Compare commits
5 Commits
master
...
container/
Author | SHA1 | Date |
---|---|---|
Eri - | 1d32924d85 | |
Eri - | 6946bbd224 | |
Eri - | a1490e209a | |
Eri - | fbe1f6c5b0 | |
Eri - | 0b59c8cf5b |
|
@ -1,9 +0,0 @@
|
|||
# This file contains a list of commits that are not likely what you
|
||||
# are looking for in a blame, such as mass reformatting or renaming.
|
||||
# You can set this file as a default ignore file for blame by running
|
||||
# the following command.
|
||||
#
|
||||
# $ git config blame.ignoreRevsFile .git-blame-ignore-revs
|
||||
|
||||
# big format
|
||||
aaddec81945750222721659be65ecd6bf2503c6a
|
|
@ -1,4 +0,0 @@
|
|||
.*.swp
|
||||
*.retry
|
||||
result
|
||||
result-*
|
|
@ -0,0 +1,3 @@
|
|||
[submodule "secrets"]
|
||||
path = secrets
|
||||
url = ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git
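Review bot: The new `[submodule "secrets"]` entry pins no branch, so `git submodule update --remote` will follow whatever the remote's default branch happens to be; if the checkout is meant to track the branch the README pushes the secrets to (`git push origin HEAD:master`), add `branch = master` under the `url =` line. The section header for this file is not shown on the page, so the file name is inferred from its content.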
|
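--- a/.sops.yaml
+++ /dev/null
@@ -1,183 +0,0 @@
-keys:
-# The PGP keys in keys/
-- &admins
-- A5EE826D645DBE35F9B0993358512AE87A69900F # astro
-#- 270DAEB0EC5A129CE1F38E2FCB5009A2DB4C5190 # blastmaster
-- D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A # deployer
-#- 844267BA729E32B3329B9DBF59E238FC65F349F2 # eri
-- A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 # winzlieb
-#- 9580391316684474BFBD41EC3E8C55248C19AF2A # xyrill
-- 4F9F44A64CC2E438979329E1F122F05437696FCE # poelzi
-#- B2918084D9BA194C66AE78769E5D7AAA5B6B2D79 # schmittlauch?
-- 4B12EFA69166CA8C23FC47E49CD3A46248B660CA # vv01f
-- 9EA68B7F21204979645182E4287B083353C3241C # j03
-- 53B26AEDC08246715E15504B236B6291555E8401 # sandro
-- 91EBE87016391323642A6803B966009D57E69CC6 # revol-xut
-
-- &polygon-snowflake age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c # polygon
-
-# Generate AGE keys from SSH keys with:
-# nix shell nixpkgs#ssh-to-age
-# ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
-- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
-- &bind age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
-- &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
-- &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
-- &c3d2-web age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv
-- &dacbert age1hg0mmua5y82ct7l6q9gpc8w940ce5seqcjhm4dgx7tlzvflznyas7v3hf4
-- &direkthilfe age1qe8wvy8kdmfdxh505apkqnnquqgtvykd6x6qlxmzqp93cv6wjy4qlu5mpj
-- &dn42 age1726t33dl7pv3xrxxlafj2sexh7c0jm8pza84yu6l3wpz3fw5dauqxlass3
-- &factorio age1av4ww0zzyas0egzwkpdaj4crwz3vwnhpq0nfez2zad4me38zss7sjz5kw2
-- &freifunk age17rrjtdgzzwgjatyqqv27pftx42t8xhksls46jc3f78juzw4g04vsd7lr7e
-- &ftp age1lkr5rkf3z0976g8snmznf755gnexhjkwpzsw8xxwyesqmneawa4qgsqx77
-- &gitea age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
-- &glotzbert age1zqpep2vgfqeyvtj2jpxczfgrpjffwda429rnuztfp0vpqsrqdq8s8f4yua
-- &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
-- &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
-- &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
-- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
-- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
-- &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
-- &leoncloud age1aw9s4kcd6ys64ddzzfya9ajzln2tv8pm9uvz6d85v0r6eq4dudqq5vts86
-- &mailtngbert age1lgjvtszpds9flpwsstxdht00c7zlk3mz7nlc5qftyt8rhfdm330qqmhl72
-- &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
-- &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
-- &mucbot age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh
-- &nfsroot age18yxgwpakrkzq8ca2enayf79py25se3d8dsed2q523869re30jcaqx6rjln
-- &nncp age15853dr2kd6r2329tkcanwnruh6zd2xvsu5twc7gnxeyu3h7t6q5scckaq8
-- &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
-- &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
-- &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
-- &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
-- &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
-- &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
-- &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
-- &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
-- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
-- &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7
-- &stream age1j5csp5v5s2g8am47dd85kcke8986e0qc88f0vfgd3kmvwu8azg3smslk92
-- &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
-- &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
-
-creation_rules:
-- path_regex: config/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *polygon-snowflake
-- *auth
-- *bind
-- *blogs
-- *broker
-- *c3d2-web
-- *dacbert
-- *direkthilfe
-- *dn42
-- *factorio
-- *freifunk
-- *ftp
-- *gitea
-- *glotzbert
-- *gnunet
-- *grafana
-- *hedgedoc
-- *hydra
-- *jabber
-- *leon
-- *leoncloud
-- *mailtngbert
-- *matemat
-- *mediawiki
-- *mucbot
-- *nfsroot
-- *oparl
-- *public-access-proxy
-- *pulsebert
-- *radiobert
-- *riscbert
-- *scrape
-- *sdrweb
-- *server9
-- *server10
-- *spaceapi
-- *stream
-- *storage-ng
-- *ticker
-- path_regex: hosts/auth/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *auth
-- *polygon-snowflake
-- path_regex: hosts/blogs/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *blogs
-- *polygon-snowflake
-- path_regex: hosts/broker/secrets\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *broker
-- *polygon-snowflake
-- path_regex: hosts/dn42/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *dn42
-- *polygon-snowflake
-- path_regex: hosts/freifunk/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *freifunk
-- *polygon-snowflake
-- path_regex: hosts/glotzbert/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *glotzbert
-- *polygon-snowflake
-- path_regex: hosts/hedgedoc/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *hedgedoc
-- *polygon-snowflake
-- path_regex: hosts/hydra/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *hydra
-- *polygon-snowflake
-- path_regex: hosts/mailtngbert/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *mailtngbert
-- *polygon-snowflake
-- path_regex: hosts/mediawiki/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *mediawiki
-- *polygon-snowflake
-- path_regex: hosts/oparl/secrets\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *oparl
-- *polygon-snowflake
-- path_regex: hosts/radiobert/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *radiobert
-- *polygon-snowflake
-- path_regex: hosts/storage-ng/[^/]+\.yaml$
-key_groups:
-- pgp: *admins
-age:
-- *storage-ng
-- *polygon-snowflake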
222
README.md
222
README.md
|
@ -1,225 +1,17 @@
|
|||
---
|
||||
gitea: none
|
||||
title: Flockige Infrastruktur deklarativ
|
||||
include_toc: yes
|
||||
lang: en
|
||||
---
|
||||
|
||||
# Setup
|
||||
|
||||
## Add this repo to your local Nix registry
|
||||
|
||||
As an alternative to a local checkout, always pull the latest code
|
||||
from this repo.
|
||||
|
||||
```bash
|
||||
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
|
||||
```
|
||||
|
||||
This enables `nix` commands to find this Flake given the `c3d2#`
|
||||
prefix in some arguments.
|
||||
|
||||
## Working with this repo
|
||||
|
||||
If you checked out this git repository for working on the code,
|
||||
replace `c3d2#` with `.#` and run commands from the repository root.
|
||||
|
||||
Don't forget to `git add` new files! Flakes require that.
|
||||
|
||||
## The secrets repo
|
||||
|
||||
Make sure you have access.
|
||||
|
||||
## Install Nix Flakes
|
||||
|
||||
> Nix Flakes ist gegenwärtig bei Nix (Version 20.09) noch keine standardmäßige Funktionalität für Nix. Die Bereitstellung der Kommandos für Nix Flakes müssen als experimentelle Funktionalität für das Kommando ''nix'' festgelegt werden, um sie verfügbar zu machen.
|
||||
|
||||
Set some configuration (do this only once):
|
||||
|
||||
```bash
|
||||
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
|
||||
```
|
||||
|
||||
### Permanent System with Nix Flakes
|
||||
|
||||
set this to your NixOS configuration:
|
||||
```nix
|
||||
{ pkgs, ... }: {
|
||||
nix = {
|
||||
extraOptions = "experimental-features = nix-command flakes";
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
# Deployment
|
||||
|
||||
## Deploy a NixOS system from this Flake locally
|
||||
Beide failen bei Activation des neuen Profils. (TODO)
|
||||
|
||||
Running `nixos-rebuild --flake c3d2 switch` on a machine should be sufficient
|
||||
to update that machine to the current configuration and Nixpkgs revision.
|
||||
|
||||
## Deploy to a remote NixOS system with this Flake
|
||||
|
||||
For every host that has a `nixosConfiguration` in our Flake, there are
|
||||
two scripts that can be run for deployment via ssh.
|
||||
|
||||
- `nix run .#glotzbert-nixos-rebuild switch`
|
||||
|
||||
Copies the current state to build on the target system. This may
|
||||
fail due to eg. container resource limits.
|
||||
|
||||
The target must already be a nixFlakes system.
|
||||
|
||||
- `nix run .#glotzbert-nixos-rebuild-local switch`
|
||||
|
||||
Builds locally, then uses `nix copy` to transfer the new NixOS
|
||||
system to the target.
|
||||
|
||||
**Help!** It's needlessly rebuilding stuff that already runs on the
|
||||
target? If so, use `nix copy` to transfer where
|
||||
`/run/current-system` points to to your build machine.
|
||||
|
||||
## Remote deployment from non-NixOS
|
||||
|
||||
A shell script that copies the current working tree, and runs
|
||||
`nixos-rebuild switch` on the target:
|
||||
## Mit `nixos-switch rebuild`
|
||||
|
||||
```shell
|
||||
./deploy-flake.sh hydra.hq.c3d2.de
|
||||
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
|
||||
```
|
||||
|
||||
It cannot not lookup hostnames in `host-registry.nix`. To avoid
|
||||
deploying the wrong container on the unrelated DNS records, the script
|
||||
always uses the hostname that is already configured on the target
|
||||
system.
|
||||
|
||||
## Checking for updates
|
||||
## Mit NixOps
|
||||
|
||||
```shell
|
||||
nix run .#list-upgradable
|
||||
```
|
||||
|
||||
![list-upgradable output](doc/list-upgradable.png)
|
||||
|
||||
Checks all hosts with a `nixosConfiguration` in `flake.nix`.
|
||||
|
||||
## Update from [Hydra build](https://hydra.hq.c3d2.de/jobset/c3d2/nix-config#tabs-jobs)
|
||||
|
||||
The fastest way to update a system, a manual alternative to setting
|
||||
`c3d2.autoUpdate = true;`
|
||||
|
||||
Just run:
|
||||
|
||||
```shell
|
||||
update-from-hydra
|
||||
```
|
||||
|
||||
## Deploy a MicroVM
|
||||
|
||||
### Building spaceapi remotely, and deploy
|
||||
|
||||
```shell
|
||||
nix run .#microvm-update-spaceapi
|
||||
```
|
||||
|
||||
### Building spaceapi locally, and deploy
|
||||
|
||||
```shell
|
||||
nix run .#microvm-update-spaceapi-local
|
||||
```
|
||||
|
||||
### Update MicroVM from our Hydra
|
||||
|
||||
Our Hydra runs `nix flake update` daily in the `updater.timer`,
|
||||
pushing it to the `flake-update` branch so that it can build fresh
|
||||
systems. This branch is setup as the source flake in all the MicroVMs,
|
||||
so the following is all that is needed on a MicroVM-hosting server:
|
||||
|
||||
```shell
|
||||
microvm -Ru $hostname
|
||||
```
|
||||
|
||||
## High Availability Deployment on Nomad
|
||||
|
||||
First, stop and delete `/var/lib/microvm/$NAME` where the
|
||||
systemd-managed MicroVMs live, or move the state to
|
||||
`/glusterfs/fast/microvms/$NAME`.
|
||||
|
||||
```sh
|
||||
nix run .#nomad-$NAME
|
||||
```
|
||||
|
||||
# Secrets management
|
||||
|
||||
## Secrets managment with PGP
|
||||
|
||||
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
|
||||
Maybe this works for you, maybe not. I did it somehow:
|
||||
|
||||
```bash
|
||||
PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
|
||||
```
|
||||
|
||||
Your gpg key has to have the Authenticate flag set. If not update it and push it to a keyserver and wait.
|
||||
This is necessary, so you can login to any machine with your gpg key.
|
||||
|
||||
## Secrets Management Using `sops-nix`
|
||||
|
||||
### Adding a new host
|
||||
|
||||
Edit `secrets/.sops.yaml`:
|
||||
|
||||
1. Add an AGE key for this host. Comments in this file tell you how to
|
||||
do it.
|
||||
2. Add a `creation_rules` section for `host/$host/*yaml` files
|
||||
|
||||
### Editing a hosts secrets
|
||||
|
||||
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
|
||||
|
||||
```bash
|
||||
# Enter the secrets flake
|
||||
cd secrets
|
||||
# Get sops
|
||||
nix develop
|
||||
# Decrypt, start en EDITOR, encrypt
|
||||
sops hosts/.../secrets.yaml
|
||||
# Push
|
||||
git commit -a -m YOLO
|
||||
git push origin HEAD:master
|
||||
# Go back to this flake
|
||||
cd ..
|
||||
# Update flake.lock file
|
||||
nix flake lock . --update-input secrets
|
||||
```
|
||||
|
||||
# Laptops / Desktops
|
||||
|
||||
This repository contains a NixOS module that can be used with personal machines
|
||||
as well. This module appends `/etc/ssh/ssh_known_hosts` with the host keys of
|
||||
registered HQ hosts, and optionally appends `/etc/hosts` with static IPv6
|
||||
addresses local to HQ. Simply import the `lib` directory to use the module. As
|
||||
an example:
|
||||
|
||||
```nix
|
||||
# /etc/nixos/configuration.nix
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
c3d2Config =
|
||||
builtins.fetchGit { url = "https://gitea.c3d2.de/C3D2/nix-config.git"; };
|
||||
in {
|
||||
imports = [
|
||||
# ...
|
||||
"${c3d2Config}/modules/c3d2.nix"
|
||||
];
|
||||
|
||||
c3d2 = {
|
||||
isInHq = false; # not in HQ, this is the default.
|
||||
mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
|
||||
enableMotd = true; # Set the login shell message to the <<</>> logo.
|
||||
};
|
||||
|
||||
# ...
|
||||
}
|
||||
|
||||
nixops create hq.nixops -d hq
|
||||
nixops deploy -d hq --debug --include=dhcp --force-reboot
|
||||
nixops deploy -d hq --include=grafana -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-18.09.tar.gz --force-reboot
|
||||
```
|
||||
|
|
|
@ -1,50 +0,0 @@
|
|||
#! /usr/bin/env nix-shell
|
||||
#! nix-shell -i bash -p rsync
|
||||
|
||||
# shellcheck shell=bash
|
||||
|
||||
set -eou pipefail
|
||||
|
||||
function show_help() {
|
||||
echo "Usage:"
|
||||
echo "$0 [--build-local] <host.hq.c3d2.de>"
|
||||
echo "--help Show this help."
|
||||
echo "--build-local Build config locally and copy it to the target system via nix copy"
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [[ $# == 0 ]]; then
|
||||
show_help
|
||||
fi
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "${1:-}" in
|
||||
"" | "-h" | "--help")
|
||||
show_help
|
||||
;;
|
||||
"--build-local")
|
||||
build_local=true
|
||||
;;
|
||||
*)
|
||||
host=$1
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if [[ -v build_local ]]; then
|
||||
hostname=$(ssh root@"$host" hostname)
|
||||
echo "$hostname> nix build"
|
||||
nix --experimental-features 'nix-command flakes' -Lv build ".#nixosConfigurations.$hostname.config.system.build.toplevel"
|
||||
store_path=$(readlink -f result)
|
||||
echo "$hostname> nix copy"
|
||||
nix --experimental-features 'nix-command flakes' copy --to ssh://root@"$host" -v "$store_path"
|
||||
|
||||
echo "$hostname> switch-to-configuration switch"
|
||||
ssh root@"$host" "$store_path/bin/switch-to-configuration" switch
|
||||
else
|
||||
rsync -az "$(dirname "$0")" root@"$host":nix-config
|
||||
|
||||
echo "> nixos-rebuild switch"
|
||||
exec ssh root@"$host" 'nixos-rebuild --flake git+file://`pwd`/nix-config#`hostname` --override-input secrets git+file://`pwd`/nix-config/secrets switch'
|
||||
fi
|
Binary file not shown.
Before Width: | Height: | Size: 13 KiB |
887
flake.lock
887
flake.lock
|
@ -1,887 +0,0 @@
|
|||
{
|
||||
"nodes": {
|
||||
"affection-src": {
|
||||
"inputs": {
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1663176622,
|
||||
"narHash": "sha256-ahmQXwS2P34x7PxXt8Ve2ZVKJHW6yP1m/nZoo8sHwmE=",
|
||||
"ref": "master",
|
||||
"rev": "b56ed86e45b2a8cdf811f2659644192a69ab5818",
|
||||
"revCount": 293,
|
||||
"type": "git",
|
||||
"url": "https://gitea.nek0.eu/nek0/affection"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://gitea.nek0.eu/nek0/affection"
|
||||
}
|
||||
},
|
||||
"bevy-julia": {
|
||||
"inputs": {
|
||||
"naersk": "naersk",
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
"rust-overlay": [
|
||||
"rust-overlay"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1663441942,
|
||||
"narHash": "sha256-KNKnxcD8mHfjCqI0FluGOY1gfDfOMo8K9upGnCGksGo=",
|
||||
"ref": "main",
|
||||
"rev": "7feee1b6c436230f2adea774aab14a74d862e355",
|
||||
"revCount": 3,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
|
||||
},
|
||||
"original": {
|
||||
"ref": "main",
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/bevy-julia.git"
|
||||
}
|
||||
},
|
||||
"bevy-mandelbrot": {
|
||||
"inputs": {
|
||||
"naersk": [
|
||||
"naersk"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
"rust-overlay": [
|
||||
"rust-overlay"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1663194086,
|
||||
"narHash": "sha256-412sqKeKP8qm8Teno8xnl8/yMWxjZaRa7ujw5xaa5qw=",
|
||||
"ref": "main",
|
||||
"rev": "a37a6e16946f0515242a30699a9b34bdc45ef87e",
|
||||
"revCount": 9,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
|
||||
},
|
||||
"original": {
|
||||
"ref": "main",
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/bevy-mandelbrot.git"
|
||||
}
|
||||
},
|
||||
"fenix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
"rust-analyzer-src": "rust-analyzer-src"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1666420537,
|
||||
"narHash": "sha256-0gPA6u4g/+9ZI15krn7qet0sN5XP6yMymDCgfV5BZKg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "fenix",
|
||||
"rev": "cc541fd8c19048872161e53a3399a31c568fbd46",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "fenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"harmonia": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1666188194,
|
||||
"narHash": "sha256-WOgfXe3b4lZp5URZ+8TAtjX5VcaL8YMnpKaxYXHTCJY=",
|
||||
"owner": "helsinki-systems",
|
||||
"repo": "harmonia",
|
||||
"rev": "f97ecd55bb0c7ba846ba565938ad45981351b31d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "helsinki-systems",
|
||||
"repo": "harmonia",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"heliwatch": {
|
||||
"inputs": {
|
||||
"fenix": [
|
||||
"fenix"
|
||||
],
|
||||
"naersk": [
|
||||
"naersk"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
],
|
||||
"utils": [
|
||||
"flake-utils"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1657923513,
|
||||
"narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=",
|
||||
"ref": "master",
|
||||
"rev": "f7cf04a7ad47e388121f0771651fec0df91407f3",
|
||||
"revCount": 61,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
|
||||
}
|
||||
},
|
||||
"hydra": {
|
||||
"inputs": {
|
||||
"nix": "nix",
|
||||
"nixpkgs": [
|
||||
"hydra",
|
||||
"nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1666385840,
|
||||
"narHash": "sha256-ablHzPwN2Pvju0kyo8N5Wavqkl60gKHCPLnruwqvwTg=",
|
||||
"owner": "nixos",
|
||||
"repo": "hydra",
|
||||
"rev": "312cb42275e593eea5c44d8430ab09375fdb2fdb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "hydra",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"hydra-ca": {
|
||||
"inputs": {
|
||||
"newNixpkgs": "newNixpkgs",
|
||||
"nix": "nix_2",
|
||||
"nixpkgs": [
|
||||
"hydra-ca",
|
||||
"nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661851236,
|
||||
"narHash": "sha256-Om6uR2hszPvkZTzWRc0v0ZTm935QIzPSjGLzuhHUyJA=",
|
||||
"owner": "mlabs-haskell",
|
||||
"repo": "hydra",
|
||||
"rev": "8311b498e0e5f8ba4a01a0d7b97354617c73bf84",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mlabs-haskell",
|
||||
"ref": "aciceri/ca-derivations",
|
||||
"repo": "hydra",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lowdown-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1633514407,
|
||||
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
|
||||
"owner": "kristapsdz",
|
||||
"repo": "lowdown",
|
||||
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "kristapsdz",
|
||||
"repo": "lowdown",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lowdown-src_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1633514407,
|
||||
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
|
||||
"owner": "kristapsdz",
|
||||
"repo": "lowdown",
|
||||
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "kristapsdz",
|
||||
"repo": "lowdown",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"microvm": {
|
||||
"inputs": {
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1666198611,
|
||||
"narHash": "sha256-MWGr+6MBwl0gOe1DqxsUH3WxUaFsS0Jt74jiKqCQHa4=",
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"rev": "1813be9f059eb73efed5d21aa9b8b4ae5fb0b812",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1662220400,
|
||||
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1662220400,
|
||||
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk_3": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"ticker",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1659610603,
|
||||
"narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"newNixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1647380550,
|
||||
"narHash": "sha256-909TI9poX7CIUiFx203WL29YON6m/I6k0ExbZvR7bLM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6e3ee8957637a60f5072e33d78e05c0f65c54366",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix": {
|
||||
"inputs": {
|
||||
"lowdown-src": "lowdown-src",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-regression": "nixpkgs-regression"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661606874,
|
||||
"narHash": "sha256-9+rpYzI+SmxJn+EbYxjGv68Ucp22bdFUSy/4LkHkkDQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nix",
|
||||
"rev": "11e45768b34fdafdcf019ddbd337afa16127ff0f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "2.11.0",
|
||||
"repo": "nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix_2": {
|
||||
"inputs": {
|
||||
"lowdown-src": "lowdown-src_2",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-regression": "nixpkgs-regression_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1654014617,
|
||||
"narHash": "sha256-qNL3lQPBsnStkru3j1ajN/H+knXI+X3dku8/dBfSw3g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nix",
|
||||
"rev": "624e38aa43f304fbb78b4779172809add042b513",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "2.9.1",
|
||||
"repo": "nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos": {
|
||||
"locked": {
|
||||
"lastModified": 1666401273,
|
||||
"narHash": "sha256-AG3MoIjcWwz1SPjJ2nymWu4NmeVj9P40OpB1lsmxFtg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3933d8bb9120573c0d8d49dc5e890cb211681490",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-22.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-armv6": {
|
||||
"locked": {
|
||||
"lastModified": 1664701736,
|
||||
"narHash": "sha256-Va3NyZ+uyZztu506qM+sLxd69DBzN5CdoCAu1lzVk0U=",
|
||||
"owner": "rnhmjoj",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "10b75bee02bc7c25e596847357c70b277c534588",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "rnhmjoj",
|
||||
"ref": "pr-fix-armv6",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1665987993,
|
||||
"narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "0e6593630071440eb89cd97a52921497482b22c6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1666377499,
|
||||
"narHash": "sha256-dZZCGvWcxc7oGnUgFVf0UeNHsJ4VhkTM0v5JRe8EwR8=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "301aada7a64812853f2e2634a530ef5d34505048",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1663264531,
|
||||
"narHash": "sha256-2ncO5chPXlTxaebDlhx7MhL0gOEIWxzSyfsl0r0hxQk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "454887a35de6317a30be284e8adc2d2f6d8a07c4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-mobilizon": {
|
||||
"locked": {
|
||||
"lastModified": 1664466500,
|
||||
"narHash": "sha256-FvEUAKkf0PDZ2j2qIbI4+3oPTnuQq4HdX00iqBkvKOU=",
|
||||
"owner": "minijackson",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8a43afd5579f58092d4bf616a0206f83d8062e1f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "minijackson",
|
||||
"ref": "init-mobilizon",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-regression": {
|
||||
"locked": {
|
||||
"lastModified": 1643052045,
|
||||
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-regression_2": {
|
||||
"locked": {
|
||||
"lastModified": 1643052045,
|
||||
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1657693803,
|
||||
"narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "365e1b3a859281cf11b94f87231adeabbdd878a2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-22.05-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1645296114,
|
||||
"narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-21.05-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"oparl-scraper": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1656290558,
|
||||
"narHash": "sha256-f9JRkxMWK4ONeCePB8UcQX8pAksQPF9YcxLbbcCgpFY=",
|
||||
"owner": "offenesdresden",
|
||||
"repo": "ratsinfo-scraper",
|
||||
"rev": "0bc947ef28a6b83943db6fd9abbe2ae21ced7d06",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "offenesdresden",
|
||||
"ref": "oparl",
|
||||
"repo": "ratsinfo-scraper",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"openwrt": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1666345565,
|
||||
"narHash": "sha256-TsEHFpYHP/9AXWtwGdLw9w64nwDJECx77VB/dJ2/73k=",
|
||||
"ref": "openwrt-21.02",
"rev": "9cec59ca38a3600f175bd12e0620a1c7306aa813",
"revCount": 51153,
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
},
"original": {
"ref": "openwrt-21.02",
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
}
},
"openwrt-imagebuilder": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1666455539,
"narHash": "sha256-t9o9cjTcZWZj9SMr52TShTCZ2MNnRctylSqP+BUD6tk=",
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"rev": "3cc9edcc5625a7ef9721d65f2270242a695c69e5",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"type": "github"
}
},
"root": {
"inputs": {
"affection-src": "affection-src",
"bevy-julia": "bevy-julia",
"bevy-mandelbrot": "bevy-mandelbrot",
"fenix": "fenix",
"flake-utils": "flake-utils",
"harmonia": "harmonia",
"heliwatch": "heliwatch",
"hydra": "hydra",
"hydra-ca": "hydra-ca",
"microvm": "microvm",
"naersk": "naersk_2",
"nixos": "nixos",
"nixos-armv6": "nixos-armv6",
"nixos-hardware": "nixos-hardware",
"nixos-unstable": "nixos-unstable",
"nixpkgs-mobilizon": "nixpkgs-mobilizon",
"oparl-scraper": "oparl-scraper",
"openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder",
"rust-overlay": "rust-overlay",
"scrapers": "scrapers",
"secrets": "secrets",
"sops-nix": "sops-nix",
"spacemsg": "spacemsg",
"sshlogd": "sshlogd",
"ticker": "ticker",
"tigger": "tigger",
"tracer": "tracer",
"yammat": "yammat",
"zentralwerk": "zentralwerk"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1666361125,
"narHash": "sha256-TMvuYDc1MOI8TvScsTioFKRaIH7G8RA4LZFc9v38Nvs=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "8ee23f4f0aebf344089bfc201f1dbf641534cf94",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1666407365,
"narHash": "sha256-eD1hN+Uez7oOKl9BgvfBydQOCEqfoLuezoGfR6t0nzI=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8ffc63427df1dc7e53fb96cb13b130028c258202",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"scrapers": {
"flake": false,
"locked": {
"lastModified": 1665446321,
"narHash": "sha256-GuZr+BCAIe+UYmQrLHaVr8iRRajn5nSdWyqhjWDIX1Y=",
"ref": "master",
"rev": "3700761dd06f271ef26261ed2a90dce8c22b6dca",
"revCount": 61,
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/scrapers.git"
}
},
"secrets": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1659890996,
"narHash": "sha256-xURgGoznCPmpX35dn5AXcyNYicVn5ruvUKxfIMMiu8o=",
"ref": "master",
"rev": "5ca106f648bef15d9954d956bda336eea28e8d75",
"revCount": 149,
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
},
"original": {
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixos"
],
"nixpkgs-22_05": [
"nixos"
]
},
"locked": {
"lastModified": 1666078616,
"narHash": "sha256-ifW3GhIxuKv5+AidKAPpmtS8M7TY2d7VS6eFnaCFdfU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "8e470d4eac115aa793437e52e84e7f9abdce236b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spacemsg": {
"flake": false,
"locked": {
"lastModified": 1654295718,
"narHash": "sha256-lO/mvXrFiJTWX5roRooHg3m6cozvWqJTOxgl5jZ5mGI=",
"owner": "astro",
"repo": "spacemsg",
"rev": "64c714df0e64de23f77aeb05d74fecf5a7469f11",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "spacemsg",
"type": "github"
}
},
"sshlogd": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": [
"naersk"
],
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1664381600,
"narHash": "sha256-XGN/ZBolgT5OOZgGr6QP9VnyCOZ/Sjo79PwaWAYOFvE=",
"ref": "main",
"rev": "e1043a8c0a3f3f6b5be39188806754f3737580a7",
"revCount": 22,
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
}
},
"ticker": {
"inputs": {
"fenix": [
"fenix"
],
"naersk": "naersk_3",
"nixpkgs": [
"nixos"
],
"utils": [
"flake-utils"
]
},
"locked": {
"lastModified": 1665443266,
"narHash": "sha256-rm9P+NnjnpFsoO5P42nuMzcion0Q9qTTru5Zc7MMqUY=",
"ref": "master",
"rev": "cee130ffb5ff4085793ee4ec0ff41b8fd54384fa",
"revCount": 106,
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/ticker.git"
}
},
"tigger": {
"flake": false,
"locked": {
"lastModified": 1661423826,
"narHash": "sha256-IOOspJZYIk4zG4wZ7iIEizUFYYgeaWEXUwqWrFl2kaQ=",
"owner": "astro",
"repo": "tigger",
"rev": "9fe2412717e6cebe32eccad9449a4568b472c725",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "tigger",
"type": "github"
}
},
"tracer": {
"inputs": {
"affection-src": [
"affection-src"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1663279525,
"narHash": "sha256-lUq4CY//ISplh/4i33nOU7cchpxKrw5V8mVdRnHMBaA=",
"ref": "master",
"rev": "6d8d2cb1268d26add05baa3f21c325cfe051add3",
"revCount": 342,
"type": "git",
"url": "https://gitea.c3d2.de/astro/tracer"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/astro/tracer"
}
},
"yammat": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1655412349,
"narHash": "sha256-EFJLSOCajkfLteSWaEv5b16Xp2YhKa4CVdkC9ZjKowc=",
"ref": "nix",
"rev": "e7069228a87c42124e7762b1bfd663b684e24749",
"revCount": 405,
"type": "git",
"url": "https://gitea.c3d2.de/C3D2/yammat.git"
},
"original": {
"ref": "nix",
"type": "git",
"url": "https://gitea.c3d2.de/C3D2/yammat.git"
}
},
"zentralwerk": {
"inputs": {
"nixpkgs": [
"nixos"
],
"openwrt": [
"openwrt"
],
"openwrt-imagebuilder": [
"openwrt-imagebuilder"
]
},
"locked": {
"lastModified": 1666481861,
"narHash": "sha256-GJS7nHYTcz/KPM9q+5YW+JV0JRVfD23Lgjr1LlB2dD4=",
"ref": "master",
"rev": "3e844866516a6d6d75d3e4c63ab4d198eded61ff",
"revCount": 1644,
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
},
"original": {
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
}
}
},
"root": "root",
"version": 7
}
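--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ /dev/null
@@ -1,80 +0,0 @@
-# Registry of C3D2 machines.
-
-{
-dacbert = {
-serial = "3c271952";
-ip4 = "172.22.99.203";
-};
-
-riscbert.ip4 = "riscbert.c3d2.zentralwerk.org";
-
-dn42 = {
-ip4 = "172.22.99.253";
-};
-
-freifunk = {
-ip4 = "172.20.72.40";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFbxHGfBMBjjior1FNRub56O62K++HVnqUH67BeKD7d";
-};
-
-gitea.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8Q7kGF3Hh6HvmlSIgZOjgoIZRpyxKvMBTcPWHlecuh";
-
-glotzbert = {
-ether = "ec:a8:6b:fe:b4:cb";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
-wol = true;
-ip4 = "glotzbert.hq.c3d2.de";
-};
-
-grafana = {
-ip6 = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y";
-};
-
-mucbot = {
-ip4 = "172.20.73.27";
-ip6 = "2a00:8180:2c00:282:28db:dff:fe6b:e89a";
-};
-
-matemat = {
-ip4 = "172.20.73.21";
-ip6 = "2a00:8180:2c00:282:f82b:1bff:fedc:8572";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBa07c4NnU1TGX1SMNea9e1d4nMtc0OS4gJLmTA3g/fe";
-};
-
-mpd-index = { };
-
-nfs = { };
-
-nncp = {
-ip6 = "2a00:8180:2c00:223:dcec:9aff:fe6f:3f63";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQhxaeElmxO1UgaI/+qr+g13OFeY9qtJVxznNN+xs/e";
-};
-
-public-access-proxy = {
-ip4 = "172.20.73.45";
-ip6 = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
-};
-
-pulsebert = {
-ether = "dc:a6:32:31:b6:32";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQCsDss9Gq3/eTKqpgEwXK+nhnuARS4/kHqF2+laGnp";
-ip4 = "172.22.99.208";
-};
-
-samba = { };
-
-scrape = {
-ip4 = "172.20.73.32";
-ip6 = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e";
-publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGxPgg6nswoij1fBzDPDu6h4+d458XL2+dBxAx9KVOh";
-};
-
-schalter.ip4 = "schalter.hq.c3d2.de";
-
-# Hack
-rpi-netboot.ip4 = "127.0.0.1";
-
-server9.ip6 = "server9.cluster.zentralwerk.org";
-server10.ip6 = "server10.cluster.zentralwerk.org";
-}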
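--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ /dev/null
@@ -1,65 +0,0 @@
-{ zentralwerk, config, lib, pkgs, ... }:
-
-{
-c3d2 = {
-deployment = {
-server = "server10";
-mounts = [ "etc" "home" "var"];
-};
-};
-
-system.stateVersion = "22.05";
-
-networking = {
-hostName = "auth";
-hosts = {
-# required for ldaps connection over localhost
-"::1" = [ "auth.c3d2.de" ];
-"127.0.0.1" = [ "auth.c3d2.de" ];
-};
-firewall.allowedTCPPorts = [
-80 # http
-443 # https
-636 # ldaps
-];
-};
-
-services = {
-nginx = {
-enable = true;
-virtualHosts."auth.c3d2.de" = {
-default = true;
-forceSSL = true;
-enableACME = true;
-locations = {
-"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
-"/" = {
-proxyPass = "http://localhost:${toString config.services.portunus.port}";
-};
-};
-};
-};
-
-portunus = {
-enable = true;
-dex = {
-# enable = true;
-};
-domain = "auth.c3d2.de";
-ldap = {
-suffix = "dc=c3d2,dc=de";
-tls = true;
-};
-seedPath = config.sops.secrets."portunus/seed".path;
-};
-};
-
-sops = {
-age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-defaultSopsFile = ./secrets.yaml;
-secrets."portunus/seed" = {
-group = config.services.portunus.group;
-owner = config.services.portunus.user;
-};
-};
-}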
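--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ /dev/null
@@ -1,183 +0,0 @@
-portunus:
-seed: ENC[AES256_GCM,data:bF4cxon5Wy9+i9jib+JfzW7++mMWYbt5U85S9b1YK6YYsvF2/4LKW8BwsCBsECKCqicSvejDID9DEGMXRhcojUWu07q/LBI8ADYhw8siBeTMYgb5V433Nt8EODJa8XUhpxWSl/PgLNZKw0+vSK4hQRZjAcmWl6Djy01LD0kyhU4rAwxY8FozlfaLtJN007LHhhGFA+r/l+nHuW+wBg7XVC3/7d0THS6krf44USBEyIdoYPbpLOhkyitcmGxHlT+AknUvgghyTnqxUIsPdhFq9LWPRSpxaCcH6mbFFsqBfQwfZ58BOW3Oqz3e7RDm4Z8LOJSL/3RDgEBJ3sNKHvPZp8x6lCaV9PZZGSKIOhp6534fY2s1LuPqIQGW+Qf+08j3XlpUuFkEURP+IdkEiJtk952cMN6SnN/QFhxM6Nr+s1JRzwbtuvmjQSPWQHC484XsizqVbyiLFMjX9QsKvnHeZeACspnZKdFSTWRZ2reRa1Lv6acIjWn+uv8S4sUt1o3zfcWFb5xG95NYhyBLFExsVzC/RWD/fD4jR/1ZAUF+vGl20SZzlj7MbRLg7JIwxVFoFgZLz915ZTbHbxDeX/OOhqd+GOBe8wsm+DJf8H939jNo+iPTWlHfY8zZOFQpdtkpt3uISpGBsBfMFtYInrBDXDNPr1SEbQPEAgjbYJWPC/FIgcIkGtRu4mN8Cl4IgPnTgSJ9WYpGkfuxb/PNvR4XN9bbjE4h9i7bCeA7nNPSFa3vItbVps0jM7TyWyha168K/gJ+nk9+iqK79m6SxaAHQ6A5P60V7XZpIDteWKuxV/I/1Tty1JLsN8khiHnrrqMqrxX3vyjXCwX1N16w7gMwLnQJkMO3M5pRhUsfaRm+lyBLWDVrN8o5PqZ+KZtldvqeZW+tknmvvUtYB6lYbcEdy9/4W6oNLBvINodKijQmOO66/RhiAu8q4qNI6JIpqdzl0CdKI86xoykfUGXbqm1heEloutcNxkEfR8D3Vn98rKc0IVB+uD8XROD53ZV1w2LbpzjHNJMITCebKufRjBZvVfMl8Q==,iv:xIAxj2D3HurNzQg/JjKCQ4KEwjKJ/PuDGM2RLRFuMX4=,tag:i5s0OMkvIgY4rgLQygVsaQ==,type:str]
-sops:
-kms: []
-gcp_kms: []
-azure_kv: []
-hc_vault: []
-age:
-- recipient: age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBia1BGY29QTEhEb0JaVXE3
-cktvbFNHclpGcVVXUTN4S2FxM0xLQVZKUkZ3CnVtVG5aRHRpUDR3ZkhOS1pwdGdR
-VXBCbE8wMFEzYmxCRG5Od1J0SnhGWFEKLS0tIGttU1RvMFJQNVc2azU1L1VocTJI
-U2JwaFI0SlprbUFJUjF0WElmSERSS1EKtrQUjrXaiCY45ySJR5gMBB09eNU73ZCA
-wePnt0MdM7ywiImfgaRZYka4fQffLHn/ZYY0X4sJ0rlji67lxdi40g==
------END AGE ENCRYPTED FILE-----
-- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eXdZT1VyY3daN2ROdm51
-My9KTlozaW1JNmYwVlc4eHhQYjd3d1Z1Z21ZClpGcnhLcENoMjNxbnRCcjRvTGhv
-S2toL055b2ZuU1Ezb0VaVzhQZTBuU1EKLS0tIE1jd3Yxd0xFN1VLRVlvQ2ZwRnNQ
-OHlKSmZ0WGpJNTNlbGJZdWsvV2JVSjQKChNZeeT4l/ZiBMC0SZXY8wsNnZBtM9vw
-WfVljqnQTMODkoLjfxcvET2xZjSHSI0wjULjMAgg67lRUEG2bxMp3g==
------END AGE ENCRYPTED FILE-----
-lastmodified: "2022-08-01T23:50:16Z"
-mac: ENC[AES256_GCM,data:P7fUSy+q+jXqKq3uYLVZmOIh4WT19bd59zPel6ltuq9SpUTkrybr+AFqRdQs+DhADKF45X98lNUCvsyAXaXyP2ADQCcCeuWx/AQNjUaGiZ39LnHXAfn9r3o2xml8sXD7yri6BHDnCoaCNA/caAsaOz+yKB3vJw3PU5hWmm4os7s=,iv:nFSPrHTl/lJQkFJktkgkAbQVdQ6sqxFWbwl+dPwSfag=,tag:vk44cvyxy89dh+nonnKe7A==,type:str]
-pgp:
-- created_at: "2022-07-31T16:18:25Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA6j84+xkv3y7AQ//cox56OOXaP21Gcc31xkCLDyA4ZRvldGjlDgl+XP2/ATV
-6OjBjpbcd1F6m0MjfTFofUUJs/Kwb61b4bCrcBVD7nlJhr96CMLV5fPUzXo7ZcA+
-T+DFX0wPTlFWdyP2VdIgcntSAcVBeoTF/vUfW4edtFY/82Zl+csHcsy1K49YAJQe
-m8T3MJX+31cVdyQ25vdXmnMnTGRLU/oQU3RdpneGgeYS9sskntczKgP65PU65B7I
-zS2mAyMreDw/2V+mb69+PMMeznlDa/Qg3G7miA85R5vCjgl2BVW66B5MyupXlBF4
-ASBbIZ1oeWGJ+xAErXc67XUJSgGbh4JijbtspiJKKUCqe10gYjytnQkHvz4d6qMf
-SQsbNhJUNgq3UsBk9EubJnZXSIuYN6ZfxhTJgwtiVJojwVGltmg+Jsx0ya+53MPE
-Axs8apAb98oPRoojbThscc0DsVjt2+wS42x5Pl7qci54xqfftyHRhN9T3suo2fuC
-R4bJoCHmFM9681BZen+/XSj5h9gCw5HkXBZKM8vXxtJpa8CMnAlYqhYAvZFjwlk2
-YJg0TF8BPKTTyht4VlI5CJQSdsHurDCT2SXYmefuAtYr0MvU+QjypT6LczpDaMho
-lfibrAYp97DqlqAorV0PxLzLVfZsU0c6bJadhRBzPa8NMIBuhGPvv/6uO/xPzpnS
-XgFpafi6/MSg7jOCRQOXqwAOa1s2ca3K3Sf3gP4O5uq6WgnZWb4KoinlfP6DcXUN
-tJ6jRVv4qCj+GsP7/wA5zeGAiu6o0KYpz1WdlLJapHkcF6qrH+nGeLNYswvDlWc=
-=9P63
------END PGP MESSAGE-----
-fp: A5EE826D645DBE35F9B0993358512AE87A69900F
-- created_at: "2022-07-31T16:18:25Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA8zMZ+ak7y/zAQ/9FMOum2xOYa7nQO99A3dxo5Drdz7l1+bCEkGxPWXfcTCN
-lpS0+T/tyVPCp012HwUC4UxZM2nen+18lBlu0FJJTEqlQogGlmW5pekAbv7WXsTt
-lDKcyEX1JtjXhImc8DuN1Rx9SFbpwAUhCpqGzAsgmoUZQGMaS5AfFKuzGpD2u1va
-Mrcbp5ouQOjWijECbdjvcvtLljlNvHlW4W8Xh3WdBw8VwoxI35QdpZnSINk/F27U
-3t5Sxd+85xKXQ81WMol7iehNjilwTVfi71gaPhcKM8HxSfYbop7FnbTZ2karUflv
-COPwlrBVAfqhuA/RE29xKeK3xX5p34KEVrRWMe6tSTL4gygZi97Da5v/dU7PsCOr
-YhFNVgdS/zAARaNtSdM2e+QR1jR2Y5+7G4HiJ0cvp3yhqDTtz91ojqOFE+UgYKMr
-ckX92R9t+dq3HR+QcZq2OXpZ6cWJ9vBlOmDkz1ct9mvB3g2S81zqTbOnoDv23SlC
-W5iTFMHaKabRbHIxD/OgKKRKt5zBmt+vGgngNafKSZz3ftvLbmAulzqRhvxeAtiu
-MxL0aj4dPSncwXeaqAPrza4r2DXT3iXxnnaDbEoXi3GLrI2DmOcblWRGfnYouGmo
-R6CbwCIJ1i12i24EZPPmeWTTqNGp4ZroSKFJH8gqaBeeaHDMM3K5yiAYjyrDnw/S
-XgFsabN3bifV5Ue8f5izDCDifUJPS0rNPfeDnSui/yJMkj4ZNkJGGM25M1gKxXdF
-vKz5Jgipsz1eHbXnL7uELuuRH95AMt31AhY565zpZIOqiFPmVqe1ajawDNNDg8s=
-=zj9P
------END PGP MESSAGE-----
-fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
-- created_at: "2022-07-31T16:18:25Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQEMA45bZkLXmBFpAQf+KCmtLOd7pOx0agWHhgQxtDIXDCn5PvxjU3p+TXQ4TGWA
-W2+4+17SFMlxyM02p/3nols+mUYQ0W7Dt9Pgkzh1hCN1nJl1JjWqc3Dg62hZS9V7
-y4yhakVhJ5vbrTfkp4TA4yWaHubjVbGgNuxghLcD/15RhUKWREBVS3qGG4sPOjF6
-vjwIutkclRUjIl+Dswzr3yQWVmL1k4Xq73pPPAzMFK+4RWqz+h0qUVFVV9CgeWy6
-JqD39wApRWrV68QhhCPJ6gHU18Zv8gk02F3HvMuUDKXWxsBuwk0+SDOBSs9H3VIz
-tu8uuVA2hFAb8D0HLK+eQ6CN1mdvcIucuDFd1kLVNNJeAZcWICQeLoNGJRlyxEKB
-/h+//E1MqBevUKcpZaWp6/I9AIyArNGJrsvGXYsykLrexxRt/0goyC3hwrluTdng
-Rn6kI6mhvikgO0qmeg+uNooyH5pBZseW2YzaTU6nbg==
-=CGxM
------END PGP MESSAGE-----
-fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
-- created_at: "2022-07-31T16:18:25Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMAwMCBBrc/JA6ARAAna4LxHXmrM+D8aarX+s2OPP9h8kaLHggbkBw3DgscaHG
-RvsDAcxcqWqU8mY4GZhM1qJMdxt4rcs4PeZPBKymmWR9CuxmaCChEKXcfBSqncM2
-BkUu7QbHfhIp6igfC8tZND/kWSLAfkB+ckXKotbusdJHUa0u44wJMr8FXolD95mz
-WqTWt49QfUD7JB+rPdNCNyHvmY+i7tOjxT0uDRtcOpo6VRwYVQl4fQQvJrz28p4E
-NfB5PIOdWsVR64v0epaVBci6Ed32OnTYZS9oXxDGed1Ns8ET9+PjFSzSaWc7aE3v
-V8V9raxh6E8jNsRayrE/B+aQdARHGQ5WfIsvX+yLVYlNS262uEL84guCj2kNBsZg
-2c0CYEKKj81M0fFMx5kyB6Kykd7jm3cVB0DEMt9eA7BIAc/Bu413UhqVVdUzAG/h
-AXubA61gmTb2RbojakdraSfbBrdEzkgOKnpXJP/MT4CQ7fXrgaPfeEjWyAW2Ubra
-k1RNhh1aWCi1ywls+mpx70g/dygmcHmxo+nkBhAvqcIagGY4fmpXJrR4snJByPZu
-7UUOVGkh22jyXfvKiBWxa0IV1YmtXsgMWYbU+06W/v5dXoYfLCZklsrMVca70v8B
-8MSroIESEDLNiyMvK3DUyTGzEnXY4mdq8XXn4OTXNAyShGl1JO7cRgUEqJat0g3S
-lwE2si/ktYjr0bBRFYS0ZnCU44LOKRkcGGcXqmgVGYnlRPSU9zdAHTC9tkeZLUE6
-waUTF79pemssbbWpGEG3YQcqU+UgoN8Atbf1W8e/ZLPx/UQsWNzLMe2gpHnv3sAb
-0WQ/YdM42Lj+lECNkwkWVn8Bbxb5hq53jZzJub5mJZ/x2QSk+HQvj6hTHpXI2S78
-GwGaOx70ayE=
-=htKz
------END PGP MESSAGE-----
-fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
-- created_at: "2022-07-31T16:18:25Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA9XEenRNYVGHAQ/9EqJahhid4UfKo8qfA1CvDXBNWPnnHib+lh73Omm/Q2ke
-k5wcdgjieXRAE0NxKZVyCqsbmcbXKMurCEFCdiIbzo330kp4Lxy1tHagZSg1hnu1
-MpFM/GbhwCVj77IYrhv+GAULRl3TOOUx9QKgql4VXKl3e5q3ORKmm6ymVtg5LDzj
-oSQU2WOEB+O/WxXo1wOnP3dFTUnfUx1oujgpnJjbuyjJc/wO0+m3nZ165o655Ol+
-ej6MXw4cU8kIwMsYIYWoyksgJCmlLCJ1m6iYUT0iOKmNVbLtZXSZYigKAyg/DLmx
-ycBgxE1+Ylr7GjEUVQL2TgMsZMgeLHahqrz7DjbVdRNIRaw5i3hyk1PBpszCwRLK
-5d0jHJ1SF2SE87zRIKKOvH+pkaJvyvOdBCrqXKCjELhV9kDnH+ZPI7VyEzj9qsOc
-C1DljDELgMnPbnHndCg7V8nxyg1Pl98HnQBOwr/FaXZZQZPJmC9fs3aioUTIdWu7
-tszYH5nsFVk3usbCU8WDcGFn5MLnDKxmdpdr/G8bwa1pXo/vznRNAd/NtK8rlSGd
-ogOgr8BIit7Bs6AZHyJLcfoTMzSZmipSIxMvq/BDPAIhPn0PRuz2QkVRHUwd0nYW
-G9aTizXC7UWJi0PhyyKVnZIlWFp4v2pWmBoivKR/C6cIF3WDY51gfZPjtv+B36bS
-XgELxQB8bR+TUTVxlU0HYA59MofiIatqyBH+WTI9EDBdOe9+Tr+wqu4seXkosY6Q
-XBsqRSVZBWzTvfCtqwgc4+Z7V1CxV+iMJDfvbRTBg213jDKiPPhfuBqhvtU2jN4=
-=LLlm
------END PGP MESSAGE-----
-fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
-- created_at: "2022-07-31T16:18:25Z"
-enc: |-
------BEGIN PGP MESSAGE-----
-
-wcBMA/Z87ylQaotQAQf/c6nvx1MVEwbF/pZ7o5Dpj/r30GnL0zNpYyAMCgAwXaki
-5nwvx84vq2/NleaI8J6cbXB3h5NzGArDVWa5V6W/Jg+vbPnLTzhYWmGSRBb34QD5
-KSJ8C79b/Gv9i9a5my3j0Rpj7iJ9zFcHgbxYMlq6VInWJf9bH6owk/9iMaJfHM7R
-2J85ykc+5Hn6raAbo+OGoClGAT6rVH7jwuN8V3LQp0QJaBPEfFmF2rH++xUuxaaS
-Y/egu67yR0CooaiwxSyl/h7L8VtWTs5eRkWsAEFolfR4mCZ2eJwq7D7eljkxaNx8
-w6mEHgDHyWx9lt/7lZ3TAv7e4I/FnaRgTL6bPJUPKNJRAZQ9tbwpTFWNGsG3z/UT
-eQu1bhnOa6GEqy6iPSZr1ndJExS3mqq9UBvdKi4z88iKLrAfMgB1HzmkocYwDSvt
-7rprso1qslJzqpEJquz/I7GV
-=pz+t
------END PGP MESSAGE-----
-fp: 9EA68B7F21204979645182E4287B083353C3241C
-- created_at: "2022-07-31T16:18:25Z"
-enc: |-
------BEGIN PGP MESSAGE-----
-
-wcFMA9qJIVK2WMV7AQ/+LN9JY3vz5JIUVoYWaAE2kuSnd7sxwDAzRTA0yjYnvXLO
-ZDsDmkP9AdVg3pj7+HEse7+PfNgTbewoMoytbAzi7P44XACbHzP/4JjXmPaWGARu
-8PEp8patPvWPrHtSjpPkAjDj90KCOIy97SeTLzC589QgtN1oQlbERMtBkTV7Zhsq
-EvGPJvoyenrYOSuDgjJwtt0V/qHoT7MhumGYcoojPOV30rUE+mVuUeK+UysAdfPs
-3LGl1fIAfJNq1nqjOwH+y3PS1A2YJ604hsuzUnfuhkNbtQbu/mJfha1YcADkMAKD
-srti7pKMSim9wD/zIiqI68vlvFQgdH6IZ2mN513KCXnTxFzcnYH+8ioJR8Mudcv1
-ip2kBtQS4Dc+blD1usVSStcXZvfF69+Pxp3FgCIX4mKJx5iwppVA31voYiFH6gEA
-OpVdJCAmNJYc3k7EmABfA06MM9DMtZZkp8X1D+YUgJh3RxE2lwGLIQB9ECl2pa8s
-5GG9147jNLkuHFIjsfKtCtFHlSbKw+8WqbHZMj5FJNSGuJm04VpG14OGus23jQos
-SnLo4u0VgSKwYl+KkDZKxsEqPtkuZk6+5xQ5T756cDsYd8VmzGOFAIw+zLcH8M1I
-8KcBMd+f/pI7msvmbxcjcimCH+7TTEkQD1lwWJHp06czTskJNdeKM1iIdV9MRcTS
-UQGFKICoH3JboTzTFZZ1gA72+ecToZ5lRVLt/X2ljX9eRO/Hpm1LwQXfoTC/Mlh2
-4vkxF3en9dRzT2VMyPRvr4dxPVFn2weNpo7MxT3b6ohweQ==
-=ssEn
------END PGP MESSAGE-----
-fp: 53B26AEDC08246715E15504B236B6291555E8401
-- created_at: "2022-07-31T16:18:25Z"
-enc: |
------BEGIN PGP MESSAGE-----
-
-hQIMA/YLzOYaRIJJAQ/9FsUGc5UUbFQQFrncWkknh1AqTJkozHRYBDhcQ2tZO8kY
-a54xy9tKub+cVO/f/T9fH6jeFkJtkGlaIoorHs2Pwnizz958BhfPHooW3IFohhmu
-E7VDjFOrUWYp9spjB71hHLWZ+FTFeT6M/+CfGJuJ+XqtLEOkeL4uFVd6gEDldt6Z
-qYIu8NFPfDoqk5VxJhmNxmcHEn1OO11ukvhghXXztZ/IKlfeWl7pkDweWuDHDqZq
-m+9ndgCxIFkbBcq3Xvb9DANdYJfrzF/4g9XApxpF9aPUDtKvlKYynX83Viu5Cbsi
-ALlmJ2DJIBtWXqm92dFuwJwKSh2RRQZpA5YiQWpnVYxPlER6HWTPIlhiQ6v+buV3
-6NfBbfwkhGU+9/W5iRD/yvl8wOnWzh7/e9R3Sjm5raKJq8pG8h0Ak6aMY+G+7NYu
-OOwis5BSqP7B1owvifQdjVjxKeJ2XyREU2EeNTo4eJvT24dRbgUF2DBhdI7jynKE
-PhI/OprouxCPnxw2oQdsYnKuVtJVph6hTj+UXJRMVR79TzS9JDR5dMCh15jDVGfc
-U/twQiCF2jaQu5RZWAUXr5DJ2XJXli+PIdS1E/+TC1yYTQY9cWHQ7elRBM+O79hn
-iEXVAZrFf9kiRWHv2tmfvpCrXG9UsywIN/RXvKT5s39eHEp4dtc0kps6brU+NgfS
-XgGd5FnZoDez7vDTGxka3DPJs4aUAFZd1kyNussml19b+PPYDil/9SYomXZdV6fx
-u1lMPZFK0QDME7NGKBO73lbXzs7StaiCXgydbuJ5bwlq/Gx0zeI0x6gs6/AlS58=
-=ostc
------END PGP MESSAGE-----
-fp: 91EBE87016391323642A6803B966009D57E69CC6
-unencrypted_suffix: _unencrypted
-version: 3.7.3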
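--- a/PATH-NOT-SHOWN-ON-PAGE-4
+++ /dev/null
@@ -1,197 +0,0 @@
-{ zentralwerk, config, pkgs, ... }:
-let
-systemctl = "${pkgs.systemd}/bin/systemctl";
-deployCommand = "${systemctl} start deploy-c3d2-dns";
-reloadCommand = "${systemctl} reload-or-restart bind";
-in
-{
-c3d2 = {
-isInHq = false;
-hq.statistics.enable = true;
-deployment = {
-server = "server10";
-mounts = [ "etc" "home" "var"];
-};
-};
-
-system.stateVersion = "22.05";
-
-networking.hostName = "bind";
-
-networking.firewall.allowedTCPPorts = [
-# DNS
-53
-# HTTP(s)
-80 443
-];
-networking.firewall.allowedUDPPorts = [
-# DNS
-53
-];
-
-# DNS server
-services.bind = {
-enable = true;
-extraConfig = ''
-include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";
-include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";
-
-# for collectd
-statistics-channels {
-inet 127.0.0.1 port 8053;
-};
-'';
-};
-systemd.services.bind = {
-serviceConfig = {
-Restart = "always";
-RestartSec = "1s";
-};
-};
-
-# BIND statistics in Grafana
-services.collectd.plugins.bind = ''
-URL "http://127.0.0.1:8053/";
-ParseTime false
-OpCodes true
-QTypes true
-ServerStats true
-ZoneMaintStats true
-ResolverStats false
-MemoryStats true
-'';
-
-# Build user
-users.groups.c3d2-dns = {};
-users.users.c3d2-dns = {
-isSystemUser = true;
-group = "c3d2-dns";
-home = "/var/lib/c3d2-dns";
-};
-
-systemd.tmpfiles.rules = [
-"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
-"d /var/lib/bind/slave 0755 named nogroup - -"
-];
-
-# Build script
-systemd.services.deploy-c3d2-dns = let
-inherit (pkgs.bind-secrets) giteaToken sshPrivkey;
-in {
-wantedBy = [ "multi-user.target" ];
-before = [ "bind.service" ];
-after = [ "network-online.target" ];
-path = with pkgs; [ git nix curl openssh ];
-script = ''
-mkdir -p .ssh
-cp ${builtins.toFile "id_ed25519" sshPrivkey} .ssh/id_ed25519
-echo "gitea.c3d2.de ${config.c3d2.hosts.gitea.publicKey}" > .ssh/known_hosts
-chmod 0600 .ssh/id_ed25519
-
-# Build at least once
-touch deploy-pending
-
-status() {
-curl -X POST \
-"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
--H "accept: application/json" \
--H "Content-Type: application/json" \
--d "$1"
-}
-
-[ -d c3d2-dns ] || git clone --depth=1 gitea@gitea.c3d2.de:c3d2-admins/c3d2-dns.git
-cd c3d2-dns
-
-# Loop in case the webhook was called while we were building
-while [ -e ../deploy-pending ]; do
-rm ../deploy-pending
-git checkout .
-git pull
-REV=$(git rev-parse HEAD)
-
-set +e
-status "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
-
-# Fix legacy paths (TODO)
-for f in *.conf ; do
-sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
-done
-# Allow creation of .jnl files by BIND for DynDNS
-chmod a+w zones
-# Clean up .jnl files
-rm -f zones/*.jnl
-# Take action
-if systemctl is-active -q bind; then
-/run/wrappers/bin/sudo ${reloadCommand}
-MSG=reload-or-restart
-fi
-
-if [ $? = 0 ]; then
-status "{ \"context\": \"c3d2-dns\", \"description\": \""$MSG"ed\", \"state\": \"success\"}"
-else
-status "{ \"context\": \"c3d2-dns\", \"description\": \"$MSG failure\", \"state\": \"failure\"}"
-fi
-
-set -e
-done
-'';
-serviceConfig = {
-User = "c3d2-dns";
-Group = config.users.users.c3d2-dns.group;
-PrivateTmp = true;
-ProtectSystem = "full";
-ReadWritePaths = config.users.users.c3d2-dns.home;
-WorkingDirectory = config.users.users.c3d2-dns.home;
-};
-};
-
-# Privileged commands triggered by webhook/deploy-c3d2-dns
-security.sudo.extraRules = [ {
-users = [ "c3d2-dns" ];
-commands = [ {
-command = deployCommand;
-options = [ "NOPASSWD" ];
-} {
-command = reloadCommand;
-options = [ "NOPASSWD" ];
-} ];
-} ];
-
-# Web server just for the webhook
-services.nginx = {
-enable = true;
-virtualHosts = {
-# hooks, logs
-"bind.serv.zentralwerk.org" = {
-default = true;
-enableACME = true;
-forceSSL = true;
-locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
-};
-};
-};
-
-# Webhook service
-systemd.services.webhook =
-let
-hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
-id = "deploy-c3d2-dns";
-execute-command = pkgs.writeShellScript "deploy-c3d2-dns" ''
-# Request (re-)deployment
-touch ${config.users.users.c3d2-dns.home}/deploy-pending
-
-# Start deploy-c3d2-dns.service if not already running
-exec /run/wrappers/bin/sudo ${deployCommand}
-'';
-} ]);
-in {
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
-User = "c3d2-dns";
-Group = config.users.users.c3d2-dns.group;
-PrivateTmp = true;
-ProtectSystem = "full";
-};
-};
-}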
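--- a/PATH-NOT-SHOWN-ON-PAGE-5
+++ /dev/null
@@ -1,36 +0,0 @@
-{ hostRegistry, zentralwerk, config, ... }:
-{
-microvm.mem = 2048;
-c3d2.deployment = {
-server = "server10";
-mounts = [ "etc" "home" "var"];
-};
-system.stateVersion = "22.05";
-networking = {
-hostName = "blogs";
-firewall.allowedTCPPorts = [
-80 443
-];
-};
-
-# See secrets/hosts/blogs for the .env file with all settings
-services.plume = {
-enable = true;
-envFile = config.sops.secrets."plume/env".path;
-};
-
-sops = {
-age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-defaultSopsFile = ./secrets.yaml;
-secrets = {
-"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
-};
-};
-
-services.nginx.enable = true;
-services.nginx.virtualHosts."blogs.c3d2.de" = {
-forceSSL = true;
-enableACME = true;
-locations."/".proxyPass = "http://localhost:7878";
-};
-}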
@ -1,183 +0,0 @@
|
|||
plume:
|
||||
env: ENC[AES256_GCM,data:V7pEExE5jGT7JSCejzo1m0QlMgpKuaF5CnHvR7LCvTJSgoCeeNW9ImtVk8MtqtoRngH45jgseuC5wZNzXSMG/ltQ4c3ThDcxKP5ngLmEZ3tOqSlIdV/A3S4ww4f/UAx8YpNY4c/LlL9NuCcfpHyC4zwRFrD6odCSk7BUT0BU+zxOBDpQDAHscBz+YYTbb3cJ7iGYg1fXS6wLJHutf0eXYF5VNcc80SISEfbR+bs9t2f7Dg==,iv:3n+EDT9TO5VxCS6rXZiNKpxtCWeCDi6YT3dQsrECNmU=,tag:ysWwxhR1JNJ7WUM28TIQig==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cHMybGEzSkNJbHMrM3dU
|
||||
Z1JNZktKTDhYRWp2UG42RHRSVWk4ZHd5a1VNCk1YLzBEdkZJcVd4SU8yRzFYcnZz
|
||||
N0JWRFlaNDlmYTRodzl6YzlYSWFvZ2MKLS0tIGIraHBBM3B1Q3pSTHh1NjB1UlVo
|
||||
eFhuZGtmN3doRnJtaEtBQVVXZFF6dDgKbdF6mYi9L5jFRWoQ2gI9cf+gqcHzlTXY
|
||||
tLgbNyHPNgxDdhgZwfEWO2R5RBA6dDQ38FnkoNe7/UHRlkCO/PinGg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeE55VzhsUjRHYStMN3l6
|
||||
OEtOQXFOVnBGcTBlK1djSlNSemJidTBzNlhnCnBOMnZjSjJFeUI5cytBUFM5aUds
|
||||
TWpnK094Wno0aGttVkhxdmJ4blJMcG8KLS0tIGgrUzRWcjIyS3BpRXcwOU9QOS8r
|
||||
KzVaYjdxMDBzemVhYnVzckZyUnp4NXMKCBgjoBgjhC5s8dvBlo5auBymEXnSXRWk
|
||||
g/dMA2ibHaR90DcAC//Tau9dZU64rxbKqmUXgBuT83yPM0J4FAR3NA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2021-12-25T00:52:22Z"
|
||||
mac: ENC[AES256_GCM,data:g6rMFoNx35MN495v1jKB13isssJ3GbKqyI7PdA796leFuRVgAlj6aUBI99vX+SpA1LpBYkUOu6OeV1EOHtpKlchbS4/FnO5oM0AOpoNux9yjQbeC3CM6soUzHn2+cJrnGMlgPC0sX0kcHVTFKF1aJsa+uLlkKD+F1SSJboz+P7c=,iv:i5I8FDU+j7l5UxgurA3Me2b/4zE7W1Ck3ckmQPqKWrM=,tag:gZCL8bo1YVoLZlxjyTupzw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6j84+xkv3y7AQ//fXotd1bN7Mu6+/bEq4mSKH83dnLG83iYknGQeoNA/R03
|
||||
O0y+QMlbOlmxdsot7gV6f9Ajnt7FTJmXBuIzo7Ji6lFWSu9ZUKk0JgXNTpap3kvz
|
||||
IQdBv3YTeYuJTJjPZ+xAfftlCbWhDL5kvvEK64QCLi5iLsAdW0wiAwONhgAflsWu
|
||||
UsiAqkla7JDmFRLu7AbybL0WPPIGbBj6eLws0b0VFSe2kxzs0ccgWUXuRQ3044qv
|
||||
jIg+HMsBiyYy8c2U7XeiJkFDBU5FYs69ipq0TukMfds21ow5/gH62PyNX0Yaqcy2
|
||||
T5tdW1N+/bRZYUgpQNusbHI5XO0dw+BXQlwOE3JsmgA2jYKomk/cPPxijrvnRtZC
|
||||
SuViKAtsrjZC4cOWNVtE1Qvt1rSIbvnV5agACypLp/RJv2bQ9zWFmRnhEkO+/j6+
|
||||
+Fe43/Fwc0GPastLWGGUXxWX6/fgXI1vOKWOunKrKyEabatjyyofXtEK27WRaygm
|
||||
wcVPilOkpk3ROmB3OLgrmWt812a2gP5pMIPvVcB8TiVibP6Ope/JpGdvGuQ2pOXE
|
||||
2vst1t8ScEW/NOfwVGVhbhZC21sozv2M7hCKnH00YE8uIFQnlC4GATazYWIx5LGx
|
||||
aNJZ+5BdSeuQC/8/jlbVVjKNZeZ6vvHeEJIq2+zD+s+moun+a70V0BaBwT5zCcTS
|
||||
XgGLutojrUDSR32vBJsIlBZutlb/VDKmEhJ46FbZqmgyEbROs4XXmE1Uarb6KVsc
|
||||
0MwpZc5YEhBqiBxX5WmWpSnnzRyBomqVIk/EiGjUiiUCRsqt33zgNxdyDJMG7LU=
|
||||
=n/8W
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA8zMZ+ak7y/zAQ//WSYieHrh+Ec9cVG+bMikwbfb2hmyxeR80QskX9iWTx2o
|
||||
DwonZfA3gD1Unwixeo7bghFSULGd319+Ojcptr7dV6xHszq/1ex844O4j02JU39J
|
||||
f5hG3flWw+K71b2hdT7kVvMs+FPuXnbMIVrVtUSM5H8KOy29Vu1CDUEzPU0HzeEz
|
||||
KKfGsZKp4sID7KqLMV1wO/yZEL2v4QMcGwPuZYP/iq1FX9/bTp8cQShTm99k5d6i
|
||||
5BO5IcfrFbY4TgtJg9yjz0aGTfnDZ5915Y5hRfc8vevrsvOeEfRzDEHy7C0/qZtk
|
||||
xF70PG29GuULqpYiIzY1HpeDWk52ZuIVrPTtqkrjf7ECxT9LckysLiuJi24nM22w
|
||||
UMilXQVdWVu73OdOukK3uEdHw0skR81x5cgHH/KDmbToIFE+ujA1di+RKBZup4vj
|
||||
dZkb7evi9oBRjFtrvi7Dg7Nz1DB3ihAWBRMp/jwlOnXbpJQc45snRqzsrF5I01zi
|
||||
2xalS7NukeykavqFK3QHCPJmmq7ByiuuVhX9BBroA37oit5f5guM8ohrer8fR62H
|
||||
b/eQEMhr4VRX7OziNO+Uo06rytwirSsdOfEarEN9qd0xqfTibXv95miAraKC0Q7d
|
||||
kDoJE1Vi0gCOHAkmLqP7KlWwD1bNZD3oT6zIPoPxPviay8vh/BHjo/dZ/VUA9R3S
|
||||
XgESoUbaDMYy57oWZ99XJk1vH9WgjSGASLb8LTnlnVXQRKk+jUFO0idKmZI0kEJR
|
||||
veujut++plGF+K2AFDVi7Xc0z8qneVgVbCpCIQ/0f3AIVaqATPbPq+bs+UJfqnE=
|
||||
=i5Td
|
||||
-----END PGP MESSAGE-----
|
||||
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA45bZkLXmBFpAQgAietGjKoVeI7dRI+RnN2RIrRYaKcar7hjEp5OFXsICHGR
|
||||
FIZWtaXJQr0/Ds/Vk6n6Ynwj9vXEgIi6VKKfil/OKuwKcAj0Lh0B+xSyIywyWaEU
|
||||
ghZnf8HXlG4NQ424PEZnM3FbgWP8VkE95kvz7JpG4tAnZsdw2BNLrruW7WLqmfnT
|
||||
TKNf2K2Uja4fEKKymOOsF5m8Ch+W7ZBwZdkwfa+yj510ytDBfxuioKBR+5pmWLBT
|
||||
U5gNp32WwvEK2vmHmKh1HAg2I0DzdelIMWewIs5+RbNMQYqBG1UFEU6Gc1PJLOe0
|
||||
1zc7BTBRPsMDmlxWssxGnYIkidCWkKWVGYNAZP57F9JeAbnF8rBXAzEHiFaXtGxI
|
||||
wdd+6Z61Y9s5r8xlwac8cBw8XbOgQF1rkq1MbaTg52bn2K7Tt9qCvVNASb983l3M
|
||||
yn3AkV6uxcDODX1Fp3DBDY5+xQOq8rRr/VYTLJTC7A==
|
||||
=gHTB
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwMCBBrc/JA6ARAAoq0Xv9kV5puxY9AYzzSNClxaDoTrADq//TpfSanpZFoQ
|
||||
ji8h6sVWuU5mlXe8Mlw9B2Tra0fJoRJII78YVhn2h+/FEPtEQBZ1H6WxrQj50Ydh
|
||||
EHz8HtDKIZWBBiMaqYnEwhgdHWtbY8sAZXOSmjNON25gp/MAbpjlAlInwkG4AW4+
|
||||
gOq4UZ4WMkziWzIdUiq4y8+4pmZz2AxMj1VGB5jNIp2ljJGKmYPjRtcg2bIz8Ifo
|
||||
I7/7PEac/UChjEqgKeBPVOQo80+1cxNhZMeV8yGtW7izF/Y7E3AqjxH9HYwcN4N+
|
||||
w3lL7Pqsb/EJHjtdPj0EroxCbkXCRHjjYvk0FKX16TIeQ/W7GD1XPit+ACNM9UX0
|
||||
DNZek5GP7QFen7bxIppHjiUvY8BMW4dwXghXzwNgyvt22uYVnPCLFUXBTR1yyNZd
|
||||
8V5QYUvcYdnqCtoBc1P0MBlPDeLsjgeNPE4RMIVE5x5Y7ViMNvzMMsbUDaCZ6u+N
|
||||
abJVsQiTKrgFYMH3anc2S1a0uHsneGeVQ98lCSQOpkAZQQTazAhIBDDPfSRYacL2
|
||||
X3Nj6foYbwkx/Xq3viLYTPOUgOZdbeBS5PHED9Hp0xBngym9+hKuzkkBjKnnzib1
|
||||
ogXVBAY+z6gsVh7/vPMK8MEPUlKyOtBmw32P8whlWUIv5s73JeU7Iszm/07nKCDS
|
||||
mQHUQU2AfTlexyNNnoRrUtCF/X0lFYdpw/6RwZc4ZfwZ5jA2I30IgSLLrFbsRCCa
|
||||
oF8cp4Ayp1NMQF6fb6HeG0vZCO0Bc3O70J35BjEL3G2SE0xzSB2qDS7X0nIHoM/6
|
||||
w2DrDp42jW9+ptoAX3BdF/sBYMULgMUjWkr5KkwDhT3s8vJxwIPJbiMmWTNyKMpW
|
||||
Zi7P5ipGQ24JBw==
|
||||
=Itwc
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA9XEenRNYVGHAQ//QrGHh4qNuj4UnHdyqY9U4cr7nfTrlcpS7DxjfxSuBzIM
|
||||
GyONP3igncH3iPChogLsRRntzP1vkUpgxTXSsY6vRO+ptyncHN5NnAhf//dagh9R
|
||||
cCyGC2FIFwaee2zIoQroIdo5NWsp5ZS8qfQTjwVZjy3REwm4AGdG95ucU3tpXgc2
|
||||
pYZi1vcP22MdzTbmvtm7Zh4GJ2JXdFjj6G0UJa6V8NOL7RQYzCtgZI/46UzTgtOl
|
||||
PVwAzeRX0l0G3yTEhn7XE2tjCP6kKOz/7ORzMLF60Vdq6cBOLGKN8NiERxHuy4Af
|
||||
7fqLyE2sO7dCaCdRRlYd/on5tPdSDhu9eU2ff55M2xjEKWZ0Yztxivd/5/DCUo95
|
||||
3HrhAR0yLnbLftvd2ZL8ahXrZrInFKHbGhreHkSKu9/74j47Xy+tl75vrJboUG4g
|
||||
adzx8hrPX+1a1I+tJXSVKtpnFciKKzvHLK62dMetPcJvtldkRcfpY12TPcOvUsam
|
||||
cKAp3hGckf9l5Z3b5q4KLRrQ73VCmxNZ+lF8EuGpFZ5vqLFfG+Y6DyqDS0FNXGyR
|
||||
wBXx+Zfsx5pfBHhVxiXyzHhA3l5YgYkcuqgHYOIZXp8D9P7UE7R88Tm4f/knu7iB
|
||||
9yY1nV4w307QSm4xBDdFcPP0e+39sSrzZrpER5bhwB/D4VAMJVF+J+BbFilwgorS
|
||||
XgG3TJG835a9GbCZX1203DnjeKw59jw4WAhRpuyL2WN/3/y8M7fRWvQFsgQg8WTM
|
||||
pen8p+QyRhpjTNFlgHjFHAeyDaqsZRPjepuC5eMIWtNOYoswnL89eZDJ2rLb990=
|
||||
=GzQi
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA/Z87ylQaotQAQf9Gu0JS7KLgGm0Gv83OAw5PqEIrTfqELE9e84WCGJVvoLb
|
||||
UKZwzzPwJNHA0EgH5phKOWtN4WvqJtUXZBFbYlky4FyDyCYBolniG2Bt3dlapYje
|
||||
gB8Oc1+OoMcK04o/jTmrN6XBk/Fsm52+zXS91VN6zmyBiUQRzwEaEjq7c80fXLLZ
|
||||
13nQwKlYvfRcKB0uuWXfIweHjJOuErAtCuDJ1mZGjnXjJBZdOrWJHk9T+yFLxIRv
|
||||
6QkJ2focYDDwPleaAmLasnTgXwGaPg3mMDA+TLbz5G4/pdAiFmeEdysQM986uVJp
|
||||
RpZW2HqOTYxpt66VsSfSuRPg9VhQucGmS/MurG93GNJRAROdyA+ngHCvJcfTnkjv
|
||||
M0AEhOOlX4eIiWPZR5SqVc4RQ8lRiDn90IW7Xx+DUvWadMct2iC99TT7VU45Atgg
|
||||
86TZYUxHzvAEmDrxRB3jQ+kH
|
||||
=shWD
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 9EA68B7F21204979645182E4287B083353C3241C
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7ARAAt25Epo+mAOtN81sTWco0wJe7ug5ttw4amOMjgZOYEpIa
|
||||
u5pPv4PBMKsJTMXSht6jWhSVUbNwFcHNdRVhGSz2BI7HfltwsKyd/IwazKC8ZNIf
|
||||
OX1tlQBIRtDFt3uJCxYyTW+PCaFrVQ9hRD/BkohOUBwhr+o2O1to+syhCXObr021
|
||||
GgJwYh4R5yMI8Xg8uOA+pJ0Nfrs2xPcmc1XEWfIoMGWHF6/qTXyM4WtZP0Z2R4R+
|
||||
fbjBYLvecPxtrt/q3hTQAQqspyDgiZv6EYJ0LwIlC/mB9sDYsVn4B32LrVh/VWiE
|
||||
u/8QByU/msAoXdih+1yLaW4CZuQcKjTS5MlkfBph8ThLYUIOtMFYGYRR6g7wp9jF
|
||||
NLR125hMxvSumU9INHF0Fx8M5Rwl0ThcKAxjaNno6G80TcZl91d9M0vbqA5To2bI
|
||||
r84nvDhUpHf1r3XDeq9TKF7uSHGe3XbYJoNV/oqY0s6urdLjfkeyADEMasY3U15Z
|
||||
RNbPzfWtZ0Cc+xspclB3KME1vMf0jdTsZ/NDENZIjDmfkEm9WjsJ00UhiBlCW9CL
|
||||
BfkQr+cY3yl9PR4IuWGtIHhbkf39xfHpPXKvH986eF823bLXwNZMX45Z4qO/vdqf
|
||||
zUxQf7igRXWIrNG0ajlJjc0laDwjF0kj9XliQWaGqXJqRIb13g1KiITejqX1UDfS
|
||||
UQFdCm8iMc+sUHo0xr1H/KsKl5PHMGAPCi7j7QL7ryvZIeBBOiKM6th+Zv5utKHp
|
||||
EM3PoOk60/t5cRT5CvndlJRBvKQc/34bw7WwRZGy+9oYyQ==
|
||||
=qJr9
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2022-07-15T23:31:00Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/YLzOYaRIJJAQ/+MXAF0XruiPUMRxkok5VKbGQ8CEGbMWioZDg3RLAux4uO
|
||||
hJfrlA/BeKmCJvVNB884arkyZo8xIQPdl6dEWMyPvvcwANZivTFaHHZ8vetiEMjs
|
||||
UYb+pM485dogn40stdbfcLXUqXnWq7nGyJ09e4CdEnvcOGnnOpozg11ko/44rPkA
|
||||
Fqly2joKJZJXbeAlJFc1vnmnQxBWZzITK13IfJan0W1IyDHWrLn9q5+O6JgXpq5z
|
||||
8Y73px9ubl2IRU8+3IIJB3Nkp/NywdG6T0uhpFqLXuAkQ193cBA9l8Yrz9h+f8VJ
|
||||
l03Y89lEzAXKW0nsQMm9K1sXR7rRROoEMYelnqhGvCNxlQslIlDSZyxqDlD0yRsy
|
||||
uwKIjRb/w4dIaxF9KxI21xAadNF/pTI2Kz5LQ2xCaStH1QervjQjbYlFBquXr9KK
|
||||
NmHSv/3QD/jyKHQEWLBRfx7fYYyF+SFCp9LGDkkb4Dw27kwPHzJM52f0lKwY0dLY
|
||||
y5/gjFzjUqxTKlOPkPxrDbR7pXkA7IR2oq/6iik8otlUMg32EOG1+Mj5UBg4ggrd
|
||||
lesteD+x/3Op1AYB3NrDEK23+l0Vx06B5MMG4x/iHhgSI3ZdJguKHyXa0YMkkgL+
|
||||
7WI+Nsb2dFlcnVGzCxS5M4QwTPdpfNXihmpo/PpCe3Sjw98+csnDmlGoQMXOyZrS
|
||||
XgGsAxlIUusGvCusw+As/+Gstw7zN17XItmayjgtaNm+x0cuYAqhNe8n8ItP+J4r
|
||||
Pzsm5iqs2mrO68WKNaakzwEvLCreFJComBoifaUHeHd51gT4AMllDwPKmO9CHlw=
|
||||
=UmVj
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
|
@ -1,157 +0,0 @@
|
|||
{ config, pkgs, lib, zentralwerk, ... }:
|
||||
|
||||
let
|
||||
mymqttui = pkgs.writeScriptBin "mqttui" ''
|
||||
export MQTTUI_USERNAME=consumer
|
||||
export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
|
||||
exec ${pkgs.mqttui}/bin/mqttui
|
||||
'';
|
||||
|
||||
fqdn = "broker.serv.zentralwerk.org";
|
||||
|
||||
mqttWebsocketPort = 9001;
|
||||
in
|
||||
{
|
||||
c3d2 = {
|
||||
deployment = {
|
||||
server = "server10";
|
||||
mounts = [ "etc" "var"];
|
||||
};
|
||||
};
|
||||
|
||||
microvm.mem = 1024;
|
||||
|
||||
networking = {
|
||||
hostName = "broker";
|
||||
firewall.allowedTCPPorts = [
|
||||
# nginx
|
||||
80 443
|
||||
# mosquitto
|
||||
1883 8883
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
# runs mainly to obtain a TLS certificate
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.${fqdn} = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/mqtt" = {
|
||||
proxyPass = "http://localhost:${toString mqttWebsocketPort}/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.mosquitto = {
|
||||
enable = true;
|
||||
listeners =
|
||||
let
|
||||
users = {
|
||||
"zentralwerk-network" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
|
||||
acl = [
|
||||
"write #"
|
||||
];
|
||||
};
|
||||
"services" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/services".path;
|
||||
acl = [
|
||||
"write #"
|
||||
];
|
||||
};
|
||||
"consumer" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
|
||||
acl = [
|
||||
"read #"
|
||||
];
|
||||
};
|
||||
"sensors" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/sensors".path;
|
||||
acl = [
|
||||
"write esp-sdk/#"
|
||||
"write esp-proc/#"
|
||||
];
|
||||
};
|
||||
};
|
||||
in [ {
|
||||
address = "0.0.0.0";
|
||||
port = 1883;
|
||||
inherit users;
|
||||
} {
|
||||
address = "::";
|
||||
port = 1883;
|
||||
inherit users;
|
||||
} {
|
||||
address = "0.0.0.0";
|
||||
port = 8883;
|
||||
settings = {
|
||||
certfile = "/run/credentials/mosquitto.service/cert.pem";
|
||||
keyfile = "/run/credentials/mosquitto.service/key.pem";
|
||||
};
|
||||
inherit users;
|
||||
} {
|
||||
address = "::";
|
||||
port = 8883;
|
||||
settings = {
|
||||
certfile = "/run/credentials/mosquitto.service/cert.pem";
|
||||
keyfile = "/run/credentials/mosquitto.service/key.pem";
|
||||
};
|
||||
inherit users;
|
||||
} {
|
||||
settings.protocol = "websockets";
|
||||
address = "::";
|
||||
port = mqttWebsocketPort;
|
||||
inherit users;
|
||||
} ];
|
||||
};
|
||||
systemd.services.mosquitto = {
|
||||
requires = [ "acme-finished-${fqdn}.target" ];
|
||||
serviceConfig.LoadCredential =
|
||||
let
|
||||
certDir = config.security.acme.certs.${fqdn}.directory;
|
||||
in [
|
||||
"cert.pem:${certDir}/fullchain.pem"
|
||||
"key.pem:${certDir}/key.pem"
|
||||
];
|
||||
};
|
||||
security.acme.certs.${fqdn}.postRun = ''
|
||||
systemctl restart mosquitto
|
||||
'';
|
||||
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = let
|
||||
perms = {
|
||||
owner = config.systemd.services.mosquitto.serviceConfig.User;
|
||||
group = config.systemd.services.mosquitto.serviceConfig.Group;
|
||||
mode = "0440";
|
||||
};
|
||||
in
|
||||
{
|
||||
"mosquitto/users/zentralwerk-network" = perms;
|
||||
"mosquitto/users/services" = perms;
|
||||
"mosquitto/users/consumer" = perms;
|
||||
"mosquitto/users/sensors" = perms;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
mymqttui
|
||||
];
|
||||
|
||||
users.motd = ''
|
||||
C3D2 MQTT Broker
|
||||
================
|
||||
|
||||
Use `mqttui` to inspect the data in mosquitto.
|
||||
|
||||
'';
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
}
|
|
@ -1,185 +0,0 @@
|
|||
mosquitto:
|
||||
users:
|
||||
zentralwerk-network: ENC[AES256_GCM,data:VeIDGMe0+YF6eLkTrBsQLg==,iv:h7KcZusBsP3QOWZWhOLOQM5ID1fWdvPkoEYLQn3XruQ=,tag:rcd6CiCauV/FQ8Y6+8FEwA==,type:str]
|
||||
services: ENC[AES256_GCM,data:IJlgEkiND/QjMqBbyXmBTw==,iv:sATxB+Tfr9pLqOCY/jwAjcxaKCcgGhd/vga4e3M9N3Q=,tag:TodfF26KquW3F1KY9R9Wvg==,type:str]
|
||||
consumer: ENC[AES256_GCM,data:m1ae+G/ZsDShSEWnHx4ShA==,iv:GBTRpJbSpnRYjWBttVZq1Qm8YFvhKZfmMwhCZqqBLJ4=,tag:/6uDJ6yRBuQwgPMVyXRQfg==,type:str]
|
||||
sensors: ENC[AES256_GCM,data:psezcKOTU371ec+4YQ9E6Q==,iv:VxD2x6m+gF2kenJ2Ekhe2IvrW0DVP7Ha6UAavaK8/uM=,tag:aTgC5gfWlsVDfo9RWC3FIA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMTM5QjVHYjhUR3BoRWQr
|
||||
dFp0ckQwamJibjhSSUt6d0tyYUR0QVQzNUZBCmJaQ2ZmUGtNTi91a214cjJOQXBh
|
||||
S1U4bkI1QVNJNFhUK3dQdVRuVEhDVUkKLS0tIDZsSFo5MTBoQjY3N2xIVThUczd2
|
||||
SXZGVDdrOEhoTVVFM0FNd0c4N2M2OEEK1iySJYxNPQWUmTz0HGyaQR+QpE8QBRz3
|
||||
cX1805lK2KsOvlxs109B4VA2kK0zGRdLBKyZO2zD7/2RUIPaLyssvg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOVhvOUtQdzJwbmtwL29G
|
||||
NWl4Q0EwVXFGUUdZMTFOZFZ5RG53MkpINGtBCnlvWWhWeU85Q0h6UUFIME1FanMz
|
||||
VGh3M2hGeXB0dzVFUTFjV2ZaRUUyUHcKLS0tIFpCdWo4WWRhdUYvcndjUGttWldh
|
||||
RFpaTGlGaEZrb0YxQzlWeENaTWE1QzQKR0a2MYJJKM1lYv7BJOzzb4ppS+BPnoWZ
|
||||
mVmiPq3CEzzzmus61dUd+i9m1uRn5cf1jmaYxV2desDsU8l08ZOnhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-05T21:22:51Z"
|
||||
mac: ENC[AES256_GCM,data:sA4lWpltQNotBZldLxVALSb4Z7qD/cpVIkIEn0+9ouTSb66rEfEX1z7pQuZxRNkGHPwJ8MXDREplCPBqNMAPwh03OnqxuOKMVr9QZJSLuNlBi/12LOFHxY2AgWXebQlWvNDJXEp1fwrV2ztKg6iGHtD+kMsd/JMybmYPDTMj0VQ=,iv:bvwh0hg7kqQSpJav6i6g5/8FFT1Gs/6YjzZd2hpJSnc=,tag:E8lDOg6lTaX1aOp4vcSIHg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA6j84+xkv3y7ARAAqja72tbrlSZ0dvbXjQoHSThkoZw4fD9r/qGoHh0WgWij
|
||||
EC8TvA/EQgT0PM0LmeM5sbp1gDNmA4g3GuLWCuHryi5U2GibNDNjmx1eTPR5Ak6Y
|
||||
WgMkP8jIy/X0FxHX1d2Ee7RAYOxc7tkXhTjqCtiesGLzzzRna5Hl1huHbBYGxdsB
|
||||
rmieaRitx7jQFlTaox/Rpk5iNvZwxo+C7XJmtfY9gNn/lYn2lYQW8OATWP5uNhBH
|
||||
jG/II/2K7yQ+caK93C7fOFnzOD4TAAlyyLji/s72guZC5HLC+y3krOxDCaxVuzCb
|
||||
3VcvklJG0fmemVOuAvh7o0jazfEVsPPz2Dc2JFnliLQJzpP6N3I7OWTxNxQO9Dql
|
||||
X3oBY41/17muMGZEkr45rEnhFOajWUIFPgFr+u9q/XusjJ0vJpuGQL2s9UeZpFXl
|
||||
4YJgcS9bHhMUpmhDuLbTPWzSnpcRVTm+BahdrBLBcc1vOllclVySOcgHkil17bCY
|
||||
4ISYBv5XEUt7v1CqrmPm1Kvwl+uAbJ7K7Zt4IJGYU3Y0LrfzUwaa0f9d9pdmI8IX
|
||||
iAGsoJ7HLXka4GQ6eT8qKoBHGUchFHcN8T9/hC6ljuSrbZAD1c0TlC1JRmSdNdRd
|
||||
+dyh+aYGf4xIFYMU8mE8dLq0jeo6+YHPQnK2R6sosgPoZf97laHs9il12/BHTS/S
|
||||
UQG89GQQmyyJYzLipfg/MoT+HU0W8AuCwPA5ZRh5yhbeE8uQaKgYWe4VxTd0pB4Y
|
||||
gzRNbyku5KPuknO0jDPhkcK/D8IVBxQwANrCYwqNh844GA==
|
||||
=fNmY
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A5EE826D645DBE35F9B0993358512AE87A69900F
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA8zMZ+ak7y/zAQ//dKe9+VPLWfwnhq3gNfKoEPy1T/ra0yp4LDVO/qunoNRw
|
||||
Uxt/N8cs6y7MBO2cNAxiEPVT4eBBFjt4m2ziSBZ4fa9jhSBjRp+dM7aNj3ojBZjG
|
||||
v0sTDfebiNGHXSMypLMep5oRSbyKmYL+IJ0UdPCUOicIYYMCs2g3PJW3vwKGSBmc
|
||||
EncWZqQ7A5T6ZBbZQYj7bKFONqsP8IRxKJJ9CE1oRWJOugyuu4NnGUkvBniMINPQ
|
||||
j763R6oRXiSvFf12C3wGUOt82So+om8smBwNYupoYZQbpr7VFJgfAO9j4eLHvbXv
|
||||
ZnaKQupyCW3PcHjtBoduZ4IzRkdfXGwP0oW7XS2/oM5WyKvKu/G949ghHkD2ZNHW
|
||||
daFj3lEq1SqAiDMhyQKsEQpUTeGGKIyGu9pyEHuaSieqTBsLAZAPx/Pcz0p/+0Hk
|
||||
kyjhYbhWFDd1QQezsJqZi7DavKgzxdA7H4uQYEygCXzciFsT3TB3203CLthI6bHp
|
||||
7HvtWzXNfA7JHNYRm3XM1Au9qm/e3RvuX/r+0wDfNIP+9mlXaBnBtIdOenWJv7zK
|
||||
4+PLNSYxLRmm/YimGpSP2dB45lN3wHsyUIzRsiz2M44mkBlCKUFgMBMonSGw3kyA
|
||||
biEuntTQ2rbQvfxDhPk/XNrVBu73+CjcMKpmJ/AzwIEEUmSpQMzrckO0E+ADEyHS
|
||||
UQEIvmnMKBxGGpXakpwcTC7LrQjSWrbzjwBiGqGchoj2mfuKIXAWtjDuyrz9f8yJ
|
||||
o7c4Tmrzdr+KEZLri5kES3Cny+c0zDQzeI/FlpjLgtO4Cg==
|
||||
=65BK
|
||||
-----END PGP MESSAGE-----
|
||||
fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA45bZkLXmBFpAQgApl5OISWFwp43XBMIJyw20UKl5TL/CpV8ctVD87z4e9RB
|
||||
cbgb8/phlJYMI2RhaDATDFwuKiL5R4lCJoUg3cQsHjg4q/DCyyIDNoXS2dIqT92N
|
||||
y3AqQvM2qOeVX/lX0gDKd2/mb/lQxN2s9/n/HOXDTTvbr68ygKa0YIq7oMhka4pd
|
||||
Zvw9ZUC6q3kU7IrhPB5UFQ2HYqcyTB/ufXAk0FwedRGTVU1783xv/iaBVfsCdraz
|
||||
8DK5mhOmE8Ul+zcCJd4pISmbqF5YAJ0oqfveDJnLC//sGx2MvnNSIsfOaK7UulgZ
|
||||
fU3sQfoYOaJnin4tpUtDTNn7p/gYBqzpyHOjl0EL+tJRAfoQBcEK930n8O8+ssCQ
|
||||
+N0mAudkaVz5wPQxKLF479uNMIKI2Q6DZJl4csJV+kdcCqN6d8QfzckGau5xiHta
|
||||
CqKJVCNE4d5ymecnLfUKFMpp
|
||||
=sOC0
|
||||
-----END PGP MESSAGE-----
|
||||
fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMAwMCBBrc/JA6ARAAvgT1bBC6OLZhPggmW9SgxHE3dfEObpCgXEzkeSRE0LDb
|
||||
ZSDx6GjiJ6c5YfMGVCA5fBTPBBr8WTmGwNK7LYErJA1sl+5L19Bn+d8tX5AOIPNk
|
||||
lFKytLAombJklB0IZM0+g9bKv0X56AgUjZYmbIikFnGWZGGVdRzLzP527LGDAuJ4
|
||||
gyeHYdvQqmjlAJpjMr/D879Ygcz/FxF2dzsZKJ8G2jaOY0Mi+B17IDzQ3wpUuOJW
|
||||
liOnzMx1bKnlAMm7I+q+YdKav6Jg38km8qCR9cWlpUM67Xjf34E9S4yZsZW+2V0K
|
||||
0ObsnJhtU7+9vs3VnxSnkAe+VcEOGvszjtBPjl6KcRVY6A0SqQq+X6Yj2ZzkuHJK
|
||||
C6va72MkCJOcDJASMqoe/zAJFE9zAaL3x3bpNhVRwdtOk2pcW63KOAMmUbsdcfpS
|
||||
eXhmHdm3D87QRvbCJgjp3zp9OlChrnGPT+uj72tdP5UNQnncjelBI8dCBDg2/Dnm
|
||||
vcTG0bOsuVUFbUR1zLL4K6KKHYIapb5w8tr+5dvNCAu9qjrVjzezxgT49wDF7Y6M
|
||||
34ZrnmnbjvOjVP1NcavAoIuHJ9Jx6SQ2a76A3IWno/IJIGUOH5nFphFn2Waq+ZH/
|
||||
Mo/e6EjZqKDNsDBBhhNNDbyrhc3PUW9Wm2uSVEn9cfvYpj1r7zSW9cKX4/TDerXS
|
||||
UQG6nc1I3Ckak81BKRDXBFZkTMczYogqnbM4FcowGNWkb7IQt0ppamk7d1W2/EwB
|
||||
LzRUDP+ddYb8Px6zmfETxhSeH/o/BBBbJOkvLNxGrbGZUA==
|
||||
=p+ZT
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9XEenRNYVGHAQ/8CeNT3oc9OIqlKB+2+gozhiJlA39Heepzw4UZMgPI+PSo
|
||||
uYVhX8lov9xmyk2tgCbwxl4mL4iCXq3MNpCO5H2zDUTKJxy4TBeRxHs8QjRrFk8h
|
||||
Eh8YKWoukjR/M46nLv4s5y+HTZAb671i5Yk5tgkLrjyGZUnDJIbjW0FafVbUFRYI
|
||||
ykGHxypw3bZ0PtI+PAQhh7GmsbNwX2HvASGFUc6oghGirJUPGn4tFLSDQQx/+JHg
|
||||
OWi8frVD9vPcJEgD3yyBI/RnYTnMQmzJM1wvhH7f29IS9+h9OvGQDhY9fKh9HFOe
|
||||
oVBcilRzl3IACFSc7wPcXQ9VzM+oNb4q1zo4ChejSRtU31F4Ufmgvu9wPKvDXkuI
|
||||
V6XmBx2AC5eDn5aU/4XE8gaA7lxFvP5xGPqv/QQJrV+L6mcbK1lxSLUy47ZSd/xl
|
||||
CaqJ5X9G3b1RvWhJTvOpZoIE3VUeZRVyhFpwFs06CnR+pxjBo9gHNPjwGcRAYkKT
|
||||
XSmGeV26o90YwdJE//RlUIKQ7nS2geFJWttwI8be8CL5eUBwOaBjEN9ttiGkBJCD
|
||||
cKH3SqjpyInwmXmiJLs6IWyDfcEKLP2wTaxeecRZsS5GjAa5aCOk2MNcpANZq43i
|
||||
hcXsfvhNNzHOio8+0qrOjVRqdPFrCM05UjDXrFAavQ/O7WMTDBhxvO8g1UcRFRPS
|
||||
UQHUPsBTibeIc7OI8w/xn1lTUtyJs8o37ZBqD6YgfmcA9ESvKRF3BRxtN+V4pMP9
|
||||
ZDUAU3EKk9pKNtMP1gkALZCFcNZVU1ej5bgoDRqowRq4ww==
|
||||
=TtKA
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcBMA/Z87ylQaotQAQf/Y9Ee7T6j2i4HKW7jejoUxv2b2pI80iCHeJ/olAvOUFi6
|
||||
bO7i5OcxDvs1gtOLxMZXnj09NQUXkMp8Pvzp4g4VkL+/wCyArE7vyVh2VW/AD1ia
|
||||
HAi3VNkVwiX+prZjvUUs7xumMGT4rJiGw601Ds8jVSdIyQt55hd/AKq3n4VMf5MZ
|
||||
BwDZbyuSXpSMYCRlTiH72i1c0lhBOG53W4BOEPGv0sRh4ngrZMDh7BtP2OAVgLE0
|
||||
mHKsTh5loKVsQSfQMGWzIwe/wXkRuiKeBqqgyanO/h8W7PGEj1hTxVRP6zOu4tn5
|
||||
kZWr2U9L5La5X4eSVYnJoHMyhvCOn5PCAODldtsrZ9JRAYBtCSriMIS39Qnu+1XX
|
||||
/Anejs4yrPXhj1Qf61E7IEaRx5us8d5ib831WsJ+Krheq/FUfrb16ebVpR0jdBRd
|
||||
1dVd2PCz7GP+O1jZIMEhDQSX
|
||||
=hsLA
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 9EA68B7F21204979645182E4287B083353C3241C
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA9qJIVK2WMV7AQ/+OJnw2yEBaestKxnyNeUlFR7uWXiCdOl6EC3AcxflnDBU
|
||||
OC6B2ujd2C2KsQPBVpfRTY5CvxpZ2YHu1wu6zTRYnoieMGhQ8FNDoqCY1Y2BtSOF
|
||||
Nn4BsXKDnbqaSJc5uxsIJDbeU8PEJuWGCeKwnMQlK9oOAivmXyWOJaPTLcQaoq3I
|
||||
2QEibE3dOk0qPunN1Ejiyi+wy6jT1WpZQJom80ntjUCNdSTPZhhCcNdsxhDev6Ok
|
||||
pF1ImfyReeDQojSByQ9zAC2dR9JiaJUJiL7P11Le71vFrWClDJ4Rdh7MNmMdu2Nh
|
||||
a6NsPmbe3hbAtVND7XPxAOIndl4PttJoaWj5u5gFwGd6+jmiiQV0p8Y0fB3Sh/3e
|
||||
JVauSnLAjYX3xUWvLtKecr4WJhUH35cXD9uGkF12XJE6KAxYku/TCAbG3xmBsvKI
|
||||
jd2eoWMTj6qyMXCGk2vjByq//M2HkKi5VFzuWgxOBkN9WbNZc8xVaZg+jAIBt90f
|
||||
xE4fLf6FqhMuHtCPq0LzVx/DNSB4+/p+ZdQz/TAvzsIt57l92tDKyHO1UYXn9LkI
|
||||
lNN0JMbUXYBQ5qMHSOxI4vP7Ct7VAn8ZHUsyo5wlFLuYgYvPajFbHeT/3GEH3YEr
|
||||
mkE6JBORTUn8jet29RXmWHs1/CFKYD9cEV1KvYJzuc+C+ADYBurEKej5IeeHZrfS
|
||||
UQECjRI5ggBF9lfvptswB8iVIavEeKztzOsZSgQm4u1Yr+ln21frn4Oq5s8ycKJe
|
||||
9VEN5FgmMQ9pWJXBlu/I0XjRODXIcUj1Rxr9Dt+RcYOqOg==
|
||||
=LHN4
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 53B26AEDC08246715E15504B236B6291555E8401
|
||||
- created_at: "2022-07-15T23:45:57Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
wcFMA/YLzOYaRIJJARAAnXdJXHrbl9k7W3MmwaLZP0fsOUQ5CUl6NAwP4sHTt95M
|
||||
36CeCskem1KAvT/5KlTnxi2O5FkMaYJGd9cqHCmQ1YLRWVGdZ4UAjuY0lr8VN8H0
|
||||
S20Cn7E7eBTJXUp04ndt6ghwZ6QmVPRbrk4fLtquyZduudnem4qdL7LigZ/NxGvd
|
||||
COWSCAhEYlWxDb7ZlYoogovp01qqK+d7LIj6IEL7+k3STi3OWQa2xYNFXMKYMALK
|
||||
MtGsJjKbmUS9UCnq/ccoIh4unpJwkaYVZ62PeNeYEm0slfPUPOI8n2N1F5ICnrpg
|
||||
sXlOaP0SoZ1bysTbNrghefziWnqwMocdQk6KyaqErhe9rnPXxPIEfQZSFvR7JvbC
|
||||
qxM5RFX2122lzD4qrgIC+82u6zEgyP/bjGLVLZZLsHVkLLJXkDTjrKmJrR4tcwPZ
|
||||
gK13HBNZRv92mi5CGBhH6k/J5400oI08QH4XN6lCAvSrWJ9hrOjBppzh+ZmbQjLN
|
||||
6UkBBom+sshyAWbdHAyAoT2uF0T0TQHvYA9IjixVb4Y9vzTkayy/KL+8NiHWhz+/
|
||||
1H/0Dhk6lY9sbYRUG+IzRzJIy4rOOibeGXMRI3GXLJQnZijxngNwmsJQMnszV2d4
|
||||
kBzFCYErx3zRwhMHkLOTqcQ9d/dYrnO1rLkq/pis1A3Bjy6dbq7De+xG440fr/zS
|
||||
UQHshLmiAAZapYqCEWFOzvOfC+kPM4NS4jel7xJ6Ji1jlg4SglEC0zYqVccSzrfy
|
||||
rSfJZyAAN9qFc1JDsdAyaJLxNURVwNpKj+ugPCVtLixzPA==
|
||||
=/TYd
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
|
@ -1,273 +0,0 @@
|
|||
{ zentralwerk, nixpkgs, config, lib, pkgs, ... }:
|
||||
let
|
||||
webroot = "/var/www";
|
||||
geminiRoot = "/var/gemini";
|
||||
deployCommand = "${pkgs.systemd}/bin/systemctl start deploy-c3d2-web.service";
|
||||
in
|
||||
{
|
||||
microvm.vcpu = 8;
|
||||
microvm.mem = 1024;
|
||||
c3d2.deployment = {
|
||||
server = "server10";
|
||||
mounts = [ "etc" "home" "var"];
|
||||
};
|
||||
boot.tmpOnTmpfs = true;
|
||||
system.stateVersion = "22.05";
|
||||
# Network setup
|
||||
networking.hostName = "c3d2-web";
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
# http/https
|
||||
80 443
|
||||
# gemini
|
||||
1965
|
||||
];
|
||||
|
||||
security.acme.certs = {
|
||||
# agate cannot load "ec256" keys
|
||||
"www.c3d2.de".keyType = "rsa4096";
|
||||
};
|
||||
|
||||
# Web server
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
# c3d2
|
||||
"www.c3d2.de" = {
|
||||
default = true;
|
||||
serverAliases = [
|
||||
"c3d2.de"
|
||||
"c3dd.de" "www.c3dd.de" "openpgpkey.c3d2.de"
|
||||
"cccdd.de" "www.cccdd.de"
|
||||
"dresden.ccc.de" "www.dresden.ccc.de"
|
||||
"netzbiotop.org" "www.netzbiotop.org"
|
||||
];
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "${webroot}/c3d2";
|
||||
extraConfig = ''
|
||||
index portal.html index.html;
|
||||
'';
|
||||
locations = {
|
||||
# SpaceAPI
|
||||
"/status.png".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/status.png";
|
||||
"/spaceapi.json".proxyPass = "http://[${config.c3d2.hosts.spaceapi.ip6}]:3000/spaceapi.json";
|
||||
|
||||
# WKD: Web Key Directory for PGP Keys
|
||||
"/openpgp" = {
|
||||
extraConfig = ''
|
||||
autoindex off;
|
||||
default_type "application/octet-stream";
|
||||
add_header Access-Control-Allow-Origin "* always";
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# datenspuren
|
||||
"datenspuren.de" = {
|
||||
serverAliases = [
|
||||
"www.datenspuren.de"
|
||||
"ds.c3d2.de" "datenspuren.c3d2.de"
|
||||
];
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "${webroot}/c3d2/datenspuren";
|
||||
extraConfig = ''
|
||||
index index.html;
|
||||
rewrite ^/$ /2022/ redirect;
|
||||
'';
|
||||
};
|
||||
|
||||
# autotopia
|
||||
"autotopia.c3d2.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "${webroot}/c3d2/autotopia";
|
||||
extraConfig = ''
|
||||
index index.html;
|
||||
rewrite ^/$ /2020/ redirect;
|
||||
'';
|
||||
};
|
||||
|
||||
# hooks, logs
|
||||
"c3d2-web.serv.zentralwerk.org" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = webroot;
|
||||
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
|
||||
};
|
||||
};
|
||||
};
|
||||
# Gemini server
|
||||
services.agate = {
|
||||
enable = true;
|
||||
addresses = [
|
||||
# sysctl net.ipv6.bindv6only = 0
|
||||
"[::]:1965"
|
||||
];
|
||||
certificatesDir = "/var/lib/agate/certificates";
|
||||
contentDir = geminiRoot;
|
||||
language = "de";
|
||||
};
|
||||
# let agate access the tls certs
|
||||
systemd.services.agate = {
|
||||
requires = [ "agate-keys.service" ];
|
||||
after = [ "agate-keys.service" ];
|
||||
serviceConfig = {
|
||||
Group = "keys";
|
||||
};
|
||||
};
|
||||
systemd.services.agate-keys = {
|
||||
path = with pkgs; [ openssl ];
|
||||
script = let
|
||||
stateDir = "/var/lib/agate/certificates";
|
||||
in ''
|
||||
mkdir -p ${stateDir}
|
||||
openssl x509 \
|
||||
-in /var/lib/acme/www.c3d2.de/cert.pem \
|
||||
-out ${stateDir}/cert.der \
|
||||
-outform DER
|
||||
openssl rsa \
|
||||
-in /var/lib/acme/www.c3d2.de/key.pem \
|
||||
-out ${stateDir}/key.der \
|
||||
-outform DER
|
||||
chown root:keys ${stateDir}/*
|
||||
chmod 0640 ${stateDir}/*
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
|
||||
# Build user
|
||||
users.groups.c3d2-web = {};
|
||||
users.users.c3d2-web = {
|
||||
isSystemUser = true;
|
||||
group = "c3d2-web";
|
||||
home = "/var/lib/c3d2-web";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${webroot}/c3d2 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
"d ${webroot}/log 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
"d ${geminiRoot} 0755 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
"d ${config.users.users.c3d2-web.home} 0700 c3d2-web ${config.users.users.c3d2-web.group} -"
|
||||
];
|
||||
|
||||
# Build script
|
||||
systemd.services.deploy-c3d2-web = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
path = with pkgs; [
|
||||
git nix curl
|
||||
(libxslt.override {
|
||||
cryptoSupport = true;
|
||||
}) libxml2 wget rsync gnumake bash
|
||||
];
|
||||
script = ''
|
||||
# Build at least once
|
||||
touch ${config.users.users.c3d2-web.home}/deploy-pending
|
||||
|
||||
status() {
|
||||
curl -X POST \
|
||||
"https://gitea.c3d2.de/api/v1/repos/c3d2/c3d2-web/statuses/$REV?token=${pkgs.c3d2-web.giteaToken}" \
|
||||
-H "Accept: application/json" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$1"
|
||||
}
|
||||
|
||||
if [ ! -d c3d2-web ]; then
|
||||
git clone --depth=1 https://gitea.c3d2.de/c3d2/c3d2-web.git
|
||||
cd c3d2-web
|
||||
else
|
||||
cd c3d2-web
|
||||
git fetch origin
|
||||
git reset --hard origin/master
|
||||
|
||||
# `make export` may have created read-only files,
|
||||
# fix that before cleaning up
|
||||
chmod -R u+w .
|
||||
git clean -d -f -x
|
||||
fi
|
||||
|
||||
# Loop in case the webhook was called while we were building
|
||||
while [ -e ${config.users.users.c3d2-web.home}/deploy-pending ]; do
|
||||
rm ${config.users.users.c3d2-web.home}/deploy-pending
|
||||
git pull
|
||||
REV=$(git rev-parse HEAD)
|
||||
|
||||
# web
|
||||
set +e
|
||||
status "{ \"context\": \"c3d2-web\", \"description\": \"building...\", \"state\": \"pending\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-$REV.txt\"}"
|
||||
|
||||
make -j$(nproc) export DESTDIR=${webroot}/c3d2 \
|
||||
&> ${webroot}/log/build-$REV.txt
|
||||
|
||||
if [ $? = 0 ]; then
|
||||
status "{ \"context\": \"c3d2-web\", \"description\": \"deployed\", \"state\": \"success\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-$REV.txt\"}"
|
||||
else
|
||||
status "{ \"context\": \"c3d2-web\", \"description\": \"build failure\", \"state\": \"failure\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-$REV.txt\"}"
|
||||
fi
|
||||
|
||||
git clean -fx
|
||||
# gemini
|
||||
status "{ \"context\": \"c3d2-gemini\", \"description\": \"building...\", \"state\": \"pending\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-gemini-$REV.txt\"}"
|
||||
|
||||
make -f Makefile.gemini -j$(nproc) export DESTDIR=${geminiRoot} \
|
||||
&> ${webroot}/log/build-gemini-$REV.txt
|
||||
|
||||
if [ $? = 0 ]; then
|
||||
status "{ \"context\": \"c3d2-gemini\", \"description\": \"deployed\", \"state\": \"success\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-gemini-$REV.txt\"}"
|
||||
else
|
||||
status "{ \"context\": \"c3d2-gemini\", \"description\": \"build failure\", \"state\": \"failure\", \"target_url\": \"https://c3d2-web.serv.zentralwerk.org/log/build-gemini-$REV.txt\"}"
|
||||
fi
|
||||
set -e
|
||||
done
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "c3d2-web";
|
||||
Group = config.users.users.c3d2-web.group;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "full";
|
||||
WorkingDirectory = config.users.users.c3d2-web.home;
|
||||
ReadWritePaths = [ webroot config.users.users.c3d2-web.home ];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.deploy-c3d2-web = {
|
||||
partOf = [ "deploy-c3d2-web.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "hourly";
|
||||
};
|
||||
|
||||
security.sudo.extraRules = [ {
|
||||
users = [ "c3d2-web" ];
|
||||
commands = [ {
|
||||
command = deployCommand;
|
||||
options = [ "NOPASSWD" ];
|
||||
} ];
|
||||
} ];
|
||||
|
||||
systemd.services.webhook =
|
||||
let
|
||||
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
|
||||
id = "deploy-c3d2-web";
|
||||
execute-command = pkgs.writeShellScript "deploy-c3d2-web" ''
|
||||
# Request (re-)deployment
|
||||
touch ${config.users.users.c3d2-web.home}/deploy-pending
|
||||
|
||||
# Start deploy-c3d2-web.service if not already running
|
||||
exec /run/wrappers/bin/sudo ${deployCommand}
|
||||
'';
|
||||
} ]);
|
||||
in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
|
||||
User = "c3d2-web";
|
||||
Group = config.users.users.c3d2-web.group;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "full";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -0,0 +1,41 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../../../lib/lxc-container.nix
|
||||
../../../lib/shared.nix
|
||||
../../../lib/admins.nix
|
||||
];
|
||||
|
||||
networking.hostName = "dhcp";
|
||||
networking.defaultGateway = "172.22.99.1";
|
||||
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
|
||||
networking.interfaces.eth0 = {
|
||||
ipv4.addresses = [ {
|
||||
address = "172.22.99.254";
|
||||
prefixLength = 24;
|
||||
} ];
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
];
|
||||
|
||||
# dhcp
|
||||
networking.firewall.allowedUDPPorts = [ 67 68 ];
|
||||
networking.useDHCP = false;
|
||||
|
||||
services.dhcpd4 = {
|
||||
enable = true;
|
||||
interfaces = [ "eth0" ];
|
||||
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
|
|
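Review bot: `extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;` copies the contents of the secrets file into the generated dhcpd.conf, which lands in the world-readable Nix store on the target, so keeping the file in the `secrets` submodule does not keep it off the host's disk. If it only holds subnet and static-host declarations that is acceptable, but any key material in it (a DDNS update key, for instance) would be readable by every local user. If something sensitive must be in there, an `include` of a root-only path deployed out of band is the safer shape; either way a one-line comment above the option stating what the file is expected to contain would make the decision reviewable.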
@ -0,0 +1,207 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, strings, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
systemd = {
|
||||
enableEmergencyMode = false;
|
||||
};
|
||||
# Use the GRUB 2 boot loader.
|
||||
#boot.loader.grub.enable = true;
|
||||
#boot.loader.grub.version = 2;
|
||||
# boot.loader.grub.efiSupport = true;
|
||||
# boot.loader.grub.efiInstallAsRemovable = true;
|
||||
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||
# Define on which hard drive you want to install Grub.
|
||||
#boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
|
||||
|
||||
# networking = {
|
||||
# hostName = "storage2";
|
||||
# interfaces.ens18.ipv4.addresses = [{
|
||||
# address = "172.22.99.20";
|
||||
# prefixLength = 24;
|
||||
# }];
|
||||
# };
|
||||
|
||||
|
||||
networking = {
|
||||
hostName = "storage-ng";
|
||||
# usePredictableInterfacenames = false;
|
||||
interfaces.ens18.ipv4.addresses = [{
|
||||
address = "172.22.99.20";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
interfaces.ens18.ipv6.addresses = [{
|
||||
address= "2a02:8106:208:5201::20";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
|
||||
nameservers = [ "172.20.72.6" "9.9.9.9" "74.82.42.42" ];
|
||||
|
||||
defaultGateway = {
|
||||
address = "172.22.99.1";
|
||||
interface = "ens18";
|
||||
};
|
||||
#defaultGateway6 = {
|
||||
# address = "fe80::a800:42ff:fe7a:3246";
|
||||
# interface = "ens18";
|
||||
#};
|
||||
};
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n = {
|
||||
# consoleFont = "Lat2-Terminus16";
|
||||
# consoleKeyMap = "us";
|
||||
# defaultLocale = "en_US.UTF-8";
|
||||
# };
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget
|
||||
vim
|
||||
screen
|
||||
zsh
|
||||
lftp
|
||||
# ceph
|
||||
lsof
|
||||
psmisc
|
||||
gitAndTools.git-annex
|
||||
gitAndTools.git
|
||||
|
||||
mpv
|
||||
# libmagic how ?
|
||||
];
|
||||
|
||||
services.ceph = {
|
||||
# enable = true;
|
||||
client.enable = true;
|
||||
};
|
||||
|
||||
services.samba = {
|
||||
enable = true;
|
||||
enableNmbd = true;
|
||||
shares = {
|
||||
c3d2 = {
|
||||
browseable = "yes";
|
||||
comment = "Public samba share.";
|
||||
# guest ok = "yes";
|
||||
path = "/mnt/cephfs/c3d2/files";
|
||||
# read only = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# fixme, we need a floating ip here
|
||||
# correct is floating ip 172.22.99.21
|
||||
# does not exist yet
|
||||
|
||||
# secretfile does not work :(
|
||||
|
||||
fileSystems."/mnt/cephfs" = {
|
||||
device = "172.22.99.13:6789:/";
|
||||
fsType = "ceph";
|
||||
options = [ "name=storage2" ("secret=" + (builtins.readFile("/etc/nixos/storage-secret.key"))) "noatime,_netdev" "noauto" "x-systemd.automount" "x-systemd.device-timeout=175" "users" ];
|
||||
};
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
programs.bash.enableCompletion = true;
|
||||
programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
|
||||
services.atftpd = {
|
||||
enable = true;
|
||||
root = "/mnt/cephfs/c3d2/tftp";
|
||||
};
|
||||
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
package = pkgs.nginx.override {
|
||||
modules = with pkgs.nginxModules; [ fancyindex ];
|
||||
};
|
||||
|
||||
virtualHosts = {
|
||||
"storage-ng.hq.c3d2.de" = {
|
||||
root = "/etc/nixos/www";
|
||||
serverAliases = [ "storage" "storage2" "storageng" ];
|
||||
http2 = true;
|
||||
# addSSL = true;
|
||||
locations = {
|
||||
"/c3d2" = {
|
||||
alias = "/mnt/cephfs/c3d2/files/";
|
||||
extraConfig = ''
|
||||
fancyindex on;
|
||||
# autoindex on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# Open ports in the firewall.
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
23
|
||||
80
|
||||
443
|
||||
137 138 445 139 # samba
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
69
|
||||
137 138 445 139 # samba
|
||||
];
|
||||
# Or disable the firewall altogether.
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
# Enable touchpad support.
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Enable the KDE Desktop Environment.
|
||||
# services.xserver.displayManager.sddm.enable = true;
|
||||
# services.xserver.desktopManager.plasma5.enable = true;
|
||||
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
users.extraUsers.k-ot = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = [ "wheel" ];
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
|
||||
}
|
|
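Review bot: `networking.firewall.enable = false;` near the end of the section disables the firewall, so the `allowedTCPPorts`/`allowedUDPPorts` lists just above it are dead configuration; either delete the lists or drop the `enable = false` line and rely on them (if kept, note that 139 and 445 in the UDP list are TCP-only for SMB, and 23 in the TCP list deserves a comment saying what listens there). `("secret=" + (builtins.readFile("/etc/nixos/storage-secret.key")))` reads the CephX key at evaluation time and interpolates it into the mount options, so the key is written into the store-resident fstab/mount unit and is readable by every local user; the comment `# secretfile does not work :(` shows a `secretfile=` option was tried, and debugging that (a root-only file passed by path) is the right direction rather than inlining the secret. The absolute-path `readFile` also makes the evaluation impure, so the build only succeeds on a machine that has that file.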
@ -0,0 +1,12 @@
|
|||
<html>
|
||||
<head><title>storage.hq.c3d2.de</title></head>
|
||||
<body>
|
||||
<h1>storage-ng</h1>
|
||||
services available:
|
||||
<ul>
|
||||
<li><a href="/c3d2">c3d2 files http</a></li>
|
||||
<li>SAMBA/Windows Access: storage-ng.hq.c3d2.de</li>
|
||||
<li>tftp</li>
|
||||
</ul>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,76 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../../../lib/lxc-container.nix
|
||||
../../../lib/shared.nix
|
||||
../../../lib/admins.nix
|
||||
];
|
||||
|
||||
networking.hostName = "grafana";
|
||||
networking.useNetworkd = true;
|
||||
networking.defaultGateway = "172.22.99.4";
|
||||
# Needs IPv4 for obtaining certs?
|
||||
networking.useDHCP = lib.mkForce true;
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
];
|
||||
|
||||
# http https
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
# collectd
|
||||
networking.firewall.allowedUDPPorts = [ 25826 ];
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
agree = true;
|
||||
config = ''
|
||||
grafana.hq.c3d2.de
|
||||
proxy / localhost:3000
|
||||
'';
|
||||
};
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
auth.anonymous = {
|
||||
enable = true;
|
||||
org_name = "Chaos";
|
||||
};
|
||||
users.allowSignUp = true;
|
||||
};
|
||||
services.influxdb =
|
||||
let
|
||||
collectdTypes = pkgs.stdenv.mkDerivation {
|
||||
name = "collectd-types";
|
||||
src = ./.;
|
||||
buildInputs = [ pkgs.collectd ];
|
||||
buildPhase = ''
|
||||
mkdir -p $out/share/collectd
|
||||
cat ${pkgs.collectd}/share/collectd/types.db >> $out/share/collectd/types.db
|
||||
echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
|
||||
'';
|
||||
installPhase = ''
|
||||
cp -r . $out
|
||||
'';
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
extraConfig = {
|
||||
logging.level = "debug";
|
||||
collectd = [{
|
||||
enabled = true;
|
||||
database = "collectd";
|
||||
typesdb = "${collectdTypes}/share/collectd/types.db";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
|
||||
|
|
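Review bot: `users.allowSignUp = true;` combined with `auth.anonymous.enable = true` on a host that opens 80/443 through Caddy means anyone who reaches grafana.hq.c3d2.de can create an account, not merely view dashboards anonymously; unless self-registration is intended, set `users.allowSignUp = false;` and document the anonymous-viewer choice. The influxdb `collectd` block enables the UDP 25826 listener with no `security-level`/`auth-file`, so any host that can reach the port can inject metrics — fine on a trusted LAN, but a comment stating that assumption belongs next to `networking.firewall.allowedUDPPorts = [ 25826 ];`. `logging.level = "debug";` reads like a setup leftover and is noisy in production.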
@ -0,0 +1,27 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ../../lib/lxc-container.nix
|
||||
../../lib/shared.nix
|
||||
];
|
||||
|
||||
networking.hostName = "nixbert"; # Define your hostname.
|
||||
networking.useNetworkd = false;
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim
|
||||
];
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
nix-build -I nixos-config=./lxc-template.nix '<nixpkgs/nixos>' -A config.system.build.tarball
|
|
@ -0,0 +1,31 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ ../../../lib/lxc-container.nix
|
||||
../../../lib/shared.nix
|
||||
../../../lib/admins.nix
|
||||
"${tiggerGit}/module.nix"
|
||||
];
|
||||
|
||||
networking.hostName = "mucbot";
|
||||
networking.useNetworkd = true;
|
||||
networking.defaultGateway = "172.22.99.4";
|
||||
networking.useDHCP = lib.mkForce true;
|
||||
|
||||
services.tigger = {
|
||||
enable = true;
|
||||
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
|
||||
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
|
||||
muc = "c3d2@chat.c3d2.de/Astrobot";
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
|
|
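Review bot: `tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;` fetches an unpinned branch with no hash, and `"${tiggerGit}/module.nix"` imports it as a NixOS module, so whatever that branch holds at evaluation time becomes part of this host's configuration without any diff here; pin it with `builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<rev>.tar.gz"; sha256 = "<hash>"; }` (or `pkgs.fetchFromGitHub` with `rev` and `sha256`) so evaluation is reproducible and upstream changes are deliberate. `password = import ../../../secrets/hosts/mucbot/jabber-password.nix;` hands the password to the module as a Nix value; confirm that the tigger module writes it to a root-only file rather than into a store path, since the store is world-readable.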
@ -0,0 +1,52 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
./proxy.nix
|
||||
];
|
||||
nix.useSandbox = false;
|
||||
nix.maxJobs = lib.mkDefault 2;
|
||||
nix.buildCores = lib.mkDefault 16;
|
||||
|
||||
boot.isContainer = true;
|
||||
# /sbin/init
|
||||
boot.loader.initScript.enable = true;
|
||||
boot.loader.grub.enable = false;
|
||||
|
||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
||||
|
||||
networking.hostName = "public-access-proxy";
|
||||
networking.defaultGateway = { address = "172.22.99.4"; interface = "eth0"; };
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "yes";
|
||||
ports = [ 1122 ];
|
||||
};
|
||||
|
||||
my.services.proxy = {
|
||||
enable = true;
|
||||
proxyHosts = [
|
||||
{
|
||||
hostNames = [ "arkom.men" "c3d2.arkom.men" "test.arkom.men" ];
|
||||
proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
|
||||
}
|
|
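Review bot: `permitRootLogin = "yes";` on the public-facing proxy allows root password logins on port 1122; `permitRootLogin = "prohibit-password";` keeps key-based root access while removing the password-guessing surface, and `passwordAuthentication = false;` closes it for every account. Note that 1122 is not in `networking.firewall.allowedTCPPorts` but the NixOS sshd module opens its configured ports in the firewall by default, so the service is reachable; a comment on the `ports = [ 1122 ];` line stating that this is intentional would make the exposure explicit.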
@ -0,0 +1,125 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.my.services.proxy;
|
||||
|
||||
in {
|
||||
|
||||
options.my.services.proxy = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = "whether to enable proxy";
|
||||
type = types.bool;
|
||||
};
|
||||
|
||||
proxyHosts = mkOption {
|
||||
type = types.listOf (types.submodule (
|
||||
{
|
||||
options = {
|
||||
hostNames = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Proxy these hostNames.
|
||||
'';
|
||||
};
|
||||
proxyTo = mkOption {
|
||||
type = types.submodule (
|
||||
{
|
||||
options = {
|
||||
host = mkOption {
|
||||
type = types.nullOr types.string;
|
||||
default = null;
|
||||
description = ''
|
||||
Host to forward traffic to.
|
||||
Any hostname may only be used once
|
||||
'';
|
||||
};
|
||||
httpPort = mkOption {
|
||||
type = types.int;
|
||||
default = 80;
|
||||
description = ''
|
||||
Port to forward http to.
|
||||
'';
|
||||
};
|
||||
httpsPort = mkOption {
|
||||
type = types.int;
|
||||
default = 443;
|
||||
description = ''
|
||||
Port to forward http to.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
description = ''
|
||||
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
|
||||
}));
|
||||
default = [];
|
||||
example = [
|
||||
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
|
||||
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
resolvers dns
|
||||
nameserver quad9 9.9.9.9:53
|
||||
hold valid 1s
|
||||
|
||||
frontend http-in
|
||||
bind :::80 v4v6
|
||||
default_backend proxy-backend-http
|
||||
|
||||
backend proxy-backend-http
|
||||
timeout connect 5000
|
||||
timeout check 5000
|
||||
timeout client 30000
|
||||
timeout server 30000
|
||||
${concatMapStringsSep "\n" (proxyHost:
|
||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
|
||||
concatMapStringsSep "\n" (hostname: ''
|
||||
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
|
||||
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} resolvers dns check inter 1000
|
||||
''
|
||||
) (proxyHost.hostNames)
|
||||
)
|
||||
) (cfg.proxyHosts)
|
||||
}
|
||||
|
||||
frontend https-in
|
||||
bind :::443 v4v6
|
||||
default_backend proxy-backend-https
|
||||
|
||||
backend proxy-backend-https
|
||||
timeout connect 5000
|
||||
timeout check 5000
|
||||
timeout client 30000
|
||||
timeout server 30000
|
||||
${concatMapStringsSep "\n" (proxyHost:
|
||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
|
||||
concatMapStringsSep "\n" (hostname: ''
|
||||
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
|
||||
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} resolvers dns check inter 1000
|
||||
''
|
||||
) (proxyHost.hostNames)
|
||||
)
|
||||
) (cfg.proxyHosts)
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
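Review bot: `use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }` relies on the TLS ClientHello being buffered when the rule runs, but `frontend https-in` has no `tcp-request inspect-delay 5s` / `tcp-request content accept if { req.ssl_hello_type 1 }` pair, so `req.ssl_sni` may be empty at routing time and the connection may fall through to whichever server is listed first, i.e. a backend belonging to a different hostname. The http-in side has the mirror issue: `req.hdr(host)` is a layer-7 fetch but the generated config declares no `mode http` anywhere, so verify HAProxy accepts this as written rather than warning and ignoring the rule. Two smaller points: `types.nullOr types.string` should be `types.nullOr types.str` to match `hostNames`, and the `httpsPort` description is a copy of the http one and should read `Port to forward https to.`.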
@ -0,0 +1,71 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
c3d2 = {
|
||||
isInHq = true;
|
||||
hq.interface = "eth0";
|
||||
};
|
||||
networking = {
|
||||
hostName = "radius";
|
||||
interfaces.eth0.useDHCP = lib.mkForce true;
|
||||
};
|
||||
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
];
|
||||
nix.useSandbox = false;
|
||||
nix.maxJobs = lib.mkDefault 4;
|
||||
|
||||
boot.isContainer = true;
|
||||
# /sbin/init
|
||||
boot.loader.initScript.enable = true;
|
||||
boot.loader.grub.enable = false;
|
||||
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
|
||||
|
||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
||||
|
||||
networking.hostName = "nixbert"; # Define your hostname.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
networking.useNetworkd = true;
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
# Select internationalisation properties.
|
||||
i18n = {
|
||||
defaultLocale = "en_US.UTF-8";
|
||||
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
wget vim
|
||||
git freeradius
|
||||
];
|
||||
|
||||
services.freeradius.enable = true;
|
||||
services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Create a few files early before packing tarball for Proxmox
|
||||
# architecture/OS detection.
|
||||
system.extraSystemBuilderCmds =
|
||||
''
|
||||
mkdir -m 0755 -p $out/bin
|
||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||
mkdir -m 0755 -p $out/sbin
|
||||
ln -s ../init $out/sbin/init
|
||||
'';
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "18.09"; # Did you read the comment?
|
||||
}
|
||||
|
|
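Review bot: `networking.hostName` is defined twice in this file with equal priority — `hostName = "radius";` inside the `networking = { … }` block and `networking.hostName = "nixbert"; # Define your hostname.` further down — so evaluation fails with conflicting definitions; drop the `nixbert` line, which is a template leftover. `services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";` points the daemon at a path inside a git checkout under /root rather than at a store path derived from this repository, so the running config is whatever happens to be checked out there and is invisible to the generation's rollback; a comment stating why the directory is not copied into the closure would help, as would noting that this makes the committed `freeradius/` tree (including the private key added in the later sections) the material the daemon reads.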
@ -0,0 +1,23 @@
|
|||
#
|
||||
# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $
|
||||
#
|
||||
# This is like the 'users' file, but it is processed only for
|
||||
# accounting packets.
|
||||
#
|
||||
|
||||
# Select between different accounting methods based for example on the
|
||||
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
|
||||
# pairs contained in an accounting packet.
|
||||
#
|
||||
#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
|
||||
#
|
||||
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
|
||||
#
|
||||
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
|
||||
#
|
||||
#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
|
||||
|
||||
# Replace the User-Name with the Stripped-User-Name, if it exists.
|
||||
#
|
||||
#DEFAULT
|
||||
# User-Name := "%{Stripped-User-Name:-%{User-Name}}"
|
|
@ -0,0 +1,129 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
|
||||
#
|
||||
# This file contains security and configuration information
|
||||
# for each realm. The first field is the realm name and
|
||||
# can be up to 253 characters in length. This is followed (on
|
||||
# the next line) with the list of filter rules to be used to
|
||||
# decide what attributes and/or values we allow proxy servers
|
||||
# to pass to the NAS for this realm.
|
||||
#
|
||||
# When a proxy-reply packet is received from a home server,
|
||||
# these attributes and values are tested. Only the first match
|
||||
# is used unless the "Fall-Through" variable is set to "Yes".
|
||||
# In that case the rules defined in the DEFAULT case are
|
||||
# processed as well.
|
||||
#
|
||||
# A special realm named "DEFAULT" matches on all realm names.
|
||||
# You can have only one DEFAULT entry. All entries are processed
|
||||
# in the order they appear in this file. The first entry that
|
||||
# matches the login-request will stop processing unless you use
|
||||
# the Fall-Through variable.
|
||||
#
|
||||
# Indented (with the tab character) lines following the first
|
||||
# line indicate the filter rules.
|
||||
#
|
||||
# You can include another `attrs' file with `$INCLUDE attrs.other'
|
||||
#
|
||||
|
||||
#
|
||||
# This is a complete entry for realm "fisp". Note that there is no
|
||||
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||
# server will NOT allow any other a/v pairs other than the ones
|
||||
# listed here.
|
||||
#
|
||||
# These rules allow:
|
||||
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
|
||||
# o PPP sessions ( no SLIP, CSLIP, etc. )
|
||||
# o dynamic ip assignment ( can't assign a static ip )
|
||||
# o an idle timeout value set to 600 seconds (10 min) or less
|
||||
# o a max session time set to 28800 seconds (8 hours) or less
|
||||
#
|
||||
#fisp
|
||||
# Service-Type == Framed-User,
|
||||
# Framed-Protocol == PPP,
|
||||
# Framed-IP-Address == 255.255.255.254,
|
||||
# Idle-Timeout <= 600,
|
||||
# Session-Timeout <= 28800
|
||||
|
||||
#
|
||||
# This is a complete entry for realm "tisp". Note that there is no
|
||||
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||
# server will NOT allow any other a/v pairs other than the ones
|
||||
# listed here.
|
||||
#
|
||||
# These rules allow:
|
||||
# o Only Login-User Service-Type ( no framed/ppp sessions )
|
||||
# o Telnet sessions only ( no rlogin, tcp-clear )
|
||||
# o Login hosts of either 192.168.1.1 or 192.168.1.2
|
||||
#
|
||||
#tisp
|
||||
# Service-Type == Login-User,
|
||||
# Login-Service == Telnet,
|
||||
# Login-TCP-Port == 23,
|
||||
# Login-IP-Host == 192.168.1.1,
|
||||
# Login-IP-Host == 192.168.1.2
|
||||
|
||||
#
|
||||
# The following example can be used for a home server which is only
|
||||
# allowed to supply a Reply-Message, a Session-Timeout attribute of
|
||||
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
|
||||
# Acct-Interim-Interval attribute between 300 and 3600.
|
||||
# All other attributes sent back will be filtered out.
|
||||
#
|
||||
#strictrealm
|
||||
# Reply-Message =* ANY,
|
||||
# Session-Timeout <= 86400,
|
||||
# Idle-Timeout <= 600,
|
||||
# Acct-Interim-Interval >= 300,
|
||||
# Acct-Interim-Interval <= 3600
|
||||
|
||||
#
|
||||
# This is a complete entry for realm "spamrealm". Fall-Through is used,
|
||||
# so that the DEFAULT filter rules are used in addition to these.
|
||||
#
|
||||
# These rules allow:
|
||||
# o Force the application of Filter-ID attribute to be returned
|
||||
# in the proxy reply, whether the proxy sent it or not.
|
||||
# o The standard DEFAULT rules as defined below
|
||||
#
|
||||
#spamrealm
|
||||
# Framed-Filter-Id := "nosmtp.in",
|
||||
# Fall-Through = Yes
|
||||
|
||||
#
|
||||
# The rest of this file contains the DEFAULT entry.
|
||||
# DEFAULT matches with all realm names. (except if the realm previously
|
||||
# matched an entry with no Fall-Through)
|
||||
#
|
||||
|
||||
DEFAULT
|
||||
Service-Type == Framed-User,
|
||||
Service-Type == Login-User,
|
||||
Login-Service == Telnet,
|
||||
Login-Service == Rlogin,
|
||||
Login-Service == TCP-Clear,
|
||||
Login-TCP-Port <= 65536,
|
||||
Framed-IP-Address == 255.255.255.254,
|
||||
Framed-IP-Netmask == 255.255.255.255,
|
||||
Framed-Protocol == PPP,
|
||||
Framed-Protocol == SLIP,
|
||||
Framed-Compression == Van-Jacobson-TCP-IP,
|
||||
Framed-MTU >= 576,
|
||||
Framed-Filter-ID =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
Proxy-State =* ANY,
|
||||
EAP-Message =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
MS-MPPE-Recv-Key =* ANY,
|
||||
MS-MPPE-Send-Key =* ANY,
|
||||
MS-CHAP-MPPE-Keys =* ANY,
|
||||
State =* ANY,
|
||||
Session-Timeout <= 28800,
|
||||
Idle-Timeout <= 600,
|
||||
Calling-Station-Id =* ANY,
|
||||
Operator-Name =* ANY,
|
||||
Port-Limit <= 2
|
|
@ -0,0 +1,19 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $
|
||||
#
|
||||
# This configuration file is used to remove almost all of the
|
||||
# attributes From an Access-Challenge message. The RFC's say
|
||||
# that an Access-Challenge packet can contain only a few
|
||||
# attributes. We enforce that here.
|
||||
#
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
Proxy-State =* ANY,
|
||||
Session-Timeout =* ANY,
|
||||
Idle-Timeout =* ANY
|
|
@ -0,0 +1,17 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $
|
||||
#
|
||||
# This configuration file is used to remove almost all of the attributes
|
||||
# From an Access-Reject message. The RFC's say that an Access-Reject
|
||||
# packet can contain only a few attributes. We enforce that here.
|
||||
#
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
MS-CHAP-Error =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $
|
||||
#
|
||||
# This configuration file is used to remove almost all of the attributes
|
||||
# From an Accounting-Response message. The RFC's say that an
|
||||
# Accounting-Response packet can contain only a few attributes.
|
||||
# We enforce that here.
|
||||
#
|
||||
DEFAULT
|
||||
Vendor-Specific =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -0,0 +1,62 @@
|
|||
#
|
||||
# Configuration file for the rlm_attr_filter module.
|
||||
# Please see rlm_attr_filter(5) manpage for more information.
|
||||
#
|
||||
# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $
|
||||
#
|
||||
# This file contains security and configuration information
|
||||
# for each realm. It can be used be an rlm_attr_filter module
|
||||
# instance to filter attributes before sending packets to the
|
||||
# home server of a realm.
|
||||
#
|
||||
# When a packet is sent to a home server, these attributes
|
||||
# and values are tested. Only the first match is used unless
|
||||
# the "Fall-Through" variable is set to "Yes". In that case
|
||||
# the rules defined in the DEFAULT case are processed as well.
|
||||
#
|
||||
# A special realm named "DEFAULT" matches on all realm names.
|
||||
# You can have only one DEFAULT entry. All entries are processed
|
||||
# in the order they appear in this file. The first entry that
|
||||
# matches the login-request will stop processing unless you use
|
||||
# the Fall-Through variable.
|
||||
#
|
||||
# The first line indicates the realm to which the rules apply.
|
||||
# Indented (with the tab character) lines following the first
|
||||
# line indicate the filter rules.
|
||||
#
|
||||
|
||||
# This is a complete entry for 'nochap' realm. It allows to send very
|
||||
# basic attributes to the home server. Note that there is no Fall-Through
|
||||
# entry so that no DEFAULT entry will be used. Only the listed attributes
|
||||
# will be sent in the packet, all other attributes will be filtered out.
|
||||
#
|
||||
#nochap
|
||||
# User-Name =* ANY,
|
||||
# User-Password =* ANY,
|
||||
# NAS-Ip-Address =* ANY,
|
||||
# NAS-Identifier =* ANY
|
||||
|
||||
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
|
||||
# if its value is different from 'Ethernet'. Then the default rules are
|
||||
# applied.
|
||||
#
|
||||
#brokenas
|
||||
# NAS-Port-Type == Ethernet
|
||||
# Fall-Through = Yes
|
||||
|
||||
# The rest of this file contains the DEFAULT entry.
|
||||
# DEFAULT matches with all realm names.
|
||||
|
||||
DEFAULT
|
||||
User-Name =* ANY,
|
||||
User-Password =* ANY,
|
||||
CHAP-Password =* ANY,
|
||||
CHAP-Challenge =* ANY,
|
||||
MS-CHAP-Challenge =* ANY,
|
||||
MS-CHAP-Response =* ANY,
|
||||
EAP-Message =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
State =* ANY,
|
||||
NAS-IP-Address =* ANY,
|
||||
NAS-Identifier =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,3AD0523FFE8CE8B72DF17107DF07836B
|
||||
|
||||
e0kcoXFr/E2N762180rPOSAeXsWDY2Ej2iv3XD7VYblSK0ChdXfdGmIqoauUlwIn
|
||||
K6WQ9E6tZFkYtnjFK3Sf7npjqqH8vYA0JewEBoLgA5/upA/ZYXZNXGqF5Xqs0q78
|
||||
314bOFsCy3Mb034OBPemQ8QY2zjsKvQJBQkzEujNDUfnSE7nKP7lZHIVhIeO8ec0
|
||||
GfjQ1sE4hACGhINdLdjZAT0UIxYgW8LARbaGt23H6SKOlVvCobCjzetRckVYBdt5
|
||||
8+m6Unx6z9L938koqUgbN8CJVv6FT5Sgk0fYJCRCEMKuMTDluSEAPFctKetn7eVy
|
||||
mZY7WaxkbUZhGv4v9+VPuKmCfjlquMK9nKBQskOJNF4fiiWH17920K1hye513+iY
|
||||
Q7GyTMywZqgirIjzusbeacXQ7MtZmlVlbIlwx2mh0edD73wQ1u42Wbhnxv1Sd4+M
|
||||
57WGefprxh7XtX3G92joVIRt8Em+tsYnhZ0LdKEChIX6Fnrewr/uWdKcCjazksLX
|
||||
fi1KVyDa4VVfZzgYRBxMXLBRY4l8g/JMRXI6pOEigzkpfnhVQS/pVWTTf35cJyMw
|
||||
YSsWs9J8WzNb37SuZqNnKPcZCaf8F66TEeu4jigMtjgt1LwXo2biPUwsyiVq/VCT
|
||||
pnfJho9OHVfDmplETeanpXTn902Z4ji173iFGe8E1MCqUARiHwtSFIHyCKCKvX7Z
|
||||
9MnydV75V/JlvL4Tp+x/+h6HKjeDkdQW1kL469DOtvVJLN2nxq969m0ztIntj98B
|
||||
UVNNQjIbwbVq2JQBdd3jDiDtFGPu+cZmX5/+boxb/Q0hHthf9Z/XfMiQUHyTOUI1
|
||||
LSOaH2tp0r1N0/C5BxNaqPaauyXEK4S96/YR071rjjWQBiF2qXQHOC3pjSFdrvVb
|
||||
tZaqNbSvNgxqJhU8u5gf/fKOtMK2XMjzkk8E8jcwAY4gU3c72N17xlBRA2H9FM7B
|
||||
DfjzNRcyCD39jyM+gfiudczBgarmonMQlTt153cR7UvZ3zZ7YmVWvSQ1hxy0deuT
|
||||
OqfpSR/lgoIaXEW1igdyaMlXPetnTCMi1CaTzD7A80yJeWpK6abOxGk5O9mwwpUu
|
||||
02YMas9ETsbnElMscQTYPpDui/0ZXX9gjNEpP03ZEkixr++QUkN3EA76A+i06GDE
|
||||
3R+4W1GFn8uRrnruyciSR+e/S7g4M5Q99c7QCp9CdsPGKKMe681hj7SqylToNSwB
|
||||
9DKNo+3QIIRupxkYcpyZBLnofRqiKbd3pcdnAUO6/15WBoiz0sqDnSbUIKf4eWmO
|
||||
nzRVaA9cJ/6RF3hZ7++om/vbX7rskthZeGGvwZpRNIqwBsA0lHLZ5inB/dsChRTy
|
||||
oMBX6zcPIyUWo9e0NOJqYTMmsBVA1QeAywzAJo/jRWL6mA8NT/97KizqYS1ZlcjU
|
||||
PhT/v80l5hWrOzB+URZkBOo3ygkntScj/gxqLsisdrHP9YbOIkhRWSBWzWXGywXy
|
||||
8PqoOZF1NB2pTuSP7z0THtxKn4B/mq15Lg+26YZgauVWlf8MY8FOOaDBeRGyJ9W7
|
||||
pbqktLIQ0zPRfF+CGVmTC62Bfcsb+DNXowvgU5DlN8hJ0rMmJYbcyJyWmwyWWKtX
|
||||
-----END RSA PRIVATE KEY-----
|
|
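Review bot: This section commits an RSA private key (`-----BEGIN RSA PRIVATE KEY-----`, `Proc-Type: 4,ENCRYPTED`, `DEK-Info: AES-256-CBC,…`) to the repository; the legacy OpenSSL PEM encryption derives its key from the passphrase with a single MD5 pass, and the passphrase itself has to sit somewhere FreeRADIUS can read it, so once the file is in git history the key should be treated as exposed. The same commit adds a `secrets` submodule, which is where this file belongs, but removing it from history after the fact is unreliable — the realistic remedy is to generate a fresh key, reissue the certificate in the following section for it, and retire this pair. Whether the passphrase is referenced from the committed freeradius configuration cannot be seen in this hunk and should be checked.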
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIID5TCCAs2gAwIBAgIJAKA5akuqlUzKMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
|
||||
VQQGEwJERTEQMA4GA1UECAwHU2FjaHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsG
|
||||
A1UECgwEQzNEMjENMAsGA1UECwwEQzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMz
|
||||
ZDIuZGUxGzAZBgkqhkiG9w0BCQEWDG1haWxAYzNkMi5kZTAeFw0xNTA2MDYxOTA5
|
||||
MjFaFw0yNTA2MDMxOTA5MjFaMIGIMQswCQYDVQQGEwJERTEQMA4GA1UECAwHU2Fj
|
||||
aHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsGA1UECgwEQzNEMjENMAsGA1UECwwE
|
||||
QzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMzZDIuZGUxGzAZBgkqhkiG9w0BCQEW
|
||||
DG1haWxAYzNkMi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPRR
|
||||
Xf+pocIFjZGeSuo+LM7/lqnQ96Pc2g9cTXlxoeCFP1akwYUzDl1ZqvUZsC3hKKkB
|
||||
EjmI2VB4rjIgT9Z/57aQ7jYYp1B6ivQDapKSqpKFL6s0VzDljrzOmxvGQFXyV88X
|
||||
TiMkwmtmS2Bj62poWhSlpQk9sPaioz8SDrJtBxM9fNSbM1ED9rRXGWlSwEVBzeUp
|
||||
YaNWYCc3CPYLIhNZmtFhAhNmzw/tIx5+MRa/hkEarbyToZ7EceTMJ4KflBBLXQzY
|
||||
s2PLYkRbZMBUlRM7HDZVx6F8OPusnG1luB2LX/kQCvYuFk6BiBdussOFLD0swdtd
|
||||
rK820j6dIAJbbxSfy90CAwEAAaNQME4wHQYDVR0OBBYEFDHshd+TNUAwSY0+cpaH
|
||||
HDQaOXwnMB8GA1UdIwQYMBaAFDHshd+TNUAwSY0+cpaHHDQaOXwnMAwGA1UdEwQF
|
||||
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADc7I4dtsIhSN0jDs0iavwBT13a1sslp
|
||||
e2gwDdcTh0xAVmmrq84JY6uIoMjLrx+roE3vn+oLHP8qrlw4snbOc0mo04o2lMza
|
||||
DepLQoBtnMNaUTSOHt1avvP8bhFTE0c0MlFAInC1MpqO5mtRwpays/f1Hc+iEOmx
|
||||
o3iHLpdKpeEfFxFZVNsJKva/A2DlLVqTdH/UvTdnoxwvSRzzEBP3plqdNSFsg5XZ
|
||||
oGNSsoNT6k2cFjQtxRdrKk+qggbPuPbTC5fXWOTlu4A2eVmW0XfT4eZ9z8QRe7dA
|
||||
uGOcC1XiDLmIon9q5KIH3k3TiL5hELJu2BvatxJaOpwGR1pbcooZaI0=
|
||||
-----END CERTIFICATE-----
|
|
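Review bot: This certificate appears to be the self-signed CA (subject and issuer both `CN=radius.hq.c3d2.de`, with `basicConstraints CA:TRUE`) and its notAfter decodes to 2025-06-03, so the validity window is the thing to raise: once it lapses every EAP-TLS/TTLS client that pins this CA will fail to connect, and the eap.conf in the same change notes that radiusd itself refuses to start on an expired server certificate (L12775-L12802). Nothing in the change records that date or a renewal procedure; I would add a `certs/README` (the eap.conf already points readers there, L12325) stating the expiry, the command to check it (`openssl x509 -noout -enddate -in ca.pem`), and who regenerates it, and put the date into whatever monitoring the operators have. A ten-year self-signed CA is also long for an EAP CA; when it is reissued, a shorter lifetime with `basicConstraints` marked critical would be the usual choice. The fields above are read from the base64 and should be confirmed with `openssl x509 -text` before anyone relies on them.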
@ -0,0 +1,5 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIGHAoGBAKNmmoE+doPb+VmQlXOqsXcVX5ciwWyf+QsdEVyyic6fZUMWbAvFwDN1
|
||||
hnT5HbpWkCnwU5H27st8+SluOMGfjiwmhtn5TZqX1b0bOWH+UeT1iRLBaClZNNCx
|
||||
MDWIVbk1cpnNszsMPGhjMrQwN06bZFPwFBS8+smgrDnQoN1BkPPjAgEC
|
||||
-----END DH PARAMETERS-----
|
|
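Review bot: These DH parameters appear to be a 1024-bit group (the modulus is 129 bytes long, matching the `openssl dhparam -out certs/dh 1024` recipe quoted in eap.conf at L12525), which is below the 2048-bit minimum that current TLS guidance and newer OpenSSL security levels enforce, and a group that size is within reach of Logjam-style precomputation for a well-funded attacker. Regenerate it with `openssl dhparam -out dh 2048` (or larger) before it ships, or drop finite-field DH ciphersuites altogether, since `ecdh_curve = "prime256v1"` is already configured (L12828) and gives forward secrecy without this file. The parameters are public data, so the file is fine to keep in git; only its strength is the issue.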
@ -0,0 +1,18 @@
|
|||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIC1jCCAb4CAQAwgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAw
|
||||
DgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIw
|
||||
IAYDVQQDDBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkB
|
||||
FgxtYWlsQGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm
|
||||
yrdjj+J2xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZM
|
||||
w/0bnHRkzubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCY
|
||||
rtJX/Yqk/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3
|
||||
NBR5yyA2Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lO
|
||||
yK3CYl2i2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrn
|
||||
ukPf/XhKQp3pPKctUUBBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAE4GoYZ/w
|
||||
Jf4rSuS6j/Sq4v4pUIoU3tZd3UvjG5jj34XZFvTNzKHdazS7VYyFjukMPSv+WljV
|
||||
v2v6xn62RjRHXvRu4/fXBvyAcxdQngf892BYGTVxB3OMVE1JCyc2xARh6gcOvrfC
|
||||
wwOIYw4Wc5xZ8JjmhK/9zyuVVSOEcV03LY7kSYFrwTgs/k/+Cv2Myimlc+n0r76/
|
||||
iDHU+8R0O/yD5dkDdJ/GFr9d09OoF+6WQc9pRVloHxQut9YS0C5P03+Xw9CUhRGB
|
||||
L7n+k6eqzE2Fi43nTqb9KrBaTi/RdYht1DdaVxgJ1n/INqaeORqiAjyAmvuooBTF
|
||||
jSbFtdKfURnjOQ==
|
||||
-----END CERTIFICATE REQUEST-----
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03
|
||||
|
||||
77B64GyVzF3TkltnC8nZaZENB1zCl626Bi3NcjpszsIw/LnOC8bn2MjiEQwoNXOI
|
||||
GxcjUSyzB9v++/qMbvPIQ2hJXd7aayu0OWbLoFjyISqQDZhxMNwTlr0ZPppH2LoC
|
||||
HXQV8BKSMkxN2SMNyLdZt6pfpKtyOBUKoy7jDCCiaTEamvGtGKyhgQZVpyPrz8lS
|
||||
BFpUR2czPggFu8WsJ5jov7k7rEkuUMFvsNDRajRMwSzr9z6ESmEc9AavB9/t1TZ8
|
||||
M9eEgp65QUBcDzDVvP05pjwF+4wgqabC41k3EMiA2LLlFIn5Bvamq1Sj3DLdWIQE
|
||||
fzgw8NM2JRF3CZdFt/rAVoCIcpNx7kcWu8UCpdHYmlB+VwIYnrUWngT5kaMp2vvu
|
||||
B235/QffgANfB560dIP4Z2CnZI1SLyhTJPLTmwO/XWOtuoQso5nfxtHNq/IwrUA1
|
||||
jxedKG9AkBQQPsHAErZnxoFotK//zyggx6S41SjnMFWr1PrscU3mA+A+UvwLP7Bu
|
||||
gmw1oIDWL3sZ5B7KQJ2FC6ryjyoQiSI/AK8Gk0Ryhf1oUhgguxUDnWSKqrxEoeHJ
|
||||
S635pYjlDVyhU3ct9BWbFBOzdYPZBIQHPfB/lvmbl6lsFA5oOgCvZHDrBSytiSIc
|
||||
0k5cjhhQanvPRVu8ulIiHNnMFGuvX1rzh0im4IrITK7YtHj65I1gCIU4gFrfXk6T
|
||||
QtPZoaa5F4VV5BdyljF7t+yFzVthrbPb/MVjWJgC4j40fICmA8x5TTl//HGg41AN
|
||||
yJcn3295GlTQ/EagxEfWAiy38+1IGwTsNFFHxaTYGoIMON06HTegFH39MmTOBl2G
|
||||
mmk4d+m/A3KEZ1Le16xZCc7QjQRwMUMzHk4w3FfvkKSDj4Li8xFbKv4zUrXx++Q7
|
||||
mm5owtMWrit7bAbDli9hpGe+AsQGXIsHPC3i/wsm64niWiTcBK3TO5sF/3n0nNVb
|
||||
MkdVA9OaBpXG8XjHdK62HylaOHpyNB7kEhRjcTT2EKZZ10DcQpPDvJhx8lkvauww
|
||||
ubVZHBPqIXdI/L7H/6hqyxe0S0IPtoQpgEr/1lyUWQZtiDyFrQ1ySCY1HGwXtmWa
|
||||
fUP6TyZQogdND8GhzhEFY4J/FWUM8k5VowzuxYnUGEKKERDwDaQwNRoi+L9fiiKh
|
||||
nNmTOHCIoxCfN9+H8sVtPiliPr1x4G3aeegsEJfKnmDP5gyj02tOYb2IpqhSsdCZ
|
||||
qXQ2AuUq42dq5YeQA0KVRD6hiK9L+sO5BSCrr2dtF6SAK+00/CL42EP2ee+C65kW
|
||||
ksxGssmtGrcjcIW9niHx9acGTgDJ6nBK9zawQkNkF8pr8GUNyAsY5+nGy3H4EsO0
|
||||
XtszaUyT/xnSwZV+OGLIRP10lCiWPtU+Axay3DjUrxmbzzWZ3XmIbNRrYN2gxZ3b
|
||||
eA1QJE2kFwmZfngDqTu9uACHINwegj9juCDCOHLYF3shiOgqEsRypCaTYfZKoZY6
|
||||
feelUSD5Xs86ezKO2KxU1Pan9pZCnKUtJ+lpmlqyQIB+DEKJpNabHIXECMIwnxzK
|
||||
ftpahPFJDFWqguh1BeFZTCtb9qlDcXLMFac9aTMoK5KWQ3ed9gucvKHUm6G57zB8
|
||||
-----END RSA PRIVATE KEY-----
|
|
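Review bot: This second private key has the same problem as the first one in this change: it is committed to the repo under the legacy PEM scheme (`DEK-Info: AES-256-CBC,…`, one MD5 round of EVP_BytesToKey), and eap.conf publishes the passphrase for `${certdir}/server.key` as `private_key_password = c3d2` (L12420). Which of the two keys is server.key cannot be told from this view, but a four-character passphrase protects neither of them against offline guessing. Rotate both keys and reissue the certificates, and keep the replacements out of git; if one of these is the CA key that signed the certificates in this change, it should not be on the RADIUS host at all, since the server only needs the public `ca.pem` (`CA_file = ${cadir}/ca.pem`, L12508) to verify clients.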
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjjCCAnYCAQEwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAkRFMRAwDgYD
|
||||
VQQIDAdTYWNoc2VuMRAwDgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0w
|
||||
CwYDVQQLDARDM0QyMRowGAYDVQQDDBFyYWRpdXMuaHEuYzNkMi5kZTEbMBkGCSqG
|
||||
SIb3DQEJARYMbWFpbEBjM2QyLmRlMB4XDTE1MDYwNjE5MTAzNloXDTI1MDYwMzE5
|
||||
MTAzNlowgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAwDgYDVQQH
|
||||
DAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIwIAYDVQQD
|
||||
DBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkBFgxtYWls
|
||||
QGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmyrdjj+J2
|
||||
xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZMw/0bnHRk
|
||||
zubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCYrtJX/Yqk
|
||||
/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3NBR5yyA2
|
||||
Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lOyK3CYl2i
|
||||
2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrnukPf/XhK
|
||||
Qp3pPKctUUBBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJdpPd8HTJwOfjD0COUw
|
||||
NBlPh7amQeASg0Gzz6w1NFZtVkUrnlp638pjsMsi6ldwwmNyWY5VA9TwwDTOxm9X
|
||||
CacG2tEirGwIHsrOo4BBMSrMu7V2ts+IIv92C5kgmFU2vbs2jKquepKt4zsOfwd2
|
||||
X+5qF/5qr3BkOIE6pc00IE9rRyzcE0KvaEEVHlvc/oS8f2F8lYRpJNjFNmW1jKs9
|
||||
TaLQWG7a0Wy97IWk1kcW5XymjAq4UJjcbPWm+zZVUJq21wlHHLnkbP6KeqY0RE7R
|
||||
wyq3yVAZTzXimfmwiQgGFA8P5pwrYkXcA342J+IgeblRgsT/6Lirfyd05ctQc3yL
|
||||
NBU=
|
||||
-----END CERTIFICATE-----
|
|
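Review bot: The certificate here decodes to an X.509 v1 certificate (no version field, serial 1) for `CN=anybert.radius.hq.c3d2.de`, issued by the CA in this change, with no extensions at all: no subjectAltName, no `extendedKeyUsage = serverAuth`, no keyUsage. Current supplicants are increasingly strict about EAP server certificates (Windows and Apple clients look for the serverAuth EKU, recent Android releases refuse to connect without a validated server name), so users will either be rejected or be told to disable certificate validation, which removes the protection TLS is supposed to give EAP-TTLS/PEAP. Its notAfter also appears to be 2025-06-03, the same day as the CA's. When it is reissued, sign from a v3 extensions section with `subjectAltName = DNS:anybert.radius.hq.c3d2.de`, `extendedKeyUsage = serverAuth` and `keyUsage = digitalSignature, keyEncipherment`; the fields above are read from the base64 and worth confirming with `openssl x509 -text -noout`.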
@ -0,0 +1,247 @@
|
|||
# -*- text -*-
|
||||
##
|
||||
## clients.conf -- client configuration directives
|
||||
##
|
||||
## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Define RADIUS clients (usually a NAS, Access Point, etc.).
|
||||
|
||||
#
|
||||
# Defines a RADIUS client.
|
||||
#
|
||||
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
|
||||
# to allow testing of the server after an initial installation. If you
|
||||
# are not going to be permitting RADIUS queries from localhost, we suggest
|
||||
# that you delete, or comment out, this entry.
|
||||
#
|
||||
#
|
||||
|
||||
#
|
||||
# Each client has a "short name" that is used to distinguish it from
|
||||
# other clients.
|
||||
#
|
||||
# In version 1.x, the string after the word "client" was the IP
|
||||
# address of the client. In 2.0, the IP address is configured via
|
||||
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
|
||||
# format is still accepted.
|
||||
#
|
||||
client localhost {
|
||||
# Allowed values are:
|
||||
# dotted quad (1.2.3.4)
|
||||
# hostname (radius.example.com)
|
||||
ipaddr = 127.0.0.1
|
||||
|
||||
# OR, you can use an IPv6 address, but not both
|
||||
# at the same time.
|
||||
# ipv6addr = :: # any. ::1 == localhost
|
||||
|
||||
#
|
||||
# A note on DNS: We STRONGLY recommend using IP addresses
|
||||
# rather than host names. Using host names means that the
|
||||
# server will do DNS lookups when it starts, making it
|
||||
# dependent on DNS. i.e. If anything goes wrong with DNS,
|
||||
# the server won't start!
|
||||
#
|
||||
# The server also looks up the IP address from DNS once, and
|
||||
# only once, when it starts. If the DNS record is later
|
||||
# updated, the server WILL NOT see that update.
|
||||
#
|
||||
|
||||
# One client definition can be applied to an entire network.
|
||||
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
|
||||
# "netmask = 8"
|
||||
#
|
||||
# If not specified, the default netmask is 32 (i.e. /32)
|
||||
#
|
||||
# We do NOT recommend using anything other than 32. There
|
||||
# are usually other, better ways to achieve the same goal.
|
||||
# Using netmasks of other than 32 can cause security issues.
|
||||
#
|
||||
# You can specify overlapping networks (127/8 and 127.0/16)
|
||||
# In that case, the smallest possible network will be used
|
||||
# as the "best match" for the client.
|
||||
#
|
||||
# Clients can also be defined dynamically at run time, based
|
||||
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
|
||||
# etc.
|
||||
# See raddb/sites-available/dynamic-clients for details.
|
||||
#
|
||||
|
||||
# netmask = 32
|
||||
|
||||
#
|
||||
# The shared secret use to "encrypt" and "sign" packets between
|
||||
# the NAS and FreeRADIUS. You MUST change this secret from the
|
||||
# default, otherwise it's not a secret any more!
|
||||
#
|
||||
# The secret can be any string, up to 8k characters in length.
|
||||
#
|
||||
# Control codes can be entered vi octal encoding,
|
||||
# e.g. "\101\102" == "AB"
|
||||
# Quotation marks can be entered by escaping them,
|
||||
# e.g. "foo\"bar"
|
||||
#
|
||||
# A note on security: The security of the RADIUS protocol
|
||||
# depends COMPLETELY on this secret! We recommend using a
|
||||
# shared secret that is composed of:
|
||||
#
|
||||
# upper case letters
|
||||
# lower case letters
|
||||
# numbers
|
||||
#
|
||||
# And is at LEAST 8 characters long, preferably 16 characters in
|
||||
# length. The secret MUST be random, and should not be words,
|
||||
# phrase, or anything else that is recognizable.
|
||||
#
|
||||
# The default secret below is only for testing, and should
|
||||
# not be used in any real environment.
|
||||
#
|
||||
secret = testing123
|
||||
|
||||
#
|
||||
# Old-style clients do not send a Message-Authenticator
|
||||
# in an Access-Request. RFC 5080 suggests that all clients
|
||||
# SHOULD include it in an Access-Request. The configuration
|
||||
# item below allows the server to require it. If a client
|
||||
# is required to include a Message-Authenticator and it does
|
||||
# not, then the packet will be silently discarded.
|
||||
#
|
||||
# allowed values: yes, no
|
||||
require_message_authenticator = no
|
||||
|
||||
#
|
||||
# The short name is used as an alias for the fully qualified
|
||||
# domain name, or the IP address.
|
||||
#
|
||||
# It is accepted for compatibility with 1.x, but it is no
|
||||
# longer necessary in 2.0
|
||||
#
|
||||
# shortname = localhost
|
||||
|
||||
#
|
||||
# the following three fields are optional, but may be used by
|
||||
# checkrad.pl for simultaneous use checks
|
||||
#
|
||||
|
||||
#
|
||||
# The nastype tells 'checkrad.pl' which NAS-specific method to
|
||||
# use to query the NAS for simultaneous use.
|
||||
#
|
||||
# Permitted NAS types are:
|
||||
#
|
||||
# cisco
|
||||
# computone
|
||||
# livingston
|
||||
# juniper
|
||||
# max40xx
|
||||
# multitech
|
||||
# netserver
|
||||
# pathras
|
||||
# patton
|
||||
# portslave
|
||||
# tc
|
||||
# usrhiper
|
||||
# other # for all other types
|
||||
|
||||
#
|
||||
nastype = other # localhost isn't usually a NAS...
|
||||
|
||||
#
|
||||
# The following two configurations are for future use.
|
||||
# The 'naspasswd' file is currently used to store the NAS
|
||||
# login name and password, which is used by checkrad.pl
|
||||
# when querying the NAS for simultaneous use.
|
||||
#
|
||||
# login = !root
|
||||
# password = someadminpas
|
||||
|
||||
#
|
||||
# As of 2.0, clients can also be tied to a virtual server.
|
||||
# This is done by setting the "virtual_server" configuration
|
||||
# item, as in the example below.
|
||||
#
|
||||
# virtual_server = home1
|
||||
|
||||
#
|
||||
# A pointer to the "home_server_pool" OR a "home_server"
|
||||
# section that contains the CoA configuration for this
|
||||
# client. For an example of a coa home server or pool,
|
||||
# see raddb/sites-available/originate-coa
|
||||
# coa_server = coa
|
||||
}
|
||||
|
||||
# IPv6 Client
|
||||
#client ::1 {
|
||||
# secret = testing123
|
||||
# shortname = localhost
|
||||
#}
|
||||
#
|
||||
# All IPv6 Site-local clients
|
||||
#client fe80::/16 {
|
||||
# secret = testing123
|
||||
# shortname = localhost
|
||||
#}
|
||||
|
||||
#client some.host.org {
|
||||
# secret = testing123
|
||||
# shortname = localhost
|
||||
#}
|
||||
|
||||
#
|
||||
# You can now specify one secret for a network of clients.
|
||||
# When a client request comes in, the BEST match is chosen.
|
||||
# i.e. The entry from the smallest possible network.
|
||||
#
|
||||
#client 192.168.0.0/24 {
|
||||
# secret = testing123-1
|
||||
# shortname = private-network-1
|
||||
#}
|
||||
#
|
||||
#client 192.168.0.0/16 {
|
||||
# secret = testing123-2
|
||||
# shortname = private-network-2
|
||||
#}
|
||||
|
||||
|
||||
#client 10.10.10.10 {
|
||||
# # secret and password are mapped through the "secrets" file.
|
||||
# secret = testing123
|
||||
# shortname = liv1
|
||||
# # the following three fields are optional, but may be used by
|
||||
# # checkrad.pl for simultaneous usage checks
|
||||
# nastype = livingston
|
||||
# login = !root
|
||||
# password = someadminpas
|
||||
#}
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Per-socket client lists. The configuration entries are exactly
|
||||
# the same as above, but they are nested inside of a section.
|
||||
#
|
||||
# You can have as many per-socket client lists as you have "listen"
|
||||
# sections, or you can re-use a list among multiple "listen" sections.
|
||||
#
|
||||
# Un-comment this section, and edit a "listen" section to add:
|
||||
# "clients = per_socket_clients". That IP address/port combination
|
||||
# will then accept ONLY the clients listed in this section.
|
||||
#
|
||||
#clients per_socket_clients {
|
||||
# client 192.168.3.4 {
|
||||
# secret = testing123
|
||||
# }
|
||||
#}
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
|
||||
client any {
|
||||
ipaddr 0.0.0.0/0
|
||||
secret = public
|
||||
nastype = other
|
||||
require_message_authenticator = no
|
||||
}
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
# EOF
|
|
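Review bot: The `client any` block at the end of the file (L11837-L11852) accepts requests from `0.0.0.0/0` with the shared secret `public` and `require_message_authenticator = no`, so anyone who can reach the RADIUS port can send Access-Requests, forge responses to any NAS that shares that secret, and drive the EAP state machine; the file's own commentary calls any netmask other than 32 a security issue (L11318) and says the protocol's security rests entirely on the secret (L11394-L11397). The `ipaddr 0.0.0.0/0` line is also missing the `=` that every other directive uses (`ipaddr = 127.0.0.1`, L11243); I would expect the config parser to reject it and refuse to start, and if it is accepted the result is a world-open client, so it needs fixing either way. Restrict the client to the access points' subnet, use a long random secret delivered from outside the repo, and require Message-Authenticator, which is also the mitigation for the BlastRADIUS response-forgery attack: `ipaddr = <AP subnet>`, `secret = <random 32+ character value, not stored in git>`, `require_message_authenticator = yes`. The `localhost` client above still carries the stock `secret = testing123` (L11439) despite the warning above it; change it, or delete the block if nothing on the host talks to radiusd.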
@ -0,0 +1,32 @@
|
|||
#
|
||||
# This is the master dictionary file, which references the
|
||||
# pre-defined dictionary files included with the server.
|
||||
#
|
||||
# Any new/changed attributes MUST be placed in this file, as
|
||||
# the pre-defined dictionaries SHOULD NOT be edited.
|
||||
#
|
||||
# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
|
||||
#
|
||||
|
||||
#
|
||||
# The filename given here should be an absolute path.
|
||||
#
|
||||
$INCLUDE /usr/share/freeradius/dictionary
|
||||
|
||||
#
|
||||
# Place additional attributes or $INCLUDEs here. They will
|
||||
# over-ride the definitions in the pre-defined dictionaries.
|
||||
#
|
||||
# See the 'man' page for 'dictionary' for information on
|
||||
# the format of the dictionary files.
|
||||
|
||||
#
|
||||
# If you want to add entries to the dictionary file,
|
||||
# which are NOT going to be placed in a RADIUS packet,
|
||||
# add them here. The numbers you pick should be between
|
||||
# 3000 and 4000.
|
||||
#
|
||||
|
||||
#ATTRIBUTE My-Local-String 3000 string
|
||||
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
|
||||
#ATTRIBUTE My-Local-Integer 3002 integer
|
|
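Review bot: `$INCLUDE /usr/share/freeradius/dictionary` (L11904) hard-codes an FHS install path; if the freeradius this config is deployed with is not installed under `/usr` (a container built from a package store rather than a distro package would have no such path), radiusd fails at startup with a missing-dictionary error, and nothing in this file documents where the path is expected to come from. Since the dictionary loader needs an absolute path here (the file's own comment, L11898), the fix belongs in the build: substitute the actual package share directory into this line at deploy time, and add a comment above it such as `# path is substituted at build time; must point at the installed freeradius dictionary`. If the path is in fact correct for this host, a one-line comment saying so would save the next reader the same question.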
@ -0,0 +1,688 @@
|
|||
# -*- text -*-
|
||||
##
|
||||
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
|
||||
##
|
||||
## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
|
||||
# is smart enough to figure this out on its own. The most
|
||||
# common side effect of setting 'Auth-Type := EAP' is that the
|
||||
# users then cannot use ANY other authentication method.
|
||||
#
|
||||
# EAP types NOT listed here may be supported via the "eap2" module.
|
||||
# See experimental.conf for documentation.
|
||||
#
|
||||
eap {
|
||||
# Invoke the default supported EAP type when
|
||||
# EAP-Identity response is received.
|
||||
#
|
||||
# The incoming EAP messages DO NOT specify which EAP
|
||||
# type they will be using, so it MUST be set here.
|
||||
#
|
||||
# For now, only one default EAP type may be used at a time.
|
||||
#
|
||||
# If the EAP-Type attribute is set by another module,
|
||||
# then that EAP type takes precedence over the
|
||||
# default type configured here.
|
||||
#
|
||||
default_eap_type = ttls
|
||||
|
||||
# A list is maintained to correlate EAP-Response
|
||||
# packets with EAP-Request packets. After a
|
||||
# configurable length of time, entries in the list
|
||||
# expire, and are deleted.
|
||||
#
|
||||
timer_expire = 60
|
||||
|
||||
# There are many EAP types, but the server has support
|
||||
# for only a limited subset. If the server receives
|
||||
# a request for an EAP type it does not support, then
|
||||
# it normally rejects the request. By setting this
|
||||
# configuration to "yes", you can tell the server to
|
||||
# instead keep processing the request. Another module
|
||||
# MUST then be configured to proxy the request to
|
||||
# another RADIUS server which supports that EAP type.
|
||||
#
|
||||
# If another module is NOT configured to handle the
|
||||
# request, then the request will still end up being
|
||||
# rejected.
|
||||
ignore_unknown_eap_types = no
|
||||
|
||||
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
|
||||
# a User-Name attribute in an Access-Accept, it copies one
|
||||
# more byte than it should.
|
||||
#
|
||||
# We can work around it by configurably adding an extra
|
||||
# zero byte.
|
||||
cisco_accounting_username_bug = no
|
||||
|
||||
#
|
||||
# Help prevent DoS attacks by limiting the number of
|
||||
# sessions that the server is tracking. For simplicity,
|
||||
# this is taken from the "max_requests" directive in
|
||||
# radiusd.conf.
|
||||
max_sessions = ${max_requests}
|
||||
|
||||
# Supported EAP-types
|
||||
|
||||
#
|
||||
# We do NOT recommend using EAP-MD5 authentication
|
||||
# for wireless connections. It is insecure, and does
|
||||
# not provide for dynamic WEP keys.
|
||||
#
|
||||
md5 {
|
||||
}
|
||||
|
||||
# Cisco LEAP
|
||||
#
|
||||
# We do not recommend using LEAP in new deployments. See:
|
||||
# http://www.securiteam.com/tools/5TP012ACKE.html
|
||||
#
|
||||
# Cisco LEAP uses the MS-CHAP algorithm (but not
|
||||
# the MS-CHAP attributes) to perform it's authentication.
|
||||
#
|
||||
# As a result, LEAP *requires* access to the plain-text
|
||||
# User-Password, or the NT-Password attributes.
|
||||
# 'System' authentication is impossible with LEAP.
|
||||
#
|
||||
leap {
|
||||
}
|
||||
|
||||
# Generic Token Card.
|
||||
#
|
||||
# Currently, this is only permitted inside of EAP-TTLS,
|
||||
# or EAP-PEAP. The module "challenges" the user with
|
||||
# text, and the response from the user is taken to be
|
||||
# the User-Password.
|
||||
#
|
||||
# Proxying the tunneled EAP-GTC session is a bad idea,
|
||||
# the users password will go over the wire in plain-text,
|
||||
# for anyone to see.
|
||||
#
|
||||
gtc {
|
||||
# The default challenge, which many clients
|
||||
# ignore..
|
||||
#challenge = "Password: "
|
||||
|
||||
# The plain-text response which comes back
|
||||
# is put into a User-Password attribute,
|
||||
# and passed to another module for
|
||||
# authentication. This allows the EAP-GTC
|
||||
# response to be checked against plain-text,
|
||||
# or crypt'd passwords.
|
||||
#
|
||||
# If you say "Local" instead of "PAP", then
|
||||
# the module will look for a User-Password
|
||||
# configured for the request, and do the
|
||||
# authentication itself.
|
||||
#
|
||||
auth_type = PAP
|
||||
}
|
||||
|
||||
## EAP-TLS
|
||||
#
|
||||
# See raddb/certs/README for additional comments
|
||||
# on certificates.
|
||||
#
|
||||
# If OpenSSL was not found at the time the server was
|
||||
# built, the "tls", "ttls", and "peap" sections will
|
||||
# be ignored.
|
||||
#
|
||||
# Otherwise, when the server first starts in debugging
|
||||
# mode, test certificates will be created. See the
|
||||
# "make_cert_command" below for details, and the README
|
||||
# file in raddb/certs
|
||||
#
|
||||
# These test certificates SHOULD NOT be used in a normal
|
||||
# deployment. They are created only to make it easier
|
||||
# to install the server, and to perform some simple
|
||||
# tests with EAP-TLS, TTLS, or PEAP.
|
||||
#
|
||||
# See also:
|
||||
#
|
||||
# http://www.dslreports.com/forum/remark,9286052~mode=flat
|
||||
#
|
||||
# Note that you should NOT use a globally known CA here!
|
||||
# e.g. using a Verisign cert as a "known CA" means that
|
||||
# ANYONE who has a certificate signed by them can
|
||||
# authenticate via EAP-TLS! This is likely not what you want.
|
||||
tls {
|
||||
#
|
||||
# These is used to simplify later configurations.
|
||||
#
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
|
||||
private_key_password = c3d2
|
||||
private_key_file = ${certdir}/server.key
|
||||
|
||||
# If Private key & Certificate are located in
|
||||
# the same file, then private_key_file &
|
||||
# certificate_file must contain the same file
|
||||
# name.
|
||||
#
|
||||
# If CA_file (below) is not used, then the
|
||||
# certificate_file below MUST include not
|
||||
# only the server certificate, but ALSO all
|
||||
# of the CA certificates used to sign the
|
||||
# server certificate.
|
||||
certificate_file = ${certdir}/server.pem
|
||||
|
||||
# Trusted Root CA list
|
||||
#
|
||||
# ALL of the CA's in this list will be trusted
|
||||
# to issue client certificates for authentication.
|
||||
#
|
||||
# In general, you should use self-signed
|
||||
# certificates for 802.1x (EAP) authentication.
|
||||
# In that case, this CA file should contain
|
||||
# *one* CA certificate.
|
||||
#
|
||||
# This parameter is used only for EAP-TLS,
|
||||
# when you issue client certificates. If you do
|
||||
# not use client certificates, and you do not want
|
||||
# to permit EAP-TLS authentication, then delete
|
||||
# this configuration item.
|
||||
CA_file = ${cadir}/ca.pem
|
||||
|
||||
#
|
||||
# For DH cipher suites to work, you have to
|
||||
# run OpenSSL to create the DH file first:
|
||||
#
|
||||
# openssl dhparam -out certs/dh 1024
|
||||
#
|
||||
dh_file = ${certdir}/dh
|
||||
random_file = /dev/urandom
|
||||
|
||||
|
||||
#
|
||||
# This can never exceed the size of a RADIUS
|
||||
# packet (4096 bytes), and is preferably half
|
||||
# that, to accomodate other attributes in
|
||||
# RADIUS packet. On most APs the MAX packet
|
||||
# length is configured between 1500 - 1600
|
||||
# In these cases, fragment size should be
|
||||
# 1024 or less.
|
||||
#
|
||||
fragment_size = 1024
|
||||
|
||||
# include_length is a flag which is
|
||||
# by default set to yes If set to
|
||||
# yes, Total Length of the message is
|
||||
# included in EVERY packet we send.
|
||||
# If set to no, Total Length of the
|
||||
# message is included ONLY in the
|
||||
# First packet of a fragment series.
|
||||
#
|
||||
# include_length = yes
|
||||
|
||||
# Check the Certificate Revocation List
|
||||
#
|
||||
# 1) Copy CA certificates and CRLs to same directory.
|
||||
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||
# 'c_rehash' is OpenSSL's command.
|
||||
# 3) uncomment the line below.
|
||||
# 5) Restart radiusd
|
||||
# check_crl = yes
|
||||
CA_path = ${cadir}
|
||||
|
||||
#
|
||||
# If check_cert_issuer is set, the value will
|
||||
# be checked against the DN of the issuer in
|
||||
# the client certificate. If the values do not
|
||||
# match, the cerficate verification will fail,
|
||||
# rejecting the user.
|
||||
#
|
||||
# In 2.1.10 and later, this check can be done
|
||||
# more generally by checking the value of the
|
||||
# TLS-Client-Cert-Issuer attribute. This check
|
||||
# can be done via any mechanism you choose.
|
||||
#
|
||||
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||
|
||||
#
|
||||
# If check_cert_cn is set, the value will
|
||||
# be xlat'ed and checked against the CN
|
||||
# in the client certificate. If the values
|
||||
# do not match, the certificate verification
|
||||
# will fail rejecting the user.
|
||||
#
|
||||
# This check is done only if the previous
|
||||
# "check_cert_issuer" is not set, or if
|
||||
# the check succeeds.
|
||||
#
|
||||
# In 2.1.10 and later, this check can be done
|
||||
# more generally by checking the value of the
|
||||
# TLS-Client-Cert-CN attribute. This check
|
||||
# can be done via any mechanism you choose.
|
||||
#
|
||||
# check_cert_cn = %{User-Name}
|
||||
#
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
cipher_list = "DEFAULT"
|
||||
|
||||
#
|
||||
# As part of checking a client certificate, the EAP-TLS
|
||||
# sets some attributes such as TLS-Client-Cert-CN. This
|
||||
# virtual server has access to these attributes, and can
|
||||
# be used to accept or reject the request.
|
||||
#
|
||||
# virtual_server = check-eap-tls
|
||||
|
||||
# This command creates the initial "snake oil"
|
||||
# certificates when the server is run as root,
|
||||
# and via "radiusd -X".
|
||||
#
|
||||
# As of 2.1.11, it *also* checks the server
|
||||
# certificate for validity, including expiration.
|
||||
# This means that radiusd will refuse to start
|
||||
# when the certificate has expired. The alternative
|
||||
# is to have the 802.1X clients refuse to connect
|
||||
# when they discover the certificate has expired.
|
||||
#
|
||||
# Debugging client issues is hard, so it's better
|
||||
# for the server to print out an error message,
|
||||
# and refuse to start.
|
||||
#
|
||||
make_cert_command = "${certdir}/bootstrap"
|
||||
|
||||
#
|
||||
# Elliptical cryptography configuration
|
||||
#
|
||||
# Only for OpenSSL >= 0.9.8.f
|
||||
#
|
||||
ecdh_curve = "prime256v1"
|
||||
|
||||
#
|
||||
# Session resumption / fast reauthentication
|
||||
# cache.
|
||||
#
|
||||
# The cache contains the following information:
|
||||
#
|
||||
# session Id - unique identifier, managed by SSL
|
||||
# User-Name - from the Access-Accept
|
||||
# Stripped-User-Name - from the Access-Request
|
||||
# Cached-Session-Policy - from the Access-Accept
|
||||
#
|
||||
# The "Cached-Session-Policy" is the name of a
|
||||
# policy which should be applied to the cached
|
||||
# session. This policy can be used to assign
|
||||
# VLANs, IP addresses, etc. It serves as a useful
|
||||
# way to re-apply the policy from the original
|
||||
# Access-Accept to the subsequent Access-Accept
|
||||
# for the cached session.
|
||||
#
|
||||
# On session resumption, these attributes are
|
||||
# copied from the cache, and placed into the
|
||||
# reply list.
|
||||
#
|
||||
# You probably also want "use_tunneled_reply = yes"
|
||||
# when using fast session resumption.
|
||||
#
|
||||
cache {
|
||||
#
|
||||
# Enable it. The default is "no".
|
||||
# Deleting the entire "cache" subsection
|
||||
# Also disables caching.
|
||||
#
|
||||
# You can disallow resumption for a
|
||||
# particular user by adding the following
|
||||
# attribute to the control item list:
|
||||
#
|
||||
# Allow-Session-Resumption = No
|
||||
#
|
||||
# If "enable = no" below, you CANNOT
|
||||
# enable resumption for just one user
|
||||
# by setting the above attribute to "yes".
|
||||
#
|
||||
enable = no
|
||||
|
||||
#
|
||||
# Lifetime of the cached entries, in hours.
|
||||
# The sessions will be deleted after this
|
||||
# time.
|
||||
#
|
||||
lifetime = 24 # hours
|
||||
|
||||
#
|
||||
# The maximum number of entries in the
|
||||
# cache. Set to "0" for "infinite".
|
||||
#
|
||||
# This could be set to the number of users
|
||||
# who are logged in... which can be a LOT.
|
||||
#
|
||||
max_entries = 255
|
||||
}
|
||||
|
||||
#
|
||||
# As of version 2.1.10, client certificates can be
|
||||
# validated via an external command. This allows
|
||||
# dynamic CRLs or OCSP to be used.
|
||||
#
|
||||
# This configuration is commented out in the
|
||||
# default configuration. Uncomment it, and configure
|
||||
# the correct paths below to enable it.
|
||||
#
|
||||
verify {
|
||||
# A temporary directory where the client
|
||||
# certificates are stored. This directory
|
||||
# MUST be owned by the UID of the server,
|
||||
# and MUST not be accessible by any other
|
||||
# users. When the server starts, it will do
|
||||
# "chmod go-rwx" on the directory, for
|
||||
# security reasons. The directory MUST
|
||||
# exist when the server starts.
|
||||
#
|
||||
# You should also delete all of the files
|
||||
# in the directory when the server starts.
|
||||
# tmpdir = /tmp/radiusd
|
||||
|
||||
# The command used to verify the client cert.
|
||||
# We recommend using the OpenSSL command-line
|
||||
# tool.
|
||||
#
|
||||
# The ${..CA_path} text is a reference to
|
||||
# the CA_path variable defined above.
|
||||
#
|
||||
# The %{TLS-Client-Cert-Filename} is the name
|
||||
# of the temporary file containing the cert
|
||||
# in PEM format. This file is automatically
|
||||
# deleted by the server when the command
|
||||
# returns.
|
||||
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
|
||||
}
|
||||
|
||||
#
|
||||
# OCSP Configuration
|
||||
# Certificates can be verified against an OCSP
|
||||
# Responder. This makes it possible to immediately
|
||||
# revoke certificates without the distribution of
|
||||
# new Certificate Revokation Lists (CRLs).
|
||||
#
|
||||
ocsp {
|
||||
#
|
||||
# Enable it. The default is "no".
|
||||
# Deleting the entire "ocsp" subsection
|
||||
# Also disables ocsp checking
|
||||
#
|
||||
enable = no
|
||||
|
||||
#
|
||||
# The OCSP Responder URL can be automatically
|
||||
# extracted from the certificate in question.
|
||||
# To override the OCSP Responder URL set
|
||||
# "override_cert_url = yes".
|
||||
#
|
||||
override_cert_url = yes
|
||||
|
||||
#
|
||||
# If the OCSP Responder address is not
|
||||
# extracted from the certificate, the
|
||||
# URL can be defined here.
|
||||
|
||||
#
|
||||
# Limitation: Currently the HTTP
|
||||
# Request is not sending the "Host: "
|
||||
# information to the web-server. This
|
||||
# can be a problem if the OCSP
|
||||
# Responder is running as a vhost.
|
||||
#
|
||||
url = "http://127.0.0.1/ocsp/"
|
||||
|
||||
#
|
||||
# If the OCSP Responder can not cope with nonce
|
||||
# in the request, then it can be disabled here.
|
||||
#
|
||||
# For security reasons, disabling this option
|
||||
# is not recommended as nonce protects against
|
||||
# replay attacks.
|
||||
#
|
||||
# Note that Microsoft AD Certificate Services OCSP
|
||||
# Responder does not enable nonce by default. It is
|
||||
# more secure to enable nonce on the responder than
|
||||
# to disable it in the query here.
|
||||
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
|
||||
#
|
||||
# use_nonce = yes
|
||||
|
||||
#
|
||||
# Number of seconds before giving up waiting
|
||||
# for OCSP response. 0 uses system default.
|
||||
#
|
||||
# timeout = 0
|
||||
|
||||
#
|
||||
# Normally an error in querying the OCSP
|
||||
# responder (no response from server, server did
|
||||
# not understand the request, etc) will result in
|
||||
# a validation failure.
|
||||
#
|
||||
# To treat these errors as 'soft' failures and
|
||||
# still accept the certificate, enable this
|
||||
# option.
|
||||
#
|
||||
# Warning: this may enable clients with revoked
|
||||
# certificates to connect if the OCSP responder
|
||||
# is not available. Use with caution.
|
||||
#
|
||||
# softfail = no
|
||||
}
|
||||
}
|
||||
|
||||
# The TTLS module implements the EAP-TTLS protocol,
|
||||
# which can be described as EAP inside of Diameter,
|
||||
# inside of TLS, inside of EAP, inside of RADIUS...
|
||||
#
|
||||
# Surprisingly, it works quite well.
|
||||
#
|
||||
# The TTLS module needs the TLS module to be installed
|
||||
# and configured, in order to use the TLS tunnel
|
||||
# inside of the EAP packet. You will still need to
|
||||
# configure the TLS module, even if you do not want
|
||||
# to deploy EAP-TLS in your network. Users will not
|
||||
# be able to request EAP-TLS, as it requires them to
|
||||
# have a client certificate. EAP-TTLS does not
|
||||
# require a client certificate.
|
||||
#
|
||||
# You can make TTLS require a client cert by setting
|
||||
#
|
||||
# EAP-TLS-Require-Client-Cert = Yes
|
||||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
ttls {
|
||||
# The tunneled EAP session needs a default
|
||||
# EAP type which is separate from the one for
|
||||
# the non-tunneled EAP module. Inside of the
|
||||
# TTLS tunnel, we recommend using EAP-MD5.
|
||||
# If the request does not contain an EAP
|
||||
# conversation, then this configuration entry
|
||||
# is ignored.
|
||||
default_eap_type = md5
|
||||
|
||||
# The tunneled authentication request does
|
||||
# not usually contain useful attributes
|
||||
# like 'Calling-Station-Id', etc. These
|
||||
# attributes are outside of the tunnel,
|
||||
# and normally unavailable to the tunneled
|
||||
# authentication request.
|
||||
#
|
||||
# By setting this configuration entry to
|
||||
# 'yes', any attribute which NOT in the
|
||||
# tunneled authentication request, but
|
||||
# which IS available outside of the tunnel,
|
||||
# is copied to the tunneled request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
copy_request_to_tunnel = no
|
||||
|
||||
# The reply attributes sent to the NAS are
|
||||
# usually based on the name of the user
|
||||
# 'outside' of the tunnel (usually
|
||||
# 'anonymous'). If you want to send the
|
||||
# reply attributes based on the user name
|
||||
# inside of the tunnel, then set this
|
||||
# configuration entry to 'yes', and the reply
|
||||
# to the NAS will be taken from the reply to
|
||||
# the tunneled request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
use_tunneled_reply = no
|
||||
|
||||
#
|
||||
# The inner tunneled request can be sent
|
||||
# through a virtual server constructed
|
||||
# specifically for this purpose.
|
||||
#
|
||||
# If this entry is commented out, the inner
|
||||
# tunneled request will be sent through
|
||||
# the virtual server that processed the
|
||||
# outer requests.
|
||||
#
|
||||
virtual_server = "inner-tunnel"
|
||||
|
||||
# This has the same meaning as the
|
||||
# same field in the "tls" module, above.
|
||||
# The default value here is "yes".
|
||||
# include_length = yes
|
||||
}
|
||||
|
||||
##################################################
|
||||
#
|
||||
# !!!!! WARNINGS for Windows compatibility !!!!!
|
||||
#
|
||||
##################################################
|
||||
#
|
||||
# If you see the server send an Access-Challenge,
|
||||
# and the client never sends another Access-Request,
|
||||
# then
|
||||
#
|
||||
# STOP!
|
||||
#
|
||||
# The server certificate has to have special OID's
|
||||
# in it, or else the Microsoft clients will silently
|
||||
# fail. See the "scripts/xpextensions" file for
|
||||
# details, and the following page:
|
||||
#
|
||||
# http://support.microsoft.com/kb/814394/en-us
|
||||
#
|
||||
# For additional Windows XP SP2 issues, see:
|
||||
#
|
||||
# http://support.microsoft.com/kb/885453/en-us
|
||||
#
|
||||
#
|
||||
# If is still doesn't work, and you're using Samba,
|
||||
# you may be encountering a Samba bug. See:
|
||||
#
|
||||
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||
#
|
||||
# Note that we do not necessarily agree with their
|
||||
# explanation... but the fix does appear to work.
|
||||
#
|
||||
##################################################
|
||||
|
||||
#
|
||||
# The tunneled EAP session needs a default EAP type
|
||||
# which is separate from the one for the non-tunneled
|
||||
# EAP module. Inside of the TLS/PEAP tunnel, we
|
||||
# recommend using EAP-MS-CHAPv2.
|
||||
#
|
||||
# The PEAP module needs the TLS module to be installed
|
||||
# and configured, in order to use the TLS tunnel
|
||||
# inside of the EAP packet. You will still need to
|
||||
# configure the TLS module, even if you do not want
|
||||
# to deploy EAP-TLS in your network. Users will not
|
||||
# be able to request EAP-TLS, as it requires them to
|
||||
# have a client certificate. EAP-PEAP does not
|
||||
# require a client certificate.
|
||||
#
|
||||
#
|
||||
# You can make PEAP require a client cert by setting
|
||||
#
|
||||
# EAP-TLS-Require-Client-Cert = Yes
|
||||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
peap {
|
||||
# The tunneled EAP session needs a default
|
||||
# EAP type which is separate from the one for
|
||||
# the non-tunneled EAP module. Inside of the
|
||||
# PEAP tunnel, we recommend using MS-CHAPv2,
|
||||
# as that is the default type supported by
|
||||
# Windows clients.
|
||||
default_eap_type = mschapv2
|
||||
|
||||
# the PEAP module also has these configuration
|
||||
# items, which are the same as for TTLS.
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
|
||||
# When the tunneled session is proxied, the
|
||||
# home server may not understand EAP-MSCHAP-V2.
|
||||
# Set this entry to "no" to proxy the tunneled
|
||||
# EAP-MSCHAP-V2 as normal MSCHAPv2.
|
||||
# proxy_tunneled_request_as_eap = yes
|
||||
|
||||
#
|
||||
# The inner tunneled request can be sent
|
||||
# through a virtual server constructed
|
||||
# specifically for this purpose.
|
||||
#
|
||||
# If this entry is commented out, the inner
|
||||
# tunneled request will be sent through
|
||||
# the virtual server that processed the
|
||||
# outer requests.
|
||||
#
|
||||
virtual_server = "inner-tunnel"
|
||||
|
||||
# This option enables support for MS-SoH
|
||||
# see doc/SoH.txt for more info.
|
||||
# It is disabled by default.
|
||||
#
|
||||
# soh = yes
|
||||
|
||||
#
|
||||
# The SoH reply will be turned into a request which
|
||||
# can be sent to a specific virtual server:
|
||||
#
|
||||
# soh_virtual_server = "soh-server"
|
||||
}
|
||||
|
||||
#
|
||||
# This takes no configuration.
|
||||
#
|
||||
# Note that it is the EAP MS-CHAPv2 sub-module, not
|
||||
# the main 'mschap' module.
|
||||
#
|
||||
# Note also that in order for this sub-module to work,
|
||||
# the main 'mschap' module MUST ALSO be configured.
|
||||
#
|
||||
# This module is the *Microsoft* implementation of MS-CHAPv2
|
||||
# in EAP. There is another (incompatible) implementation
|
||||
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
|
||||
# currently support.
|
||||
#
|
||||
mschapv2 {
|
||||
# Prior to version 2.1.11, the module never
|
||||
# sent the MS-CHAP-Error message to the
|
||||
# client. This worked, but it had issues
|
||||
# when the cached password was wrong. The
|
||||
# server *should* send "E=691 R=0" to the
|
||||
# client, which tells it to prompt the user
|
||||
# for a new password.
|
||||
#
|
||||
# The default is to behave as in 2.1.10 and
|
||||
# earlier, which is known to work. If you
|
||||
# set "send_error = yes", then the error
|
||||
# message will be sent back to the client.
|
||||
# This *may* help some clients work better,
|
||||
# but *may* also cause other clients to stop
|
||||
# working.
|
||||
#
|
||||
# send_error = no
|
||||
}
|
||||
}
|
|
@ -0,0 +1,450 @@
|
|||
#
|
||||
# This file contains the configuration for experimental modules.
|
||||
#
|
||||
# By default, it is NOT included in the build.
|
||||
#
|
||||
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
|
||||
#
|
||||
|
||||
# Configuration for the Python module.
|
||||
#
|
||||
# Where radiusd is a Python module, radiusd.py, and the
|
||||
# function 'authorize' is called. Here is a dummy piece
|
||||
# of code:
|
||||
#
|
||||
# def authorize(params):
|
||||
# print params
|
||||
# return (5, ('Reply-Message', 'banned'))
|
||||
#
|
||||
# The RADIUS value-pairs are passed as a tuple of tuple
|
||||
# pairs as the first argument, e.g. (('attribute1',
|
||||
# 'value1'), ('attribute2', 'value2'))
|
||||
#
|
||||
# The function return is a tuple with the first element
|
||||
# being the return value of the function.
|
||||
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
|
||||
# write the return values as Python symbols to avoid
|
||||
# confusion.
|
||||
#
|
||||
# The remaining tuple members are the string form of
|
||||
# value-pairs which are passed on to pairmake().
|
||||
#
|
||||
python {
|
||||
mod_instantiate = radiusd_test
|
||||
func_instantiate = instantiate
|
||||
|
||||
mod_authorize = radiusd_test
|
||||
func_authorize = authorize
|
||||
|
||||
mod_accounting = radiusd_test
|
||||
func_accounting = accounting
|
||||
|
||||
mod_pre_proxy = radiusd_test
|
||||
func_pre_proxy = pre_proxy
|
||||
|
||||
mod_post_proxy = radiusd_test
|
||||
func_post_proxy = post_proxy
|
||||
|
||||
mod_post_auth = radiusd_test
|
||||
func_post_auth = post_auth
|
||||
|
||||
mod_recv_coa = radiusd_test
|
||||
func_recv_coa = recv_coa
|
||||
|
||||
mod_send_coa = radiusd_test
|
||||
func_send_coa = send_coa
|
||||
|
||||
mod_detach = radiusd_test
|
||||
func_detach = detach
|
||||
}
|
||||
|
||||
|
||||
# Configuration for the example module. Uncommenting it will cause it
|
||||
# to get loaded and initialized, but should have no real effect as long
|
||||
# it is not referencened in one of the autz/auth/preacct/acct sections
|
||||
example {
|
||||
# Boolean variable.
|
||||
# allowed values: {no, yes}
|
||||
boolean = yes
|
||||
|
||||
# An integer, of any value.
|
||||
integer = 16
|
||||
|
||||
# A string.
|
||||
string = "This is an example configuration string"
|
||||
|
||||
# An IP address, either in dotted quad (1.2.3.4) or hostname
|
||||
# (example.com)
|
||||
ipaddr = 127.0.0.1
|
||||
|
||||
# A subsection
|
||||
mysubsection {
|
||||
anotherinteger = 1000
|
||||
# They nest
|
||||
deeply nested {
|
||||
string = "This is a different string"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# To create a dbm users file, do:
|
||||
#
|
||||
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
|
||||
#
|
||||
# Then add 'dbm' in 'authorize' section.
|
||||
#
|
||||
# Note that even if the file has a ".db" or ".dbm" extension,
|
||||
# you may have to specify it here without that extension. This
|
||||
# is because the DBM libraries "helpfully" add a ".db" to the
|
||||
# filename, but don't check if it's already there.
|
||||
#
|
||||
dbm {
|
||||
usersfile = ${confdir}/users_db
|
||||
}
|
||||
|
||||
#
|
||||
# Perform NT-Domain authentication. This only works
|
||||
# with PAP authentication. That is, Authentication-Request
|
||||
# packets containing a User-Password attribute.
|
||||
#
|
||||
# To use it, add 'smb' into the 'authenticate' section,
|
||||
# and then in another module (usually the 'users' file),
|
||||
# set 'Auth-Type := SMB'
|
||||
#
|
||||
# WARNING: this module is not only experimental, it's also
|
||||
# a security threat. It's not recommended to use it until
|
||||
# it gets fixed.
|
||||
#
|
||||
smb {
|
||||
server = ntdomain.server.example.com
|
||||
backup = backup.server.example.com
|
||||
domain = NTDOMAIN
|
||||
}
|
||||
|
||||
# See doc/rlm_fastusers before using this
|
||||
# module or changing these values.
|
||||
#
|
||||
fastusers {
|
||||
usersfile = ${confdir}/users_fast
|
||||
hashsize = 1000
|
||||
compat = no
|
||||
# Reload the hash every 600 seconds (10mins)
|
||||
hash_reload = 600
|
||||
}
|
||||
|
||||
# Caching module
|
||||
#
|
||||
# Should be added in the post-auth section (after all other modules)
|
||||
# and in the authorize section (before any other modules)
|
||||
#
|
||||
# authorize {
|
||||
# caching {
|
||||
# ok = return
|
||||
# }
|
||||
# [... other modules ...]
|
||||
# }
|
||||
# post-auth {
|
||||
# [... other modules ...]
|
||||
# caching
|
||||
# }
|
||||
#
|
||||
# The caching module will cache the Auth-Type and reply items
|
||||
# and send them back on any subsequent requests for the same key
|
||||
#
|
||||
# Configuration:
|
||||
#
|
||||
# filename: The gdbm file to use for the cache database
|
||||
# (can be memory mapped for more speed)
|
||||
#
|
||||
# key: A string to xlat and use as a key. For instance,
|
||||
# "%{Acct-Unique-Session-Id}"
|
||||
#
|
||||
# post-auth: If we find a cached entry, set the post-auth to that value
|
||||
#
|
||||
# cache-ttl: The time to cache the entry. The same time format
|
||||
# as the counter module apply here.
|
||||
# num[hdwm] where:
|
||||
# h: hours, d: days, w: weeks, m: months
|
||||
# If the letter is ommited days will be assumed.
|
||||
# e.g. 1d == one day
|
||||
#
|
||||
# cache-size: The gdbm cache size to request (default 1000)
|
||||
#
|
||||
# hit-ratio: If set to non-zero we print out statistical
|
||||
# information after so many cache requests
|
||||
#
|
||||
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
|
||||
#
|
||||
caching {
|
||||
filename = ${db_dir}/db.cache
|
||||
cache-ttl = 1d
|
||||
hit-ratio = 1000
|
||||
key = "%{Acct-Unique-Session-Id}"
|
||||
#post-auth = ""
|
||||
# cache-size = 2000
|
||||
# cache-rejects = yes
|
||||
}
|
||||
|
||||
|
||||
# Simple module for logging of Account packets to radiusd.log
|
||||
# You need to declare it in the accounting section for it to work
|
||||
acctlog {
|
||||
acctlog_update = ""
|
||||
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
||||
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
||||
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
|
||||
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
||||
}
|
||||
|
||||
# Another implementation of the EAP module.
|
||||
#
|
||||
# This module requires the libeap.so file from the hostap
|
||||
# software (http://hostap.epitest.fi/hostapd/). It has been
|
||||
# tested on the development version of hostapd (0.6.1) ONLY.
|
||||
#
|
||||
# In order to use it, you MUST build a "libeap.so" in hostapd,
|
||||
# which is not done by default.
|
||||
#
|
||||
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
|
||||
# to point to the location of the hostap include files.
|
||||
#
|
||||
# This module CANNOT be used in the same way as the current
|
||||
# FreeRADIUS "eap" module. There is NO way to look inside of
|
||||
# a tunneled request. There is NO way to proxy a tunneled
|
||||
# request. There is NO way to even look at the user name inside
|
||||
# of the tunneled request. There is NO way to control the
|
||||
# choice of EAP types inside of the tunnel. You MUST force
|
||||
# the server to choose "eap2" for authentication, because this
|
||||
# module has no "authorize" section.
|
||||
#
|
||||
# If you want to use this module for experimentation, please
|
||||
# post your comments to the freeradius-devel list:
|
||||
#
|
||||
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
|
||||
#
|
||||
# If you want to use this module in a production (i.e. real-world)
|
||||
# environment:
|
||||
#
|
||||
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
|
||||
#
|
||||
# The module needs additional work to make it ready for
|
||||
# production use.. Please supply patches, or sponsor the
|
||||
# work by hiring a developer. Do NOT ask when the work will
|
||||
# be done, because there is no plan to finish this module
|
||||
# unless there is demand for it.
|
||||
#
|
||||
eap2 {
|
||||
# EAP types are chosen in the order that they are
|
||||
# listed in this section. There is no "default_eap_type"
|
||||
# as with rlm_eap. Instead, the *first* EAP type is
|
||||
# used as the default type.
|
||||
#
|
||||
peap {
|
||||
}
|
||||
|
||||
ttls {
|
||||
}
|
||||
|
||||
# This is the ONLY EAP type that has any configuration.
|
||||
# All other EAP types have no configuration.
|
||||
#
|
||||
tls {
|
||||
ca_cert = ${confdir}/certs/ca.pem
|
||||
server_cert = ${confdir}/certs/server.pem
|
||||
private_key_file = ${confdir}/certs/server.pem
|
||||
private_key_password = whatever
|
||||
}
|
||||
|
||||
#
|
||||
# These next two methods do not supply keying material.
|
||||
#
|
||||
md5 {
|
||||
}
|
||||
|
||||
mschapv2 {
|
||||
}
|
||||
|
||||
fast {
|
||||
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
|
||||
eap_fast_a_id = xxxxxx
|
||||
eap_fast_a_id_info = my_server
|
||||
eap_fast_prov = 3
|
||||
pac_key_lifetime = 604800 # 7 days
|
||||
pac_key_refresh_tim = 86400
|
||||
}
|
||||
|
||||
# LEAP is NOT supported by this module.
|
||||
# Use the "eap" module instead.
|
||||
|
||||
# For other methods that MIGHT work, see the
|
||||
# configuration of hostap. The methods are statically
|
||||
# linked in at compile time, and cannot be controlled
|
||||
# here.
|
||||
}
|
||||
|
||||
# Configuration for experimental EAP types. The sub-sections
|
||||
# can be copied into eap.conf.
|
||||
eap {
|
||||
ikev2 {
|
||||
|
||||
# Server auth type
|
||||
# Allowed values are:
|
||||
# cert - for certificate based server authentication,
|
||||
# other required settings for this type are
|
||||
# 'private_key_file' and 'certificate_file'
|
||||
# secret - for shared secret based server authentication,
|
||||
# other required settings for this type is 'id'
|
||||
# Default value of this option is 'secret'
|
||||
# server_authtype=cert
|
||||
|
||||
# Allowed default client auth types
|
||||
# Allowed values are:
|
||||
# secret - for shared secret based client authentication
|
||||
# cert - for certificate based client authentication
|
||||
# both - shared secret and certificate is allowed
|
||||
# none - authentication will always fail
|
||||
# Default value for this option is 'both'. This option could
|
||||
# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
|
||||
# option.
|
||||
# default_authtype = both
|
||||
|
||||
# path to trusted CA certificate file
|
||||
CA_file="/path/to/CA/cacert.pem"
|
||||
|
||||
# path to CRL file, if not set, then there will be no
|
||||
# checks against CRL
|
||||
# crl_file="/path/to/crl.pem"
|
||||
|
||||
# path to file with user settings
|
||||
#
|
||||
# Note that this file is read ONLY on module initialization!
|
||||
#
|
||||
# default ${confdir}/eap_ikev2_users
|
||||
# usersfile=${confdir}/eap_ikev2_users
|
||||
|
||||
#
|
||||
# Sample "eap_ikev2_users" file entry:
|
||||
#
|
||||
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
|
||||
|
||||
## where:
|
||||
## username - client user name from IKE-AUTH (IDr) or CommonName
|
||||
## from x509 certificate
|
||||
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
|
||||
## allowable attributes for EAP-IKEv2-IDType:
|
||||
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
|
||||
## DER_ASN1_GN KEY_ID
|
||||
## EAP-IKEv2-Secret - shared secret
|
||||
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
|
||||
## type. Allowed values are: secret,cert,both,none.
|
||||
## For the meaning of this values, please see the
|
||||
## description of 'default_authtype'.
|
||||
## This attribute can overwrite 'default_authtype' value.
|
||||
|
||||
|
||||
|
||||
# path to file with server private key
|
||||
private_key_file="/path/to/srv-private-key.pem"
|
||||
|
||||
# password to private key file
|
||||
private_key_password="passwd"
|
||||
|
||||
# path to file with server certificate
|
||||
certificate_file="/path/to/srv-cert.pem"
|
||||
|
||||
# server identity string
|
||||
id="deMaio"
|
||||
|
||||
# Server identity type. Allowed values are:
|
||||
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
|
||||
# KEY_ID
|
||||
# Default value is: KEY_ID
|
||||
# id_type = KEY_ID
|
||||
|
||||
|
||||
# MTU (default: 1398)
|
||||
# fragment_size = 1398
|
||||
|
||||
# maximal allowed number of resends SA_INIT after receiving
|
||||
# 'invalid KEY' notification (default 3)
|
||||
# DH_counter_max = 3
|
||||
|
||||
# option which is used to control whenever send CERT REQ
|
||||
# payload or not.
|
||||
# Allowed values for this option are "yes" or "no".
|
||||
#Default value is "no".
|
||||
# certreq = "yes"
|
||||
|
||||
# option which cotrols fast reconnect capability.
|
||||
# Allowed valuse for this option are "yes" or "no".
|
||||
# Default value is "yes".
|
||||
# enable_fast_reauth = "no"
|
||||
|
||||
# option which is used to control performing of DH exchange
|
||||
# during fast rekeying protocol run.
|
||||
# Allowed values for this option are "yes" or "no".
|
||||
# Default value is "no"
|
||||
# fast_DH_exchange = "yes"
|
||||
|
||||
# Option which is used to set up expiration time of inactive
|
||||
# IKEv2 session.
|
||||
# After selected period of time (in seconds), inactive
|
||||
# session data will be deleted.
|
||||
# Default value of this option is set to 900 seconds
|
||||
# fast_timer_expire = 900
|
||||
|
||||
# list of server proposals of available cryptographic
|
||||
# suites
|
||||
proposals {
|
||||
# proposal number #1
|
||||
proposal {
|
||||
|
||||
# Supported transforms types: encryption,
|
||||
# prf, integrity, dhgroup. For multiple
|
||||
# transforms just simple repeat key (i.e.
|
||||
# integity).
|
||||
|
||||
# encryption algorithm
|
||||
# supported algorithms:
|
||||
# null,3des,aes_128_cbc,aes_192_cbc,
|
||||
# aes_256_cbc,idea
|
||||
# blowfish:n, where n range from 8 to 448 bits,
|
||||
# step 8 bits
|
||||
# cast:n, where n range from 40 to 128 bits,
|
||||
# step 8 bits
|
||||
encryption = 3des
|
||||
|
||||
# pseudo random function. Supported prf's:
|
||||
# hmac_md5, hmac_sha1, hmac_tiger
|
||||
prf = hmac_sha1
|
||||
|
||||
# integrity algorithm. Supported algorithms:
|
||||
# hmac_md5_96, hmac_sha1_96,des_mac
|
||||
integrity = hmac_sha1_96
|
||||
integrity = hmac_md5_96
|
||||
|
||||
# Diffie-Hellman groups:
|
||||
# modp768, modp1024, modp1536, modp2048,
|
||||
# modp3072, modp4096, modp6144, modp8192
|
||||
dhgroup = modp2048
|
||||
}
|
||||
|
||||
# proposal number #2
|
||||
proposal {
|
||||
encryption = 3des
|
||||
prf = hmac_md5
|
||||
integrity = hmac_md5_96
|
||||
dhgroup = modp1024
|
||||
}
|
||||
|
||||
# proposal number #3
|
||||
proposal {
|
||||
encryption=3des
|
||||
prf=hmac_md5
|
||||
integrity=hmac_md5_96
|
||||
dhgroup=modp2048
|
||||
}
|
||||
}
|
||||
}
|
||||
}
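Review bot: Placeholder credentials are committed as live-looking values in this file: `private_key_password = whatever` under `eap2 { tls {`, `pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f` under `eap2 { fast {`, and `private_key_password="passwd"` under `eap { ikev2 {`. The header comment says the file is not included in the build by default, but once it sits in the config directory a single `$INCLUDE` makes these values active, and the `pac_opaque_encr_key` value looks like the published hostapd example key, so it would give issued PACs no real protection. If this file is only vendored for reference I would drop it from the deployed tree; if it is kept, replace the values with references to externally managed secrets and add a comment above each marking it as a placeholder that must not be used as-is. Separately, `proposal` number #2 in the ikev2 section advertises `modp1024` with `hmac_md5`, which is weaker than the neighbouring proposals and worth removing before this section is ever enabled.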
|
|
@ -0,0 +1,77 @@
|
|||
# hints
|
||||
#
|
||||
# The hints file. This file is used to match
|
||||
# a request, and then add attributes to it. This
|
||||
# process allows a user to login as "bob.ppp" (for example),
|
||||
# and receive a PPP connection, even if the NAS doesn't
|
||||
# ask for PPP. The "hints" file is used to match the
|
||||
# ".ppp" portion of the username, and to add a set of
|
||||
# "user requested PPP" attributes to the request.
|
||||
#
|
||||
# Matching can take place with the the Prefix and Suffix
|
||||
# attributes, just like in the "users" file.
|
||||
# These attributes operate ONLY on the username, though.
|
||||
#
|
||||
# Note that the attributes that are set for each
|
||||
# entry are _NOT_ passed back to the terminal server.
|
||||
# Instead they are added to the information that has
|
||||
# been _SENT_ by the terminal server.
|
||||
#
|
||||
# This extra information can be used in the users file to
|
||||
# match on. Usually this is done in the DEFAULT entries,
|
||||
# of which there can be more than one.
|
||||
#
|
||||
# In addition a matching entry can transform a username
|
||||
# for authentication purposes if the "Strip-User-Name"
|
||||
# variable is set to Yes in an entry (default is Yes).
|
||||
#
|
||||
# A special non-protocol name-value pair called "Hint"
|
||||
# can be set to match on in the "users" file.
|
||||
#
|
||||
# The following is how most ISPs want to set this up.
|
||||
#
|
||||
# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
|
||||
#
|
||||
|
||||
|
||||
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
|
||||
Hint = "PPP",
|
||||
Service-Type = Framed-User,
|
||||
Framed-Protocol = PPP
|
||||
|
||||
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
|
||||
Hint = "SLIP",
|
||||
Service-Type = Framed-User,
|
||||
Framed-Protocol = SLIP
|
||||
|
||||
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
|
||||
Hint = "CSLIP",
|
||||
Service-Type = Framed-User,
|
||||
Framed-Protocol = SLIP,
|
||||
Framed-Compression = Van-Jacobson-TCP-IP
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# These entries are old, and commented out by default.
|
||||
# They confuse too many people when "Peter" logs in, and the
|
||||
# server thinks that the user "eter" is asking for PPP.
|
||||
#
|
||||
#DEFAULT Prefix == "U", Strip-User-Name = No
|
||||
# Hint = "UUCP"
|
||||
|
||||
#DEFAULT Prefix == "P", Strip-User-Name = Yes
|
||||
# Hint = "PPP",
|
||||
# Service-Type = Framed-User,
|
||||
# Framed-Protocol = PPP
|
||||
|
||||
#DEFAULT Prefix == "S", Strip-User-Name = Yes
|
||||
# Hint = "SLIP",
|
||||
# Service-Type = Framed-User,
|
||||
# Framed-Protocol = SLIP
|
||||
|
||||
#DEFAULT Prefix == "C", Strip-User-Name = Yes
|
||||
# Hint = "CSLIP",
|
||||
# Service-Type = Framed-User,
|
||||
# Framed-Protocol = SLIP,
|
||||
# Framed-Compression = Van-Jacobson-TCP-IP
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
#
|
||||
# huntgroups This file defines the `huntgroups' that you have. A
|
||||
# huntgroup is defined by specifying the IP address of
|
||||
# the NAS and possibly a port range. Port can be identified
|
||||
# as just one port, or a range (from-to), and multiple ports
|
||||
# or ranges of ports must be seperated by a comma. For
|
||||
# example: 1,2,3-8
|
||||
#
|
||||
# Matching is done while RADIUS scans the user file; if it
|
||||
# includes the selection criterium "Huntgroup-Name == XXX"
|
||||
# the huntgroup is looked up in this file to see if it
|
||||
# matches. There can be multiple definitions of the same
|
||||
# huntgroup; the first one that matches will be used.
|
||||
#
|
||||
# This file can also be used to define restricted access
|
||||
# to certain huntgroups. The second and following lines
|
||||
# define the access restrictions (based on username and
|
||||
# UNIX usergroup) for the huntgroup.
|
||||
#
|
||||
|
||||
#
|
||||
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
|
||||
# called Alphen that matches on all three terminal servers.
|
||||
#
|
||||
#alphen NAS-IP-Address == 192.168.2.5
|
||||
#alphen NAS-IP-Address == 192.168.2.6
|
||||
#alphen NAS-IP-Address == 192.168.2.7
|
||||
|
||||
#
|
||||
# The POP in Delft consists of only one terminal server.
|
||||
#
|
||||
#delft NAS-IP-Address == 192.168.3.5
|
||||
|
||||
#
|
||||
# Ports 0-7 on the first terminal server in Alphen are connected to
|
||||
# a huntgroup that is for business users only. Note that only one
|
||||
# of the username or groupname has to match to get access (OR/OR).
|
||||
#
|
||||
# Note that this huntgroup is a subset of the "alphen" huntgroup.
|
||||
#
|
||||
#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
|
||||
# User-Name = rogerl,
|
||||
# User-Name = henks,
|
||||
# Group = business,
|
||||
# Group = staff
|
||||
|
|
@ -0,0 +1,76 @@
|
|||
#
|
||||
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
|
||||
# to be used by LDAP authentication and authorization module (rlm_ldap)
|
||||
#
|
||||
# Format:
|
||||
# ItemType RADIUS-Attribute-Name ldapAttributeName [operator]
|
||||
#
|
||||
# Where:
|
||||
# ItemType = checkItem or replyItem
|
||||
# RADIUS-Attribute-Name = attribute name in RADIUS dictionary
|
||||
# ldapAttributeName = attribute name in LDAP schema
|
||||
# operator = optional, and may not be present.
|
||||
# If not present, defaults to "==" for checkItems,
|
||||
# and "=" for replyItems.
|
||||
# If present, the operator here should be one
|
||||
# of the same operators as defined in the "users"3
|
||||
# file ("man users", or "man 5 users").
|
||||
# If an operator is present in the value of the
|
||||
# LDAP entry (i.e. ":=foo"), then it over-rides
|
||||
# both the default, and any operator given here.
|
||||
#
|
||||
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
|
||||
# a LDAP attribute which can be used to store any RADIUS
|
||||
# attribute/value-pair in LDAP directory.
|
||||
#
|
||||
# You should edit this file to suit it to your needs.
|
||||
#
|
||||
|
||||
checkItem $GENERIC$ radiusCheckItem
|
||||
replyItem $GENERIC$ radiusReplyItem
|
||||
|
||||
checkItem Auth-Type radiusAuthType
|
||||
checkItem Simultaneous-Use radiusSimultaneousUse
|
||||
checkItem Called-Station-Id radiusCalledStationId
|
||||
checkItem Calling-Station-Id radiusCallingStationId
|
||||
checkItem LM-Password lmPassword
|
||||
checkItem NT-Password ntPassword
|
||||
checkItem LM-Password sambaLmPassword
|
||||
checkItem NT-Password sambaNtPassword
|
||||
checkItem LM-Password dBCSPwd
|
||||
checkitem Password-With-Header userPassword
|
||||
checkItem SMB-Account-CTRL-TEXT acctFlags
|
||||
checkItem Expiration radiusExpiration
|
||||
checkItem NAS-IP-Address radiusNASIpAddress
|
||||
|
||||
replyItem Service-Type radiusServiceType
|
||||
replyItem Framed-Protocol radiusFramedProtocol
|
||||
replyItem Framed-IP-Address radiusFramedIPAddress
|
||||
replyItem Framed-IP-Netmask radiusFramedIPNetmask
|
||||
replyItem Framed-Route radiusFramedRoute
|
||||
replyItem Framed-Routing radiusFramedRouting
|
||||
replyItem Filter-Id radiusFilterId
|
||||
replyItem Framed-MTU radiusFramedMTU
|
||||
replyItem Framed-Compression radiusFramedCompression
|
||||
replyItem Login-IP-Host radiusLoginIPHost
|
||||
replyItem Login-Service radiusLoginService
|
||||
replyItem Login-TCP-Port radiusLoginTCPPort
|
||||
replyItem Callback-Number radiusCallbackNumber
|
||||
replyItem Callback-Id radiusCallbackId
|
||||
replyItem Framed-IPX-Network radiusFramedIPXNetwork
|
||||
replyItem Class radiusClass
|
||||
replyItem Session-Timeout radiusSessionTimeout
|
||||
replyItem Idle-Timeout radiusIdleTimeout
|
||||
replyItem Termination-Action radiusTerminationAction
|
||||
replyItem Login-LAT-Service radiusLoginLATService
|
||||
replyItem Login-LAT-Node radiusLoginLATNode
|
||||
replyItem Login-LAT-Group radiusLoginLATGroup
|
||||
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
|
||||
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
|
||||
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
|
||||
replyItem Port-Limit radiusPortLimit
|
||||
replyItem Login-LAT-Port radiusLoginLATPort
|
||||
replyItem Reply-Message radiusReplyMessage
|
||||
replyItem Tunnel-Type radiusTunnelType
|
||||
replyItem Tunnel-Medium-Type radiusTunnelMediumType
|
||||
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
|
|
@ -0,0 +1,17 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
|
||||
|
||||
#
|
||||
# Create a unique accounting session Id. Many NASes re-use
|
||||
# or repeat values for Acct-Session-Id, causing no end of
|
||||
# confusion.
|
||||
#
|
||||
# This module will add a (probably) unique session id
|
||||
# to an accounting packet based on the attributes listed
|
||||
# below found in the packet. See doc/rlm_acct_unique for
|
||||
# more information.
|
||||
#
|
||||
acct_unique {
|
||||
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: c28187f05d4f0416442203b016feb7e2b818716f $
|
||||
|
||||
#
|
||||
# The "always" module is here for debugging purposes. Each
|
||||
# instance simply returns the same result, always, without
|
||||
# doing anything.
|
||||
always fail {
|
||||
rcode = fail
|
||||
}
|
||||
always reject {
|
||||
rcode = reject
|
||||
}
|
||||
always noop {
|
||||
rcode = noop
|
||||
}
|
||||
always handled {
|
||||
rcode = handled
|
||||
}
|
||||
always updated {
|
||||
rcode = updated
|
||||
}
|
||||
always notfound {
|
||||
rcode = notfound
|
||||
}
|
||||
always ok {
|
||||
rcode = ok
|
||||
simulcount = 0
|
||||
mpp = no
|
||||
}
|
|
@ -0,0 +1,48 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
|
||||
|
||||
#
|
||||
# This file defines a number of instances of the "attr_filter" module.
|
||||
#
|
||||
|
||||
# attr_filter - filters the attributes received in replies from
|
||||
# proxied servers, to make sure we send back to our RADIUS client
|
||||
# only allowed attributes.
|
||||
attr_filter attr_filter.post-proxy {
|
||||
attrsfile = ${confdir}/attrs
|
||||
}
|
||||
|
||||
# attr_filter - filters the attributes in the packets we send to
|
||||
# the RADIUS home servers.
|
||||
attr_filter attr_filter.pre-proxy {
|
||||
attrsfile = ${confdir}/attrs.pre-proxy
|
||||
}
|
||||
|
||||
# Enforce RFC requirements on the contents of Access-Reject
|
||||
# packets. See the comments at the top of the file for
|
||||
# more details.
|
||||
#
|
||||
attr_filter attr_filter.access_reject {
|
||||
key = %{User-Name}
|
||||
attrsfile = ${confdir}/attrs.access_reject
|
||||
}
|
||||
|
||||
# Enforce RFC requirements on the contents of Access-Reject
|
||||
# packets. See the comments at the top of the file for
|
||||
# more details.
|
||||
#
|
||||
attr_filter attr_filter.access_challenge {
|
||||
key = %{User-Name}
|
||||
attrsfile = ${confdir}/attrs.access_challenge
|
||||
}
|
||||
|
||||
|
||||
# Enforce RFC requirements on the contents of the
|
||||
# Accounting-Response packets. See the comments at the
|
||||
# top of the file for more details.
|
||||
#
|
||||
attr_filter attr_filter.accounting_response {
|
||||
key = %{User-Name}
|
||||
attrsfile = ${confdir}/attrs.accounting_response
|
||||
}
|
|
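Review bot: The comment block above `attr_filter attr_filter.access_challenge` is a verbatim copy of the Access-Reject one and still says `# Enforce RFC requirements on the contents of Access-Reject`, so the two instances read as duplicates. It should say `# Enforce RFC requirements on the contents of Access-Challenge` to match the `attrs.access_challenge` file the instance actually loads; only the comment is wrong, the configuration itself is correct.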
@ -0,0 +1,46 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 8fb93224288061781980a156d541f5283abee1a0 $
|
||||
|
||||
# rewrite arbitrary packets. Useful in accounting and authorization.
|
||||
#
|
||||
# As of 2.0, much of the functionality of this module is in "unlang".
|
||||
# You should probably investigate using that before trying to use
|
||||
# the "attr_rewrite" module.
|
||||
#
|
||||
#
|
||||
# The module can also use the Rewrite-Rule attribute. If it
|
||||
# is set and matches the name of the module instance, then
|
||||
# that module instance will be the only one which runs.
|
||||
#
|
||||
# Also if new_attribute is set to yes then a new attribute
|
||||
# will be created containing the value replacewith and it
|
||||
# will be added to searchin (packet, reply, proxy,
|
||||
# proxy_reply or config).
|
||||
#
|
||||
# searchfor,ignore_case and max_matches will be ignored in that case.
|
||||
#
|
||||
# Backreferences are supported.
|
||||
# %{0} will contain the string the whole match
|
||||
# %{1} to %{8} will contain the contents of the 1st to
|
||||
# the 8th parentheses
|
||||
#
|
||||
# If max_matches is greater than one, the backreferences will
|
||||
# correspond to the first attributed that matched.
|
||||
|
||||
#
|
||||
attr_rewrite sanecallerid {
|
||||
attribute = Called-Station-Id
|
||||
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
|
||||
searchin = packet
|
||||
searchfor = "[+ ]"
|
||||
replacewith = ""
|
||||
ignore_case = no
|
||||
new_attribute = no
|
||||
max_matches = 10
|
||||
|
||||
## If set to yes then the replace string will be
|
||||
## appended to the original string
|
||||
append = no
|
||||
}
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $
|
||||
|
||||
#
|
||||
# A module to cache attributes. The idea is that you can look
|
||||
# up information in a database, and then cache it. Repeated
|
||||
# requests for the same information will then have the cached
|
||||
# values added to the request.
|
||||
#
|
||||
# The module can cache a fixed set of attributes per key.
|
||||
# It can be listed in "authorize", "post-auth", "pre-proxy"
|
||||
# and "post-proxy".
|
||||
#
|
||||
# If you want different things cached for authorize and post-auth,
|
||||
# you will need to define two instances of the "cache" module.
|
||||
#
|
||||
# The module returns "ok" if it found a cache entry.
|
||||
# The module returns "updated" if it added a new cache entry.
|
||||
# The module returns "noop" if it did nothing.
|
||||
#
|
||||
cache {
|
||||
# The key used to index the cache. It is dynamically expanded
|
||||
# at run time.
|
||||
key = "%{User-Name}"
|
||||
|
||||
# The TTL of cache entries, in seconds. Entries older than this
|
||||
# will be expired.
|
||||
#
|
||||
# You can set the TTL per cache entry, but adding a control
|
||||
# variable "Cache-TTL". The value there will over-ride this one.
|
||||
# Setting a Cache-TTL of 0 means "delete this entry".
|
||||
#
|
||||
# This value should be between 10 and 86400.
|
||||
ttl = 10
|
||||
|
||||
# A timestamp used to flush the cache, via
|
||||
#
|
||||
# radmin -e "set module config cache epoch 123456789"
|
||||
#
|
||||
# Where last value is a 32-bit Unix timestamp. Cache entries
|
||||
# older than this are expired, and new entries added.
|
||||
#
|
||||
# You should ALWAYS leave it as "epoch = 0" here.
|
||||
epoch = 0
|
||||
|
||||
# The module can also operate in status-only mode where it will
|
||||
# not add new cache entries, or merge existing ones.
|
||||
#
|
||||
# To enable set the control variable "Cache-Status-Only" to "yes"
|
||||
# The module will return "ok" if it found a cache entry.
|
||||
# The module will return "notfound" if it failed to find a cache entry,
|
||||
# or the entry had expired.
|
||||
#
|
||||
# Note: expired entries will still be removed.
|
||||
|
||||
# If yes the following attributes will be added to the request list:
|
||||
# * Cache-Entry-Hits - The number of times this entry has been
|
||||
# retrieved.
|
||||
add-stats = no
|
||||
|
||||
# The list of attributes to cache for a particular key.
|
||||
# Each key gets the same set of cached attributes.
|
||||
# The attributes are dynamically expanded at run time.
|
||||
#
|
||||
# You can specify which list the attribute goes into by
|
||||
# prefixing the attribute name with the list. This allows
|
||||
# you to update multiple lists with one configuration.
|
||||
#
|
||||
# If no list is specified the request list will be updated.
|
||||
update {
|
||||
# list:Attr-Name
|
||||
reply:Reply-Message += "I'm the cached reply from %t"
|
||||
|
||||
control:Class := 0x010203
|
||||
}
|
||||
}
|
|
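Review bot: The `update` block inside `cache` still carries the upstream sample values `reply:Reply-Message += "I'm the cached reply from %t"` and `control:Class := 0x010203`; if this instance is listed in any section those example attributes are added to real replies, so they should be marked as placeholders or removed before the module is enabled. The comment above `ttl = 10` also reads "but adding a control variable" where "by adding a control variable" is meant.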
@ -0,0 +1,11 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
|
||||
|
||||
# CHAP module
|
||||
#
|
||||
# To authenticate requests containing a CHAP-Password attribute.
|
||||
#
|
||||
chap {
|
||||
# no configuration
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $
|
||||
|
||||
# A simple value checking module
|
||||
#
|
||||
# As of 2.0, much of the functionality of this module is in "unlang".
|
||||
# You should probably investigate using that before trying to use
|
||||
# the "checkval" module.
|
||||
#
|
||||
# It can be used to check if an attribute value in the request
|
||||
# matches a (possibly multi valued) attribute in the check
|
||||
# items This can be used for example for caller-id
|
||||
# authentication. For the module to run, both the request
|
||||
# attribute and the check items attribute must exist
|
||||
#
|
||||
# i.e.
|
||||
# A user has an ldap entry with 2 radiusCallingStationId
|
||||
# attributes with values "12345678" and "12345679". If we
|
||||
# enable rlm_checkval, then any request which contains a
|
||||
# Calling-Station-Id with one of those two values will be
|
||||
# accepted. Requests with other values for
|
||||
# Calling-Station-Id will be rejected.
|
||||
#
|
||||
# Regular expressions in the check attribute value are allowed
|
||||
# as long as the operator is '=~'
|
||||
#
|
||||
checkval {
|
||||
# The attribute to look for in the request
|
||||
item-name = Calling-Station-Id
|
||||
|
||||
# The attribute to look for in check items. Can be multi valued
|
||||
check-name = Calling-Station-Id
|
||||
|
||||
# The data type. Can be
|
||||
# string,integer,ipaddr,date,abinary,octets
|
||||
data-type = string
|
||||
|
||||
# If set to yes and we dont find the item-name attribute in the
|
||||
# request then we send back a reject
|
||||
# DEFAULT is no
|
||||
#notfound-reject = no
|
||||
}
|
||||
|
|
@ -0,0 +1,82 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $
|
||||
|
||||
# counter module:
|
||||
# This module takes an attribute (count-attribute).
|
||||
# It also takes a key, and creates a counter for each unique
|
||||
# key. The count is incremented when accounting packets are
|
||||
# received by the server. The value of the increment depends
|
||||
# on the attribute type.
|
||||
# If the attribute is Acct-Session-Time or of an integer type we add
|
||||
# the value of the attribute. If it is anything else we increase the
|
||||
# counter by one.
|
||||
#
|
||||
# The 'reset' parameter defines when the counters are all reset to
|
||||
# zero. It can be hourly, daily, weekly, monthly or never.
|
||||
#
|
||||
# hourly: Reset on 00:00 of every hour
|
||||
# daily: Reset on 00:00:00 every day
|
||||
# weekly: Reset on 00:00:00 on sunday
|
||||
# monthly: Reset on 00:00:00 of the first day of each month
|
||||
#
|
||||
# It can also be user defined. It should be of the form:
|
||||
# num[hdwm] where:
|
||||
# h: hours, d: days, w: weeks, m: months
|
||||
# If the letter is ommited days will be assumed. In example:
|
||||
# reset = 10h (reset every 10 hours)
|
||||
# reset = 12 (reset every 12 days)
|
||||
#
|
||||
#
|
||||
# The check-name attribute defines an attribute which will be
|
||||
# registered by the counter module and can be used to set the
|
||||
# maximum allowed value for the counter after which the user
|
||||
# is rejected.
|
||||
# Something like:
|
||||
#
|
||||
# DEFAULT Max-Daily-Session := 36000
|
||||
# Fall-Through = 1
|
||||
#
|
||||
# You should add the counter module in the instantiate
|
||||
# section so that it registers check-name before the files
|
||||
# module reads the users file.
|
||||
#
|
||||
# If check-name is set and the user is to be rejected then we
|
||||
# send back a Reply-Message and we log a Failure-Message in
|
||||
# the radius.log
|
||||
#
|
||||
# If the count attribute is Acct-Session-Time then on each
|
||||
# login we send back the remaining online time as a
|
||||
# Session-Timeout attribute ELSE and if the reply-name is
|
||||
# set, we send back that attribute. The reply-name attribute
|
||||
# MUST be of an integer type.
|
||||
#
|
||||
# The counter-name can also be used instead of using the check-name
|
||||
# like below:
|
||||
#
|
||||
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
|
||||
# Reply-Message = "You've used up more than one hour today"
|
||||
#
|
||||
# The allowed-servicetype attribute can be used to only take
|
||||
# into account specific sessions. For example if a user first
|
||||
# logs in through a login menu and then selects ppp there will
|
||||
# be two sessions. One for Login-User and one for Framed-User
|
||||
# service type. We only need to take into account the second one.
|
||||
#
|
||||
# The module should be added in the instantiate, authorize and
|
||||
# accounting sections. Make sure that in the authorize
|
||||
# section it comes after any module which sets the
|
||||
# 'check-name' attribute.
|
||||
#
|
||||
counter daily {
|
||||
filename = ${db_dir}/db.daily
|
||||
key = User-Name
|
||||
count-attribute = Acct-Session-Time
|
||||
reset = daily
|
||||
counter-name = Daily-Session-Time
|
||||
check-name = Max-Daily-Session
|
||||
reply-name = Session-Timeout
|
||||
allowed-servicetype = Framed-User
|
||||
cache-size = 5000
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $
|
||||
|
||||
#
|
||||
# Write Chargeable-User-Identity to the database.
|
||||
#
|
||||
# Schema raddb/sql/mysql/cui.sql
|
||||
# Queries raddb/sql/mysql/cui.conf
|
||||
#
|
||||
sql cui {
|
||||
database = "mysql"
|
||||
driver = "rlm_sql_${database}"
|
||||
server = "localhost"
|
||||
login = "db_login_name"
|
||||
password = "db_password"
|
||||
radius_db = "db_name"
|
||||
# sqltrace = yes
|
||||
# sqltracefile = ${logdir}/cuitrace.sql
|
||||
num_sql_socks = 5
|
||||
connect_failure_retry_delay = 60
|
||||
cui_table = "cui"
|
||||
sql_user_name = "%{User-Name}"
|
||||
#$INCLUDE sql/${database}/cui.conf
|
||||
}
|
|
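Review bot: `login = "db_login_name"` and `password = "db_password"` in `sql cui` are plain-text credentials in a committed configuration file; they are upstream placeholders here, but nothing stops a later edit from putting the real values in the same place. A comment above them such as `# placeholders only: inject real credentials at deploy time, never commit them` would make the contract explicit, and `server = "localhost"` / `radius_db = "db_name"` are upstream defaults that need the same treatment before the `#$INCLUDE` line is activated.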
@ -0,0 +1,93 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $
|
||||
|
||||
# Write a detailed log of all accounting records received.
|
||||
#
|
||||
detail {
|
||||
# Note that we do NOT use NAS-IP-Address here, as
|
||||
# that attribute MAY BE from the originating NAS, and
|
||||
# NOT from the proxy which actually sent us the
|
||||
# request.
|
||||
#
|
||||
# The following line creates a new detail file for
|
||||
# every radius client (by IP address or hostname).
|
||||
# In addition, a new detail file is created every
|
||||
# day, so that the detail file doesn't have to go
|
||||
# through a 'log rotation'
|
||||
#
|
||||
# If your detail files are large, you may also want
|
||||
# to add a ':%H' (see doc/variables.txt) to the end
|
||||
# of it, to create a new detail file every hour, e.g.:
|
||||
#
|
||||
# ..../detail-%Y%m%d:%H
|
||||
#
|
||||
# This will create a new detail file for every hour.
|
||||
#
|
||||
# If you are reading detail files via the "listen" section
|
||||
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
|
||||
# you MUST use a unique directory for each combination of a
|
||||
# detail file writer, and reader. That is, there can only
|
||||
# be ONE "listen" section reading detail files from a
|
||||
# particular directory.
|
||||
#
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
|
||||
|
||||
#
|
||||
# If you are using radrelay, delete the above line for "detailfile",
|
||||
# and use this one instead:
|
||||
#
|
||||
# detailfile = ${radacctdir}/detail
|
||||
|
||||
#
|
||||
# The Unix-style permissions on the 'detail' file.
|
||||
#
|
||||
# The detail file often contains secret or private
|
||||
# information about users. So by keeping the file
|
||||
# permissions restrictive, we can prevent unwanted
|
||||
# people from seeing that information.
|
||||
detailperm = 0600
|
||||
|
||||
# The Unix group of the log file.
|
||||
#
|
||||
# The user that the server runs as must be in the specified
|
||||
# system group otherwise this will fail to work.
|
||||
#
|
||||
# group = freerad
|
||||
|
||||
#
|
||||
# Every entry in the detail file has a header which
|
||||
# is a timestamp. By default, we use the ctime
|
||||
# format (see "man ctime" for details).
|
||||
#
|
||||
# The header can be customized by editing this
|
||||
# string. See "doc/variables.txt" for a description
|
||||
# of what can be put here.
|
||||
#
|
||||
header = "%t"
|
||||
|
||||
#
|
||||
# Uncomment this line if the detail file reader will be
|
||||
# reading this detail file.
|
||||
#
|
||||
# locking = yes
|
||||
|
||||
#
|
||||
# Log the Packet src/dst IP/port. This is disabled by
|
||||
# default, as that information isn't used by many people.
|
||||
#
|
||||
# log_packet_header = yes
|
||||
|
||||
#
|
||||
# Certain attributes such as User-Password may be
|
||||
# "sensitive", so they should not be printed in the
|
||||
# detail file. This section lists the attributes
|
||||
# that should be suppressed.
|
||||
#
|
||||
# The attributes should be listed one to a line.
|
||||
#
|
||||
#suppress {
|
||||
# User-Password
|
||||
#}
|
||||
|
||||
}
|
|
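Review bot: The `suppress` block at the end of `detail` is commented out (`#suppress {` / `# User-Password` / `#}`), so no attribute is stripped from the written records even though the comment directly above names User-Password as sensitive; uncommenting it costs nothing for accounting records and makes the instance rely on more than `detailperm = 0600` alone. With `# group = freerad` left commented the file group is the server's default, which is acceptable only as long as the 0600 mode stays.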
@ -0,0 +1,27 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# Detail file writer, used in the following examples:
|
||||
#
|
||||
# raddb/sites-available/robust-proxy-accounting
|
||||
# raddb/sites-available/decoupled-accounting
|
||||
#
|
||||
# Note that this module can write detail files that are read by
|
||||
# only ONE "listen" section. If you use BOTH of the examples
|
||||
# above, you will need to define TWO "detail" modules.
|
||||
#
|
||||
# e.g. detail1.example.com && detail2.example.com
|
||||
#
|
||||
#
|
||||
# We write *multiple* detail files here. They will be processed by
|
||||
# the detail "listen" section in the order that they were created.
|
||||
# The directory containing these files should NOT be used for any
|
||||
# other purposes. i.e. It should have NO other files in it.
|
||||
#
|
||||
# Writing multiple detail enables the server to process the pieces
|
||||
# in smaller chunks. This helps in certain catastrophic corner cases.
|
||||
#
|
||||
# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
|
||||
#
|
||||
detail detail.example.com {
|
||||
detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
|
||||
|
||||
#
|
||||
# More examples of doing detail logs.
|
||||
|
||||
#
|
||||
# Many people want to log authentication requests.
|
||||
# Rather than modifying the server core to print out more
|
||||
# messages, we can use a different instance of the 'detail'
|
||||
# module, to log the authentication requests to a file.
|
||||
#
|
||||
# You will also need to un-comment the 'auth_log' line
|
||||
# in the 'authorize' section, below.
|
||||
#
|
||||
detail auth_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
|
||||
|
||||
#
|
||||
# This MUST be 0600, otherwise anyone can read
|
||||
# the users passwords!
|
||||
detailperm = 0600
|
||||
|
||||
# You may also strip out passwords completely
|
||||
suppress {
|
||||
User-Password
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# This module logs authentication reply packets sent
|
||||
# to a NAS. Both Access-Accept and Access-Reject packets
|
||||
# are logged.
|
||||
#
|
||||
# You will also need to un-comment the 'reply_log' line
|
||||
# in the 'post-auth' section, below.
|
||||
#
|
||||
detail reply_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
|
||||
|
||||
detailperm = 0600
|
||||
}
|
||||
|
||||
#
|
||||
# This module logs packets proxied to a home server.
|
||||
#
|
||||
# You will also need to un-comment the 'pre_proxy_log' line
|
||||
# in the 'pre-proxy' section, below.
|
||||
#
|
||||
detail pre_proxy_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
|
||||
|
||||
#
|
||||
# This MUST be 0600, otherwise anyone can read
|
||||
# the users passwords!
|
||||
detailperm = 0600
|
||||
|
||||
# You may also strip out passwords completely
|
||||
#suppress {
|
||||
# User-Password
|
||||
#}
|
||||
}
|
||||
|
||||
#
|
||||
# This module logs response packets from a home server.
|
||||
#
|
||||
# You will also need to un-comment the 'post_proxy_log' line
|
||||
# in the 'post-proxy' section, below.
|
||||
#
|
||||
detail post_proxy_log {
|
||||
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
|
||||
|
||||
detailperm = 0600
|
||||
}
|
|
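Review bot: `pre_proxy_log` writes proxied requests with its `suppress` block commented out (`#suppress {` / `# User-Password` / `#}`), whereas `auth_log` in the same hunk has the identical block active; the comment next to its `detailperm = 0600` says the file would otherwise expose passwords, so 0600 is currently the only protection for that instance. Uncomment the block in `pre_proxy_log` so both password-carrying logs are handled the same way; `reply_log` and `post_proxy_log` carry no such comment and appear to be fine as written.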
@ -0,0 +1,33 @@
|
|||
## Configuration for DHCP to use SQL IP Pools.
|
||||
##
|
||||
## See sqlippool.conf for common configuration explanation
|
||||
##
|
||||
## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
|
||||
|
||||
sqlippool dhcp_sqlippool {
|
||||
sql-instance-name = "sql"
|
||||
|
||||
ippool_table = "radippool"
|
||||
|
||||
lease-duration = 7200
|
||||
|
||||
# Client's MAC address is mapped to Calling-Station-Id in policy.conf
|
||||
pool-key = "%{Calling-Station-Id}"
|
||||
|
||||
# For now, it only works with MySQL.
|
||||
# This line is commented by default to enable clean startup when you
|
||||
# don't have freeradius-mysql installed. Uncomment this line if you
|
||||
# use this module.
|
||||
#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
|
||||
|
||||
sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
|
||||
|
||||
sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||
|
||||
}
|
|
@ -0,0 +1,13 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
|
||||
|
||||
#
|
||||
# The 'digest' module currently has no configuration.
|
||||
#
|
||||
# "Digest" authentication against a Cisco SIP server.
|
||||
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
|
||||
# on performing digest authentication for Cisco SIP servers.
|
||||
#
|
||||
digest {
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
|
||||
|
||||
# This module loads RADIUS clients as needed, rather than when the server
|
||||
# starts.
|
||||
#
|
||||
# There are no configuration entries for this module. Instead, it
|
||||
# relies on the "client" configuration. You must:
|
||||
#
|
||||
# 1) link raddb/sites-enabled/dyanmic_clients to
|
||||
# raddb/sites-available/dyanmic_clients
|
||||
#
|
||||
# 2) Define a client network/mask (see top of the above file)
|
||||
#
|
||||
# 3) uncomment the "directory" entry in that client definition
|
||||
#
|
||||
# 4) list "dynamic_clients" in the "authorize" section of the
|
||||
# "dynamic_clients' virtual server. The default example already
|
||||
# does this.
|
||||
#
|
||||
# 5) put files into the above directory, one per IP.
|
||||
# e.g. file "192.168.1.1" should contain a normal client definition
|
||||
# for a client with IP address 192.168.1.1.
|
||||
#
|
||||
# For more documentation, see the file:
|
||||
#
|
||||
# raddb/sites-available/dynamic-clients
|
||||
#
|
||||
dynamic_clients {
|
||||
|
||||
}
|
|
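Review bot: Step 1) of the header comment spells the paths `raddb/sites-enabled/dyanmic_clients` and `raddb/sites-available/dyanmic_clients`, while the closing reference uses `raddb/sites-available/dynamic-clients`; the misspelling plus the underscore/hyphen mismatch will send a reader to a file that does not exist. Use the single spelling that matches the real site file in all three places.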
@ -0,0 +1,123 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $
|
||||
|
||||
#
|
||||
# This is a more general example of the execute module.
|
||||
#
|
||||
# This one is called "echo".
|
||||
#
|
||||
# Attribute-Name = `%{echo:/path/to/program args}`
|
||||
#
|
||||
# If you wish to execute an external program in more than
|
||||
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
|
||||
# is probably best to define a different instance of the
|
||||
# 'exec' module for every section.
|
||||
#
|
||||
# The return value of the program run determines the result
|
||||
# of the exec instance call as follows:
|
||||
# (See doc/configurable_failover for details)
|
||||
#
|
||||
# < 0 : fail the module failed
|
||||
# = 0 : ok the module succeeded
|
||||
# = 1 : reject the module rejected the user
|
||||
# = 2 : fail the module failed
|
||||
# = 3 : ok the module succeeded
|
||||
# = 4 : handled the module has done everything to handle the request
|
||||
# = 5 : invalid the user's configuration entry was invalid
|
||||
# = 6 : userlock the user was locked out
|
||||
# = 7 : notfound the user was not found
|
||||
# = 8 : noop the module did nothing
|
||||
# = 9 : updated the module updated information in the request
|
||||
# > 9 : fail the module failed
|
||||
#
|
||||
exec echo {
|
||||
#
|
||||
# Wait for the program to finish.
|
||||
#
|
||||
# If we do NOT wait, then the program is "fire and
|
||||
# forget", and any output attributes from it are ignored.
|
||||
#
|
||||
# If we are looking for the program to output
|
||||
# attributes, and want to add those attributes to the
|
||||
# request, then we MUST wait for the program to
|
||||
# finish, and therefore set 'wait=yes'
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
wait = yes
|
||||
|
||||
#
|
||||
# The name of the program to execute, and it's
|
||||
# arguments. Dynamic translation is done on this
|
||||
# field, so things like the following example will
|
||||
# work.
|
||||
#
|
||||
program = "/bin/echo %{User-Name}"
|
||||
|
||||
#
|
||||
# The attributes which are placed into the
|
||||
# environment variables for the program.
|
||||
#
|
||||
# Allowed values are:
|
||||
#
|
||||
# request attributes from the request
|
||||
# config attributes from the configuration items list
|
||||
# reply attributes from the reply
|
||||
# proxy-request attributes from the proxy request
|
||||
# proxy-reply attributes from the proxy reply
|
||||
#
|
||||
# Note that some attributes may not exist at some
|
||||
# stages. e.g. There may be no proxy-reply
|
||||
# attributes if this module is used in the
|
||||
# 'authorize' section.
|
||||
#
|
||||
input_pairs = request
|
||||
|
||||
#
|
||||
# Where to place the output attributes (if any) from
|
||||
# the executed program. The values allowed, and the
|
||||
# restrictions as to availability, are the same as
|
||||
# for the input_pairs.
|
||||
#
|
||||
output_pairs = reply
|
||||
|
||||
#
|
||||
# When to execute the program. If the packet
|
||||
# type does NOT match what's listed here, then
|
||||
# the module does NOT execute the program.
|
||||
#
|
||||
# For a list of allowed packet types, see
|
||||
# the 'dictionary' file, and look for VALUEs
|
||||
# of the Packet-Type attribute.
|
||||
#
|
||||
# By default, the module executes on ANY packet.
|
||||
# Un-comment out the following line to tell the
|
||||
# module to execute only if an Access-Accept is
|
||||
# being sent to the NAS.
|
||||
#
|
||||
#packet_type = Access-Accept
|
||||
|
||||
#
|
||||
# Should we escape the environment variables?
|
||||
#
|
||||
# If this is set, all the RADIUS attributes
|
||||
# are capitalised and dashes replaced with
|
||||
# underscores. Also, RADIUS values are surrounded
|
||||
# with double-quotes.
|
||||
#
|
||||
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
|
||||
shell_escape = yes
|
||||
|
||||
|
||||
#
|
||||
# How long should we wait for the program to finish?
|
||||
#
|
||||
# Default is 10 seconds, which should be plenty for nearly
|
||||
# anything. Range is 1 to 30 seconds. You are strongly
|
||||
# encouraged to NOT increase this value. Decreasing can
|
||||
# be used to cause authentication to fail sooner when you
|
||||
# know it's going to fail anyway due to the time taken,
|
||||
# thereby saving resources.
|
||||
#
|
||||
#timeout = 10
|
||||
}
|
|
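Review bot: `program = "/bin/echo %{User-Name}"` expands a client-supplied attribute into the command, and `shell_escape = yes` further down appears to be what keeps that expansion safe; a comment beside it such as `# keep enabled: program and env values expand request attributes` would stop a later edit from switching it off without noticing. `#timeout = 10` leaves the default in force, which is fine as long as `wait = yes` stays paired with a bounded timeout.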
@ -0,0 +1,28 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
|
||||
|
||||
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
|
||||
# attribute for every group that the user is member of.
|
||||
#
|
||||
# You will have to define the Etc-Group-Name in the 'dictionary' file
|
||||
# as a 'string' type.
|
||||
#
|
||||
# The Group and Group-Name attributes are automatically created by
|
||||
# the Unix module, and do checking against /etc/group automatically.
|
||||
# This means that you CANNOT use Group or Group-Name to do any other
|
||||
# kind of grouping in the server. You MUST define a new group
|
||||
# attribute.
|
||||
#
|
||||
# i.e. this module should NOT be used as-is, but should be edited to
|
||||
# point to a different group file.
|
||||
#
|
||||
passwd etc_group {
|
||||
filename = /etc/group
|
||||
format = "=Etc-Group-Name:::*,User-Name"
|
||||
hashsize = 50
|
||||
ignorenislike = yes
|
||||
allowmultiplekeys = yes
|
||||
delimiter = ":"
|
||||
}
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
|
||||
|
||||
#
|
||||
# Execute external programs
|
||||
#
|
||||
# This module is useful only for 'xlat'. To use it,
|
||||
# put 'exec' into the 'instantiate' section. You can then
|
||||
# do dynamic translation of attributes like:
|
||||
#
|
||||
# Attribute-Name = `%{exec:/path/to/program args}`
|
||||
#
|
||||
# The value of the attribute will be replaced with the output
|
||||
# of the program which is executed. Due to RADIUS protocol
|
||||
# limitations, any output over 253 bytes will be ignored.
|
||||
#
|
||||
# The RADIUS attributes from the user request will be placed
|
||||
# into environment variables of the executed program, as
|
||||
# described in "man unlang" and in doc/variables.txt
|
||||
#
|
||||
# See also "echo" for more sample configuration.
|
||||
#
|
||||
exec {
|
||||
wait = no
|
||||
input_pairs = request
|
||||
shell_escape = yes
|
||||
output = none
|
||||
timeout = 10
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
|
||||
|
||||
#
|
||||
# The expiration module. This handles the Expiration attribute
|
||||
# It should be included in the *end* of the authorize section
|
||||
# in order to handle user Expiration. It should also be included
|
||||
# in the instantiate section in order to register the Expiration
|
||||
# compare function
|
||||
#
|
||||
expiration {
|
||||
#
|
||||
# The Reply-Message which will be sent back in case the
|
||||
# account has expired. Dynamic substitution is supported
|
||||
#
|
||||
reply-message = "Password Has Expired\r\n"
|
||||
#reply-message = "Your account has expired, %{User-Name}\r\n"
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $
|
||||
|
||||
#
|
||||
# The 'expression' module currently has no configuration.
|
||||
#
|
||||
# This module is useful only for 'xlat'. To use it,
|
||||
# put 'expr' into the 'instantiate' section. You can then
|
||||
# do dynamic translation of attributes like:
|
||||
#
|
||||
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
|
||||
#
|
||||
# The value of the attribute will be replaced with the output
|
||||
# of the program which is executed. Due to RADIUS protocol
|
||||
# limitations, any output over 253 bytes will be ignored.
|
||||
#
|
||||
# The module also registers a few paircompare functions
|
||||
expr {
|
||||
}
|
|
@ -0,0 +1,46 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $
|
||||
|
||||
# Livingston-style 'users' file
|
||||
#
|
||||
files {
|
||||
# The default key attribute to use for matches. The content
|
||||
# of this attribute is used to match the "name" of the
|
||||
# entry.
|
||||
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||
|
||||
usersfile = ${confdir}/users
|
||||
acctusersfile = ${confdir}/acct_users
|
||||
preproxy_usersfile = ${confdir}/preproxy_users
|
||||
|
||||
# If you want to use the old Cistron 'users' file
|
||||
# with FreeRADIUS, you should change the next line
|
||||
# to 'compat = cistron'. You can the copy your 'users'
|
||||
# file from Cistron.
|
||||
compat = no
|
||||
}
|
||||
|
||||
# An example which defines a second instance of the "files" module.
|
||||
# This instance is named "second_files". In order for it to be used
|
||||
# in a virtual server, it needs to be listed as "second_files"
|
||||
# inside of the "authorize" section (or other section). If you just
|
||||
# list "files", that will refer to the configuration defined above.
|
||||
#
|
||||
|
||||
# The two names here mean:
|
||||
# "files" - this is a configuration for the "rlm_files" module
|
||||
# "second_files" - this is a named configuration, which isn't
|
||||
# the default configuration.
|
||||
files second_files {
|
||||
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||
|
||||
# The names here don't matter. They just need to be different
|
||||
# from the names for the "files" configuration above. If they
|
||||
# are the same, then this configuration will end up being the
|
||||
# same as the one above.
|
||||
usersfile = ${confdir}/second_users
|
||||
acctusersfile = ${confdir}/second_acct_users
|
||||
preproxy_usersfile = ${confdir}/second_preproxy_users
|
||||
}
|
||||
|
|
@ -0,0 +1,161 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
|
||||
|
||||
#
|
||||
# Sample configuration for an EAP module that occurs *inside*
|
||||
# of a tunneled method. It is used to limit the EAP types that
|
||||
# can occur inside of the inner tunnel.
|
||||
#
|
||||
# See also raddb/sites-available/inner-tunnel
|
||||
#
|
||||
# To use this module, edit raddb/sites-available/inner-tunnel, and
|
||||
# replace the references to "eap" with "inner-eap".
|
||||
#
|
||||
# See raddb/eap.conf for full documentation on the meaning of the
|
||||
# configuration entries here.
|
||||
#
|
||||
eap inner-eap {
|
||||
# This is the best choice for PEAP.
|
||||
default_eap_type = mschapv2
|
||||
timer_expire = 60
|
||||
|
||||
# This should be the same as the outer eap "max sessions"
|
||||
max_sessions = 2048
|
||||
|
||||
# Supported EAP-types
|
||||
md5 {
|
||||
}
|
||||
|
||||
gtc {
|
||||
# The default challenge, which many clients
|
||||
# ignore..
|
||||
#challenge = "Password: "
|
||||
|
||||
auth_type = PAP
|
||||
}
|
||||
|
||||
mschapv2 {
|
||||
}
|
||||
|
||||
# No TTLS or PEAP configuration should be listed here.
|
||||
|
||||
## EAP-TLS
|
||||
#
|
||||
# You SHOULD use different certificates than are used
|
||||
# for the outer EAP configuration!
|
||||
#
|
||||
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
|
||||
#
|
||||
tls {
|
||||
#
|
||||
# These is used to simplify later configurations.
|
||||
#
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
|
||||
private_key_password = whatever
|
||||
private_key_file = ${certdir}/server.pem
|
||||
|
||||
# If Private key & Certificate are located in
|
||||
# the same file, then private_key_file &
|
||||
# certificate_file must contain the same file
|
||||
# name.
|
||||
#
|
||||
# If CA_file (below) is not used, then the
|
||||
# certificate_file below MUST include not
|
||||
# only the server certificate, but ALSO all
|
||||
# of the CA certificates used to sign the
|
||||
# server certificate.
|
||||
certificate_file = ${certdir}/server.pem
|
||||
|
||||
# Trusted Root CA list
|
||||
#
|
||||
# ALL of the CA's in this list will be trusted
|
||||
# to issue client certificates for authentication.
|
||||
#
|
||||
# In general, you should use self-signed
|
||||
# certificates for 802.1x (EAP) authentication.
|
||||
# In that case, this CA file should contain
|
||||
# *one* CA certificate.
|
||||
#
|
||||
# This parameter is used only for EAP-TLS,
|
||||
# when you issue client certificates. If you do
|
||||
# not use client certificates, and you do not want
|
||||
# to permit EAP-TLS authentication, then delete
|
||||
# this configuration item.
|
||||
CA_file = ${cadir}/ca.pem
|
||||
|
||||
#
|
||||
# For DH cipher suites to work, you have to
|
||||
# run OpenSSL to create the DH file first:
|
||||
#
|
||||
# openssl dhparam -out certs/dh 1024
|
||||
#
|
||||
dh_file = ${certdir}/dh
|
||||
random_file = ${certdir}/random
|
||||
|
||||
#
|
||||
# This can never exceed the size of a RADIUS
|
||||
# packet (4096 bytes), and is preferably half
|
||||
# that, to accomodate other attributes in
|
||||
# RADIUS packet. On most APs the MAX packet
|
||||
# length is configured between 1500 - 1600
|
||||
# In these cases, fragment size should be
|
||||
# 1024 or less.
|
||||
#
|
||||
# fragment_size = 1024
|
||||
|
||||
# include_length is a flag which is
|
||||
# by default set to yes If set to
|
||||
# yes, Total Length of the message is
|
||||
# included in EVERY packet we send.
|
||||
# If set to no, Total Length of the
|
||||
# message is included ONLY in the
|
||||
# First packet of a fragment series.
|
||||
#
|
||||
# include_length = yes
|
||||
|
||||
# Check the Certificate Revocation List
|
||||
#
|
||||
# 1) Copy CA certificates and CRLs to same directory.
|
||||
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||
# 'c_rehash' is OpenSSL's command.
|
||||
# 3) uncomment the line below.
|
||||
# 5) Restart radiusd
|
||||
# check_crl = yes
|
||||
# CA_path = /path/to/directory/with/ca_certs/and/crls/
|
||||
|
||||
#
|
||||
# If check_cert_issuer is set, the value will
|
||||
# be checked against the DN of the issuer in
|
||||
# the client certificate. If the values do not
|
||||
# match, the cerficate verification will fail,
|
||||
# rejecting the user.
|
||||
#
|
||||
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||
|
||||
#
|
||||
# If check_cert_cn is set, the value will
|
||||
# be xlat'ed and checked against the CN
|
||||
# in the client certificate. If the values
|
||||
# do not match, the certificate verification
|
||||
# will fail rejecting the user.
|
||||
#
|
||||
# This check is done only if the previous
|
||||
# "check_cert_issuer" is not set, or if
|
||||
# the check succeeds.
|
||||
#
|
||||
# check_cert_cn = %{User-Name}
|
||||
#
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
cipher_list = "DEFAULT"
|
||||
|
||||
#
|
||||
# The session resumption / fast reauthentication
|
||||
# cache CANNOT be used for inner sessions.
|
||||
#
|
||||
}
|
||||
}
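Review bot: The inner-eap tls block commits the stock placeholder values at `private_key_password = whatever` and `cipher_list = "DEFAULT"`, so the file both records a key passphrase in cleartext and leaves the inner-tunnel TLS cipher policy at the library default. If the server key is unencrypted, drop the password entry; otherwise inject it at deploy time rather than checking it in, and narrow `cipher_list` to a named strong set (for example the OpenSSL `HIGH` family) so the inner tunnel cannot negotiate weak suites. The DH setup comment `openssl dhparam -out certs/dh 1024` yields a 1024-bit group, which is below current guidance; if EAP-TLS is actually used inside the tunnel, generate at least 2048 bits. A comment above the tls block such as `# inner-tunnel TLS: key passphrase and cipher_list must be set per deployment, not left at the shipped defaults` would make that expectation visible to the next editor.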
|
|
@ -0,0 +1,75 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
|
||||
|
||||
# Do server side ip pool management. Should be added in
|
||||
# post-auth and accounting sections.
|
||||
#
|
||||
# The module also requires the existance of the Pool-Name
|
||||
# attribute. That way the administrator can add the Pool-Name
|
||||
# attribute in the user profiles and use different pools for
|
||||
# different users. The Pool-Name attribute is a *check* item
|
||||
# not a reply item.
|
||||
#
|
||||
# The Pool-Name should be set to the ippool module instance
|
||||
# name or to DEFAULT to match any module.
|
||||
|
||||
#
|
||||
# Example:
|
||||
# radiusd.conf: ippool students { [...] }
|
||||
# ippool teachers { [...] }
|
||||
# users file : DEFAULT Group == students, Pool-Name := "students"
|
||||
# DEFAULT Group == teachers, Pool-Name := "teachers"
|
||||
# DEFAULT Group == other, Pool-Name := "DEFAULT"
|
||||
#
|
||||
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
|
||||
# ********* THEN ERASE THE DB FILES *********
|
||||
#
|
||||
ippool main_pool {
|
||||
|
||||
# range-start,range-stop:
|
||||
# The start and end ip addresses for this pool.
|
||||
range-start = 192.168.1.1
|
||||
range-stop = 192.168.3.254
|
||||
|
||||
# netmask:
|
||||
# The network mask used for this pool.
|
||||
netmask = 255.255.255.0
|
||||
|
||||
# cache-size:
|
||||
# The gdbm cache size for the db files. Should
|
||||
# be equal to the number of ip's available in
|
||||
# the ip pool
|
||||
cache-size = 800
|
||||
|
||||
# session-db:
|
||||
# The main db file used to allocate addresses.
|
||||
session-db = ${db_dir}/db.ippool
|
||||
|
||||
# ip-index:
|
||||
# Helper db index file used in multilink
|
||||
ip-index = ${db_dir}/db.ipindex
|
||||
|
||||
# override:
|
||||
# If set, the Framed-IP-Address already in the
|
||||
# reply (if any) will be discarded, and replaced
|
||||
# with a Framed-IP-Address assigned here.
|
||||
override = no
|
||||
|
||||
# maximum-timeout:
|
||||
# Specifies the maximum time in seconds that an
|
||||
# entry may be active. If set to zero, means
|
||||
# "no timeout". The default value is 0
|
||||
maximum-timeout = 0
|
||||
|
||||
# key:
|
||||
# The key to use for the session database (which
|
||||
# holds the allocated ip's) normally it should
|
||||
# just be the nas ip/port (which is the default).
|
||||
#
|
||||
# If your NAS sends the same value of NAS-Port
|
||||
# all requests, the key should be based on some
|
||||
# other attribute that is in ALL requests, AND
|
||||
# is unique to each machine needing an IP address.
|
||||
#key = "%{NAS-IP-Address} %{NAS-Port}"
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
|
||||
|
||||
#
|
||||
# Kerberos. See doc/rlm_krb5 for minimal docs.
|
||||
#
|
||||
krb5 {
|
||||
keytab = /path/to/keytab
|
||||
service_principal = name_of_principle
|
||||
}
|
|
@ -0,0 +1,197 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
|
||||
|
||||
# Lightweight Directory Access Protocol (LDAP)
|
||||
#
|
||||
# This module definition allows you to use LDAP for
|
||||
# authorization and authentication.
|
||||
#
|
||||
# See raddb/sites-available/default for reference to the
|
||||
# ldap module in the authorize and authenticate sections.
|
||||
#
|
||||
# However, LDAP can be used for authentication ONLY when the
|
||||
# Access-Request packet contains a clear-text User-Password
|
||||
# attribute. LDAP authentication will NOT work for any other
|
||||
# authentication method.
|
||||
#
|
||||
# This means that LDAP servers don't understand EAP. If you
|
||||
# force "Auth-Type = LDAP", and then send the server a
|
||||
# request containing EAP authentication, then authentication
|
||||
# WILL NOT WORK.
|
||||
#
|
||||
# The solution is to use the default configuration, which does
|
||||
# work.
|
||||
#
|
||||
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
|
||||
# really can't emphasize this enough.
|
||||
#
|
||||
ldap {
|
||||
#
|
||||
# Note that this needs to match the name in the LDAP
|
||||
# server certificate, if you're using ldaps.
|
||||
server = "ldap.your.domain"
|
||||
#identity = "cn=admin,o=My Org,c=UA"
|
||||
#password = mypass
|
||||
basedn = "o=My Org,c=UA"
|
||||
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
|
||||
#base_filter = "(objectclass=radiusprofile)"
|
||||
|
||||
# How many connections to keep open to the LDAP server.
|
||||
# This saves time over opening a new LDAP socket for
|
||||
# every authentication request.
|
||||
ldap_connections_number = 5
|
||||
|
||||
# How many times the connection can be used before
|
||||
# being re-established. This is useful for things
|
||||
# like load balancers, which may exhibit sticky
|
||||
# behaviour without it. (0) is unlimited.
|
||||
max_uses = 0
|
||||
|
||||
# Port to connect on, defaults to 389. Setting this to
|
||||
# 636 will enable LDAPS if start_tls (see below) is not
|
||||
# able to be used.
|
||||
#port = 389
|
||||
|
||||
# seconds to wait for LDAP query to finish. default: 20
|
||||
timeout = 4
|
||||
|
||||
# seconds LDAP server has to process the query (server-side
|
||||
# time limit). default: 20
|
||||
#
|
||||
# LDAP_OPT_TIMELIMIT is set to this value.
|
||||
timelimit = 3
|
||||
|
||||
#
|
||||
# seconds to wait for response of the server. (network
|
||||
# failures) default: 10
|
||||
#
|
||||
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
||||
net_timeout = 1
|
||||
|
||||
#
|
||||
# This subsection configures the tls related items
|
||||
# that control how FreeRADIUS connects to an LDAP
|
||||
# server. It contains all of the "tls_*" configuration
|
||||
# entries used in older versions of FreeRADIUS. Those
|
||||
# configuration entries can still be used, but we recommend
|
||||
# using these.
|
||||
#
|
||||
tls {
|
||||
# Set this to 'yes' to use TLS encrypted connections
|
||||
# to the LDAP database by using the StartTLS extended
|
||||
# operation.
|
||||
#
|
||||
# The StartTLS operation is supposed to be
|
||||
# used with normal ldap connections instead of
|
||||
# using ldaps (port 636) connections
|
||||
start_tls = no
|
||||
|
||||
# cacertfile = /path/to/cacert.pem
|
||||
# cacertdir = /path/to/ca/dir/
|
||||
# certfile = /path/to/radius.crt
|
||||
# keyfile = /path/to/radius.key
|
||||
# randfile = /path/to/rnd
|
||||
|
||||
# Certificate Verification requirements. Can be:
|
||||
# "never" (don't even bother trying)
|
||||
# "allow" (try, but don't fail if the cerificate
|
||||
# can't be verified)
|
||||
# "demand" (fail if the certificate doesn't verify.)
|
||||
#
|
||||
# The default is "allow"
|
||||
# require_cert = "demand"
|
||||
}
|
||||
|
||||
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
|
||||
# profile_attribute = "radiusProfileDn"
|
||||
# access_attr = "dialupAccess"
|
||||
|
||||
# Mapping of RADIUS dictionary attributes to LDAP
|
||||
# directory attributes.
|
||||
dictionary_mapping = ${confdir}/ldap.attrmap
|
||||
|
||||
# Set password_attribute = nspmPassword to get the
|
||||
# user's password from a Novell eDirectory
|
||||
# backend. This will work ONLY IF FreeRADIUS has been
|
||||
# built with the --with-edir configure option.
|
||||
#
|
||||
# See also the following links:
|
||||
#
|
||||
# http://www.novell.com/coolsolutions/appnote/16745.html
|
||||
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
|
||||
#
|
||||
# Novell may require TLS encrypted sessions before returning
|
||||
# the user's password.
|
||||
#
|
||||
# password_attribute = userPassword
|
||||
|
||||
# Un-comment the following to disable Novell
|
||||
# eDirectory account policy check and intruder
|
||||
# detection. This will work *only if* FreeRADIUS is
|
||||
# configured to build with --with-edir option.
|
||||
#
|
||||
edir_account_policy_check = no
|
||||
|
||||
#
|
||||
# Group membership checking. Disabled by default.
|
||||
#
|
||||
# groupname_attribute = cn
|
||||
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
|
||||
# groupmembership_attribute = radiusGroupName
|
||||
|
||||
# compare_check_items = yes
|
||||
# do_xlat = yes
|
||||
# access_attr_used_for_allow = yes
|
||||
|
||||
#
|
||||
# The following two configuration items are for Active Directory
|
||||
# compatibility. If you see the helpful "operations error"
|
||||
# being returned to the LDAP module, uncomment the next
|
||||
# two lines.
|
||||
#
|
||||
# chase_referrals = yes
|
||||
# rebind = yes
|
||||
|
||||
#
|
||||
# By default, if the packet contains a User-Password,
|
||||
# and no other module is configured to handle the
|
||||
# authentication, the LDAP module sets itself to do
|
||||
# LDAP bind for authentication.
|
||||
#
|
||||
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
|
||||
#
|
||||
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
|
||||
#
|
||||
# You can disable this behavior by setting the following
|
||||
# configuration entry to "no".
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
# set_auth_type = yes
|
||||
|
||||
# ldap_debug: debug flag for LDAP SDK
|
||||
# (see OpenLDAP documentation). Set this to enable
|
||||
# huge amounts of LDAP debugging on the screen.
|
||||
# You should only use this if you are an LDAP expert.
|
||||
#
|
||||
# default: 0x0000 (no debugging messages)
|
||||
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
||||
#ldap_debug = 0x0028
|
||||
|
||||
#
|
||||
# Keepalive configuration. This MAY NOT be supported by your
|
||||
# LDAP library. If these configuration entries appear in the
|
||||
# output of "radiusd -X", then they are supported. Otherwise,
|
||||
# they are unsupported, and changing them will do nothing.
|
||||
#
|
||||
keepalive {
|
||||
# LDAP_OPT_X_KEEPALIVE_IDLE
|
||||
idle = 60
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_PROBES
|
||||
probes = 3
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_INTERVAL
|
||||
interval = 3
|
||||
}
|
||||
}
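Review bot: With `start_tls = no` and `#port = 389` left at the default, every bind and search against `server = "ldap.your.domain"` travels in the clear, including the User-Password that the hunk itself says the module uses for a PAP bind when no other module handles authentication. The `# require_cert = "demand"` entry is also commented, and the file documents the default as "allow", so even a StartTLS session would not fail on an unverifiable server certificate. Before this reaches a real server, set `start_tls = yes`, `require_cert = "demand"` and `cacertfile` to the CA that issued the LDAP server certificate, and keep the bind credential that `#password = mypass` hints at in injected secrets rather than in this committed file.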
|
|
@ -0,0 +1,105 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
|
||||
|
||||
#
|
||||
# The "linelog" module will log one line of text to a file.
|
||||
# Both the filename and the line of text are dynamically expanded.
|
||||
#
|
||||
# We STRONGLY suggest that you do not use data from the
|
||||
# packet as part of the filename.
|
||||
#
|
||||
linelog {
|
||||
#
|
||||
# The file where the logs will go.
|
||||
#
|
||||
# If the filename is "syslog", then the log messages will
|
||||
# go to syslog.
|
||||
filename = ${logdir}/linelog
|
||||
|
||||
#
|
||||
# The Unix-style permissions on the log file.
|
||||
#
|
||||
# Depending on format string, the log file may contain secret or
|
||||
# private information about users. Keep the file permissions as
|
||||
# restrictive as possible.
|
||||
permissions = 0600
|
||||
|
||||
#
|
||||
# The Unix group of the log file.
|
||||
#
|
||||
# The user that freeradius runs as must be in the specified
|
||||
# group, otherwise it will not be possible to set the group.
|
||||
#
|
||||
# group = freerad
|
||||
|
||||
#
|
||||
# If logging via syslog, the facility can be set here. Otherwise
|
||||
# the syslog_facility option in radiusd.conf will be used.
|
||||
#
|
||||
# syslog_facility = daemon
|
||||
|
||||
#
|
||||
# The default format string.
|
||||
format = "This is a log message for %{User-Name}"
|
||||
|
||||
#
|
||||
# This next line can be omitted. If it is omitted, then
|
||||
# the log message is static, and is always given by "format",
|
||||
# above.
|
||||
#
|
||||
# If it is defined, then the string is dynamically expanded,
|
||||
# and the result is used to find another configuration entry
|
||||
# here, with the given name. That name is then used as the
|
||||
# format string.
|
||||
#
|
||||
# If the configuration entry cannot be found, then no log
|
||||
# message is printed.
|
||||
#
|
||||
# i.e. You can have many log messages in one "linelog" module.
|
||||
# If this two-step expansion did not exist, you would have
|
||||
# needed to configure one "linelog" module for each log message.
|
||||
|
||||
#
|
||||
# Reference the Packet-Type (Access-Request, etc.) If it doesn't
|
||||
# exist, reference the "format" entry, above.
|
||||
reference = "%{%{Packet-Type}:-format}"
|
||||
|
||||
#
|
||||
# Followed by a series of log messages.
|
||||
Access-Request = "Requested access: %{User-Name}"
|
||||
Access-Reject = "Rejected access: %{User-Name}"
|
||||
Access-Challenge = "Sent challenge: %{User-Name}"
|
||||
|
||||
#
|
||||
# The log messages can be grouped into sections and
|
||||
# sub-sections, too. The "reference" item needs to have a "."
|
||||
# for every section. e.g. reference = foo.bar will reference
|
||||
# the "foo" section, "bar" configuration item.
|
||||
#
|
||||
|
||||
#
|
||||
# Used if: reference = "foo.bar".
|
||||
foo {
|
||||
bar = "Example log. Please ignore"
|
||||
}
|
||||
|
||||
#
|
||||
# Another example:
|
||||
# reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
|
||||
#
|
||||
Accounting-Request {
|
||||
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
||||
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
||||
|
||||
# Don't log anything for these packets.
|
||||
Alive = ""
|
||||
|
||||
Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
|
||||
Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
||||
|
||||
# don't log anything for other Acct-Status-Types.
|
||||
unknown = ""
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
|
||||
|
||||
# The logintime module. This handles the Login-Time,
|
||||
# Current-Time, and Time-Of-Day attributes. It should be
|
||||
# included in the *end* of the authorize section in order to
|
||||
# handle Login-Time checks. It should also be included in the
|
||||
# instantiate section in order to register the Current-Time
|
||||
# and Time-Of-Day comparison functions.
|
||||
#
|
||||
# When the Login-Time attribute is set to some value, and the
|
||||
# user has bene permitted to log in, a Session-Timeout is
|
||||
# calculated based on the remaining time. See "doc/README".
|
||||
#
|
||||
logintime {
|
||||
#
|
||||
# The Reply-Message which will be sent back in case
|
||||
# the account is calling outside of the allowed
|
||||
# timespan. Dynamic substitution is supported.
|
||||
#
|
||||
reply-message = "You are calling outside your allowed timespan\r\n"
|
||||
#reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
|
||||
|
||||
# The minimum timeout (in seconds) a user is allowed
|
||||
# to have. If the calculated timeout is lower we don't
|
||||
# allow the logon. Some NASes do not handle values
|
||||
# lower than 60 seconds well.
|
||||
minimum-timeout = 60
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# This next section is a sample configuration for the "passwd"
|
||||
# module, that reads flat-text files.
|
||||
#
|
||||
# The file is in the format <mac>,<ip>
|
||||
#
|
||||
# 00:01:02:03:04:05,192.168.1.100
|
||||
# 01:01:02:03:04:05,192.168.1.101
|
||||
# 02:01:02:03:04:05,192.168.1.102
|
||||
#
|
||||
# This lets you perform simple static IP assignments from a flat-text
|
||||
# file. You will have to define lease times yourself.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
passwd mac2ip {
|
||||
filename = ${confdir}/mac2ip
|
||||
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
|
||||
delimiter = ","
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
|
||||
|
||||
# A simple file to map a MAC address to a VLAN.
|
||||
#
|
||||
# The file should be in the format MAC,VLAN
|
||||
# the VLAN name cannot have spaces in it, for example:
|
||||
#
|
||||
# 00:01:02:03:04:05,VLAN1
|
||||
# 03:04:05:06:07:08,VLAN2
|
||||
# ...
|
||||
#
|
||||
passwd mac2vlan {
|
||||
filename = ${confdir}/mac2vlan
|
||||
format = "*VMPS-Mac:=VMPS-VLAN-Name"
|
||||
delimiter = ","
|
||||
}
|
|
@ -0,0 +1,87 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
|
||||
|
||||
# Microsoft CHAP authentication
|
||||
#
|
||||
# This module supports MS-CHAP and MS-CHAPv2 authentication.
|
||||
# It also enforces the SMB-Account-Ctrl attribute.
|
||||
#
|
||||
mschap {
|
||||
#
|
||||
# If you are using /etc/smbpasswd, see the 'passwd'
|
||||
# module for an example of how to use /etc/smbpasswd
|
||||
|
||||
# if use_mppe is not set to no mschap will
|
||||
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
|
||||
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
|
||||
#
|
||||
# use_mppe = no
|
||||
|
||||
# if mppe is enabled require_encryption makes
|
||||
# encryption moderate
|
||||
#
|
||||
# require_encryption = yes
|
||||
|
||||
# require_strong always requires 128 bit key
|
||||
# encryption
|
||||
#
|
||||
# require_strong = yes
|
||||
|
||||
# Windows sends us a username in the form of
|
||||
# DOMAIN\user, but sends the challenge response
|
||||
# based on only the user portion. This hack
|
||||
# corrects for that incorrect behavior.
|
||||
#
|
||||
# with_ntdomain_hack = no
|
||||
|
||||
# The module can perform authentication itself, OR
|
||||
# use a Windows Domain Controller. This configuration
|
||||
# directive tells the module to call the ntlm_auth
|
||||
# program, which will do the authentication, and return
|
||||
# the NT-Key. Note that you MUST have "winbindd" and
|
||||
# "nmbd" running on the local machine for ntlm_auth
|
||||
# to work. See the ntlm_auth program documentation
|
||||
# for details.
|
||||
#
|
||||
# If ntlm_auth is configured below, then the mschap
|
||||
# module will call ntlm_auth for every MS-CHAP
|
||||
# authentication request. If there is a cleartext
|
||||
# or NT hashed password available, you can set
|
||||
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
|
||||
# and the mschap module will do the authentication itself,
|
||||
# without calling ntlm_auth.
|
||||
#
|
||||
# Be VERY careful when editing the following line!
|
||||
#
|
||||
# You can also try setting the user name as:
|
||||
#
|
||||
# ... --username=%{mschap:User-Name} ...
|
||||
#
|
||||
# In that case, the mschap module will look at the User-Name
|
||||
# attribute, and do prefix/suffix checks in order to obtain
|
||||
# the "best" user name for the request.
|
||||
#
|
||||
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
|
||||
|
||||
# The default is to wait 10 seconds for ntlm_auth to
|
||||
# complete. This is a long time, and if it's taking that
|
||||
# long then you likely have other problems in your domain.
|
||||
# The length of time can be decreased with the following
|
||||
# option, which can save clients waiting if your ntlm_auth
|
||||
# usually finishes quicker. Range 1 to 10 seconds.
|
||||
#
|
||||
# ntlm_auth_timeout = 10
|
||||
|
||||
# For Apple Server, when running on the same machine as
|
||||
# Open Directory. It has no effect on other systems.
|
||||
#
|
||||
# use_open_directory = yes
|
||||
|
||||
# On failure, set (or not) the MS-CHAP error code saying
|
||||
# "retries allowed".
|
||||
# allow_retry = yes
|
||||
|
||||
# An optional retry message.
|
||||
# retry_msg = "Re-enter (or reset) the password"
|
||||
}
|
|
@ -0,0 +1,12 @@
|
|||
#
|
||||
# For testing ntlm_auth authentication with PAP.
|
||||
#
|
||||
# If you have problems with authentication failing, even when the
|
||||
# password is good, it may be a bug in Samba:
|
||||
#
|
||||
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||
#
|
||||
exec ntlm_auth {
|
||||
wait = yes
|
||||
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
|
||||
}
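Review bot: The `program` line hands the user's cleartext password to the helper as a command-line argument (`--password=%{User-Password}`), so for the lifetime of each ntlm_auth process the password is visible to any local account that can read the process list, and `wait = yes` keeps that window open until the helper exits. The header describes this instance as being for testing ntlm_auth with PAP; keep it out of the production authenticate section, or record that constraint above the block with `# test-only: the password is exposed in the process list while ntlm_auth runs`. Note also that `/path/to/ntlm_auth` is still the shipped placeholder, so the instance cannot function as committed.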
|
|
@ -0,0 +1,13 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
|
||||
|
||||
# This module is only used when the server is running on the same
|
||||
# system as OpenDirectory. The configuration of the module is hard-coded
|
||||
# by Apple, and cannot be changed here.
|
||||
#
|
||||
# There are no configuration entries for this module.
|
||||
#
|
||||
opendirectory {
|
||||
|
||||
}
|
|
@ -0,0 +1,78 @@
|
|||
#
|
||||
# Configuration for the OTP module.
|
||||
#
|
||||
|
||||
# This module allows you to use various handheld OTP tokens
|
||||
# for authentication (Auth-Type := otp). These tokens are
|
||||
# available from various vendors.
|
||||
#
|
||||
# It works in conjunction with otpd, which implements token
|
||||
# management and OTP verification functions; and lsmd or gsmd,
|
||||
# which implements synchronous state management functions.
|
||||
# otpd, lsmd and gsmd are available from TRI-D Systems:
|
||||
# <http://www.tri-dsystems.com/>
|
||||
|
||||
# You must list this module in BOTH the authorize and authenticate
|
||||
# sections in order to use it.
|
||||
otp {
|
||||
# otpd rendezvous point.
|
||||
# (default: /var/run/otpd/socket)
|
||||
#otpd_rp = /var/run/otpd/socket
|
||||
|
||||
# Text to use for the challenge. The '%' character is
|
||||
# disallowed, except that you MUST have a single "%s"
|
||||
# sequence in the string; the challenge itself is
|
||||
# inserted there. (default "Challenge: %s\n Response: ")
|
||||
#challenge_prompt = "Challenge: %s\n Response: "
|
||||
|
||||
# Length of the challenge. Most tokens probably support a
|
||||
# max of 8 digits. (range: 5-32 digits, default 6)
|
||||
#challenge_length = 6
|
||||
|
||||
# Maximum time, in seconds, that a challenge is valid.
|
||||
# (The user must respond to a challenge within this time.)
|
||||
# It is also the minimal time between consecutive async mode
|
||||
# authentications, a necessary restriction due to an inherent
|
||||
# weakness of the RADIUS protocol which allows replay attacks.
|
||||
# (default: 30)
|
||||
#challenge_delay = 30
|
||||
|
||||
# Whether or not to allow asynchronous ("pure" challenge/
|
||||
# response) mode authentication. Since sync mode is much more
|
||||
# usable, and all reasonable tokens support it, the typical
|
||||
# use of async mode is to allow resync of event based tokens.
|
||||
# But because of the vulnerability of async mode with some tokens,
|
||||
# you probably want to disable this and require that out-of-sync
|
||||
# users resync from specifically secured terminals.
|
||||
# See the otpd docs for more info.
|
||||
# (default: no)
|
||||
#allow_async = no
|
||||
|
||||
# Whether or not to allow synchronous mode authentication.
|
||||
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
|
||||
# that if your OTP users can authenticate to multiple RADIUS
|
||||
# servers, this must be "yes" for the primary/default server,
|
||||
# and "no" for the others. This is because lsmd does not
|
||||
# share state information across multiple servers. Using "yes"
|
||||
# on all your RADIUS servers would allow replay attacks!
|
||||
# Also, for event based tokens, the user will be out of sync
|
||||
# on the "other" servers. In order to use "yes" on all your
|
||||
# servers, you must either use gsmd, which synchronizes state
|
||||
# globally, or implement your own state synchronization method.
|
||||
# (default: yes)
|
||||
#allow_sync = yes
|
||||
|
||||
# If both allow_async and allow_sync are "yes", a challenge is
|
||||
# always presented to the user. This is incompatible with NAS's
|
||||
# that can't present or don't handle Access-Challenge's, e.g.
|
||||
# PPTP servers. Even though a challenge is presented, the user
|
||||
# can still enter their synchronous passcode.
|
||||
|
||||
# The following are MPPE settings. Note that MS-CHAP (v1) is
|
||||
# strongly discouraged. All possible values are listed as
|
||||
# {value = meaning}. Default values are first.
|
||||
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
|
||||
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
|
||||
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
|
||||
#mschap_mppe_bits = {2 = 128}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
|
||||
|
||||
|
||||
# Pluggable Authentication Modules
|
||||
#
|
||||
# For Linux, see:
|
||||
# http://www.kernel.org/pub/linux/libs/pam/index.html
|
||||
#
|
||||
# WARNING: On many systems, the system PAM libraries have
|
||||
# memory leaks! We STRONGLY SUGGEST that you do not
|
||||
# use PAM for authentication, due to those memory leaks.
|
||||
#
|
||||
pam {
|
||||
#
|
||||
# The name to use for PAM authentication.
|
||||
# PAM looks in /etc/pam.d/${pam_auth_name}
|
||||
# for it's configuration. See 'redhat/radiusd-pam'
|
||||
# for a sample PAM configuration file.
|
||||
#
|
||||
# Note that any Pam-Auth attribute set in the 'authorize'
|
||||
# section will over-ride this one.
|
||||
#
|
||||
pam_auth = radiusd
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
|
||||
|
||||
# PAP module to authenticate users based on their stored password
|
||||
#
|
||||
# Supports multiple encryption/hash schemes. See "man rlm_pap"
|
||||
# for details.
|
||||
#
|
||||
# The "auto_header" configuration item can be set to "yes".
|
||||
# In this case, the module will look inside of the User-Password
|
||||
# attribute for the headers {crypt}, {clear}, etc., and will
|
||||
# automatically create the attribute on the right-hand side,
|
||||
# with the correct value. It will also automatically handle
|
||||
# Base-64 encoded data, hex strings, and binary data.
|
||||
#
|
||||
# For instructions on creating the various types of passwords, see:
|
||||
#
|
||||
# http://www.openldap.org/faq/data/cache/347.html
|
||||
pap {
|
||||
auto_header = no
|
||||
}
|
|
@ -0,0 +1,55 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
|
||||
|
||||
# passwd module allows to do authorization via any passwd-like
|
||||
# file and to extract any attributes from these files.
|
||||
#
|
||||
# See the "smbpasswd" and "etc_group" files for more examples.
|
||||
#
|
||||
# parameters are:
|
||||
# filename - path to filename
|
||||
#
|
||||
# format - format for filename record. This parameters
|
||||
# correlates record in the passwd file and RADIUS
|
||||
# attributes.
|
||||
#
|
||||
# Field marked as '*' is a key field. That is, the parameter
|
||||
# with this name from the request is used to search for
|
||||
# the record from passwd file
|
||||
#
|
||||
# Attributes marked as '=' are added to reply_items instead
|
||||
# of default configure_itmes
|
||||
#
|
||||
# Attributes marked as '~' are added to request_items
|
||||
#
|
||||
# Field marked as ',' may contain a comma separated list
|
||||
# of attributes.
|
||||
#
|
||||
# hashsize - hashtable size. Setting it to 0 is no longer permitted
|
||||
# A future version of the server will have the module
|
||||
# automatically determine the hash size. Having it set
|
||||
# manually should not be necessary.
|
||||
#
|
||||
# allowmultiplekeys - if many records for a key are allowed
|
||||
#
|
||||
# ignorenislike - ignore NIS-related records
|
||||
#
|
||||
# delimiter - symbol to use as a field separator in passwd file,
|
||||
# for format ':' symbol is always used. '\0', '\n' are
|
||||
# not allowed
|
||||
#
|
||||
|
||||
# An example configuration for using /etc/passwd.
|
||||
#
|
||||
# This is an example which will NOT WORK if you have shadow passwords,
|
||||
# NIS, etc. The "unix" module is normally responsible for reading
|
||||
# system passwords. You should use it instead of this example.
|
||||
#
|
||||
passwd etc_passwd {
|
||||
filename = /etc/passwd
|
||||
format = "*User-Name:Crypt-Password:"
|
||||
hashsize = 100
|
||||
ignorenislike = no
|
||||
allowmultiplekeys = no
|
||||
}
|
|
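Review bot: The `etc_passwd` instance maps the second `/etc/passwd` field to `Crypt-Password`, and on any system that uses `/etc/shadow` that field is the placeholder `x`, so this instance can never yield a usable password — the section's own header says it "will NOT WORK if you have shadow passwords". If no virtual server references `etc_passwd`, the file is better dropped than shipped as live configuration; if something does reference it, `filename` and `format` need to point at a file that actually holds the hashes. At minimum, add `# NOTE: upstream example only; not referenced by any virtual server in this deployment` above `passwd etc_passwd {` so the next reader does not take it for an active authentication path.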
@ -0,0 +1,58 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
|
||||
|
||||
# Persistent, embedded Perl interpreter.
|
||||
#
|
||||
perl {
|
||||
#
|
||||
# The Perl script to execute on authorize, authenticate,
|
||||
# accounting, xlat, etc. This is very similar to using
|
||||
# 'rlm_exec' module, but it is persistent, and therefore
|
||||
# faster.
|
||||
#
|
||||
module = ${confdir}/example.pl
|
||||
|
||||
#
|
||||
# The following hashes are given to the module and
|
||||
# filled with value-pairs (Attribute names and values)
|
||||
#
|
||||
# %RAD_CHECK Check items
|
||||
# %RAD_REQUEST Attributes from the request
|
||||
# %RAD_REPLY Attributes for the reply
|
||||
#
|
||||
# The return codes from functions in the perl_script
|
||||
# are passed directly back to the server. These
|
||||
# codes are defined in doc/configurable_failover,
|
||||
# src/include/modules.h (RLM_MODULE_REJECT, etc),
|
||||
# and are pre-defined in the 'example.pl' program
|
||||
# which is included.
|
||||
#
|
||||
|
||||
#
|
||||
# List of functions in the module to call.
|
||||
# Uncomment and change if you want to use function
|
||||
# names other than the defaults.
|
||||
#
|
||||
#func_authenticate = authenticate
|
||||
#func_authorize = authorize
|
||||
#func_preacct = preacct
|
||||
#func_accounting = accounting
|
||||
#func_checksimul = checksimul
|
||||
#func_pre_proxy = pre_proxy
|
||||
#func_post_proxy = post_proxy
|
||||
#func_post_auth = post_auth
|
||||
#func_recv_coa = recv_coa
|
||||
#func_send_coa = send_coa
|
||||
#func_xlat = xlat
|
||||
#func_detach = detach
|
||||
|
||||
#
|
||||
# Uncomment the following lines if you wish
|
||||
# to use separate functions for Start and Stop
|
||||
# accounting packets. In that case, the
|
||||
# func_accounting function is not called.
|
||||
#
|
||||
#func_start_accounting = accounting_start
|
||||
#func_stop_accounting = accounting_stop
|
||||
}
|
|
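Review bot: `module = ${confdir}/example.pl` points the persistent interpreter at the upstream sample script rather than at a script tracked in this repository, so if `perl` is ever listed in a virtual server the server will execute example code with full access to the request and reply lists. If the module is not needed, omit this file entirely so no interpreter is configured; if it is needed, the script should be a reviewed file in the repository and the path should name it explicitly. The path is also only valid if `example.pl` is deployed alongside the configuration, which this change does not show.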
@ -0,0 +1,21 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
|
||||
|
||||
#
|
||||
# Module implementing a DIFFERENT policy language.
|
||||
# The syntax here is NOT "unlang", but something else.
|
||||
#
|
||||
# See the "raddb/policy.txt" file for documentation and examples.
|
||||
# There isn't much else in the way of documentation, sorry.
|
||||
#
|
||||
policy {
|
||||
# The only configuration item is a filename containing
|
||||
# the policies to execute.
|
||||
#
|
||||
# When "policy" is listed in a section (e.g. "authorize"),
|
||||
# it will run a policy named for that section.
|
||||
#
|
||||
filename = ${confdir}/policy.txt
|
||||
}
|
||||
|
|
@ -0,0 +1,58 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
|
||||
|
||||
# Preprocess the incoming RADIUS request, before handing it off
|
||||
# to other modules.
|
||||
#
|
||||
# This module processes the 'huntgroups' and 'hints' files.
|
||||
# In addition, it re-writes some weird attributes created
|
||||
# by some NASes, and converts the attributes into a form which
|
||||
# is a little more standard.
|
||||
#
|
||||
preprocess {
|
||||
huntgroups = ${confdir}/huntgroups
|
||||
hints = ${confdir}/hints
|
||||
|
||||
# This hack changes Ascend's wierd port numberings
|
||||
# to standard 0-??? port numbers so that the "+" works
|
||||
# for IP address assignments.
|
||||
with_ascend_hack = no
|
||||
ascend_channels_per_line = 23
|
||||
|
||||
# Windows NT machines often authenticate themselves as
|
||||
# NT_DOMAIN\username
|
||||
#
|
||||
# If this is set to 'yes', then the NT_DOMAIN portion
|
||||
# of the user-name is silently discarded.
|
||||
#
|
||||
# This configuration entry SHOULD NOT be used.
|
||||
# See the "realms" module for a better way to handle
|
||||
# NT domains.
|
||||
with_ntdomain_hack = no
|
||||
|
||||
# Specialix Jetstream 8500 24 port access server.
|
||||
#
|
||||
# If the user name is 10 characters or longer, a "/"
|
||||
# and the excess characters after the 10th are
|
||||
# appended to the user name.
|
||||
#
|
||||
# If you're not running that NAS, you don't need
|
||||
# this hack.
|
||||
with_specialix_jetstream_hack = no
|
||||
|
||||
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
|
||||
# with the attribute name *again* in the string, like:
|
||||
#
|
||||
# H323-Attribute = "h323-attribute=value".
|
||||
#
|
||||
# If this configuration item is set to 'yes', then
|
||||
# the redundant data in the the attribute text is stripped
|
||||
# out. The result is:
|
||||
#
|
||||
# H323-Attribute = "value"
|
||||
#
|
||||
# If you're not running a Cisco or Quintum NAS, you don't
|
||||
# need this hack.
|
||||
with_cisco_vsa_hack = no
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $
|
||||
|
||||
# Write "detail" files which can be read by radrelay.
|
||||
# This module should be used only by a server which receives
|
||||
# Accounting-Request packets from the network.
|
||||
#
|
||||
# It should NOT be used in the radrelay.conf file.
|
||||
#
|
||||
# Use it by adding "radrelay" to the "accounting" section:
|
||||
#
|
||||
# accounting {
|
||||
# ...
|
||||
# radrelay
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
detail radrelay {
|
||||
detailfile = ${radacctdir}/detail
|
||||
|
||||
locking = yes
|
||||
|
||||
# The other directives from the main detail module
|
||||
# can be used here, but they're not required.
|
||||
}
|
|
@ -0,0 +1,53 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 3ad88cde616ce041f0dcc87858950daafdd3d336 $
|
||||
|
||||
# Write a 'utmp' style file, of which users are currently
|
||||
# logged in, and where they've logged in from.
|
||||
#
|
||||
# This file is used mainly for Simultaneous-Use checking,
|
||||
# and also 'radwho', to see who's currently logged in.
|
||||
#
|
||||
radutmp {
|
||||
# Where the file is stored. It's not a log file,
|
||||
# so it doesn't need rotating.
|
||||
#
|
||||
filename = ${logdir}/radutmp
|
||||
|
||||
# The field in the packet to key on for the
|
||||
# 'user' name, If you have other fields which you want
|
||||
# to use to key on to control Simultaneous-Use,
|
||||
# then you can use them here.
|
||||
#
|
||||
# Note, however, that the size of the field in the
|
||||
# 'utmp' data structure is small, around 32
|
||||
# characters, so that will limit the possible choices
|
||||
# of keys.
|
||||
#
|
||||
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
|
||||
username = %{User-Name}
|
||||
|
||||
|
||||
# Whether or not we want to treat "user" the same
|
||||
# as "USER", or "User". Some systems have problems
|
||||
# with case sensitivity, so this should be set to
|
||||
# 'no' to enable the comparisons of the key attribute
|
||||
# to be case insensitive.
|
||||
#
|
||||
case_sensitive = yes
|
||||
|
||||
# Accounting information may be lost, so the user MAY
|
||||
# have logged off of the NAS, but we haven't noticed.
|
||||
# If so, we can verify this information with the NAS,
|
||||
#
|
||||
# If we want to believe the 'utmp' file, then this
|
||||
# configuration entry can be set to 'no'.
|
||||
#
|
||||
check_with_nas = yes
|
||||
|
||||
# Set the file permissions, as the contents of this file
|
||||
# are usually private.
|
||||
perm = 0600
|
||||
|
||||
callerid = "yes"
|
||||
}
|
|
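Review bot: `callerid = "yes"` is the only boolean in the block written with quotes, while `case_sensitive = yes` and `check_with_nas = yes` are bare; both forms parse, but one form per file is easier to audit. It is also the only key in the block without a comment, even though it decides whether caller ID is recorded in a file the block itself marks as private with `perm = 0600`. Suggest `# Record caller ID in the file; this is why perm is 0600 (see sradutmp for the world-readable variant).` above the line, and `callerid = yes` to match the rest of the block.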
@ -0,0 +1,46 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 95d9f2b98de1b33346c6129aa7e88a901248cd4d $
|
||||
|
||||
# Realm module, for proxying.
|
||||
#
|
||||
# You can have multiple instances of the realm module to
|
||||
# support multiple realm syntaxs at the same time. The
|
||||
# search order is defined by the order that the modules are listed
|
||||
# in the authorize and preacct sections.
|
||||
#
|
||||
# Four config options:
|
||||
# format - must be "prefix" or "suffix"
|
||||
# The special cases of "DEFAULT"
|
||||
# and "NULL" are allowed, too.
|
||||
# delimiter - must be a single character
|
||||
|
||||
# 'realm/username'
|
||||
#
|
||||
# Using this entry, IPASS users have their realm set to "IPASS".
|
||||
realm IPASS {
|
||||
format = prefix
|
||||
delimiter = "/"
|
||||
}
|
||||
|
||||
# 'username@realm'
|
||||
#
|
||||
realm suffix {
|
||||
format = suffix
|
||||
delimiter = "@"
|
||||
}
|
||||
|
||||
# 'username%realm'
|
||||
#
|
||||
realm realmpercent {
|
||||
format = suffix
|
||||
delimiter = "%"
|
||||
}
|
||||
|
||||
#
|
||||
# 'domain\user'
|
||||
#
|
||||
realm ntdomain {
|
||||
format = prefix
|
||||
delimiter = "\\"
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: d7605d9888607aa6451ab24450cebfd7bc9d4437 $
|
||||
|
||||
#
|
||||
# Configuration file for the "redis" module. This module does nothing
|
||||
# Other than provide connections to a redis database, and a %{redis: ...}
|
||||
# expansion.
|
||||
#
|
||||
redis {
|
||||
# Host where the redis server is located.
|
||||
# We recommend using ONLY 127.0.0.1 !
|
||||
hostname = 127.0.0.1
|
||||
|
||||
# The default port.
|
||||
port = 6379
|
||||
|
||||
# The password used to authenticate to the server.
|
||||
# We recommend using a strong password.
|
||||
# password = thisisreallysecretandhardtoguess
|
||||
|
||||
# The number of connections to open to the database.
|
||||
num_connections = 20
|
||||
|
||||
# If a connection fails, retry after this time.
|
||||
connect_failure_retry_delay = 60
|
||||
|
||||
# Set the maximum lifetime for one connection.
|
||||
# Use 0 for "lives forever"
|
||||
lifetime = 86400
|
||||
|
||||
# Set the maximum queries used for one connection.
|
||||
# Use 0 for "no limit"
|
||||
max_queries = 0
|
||||
}
|
|
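Review bot: The instance is configured with no `password` (the example line is left commented out), so the module connects to 127.0.0.1:6379 unauthenticated; that is acceptable only if the Redis instance is bound to loopback and nothing else on the host can reach it, which this file cannot guarantee on its own. If a password is enabled later it should not be written into this tracked file — keep it in a file outside the repository and pull it in with `$INCLUDE`, or inject it at deployment time. Replacing the commented example with `# password is supplied via $INCLUDE of an untracked file, never inline` would make that intent explicit.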
@ -0,0 +1,28 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: e16550c9991a5e76a77f349cfa5b82d5163f172e $
|
||||
|
||||
#
|
||||
# Configuration file for the "rediswho" module.
|
||||
#
|
||||
rediswho {
|
||||
# How many sessions to keep track of per user.
|
||||
# If there are more than this number, older sessions are deleted.
|
||||
trim-count = 15
|
||||
|
||||
# Expiry time in seconds. Any sessions which have not received
|
||||
# an update in this time will be automatically expired.
|
||||
expire-time = 86400
|
||||
|
||||
start-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
|
||||
start-trim = "LTRIM %{User-Name} 0 ${trim-count}"
|
||||
start-expire = "EXPIRE %{User-Name} ${expire-time}"
|
||||
|
||||
alive-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
|
||||
alive-trim = "LTRIM %{User-Name} 0 ${trim-count}"
|
||||
alive-expire = "EXPIRE %{User-Name} ${expire-time}"
|
||||
|
||||
stop-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
|
||||
stop-trim = "LTRIM %{User-Name} 0 ${trim-count}"
|
||||
stop-expire = "EXPIRE %{User-Name} ${expire-time}"
|
||||
}
|
|
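Review bot: Every command in the block interpolates `%{User-Name}` directly into the Redis key and argument list (`start-insert`, `start-trim`, `start-expire` and the `alive-`/`stop-` variants), and User-Name arrives unmodified from the NAS. Whether the redis module escapes whitespace and control characters in that expansion is not visible from this file; if it does not, a User-Name containing a space or newline would split into additional command arguments. Confirm the escaping behaviour of the installed module version, and if it cannot be confirmed, only reach this module after a policy has rejected User-Names with unexpected characters.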
@ -0,0 +1,40 @@
|
|||
# Replicate packet(s) to a home server.
|
||||
#
|
||||
# This module will open a new socket for each packet, and "clone"
|
||||
# the incoming packet to the destination realm (i.e. home server).
|
||||
#
|
||||
# Use it by setting "Replicate-To-Realm = name" in the control list,
|
||||
# just like Proxy-To-Realm. The configurations for the two attributes
|
||||
# are identical. The realm must exist, the home_server_pool must exist,
|
||||
# and the home_server must exist.
|
||||
#
|
||||
# The only difference is that the "replicate" module sends requests
|
||||
# and does not expect a reply. Any reply is ignored.
|
||||
#
|
||||
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
|
||||
#
|
||||
# To use this module, list "replicate" in the "authorize" or
|
||||
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
|
||||
# The contents of the "packet" attribute list will be sent to the
|
||||
# home server. The usual load-balancing, etc. features of the home
|
||||
# server will be used.
|
||||
#
|
||||
# "radmin" can be used to mark home servers alive/dead, in order to
|
||||
# enable/disable replication to specific servers.
|
||||
#
|
||||
# Packets can be replicated to multiple destinations. Just set
|
||||
# Replicate-To-Realm multiple times. One packet will be sent for
|
||||
# each of the Replicate-To-Realm attribute in the "control" list.
|
||||
#
|
||||
# If no packets are sent, the module returns "noop". If at least one
|
||||
# packet is sent, the module returns "ok". If an error occurs, the
|
||||
# module returns "fail"
|
||||
#
|
||||
# Note that replication does NOT change any of the packet statistics.
|
||||
# If you use "radmin" to look at the statistics for a home server,
|
||||
# the replicated packets will cause NO counters to increment. This
|
||||
# is not a bug, this is how replication works.
|
||||
#
|
||||
replicate {
|
||||
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 74e64047302d7d8f575672617e8a213aaf5a32d3 $
|
||||
|
||||
# An example configuration for using /etc/smbpasswd.
|
||||
#
|
||||
# See the "passwd" file for documentation on the configuration items
|
||||
# for this module.
|
||||
#
|
||||
passwd smbpasswd {
|
||||
filename = /etc/smbpasswd
|
||||
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
|
||||
hashsize = 100
|
||||
ignorenislike = no
|
||||
allowmultiplekeys = no
|
||||
}
|
|
@ -0,0 +1,50 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 0a339b4a1b9f1eafeb05992f2643497e802e2a49 $
|
||||
|
||||
# SMS One-time Password system.
|
||||
#
|
||||
# This module will extend FreeRadius with a socks interface to create and
|
||||
# validate One-Time-Passwords. The program for that creates the socket
|
||||
# and interacts with this module is not included here.
|
||||
#
|
||||
# The module does not check the User-Password, this should be done with
|
||||
# the "pap" module. See the example below.
|
||||
#
|
||||
# The module must be used in the "authorize" section to set
|
||||
# Auth-Type properly. The first time through, the module is called
|
||||
# in the "authenticate" section to authenticate the user password, and
|
||||
# to send the challenge. The second time through, it authenticates
|
||||
# the response to the challenge. e.g.:
|
||||
#
|
||||
# authorize {
|
||||
# ...
|
||||
# smsotp
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
# authenticate {
|
||||
# ...
|
||||
# Auth-Type smsotp {
|
||||
# pap
|
||||
# smsotp
|
||||
# }
|
||||
#
|
||||
# Auth-Type smsotp-reply {
|
||||
# smsotp
|
||||
# }
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
smsotp {
|
||||
# The location of the socket.
|
||||
socket = "/var/run/smsotp_socket"
|
||||
|
||||
# Defines the challenge message that will be send to the
|
||||
# NAS. Default is "Enter Mobile PIN" }
|
||||
challenge_message = "Enter Mobile PIN:"
|
||||
|
||||
# Defines the Auth-Type section that is run for the response to
|
||||
# the challenge. Default is "smsotp-reply".
|
||||
challenge_type = "smsotp-reply"
|
||||
}
|
|
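Review bot: `socket = "/var/run/smsotp_socket"` is the trust boundary of this module — whatever answers on that path decides whether a one-time password is accepted — yet the block says nothing about who may create or write to it, and the helper program is, as the header notes, not part of this change. The expected ownership and mode of the socket should be documented next to the key, e.g. `# Must be owned by the radiusd user and not writable by other users; the helper that creates it is provisioned separately.` Separately, `challenge_message` ends in a colon while the comment above quotes the default without one; harmless, but the two should agree.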
@ -0,0 +1,4 @@
|
|||
# SoH module
|
||||
soh {
|
||||
dhcp = yes
|
||||
}
|
|
@ -0,0 +1,92 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 3e6bf2104f74ffad8866eb69459a94f623601130 $
|
||||
|
||||
#
|
||||
# The rlm_sql_log module appends the SQL queries in a log
|
||||
# file which is read later by the radsqlrelay program.
|
||||
#
|
||||
# This module only performs the dynamic expansion of the
|
||||
# variables found in the SQL statements. No operation is
|
||||
# executed on the database server. (this could be done
|
||||
# later by an external program) That means the module is
|
||||
# useful only with non-"SELECT" statements.
|
||||
#
|
||||
# See rlm_sql_log(5) manpage.
|
||||
#
|
||||
# This same functionality could also be implemented by logging
|
||||
# to a "detail" file, reading that, and then writing to SQL.
|
||||
# See raddb/sites-available/buffered-sql for an example.
|
||||
#
|
||||
sql_log {
|
||||
path = "${radacctdir}/sql-relay"
|
||||
acct_table = "radacct"
|
||||
postauth_table = "radpostauth"
|
||||
sql_user_name = "%{%{User-Name}:-DEFAULT}"
|
||||
|
||||
#
|
||||
# Setting this to "yes" will allow UTF-8 characters to be
|
||||
# written to the log file. Otherwise, they are escaped
|
||||
# as being potentially invalid.
|
||||
#
|
||||
utf8 = no
|
||||
|
||||
#
|
||||
# The names here are taken from the Acct-Status-Type names.
|
||||
# Just add another entry here for Accounting-On,
|
||||
# Accounting-Off, etc.
|
||||
#
|
||||
Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||
'%{Framed-IP-Address}', '%S', '0', '0', '');"
|
||||
|
||||
Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||
'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
|
||||
'%{Acct-Terminate-Cause}');"
|
||||
|
||||
Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
|
||||
|
||||
# The same as "Alive"
|
||||
Interim-Update = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
|
||||
|
||||
Post-Auth = "INSERT INTO ${postauth_table} \
|
||||
(username, pass, reply, authdate) VALUES \
|
||||
('%{User-Name}', '%{User-Password:-Chap-Password}', \
|
||||
'%{reply:Packet-Type}', '%S');"
|
||||
|
||||
Accounting-On = "UPDATE ${acct_table} \
|
||||
SET \
|
||||
acctstoptime = '%S', \
|
||||
acctsessiontime = unix_timestamp('%S') - \
|
||||
unix_timestamp(acctstarttime), \
|
||||
acctterminatecause = '%{Acct-Terminate-Cause}', \
|
||||
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
|
||||
WHERE acctstoptime IS NULL \
|
||||
AND nasipaddress = '%{NAS-IP-Address}' \
|
||||
AND acctstarttime <= '%S'""
|
||||
|
||||
Accounting-Off = "UPDATE ${acct_table} \
|
||||
SET \
|
||||
acctstoptime = '%S', \
|
||||
acctsessiontime = unix_timestamp('%S') - \
|
||||
unix_timestamp(acctstarttime), \
|
||||
acctterminatecause = '%{Acct-Terminate-Cause}', \
|
||||
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
|
||||
WHERE acctstoptime IS NULL \
|
||||
AND nasipaddress = '%{NAS-IP-Address}' \
|
||||
AND acctstarttime <= '%S'""
|
||||
}
|
||||
|
|
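Review bot: The `Post-Auth` statement writes `'%{User-Password:-Chap-Password}'` into the `pass` column, so the cleartext password (or CHAP response) of every authentication attempt is written to `${radacctdir}/sql-relay` and later replayed into `radpostauth`; this is the upstream example, but a deployed server should not keep it. Replace the expansion with a constant, e.g. `('%{User-Name}', '', \` on the line that currently carries the password, or drop the column from the statement. Separately, `Accounting-On` and `Accounting-Off` both end in `AND acctstarttime <= '%S'""` — the doubled closing quote looks like a stray character, and the other entries in the block end in `;"`; it is worth confirming how the parser treats it rather than assuming it is ignored.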
@ -0,0 +1,37 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: c950169307009b088b2c31274f496ffe38e8a793 $
|
||||
|
||||
#
|
||||
# Set an account to expire T seconds after first login.
|
||||
# Requires the Expire-After attribute to be set, in seconds.
|
||||
# You may need to edit raddb/dictionary to add the Expire-After
|
||||
# attribute.
|
||||
#
|
||||
# This example is for MySQL. Other SQL variants should be similar.
|
||||
#
|
||||
# For versions prior to 2.1.11, this module defined the following
|
||||
# expansion strings:
|
||||
#
|
||||
# %k key_name
|
||||
# %S sqlmod_inst
|
||||
#
|
||||
# These SHOULD NOT be used. If these are used in your configuration,
|
||||
# they should be replaced by the following strings, which will work
|
||||
# identically to the previous ones:
|
||||
#
|
||||
# %k ${key}
|
||||
# %S ${sqlmod-inst}
|
||||
#
|
||||
sqlcounter expire_on_login {
|
||||
counter-name = Expire-After-Initial-Login
|
||||
check-name = Expire-After
|
||||
sqlmod-inst = sql
|
||||
key = User-Name
|
||||
reset = never
|
||||
query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
|
||||
FROM radacct \
|
||||
WHERE UserName='%{${key}}' \
|
||||
ORDER BY acctstarttime \
|
||||
LIMIT 1;"
|
||||
}
|
|
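Review bot: The counter query embeds `'%{${key}}'`, i.e. the request's User-Name, directly in the SQL text, and from this file it is not visible whether sqlcounter passes that expansion through the escaping function of the `sql` instance named in `sqlmod-inst`. That should be confirmed against the documentation of the installed module version; if escaping is not applied, the statement is exposed to injection through a crafted User-Name. The header also says `Expire-After` may need adding to `raddb/dictionary`, so the deployment should ship that dictionary entry alongside this file or note where it comes from.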
@ -0,0 +1,16 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: a7700bac6aaa93940c784f1b6df08b61eb77a1a3 $
|
||||
|
||||
# "Safe" radutmp - does not contain caller ID, so it can be
|
||||
# world-readable, and radwho can work for normal users, without
|
||||
# exposing any information that isn't already exposed by who(1).
|
||||
#
|
||||
# This is another 'instance' of the radutmp module, but it is given
|
||||
# then name "sradutmp" to identify it later in the "accounting"
|
||||
# section.
|
||||
radutmp sradutmp {
|
||||
filename = ${logdir}/sradutmp
|
||||
perm = 0644
|
||||
callerid = "no"
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
# -*- text -*-
|
||||
#
|
||||
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
|
||||
|
||||
# Unix /etc/passwd style authentication
|
||||
#
|
||||
# This module calls the system functions to get the "known good"
|
||||
# password. This password is usually in the "crypt" form, and is
|
||||
# incompatible with CHAP, MS-CHAP, PEAP, etc.
|
||||
#
|
||||
# If passwords are in /etc/shadow, you will need to set the "group"
|
||||
# configuration in radiusd.conf. Look for "shadow", and follow the
|
||||
# instructions there.
|
||||
#
|
||||
unix {
|
||||
#
|
||||
# The location of the "wtmp" file.
|
||||
# The only use for 'radlast'. If you don't use
|
||||
# 'radlast', then you can comment out this item.
|
||||
#
|
||||
# Note that the radwtmp file may get large! You should
|
||||
# rotate it (cp /dev/null radwtmp), or just not use it.
|
||||
#
|
||||
radwtmp = ${logdir}/radwtmp
|
||||
}
|
|
@ -0,0 +1,112 @@
|
|||
#
|
||||
# The WiMAX module currently takes no configuration.
|
||||
#
|
||||
# It should be listed in the "authorize" and "preacct" sections.
|
||||
# This enables the module to fix the horrible binary version
|
||||
# of Calling-Station-Id to the normal format, as specified in
|
||||
# RFC 3580, Section 3.21.
|
||||
#
|
||||
# In order to calculate the various WiMAX keys, the module should
|
||||
# be listed in the "post-auth" section. If EAP authentication
|
||||
# has been used, AND the EAP method derives MSK and EMSK, then
|
||||
# the various WiMAX keys can be calculated.
|
||||
#
|
||||
# Some useful things to remember:
|
||||
#
|
||||
# WiMAX-MSK = EAP MSK, but is 64 octets.
|
||||
#
|
||||
# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
|
||||
# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
|
||||
# MIP-RK = MIP-RK-1 | MIP-RK-2
|
||||
#
|
||||
# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
|
||||
# plus some magic... you've got to track *all* MIP-SPI's
|
||||
# on your system!
|
||||
#
|
||||
# SPI-CMIP4 = MIP-SPI
|
||||
# SPI-PMIP4 = MIP-SPI + 1
|
||||
# SPI-CMIP6 = MIP-SPI + 2
|
||||
#
|
||||
# MN-NAI is the Mobile node NAI. You have to create it, and put
|
||||
# it into the request or reply as something like:
|
||||
#
|
||||
# WiMAX-MN-NAI = "%{User-Name}"
|
||||
#
|
||||
# You will also have to have the appropriate IP address (v4 or v6)
|
||||
# in order to calculate the keys below.
|
||||
#
|
||||
# Lifetimes are derived from Session-Timeout. It needs to be set
|
||||
# to some useful number.
|
||||
#
|
||||
# The hash function below H() is HMAC-SHA1.
|
||||
#
|
||||
#
|
||||
# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
|
||||
#
|
||||
# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
|
||||
# or maybe WiMAX-vHA-IP-MIP4
|
||||
#
|
||||
# Which goes into WiMAX-MN-hHA-MIP4-Key
|
||||
# or maybe WiMAX-RRQ-MN-HA-Key
|
||||
# or maybe even WiMAX-vHA-MIP4-Key
|
||||
#
|
||||
# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
|
||||
#
|
||||
# which goes into WiMAX-MN-hHA-MIP4-SPI
|
||||
# or maybe WiMAX-RRQ-MN-HA-SPI
|
||||
# or even WiMAX-MN-vHA-MIP4-SPI
|
||||
#
|
||||
# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
|
||||
# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
|
||||
#
|
||||
# both with similar comments to above for MN-HA-CMIP4.
|
||||
#
|
||||
# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
|
||||
# you have to set WiMAX-IP-Technology in the reply to one of
|
||||
# the appropriate values.
|
||||
#
|
||||
#
|
||||
# FA-RK = H(MIP-RK, "FA-RK")
|
||||
#
|
||||
# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
|
||||
#
|
||||
# Where does the FA-IP come from? No idea...
|
||||
#
|
||||
#
|
||||
# The next two keys (HA-RK and FA-HA) are not generated
|
||||
# for every authentication request, but only on demand.
|
||||
#
|
||||
# HA-RK = 160-bit random number assigned by the AAA server
|
||||
# to a specific HA.
|
||||
#
|
||||
# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
|
||||
#
|
||||
# where HA-IPv4 is as above.
|
||||
# and FA-CoAv4 address of the FA as seen by the HA
|
||||
# and SPI is the relevant SPI for the HA-RK.
|
||||
#
|
||||
# DHCP-RK = 160-bit random number assigned by the AAA server
|
||||
# to a specific DHCP server. vDHCP-RK is the same
|
||||
# thing.
|
||||
#
|
||||
wimax {
|
||||
#
|
||||
# Some WiMAX equipement requires that the MS-MPPE-*-Key
|
||||
# attributes are sent in the Access-Accept, in addition to
|
||||
# the WiMAX-MSK attribute.
|
||||
#
|
||||
# Other WiMAX equipment request that the MS-MPPE-*-Key
|
||||
# attributes are NOT sent in the Access-Accept.
|
||||
#
|
||||
# By default, the EAP modules sends MS-MPPE-*-Key attributes.
|
||||
# The default virtual server (raddb/sites-available/default)
|
||||
# contains examples of adding the WiMAX-MSK.
|
||||
#
|
||||
# This configuration option makes the WiMAX module delete
|
||||
# the MS-MPPE-*-Key attributes. The default is to leave
|
||||
# them in place.
|
||||
#
|
||||
# If the keys are deleted (by setting this to "yes"), then
|
||||
# the WiMAX-MSK attribute is automatically added to the reply.
|
||||
delete_mppe_keys = no
|
||||
}
|