diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f769614
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+**/secrets.yaml diff=sops
+
+*.png filter=lfs diff=lfs merge=lfs -text
diff --git a/.sops.yaml b/.sops.yaml
index 475d0f6..e5aa242 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,11 +1,19 @@
 keys:
- - &jalr 7C207509562C208C4EC1676E87A8E5662DF00274
+ - &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
 - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- - &raven 2855242612275730D456C3F0DBF3508960495F3C
+ - &raven age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
 creation_rules:
 - path_regex: secrets\.yaml$
 key_groups:
 - pgp:
 - *jalr
 - *simon
+ age:
+ - *raven
+ - path_regex: machines/raven/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *jalr
+ - *simon
+ age:
 - *raven
diff --git a/README.md b/README.md
index 318b3f3..74c884e 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,8 @@
 # NixOS configurations of the FabLab Bad Windsheim
+
+## Quick start
+
+How to deploy to raven
+```
+nix run .#deploy/raven
+```
diff --git a/flake.lock b/flake.lock
index 9a3849c..8d98ae2 100644
--- a/flake.lock
+++ b/flake.lock
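Review bot: `**/secrets.yaml diff=sops` only takes effect on clones whose local git config also defines the `sops` diff driver (`git config diff.sops.textconv "sops -d"`), which `.gitattributes` cannot carry; without it `git diff` silently shows the raw ciphertext. The README Quick start added in this same commit is the natural place for that one-line setup step.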
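Review bot: The new `path_regex: machines/raven/secrets\.yaml$` rule is unreachable: sops applies the first `creation_rules` entry whose regex matches, and `secrets\.yaml$` already matches that path with the identical recipient set, so the second rule never selects anything. Either drop it or move it above the generic rule if raven is meant to get a different recipient list later. Swapping the jalr fingerprint and moving raven from PGP to an age recipient only affects future encryptions; files encrypted before this commit keep their old recipient list until `sops updatekeys` is run on them, so the retired jalr key can still decrypt those until that happens.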
@@ -1,12 +1,51 @@ { "nodes": { - "flake-utils": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { - "lastModified": 1623875721, - "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", + "lastModified": 1727196810, + "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=", + "owner": "nix-community", + "repo": "disko", + "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -15,6 +54,27 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nix-pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "krops": { "inputs": { "flake-utils": [ 
@@ -25,11 +85,11 @@ ] }, "locked": { - "lastModified": 1597485541, - "narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=", + "lastModified": 1644957911, + "narHash": "sha256-ggie/j7pdBqzDs4W7OiPmhqH9IGbXAbJxGqBdVxA8jA=", "owner": "Mic92", "repo": "krops", - "rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911", + "rev": "86fb3d2ee94fd8306231853b323ed8804edf26ec", "type": "github" }, "original": { @@ -38,21 +98,43 @@ "type": "github" } }, - "nix-pre-commit-hooks": { + "nix-github-actions": { "inputs": { - "flake-utils": [ - "flake-utils" - ], "nixpkgs": [ + "sbruder-overlay", + "poetry2nix", "nixpkgs" ] }, "locked": { - "lastModified": 1624971177, - "narHash": "sha256-Amf/nBj1E77RmbSSmV+hg6YOpR+rddCbbVgo5C7BS0I=", + "lastModified": 1703863825, + "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1726745158, + "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "397f0713d007250a2c7a745e555fa16c5dc8cadb", + "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", "type": "github" }, "original": { @@ -64,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1625333638, - "narHash": "sha256-M6J9RN60XJyv6nUfDFCwnz5aVjhe8+GJnV8Q9VpdQQQ=", + "lastModified": 1727040444, + "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "41775780a0b6b32b3d32dcc32bb9bc6df809062d", + "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", "type": "github" }, "original": { 
@@ -80,27 +162,59 @@ }, "nixpkgs": { "locked": { - "lastModified": 1626489334, - "narHash": "sha256-WcQDF/JB3yWfO7E37M6rlUCKkqcMwG2UiWz+2Vsib9Y=", + "lastModified": 1726969270, + "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b2f87e0043aaf3f0f05cc983bd6aa80a616b8352", + "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-21.05", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1626464457, - "narHash": "sha256-u2PCh/+8vQSLwf0mPpKHKQ8hAPB3l4uNZR3r0TdK2Lg=", + "lastModified": 1726937504, + "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c6c4a3d45ab200f17805d2d86a1ff1cc7ca2b186", + "rev": "9357f4f23713673f310988025d9dc261c20e70c6", "type": "github" }, "original": { 
@@ -110,29 +224,87 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "sbruder-overlay", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "sbruder-overlay", + "nixpkgs" + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1714509427, + "narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "184960be60652ca7f865123e8394ece988afb566", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "root": { "inputs": { + "disko": "disko", "flake-utils": "flake-utils", "krops": "krops", "nix-pre-commit-hooks": "nix-pre-commit-hooks", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", + "sbruder-overlay": "sbruder-overlay", "sops-nix": "sops-nix" } }, + "sbruder-overlay": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nix-pre-commit-hooks": [ + "nix-pre-commit-hooks" + ], + "nixpkgs": [ + "nixpkgs" + ], + "poetry2nix": "poetry2nix" + }, + "locked": { + "lastModified": 1719952130, + "narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=", + "owner": "sbruder", + "repo": "nixpkgs-overlay", + "rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844", + "type": "github" + }, + "original": { + "owner": "sbruder", + "repo": "nixpkgs-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1625936460, - "narHash": "sha256-U6xlITKrYuhlHWe+poACaz4GJl3ZVN1BSUqZe2gFg+g=", + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ec2800174de5a7be8ec5b144819af2c7de77abe2", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "type": "github" }, "original": { 
@@ -140,6 +312,57 @@ "repo": "sops-nix", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "sbruder-overlay", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714058656, + "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index a27213c..a3f323d 100644 --- a/flake.nix +++ b/flake.nix @@ -1,12 +1,15 @@ { inputs = { + disko.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + flake-utils.url = "github:numtide/flake-utils"; nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; - nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; + nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; 
@@ -18,6 +21,11 @@
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+ sbruder-overlay.url = "github:sbruder/nixpkgs-overlay";
+ sbruder-overlay.inputs.flake-utils.follows = "flake-utils";
+ sbruder-overlay.inputs.nix-pre-commit-hooks.follows = "nix-pre-commit-hooks";
+ sbruder-overlay.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
@@ -30,7 +38,10 @@
 }@inputs:
 flake-utils.lib.eachDefaultSystem (system:
 let
- pkgs = nixpkgs.legacyPackages.${system};
+ pkgs = import nixpkgs {
+ inherit system;
+ overlays = [ self.overlays.default ];
+ };
 inherit (pkgs) lib;
 in rec {
@@ -45,7 +56,7 @@
 };
 };
- devShell = pkgs.mkShell {
+ devShells.default = pkgs.mkShell {
 name = "fablab-nixos-config";
 buildInputs = (with pkgs; [
@@ -94,8 +105,15 @@
 ${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
 '';
 });
+
+ packages = lib.filterAttrs
+ (n: v: lib.elem system v.meta.platforms)
+ (flake-utils.lib.flattenTree {
+ inherit (pkgs)
+ fablab;
+ });
 }) // {
- overlay = import ./pkgs;
+ overlays.default = import ./pkgs;
 nixosConfigurations = nixpkgs.lib.mapAttrs (hostname: { system
@@ -128,6 +146,7 @@
 })
 ] ++ (with inputs; [
 sops-nix.nixosModules.sops
+ disko.nixosModules.disko
 ]) ++ extraModules;
 })
 (import ./machines inputs);
diff --git a/keys/machines/raven.asc b/keys/machines/raven.asc
index c1208ec..6bb0c08 100644
--- a/keys/machines/raven.asc
+++ b/keys/machines/raven.asc
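Review bot: `(n: v: lib.elem system v.meta.platforms)` in the new `packages` filter evaluates `v.meta.platforms` unconditionally, so a single flattened entry without `meta.platforms` turns `nix flake show`/`nix flake check` into an evaluation error instead of a skipped package; `(n: v: lib.meta.availableOn pkgs.stdenv.hostPlatform v)` tolerates that and also honours `badPlatforms`. The `pkgs = import nixpkgs { ... overlays = [ self.overlays.default ]; }` change relies on `self` being bound in the `outputs` argument set, which lies above this hunk and is not visible here. The attrset opened by `}) // {` continues past the last hunk.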
@@ -1,28 +1,28 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -xsFNBAAAAAABEADJuRGmEF1kSUg8qjGCk2/lBaDa2FYKM77dTRh7z9dHIABG+jy2 -3VdQPwT/M94Vipb1m7vkF5qd1DnYFuyOrM38ql/9gq16tihq9EKTsJulv8IcKjY8 -+nVD76srojho09G6Y94xcE0np0chZVSVyDQ/o8Bj4b4TYfGcDg8GljL+X8MRQz3Y -W6E1oUjSraDS10DeApsBB//MtIMvzqjpvU7NfA6ny1zM6hrUnsDb+WLgouYONJI3 -ZZXuVSwmGYO8NkkdmTVSGA9iytwonceDT+GXt45agr0ry9i0txzji/HC8ma5nR1R -WitDIhYHl6eRNfqAxGhABdi/dmOm4c7w3AZ2hEUMHXjYpj2LTG82G/zS7Iuvdxcb -u+KptBWOXUe4ye54agQSTlCIbFKrDPKkk0gQACuJ5FZkp8VmoBL5gjW7TYOW06Re -iRS7TBAroebnssUOr/OU4zs3WTMJQd5psj4EcVFniSteleDhjo85wxFTIerCDclw -/cC2HU8yNn+6cDcA05MKC/ZusIopH1+WcfTt9wnEf9glRHT4NMuOgrDO/cZocRge -hg2kKgN8kVffCt7z3rHCrDvtQB7vIsATyRHWdJBe2WtC+Lv74vuldyYrrCe6XOAl -wCOTy6rRfQFijfa6zp/MBiXWv5Sy+jXnNbbgu9w6aZ4e40Uy6fft/zF1JwARAQAB +xsFNBAAAAAABEAC5RX7E07G3dOlgwYW7D/Cgq7xD288JWNTotXAnGTPQbF04yx62 +EUEjQ3ggxcTz4t/7Sv9WOfbWBvlRy48rhW+zxN9de8ld9FhPW0hG6GKfgN88LCSG +pVSY4WQ1wqry2ZF68n4YNdrXCZ6PG0EgbrTSSOHaxHVxiVsfZIGWrAUcTyIEhmka +60tenlQVXj8c45WTRAXQ7kLpXLZAfYmetlyDhUMGj1c46+551GXWnxTYnGZGXS2X +4gavMnGZWOG0mNtY0TPaDxfJ+1kgANUbtPc9UNIZuhWHuz/K6LdBybMKsDWv+8Of +962TXj8NlEjRs+t1bhalSWl2zFZ0gI3/gQc8RM4fO7yBht5oFAlSh9fUBuFjyp0c +KuCs1twQ32NNHlm2+RjVPUN+ITWKCRr0c05OGC2cE7M2ks44F/bMKRvH3v28biZC +6bj00novLw8dSQzya34nZttA7htySJTbyt7H9aBCyZhs22TxRNIed3UrkmFZr4QH +QiEzZ44SJ1QYOVtRVcAeLDRcyfJWjUqo7QxPnJS27iN4cjaeWkm6AFk+bsx2nIcb +10vM6Y5rMcwcWTwZnEbqmhTvO+l661yQAR+RrdeVl+J2MQHZ6fsxbDFyW0YdaSnZ +0geev9lqbg86nLIPdQANkFHtnYZIURliitxT9OahUce4xdUds3Iaep4pbwARAQAB zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQ2/NQiWBJXzwCGw8CGQEAABfaEAAjGpldJ2VsitBFkb7oqa0R -+JBLPlhPcdCFW7cDpzpaMoZ1DR04NR21vFg4IpIoxkqYWznepUPgYVE/SP56l/B0 -n7rapuIPg9VdxLSFoVNoFX7jXviBUsOrGKSXBp6hPugvh/0Vwt/L2F/9OsnWje3E -jM2mgFOR63G/rGQMn4sCs4UEXUz1sSmrSacpFgKNYZoMx9aYMMR3bHKMqLWU3zkW -ugRqjaxe9jOV73qhENSPYgMoXZEa1IahXC8aeV1Bznw2tQKD/ixMycN2W66/azAU -kdyEUoBE+gCBw0JAgHWZ/jcmiycUD2eZ9Yju/rz2YaDvkpP0rx4Z1s6eF3af0k6K 
-gMChTD0me8H1Cid7bAMdqcvd1hEmIGJviMXlSAZMJtDxF+QRzUAwP87M9lsu1BdR -WFRi45tLwRUwp9H32oFwu3l+qi/DGSVP1B/PWcG6uEmdcp+HEp7cyclCv7obc+4f -0ew0QPEkZ24aPWeH5mI/y4IJW8wC9cK8I0MYdNWUHLNKzTGEkqHIkY0hHfB8AmT7 -MNsSUBh0ozbLAZzYOWHXsRXndJ71OAg8auoxKWWmo7gE3BO1YDM4wxyTRDsmsQuY -OPoh/8kmJpVKvOEzchxz/xHmIBXOwImAMCUTMC+P+PPtWPXbVyOv12ZrPZz7wpI9 -+Djsrk2spQ4me4x/Lri+eQ== -=MFPD +AQgAFgUCAAAAAAkQyPdlz4rR+JICGw8CGQEAACCnEABp7v2daTeTU3kZJb5M3Le7 +pQpY4VxnAQtekhm3zLoUtjYS4jJIIxCKDwKCVlQvGJG7YQtH/kr6P6AN25me/zOu +vvPPTGwnfDN2yVNjV6f1odsLcDOdNHAh+/ZRhUd+nHNSxZ0ZNttHxNotgJJOCPxV +HkJzYzHZkePvK1ICmxFyWR4XwM/yHiBnWguxJ40a/iA6RCsPt+DpWGlF/3+rX1nA +tU7P+j1ENtkbZLUdRFHmNTBBwo9XEVsZ+U3r6gezncmA/D5OTq4MRS5yHSwAX0+o +PWK5LJogTUn82fZ6+0I90bifHlUID1JVAtif76EUNwqQ9e5LcCbgzw0W34djLpKd +vKWj2kp4FeqKlKCJD7xtqieC5F01rfgEjUKRYZMif9E6RBzvz4awC7KEw4k+LON2 +ApKz0S8QGSCTqfKCSJx8sevTvJ3dlDR9qiDv89pI7QaMr2VRgDeNFkS61X9Wb9kD +AADJkXdjwYovknk2SiHyFjSjDWjRR42HhHudD3D3GtTGlbsE8AI9bpc5P6zaQRXZ +IIFOu4/EytTS4BoJGhz0IOjQbhdvlug7DlUvxxUg64GQU3NOMYsQIfGffjf2yNyt +ZUNlkTBqgdWiES1o1Z2wlAFe/X+qcZuouYRLiqjL7arSGNyahSPRPferuY8YbZqR +xdV1XP8tYVK8ecb+OM2tsw== +=ar+A -----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/users/jalr.asc b/keys/users/jalr.asc index 3ff80bd..329f049 100644 --- a/keys/users/jalr.asc +++ b/keys/users/jalr.asc 
@@ -1,52 +1,23 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFalRtcBEADXqtNueywhXtjCy7WXAIzoxfmeCWe0+YzK79dHMz7TIqGQU1X4 -nYi9YJRAgIKvD/gY1i+hUoWrbc3s1YHKIbZsOqhHHuXSPgcpCG/xYWMroc6nsGT3 -iu2pbcxDAWRp0ib67SyCGwEQj/LLUpE0DkptZvUHOBgUGi8pohhbJJ1mAN0E7GJ3 -SjAeLKx59a4Q+S8HEKDJCmP6gCzixxIfS07ncG6TU4ppN8jaN/gEF40IIcTbds4C -L+ieCdz9ZVtlDvGKtNiSlT7XHnbjPMuQBlbPZaiVuylQIkJlyLEjZduhLNueag2V -NgcAfqt6HQCNnZ8B7K781rhb/rHtdk98lvOimOWUbNCXREEOHpoVIxZYYTnkVvLo -YokUncWTMym+6Pelfc7RvtfrK1EjjbblTDn/+Wo5YlBYfI02Vr6RUg1CF4s/FwCc -ogDtiG1eYAEpnHe9aV5lQrvJcgvmXF6cbIUnbaslApo0LH1uCYliInxuxKdOaxTT -qRHgug25/SA5XEH3Sc/WFPCun4LFwEElxcrrE4OeWYiixBYU06GMem7GLa+VAf0E -DxrzkGt16QODFyyJcWGQAp1SPxbBJ+E/QAe7KDK9vVocj31Ug4KA7LoqaLS6dW0e -5VJRqtej/bOzI6zJYJYPGV4XejPPTMpg0se6EvMYw775M+qAajAbFnHRHQARAQAB -tBxKYWtvYiBMZWNobmVyIDxtYWlsQGphbHIuZGU+iQJWBBMBCABAAhsjBwsJCAcD -AgEGFQgCCQoLBBYCAwECHgECF4AWIQR8IHUJViwgjE7BZ26HqOVmLfACdAUCYA2o -ywUJC0mVdAAKCRCHqOVmLfACdEJ+D/9iP3odbY9eNiiFw44BVKj/Y728V7p60/q2 -tCKtLSiF6DfPJ8z2zud6OcTUfn8NuD0bqs2peALhRi/MHRkJq7QuGVN6PNN/9fUa -o9gpjGrwOHISnNkwCmEPJWJ60ZAh9XGJCY466IBAcvYurkq/qDx1BSyEi+makymf -DP2UlyhmsspdOFAoN8+ggIRCWNr6mR1TAZO5O6ce7Wos3nxTlGD1MyPAirbKlAYv -e8zqOHkhijdcKYzSIm/E/9y85aSvwDySOS69JpWEMsmGkXxq/VSv9CNzYEy/+ebR -49aoIZgOr10uY4LLN5c0L+tLvVeSS1976dtwXwRECIplysCm0hZU9Wj9JmfOBACf -Y2kIvMcTL+gREX5CKsvpPk1RChNrpELaOk/EY0hAhH4Nx2WSd6b6Kw/MagApVwNi -zfMqOZsZmSd+RPHqn7hJWaI4hpN0HfjRFpVifjKQtR/Q25c1CzIllSkwGBXQ7AEM -LpHoP1fEzk2Au0v+6q32bY8JCoLwChhcPxDZFzKepHOzgf+8QKq+ZB7KPxjWWAET -lzmzgGhKmaQOnZZsBNYYj78opGXOMxkEThaHCBgKPDTBU6XPNgd/8LYUbai/JpA5 -wDOe6i5Z3c5TNXXOIMBpviUQ3BB1z4kd1YSV8DLPHwhY4q2d1oOGToKUZy39NvaZ -Ds/rHILCQrkCDQRWpUbXARAAwxN80JhEojDcNiDRZOHVM7C4hQSdAOUI3upJpFVi -0aJVRU5+w6yebh/2bMVUgL/UBFiEaKxgBtcy6snBsY5YzSZq6QneVhN0HLFyPAKX -j2zrw2MQAaVtJ+ufihdqpxgWELVfY1ycP5rX6pHXAbQA6kw0lg3FNsUi7q/qIPoO -8q8H656alz5fqvJcu1dBEbEQ+oWXUrROVcBkVjElX3Od2uKm2ZBQajcO5EEYj2Va -QtsBTdzehGnrsssEtr7yZz4d85a3uWU3pJ900Ugn22MCBHS9EOk2IuEArgPFE7eV 
-1S78D+QS7qjU71sJHsHoBeUg5uZoR0hNNnMWqokgYhHA9+A+Qt6KEBPLSb5Bp9Y0 -o5wqRBqjxaLPSGG1NryKkAKc3cvHiCwFW6DxsJzVML1aTH60R879256YCUmVMIUF -pCGjUf3ZkZsFCMKuUDLsBE7Kn2CMVW7yNn1wLOfOhkRfGCtHQNLhIiwTTWD84iDQ -DHQ5v5r2TfosbovSy+HGV0Bi0z3W5tk8x+aV3I67vk5BbSmp9bdC7MkfSuxOYdKA -c3zexmuledVMyjVZvL2DwaJaXYD3YY+ZIUc6N/0Ox/65DllH347022luWUnXjkip -vtM55ENKeGmk3z0368L4atubo2qV1l00UKs+2bdbz65uHDMgGebVBtNsExiO8pzd -1asAEQEAAYkCPAQYAQgAJgIbDBYhBHwgdQlWLCCMTsFnboeo5WYt8AJ0BQJgDai6 -BQkLSZVjAAoJEIeo5WYt8AJ0BxIP/A70jXPM6QKtWGs7xi8n916aVK43ODgCVmDq -vyduV5ywO8x8xljjVuAQm57Ei1thAGCmKzxn4rWmm81cVXBq/ZLRamrDSnP4rctZ -qZfRdsUiLJUimOTxqOn0cDqrJs8trBIIE40M20LX3TlEWueDAhpuO1gndupSb94k -U/PId1VZ1fyPz24tay/GgSfpBa7ZuXiSWr+QtQu2MlX9WXBo7gDo+BDUsZqyy4/w -Gqm1i7NVElW1lJK+KOGCAHC7JcBIjGsfxS3+MjxI0HQ2MeQyDYiwhF0xHDTCLBgv -nXAkFoCe2xB8q/+RZV1hfYGMDPILwFox6OZkpSRW/+a/j1fw+Hi4MidSoe7Xkxbr -zZVTBiFFIUbg46PCxrBdNDtba26vcS4iUZVefqcGa2ZuHQrDYRdYyeqPCZ5z9PLp -tVPYebApFnFSkd8pvcKkx6KPrItWBX5DFsGGTo6QzTg0s/w5WvqNWWHJ3NRFh1V/ -rz/E67uLfJGt3qOVyOkIKKOTzF473Wku9uTMz/BCaBRJ80VhGDYG7Vi5uvQwTte8 -CLhjpjF94XWhijOAIXXavCe+XhmX4QXBIjeDy4UtULi5uod2qCgT8hJRcRdC7T21 -x9o0CU3J3E0QdaVwulZJWEgT4JUTjBJwVRU6jwQNbq0l4FnRrcYULBcidCCAXXzR -GUBE0eMh -=PbMY +mDMEZbmOERYJKwYBBAHaRw8BAQdAarCLR2RvxBnRODJY8WM98gCRbsHzXFTYTIoR +ZlmbOQe0HEpha29iIExlY2huZXIgPGphbHJAamFsci5kZT6IjgQTFgoANhYhBDBE +5x497/SbWGz1gJv0/MuQhU2pBQJluY4RAhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIX +gAAKCRCb9PzLkIVNqbmFAQDG8xNgbZsZx6N2ssVC9k98IUvuKuMZQ6Gju86EsnNY +dgD/eSVRfAKCtIPSGtoLvE5zL80hk117R4f8rbMEvrmt9gm4MwRluY53FgkrBgEE +AdpHDwEBB0DRonRUQIQSfkqX7yHFHewbEYnc/spaPufL6EnSPVLvZ4j1BBgWCgAm +FiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jncCGwIFCQHhM4AAgQkQm/T8y5CF +Tal2IAQZFgoAHRYhBDp0/wfiMHs2RqSZ6EYNR7hAgU8/BQJluY53AAoJEEYNR7hA +gU8/HikBAPOziBknk+WcsKODsdViFedagVgtnjW8J6mJZRKNcD2fAP4/42g9wU2i +KHKHypLlGdmgOVOpSGNcubkcPFcOOHH7AZevAQDUU/UNpIHe7R3rYq4sFT2iYa9T +ZKpmOostoAzyYOViZwD/RA2suqGyrSe96JLnxwzy3LccYgV3VwEbHDWeUTvOCAy4 +OARluY6pEgorBgEEAZdVAQUBAQdAAXZvPoXdFpBhYS8KgCeXweUMlSwsCnXmgiDh 
+neSFMwsDAQgHiH4EGBYKACYWIQQwROcePe/0m1hs9YCb9PzLkIVNqQUCZbmOqQIb +DAUJAeEzgAAKCRCb9PzLkIVNqbmEAQDSBggKtjGkLuYtIHBBCfBF4Dx7odOapasa +tYqZTU7twwD/VhDvRGPbTl7X7DYQ36bmyjTe6cZAj3/M0ueQhlTrJAW4MwRluY7E +FgkrBgEEAdpHDwEBB0B95fmIsa7I4c3ttAko71CuEI/wTam0zYrYJNtL7sz3o4h+ +BBgWCgAmFiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jsQCGyAFCQHhM4AACgkQ +m/T8y5CFTamxRwD6A9TAs2Ac2VUQDCGgIEgUeULB2fZ1i0s0zydXctKJf7wBAL64 +utFE0ryrkFHMGY4xHMwZfvWosYH/qfLlKadnb3cK +=WgEZ -----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/default.nix b/machines/default.nix index a8a11f3..6fd7ae9 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -4,7 +4,14 @@ let in { raven = { - targetHost = "10.105.255.242"; # FIXME + targetHost = "raven.fablab-nea.de"; + system = "x86_64-linux"; + extraModules = [ + hardware.common-cpu-intel + hardware.common-pc-ssd + ]; + }; + party = { system = "x86_64-linux"; extraModules = [ hardware.common-cpu-intel diff --git a/machines/party/configuration.nix b/machines/party/configuration.nix new file mode 100644 index 0000000..d28760c --- /dev/null +++ b/machines/party/configuration.nix @@ -0,0 +1,45 @@ +{ pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./services + ]; + + nixpkgs.config = { allowAliases = false; }; + + console.keyMap = "de"; + services.xserver.layout = "de"; + + services.xserver.enable = true; + services.xserver.desktopManager.gnome.enable = true; + services.xserver.displayManager.gdm = { + enable = true; + autoSuspend = false; + }; + + security.sudo.wheelNeedsPassword = false; + + users.users.party = { + isNormalUser = true; + password = "foobar"; + extraGroups = [ + "wheel" + "audio" + ]; + }; + + environment.systemPackages = with pkgs; [ + firefox + mpv + pavucontrol + ]; + + networking.firewall.enable = false; + + services.openssh.enable = true; + + networking.hostName = "party"; + + system.stateVersion = "21.11"; +} 
diff --git a/machines/party/hardware-configuration.nix b/machines/party/hardware-configuration.nix
new file mode 100644
index 0000000..a07aa08
--- /dev/null
+++ b/machines/party/hardware-configuration.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ ];
+ };
+
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+ fsType = "btrfs";
+ options = [
+ "subvol=root"
+ "discard=async"
+ "compress=zstd"
+ ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+ fsType = "btrfs";
+ options = [
+ "subvol=home"
+ "discard=async"
+ "compress=zstd"
+ ];
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+ fsType = "btrfs";
+ options = [
+ "subvol=nix"
+ "discard=async"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/3e24b5cf-e59f-41b1-9eef-107f808b9242";
+ fsType = "ext2";
+ };
+ };
+}
diff --git a/machines/party/services/colorchord.nix b/machines/party/services/colorchord.nix
new file mode 100644
index 0000000..95c87fa
--- /dev/null
+++ b/machines/party/services/colorchord.nix
@@ -0,0 +1,89 @@
+{ inputs, lib, pkgs, ... }:
+let
+ ledDevices = {
+ kanister = {
+ leds = 43;
+ host = "wled-Kanister";
+ };
+ bar = {
+ leds = 300;
+ host = "wled-Bar";
+ };
+ };
+ soundDevices = {
+ sink = "alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor";
+ source = "alsa_input.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo";
+ };
+
+ devicesProduct = lib.fold
+ (soundDevice: acc: acc // lib.mapAttrs'
+ (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
+ source = soundDevice.id;
+ }))
+ ledDevices)
+ { }
+ (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
+in
+{
+ environment.systemPackages = with pkgs; [
+ colorchord2
+ ];
+
+ environment.etc = lib.mapAttrs'
+ (name: config: lib.nameValuePair
+ "colorchord/${name}.conf"
+ {
+ text = ''
+ # Basic
+ outdrivers = DisplayNetwork, OutputLinear
+ headless = 1
+
+ # Audio input
+ amplify = 10
+ samplerate = 48000
+ devrecord = ${config.source}
+
+ # Visualiser
+ cpu_autolimit = 1
+ satamp = 1
+
+ # LED config
+ leds = ${toString config.leds}
+ is_loop = ${if config ? loop && config.loop then "1" else "0"}
+ light_siding = 1.5
+ led_floor = 0.1
+ steady_bright = 1
+ fliprg = 0
+
+ # WLED
+ wled_realtime = 1
+ port = 19446
+ address = ${config.host}
+ wled_timeout = 2
+ skipfirst = 0
+ '';
+ })
+ devicesProduct;
+
+ systemd.user.services = builtins.listToAttrs (map
+ (soundDevice: lib.nameValuePair
+ "colorchord-${soundDevice}@"
+ {
+ partOf = [ "colorchord-${soundDevice}.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
+ '';
+ Restart = "always";
+ };
+ })
+ (lib.attrNames soundDevices));
+
+ systemd.user.targets = builtins.listToAttrs (map
+ (soundDevice: lib.nameValuePair
+ "colorchord-${soundDevice}"
+ {
+ wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
+ })
+ (lib.attrNames soundDevices));
+}
diff --git a/machines/party/services/default.nix b/machines/party/services/default.nix
new file mode 100644
index 0000000..8dd7f39
--- /dev/null
+++ b/machines/party/services/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./colorchord.nix
+ ./dmx.nix
+ ];
+}
diff --git a/machines/party/services/dmx.nix b/machines/party/services/dmx.nix
new file mode 100644
index 0000000..6f9cb9d
--- /dev/null
+++ b/machines/party/services/dmx.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ qlcplus
+ ];
+
+ services.udev.extraRules = ''
+ # uDMX
+ SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="05dc", GROUP="users", MODE="0660"
+ '';
+}
diff --git a/machines/raven/README.md b/machines/raven/README.md
new file mode 100644
index 0000000..2799b0d
--- /dev/null
+++ b/machines/raven/README.md
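Review bot: `inputs` in the colorchord.nix module arguments is never referenced in the body, and both `builtins.listToAttrs (map (soundDevice: lib.nameValuePair ...) (lib.attrNames soundDevices))` constructions are `lib.mapAttrs'` written by hand; `systemd.user.targets = lib.mapAttrs' (soundDevice: _: lib.nameValuePair "colorchord-${soundDevice}" { ... }) soundDevices;` matches the style of the `environment.etc` binding right above them. Naming the inner lambda parameter `config` in that `environment.etc` binding will shadow the NixOS module argument the moment someone adds `config` to the signature; `dev` or `cfg` avoids that. Neither the `colorchord-*` targets nor the template services carry `wantedBy`, so they have to be started by hand; if that is intentional, a one-line comment saying so would spare the next reader a puzzle.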
@@ -0,0 +1,15 @@
+# raven
+
+## Services
+
+### unifi-controller
+
+The unifi controller is used for managing the wireless network. It provides a [Web UI](https://raven.fablab-nea.de:8443).
+
+The following ports are opened in the firewall:
+
+ - `3478/udp` used for STUN
+ - `6789/tcp` used for UniFi mobile speed test
+ - `8080/tcp` used for application GUI/API as seen in a web browser
+ - `8880/tcp` used for HTTP portal redirection
+ - `10001/udp` used for device discovery
diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix
index 4e00871..d16de7c 100644
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./hardware-configuration.nix
+ ./disko.nix
 ./services
 ];
@@ -13,38 +14,56 @@
 networking = {
 useDHCP = false;
 vlans = {
- jt = {
- id = 2;
- interface = "enp0s25";
- };
 labprod = {
 id = 1;
- interface = "enp0s25";
+ interface = "eno1";
 };
- labdev = {
+ voip = {
 id = 5;
- interface = "enp0s25";
+ interface = "eno1";
+ };
+ pubevent = {
+ id = 6;
+ interface = "eno1";
 };
 };
 interfaces = {
- labprod.useDHCP = true;
- jt.useDHCP = true;
- labdev.ipv4.addresses = [{
+ eno2.useDHCP = true;
+ labprod.ipv4.addresses = [{
 address = "192.168.94.1";
 prefixLength = 24;
 }];
+ pubevent.ipv4.addresses = [{
+ address = "10.10.0.1";
+ prefixLength = 20;
+ }];
+ voip.ipv4.addresses = [{
+ address = "192.168.93.1";
+ prefixLength = 24;
+ }];
 };
 nat = {
 enable = true;
- externalInterface = "jt";
- internalInterfaces = lib.singleton "labdev";
+ externalInterface = "eno2";
+ internalInterfaces = [
+ "labprod"
+ "pubevent"
+ "voip"
+ ];
 };
 };
 i18n.defaultLocale = "en_US.UTF-8";
 console.keyMap = "de";
- security.sudo.wheelNeedsPassword = false;
+ security = {
+ sudo.wheelNeedsPassword = false;
+
+ acme = {
+ acceptTerms = true;
+ defaults.email = "accounts+letsencrypt.org@fablab-nea.de";
+ };
+ };
 users.users = {
 simon = {
@@ -54,7 +73,7 @@
 };
 jalr = {
 isNormalUser = true;
- extraGroups = [ "wheel" "docker" ];
+ extraGroups = [ "wheel" "docker" "audio" ];
 openssh.authorizedKeys.keys = config.fablab.pubkeys.users.jalr;
 };
 };
@@ -63,5 +82,14 @@
 virtualisation.docker.enable = true;
- system.stateVersion = "21.05";
+ services.nginx.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # FIXME
+ networking.hosts = {
+ "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ];
+ };
+
+ system.stateVersion = "24.05";
 }
diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix
new file mode 100644
index 0000000..84ad2ea
--- /dev/null
+++ b/machines/raven/disko.nix
@@ -0,0 +1,54 @@
+{
+ disko.devices = {
+ disk = {
+ nvme = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-WD_Green_2.5_240GB_232497451701";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ type = "EF00";
+ size = "1024M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "raven-crypt";
+ settings = {
+ allowDiscards = true;
+ };
+ extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd" "noatime" "nodev" "nosuid" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/raven/hardware-configuration.nix b/machines/raven/hardware-configuration.nix
index fab0cda..27292cd 100644
--- a/machines/raven/hardware-configuration.nix
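Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens nginx on every interface, including the NAT external interface `eno2` configured in the earlier hunk; if that is deliberate for the ACME HTTP-01 challenge of raven.fablab-nea.de, a comment should say so, otherwise `networking.firewall.interfaces.<iface>.allowedTCPPorts` scopes it to the lab VLANs. The `# FIXME` above `networking.hosts` does not say what is wrong or what the intended fix is, which makes it hard to ever resolve. Raising `system.stateVersion` from `"21.05"` to `"24.05"` changes stateful service defaults and is only appropriate because the host is being reinstalled via disko in this same commit; that reasoning belongs in the commit message.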
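Review bot: The `/nix` subvolume's `mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ]` lists `"noatime"` twice; drop the duplicate. The disk entry is named `nvme` but its `device` is `ata-WD_Green_2.5_240GB_...`, a SATA SSD, which will mislead whoever adds a real NVMe later. `extraFormatArgs` passes all cryptsetup flags as one list element, which only works if disko joins the list with `toString`; one flag per element is correct under any joining rule. No `passwordFile`/`keyFile` is configured for the LUKS container, so formatting prompts interactively; the `luks-passfile.gpg` added in this commit is presumably meant for that, but nothing in the diff references it.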
+++ b/machines/raven/hardware-configuration.nix
@@ -19,26 +19,14 @@
 "aesni_intel"
 "cryptd"
 ];
-
- luks.devices."cryptroot".device = "/dev/disk/by-uuid/ad04bc72-bc84-42e3-856f-152c162ad88c";
+ kernelModules = [ "dm-snapshot" ];
 };
 loader = {
 systemd-boot.enable = true;
+ systemd-boot.configurationLimit = 20;
 efi.efiSysMountPoint = "/boot";
 efi.canTouchEfiVariables = true;
 };
 };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/1ac13504-fb49-4739-a0e3-f87a3f840fb1";
- fsType = "btrfs";
- options = [ "discard=async" "noatime" "compress=zstd" ];
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/0FEA-FAF6";
- fsType = "vfat";
- };
- };
 }
diff --git a/machines/raven/luks-passfile.gpg b/machines/raven/luks-passfile.gpg
new file mode 100644
index 0000000..3b3390b
Binary files /dev/null and b/machines/raven/luks-passfile.gpg differ
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
new file mode 100644
index 0000000..872e6ea
--- /dev/null
+++ b/machines/raven/secrets.yaml
@@ -0,0 +1,57 @@ +dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str] +asterisk-pjsip: ENC[AES256_GCM,data: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,iv:xh7XXUyLD68UDBBG5aKI/HWxjMZ0Tr4sLkIeQ8vQIso=,tag:FyLg1FhxUGjcNGD2sq4Oeg==,type:str] +asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str] +asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] +prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str] +unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBML0wrQWtGbjhEY1BpT0lU + OXZZTlF5SzlWSGc4dzgvYnJ1QUtRUDM4a0QwCmU2bEVRUEZFTEw3QW9MUm16QVFk + bmlwMmN5eldzRis4czJNTkpGUUkyd3cKLS0tIFZ3TWswMnBXOW5xOW8zbTNiUGtS + T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc + Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-04T10:58:16Z" + mac: 
ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] + pgp: + - created_at: "2024-09-24T19:30:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DY/xpNY5WhB0SAQdAyqAyhamC5ViSdA1B1b8fI2iaSIAfyVJEe2ZaDyFI82Uw + NPvBXNKx4u0KTnMG6tl63Tb2/6sC4uhkp3n/pM+cxKIMfTXodIenddK5siPs8MQI + 0l4BeIxec9DiNskvxTqnZ7jtVd7hWy494cDrr7Yb9J0GZWQ5mP2ZtqgcDkbzZnqb + E8glyIInDNAKedtpbE0waUWPwbA3XAgsQX6xijwe5q0j4Rqqc4rlvJuk9Xd7G+M9 + =77Op + -----END PGP MESSAGE----- + fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 + - created_at: "2024-09-24T19:30:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDgSONkM+d4AQ//VH43OoHprfVhgtPmGjP3dHvWxLkAtyEi2QOYWjGLGbuw + l5TAY8RAp3c34E0qp52a2a+GSJUwdxVusK4MSWGzzg0x1VKPFr5Dz11SRnjqyWuQ + sM7zo9AP1cIUoIaP4G/jnwYicEH+3ADjFEpNazfNw56cpjWL/1yQSKK4uk4x/m7e + AWWcRQHJa7j/sPuR2R24CQjZq6WfxoDDe2v1J+NTxBoZh16CJ8LDUWOCAgRDvEDn + d1WczY5cu0n/IAl8baKrvAtBoahEeF97lBmZ7BtXiFT2c6jvwjY0erj+BA0N4Jfc + WnJaU1y+a0RKxvH3AOo7R09NmvFtfWcUrFD6k5jLGhvbkuMd4+akEhDv98GeW77m + qjimf2gOLt0mR536JQP0pZ41O5hXLGVhPDESRWKMkeJcJ97+7wN9WkUnfW+AA0+y + TSqQ+KEsJMIYK1HCWJeW8oc+G+gEY7iutIxY+dL7NV8EzUWREhy0/1WzEIb3AfgH + XfzQufzXnKG844GUV0WKHiff7/Wmuhcz6+yFNLqdG2u7LM91eBB3B00ubFmfcz4U + OO4SopFeGHUo7xjQMDI3SzwPocRBsL3Fz+f2o5zsOGUPS/UebLwgN4UvaW0BKbZ5 + zRiC0v5OKWRMxZVbhpmfvfYFEjkflVfYuiTul6ajnaXarO+S9Sp8r+RSkkJx7ZXS + XgHjN92PHYzz8O0ls8NxJiMFdG5ozfims6VN3sC98LjhRsaCb5oEwh8ZoB6WDb7y + 0FeEsVM12vBGVF2oU8SVSJNnsgf4aMCTAPi+vdimq4UBKMEyxBwWkp62r2xXmoA= + =/jcl + -----END PGP MESSAGE----- + fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix new file mode 100644 index 0000000..075024a --- /dev/null +++ b/machines/raven/services/asterisk.nix 
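Review bot: The metadata shows `lastmodified: "2023-08-04T10:58:16Z"` while both PGP stanzas carry `created_at: "2024-09-24T19:30:34Z"`, which looks like the file was re-keyed for the fingerprint `3044E71E…` with `sops updatekeys` rather than rotated. `updatekeys` only re-wraps the existing data key for the new recipient set, so every key that could previously decrypt this file (and anyone holding an older clone of the repo) still knows the key protecting these six values. If a recipient was replaced or dropped as part of this change, run `sops rotate -i machines/raven/secrets.yaml` so a fresh data key is generated, and rotate the underlying credentials (`dyndns-password`, `unpoller-password`, `prometheus-htpasswd`, the asterisk secrets) unless the old private key is known to be destroyed. A short comment in the commit or README saying which keys are current would make future audits of this file much easier.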
@@ -0,0 +1,138 @@ +{ config, lib, ... }: +let + cfg = config.services.asterisk; + secretConfigFiles = [ + "ari" + "pjsip" + "voicemail" + ]; + rtp = { + start = 10000; + end = 10200; + }; +in +{ + services.asterisk = { + enable = true; + confFiles = { + "extensions.conf" = '' + [sipgate-in] + exten => _2430207e0,1,Noop(Processing an incoming call) + same => n,Dial(PJSIP/100,20,tT) + same = n,VoiceMail(7929876@fablab,su) + same => n,Hangup() + + exten => _3529,1,Noop(Processing an incoming call) + same => n,Dial(PJSIP/100,60,tT) + same => n,Hangup() + + [dect] + exten = 99,1,Answer() + same = n,Wait(1) + same = n,VoiceMailMain(7929876@fablab) + same = n,Hangup() + + exten = 98,1,Answer() + same = n,Wait(1) + same = n,Playback(der_dude_ist_nicht) + same = n,Hangup() + + exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT) + same = n,Hangup() + + ; Kassen + exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT) + same = n,Hangup() + + ; weinturm + exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT) + same = n,Hangup() + ; /weinturm + + exten => _XXX.,1,Noop(Processing an outgoing call) + same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT) + same => n,Hangup() + + [cisco] + exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT) + same = n,Hangup() + + exten = 420,1,Dial(PJSIP/101,30,tT) + same = n,Hangup() + + exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT) + same = n,Hangup() + + ; weinturm + exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT) + same = n,Hangup() + + ; Kleinturm + exten = _58X,1,Dial(PJSIP/''${EXTEN},30,tT) + same = n,Hangup() + + ; /weinturm + ''; + "http.conf" = '' + [general] + enabled=yes + bindaddr=127.0.0.1 + + ; Port to bind to for HTTP sessions (default is 8088) + ;bindport=8088 + + tlsdisablev1=yes + tlsdisablev11=yes + tlsdisablev12=yes + + tlsservercipherorder=yes + ''; + "rtp.conf" = '' + [general] + rtpstart=${toString rtp.start} + rtpend=${toString rtp.end} + ''; + "dnsmgr.conf" = '' + [general] + enable=yes + refreshinterval=60 + ''; + "prometheus.conf" = '' + [general] + enabled = yes + 
''; + }; + useTheseDefaultConfFiles = [ ]; + }; + + system.activationScripts.copyAsteriskFiles = lib.stringAfter [ "var" ] '' + rm -f /var/lib/asterisk/documentation/core-en_US.xml + mkdir -p /var/lib/asterisk/documentation + ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml + ''; + + sops.secrets = (lib.listToAttrs (map + (name: lib.nameValuePair "asterisk-${name}" { + sopsFile = ../secrets.yaml; + owner = config.users.users.asterisk.name; + }) + secretConfigFiles)); + environment.etc = lib.mapAttrs' + (name: _: lib.nameValuePair + "asterisk/${name}.conf" + { source = config.sops.secrets."asterisk-${name}".path; }) + (lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles)); + + networking.firewall = { + allowedUDPPorts = [ + 5060 + 5062 + ]; + allowedUDPPortRanges = [ + { + from = rtp.start; + to = rtp.end; + } + ]; + }; +} diff --git a/machines/raven/services/colorchord.nix b/machines/raven/services/colorchord.nix new file mode 100644 index 0000000..7194834 --- /dev/null +++ b/machines/raven/services/colorchord.nix 
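Review bot: In `extensions.conf` the `[dect]` context ends with `exten => _XXX.,1,Dial(PJSIP/${EXTEN}@sipgate,tT)`, which routes every three-or-more-digit number that did not match an internal pattern out over the sipgate trunk, including international and premium-rate prefixes, so any handset or compromised endpoint in that context can run up toll charges. Narrow it to the destinations you actually need (for example separate national and international entries, with premium prefixes such as `_0900X.` and `_0137X.` sent to `Hangup()` before the trunk line) and add a comment stating which destinations are intentionally reachable. `networking.firewall.allowedUDPPorts = [ 5060 5062 ]` and the RTP range are opened on every interface; if the phones live on the voice VLAN and the sipgate registration is outbound, restrict them with `networking.firewall.interfaces.<voice-if>.allowedUDPPorts` so SIP is not exposed to the internet, and consider `services.fail2ban` for the registration-scan noise that follows otherwise. The three `tlsdisablev1*` lines in `http.conf` are inert because `tlsenable` is not set; either drop them or enable TLS deliberately.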
@@ -0,0 +1,109 @@ +{ inputs, lib, pkgs, ... }: +let + ledDevices = { + workbench-1 = { + leds = 87 * 2; + host = "wled-Workbench-1"; + }; + workbench-2 = { + leds = 87 * 2; + host = "wled-Workbench-2"; + }; + elektrodecke = { + leds = 87 * 2; + host = "wled-Elektrodecke"; + }; + traverse = { + leds = 235; + host = "wled-Traverse"; + }; + nhecke = { + leds = 75; + host = "wled-Nhecke"; + }; + printerbench = { + leds = 80; + host = "wled-Printerbench"; + }; + resedaraum = { + leds = 285; + host = "wled-Resedaraum"; + loop = true; + }; + }; + soundDevices = { + sink = "alsa_output.usb-Burr-Brown_from_TI_USB_Audio_DAC-00.analog-stereo"; + }; + + devicesProduct = lib.fold + (soundDevice: acc: acc // lib.mapAttrs' + (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // { + source = soundDevice.id; + })) + ledDevices) + { } + (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices)); +in +{ + environment.systemPackages = with pkgs; [ + colorchord2 + ]; + + environment.etc = lib.mapAttrs' + (name: config: lib.nameValuePair + "colorchord/${name}.conf" + { + text = '' + # Basic + outdrivers = DisplayNetwork, OutputLinear + headless = 1 + + # Audio input + amplify = 10 + samplerate = 48000 + devrecord = ${config.source} + + # Visualiser + cpu_autolimit = 1 + satamp = 1 + + # LED config + leds = ${toString config.leds} + is_loop = ${if config ? 
loop && config.loop then "1" else "0"} + light_siding = 1.5 + led_floor = 0.1 + steady_bright = 1 + fliprg = 0 + + # WLED + wled_realtime = 1 + port = 19446 + address = ${config.host} + wled_timeout = 2 + skipfirst = 0 + ''; + }) + devicesProduct; + + systemd.user.services = builtins.listToAttrs (map + (soundDevice: lib.nameValuePair + "colorchord-${soundDevice}@" + { + partOf = [ "colorchord-${soundDevice}.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf + ''; + Restart = "always"; + }; + }) + (lib.attrNames soundDevices)); + + systemd.user.targets = builtins.listToAttrs (map + (soundDevice: lib.nameValuePair + "colorchord-${soundDevice}" + { + wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices); + }) + (lib.attrNames soundDevices)); +} diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix index c118dfb..d0b18c3 100644 --- a/machines/raven/services/default.nix +++ b/machines/raven/services/default.nix @@ -1,5 +1,15 @@ { imports = [ + ./asterisk.nix + ./colorchord.nix ./dnsmasq.nix + ./dyndns.nix + ./freeradius.nix + ./grafana.nix + ./labsync + ./mailhog.nix + ./prometheus.nix + ./unifi-controller.nix + ./wekan.nix ]; } diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix index 1eeac78..8960eb2 100644 --- a/machines/raven/services/dnsmasq.nix +++ b/machines/raven/services/dnsmasq.nix 
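Review bot: `is_loop = ${if config ? loop && config.loop then "1" else "0"}` is the long form of `${if config.loop or false then "1" else "0"}`, and naming the lambda parameter `config` invites confusion with the NixOS module `config` argument even though this module does not take it; `led` or `dev` would read better. `devicesProduct` uses `lib.fold`, which is an alias for `lib.foldr` (the preferred name), and since `soundDevices` is already an attribute set the conversion to a list of `{ name; id; }` records could go in favour of `lib.mapAttrs'`/`lib.concatMapAttrs` (available in recent nixpkgs) over it directly. `inputs` in the argument pattern is unused. The `Restart = "always"` user services set no `RestartSec`, so if a WLED host or the USB DAC is absent at login systemd will hit its start-rate limit within a second and leave the unit failed; `RestartSec = 5` (or whatever retry interval is acceptable) keeps them retrying.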
@@ -1,36 +1,93 @@ { pkgs, ... }: +let + stateDir = "/var/lib/dnsmasq"; + dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" '' + dhcp-leasefile=${stateDir}/dnsmasq-events.leases + bind-dynamic + listen-address=10.10.0.1 + except-interface=lo + + domain=events.fablab-nea.de + dhcp-range=10.10.0.20,10.10.15.254,24h + + cache-size=10000 + dns-forward-max=1000 + + no-hosts + ''; +in { services.dnsmasq = { enable = true; - - extraConfig = '' - bind-dynamic - - expand-hosts - domain=lab.fablab-nea.de - dhcp-range=192.168.94.20,192.168.94.254,5m - - dhcp-boot=lpxelinux.0,raven,192.168.94.1 - - cache-size=10000 - dns-forward-max=1000 - - auth-zone=lab.fablab-nea.de,192.168.94.0/24 - auth-server=lab.fablab-nea.de,78.47.224.251 - - no-hosts - addn-hosts=${pkgs.writeText "hosts.dnsmasq" '' - 192.168.94.1 raven labsync + settings = { + server = [ + "142.250.185.78" # dns.as250.net + "2001:470:20::2" # ordns.he.net + "74.82.42.42" # ordns.he.net + ]; + bind-dynamic = true; + listen-address = [ + "192.168.93.1" + "192.168.94.1" + ]; + interface = "lo"; + expand-hosts = true; + domain = "lab.fablab-nea.de"; + dhcp-range = [ + "set:voice,192.168.93.20,192.168.93.254,4h" + "set:lab,192.168.94.20,192.168.94.254,4h" + ]; + dhcp-host = [ + "00:30:42:1b:23:ed,192.168.93.21,rfp-01" + "00:30:42:1b:21:c1,192.168.93.22,rfp-02" + "00:30:42:1b:26:f6,192.168.93.23,rfp-03" + "00:30:42:1b:22:3b,192.168.93.24,rfp-04" + "00:30:42:1b:22:7c,192.168.93.25,rfp-05" + ]; + dhcp-option = [ + "vendor:OpenMobility,10,192.168.93.21" + "vendor:OpenMobility,224,OpenMobilitySIP-DECT" + ]; + dhcp-boot = "lpxelinux.0,raven,192.168.94.1"; + cache-size = 10000; + dns-forward-max = 1000; + auth-zone = "lab.fablab-nea.de,192.168.94.0/24"; + auth-server = "lab.fablab-nea.de,78.47.224.251"; + no-hosts = true; + addn-hosts = "${pkgs.writeText "hosts.dnsmasq" '' + 192.168.94.1 raven labsync unifi 192.168.94.2 switch - ''} - ''; + 192.168.94.3 schneiderscheune-weinturm-ap + 192.168.94.4 
schneiderscheune-weinturm-sta + 192.168.94.5 wechselbruecke-router + 192.168.94.6 wechselbruecke-ap + 192.168.94.7 helferbereich-sta + 192.168.94.8 helferbereich-switch + 192.168.94.9 kleinturmbuehne-router + ''}"; + }; + }; - servers = [ - "142.250.185.78" # dns.as250.net - "2001:470:20::2" # ordns.he.net - "74.82.42.42" # ordns.he.net - ]; + systemd.services."dnsmasq-events" = { + description = "dnsmasq daemon for public event network"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.dnsmasq ]; + preStart = '' + mkdir -m 755 -p ${stateDir} + dnsmasq --test -C ${dnsmasqEventsConf} + ''; + serviceConfig = { + Type = "dbus"; + BusName = "uk.org.thekelleys.dnsmasq-events"; + ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + PrivateTmp = true; + ProtectSystem = true; + ProtectHome = true; + Restart = "on-failure"; + }; }; networking.firewall = { diff --git a/machines/raven/services/dyndns.nix b/machines/raven/services/dyndns.nix new file mode 100644 index 0000000..47795c1 --- /dev/null +++ b/machines/raven/services/dyndns.nix @@ -0,0 +1,16 @@ +{ config, ... }: +{ + sops.secrets.dyndns-password = { + sopsFile = ../secrets.yaml; + }; + services.ddclient = { + enable = true; + interval = "1min"; + server = "www.duckdns.org"; + protocol = "duckdns"; + username = "nouser"; + passwordFile = config.sops.secrets.dyndns-password.path; + domains = [ "fablab-nea" ]; + use = "web, web=freedns.afraid.org/dynamic/check.php"; + }; +} diff --git a/machines/raven/services/freeradius.nix b/machines/raven/services/freeradius.nix new file mode 100644 index 0000000..9fb95db --- /dev/null +++ b/machines/raven/services/freeradius.nix 
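Review bot: Neither resolver sets `stop-dns-rebind`, `bogus-priv` or `domain-needed`, so upstream answers pointing at 192.168.x/10.10.x addresses are passed straight to clients and RFC1918 reverse lookups leak upstream; for the `dnsmasq-events` instance serving an open guest network that is the usual DNS-rebinding foothold against the lab hosts listed in `addn-hosts`. Add `stop-dns-rebind`, `rebind-localhost-ok`, `bogus-priv` and `domain-needed` to both configurations (in `settings` for the main instance and as lines in `dnsmasqEventsConf`). The events instance has no `server=` lines, so it forwards via `/etc/resolv.conf`; if that points at the main instance on loopback (which `except-interface=lo` suggests it may), say so in a comment, because guest queries then transit the lab resolver and its authoritative data. `ProtectSystem = true` is the weak level; `ProtectSystem = "strict"` with `ReadWritePaths = [ stateDir ]`, plus `ProtectKernelTunables`, `ProtectControlGroups` and a `CapabilityBoundingSet` of roughly `CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN`, is what dnsmasq needs to bind its ports, drop to `dnsmasq` and write the lease file.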
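Review bot: `use = "web, web=freedns.afraid.org/dynamic/check.php"` discovers the public address over plain HTTP, so anyone on path can feed ddclient an attacker-chosen IP that it will then push into the `fablab-nea` duckdns record every minute; since the vhosts in this change obtain ACME certificates for names under `fablab-nea.de`, redirecting that record (if those names resolve through it) is worth more than usual. If the packaged ddclient supports it, use `web=https://freedns.afraid.org/dynamic/check.php` (or another HTTPS checker) and keep `services.ddclient.ssl` at its default `true` for the update call; ddclient versions differ here, so verify in the journal that the check really happens over TLS. A comment explaining why `username = "nouser"` is correct for the duckdns protocol would save the next reader a lookup.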
@@ -0,0 +1,17 @@
+# service for unifi wifi
+# provides anonymous access via WPA2 enterprise (PEAP)
+{ pkgs, ... }:
+
+{
+ services.freeradius = {
+ enable = true;
+ configDir = "${pkgs.fablab.freeradius-anon-access}/raddb";
+ debug = true;
+ };
+ users.users.radius.group = "radius";
+ users.groups.radius = { };
+ networking.firewall.allowedUDPPorts = [
+ 1812
+ 1813
+ ];
+}
diff --git a/machines/raven/services/grafana.nix b/machines/raven/services/grafana.nix
new file mode 100644
index 0000000..29558c2
--- /dev/null
+++ b/machines/raven/services/grafana.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+let
+ domain = "grafana.fablab-nea.de";
+ srv = config.services.grafana.settings.server;
+in
+{
+ services.grafana = {
+ enable = true;
+ settings.server.domain = domain;
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
+ recommendedProxySettings = true;
+ };
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ '';
+ };
+}
diff --git a/machines/raven/services/labsync/default.nix b/machines/raven/services/labsync/default.nix
new file mode 100644
index 0000000..8a9250a
--- /dev/null
+++ b/machines/raven/services/labsync/default.nix
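Review bot: `debug = true` runs radiusd in `-X` mode, which logs every attribute of every request to the journal; on a production authenticator that fills the logs with MAC addresses and EAP identities and, for any PAP-style inner method, cleartext credentials. Drop it, or gate it behind a clearly named option, and note in the header comment that it must stay off outside troubleshooting. `networking.firewall.allowedUDPPorts = [ 1812 1813 ]` opens RADIUS on every interface, but the only legitimate clients are the UniFi access points, so `networking.firewall.interfaces.<lan-if>.allowedUDPPorts` (together with the shared secret in `clients.conf`, which this hunk does not show) keeps the authenticator off the internet.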
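Review bot: Only `settings.server.domain` is set, so Grafana's `root_url` still expands from its default `%(protocol)s://%(domain)s:%(http_port)s/`, i.e. `http://grafana.fablab-nea.de:3000/`, and redirects, OAuth callbacks and e-mailed links behind this TLS-terminating proxy will carry the wrong scheme and port; add `settings.server.root_url = "https://${domain}/";` beside `domain`. `add_header X-XSS-Protection "1; mode=block"` is deprecated and can itself cause information leaks in the legacy browsers that honour it; current guidance is `"0"` or omitting it, and recent Grafana versions already emit their own `X-Frame-Options`/`X-Content-Type-Options`, so most of the `extraConfig` block is redundant. Nothing here sets `security.admin_password` or disables the default admin account, so unless that is configured elsewhere the instance goes live with well-known default credentials on a public vhost.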
@@ -0,0 +1,50 @@ +# legacy labsync, currently partly implemented in docker outside of this configuration +{ pkgs, ... }: + +let + generator_port = 8695; +in +{ + services.opentracker.enable = true; + + services.nginx.virtualHosts."labsync.fablab-nea.de" = { + addSSL = true; + enableACME = true; + locations = { + "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; + }; + }; + services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = { + locations = { + "/" = { + root = "/opt/docker/tftpgen/data"; + extraConfig = '' + autoindex on; + ''; + }; + "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; + }; + }; + + services.atftpd = { + enable = true; + root = pkgs.runCommand "pxelinux-tftproot" { } '' + mkdir -p $out/pxelinux.cfg + cp ${pkgs.syslinux}/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,lpxelinux.0,vesamenu.c32} $out + cp ${./splash.png} $out/splash.png + cp ${./pxelinux.cfg} $out/pxelinux.cfg/default + # required to serve labsync/labsync.cfg, which is generated dynamically by a docker container + ln -s /opt/docker/tftpgen/data $out/labsync + ''; + }; + + networking.firewall.allowedTCPPorts = [ + 6881 # aria2 + 6969 # opentracker + ]; + networking.firewall.allowedUDPPorts = [ + 6882 # aria2 + 69 # tftpd + 6969 # opentracker + ]; +} diff --git a/machines/raven/services/labsync/pxelinux.cfg b/machines/raven/services/labsync/pxelinux.cfg new file mode 100644 index 0000000..0aa7cc9 --- /dev/null +++ b/machines/raven/services/labsync/pxelinux.cfg 
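Review bot: The `labsync.lab.fablab-nea.de` vhost serves `/opt/docker/tftpgen/data` with `autoindex on`, and the public `labsync.fablab-nea.de` vhost proxies `/generator/` to `127.0.0.1:8695` with nothing in front of it; if the generator can create or change boot configurations (the comment says `labsync.cfg` is generated dynamically), an anonymous internet client can decide what every PXE client in the lab boots next. Put `basicAuthFile` or an allow-list (`extraConfig = "allow 192.168.94.0/24; deny all;"`) on the public `/generator/` location, or drop it from the public host if it is only needed on the lab VLAN. PXE is unauthenticated by design, so the TFTP root and the symlinked `labsync/` directory are a trust boundary worth a comment, and `69/udp`, `6969` and the aria2 ports should be limited to the lab interface via `networking.firewall.interfaces` rather than opened on all interfaces. `/opt/docker/tftpgen/data` is hard-coded three times; a `let` binding would keep them in sync.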
@@ -0,0 +1,21 @@ +# default menu settings +menu width 100 +menu height 24 +menu title labsync + +# can be overwriten by mounting another image; has to be 1024×768 in 16:9 +menu background splash.png +menu color border * #00000000 #00000000 none +menu color sel * #ffffffff #76a1d0ff * +menu color hotsel 1;7;37;40 #ffffffff #76a1d0ff * +menu cmdlinerow 16 +menu timeoutrow 16 +menu tabmsgrow 18 +# do not show “press tab to edit options…” entry (empty) +menu tabmsg + +include labsync/labsync.cfg +default vesamenu.c32 + +# disable timeout (explicitly) +timeout 0 diff --git a/machines/raven/services/labsync/splash.png b/machines/raven/services/labsync/splash.png new file mode 100644 index 0000000..8cd09d9 --- /dev/null +++ b/machines/raven/services/labsync/splash.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:59980cbbf0c87d3d5045c7434e294fc04a8b313181e079104881bf62589adf2c +size 878475 diff --git a/machines/raven/services/mailhog.nix b/machines/raven/services/mailhog.nix new file mode 100644 index 0000000..8ec4c7b --- /dev/null +++ b/machines/raven/services/mailhog.nix @@ -0,0 +1,4 @@ +{ config, ... }: +{ + services.mailhog.enable = true; +} diff --git a/machines/raven/services/prometheus.nix b/machines/raven/services/prometheus.nix new file mode 100644 index 0000000..5ec4a7a --- /dev/null +++ b/machines/raven/services/prometheus.nix 
@@ -0,0 +1,144 @@ +{ config, lib, pkgs, ... }: + +let + domain = "prometheus.fablab-nea.de"; + cfg = config.services.prometheus; + mkStaticTargets = targets: lib.singleton { inherit targets; }; + mkStaticTarget = target: mkStaticTargets (lib.singleton target); +in +{ + services.prometheus.exporters.node.enable = true; + + services.prometheus = { + enable = true; + listenAddress = "127.0.0.1"; + webExternalUrl = "https://${domain}"; + globalConfig = { + scrape_interval = "15s"; + evaluation_interval = "15s"; + }; + extraFlags = [ + "--storage.tsdb.retention.time=90d" + "--web.enable-admin-api" + ]; + alertmanagers = [ + { + static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; + path_prefix = "/alertmanager/"; + } + ]; + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + webExternalUrl = "https://${domain}/alertmanager"; + configuration = { + global.resolve_timeout = "2m"; + + route = { + receiver = "matrix"; + group_by = [ "alertname" ]; + group_wait = "3m"; + }; + + receivers = [ + { + name = "matrix"; + webhook_configs = lib.singleton { + url = "http://localhost/webhook"; + }; + } + ]; + }; + }; + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = mkStaticTargets [ + "localhost:${toString cfg.port}" + "kleinturmbuehne-router:9100" + ]; + } + { + job_name = "node"; + static_configs = mkStaticTargets [ + "127.0.0.1:9100" + ]; + } + { + job_name = "asterisk"; + metrics_path = "/"; + static_configs = mkStaticTargets [ + "127.0.0.1:8088" + ]; + } + { + job_name = "mikrotik"; + static_configs = mkStaticTargets [ + "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}" + ]; + } + { + job_name = "unifi"; + static_configs = mkStaticTargets [ + "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}" + ]; + } + ]; + rules = + let + mkAlert = { name, expr, for ? "1m", description ? 
null }: { + alert = name; + inherit expr for; + annotations = lib.optionalAttrs (description != null) { inherit description; }; + }; + in + [ + (lib.generators.toYAML { } { + groups = lib.singleton { + name = "alert.rules"; + rules = map mkAlert [ + { + name = "InstanceDown"; + expr = ''up == 0''; + description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for + more than 1 minutes."; + } + ]; + }; + }) + ]; + }; + + sops.secrets.prometheus-htpasswd = { + owner = "nginx"; + sopsFile = ../secrets.yaml; + }; + + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + + basicAuthFile = config.sops.secrets.prometheus-htpasswd.path; + + locations = { + "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; + + "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; + }; + }; + + services.prometheus.exporters.mikrotik = { + enable = true; + listenAddress = "127.0.0.1"; + configuration = { + devices = [ + ]; + features = { + bgp = true; + dhcp = true; + routes = true; + optics = true; + }; + }; + }; +} diff --git a/machines/raven/services/unifi-controller.nix b/machines/raven/services/unifi-controller.nix new file mode 100644 index 0000000..6befce2 --- /dev/null +++ b/machines/raven/services/unifi-controller.nix 
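Review bot: `--web.enable-admin-api` is exposed through the `/` proxy location, so whoever holds the basic-auth password (or finds a weakness in it) can delete series and take TSDB snapshots; nothing in this file uses the admin API, so drop the flag or serve it only from a location restricted to the lab network. The alertmanager receiver posts to `http://localhost/webhook`, which no vhost in this change serves, so alerts currently vanish silently; either wire the matrix bridge in or mark the receiver as a placeholder with a comment. `kleinturmbuehne-router:9100` is a node exporter, not a Prometheus server, and belongs in the `node` job rather than `prometheus`. Likewise the `mikrotik` exporter is enabled with `devices = [ ]`, and the `asterisk` job uses `metrics_path = "/"` although, as far as I can tell, Asterisk's res_prometheus serves under `/metrics` unless `uri` is changed in `prometheus.conf`, so two of the five scrape jobs look like they will report nothing.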
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+ promCfg = config.services.prometheus;
+in
+{
+ services.unifi = {
+ enable = true;
+ openFirewall = true;
+ unifiPackage = pkgs.unifi8;
+ };
+ networking.firewall.allowedTCPPorts = [ 8443 ];
+
+ sops.secrets.unpoller-password = {
+ #owner = promCfg.exporters.unpoller.user;
+ owner = config.services.prometheus.exporters.unpoller.user;
+ sopsFile = ../secrets.yaml;
+ };
+
+ services.prometheus.exporters.unpoller = {
+ enable = true;
+ controllers = [{
+ user = "unpoller";
+ pass = config.sops.secrets.unpoller-password.path;
+ verify_ssl = false;
+ hash_pii = true;
+ }];
+ log.prometheusErrors = true;
+ };
+}
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
new file mode 100644
index 0000000..3b9716d
--- /dev/null
+++ b/machines/raven/services/wekan.nix
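Review bot: `networking.firewall.allowedTCPPorts = [ 8443 ]` on top of `openFirewall = true` exposes the controller's management UI on every interface; the access points only need the inform/STUN/discovery ports that `openFirewall` already adds, so 8443 should be limited to the lab interface (`networking.firewall.interfaces.<lan-if>.allowedTCPPorts`) or published through an nginx vhost like the other services. `verify_ssl = false` in the unpoller controller entry is acceptable for the default loopback URL but should say so in a comment, and the `unpoller` UniFi account should be read-only now that its password lives on disk for the exporter. The `promCfg` binding and the commented-out `#owner = promCfg…` line are dead code and can go.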
@@ -0,0 +1,123 @@ +{ config, lib, pkgs, ... }: +let + serviceName = "wekan"; + databaseName = "wekandb"; + networkName = "wekan-tier"; + port = 8001; + domain = "wekan.fablab-nea.de"; + url = "https://${domain}"; + + directories = { + db = "/var/lib/wekan/db"; + dbDump = "/var/lib/wekan/db-dump"; + data = "/var/lib/wekan/data"; + }; +in +{ + virtualisation.oci-containers = { + backend = "podman"; + containers = { + "${serviceName}" = { + autoStart = true; + image = "ghcr.io/wekan/wekan:latest"; + environment = { + WRITABLE_PATH = "/data"; + MONGO_URL = "mongodb://${databaseName}:27017/wekan"; + ROOT_URL = url; + #WITH_API = "true"; + RICHER_CARD_COMMENT_EDITOR = "false"; + CARD_OPENED_WEBHOOK_ENABLED = "false"; + BIGEVENTS_PATTERN = "NONE"; + BROWSER_POLICY_ENABLED = "true"; + }; + ports = [ + "127.0.0.1:${toString port}:8080" + ]; + dependsOn = [ databaseName ]; + volumes = [ + "/etc/localtime:/etc/localtime:ro" + "${directories.data}:/data:rw" + ]; + extraOptions = [ + "--network=${networkName}" + "--pull=newer" + ]; + }; + "${databaseName}" = { + autoStart = true; + image = "mongo:6"; + cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ]; + volumes = [ + "/etc/localtime:/etc/localtime:ro" + #"/etc/timezone:/etc/timezone:ro" + "${directories.db}:/data/db" + "${directories.dbDump}:/dump" + ]; + extraOptions = [ + "--network=${networkName}" + "--pull=newer" + ]; + }; + }; + }; + + # Create the netowrk + systemd.services.init-filerun-network-and-files = { + description = "Create the network bridge ${networkName} for WeKan."; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig.Type = "oneshot"; + script = + let podmancli = "${pkgs.podman}/bin/podman"; + in '' + if ! 
${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then + ${podmancli} network create "${networkName}" + else + echo "network already exists" + fi + ''; + }; + + systemd.services.wekan-restart = { + description = "Restart Wekan services."; + serviceConfig = { + Type = "oneshot"; + }; + script = '' + ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service" + ''; + }; + + systemd.timers.wekan-restart = { + description = "Restart wekan containers"; + after = [ "network.target" ]; + wantedBy = [ "timers.target" ]; + timerConfig = { + Persistent = true; + OnCalendar = "*-*-* 04:00:00"; + Unit = "wekan-restart.service"; + }; + }; + + system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] '' + mkdir -p "${directories.db}" + mkdir -p "${directories.dbDump}" + mkdir -p "${directories.data}" + chown 999:999 "${directories.data}" + ''; + + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + ''; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + }; + }; +} diff --git a/modules/base.nix b/modules/base.nix index b233273..2755c93 100644 --- a/modules/base.nix +++ b/modules/base.nix @@ -1,3 +1,3 @@ { - boot.cleanTmpDir = true; + boot.tmp.cleanOnBoot = true; } diff --git a/modules/default.nix b/modules/default.nix index a70bbd3..244c94d 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,7 +2,10 @@ imports = [ ./base.nix ./nix.nix + ./pipewire.nix ./pubkeys.nix + ./sops.nix ./tools.nix + ./unfree.nix ]; } diff --git a/modules/nix.nix b/modules/nix.nix index 408dd82..fc6d9da 100644 --- a/modules/nix.nix +++ b/modules/nix.nix 
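Review bot: Both containers come from floating tags (`ghcr.io/wekan/wekan:latest`, `mongo:6`) with `--pull=newer`, and the 04:00 `wekan-restart` timer means the host silently upgrades to whatever was published upstream the night before — an unreviewed supply-chain channel into a service on a public vhost. Pin both images to a specific version tag (ideally with an `@sha256:` digest) and bump them deliberately, or at least drop `--pull=newer` so the timer only restarts what was already tested. Nothing orders `podman-wekan`/`podman-wekandb` after `init-filerun-network-and-files`, so on a fresh boot they can race the network creation; add `systemd.services."podman-${serviceName}".after = [ "init-filerun-network-and-files.service" ];` (plus `requires`, and the same for `${databaseName}`), and rename that unit, which still carries the FileRun name it was copied from. MongoDB runs without authentication on `wekan-tier`; that is only acceptable because the network is not published, so state that in a comment.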
@@ -21,9 +21,6 @@ let in { nix = { - # flake support - package = pkgs.nixUnstable; - extraOptions = '' experimental-features = nix-command flakes ''; @@ -37,20 +34,23 @@ in "nixpkgs-overlays=${overlaysCompat}" ]; - # sudoers are trusted nix users - trustedUsers = [ "@wheel" ]; + settings = { + # sudoers are trusted nix users + trusted-users = [ "@wheel" ]; - # On-the-fly optimisation of nix store - autoOptimiseStore = true; + # On-the-fly optimisation of nix store + auto-optimise-store = true; + }; # less noticeable nix builds - daemonNiceLevel = 10; - daemonIONiceLevel = 5; + daemonCPUSchedPolicy = "idle"; + daemonIOSchedClass = "idle"; + daemonIOSchedPriority = 7; }; nixpkgs.overlays = with inputs; [ - self.overlay - + self.overlays.default + sbruder-overlay.overlays.default (final: prev: { unstable = import nixpkgs-unstable { inherit (config.nixpkgs) diff --git a/modules/pipewire.nix b/modules/pipewire.nix new file mode 100644 index 0000000..9531e64 --- /dev/null +++ b/modules/pipewire.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: + +{ + sound.enable = true; + hardware.pulseaudio.enable = false; + + services.pipewire = { + enable = true; + pulse = { + enable = true; + }; + jack = { + enable = false; + }; + alsa = { + enable = true; + support32Bit = true; + }; + }; + + environment.systemPackages = with pkgs; [ + pulseaudio # pacmd and pactl + ]; +} diff --git a/modules/pubkeys.nix b/modules/pubkeys.nix index 9a45a8a..c515fe1 100644 --- a/modules/pubkeys.nix +++ b/modules/pubkeys.nix @@ -3,11 +3,11 @@ { options.fablab.pubkeys = with lib.types; { users = lib.mkOption { - type = attrsOf (listOf string); + type = attrsOf (listOf str); description = "pubkeys for a specific user"; }; groups = lib.mkOption { - type = attrsOf (listOf string); + type = attrsOf (listOf str); description = "pubkeys for a group of users"; }; }; 
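Review bot: `sbruder-overlay.overlays.default` is a third-party overlay applied to every host's package set, which lets it replace or wrap any package these hosts run as root; that is a supply-chain dependency worth a comment stating what is taken from it and that it is pinned through the flake lock. `daemonIOSchedPriority = 7` has no effect together with `daemonIOSchedClass = "idle"`, since the idle I/O class has no priority levels; drop it, or use `best-effort` if a priority was the intent. The `settings` migration looks right; `trusted-users = [ "@wheel" ]` remains root-equivalent for the nix daemon, which the retained comment already acknowledges.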
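Review bot: `sound.enable = true` belongs to the legacy ALSA `sound` options that were removed in NixOS 24.11; on the nixpkgs this repo currently tracks it may only warn, but it will break evaluation on the next upgrade and PipeWire with `alsa.enable = true` does not need it, so drop the line. `support32Bit = true` pulls in 32-bit ALSA libraries that only 32-bit clients (Wine, Steam) use; if raven has none, the default keeps the closure smaller. The package comment `# pacmd and pactl` is helpful — keep it, since `pulseaudio` next to `hardware.pulseaudio.enable = false` otherwise looks like a mistake.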
@@ -16,7 +16,7 @@ fablab.pubkeys = { users = { jalr = [ - "ssh-rsa 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 jalr@jalr-tp" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479" ]; simon = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii" diff --git a/modules/sops.nix b/modules/sops.nix new file mode 100644 index 0000000..e8c615e --- /dev/null +++ b/modules/sops.nix @@ -0,0 +1,3 @@ +{ + sops.defaultSopsFile = ../secrets.yaml; +} diff --git a/modules/tools.nix b/modules/tools.nix index 5ec2282..982e167 100644 --- a/modules/tools.nix +++ b/modules/tools.nix @@ -23,7 +23,6 @@ compsize curl dnsutils - exa fd file git diff --git a/modules/unfree.nix b/modules/unfree.nix new file mode 100644 index 0000000..3394261 --- /dev/null +++ b/modules/unfree.nix @@ -0,0 +1,8 @@ +{ lib, ... }: + +{ + nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [ + "unifi-controller" + "mongodb" + ]); +} diff --git a/pkgs/default.nix b/pkgs/default.nix index ce16870..f9ac13a 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1 +1,7 @@ -final: prev: { } +final: prev: +let + inherit (prev) callPackage recurseIntoAttrs; +in +{ + fablab = recurseIntoAttrs (callPackage ./fablab { }); +} diff --git a/pkgs/fablab/default.nix b/pkgs/fablab/default.nix new file mode 100644 index 0000000..9d10179 --- /dev/null +++ b/pkgs/fablab/default.nix @@ -0,0 +1,6 @@ +{ callPackage }: + +{ + freeradius-anon-access = callPackage ./freeradius-anon-access { }; + mitgliedsantrag = callPackage ./mitgliedsantrag { }; +} diff --git a/pkgs/fablab/freeradius-anon-access/default.nix b/pkgs/fablab/freeradius-anon-access/default.nix new file mode 100644 index 0000000..7b56597 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/default.nix 
@@ -0,0 +1,18 @@ +{ lib, freeradius, stdenvNoCC, ... }: + +stdenvNoCC.mkDerivation { + name = "freeradius-anon-access"; + src = ./.; + dontBuild = true; + installPhase = '' + mkdir $out + cp -r raddb $out + sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf + ''; + nativeBuildInputs = [ + freeradius + ]; + meta = with lib; { + platforms = platforms.unix; + }; +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/README.rst b/pkgs/fablab/freeradius-anon-access/raddb/README.rst new file mode 100644 index 0000000..118dcdf --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/README.rst 
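Review bot: `nativeBuildInputs = [ freeradius ]` is unused because the build is only `cp` and `sed`; the one place freeradius would earn its keep is a configuration check at the end of `installPhase`, e.g. `${freeradius}/bin/radiusd -XC -d $out/raddb -l stdout`, which fails the build instead of the service when a module or certificate path is wrong (only if the config does not depend on runtime-only paths such as log or run directories). `sed -i 's#@PREFIX@#${freeradius}#'` replaces only the first occurrence per line, so a line with two placeholders would keep one; use `s#@PREFIX@#${freeradius}#g`. `src = ./.` also copies this `default.nix` and the 665-line upgrade README into the store; `src = ./raddb` with `cp -r . $out/raddb` is tighter. `meta` has no `description` or `license`, and `name` should become `pname`/`version` to follow nixpkgs conventions.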
@@ -0,0 +1,665 @@ +Upgrading to Version 3.0 +======================== + +.. contents:: Sections + :depth: 2 + +.. important:: + The configuration for 3.0 is *largely* compatible with the 2.x.x + configuration. However, it is NOT possible to simply use the 2.x.x + configuration as-is. Instead, you should re-create it. + +Security +-------- + +A number of configuration items have moved into the "security" +subsection of radiusd.conf. If you use these, you should move them. +Otherwise, they can be ignored. + +The list of moved options is:: + + chroot + user + group + allow_core_dumps + reject_delay + status_server + +These entries should be moved from "radiusd.conf" to the "security" +subsection of that file. + +Naming +------ + +Many names used by configuration items were inconsistent in earlier +versions of the server. These names have been unified in version 3.0. + +If a file is being referenced or created the config item ``filename`` +is used. + +If a file is being created, the initial permissions are set by the +``permissions`` config item. + +If a directory hierarchy needs to be created, the permissions are set +by ``dir_permissions``. + +If an external host is referenced in the context of a module the +``server`` config item is used. + +Unless the config item is a well recognised portmanteau +(as ``filename`` is for example), it must be written as multiple +distinct words separated by underscores ``_``. + +The configuration items ``file``, ``script_file``, ``module``, +``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``, +``detailperm``, and ``hostname`` are deprecated. As well as any false +portmanteaus, and configuration items that used hyphens as word +delimiters. e.g. ``foo-bar`` has been changed to ``foo_bar``. Please +update your module configuration to use the new syntax. + +In most cases the server will tell you the replacement config item to +use. As always, run the server in debugging mode to see these +messages. 
+ +Modules Directory +----------------- + +As of version 3.0, the ``modules/`` directory no longer exists. + +Instead, all "example" modules have been put into the +``mods-available/`` directory. Modules which can be loaded by the +server are placed in the ``mods-enabled/`` directory. All of the +modules in that directory will be loaded. This means that the +``instantiate`` section of radiusd.conf is less important. The only +reason to list a module in the ``instantiate`` section is to force +ordering when the modules are loaded. + +Modules can be enabled by creating a soft link. For module ``foo``, do:: + + $ cd raddb/mods-enabled + $ ln -s ../mods-available/foo + +To create "local" versions of the modules, we suggest copying the file +instead. This leaves the original file (with documentation) in the +``mods-available/`` directory. Local changes should go into the +``mods-enabled/`` directory. + +Module-specific configuration files are now in the ``mods-config/`` +directory. This change allows for better organization, and means that +there are fewer files in the main ``raddb`` directory. See +``mods-config/README.rst`` for more details. + +Changed Modules +--------------- + +The following modules have been changed. + + +rlm_sql +~~~~~~~ + +The SQL configuration has been moved from ``sql.conf`` to +``mods-available/sql``. The ``sqlippool.conf`` file has also been +moved to ``mods-available/sqlippool``. + +The SQL module configuration has been changed. The old connection +pool options are no longer accepted:: + + num_sql_socks + connect_failure_retry_delay + lifetime + max_queries + +Instead, a connection pool configuration is used. This configuration +contains all of the functionality of the previous configuration, but +in a more generic form. It also is used in multiple modules, meaning +that there are fewer different configuration items. 
The mapping +between the configuration items is:: + + num_sql_socks -> pool { max } + connect_failure_retry_delay -> pool { retry_delay } + lifetime -> pool { lifetime } + max_queries -> pool { uses } + +The pool configuration adds a number of new configuration options, +which allow the administrator to better control how FreeRADIUS uses +SQL connection pools. + +The following parameters have been changed:: + + trace -> removed + tracefile -> logfile + +The logfile is intended to log SQL queries performed. If you need to +debug the server, use debugging mode. If ``logfile`` is set, then +*all* SQL queries will go to ``logfile``. + +You can now use a NULL SQL database:: + + driver = rlm_sql_null + +This is an empty driver which will always return "success". It is +intended to be used to replace the ``sql_log`` module, and to work in +conjunction with the ``radsqlrelay`` program. Simply take your normal +configuration for raddb/mods-enabled/sql, and set:: + + driver = rlm_sql_null + ... + logfile = ${radacctdir}/sql.log + +All of the SQL queries will be logged to that file. The connection +pool does not need to be configured for the ``null`` SQL driver. It +can be left as-is, or deleted from the SQL configuration file. + +rlm_sql_sybase +~~~~~~~~~~~~~~ + +The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds`` +and the old ``rlm_sql_freetds`` module has been removed. + +``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds`` +used an older API and was incomplete. + +The new ``rlm_sql_freetds`` module now also supports database +selection on connection startup so ``use`` statements no longer +have to be included in queries. + +sql/dialup.conf +~~~~~~~~~~~~~~~ + +Queries for post-auth and accounting calls have been re-arranged. The +SQL module will now expand the 'reference' configuration item in the +appropriate sub-section, and resolve this to a configuration +item. This behaviour is similar to rlm_linelog. 
This dynamic +expansion allows for a dynamic mapping between accounting types and +SQL queries. Previously, the mapping was fixed. Any "new" accounting +type was ignored by the module. Now, support for any accounting type +can be added by just adding a new target, as below. + +Queries from v2.x.x may be manually copied to the new v3.0 +``dialup.conf`` file (``raddb/mods-config/sql/main//queries.conf``). +When doing this you may also need to update references to the +accounting tables, as their definitions will now be outside of +the subsection containing the query. + +The mapping from old "fixed" query to new "dynamic" query is as follows:: + + accounting_onoff_query -> accounting.type.accounting-on.query + accounting_update_query -> accounting.type.interim-update.query + accounting_update_query_alt +> accounting.type.interim-update.query + accounting_start_query -> accounting.type.start.query + accounting_start_query_alt +> accounting.type.start.query + accounting_stop_query -> accounting.type.stop.query + accounting_stop_query_alt +> accounting.type.stop.query + postauth_query -> post-auth.query + +Alternatively a 2.x.x config may be patched to work with the +3.0 module by adding the following:: + + accounting { + reference = "%{tolower:type.%{Acct-Status-Type}.query}" + type { + accounting-on { + query = "${....accounting_onoff_query}" + } + accounting-off { + query = "${....accounting_onoff_query}" + } + start { + query = "${....accounting_start_query}" + query = "${....accounting_start_query_alt}" + } + interim-update { + query = "${....accounting_update_query}" + query = "${....accounting_update_query_alt}" + } + stop { + query = "${....accounting_stop_query}" + query = "${....accounting_stop_query_alt}" + } + } + } + + post-auth { + query = "${..postauth_query}" + } + +In general, it is safer to migrate the configuration rather than +trying to "patch" it, to make it look like a v2 configuration. 
+ +Note that the sub-sections holding the queries are labelled +``accounting-on``, and not ``accounting_on``. The reason is that the +names of these sections are taken directly from the +``Accounting-Request`` packet, and the ``Acct-Status-Type`` field. +The ``sql`` module looks at the value of that field, and then looks +for a section of that name, in order to find the query to use. + +That process means that the server can be extended to support any new +value of ``Acct-Status-Type``, simply by adding a named sub-section, +and a query. This behavior is preferable to that of v2, which had +hard-coded queries for certain ``Acct-Status-Type`` values, and was +ignored all other values. + +rlm_ldap +~~~~~~~~ + +The LDAP module configuration has been substantially changed. Please +read ``raddb/mods-available/ldap``. It now uses a connection pool, +just like the SQL module. + +Many of the configuration items remain the same, but they have been +moved into subsections. This change is largely cosmetic, but it makes +the configuration clearer. Instead of having a large set of random +configuration items, they are now organized into logical groups. + +You will need to read your old LDAP configuration, and migrate it +manually to the new configuration. Simply copying the old +configuration WILL NOT WORK. + +Users upgrading from 2.x.x who used to call the ldap module in +``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap`` +module from the ``post-auth`` section. + +rlm_ldap and LDAP-Group +~~~~~~~~~~~~~~~~~~~~~~~ + +In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done +by the last instance of rlm_ldap to be instantiated. In 3.0 this has +changed so that only the default ``ldap {}`` instance registers +``LDAP-Group``. + +If ``-LDAP-Group`` is already used throughout your configuration +no changes will be needed. 
+ +rlm_ldap authentication +~~~~~~~~~~~~~~~~~~~~~~~ + +In 2.x.x the LDAP module had a ``set_auth_type`` configuration item, +which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it +often did not work, and was not consistent with the rest of the +server. We generally recommend that LDAP should be used as a +database, and that FreeRADIUS should do authentication. + +The only reason to use ``Auth-Type := ldap`` is when the LDAP server +will not supply the "known good" password to FreeRADIUS, *and* where +the Access-Request contains User-Password. This situation happens +only for Active Directory. If you think you need to force ``Auth-Type +:= ldap`` in other situations, you are very likely to be wrong. + +The following is an example of what should be inserted into the +``authorize {}`` and ``authenticate {}`` sections of the relevant +virtual-servers, to get functionality equivalent to v2.x:: + + authorize { + ... + ldap + if ((ok || updated) && User-Password) { + update control { + Auth-Type := ldap + } + } + ... + } + + authenticate { + ... + Auth-Type ldap { + ldap + } + ... + } + +rlm_eap +~~~~~~~ + +The EAP configuration has been moved from ``eap.conf`` to +``mods-available/eap``. A new ``pwd`` subsection has been added for +EAP-PWD. + +rlm_expiration & rlm_logintime +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``, +the same behaviour can be achieved checking the return code of the module and +adding the ``Reply-Message`` with unlang:: + + expiration + if (userlock) { + update reply { + Reply-Message := "Your account has expired" + } + } + +rlm_unix +~~~~~~~~ + +The ``unix`` module does not have an ``authenticate`` section. So you +cannot set ``Auth-Type := System``. The ``unix`` module has also been +deleted from the examples in ``sites-available/``. Listing it there +has been deprecated for many years. + +The PAP module can do crypt authentication. 
It should be used instead +of Unix authentication. + +The Unix module still can pull the passwords from ``/etc/passwd``, or +``/etc/shadow``. This is done by listing it in the ``authorize`` +section, as is done in the examples in ``sites-available/``. However, +some systems using NIS or NSS will not supply passwords to the +``unix`` module. For those systems, we recommend putting users and +passwords into a database, instead of relying on ``/etc/passwd``. + +rlm_preprocess +~~~~~~~~~~~~~~ + +In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations +without being configured explicitly. Since 3.x.x you need to set +``huntgroups`` and ``users`` configuration item(s) in module section in order +to get them being processed. + +New Modules +----------- + +rlm_date +~~~~~~~~ + +Instances of rlm_date register an xlat method which can translate +integer and date values to an arbitrarily formatted date time +string, or an arbitrarily formated time string to an integer, +depending on the attribute type passed. + +rlm_rest +~~~~~~~~ + +The ``rest`` module is used to translate RADIUS requests into +RESTfull HTTP requests. Currently supported body types are JSON +and POST. + +rlm_unpack +~~~~~~~~~~ + +The ``unpack`` module is used to turn data buried inside of binary +attributes. e.g. if we have ``Class = 0x00000001020304`` then:: + + Tmp-Integer-0 := "%{unpack:&Class 4 short}" + +will unpack octets 4 and 5 as a "short", which has value 0x0304. +All integers are assumed to be in network byte order. + +rlm_yubikey +~~~~~~~~~~~ + +The ``yubikey`` module can be used to forward yubikey OTP token +values to a Yubico validation server, or decrypt the token +using a PSK. + +Deleted Modules +--------------- + +The following modules have been deleted, and are no longer supported +in Version 3. If you are using one of these modules, your +configuration can probably be changed to not need it. Otherwise email +the freeradius-devel list, and ask about the module. 
+ +rlm_acct_unique +~~~~~~~~~~~~~~~ + +This module has been replaced by the "acct_unique" policy. See +raddb/policy.d/accounting. + +The method for calculating the value of acct_unique has changed. +However, as this method was configurable, this change should not +matter. The only issue is in having a v2 and v3 server writing to the +same database at the same time. They will calculate different values +for Acct-Unique-Id. + +rlm_acctlog +~~~~~~~~~~~ + +You should use rlm_linelog instead. That module has a superset of the +acctlog functionality. + +rlm_attr_rewrite +~~~~~~~~~~~~~~~~ + +The attr_rewrite module looked for an attribute, and then re-wrote it, +or created a new attribute. All of that can be done in "unlang". + +A sample configuration in "unlang" is:: + + if (request:Calling-Station-Id) { + update request { + Calling-Station-Id := "...." + } + } + +We suggest updating all uses of attr_rewrite to use unlang instead. + +rlm_checkval +~~~~~~~~~~~~ + +The checkval module compared two attributes. All of that can be done in "unlang":: + + if (&request:Calling-Station-Id == &control:Calling-Station-Id) { + ok + } + +We suggest updating all uses of checkval to use unlang instead. + +rlm_dbm +~~~~~~~ + +No one seems to use it. There is no sample configuration for it. +There is no speed advantage to using it over the "files" module. +Modern systems are fast enough that 10K entries can be read from the +"users" file in about 10ms. If you need more users than that, use a +real database such as SQL. + +rlm_fastusers +~~~~~~~~~~~~~ + +No one seems to use it. It has been deprecated since Version 2.0.0. +The "files" module was rewritten so that the "fastusers" module was no +longer necessary. + +rlm_policy +~~~~~~~~~~ + +No one seems to use it. Almost all of its functionality is available +via "unlang". + +rlm_sim_files +~~~~~~~~~~~~~ + +The rlm_sim_files module has been deleted. It was never marked "stable", +and was never used in a production environment. 
There are better ways +to test EAP. + +If you want similar functionality, see rlm_passwd. It can read CSV +files, and create attributes from them. + +rlm_sql_log +~~~~~~~~~~~ + +This has been replaced with the "null" sql driver. See +raddb/mods-available/sql for an example configuration. + +The main SQL module has more functionality than rlm_sql_log, and +results in less code in the server. + +Other Functionality +------------------- + +The following is a list of new / changed functionality. + +RadSec +~~~~~~ + +RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP +is also supported, but is recommended only for secure networks. + +See ``sites-available/tls`` for complete details on using TLS. The server +can both receive incoming TLS connections, and also originate outgoing +TLS connections. + +The TLS configuration is taken from the old EAP-TLS configuration. It +is largely identical to the old EAP-TLS configuration, so it should be +simple to use and configure. It re-uses much of the EAP-TLS code, +so it is well-tested and reliable. + +Once RadSec is enabled, normal debugging mode will not work. This is +because the TLS code requires threading to work properly. Instead of doing:: + + $ radiusd -X + +you will need to do:: + + $ radiusd -fxx -l stdout + +That's the price to pay for using RadSec. This limitation may be +lifted in a future version of the server. + + +PAP and User-Password +~~~~~~~~~~~~~~~~~~~~~ + +From version 3.0 onwards the server no longer supports authenticating +against a cleartext password in the 'User-Password' attribute. Any +occurences of this (for instance, in the users file) should now be changed +to 'Cleartext-Password' instead. + +e.g. change entries like this:: + + bob User-Password == "hello" + +to ones like this:: + + bob Cleartext-Password := "hello" + + +If this is not done, authentication will likely fail. The server will +also print a helpful message in debugging mode. 
+ +If it really is impossible to do this, the following unlang inserted above +the call to the pap module may be used to copy User-Password to the correct +attribute:: + + if (!control:Cleartext-Password && control:User-Password) { + update control { + Cleartext-Password := "%{control:User-Password}" + } + } + +However, this should only be seen as a temporary, not permanent, fix. +It is better to fix your databases to use the correct configuration. + +Unlang +~~~~~~ + +The unlang policy language is compatible with v2, but has a number of +new features. See ``man unlang`` for complete documentation. + +ERRORS + +Many more errors are caught when the server is starting up. Syntax +errors in ``unlang`` are caught, and a helpful error message is +printed. The error message points to the exact place where the error +occurred:: + + ./raddb/sites-enabled/default[230]: Parse error in condition + ERROR: if (User-Name ! "bob") { + ERROR: ^ Invalid operator + +``update`` sections are more generic. Instead of doing ``update +reply``, you can do the following:: + + update { + reply:Class := 0x0000 + control:Cleartext-Password := "hello" + } + +This change means that you need fewer ``update`` sections. + +COMPARISONS + +Attribute comparisons can be done via the ``&`` operator. When you +needed to compare two attributes, the old comparison style was:: + + if (User-Name == "%{control:Tmp-String-0}") { + +This syntax is inefficient, as the ``Tmp-String-0`` attribute would be +printed to an intermediate string, causing unnecessary work. You can +now instead compare the two attributes directly:: + + if (&User-Name == &control:Tmp-String-0) { + +See ``man unlang`` for more details. + +CASTS + +Casts are now permitted. This allows you to force type-specific +comparisons:: + + if ("%{sql: SELECT...}" == 127.0.0.1) { + +This forces the string returned by the SELECT to be treated as an IP +address, and compare to ``127.0.0.1``. 
Previously, the comparison +would have been done as a simple string comparison. + +NETWORKS + +IP networks are now supported:: + + if (127.0.0.1/32 == 127.0.0.1) { + +Will be ``true``. The various comparison operators can be used to +check IP network membership:: + + if (127/8 > 127.0.0.1) { + +Returns ``true``, because ``127.0.0.1`` is within the ``127/8`` +network. However, the following comparison will return ``false``:: + + if (127/8 > 192.168.0.1) { + +because ``192.168.0.1`` is outside of the ``127/8`` network. + +OPTIMIZATION + +As ``unlang`` is now pre-compiled, many compile-time optimizations are +done. This means that the debug output may not be exactly the same as +what is in the configuration files:: + + if (0 && (User-Name == "bob')) { + +The result will always be ``false``, as the ``if 0`` prevents the +following ``&& ...`` from being evaluated. + +Not only that, but the entire contents of that section will be ignored +entirely:: + + if (0) { + this_module_does_not_exist + and_this_one_does_not_exist_either + } + +In v2, that configuration would result in a parse error, as there is +no module called ``this_module_does_not_exist``. In v3, that text is +ignored. This ability allows you to have dynamic configurations where +certain parts are used (or not) depending on compile-time configuration. + +Similarly, conditions which always evaluate to ``true`` will be +optimized away:: + + if (1) { + files + } + +That configuration will never show the ``if (1)`` output in debugging mode. + + +Dialup_admin +------------ + +The dialup_admin directory has been removed. No one stepped forward +to maintain it, and the code had not been changed in many years. + diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf new file mode 100644 index 0000000..d7c8b5b --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf 
@@ -0,0 +1,24 @@
+[ req ]
+default_bits = 1024
+distinguished_name = req_DN
+string_mask = nombstr
+
+[ req_DN ]
+countryName = "1. Country Name (2 letter code)"
+countryName_default = DE
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = "2. State or Province Name (full name) "
+stateOrProvinceName_default = Berlin
+localityName = "3. Locality Name (eg, city) "
+localityName_default = Berlin
+0.organizationName = "4. Organization Name (eg, company) "
+0.organizationName_default = Mustermann
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+organizationalUnitName_default = Certificate Authority
+commonName = "6. Common Name (eg, CA name) "
+commonName_max = 64
+commonName_default = Mustermann CA
+emailAddress = "7. Email Address (eg, name@FQDN)"
+emailAddress_max = 40
+emailAddress_default = ca@mustermann.de
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt
new file mode 100644
index 0000000..4bb725e
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt
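Review bot: `default_bits = 1024` makes any CA key generated from this config 1024-bit RSA, which is below the 2048-bit floor that OpenSSL security level 2 (the default on several distributions) and many current TLS clients enforce; the client.conf hunk further down carries the same value, and the committed ca.crt and client.crt appear to be 1024-bit too (their SubjectPublicKeyInfo has the short `MIGfMA0GCSqGSIb3DQEBAQUAA4GN…` shape). Change both files to `default_bits = 2048` at minimum before any certificate is regenerated from them. A comment stating whether these .conf files are still used for issuance or are only leftovers beside pre-generated example certificates would help the next reader.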
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
+BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
+NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
+tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
+yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
+H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
+EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
+YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
+hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
+dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
+ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
+hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
+cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
+hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
+-----END CERTIFICATE-----
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr
new file mode 100644
index 0000000..56b6bde
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJ
+KoZIhvcNAQkBFhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD
+269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFn
+OyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABoAAw
+DQYJKoZIhvcNAQELBQADgYEAK+Fbl3mG7m0gBkekWwU4BvC92eMs93GYCtYQECu7
+/Dc0J2K1ItGC7JrRVlQvStbEFCw3cXzlbSec2v+8rvvIbn6MB+StRRYjPUiIYS3h
+qly2FpcAo3Cg5GcnNf4keDGBzClo37MF2wlT0DAQIVPHMlTbkfgAQYwQS+uKLBre
+TwM=
+-----END CERTIFICATE REQUEST-----
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext
new file mode 100644
index 0000000..cb5c705
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext
@@ -0,0 +1,9 @@
+extensions = x509v3
+
+[ x509v3 ]
+basicConstraints = CA:true,pathlen:0
+crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
+nsCertType = sslCA,emailCA,objCA
+nsCaPolicyUrl = "http://www.mustermann.de/ca/policy.htm"
+nsCaRevocationUrl = "http://www.mustermann.de/ca/heimpold.crl"
+nsComment = "Mustermann CA"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key
new file mode 100644
index 0000000..0c7365b
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5
+OFlD269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrE
+IvFnOyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQAB
+AoGAQaCF2idVGbRSVF3ae1qHGOj3Hive3WcReKg/8EittAPpNuP3tqiLUQ/WjxZr
+V1NTtZ4syvM+LXlDW186rU21iGpQqj9ce2zjxpWMco6GFf0qKBO1ZoYSyD6jW6ny
+M82TtCOVjH1LnyAz5AKRH6Wv5sG99gndK5AriEZEYrsnjQECQQDmK5EU5yVzz2o0
+X02Lolz0dRDy5J3x3hlaYKLoszMv4L04MAZ9XaMtGjqmKSOWsbMkIvp/d5A+2uJm
+42sULKC9AkEAwTN8+4Kd8d5qpNfaKiYU6x5I2qUwvkE6V7x+ttPoFzbzeHr5CM2z
+jkpA+x5u1fCtbl319zOb3ApVsrJ3o0+XqQJASeIgPxJ3jjY9RDR3YuQqbHoLh7xl
+CtedUcqFYKbtPmgotRmNa76b+4VY4C+CcgP2mhn0SOhrUBHY7OgBXkd5DQJBAIat
+ksFtAxdZGXRB+BYLp+dinBy2rKzjoX0JrDdcrtyH9N8WskU9x544CuZDB7ZhaTSX
+kV+6fTq9hZHlMNsKH8kCQQCGnlQIy3U3cN6E1O9UI4DRwPhSwl+xEfc3n0DB/Kcy
+faIPo3HnlNw/+4cIyc/7i1Ilkrj4zHtdrnAjP+OvZD7+
+-----END RSA PRIVATE KEY-----
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem
new file mode 100644
index 0000000..4bb725e
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem
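Review bot: ca.key is the CA's private key committed in cleartext, and client.key plus the bundled client.pem.crt follow in later hunks; once in history they have to be treated as compromised for any real purpose, even if a later commit deletes them. The placeholder identity (Mustermann, www.mustermann.de) suggests these are example artefacts, so a short README in raddb/certs saying exactly that, and that each deployment must generate its own CA, would keep them from being trusted by accident; if they were ever meant for production use, re-issue them and keep the new keys in the sops-managed secrets file this commit configures in modules/sops.nix rather than in the tree. A `.gitignore` entry for `*.key` in this directory would stop the next regeneration from being committed.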
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
+BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
+NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
+tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
+yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
+H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
+EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
+YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
+hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
+dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
+ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
+hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
+cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
+hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
+-----END CERTIFICATE-----
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial
new file mode 100644
index 0000000..75016ea
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial
@@ -0,0 +1 @@
+03
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf
new file mode 100644
index 0000000..0f78075
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf
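Review bot: ca.pem is a byte-identical copy of ca.crt (both hunks show blob 4bb725e), so the two will drift apart at the next rotation unless someone remembers to update both. Keep one file and point the radiusd/eap configuration at it, or have the derivation's installPhase create ca.pem as a symlink to ca.crt.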
@@ -0,0 +1,24 @@
+[ req ]
+default_bits = 1024
+distinguished_name = req_DN
+string_mask = nombstr
+
+[ req_DN ]
+countryName = "1. Country Name (2 letter code)"
+countryName_default = DE
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = "2. State or Province Name (full name) "
+stateOrProvinceName_default = Berlin
+localityName = "3. Locality Name (eg, city) "
+localityName_default = Berlin
+0.organizationName = "4. Organization Name (eg, company) "
+0.organizationName_default = Mustermann
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+#organizationalUnitName_default =
+commonName = "6. Common Name (eg, CA name) "
+commonName_max = 64
+commonName_default = Max Mustermann
+emailAddress = "7. Email Address (eg, name@FQDN)"
+emailAddress_max = 40
+emailAddress_default = max@mustermann.de
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt
new file mode 100644
index 0000000..c804097
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
+ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
+DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
+HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
+cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
+YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
+I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
+jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
+ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
+QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
+R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
+oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
+/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
+-----END CERTIFICATE-----
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr
new file mode 100644
index 0000000..316765d
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr
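Review bot: client.crt's validity period, if I decode the two UTCTime fields correctly, runs from 2022-08-01 to 2024-07-31, so the certificate is expired or about to be for anything built from this commit, and ca.crt reads as valid only until 2025-07-31. Committing fixed-expiry certificates without the means to renew them means the TLS-based EAP methods that present them will start failing on that date with nothing in the tree to explain why; add a regeneration script or a short note in the derivation describing how the CA, server and client certificates are re-issued. Documenting that procedure is preferable to committing fresh certificates each time.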
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
+A1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0ZXJtYW5uMRcwFQYDVQQDEw5NYXgg
+TXVzdGVybWFubjEgMB4GCSqGSIb3DQEJARYRbWF4QG11c3Rlcm1hbm4uZGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFPziPlydE+D1lKE+5Wh/aHDuQ4HBfF
+2PDWetE7um2d06newc3RZn+1JjpedX3t0u38eI5bJ2mOPj6bfdhVQBoM0/6ZE+rf
+l3EbjT69GqiAPYlA7ZlgMgz2TgO1lWwvyruMOnj2l3uHEZomY6hla9pxTjqJ7n8U
+HVVTUvZihoQ/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBX3obDa6757IR9ejEb
+1cY0k6S1SioC8ufX0Z2veFKoDLXKHL4kCZ89ie74hBf7mqx6O9ZscASXNcyuKFBz
+uaae2MSoh+DBJH6I7j23PMhs9ziaSJYLmawja0sWK/J8RaR7JNjVAzb/eU2zBQlq
+GTc8H8je+e2+aRUFYNgdGxgQ0g==
+-----END CERTIFICATE REQUEST-----
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext
new file mode 100644
index 0000000..8a509fe
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext
@@ -0,0 +1,5 @@
+extensions = x509v3
+
+[ x509v3 ]
+nsCertType = client,email,objsign
+keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key
new file mode 100644
index 0000000..52aa36f
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key
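Review bot: client.ext sets only `nsCertType` and `keyUsage`; supplicants that validate client certificates — Windows in particular — expect `extendedKeyUsage = clientAuth` on a client certificate, and `nsCertType` is a Netscape-era extension that current TLS stacks ignore. Adding `extendedKeyUsage = clientAuth` and trimming keyUsage to `digitalSignature,keyEncipherment` (a TLS client certificate has no use for `nonRepudiation` or `dataEncipherment`) gives a profile that matches what FreeRADIUS's own xpextensions file uses for EAP-TLS clients.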
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN +0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z +YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB +AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG +FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+ +MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn +s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF +B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo +fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q +VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B +aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi +fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb +tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8= +-----END RSA PRIVATE KEY----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt new file mode 100644 index 0000000..752c0e7 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt 
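Review bot: This hunk commits an RSA private key in plaintext; the same key (identical modulus) is committed again inside client.pem.crt, and the server's private key follows in server.key. Once in git history these keys have to be treated as disclosed, and because the files live under `pkgs/` they presumably end up in the Nix store, which is world-readable on every host that installs the package regardless of the `100644` mode shown in the header. The `Max Mustermann` names suggest example material rather than production credentials, but whoever holds server.key can impersonate the RADIUS server to any supplicant that trusts this certificate, so it is not in the same category as a deliberately shared anonymous client key; if distributing the client key is intentional, say so in a comment next to the file. Keep only public material in the repository (`*.crt`, `dh`, the OpenSSL config), ignore `raddb/certs/*.key`, provision key material at deploy time through the repository's secrets mechanism into a root-only path that the raddb config references, and regenerate the server key before this configuration is used.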
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx +DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0 +ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT +DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw +HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP +MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl +cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt +YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O +I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4 +jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6 +ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4 +QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB +R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0 +oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1 +/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN +0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z +YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB +AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG +FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+ +MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn +s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF +B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo +fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q +VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B +aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi +fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb +tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8= +-----END RSA PRIVATE KEY----- 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/dh b/pkgs/fablab/freeradius-anon-access/raddb/certs/dh new file mode 100644 index 0000000..cf3c118 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/dh @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAzQsuxnwr0ccOV+/wIsI4Kfj5eyBINjb5KjeFvdZec65Xj5IzJSqo +kw2JaBhqN4Jtsq60doyev3tPtZn6YmBoVH/71CWOtibeZeSBjk67zQj7O0VKHHaG +9OXyjGIyzUKtJl1VpD+mXvlrhZEjnnApf3fp4i8K8Ei7oHFu+6teEyei3qGKobEg +Y+aYse5noocftCOj7QOpqLZU5BjYn+j1CVnivB3kCEuqYYTJJvyvVpTbWhAWTibY +mZU2Sq7GCLn+hbX5R/d3hOAqISJXwloshipHv7pTvipEMF5Q9thbq/Lc8j+DQS1Y +3KZMuq5+aDV2DVeVI5HSNv/uJJsN48hRkwIBAg== +-----END DH PARAMETERS----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf new file mode 100644 index 0000000..bc8f8f1 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf @@ -0,0 +1,24 @@ +[ req ] +default_bits = 1024 +distinguished_name = req_DN +string_mask = nombstr + +[ req_DN ] +countryName = "1. Country Name (2 letter code)" +countryName_default = DE +countryName_min = 2 +countryName_max = 2 +stateOrProvinceName = "2. State or Province Name (full name) " +#stateOrProvinceName_default = +localityName = "3. Locality Name (eg, city) " +localityName_default = Berlin +0.organizationName = "4. Organization Name (eg, company) " +0.organizationName_default = Mustermann +organizationalUnitName = "5. Organizational Unit Name (eg, section) " +organizationalUnitName_default = Server +commonName = "6. Common Name (eg, CA name) " +commonName_max = 64 +commonName_default = www.mustermann.de +emailAddress = "7. Email Address (eg, name@FQDN)" +emailAddress_max = 40 +emailAddress_default = webmaster@mustermann.de diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt new file mode 100644 index 0000000..e56ad33 --- /dev/null 
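Review bot: `default_bits = 1024` in the `[ req ]` section of server.conf is the origin of the 1024-bit keys and certificates committed alongside it; RSA-1024 has been disallowed for new signatures since 2013 and is rejected at OpenSSL security level 2, which several distributions now ship as the default, so TLS handshakes against a certificate generated from this file are likely to fail before any RADIUS logic runs. `string_mask = nombstr` is likewise a legacy setting that predates the UTF8String requirement for new DNs. Change these to `default_bits = 2048` and `string_mask = utf8only`, and replace the `Mustermann` / `www.mustermann.de` defaults so the prompts yield the lab's own DN instead of example values. The dh hunk that shares this line needs no change: the parameters decode to a 2048-bit group and are public data.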
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx +DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0 +ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT +DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw +HhcNMjIwODAxMDEwNjQ1WhcNMjQwNzMxMDEwNjQ1WjCBiDELMAkGA1UEBhMCREUx +DzANBgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEPMA0GA1UECxMG +U2VydmVyMRowGAYDVQQDExF3d3cubXVzdGVybWFubi5kZTEmMCQGCSqGSIb3DQEJ +ARYXd2VibWFzdGVyQG11c3Rlcm1hbm4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBAOGRdBwkcWMlXj5ZIez2OjadgD7JBVqXS06rZopONcFil9O4OvFHSeMP +mGDIeeggZvh1hpcpKq2+zgY6640zlTbXK7J0T8QUXs0XHDJd9uMI5nDovaG37tah +G83YIPKmLBB87p511amdUviPc4QJGaGRJeYnAC4ou2RX/ko6y4yfAgMBAAGjTjBM +MBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwKgYDVR0lBCMwIQYKKwYB +BAGCNwoDAwYJYIZIAYb4QgQBBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOBgQAQ +wU4rNIuiakUH60u9m983BHddCl81Fy4nf2BExbxXSW/B+yj3adHQ/0RF/xGCcVrI +ORtGlyt8OW83VEfGFFpNPMR6XdxPMyoSUEFaEyVbYGQigQUXoa5k5vINmUD6bgxF +5o5taGIFnfnjEncwRTHADFEIN5hKHjtIdXcNRue2kg== +-----END CERTIFICATE----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr new file mode 100644 index 0000000..e504e6b --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHEwZCZXJsaW4xEzAR +BgNVBAoTCk11c3Rlcm1hbm4xDzANBgNVBAsTBlNlcnZlcjEaMBgGA1UEAxMRd3d3 +Lm11c3Rlcm1hbm4uZGUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBtdXN0ZXJt +YW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhkXQcJHFjJV4+WSHs +9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrxR0njD5hgyHnoIGb4dYaXKSqtvs4GOuuN +M5U21yuydE/EFF7NFxwyXfbjCOZw6L2ht+7WoRvN2CDypiwQfO6eddWpnVL4j3OE +CRmhkSXmJwAuKLtkV/5KOsuMnwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEADZZ5 ++z8oUdzM0aDxMt2KyNSc8+NUkL4u+h38ZuDasHMXCncfWqp7I42qev1FHqKaI1Rn +GWZsWd943kOeMjFgxGkQoesLsyuqRslyUHAACnqHit2ZKz51reiiakK7v/qYxiV6 +aZOZBv5s2eaG6iT1ea5f5j2SKKOyhuDwfs7q4hQ= +-----END CERTIFICATE REQUEST----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext new file mode 100644 index 0000000..7e6d6b5 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext @@ -0,0 +1,6 @@ +extensions = x509v3 + +[ x509v3 ] +nsCertType = server +keyUsage = digitalSignature,nonRepudiation,keyEncipherment +extendedKeyUsage = msSGC,nsSGC,serverAuth diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key new file mode 100644 index 0000000..97b5df9 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDhkXQcJHFjJV4+WSHs9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrx +R0njD5hgyHnoIGb4dYaXKSqtvs4GOuuNM5U21yuydE/EFF7NFxwyXfbjCOZw6L2h +t+7WoRvN2CDypiwQfO6eddWpnVL4j3OECRmhkSXmJwAuKLtkV/5KOsuMnwIDAQAB +AoGAO1kEvp7MAnUDfc3/whPqrxHzexFyyioCU1l/aiY3uIDTR44yW+cQxqAEzHoS +sQNNdFOfrMfVBc+s7zCzZvxKZpvapg2HGATkk9I8AFUTuSh7n3oUT/AZ1KGdd04G +wS/6QsLR3G8c+0RB9DPWpMVgg1OlQ1U3ESB+eaeQ28/hLFECQQD6LRHnLfLrGlz9 +0htFV3JD19qPNmwRCEa/bHeK4dICuEikgpQZ18nbOCrfUvR4GltkQA8w6CMGmebJ +5COHx+epAkEA5tG7fsnA8ut/AfA3HoBRi1YtoE4YLOE8b+Jdt72LDE6jaR9mBc0N +gwxDBhdgZf9HTSaWB65j1V1sik8DqkjfBwJABE5SSJBZ5gIGJ7g+D+t5ZAGLGXvu +UDy8Ov8674EDhFh3p503v1ofd054Lm/XFVoeyJLxr/3O3IY5mq/6jJO8QQJBANcC +V51rYojmRZEQqseG0G7y/91r4aksxpeSTapyravxNNcfoHGW6RdBvM1XyTw557k+ +UFMnZ2fBdvH/WHKvHtECQEvLTxtmdxKMrndFJiTObeItdl/iHU9JujW4ib64CysI +RdwEverbouogjHfyeDjazXIsgpIUSIbZNHL13bICpBg= +-----END RSA PRIVATE KEY----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/clients.conf b/pkgs/fablab/freeradius-anon-access/raddb/clients.conf new file mode 100644 index 0000000..9f2f752 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/clients.conf @@ -0,0 +1,4 @@ +client 0.0.0.0/0 { + secret = anonymous + require_message_authenticator = no +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/dictionary b/pkgs/fablab/freeradius-anon-access/raddb/dictionary new file mode 100644 index 0000000..1f7dc90 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/dictionary 
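Review bot: clients.conf accepts any source address with a shared secret that is literally the word `anonymous` and sets `require_message_authenticator = no`, so the RADIUS layer itself authenticates nothing and any host that can reach the listener can inject Access-Requests or accounting packets at will. The package name `freeradius-anon-access` suggests this is deliberate, but the file does not say so or what is meant to bound the exposure; record the intent in a comment such as `# Intentionally open NAS definition: access control happens inside EAP, not at the RADIUS client layer. The listener MUST only be reachable from the access points' network (interface binding or firewall).`. Independently, `require_message_authenticator = yes` costs nothing when every request carries EAP-Message, because RFC 3579 already requires that attribute on such requests, and it rejects forged or replayed non-EAP packets (the class of MD5 request-forgery attacks published in 2024); narrowing `0.0.0.0/0` to the access points' subnet would be the complementary control.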
@@ -0,0 +1,49 @@ +# +# This is the local dictionary file which can be +# edited by local administrators. It will be loaded +# AFTER the main dictionary files are loaded. +# +# As of version 3.0.2, FreeRADIUS will automatically +# load the main dictionary files from +# +# ${prefix}/share/freeradius/dictionary +# +# It is no longer necessary for this file to $INCLUDE +# the main dictionaries. However, if the $INCLUDE +# line is here, nothing bad will happen. +# +# Any new/changed attributes MUST be placed in this file. +# The pre-defined dictionaries SHOULD NOT be edited. +# +# See "man dictionary" for documentation on its format. +# +# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $ +# + +# +# All local attributes and $INCLUDE's should go into +# this file. +# + +# If you want to add entries to the dictionary file, +# which are NOT going to be placed in a RADIUS packet, +# add them to the 'dictionary.local' file. +# +# The numbers you pick should be between 3000 and 4000. +# These attributes will NOT go into a RADIUS packet. +# +# If you want that, you will need to use VSAs. This means +# requesting allocation of a Private Enterprise Code from +# http://iana.org. We STRONGLY suggest doing that only if +# you are a vendor of RADIUS equipment. +# +# See RFC 6158 for more details. +# http://ietf.org/rfc/rfc6158.txt +# + +# +# These attributes are examples +# +#ATTRIBUTE My-Local-String 3000 string +#ATTRIBUTE My-Local-IPAddr 3001 ipaddr +#ATTRIBUTE My-Local-Integer 3002 integer diff --git a/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf b/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf new file mode 100644 index 0000000..e5395f3 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf 
@@ -0,0 +1,116 @@ +# +# This file contains the configuration for experimental modules. +# +# By default, it is NOT included in the build. +# +# $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $ +# + +# Configuration for the Python module. +# +# Where radiusd is a Python module, radiusd.py, and the +# function 'authorize' is called. Here is a dummy piece +# of code: +# +# def authorize(params): +# print params +# return (5, ('Reply-Message', 'banned')) +# +# The RADIUS value-pairs are passed as a tuple of tuple +# pairs as the first argument, e.g. (('attribute1', +# 'value1'), ('attribute2', 'value2')) +# +# The function return is a tuple with the first element +# being the return value of the function. +# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to +# write the return values as Python symbols to avoid +# confusion. +# +# The remaining tuple members are the string form of +# value-pairs which are passed on to pairmake(). +# +python { + mod_instantiate = radiusd_test + func_instantiate = instantiate + + mod_authorize = radiusd_test + func_authorize = authorize + + mod_accounting = radiusd_test + func_accounting = accounting + + mod_pre_proxy = radiusd_test + func_pre_proxy = pre_proxy + + mod_post_proxy = radiusd_test + func_post_proxy = post_proxy + + mod_post_auth = radiusd_test + func_post_auth = post_auth + + mod_recv_coa = radiusd_test + func_recv_coa = recv_coa + + mod_send_coa = radiusd_test + func_send_coa = send_coa + + mod_detach = radiusd_test + func_detach = detach +} + + +# Configuration for the example module. Uncommenting it will cause it +# to get loaded and initialised, but should have no real effect as long +# it is not referenced in one of the autz/auth/preacct/acct sections +example { + # Boolean variable. + # allowed values: {no, yes} + boolean = yes + + # An integer, of any value. + integer = 16 + + # A string. 
+ string = "This is an example configuration string" + + # An IP address, either in dotted quad (1.2.3.4) or hostname + # (example.com) + ipaddr = 127.0.0.1 + + # A subsection + mysubsection { + anotherinteger = 1000 + # They nest + deeply nested { + string = "This is a different string" + } + } +} + +# +# To create a dbm users file, do: +# +# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db +# +# Then add 'dbm' in 'authorize' section. +# +# Note that even if the file has a ".db" or ".dbm" extension, +# you may have to specify it here without that extension. This +# is because the DBM libraries "helpfully" add a ".db" to the +# filename, but don't check if it's already there. +# +dbm { + usersfile = ${confdir}/users_db +} + +# Instantiate a couple instances of the idn module +idn { +} + +# ...more commonly known as... +idn idna { +} + +idn idna_lenient { + UseSTD3ASCIIRules = no +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/hints b/pkgs/fablab/freeradius-anon-access/raddb/hints new file mode 120000 index 0000000..d700878 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/hints @@ -0,0 +1 @@ +./mods-config/preprocess/hints \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/huntgroups b/pkgs/fablab/freeradius-anon-access/raddb/huntgroups new file mode 120000 index 0000000..40da471 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/huntgroups @@ -0,0 +1 @@ +./mods-config/preprocess/huntgroups \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always new file mode 100644 index 0000000..e9a0d20 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always 
@@ -0,0 +1,81 @@ +# -*- text -*- +# +# $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $ + +# +# The "always" module is here for debugging purposes, or +# for use in complex policies. +# Instance simply returns the same result, always, without +# doing anything. +# +# rcode may be one of the following values: +# - reject - Reject the user. +# - fail - Simulate or indicate a failure. +# - ok - Simulate or indicate a success. +# - handled - Indicate that the request has been handled, +# stop processing, and send response if set. +# - invalid - Indicate that the request is invalid. +# - userlock - Indicate that the user account has been +# locked out. +# - notfound - Indicate that a user account can't be found. +# - noop - Simulate a no-op. +# - updated - Indicate that the request has been updated. +# +# If an instance is listed in a session {} section, +# this simulates a user having sessions. +# +# simulcount = +# +# If an instance is listed in a session {} section, +# this simulates the user having multilink +# sessions. +# +# mpp = +# +# An xlat based on the instance name can be called to change the status +# returned by the instance, in this example "always db_status { ... }" +# +# Force the module status to be alive or dead: +# +# %{db_status:alive} +# %{db_status:dead} +# +# Update the rcode returned by an alive module (a dead module returns fail): +# +# %{db_status:ok} +# %{db_status:fail} +# %{db_status:notfound} +# ... +# +# The above xlats expand to the current status of the module. To fetch the +# current status without affecting it call the xlat with an empty argument: +# +# %{db_status:} +# +always reject { + rcode = reject +} +always fail { + rcode = fail +} +always ok { + rcode = ok +} +always handled { + rcode = handled +} +always invalid { + rcode = invalid +} +always userlock { + rcode = userlock +} +always notfound { + rcode = notfound +} +always noop { + rcode = noop +} +always updated { + rcode = updated +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter new file mode 100644 index 0000000..f464783 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter @@ -0,0 +1,61 @@ +# -*- text -*- +# +# $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $ + +# +# This file defines a number of instances of the "attr_filter" module. +# + +# attr_filter - filters the attributes received in replies from +# proxied servers, to make sure we send back to our RADIUS client +# only allowed attributes. +attr_filter attr_filter.post-proxy { + key = "%{Realm}" + filename = ${modconfdir}/${.:name}/post-proxy +} + +# attr_filter - filters the attributes in the packets we send to +# the RADIUS home servers. +attr_filter attr_filter.pre-proxy { + key = "%{Realm}" + filename = ${modconfdir}/${.:name}/pre-proxy +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_reject { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/access_reject +} + +# Enforce RFC requirements on the contents of Access-Challenge +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_challenge { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/access_challenge +} + + +# Enforce RFC requirements on the contents of the +# Accounting-Response packets. See the comments at the +# top of the file for more details. +# +attr_filter attr_filter.accounting_response { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/accounting_response +} + +# +# Enforce CoA or Disconnect packets. +# +# Note that you MUST edit the "coa" file below for your +# local configuration. Add in any attributes needed by the NAS. +# +attr_filter attr_filter.coa { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/coa +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap new file mode 100644 index 0000000..376fc5b --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap @@ -0,0 +1,13 @@ +# +# Cache EAP responses for resiliency on intermediary proxy fail-over +# +cache cache_eap { + key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" + + ttl = 15 + + update reply { + reply: += &reply: + &control:State := &request:State + } +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap new file mode 100644 index 0000000..97d965b --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap @@ -0,0 +1,11 @@ +# -*- text -*- +# +# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ + +# CHAP module +# +# To authenticate requests containing a CHAP-Password attribute. +# +chap { + # no configuration +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date new file mode 100644 index 0000000..25a64da --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date 
@@ -0,0 +1,35 @@ +# +# Registers xlat to convert between time formats. +# +# xlat input string is an attribute name. If this attribute is of date +# or integer type, the date xlat will convert it to a time string in +# the format of the format config item. +# +# If the attribute is a string type, date will attempt to parse it in +# the format specified by the format config item, and will expand +# to a Unix timestamp. +# +date { + format = "%b %e %Y %H:%M:%S %Z" + + # Use UTC instead of local time. + # + # default = no +# utc = yes +} + +# +# The WISPr-Session-Terminate-Time attribute is of type "string", +# and not "date". Use this expansion to create an attribute +# that holds an actual date: +# +# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}" +# +date wispr2date { + format = "%Y-%m-%dT%H:%M:%S" + + # Use UTC instead of local time. + # + # default = no +# utc = yes +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail new file mode 100644 index 0000000..1d6d5f6 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail 
@@ -0,0 +1,109 @@ +# -*- text -*- +# +# $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $ + +# Write a detailed log of all accounting records received. +# +detail { + # Note that we do NOT use NAS-IP-Address here, as + # that attribute MAY BE from the originating NAS, and + # NOT from the proxy which actually sent us the + # request. + # + # The following line creates a new detail file for + # every radius client (by IP address or hostname). + # In addition, a new detail file is created every + # day, so that the detail file doesn't have to go + # through a 'log rotation' + # + # If your detail files are large, you may also want to add + # a ':%H' (see doc/configuration/variables.rst) to the end + # of it, to create a new detail file every hour, e.g.: + # + # ..../detail-%Y%m%d:%H + # + # This will create a new detail file for every hour. + # + # If you are reading detail files via the "listen" section + # (e.g. as in raddb/sites-available/robust-proxy-accounting), + # you MUST use a unique directory for each combination of a + # detail file writer, and reader. That is, there can only + # be ONE "listen" section reading detail files from a + # particular directory. + # + # The configuration below puts the detail files into separate + # directories for each client. If you are reading the detail + # files via the "listen" section, just use one directory. + # + # e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d + # + # AND use a separate directory (reader2, reader3, etc.) for each + # reader. + # + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d + + # + # If you are using radrelay, delete the above line for "file", + # and use this one instead: + # +# filename = ${radacctdir}/detail + + # + # Most file systems can handly nearly the full range of UTF-8 + # characters. Ones that can deal with a limited range should + # set this to "yes". + # + escape_filenames = no + + # + # The Unix-style permissions on the 'detail' file. 
+ # + # The detail file often contains secret or private + # information about users. So by keeping the file + # permissions restrictive, we can prevent unwanted + # people from seeing that information. + permissions = 0600 + + # The Unix group of the log file. + # + # The user that the server runs as must be in the specified + # system group otherwise this will fail to work. + # +# group = ${security.group} + + # + # Every entry in the detail file has a header which + # is a timestamp. By default, we use the ctime + # format (see "man ctime" for details). + # + # The header can be customised by editing this + # string. See "doc/configuration/variables.rst" for a + # description of what can be put here. + # + header = "%t" + + # + # Uncomment this line if the detail file reader will be + # reading this detail file. + # +# locking = yes + + # + # Log the Packet src/dst IP/port. This is disabled by + # default, as that information isn't used by many people. + # +# log_packet_header = yes + + # + # Certain attributes such as User-Password may be + # "sensitive", so they should not be printed in the + # detail file. This section lists the attributes + # that should be suppressed. + # + # The attributes should be listed one to a line. + # + #suppress { + # User-Password + #} + +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log new file mode 100644 index 0000000..f99566d --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log 
@@ -0,0 +1,75 @@ +# -*- text -*- +# +# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $ + +# +# More examples of doing detail logs. + +# +# Many people want to log authentication requests. +# Rather than modifying the server core to print out more +# messages, we can use a different instance of the 'detail' +# module, to log the authentication requests to a file. +# +# You will also need to un-comment the 'auth_log' line +# in the 'authorize' section, below. +# +detail auth_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + permissions = 0600 + + # You may also strip out passwords completely + suppress { + User-Password + } +} + +# +# This module logs authentication reply packets sent +# to a NAS. Both Access-Accept and Access-Reject packets +# are logged. +# +# You will also need to un-comment the 'reply_log' line +# in the 'post-auth' section, below. +# +detail reply_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d + + permissions = 0600 +} + +# +# This module logs packets proxied to a home server. +# +# You will also need to un-comment the 'pre_proxy_log' line +# in the 'pre-proxy' section, below. +# +detail pre_proxy_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + permissions = 0600 + + # You may also strip out passwords completely + #suppress { + # User-Password + #} +} + +# +# This module logs response packets from a home server. +# +# You will also need to un-comment the 'post_proxy_log' line +# in the 'post-proxy' section, below. +# +detail post_proxy_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d + + permissions = 0600 +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest new file mode 100644 index 0000000..af52017 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest @@ -0,0 +1,13 @@ +# -*- text -*- +# +# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $ + +# +# The 'digest' module currently has no configuration. +# +# "Digest" authentication against a Cisco SIP server. +# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details +# on performing digest authentication for Cisco SIP servers. +# +digest { +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients new file mode 100644 index 0000000..c5c9c8a --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients @@ -0,0 +1,32 @@ +# -*- text -*- +# +# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $ + +# This module loads RADIUS clients as needed, rather than when the server +# starts. +# +# There are no configuration entries for this module. Instead, it +# relies on the "client" configuration. You must: +# +# 1) link raddb/sites-enabled/dynamic_clients to +# raddb/sites-available/dynamic_clients +# +# 2) Define a client network/mask (see top of the above file) +# +# 3) uncomment the "directory" entry in that client definition +# +# 4) list "dynamic_clients" in the "authorize" section of the +# "dynamic_clients' virtual server. The default example already +# does this. +# +# 5) put files into the above directory, one per IP. +# e.g. file "192.0.2.1" should contain a normal client definition +# for a client with IP address 192.0.2.1. +# +# For more documentation, see the file: +# +# raddb/sites-available/dynamic-clients +# +dynamic_clients { + +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap new file mode 100644 index 0000000..73718ff --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap 
@@ -0,0 +1,1082 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: 61be516b1a686e7a1c83e61f9260960a5f01730d $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = md5 + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + # + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. 
+ # + cisco_accounting_username_bug = no + + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + # + max_sessions = ${max_requests} + + + ############################################################ + # + # Supported EAP-types + # + + + # EAP-MD5 + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + + # EAP-pwd -- secure password-based authentication + # + #pwd { + # group = 19 + + # server_id = theserver@example.com + + # This has the same meaning as for TLS. + # + # fragment_size = 1020 + + # The virtual server which determines the + # "known good" password for the user. + # Note that unlike TLS, only the "authorize" + # section is processed. EAP-PWD requests can be + # distinguished by having a User-Name, but + # no User-Password, CHAP-Password, EAP-Message, etc. + # + # virtual_server = "inner-tunnel" + #} + + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # As of 3.0.22, LEAP has been removed from the server. + # It is insecure, and no one should be using it. + # + + + # EAP-GTC -- Generic Token Card + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. + # + # challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. 
This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + + # Common TLS configuration for TLS-based EAP types + # ------------------------------------------------ + # + # See raddb/certs/README.md for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # If you do not currently have certificates signed by + # a trusted CA you may use the 'snakeoil' certificates. + # Included with the server in raddb/certs. + # + # If these certificates have not been auto-generated: + # cd raddb/certs + # make + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + # + tls-config tls-common { + private_key_password = whatever + private_key_file = ${certdir}/server.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If ca_file (below) is not used, then the + # certificate_file below SHOULD also include all of + # the intermediate CA certificates used to sign the + # server certificate, but NOT the root CA. + # + # Including the ROOT CA certificate is not useful and + # merely inflates the exchanged data volume during + # the TLS negotiation. 
+ # + # This file should contain the server certificate, + # followed by intermediate certificates, in order. + # i.e. If we have a server certificate signed by CA1, + # which is signed by CA2, which is signed by a root + # CA, then the "certificate_file" should contain + # server.pem, followed by CA1.pem, followed by + # CA2.pem. + # + # When using "ca_file" or "ca_dir", the + # "certificate_file" should contain only + # "server.pem". And then you may (or may not) need + # to set "auto_chain", depending on your version of + # OpenSSL. + # + # In short, SSL / TLS certificates are complex. + # There are many versions of software, each of which + # behave slightly differently. It is impossible to + # give advice which will work everywhere. Instead, + # we give general guidelines. + # + certificate_file = ${certdir}/server.crt + + # Trusted Root CA list + # + # This file can contain multiple CA certificates. + # ALL of the CA's in this list will be trusted to + # issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + ca_file = ${cadir}/ca.pem + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that + # it sometimes gets the chains right from a certificate + # signature view, but wrong from the clients view. + # + # When setting "auto_chain = no", the server certificate + # file MUST include the full certificate chain. + # + # auto_chain = yes + + # If OpenSSL supports TLS-PSK, then we can use a + # fixed PSK identity and (hex) password. As of + # 3.0.18, these can be used at the same time as the + # certificate configuration, but only for TLS 1.0 + # through 1.2. + # + # If PSK and certificates are configured at the same + # time for TLS 1.3, then the server will warn you, + # and will disable TLS 1.3, as it will not work. 
+ # + # The work around is to have two modules (or for + # RadSec, two listen sections). One will have PSK + # configured, and the other will have certificates + # configured. + # + # psk_identity = "test" + # psk_hexphrase = "036363823" + + # Dynamic queries for the PSK. If TLS-PSK is used, + # and psk_query is set, then you MUST NOT use + # psk_identity or psk_hexphrase. + # + # Instead, use a dynamic expansion similar to the one + # below. It keys off of TLS-PSK-Identity. It should + # return a of string no more than 512 hex characters. + # That string will be converted to binary, and will + # be used as the dynamic PSK hexphrase. + # + # Note that this query is just an example. You will + # need to customize it for your installation. + # + # psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" + + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 2048 + # + dh_file = ${certdir}/dh + + # If your system doesn't have /dev/urandom, + # you will need to create this file, and + # periodically change its contents. + # + # For security reasons, FreeRADIUS doesn't + # write to files in its configuration + # directory. + # + # random_file = /dev/urandom + + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accommodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. 
+ # + # include_length = yes + + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the lines below. + # 5) Restart radiusd + # check_crl = yes + + # Check if intermediate CAs have been revoked. + # check_all_crl = yes + + ca_path = ${cadir} + + # OpenSSL does not reload contents of ca_path dir over time. + # That means that if check_crl is enabled and CRLs are loaded + # from ca_path dir, at some point CRLs will expire and + # RADIUSd will stop authenticating users. + # If ca_path_reload_interval is non-zero, it will force OpenSSL + # to reload all data from ca_path periodically + # + # Flush ca_path each hour + # ca_path_reload_interval = 3600 + + + # Accept an expired Certificate Revocation List + # + # allow_expired_crl = no + + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the certificate verification will fail, + # rejecting the user. + # + # This check can be done more generally by checking + # the value of the TLS-Client-Cert-Issuer attribute. + # This check can be done via any mechanism you + # choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # This check can be done more generally by writing + # "unlang" statements to examine the value of the + # TLS-Client-Cert-Common-Name attribute. + # + # check_cert_cn = %{User-Name} + + # + # This configuration item only applies when there is + # an intermediate CA between the "root" CA, and the + # client certificate. 
If we trust the root CA, then + # by definition we also trust ANY intermediate CA + # which is signed by that root. This means ANOTHER + # intermediate CA can issue client certificates, and + # have them accepted by the EAP module. + # + # The solution is to list ONLY the trusted CAs in the + # FreeRADIUS configuration, and then set this + # configuration item to "yes". + # + # Then, when the server receives a client certificate + # from an untrusted CA, that authentication request + # can be rejected. + # + # It is possible to do these checks in "unlang", by + # checking for unknown names in the + # TLS-Cert-Common-Name attribute, but that is + # more complex. So we add a configuration option + # which can be set once, and which works for all + # possible intermediate CAs, no matter what their + # value. + # + # reject_unknown_intermediate_ca = no + + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # + cipher_list = "DEFAULT" + + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) + # for choosing right cipher suite rather than + # using client-specified list which is OpenSSl default + # behavior. Setting this to "yes" means that OpenSSL + # will choose the servers ciphers, even if they do not + # best match what the client sends. + # + # TLS negotiation is usually good, but can be imperfect. + # This setting allows administrators to "fine tune" it + # if necessary. + # + cipher_server_preference = no + + # You can selectively disable TLS versions for + # compatability with old client devices. + # + # If your system has OpenSSL 1.1.0 or greater, do NOT + # use these. Instead, set tls_min_version and + # tls_max_version. + # +# disable_tlsv1_2 = yes +# disable_tlsv1_1 = yes +# disable_tlsv1 = yes + + + # Set min / max TLS version. + # + # Generally speaking you should NOT use TLS 1.0 or + # TLS 1.1. They are old, possibly insecure, and + # deprecated. 
However, it is sometimes necessary to + # enable it for compatibility with legact systems. + # We recommend replacing those legacy systems, and + # using at least TLS 1.2. + # + # Some Debian versions disable older versions of TLS, + # and requires the application to manually enable + # them. + # + # If you are running such a distribution, you should + # set these options, otherwise older clients will not + # be able to connect. + # + # Allowed values are "1.0", "1.1", "1.2", and "1.3". + # + # As of 2021, it is STRONGLY RECOMMENDED to set + # + # tls_min_version = "1.2" + # + # Older TLS versions are insecure and deprecated. + # + # In order to enable TLS 1.0 and TLS 1.1, you may + # also need to update cipher_list below to: + # + # cipher_list = "DEFAULT@SECLEVEL=1" + # + # The values must be in quotes. + # + # We also STRONGLY RECOMMEND to set + # + # tls_max_version = "1.2" + # + # While the server will accept "1.3" as a value, + # most EAP supplicants WILL NOT DO TLS 1.3 PROPERLY. + # + # i.e. they WILL NOT WORK, SO DO NOT ASK QUESTIONS ON + # THE LIST ABOUT WHY IT DOES NOT WORK. + # + # The TLS 1.3 support is here for future + # compatibility, as clients get upgraded, and people + # don't upgrade their copies of FreeRADIUS. + # + # Also note that we only support TLS 1.3 for EAP-TLS. + # Other versions of EAP (PEAP, TTLS, FAST) DO NOT + # SUPPORT TLS 1.3. + # + tls_min_version = "1.2" + tls_max_version = "1.2" + + # Elliptical cryptography configuration + # + # This configuration should be one of the following: + # + # * a name of the curve to use, e.g. "prime256v1". + # + # * a colon separated list of curve NIDs or names. + # + # * an empty string, in which case OpenSSL will choose + # the "best" curve for the situation. + # + # For supported curve names, please run + # + # openssl ecparam -list_curves + # + ecdh_curve = "prime256v1" + + # Session resumption / fast reauthentication + # cache. 
+ # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # See also the "store" subsection below for + # additional attributes which can be cached. + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + # You can check if a session has been resumed by + # looking for the existence of the EAP-Session-Resumed + # attribute. Note that this attribute will *only* + # exist in the "post-auth" section. + # + # CAVEATS: The cache is stored and reloaded BEFORE + # the "post-auth" section is run. This limitation + # makes caching more difficult than it should be. In + # practice, it means that the first authentication + # session must set the reply attributes before the + # post-auth section is run. + # + # When the session is resumed, the attributes are + # restored and placed into the session-state list. + # + cache { + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # + # The session cache requires the use of the + # "name" and "persist_dir" configuration + # items, below. + # + # The internal OpenSSL session cache has been permanently + # disabled. 
+ # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # + enable = no + + # Lifetime of the cached entries, in hours. The sessions will be + # deleted/invalidated after this time. + # + lifetime = 24 # hours + + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # + # The server will generate a random value if unset. + # This will change across server restart so you MUST + # set the "name" if you want to persist sessions (see + # below). + # + # name = "EAP module" + + # Simple directory-based storage of sessions. + # Two files per session will be written, the SSL + # state and the cached VPs. This will persist session + # across server restarts. + # + # The default directory is ${logdir}, for historical + # reasons. You should ${db_dir} instead. And check + # the value of db_dir in the main radiusd.conf file. + # It should not point to ${raddb} + # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # + # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # + # persist_dir = "${logdir}/tlscache" + + # + # As of 3.0.20, it is possible to partially + # control which attributes exist in the + # session cache. This subsection lists + # attributes which are taken from the reply, + # and saved to the on-disk cache. When the + # session is resumed, these attributes are + # added to the "session-state" list. The + # default configuration will then take care + # of copying them to the reply. + # + store { + Tunnel-Private-Group-Id + } + } + + # Client certificates can be validated via an + # external command. 
This allows dynamic CRLs or OCSP + # to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + # If OCSP checking is enabled, and the OCSP checks fail, + # the verify section is not run. + # + # If OCSP checking is disabled, the verify section is + # run on successful certificate validation. + # + verify { + # If the OCSP checks succeed, the verify section + # is run to allow additional checks. + # + # If you want to skip verify on OCSP success, + # uncomment this configuration item, and set it + # to "yes". + # + # skip_if_ocsp_ok = no + + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..ca_path} text is a reference to + # the ca_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # + # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # OCSP Configuration + # + # Certificates can be verified against an OCSP + # Responder. This makes it possible to immediately + # revoke certificates without the distribution of + # new Certificate Revocation Lists (CRLs). + # + ocsp { + # Enable it. The default is "no". 
+ # Deleting the entire "ocsp" subsection + # also disables ocsp checking + # + enable = no + + # The OCSP Responder URL can be automatically + # extracted from the certificate in question. + # To override the OCSP Responder URL set + # "override_cert_url = yes". + # + override_cert_url = yes + + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # If the OCSP Responder can not cope with nonce + # in the request, then it can be disabled here. + # + # For security reasons, disabling this option + # is not recommended as nonce protects against + # replay attacks. + # + # Note that Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is + # more secure to enable nonce on the responder than + # to disable it in the query here. + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # + # use_nonce = yes + + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 + + # Normally an error in querying the OCSP + # responder (no response from server, server did + # not understand the request, etc) will result in + # a validation failure. + # + # To treat these errors as 'soft' failures and + # still accept the certificate, enable this + # option. + # + # Warning: this may enable clients with revoked + # certificates to connect if the OCSP responder + # is not available. Use with caution. + # + # softfail = no + } + } + + + # EAP-TLS + # + # The TLS configuration for TLS-based EAP types is held in + # the "tls-config" section, above. + # + tls { + # Point to the common TLS configuration + # + tls = tls-common + + # As part of checking a client certificate, the EAP-TLS + # sets some attributes such as TLS-Client-Cert-Common-Name. This + # virtual server has access to these attributes, and can + # be used to accept or reject the request. 
+ # + # virtual_server = check-eap-tls + + # You can control whether or not EAP-TLS requires a + # client certificate by setting + # + # configurable_client_cert = yes + # + # Once that setting has been changed, you can then set + # + # EAP-TLS-Require-Client-Cert = No + # + # in the control items for a request, and the EAP-TLS + # module will not require a client certificate from + # the supplicant. + # + # WARNING: This configuration should only be used + # when the users are placed into a "captive portal" + # or "walled garden", where they have limited network + # access. Otherwise the configuraton will allow + # anyone on the network, without authenticating them! + # +# configurable_client_cert = no + } + + + # EAP-TTLS -- Tunneled TLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + ttls { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # + default_eap_type = md5 + + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. 
+ # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # + copy_request_to_tunnel = no + + # This configuration item is deprecated. Instead, + # you should use: + # + # update outer.session-state { + # ... + # } + # + # This will cache attributes for the final Access-Accept. + # + # See "update outer.session-state" in the "post-auth" + # sections of sites-available/default, and of + # sites-available/inner-tunnel + # + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. + # + # allowed values: {no, yes} + # + use_tunneled_reply = yes + + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # A virtual server MUST be specified. + # + virtual_server = "inner-tunnel" + + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". + # + # include_length = yes + + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with EAP-TTLS, so this option is unlikely + # to be usable for most people. + # + # require_client_cert = yes + } + + + # EAP-PEAP + # + + ################################################## + # + # !!!!! 
WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # https://support.microsoft.com/en-us/help/814394/ + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + peap { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # + default_eap_type = mschapv2 + + # The PEAP module also has these configuration + # items, which are the same as for TTLS. + # + copy_request_to_tunnel = no + + # This configuration item is deprecated. Instead, + # you should use: + # + # update outer.session-state { + # ... 
+ # } + # + # This will cache attributes for the final Access-Accept. + # + # See "update outer.session-state" in the "post-auth" + # sections of sites-available/default, and of + # sites-available/inner-tunnel + # + use_tunneled_reply = yes + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # + # This setting can be over-ridden on a packet by + # packet basis by setting + # + # &control:Proxy-Tunneled-Request-As-EAP = yes + # + # proxy_tunneled_request_as_eap = yes + + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # A virtual server MUST be specified. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + + # Unlike EAP-TLS, PEAP does not require a client certificate. + # However, you can require one by setting the following + # option. You can also override this option by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with PEAP, so this option is unlikely to + # be usable for most people. + # + # require_client_cert = yes + } + + + # EAP-MSCHAPv2 + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. 
+ # + mschapv2 { + # In earlier versions of the server, this module + # never sent the MS-CHAP-Error message to the client. + # This worked, but it had issues when the cached + # password was wrong. The server *should* send + # "E=691 R=0" to the client, which tells it to prompt + # the user for a new password. + # + # The default is to use that functionality. which is + # known to work. If you set "send_error = yes", then + # the error message will be sent back to the client. + # This *may* help some clients work better, but *may* + # also cause other clients to stop working. + # + # send_error = no + + # Server identifier to send back in the challenge. + # This should generally be the host name of the + # RADIUS server. Or, some information to uniquely + # identify it. + # + # identity = "FreeRADIUS" + } + + + # EAP-FAST + # + # The FAST module implements the EAP-FAST protocol + # + #fast { + # Point to the common TLS configuration + # + # tls = tls-common + + # If 'cipher_list' is set here, it will over-ride the + # 'cipher_list' configuration from the 'tls-common' + # configuration. The EAP-FAST module has it's own + # over-ride for 'cipher_list' because the + # specifications mandata a different set of ciphers + # than are used by the other EAP methods. + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # + # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + + # PAC lifetime in seconds (default: seven days) + # + # pac_lifetime = 604800 + + # Authority ID of the server + # + # If you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. 
+ # + # authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # + # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # + # virtual_server = inner-tunnel + #} +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo new file mode 100644 index 0000000..c21a8ff --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo 
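Review bot: `private_key_password = whatever` in the tls-common section is left as a literal in a file packaged under pkgs/, which presumably ends up in a world-readable store path, so a real passphrase must never be substituted here; either keep `server.key` unencrypted and omit the item, or have the key path and password supplied from a runtime secret outside the package. `use_tunneled_reply = yes` appears in both the ttls and peap sections, while the comment directly above each occurrence calls the item deprecated in favour of `update outer.session-state`; if the inner-tunnel reply attributes are intentionally wanted on the outer Access-Accept, record that with a comment such as `# deliberately enabled: reply attributes from inner-tunnel are needed on the outer reply` so a later cleanup does not silently flip it. The outer `default_eap_type = md5` also stays at a value the same file describes as insecure for wireless; a deployment that only intends PEAP or TTLS should set it to the type actually in use and keep `ignore_unknown_eap_types = no`. The hunk is the entire 1082-line file, and these are the only locally relevant settings I could identify in it.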
@@ -0,0 +1,123 @@
+# -*- text -*-
+#
+# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
+
+#
+# This is a more general example of the execute module.
+#
+# This one is called "echo".
+#
+# Attribute-Name = `%{echo:/path/to/program args}`
+#
+# If you wish to execute an external program in more than
+# one section (e.g. 'authorize', 'pre_proxy', etc), then it
+# is probably best to define a different instance of the
+# 'exec' module for every section.
+#
+# The return value of the program run determines the result
+# of the exec instance call as follows:
+# (See doc/configurable_failover for details)
+#
+# < 0 : fail the module failed
+# = 0 : ok the module succeeded
+# = 1 : reject the module rejected the user
+# = 2 : fail the module failed
+# = 3 : ok the module succeeded
+# = 4 : handled the module has done everything to handle the request
+# = 5 : invalid the user's configuration entry was invalid
+# = 6 : userlock the user was locked out
+# = 7 : notfound the user was not found
+# = 8 : noop the module did nothing
+# = 9 : updated the module updated information in the request
+# > 9 : fail the module failed
+#
+exec echo {
+ #
+ # Wait for the program to finish.
+ #
+ # If we do NOT wait, then the program is "fire and
+ # forget", and any output attributes from it are ignored.
+ #
+ # If we are looking for the program to output
+ # attributes, and want to add those attributes to the
+ # request, then we MUST wait for the program to
+ # finish, and therefore set 'wait=yes'
+ #
+ # allowed values: {no, yes}
+ wait = yes
+
+ #
+ # The name of the program to execute, and it's
+ # arguments. Dynamic translation is done on this
+ # field, so things like the following example will
+ # work.
+ #
+ program = "/bin/echo %{User-Name}"
+
+ #
+ # The attributes which are placed into the
+ # environment variables for the program.
+ #
+ # Allowed values are:
+ #
+ # request attributes from the request
+ # config attributes from the configuration items list
+ # reply attributes from the reply
+ # proxy-request attributes from the proxy request
+ # proxy-reply attributes from the proxy reply
+ #
+ # Note that some attributes may not exist at some
+ # stages. e.g. There may be no proxy-reply
+ # attributes if this module is used in the
+ # 'authorize' section.
+ #
+ input_pairs = request
+
+ #
+ # Where to place the output attributes (if any) from
+ # the executed program. The values allowed, and the
+ # restrictions as to availability, are the same as
+ # for the input_pairs.
+ #
+ output_pairs = reply
+
+ #
+ # When to execute the program. If the packet
+ # type does NOT match what's listed here, then
+ # the module does NOT execute the program.
+ #
+ # For a list of allowed packet types, see
+ # the 'dictionary' file, and look for VALUEs
+ # of the Packet-Type attribute.
+ #
+ # By default, the module executes on ANY packet.
+ # Un-comment out the following line to tell the
+ # module to execute only if an Access-Accept is
+ # being sent to the NAS.
+ #
+ #packet_type = Access-Accept
+
+ #
+ # Should we escape the environment variables?
+ #
+ # If this is set, all the RADIUS attributes
+ # are capitalised and dashes replaced with
+ # underscores. Also, RADIUS values are surrounded
+ # with double-quotes.
+ #
+ # That is to say: User-Name=BobUser => USER_NAME="BobUser"
+ shell_escape = yes
+
+ #
+ # How long should we wait for the program to finish?
+ #
+ # Default is 10 seconds, which should be plenty for nearly
+ # anything. Range is 1 to 30 seconds. You are strongly
+ # encouraged to NOT increase this value. Decreasing can
+ # be used to cause authentication to fail sooner when you
+ # know it's going to fail anyway due to the time taken,
+ # thereby saving resources.
+ #
+ #timeout = 10
+
+}
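Review bot: `program = "/bin/echo %{User-Name}"` in `exec echo` names a path a NixOS host does not provide — NixOS populates only `/bin/sh` and `/usr/bin/env` — so if this instance is linked from mods-enabled (not visible in this chunk) the helper cannot start, and with `wait = yes` every call of the module returns fail. The file is the unmodified upstream sample, so either keep it out of mods-enabled or have the package substitute the absolute store path of `echo` into `program` at build time. A one-line comment above the `program` line recording which of the two was chosen would save the next reader the same check.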
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
new file mode 100644
index 0000000..8f07a82
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
@@ -0,0 +1,29 @@
+# -*- text -*-
+#
+# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
+
+#
+# Execute external programs
+#
+# This module is useful only for 'xlat'. To use it,
+# put 'exec' into the 'instantiate' section. You can then
+# do dynamic translation of attributes like:
+#
+# Attribute-Name = `%{exec:/path/to/program args}`
+#
+# The value of the attribute will be replaced with the output
+# of the program which is executed. Due to RADIUS protocol
+# limitations, any output over 253 bytes will be ignored.
+#
+# The RADIUS attributes from the user request will be placed
+# into environment variables of the executed program, as
+# described in "man unlang" and in doc/configuration/variables.rst
+#
+# See also "echo" for more sample configuration.
+#
+exec {
+ wait = no
+ input_pairs = request
+ shell_escape = yes
+ timeout = 10
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
new file mode 100644
index 0000000..dfc0550
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
@@ -0,0 +1,13 @@
+# -*- text -*-
+#
+# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
+
+#
+# The expiration module. This handles the Expiration attribute
+# It should be included in the *end* of the authorize section
+# in order to handle user Expiration. It should also be included
+# in the instantiate section in order to register the Expiration
+# compare function
+#
+expiration {
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr
new file mode 100644
index 0000000..b0bfc73
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr 
@@ -0,0 +1,146 @@
+# -*- text -*-
+#
+# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
+
+#
+# This module performs mathematical calculations:
+#
+# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
+#
+# It supports the following operators (in order of precedence)
+#
+# & binary AND
+# | binary OR
+# << left shift
+# >> right shift
+# + addition
+# - subtraction
+# * multiply
+# / divide
+# %% remainder
+# ^ exponentiation
+# (...) sub-expression
+#
+# Operator precedence follows the normal rules.
+# Division by zero means that the entire expression is invalid.
+#
+# Note that in versions before 3.0.5, the expression
+# was parsed strictly left to right, and ignored operator
+# precedence.
+#
+# It also allows unary negation: -1
+# And twos complement: ~1
+#
+# All calculations are done on signed 63-bit integers.
+# e.g. int64_t. This should be sufficient for all normal
+# purposes.
+#
+# Hex numbers are supported: 0xabcdef
+#
+# As with all string expansions, you can nest the expansions:
+#
+# %{expr: %{NAS-Port} + 1}
+# %{expr: %{sql:SELECT ... } + 1}
+#
+# Attribute references are supported for integer attributes.
+# e.g. &NAS-Port. The benefit of using attribute references
+# is that the expression is calculated directly on the
+# attribute. It skips the step of "print to string, and then
+# parse to number". This means it's a little faster.
+#
+# Otherwise, all numbers are decimal.
+#
+
+#
+# The module also registers a few paircompare functions, and
+# many string manipulation functions, including:
+#
+# rand get random number from 0 to n-1
+# "%{rand:10}" == "9"
+#
+# randstr get random string built from character classes:
+# c lowercase letters
+# C uppercase letters
+# n numbers
+# a alphanumeric
+# ! punctuation
+# .
alphanumeric + punctuation
+# s alphanumeric + "./"
+# o characters suitable for OTP (easily confused removed)
+# h binary data as lowercase hex
+# H binary data as uppercase hex
+#
+# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
+# "%{randstr:oooooooo}" == "rfVzyA4y"
+# "%{randstr:hhhh}" == "68d60de3"
+#
+# urlquote quote special characters in URI
+# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
+#
+# urlunquote unquote URL special characters
+# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
+#
+# escape escape string similar to rlm_sql safe_characters
+# "%{escape:foo.jpg}" == "=60img=62foo.jpg=60/img=62"
+#
+# unescape reverse of escape
+# "%{unescape:=60img=62foo.jpg=60/img=62}" == "foo.jpg"
+#
+# tolower convert to lowercase
+# "%{tolower:Bar}" == "bar"
+#
+# toupper convert to uppercase
+# "%{toupper:Foo}" == "FOO"
+#
+# md5 get md5sum hash
+# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
+#
+# sha1 get sha1 hash
+# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
+#
+# sha256 get sha256 hash
+# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
+#
+# sha512 get sha512 hash
+# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
+#
+# hmacmd5 generate HMAC-MD5 of string
+# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
+#
+# hmacsha1 generate HMAC-SHA1 of string
+# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
+#
+# crypt encrypt with a salt: %{crypt:salt:password}
+# "%{crypt:aa:foo}" == "aaKNIEDOaueR6"
+# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
+# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
+#
+# pairs serialize attributes as comma-delimited string
+# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
+#
+# base64 encode string as base64
+# "%{base64:foo}" == "Zm9v"
+#
+# base64tohex convert base64 to hex
+# "%{base64tohex:Zm9v}" == "666f6f"
+#
+# explode split an attribute into multiple new attributes based on a delimiter
+# "%{explode:&ref }"
+#
+# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s)
+# if it were 16:18, %{nexttime:1h} would expand to 2520
+#
+# lpad left-pad a string
+# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
+#
+# rpad right-pad a string
+# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
+#
+
+expr {
+ #
+ # Characters that will not be encoded by the %{escape}
+ # xlat function.
+ #
+ safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files
new file mode 100644
index 0000000..bf968c5
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files
@@ -0,0 +1,30 @@
+# -*- text -*-
+#
+# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
+
+# Livingston-style 'users' file
+#
+# See "man users" for more information.
+#
+files {
+ # Search for files in a subdirectory of mods-config which
+ # matches this instance of the files module.
+ moddir = ${modconfdir}/${.:instance}
+
+ # The default key attribute to use for matches. The content
+ # of this attribute is used to match the "name" of the
+ # entry.
+ #key = "%{%{Stripped-User-Name}:-%{User-Name}}"
+
+ # The old "users" style file is now located here.
+ filename = ${moddir}/authorize
+
+ # This is accepted for backwards compatibility
+ # It will be removed in a future release.
+# usersfile = ${moddir}/authorize
+
+ # These are accepted for backwards compatibility.
+ # They will be renamed in a future release.
+ acctusersfile = ${moddir}/accounting
+ preproxy_usersfile = ${moddir}/pre-proxy
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
new file mode 100644
index 0000000..37e5f0d
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
@@ -0,0 +1,161 @@
+# -*- text -*-
+#
+# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
+
+#
+# The "linelog" module will log one line of text to a file.
+# Both the filename and the line of text are dynamically expanded.
+#
+# We STRONGLY suggest that you do not use data from the
+# packet as part of the filename.
+#
+linelog {
+ #
+ # The file where the logs will go.
+ #
+ # If the filename is "syslog", then the log messages will
+ # go to syslog.
+ filename = ${logdir}/linelog
+
+ #
+ # Most file systems can handly nearly the full range of UTF-8
+ # characters. Ones that can deal with a limited range should
+ # set this to "yes".
+ #
+ escape_filenames = no
+
+ #
+ # The Unix-style permissions on the log file.
+ #
+ # Depending on format string, the log file may contain secret or
+ # private information about users. Keep the file permissions as
+ # restrictive as possible.
+ permissions = 0600
+
+ # The Unix group which owns the log file.
+ #
+ # The user that freeradius runs as must be in the specified
+ # group, otherwise it will not be possible to set the group.
+# group = ${security.group}
+
+ # Syslog facility (if logging via syslog).
+ # Defaults to the syslog_facility config item in radiusd.conf.
+ # Standard facilities are:
+ # - kern Messages generated by the kernel. These cannot
+ # be generated by any user processes.
+ # - user Messages generated by random user processes.
+ # This is the default facility identifier if
+ # none is specified.
+ # - mail The mail system.
+ # - daemon System daemons, such as routed(8), that are not
+ # provided for explicitly by other facilities.
+ # - auth The authorization system: login(1), su(1),
+ # getty(8), etc.
+ # - lpr The line printer spooling system: cups-lpd(8),
+ # cupsd(8), etc.
+ # - news The network news system.
+ # - uucp The uucp system.
+ # - cron The cron daemon: cron(8).
+ # - authpriv The same as LOG_AUTH, but logged to a file
+ # readable only by selected individuals.
+ # - ftp The file transfer protocol daemons: ftpd(8),
+ # tftpd(8).
+ # - local[0-7] Reserved for local use.
+# syslog_facility = daemon
+
+ # Syslog severity (if logging via syslog). Defaults to info.
+ # Possible values are:
+ # - emergency A panic condition. This is normally broadcast
+ # to all users.
+ # - alert A condition that should be corrected immediately,
+ # such as a corrupted system database.
+ # - critical Critical conditions, e.g., hard device errors.
+ # - error Errors.
+ # - warning Warning messages.
+ # - notice Conditions that are not error conditions, but
+ # should possibly be handled specially.
+ # - info Informational messages.
+ # - debug Messages that contain information normally of use
+ # only when debugging a program.
+# syslog_severity = info
+
+ # If logging via syslog, the severity can be set here.
+ # Defaults to info.
+ #
+ # The default format string.
+ format = "This is a log message for %{User-Name}"
+
+ #
+ # This next line can be omitted. If it is omitted, then
+ # the log message is static, and is always given by "format",
+ # above.
+ #
+ # If it is defined, then the string is dynamically expanded,
+ # and the result is used to find another configuration entry
+ # here, with the given name. That name is then used as the
+ # format string.
+ #
+ # If the configuration entry cannot be found, then no log
+ # message is printed.
+ #
+ # i.e. You can have many log messages in one "linelog" module.
+ # If this two-step expansion did not exist, you would have
+ # needed to configure one "linelog" module for each log message.
+
+ #
+ # Reference the Packet-Type (Access-Accept, etc.) If it doesn't
+ # exist, reference the "default" entry.
+ #
+ # This is for "linelog" being used in the post-auth section
+ # If you want to use it in "authorize", you need to change
+ # the reference to "messages.%{%{Packet-Type}:-default}",
+ # and then add the appropriate messages.
+ #
+ reference = "messages.%{%{reply:Packet-Type}:-default}"
+
+ #
+ # The messages defined here are taken from the "reference"
+ # expansion, above.
+ #
+ messages {
+ default = "Unknown packet type %{Packet-Type}"
+
+ Access-Accept = "Accepted user: %{User-Name}"
+ Access-Reject = "Rejected user: %{User-Name}"
+ Access-Challenge = "Sent challenge: %{User-Name}"
+ }
+}
+
+#
+# Another example, for accounting packets.
+#
+linelog log_accounting {
+ #
+ # Used if the expansion of "reference" fails.
+ #
+ format = ""
+
+ filename = ${logdir}/linelog-accounting
+
+ permissions = 0600
+
+ reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
+
+ #
+ # Another example:
+ #
+ #
+ Accounting-Request {
+ Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+ Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+
+ # Don't log anything for these packets.
+ Alive = ""
+
+ Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
+ Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
+
+ # don't log anything for other Acct-Status-Types.
+ unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
+ }
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime
new file mode 100644
index 0000000..d4f6f3e
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime
@@ -0,0 +1,23 @@
+# -*- text -*-
+#
+# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
+
+# The logintime module. This handles the Login-Time,
+# Current-Time, and Time-Of-Day attributes. It should be
+# included in the *end* of the authorize section in order to
+# handle Login-Time checks. It should also be included in the
+# instantiate section in order to register the Current-Time
+# and Time-Of-Day comparison functions.
+#
+# When the Login-Time attribute is set to some value, and the
+# user has been permitted to log in, a Session-Timeout is
+# calculated based on the remaining time. See "doc/README".
+#
+logintime {
+ # The minimum timeout (in seconds) a user is allowed
+ # to have. If the calculated timeout is lower we don't
+ # allow the login. Some NAS do not handle values
+ # lower than 60 seconds well.
+ minimum_timeout = 60
+}
+
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
new file mode 100644
index 0000000..44440bd
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
@@ -0,0 +1,253 @@
+# -*- text -*-
+#
+# $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $
+
+#
+# Microsoft CHAP authentication
+#
+# This module supports MS-CHAP and MS-CHAPv2 authentication.
+# It also enforces the SMB-Account-Ctrl attribute.
+#
+mschap {
+ #
+ # If you are using /etc/smbpasswd, see the 'passwd'
+ # module for an example of how to use /etc/smbpasswd
+ #
+
+ #
+ # If use_mppe is not set to no mschap, will
+ # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+ # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+ #
+# use_mppe = no
+
+ #
+ # If MPPE is enabled, require_encryption makes
+ # encryption moderate
+ #
+# require_encryption = yes
+
+ #
+ # require_strong always requires 128 bit key
+ # encryption
+ #
+# require_strong = yes
+
+ #
+ # This module can perform authentication itself, OR
+ # use a Windows Domain Controller. This configuration
+ # directive tells the module to call the ntlm_auth
+ # program, which will do the authentication, and return
+ # the NT-Key. Note that you MUST have "winbindd" and
+ # "nmbd" running on the local machine for ntlm_auth
+ # to work. See the ntlm_auth program documentation
+ # for details.
+ #
+ # If ntlm_auth is configured below, then the mschap
+ # module will call ntlm_auth for every MS-CHAP
+ # authentication request. If there is a cleartext
+ # or NT hashed password available, you can set
+ # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+ # and the mschap module will do the authentication itself,
+ # without calling ntlm_auth.
+ #
+ # Be VERY careful when editing the following line!
+ #
+ # You can also try setting the user name as:
+ #
+ # ... --username=%{mschap:User-Name} ...
+ #
+ # In that case, the mschap module will look at the User-Name
+ # attribute, and do prefix/suffix checks in order to obtain
+ # the "best" user name for the request.
+ #
+ # For Samba 4, you should also set the "ntlm auth" parameter
+ # in the Samba configuration:
+ #
+ # ntlm auth = yes
+ #
+ # or
+ #
+ # ntlm auth = mschapv2-and-ntlmv2-only
+ #
+ # This will let Samba 4 accept the MS-CHAP authentication
+ # method that is needed by FreeRADIUS.
+ #
+ # Depending on the Samba version, you may also need to add:
+ #
+ # --allow-mschapv2
+ #
+ # to the command-line parameters.
+ #
+# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+
+ #
+ # The default is to wait 10 seconds for ntlm_auth to
+ # complete. This is a long time, and if it's taking that
+ # long then you likely have other problems in your domain.
+ # The length of time can be decreased with the following
+ # option, which can save clients waiting if your ntlm_auth
+ # usually finishes quicker. Range 1 to 10 seconds.
+ #
+# ntlm_auth_timeout = 10
+
+ #
+ # An alternative to using ntlm_auth is to connect to the
+ # winbind daemon directly for authentication. This option
+ # is likely to be faster and may be useful on busy systems,
+ # but is less well tested.
+ #
+ # Using this option requires libwbclient from Samba 4.2.1
+ # or later to be installed. Make sure that ntlm_auth above is
+ # commented out.
+ #
+# winbind_username = "%{mschap:User-Name}"
+# winbind_domain = "%{mschap:NT-Domain}"
+
+ #
+ # When using single sign-on with a winbind connection and the
+ # client uses a different casing for the username than the
+ # casing is according to the backend, reauth may fail because
+ # of some Windows internals. This switch tries to find the
+ # user in the correct casing in the backend, and retry
+ # authentication with that username.
+ #
+# winbind_retry_with_normalised_username = no
+
+ #
+ # Information for the winbind connection pool.
The configuration
+ # items below are the same for all modules which use the new
+ # connection pool.
+ #
+ pool {
+ #
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # winbind daemon being available.
+ #
+ start = ${thread[pool].start_servers}
+
+ #
+ # Minimum number of connections to keep open
+ #
+ min = ${thread[pool].min_spare_servers}
+
+ #
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ #
+ max = ${thread[pool].max_servers}
+
+ #
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ #
+ spare = ${thread[pool].max_spare_servers}
+
+ #
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ #
+ uses = 0
+
+ #
+ # The number of seconds to wait after the server tries
+ # to open a connection, and fails. During this time,
+ # no new connections will be opened.
+ #
+ retry_delay = 30
+
+ #
+ # The lifetime (in seconds) of the connection
+ #
+ # NOTE: A setting of 0 means infinite (no limit).
+ #
+ lifetime = 86400
+
+ #
+ # The pool is checked for free connections every
+ # "cleanup_interval". If there are free connections,
+ # then one of them is closed.
+ #
+ cleanup_interval = 300
+
+ #
+ # The idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ #
+ # NOTE: A setting of 0 means infinite (no timeout).
+ #
+ idle_timeout = 600
+
+ #
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ #
+ }
+
+ passchange {
+ #
+ # This support MS-CHAPv2 (not v1) password change
+ # requests. See doc/mschap.rst for more IMPORTANT
+ # information.
+ #
+ # Samba/ntlm_auth - if you are using ntlm_auth to
+ # validate passwords, you will need to use ntlm_auth
+ # to change passwords. Uncomment the three lines
+ # below, and change the path to ntlm_auth.
+ #
+# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
+# ntlm_auth_username = "username: %{mschap:User-Name}"
+# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
+
+ #
+ # To implement a local password change, you need to
+ # supply a string which is then expanded, so that the
+ # password can be placed somewhere. e.g. passed to a
+ # script (exec), or written to SQL (UPDATE/INSERT).
+ # We give both examples here, but only one will be
+ # used.
+ #
+# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
+ #
+# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
+ }
+
+ #
+ # For Apple Server, when running on the same machine as
+ # Open Directory. It has no effect on other systems.
+ #
+# use_open_directory = yes
+
+ #
+ # On failure, set (or not) the MS-CHAP error code saying
+ # "retries allowed".
+ #
+# allow_retry = yes
+
+ #
+ # An optional retry message.
+ #
+# retry_msg = "Re-enter (or reset) the password"
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
new file mode 100644
index 0000000..ab0017c
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
@@ -0,0 +1,18 @@
+#
+# For testing ntlm_auth authentication with PAP.
+#
+# If you have problems with authentication failing, even when the
+# password is good, it may be a bug in Samba:
+#
+# https://bugzilla.samba.org/show_bug.cgi?id=6563
+#
+# Depending on the AD / Samba configuration, you may also need to add:
+#
+# --allow-mschapv2
+#
+# to the list of command-line options.
+#
+exec ntlm_auth {
+ wait = yes
+ program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
new file mode 100644
index 0000000..f766843
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
@@ -0,0 +1,18 @@
+# -*- text -*-
+#
+# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
+
+# PAP module to authenticate users based on their stored password
+#
+# Supports multiple encryption/hash schemes. See "man rlm_pap"
+# for details.
+#
+# For instructions on creating the various types of passwords, see:
+#
+# http://www.openldap.org/faq/data/cache/347.html
+pap {
+ # By default the server will use heuristics to try and automatically
+ # handle base64 or hex encoded passwords. This behaviour can be
+ # stopped by setting the following to "no".
+# normalise = yes
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
new file mode 100644
index 0000000..bf77f3a
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
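Review bot: `program = "/path/to/ntlm_auth ... --password=%{User-Password}"` in `exec ntlm_auth` expands the user's cleartext password into a command-line argument, where it is readable by any local process through the process table for as long as the helper runs, and the binary path is still the upstream placeholder. The file's own header calls it a testing aid for PAP, and the mschap module added in the same commit carries the challenge/response form (`--challenge=`/`--nt-response=`) that keeps the password off the command line. Whether this instance is linked from mods-enabled is not visible in this chunk; if it is only shipped as an unused sample, a comment such as `# sample only — not linked from mods-enabled; passes the cleartext password as an argv entry` above the `program` line would make that explicit.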
@@ -0,0 +1,55 @@ +# -*- text -*- +# +# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $ + +# passwd module allows to do authorization via any passwd-like +# file and to extract any attributes from these files. +# +# See the "smbpasswd" and "etc_group" files for more examples. +# +# parameters are: +# filename - path to file +# +# format - format for filename record. This parameters +# correlates record in the passwd file and RADIUS +# attributes. +# +# Field marked as '*' is a key field. That is, the parameter +# with this name from the request is used to search for +# the record from passwd file +# +# Attributes marked as '=' are added to reply_items instead +# of default configure_items +# +# Attributes marked as '~' are added to request_items +# +# Field marked as ',' may contain a comma separated list +# of attributes. +# +# hash_size - hashtable size. Setting it to 0 is no longer permitted +# A future version of the server will have the module +# automatically determine the hash size. Having it set +# manually should not be necessary. +# +# allow_multiple_keys - if many records for a key are allowed +# +# ignore_nislike - ignore NIS-related records +# +# delimiter - symbol to use as a field separator in passwd file, +# for format ':' symbol is always used. '\0', '\n' are +# not allowed +# + +# An example configuration for using /etc/passwd. +# +# This is an example which will NOT WORK if you have shadow passwords, +# NIS, etc. The "unix" module is normally responsible for reading +# system passwords. You should use it instead of this example. +# +passwd etc_passwd { + filename = /etc/passwd + format = "*User-Name:Crypt-Password:" + hash_size = 100 + ignore_nislike = no + allow_multiple_keys = no +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess new file mode 100644 index 0000000..ae349e9 --- /dev/null 
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess @@ -0,0 +1,62 @@ +# -*- text -*- +# +# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $ + +# Preprocess the incoming RADIUS request, before handing it off +# to other modules. +# +# This module processes the 'huntgroups' and 'hints' files. +# In addition, it re-writes some weird attributes created +# by some NAS, and converts the attributes into a form which +# is a little more standard. +# +preprocess { + # Search for files in a subdirectory of mods-config which + # matches this instance of the preprocess module. + moddir = ${modconfdir}/${.:instance} + + huntgroups = ${moddir}/huntgroups + hints = ${moddir}/hints + + # This hack changes Ascend's weird port numbering + # to standard 0-??? port numbers so that the "+" works + # for IP address assignments. + with_ascend_hack = no + ascend_channels_per_line = 23 + + # Windows NT machines often authenticate themselves as + # NT_DOMAIN\username + # + # If this is set to 'yes', then the NT_DOMAIN portion + # of the user-name is silently discarded. + # + # This configuration entry SHOULD NOT be used. + # See the "realms" module for a better way to handle + # NT domains. + with_ntdomain_hack = no + + # Specialix Jetstream 8500 24 port access server. + # + # If the user name is 10 characters or longer, a "/" + # and the excess characters after the 10th are + # appended to the user name. + # + # If you're not running that NAS, you don't need + # this hack. + with_specialix_jetstream_hack = no + + # Cisco (and Quintum in Cisco mode) sends it's VSA attributes + # with the attribute name *again* in the string, like: + # + # H323-Attribute = "h323-attribute=value". + # + # If this configuration item is set to 'yes', then + # the redundant data in the the attribute text is stripped + # out. The result is: + # + # H323-Attribute = "value" + # + # If you're not running a Cisco or Quintum NAS, you don't + # need this hack. + with_cisco_vsa_hack = no +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp new file mode 100644 index 0000000..8430fc1 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp @@ -0,0 +1,53 @@ +# -*- text -*- +# +# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $ + +# Write a 'utmp' style file, of which users are currently +# logged in, and where they've logged in from. +# +# This file is used mainly for Simultaneous-Use checking, +# and also 'radwho', to see who's currently logged in. +# +radutmp { + # Where the file is stored. It's not a log file, + # so it doesn't need rotating. + # + filename = ${logdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want + # to use to key on to control Simultaneous-Use, + # then you can use them here. + # + # Note, however, that the size of the field in the + # 'utmp' data structure is small, around 32 + # characters, so that will limit the possible choices + # of keys. + # + # You may want instead: %{%{Stripped-User-Name}:-%{User-Name}} + username = %{User-Name} + + + # Whether or not we want to treat "user" the same + # as "USER", or "User". Some systems have problems + # with case sensitivity, so this should be set to + # 'no' to enable the comparisons of the key attribute + # to be case insensitive. + # + case_sensitive = yes + + # Accounting information may be lost, so the user MAY + # have logged off of the NAS, but we haven't noticed. + # If so, we can verify this information with the NAS, + # + # If we want to believe the 'utmp' file, then this + # configuration entry can be set to 'no'. + # + check_with_nas = yes + + # Set the file permissions, as the contents of this file + # are usually private. + permissions = 0600 + + caller_id = "yes" +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm new file mode 100644 index 0000000..fb014f7 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm 
@@ -0,0 +1,75 @@ +# -*- text -*- +# +# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $ + +# Realm module, for proxying. +# +# You can have multiple instances of the realm module to +# support multiple realm syntaxes at the same time. The +# search order is defined by the order that the modules are listed +# in the authorize and preacct sections. +# +# Four config options: +# format - must be "prefix" or "suffix" +# The special cases of "DEFAULT" +# and "NULL" are allowed, too. +# delimiter - must be a single character + +# 'realm/username' +# +# Using this entry, IPASS users have their realm set to "IPASS". +realm IPASS { + format = prefix + delimiter = "/" +} + +# 'username@realm' +# +realm suffix { + format = suffix + delimiter = "@" + + # The next configuration items are valid ONLY for a trust-router. + # For all other realms, they are ignored. +# trust_router = "localhost" +# tr_port = 12309 +# rp_realm = "realm.example.com" +# default_community = "apc.communities.example.com" +# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed +# # before they expire to avoid having to recreate them from scrach on +# # demand (implying lengthy authentications) +# rekey_enabled = no +# # if realm_lifetime is > 0, the rekey is scheduled to happen the +# # specified number of seconds after its creation or rekeying. Otherwise, +# # the key material expiration timestamp is used +# realm_lifetime = 0 +} + +# 'realm!username' +# +realm bangpath { + format = prefix + delimiter = "!" + +# trust_router = "localhost" +# tr_port = 12309 +# rp_realm = "realm.example.com" +# default_community = "apc.communities.example.com" +# rekey_enabled = no +# realm_lifetime = 0 +} + +# 'username%realm' +# +realm realmpercent { + format = suffix + delimiter = "%" +} + +# +# 'domain\user' +# +realm ntdomain { + format = prefix + delimiter = "\\" +} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate new file mode 100644 index 0000000..3ba88c1 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate 
@@ -0,0 +1,42 @@ +# Replicate packet(s) to a home server. +# +# This module will open a new socket for each packet, and "clone" +# the incoming packet to the destination realm (i.e. home server). +# These packets are only sent to UDP home servers. TCP and TLS +# are not supported. +# +# Use it by setting "Replicate-To-Realm = name" in the control list, +# just like Proxy-To-Realm. The configurations for the two attributes +# are identical. The realm must exist, the home_server_pool must exist, +# and the home_server must exist. +# +# The only difference is that the "replicate" module sends requests +# and does not expect a reply. Any reply is ignored. +# +# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. +# +# To use this module, list "replicate" in the "authorize" or +# "accounting" section. Then, ensure that Replicate-To-Realm is set. +# The contents of the "packet" attribute list will be sent to the +# home server. The usual load-balancing, etc. features of the home +# server will be used. +# +# "radmin" can be used to mark home servers alive/dead, in order to +# enable/disable replication to specific servers. +# +# Packets can be replicated to multiple destinations. Just set +# Replicate-To-Realm multiple times. One packet will be sent for +# each of the Replicate-To-Realm attribute in the "control" list. +# +# If no packets are sent, the module returns "noop". If at least one +# packet is sent, the module returns "ok". If an error occurs, the +# module returns "fail" +# +# Note that replication does NOT change any of the packet statistics. +# If you use "radmin" to look at the statistics for a home server, +# the replicated packets will cause NO counters to increment. This +# is not a bug, this is how replication works. +# +replicate { + +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh new file mode 100644 index 0000000..d125ce4 --- /dev/null 
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh @@ -0,0 +1,4 @@ +# SoH module +soh { + dhcp = yes +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp new file mode 100644 index 0000000..8e28704 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp @@ -0,0 +1,16 @@ +# -*- text -*- +# +# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $ + +# "Safe" radutmp - does not contain caller ID, so it can be +# world-readable, and radwho can work for normal users, without +# exposing any information that isn't already exposed by who(1). +# +# This is another 'instance' of the radutmp module, but it is given +# then name "sradutmp" to identify it later in the "accounting" +# section. +radutmp sradutmp { + filename = ${logdir}/sradutmp + permissions = 0644 + caller_id = "no" +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp new file mode 100644 index 0000000..b06946a --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp 
@@ -0,0 +1,40 @@ +# -*- text -*- +# +# $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $ + +# +# Time-based One-Time Passwords (TOTP) +# +# Defined in RFC 6238, and used in Google Authenticator. +# +# This module can only be used in the "authenticate" section. +# +# The Base32-encoded secret should be placed into: +# +# &control:TOTP-Secret +# +# The TOTP password entered by the user should be placed into: +# +# &request:TOTP-Password +# +# The module will return "ok" if the passwords match, and "fail" +# if the passwords do not match. +# +# Note that this module will NOT interact with Google. The module is +# intended to be used where the local administrator knows the TOTP +# secret key, and user has an authenticator app on their phone. +# +# Note also that while you can use the Google "chart" APIs to +# generate a QR code, doing this will give the secret to Google! +# +# Administrators should instead install a tool such as "qrcode" +# +# https://linux.die.net/man/1/qrencode +# +# and then run that locally to get an image. +# +# +# The module takes no configuration items. +# +totp { +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix new file mode 100644 index 0000000..a5798d5 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix 
@@ -0,0 +1,25 @@ +# -*- text -*- +# +# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ + +# Unix /etc/passwd style authentication +# +# This module calls the system functions to get the "known good" +# password. This password is usually in the "crypt" form, and is +# incompatible with CHAP, MS-CHAP, PEAP, etc. +# +# If passwords are in /etc/shadow, you will need to set the "group" +# configuration in radiusd.conf. Look for "shadow", and follow the +# instructions there. +# +unix { + # + # The location of the "wtmp" file. + # The only use for 'radlast'. If you don't use + # 'radlast', then you can comment out this item. + # + # Note that the radwtmp file may get large! You should + # rotate it (cp /dev/null radwtmp), or just not use it. + # + radwtmp = ${logdir}/radwtmp +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack new file mode 100644 index 0000000..1cd95d2 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack 
@@ -0,0 +1,105 @@ +# -*- text -*- +# +# $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $ + +# +# This module is useful only for 'xlat'. +# To use it, add it to the raddb/mods-enabled/ directory. +# +# Two xlat functions are provided by this module: +# - unpack +# - substring +# +# Both are for use on the right-hand side of a variable assignment. +# +# unpack +# ====== +# +# ... = "%{unpack:data 1 integer}" +# +# The arguments are three fields: +# +# data +# Either &Attribute-Name +# the name of the attribute to unpack. +# MUST be a "string" or "octets" type. +# +# or 0xabcdef +# e.g. hex data. +# +# 1 +# The offset into the string from which +# it starts unpacking. The offset starts +# at zero, for the first attribute. +# +# integer +# the data type to unpack at that offset. +# e.g. integer, ipaddr, byte, short, etc. +# +# e.g. if we have Class = 0x0000000102030405, then +# +# %{unpack:&Class 4 short} +# +# will unpack octets 4 and 5 as a "short", which has +# value 0x0304. +# +# This module is used when vendors put multiple fields +# into one attribute of type "octets". +# +# The module can also be used to unpack substrings, by specifing a +# data type of "string(len)" or "octets(len)". Where "len" is an +# actual number. For example: +# +# %{unpack:&User-Name 1 string(2)} +# +# When given a User-Name of "hello", it will start taking the +# substring at offset 1 (i.e. "e"), and it will take two characters +# from that offset, i.e. "el". +# +# As a special case, you can unpack an entire string by specifying +# the offset, and nothing for the length: +# +# %{unpack:&User-Name 1 string()} +# +# When "octets(len)" is used, the output is printed as hex. e.g. 
for +# the above example with Class: +# +# %{unpack:&Class 4 octets(4)} +# +# Will return the hex string "02030405" +# +# +# substring +# ========= +# +# substring will return a substring of a string or attribute using +# the syntax +# +# %{substring:data start len} +# +# data +# Either an attribute name or string data. String data +# can have leading or trailing spaces. Only a single +# space before "start" is taken as the separator. +# +# start +# the zero based offset for the start of the substring. +# A negative value will count in from the end of the +# string. +# +# len +# the number of characters to return. A Negative value +# will remove that number of characters from the end. +# If len is more than the available number of characters +# then only the available number will be returned. +# +# Examples: +# +# "%{substring:foobar 2 3}" == "oba" +# "%{substring:foobar -3 2}" == "ba" +# "%{substring:foobar 1 -1}" == "ooba" +# if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob" +# + +unpack { +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8 b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8 new file mode 100644 index 0000000..00812fa --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8 @@ -0,0 +1,14 @@ +# +# Enforces UTF-8 on strings coming in from the NAS. +# +# An attribute of type "string" containing UTF-8 makes +# the module return NOOP. +# +# An attribute of type "string" containing non-UTF-8 data +# makes the module return FAIL. +# +# This module takes no configuration. +# +utf8 { + +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge new file mode 100644 index 0000000..528670c --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge 
@@ -0,0 +1,19 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $ +# +# This configuration file is used to remove almost all of the +# attributes From an Access-Challenge message. The RFCs say +# that an Access-Challenge packet can contain only a few +# attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + Session-Timeout =* ANY, + Idle-Timeout =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject new file mode 100644 index 0000000..54668f7 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject @@ -0,0 +1,18 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $ +# +# This configuration file is used to remove almost all of the attributes +# From an Access-Reject message. The RFCs say that an Access-Reject +# packet can contain only a few attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Error-Cause =* ANY, + Reply-Message =* ANY, + MS-CHAP-Error =* ANY, + Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/accounting_response b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/accounting_response new file mode 100644 index 0000000..23456b8 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/accounting_response 
@@ -0,0 +1,16 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $ +# +# This configuration file is used to remove almost all of the attributes +# From an Accounting-Response message. The RFC's say that an +# Accounting-Response packet can contain only a few attributes. +# We enforce that here. +# +DEFAULT + Vendor-Specific =* ANY, + Message-Authenticator =* ANY, + Error-Cause =* ANY, + Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/coa b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/coa new file mode 100644 index 0000000..2d28a45 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/coa @@ -0,0 +1,22 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 89cea2ea97dea10b82a8146cfeeeb1d7dd33b2f8 $ +# +# This configuration file is used to remove attributes From an +# CoA-Request or Disconnect-Request message. We have specified +# a sample list here. This will have to be modified to add +# attributes needed by your local configuration. +# +DEFAULT + User-Name =* ANY, + NAS-IP-Address =* ANY, + NAS-IPv6-Address =* ANY, + NAS-Port =* ANY, + NAS-Identifier =* ANY, + NAS-Port-Type =* ANY, + Calling-Station-Id =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/post-proxy b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/post-proxy new file mode 100644 index 0000000..3ecddaf --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/post-proxy 
@@ -0,0 +1,119 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 5d889ea733ec8e6b246335f86bf6e122b54f23aa $ +# +# This file contains security and configuration information +# for each realm. The first field is the realm name and +# can be up to 253 characters in length. This is followed (on +# the next line) with the list of filter rules to be used to +# decide what attributes and/or values we allow proxy servers +# to pass to the NAS for this realm. +# +# When a proxy-reply packet is received from a home server, +# these attributes and values are tested. Only the first match +# is used unless the "Fall-Through" variable is set to "Yes". +# In that case the rules defined in the DEFAULT case are +# processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# +# You can include another `attrs' file with `$INCLUDE attrs.other' +# + +# +# This is a complete entry for realm "fisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) +# o PPP sessions ( no SLIP, CSLIP, etc. 
) +# o dynamic ip assignment ( can't assign a static ip ) +# o an idle timeout value set to 600 seconds (10 min) or less +# o a max session time set to 28800 seconds (8 hours) or less +# +#fisp +# Service-Type == Framed-User, +# Framed-Protocol == PPP, +# Framed-IP-Address == 255.255.255.254, +# Idle-Timeout <= 600, +# Session-Timeout <= 28800 + +# +# This is a complete entry for realm "tisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Login-User Service-Type ( no framed/ppp sessions ) +# o Telnet sessions only ( no rlogin, tcp-clear ) +# o Login host of 192.0.2.1 +# +#tisp +# Service-Type == Login-User, +# Login-Service == Telnet, +# Login-TCP-Port == 23, +# Login-IP-Host == 192.0.2.1 + +# +# The following example can be used for a home server which is only +# allowed to supply a Reply-Message, a Session-Timeout attribute of +# maximum 86400, a Idle-Timeout attribute of maximum 600 and a +# Acct-Interim-Interval attribute between 300 and 3600. +# All other attributes sent back will be filtered out. +# +#strictrealm +# Reply-Message =* ANY, +# Session-Timeout <= 86400, +# Idle-Timeout <= 600, +# Acct-Interim-Interval >= 300, +# Acct-Interim-Interval <= 3600 + +# +# This is a complete entry for realm "spamrealm". Fall-Through is used, +# so that the DEFAULT filter rules are used in addition to these. +# +# These rules allow: +# o Force the application of Filter-ID attribute to be returned +# in the proxy reply, whether the proxy sent it or not. +# o The standard DEFAULT rules as defined below +# +#spamrealm +# Framed-Filter-Id := "nosmtp.in", +# Fall-Through = Yes + +# +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. 
(except if the realm previously +# matched an entry with no Fall-Through) +# + +DEFAULT + Framed-IP-Address == 255.255.255.254, + Framed-IP-Netmask == 255.255.255.255, + Framed-MTU >= 576, + Framed-Filter-ID =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + MS-MPPE-Recv-Key =* ANY, + MS-MPPE-Send-Key =* ANY, + MS-CHAP-MPPE-Keys =* ANY, + State =* ANY, + Session-Timeout <= 28800, + Idle-Timeout <= 600, + Calling-Station-Id =* ANY, + Operator-Name =* ANY, + Port-Limit <= 2 diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/pre-proxy b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/pre-proxy new file mode 100644 index 0000000..7144d70 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/pre-proxy 
@@ -0,0 +1,65 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $ +# +# This file contains security and configuration information +# for each realm. It can be used be an rlm_attr_filter module +# instance to filter attributes before sending packets to the +# home server of a realm. +# +# When a packet is sent to a home server, these attributes +# and values are tested. Only the first match is used unless +# the "Fall-Through" variable is set to "Yes". In that case +# the rules defined in the DEFAULT case are processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# The first line indicates the realm to which the rules apply. +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# + +# This is a complete entry for 'nochap' realm. It allows to send very +# basic attributes to the home server. Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used. Only the listed attributes +# will be sent in the packet, all other attributes will be filtered out. +# +#nochap +# User-Name =* ANY, +# User-Password =* ANY, +# NAS-IP-Address =* ANY, +# NAS-Identifier =* ANY + +# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type +# if its value is different from 'Ethernet'. Then the default rules are +# applied. +# +#brokenas +# NAS-Port-Type == Ethernet +# Fall-Through = Yes + +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. 
+ +DEFAULT + User-Name =* ANY, + User-Password =* ANY, + CHAP-Password =* ANY, + CHAP-Challenge =* ANY, + MS-CHAP-Challenge =* ANY, + MS-CHAP-Response =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + State =* ANY, + NAS-IP-Address =* ANY, + NAS-Identifier =* ANY, + Operator-Name =* ANY, + Calling-Station-Id =* ANY, + Chargeable-User-Identity =* ANY, + Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/accounting b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/accounting new file mode 100644 index 0000000..db75515 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/accounting @@ -0,0 +1,27 @@ +# +# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $ +# +# This is like the 'users' file, but it is processed only for +# accounting packets. +# + +# Select between different accounting methods based for example on the +# Realm, the Huntgroup-Name or any combinaison of the attribute/value +# pairs contained in an accounting packet. +# +# You will need to add an "Acct-Type foo {...}" subsection to the +# main "accounting" section in order for these sample configurations +# to work. +# +#DEFAULT Realm == "foo.net", Acct-Type := foo +# +#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi +# +#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other +# +#DEFAULT Acct-Status-Type == Start, Acct-Type := start + +# Replace the User-Name with the Stripped-User-Name, if it exists. +# +#DEFAULT +# User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize new file mode 100644 index 0000000..b78dbc8 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize 
@@ -0,0 +1,13 @@
+anonymous Cleartext-Password := "anonymous"
+
+#/ wildcard, accept any credentials
+DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept
+ Tunnel-Type = VLAN,
+ Tunnel-Medium-Type = IEEE-802,
+ Tunnel-Private-Group-ID = 6
+
+#DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept
+# session-timeout = 14400,
+# Termination-Action = RADIUS-Request,
+# Tunnel-Private-Group-ID := 1,
+# Reply-Message := "Hello %{User-Name}, You are assigned vlan 1"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/dhcp b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/dhcp
new file mode 100644
index 0000000..04f37b5
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/dhcp
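Review bot: The `DEFAULT` entry accepts every inner identity with any password: `Auth-Type := Accept` bypasses password verification entirely, and its only check item, `FreeRADIUS-Proxied-To == 127.0.0.1`, is satisfied by every request forwarded from the inner tunnel. Because the preceding `anonymous` entry has no `Fall-Through`, the one user whose password is actually checked is `anonymous` (against the fixed `"anonymous"`), while any other user-name goes straight to Accept — presumably the reverse of what the naming suggests, so worth confirming. If an open network is the intent, state it where the `#/ wildcard` comment is, e.g. `# Open network: every inner identity is accepted without a password check and placed in VLAN 6`; if only the anonymous identity should get in, add `User-Name == "anonymous"` to the DEFAULT check items and drop the Cleartext-Password entry. The reply items use `=` (add if absent) rather than `:=` (overwrite), which is fine here but `:=` on `Tunnel-Private-Group-ID` avoids surprises if an earlier module has already set a VLAN.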
@@ -0,0 +1,153 @@ +# +# This configuration file that may be used by multiple instances of rlm_files +# to set reply and control options for defining DHCP replies. +# +# The content of this file is all made up and needs to be set appropriate to +# the network being served. +# + +############################################ +# Global and network-specific parameters # +############################################ + +# +# Note: This section is matched by calling the dhcp_network instance of the +# files module. +# + + +# +# Default options that can be overridden by subsequent matches. +# +network + DHCP-Domain-Name-Server := 192.0.1.100, + DHCP-Domain-Name-Server += 192.0.1.101, + DHCP-Time-Server := 192.0.1.200, + DHCP-Domain-Name := "example.org", + DHCP-IP-Address-Lease-Time := 7200, + Fall-Through := yes + + +# +# The following examples set options specific to the Layer 2 network, matched +# on whether the internal attribute DHCP-Network-Subnet (that acts as a +# network identifier) is within the indicated range. This is equivalent to a +# "shared-network" or "multinet" configuration (i.e. one that is possibly +# composed of multiple subnets) as defined by some other DHCP servers. +# + +# +# Here is an example for a network containing a single IP subnet. We can set +# the network-specific options *and* we directly set the DHCP-Subnet-Mask, +# DHCP-Router-Address and DHCP-Broadcast-Address since it is a common reply +# parameter for all DHCP requests originating from this network. +# +# The use of the ^= "prepend" operator for setting DHCP-Domain-Name-Server +# results in this new value being inserted at the start of the list, meaning +# this will become the first DNS server presented in the reply. +# +# Note: If the architecture has only a single subnet for each Layer 2 network +# then by placing all subnet-related options here we can avoid calling the +# dhcp_subnet policy after IP allocation. 
+# +network DHCP-Network-Subnet < 10.20.0.0/16, Pool-Name := "smalldept" + DHCP-IP-Address-Lease-Time := 3600, + DHCP-Domain-Name := "smalldept.example.org", + DHCP-Subnet-Mask := 255.255.0.0, + DHCP-Router-Address := 10.20.0.1, + DHCP-Domain-Name-Server ^= 10.20.0.2, + DHCP-Broadcast-Address := 10.20.255.255 + +# +# Here is an example for a network that consists of multiple IP subnets, each +# of which is valid for a DHCP request originating from the network. We set +# the Pool-Name parameter to identify a single pool that contains the IP +# address within each subnet, any of which is suitable. +# +# We set the options that are common to the network but we defer the setting +# of DHCP-Subnet-Mask, DHCP-Router-Address and DHCP-Broadcast-Address until an +# address has been allocated. Only then do we know which subnet parameters are +# required. See the next section. +# +network DHCP-Network-Subnet < 10.30.0.0/16, Pool-Name := "bigdept" + DHCP-Domain-Name := "bigdept.example.org" + + +# +# Here is an example for a network that has a dedicated pool for admin staff +# and a seperate pool for everything else. +# +network DHCP-Network-Subnet < 192.0.2.0/24, DHCP-Group-Name == "admin", Pool-Name := "admin-only" +network DHCP-Network-Subnet < 192.0.2.0/24, Pool-Name := "general" + + +################################ +# Subnet-specific parameters # +################################ + +# +# Note: This section is matched by calling the dhcp_subnet policy which sets +# DHCP-Network-Subnet to the allocated IP address of the device and then +# calls the dhcp_subnet instance of the files module. +# +# Layer 2 networks many contain multiple subnets, each with their own gateway. +# We call this section *after* the allocation of an IP address (e.g. from a +# single pool containing addresses within multiple equally-valid subnets for +# the network) so that we then know which subnet-specific parameters to +# return. 
+# + +# +# Subnet-specific options, matched on whether the allocated IP address is +# within the indicated range. +# +subnet DHCP-Network-Subnet < 10.30.10.0/24 + DHCP-Subnet-Mask := 255.255.255.0, + DHCP-Router-Address := 10.30.10.1, + DHCP-Broadcast-Address := 10.30.10.255 + +subnet DHCP-Network-Subnet < 10.30.20.0/24 + DHCP-Subnet-Mask := 255.255.255.0, + DHCP-Router-Address := 10.30.20.1, + DHCP-Broadcast-Address := 10.30.20.255 + + +############################### +# Group-specific parameters # +############################### + +# +# Note: This section is matched by calling the dhcp_group_options policy. +# +# It should be called *after* defining the device's group memberships in +# DHCP-Group-Name request attributes. In the default dhcp virtual server this +# is demonstrated with the help of the dhcp_group_membership instance of the +# passwd module. +# + +# +# Group-specific options, keyed by DHCP-Group-Name +# +group1 + DHCP-Server-Host-Name := "terminal-booter.example.org", + DHCP-Boot-Filename := "bootfile.pxe" + + +############################## +# Host-specific parameters # +############################## + +# +# Note: This section is matched by calling the dhcp_hosts instance of the +# files module. +# + +# +# Host-specific options, keyed by DHCP-Client-Hardware-Address +# +host-00:10:20:30:40:50 + DHCP-Boot-Filename := "customboot.pxe" + +host-10:90:80:70:aa:bb + DHCP-X-Window-Font-Server := 10.20.1.10, + DHCP-Impress-Server := 10.20.1.20 diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/pre-proxy b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/pre-proxy new file mode 100644 index 0000000..9c848fd --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/pre-proxy 
@@ -0,0 +1,31 @@
+#
+# Configuration file for the rlm_files module.
+# Please see rlm_files(5) manpage for more information.
+#
+# $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $
+#
+# This file is similar to the "users" file. The check items
+# are compared against the request, but the "reply" items are
+# used to update the proxied packet, not the reply to the NAS.
+#
+# You can use this file to re-write requests which are about to
+# be sent to a home server.
+#
+
+#
+# Requests destinated to realm "extisp" are sent to a RADIUS
+# home server hosted by an other company which doesn't know about
+# the IP addresses of our NASes. Therefore we replace the value of
+# the NAS-IP-Address attribute by a unique value we communicated
+# to them.
+#
+#DEFAULT Realm == "extisp"
+# NAS-IP-Address := 10.1.2.3
+
+#
+# For all proxied packets, set the User-Name in the proxied packet
+# to the Stripped-User-Name, if it exists. If not, set it to the
+# User-Name from the original request.
+#
+#DEFAULT
+# User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}`
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/hints b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/hints
new file mode 100644
index 0000000..a785879
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/hints
@@ -0,0 +1,86 @@ +# +# hints +# +# The hints file. This file is used to match +# a request, and then add attributes to it. This +# process allows a user to login as "bob.ppp" (for example), +# and receive a PPP connection, even if the NAS doesn't +# ask for PPP. The "hints" file is used to match the +# ".ppp" portion of the username, and to add a set of +# "user requested PPP" attributes to the request. +# +# Matching can take place with the the Prefix and Suffix +# attributes, just like in the "users" file. +# These attributes operate ONLY on the username, though. +# +# Note that the attributes that are set for each entry are +# NOT added to the reply attributes passed back to the NAS. +# Instead they are added to the list of attributes in the +# request that has been SENT by the NAS. +# +# This extra information can be used in the users file to +# match on. Usually this is done in the DEFAULT entries, +# of which there can be more than one. +# +# In addition a matching entry can transform a username +# for authentication purposes if the "Strip-User-Name" +# variable is set to Yes in an entry (default is Yes). +# +# A special non-protocol name-value pair called "Hint" +# can be set to match on in the "users" file. +# +# As with the "users" file, the first entry that matches the +# incoming request will cause the server to stop looking for +# more hints. If the "Fall-Through" attribute is set to +# "Yes" in an entry then the server will not stop, but +# continue to process further hints from the file. Matches +# on subsequent hints will be against the altered request +# from the previous hints, not against the original request. +# +# The following is how most dial-up ISPs want to set this up. 
+# +# Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $ +# + + +DEFAULT Suffix == ".ppp", Strip-User-Name = Yes + Hint = "PPP", + Service-Type = Framed-User, + Framed-Protocol = PPP + +DEFAULT Suffix == ".slip", Strip-User-Name = Yes + Hint = "SLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP + +DEFAULT Suffix == ".cslip", Strip-User-Name = Yes + Hint = "CSLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +###################################################################### +# +# These entries are old, and commented out by default. +# They confuse too many people when "Peter" logs in, and the +# server thinks that the user "eter" is asking for PPP. +# +#DEFAULT Prefix == "U", Strip-User-Name = No +# Hint = "UUCP" + +#DEFAULT Prefix == "P", Strip-User-Name = Yes +# Hint = "PPP", +# Service-Type = Framed-User, +# Framed-Protocol = PPP + +#DEFAULT Prefix == "S", Strip-User-Name = Yes +# Hint = "SLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP + +#DEFAULT Prefix == "C", Strip-User-Name = Yes +# Hint = "CSLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP + diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/huntgroups b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/huntgroups new file mode 100644 index 0000000..da28dba --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/huntgroups 
@@ -0,0 +1,43 @@ +# +# huntgroups This file defines the `huntgroups' that you have. A +# huntgroup is defined by specifying the IP address of +# the NAS and possibly a port. +# +# Matching is done while RADIUS scans the user file; if it +# includes the selection criteria "Huntgroup-Name == XXX" +# the huntgroup is looked up in this file to see if it +# matches. There can be multiple definitions of the same +# huntgroup; the first one that matches will be used. +# +# This file can also be used to define restricted access +# to certain huntgroups. The second and following lines +# define the access restrictions (based on username and +# UNIX usergroup) for the huntgroup. +# + +# +# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name +# called Alphen that matches on all three terminal servers. +# +#alphen NAS-IP-Address == 192.0.2.5 +#alphen NAS-IP-Address == 192.0.2.6 +#alphen NAS-IP-Address == 192.0.2.7 + +# +# The POP in Delft consists of only one terminal server. +# +#delft NAS-IP-Address == 198.51.100.5 + +# +# Port 0 on the first terminal server in Alphen are connected to +# a huntgroup that is for business users only. Note that only one +# of the username or groupname has to match to get access (OR/OR). +# +# Note that this huntgroup is a subset of the "alphen" huntgroup. +# +#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 +# User-Name == rogerl, +# User-Name == henks, +# Group == business, +# Group == staff + diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/always b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/always new file mode 120000 index 0000000..2cc1029 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/always @@ -0,0 +1 @@ +../mods-available/always \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/attr_filter b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/attr_filter new file mode 120000 index 0000000..400dfd1 
--- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/attr_filter @@ -0,0 +1 @@ +../mods-available/attr_filter \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/cache_eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/cache_eap new file mode 120000 index 0000000..22cfe44 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/cache_eap @@ -0,0 +1 @@ +../mods-available/cache_eap \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/chap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/chap new file mode 120000 index 0000000..6ccd392 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/chap @@ -0,0 +1 @@ +../mods-available/chap \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/date b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/date new file mode 120000 index 0000000..75aeb64 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/date @@ -0,0 +1 @@ +../mods-available/date \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail new file mode 120000 index 0000000..ad00d0e --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail @@ -0,0 +1 @@ +../mods-available/detail \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail.log b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail.log new file mode 120000 index 0000000..155062d --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail.log @@ -0,0 +1 @@ +../mods-available/detail.log \ No newline at end of file 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/digest b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/digest new file mode 120000 index 0000000..95d3d36 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/digest @@ -0,0 +1 @@ +../mods-available/digest \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/dynamic_clients b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/dynamic_clients new file mode 120000 index 0000000..7b030ba --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/dynamic_clients @@ -0,0 +1 @@ +../mods-available/dynamic_clients \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/eap new file mode 120000 index 0000000..37bab92 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/eap @@ -0,0 +1 @@ +../mods-available/eap \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/echo b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/echo new file mode 120000 index 0000000..a436e68 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/echo @@ -0,0 +1 @@ +../mods-available/echo \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/exec b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/exec new file mode 120000 index 0000000..a42a481 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/exec @@ -0,0 +1 @@ +../mods-available/exec \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expiration b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expiration new file mode 120000 index 0000000..340f641 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expiration 
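Review bot: The mods-enabled symlinks in this and the neighbouring hunks (always through utf8) reproduce the full stock set rather than only what an anonymous-access virtual server needs; in the stock raddb `echo`, `exec` and `ntlm_auth` are rlm_exec instances that run external programs, and `dynamic_clients` only matters if a listen section admits clients not in clients.conf. None of these does anything unless a virtual server or xlat calls it, so this is hardening rather than a live defect, but a smaller enabled set is easier to audit and keeps unused code paths out of the packaged server. Consider trimming mods-enabled to the modules referenced from the site configuration and adding a short comment in the package derivation stating why each remaining one is needed.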
@@ -0,0 +1 @@ +../mods-available/expiration \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expr b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expr new file mode 120000 index 0000000..64dd3ab --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expr @@ -0,0 +1 @@ +../mods-available/expr \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/files b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/files new file mode 120000 index 0000000..372bc86 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/files @@ -0,0 +1 @@ +../mods-available/files \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/linelog b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/linelog new file mode 120000 index 0000000..d6acab4 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/linelog @@ -0,0 +1 @@ +../mods-available/linelog \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/logintime b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/logintime new file mode 120000 index 0000000..99b698e --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/logintime @@ -0,0 +1 @@ +../mods-available/logintime \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/mschap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/mschap new file mode 120000 index 0000000..c7523de --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/mschap @@ -0,0 +1 @@ +../mods-available/mschap \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/ntlm_auth b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/ntlm_auth new file mode 120000 index 0000000..3d68f67 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/ntlm_auth 
@@ -0,0 +1 @@ +../mods-available/ntlm_auth \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/pap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/pap new file mode 120000 index 0000000..07f986f --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/pap @@ -0,0 +1 @@ +../mods-available/pap \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/passwd b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/passwd new file mode 120000 index 0000000..be64f8b --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/passwd @@ -0,0 +1 @@ +../mods-available/passwd \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/preprocess b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/preprocess new file mode 120000 index 0000000..266822a --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/preprocess @@ -0,0 +1 @@ +../mods-available/preprocess \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/radutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/radutmp new file mode 120000 index 0000000..e3c390c --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/radutmp @@ -0,0 +1 @@ +../mods-available/radutmp \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/realm b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/realm new file mode 120000 index 0000000..acc66be --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/realm @@ -0,0 +1 @@ +../mods-available/realm \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/replicate b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/replicate new file mode 120000 index 0000000..b03d8de --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/replicate 
@@ -0,0 +1 @@ +../mods-available/replicate \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/soh b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/soh new file mode 120000 index 0000000..af88216 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/soh @@ -0,0 +1 @@ +../mods-available/soh \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/sradutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/sradutmp new file mode 120000 index 0000000..ac90674 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/sradutmp @@ -0,0 +1 @@ +../mods-available/sradutmp \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/totp b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/totp new file mode 120000 index 0000000..88dbfb1 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/totp @@ -0,0 +1 @@ +../mods-available/totp \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unix b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unix new file mode 120000 index 0000000..599fdef --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unix @@ -0,0 +1 @@ +../mods-available/unix \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unpack b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unpack new file mode 120000 index 0000000..dad4563 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unpack @@ -0,0 +1 @@ +../mods-available/unpack \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/utf8 b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/utf8 new file mode 120000 index 0000000..7979255 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/utf8 
@@ -0,0 +1 @@
+../mods-available/utf8
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/panic.gdb b/pkgs/fablab/freeradius-anon-access/raddb/panic.gdb
new file mode 100644
index 0000000..3ae253a
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/panic.gdb
@@ -0,0 +1,4 @@
+info locals
+info args
+thread apply all bt full
+quit
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/abfab-tr b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/abfab-tr
new file mode 100644
index 0000000..834ac2e
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/abfab-tr
@@ -0,0 +1,106 @@ +# +# ABFAB Trust router policies. +# +# $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $ +# + + +# +# Verify rp parameters +# +psk_authorize { + if (&TLS-PSK-Identity) { + # TODO: may need to check trust-router-apc as well + if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") { + # do things here + } + else { + update reply { + Reply-Message = "RP not authorized for this ABFAB request" + } + reject + } + } +} + +abfab_client_check { + # check that GSS-Acceptor-Host-Name is correct + if ("%{client:gss_acceptor_host_name}") { + if (&request:GSS-Acceptor-Host-Name) { + if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { + update reply { + Reply-Message = "GSS-Acceptor-Host-Name incorrect" + } + reject + } + } + else { + # set GSS-Acceptor-Host-Name if it is not set by the mechanism + # but it is defined in the client configuration + update request { + GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" + } + } + } + + # set Trust-Router-COI attribute from the client configuration + if ("%{client:trust_router_coi}") { + update request { + Trust-Router-COI := "%{client:trust_router_coi}" + } + } + + # set GSS-Acceptor-Realm-Name attribute from the client configuration + if ("%{client:gss_acceptor_realm_name}") { + update request { + GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" + } + } + + # set GSS-Acceptor-Service-Name attribute from the client configuration + if ("%{client:gss_acceptor_service_name}") { + update request { + GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" + } + } + +} + +# A policy which is used to validate channel-bindings. 
+# +abfab_channel_bindings { + if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) { + reject + } + + if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) { + reject + } + + if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) { + reject + } + + if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) { + update control { + &Chbind-Response-Code := success + } + + # + # ACK the attributes in the request. + # + # If any one of these attributes don't exist in the request, + # then they won't be copied to the reply. + # + update reply { + &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name + &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name + &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name + } + } + + # + # Return "handled" so that the "authenticate" section isn't used. + # + handled +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/accounting b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/accounting new file mode 100644 index 0000000..7672e1b --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/accounting 
@@ -0,0 +1,130 @@ +# We check for this prefix to determine whether the class value was +# generated by this server. It should be changed so that it is +# globally unique. +class_value_prefix = 'ai:' + +# +# Replacement for the old rlm_acct_unique module +# +acct_unique { + # + # If we have a class attribute in the format + # 'auth_id:[0-9a-f]{32}' it'll have a local value + # (defined by insert_acct_class), this ensures + # uniqueness and suitability. + # + # We could just use the Class attribute as + # Acct-Unique-Session-Id, but this may cause problems + # with NAS that carry Class values across between + # multiple linked sessions. So we rehash class with + # Acct-Session-ID to provide a truely unique session + # identifier. + # + # Using a Class/Session-ID combination is more robust + # than using elements in the Accounting-Request, + # which may be subject to change, such as + # NAS-IP-Address, Client-IP-Address and + # NAS-Port-ID/NAS-Port. + # + # This policy should ensure that session data is not + # affected if NAS IP addresses change, or the client + # roams to a different 'port' whilst maintaining its + # initial authentication session (Common in a + # wireless environment). 
+ # + update request { + &Tmp-String-9 := "${policy.class_value_prefix}" + } + + if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \ + ("%{string:&Class}" =~ /^${policy.class_value_prefix}([0-9a-f]{32})/i)) { + update request { + &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}" + } + } + + # + # Not All devices respect RFC 2865 when dealing with + # the class attribute, so be prepared to use the + # older style of hashing scheme if a class attribute + # is not included + # + else { + update request { + &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}" + } + } +} + +# +# Insert a (hopefully unique) value into class +# +insert_acct_class { + update reply { + &Class = "${policy.class_value_prefix}%{md5:%t,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name},%{session-state:User-Name} }" + } +} + +# +# Merges Acct-[Input|Output]-Octets and Acct-[Input|Output]-Gigawords into Acct-[Input|Output]-Octets64 +# +# If the &Attr-Foo doesn't exist, it's value is taken as zero. +# +acct_counters64.preacct { + update request { + &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" + &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" + } +} + +# +# There is a delay between sending the Access-Accept and receiving +# the corresponding Accounting-Request "start" packet. This delay +# can be leveraged by a user to bypass Simultaneous-Use checks. +# +# The user can start up multiple sessions at the same time. When +# that happens, both Simultaneous-Use checks are performed before any +# Accounting-Request packet is received. Both Simultaneous-Use +# checks will result in "no user session" in the radacct table, and +# both sessions will be allowed. At some point later in time, the +# Accounting-Request packets are received. 
But by then it's too +# late. +# +# The solution is to insert a temporary session into the "radacct" +# table, during the "post-auth" section. This is done by +# uncommenting the "sql_session_start" entry in +# sites-enabled/default. Then, reading +# raddb/mods-config/sql/main/*/queries.conf, and looking for the +# "sql_session_start" comments. Follow the instructions there to +# finalize the configuration. +# +# The server will then create a temporary entry in "radacct" before +# it returns the Access-Request. Any other Access-Request which is +# received at the same time will then have it's Simultaneous-Use +# check see that entry, and will be rejected. +# +# Subsequent Accounting-Request packets for the first session will +# then UPDATE (not INSERT) the data for the session. +# +# There is still a small race condition as the Simultaneous-Use +# checks are not done at the same time as updating radacct. But the +# window of opportunity is much smaller. i.e. milliseconds, instead +# of seconds. +# +# This policy can also be used to "bootstrap" accounting sessions. +# If there is data which is only available in the Access-Request, +# it can be placed in the accounting table. Then, when accounting +# packets are received, they will update the row which contains +# the session information. +# +sql_session_start.post-auth { + acct_unique + + # + # The SQL accounting queries need an Acct-Status-Type attribute + # + update request { + Acct-Status-Type := Start + } + sql.accounting +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/canonicalization b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/canonicalization new file mode 100644 index 0000000..6d90e37 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/canonicalization 
@@ -0,0 +1,113 @@ +# +# Split User-Name in NAI format (RFC 4282) into components +# +# This policy writes the Username and Domain portions of the +# NAI into the Stripped-User-Name and Stripped-User-Domain +# attributes. +# +# The regular expression to do this is not strictly compliant +# with the standard, but it is not possible to write a +# compliant regexp without perl style regular expressions (or +# at least not a legible one). +# +nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' + +split_username_nai { + if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { + update request { + &Stripped-User-Name := "%{1}" + } + + # Only add the Stripped-User-Domain attribute if + # we have a domain. This means presence checks + # for Stripped-User-Domain work. + if ("%{3}" != '') { + update request { + &Stripped-User-Domain = "%{3}" + } + } + + # If any of the expansions result in a null + # string, the update section may return + # something other than updated... + updated + } + else { + noop + } +} + +# +# If called in post-proxy we modify the proxy-reply message +# +split_username_nai.post-proxy { + if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { + update proxy-reply { + &Stripped-User-Name := "%{1}" + } + + # Only add the Stripped-User-Domain attribute if + # we have a domain. This means presence checks + # for Stripped-User-Domain work. + if ("%{3}" != '') { + update proxy-reply { + &Stripped-User-Domain = "%{3}" + } + } + updated + } + else { + noop + } +} + +# +# Normalize the MAC Addresses in the Calling/Called-Station-Id +# +mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' + +# +# Add "rewrite_called_station_id" in the "authorize" and +# "preacct" sections. +# +# Makes Called-Station-ID conform to what RFC3580 says should +# be provided by 802.1X authenticators. 
+# +rewrite_called_station_id { + if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { + update request { + &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + + # SSID component? + if ("%{8}") { + update request { + &Called-Station-SSID := "%{8}" + } + } + updated + } + else { + noop + } +} + +# +# Add "rewrite_calling_station_id" in the "authorize" and +# "preacct" sections. +# +# Makes Calling-Station-ID conform to what RFC3580 says should +# be provided by 802.1X authenticators. +# +rewrite_calling_station_id { + if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { + update request { + &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + updated + } + else { + noop + } +} + diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/control b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/control new file mode 100644 index 0000000..b3f1e03 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/control @@ -0,0 +1,40 @@ +# +# If you want the server to pretend that it is dead, +# then use the "do_not_respond" policy. +# +do_not_respond { + update control { + &Response-Packet-Type := Do-Not-Respond + } + handled +} + +# +# Send Access-Accept immediately +# +accept { + update control { + &Response-Packet-Type = Access-Accept + } + handled +} + +# +# Send Access-Challenge immediately +# +challenge { + update control { + &Response-Packet-Type = Access-Challenge + } + handled +} + +# +# Send an Accounting-Response immediately +# +acct_response { + update control { + &Response-Packet-Type = Accounting-Response + } + handled +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/cui b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/cui new file mode 100644 index 0000000..08b2c91 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/cui 
@@ -0,0 +1,131 @@ +# +# The following policies are for the Chargeable-User-Identity +# (CUI) configuration. +# +# The policies below can be called as just 'cui' (not +# cui.authorize etc..) from the various config sections. +# + +# +# cui_hash_key definition +# This key serves the purpose of protecting CUI values against +# dictionary attacks, therefore should be chosen as a "random" +# string and kept secret. +# +cui_hash_key = "changeme" + +# +# cui_require_operator_name switch +# If this is set to nonzero value then CUI will only be added +# when a non-empty Operator-Name value is present in the request +# +cui_require_operator_name = "no" + +# +# The client indicates it can do CUI by sending a CUI attribute +# containing one zero byte. +# A non-empty value in Operator-Name can be an additional requirement. +# Normally CUI support is turned on only for such requests. +# CUI support can be used for local clients which do not +# supports CUI themselves, the server can simulate a CUI request +# adding the missing NUL CUI value and the Operator-Name attribute. +# Clients which are supposed to get this treatment should +# be marked by add_cui flag in clients.conf +# We assume that local clients are marked in the client.conf with +# add_cui flag, e.g. +# client xxxx { +# ... +# add_cui = yes +# } +# +cui.authorize { + if ("%{client:add_cui}" == 'yes') { + update request { + &Chargeable-User-Identity := 0x00 + } + } +} + +# +# Before proxing an Access-Request to a remote server, a NUL CUI +# attribute should be added, unless it is already present in the request. +# +cui.pre-proxy { + if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) { + update proxy-request { + &Chargeable-User-Identity = 0x00 + } + } +} + + +# +# Add a CUI attribute based on the User-Name, and a secret key +# known only to this server. 
+# For EAP-TTLS and EAP-PEAP methods +# use_tunneled_reply parameter MUST be set to yes +# +cui.post-auth { + if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \ + (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) { + update reply { + &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}" + } + } + + # + # The section below will store a CUI for the User in the DB and remove the + # User-Name attribute from the reply if a CUI is present. + # + # You need to configure the cuisql module and your database for this to work. + # If your NAS can do CUI based accounting themselves or you do not care about + # accounting, comment out the 'cuisql' line below. + # + if (&reply:Chargeable-User-Identity) { + # Force User-Name to be the User-Name from the request + update { + &reply:User-Name := &request:User-Name + } + cuisql + } +} + + +cui-inner.post-auth { + if (&outer.request:Chargeable-User-Identity && \ + (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) { + update reply { + &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}" + } + } +} + +# +# If your NAS can do CUI based accounting or you do not care about +# accounting then just comment out the call to cui in ...... +# +# If we had stored a CUI for the User, add it to the request. +# +cui.accounting { + # + # If the CUI isn't in the packet, see if we can find it + # in the DB. + # + if (!&Chargeable-User-Identity) { + update request { + &Chargeable-User-Identity := "%{cuisql:\ + SELECT cui FROM cui \ + WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ + AND callingstationid = '%{Calling-Station-Id}' \ + AND username = '%{User-Name}'}" + } + } + + # + # If it exists now, then write out when we last saw + # this CUI. 
+ #
+ if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
+ cuisql
+ }
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/debug b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/debug
new file mode 100644
index 0000000..26583f1
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/debug
@@ -0,0 +1,64 @@
+#
+# Outputs the contents of the control list in debugging (-X) mode
+#
+debug_control {
+ if("%{debug_attr:control:}" == '') {
+ noop
+ }
+}
+
+#
+# Outputs the contents of the request list in debugging (-X) mode
+#
+debug_request {
+ if("%{debug_attr:request:}" == '') {
+ noop
+ }
+}
+
+#
+# Outputs the contents of the coa list in debugging (-X) mode
+#
+debug_coa {
+ if("%{debug_attr:coa:}" == '') {
+ noop
+ }
+}
+
+#
+# Outputs the contents of the reply list in debugging (-X) mode
+#
+debug_reply {
+ if("%{debug_attr:reply:}" == '') {
+ noop
+ }
+}
+
+#
+# Outputs the contents of the session state list in debugging (-X) mode
+#
+debug_session_state {
+ if("%{debug_attr:session-state:}" == '') {
+ noop
+ }
+}
+
+#
+# Outputs the contents of the proxy-request state list in debugging (-X) mode
+#
+debug_proxy_request {
+ if("%{debug_attr:proxy-request:}" == '') {
+ noop
+ }
+}
+
+#
+# Outputs the contents of the main lists in debugging (-X) mode
+#
+debug_all {
+ debug_control
+ debug_request
+ debug_coa
+ debug_reply
+ debug_session_state
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/dhcp b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/dhcp
new file mode 100644
index 0000000..1752acb
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/dhcp
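Review bot: `cui_hash_key = "changeme"` near the top of the cui hunk keeps the upstream placeholder, and because this raddb is shipped under `pkgs/` it will be copied into the world-readable Nix store, so any value written here is visible to every local user of the host. The CUI computed in `cui.post-auth` and `cui-inner.post-auth` is `sha1(key + lowercased User-Name + Operator-Name)`, and the file's own comment says the key is what protects those values against dictionary attacks, which only holds while the key is both non-default and secret. If the `cui` policies are ever called from a virtual server, replace the assignment with a reference to a file outside the store, e.g. `$INCLUDE /path/to/cui_hash_key.conf` (placeholder path) that is installed from the deployment's secret store with restricted permissions; if they are never called, a comment saying so at the top of the file would stop the placeholder from being mistaken for live configuration. Note also that `cuisql`, referenced from `cui.post-auth` and `cui.accounting`, has no counterpart among the mods-enabled symlinks in this diff, so the policy would presumably fail to load if it were referenced without that instance being added.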
@@ -0,0 +1,327 @@ +# Assign common DHCP reply packet options +dhcp_common { + # The contents here are invented. Change them! + update reply { + &DHCP-Domain-Name-Server = 127.0.0.1 + &DHCP-Domain-Name-Server += 127.0.0.2 + &DHCP-Subnet-Mask = 255.255.255.0 + &DHCP-Router-Address = 192.0.2.1 + &DHCP-Broadcast-Address = 192.0.2.255 + &DHCP-IP-Address-Lease-Time = 7200 + &DHCP-DHCP-Server-Identifier = &control:DHCP-DHCP-Server-Identifier + } +} + +# Lookup DHCP group based options. This policy allows for membership +# of multiple groups so can cover the ISC concepts of "group" and "class" +# To use this enable the "dhcp_files" module +#dhcp_group_options { +# foreach &request:DHCP-Group-Name { +# dhcp_set_group_options +# } +#} + +# Policy to override DHCP-Network-Subnet +# +# Some networks have a "shared-network" or "multinet" configuration (as +# defined by some other DHCP servers) in which multiple IP subnets may +# co-exist in a single Layer 2 network (or VLAN). +# +# In enterprise environments this is often for the purpose of providing loose +# segregation between classes of devices such as local network-attached +# storage or IP telephony. There are valid reasons why each of the subnets is +# not seperately VLANed, such as to enable the use of ICMP redirects to avoid +# hairpinning of cross-subnet traffic via a gateway. +# +# In ISP environments this is a common configuration for edge networks whose +# access is provided by DOCSIS cable modems that share a VLAN with the devices +# they provide a service to but are seperately addressed. +# +# Where it is necessary to force the selection of a particular subnet for a +# device, multiple pools must be configured for each subnet and referenced +# with unique identifiers in the *network-specific* section of +# mods-config/files/dhcp. 
+# +# By default DHCP-Network-Subnet is populated such that it normally +# refers to the Layer 2 network from which the DHCP query originates - we +# cannot know the intended subnet for the device without additional input to +# the policy. +# +# Override DHCP-Network-Subnet to be an address within the desired +# network to force selection of a particular address pool and/or network +# parameters. +# +# Note: If each subnet within a network is equally valid for the DHCP requests +# originating from that network then you do not need to call this policy, +# rather look at the examples concerning dhcp_subnet in +# mods-config/files/dhcp instead, which use a single pool containing addresses +# from all subnets then set the correct subnet-specific options based on the +# randomly assigned IP address. +# +#dhcp_override_network { +# if (&DHCP-Vendor-Class-Identifier && &DHCP-Vendor-Class-Identifier == "SIP100") +# update request { +# DHCP-Network-Subnet := 10.10.0.0 +# } +# } +#} + + +# Policy that calls the files instance of the same name after first making +# DHCP-Network-Subnet specific to the allocated IP address of the client. +#dhcp_subnet { +# update { +# &DHCP-Network-Subnet := "%{%{reply:DHCP-Your-IP-Address}:-%{DHCP-Client-IP-Address}}" +# } +# +# # Call the dhcp_subnet instance of the files module +# dhcp_subnet +#} + +# Assign compatibility data to request for sqlippool for DHCP Request +dhcp_sqlippool_request { + + # + # During initial address selection (DORA) the REQUEST is broadcast and + # requested-ip must be provided. We revoke any active offers for addresses + # not matching the requested-ip, i.e. those made by other servers when + # processing the DISCOVER. + # + # If there is only a single server then this optimisation can be disabled. 
+ # + if (&DHCP-Requested-IP-Address) { + update request { + &Acct-Status-Type := Start + } + dhcp_sqlippool.accounting + } + + # Extend an existing offer or active lease + update request { + &Acct-Status-Type := Alive + } + dhcp_sqlippool.accounting { + notfound = return + } + + update reply { + &DHCP-Your-IP-Address := "%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}" + } + +} + +# Assign compatibility data to request for sqlippool for DHCP Release +dhcp_sqlippool_release { + + # Do some minor hacks to the request so that it looks + # like a RADIUS Accounting Stop request to the SQL IP Pool module. + update request { + &Acct-Status-Type = Stop + } + + # Call the actual module in accounting context + dhcp_sqlippool.accounting + +} + +# Assign compatibility data to request for sqlippool for DHCP Decline +dhcp_sqlippool_decline { + + # Do a minor hack to the request so that it looks + # like a RADIUS Accounting Off request to the SQL IP Pool module. + update request { + &Acct-Status-Type = Accounting-Off + } + + # Call the actual module in accounting context + dhcp_sqlippool.accounting + +} + +# Example policy for fetching option data from SQL +dhcp_policy_sql { + + # + # Network-specific options + # + + # + # We want to lookup the Layer 2 network specific DHCP options to + # include in the reply. For this we need a stable identifier for the + # network from which the request is originating (based on + # DHCP-Network-Subnet) which can be used as the lookup key + # (DHCP-SQL-Option-Identifier) for the network options. + # + # Here we fabricate an example for the purpose of placing all + # configuration elements into SQL. 
We use a PostgreSQL query that + # returns the network identifier in the row containing the smallest + # enclosing CIDR, which assumes a schema such as the following: + # + # CREATE TABLE fr_network_to_identifier (network CIDR, network_id TEXT) + # + # Note: An rlm_files based lookup of the network_identifier (as per + # the examples in the dhcp virtual server) may be preferable to an ad + # hoc SQL query assuming that the network topology does not change + # frequently. + # +# update control { +# &control:Tmp-String-0 := "%{dhcp_sql:SELECT network_id \ +# FROM fr_network_to_identifier \ +# WHERE '%{DHCP-Network-Subnet}'::inet << network \ +# ORDER BY MASKLEN(network) DESC LIMIT 1;}" +# } + + # + # Use the network identifer to lookup the options specific to the + # originating network, using "network" context. Common network + # settings can be placed into a group and shared, with individual + # networks mapped to one or more option groups. + # + # - Place network-specific options in the dhcpreply table with + # "context = 'network'". + # - Add "Fall-Through := Yes" to the network options in the dhcpreply + # table to trigger group lookups for the network, which are + # disabled by default. + # - Place "identifier = , groupname = , + # priority = , context = 'network'" in the dhcpgroup + # table to map a network to a shared set of network options. + # - Place group-specific options in the dhcpgroupreply table with + # "context = 'network'". + # + # Note: In "shared-network" or "multinet" topologies you can instead + # just set all of the network options once in the subnet-specific + # options (after obtaining an IP address), below. + # +# update control { +# &DHCP-SQL-Option-Context := "network" +# &DHCP-SQL-Option-Identifier := &control:Tmp-String-0 +# } +# dhcp_sql.authorize + + + # + # Allocate IPs from the DHCP pool in SQL. + # + # Here we simply reuse the network_id (obtained previously) as the + # Pool-Name. 
+ # +# update control { +# &Pool-Name := &control:Tmp-String-0 +# } +# dhcp_sqlippool + + + # + # Subnet-specific options + # + + # + # In "shared-network" or "multinet" topologies (in which a Layer 2 + # network has a single pool that contains addresses from multiple + # subnets) it is necessary to set subnet-specific options based on the + # address that has just been allocated. + # + # Again, for this we need to derive a stable identifier for the subnet + # to which the IP address we are issuing belongs that will serve as a + # lookup key for the network options. + # + # Continuing our previous example, we can use a PostgreSQL query to + # find the subnet identifer in the row with the closest enclosing + # CIDR, which assumes a schema such as the following: + # + # CREATE TABLE fr_subnet_to_identifier (subnet CIDR, subnet_id TEXT) + # + # Note: An rlm_files based lookup of the subnet_identifier (as per the + # examples in the dhcp virtual server) is preferable to an ad hoc SQL + # query assuming that the network topology does not change frequently. + # +# update control { +# &control:Tmp-String-0 := "%{dhcp_sql:SELECT subnet_id \ +# FROM fr_subnet_to_identifier \ +# WHERE '%{reply:DHCP-Your-IP-Address}'::inet << subnet \ +# ORDER BY MASKLEN(subnet) DESC LIMIT 1;}" +# } + + # + # Use the subnet identifer to lookup the options specific to the + # subnet for the IP we are allocating, using "subnet" context. Common + # subnet settings can be placed into a group and shared, with + # individual subnets mapped to one or more option groups. + # + # - Place subnet-specific options in the dhcpreply table with + # "context = 'subnet'". + # - Add "Fall-Through := Yes" to the subnet options in the dhcpreply + # table to trigger group lookups for the subnet, which are + # disabled by default. + # - Place "identifier = , groupname = , + # priority = , context = 'subnet'" in the dhcpgroup + # table to map a subnet to a shared set of subnet options. 
+ # - Place group-specific options in the dhcpgroupreply table with + # "context = 'subnet'". + # +# update control { +# &DHCP-SQL-Option-Context := "subnet" +# &DHCP-SQL-Option-Identifier := &control:Tmp-String-0 +# } +# dhcp_sql.authorize + + + # + # Host-specific and group-specific options + # + + # "Groups" conventionally differentiate devices based on manual + # groupings using a device-specific identifier such as the MAC + # address. + # + # - Place host-specific options in the dhcpreply table with + # "context = 'group'". + # - Add "Fall-Through := Yes" to the device options in the dhcpreply + # table to trigger group lookups, which are disabled by default. + # - Place "identifier = , groupname = , + # priority = , context='group'" in the dhcpgroup table + # to map a device to its groups. + # - Place group-specific options in the dhcpgroupreply table with + # "context = 'group'". + # +# update control { +# &DHCP-SQL-Option-Context := "group" +# &DHCP-SQL-Option-Identifier := &request:DHCP-Client-Hardware-Address +# } +# dhcp_sql.authorize + + + # + # Class/subclass-specific options + # + + # + # "Classes" conventionally differentiate devices based on all or part + # of one or more DHCP request options, or any combination of + # information that is available in the request or has already looked + # up from some datastore. + # + # Create multiple instances of the following block, one for each + # class. Differentiate between classes by setting + # DHCP-SQL-Option-Context uniquely. + # + # - Place "subclass"-specific options (i.e. each member of a class) + # in the dhcpreply table with "context = ". + # - For class-level options common to every member of a class, + # either: + # - Duplicate the options for each member of the subclass. + # or: + # - Add "Fall-Through := Yes" to each members options to trigger + # group lookups, which are disabled by default. 
+ # - Map each member of the class to a group in the dhcpgroup + # table with context = ''; + # - Create the corresponding class in the dhcpgroupreply table + # with "context = ''". + # +# update control { +# &DHCP-SQL-Option-Context := "class-vci-substring" +# &DHCP-SQL-Option-Identifier := "%{substring %{request:DHCP-Vendor-Class-Identifier} 5 4}" +# } +# dhcp_sql.authorize + +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/eap b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/eap new file mode 100644 index 0000000..17cf873 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/eap 
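Review bot: `dhcp_common` at the top of this hunk ships the upstream placeholder values (loopback addresses as DNS servers, 192.0.2.0/24 addressing) into the package, and the file's own comment says they are invented and must be changed. For a RADIUS-only anon-access server this policy is presumably never called, in which case policy.d/dhcp (and the other unused upstream policy files) could simply be left out of the package to keep the shipped configuration minimal. If DHCP is intended, the values need replacing before deployment, and the commented-out `dhcp_group_options`/`dhcp_subnet` blocks should be enabled deliberately rather than carried along as dead text.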
@@ -0,0 +1,97 @@ +# +# Response caching to handle proxy failovers +# +Xeap.authorize { + cache_eap + if (ok) { + # + # Expire previous cache entry + # + if (&control:State) { + update control { + &Cache-TTL := 0 + } + cache_eap + + update control { + &State !* ANY + } + } + + handled + } + else { + eap.authorize + } +} + +# +# Populate cache with responses from the EAP module +# +Xeap.authenticate { + eap { + handled = 1 + } + if (handled) { + cache_eap.authorize + + handled + } + + cache_eap.authorize +} + +# +# Forbid all EAP types. Enable this by putting "forbid_eap" +# into the "authorize" section. +# +forbid_eap { + if (&EAP-Message) { + reject + } +} + +# +# Forbid all non-EAP types outside of an EAP tunnel. +# +permit_only_eap { + if (!&EAP-Message) { + # We MAY be inside of a TTLS tunnel. + # PEAP and EAP-FAST require EAP inside of + # the tunnel, so this check is OK. + # If so, then there MUST be an outer EAP message. + if (!&outer.request || !&outer.request:EAP-Message) { + reject + } + } +} + +# +# Remove Reply-Message from response if were doing EAP +# +# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should +# not be present in the same response. +# +remove_reply_message_if_eap { + if (&reply:EAP-Message && &reply:Reply-Message) { + update reply { + &Reply-Message !* ANY + } + } + else { + noop + } +} + +verify_tls_client_common_name { + # + # If the User-Name is anonymized, then don't check it. + # + # But if User-Name is realm AND there's a certificate name, then check + # if they match. This is not always the case, but it is the case + # often enough that it matters. + # + if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) { + reject + } +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/filter b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/filter new file mode 100644 index 0000000..ff8f531 --- /dev/null 
+++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/filter 
@@ -0,0 +1,211 @@ +# +# Example of forbidding all attempts to login via +# realms. +# +deny_realms { + if (&User-Name && (&User-Name =~ /@|\\/)) { + reject + } +} + +# +# Filter the username +# +# Force some sanity on User-Name. This helps to avoid issues +# issues where the back-end database is "forgiving" about +# what constitutes a user name. +# +filter_username { + if (&User-Name) { + # + # reject mixed case e.g. "UseRNaMe" + # + #if (&User-Name != "%{tolower:%{User-Name}}") { + # reject + #} + + # + # reject all whitespace + # e.g. "user@ site.com", or "us er", or " user", or "user " + # + if (&User-Name =~ / /) { + update request { + &Module-Failure-Message += 'Rejected: User-Name contains whitespace' + } + reject + } + + # + # reject Multiple @'s + # e.g. "user@site.com@site.com" + # + if (&User-Name =~ /@[^@]*@/ ) { + update request { + &Module-Failure-Message += 'Rejected: Multiple @ in User-Name' + } + reject + } + + # + # reject double dots + # e.g. "user@site..com" + # + if (&User-Name =~ /\.\./ ) { + update request { + &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' + } + reject + } + + # + # must have at least 1 string-dot-string after @ + # e.g. "user@site.com" + # + if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { + update request { + &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator' + } + reject + } + + # + # Realm ends with a dot + # e.g. "user@site.com." + # + if (&User-Name =~ /\.$/) { + update request { + &Module-Failure-Message += 'Rejected: Realm ends with a dot' + } + reject + } + + # + # Realm begins with a dot + # e.g. "user@.site.com" + # + if (&User-Name =~ /@\./) { + update request { + &Module-Failure-Message += 'Rejected: Realm begins with a dot' + } + reject + } + } +} + +# +# Filter the User-Password +# +# Some equipment sends passwords with embedded zeros. +# This policy filters them out. 
+# +filter_password { + if (&User-Password && \ + (&User-Password != "%{string:User-Password}")) { + update request { + &Tmp-String-0 := "%{string:User-Password}" + &User-Password := "%{string:Tmp-String-0}" + &Tmp-String-0 !* "" + } + } +} + +filter_inner_identity { + # + # No names, reject. + # + if (!&outer.request:User-Name || !&User-Name) { + update request { + Module-Failure-Message = "User-Name is required for tunneled authentication" + } + reject + } + + # + # Do detailed checks only if the inner and outer + # NAIs are different. + # + # If the NAIs are the same, it violates user privacy, + # but is allowed. + # + if (&outer.request:User-Name != &User-Name) { + # + # Get the outer realm. + # + if (&outer.request:User-Name =~ /@([^@]+)$/) { + update request { + Outer-Realm-Name = "%{1}" + } + + # + # When we have an outer realm name, the user portion + # MUST either be empty, or begin with "anon". + # + # We don't check for the full "anonymous", because + # some vendors don't follow the standards. + # + if (&outer.request:User-Name !~ /^(anon|@)/) { + update request { + Module-Failure-Message = "User-Name is not anonymized" + } + reject + } + } + + # + # There's no outer realm. The outer NAI is different from the + # inner NAI. The User-Name MUST be anonymized. + # + # Otherwise, you could log in as outer "bob", and inner "doug", + # and we'd have no idea which one was correct. + # + elsif (&outer.request:User-Name !~ /^anon/) { + update request { + Module-Failure-Message = "User-Name is not anonymized" + } + reject + } + + # + # Get the inner realm. + # + if (&User-Name =~ /@([^@]+)$/) { + update request { + Inner-Realm-Name = "%{1}" + } + + # + # Note that we do EQUALITY checks for realm names. + # There is no simple way to do case insensitive checks + # on internationalized domain names. There is no reason + # to allow outer "anonymous@EXAMPLE.COM" and inner + # "user@example.com". The user should enter the same + # realm for both identities. 
+ # + # If the inner realm isn't the same as the outer realm, + # the inner realm MUST be a subdomain of the outer realm. + # + if (&Outer-Realm-Name && \ + (&Inner-Realm-Name != &Outer-Realm-Name) && \ + (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) { + update request { + Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain." + } + reject + } + + # + # It's OK to have an inner realm and no outer realm. + # + # That won't work for roaming, but the local RADIUS server + # can still authenticate the user. + # + } + + # + # It's OK to have an outer realm and no inner realm. + # + # It will work for roaming, and the local RADIUS server + # can authenticate the user without the realm. + # + } +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/moonshot-targeted-ids b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/moonshot-targeted-ids new file mode 100644 index 0000000..98ae4a1 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/moonshot-targeted-ids 
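Review bot: In `filter_inner_identity`, the subdomain check `(&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)` builds a regex from the outer realm, which is captured as `%{1}` from the client-supplied outer User-Name, so regex metacharacters in that realm are interpreted: `.` matches any character, and an unbalanced `(` or `[` should make the pattern fail to compile, which appears to evaluate the condition as false and skip the reject (confirm against the running version). A cheap guard is to restrict the captured realm to hostname characters right after the `Outer-Realm-Name = "%{1}"` update: `if (&Outer-Realm-Name =~ /[^a-zA-Z0-9.-]/) {` / `    reject` / `}` — widen the class if internationalized realms are expected. The same consideration applies to `Inner-Realm-Name`, which is only compared, not interpolated, so the risk there is lower.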
@@ -0,0 +1,249 @@ +# +# The following policies generate targeted IDs for ABFAB (Moonshot) +# +# This policy requires that the UUID package is installed on your platform +# and that this is called from the inner-tunnel +# +# The following string attributes need to exist in the UKERNA dictionary +# Moonshot-Host-TargetedId (138) +# Moonshot-Realm-TargetedId (139) +# Moonshot-TR-COI-TargetedId (140) +# Moonshot-MSTID-GSS-Acceptor (141) +# Moonshot-MSTID-Namespace (142) +# Moonshot-MSTID-TargetedId (143) +# +# These attributes should also be listed in the attr_filter policies +# post-proxy and pre-proxy when you use attribute filtering: +# Moonshot-Host-TargetedId =* ANY, +# Moonshot-Realm-TargetedId =* ANY, +# Moonshot-TR-COI-TargetedId =* ANY, +# + +# +# targeted_id_salt definition +# This salt serves the purpose of protecting targeted IDs against +# dictionary attacks, therefore should be chosen as a "random" +# string and kept secret. +# +# If you use special characters %, { and }, escape them with a \ first +# +targeted_id_salt = 'changeme' + +# +# Moonshot namespaces +# These namespaces are used for UUID generation. +# They should not be changed by implementors +# +moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6' +moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6' +moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247' + + +# This policy generates a host-specific TargetedId +# +moonshot_host_tid.post-auth { + # retrieve or generate a UUID for Moonshot-Host-TargetedId + if (&outer.request:GSS-Acceptor-Host-Name) { + # prep some variables (used regardless of SQL backing or not!) + update control { + Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}" + Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}" + } + + # if you want to use SQL-based backing, remove the comment from + # this line. You also have to configure and enable the + # moonshot-targeted-ids sql module in mods-enabled. 
+ # +# moonshot_get_targeted_id + + # generate a UUID for Moonshot-Host-TargetedId + if (!&control:Moonshot-MSTID-TargetedId) { + # generate the TID + moonshot_make_targeted_id + + # if you want to store your TargetedId in SQL-based backing, + # remove the comment from this line. You also have to configure + # and enable the moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_tid_sql + } + + # set the actual TargetedId in the session-state list + if (&control:Moonshot-MSTID-TargetedId) { + update outer.session-state { + Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId + } + update control { + Moonshot-MSTID-TargetedId !* ANY + } + } + + # Sanitise the control list to remove the internal attributes + update control { + Moonshot-MSTID-GSS-Acceptor !* ANY + Moonshot-MSTID-Namespace !* ANY + } + } +} + +# This policy generates a realm-specific TargetedId +# +moonshot_realm_tid.post-auth { + # retrieve or generate a UUID for Moonshot-Realm-TargetedId + if (&outer.request:GSS-Acceptor-Realm-Name) { + # prep some variables (used regardless of SQL backing or not!) + update control { + Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}" + Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}" + } + + # if you want to use SQL-based backing, remove the comment from + # this line. You also have to configure and enable the + # moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_get_targeted_id + + # generate a UUID for Moonshot-Realm-TargetedId + if (!&control:Moonshot-MSTID-TargetedId) { + # generate the TID + moonshot_make_targeted_id + + # if you want to store your TargetedId in SQL-based backing, + # remove the comment from this line. You also have to configure + # and enable the moonshot-targeted-ids sql module in mods-enabled. 
+ # +# moonshot_tid_sql + } + + # set the actual TargetedId in the session-state list + if (&control:Moonshot-MSTID-TargetedId) { + update outer.session-state { + Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId + } + update control { + Moonshot-MSTID-TargetedId !* ANY + } + } + + # Sanitise the control list to remove the internal attributes + update control { + Moonshot-MSTID-GSS-Acceptor !* ANY + Moonshot-MSTID-Namespace !* ANY + } + } +} + +# This policy generates a COI-specific targeted ID +# +moonshot_coi_tid.post-auth { + # retrieve or generate a UUID for Moonshot-TR-COI-TargetedId + if (&outer.request:Trust-Router-COI) { + # prep some variables (used regardless of SQL backing or not!) + update control { + Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}" + Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}" + } + + # if you want to use SQL-based backing, remove the comment from + # this line. You also have to configure and enable the + # moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_get_targeted_id + + # generate a UUID for Moonshot-TR-COI-TargetedId + if (!&control:Moonshot-MSTID-TargetedId) { + # generate the TID + moonshot_make_targeted_id + + # if you want to store your TargetedId in SQL-based backing, + # remove the comment from this line. You also have to configure + # and enable the moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_tid_sql + } + + # set the actual TargetedId in the session-state list + if (&control:Moonshot-MSTID-TargetedId) { + update outer.session-state { + Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId + } + update control { + Moonshot-MSTID-TargetedId !* ANY + } + } + + # Sanitise the control list to remove the internal attributes + update control { + Moonshot-MSTID-GSS-Acceptor !* ANY + Moonshot-MSTID-Namespace !* ANY + } + } +} + +# This is the generic generation policy. 
It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables +# +moonshot_make_targeted_id.post-auth { + # uses variables set in the control list + # + if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { + # targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name] + # + if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) { + update control { + Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + } + if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) { + update control { + Moonshot-MSTID-TargetedId !* ANY + } + update outer.session-state { + Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!' + } + reject + } + } + else { + # we simply return the 'echo' error message as the Module-Failure-Message, usually a lack of 'uuid' + reject + } + } + else { + # Our variables were not set, so we'll throw an error because there's no point in continuing! + update outer.session-state { + Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!' + } + reject + } +} + +# This is the generic retrieval policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables +# +moonshot_get_targeted_id.post-auth { + # uses variables set in the control list + # + if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { + # retrieve the TargetedId + # + update control { + Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\ + SELECT targeted_id FROM moonshot_targeted_ids \ + WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \ + AND namespace = '%{control:Moonshot-MSTID-Namespace}' \ + AND username = '%{tolower:%{User-Name}}'}" + } + + # if the value is empty, there's no point in setting it and delete it from the control list! 
+ if (&control:Moonshot-MSTID-TargetedId == '') {
+ update control {
+ Moonshot-MSTID-TargetedId !* ANY
+ }
+ }
+ }
+ else {
+ # Our variables were not set, so we'll throw an error because there's no point in continuing!
+ update outer.session-state {
+ Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!'
+ }
+ reject
+ }
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/operator-name b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/operator-name
new file mode 100644
index 0000000..6d042d4
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/operator-name
@@ -0,0 +1,46 @@
+#
+# The following policies are for the Operator-Name
+# configuration.
+#
+# The policies below can be called as just 'operator-name' (not
+# operator-name.authorize etc..) from the various config sections.
+#
+
+# If you require that the Operator-Name be set
+# for local clients then call the 'operator-name' policy
+# in the authorize section of the virtual-server for your clients in clients.conf
+
+# To inject an Operator-Name whilst proxying, call the
+# 'operator-name' policy in the pre-proxy section of the virtual server
+# No need to call this if you have already enabled this in
+# the authorize section.
+
+#
+# We assume that clients can have the operator-name definition
+# in the client.conf, e.g.
+# client xxxx {
+# ...
+# Operator-Name = 1your.domain
+# }
+# If this parameter is found for a client, then we add
+# an Operator-Name attribute
+#
+operator-name.authorize {
+ if ("%{client:Operator-Name}") {
+ update request {
+ &Operator-Name = "%{client:Operator-Name}"
+ }
+ }
+}
+
+#
+# Before proxing the client add an Operator-Name
+# attribute identifying this site if the operator-name is found for this client
+#
+operator-name.pre-proxy {
+ if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}") {
+ update proxy-request {
+ &Operator-Name := "%{client:Operator-Name}"
+ }
+ }
+}
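Review bot: `targeted_id_salt = 'changeme'` near the top of this hunk is committed into the package although the file's own comment requires a random, secret value; if any of the `moonshot_*_tid` policies is ever called, every targeted ID is derived from a public salt. Either leave policy.d/moonshot-targeted-ids out of the package if it is unused, or fill the salt in at deploy time from a secret rather than a literal in the repository; the same placeholder pattern appears as `rfc7542_realms = 'changeme'` in policy.d/rfc7542. Separately, `moonshot_make_targeted_id` execs the absolute path `/usr/bin/uuid`, which will not exist on a NixOS host; the expansion would then presumably be empty, the `/^([^ ]+)([ ]*)$/` match fails and the request is rejected, so the failure is closed but the policy cannot work without a packaged `uuid` binary referenced by its store path.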
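Review bot: `operator-name.authorize` adds the configured value with `=`, so an Operator-Name already present in the Access-Request (as sent by the NAS) takes precedence over the one in clients.conf, whereas `operator-name.pre-proxy` uses `:=`. That matters here because `cui.post-auth` in policy.d/cui derives the CUI from Operator-Name, so a NAS-supplied value changes which CUI a user gets. If clients.conf is meant to be authoritative, use `&Operator-Name := "%{client:Operator-Name}"` in authorize as well, or strip an incoming Operator-Name before this policy runs; the `=` form is inherited from the upstream default, so it may be a deliberate choice.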
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/rfc7542 b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/rfc7542
new file mode 100644
index 0000000..97935a5
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/rfc7542
@@ -0,0 +1,46 @@
+#
+# The following policy is for RFC7542-style bang path
+# management.
+#
+# It hands control from the standard 'suffix' realm
+# processor to the 'bangpath' processer, allowing the
+# definition of specific routing information in the
+# decoration of the User-Name.
+#
+# Use this with caution. In particular, read the following
+# RFC document sections for reasons why you shouldn't use
+# this, and also why this is used:
+#
+# 1. https://tools.ietf.org/html/rfc4282#section-2.7
+# 2. https://tools.ietf.org/html/rfc7542#section-3.3.1
+#
+# $Id: 84a5c17d2623ca622884c835bb7906e63c417e77 $
+#
+
+# This is a |-separated list of realms this specific service
+# is responsible for. We cannot read this from the proxy.conf
+# file, so we turn this into an 'or list' regex.
+# Examples: rfc7542_realms = 'example.com'
+# rfc7542_realms = 'example.com|another.net|this.org'
+#
+rfc7542_realms = 'changeme'
+
+# This policy checks the User-Name attribute whether it is in
+# RFC7542 bang-path format. If it is, it lets the bangpath realm
+# processor handle it, otherwise it leaves it for suffix to handle
+#
+rfc7542.authorize {
+ # Format: not_local_realm!...@local_realm: Handle with bangpath
+ if ( (&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) && \
+ !(&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) ) {
+ bangpath
+ updated
+ }
+
+ # Format: local_realm!...@not_local_realm: Handle with bangpath
+ elsif ( (&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) && \
+ !(&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) ) {
+ bangpath
+ updated
+ }
+}
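Review bot: `rfc7542_realms` is interpolated verbatim into the four regexes in `rfc7542.authorize`, and the examples in the comment (`'example.com'`) leave the dot unescaped, so `example.com` also matches `exampleXcom`; the local-realm alternatives are also unanchored. The effect is confined to choosing bangpath over suffix handling, but if the list is ever populated, write the realms regex-escaped (`example\.com`) and consider anchoring the trailing local realm, e.g. `\@(${policy.rfc7542_realms})$` in the first and last patterns. The comment above the setting could state the escaping requirement: `# Escape regex metacharacters in realm names, e.g. 'example\.com|another\.net'`.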
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/proxy.conf b/pkgs/fablab/freeradius-anon-access/raddb/proxy.conf new file mode 100644 index 0000000..a12d332 --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/proxy.conf 
@@ -0,0 +1,846 @@ +# -*- text -*- +## +## proxy.conf -- proxy radius and realm configuration directives +## +## $Id: ac90a273522ed36a100d10dd91c62b99db450689 $ + +####################################################################### +# +# Proxy server configuration +# +# This entry controls the servers behaviour towards ALL other servers +# to which it sends proxy requests. +# +proxy server { + # + # Note that as of 2.0, the "synchronous", "retry_delay", + # "retry_count", and "dead_time" have all been deprecated. + # For backwards compatibility, they are are still accepted + # by the server, but they ONLY apply to the old-style realm + # configuration. i.e. realms with "authhost" and/or "accthost" + # entries. + # + # i.e. "retry_delay" and "retry_count" have been replaced + # with per-home-server configuration. See the "home_server" + # example below for details. + # + # i.e. "dead_time" has been replaced with a per-home-server + # "revive_interval". We strongly recommend that this not + # be used, however. The new method is much better. + + # + # In 2.0, the server is always "synchronous", and setting + # "synchronous = no" is impossible. This simplifies the + # server and increases the stability of the network. + # However, it means that the server (i.e. proxy) NEVER + # originates packets. It proxies packets ONLY when it receives + # a packet or a re-transmission from the NAS. If the NAS never + # re-transmits, the proxy never re-transmits, either. This can + # affect fail-over, where a packet does *not* fail over to a + # second home server.. because the NAS never retransmits the + # packet. + # + # If you need to set "synchronous = no", please send a + # message to the list + # explaining why this feature is vital for your network. + + # + # If a realm exists, but there are no live home servers for + # it, we can fall back to using the "DEFAULT" realm. 
This is + # most useful for accounting, where the server can proxy + # accounting requests to home servers, but if they're down, + # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL), + # and then store the packets in the "detail" file. That data + # can be later proxied to the home servers by radrelay, when + # those home servers come back up again. + + # Setting this to "yes" may have issues for authentication. + # i.e. If you are proxying for two different ISP's, and then + # act as a general dial-up for Gric. If one of the first two + # ISP's has their RADIUS server go down, you do NOT want to + # proxy those requests to GRIC. Instead, you probably want + # to just drop the requests on the floor. In that case, set + # this value to 'no'. + # + # allowed values: {yes, no} + # + default_fallback = no + + # + # Whether or not we allow dynamic home servers. + # + # This setting should be "no" by default. If set to "yes", + # it can slow the server down, due to mutex locking across + # multiple threads. + # + # Dynamic servers will work ONLY with the "directory" + # configuration below. + # +# dynamic = yes + + # + # The directory which contains dynamic home servers. Each + # file in the directory should be a normal "home_server" + # definitions. This directory does not exist by default. + # + # e.g: The content of ${raddbdir}/home_servers/example.com should be: + # + # home_server example.com { + # ... + # } + # + # For complete documentation, please see + # + # doc/configuration/dynamic_home_servers.md + # +# directory = ${raddbdir}/home_servers + +} + +####################################################################### +# +# Configuration for the proxy realms. +# +# As of 2.0, the "realm" configuration has changed. Instead of +# specifying "authhost" and "accthost" in a realm section, the home +# servers are specified separately in a "home_server" section. For +# backwards compatibility, you can still use the "authhost" and +# "accthost" directives. 
If you only have one home server for a +# realm, it is easier to use the old-style configuration. +# +# However, if you have multiple servers for a realm, we STRONGLY +# suggest moving to the new-style configuration. +# +# +# Load-balancing and failover between home servers is handled via +# a "home_server_pool" section. +# +# Finally, The "realm" section defines the realm, some options, and +# indicates which server pool should be used for the realm. +# +# This change means that simple configurations now require multiple +# sections to define a realm. However, complex configurations +# are much simpler than before, as multiple realms can share the same +# server pool. +# +# That is, realms point to server pools, and server pools point to +# home servers. Multiple realms can point to one server pool. One +# server pool can point to multiple home servers. Each home server +# can appear in one or more pools. +# +# See sites-available/tls for an example of configuring home servers, +# pools, and realms with TLS. +# + +###################################################################### +# +# This section defines a "Home Server" which is another RADIUS +# server that gets sent proxied requests. In earlier versions +# of FreeRADIUS, home servers were defined in "realm" sections, +# which was awkward. In 2.0, they have been made independent +# from realms, which is better for a number of reasons. +# +# You can proxy to a specific home server by doing: +# +# update control { +# Home-Server-Name = "name of home server" +# } +# +home_server localhost { + # + # Home servers can be sent Access-Request packets + # or Accounting-Request packets. + # + # Allowed values are: + # auth - Handles Access-Request packets + # acct - Handles Accounting-Request packets + # auth+acct - Handles Access-Request packets at "port", + # and Accounting-Request packets at "port + 1" + # coa - Handles CoA-Request and Disconnect-Request packets. 
+ # See also raddb/sites-available/originate-coa + type = auth + + # + # Configure ONE OF the following entries: + # + # IPv4 address + # + ipaddr = 127.0.0.1 + + # OR IPv6 address + # ipv6addr = ::1 + + # OR virtual server + # virtual_server = foo + + # Note that while both ipaddr and ipv6addr will accept + # both addresses and host names, we do NOT recommend + # using host names. When you specify a host name, the + # server has to do a DNS lookup to find the IP address + # of the home server. If the DNS server is slow or + # unresponsive, it means that FreeRADIUS will NOT be + # able to determine the address, and will therefore NOT + # start. + # + # Also, the mapping of host name to address is done ONCE + # when the server starts. If DNS is later updated to + # change the address, FreeRADIUS will NOT discover that + # until after a re-start, or a HUP. + # + # If you specify a virtual_server here, then requests + # will be proxied internally to that virtual server. + # These requests CANNOT be proxied again, however. The + # intent is to have the local server handle packets + # when all home servers are dead. + # + # Requests proxied to a virtual server will be passed + # through the pre-proxy and post-proxy sections, just + # like any other request. See also the sample "realm" + # configuration, below. + # + # None of the rest of the home_server configuration is used + # for the "virtual_server" configuration. + + # + # The port to which packets are sent. + # + # Usually 1812 for type "auth", and 1813 for type "acct". + # Older servers may use 1645 and 1646. + # Use 3799 for type "coa" + # + port = 1812 + + # + # The transport protocol. + # + # If unspecified, defaults to "udp", which is the traditional + # RADIUS transport. It may also be "tcp", in which case TCP + # will be used to talk to this home server. + # + # When home servers are put into pools, the pool can contain + # home servers with both UDP and TCP transports. 
+ # + #proto = udp + + # + # The shared secret use to "encrypt" and "sign" packets between + # FreeRADIUS and the home server. + # + # The secret can be any string, up to 8k characters in length. + # + # Control codes can be entered vi octal encoding, + # e.g. "\101\102" == "AB" + # Quotation marks can be entered by escaping them, + # e.g. "foo\"bar" + # Spaces or other "special" characters can be entered + # by putting quotes around the string. + # e.g. "foo bar" + # "foo;bar" + # + secret = testing123 + + ############################################################ + # + # The rest of the configuration items listed here are optional, + # and do not have to appear in every home server definition. + # + ############################################################ + + # + # You can optionally specify the source IP address used when + # proxying requests to this home server. When the src_ipaddr + # it set, the server will automatically create a proxy + # listener for that IP address. + # + # If you specify this field for one home server, you will + # likely need to specify it for ALL home servers. + # + # If you don't care about the source IP address, leave this + # entry commented. + # +# src_ipaddr = 127.0.0.1 + + # + # If the home server does not respond to a request within + # this time, the server marks the request as timed out. + # After "response_timeouts", the home server is marked + # as being "zombie", and "zombie_period" starts. + # + # The response window can be a number between 0.001 and 60.000 + # Values on the low end are discouraged, as they will likely + # not work due to limitations of operating system timers. + # + # The default response window is large because responses may + # be slow, especially when proxying across the Internet. + # + # Useful range of values: 5 to 60 + response_window = 20 + + # + # Start "zombie_period" after this many responses have + # timed out. 
+ # +# response_timeouts = 1 + + # + # If the home server does not respond to ANY packets during + # the "zombie period", it will be considered to be dead. + # + # A home server that is marked "zombie" will be used for + # proxying as a low priority. If there are live servers, + # they will always be preferred to a zombie. Requests will + # be proxied to a zombie server ONLY when there are no + # live servers. + # + # Any request that is proxied to a home server will continue + # to be sent to that home server until the home server is + # marked dead. At that point, it will fail over to another + # server, if a live server is available. If none is available, + # then the "post-proxy-type fail" handler will be called. + # + # If "status_check" below is something other than "none", then + # the server will start sending status checks at the start of + # the zombie period. It will continue sending status checks + # until the home server is marked "alive". + # + # Useful range of values: 20 to 120 + zombie_period = 40 + + ############################################################ + # + # As of 2.0, FreeRADIUS supports RADIUS layer "status + # checks". These are used by a proxy server to see if a home + # server is alive. + # + # These status packets are sent ONLY if the proxying server + # believes that the home server is dead. They are NOT sent + # if the proxying server believes that the home server is + # alive. They are NOT sent if the proxying server is not + # proxying packets. + # + # If the home server responds to the status check packet, + # then it is marked alive again, and is returned to use. + # + ############################################################ + + # + # Some home servers do not support status checks via the + # Status-Server packet. Others may not have a "test" user + # configured that can be used to query the server, to see if + # it is alive. For those servers, we have NO WAY of knowing + # when it becomes alive again. 
Therefore, after the server + # has been marked dead, we wait a period of time, and mark + # it alive again, in the hope that it has come back to + # life. + # + # If it has NOT come back to life, then FreeRADIUS will wait + # for "zombie_period" before marking it dead again. During + # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because + # the home server is still dead. There is NOTHING that can + # be done about this, other than to enable the status checks, + # as documented below. + # + # e.g. if "zombie_period" is 40 seconds, and "revive_interval" + # is 300 seconds, the for 40 seconds out of every 340, or about + # 10% of the time, all authentications will fail. + # + # If the "zombie_period" and "revive_interval" configurations + # are set smaller, than it is possible for up to 50% of + # authentications to fail. + # + # As a result, we recommend enabling status checks, and + # we do NOT recommend using "revive_interval". + # + # The "revive_interval" is used ONLY if the "status_check" + # entry below is "none". Otherwise, it will not be used, + # and should be deleted. + # + # Useful range of values: 10 to 3600 + revive_interval = 120 + + # + # The proxying server (i.e. this one) can do periodic status + # checks to see if a dead home server has come back alive. + # + # If set to "none", then the other configuration items listed + # below are not used, and the "revive_interval" time is used + # instead. + # + # If set to "status-server", the Status-Server packets are + # sent. Many RADIUS servers support Status-Server. If a + # server does not support it, please contact the server + # vendor and request that they add it. With status-server if + # the home server is marked as a zombie and a status-server + # response is received, it will be immediately marked as live. 
+ # + # This prevents spurious failovers in federations such as + # eduroam, where intermediary proxy servers may be functional + # but the servers of a home institution may not be, + # + # If set to "request", then Access-Request, or Accounting-Request + # packets are sent, depending on the "type" entry above (auth/acct). + # + # Allowed values: none, status-server, request + status_check = status-server + + # + # If the home server does not support Status-Server packets, + # then the server can still send Access-Request or + # Accounting-Request packets, with a pre-defined user name. + # + # This practice is NOT recommended, as it may potentially let + # users gain network access by using these "test" accounts! + # + # If it is used, we recommend that the home server ALWAYS + # respond to these Access-Request status checks with + # Access-Reject. The status check just needs an answer, it + # does not need an Access-Accept. + # + # For Accounting-Request status checks, only the username + # needs to be set. The rest of the accounting attribute are + # set to default values. The home server that receives these + # accounting packets SHOULD NOT treat them like normal user + # accounting packets. i.e It should probably NOT log them to + # a database. + # + # username = "test_user_please_reject_me" + # password = "this is really secret" + + # + # Configure the interval between sending status check packets. + # + # Setting it too low increases the probability of spurious + # fail-over and fallback attempts. + # + # Useful range of values: 6 to 120 + check_interval = 30 + + # + # Wait "check_timeout" seconds for a reply to a status check + # packet. + # + check_timeout = 4 + + # + # Configure the number of status checks in a row that the + # home server needs to respond to before it is marked alive. 
+ # + # If you want to mark a home server as alive after a short + # time period of being responsive, it is best to use a small + # "check_interval", and a large value for + # "num_answers_to_alive". Using a long "check_interval" and + # a small number for "num_answers_to_alive" increases the + # probability of spurious fail-over and fallback attempts. + # + # Useful range of values: 3 to 10 + num_answers_to_alive = 3 + + # + # Limit the total number of outstanding packets to the home + # server. + # + # if ((#request sent) - (#requests received)) > max_outstanding + # then stop sending more packets to the home server + # + # This lets us gracefully fall over when the home server + # is overloaded. + max_outstanding = 65536 + + # + # The configuration items in the next sub-section are used ONLY + # when "type = coa". It is ignored for all other type of home + # servers. + # + # See RFC 5080 for the definitions of the following terms. + # RAND is a function (internal to FreeRADIUS) returning + # random numbers between -0.1 and +0.1 + # + # First Re-transmit occurs after: + # + # RT = IRT + RAND*IRT + # + # Subsequent Re-transmits occur after: + # + # RT = 2 * RTprev + RAND * RTprev + # + # Re-transmits are capped at: + # + # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT + # + # For a maximum number of attempts: MRC + # + # For a maximum (total) period of time: MRD. + # + coa { + # Initial retransmit interval: 1..5 + irt = 2 + + # Maximum Retransmit Timeout: 1..30 (0 == no maximum) + mrt = 16 + + # Maximum Retransmit Count: 1..20 (0 == retransmit forever) + mrc = 5 + + # Maximum Retransmit Duration: 5..60 + mrd = 30 + } + + # + # Connection limiting for home servers with "proto = tcp". + # + # This section is ignored for other home servers. + # + limit { + # + # Limit the number of TCP connections to the home server. + # + # The default is 16. 
+ # Setting this to 0 means "no limit" + max_connections = 16 + + # + # Limit the total number of requests sent over one + # TCP connection. After this number of requests, the + # connection will be closed. Any new packets that are + # proxied to the home server will result in a new TCP + # connection being made. + # + # Setting this to 0 means "no limit" + max_requests = 0 + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". + lifetime = 0 + + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been sent over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + idle_timeout = 0 + } + +} + +# Sample virtual home server. +# +# +#home_server virtual.example.com { +# virtual_server = virtual.example.com +#} + +###################################################################### +# +# This section defines a pool of home servers that is used +# for fail-over and load-balancing. In earlier versions of +# FreeRADIUS, fail-over and load-balancing were defined per-realm. +# As a result, if a server had 5 home servers, each of which served +# the same 10 realms, you would need 50 "realm" entries. +# +# In version 2.0, you would need 5 "home_server" sections, +# 10 'realm" sections, and one "home_server_pool" section to tie the +# two together. +# +# You can proxy to a specific home server pool by doing: +# +# update control { +# Home-Server-Pool = "name of pool" +# } +# +home_server_pool my_auth_failover { + # + # The type of this pool controls how home servers are chosen. + # + # fail-over - the request is sent to the first live + # home server in the list. i.e. If the first home server + # is marked "dead", the second one is chosen, etc. 
+ # + # load-balance - the least busy home server is chosen, + # where "least busy" is counted by taking the number of + # requests sent to that home server, and subtracting the + # number of responses received from that home server. + # + # If there are two or more servers with the same low + # load, then one of those servers is chosen at random. + # This configuration is most similar to the old + # "round-robin" method, though it is not exactly the same. + # + # Note that load balancing does not work well with EAP, + # as EAP requires packets for an EAP conversation to be + # sent to the same home server. The load balancing method + # does not keep state in between packets, meaning that + # EAP packets for the same conversation may be sent to + # different home servers. This will prevent EAP from + # working. + # + # For non-EAP authentication methods, and for accounting + # packets, we recommend using "load-balance". It will + # ensure the highest availability for your network. + # + # client-balance - the home server is chosen by hashing the + # source IP address of the packet. If that home server + # is down, the next one in the list is used, just as + # with "fail-over". + # + # There is no way of predicting which source IP will map + # to which home server. + # + # This configuration is most useful to do simple load + # balancing for EAP sessions, as the EAP session will + # always be sent to the same home server. + # + # client-port-balance - the home server is chosen by hashing + # the source IP address and source port of the packet. + # If that home server is down, the next one in the list + # is used, just as with "fail-over". + # + # This method provides slightly better load balancing + # for EAP sessions than "client-balance". However, it + # also means that authentication and accounting packets + # for the same session MAY go to different home servers. 
+ # + # keyed-balance - the home server is chosen by hashing (FNV) + # the contents of the Load-Balance-Key attribute from the + # control items. The request is then sent to home server + # chosen by taking: + # + # server = (hash % num_servers_in_pool). + # + # If there is no Load-Balance-Key in the control items, + # the load balancing method is identical to "load-balance". + # + # For most non-EAP authentication methods, The User-Name + # attribute provides a good key. An "unlang" policy can + # be used to copy the User-Name to the Load-Balance-Key + # attribute. This method may not work for EAP sessions, + # as the User-Name outside of the TLS tunnel is often + # static, e.g. "anonymous@realm". + # + # + # The default type is fail-over. + type = fail-over + + # + # A virtual_server may be specified here. If so, the + # "pre-proxy" and "post-proxy" sections are called when + # the request is proxied, and when a response is received. + # + # This lets you have one policy for all requests that are proxied + # to a home server. This policy is completely independent of + # any policies used to receive, or process the request. + # + #virtual_server = pre_post_proxy_for_pool + + # + # Next, a list of one or more home servers. The names + # of the home servers are NOT the hostnames, but the names + # of the sections. (e.g. home_server foo {...} has name "foo". + # + # Note that ALL home servers listed here have to be of the same + # type. i.e. they all have to be "auth", or they all have to + # be "acct", or the all have to be "auth+acct". + # + home_server = localhost + + # Additional home servers can be listed. + # There is NO LIMIT to the number of home servers that can + # be listed, though using more than 10 or so will become + # difficult to manage. + # + # home_server = foo.example.com + # home_server = bar.example.com + # home_server = baz.example.com + # home_server = ... + + + # + # If ALL home servers are dead, then this "fallback" home server + # is used. 
If set, it takes precedence over any realm-based + # fallback, such as the DEFAULT realm. + # + # For reasons of stability, this home server SHOULD be a virtual + # server. Otherwise, the fallback may itself be dead! + # + #fallback = virtual.example.com +} + +###################################################################### +# +# +# This section defines a new-style "realm". Note the in version 2.0, +# there are many fewer configuration items than in 1.x for a realm. +# +# Automatic proxying is done via the "realms" module (see "man +# rlm_realm"). To manually proxy the request put this entry in the +# "users" file: + +# +# +#DEFAULT Proxy-To-Realm := "realm_name" +# +# +realm example.com { + # + # Realms point to pools of home servers. +# + # For authentication, the "auth_pool" configuration item + # should point to a "home_server_pool" that was previously + # defined. All of the home servers in the "auth_pool" must + # be of type "auth". + # + # For accounting, the "acct_pool" configuration item + # should point to a "home_server_pool" that was previously + # defined. All of the home servers in the "acct_pool" must + # be of type "acct". + # + # If you have a "home_server_pool" where all of the home servers + # are of type "auth+acct", you can just use the "pool" + # configuration item, instead of specifying both "auth_pool" + # and "acct_pool". + + auth_pool = my_auth_failover +# acct_pool = acct + + # The server can proxy CoA packets based on the Operator-Name + # attribute. This requires that the "suffix" module be + # listed in the "recv-coa" section. + # + # See raddb/sites-available/coa + # +# coa_pool = name_of_coa_pool + + # + # Normally, when an incoming User-Name is matched against the + # realm, the realm name is "stripped" off, and the "stripped" + # user name is used to perform matches. + # + # e.g. 
User-Name = "bob@example.com" will result in two new + # attributes being created by the "realms" module: + # + # Stripped-User-Name = "bob" + # Realm = "example.com" + # + # The Stripped-User-Name is then used as a key in the "users" + # file, for example. + # + # If you do not want this to happen, uncomment "nostrip" below. + # + # nostrip + + # There are no more configuration entries for a realm. +} + + +# +# This is a sample entry for iPass. +# Note that you have to define "ipass_auth_pool" and +# "ipass_acct_pool", along with home_servers for them, too. +# +#realm IPASS { +# nostrip +# +# auth_pool = ipass_auth_pool +# acct_pool = ipass_acct_pool +#} + +# +# This realm is used mainly to cancel proxying. You can have +# the "realm suffix" module configured to proxy all requests for +# a realm, and then later cancel the proxying, based on other +# configuration. +# +# For example, you want to terminate PEAP or EAP-TTLS locally, +# you can add the following to the "users" file: +# +# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL +# +realm LOCAL { + # If we do not specify a server pool, the realm is LOCAL, and + # requests are not proxied to it. +} + +# +# This realm is for requests which don't have an explicit realm +# prefix or suffix. User names like "bob" will match this one. +# +#realm NULL { +# authhost = radius.example.com:1600 +# accthost = radius.example.com:1601 +# secret = testing123 +#} + +# +# This realm is for ALL OTHER requests. +# +#realm DEFAULT { +# authhost = radius.example.com:1600 +# accthost = radius.example.com:1601 +# secret = testing123 +#} + + +# This realm "proxies" requests internally to a virtual server. +# The pre-proxy and post-proxy sections are run just as with any +# other kind of home server. The virtual server then receives +# the request, and replies, just as with any other packet. +# +# Once proxied internally like this, the request CANNOT be proxied +# internally or externally. 
+# +#realm virtual.example.com { +# virtual_server = virtual.example.com +#} +# + +# +# Regular expressions may also be used as realm names. If these are used, +# then the "find matching realm" process is as follows: +# +# 1) Look for a non-regex realm with an *exact* match for the name. +# If found, it is used in preference to any regex matching realm. +# +# 2) Look for a regex realm, in the order that they are listed +# in the configuration files. Any regex match is performed in +# a case-insensitive fashion. +# +# 3) If no realm is found, return the DEFAULT realm, if any. +# +# The order of the realms matters in step (2). For example, defining +# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in +# the second realm NEVER matching. This is because all of the realms +# which match the second regex also match the first one. Since the +# first regex matches, it is returned. +# +# The solution is to list the realms in the opposite order,. e.g. +# ".*\.test\.example.net$", followed by ".*\.example\.net$". +# +# +# Some helpful rules: +# +# - always place a '~' character at the start of the realm name. +# This signifies that it is a regex match, and not an exact match +# for the realm. +# +# - place the regex in double quotes. This helps the configuration +# file parser ignore any "special" characters in the regex. +# Yes, this rule is different than the normal "unlang" rules for +# regular expressions. That may be fixed in a future release. +# +# - If you are matching domain names, put a '$' at the end of the regex +# that matches the domain name. This tells the regex matching code +# that the realm ENDS with the domain name, so it does not match +# realms with the domain name in the middle. e.g. "~.*\.example\.net" +# will match "test.example.netFOO", which is likely not what you want. +# Using "~(.*\.)example\.net$" is better. +# +# The more regex realms that are defined, the more time it takes to +# process them. 
You should define as few regex realms as possible
+# in order to maximize server performance.
+#
+#realm "~(.*\.)*example\.net$" {
+# auth_pool = my_auth_failover
+#}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf b/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf
new file mode 100644
index 0000000..965a495
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf
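Review bot: `home_server localhost { ... secret = testing123 }` keeps the upstream example shared secret in a committed file, and `realm example.com { auth_pool = my_auth_failover }` wires that home server (127.0.0.1:1812) into an active realm, so requests for example.com would be forwarded under a well-known secret. If this anonymous-access server only needs `realm LOCAL`, the `home_server localhost`, `home_server_pool my_auth_failover` and `realm example.com` sections can be removed; if proxying is intended, the secret should be supplied from outside the repository and the home server pointed at the real upstream. The file otherwise appears to be an unmodified upstream copy, which is worth stating in a short header comment, e.g. `# Upstream FreeRADIUS default; only realm LOCAL is used by this package`, so later readers do not assume the sample realm is live.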
@@ -0,0 +1,931 @@
+# -*- text -*-
+##
+## radiusd.conf -- FreeRADIUS server configuration file - 3.0.25
+##
+## http://www.freeradius.org/
+## $Id: 70c0c32547eb6b68d6362430f66e27fc105fe2b2 $
+##
+
+######################################################################
+#
+# The format of this (and other) configuration file is
+# documented in "man unlang". There are also READMEs in many
+# subdirectories:
+#
+# raddb/README.rst
+# How to upgrade from v2.
+#
+# raddb/mods-available/README.rst
+# How to use mods-available / mods-enabled.
+# All of the modules are in individual files,
+# along with configuration items and full documentation.
+#
+# raddb/sites-available/README
+# virtual servers, "listen" sections, clients, etc.
+# The "sites-available" directory contains many
+# worked examples of common configurations.
+#
+# raddb/certs/README.md
+# How to create certificates for EAP or RadSec.
+#
+# Every configuration item in the server is documented
+# extensively in the comments in the example configuration
+# files.
+#
+# Before editing this (or any other) configuration file, PLEASE
+# read "man radiusd". See the section titled DEBUGGING. It
+# outlines a method where you can quickly create the
+# configuration you want, with minimal effort.
+#
+# Run the server in debugging mode, and READ the output.
+#
+# $ radiusd -X
+#
+# We cannot emphasize this point strongly enough. The vast
+# majority of problems can be solved by carefully reading the
+# debugging output, which includes warnings about common issues,
+# and suggestions for how they may be fixed.
+#
+# There may be a lot of output, but look carefully for words like:
+# "warning", "error", "reject", or "failure". The messages there
+# will usually be enough to guide you to a solution.
+#
+# More documentation on "radiusd -X" is available on the wiki:
+# https://wiki.freeradius.org/radiusd-X
+#
+# If you are going to ask a question on the mailing list, then
+# explain what you are trying to do, and include the output from
+# debugging mode (radiusd -X). Failure to do so means that all
+# of the responses to your question will be people telling you
+# to "post the output of radiusd -X".
+#
+# Guidelines for posting to the mailing list are on the wiki:
+# https://wiki.freeradius.org/list-help
+#
+# Please read those guidelines before posting to the list.
+#
+# Further documentation is available in the "doc" directory
+# of the server distribution, or on the wiki at:
+# https://wiki.freeradius.org/
+#
+# New users to RADIUS should read the Technical Guide. That guide
+# explains how RADIUS works, how FreeRADIUS works, and what each
+# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
+# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
+#
+# More documentation on dictionaries, modules, unlang, etc. is also
+# available on the Network RADIUS web site:
+# https://networkradius.com/freeradius-documentation/
+#
+
+######################################################################
+
+prefix = @PREFIX@
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+# This should be automatically set at configuration time.
+#
+# If the server builds and installs, but fails at execution time
+# with an 'undefined symbol' error, then you can use the libdir
+# directive to work around the problem.
+#
+# The cause is usually that a library has been installed on your
+# system in a place where the dynamic linker CANNOT find it. When
+# executing as root (or another user), your personal environment MAY
+# be set up to allow the dynamic linker to find the library. When
+# executing as a daemon, FreeRADIUS MAY NOT have the same
+# personalized configuration.
+#
+# To work around the problem, find out which library contains that symbol,
+# and add the directory containing that library to the end of 'libdir',
+# with a colon separating the directory names. NO spaces are allowed.
+#
+# e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+# You can also try setting the LD_LIBRARY_PATH environment variable
+# in a script which starts the server.
+#
+# If that does not work, then you can re-configure and re-build the
+# server to NOT use shared libraries, via:
+#
+# ./configure --disable-shared
+# make
+# make install
+#
+libdir = ${prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+#
+# The server may be signalled while it's running by using this
+# file.
+#
+# This file is written when ONLY running in daemon mode.
+#
+# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+#
+# correct_escapes: use correct backslash escaping
+#
+# Prior to version 3.0.5, the handling of backslashes was a little
+# awkward, i.e. "wrong". In some cases, to get one backslash into
+# a regex, you had to put 4 in the config files.
+#
+# Version 3.0.5 fixes that. However, for backwards compatibility,
+# the new method of escaping is DISABLED BY DEFAULT. This means
+# that upgrading to 3.0.5 won't break your configuration.
+#
+# If you don't have double backslashes (i.e. \\) in your configuration,
+# this won't matter to you.
If you do have them, fix that to use only
+# one backslash, and then set "correct_escapes = true".
+#
+# You can check for this by doing:
+#
+# $ grep '\\\\' $(find raddb -type f -print)
+#
+correct_escapes = true
+
+# panic_action: Command to execute if the server dies unexpectedly.
+#
+# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
+# PATTACH CAN BE USED AS AN ATTACK VECTOR.
+#
+# The panic action is a command which will be executed if the server
+# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+# SIGABRT or SIGFPE.
+#
+# This can be used to start an interactive debugging session so
+# that information regarding the current state of the server can
+# be acquired.
+#
+# The following string substitutions are available:
+# - %e The currently executing program e.g. /sbin/radiusd
+# - %p The PID of the currently executing program e.g. 12345
+#
+# Standard ${} substitutions are also allowed.
+#
+# An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+# Again, don't use that on a production system.
+#
+# An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
+#
+# That command can be used on a production system.
+#
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+#
+# Requests which take more time than this to process may be killed, and
+# a REJECT message is returned.
+#
+# WARNING: If you notice that requests take a long time to be handled,
+# then this MAY INDICATE a bug in the server, in one of the modules
+# used to handle a request, OR in your local configuration.
+#
+# This problem is most often seen when using an SQL database.
If it takes
+# more than a second or two to receive an answer from the SQL database,
+# then it probably means that you haven't indexed the database. See your
+# SQL server documentation for more information.
+#
+# Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+# a reply which was sent to the NAS.
+#
+# The RADIUS request is normally cached internally for a short period
+# of time, after the reply is sent to the NAS. The reply packet may be
+# lost in the network, and the NAS will not see it. The NAS will then
+# re-send the request, and the server will respond quickly with the
+# cached reply.
+#
+# If this value is set too low, then duplicate requests from the NAS
+# MAY NOT be detected, and will instead be handled as separate requests.
+#
+# If this value is set too high, then the server will cache too many
+# requests, and some new requests may get blocked. (See 'max_requests'.)
+#
+# Useful range of values: 2 to 30
+#
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+# track of. This should be 256 multiplied by the number of clients.
+# e.g. With 4 clients, this number should be 1024.
+#
+# If this number is too low, then when the server becomes busy,
+# it will not respond to any new requests, until the 'cleanup_delay'
+# time has passed, and it has removed the old requests.
+#
+# If this number is set too high, then the server will use a bit more
+# memory for no real benefit.
+#
+# If you aren't sure what it should be set to, it's better to set it
+# too high than too low. Setting it to 1000 per client is probably
+# the highest it should be.
+#
+# Useful range of values: 256 to infinity
+#
+max_requests = 16384
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+# The default is 'off' because it would be overall better for the net
+# if people had to knowingly turn this feature on, since enabling it
+# means that each client request will result in AT LEAST one lookup
+# request to the nameserver. Enabling hostname_lookups will also
+# mean that your server may stop randomly for 30 seconds from time
+# to time, if the DNS requests take too long.
+#
+# Turning hostname lookups off also means that the server won't block
+# for 30 seconds, if it sees an IP address which has no name associated
+# with it.
+#
+# allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#
+# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when
+# the server sends an Access-Challenge, and then client does not
+# respond to it. The goal is to allow administrators to log
+# something when the client does not respond.
+#
+# See sites-available/default, "Post-Auth-Type Client-Lost" for more
+# information.
+#
+#postauth_client_lost = no
+
+#
+# Logging section. The various "log_*" configuration items
+# will eventually be moved here.
+#
+log {
+ #
+ # Destination for log messages. This can be one of:
+ #
+ # files - log to "file", as defined below.
+ # syslog - to syslog (see also the "syslog_facility", below.
+ # stdout - standard output
+ # stderr - standard error.
+ #
+ # The command-line option "-X" over-rides this option, and forces
+ # logging to go to stdout.
+ #
+ destination = files
+
+ #
+ # Highlight important messages sent to stderr and stdout.
+ #
+ # Option will be ignored (disabled) if output if TERM is not
+ # an xterm or output is not to a TTY.
+ #
+ colourise = yes
+
+ #
+ # The logging messages for the server are appended to the
+ # tail of this file if destination == "files"
+ #
+ # If the server is running in debugging mode, this file is
+ # NOT used.
+ #
+ file = ${logdir}/radius.log
+
+ #
+ # Which syslog facility to use, if ${destination} == "syslog"
+ #
+ # The exact values permitted here are OS-dependent.
You probably
+ # don't want to change this.
+ #
+ syslog_facility = daemon
+
+ # Log the full User-Name attribute, as it was found in the request.
+ #
+ # allowed values: {no, yes}
+ #
+ stripped_names = no
+
+ # Log all (accept and reject) authentication results to the log file.
+ #
+ # This is the same as setting "auth_accept = yes" and
+ # "auth_reject = yes"
+ #
+ # allowed values: {no, yes}
+ #
+ auth = yes
+
+ # Log Access-Accept results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_accept = no
+
+ # Log Access-Reject results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_reject = no
+
+ # Log passwords with the authentication requests.
+ # auth_badpass - logs password if it's rejected
+ # auth_goodpass - logs password if it's correct
+ #
+ # allowed values: {no, yes}
+ #
+ auth_badpass = yes
+ auth_goodpass = yes
+
+ # Log additional text at the end of the "Login OK" messages.
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+ # configurations above have to be set to "yes".
+ #
+ # The strings below are dynamically expanded, which means that
+ # you can put anything you want in them. However, note that
+ # this expansion can be slow, and can negatively impact server
+ # performance.
+ #
+# msg_goodpass = ""
+# msg_badpass = ""
+
+ # The message when the user exceeds the Simultaneous-Use limit.
+ #
+ msg_denied = "You are already logged in - access denied"
+
+ # Suppress "secret" attributes when printing them in debug mode.
+ #
+ # Secrets are NOT tracked across xlat expansions. If your
+ # configuration puts secrets into other strings, they will
+ # still get printed.
+ #
+ # Setting this to "yes" means that the server prints
+ #
+ # <<< secret >>>
+ #
+ # instead of the value, for attriburtes which contain secret
+ # information. e.g. User-Name, Tunnel-Password, etc.
+ #
+ # This configuration is disabled by default.
It is extremely
+ # important for administrators to be able to debug user logins
+ # by seeing what is actually being sent.
+ #
+# suppress_secrets = no
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#
+# ENVIRONMENT VARIABLES
+#
+# You can reference environment variables using an expansion like
+# `$ENV{PATH}`. However it is sometimes useful to be able to also set
+# environment variables. This section lets you do that.
+#
+# The main purpose of this section is to allow administrators to keep
+# RADIUS-specific configuration in the RADIUS configuration files.
+# For example, if you need to set an environment variable which is
+# used by a module. You could put that variable into a shell script,
+# but that's awkward. Instead, just list it here.
+#
+# Note that these environment variables are set AFTER the
+# configuration file is loaded. So you cannot set FOO here, and
+# expect to reference it via `$ENV{FOO}` in another configuration file.
+# You should instead just use a normal configuration variable for
+# that.
+#
+ENV {
+ #
+ # Set environment varable `FOO` to value '/bar/baz'.
+ #
+ # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
+ # values.
+ #
+# FOO = '/bar/baz'
+
+ #
+ # Delete environment variable `BAR`.
+ #
+# BAR
+
+ #
+ # `LD_PRELOAD` is special. It is normally set before the
+ # application runs, and is interpreted by the dynamic linker.
+ # Which means you cannot set it inside of an application, and
+ # expect it to load libraries.
+ #
+ # Since this functionality is useful, we extend it here.
+ #
+ # You can set
+ #
+ # LD_PRELOAD = /path/to/library.so
+ #
+ # and the server will load the named libraries. Multiple
+ # libraries can be loaded by specificing multiple individual
+ # `LD_PRELOAD` entries.
+ #
+ #
+# LD_PRELOAD = /path/to/library1.so
+# LD_PRELOAD = /path/to/library2.so
+}
+
+# SECURITY CONFIGURATION
+#
+# There may be multiple methods of attacking on the server.
This
+# section holds the configuration items which minimize the impact
+# of those attacks
+#
+security {
+ # chroot: directory where the server does "chroot".
+ #
+ # The chroot is done very early in the process of starting
+ # the server. After the chroot has been performed it
+ # switches to the "user" listed below (which MUST be
+ # specified). If "group" is specified, it switches to that
+ # group, too. Any other groups listed for the specified
+ # "user" in "/etc/group" are also added as part of this
+ # process.
+ #
+ # The current working directory (chdir / cd) is left
+ # *outside* of the chroot until all of the modules have been
+ # initialized. This allows the "raddb" directory to be left
+ # outside of the chroot. Once the modules have been
+ # initialized, it does a "chdir" to ${logdir}. This means
+ # that it should be impossible to break out of the chroot.
+ #
+ # If you are worried about security issues related to this
+ # use of chdir, then simply ensure that the "raddb" directory
+ # is inside of the chroot, end be sure to do "cd raddb"
+ # BEFORE starting the server.
+ #
+ # If the server is statically linked, then the only files
+ # that have to exist in the chroot are ${run_dir} and
+ # ${logdir}. If you do the "cd raddb" as discussed above,
+ # then the "raddb" directory has to be inside of the chroot
+ # directory, too.
+ #
+# chroot = /path/to/chroot/directory
+
+ # user/group: The name (or #number) of the user/group to run radiusd as.
+ #
+ # If these are commented out, the server will run as the
+ # user/group that started it. In order to change to a
+ # different user/group, you MUST be root ( or have root
+ # privileges ) to start the server.
+ #
+ # We STRONGLY recommend that you run the server with as few
+ # permissions as possible. That is, if you're not using
+ # shadow passwords, the user and group items below should be
+ # set to radius'.
+ #
+ # NOTE that some kernels refuse to setgid(group) when the
+ # value of (unsigned)group is above 60000; don't use group
+ # "nobody" on these systems!
+ #
+ # On systems with shadow passwords, you might have to set
+ # 'group = shadow' for the server to be able to read the
+ # shadow password file. If you can authenticate users while
+ # in debug mode, but not in daemon mode, it may be that the
+ # debugging mode server is running as a user that can read
+ # the shadow info, and the user listed below can not.
+ #
+ # The server will also try to use "initgroups" to read
+ # /etc/groups. It will join all groups where "user" is a
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+# user = radius
+# group = radius
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+ #
+ # allowed values: {no, yes}
+ #
+ allow_core_dumps = no
+
+ #
+ # max_attributes: The maximum number of attributes
+ # permitted in a RADIUS packet. Packets which have MORE
+ # than this number of attributes in them will be dropped.
+ #
+ # If this number is set too low, then no RADIUS packets
+ # will be accepted.
+ #
+ # If this number is set too high, then an attacker may be
+ # able to send a small number of packets which will cause
+ # the server to use all available memory on the machine.
+ #
+ # Setting this number to 0 means "allow any number of attributes"
+ max_attributes = 200
+
+ #
+ # reject_delay: When sending an Access-Reject, it can be
+ # delayed for a few seconds. This may help slow down a DoS
+ # attack. It also helps to slow down people trying to brute-force
+ # crack a users password.
+ #
+ # Setting this number to 0 means "send rejects immediately"
+ #
+ # If this number is set higher than 'cleanup_delay', then the
+ # rejects will be sent at 'cleanup_delay' time, when the request
+ # is deleted from the internal cache of requests.
+ #
+ # This number can be a decimal, e.g.
3.4
+ #
+ # Useful ranges: 1 to 5
+ reject_delay = 1
+
+ #
+ # status_server: Whether or not the server will respond
+ # to Status-Server requests.
+ #
+ # When sent a Status-Server message, the server responds with
+ # an Access-Accept or Accounting-Response packet.
+ #
+ # This is mainly useful for administrators who want to "ping"
+ # the server, without adding test users, or creating fake
+ # accounting packets.
+ #
+ # It's also useful when a NAS marks a RADIUS server "dead".
+ # The NAS can periodically "ping" the server with a Status-Server
+ # packet. If the server responds, it must be alive, and the
+ # NAS can start using it for real requests.
+ #
+ # See also raddb/sites-available/status
+ #
+ status_server = yes
+
+ #
+ # allow_vulnerable_openssl: Allow the server to start with
+ # versions of OpenSSL known to have critical vulnerabilities.
+ #
+ # This check is based on the version number reported by libssl
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+ allow_vulnerable_openssl = no
+}
+
+# PROXY CONFIGURATION
+#
+# proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+# The server has proxying turned on by default. If your system is NOT
+# set up to proxy requests to another server, then you can turn proxying
+# off here. This will save a small amount of resources on the server.
+#
+# If you have proxying turned off, and your configuration files say
+# to proxy a request, then an error message will be logged.
+#
+# To disable proxying, change the "yes" to "no", and comment the
+# $INCLUDE line.
+#
+# allowed values: {no, yes}
+#
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+# Client configuration is defined in "clients.conf".
+#
+
+# The 'clients.conf' file contains all of the information from the old
+# 'clients' and 'naslist' configuration files. We recommend that you
+# do NOT use 'client's or 'naslist', although they are still
+# supported.
+#
+# Anything listed in 'clients.conf' will take precedence over the
+# information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+# The thread pool is a long-lived group of threads which
+# take turns (round-robin) handling any incoming requests.
+#
+# You probably want to have a few spare threads around,
+# so that high-load situations can be handled immediately. If you
+# don't have any spare threads, then the request handling will
+# be delayed while a new thread is created, and added to the pool.
+#
+# You probably don't want too many spare threads around,
+# otherwise they'll be sitting there taking up resources, and
+# not doing anything productive.
+#
+# The numbers given below should be adequate for most situations.
+#
+thread pool {
+ # Number of servers to start initially --- should be a reasonable
+ # ballpark figure.
+ start_servers = 5
+
+ # Limit on the total number of servers running.
+ #
+ # If this limit is ever reached, clients will be LOCKED OUT, so it
+ # should NOT BE SET TOO LOW. It is intended mainly as a brake to
+ # keep a runaway server from taking the system with it as it spirals
+ # down...
+ #
+ # You may find that the server is regularly reaching the
+ # 'max_servers' number of threads, and that increasing
+ # 'max_servers' doesn't seem to make much difference.
+ #
+ # If this is the case, then the problem is MOST LIKELY that
+ # your back-end databases are taking too long to respond, and
+ # are preventing the server from responding in a timely manner.
+ #
+ # The solution is NOT do keep increasing the 'max_servers'
+ # value, but instead to fix the underlying cause of the
+ # problem: slow database, or 'hostname_lookups=yes'.
+ #
+ # For more information, see 'max_request_time', above.
+ #
+ max_servers = 32
+
+ # Server-pool size regulation.
Rather than making you guess
+ # how many servers you need, FreeRADIUS dynamically adapts to
+ # the load it sees, that is, it tries to maintain enough
+ # servers to handle the current load, plus a few spare
+ # servers to handle transient load spikes.
+ #
+ # It does this by periodically checking how many servers are
+ # waiting for a request. If there are fewer than
+ # min_spare_servers, it creates a new spare. If there are
+ # more than max_spare_servers, some of the spares die off.
+ # The default values are probably OK for most sites.
+ #
+ min_spare_servers = 3
+ max_spare_servers = 10
+
+ # When the server receives a packet, it places it onto an
+ # internal queue, where the worker threads (configured above)
+ # pick it up for processing. The maximum size of that queue
+ # is given here.
+ #
+ # When the queue is full, any new packets will be silently
+ # discarded.
+ #
+ # The most common cause of the queue being full is that the
+ # server is dependent on a slow database, and it has received
+ # a large "spike" of traffic. When that happens, there is
+ # very little you can do other than make sure the server
+ # receives less traffic, or make sure that the database can
+ # handle the load.
+ #
+# max_queue_size = 65536
+
+ # Clean up old threads periodically. For no reason other than
+ # it might be useful.
+ #
+ # '0' is a special value meaning 'infinity', or 'the servers never
+ # exit'
+ max_requests_per_server = 0
+
+ # Automatically limit the number of accounting requests.
+ # This configuration item tracks how many requests per second
+ # the server can handle. It does this by tracking the
+ # packets/s received by the server for processing, and
+ # comparing that to the packets/s handled by the child
+ # threads.
+ #
+
+ # If the received PPS is larger than the processed PPS, *and*
+ # the queue is more than half full, then new accounting
+ # requests are probabilistically discarded.
This lowers the
+ # number of packets that the server needs to process. Over
+ # time, the server will "catch up" with the traffic.
+ #
+ # Throwing away accounting packets is usually safe and low
+ # impact. The NAS will retransmit them in a few seconds, or
+ # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
+ # to see how accounting packets should be retransmitted. Using
+ # any other method is likely to cause network meltdowns.
+ #
+ auto_limit_acct = no
+}
+
+######################################################################
+#
+# SNMP notifications. Uncomment the following line to enable
+# snmptraps. Note that you MUST also configure the full path
+# to the "snmptrap" command in the "trigger.conf" file.
+#
+#$INCLUDE trigger.conf
+
+# MODULE CONFIGURATION
+#
+# The names and configuration of each module is located in this section.
+#
+# After the modules are defined here, they may be referred to by name,
+# in other sections of this configuration file.
+#
+modules {
+ #
+ # Each module has a configuration as follows:
+ #
+ # name [ instance ] {
+ # config_item = value
+ # ...
+ # }
+ #
+ # The 'name' is used to load the 'rlm_name' library
+ # which implements the functionality of the module.
+ #
+ # The 'instance' is optional. To have two different instances
+ # of a module, it first must be referred to by 'name'.
+ # The different copies of the module are then created by
+ # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+ #
+ # The instance names can then be used in later configuration
+ # INSTEAD of the original 'name'. See the 'radutmp' configuration
+ # for an example.
+ #
+
+ #
+ # Some modules have ordering issues. e.g. "sqlippool" uses
+ # the configuration from "sql". In that case, the "sql"
+ # module must be read off of disk before the "sqlippool".
+ # However, the directory inclusion below just reads the
+ # directory from start to finish. Which means that the
+ # modules are read off of disk randomly.
+ #
+ # You can list individual modules *before* the directory
+ # inclusion. Those modules will be loaded first. Then, when
+ # the directory is read, those modules will be skipped and
+ # not read twice.
+ #
+# $INCLUDE mods-enabled/sql
+
+ #
+ # All modules are in ther mods-enabled/ directory. Files
+ # matching the regex /[a-zA-Z0-9_.]+/ are read. The
+ # modules are initialized ONLY if they are referenced in a
+ # processing section, such as authorize, authenticate,
+ # accounting, pre/post-proxy, etc.
+ #
+ $INCLUDE mods-enabled/
+}
+
+# Instantiation
+#
+# This section sets the instantiation order of the modules. listed
+# here will get started up BEFORE the sections like authorize,
+# authenticate, etc. get examined.
+#
+# This section is not strictly needed. When a section like authorize
+# refers to a module, the module is automatically loaded and
+# initialized. However, some modules may not be listed in any of the
+# processing sections, so they should be listed here.
+#
+# Also, listing modules here ensures that you have control over
+# the order in which they are initialized. If one module needs
+# something defined by another module, you can list them in order
+# here, and ensure that the configuration will be OK.
+#
+# After the modules listed here have been loaded, all of the modules
+# in the "mods-enabled" directory will be loaded. Loading the
+# "mods-enabled" directory means that unlike Version 2, you usually
+# don't need to list modules here.
+#
+instantiate {
+ #
+ # We list the counter module here so that it registers
+ # the check_name attribute before any module which sets
+ # it
+# daily
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text.
Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ # The "virtual" module defined here can also be used with
+ # dynamic expansions, under a few conditions:
+ #
+ # * The section is "redundant", or "load-balance", or
+ # "redundant-load-balance"
+ # * The section contains modules ONLY, and no sub-sections
+ # * all modules in the section are using the same rlm_
+ # driver, e.g. They are all sql, or all ldap, etc.
+ #
+ # When those conditions are satisfied, the server will
+ # automatically register a dynamic expansion, using the
+ # name of the "virtual" module. In the example below,
+ # it will be "redundant_sql". You can then use this expansion
+ # just like any other:
+ #
+ # update reply {
+ # Filter-Id := "%{redundant_sql: ... }"
+ # }
+ #
+ # In this example, the expansion is done via module "sql1",
+ # and if that expansion fails, using module "sql2".
+ #
+ # For best results, configure the "pool" subsection of the
+ # module so that "retry_delay" is non-zero. That will allow
+ # the redundant block to quickly ignore all "down" SQL
+ # databases. If instead we have "retry_delay = 0", then
+ # every time the redundant block is used, the server will try
+ # to open a connection to every "down" database, causing
+ # problems.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
+}
+
+######################################################################
+#
+# Policies are virtual modules, similar to those defined in the
+# "instantiate" section above.
+#
+# Defining a policy in one of the policy.d files means that it can be
+# referenced in multiple places as a *name*, rather than as a series of
+# conditions to match, and actions to take.
+#
+# Policies are something like subroutines in a normal language, but
+# they cannot be called recursively. They MUST be defined in order.
+# If policy A calls policy B, then B MUST be defined before A.
+#
+######################################################################
+policy {
+ $INCLUDE policy.d/
+}
+
+######################################################################
+#
+# Load virtual servers.
+#
+# This next $INCLUDE line loads files in the directory that
+# match the regular expression: /[a-zA-Z0-9_.]+/
+#
+# It allows you to define new virtual servers simply by placing
+# a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
+
+######################################################################
+#
+# All of the other configuration sections like "authorize {}",
+# "authenticate {}", "accounting {}", have been moved to the
+# the file:
+#
+# raddb/sites-available/default
+#
+# This is the "default" virtual server that has the same
+# configuration as in version 1.0.x and 1.1.x. The default
+# installation enables this virtual server. You should
+# edit it to create policies for your local site.
+#
+# For more documentation on virtual servers, see:
+#
+# raddb/sites-available/README
+#
+######################################################################
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/default b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/default
new file mode 100644
index 0000000..05d7a38
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/default
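Review bot: `auth_badpass = yes` and `auth_goodpass = yes` in the `log {}` section make the server write the submitted password, for rejected and accepted logins alike, into `${logdir}/radius.log`; the stock 3.0 file ships both as `no`, so this package deliberately leaves cleartext credentials at rest in a log that every reader of the log directory and any log forwarder can see. Unless the anonymous-access design guarantees the password is never a real user secret, change these to `auth_badpass = no` and `auth_goodpass = no`, or add a comment above them stating why password logging is wanted here. In the `security {}` block `user` and `group` stay commented out, so privilege dropping depends entirely on how the daemon is started (presumably a systemd unit on NixOS, worth confirming), and `proxy_requests = yes` with `$INCLUDE proxy.conf` keeps proxying enabled even though the file's own comment notes it can be turned off when no home servers are used. `prefix = @PREFIX@` is a build-time substitution token that the packaging must replace before install, otherwise `sbindir`, `libdir` and `checkrad` expand to a literal `@PREFIX@` path.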
@@ -0,0 +1,1138 @@ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You will likely have to edit +# that, too, for authentication to work. +# +# $Id: 1926b7cd6e381cebfb809c7e89f8db0808124625 $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. 
In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### + +server default { +# +# If you want the server to listen on additional addresses, or on +# additional ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +# +listen { + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # auth+acct listen for both authentication and accounting packets + # proxy IP to use for sending proxied packets + # detail Read from the detail file. For examples, see + # raddb/sites-available/copy-acct-to-home-server + # status listen for Status-Server packets. For examples, + # see raddb/sites-available/status + # coa listen for CoA-Request and Disconnect-Request + # packets. For examples, see the file + # raddb/sites-available/coa + # + type = auth + + # Note: "type = proxy" lets you control the source IP used for + # proxying packets, with some limitations: + # + # * A proxy listener CANNOT be used in a virtual server section. + # * You should probably set "port = 0". + # * Any "clients" configuration will be ignored. + # + # See also proxy.conf, and the "src_ipaddr" configuration entry + # in the sample "home_server" section. When you specify the + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. + + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. + # If multiple ones are listed, only the first one will + # be used, and the others will be ignored. 
+ # + # The configuration options accept the following syntax: + # + # ipv4addr - IPv4 address (e.g.192.0.2.3) + # - wildcard (i.e. *) + # - hostname (radius.example.com) + # Only the A record for the host name is used. + # If there is no A record, an error is returned, + # and the server fails to start. + # + # ipv6addr - IPv6 address (e.g. 2001:db8::1) + # - wildcard (i.e. *) + # - hostname (radius.example.com) + # Only the AAAA record for the host name is used. + # If there is no AAAA record, an error is returned, + # and the server fails to start. + # + # ipaddr - IPv4 address as above + # - IPv6 address as above + # - wildcard (i.e. *), which means IPv4 wildcard. + # - hostname + # If there is only one A or AAAA record returned + # for the host name, it is used. + # If multiple A or AAAA records are returned + # for the host name, only the first one is used. + # If both A and AAAA records are returned + # for the host name, only the A record is used. + # + # ipv4addr = * + # ipv6addr = * + ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" + port = 0 + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. + # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. 
Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". + # +# clients = per_socket_clients + + # + # Set the default UDP receive buffer size. In most cases, + # the default values set by the kernel are fine. However, in + # some cases the NASes will send large packets, and many of + # them at a time. It is then possible to overflow the + # buffer, causing the kernel to drop packets before they + # reach FreeRADIUS. Increasing the size of the buffer will + # avoid these packet drops. + # +# recv_buff = 65536 + + # + # Connection limiting for sockets with "proto = tcp". + # + # This section is ignored for other kinds of sockets. + # + limit { + # + # Limit the number of simultaneous TCP connections to the socket + # + # The default is 16. + # Setting this to 0 means "no limit" + max_connections = 16 + + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". + lifetime = 0 + + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. + # + idle_timeout = 30 + } +} + +# +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + ipaddr = * +# ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { + # The number of packets received can be rate limited via the + # "max_pps" configuration item. When it is set, the server + # tracks the total number of packets received in the previous + # second. If the count is greater than "max_pps", then the + # new packet is silently discarded. 
This helps the server + # deal with overload situations. + # + # The packets/s counter is tracked in a sliding window. This + # means that the pps calculation is done for the second + # before the current packet was received. NOT for the current + # wall-clock second, and NOT for the previous wall-clock second. + # + # Useful values are 0 (no limit), or 100 to 10000. + # Values lower than 100 will likely cause the server to ignore + # normal traffic. Few systems are capable of handling more than + # 10K packets/s. + # + # It is most useful for accounting systems. Set it to 50% + # more than the normal accounting load, and you can be sure that + # the server will never get overloaded + # +# max_pps = 0 + + # Only for "proto = tcp". These are ignored for "udp" sockets. + # +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} + +# IPv6 versions of the above - read their full config to understand options +listen { + type = auth + ipv6addr = :: # any. ::1 == localhost + port = 0 +# interface = eth0 +# clients = per_socket_clients + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} + +listen { + ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { +# max_pps = 0 +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# Any changes made here should also be made to the "inner-tunnel" +# virtual server. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. 
+ # + # See policy.d/filter for the definition of the filter_username policy. + # + filter_username + + # + # Some broken equipment sends passwords with embedded zeros. + # i.e. the debug output will show + # + # User-Password = "password\000\000" + # + # This policy will fix it to just be "password". + # +# filter_password + + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/mods-config/preprocess/hints' + # and the 'raddb/mods-config/preprocess/huntgroups' files. + preprocess + + # If you intend to use CUI and you require that the Operator-Name + # be set for CUI generation and you want to generate CUI also + # for your local clients then uncomment the operator-name + # below and set the operator-name for your clients in clients.conf +# operator-name + + # + # If you want to generate CUI for some clients that do not + # send proper CUI requests, then uncomment the + # cui below and set "add_cui = yes" for these clients in clients.conf +# cui + + # + # If you want to have a log of authentication requests, + # un-comment the following line. +# auth_log + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. + digest + + # + # The WiMAX specification says that the Calling-Station-Id + # is 6 octets of the MAC. 
This definition conflicts with + # RFC 3580, and all common RADIUS practices. If you are using + # old style WiMAX (non LTE) the un-commenting the "wimax" module + # here means that it will fix the Calling-Station-Id attribute to + # the normal format as specified in RFC 3580 Section 3.21. + # + # If you are using WiMAX 2.1 (LTE) then un-commenting will allow + # the module to handle SQN resyncronisation. Prior to calling the + # module it is necessary to populate the following attributes + # with the relevant keys: + # control:WiMAX-SIM-Ki + # control:WiMAX-SIM-OPc + # + # If WiMAX-Re-synchronization-Info is found in the request then + # the module will attempt to extract SQN and store it in + # control:WiMAX-SIM-SQN. Also a copy of RAND is extracted to + # control:WiMAX-SIM-RAND. + # + # If the SIM cannot be authenticated using Ki and OPc then reject + # will be returned. +# wimax + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # Look for realms in user@domain format + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The EAP module returns "ok" or "updated" if it is not yet ready + # to authenticate the user. The configuration below checks for + # "ok", and stops processing the "authorize" section if so. + # + # Any LDAP and/or SQL servers will not be queried for the + # initial set of packets that go back and forth to set up + # TTLS or PEAP. + # + # The "updated" check is commented out for compatibility with + # previous versions of this configuration, but you may wish to + # uncomment it as well; this will further reduce the number of + # LDAP and/or SQL queries for TTLS or PEAP. 
+ # + eap { + ok = return +# updated = return + } + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # mods-available/passwd module. + # +# unix + + # + # Read the 'users' file. In v3, this is located in + # raddb/mods-config/files/authorize + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in mods-available/sql + -sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +# smbpasswd + + # + # The ldap module reads passwords from the LDAP database. + -ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + + # + # If "status_server = yes", then Status-Server messages are passed + # through the following section, and ONLY the following section. + # This permits you to do DB queries, for example. If the modules + # listed here return "fail", then NO response is sent. + # +# Autz-Type Status-Server { +# +# } + + # + # RADIUS/TLS (or RadSec) connections are processed through + # this section. See sites-available/tls, and the configuration + # item "check_client_connections" for more information. + # + # The request contains TLS client certificate attributes, + # and nothing else. The debug output will print which + # attributes are available on your system. 
+ # + # If the section returns "ok" or "updated", then the + # connection is accepted. Otherwise the connection is + # terminated. + # + Autz-Type New-TLS-Connection { + ok + } +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the appropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user (Auth-Type := Reject), +# or to or forcibly accept the user (Auth-Type := Accept). +# +# Note that Auth-Type := Accept will NOT work with EAP. +# +# Please do not put "unlang" configurations into the "authenticate" +# section. Put them in the "post-auth" section instead. That's what +# the post-auth section is for. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # For old names, too. + # + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. + digest + + # + # Pluggable Authentication Modules. 
+# pam + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. + # + # We do NOT recommend using this. LDAP servers are databases. + # They are NOT authentication servers. FreeRADIUS is an + # authentication server, and knows what to do with authentication. + # LDAP servers do not. + # +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap + + # + # The older configurations sent a number of attributes in + # Access-Challenge packets, which wasn't strictly correct. + # If you want to filter out these attributes, uncomment + # the following lines. + # +# Auth-Type eap { +# eap { +# handled = 1 +# } +# if (handled && (Response-Packet-Type == Access-Challenge)) { +# attr_filter.access_challenge.post-auth +# handled # override the "updated" code from attr_filter +# } +# } +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets + # into a single 64bit counter Acct-[Input|Output]-Octets64. + # +# acct_counters64 + + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. 
+ # + # The start time is: NOW - delay - session_length + # + +# update request { +# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # Update accounting packet by adding the CUI attribute + # recorded from the corresponding Access-Accept + # use it only if your NAS boxes do not support CUI themselves +# cui + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. + unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. +# radutmp +# sradutmp + + # + # Return an address to the IP Pool when we see a stop record. + # + # Ensure that &control:Pool-Name is set to determine which + # pool of IPs are used. +# sqlippool + + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in mods-available/sql + -sql + + # + # If you receive stop packets with zero session length, + # they will NOT be logged in the database. The SQL module + # will print a message (only in debugging mode), and will + # return "noop". + # + # You can ignore these packets by uncommenting the following + # three lines. Otherwise, the server will not respond to the + # accounting request, and the NAS will retransmit. 
+ # +# if (noop) { +# ok +# } + + # Cisco VoIP specific bulk accounting +# pgsql-voip + + # For Exec-Program and Exec-Program-Wait + exec + + # Filter attributes from the accounting response. + attr_filter.accounting_response + + # + # See "Autz-Type Status-Server" for how this works. + # +# Acct-Type Status-Server { +# +# } +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { +# radutmp + + # + # See "Simultaneous Use Checking Queries" in mods-available/sql +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # + # If you need to have a State attribute, you can + # add it here. e.g. for later CoA-Request with + # State, and Service-Type = Authorize-Only. + # +# if (!&reply:State) { +# update reply { +# State := "0x%{randstr:16h}" +# } +# } + + # + # Reject packets where User-Name != TLS-Client-Cert-Common-Name + # There is no reason for users to lie about their names. + # + # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name + # +# verify_tls_client_common_name + + # + # If there is no Stripped-User-Name in the request, AND we have a client cert, + # then create a Stripped-User-Name from the TLS client certificate information. + # + # Note that this policy MUST be edited for your local system! + # We do not know which fields exist in which certificate, as + # there is no standard here. There is no way for us to have + # a default configuration which "just works" everywhere. We + # can only make recommendations. + # + # The Stripped-User-Name is updated so that it is logged in + # the various "username" fields. This logging means that you + # can associate a particular session with a particular client + # certificate. 
+ # +# if (&EAP-Message && !&Stripped-User-Name && &TLS-Client-Cert-Serial) { +# update request { +# &Stripped-User-Name := "%{%{TLS-Client-Cert-Subject-Alt-Name-Email}:-%{%{TLS-Client-Cert-Common-Name}:-%{TLS-Client-Cert-Serial}}}" +# } +# + # + # Create a Class attribute which is a hash of a bunch + # of information which we hope exists. This + # attribute should be echoed back in + # Accounting-Request packets, which will let the + # administrator correlate authentication and + # accounting. + # +# update reply { +# Class += "%{md5:%{Calling-Station-Id}%{Called-Station-Id}%{TLS-Client-Cert-Subject-Alt-Name-Email}%{TLS-Client-Cert-Common-Name}%{TLS-Client-Cert-Serial}%{NAS-IPv6-Address}%{NAS-IP-Address}%{NAS-Identifier}%{NAS-Port}" +# } +# +# } + + # + # For EAP-TTLS and PEAP, add the cached attributes to the reply. + # The "session-state" attributes are automatically cached when + # an Access-Challenge is sent, and automatically retrieved + # when an Access-Request is received. + # + # The session-state attributes are automatically deleted after + # an Access-Reject or Access-Accept is sent. + # + # If both session-state and reply contain a User-Name attribute, remove + # the one in the reply if it is just a copy of the one in the request, so + # we don't end up with two User-Name attributes. + + if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { + update reply { + &User-Name !* ANY + } + } + update { + &reply: += &session-state: + } + + # + # Refresh leases when we see a start or alive. Return an address to + # the IP Pool when we see a stop record. + # + # Ensure that &control:Pool-Name is set to determine which + # pool of IPs are used. +# sqlippool + + + # Create the CUI value and add the attribute to Access-Accept. + # Uncomment the line below if *returning* the CUI. +# cui + + # Create empty accounting session to make simultaneous check + # more robust. 
See the accounting queries configuration in + # raddb/mods-config/sql/main/*/queries.conf for details. + # + # The "sql_session_start" policy is defined in + # raddb/policy.d/accounting. See that file for more details. +# sql_session_start + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and enable the + # 'detail reply_log' module. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in mods-available/sql + -sql + + # + # Un-comment the following if you want to modify the user's object + # in LDAP after a successful login. + # +# ldap + + # For Exec-Program and Exec-Program-Wait + exec + + # + # In order to calcualate the various keys for old style WiMAX + # (non LTE) you will need to define the WiMAX NAI, usually via + # + # update request { + # &WiMAX-MN-NAI = "%{User-Name}" + # } + # + # If you want various keys to be calculated, you will need to + # update the reply with "template" values. The module will see + # this, and replace the template values with the correct ones + # taken from the cryptographic calculations. e.g. + # + # update reply { + # &WiMAX-FA-RK-Key = 0x00 + # &WiMAX-MSK = "%{reply:EAP-MSK}" + # } + # + # You may want to delete the MS-MPPE-*-Keys from the reply, + # as some WiMAX clients behave badly when those attributes + # are included. See "raddb/modules/wimax", configuration + # entry "delete_mppe_keys" for more information. + # + # For LTE style WiMAX you need to populate the following with the + # relevant values: + # control:WiMAX-SIM-Ki + # control:WiMAX-SIM-OPc + # control:WiMAX-SIM-AMF + # control:WiMAX-SIM-SQN + # +# wimax + + # If there is a client certificate (EAP-TLS, sometimes PEAP + # and TTLS), then some attributes are filled out after the + # certificate verification has been performed. These fields + # MAY be available during the authentication, or they may be + # available only in the "post-auth" section. 
+ # + # The first set of attributes contains information about the + # issuing certificate which is being used. The second + # contains information about the client certificate (if + # available). +# +# update reply { +# Reply-Message += "%{TLS-Cert-Serial}" +# Reply-Message += "%{TLS-Cert-Expiration}" +# Reply-Message += "%{TLS-Cert-Subject}" +# Reply-Message += "%{TLS-Cert-Issuer}" +# Reply-Message += "%{TLS-Cert-Common-Name}" +# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" +# +# Reply-Message += "%{TLS-Client-Cert-Serial}" +# Reply-Message += "%{TLS-Client-Cert-Expiration}" +# Reply-Message += "%{TLS-Client-Cert-Subject}" +# Reply-Message += "%{TLS-Client-Cert-Issuer}" +# Reply-Message += "%{TLS-Client-Cert-Common-Name}" +# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" +# } + + # Insert class attribute (with unique value) into response, + # aids matching auth and acct records, and protects against duplicate + # Acct-Session-Id. Note: Only works if the NAS has implemented + # RFC 2865 behaviour for the class attribute, AND if the NAS + # supports long Class attributes. Many older or cheap NASes + # only support 16-octet Class attributes. +# insert_acct_class + + # MacSEC requires the use of EAP-Key-Name. However, we don't + # want to send it for all EAP sessions. Therefore, the EAP + # modules put required data into the EAP-Session-Id attribute. + # This attribute is never put into a request or reply packet. + # + # Uncomment the next few lines to copy the required data into + # the EAP-Key-Name attribute +# if (&reply:EAP-Session-Id) { +# update reply { +# EAP-Key-Name := &reply:EAP-Session-Id +# } +# } + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. 
+ # + # Add the ldap module name (or instance) if you have set + # 'edir = yes' in the ldap module configuration + # + # The "session-state" attributes are not available here. + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. + -sql + attr_filter.access_reject + + # Insert EAP-Failure message if the request was + # rejected by policy instead of because of an + # authentication failure + eap + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + } + + # + # Filter access challenges. + # + Post-Auth-Type Challenge { +# remove_reply_message_if_eap +# attr_filter.access_challenge.post-auth + } + + # + # The Client-Lost section will be run for a request when + # FreeRADIUS has given up waiting for an end-users client to + # respond. This is most useful for logging EAP sessions where + # the client stopped responding (likely because the + # certificate was not acceptable.) i.e. this is not for + # RADIUS clients, but for end-user systems. + # + # This will only be triggered by new packets arriving, + # and will be run at some point in the future *after* the + # original request has been discarded. + # + # Therefore the *ONLY* attributes that are available here + # are those in the session-state list. If you want data + # to log, make sure it is copied to &session-state: + # before the client stops responding. NONE of the other + # original attributes (request, reply, etc) will be + # available. + # + # This section will only be run if `postauth_client_lost` + # is enabled in the main configuration in `radiusd.conf`. + # + # Note that there are MANY reasons why an end users system + # might not respond: + # + # * it could not get the packet due to firewall issues + # * it could not get the packet due to a lossy network + # * the users system might not like the servers cert + # * the users system might not like something else... 
+ # + # In some cases, the client is helpful enough to send us a + # TLS Alert message, saying what it doesn't like about the + # certificate. In other cases, no such message is available. + # + # All that we can know on the FreeRADIUS side is that we sent + # an Access-Challenge, and the client never sent anything + # else. The reasons WHY this happens are buried inside of + # the logs on the client system. No amount of looking at the + # FreeRADIUS logs, or poking the FreeRADIUS configuration + # will tell you why the client gave up. The answers are in + # the logs on the client side. And no, the FreeRADIUS team + # didn't write the client, so we don't know where those logs + # are, or how to get at them. + # + # Information about the TLS state changes is in the + # &session-state:TLS-Session-Information attribute. + # + Post-Auth-Type Client-Lost { + # + # Debug ALL of the TLS state changes done during the + # EAP negotiation. + # +# %{debug_attr:&session-state:TLS-Session-Information[*]} + + # + # Debug the LAST TLS state change done during the EAP + # negotiation. For errors, this is usually a TLS + # alert from the client saying something like + # "unknown CA". + # +# %{debug_attr:&session-state:TLS-Session-Information[n]} + + # + # Debug the last module failure message. This may be + # useful, or it may refer to a server-side failure + # which did not cause the client to stop talking to the server. + # +# %{debug_attr:&session-state:Module-Failure-Message} + } + + # + # If the client sends EAP-Key-Name in the request, + # then echo the real value back in the reply. + # + if (EAP-Key-Name && &reply:EAP-Session-Id) { + update reply { + &EAP-Key-Name := &reply:EAP-Session-Id + } + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. 
+# +pre-proxy { + # Before proxing the request add an Operator-Name attribute identifying + # if the operator-name is found for this client. + # No need to uncomment this if you have already enabled this in + # the authorize section. +# operator-name + + # The client requests the CUI by sending a CUI attribute + # containing one zero byte. + # Uncomment the line below if *requesting* the CUI. +# cui + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. 
The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # See the "mods-available/detail.example.com" file for more + # details on writing a detail file specifically for one + # destination. + # + # See the "sites-available/robust-proxy-accounting" virtual + # server for more details on reading this "detail" file. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail-Accounting { +# detail.example.com +# } +} +} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/inner-tunnel b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/inner-tunnel new file mode 100644 index 0000000..5ad63ae --- /dev/null +++ b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/inner-tunnel 
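Review bot: The `authenticate` section keeps every method the stock file ships with — `Auth-Type PAP`, `Auth-Type CHAP`, `Auth-Type MS-CHAP`, `digest` and `eap` — even though the comment directly above `digest` (in both `authorize` and `authenticate`) says to enable it only for a Cisco SIP server, and a package named freeradius-anon-access presumably needs only `eap` on the outer server. Every enabled Auth-Type is reachable by any configured NAS, and CHAP additionally forces a cleartext password store, so I would change the two active `digest` lines to `# digest` and consider `# pap` / `# chap` in this outer server unless a NAS is known to send cleartext or CHAP credentials. This file appears to be an unmodified copy of upstream `sites-available/default` (the `$Id:` line is still present); a short header comment such as `# Vendored from FreeRADIUS 3.0.x sites-available/default; local changes: none` would let reviewers spot deliberate deviations later. Note also that all four `listen` sections bind `ipaddr = *` / `ipv6addr = ::` with `# clients = per_socket_clients` left commented, so access control rests entirely on the global `clients.conf`, which is not in this hunk — confirm it lists only the NAS addresses with strong shared secrets.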
@@ -0,0 +1,438 @@
+# -*- text -*-
+######################################################################
+#
+# This is a virtual server that handles *only* inner tunnel
+# requests for EAP-TTLS and PEAP types.
+#
+# $Id: 10eeb55db7a1129ea62f2195c17b286eb4acd1d2 $
+#
+######################################################################
+
+server inner-tunnel {
+
+#
+# This next section is here to allow testing of the "inner-tunnel"
+# authentication methods, independently from the "default" server.
+# It is listening on "localhost", so that it can only be used from
+# the same machine.
+#
+# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
+#
+# If it works, you have configured the inner tunnel correctly. To check
+# if PEAP will work, use:
+#
+# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
+#
+# If that works, PEAP should work. If that command doesn't work, then
+#
+# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
+#
+# Do NOT do any PEAP tests. It won't help. Instead, concentrate
+# on fixing the inner tunnel configuration. DO NOTHING ELSE.
+#
+listen {
+ ipaddr = 127.0.0.1
+ port = 18120
+ type = auth
+}
+
+
+# Authorization. First preprocess (hints and huntgroups files),
+# then realms, and finally look in the "users" file.
+#
+# The order of the realm modules will determine the order that
+# we try to find a matching realm.
+#
+# Make *sure* that 'preprocess' comes before any realm if you
+# need to setup hints for the remote radius server
+authorize {
+ #
+ # Take a User-Name, and perform some checks on it, for spaces and other
+ # invalid characters. If the User-Name appears invalid, reject the
+ # request.
+ #
+ # See policy.d/filter for the definition of the filter_username policy.
+ #
+ filter_username
+
+ #
+ # Do checks on outer / inner User-Name, so that users
+ # can't spoof us by using incompatible identities
+ #
+# filter_inner_identity
+
+ #
+ # The chap module will set 'Auth-Type := CHAP' if we are
+ # handling a CHAP request and Auth-Type has not already been set
+ chap
+
+ #
+ # If the users are logging in with an MS-CHAP-Challenge
+ # attribute for authentication, the mschap module will find
+ # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+ # to the request, which will cause the server to then use
+ # the mschap module for authentication.
+ mschap
+
+ #
+ # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+ # using the system API's to get the password. If you want
+ # to read /etc/passwd or /etc/shadow directly, see the
+ # passwd module, above.
+ #
+# unix
+
+ #
+ # Look for IPASS style 'realm/', and if not found, look for
+ # '@realm', and decide whether or not to proxy, based on
+ # that.
+# IPASS
+
+ #
+ # Look for realms in user@domain format
+ #
+ # Note that proxying the inner tunnel authentication means
+ # that the user MAY use one identity in the outer session
+ # (e.g. "anonymous", and a different one here
+ # (e.g. "user@example.com"). The inner session will then be
+ # proxied elsewhere for authentication. If you are not
+ # careful, this means that the user can cause you to forward
+ # the authentication to another RADIUS server, and have the
+ # accounting logs *not* sent to the other server. This makes
+ # it difficult to bill people for their network activity.
+ #
+ suffix
+# ntdomain
+
+ #
+ # The "suffix" module takes care of stripping the domain
+ # (e.g. "@example.com") from the User-Name attribute, and the
+ # next few lines ensure that the request is not proxied.
+ #
+ # If you want the inner tunnel request to be proxied, delete
+ # the next few lines.
+ #
+ update control {
+ &Proxy-To-Realm := LOCAL
+ }
+
+ #
+ # This module takes care of EAP-MSCHAPv2 authentication.
+ #
+ # It also sets the EAP-Type attribute in the request
+ # attribute list to the EAP type from the packet.
+ #
+ # The example below uses module failover to avoid querying all
+ # of the following modules if the EAP module returns "ok".
+ # Therefore, your LDAP and/or SQL servers will not be queried
+ # for the many packets that go back and forth to set up TTLS
+ # or PEAP. The load on those servers will therefore be reduced.
+ #
+ eap {
+ ok = return
+ }
+
+ #
+ # Read the 'users' file
+ files
+
+ #
+ # Look in an SQL database. The schema of the database
+ # is meant to mirror the "users" file.
+ #
+ # See "Authorization Queries" in `mods-config/sql/main/$driver/queries.conf`
+ -sql
+
+ #
+ # If you are using /etc/smbpasswd, and are also doing
+ # mschap authentication, the un-comment this line, and
+ # enable the "smbpasswd" module.
+# smbpasswd
+
+ #
+ # The ldap module reads passwords from the LDAP database.
+ -ldap
+
+ #
+ # Enforce daily limits on time spent logged in.
+# daily
+
+ expiration
+ logintime
+
+ #
+ # If no other module has claimed responsibility for
+ # authentication, then try to use PAP. This allows the
+ # other modules listed above to add a "known good" password
+ # to the request, and to do nothing else. The PAP module
+ # will then see that password, and use it to do PAP
+ # authentication.
+ #
+ # This module should be listed last, so that the other modules
+ # get a chance to set Auth-Type for themselves.
+ #
+ pap
+}
+
+
+# Authentication.
+#
+#
+# This section lists which modules are available for authentication.
+# Note that it does NOT mean 'try each module in order'. It means
+# that a module from the 'authorize' section adds a configuration
+# attribute 'Auth-Type := FOO'. That authentication type is then
+# used to pick the appropriate module from the list below.
+#
+
+# In general, you SHOULD NOT set the Auth-Type attribute. The server
+# will figure it out on its own, and will do the right thing.
The
+# most common side effect of erroneously setting the Auth-Type
+# attribute is that one authentication method will work, but the
+# others will not.
+#
+# The common reasons to set the Auth-Type attribute by hand
+# is to either forcibly reject the user, or forcibly accept him.
+#
+authenticate {
+ #
+ # PAP authentication, when a back-end database listed
+ # in the 'authorize' section supplies a password. The
+ # password can be clear-text, or encrypted.
+ Auth-Type PAP {
+ pap
+ }
+
+ #
+ # Most people want CHAP authentication
+ # A back-end database listed in the 'authorize' section
+ # MUST supply a CLEAR TEXT password. Encrypted passwords
+ # won't work.
+ Auth-Type CHAP {
+ chap
+ }
+
+ #
+ # MSCHAP authentication.
+ Auth-Type MS-CHAP {
+ mschap
+ }
+
+ #
+ # For old names, too.
+ #
+ mschap
+
+ #
+ # Pluggable Authentication Modules.
+# pam
+
+ # Uncomment it if you want to use ldap for authentication
+ #
+ # Note that this means "check plain-text password against
+ # the ldap database", which means that EAP won't work,
+ # as it does not supply a plain-text password.
+ #
+ # We do NOT recommend using this. LDAP servers are databases.
+ # They are NOT authentication servers. FreeRADIUS is an
+ # authentication server, and knows what to do with authentication.
+ # LDAP servers do not.
+ #
+# Auth-Type LDAP {
+# ldap
+# }
+
+ #
+ # Allow EAP authentication.
+ eap
+}
+
+######################################################################
+#
+# There are no accounting requests inside of EAP-TTLS or PEAP
+# tunnels.
+#
+######################################################################
+
+
+# Session database, used for checking Simultaneous-Use. Either the radutmp
+# or rlm_sql module can handle this.
+# The rlm_sql module is *much* faster
+session {
+ radutmp
+
+ #
+ # See "Simultaneous Use Checking Queries" in `mods-config/sql/main/$driver/queries.conf`
+# sql
+}
+
+
+# Post-Authentication
+# Once we KNOW that the user has been authenticated, there are
+# additional steps we can take.
+#
+# Note that the last packet of the inner-tunnel authentication
+# MAY NOT BE the last packet of the outer session. So updating
+# the outer reply MIGHT work, and sometimes MIGHT NOT. The
+# exact functionality depends on both the inner and outer
+# authentication methods.
+#
+# If you need to send a reply attribute in the outer session,
+# the ONLY safe way is to set "use_tunneled_reply = yes", and
+# then update the inner-tunnel reply.
+post-auth {
+ # If you want privacy to remain, see the
+ # Chargeable-User-Identity attribute from RFC 4372.
+ # If you want to use it just uncomment the line below.
+# cui-inner
+
+ #
+ # If you want the Access-Accept to contain the inner
+ # User-Name, uncomment the following lines.
+ #
+# update outer.session-state {
+# User-Name := &User-Name
+# }
+
+ #
+ # If you want to have a log of authentication replies,
+ # un-comment the following line, and enable the
+ # 'detail reply_log' module.
+# reply_log
+
+ #
+ # After authenticating the user, do another SQL query.
+ #
+ # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
+ -sql
+
+ #
+ # Un-comment the following if you have set
+ # 'edir = yes' in the ldap module sub-section of
+ # the 'modules' section.
+ #
+# ldap
+
+
+ #
+ # Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds
+ #
+ # IMPORTANT: This requires the UUID package to be installed, and a targeted_id_salt
+ # to be configured.
+ #
+ # This functionality also supports SQL backing. To use this functionality, enable
+ # and configure the moonshot-targeted-ids SQL module in the mods-enabled directory.
+ # Then remove the comments from the appropriate lines in each of the below
+ # policies in the policy.d/moonshot-targeted-ids file.
+ #
+# moonshot_host_tid
+# moonshot_realm_tid
+# moonshot_coi_tid
+
+ #
+ # Instead of "use_tunneled_reply", change this "if (0)" to an
+ # "if (1)".
+ #
+ if (0) {
+ #
+ # These attributes are for the inner-tunnel only,
+ # and MUST NOT be copied to the outer reply.
+ #
+ update reply {
+ User-Name !* ANY
+ Message-Authenticator !* ANY
+ EAP-Message !* ANY
+ Proxy-State !* ANY
+ MS-MPPE-Encryption-Types !* ANY
+ MS-MPPE-Encryption-Policy !* ANY
+ MS-MPPE-Send-Key !* ANY
+ MS-MPPE-Recv-Key !* ANY
+ }
+
+ #
+ # Copy the inner reply attributes to the outer
+ # session-state list. The post-auth policy will take
+ # care of copying the outer session-state list to the
+ # outer reply.
+ #
+ update {
+ &outer.session-state: += &reply:
+ }
+ }
+
+ #
+ # Access-Reject packets are sent through the REJECT sub-section of the
+ # post-auth section.
+ #
+ # Add the ldap module name (or instance) if you have set
+ # 'edir = yes' in the ldap module configuration
+ #
+ Post-Auth-Type REJECT {
+ # log failed authentications in SQL, too.
+ -sql
+ attr_filter.access_reject
+
+ #
+ # Let the outer session know which module failed, and why.
+ #
+ update outer.session-state {
+ &Module-Failure-Message := &request:Module-Failure-Message
+ }
+ }
+}
+
+#
+# When the server decides to proxy a request to a home server,
+# the proxied request is first passed through the pre-proxy
+# stage. This stage can re-write the request, or decide to
+# cancel the proxy.
+#
+# Only a few modules currently have this method.
+#
+pre-proxy {
+ # Uncomment the following line if you want to change attributes
+ # as defined in the preproxy_users file.
+# files
+
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+# attr_filter.pre-proxy
+
+ # If you want to have a log of packets proxied to a home
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+# pre_proxy_log
+}
+
+#
+# When the server receives a reply to a request it proxied
+# to a home server, the request may be massaged here, in the
+# post-proxy stage.
+#
+post-proxy {
+
+ # If you want to have a log of replies from a home server,
+ # un-comment the following line, and the 'detail post_proxy_log'
+ # section, above.
+# post_proxy_log
+
+ # Uncomment the following line if you want to filter replies from
+ # remote proxies based on the rules defined in the 'attrs' file.
+# attr_filter.post-proxy
+
+ #
+ # If you are proxying LEAP, you MUST configure the EAP
+ # module, and you MUST list it here, in the post-proxy
+ # stage.
+ #
+ # You MUST also use the 'nostrip' option in the 'realm'
+ # configuration. Otherwise, the User-Name attribute
+ # in the proxied request will not match the user name
+ # hidden inside of the EAP packet, and the end server will
+ # reject the EAP request.
+ #
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/default b/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/default
new file mode 120000
index 0000000..6d9ba33
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/default
@@ -0,0 +1 @@
+../sites-available/default
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/inner-tunnel b/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/inner-tunnel
new file mode 120000
index 0000000..55aba6e
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/inner-tunnel
@@ -0,0 +1 @@
+../sites-available/inner-tunnel
\ No newline at end of file
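Review bot: The `listen { ipaddr = 127.0.0.1 port = 18120 type = auth }` block near the top of the inner-tunnel hunk is the stock debugging entry point and stays active in this deployed raddb; any local process holding the shared secret of the matching localhost client (clients.conf is not in this part of the diff) can submit requests straight to the inner-tunnel authorize/authenticate sections without going through the outer EAP tunnel. If the listener is only wanted for `radtest` sessions, comment it out in the shipped file, or at least confirm the localhost client's secret is not the `testing123` that the comment's examples use. `filter_inner_identity` is also left commented out; given this package's apparent anonymous-outer-identity purpose, the outer-versus-inner identity check may be worth enabling — to be confirmed against the policy in the default site.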
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/templates.conf b/pkgs/fablab/freeradius-anon-access/raddb/templates.conf
new file mode 100644
index 0000000..22c0a09
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/templates.conf
@@ -0,0 +1,108 @@
+# -*- text -*-
+##
+## templates.conf -- configurations to be used in multiple places
+##
+## $Id: 7b8b44e051c974c1a0a6e27a0cff50e621835df2 $
+
+######################################################################
+#
+# Version 2.0 has a useful new feature called "templates".
+#
+# Use templates by adding a line in radiusd.conf:
+#
+# $INCLUDE templates.conf
+#
+# The goal of the templates is to have common configuration located
+# in this file, and to list only the *differences* in the individual
+# sections. This feature is most useful for sections like "clients"
+# or "home_servers", where many may be defined, and each one has
+# similar repeated configuration.
+#
+# Something similar to templates can be done by putting common
+# configuration into separate files, and using "$INCLUDE file...",
+# but this is more flexible, and simpler to understand. It's also
+# cheaper for the server, because "$INCLUDE" makes a copy of the
+# configuration for inclusion, and templates are simply referenced.
+#
+# The templates are defined in the "templates" section, so that they
+# do not affect the rest of the server configuration.
+#
+# A section can reference a template by using "$template name"
+#
+templates {
+ #
+ # The contents of the templates section are other
+ # configuration sections that would normally go into
+ # the configuration files.
+ #
+
+ #
+ # This is a default template for the "home_server" section.
+ # Note that there is no name for the section.
+ #
+ # Any configuration item that is valid for a "home_server"
+ # section is also valid here. When a "home_server" section
+ # is defined in proxy.conf, this section is referenced as
+ # the template.
+ #
+ # Configuration items that are explicitly listed in a
+ # "home_server" section of proxy.conf are used in
+ # preference to the configuration items listed here.
+ #
+ # However, if a configuration item is NOT listed in a
+ # "home_server" section of proxy.conf, then the value here
+ # is used.
+ #
+ # This functionality lets you put common configuration into
+ # a template, and to put only the unique configuration
+ # items in "proxy.conf". Each section in proxy.conf can
+ # then contain a line "$template home_server", which will
+ # cause it to reference this template.
+ #
+ home_server {
+ response_window = 20
+ zombie_period = 40
+ revive_interval = 120
+ #
+ # Etc.
+ }
+
+ #
+ # You can also have named templates. For example, if you
+ # are proxying to 3 different home servers all at the same
+ # site, with identical configurations (other than IP
+ # addresses), you can use this named template.
+ #
+
+ # Then, each "home_server" section in "proxy.conf" would
+ # only list the IP address of that home server, and a
+ # line saying
+ #
+ # $template example_com
+ #
+ # That would tell FreeRADIUS to look in the section below
+ # for the rest of the configuration items.
+ #
+ # For various reasons, you shouldn't have a "." in the template
+ # name. Doing so means that the server will be unable to find
+ # the template.
+ #
+ example_com {
+ type = auth
+ port = 1812
+ secret = testing123
+ response_window = 20
+ #
+ # Etc...
+ }
+
+ #
+ # You can have templates for other sections, too, but they
+ # seem to be most useful for home_servers.
+ #
+ # For now, you can use templates only for sections in
+ # radiusd.conf, not sub-sections. So you still have to use
+ # the "$INCLUDE file.." method for things like defining
+ # multiple "sql" modules, each with similar configuration.
+ #
+}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/trigger.conf b/pkgs/fablab/freeradius-anon-access/raddb/trigger.conf
new file mode 100644
index 0000000..f13dbed
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/trigger.conf
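Review bot: The `example_com` template near the end of this hunk keeps the upstream sample `secret = testing123`; it is inert until some home_server section says `$template example_com`, but a working sample shared secret in a deployed raddb is exactly the kind of value that gets referenced later without being changed. If templates.conf is shipped only for completeness, drop the `example_com` section or replace the secret with a value that cannot be mistaken for a real one. Whether radiusd.conf actually `$INCLUDE`s this file is not visible in the diff.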
@@ -0,0 +1,281 @@
+# -*- text -*-
+##
+## trigger.conf -- Events in the server can trigger a hook to be executed.
+##
+## $Id: 413a182eec6a193ef8ffd284295e181962265395 $
+
+#
+# The triggers are named as "type.subtype.value". These names refer
+# to subsections and then configuration items in the "trigger"
+# section below. When an event occurs, the trigger is executed. The
+# trigger is simply a program that is run, with optional arguments.
+#
+# The server does not wait when a trigger is executed. It is simply
+# a "one-shot" event that is sent.
+#
+# The trigger names should be self-explanatory.
+#
+
+#
+# SNMP configuration.
+#
+# For now, this is only for SNMP traps.
+#
+# They are enabled by uncommenting (or adding) "$INCLUDE trigger.conf"
+# in the main "radiusd.conf" file.
+#
+# The traps *REQUIRE* that the files in the "mibs" directory be copied
+# to the global mibs directory, usually /usr/share/snmp/mibs/.
+# If this is not done, the "snmptrap" program has no idea what information
+# to send, and will not work. The MIB installation is *NOT* done as
+# part of the default installation, so that step *MUST* be done manually.
+#
+# The global MIB directory can be found by running the following command:
+#
+# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR | sed "s/' .*//;s/.* '//;s/.*://"
+#
+# Or maybe just:
+#
+# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR
+#
+# If you have copied the MIBs to that directory, you can test the
+# FreeRADIUS MIBs by running the following command:
+#
+# snmptranslate -m +FREERADIUS-NOTIFICATION-MIB -IR -On serverStart
+#
+# It should print out:
+#
+# .1.3.6.1.4.1.11344.4.1.1
+#
+# As always, run the server in debugging mode after enabling the
+# traps. You will see the "snmptrap" command being run, and it will
+# print out any errors or issues that it encounters. Those need to
+# be fixed before running the server in daemon mode.
+#
+# We also suggest running in debugging mode as the "radiusd" user, if
+# you have "user/group" set in radiusd.conf. The "snmptrap" program
+# may behave differently when run as "root" or as the "radiusd" user.
+#
+snmp {
+ #
+ # Configuration for SNMP traps / notifications
+ #
+ # To disable traps, edit "radiusd.conf", and delete the line
+ # which says "$INCUDE trigger.conf"
+ #
+ trap {
+ #
+ # Absolute path for the "snmptrap" command, and
+ # default command-line arguments.
+ #
+ # You can disable traps by changing the command to
+ # "/bin/echo".
+ #
+ cmd = "/usr/bin/snmptrap -v2c"
+
+ #
+ # Community string
+ #
+ community = "public"
+
+ #
+ # Agent configuration.
+ #
+ agent = "localhost ''"
+ }
+}
+
+#
+# The "snmptrap" configuration defines the full command used to run the traps.
+#
+# This entry should not be edited. Instead, edit the "trap" section above.
+#
+snmptrap = "${snmp.trap.cmd} -c ${snmp.trap.community} ${snmp.trap.agent} FREERADIUS-NOTIFICATION-MIB"
+
+#
+# The individual triggers are defined here. You can disable one by
+# deleting it, or by commenting it out. You can disable an entire
+# section of traps by deleting the section.
+#
+# The entries below should not be edited. For example, the double colons
+# *must* immediately follow the ${snmptrap} reference. Adding a space
+# before the double colons will break all SNMP traps.
+#
+# However... the traps are just programs which are run when
+# particular events occur. If you want to replace a trap with
+# another program, you can. Just edit the definitions below, so that
+# they run a program of your choice.
+#
+# For example, you can leverage the "start/stop" triggers to run a
+# program when the server starts, or when it stops. But that will
+# prevent the start/stop SNMP traps from working, of course.
+#
+trigger {
+ #
+ # Events in the server core
+ #
+ server {
+ # the server has just started
+ start = "${snmptrap}::serverStart"
+
+ # the server is about to stop
+ stop = "${snmptrap}::serverStop"
+
+ # The "max_requests" condition has been reached.
+ # This will trigger only once per 60 seconds.
+ max_requests = "${snmptrap}::serverMaxRequests"
+
+ # For events related to clients
+ client {
+ # Added a new dynamic client
+ add = "/path/to/file %{Packet-Src-IP-Address}"
+
+ # There is no event for when dynamic clients expire
+ }
+
+ # Events related to signals received.
+ signal {
+ # a HUP signal
+ hup = "${snmptrap}::signalHup"
+
+ # a TERM signal
+ term = "${snmptrap}::signalTerm"
+ }
+
+
+ # Events related to the thread pool
+ thread {
+ # A new thread has been started
+ start = "${snmptrap}::threadStart"
+
+ # an existing thread has been stopped
+ stop = "${snmptrap}::threadStop"
+
+ # an existing thread is unresponsive
+ unresponsive = "${snmptrap}::threadUnresponsive"
+
+ # the "max_threads" limit has been reached
+ max_threads = "${snmptrap}::threadMaxThreads"
+ }
+ }
+
+ # When a home server changes state.
+ # These traps are edge triggered.
+ home_server {
+ # common arguments: IP, port, identifier
+ args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'"
+
+ # The home server has been marked "alive"
+ alive = "${snmptrap}::homeServerAlive ${args}"
+
+ # The home server has been marked "zombie"
+ zombie = "${snmptrap}::homeServerZombie ${args}"
+
+ # The home server has been marked "dead"
+ dead = "${snmptrap}::homeServerDead ${args}"
+ }
+
+ # When a pool of home servers changes state.
+ home_server_pool {
+ # common arguments
+ args = "radiusdConfigName s %{home_server:instance}"
+
+ # It has reverted to "normal" mode, where at least one
+ # home server is alive.
+ normal = "${snmptrap}::homeServerPoolNormal ${args}"
+
+ # It is in "fallback" mode, with all home servers "dead"
+ fallback = "${snmptrap}::homeServerPoolFallback ${args}"
+ }
+
+ # Triggers for specific modules. These are NOT in the module
+ # configuration because they are global to all instances of the
+ # module. You can have module-specific triggers, by placing a
+ # "trigger" subsection in the module configuration.
+ modules {
+ # Common arguments
+ args = "radiusdModuleInstance s ''"
+
+ # The files module
+ files {
+ # Common arguments
+ args = "radiusdModuleName s files ${..args}"
+
+ # The module has been HUP'd via radmin
+ hup = "${snmptrap}::serverModuleHup ${args}"
+
+ # Note that "hup" can be used for every module
+ # which can be HUP'd via radmin
+ }
+
+ # The LDAP module
+ # If the server does "bind as user", it will open and close
+ # an LDAP connection ofr every "bind as user". Be aware that
+ # this will likely produce a lot of triggers.
+ ldap {
+ # Common arguments
+ args = "radiusdModuleName s ldap ${..args}"
+
+ # A new connection to the DB has been opened
+ open = "${snmptrap}::serverModuleConnectionUp ${args}"
+
+ # A connection to the DB has been closed
+ close = "${snmptrap}::serverModuleConnectionDown ${args}"
+
+ # The module has been HUP'd via radmin
+ hup = "${snmptrap}::serverModuleHup ${args}"
+ }
+
+ # The SQL module
+ sql {
+ # Common arguments
+ args = "radiusdModuleName s sql ${..args}"
+
+ # A new connection to the DB has been opened
+ open = "${snmptrap}::serverModuleConnectionUp ${args}"
+
+ # A connection to the DB has been closed
+ close = "${snmptrap}::serverModuleConnectionDown ${args}"
+
+ # Failed to open a new connection to the DB
+ fail = "${snmptrap}::serverModuleConnectionFail ${args}"
+
+ # The module has been HUP'd via radmin
+ hup = "${snmptrap}::serverModuleHup ${args}"
+ }
+
+ # You can also use connection pool's start/stop/open/close triggers
+ # for any module which uses the "pool" section, here and under
+ # pool.trigger in module configuration.
+ }
+}
+
+#
+# The complete list of triggers as generated from the source code is below.
+#
+# These are the ONLY traps which are generated. You CANNOT add new traps
+# by defining them in one of the sections above. New traps can be created
+# only by edited both the source code to the server, *and* the MIBs.
+# If you are not an expert in C and SNMP, then adding new traps will be
+# difficult to create.
+#
+# home_server.alive
+# home_server.dead
+# home_server.zombie
+# home_server_pool.fallback
+# home_server_pool.normal
+# modules.*.hup
+# modules.ldap.timeout
+# modules.sql.close
+# modules.sql.fail
+# modules.sql.open
+# server.client.add
+# server.max_requests
+# server.signal.hup
+# server.signal.term
+# server.start
+# server.stop
+# server.thread.max_threads
+# server.thread.start
+# server.thread.stop
+# server.thread.unresponsive
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/users b/pkgs/fablab/freeradius-anon-access/raddb/users
new file mode 120000
index 0000000..458cce2
--- /dev/null
+++ b/pkgs/fablab/freeradius-anon-access/raddb/users
@@ -0,0 +1 @@
+./mods-config/files/authorize
\ No newline at end of file
diff --git a/pkgs/fablab/mitgliedsantrag/.gitignore b/pkgs/fablab/mitgliedsantrag/.gitignore
new file mode 100644
index 0000000..cb21dce
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/.gitignore
@@ -0,0 +1,8 @@
+mitgliedsantrag.aux
+mitgliedsantrag.fdb_latexmk
+mitgliedsantrag.fls
+mitgliedsantrag.log
+mitgliedsantrag.out
+mitgliedsantrag.pdf
+mitgliedsantrag.synctex.gz
+mitgliedsantrag.xdv
diff --git a/pkgs/fablab/mitgliedsantrag/Makefile b/pkgs/fablab/mitgliedsantrag/Makefile
new file mode 100644
index 0000000..758936a
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/Makefile
@@ -0,0 +1,4 @@
+all: mitgliedsantrag.pdf
+
+mitgliedsantrag.pdf: mitgliedsantrag.tex
+ latexmk -xelatex $<
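Review bot: The `trap` section ships with the upstream defaults `community = "public"` and `agent = "localhost ''"`, and the dynamic-client trigger still reads `add = "/path/to/file %{Packet-Src-IP-Address}"`, a placeholder path. None of this has any effect unless radiusd.conf `$INCLUDE`s trigger.conf, which this diff does not show; if it does, traps would go out with the well-known default community and the `server.client.add` event would try to execute a path that does not exist on the host. Either keep trigger.conf out of radiusd.conf and record that decision in a comment at the top of this file, or set a site-specific community and remove the placeholder trigger.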
diff --git a/pkgs/fablab/mitgliedsantrag/default.nix b/pkgs/fablab/mitgliedsantrag/default.nix
new file mode 100644
index 0000000..6e14966
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenvNoCC, texlive }:
+
+stdenvNoCC.mkDerivation {
+ name = "mitgliedsantrag.pdf";
+
+ src = ./.;
+
+ nativeBuildInputs = [
+ (import ./tex-env.nix {
+ inherit texlive;
+ extraTexPackages = {
+ inherit (texlive) latexmk;
+ };
+ })
+ ];
+
+ installPhase = ''
+ runHook preInstall
+ cp mitgliedsantrag.pdf $out
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ description = "Mitgliedsantrag Verein zur Förderung des FabLab im Landkreis Neustadt/Aisch – Bad Windsheim e. V.";
+ homepage = "https://fablab-nea.de";
+ license = licenses.mit;
+ maintainers = with maintainers; [ sbruder ];
+ platforms = platforms.all;
+ };
+}
diff --git a/pkgs/fablab/mitgliedsantrag/logo.pdf b/pkgs/fablab/mitgliedsantrag/logo.pdf
new file mode 100644
index 0000000..ef24b22
Binary files /dev/null and b/pkgs/fablab/mitgliedsantrag/logo.pdf differ
diff --git a/pkgs/fablab/mitgliedsantrag/mitgliedsantrag.tex b/pkgs/fablab/mitgliedsantrag/mitgliedsantrag.tex
new file mode 100644
index 0000000..2ecd494
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/mitgliedsantrag.tex
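Review bot: The derivation declares no buildPhase, so producing `mitgliedsantrag.pdf` for `installPhase` relies on stdenv's default build phase running `make` against the Makefile added alongside it, and a reader of default.nix alone cannot see that. Either a comment above `installPhase`, e.g. `# no buildPhase: stdenv's default runs the Makefile (latexmk -xelatex), which yields mitgliedsantrag.pdf`, or an explicit `buildPhase = "latexmk -xelatex mitgliedsantrag.tex";` would make the dependency visible. `src = ./.;` also copies mk-env.sh, shell.nix and .gitignore into the build input, which is harmless but means edits to them rebuild the PDF; `lib.cleanSource ./.` or a file set restricted to the .tex, logo and Makefile would narrow it.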
@@ -0,0 +1,81 @@
+%! TEX program = xelatex
+\documentclass[DIV=20, parskip=half]{scrartcl}
+
+\usepackage{array}
+\usepackage[ngerman]{babel}
+\usepackage{enumitem}
+\usepackage{graphicx}
+\usepackage[unicode, hidelinks]{hyperref}
+\usepackage{MnSymbol}
+\usepackage{tabularx}
+
+% no page numbers
+\pagenumbering{gobble}
+
+\newcommand\vereinsname{Verein zur Förderung des FabLab im Landkreis Neustadt/Aisch -- Bad Windsheim e.\,V.}
+
+\newcommand{\signaturefield}{
+ \vspace{15mm}
+ {\setlength\extrarowheight{0mm}
+ \begin{tabularx}{\textwidth}{>{\centering\arraybackslash}p{6cm} X >{\centering\arraybackslash}p{6cm}}
+ \dotfill & & \dotfill \\
+ \small Ort, Datum & & \small Unterschrift
+ \end{tabularx}}
+}
+
+\setlength{\extrarowheight}{3mm}
+
+\begin{document}
+ \hypersetup{
+ pdftitle={Mitgliedsantrag \vereinsname},
+ pdfauthor={FabLab Bad Windsheim},
+ }
+ \begin{tabularx}{\textwidth}{m{5cm} X r}
+ \includegraphics[width=5cm]{logo} & & {\Huge\textsf{Mitgliedsantrag}}
+ \end{tabularx}
+ \begin{center}
+ {\small \textsf{(gemäß Satzung und Beitragsordnung des \vereinsname)}}
+ \end{center}
+
+ \subsection*{Persönliche Informationen}
+
+ \begin{tabularx}{\textwidth}{p{3cm} X}
+ Vorname & \dotfill \\
+ Nachname & \dotfill \\
+ Firmenname & \dotfill \\
+ Adresse & \dotfill \\
+ E-Mail-Adresse & \dotfill
+ \end{tabularx}
+
+ \subsection*{Mitgliedschaft}
+
+ \begin{itemize}[label={$\bigcircle$}]
+ \item Einzelmitgliedschaft (Jahresbeitrag 60\,€)
+ \item Mitgliedschaft für Kinder und Jugendliche (Jahresbeitrag 24\,€)
+ \item Familienmitgliedschaft (2 Erwachsene, Kinder) (Jahresbeitrag 100\,€)
+ \item Fördermitgliedschaft (Jahresbeitrag 300\,€)
+ \end{itemize}
+
+ Ich bin damit einverstanden, dass Einladungen zu Mitgliederversammlungen und
+ zur Jahreshauptversammlung nicht per Post, sondern an die oben genannte
+ E-Mail-Adresse verstandt werden. Änderungen der E-Mail-Adresse, der
+ Bankverbindung oder der Anschrift müssen dem Vorstand unverzüglich mitgeteilt
+ werden.
Die Mitgliedschaft kann mit einer Frist von einem Monat zum Ende des
+ Geschäftsjahres gekündigt werden.
+
+ \signaturefield
+
+ \subsection*{Bankverbindung}
+
+ \begin{tabularx}{\textwidth}{p{3cm} X}
+ IBAN & \dotfill \\
+ BIC & \dotfill
+ \end{tabularx}
+
+ \vspace{1em}
+
+ Die Beiträge werden jährlich per Lastschrift eingezogen. Hierzu erteile ich
+ eine Einzugsermächtigung von meinem Konto.
+
+ \signaturefield
+\end{document}
diff --git a/pkgs/fablab/mitgliedsantrag/mk-env.sh b/pkgs/fablab/mitgliedsantrag/mk-env.sh
new file mode 100755
index 0000000..c089fec
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/mk-env.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+nix run github:Mic92/tex2nix mitgliedsantrag.tex
diff --git a/pkgs/fablab/mitgliedsantrag/shell.nix b/pkgs/fablab/mitgliedsantrag/shell.nix
new file mode 100644
index 0000000..bf0337e
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/shell.nix
@@ -0,0 +1,3 @@
+{ pkgs ? import { } }:
+
+pkgs.callPackage ./default.nix { }
diff --git a/pkgs/fablab/mitgliedsantrag/tex-env.nix b/pkgs/fablab/mitgliedsantrag/tex-env.nix
new file mode 100644
index 0000000..397510b
--- /dev/null
+++ b/pkgs/fablab/mitgliedsantrag/tex-env.nix
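Review bot: The consent paragraph in the body has a typo: `E-Mail-Adresse verstandt werden` should read `E-Mail-Adresse versandt werden`. Since this text is what members sign, it is worth fixing before the PDF is distributed. The two macro definitions also use different forms, `\newcommand\vereinsname{...}` versus `\newcommand{\signaturefield}{...}`; both work, but one form throughout would be tidier.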
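Review bot: `nix run github:Mic92/tex2nix mitgliedsantrag.tex` resolves the flake reference to whatever the default branch points at when the script is run, so regenerating tex-env.nix executes unpinned upstream code and can yield a different package list each time. Pin it to the revision the current tex-env.nix was generated from, e.g. `nix run github:Mic92/tex2nix/<rev> mitgliedsantrag.tex` with that commit in place of `<rev>`, or add tex2nix as a flake input so flake.lock pins it. The script also assumes it is run from the package directory; a `cd "$(dirname "$0")"` before the `nix run` line would make it callable from anywhere.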
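Review bot: As rendered here the first line is `{ pkgs ? import { } }:`, which is not valid Nix; the path argument to `import` (presumably `<nixpkgs>`) appears to have been lost in rendering, so confirm the committed file carries it. Note also that a `<nixpkgs>` lookup goes through NIX_PATH rather than the flake's locked input, so `nix-shell` in this directory may build against a different nixpkgs than the flake does; pointing shell.nix at the flake's nixpkgs (or using `nix develop`) would keep the two in step.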
@@ -0,0 +1,33 @@
+# Generated with tex2nix 0.0.0 and MnSymbol manually added
+{ texlive, extraTexPackages ? { } }:
+(texlive.combine ({
+ inherit (texlive) scheme-small;
+ "atbegshi" = texlive."atbegshi";
+ "atveryend" = texlive."atveryend";
+ "auxhook" = texlive."auxhook";
+ "babel" = texlive."babel";
+ "bitset" = texlive."bitset";
+ "enumitem" = texlive."enumitem";
+ "etexcmds" = texlive."etexcmds";
+ "gettitlestring" = texlive."gettitlestring";
+ "hopatch" = texlive."hopatch";
+ "hycolor" = texlive."hycolor";
+ "hyperref" = texlive."hyperref";
+ "iftex" = texlive."iftex";
+ "infwarerr" = texlive."infwarerr";
+ "intcalc" = texlive."intcalc";
+ "kvdefinekeys" = texlive."kvdefinekeys";
+ "kvoptions" = texlive."kvoptions";
+ "kvsetkeys" = texlive."kvsetkeys";
+ "letltxmacro" = texlive."letltxmacro";
+ "ltxcmds" = texlive."ltxcmds";
+ "minitoc" = texlive."minitoc";
+ "mnsymbol" = texlive."mnsymbol";
+ "ntheorem" = texlive."ntheorem";
+ "pdfescape" = texlive."pdfescape";
+ "pdftexcmds" = texlive."pdftexcmds";
+ "refcount" = texlive."refcount";
+ "rerunfilecheck" = texlive."rerunfilecheck";
+ "uniquecounter" = texlive."uniquecounter";
+ "url" = texlive."url";
+} // extraTexPackages))
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..e69de29