUFM5aUds
TWpnK094Wno0aGttVkhxdmJ4blJMcG8KLS0tIGgrUzRWcjIyS3BpRXcwOU9QOS8r
KzVaYjdxMDBzemVhYnVzckZyUnp4NXMKCBgjoBgjhC5s8dvBlo5auBymEXnSXRWk
g/dMA2ibHaR90DcAC//Tau9dZU64rxbKqmUXgBuT83yPM0J4FAR3NA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-12-25T00:52:22Z"
mac: ENC[AES256_GCM,data:g6rMFoNx35MN495v1jKB13isssJ3GbKqyI7PdA796leFuRVgAlj6aUBI99vX+SpA1LpBYkUOu6OeV1EOHtpKlchbS4/FnO5oM0AOpoNux9yjQbeC3CM6soUzHn2+cJrnGMlgPC0sX0kcHVTFKF1aJsa+uLlkKD+F1SSJboz+P7c=,iv:i5I8FDU+j7l5UxgurA3Me2b/4zE7W1Ck3ckmQPqKWrM=,tag:gZCL8bo1YVoLZlxjyTupzw==,type:str]
pgp:
- created_at: "2022-07-15T23:31:00Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=n/8W
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2022-07-15T23:31:00Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=i5Td
-----END PGP MESSAGE-----
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
- created_at: "2022-07-15T23:31:00Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA45bZkLXmBFpAQgAietGjKoVeI7dRI+RnN2RIrRYaKcar7hjEp5OFXsICHGR
FIZWtaXJQr0/Ds/Vk6n6Ynwj9vXEgIi6VKKfil/OKuwKcAj0Lh0B+xSyIywyWaEU
ghZnf8HXlG4NQ424PEZnM3FbgWP8VkE95kvz7JpG4tAnZsdw2BNLrruW7WLqmfnT
TKNf2K2Uja4fEKKymOOsF5m8Ch+W7ZBwZdkwfa+yj510ytDBfxuioKBR+5pmWLBT
U5gNp32WwvEK2vmHmKh1HAg2I0DzdelIMWewIs5+RbNMQYqBG1UFEU6Gc1PJLOe0
1zc7BTBRPsMDmlxWssxGnYIkidCWkKWVGYNAZP57F9JeAbnF8rBXAzEHiFaXtGxI
wdd+6Z61Y9s5r8xlwac8cBw8XbOgQF1rkq1MbaTg52bn2K7Tt9qCvVNASb983l3M
yn3AkV6uxcDODX1Fp3DBDY5+xQOq8rRr/VYTLJTC7A==
=gHTB
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2022-07-15T23:31:00Z"
enc: |
-----BEGIN PGP MESSAGE-----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=Itwc
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2022-07-15T23:31:00Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=GzQi
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2022-07-15T23:31:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA/Z87ylQaotQAQf9Gu0JS7KLgGm0Gv83OAw5PqEIrTfqELE9e84WCGJVvoLb
UKZwzzPwJNHA0EgH5phKOWtN4WvqJtUXZBFbYlky4FyDyCYBolniG2Bt3dlapYje
gB8Oc1+OoMcK04o/jTmrN6XBk/Fsm52+zXS91VN6zmyBiUQRzwEaEjq7c80fXLLZ
13nQwKlYvfRcKB0uuWXfIweHjJOuErAtCuDJ1mZGjnXjJBZdOrWJHk9T+yFLxIRv
6QkJ2focYDDwPleaAmLasnTgXwGaPg3mMDA+TLbz5G4/pdAiFmeEdysQM986uVJp
RpZW2HqOTYxpt66VsSfSuRPg9VhQucGmS/MurG93GNJRAROdyA+ngHCvJcfTnkjv
M0AEhOOlX4eIiWPZR5SqVc4RQ8lRiDn90IW7Xx+DUvWadMct2iC99TT7VU45Atgg
86TZYUxHzvAEmDrxRB3jQ+kH
=shWD
-----END PGP MESSAGE-----
fp: 9EA68B7F21204979645182E4287B083353C3241C
- created_at: "2022-07-15T23:31:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=qJr9
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2022-07-15T23:31:00Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=UmVj
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -1,157 +0,0 @@
{ config, pkgs, lib, zentralwerk, ... }:
let
mymqttui = pkgs.writeScriptBin "mqttui" ''
export MQTTUI_USERNAME=consumer
export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
exec ${pkgs.mqttui}/bin/mqttui
'';
fqdn = "broker.serv.zentralwerk.org";
mqttWebsocketPort = 9001;
in
{
c3d2 = {
deployment = {
server = "server10";
mounts = [ "etc" "var"];
};
};
microvm.mem = 1024;
networking = {
hostName = "broker";
firewall.allowedTCPPorts = [
# nginx
80 443
# mosquitto
1883 8883
];
};
services.openssh.enable = true;
# runs mainly to obtain a TLS certificate
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
default = true;
enableACME = true;
forceSSL = true;
locations."/mqtt" = {
proxyPass = "http://localhost:${toString mqttWebsocketPort}/";
proxyWebsockets = true;
};
};
};
services.mosquitto = {
enable = true;
listeners =
let
users = {
"zentralwerk-network" = {
passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
acl = [
"write #"
];
};
"services" = {
passwordFile = config.sops.secrets."mosquitto/users/services".path;
acl = [
"write #"
];
};
"consumer" = {
passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
acl = [
"read #"
];
};
"sensors" = {
passwordFile = config.sops.secrets."mosquitto/users/sensors".path;
acl = [
"write esp-sdk/#"
"write esp-proc/#"
];
};
};
in [ {
address = "0.0.0.0";
port = 1883;
inherit users;
} {
address = "::";
port = 1883;
inherit users;
} {
address = "0.0.0.0";
port = 8883;
settings = {
certfile = "/run/credentials/mosquitto.service/cert.pem";
keyfile = "/run/credentials/mosquitto.service/key.pem";
};
inherit users;
} {
address = "::";
port = 8883;
settings = {
certfile = "/run/credentials/mosquitto.service/cert.pem";
keyfile = "/run/credentials/mosquitto.service/key.pem";
};
inherit users;
} {
settings.protocol = "websockets";
address = "::";
port = mqttWebsocketPort;
inherit users;
} ];
};
systemd.services.mosquitto = {
requires = [ "acme-finished-${fqdn}.target" ];
serviceConfig.LoadCredential =
let
certDir = config.security.acme.certs.${fqdn}.directory;
in [
"cert.pem:${certDir}/fullchain.pem"
"key.pem:${certDir}/key.pem"
];
};
security.acme.certs.${fqdn}.postRun = ''
systemctl restart mosquitto
'';
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
secrets = let
perms = {
owner = config.systemd.services.mosquitto.serviceConfig.User;
group = config.systemd.services.mosquitto.serviceConfig.Group;
mode = "0440";
};
in
{
"mosquitto/users/zentralwerk-network" = perms;
"mosquitto/users/services" = perms;
"mosquitto/users/consumer" = perms;
"mosquitto/users/sensors" = perms;
};
};
environment.systemPackages = with pkgs; [
mymqttui
];
users.motd = ''
C3D2 MQTT Broker
================
Use `mqttui` to inspect the data in mosquitto.
'';
system.stateVersion = "22.05";
}


@ -1,185 +0,0 @@
mosquitto:
users:
zentralwerk-network: ENC[AES256_GCM,data:VeIDGMe0+YF6eLkTrBsQLg==,iv:h7KcZusBsP3QOWZWhOLOQM5ID1fWdvPkoEYLQn3XruQ=,tag:rcd6CiCauV/FQ8Y6+8FEwA==,type:str]
services: ENC[AES256_GCM,data:IJlgEkiND/QjMqBbyXmBTw==,iv:sATxB+Tfr9pLqOCY/jwAjcxaKCcgGhd/vga4e3M9N3Q=,tag:TodfF26KquW3F1KY9R9Wvg==,type:str]
consumer: ENC[AES256_GCM,data:m1ae+G/ZsDShSEWnHx4ShA==,iv:GBTRpJbSpnRYjWBttVZq1Qm8YFvhKZfmMwhCZqqBLJ4=,tag:/6uDJ6yRBuQwgPMVyXRQfg==,type:str]
sensors: ENC[AES256_GCM,data:psezcKOTU371ec+4YQ9E6Q==,iv:VxD2x6m+gF2kenJ2Ekhe2IvrW0DVP7Ha6UAavaK8/uM=,tag:aTgC5gfWlsVDfo9RWC3FIA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMTM5QjVHYjhUR3BoRWQr
dFp0ckQwamJibjhSSUt6d0tyYUR0QVQzNUZBCmJaQ2ZmUGtNTi91a214cjJOQXBh
S1U4bkI1QVNJNFhUK3dQdVRuVEhDVUkKLS0tIDZsSFo5MTBoQjY3N2xIVThUczd2
SXZGVDdrOEhoTVVFM0FNd0c4N2M2OEEK1iySJYxNPQWUmTz0HGyaQR+QpE8QBRz3
cX1805lK2KsOvlxs109B4VA2kK0zGRdLBKyZO2zD7/2RUIPaLyssvg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOVhvOUtQdzJwbmtwL29G
NWl4Q0EwVXFGUUdZMTFOZFZ5RG53MkpINGtBCnlvWWhWeU85Q0h6UUFIME1FanMz
VGh3M2hGeXB0dzVFUTFjV2ZaRUUyUHcKLS0tIFpCdWo4WWRhdUYvcndjUGttWldh
RFpaTGlGaEZrb0YxQzlWeENaTWE1QzQKR0a2MYJJKM1lYv7BJOzzb4ppS+BPnoWZ
mVmiPq3CEzzzmus61dUd+i9m1uRn5cf1jmaYxV2desDsU8l08ZOnhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-05T21:22:51Z"
mac: ENC[AES256_GCM,data:sA4lWpltQNotBZldLxVALSb4Z7qD/cpVIkIEn0+9ouTSb66rEfEX1z7pQuZxRNkGHPwJ8MXDREplCPBqNMAPwh03OnqxuOKMVr9QZJSLuNlBi/12LOFHxY2AgWXebQlWvNDJXEp1fwrV2ztKg6iGHtD+kMsd/JMybmYPDTMj0VQ=,iv:bvwh0hg7kqQSpJav6i6g5/8FFT1Gs/6YjzZd2hpJSnc=,tag:E8lDOg6lTaX1aOp4vcSIHg==,type:str]
pgp:
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=fNmY
-----END PGP MESSAGE-----
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=65BK
-----END PGP MESSAGE-----
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA45bZkLXmBFpAQgApl5OISWFwp43XBMIJyw20UKl5TL/CpV8ctVD87z4e9RB
cbgb8/phlJYMI2RhaDATDFwuKiL5R4lCJoUg3cQsHjg4q/DCyyIDNoXS2dIqT92N
y3AqQvM2qOeVX/lX0gDKd2/mb/lQxN2s9/n/HOXDTTvbr68ygKa0YIq7oMhka4pd
Zvw9ZUC6q3kU7IrhPB5UFQ2HYqcyTB/ufXAk0FwedRGTVU1783xv/iaBVfsCdraz
8DK5mhOmE8Ul+zcCJd4pISmbqF5YAJ0oqfveDJnLC//sGx2MvnNSIsfOaK7UulgZ
fU3sQfoYOaJnin4tpUtDTNn7p/gYBqzpyHOjl0EL+tJRAfoQBcEK930n8O8+ssCQ
+N0mAudkaVz5wPQxKLF479uNMIKI2Q6DZJl4csJV+kdcCqN6d8QfzckGau5xiHta
CqKJVCNE4d5ymecnLfUKFMpp
=sOC0
-----END PGP MESSAGE-----
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=p+ZT
-----END PGP MESSAGE-----
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=TtKA
-----END PGP MESSAGE-----
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA/Z87ylQaotQAQf/Y9Ee7T6j2i4HKW7jejoUxv2b2pI80iCHeJ/olAvOUFi6
bO7i5OcxDvs1gtOLxMZXnj09NQUXkMp8Pvzp4g4VkL+/wCyArE7vyVh2VW/AD1ia
HAi3VNkVwiX+prZjvUUs7xumMGT4rJiGw601Ds8jVSdIyQt55hd/AKq3n4VMf5MZ
BwDZbyuSXpSMYCRlTiH72i1c0lhBOG53W4BOEPGv0sRh4ngrZMDh7BtP2OAVgLE0
mHKsTh5loKVsQSfQMGWzIwe/wXkRuiKeBqqgyanO/h8W7PGEj1hTxVRP6zOu4tn5
kZWr2U9L5La5X4eSVYnJoHMyhvCOn5PCAODldtsrZ9JRAYBtCSriMIS39Qnu+1XX
/Anejs4yrPXhj1Qf61E7IEaRx5us8d5ib831WsJ+Krheq/FUfrb16ebVpR0jdBRd
1dVd2PCz7GP+O1jZIMEhDQSX
=hsLA
-----END PGP MESSAGE-----
fp: 9EA68B7F21204979645182E4287B083353C3241C
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=LHN4
-----END PGP MESSAGE-----
fp: 53B26AEDC08246715E15504B236B6291555E8401
- created_at: "2022-07-15T23:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=/TYd
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,273 +0,0 @@
{ zentralwerk, nixpkgs, config, lib, pkgs, ... }:
let
webroot = "/var/www";
geminiRoot = "/var/gemini";
deployCommand = "${pkgs.systemd}/bin/systemctl start deploy-c3d2-web.service";
in
{
microvm.vcpu = 8;
microvm.mem = 1024;
c3d2.deployment = {
server = "server10";
mounts = [ "etc" "home" "var"];
};
boot.tmpOnTmpfs = true;
system.stateVersion = "22.05";
# Network setup
networking.hostName = "c3d2-web";
networking.firewall.allowedTCPPorts = [
# http/https
80 443
# gemini
1965
];
security.acme.certs = {
# agate cannot load "ec256" keys
"www.c3d2.de".keyType = "rsa4096";
};
# Web server
services.nginx = {
enable = true;
virtualHosts = {
# c3d2
"www.c3d2.de" = {
default = true;
serverAliases = [
"c3d2.de"
"c3dd.de" "www.c3dd.de" "openpgpkey.c3d2.de"
"cccdd.de" "www.cccdd.de"
"dresden.ccc.de" "www.dresden.ccc.de"
"netzbiotop.org" "www.netzbiotop.org"
];
enableACME = true;
forceSSL = true;
root = "${webroot}/c3d2";
extraConfig = ''
index portal.html index.html;
'';
locations = {
# SpaceAPI
"/status.png".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/status.png";
"/spaceapi.json".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/spaceapi.json";
# WKD: Web Key Directory for PGP Keys
"/openpgp" = {
extraConfig = ''
autoindex off;
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "* always";
'';
};
};
};
# datenspuren
"datenspuren.de" = {
serverAliases = [
"www.datenspuren.de"
"ds.c3d2.de" "datenspuren.c3d2.de"
];
enableACME = true;
forceSSL = true;
root = "${webroot}/c3d2/datenspuren";
extraConfig = ''
index index.html;
rewrite ^/$ /2022/ redirect;
'';
};
# autotopia
"autotopia.c3d2.de" = {
enableACME = true;
forceSSL = true;
root = "${webroot}/c3d2/autotopia";
extraConfig = ''
index index.html;
rewrite ^/$ /2020/ redirect;
'';
};
# hooks, logs
"c3d2-web.serv.zentralwerk.org" = {
enableACME = true;
forceSSL = true;
root = webroot;
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
};
};
};
# Gemini server
services.agate = {
enable = true;
addresses = [
# sysctl net.ipv6.bindv6only = 0
"[::]:1965"
];
certificatesDir = "/var/lib/agate/certificates";
contentDir = geminiRoot;
language = "de";
};
# let agate access the tls certs
systemd.services.agate = {
requires = [ "agate-keys.service" ];
after = [ "agate-keys.service" ];
serviceConfig = {
Group = "keys";
};
};
systemd.services.agate-keys = {
path = with pkgs; [ openssl ];
script = let
stateDir = "/var/lib/agate/certificates";
in ''
mkdir -p ${stateDir}
openssl x509 \
-in /var/lib/acme/www.c3d2.de/cert.pem \
-out ${stateDir}/cert.der \
-outform DER
openssl rsa \
-in /var/lib/acme/www.c3d2.de/key.pem \
-out ${stateDir}/key.der \
-outform DER
chown root:keys ${stateDir}/*
chmod 0640 ${stateDir}/*
'';
serviceConfig = {
Type = "oneshot";
};
};
# Build user
users.groups.c3d2-web = {};
users.users.c3d2-web = {
isSystemUser = true;
group = "c3d2-web";
home = "/var/lib/c3d2-web";
};
systemd.tmpfiles.rules = [
"d ${webroot}/c3d2 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
"d ${webroot}/log 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
"d ${geminiRoot} 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
"d ${config.users.users.c3d2-web.home} 0700 c3d2-web ${config.users.users.c3d2-web.group} -"
];
# Build script
systemd.services.deploy-c3d2-web = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
path = with pkgs; [
git nix curl
(libxslt.override {
cryptoSupport = true;
}) libxml2 wget rsync gnumake bash
];
script = ''
# Build at least once
touch ${config.users.users.c3d2-web.home}/deploy-pending
status() {
curl -X POST \
"https://gitea.c3d2.de/api/v1/repos/c3d2/c3d2-web/statuses/$REV?token=${pkgs.c3d2-web.giteaToken}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d "$1"
}
if [ ! -d c3d2-web ]; then
git clone --depth=1 https://gitea.c3d2.de/c3d2/c3d2-web.git
cd c3d2-web
else
cd c3d2-web
git fetch origin
git reset --hard origin/master
# `make export` may have created read-only files,
# fix that before cleaning up
chmod -R u+w .
git clean -d -f -x
fi
# Loop in case the webhook was called while we were building
while [ -e ${config.users.users.c3d2-web.home}/deploy-pending ]; do
rm ${config.users.users.c3d2-web.home}/deploy-pending
git pull
REV=$(git rev-parse HEAD)
# web
set +e
status "{ \"context\": \"c3d2-web\", \"description\": \"building...\", \"state\": \"pending\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-$REV.txt\"}"
make -j$(nproc) export DESTDIR=${webroot}/c3d2 \
&> ${webroot}/log/build-$REV.txt
if [ $? = 0 ]; then
status "{ \"context\": \"c3d2-web\", \"description\": \"deployed\", \"state\": \"success\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-$REV.txt\"}"
else
status "{ \"context\": \"c3d2-web\", \"description\": \"build failure\", \"state\": \"failure\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-$REV.txt\"}"
fi
git clean -fx
# gemini
status "{ \"context\": \"c3d2-gemini\", \"description\": \"building...\", \"state\": \"pending\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-gemini-$REV.txt\"}"
make -f Makefile.gemini -j$(nproc) export DESTDIR=${geminiRoot} \
&> ${webroot}/log/build-gemini-$REV.txt
if [ $? = 0 ]; then
status "{ \"context\": \"c3d2-gemini\", \"description\": \"deployed\", \"state\": \"success\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-gemini-$REV.txt\"}"
else
status "{ \"context\": \"c3d2-gemini\", \"description\": \"build failure\", \"state\": \"failure\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-gemini-$REV.txt\"}"
fi
set -e
done
'';
serviceConfig = {
User = "c3d2-web";
Group = config.users.users.c3d2-web.group;
PrivateTmp = true;
ProtectSystem = "full";
WorkingDirectory = config.users.users.c3d2-web.home;
ReadWritePaths = [ webroot config.users.users.c3d2-web.home ];
};
};
systemd.timers.deploy-c3d2-web = {
partOf = [ "deploy-c3d2-web.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "hourly";
};
security.sudo.extraRules = [ {
users = [ "c3d2-web" ];
commands = [ {
command = deployCommand;
options = [ "NOPASSWD" ];
} ];
} ];
systemd.services.webhook =
let
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
id = "deploy-c3d2-web";
execute-command = pkgs.writeShellScript "deploy-c3d2-web" ''
# Request (re-)deployment
touch ${config.users.users.c3d2-web.home}/deploy-pending
# Start deploy-c3d2-web.service if not already running
exec /run/wrappers/bin/sudo ${deployCommand}
'';
} ]);
in {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
User = "c3d2-web";
Group = config.users.users.c3d2-web.group;
PrivateTmp = true;
ProtectSystem = "full";
};
};
}


@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
networking.hostName = "dhcp";
networking.defaultGateway = "172.22.99.1";
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
networking.interfaces.eth0 = {
ipv4.addresses = [ {
address = "172.22.99.254";
prefixLength = 24;
} ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
];
# dhcp
networking.firewall.allowedUDPPorts = [ 67 68 ];
networking.useDHCP = false;
services.dhcpd4 = {
enable = true;
interfaces = [ "eth0" ];
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
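Review bot: `extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config` inlines the secrets file into the generated dhcpd.conf, and the dhcpd4 module writes that file into the Nix store, so its contents become world-readable on this host (and on any machine the closure is copied to) regardless of how the secrets checkout is protected. If that file carries anything sensitive — an OMAPI or DDNS TSIG key, for example — it should be kept out of the store and read by dhcpd at runtime instead; if it is only MAC/IP reservations, a comment such as `# reservations only, no key material; safe to land in the store` would spare the next reader the check.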


@ -0,0 +1,207 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, strings, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
systemd = {
enableEmergencyMode = false;
};
# Use the GRUB 2 boot loader.
#boot.loader.grub.enable = true;
#boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
#boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
# networking = {
# hostName = "storage2";
# interfaces.ens18.ipv4.addresses = [{
# address = "172.22.99.20";
# prefixLength = 24;
# }];
# };
networking = {
hostName = "storage-ng";
# usePredictableInterfacenames = false;
interfaces.ens18.ipv4.addresses = [{
address = "172.22.99.20";
prefixLength = 24;
}];
interfaces.ens18.ipv6.addresses = [{
address= "2a02:8106:208:5201::20";
prefixLength = 64;
}];
nameservers = [ "172.20.72.6" "9.9.9.9" "74.82.42.42" ];
defaultGateway = {
address = "172.22.99.1";
interface = "ens18";
};
#defaultGateway6 = {
# address = "fe80::a800:42ff:fe7a:3246";
# interface = "ens18";
#};
};
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
time.timeZone = "Europe/Berlin";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
vim
screen
zsh
lftp
# ceph
lsof
psmisc
gitAndTools.git-annex
gitAndTools.git
mpv
# libmagic how ?
];
services.ceph = {
# enable = true;
client.enable = true;
};
services.samba = {
enable = true;
enableNmbd = true;
shares = {
c3d2 = {
browseable = "yes";
comment = "Public samba share.";
# guest ok = "yes";
path = "/mnt/cephfs/c3d2/files";
# read only = false;
};
};
};
# fixme, we need a floating ip here
# correct is floating ip 172.22.99.21
# does not exist yet
# secretfile does not work :(
fileSystems."/mnt/cephfs" = {
device = "172.22.99.13:6789:/";
fsType = "ceph";
options = [ "name=storage2" ("secret=" + (builtins.readFile("/etc/nixos/storage-secret.key"))) "noatime,_netdev" "noauto" "x-systemd.automount" "x-systemd.device-timeout=175" "users" ];
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.bash.enableCompletion = true;
programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.atftpd = {
enable = true;
root = "/mnt/cephfs/c3d2/tftp";
};
services.nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [ fancyindex ];
};
virtualHosts = {
"storage-ng.hq.c3d2.de" = {
root = "/etc/nixos/www";
serverAliases = [ "storage" "storage2" "storageng" ];
http2 = true;
# addSSL = true;
locations = {
"/c3d2" = {
alias = "/mnt/cephfs/c3d2/files/";
extraConfig = ''
fancyindex on;
# autoindex on;
'';
};
};
};
};
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
23
80
443
137 138 445 139 # samba
];
networking.firewall.allowedUDPPorts = [
69
137 138 445 139 # samba
];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.extraUsers.k-ot = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" ];
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
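Review bot: The ceph entry under `fileSystems."/mnt/cephfs"` builds its mount options from `builtins.readFile "/etc/nixos/storage-secret.key"`, which copies the CephX key into the store-resident /etc/fstab (world-readable) and also keeps the file's trailing newline inside the `secret=` option — a plausible reason the `secretfile` attempt mentioned in the comment above it did not work either. Prefer `"secretfile=/etc/nixos/storage-secret.key"` with that file kept root-only (re-test it with the systemd automount path), or at minimum `lib.fileContents` to strip the newline. Separately, `networking.firewall.enable = false` near the end makes the `allowedTCPPorts`/`allowedUDPPorts` lists above it inert, so samba, tftp and nginx are reachable from wherever the host is routable, not just on the listed ports.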


@ -0,0 +1,12 @@
<html>
<head><title>storage.hq.c3d2.de</title></head>
<body>
<h1>storage-ng</h1>
services available:
<ul>
<li><a href="/c3d2">c3d2 files http</a></li>
<li>SAMBA/Windows Access: storage-ng.hq.c3d2.de</li>
<li>tftp</li>
</ul>
</body>
</html>


@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
networking.hostName = "grafana";
networking.useNetworkd = true;
networking.defaultGateway = "172.22.99.4";
# Needs IPv4 for obtaining certs?
networking.useDHCP = lib.mkForce true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
];
# http https
networking.firewall.allowedTCPPorts = [ 80 443 ];
# collectd
networking.firewall.allowedUDPPorts = [ 25826 ];
services.caddy = {
enable = true;
agree = true;
config = ''
grafana.hq.c3d2.de
proxy / localhost:3000
'';
};
services.grafana = {
enable = true;
auth.anonymous = {
enable = true;
org_name = "Chaos";
};
users.allowSignUp = true;
};
services.influxdb =
let
collectdTypes = pkgs.stdenv.mkDerivation {
name = "collectd-types";
src = ./.;
buildInputs = [ pkgs.collectd ];
buildPhase = ''
mkdir -p $out/share/collectd
cat ${pkgs.collectd}/share/collectd/types.db >> $out/share/collectd/types.db
echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
'';
installPhase = ''
cp -r . $out
'';
};
in {
enable = true;
extraConfig = {
logging.level = "debug";
collectd = [{
enabled = true;
database = "collectd";
typesdb = "${collectdTypes}/share/collectd/types.db";
}];
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
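Review bot: `users.allowSignUp = true` combined with anonymous access means anyone who can reach grafana.hq.c3d2.de can also self-register an account; unless open registration is intended, set `users.allowSignUp = false;` and keep anonymous viewing as the public path. Two related loose ends: UDP 25826 is opened for collectd while the influxdb listener here configures neither signing nor encryption, so any host that can reach the port can inject metrics (if that hardening lives in another module, a comment pointing to it would help), and `logging.level = "debug"` on influxdb is unusually verbose for a permanent deployment.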


@ -0,0 +1,27 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[ ../../lib/lxc-container.nix
../../lib/shared.nix
];
networking.hostName = "nixbert"; # Define your hostname.
networking.useNetworkd = false;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim
];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}


@ -0,0 +1,3 @@
#!/usr/bin/env bash
nix-build -I nixos-config=./lxc-template.nix '<nixpkgs/nixos>' -A config.system.build.tarball


@ -0,0 +1,31 @@
{ config, pkgs, lib, ... }:
let
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;
in
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
"${tiggerGit}/module.nix"
];
networking.hostName = "mucbot";
networking.useNetworkd = true;
networking.defaultGateway = "172.22.99.4";
networking.useDHCP = lib.mkForce true;
services.tigger = {
enable = true;
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
muc = "c3d2@chat.c3d2.de/Astrobot";
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
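Review bot: `builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz` fetches a moving branch with no `sha256`, so every evaluation imports whatever GitHub serves at that moment as a NixOS module that then runs with the bot's XMPP credentials — both a supply-chain gap and a source of irreproducible builds. Pin it, e.g. `tiggerGit = builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<rev>.tar.gz"; sha256 = "<hash>"; };`. Separately, `password = import …/jabber-password.nix` hands the secret to the module as an option value; whether it then ends up in the Nix store depends on how `services.tigger` writes its config, which is not visible here and is worth confirming.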


@ -0,0 +1,52 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
./proxy.nix
];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 2;
nix.buildCores = lib.mkDefault 16;
boot.isContainer = true;
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
networking.hostName = "public-access-proxy";
networking.defaultGateway = { address = "172.22.99.4"; interface = "eth0"; };
# Set your time zone.
time.timeZone = "Europe/Berlin";
services.openssh = {
enable = true;
permitRootLogin = "yes";
ports = [ 1122 ];
};
my.services.proxy = {
enable = true;
proxyHosts = [
{
hostNames = [ "arkom.men" "c3d2.arkom.men" "test.arkom.men" ];
proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
}
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
system.stateVersion = "18.09"; # Did you read the comment?
}
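Review bot: `permitRootLogin = "yes"` on the container that, by its name and its 80/443 proxying, is the public-facing edge of the network lets root log in with a password over the port-1122 sshd if `PasswordAuthentication` stays at its default; use `permitRootLogin = "prohibit-password";` and rely on keys. Moving sshd to a non-standard port is not a substitute for that. `nix.useSandbox = false` additionally weakens build isolation on this host, though inside an unprivileged container it may be unavoidable — a comment saying why would help.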


@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.services.proxy;
in {
options.my.services.proxy = {
enable = mkOption {
default = false;
description = "whether to enable proxy";
type = types.bool;
};
proxyHosts = mkOption {
type = types.listOf (types.submodule (
{
options = {
hostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Proxy these hostNames.
'';
};
proxyTo = mkOption {
type = types.submodule (
{
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = {};
};
};
}));
default = [];
example = [
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
}
];
};
};
config = mkIf cfg.enable {
services.haproxy = {
enable = true;
config = ''
resolvers dns
nameserver quad9 9.9.9.9:53
hold valid 1s
frontend http-in
bind :::80 v4v6
default_backend proxy-backend-http
backend proxy-backend-http
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} resolvers dns check inter 1000
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
}
frontend https-in
bind :::443 v4v6
default_backend proxy-backend-https
backend proxy-backend-https
timeout connect 5000
timeout check 5000
timeout client 30000
timeout server 30000
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} resolvers dns check inter 1000
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
}
'';
};
};
}
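Review bot: The generated HAProxy backends are fail-open: `use-server … if { req.hdr(host) -i … }` only pins matching hosts, and a request whose Host (or SNI) matches none of the configured names still reaches `default_backend` and is balanced across all of its servers, so unknown hostnames are forwarded to some customer's backend rather than refused. Add a reject before the server lines, e.g. `http-request deny unless { req.hdr(host) -i <host1> <host2> … }` in the HTTP backend and a `tcp-request content reject` guarded by the SNI ACLs in the HTTPS one. The HTTPS path also evaluates `req.ssl_sni` without a `tcp-request inspect-delay`, so the ClientHello may not have been read yet when the rule runs — confirm with a test connection. Minor: the `httpsPort` description reads "Port to forward http to."; it should say https.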


@ -0,0 +1,71 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
c3d2 = {
isInHq = true;
hq.interface = "eth0";
};
networking = {
hostName = "radius";
interfaces.eth0.useDHCP = lib.mkForce true;
};
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 4;
boot.isContainer = true;
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
networking.hostName = "nixbert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.useNetworkd = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim
git freeradius
];
services.freeradius.enable = true;
services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";
services.openssh.enable = true;
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
system.extraSystemBuilderCmds =
''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
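Review bot: `networking.hostName` is defined twice in this file ("radius" near the top and "nixbert" further down) at equal priority, which makes NixOS evaluation fail with conflicting definitions; drop the `networking.hostName = "nixbert";` line left over from the template. `services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius"` points at a checkout under /root, which the `radius` service user cannot read if radiusd runs unprivileged as the upstream NixOS module does, and it means the key material committed below is copied to every host that clones this repo. Also `c3d2.isInHq`/`c3d2.hq.interface` are set while the module defining them is not among the imports here; unless it is provided elsewhere, that is a second evaluation error.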


@ -0,0 +1,23 @@
#
# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
# Select between different accounting methods based for example on the
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
# pairs contained in an accounting packet.
#
#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
#
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
#
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
#
#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
# Replace the User-Name with the Stripped-User-Name, if it exists.
#
#DEFAULT
# User-Name := "%{Stripped-User-Name:-%{User-Name}}"


@ -0,0 +1,129 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
#
# This file contains security and configuration information
# for each realm. The first field is the realm name and
# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
# decide what attributes and/or values we allow proxy servers
# to pass to the NAS for this realm.
#
# When a proxy-reply packet is received from a home server,
# these attributes and values are tested. Only the first match
# is used unless the "Fall-Through" variable is set to "Yes".
# In that case the rules defined in the DEFAULT case are
# processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
#
# This is a complete entry for realm "fisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# o PPP sessions ( no SLIP, CSLIP, etc. )
# o dynamic ip assignment ( can't assign a static ip )
# o an idle timeout value set to 600 seconds (10 min) or less
# o a max session time set to 28800 seconds (8 hours) or less
#
#fisp
# Service-Type == Framed-User,
# Framed-Protocol == PPP,
# Framed-IP-Address == 255.255.255.254,
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
#
# This is a complete entry for realm "tisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# o Telnet sessions only ( no rlogin, tcp-clear )
# o Login hosts of either 192.168.1.1 or 192.168.1.2
#
#tisp
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
# Login-IP-Host == 192.168.1.1,
# Login-IP-Host == 192.168.1.2
#
# The following example can be used for a home server which is only
# allowed to supply a Reply-Message, a Session-Timeout attribute of
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
# Acct-Interim-Interval attribute between 300 and 3600.
# All other attributes sent back will be filtered out.
#
#strictrealm
# Reply-Message =* ANY,
# Session-Timeout <= 86400,
# Idle-Timeout <= 600,
# Acct-Interim-Interval >= 300,
# Acct-Interim-Interval <= 3600
#
# This is a complete entry for realm "spamrealm". Fall-Through is used,
# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force the application of Filter-ID attribute to be returned
# in the proxy reply, whether the proxy sent it or not.
# o The standard DEFAULT rules as defined below
#
#spamrealm
# Framed-Filter-Id := "nosmtp.in",
# Fall-Through = Yes
#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names. (except if the realm previously
# matched an entry with no Fall-Through)
#
DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
MS-CHAP-MPPE-Keys =* ANY,
State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Calling-Station-Id =* ANY,
Operator-Name =* ANY,
Port-Limit <= 2


@ -0,0 +1,19 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $
#
# This configuration file is used to remove almost all of the
# attributes From an Access-Challenge message. The RFC's say
# that an Access-Challenge packet can contain only a few
# attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY


@ -0,0 +1,17 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $
#
# This configuration file is used to remove almost all of the attributes
# From an Access-Reject message. The RFC's say that an Access-Reject
# packet can contain only a few attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
MS-CHAP-Error =* ANY,
Proxy-State =* ANY


@ -0,0 +1,15 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $
#
# This configuration file is used to remove almost all of the attributes
# From an Accounting-Response message. The RFC's say that an
# Accounting-Response packet can contain only a few attributes.
# We enforce that here.
#
DEFAULT
Vendor-Specific =* ANY,
Message-Authenticator =* ANY,
Proxy-State =* ANY


@ -0,0 +1,62 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $
#
# This file contains security and configuration information
# for each realm. It can be used be an rlm_attr_filter module
# instance to filter attributes before sending packets to the
# home server of a realm.
#
# When a packet is sent to a home server, these attributes
# and values are tested. Only the first match is used unless
# the "Fall-Through" variable is set to "Yes". In that case
# the rules defined in the DEFAULT case are processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# The first line indicates the realm to which the rules apply.
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# This is a complete entry for 'nochap' realm. It allows to send very
# basic attributes to the home server. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used. Only the listed attributes
# will be sent in the packet, all other attributes will be filtered out.
#
#nochap
# User-Name =* ANY,
# User-Password =* ANY,
# NAS-Ip-Address =* ANY,
# NAS-Identifier =* ANY
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
# if its value is different from 'Ethernet'. Then the default rules are
# applied.
#
#brokenas
# NAS-Port-Type == Ethernet
# Fall-Through = Yes
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
DEFAULT
User-Name =* ANY,
User-Password =* ANY,
CHAP-Password =* ANY,
CHAP-Challenge =* ANY,
MS-CHAP-Challenge =* ANY,
MS-CHAP-Response =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
State =* ANY,
NAS-IP-Address =* ANY,
NAS-Identifier =* ANY,
Proxy-State =* ANY


@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,3AD0523FFE8CE8B72DF17107DF07836B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-----END RSA PRIVATE KEY-----
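Review bot: A passphrase-protected RSA private key is committed here next to its certificate; for a FreeRADIUS EAP key the passphrase normally sits in clear text in eap.conf (`private_key_password`, not visible in this chunk), so the encryption is nominal and the key should be treated as exposed to everyone with repo access. Keep the key in the secrets store and reference it from the config instead of committing it, and rotate it if this repository is shared beyond the admin group.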


@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN DH PARAMETERS-----
MIGHAoGBAKNmmoE+doPb+VmQlXOqsXcVX5ciwWyf+QsdEVyyic6fZUMWbAvFwDN1
hnT5HbpWkCnwU5H27st8+SluOMGfjiwmhtn5TZqX1b0bOWH+UeT1iRLBaClZNNCx
MDWIVbk1cpnNszsMPGhjMrQwN06bZFPwFBS8+smgrDnQoN1BkPPjAgEC
-----END DH PARAMETERS-----
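Review bot: These DH parameters are 1024-bit (`MIGHAoGB…` decodes to a 129-byte modulus with generator 2), below current guidance for TLS key exchange and exactly the size targeted by the Logjam work; regenerate with `openssl dhparam -out dh 2048` (or larger) before this goes live. FreeRADIUS uses this file for the EAP-TLS/TTLS/PEAP tunnel whenever a DHE suite is negotiated, so every supplicant that ends up on such a suite inherits the weak group.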


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03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-----END RSA PRIVATE KEY-----


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,247 @@
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 127.0.0.1
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = testing123
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# juniper
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
#client some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
#client 192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
### ### ### C3D2 ### ### ###
client any {
ipaddr 0.0.0.0/0
secret = public
nastype = other
require_message_authenticator = no
}
### ### ### C3D2 ### ### ###
# EOF
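Review bot: `client any { ipaddr 0.0.0.0/0 … secret = public }` accepts Access-Requests from every address with a publicly known shared secret, and that secret is what hides the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes carrying the WPA session key back to the access point — so anyone between an AP and this server can recover the keys of the "authless" sessions, and anyone at all can drive the server as a NAS. Even for an intentionally open network, restrict `ipaddr` to the AP subnet and use a random per-NAS secret; the `localhost` entry still carries the `testing123` default, which should go as well. Note `ipaddr 0.0.0.0/0` is missing the `=` the other directives use; confirm the parser accepts it.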


@ -0,0 +1,32 @@
#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
#
# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
#
#
# The filename given here should be an absolute path.
#
$INCLUDE /usr/share/freeradius/dictionary
#
# Place additional attributes or $INCLUDEs here. They will
# over-ride the definitions in the pre-defined dictionaries.
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer


@ -0,0 +1,688 @@
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = ttls
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
#
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. For simplicity,
# this is taken from the "max_requests" directive in
# radiusd.conf.
max_sessions = ${max_requests}
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls {
#
# These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = c3d2
private_key_file = ${certdir}/server.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = /dev/urandom
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
CA_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-Issuer attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-CN attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# As part of checking a client certificate, the EAP-TLS
# sets some attributes such as TLS-Client-Cert-CN. This
# virtual server has access to these attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
# This command creates the initial "snake oil"
# certificates when the server is run as root,
# and via "radiusd -X".
#
# As of 2.1.11, it *also* checks the server
# certificate for validity, including expiration.
# This means that radiusd will refuse to start
# when the certificate has expired. The alternative
# is to have the 802.1X clients refuse to connect
# when they discover the certificate has expired.
#
# Debugging client issues is hard, so it's better
# for the server to print out an error message,
# and refuse to start.
#
make_cert_command = "${certdir}/bootstrap"
#
# Elliptical cryptography configuration
#
# Only for OpenSSL >= 0.9.8.f
#
ecdh_curve = "prime256v1"
#
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
cache {
#
# Enable it. The default is "no".
# Deleting the entire "cache" subsection
# Also disables caching.
#
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT
# enable resumption for just one user
# by setting the above attribute to "yes".
#
enable = no
#
# Lifetime of the cached entries, in hours.
# The sessions will be deleted after this
# time.
#
lifetime = 24 # hours
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
max_entries = 255
}
#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
verify {
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
# tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..CA_path} text is a reference to
# the CA_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
}
#
# OCSP Configuration
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
# new Certificate Revokation Lists (CRLs).
#
ocsp {
#
# Enable it. The default is "no".
# Deleting the entire "ocsp" subsection
# Also disables ocsp checking
#
enable = no
#
# The OCSP Responder URL can be automatically
# extracted from the certificate in question.
# To override the OCSP Responder URL set
# "override_cert_url = yes".
#
override_cert_url = yes
#
# If the OCSP Responder address is not
# extracted from the certificate, the
# URL can be defined here.
#
# Limitation: Currently the HTTP
# Request is not sending the "Host: "
# information to the web-server. This
# can be a problem if the OCSP
# Responder is running as a vhost.
#
url = "http://127.0.0.1/ocsp/"
#
# If the OCSP Responder can not cope with nonce
# in the request, then it can be disabled here.
#
# For security reasons, disabling this option
# is not recommended as nonce protects against
# replay attacks.
#
# Note that Microsoft AD Certificate Services OCSP
# Responder does not enable nonce by default. It is
# more secure to enable nonce on the responder than
# to disable it in the query here.
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
#
# use_nonce = yes
#
# Number of seconds before giving up waiting
# for OCSP response. 0 uses system default.
#
# timeout = 0
#
# Normally an error in querying the OCSP
# responder (no response from server, server did
# not understand the request, etc) will result in
# a validation failure.
#
# To treat these errors as 'soft' failures and
# still accept the certificate, enable this
# option.
#
# Warning: this may enable clients with revoked
# certificates to connect if the OCSP responder
# is not available. Use with caution.
#
# softfail = no
}
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = md5
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This has the same meaning as the
# same field in the "tls" module, above.
# The default value here is "yes".
# include_length = yes
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
#
# If is still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
#
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.
#
# send_error = no
}
}
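Review bot: `private_key_password = c3d2` in the `tls` section (directly below `cadir = ${confdir}/certs`) stores the server key passphrase in cleartext in a committed config file, and since the key file `${certdir}/server.key` named on the next line is presumably deployed alongside it, the passphrase protects nothing that the repository's access control does not already protect. Either drop the passphrase and rely on restrictive permissions on the unencrypted key, or keep it out of version control and have the deployment supply it; until then a comment such as `# passphrase is committed in cleartext -- move out of version control` next to that line would make the exposure visible. The comment above `dh_file = ${certdir}/dh` documents `openssl dhparam -out certs/dh 1024`; 1024-bit DH parameters are weak by current standards, so the size of the generated file should be checked and the comment updated to 2048 or larger. `CA_file = ${cadir}/ca.pem` together with `cipher_list = "DEFAULT"` keeps EAP-TLS client-certificate authentication available to every certificate chaining to that CA, which is only acceptable if `ca.pem` is a site-local CA as the warning above `tls {` says, so a comment next to `CA_file` naming which CA is meant would help the next maintainer.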


@ -0,0 +1,450 @@
#
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but should have no real effect as long
# it is not referencened in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
dbm {
usersfile = ${confdir}/users_db
}
#
# Perform NT-Domain authentication. This only works
# with PAP authentication. That is, Authentication-Request
# packets containing a User-Password attribute.
#
# To use it, add 'smb' into the 'authenticate' section,
# and then in another module (usually the 'users' file),
# set 'Auth-Type := SMB'
#
# WARNING: this module is not only experimental, it's also
# a security threat. It's not recommended to use it until
# it gets fixed.
#
smb {
server = ntdomain.server.example.com
backup = backup.server.example.com
domain = NTDOMAIN
}
# See doc/rlm_fastusers before using this
# module or changing these values.
#
fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
compat = no
# Reload the hash every 600 seconds (10mins)
hash_reload = 600
}
# Caching module
#
# Should be added in the post-auth section (after all other modules)
# and in the authorize section (before any other modules)
#
# authorize {
# caching {
# ok = return
# }
# [... other modules ...]
# }
# post-auth {
# [... other modules ...]
# caching
# }
#
# The caching module will cache the Auth-Type and reply items
# and send them back on any subsequent requests for the same key
#
# Configuration:
#
# filename: The gdbm file to use for the cache database
# (can be memory mapped for more speed)
#
# key: A string to xlat and use as a key. For instance,
# "%{Acct-Unique-Session-Id}"
#
# post-auth: If we find a cached entry, set the post-auth to that value
#
# cache-ttl: The time to cache the entry. The same time format
# as the counter module apply here.
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed.
# e.g. 1d == one day
#
# cache-size: The gdbm cache size to request (default 1000)
#
# hit-ratio: If set to non-zero we print out statistical
# information after so many cache requests
#
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
#
caching {
filename = ${db_dir}/db.cache
cache-ttl = 1d
hit-ratio = 1000
key = "%{Acct-Unique-Session-Id}"
#post-auth = ""
# cache-size = 2000
# cache-rejects = yes
}
# Simple module for logging of Account packets to radiusd.log
# You need to declare it in the accounting section for it to work
acctlog {
acctlog_update = ""
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
}
# Another implementation of the EAP module.
#
# This module requires the libeap.so file from the hostap
# software (http://hostap.epitest.fi/hostapd/). It has been
# tested on the development version of hostapd (0.6.1) ONLY.
#
# In order to use it, you MUST build a "libeap.so" in hostapd,
# which is not done by default.
#
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
# to point to the location of the hostap include files.
#
# This module CANNOT be used in the same way as the current
# FreeRADIUS "eap" module. There is NO way to look inside of
# a tunneled request. There is NO way to proxy a tunneled
# request. There is NO way to even look at the user name inside
# of the tunneled request. There is NO way to control the
# choice of EAP types inside of the tunnel. You MUST force
# the server to choose "eap2" for authentication, because this
# module has no "authorize" section.
#
# If you want to use this module for experimentation, please
# post your comments to the freeradius-devel list:
#
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
#
# If you want to use this module in a production (i.e. real-world)
# environment:
#
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
#
# The module needs additional work to make it ready for
# production use.. Please supply patches, or sponsor the
# work by hiring a developer. Do NOT ask when the work will
# be done, because there is no plan to finish this module
# unless there is demand for it.
#
eap2 {
# EAP types are chosen in the order that they are
# listed in this section. There is no "default_eap_type"
# as with rlm_eap. Instead, the *first* EAP type is
# used as the default type.
#
peap {
}
ttls {
}
# This is the ONLY EAP type that has any configuration.
# All other EAP types have no configuration.
#
tls {
ca_cert = ${confdir}/certs/ca.pem
server_cert = ${confdir}/certs/server.pem
private_key_file = ${confdir}/certs/server.pem
private_key_password = whatever
}
#
# These next two methods do not supply keying material.
#
md5 {
}
mschapv2 {
}
fast {
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
eap_fast_a_id = xxxxxx
eap_fast_a_id_info = my_server
eap_fast_prov = 3
pac_key_lifetime = 604800 # 7 days
pac_key_refresh_tim = 86400
}
# LEAP is NOT supported by this module.
# Use the "eap" module instead.
# For other methods that MIGHT work, see the
# configuration of hostap. The methods are statically
# linked in at compile time, and cannot be controlled
# here.
}
# Configuration for experimental EAP types. The sub-sections
# can be copied into eap.conf.
eap {
ikev2 {
# Server auth type
# Allowed values are:
# cert - for certificate based server authentication,
# other required settings for this type are
# 'private_key_file' and 'certificate_file'
# secret - for shared secret based server authentication,
# other required settings for this type is 'id'
# Default value of this option is 'secret'
# server_authtype=cert
# Allowed default client auth types
# Allowed values are:
# secret - for shared secret based client authentication
# cert - for certificate based client authentication
# both - shared secret and certificate is allowed
# none - authentication will always fail
# Default value for this option is 'both'. This option could
# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
# option.
# default_authtype = both
# path to trusted CA certificate file
CA_file="/path/to/CA/cacert.pem"
# path to CRL file, if not set, then there will be no
# checks against CRL
# crl_file="/path/to/crl.pem"
# path to file with user settings
#
# Note that this file is read ONLY on module initialization!
#
# default ${confdir}/eap_ikev2_users
# usersfile=${confdir}/eap_ikev2_users
#
# Sample "eap_ikev2_users" file entry:
#
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
## where:
## username - client user name from IKE-AUTH (IDr) or CommonName
## from x509 certificate
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
## allowable attributes for EAP-IKEv2-IDType:
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
## DER_ASN1_GN KEY_ID
## EAP-IKEv2-Secret - shared secret
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
## type. Allowed values are: secret,cert,both,none.
## For the meaning of this values, please see the
## description of 'default_authtype'.
## This attribute can overwrite 'default_authtype' value.
# path to file with server private key
private_key_file="/path/to/srv-private-key.pem"
# password to private key file
private_key_password="passwd"
# path to file with server certificate
certificate_file="/path/to/srv-cert.pem"
# server identity string
id="deMaio"
# Server identity type. Allowed values are:
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
# KEY_ID
# Default value is: KEY_ID
# id_type = KEY_ID
# MTU (default: 1398)
# fragment_size = 1398
# maximal allowed number of resends SA_INIT after receiving
# 'invalid KEY' notification (default 3)
# DH_counter_max = 3
# option which is used to control whenever send CERT REQ
# payload or not.
# Allowed values for this option are "yes" or "no".
#Default value is "no".
# certreq = "yes"
# option which cotrols fast reconnect capability.
# Allowed valuse for this option are "yes" or "no".
# Default value is "yes".
# enable_fast_reauth = "no"
# option which is used to control performing of DH exchange
# during fast rekeying protocol run.
# Allowed values for this option are "yes" or "no".
# Default value is "no"
# fast_DH_exchange = "yes"
# Option which is used to set up expiration time of inactive
# IKEv2 session.
# After selected period of time (in seconds), inactive
# session data will be deleted.
# Default value of this option is set to 900 seconds
# fast_timer_expire = 900
# list of server proposals of available cryptographic
# suites
proposals {
# proposal number #1
proposal {
# Supported transforms types: encryption,
# prf, integrity, dhgroup. For multiple
# transforms just simple repeat key (i.e.
# integity).
# encryption algorithm
# supported algorithms:
# null,3des,aes_128_cbc,aes_192_cbc,
# aes_256_cbc,idea
# blowfish:n, where n range from 8 to 448 bits,
# step 8 bits
# cast:n, where n range from 40 to 128 bits,
# step 8 bits
encryption = 3des
# pseudo random function. Supported prf's:
# hmac_md5, hmac_sha1, hmac_tiger
prf = hmac_sha1
# integrity algorithm. Supported algorithms:
# hmac_md5_96, hmac_sha1_96,des_mac
integrity = hmac_sha1_96
integrity = hmac_md5_96
# Diffie-Hellman groups:
# modp768, modp1024, modp1536, modp2048,
# modp3072, modp4096, modp6144, modp8192
dhgroup = modp2048
}
# proposal number #2
proposal {
encryption = 3des
prf = hmac_md5
integrity = hmac_md5_96
dhgroup = modp1024
}
# proposal number #3
proposal {
encryption=3des
prf=hmac_md5
integrity=hmac_md5_96
dhgroup=modp2048
}
}
}
}


@ -0,0 +1,77 @@
# hints
#
# The hints file. This file is used to match
# a request, and then add attributes to it. This
# process allows a user to login as "bob.ppp" (for example),
# and receive a PPP connection, even if the NAS doesn't
# ask for PPP. The "hints" file is used to match the
# ".ppp" portion of the username, and to add a set of
# "user requested PPP" attributes to the request.
#
# Matching can take place with the the Prefix and Suffix
# attributes, just like in the "users" file.
# These attributes operate ONLY on the username, though.
#
# Note that the attributes that are set for each
# entry are _NOT_ passed back to the terminal server.
# Instead they are added to the information that has
# been _SENT_ by the terminal server.
#
# This extra information can be used in the users file to
# match on. Usually this is done in the DEFAULT entries,
# of which there can be more than one.
#
# In addition a matching entry can transform a username
# for authentication purposes if the "Strip-User-Name"
# variable is set to Yes in an entry (default is Yes).
#
# A special non-protocol name-value pair called "Hint"
# can be set to match on in the "users" file.
#
# The following is how most ISPs want to set this up.
#
# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
#
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
Hint = "PPP",
Service-Type = Framed-User,
Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
Hint = "SLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
Hint = "CSLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
######################################################################
#
# These entries are old, and commented out by default.
# They confuse too many people when "Peter" logs in, and the
# server thinks that the user "eter" is asking for PPP.
#
#DEFAULT Prefix == "U", Strip-User-Name = No
# Hint = "UUCP"
#DEFAULT Prefix == "P", Strip-User-Name = Yes
# Hint = "PPP",
# Service-Type = Framed-User,
# Framed-Protocol = PPP
#DEFAULT Prefix == "S", Strip-User-Name = Yes
# Hint = "SLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP
#DEFAULT Prefix == "C", Strip-User-Name = Yes
# Hint = "CSLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP,
# Framed-Compression = Van-Jacobson-TCP-IP


@ -0,0 +1,46 @@
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
# the NAS and possibly a port range. Port can be identified
# as just one port, or a range (from-to), and multiple ports
# or ranges of ports must be seperated by a comma. For
# example: 1,2,3-8
#
# Matching is done while RADIUS scans the user file; if it
# includes the selection criterium "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
#
# This file can also be used to define restricted access
# to certain huntgroups. The second and following lines
# define the access restrictions (based on username and
# UNIX usergroup) for the huntgroup.
#
#
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
# called Alphen that matches on all three terminal servers.
#
#alphen NAS-IP-Address == 192.168.2.5
#alphen NAS-IP-Address == 192.168.2.6
#alphen NAS-IP-Address == 192.168.2.7
#
# The POP in Delft consists of only one terminal server.
#
#delft NAS-IP-Address == 192.168.3.5
#
# Ports 0-7 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
# User-Name = rogerl,
# User-Name = henks,
# Group = business,
# Group = staff


@ -0,0 +1,76 @@
#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
# ItemType RADIUS-Attribute-Name ldapAttributeName [operator]
#
# Where:
# ItemType = checkItem or replyItem
# RADIUS-Attribute-Name = attribute name in RADIUS dictionary
# ldapAttributeName = attribute name in LDAP schema
# operator = optional, and may not be present.
# If not present, defaults to "==" for checkItems,
# and "=" for replyItems.
# If present, the operator here should be one
# of the same operators as defined in the "users"3
# file ("man users", or "man 5 users").
# If an operator is present in the value of the
# LDAP entry (i.e. ":=foo"), then it over-rides
# both the default, and any operator given here.
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem Auth-Type radiusAuthType
checkItem Simultaneous-Use radiusSimultaneousUse
checkItem Called-Station-Id radiusCalledStationId
checkItem Calling-Station-Id radiusCallingStationId
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword
checkItem LM-Password dBCSPwd
checkitem Password-With-Header userPassword
checkItem SMB-Account-CTRL-TEXT acctFlags
checkItem Expiration radiusExpiration
checkItem NAS-IP-Address radiusNASIpAddress
replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute
replyItem Framed-Routing radiusFramedRouting
replyItem Filter-Id radiusFilterId
replyItem Framed-MTU radiusFramedMTU
replyItem Framed-Compression radiusFramedCompression
replyItem Login-IP-Host radiusLoginIPHost
replyItem Login-Service radiusLoginService
replyItem Login-TCP-Port radiusLoginTCPPort
replyItem Callback-Number radiusCallbackNumber
replyItem Callback-Id radiusCallbackId
replyItem Framed-IPX-Network radiusFramedIPXNetwork
replyItem Class radiusClass
replyItem Session-Timeout radiusSessionTimeout
replyItem Idle-Timeout radiusIdleTimeout
replyItem Termination-Action radiusTerminationAction
replyItem Login-LAT-Service radiusLoginLATService
replyItem Login-LAT-Node radiusLoginLATNode
replyItem Login-LAT-Group radiusLoginLATGroup
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
replyItem Port-Limit radiusPortLimit
replyItem Login-LAT-Port radiusLoginLATPort
replyItem Reply-Message radiusReplyMessage
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
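Review bot: The ItemType on the `Password-With-Header userPassword` line is spelled `checkitem` while every other line in the file uses `checkItem`; if rlm_ldap compares the ItemType case-sensitively this is the one mapping that would be dropped, and it is the one that carries the user's password out of LDAP, so it is worth confirming against the parser or the upstream copy of this file. The comment above it also reads `"users"3` where `"users"` is meant. Whether any virtual server in this commit actually lists `ldap` is not visible in this section.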


@ -0,0 +1,17 @@
# -*- text -*-
#
# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}


@ -0,0 +1,31 @@
# -*- text -*-
#
# $Id: c28187f05d4f0416442203b016feb7e2b818716f $
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}


@ -0,0 +1,48 @@
# -*- text -*-
#
# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}


@ -0,0 +1,46 @@
# -*- text -*-
#
# $Id: 8fb93224288061781980a156d541f5283abee1a0 $
# rewrite arbitrary packets. Useful in accounting and authorization.
#
# As of 2.0, much of the functionality of this module is in "unlang".
# You should probably investigate using that before trying to use
# the "attr_rewrite" module.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy,
# proxy_reply or config).
#
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported.
# %{0} will contain the string the whole match
# %{1} to %{8} will contain the contents of the 1st to
# the 8th parentheses
#
# If max_matches is greater than one, the backreferences will
# correspond to the first attributed that matched.
#
attr_rewrite sanecallerid {
attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
searchin = packet
searchfor = "[+ ]"
replacewith = ""
ignore_case = no
new_attribute = no
max_matches = 10
## If set to yes then the replace string will be
## appended to the original string
append = no
}


@ -0,0 +1,77 @@
# -*- text -*-
#
# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $
#
# A module to cache attributes. The idea is that you can look
# up information in a database, and then cache it. Repeated
# requests for the same information will then have the cached
# values added to the request.
#
# The module can cache a fixed set of attributes per key.
# It can be listed in "authorize", "post-auth", "pre-proxy"
# and "post-proxy".
#
# If you want different things cached for authorize and post-auth,
# you will need to define two instances of the "cache" module.
#
# The module returns "ok" if it found a cache entry.
# The module returns "updated" if it added a new cache entry.
# The module returns "noop" if it did nothing.
#
cache {
# The key used to index the cache. It is dynamically expanded
# at run time.
key = "%{User-Name}"
# The TTL of cache entries, in seconds. Entries older than this
# will be expired.
#
# You can set the TTL per cache entry, but adding a control
# variable "Cache-TTL". The value there will over-ride this one.
# Setting a Cache-TTL of 0 means "delete this entry".
#
# This value should be between 10 and 86400.
ttl = 10
# A timestamp used to flush the cache, via
#
# radmin -e "set module config cache epoch 123456789"
#
# Where last value is a 32-bit Unix timestamp. Cache entries
# older than this are expired, and new entries added.
#
# You should ALWAYS leave it as "epoch = 0" here.
epoch = 0
# The module can also operate in status-only mode where it will
# not add new cache entries, or merge existing ones.
#
# To enable set the control variable "Cache-Status-Only" to "yes"
# The module will return "ok" if it found a cache entry.
# The module will return "notfound" if it failed to find a cache entry,
# or the entry had expired.
#
# Note: expired entries will still be removed.
# If yes the following attributes will be added to the request list:
# * Cache-Entry-Hits - The number of times this entry has been
# retrieved.
add-stats = no
# The list of attributes to cache for a particular key.
# Each key gets the same set of cached attributes.
# The attributes are dynamically expanded at run time.
#
# You can specify which list the attribute goes into by
# prefixing the attribute name with the list. This allows
# you to update multiple lists with one configuration.
#
# If no list is specified the request list will be updated.
update {
# list:Attr-Name
reply:Reply-Message += "I'm the cached reply from %t"
control:Class := 0x010203
}
}


@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
# no configuration
}


@ -0,0 +1,44 @@
# -*- text -*-
#
# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $
# A simple value checking module
#
# As of 2.0, much of the functionality of this module is in "unlang".
# You should probably investigate using that before trying to use
# the "checkval" module.
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}


@ -0,0 +1,82 @@
# -*- text -*-
#
# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add
# the value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply-name is
# set, we send back that attribute. The reply-name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $
#
# Write Chargeable-User-Identity to the database.
#
# Schema raddb/sql/mysql/cui.sql
# Queries raddb/sql/mysql/cui.conf
#
sql cui {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "db_login_name"
password = "db_password"
radius_db = "db_name"
# sqltrace = yes
# sqltracefile = ${logdir}/cuitrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
cui_table = "cui"
sql_user_name = "%{User-Name}"
#$INCLUDE sql/${database}/cui.conf
}
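Review bot: `login = "db_login_name"` and `password = "db_password"` are placeholder database credentials in a tracked file; if the `cui` sql instance is ever listed in a virtual server these are the values the server connects with, and replacing them in place would commit the real credential. Keep the tracked file as the placeholder and supply the real login through the repository's secret handling, or drop this module file if Chargeable-User-Identity is not used by the EAP setup. The `#$INCLUDE sql/${database}/cui.conf` line is also still commented out, so the instance has no queries and is effectively inert as written, which is presumably intended but worth stating in a comment.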


@ -0,0 +1,93 @@
# -*- text -*-
#
# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
#
# If you are using radrelay, delete the above line for "detailfile",
# and use this one instead:
#
# detailfile = ${radacctdir}/detail
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = freerad
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customized by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}


@ -0,0 +1,27 @@
# -*- text -*-
#
# Detail file writer, used in the following examples:
#
# raddb/sites-available/robust-proxy-accounting
# raddb/sites-available/decoupled-accounting
#
# Note that this module can write detail files that are read by
# only ONE "listen" section. If you use BOTH of the examples
# above, you will need to define TWO "detail" modules.
#
# e.g. detail1.example.com && detail2.example.com
#
#
# We write *multiple* detail files here. They will be processed by
# the detail "listen" section in the order that they were created.
# The directory containing these files should NOT be used for any
# other purposes. i.e. It should have NO other files in it.
#
# Writing multiple detail enables the server to process the pieces
# in smaller chunks. This helps in certain catastrophic corner cases.
#
# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
#
detail detail.example.com {
detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
}


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
}
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
detailperm = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
detailperm = 0600
}
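Review bot: `pre_proxy_log` keeps its `suppress { User-Password }` block commented out (the three `#suppress` lines at the end of that instance), so if this instance is listed in a `pre-proxy` section, any proxied Access-Request carrying a clear-text User-Password is written to the pre-proxy detail file in full. `auth_log` in the same file does suppress it; uncommenting those three lines makes `pre_proxy_log` consistent at no cost. `detailperm = 0600` limits who can read the files but does not keep the value off disk. Whether any of these four instances is actually referenced by a virtual server is not visible in this section.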


@ -0,0 +1,33 @@
## Configuration for DHCP to use SQL IP Pools.
##
## See sqlippool.conf for common configuration explanation
##
## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
sqlippool dhcp_sqlippool {
sql-instance-name = "sql"
ippool_table = "radippool"
lease-duration = 7200
# Client's MAC address is mapped to Calling-Station-Id in policy.conf
pool-key = "%{Calling-Station-Id}"
# For now, it only works with MySQL.
# This line is commented by default to enable clean startup when you
# don't have freeradius-mysql installed. Uncomment this line if you
# use this module.
#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}


@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}


@ -0,0 +1,32 @@
# -*- text -*-
#
# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
# This module loads RADIUS clients as needed, rather than when the server
# starts.
#
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
# 1) link raddb/sites-enabled/dyanmic_clients to
# raddb/sites-available/dyanmic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# 3) uncomment the "directory" entry in that client definition
#
# 4) list "dynamic_clients" in the "authorize" section of the
# "dynamic_clients' virtual server. The default example already
# does this.
#
# 5) put files into the above directory, one per IP.
# e.g. file "192.168.1.1" should contain a normal client definition
# for a client with IP address 192.168.1.1.
#
# For more documentation, see the file:
#
# raddb/sites-available/dynamic-clients
#
dynamic_clients {
}


@ -0,0 +1,123 @@
# -*- text -*-
#
# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}


@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
# attribute for every group that the user is member of.
#
# You will have to define the Etc-Group-Name in the 'dictionary' file
# as a 'string' type.
#
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means that you CANNOT use Group or Group-Name to do any other
# kind of grouping in the server. You MUST define a new group
# attribute.
#
# i.e. this module should NOT be used as-is, but should be edited to
# point to a different group file.
#
passwd etc_group {
filename = /etc/group
format = "=Etc-Group-Name:::*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}


@ -0,0 +1,30 @@
# -*- text -*-
#
# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in "man unlang" and in doc/variables.txt
#
# See also "echo" for more sample configuration.
#
exec {
wait = no
input_pairs = request
shell_escape = yes
output = none
timeout = 10
}


@ -0,0 +1,19 @@
# -*- text -*-
#
# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
#
# The Reply-Message which will be sent back in case the
# account has expired. Dynamic substitution is supported
#
reply-message = "Password Has Expired\r\n"
#reply-message = "Your account has expired, %{User-Name}\r\n"
}


@ -0,0 +1,20 @@
# -*- text -*-
#
# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'expr' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The module also registers a few paircompare functions
expr {
}


@ -0,0 +1,46 @@
# -*- text -*-
#
# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $
# Livingston-style 'users' file
#
files {
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# An example which defines a second instance of the "files" module.
# This instance is named "second_files". In order for it to be used
# in a virtual server, it needs to be listed as "second_files"
# inside of the "authorize" section (or other section). If you just
# list "files", that will refer to the configuration defined above.
#
# The two names here mean:
# "files" - this is a configuration for the "rlm_files" module
# "second_files" - this is a named configuration, which isn't
# the default configuration.
files second_files {
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
# The names here don't matter. They just need to be different
# from the names for the "files" configuration above. If they
# are the same, then this configuration will end up being the
# same as the one above.
usersfile = ${confdir}/second_users
acctusersfile = ${confdir}/second_acct_users
preproxy_usersfile = ${confdir}/second_preproxy_users
}


@ -0,0 +1,161 @@
# -*- text -*-
#
# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
#
# Sample configuration for an EAP module that occurs *inside*
# of a tunneled method. It is used to limit the EAP types that
# can occur inside of the inner tunnel.
#
# See also raddb/sites-available/inner-tunnel
#
# To use this module, edit raddb/sites-available/inner-tunnel, and
# replace the references to "eap" with "inner-eap".
#
# See raddb/eap.conf for full documentation on the meaning of the
# configuration entries here.
#
eap inner-eap {
# This is the best choice for PEAP.
default_eap_type = mschapv2
timer_expire = 60
# This should be the same as the outer eap "max sessions"
max_sessions = 2048
# Supported EAP-types
md5 {
}
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
auth_type = PAP
}
mschapv2 {
}
# No TTLS or PEAP configuration should be listed here.
## EAP-TLS
#
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
#
tls {
#
# These is used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path = /path/to/directory/with/ca_certs/and/crls/
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# The session resumption / fast reauthentication
# cache CANNOT be used for inner sessions.
#
}
}
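Review bot: The inner-eap tls block is committed with the stock placeholder `private_key_password = whatever` and the permissive `cipher_list = "DEFAULT"`, and `check_crl` is left commented out. If this file is the container's live configuration rather than an untouched vendored default, the key password should come from the repository's secrets mechanism instead of being committed in plain text, and the cipher list should be narrowed (a constructed example would be `cipher_list = "HIGH:!aNULL:!MD5"`). The file's own header says the inner tunnel SHOULD use different certificates than the outer EAP configuration, yet certdir and cadir both point at `${confdir}/certs`; whether that is shared with the outer config cannot be seen from this section, so it is worth confirming.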


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {
# range-start,range-stop:
# The start and end ip addresses for this pool.
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask:
# The network mask used for this pool.
netmask = 255.255.255.0
# cache-size:
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache-size = 800
# session-db:
# The main db file used to allocate addresses.
session-db = ${db_dir}/db.ippool
# ip-index:
# Helper db index file used in multilink
ip-index = ${db_dir}/db.ipindex
# override:
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# with a Framed-IP-Address assigned here.
override = no
# maximum-timeout:
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum-timeout = 0
# key:
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
#key = "%{NAS-IP-Address} %{NAS-Port}"
}


@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
#
# Kerberos. See doc/rlm_krb5 for minimal docs.
#
krb5 {
keytab = /path/to/keytab
service_principal = name_of_principle
}


@ -0,0 +1,197 @@
# -*- text -*-
#
# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "ldap.your.domain"
#identity = "cn=admin,o=My Org,c=UA"
#password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# How many times the connection can be used before
# being re-established. This is useful for things
# like load balancers, which may exhibit sticky
# behaviour without it. (0) is unlimited.
max_uses = 0
# Port to connect on, defaults to 389. Setting this to
# 636 will enable LDAPS if start_tls (see below) is not
# able to be used.
#port = 389
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
#
# Keepalive configuration. This MAY NOT be supported by your
# LDAP library. If these configuration entries appear in the
# output of "radiusd -X", then they are supported. Otherwise,
# they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}
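Review bot: The ldap block has `start_tls = no` and leaves `require_cert` commented, which per the comment above it defaults to "allow", so if this module were ever enabled the bind identity and password (also committed as placeholders `#identity`/`#password = mypass`) and the user lookups would cross the network unencrypted and without certificate verification. The placeholder `server = "ldap.your.domain"` suggests the module is unused in this deployment, which is presumably why it was left as shipped; if it is enabled later, `start_tls = yes` and `require_cert = "demand"` should be set together and the bind password sourced from secrets rather than this file.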


@ -0,0 +1,105 @@
# -*- text -*-
#
# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
#
# The "linelog" module will log one line of text to a file.
# Both the filename and the line of text are dynamically expanded.
#
# We STRONGLY suggest that you do not use data from the
# packet as part of the filename.
#
linelog {
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = ${logdir}/linelog
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = 0600
#
# The Unix group of the log file.
#
# The user that freeradius runs as must be in the specified
# group, otherwise it will not be possible to set the group.
#
# group = freerad
#
# If logging via syslog, the facility can be set here. Otherwise
# the syslog_facility option in radiusd.conf will be used.
#
# syslog_facility = daemon
#
# The default format string.
format = "This is a log message for %{User-Name}"
#
# This next line can be omitted. If it is omitted, then
# the log message is static, and is always given by "format",
# above.
#
# If it is defined, then the string is dynamically expanded,
# and the result is used to find another configuration entry
# here, with the given name. That name is then used as the
# format string.
#
# If the configuration entry cannot be found, then no log
# message is printed.
#
# i.e. You can have many log messages in one "linelog" module.
# If this two-step expansion did not exist, you would have
# needed to configure one "linelog" module for each log message.
#
# Reference the Packet-Type (Access-Request, etc.) If it doesn't
# exist, reference the "format" entry, above.
reference = "%{%{Packet-Type}:-format}"
#
# Followed by a series of log messages.
Access-Request = "Requested access: %{User-Name}"
Access-Reject = "Rejected access: %{User-Name}"
Access-Challenge = "Sent challenge: %{User-Name}"
#
# The log messages can be grouped into sections and
# sub-sections, too. The "reference" item needs to have a "."
# for every section. e.g. reference = foo.bar will reference
# the "foo" section, "bar" configuration item.
#
#
# Used if: reference = "foo.bar".
foo {
bar = "Example log. Please ignore"
}
#
# Another example:
# reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
#
Accounting-Request {
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
# Don't log anything for these packets.
Alive = ""
Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
# don't log anything for other Acct-Status-Types.
unknown = ""
}
}


@ -0,0 +1,31 @@
# -*- text -*-
#
# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has bene permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
#
# The Reply-Message which will be sent back in case
# the account is calling outside of the allowed
# timespan. Dynamic substitution is supported.
#
reply-message = "You are calling outside your allowed timespan\r\n"
#reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the logon. Some NASes do not handle values
# lower than 60 seconds well.
minimum-timeout = 60
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
######################################################################
#
# This next section is a sample configuration for the "passwd"
# module, that reads flat-text files.
#
# The file is in the format <mac>,<ip>
#
# 00:01:02:03:04:05,192.168.1.100
# 01:01:02:03:04:05,192.168.1.101
# 02:01:02:03:04:05,192.168.1.102
#
# This lets you perform simple static IP assignments from a flat-text
# file. You will have to define lease times yourself.
#
######################################################################
passwd mac2ip {
filename = ${confdir}/mac2ip
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}


@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
# A simple file to map a MAC address to a VLAN.
#
# The file should be in the format MAC,VLAN
# the VLAN name cannot have spaces in it, for example:
#
# 00:01:02:03:04:05,VLAN1
# 03:04:05:06:07:08,VLAN2
# ...
#
passwd mac2vlan {
filename = ${confdir}/mac2vlan
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}


@ -0,0 +1,87 @@
# -*- text -*-
#
# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
# use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
#
# require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
# require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
# with_ntdomain_hack = no
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request. If there is a cleartext
# or NT hashed password available, you can set
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the User-Name
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
# The default is to wait 10 seconds for ntlm_auth to
# complete. This is a long time, and if it's taking that
# long then you likely have other problems in your domain.
# The length of time can be decreased with the following
# option, which can save clients waiting if your ntlm_auth
# usually finishes quicker. Range 1 to 10 seconds.
#
# ntlm_auth_timeout = 10
# For Apple Server, when running on the same machine as
# Open Directory. It has no effect on other systems.
#
# use_open_directory = yes
# On failure, set (or not) the MS-CHAP error code saying
# "retries allowed".
# allow_retry = yes
# An optional retry message.
# retry_msg = "Re-enter (or reset) the password"
}


@ -0,0 +1,12 @@
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
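Review bot: The `program` line passes `--password=%{User-Password}` on the helper's command line, which exposes the user's cleartext password in the process argument list to any local user for as long as the helper runs. The `/path/to/ntlm_auth` placeholder indicates this exec instance is not active, so this is only a concern if it is wired into a virtual server later; in that case the challenge/response form already present in the mschap module's commented `ntlm_auth` line (which passes `--challenge` and `--nt-response` instead of the password) is the safer option. A one-line comment such as `# do not enable: puts the cleartext password on the command line` would make that explicit for the next maintainer.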


@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
# This module is only used when the server is running on the same
# system as OpenDirectory. The configuration of the module is hard-coded
# by Apple, and cannot be changed here.
#
# There are no configuration entries for this module.
#
opendirectory {
}


@ -0,0 +1,78 @@
#
# Configuration for the OTP module.
#
# This module allows you to use various handheld OTP tokens
# for authentication (Auth-Type := otp). These tokens are
# available from various vendors.
#
# It works in conjunction with otpd, which implements token
# management and OTP verification functions; and lsmd or gsmd,
# which implements synchronous state management functions.
# otpd, lsmd and gsmd are available from TRI-D Systems:
# <http://www.tri-dsystems.com/>
# You must list this module in BOTH the authorize and authenticate
# sections in order to use it.
otp {
# otpd rendezvous point.
# (default: /var/run/otpd/socket)
#otpd_rp = /var/run/otpd/socket
# Text to use for the challenge. The '%' character is
# disallowed, except that you MUST have a single "%s"
# sequence in the string; the challenge itself is
# inserted there. (default "Challenge: %s\n Response: ")
#challenge_prompt = "Challenge: %s\n Response: "
# Length of the challenge. Most tokens probably support a
# max of 8 digits. (range: 5-32 digits, default 6)
#challenge_length = 6
# Maximum time, in seconds, that a challenge is valid.
# (The user must respond to a challenge within this time.)
# It is also the minimal time between consecutive async mode
# authentications, a necessary restriction due to an inherent
# weakness of the RADIUS protocol which allows replay attacks.
# (default: 30)
#challenge_delay = 30
# Whether or not to allow asynchronous ("pure" challenge/
# response) mode authentication. Since sync mode is much more
# usable, and all reasonable tokens support it, the typical
# use of async mode is to allow resync of event based tokens.
# But because of the vulnerability of async mode with some tokens,
# you probably want to disable this and require that out-of-sync
# users resync from specifically secured terminals.
# See the otpd docs for more info.
# (default: no)
#allow_async = no
# Whether or not to allow synchronous mode authentication.
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
# that if your OTP users can authenticate to multiple RADIUS
# servers, this must be "yes" for the primary/default server,
# and "no" for the others. This is because lsmd does not
# share state information across multiple servers. Using "yes"
# on all your RADIUS servers would allow replay attacks!
# Also, for event based tokens, the user will be out of sync
# on the "other" servers. In order to use "yes" on all your
# servers, you must either use gsmd, which synchronizes state
# globally, or implement your own state synchronization method.
# (default: yes)
#allow_sync = yes
# If both allow_async and allow_sync are "yes", a challenge is
# always presented to the user. This is incompatible with NAS's
# that can't present or don't handle Access-Challenge's, e.g.
# PPTP servers. Even though a challenge is presented, the user
# can still enter their synchronous passcode.
# The following are MPPE settings. Note that MS-CHAP (v1) is
# strongly discouraged. All possible values are listed as
# {value = meaning}. Default values are first.
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschap_mppe_bits = {2 = 128}
}


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}


@ -0,0 +1,22 @@
# -*- text -*-
#
# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
# The "auto_header" configuration item can be set to "yes".
# In this case, the module will look inside of the User-Password
# attribute for the headers {crypt}, {clear}, etc., and will
# automatically create the attribute on the right-hand side,
# with the correct value. It will also automatically handle
# Base-64 encoded data, hex strings, and binary data.
#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
auto_header = no
}


@ -0,0 +1,55 @@
# -*- text -*-
#
# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these files.
#
# See the "smbpasswd" and "etc_group" files for more examples.
#
# parameters are:
# filename - path to filename
#
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is a key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
# of default configure_itmes
#
# Attributes marked as '~' are added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
#
# hashsize - hashtable size. Setting it to 0 is no longer permitted
# A future version of the server will have the module
# automatically determine the hash size. Having it set
# manually should not be necessary.
#
# allowmultiplekeys - if many records for a key are allowed
#
# ignorenislike - ignore NIS-related records
#
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/passwd.
#
# This is an example which will NOT WORK if you have shadow passwords,
# NIS, etc. The "unix" module is normally responsible for reading
# system passwords. You should use it instead of this example.
#
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}


@ -0,0 +1,58 @@
# -*- text -*-
#
# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
# Persistent, embedded Perl interpreter.
#
perl {
#
# The Perl script to execute on authorize, authenticate,
# accounting, xlat, etc. This is very similar to using
# 'rlm_exec' module, but it is persistent, and therefore
# faster.
#
module = ${confdir}/example.pl
#
# The following hashes are given to the module and
# filled with value-pairs (Attribute names and values)
#
# %RAD_CHECK Check items
# %RAD_REQUEST Attributes from the request
# %RAD_REPLY Attributes for the reply
#
# The return codes from functions in the perl_script
# are passed directly back to the server. These
# codes are defined in doc/configurable_failover,
# src/include/modules.h (RLM_MODULE_REJECT, etc),
# and are pre-defined in the 'example.pl' program
# which is included.
#
#
# List of functions in the module to call.
# Uncomment and change if you want to use function
# names other than the defaults.
#
#func_authenticate = authenticate
#func_authorize = authorize
#func_preacct = preacct
#func_accounting = accounting
#func_checksimul = checksimul
#func_pre_proxy = pre_proxy
#func_post_proxy = post_proxy
#func_post_auth = post_auth
#func_recv_coa = recv_coa
#func_send_coa = send_coa
#func_xlat = xlat
#func_detach = detach
#
# Uncomment the following lines if you wish
# to use separate functions for Start and Stop
# accounting packets. In that case, the
# func_accounting function is not called.
#
#func_start_accounting = accounting_start
#func_stop_accounting = accounting_stop
}


@ -0,0 +1,21 @@
# -*- text -*-
#
# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
#
# Module implementing a DIFFERENT policy language.
# The syntax here is NOT "unlang", but something else.
#
# See the "raddb/policy.txt" file for documentation and examples.
# There isn't much else in the way of documentation, sorry.
#
policy {
# The only configuration item is a filename containing
# the policies to execute.
#
# When "policy" is listed in a section (e.g. "authorize"),
# it will run a policy named for that section.
#
filename = ${confdir}/policy.txt
}


@ -0,0 +1,58 @@
# -*- text -*-
#
# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $
# Write "detail" files which can be read by radrelay.
# This module should be used only by a server which receives
# Accounting-Request packets from the network.
#
# It should NOT be used in the radrelay.conf file.
#
# Use it by adding "radrelay" to the "accounting" section:
#
# accounting {
# ...
# radrelay
# ...
# }
#
detail radrelay {
detailfile = ${radacctdir}/detail
locking = yes
# The other directives from the main detail module
# can be used here, but they're not required.
}


@ -0,0 +1,53 @@
# -*- text -*-
#
# $Id: 3ad88cde616ce041f0dcc87858950daafdd3d336 $
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}


@ -0,0 +1,46 @@
# -*- text -*-
#
# $Id: 95d9f2b98de1b33346c6129aa7e88a901248cd4d $
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order that the modules are listed
# in the authorize and preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}


@ -0,0 +1,35 @@
# -*- text -*-
#
# $Id: d7605d9888607aa6451ab24450cebfd7bc9d4437 $
#
# Configuration file for the "redis" module. This module does nothing
# Other than provide connections to a redis database, and a %{redis: ...}
# expansion.
#
redis {
# Host where the redis server is located.
# We recommend using ONLY 127.0.0.1 !
hostname = 127.0.0.1
# The default port.
port = 6379
# The password used to authenticate to the server.
# We recommend using a strong password.
# password = thisisreallysecretandhardtoguess
# The number of connections to open to the database.
num_connections = 20
# If a connection fails, retry after this time.
connect_failure_retry_delay = 60
# Set the maximum lifetime for one connection.
# Use 0 for "lives forever"
lifetime = 86400
# Set the maximum queries used for one connection.
# Use 0 for "no limit"
max_queries = 0
}
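Review bot: `password` is left commented out, so the module opens unauthenticated connections to redis; that is only acceptable while `hostname = 127.0.0.1` stays as-is and the redis listener is not reachable from outside the container (the page does not show whether this module is instantiated in any virtual server). If authentication is later enabled, the value should come from the deployment's secrets handling rather than be pasted inline, and the sample `# password = thisisreallysecretandhardtoguess` line is best removed so it is never uncommented verbatim.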


@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: e16550c9991a5e76a77f349cfa5b82d5163f172e $
#
# Configuration file for the "rediswho" module.
#
rediswho {
# How many sessions to keep track of per user.
# If there are more than this number, older sessions are deleted.
trim-count = 15
# Expiry time in seconds. Any sessions which have not received
# an update in this time will be automatically expired.
expire-time = 86400
start-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
start-trim = "LTRIM %{User-Name} 0 ${trim-count}"
start-expire = "EXPIRE %{User-Name} ${expire-time}"
alive-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
alive-trim = "LTRIM %{User-Name} 0 ${trim-count}"
alive-expire = "EXPIRE %{User-Name} ${expire-time}"
stop-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
stop-trim = "LTRIM %{User-Name} 0 ${trim-count}"
stop-expire = "EXPIRE %{User-Name} ${expire-time}"
}
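Review bot: The redis key on every `start-insert`, `alive-insert` and `stop-insert` line is the bare `%{User-Name}` taken from the accounting packet, so a NAS (or anyone holding its shared secret) chooses which key gets written, trimmed and expired, with no namespace separating this module's data from anything else in the same redis database. Prefixing the key on all nine command strings, e.g. `LPUSH rediswho:%{User-Name} ...` together with the matching `LTRIM rediswho:%{User-Name} 0 ${trim-count}` and `EXPIRE rediswho:%{User-Name} ${expire-time}`, confines the writes to a known keyspace; whether the module additionally quotes the expanded value before sending it is not visible here and is worth confirming.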


@ -0,0 +1,40 @@
# Replicate packet(s) to a home server.
#
# This module will open a new socket for each packet, and "clone"
# the incoming packet to the destination realm (i.e. home server).
#
# Use it by setting "Replicate-To-Realm = name" in the control list,
# just like Proxy-To-Realm. The configurations for the two attributes
# are identical. The realm must exist, the home_server_pool must exist,
# and the home_server must exist.
#
# The only difference is that the "replicate" module sends requests
# and does not expect a reply. Any reply is ignored.
#
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
#
# To use this module, list "replicate" in the "authorize" or
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
# The contents of the "packet" attribute list will be sent to the
# home server. The usual load-balancing, etc. features of the home
# server will be used.
#
# "radmin" can be used to mark home servers alive/dead, in order to
# enable/disable replication to specific servers.
#
# Packets can be replicated to multiple destinations. Just set
# Replicate-To-Realm multiple times. One packet will be sent for
# each of the Replicate-To-Realm attribute in the "control" list.
#
# If no packets are sent, the module returns "noop". If at least one
# packet is sent, the module returns "ok". If an error occurs, the
# module returns "fail"
#
# Note that replication does NOT change any of the packet statistics.
# If you use "radmin" to look at the statistics for a home server,
# the replicated packets will cause NO counters to increment. This
# is not a bug, this is how replication works.
#
replicate {
}


@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: 74e64047302d7d8f575672617e8a213aaf5a32d3 $
# An example configuration for using /etc/smbpasswd.
#
# See the "passwd" file for documentation on the configuration items
# for this module.
#
passwd smbpasswd {
filename = /etc/smbpasswd
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}


@ -0,0 +1,50 @@
# -*- text -*-
#
# $Id: 0a339b4a1b9f1eafeb05992f2643497e802e2a49 $
# SMS One-time Password system.
#
# This module will extend FreeRadius with a socks interface to create and
# validate One-Time-Passwords. The program for that creates the socket
# and interacts with this module is not included here.
#
# The module does not check the User-Password, this should be done with
# the "pap" module. See the example below.
#
# The module must be used in the "authorize" section to set
# Auth-Type properly. The first time through, the module is called
# in the "authenticate" section to authenticate the user password, and
# to send the challenge. The second time through, it authenticates
# the response to the challenge. e.g.:
#
# authorize {
# ...
# smsotp
# ...
# }
#
# authenticate {
# ...
# Auth-Type smsotp {
# pap
# smsotp
# }
#
# Auth-Type smsotp-reply {
# smsotp
# }
# ...
# }
#
smsotp {
# The location of the socket.
socket = "/var/run/smsotp_socket"
# Defines the challenge message that will be send to the
# NAS. Default is "Enter Mobile PIN" }
challenge_message = "Enter Mobile PIN:"
# Defines the Auth-Type section that is run for the response to
# the challenge. Default is "smsotp-reply".
challenge_type = "smsotp-reply"
}


@ -0,0 +1,4 @@
# SoH module
soh {
dhcp = yes
}


@ -0,0 +1,92 @@
# -*- text -*-
#
# $Id: 3e6bf2104f74ffad8866eb69459a94f623601130 $
#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-"SELECT" statements.
#
# See rlm_sql_log(5) manpage.
#
# This same functionality could also be implemented by logging
# to a "detail" file, reading that, and then writing to SQL.
# See raddb/sites-available/buffered-sql for an example.
#
sql_log {
path = "${radacctdir}/sql-relay"
acct_table = "radacct"
postauth_table = "radpostauth"
sql_user_name = "%{%{User-Name}:-DEFAULT}"
#
# Setting this to "yes" will allow UTF-8 characters to be
# written to the log file. Otherwise, they are escaped
# as being potentially invalid.
#
utf8 = no
#
# The names here are taken from the Acct-Status-Type names.
# Just add another entry here for Accounting-On,
# Accounting-Off, etc.
#
Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '%S', '0', '0', '');"
Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
'%{Acct-Terminate-Cause}');"
Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
# The same as "Alive"
Interim-Update = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
AcctSessionTime, AcctTerminateCause) VALUES \
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
Post-Auth = "INSERT INTO ${postauth_table} \
(username, pass, reply, authdate) VALUES \
('%{User-Name}', '%{User-Password:-Chap-Password}', \
'%{reply:Packet-Type}', '%S');"
Accounting-On = "UPDATE ${acct_table} \
SET \
acctstoptime = '%S', \
acctsessiontime = unix_timestamp('%S') - \
unix_timestamp(acctstarttime), \
acctterminatecause = '%{Acct-Terminate-Cause}', \
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
WHERE acctstoptime IS NULL \
AND nasipaddress = '%{NAS-IP-Address}' \
AND acctstarttime <= '%S'""
Accounting-Off = "UPDATE ${acct_table} \
SET \
acctstoptime = '%S', \
acctsessiontime = unix_timestamp('%S') - \
unix_timestamp(acctstarttime), \
acctterminatecause = '%{Acct-Terminate-Cause}', \
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
WHERE acctstoptime IS NULL \
AND nasipaddress = '%{NAS-IP-Address}' \
AND acctstarttime <= '%S'""
}
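Review bot: The `Post-Auth` statement inserts `%{User-Password:-Chap-Password}` into the `pass` column, so if this module is listed in post-auth every cleartext PAP password (or CHAP response) is appended to `${radacctdir}/sql-relay` and later replayed into `radpostauth`; storing an empty value instead, `('%{User-Name}', '', \` on that line, keeps the audit row without persisting credentials. The `Accounting-On` and `Accounting-Off` strings end in `'%S'""`, a doubled closing quote that reads like a typo and should be checked with `radiusd -C` to see whether the parser accepts it. Since the relay file holds User-Name and NAS addresses for every packet, it should also get the same restrictive permissions as the detail files rather than the default umask.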


@ -0,0 +1,37 @@
# -*- text -*-
#
# $Id: c950169307009b088b2c31274f496ffe38e8a793 $
#
# Set an account to expire T seconds after first login.
# Requires the Expire-After attribute to be set, in seconds.
# You may need to edit raddb/dictionary to add the Expire-After
# attribute.
#
# This example is for MySQL. Other SQL variants should be similar.
#
# For versions prior to 2.1.11, this module defined the following
# expansion strings:
#
# %k key_name
# %S sqlmod_inst
#
# These SHOULD NOT be used. If these are used in your configuration,
# they should be replaced by the following strings, which will work
# identically to the previous ones:
#
# %k ${key}
# %S ${sqlmod-inst}
#
sqlcounter expire_on_login {
counter-name = Expire-After-Initial-Login
check-name = Expire-After
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
FROM radacct \
WHERE UserName='%{${key}}' \
ORDER BY acctstarttime \
LIMIT 1;"
}


@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: a7700bac6aaa93940c784f1b6df08b61eb77a1a3 $
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
# Unix /etc/passwd style authentication
#
# This module calls the system functions to get the "known good"
# password. This password is usually in the "crypt" form, and is
# incompatible with CHAP, MS-CHAP, PEAP, etc.
#
# If passwords are in /etc/shadow, you will need to set the "group"
# configuration in radiusd.conf. Look for "shadow", and follow the
# instructions there.
#
unix {
#
# The location of the "wtmp" file.
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
# Note that the radwtmp file may get large! You should
# rotate it (cp /dev/null radwtmp), or just not use it.
#
radwtmp = ${logdir}/radwtmp
}


@ -0,0 +1,112 @@
#
# The WiMAX module currently takes no configuration.
#
# It should be listed in the "authorize" and "preacct" sections.
# This enables the module to fix the horrible binary version
# of Calling-Station-Id to the normal format, as specified in
# RFC 3580, Section 3.21.
#
# In order to calculate the various WiMAX keys, the module should
# be listed in the "post-auth" section. If EAP authentication
# has been used, AND the EAP method derives MSK and EMSK, then
# the various WiMAX keys can be calculated.
#
# Some useful things to remember:
#
# WiMAX-MSK = EAP MSK, but is 64 octets.
#
# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
# MIP-RK = MIP-RK-1 | MIP-RK-2
#
# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
# plus some magic... you've got to track *all* MIP-SPI's
# on your system!
#
# SPI-CMIP4 = MIP-SPI
# SPI-PMIP4 = MIP-SPI + 1
# SPI-CMIP6 = MIP-SPI + 2
#
# MN-NAI is the Mobile node NAI. You have to create it, and put
# it into the request or reply as something like:
#
# WiMAX-MN-NAI = "%{User-Name}"
#
# You will also have to have the appropriate IP address (v4 or v6)
# in order to calculate the keys below.
#
# Lifetimes are derived from Session-Timeout. It needs to be set
# to some useful number.
#
# The hash function below H() is HMAC-SHA1.
#
#
# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
#
# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
# or maybe WiMAX-vHA-IP-MIP4
#
# Which goes into WiMAX-MN-hHA-MIP4-Key
# or maybe WiMAX-RRQ-MN-HA-Key
# or maybe even WiMAX-vHA-MIP4-Key
#
# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
#
# which goes into WiMAX-MN-hHA-MIP4-SPI
# or maybe WiMAX-RRQ-MN-HA-SPI
# or even WiMAX-MN-vHA-MIP4-SPI
#
# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
#
# both with similar comments to above for MN-HA-CMIP4.
#
# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
# you have to set WiMAX-IP-Technology in the reply to one of
# the appropriate values.
#
#
# FA-RK = H(MIP-RK, "FA-RK")
#
# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
#
# Where does the FA-IP come from? No idea...
#
#
# The next two keys (HA-RK and FA-HA) are not generated
# for every authentication request, but only on demand.
#
# HA-RK = 160-bit random number assigned by the AAA server
# to a specific HA.
#
# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
#
# where HA-IPv4 is as above.
# and FA-CoAv4 address of the FA as seen by the HA
# and SPI is the relevant SPI for the HA-RK.
#
# DHCP-RK = 160-bit random number assigned by the AAA server
# to a specific DHCP server. vDHCP-RK is the same
# thing.
#
wimax {
#
# Some WiMAX equipement requires that the MS-MPPE-*-Key
# attributes are sent in the Access-Accept, in addition to
# the WiMAX-MSK attribute.
#
# Other WiMAX equipment request that the MS-MPPE-*-Key
# attributes are NOT sent in the Access-Accept.
#
# By default, the EAP modules sends MS-MPPE-*-Key attributes.
# The default virtual server (raddb/sites-available/default)
# contains examples of adding the WiMAX-MSK.
#
# This configuration option makes the WiMAX module delete
# the MS-MPPE-*-Key attributes. The default is to leave
# them in place.
#
# If the keys are deleted (by setting this to "yes"), then
# the WiMAX-MSK attribute is automatically added to the reply.
delete_mppe_keys = no
}
