From 48ec7a731afa7e7d02d42a5f17f30bf44e1d8fd6 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Wed, 3 Aug 2022 02:13:21 +0000
Subject: [PATCH 01/59] Add static ip addresses for weinturm link devices
---
 machines/raven/services/dnsmasq.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index 9663d29..2610096 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -44,6 +44,8 @@ in
 addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
 192.168.94.1 raven labsync unifi
 192.168.94.2 switch
+ 192.168.94.3 schneiderscheune-weinturm-ap
+ 192.168.94.4 schneiderscheune-weinturm-sta
 ''}
 '';
From 2c13e0d224c441dd7e9601a5f53665b65a60dfb7 Mon Sep 17 00:00:00 2001
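Review bot: The two new addn-hosts entries only map names to 192.168.94.3 and 192.168.94.4; nothing in the hunk reserves those addresses for the two link devices, so the names resolve to the right hosts only if the devices are configured statically or a matching `dhcp-host=` reservation exists, neither of which is visible here. If the devices obtain their addresses via DHCP, a reservation per device (and keeping .3/.4 outside the dynamic range) is what makes the commit title accurate; if they are set on the devices themselves, a comment such as `# weinturm link devices: addresses configured statically on the devices` above the new entries would record that assumption for the next maintainer. The addn-hosts string and the enclosing dnsmasq configuration continue outside the hunk, so the reservation may already exist elsewhere.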
From: Jakob Lechner
Date: Thu, 4 Aug 2022 03:02:35 +0000
Subject: [PATCH 02/59] Remove unused modules
---
 .../raddb/mods-available/README.rst | 116 ---
 .../raddb/mods-available/abfab_psk_sql | 15 -
 .../raddb/mods-available/cache | 132 ----
 .../raddb/mods-available/couchbase | 205 ------
 .../raddb/mods-available/counter | 82 ---
 .../raddb/mods-available/cui | 53 --
 .../raddb/mods-available/detail.example.com | 27 -
 .../raddb/mods-available/dhcp | 19 -
 .../raddb/mods-available/dhcp_files | 56 --
 .../raddb/mods-available/dhcp_passwd | 20 -
 .../raddb/mods-available/dhcp_sql | 92 ---
 .../raddb/mods-available/dhcp_sqlippool | 101 ---
 .../raddb/mods-available/etc_group | 28 -
 .../raddb/mods-available/idn | 28 -
 .../raddb/mods-available/inner-eap | 107 ---
 .../raddb/mods-available/ippool | 66 --
 .../raddb/mods-available/krb5 | 82 ---
 .../raddb/mods-available/ldap | 666 ------------------
 .../raddb/mods-available/mac2ip | 25 -
 .../raddb/mods-available/mac2vlan | 18 -
 .../mods-available/moonshot-targeted-ids | 57 --
 .../raddb/mods-available/opendirectory | 26 -
 .../raddb/mods-available/otp | 75 --
 .../raddb/mods-available/pam | 26 -
 .../raddb/mods-available/perl | 94 ---
 .../raddb/mods-available/python | 65 -
 .../raddb/mods-available/python3 | 65 -
 .../raddb/mods-available/redis | 99 ---
 .../raddb/mods-available/rediswho | 52 -
 .../raddb/mods-available/rest | 290 --------
 .../raddb/mods-available/smbpasswd | 16 -
 .../raddb/mods-available/smsotp | 94 ---
 .../raddb/mods-available/sometimes | 12 -
 .../raddb/mods-available/sql | 366 ----------
 .../raddb/mods-available/sql_map | 49 -
 .../raddb/mods-available/sqlcounter | 115 ---
 .../raddb/mods-available/sqlippool | 115 ---
 .../raddb/mods-available/unbound | 4 -
 .../raddb/mods-available/wimax | 165 -----
 .../raddb/mods-available/yubikey | 158 -----
 40 files changed, 3881 deletions(-)
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/python
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax
 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst
deleted file mode 100644
index 79ed5c3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst
+++ /dev/null
@@ -1,116 +0,0 @@ -Modules in Version 3 -==================== - -As of Version 3, all of the modules have been placed in the -"mods-available/" directory. This practice follows that used by other -servers such as Nginx, Apache, etc. The "modules" directory should -not be used. - -Modules are enabled by creating a file in the mods-enabled/ directory. -You can also create a soft-link from one directory to another:: - - $ cd raddb/mods-enabled - $ ln -s ../mods-available/foo - -This will enable module "foo". Be sure that you have configured the -module correctly before enabling it, otherwise the server will not -start. You can verify the server configuration by running -"radiusd -XC". - -A large number of modules are enabled by default. This allows the -server to work with the largest number of authentication protocols. -Please be careful when disabling modules. You will likely need to -edit the "sites-enabled/" files to remove references to any disabled -modules. - -Conditional Modules -------------------- - -Version 3 allows modules to be conditionally loaded. This is useful -when you want to have a virtual server which references a module, but -does not require it. Instead of editing the virtual server file, you -can just conditionally enable the module. - -Modules are conditionally enabled by adding a "-" before their name in -a virtual server. For example, you can do:: - - server { - authorize { - ... - ldap - -sql - ... - } - } - -This says "require the LDAP module, but use the SQL module only if it -is configured." - -This feature is not very useful for production configurations. It is, -however, very useful for the default examples that ship with the -server. - -Ignoring module ---------------- - -If you see this message:: - - Ignoring module (see raddb/mods-available/README.rst) - -Then you are in the right place. Most of the time this message can be -ignored. 
The message can be fixed by finding the references to "-module" -in the virtual server, and deleting them. - -Another way to fix it is to configure the module, as described above. - -Simplification --------------- - -Allowing conditional modules simplifies the default virtual servers -that are shipped with FreeRADIUS. This means that if you want to -enable LDAP (for example), you no longer need to edit the files in -raddb/sites-available/ in order to enable it. - -Instead, you should edit the raddb/mods-available/ldap file to point -to your local LDAP server. Then, enable the module via the soft-link -method described above. - -Once the module is enabled, it will automatically be used in the -default configuration. - -Multiple Instances ------------------- - -It is sometimes necessary to have the same module do two different -things. The server supports this functionality via "instances" of -modules. - -Normally, a module configuration looks like this: - - sql { - ... sql stuff ... - } - -This module is then refereed to as the "sql" module. - - -But what happens if you want to connect to two different SQL -databases? The solution is simple; copy the "sql" module -configuration, and add an instance name after the "sql" string: - - sql mysql1 { - ... configuration for connecting to mysql11 ... - } - - sql mysql2 { - ... configuration for connecting to mysql12 ... - } - -This configuration says "load the SQL module, but create two copies of -it, with different configurations". The different configurations can -be referred to by name, as "mysql1" and "mysql2". That is, anywhere -you would normally use "sql", you could use either "mysql1" or -"mysql2". - -For further examples of using module instances, see the "attr_filter" -module configuration in this directory. diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql deleted file mode 100644 index d02e3b7..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql +++ /dev/null @@ -1,15 +0,0 @@ -# -*- text -*- -## -## Module for PSK authorizations from ABFAB trust router -## -## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $ - -sql psksql { - - driver = "rlm_sql_sqlite" - - sqlite { - filename = "/var/lib/trust_router/keys" - } - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache deleted file mode 100644 index 565bdf5..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache +++ /dev/null 
@@ -1,132 +0,0 @@ -# -*- text -*- -# -# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $ - -# -# A module to cache attributes. The idea is that you can look -# up information in a database, and then cache it. Repeated -# requests for the same information will then have the cached -# values added to the request. -# -# The module can cache a fixed set of attributes per key. -# It can be listed in "authorize", "post-auth", "pre-proxy" -# and "post-proxy". -# -# If you want different things cached for authorize and post-auth, -# you will need to define two instances of the "cache" module. -# -# The module returns "ok" if it found or created a cache entry. -# The module returns "updated" if it merged a cached entry. -# The module returns "noop" if it did nothing. -# The module returns "fail" on error. -# -cache { - # The backend datastore used to store the cache entries. - # Current datastores are - # rlm_cache_rbtree - An in memory, non persistent rbtree based datastore. - # Useful for caching data locally. - # rlm_cache_memcached - A non persistent "webscale" distributed datastore. - # Useful if the cached data need to be shared between - # a cluster of RADIUS servers. -# driver = "rlm_cache_rbtree" - - # - # Some drivers accept specific options, to set them a - # config section with the the name as the driver should be added - # to the cache instance. - # - # Driver specific options are: - # -# memcached { -# # Memcached configuration options, as documented here: -# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached -# options = "--SERVER=localhost" -# -# pool { -# start = ${thread[pool].start_servers} -# min = ${thread[pool].min_spare_servers} -# max = ${thread[pool].max_servers} -# spare = ${thread[pool].max_spare_servers} -# uses = 0 -# lifetime = 0 -# idle_timeout = 60 -# } -# } - - # The key used to index the cache. It is dynamically expanded - # at run time. - key = "%{User-Name}" - - # The TTL of cache entries, in seconds. 
Entries older than this - # will be expired. - # - # This value should be between 10 and 86400. - ttl = 10 - - # If yes the following attributes will be added to the request: - # * &request:Cache-Entry-Hits - The number of times this entry - # has been retrieved. - # - # Note: Not supported by the rlm_cache_memcached module. - add_stats = no - - # - # The list of attributes to cache for a particular key. - # - # Each key gets the same set of cached attributes. The attributes - # are dynamically expanded at run time. - # - # The semantics of this construct are identical to an unlang - # update block, except the left hand side of the expression - # represents the cache entry. see man unlang for more information - # on update blocks. - # - # Note: Only request, reply, control and session-state lists - # are available in cache entries. Attempting to store attributes - # in other lists will raise an error during config validation. - # - update { - # : - - # Cache all instances of Reply-Message in the reply list - &reply:Reply-Message += &reply:Reply-Message[*] - - # Add our own to show when the cache was last updated - &reply:Reply-Message += "Cache last updated at %t" - - &reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}" - } - - # This module supports a number of runtime configuration parameters - # represented by attributes in the &control: list. - # - # &control:Cache-TTL - Sets the TTL of an entry to be created, or - # modifies the TTL of an existing entry. - # - Setting a Cache-TTL of > 0 means set the TTL of the entry to - # the new value (and reset the expiry timer). - # - Setting a Cache-TTL of < 0 means expire the existing entry - # (without merging) and create a new one with TTL set to - # value * -1. - # - Setting a Cache-TTL of 0 means expire the existing entry - # (without merging) and don't create a new one. 
- # - # &control:Cache-Status-Only - If present and set to 'yes' will - # prevent a new entry from being created, and existing entries from - # being merged. It will also alter the module's return codes. - # - The module will return "ok" if a cache entry was found. - # - The module will return "notfound" if no cache entry was found. - # - # &control:Cache-Read-Only - If present and set to 'yes' will - # prevent a new entry from being created, but will allow existing - # entries to be merged. It will also alter the module's return codes. - # - The module will return "updated" if a cache entry was found. - # - The module will return "notfound" if no cache was found. - # - # &control:Cache-Merge - If present and set to 'yes' will merge new - # cache entries into the current request. Useful if results - # of execs or expansions are stored directly in the cache. - # - # All runtime configuration attributes will be removed from the - # &control: list after the cache module is called. - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase deleted file mode 100644 index b83daea..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase +++ /dev/null 
@@ -1,205 +0,0 @@ -couchbase { - # - # List of Couchbase hosts (hosts may be space, tab, comma or semi-colon separated). - # Ports are optional if servers are listening on the standard port. - # Complete pool urls are preferred. - # - server = "http://cb01.blargs.com:8091/pools/ http://cb04.blargs.com:8091/pools/" - - # Couchbase bucket name - bucket = "radius" - - # Couchbase bucket password (optional) - #password = "password" - - # Couchbase accounting document key (unlang supported) - acct_key = "radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}" - - # Value for the 'docType' element in the json body for accounting documents - doctype = "radacct" - - ## Accounting document expire time in seconds (0 = never) - expire = 2592000 - - # - # Map attribute names to json element names for accounting. - # - # Configuration items are in the format: - # = '' - # - # Element names should be single quoted. - # - # Note: Attributes not in this map will not be recorded. - # - update { - Acct-Session-Id = 'sessionId' - Acct-Unique-Session-Id = 'uniqueId' - Acct-Status-Type = 'lastStatus' - Acct-Authentic = 'authentic' - User-Name = 'userName' - Stripped-User-Name = 'strippedUserName' - Stripped-User-Domain = 'strippedUserDomain' - Realm = 'realm' - NAS-IP-Address = 'nasIpAddress' - NAS-Identifier = 'nasIdentifier' - NAS-Port = 'nasPort' - Called-Station-Id = 'calledStationId' - Called-Station-SSID = 'calledStationSSID' - Calling-Station-Id = 'callingStationId' - Framed-Protocol = 'framedProtocol' - Framed-IP-Address = 'framedIpAddress' - NAS-Port-Type = 'nasPortType' - Connect-Info = 'connectInfo' - Acct-Session-Time = 'sessionTime' - Acct-Input-Packets = 'inputPackets' - Acct-Output-Packets = 'outputPackets' - Acct-Input-Octets = 'inputOctets' - Acct-Output-Octets = 'outputOctets' - Acct-Input-Gigawords = 'inputGigawords' - Acct-Output-Gigawords = 'outputGigawords' - Event-Timestamp = 'lastUpdated' - } - - # Couchbase document key for user documents (unlang supported) - 
user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}" - - # Set to 'yes' to read radius clients from the Couchbase view specified below. - # NOTE: Clients will ONLY be read on server startup. - #read_clients = no - - # - # Map attribute names to json element names when loading clients. - # - # Configuration follows the same rules as the accounting map above. - # - client { - # Couchbase view that should return all available client documents. - view = "_design/client/_view/by_id" - - # - # Sets default values (not obtained from couchbase) for new client entries - # - template { -# login = 'test' -# password = 'test' -# proto = tcp -# require_message_authenticator = yes - - # Uncomment to add a home_server with the same - # attributes as the client. -# coa_server { -# response_window = 2.0 -# } - } - - # - # Client mappings are in the format: - # = '' - # - # Element names should be single quoted. - # - # The following attributes are required: - # * ipaddr | ipv4addr | ipv6addr - Client IP Address. - # * secret - RADIUS shared secret. - # - # All attributes usually supported in a client - # definition are also supported here. - # - attribute { - ipaddr = 'clientIdentifier' - secret = 'clientSecret' - shortname = 'clientShortname' - nas_type = 'nasType' - virtual_server = 'virtualServer' - require_message_authenticator = 'requireMessageAuthenticator' - limit { - max_connections = 'maxConnections' - lifetime = 'clientLifetime' - idle_timeout = 'idleTimeout' - } - } - } - - # Set to 'yes' to enable simultaneous use checking (multiple logins). - # NOTE: This will cause the execution of a view request on every check - # and may be a performance penalty. -# check_simul = no - - # Couchbase view that should return all account documents keyed by username. -# simul_view = "_design/acct/_view/by_user" - - # The key to the above view. - # NOTE: This will need to match EXACTLY what you emit from your view. 
-# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}" - - # Set to 'yes' to enable verification of the results returned from the above view. - # NOTE: This may be an additional performance penalty to the actual check and - # should be avoided unless absolutely neccessary. -# verify_simul = no - - # Remove stale session if checkrad does not see a double login. - # NOTE: This will only be executed if both check_simul and verify_simul - # are set to 'yes' above. -# delete_stale_sessions = yes - - # - # The connection pool is new for 3.0, and will be used in many - # modules, for all kinds of connection-related activity. - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # couchbase being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. - spare = ${thread[pool].max_spare_servers} - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The lifetime (in seconds) of the connection - # - # NOTE: A setting of 0 means infinite (no limit). - lifetime = 0 - - # The idle timeout (in seconds). 
A connection which is - # unused for this length of time will be closed. - # - # NOTE: A setting of 0 means infinite (no timeout). - idle_timeout = 1200 - - # NOTE: All configuration settings are enforced. If a - # connection is closed because of "idle_timeout", - # "uses", or "lifetime", then the total number of - # connections MAY fall below "min". When that - # happens, it will open a new connection. It will - # also log a WARNING message. - # - # The solution is to either lower the "min" connections, - # or increase lifetime/idle_timeout. - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter deleted file mode 100644 index 54a1e00..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter +++ /dev/null 
@@ -1,82 +0,0 @@ -# -*- text -*- -# -# $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $ - -# counter module: -# This module takes an attribute (count-attribute). -# It also takes a key, and creates a counter for each unique -# key. The count is incremented when accounting packets are -# received by the server. The value of the increment depends -# on the attribute type. -# If the attribute is Acct-Session-Time or of an integer type we add -# the value of the attribute. If it is anything else we increase the -# counter by one. -# -# The 'reset' parameter defines when the counters are all reset to -# zero. It can be hourly, daily, weekly, monthly or never. -# -# hourly: Reset on 00:00 of every hour -# daily: Reset on 00:00:00 every day -# weekly: Reset on 00:00:00 on sunday -# monthly: Reset on 00:00:00 of the first day of each month -# -# It can also be user defined. It should be of the form: -# num[hdwm] where: -# h: hours, d: days, w: weeks, m: months -# If the letter is omitted days will be assumed. In example: -# reset = 10h (reset every 10 hours) -# reset = 12 (reset every 12 days) -# -# -# The check_name attribute defines an attribute which will be -# registered by the counter module and can be used to set the -# maximum allowed value for the counter after which the user -# is rejected. -# Something like: -# -# DEFAULT Max-Daily-Session := 36000 -# Fall-Through = 1 -# -# You should add the counter module in the instantiate -# section so that it registers check_name before the files -# module reads the users file. -# -# If check_name is set and the user is to be rejected then we -# send back a Reply-Message and we log a Failure-Message in -# the radius.log -# -# If the count attribute is Acct-Session-Time then on each -# login we send back the remaining online time as a -# Session-Timeout attribute ELSE and if the reply_name is -# set, we send back that attribute. The reply_name attribute -# MUST be of an integer type. 
-# -# The counter-name can also be used instead of using the check_name -# like below: -# -# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject -# Reply-Message = "You've used up more than one hour today" -# -# The allowed_service_type attribute can be used to only take -# into account specific sessions. For example if a user first -# logs in through a login menu and then selects ppp there will -# be two sessions. One for Login-User and one for Framed-User -# service type. We only need to take into account the second one. -# -# The module should be added in the instantiate, authorize and -# accounting sections. Make sure that in the authorize -# section it comes after any module which sets the -# 'check_name' attribute. -# -counter daily { - filename = ${db_dir}/db.daily - key = User-Name - count_attribute = Acct-Session-Time - reset = daily - counter_name = Daily-Session-Time - check_name = Max-Daily-Session - reply_name = Session-Timeout - allowed_service_type = Framed-User - cache_size = 5000 -} - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui deleted file mode 100644 index b7c4392..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui +++ /dev/null 
@@ -1,53 +0,0 @@ -# -*- text -*- -# -# $Id: 54842d4106800babe8db1d58d2e8b7a5cad017db $ - -# -# Write Chargeable-User-Identity to the database. -# -# Schema raddb/mods-config/sql/cui//schema.sql -# Queries raddb/mods-config/sql/cui//queries.conf -# -sql cuisql { - - # The dialect of SQL you want to use, this should usually match - # the driver below. - # - # If you're using rlm_sql_null, then it should be the type of - # database the logged queries are going to be executed against. - dialect = "sqlite" - - # The sub-module to use to execute queries. This should match - # the database you're attempting to connect to. - # - # There are CUI queries available for: - # * rlm_sql_mysql - # * rlm_sql_postgresql - # * rlm_sql_sqlite - # * rlm_sql_null (log queries to disk) - # - driver = "rlm_sql_${dialect}" - - sqlite { - filename = ${radacctdir}/cui.sqlite - bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql - } - - # Write CUI queries to a logfile. Useful for debugging. -# logfile = ${logdir}/cuilog.sql - - pool { - start = 5 - min = 4 - max = 10 - spare = 3 - uses = 0 - lifetime = 0 - idle_timeout = 60 - } - - cui_table = "cui" - sql_user_name = "%{User-Name}" - - $INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com deleted file mode 100644 index 745e1f1..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com +++ /dev/null 
@@ -1,27 +0,0 @@ -# -*- text -*- -# -# Detail file writer, used in the following examples: -# -# raddb/sites-available/robust-proxy-accounting -# raddb/sites-available/decoupled-accounting -# -# Note that this module can write detail files that are read by -# only ONE "listen" section. If you use BOTH of the examples -# above, you will need to define TWO "detail" modules. -# -# e.g. detail1.example.com && detail2.example.com -# -# -# We write *multiple* detail files here. They will be processed by -# the detail "listen" section in the order that they were created. -# The directory containing these files should NOT be used for any -# other purposes. i.e. It should have NO other files in it. -# -# Writing multiple detail enables the server to process the pieces -# in smaller chunks. This helps in certain catastrophic corner cases. -# -# $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $ -# -detail detail.example.com { - filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp deleted file mode 100644 index d4e9c85..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp +++ /dev/null @@ -1,19 +0,0 @@ -# -*- text -*- -# -# $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $ - -# -# This module is useful only for 'xlat'. To use it, -# put 'dhcp' into the 'instantiate' section. -# -# %{dhcp_options:} may be used to decode -# DHCP options data included in RADIUS packets by vendors -# of DHCP to RADIUS gateways. -# -# This is known to work with the following VSAs: -# * Juniper - ERX-Dhcp-Options -# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options -# - Alc-ToClient-Dhcp-Options -# -dhcp { -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files deleted file mode 100644 index 58717d5..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files +++ /dev/null @@ -1,56 +0,0 @@ -# -*- text -*- -# -# $Id: 243a241a8d28d8de9696e5364c59e25558789219 $ - -# Instances of the "files" module for managing DHCP options -# -files dhcp_network { - # The file containing network-specific DHCP options mapping - filename = ${modconfdir}/files/dhcp - - # For network lookups we use a fixed key. Matching - # actual networks is done by additional filtering within - # the file - key = "network" -} - -files dhcp_subnet { - # The file containing subnet-specific DHCP options mapping - filename = ${modconfdir}/files/dhcp - - # For subnet lookups we use a fixed key. Matching - # actual subnets is done by additional filtering within - # the file - key = "subnet" -} - -files dhcp_set_group_options { - # An example of looking up DHCP group options. This - # is designed to be called from a policy configured in - # policy.d/dhcp. - # - # If clients are never members of more than one group, - # then this could be simplified such that DHCP-Group-Name - # is used here in place of Foreach-Variable-0 and this - # module instance called directly rather than the policy - - # Use the same file as for subnets - could be split - # for large, complex installations - filename = ${modconfdir}/files/dhcp - - # The key is a temporary string populated by the calling policy - # which uses a foreach loop. - key = "%{Foreach-Variable-0}" -} - -files dhcp_hosts { - # An example of a DHCP host mapping for option setting - - # Use the same file as for subnets - could be split - # for large, complex installations - filename = ${modconfdir}/files/dhcp - - # If a different identifier is needed for looking up - # host specific entries then amend this key. - key = "host-%{DHCP-Client-Hardware-Address}" -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd deleted file mode 100644 index e2adab2..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd +++ /dev/null @@ -1,20 +0,0 @@ -# -*- text -*- -# -# $Id: 7884a00298935db8e33fd9f850c2619e61d9b5a9 $ - -# An instance of the passwd module designed for looking up -# DHCP client membership. This example is based on hardware -# address. -# The "groups" file should be of the format: -# |,, -# |,, -# -# See the passwd module for more details. - -passwd dhcp_group_membership { - filename = "${modconfdir}/files/dhcp_groups" - format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address" - hash_size = 100 - allow_multiple_keys = yes - delimiter = "|" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql deleted file mode 100644 index f2d7446..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql +++ /dev/null 
@@ -1,92 +0,0 @@ -# -*- text -*- -## -## mods-available/sql -- SQL modules -## -## $Id: 20dbe3a35be942acaaec8ee0ced7e85786fc46a7 $ - -###################################################################### -# -# Configuration for the DHCP-specific instance of the SQL module -# -# The database schemas and queries are located in subdirectories: -# -# sql/dhcp//schema.sql Schema -# sql/dhcp//queries.conf Reply options lookup queries -# -# Where "DB" is mysql, mssql, oracle, or postgresql. -# - -# -# See raddb/mods-available/sql for a description of the configuration items -# for the sql module. -# -sql dhcp_sql { - dialect = "sqlite" - driver = "rlm_sql_null" -# driver = "rlm_sql_${dialect}" - - sqlite { - filename = "/tmp/freeradius.db" - busy_timeout = 200 - bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql" - } - - mysql { - tls { - ca_file = "/etc/ssl/certs/my_ca.crt" - ca_path = "/etc/ssl/certs/" - certificate_file = "/etc/ssl/certs/private/client.crt" - private_key_file = "/etc/ssl/certs/private/client.key" - cipher = "DHE-RSA-AES256-SHA:AES128-SHA" - - tls_required = yes - tls_check_cert = no - tls_check_cert_cn = no - } - warnings = auto - } - - postgresql { - send_application_name = yes - } - - mongo { - appname = "freeradius" - tls { - certificate_file = /path/to/file - certificate_password = "password" - ca_file = /path/to/file - ca_dir = /path/to/directory - crl_file = /path/to/file - weak_cert_validation = false - allow_invalid_hostname = false - } - } - -# server = "localhost" -# port = 3306 -# login = "radius" -# password = "radpass" - - radius_db = "radius" - - dhcpreply_table = "dhcpreply" - groupreply_table = "dhcpgroupreply" - dhcpgroup_table = "dhcpgroup" - read_groups = no - - pool { - start = ${thread[pool].start_servers} - min = ${thread[pool].min_spare_servers} - max = ${thread[pool].max_servers} - spare = ${thread[pool].max_spare_servers} - uses = 0 - retry_delay = 30 - lifetime = 0 - idle_timeout = 60 - } - - group_attribute = 
"${.:instance}-SQL-Group"
-
- $INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool
deleted file mode 100644
index fa2db00..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool
+++ /dev/null
@@ -1,101 +0,0 @@ -# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool). -# -# See raddb/mods-available/sqlippool for common configuration explanation -# -# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows -# the RADIUS based "sqlippool" module to be used for DHCP. -# -# See raddb/sites-available/dhcp for instructions on how to configure -# the DHCP server. -# -# The database schemas are available at: -# -# raddb/mods-config/sql/ippool-dhcp//schema.sql -# -# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $ - -sqlippool dhcp_sqlippool { - # SQL instance to use (from mods-available/sql) - # - # If you have multiple sql instances, such as "sql sql1 {...}", - # use the *instance* name here: sql1. - sql_module_instance = "dhcp_sql" - - # This is duplicative of info available in the SQL module, but - # we have to list it here as we do not yet support nested - # reference expansions. - dialect = "mysql" - - # Name of the check item attribute to be used as a key in the SQL queries - pool_name = "Pool-Name" - - # SQL table to use for ippool range and lease info - ippool_table = "dhcpippool" - - # The duration for which a lease is reserved whilst under offer - offer_duration = 10 - - # IP lease duration. (Leases expire even if no DHCP-Release packet is received) - # Either use the value to be sent to the client or a hard coded one. - lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}" - #lease_duration = 7200 - - # The attribute in which the IP address is returned in the reply - attribute_name = "DHCP-Your-IP-Address" - - # Assign the IP address, even if the above attribute already exists in - # the reply. 
- # -# allow_duplicates = no - - # The attribute in which an IP address hint may be supplied - req_attribute_name = "DHCP-Requested-IP-Address" - - # - # RFC 2132 allows the DHCP client to supply a unique - # identifier ("uid") using Option 61 (DHCP-Client-Identifier) - # in which case it must be used as the lookup key for - # configuration data. - # - pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}" - # - # The "uid" is generated by the OS which means that clients - # whose BMC piggybacks on the main interface (sharing its MAC, - # but generating a distinct uid) and dual-booting clients can - # be allocated multiple IPs, consuming more pool entries. To - # avoid this you can ignore the RFCs and key the configuration - # data based only on the client MAC address. - # - # pool_key = "%{DHCP-Client-Hardware-Address}" - - ################################################################ - # - # WARNING: MySQL (MyISAM) has certain limitations that means it can - # hand out the same IP address to 2 different users. - # - # We suggest using an SQL DB with proper transaction - # support, such as PostgreSQL, or using MySQL - # with InnoDB. - # - ################################################################ - - # These messages are added to the "control" items, as - # Module-Success-Message. They are not logged anywhere else, - # unlike previous versions. If you want to have them logged - # to a file, see the "linelog" module, and create an entry - # which writes Module-Success-Message message. 
- # - messages { - exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - } - - $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group deleted file mode 100644 index 6aea41b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group +++ /dev/null 
@@ -1,28 +0,0 @@
-# -*- text -*-
-#
-# $Id: f58b72f560ba067991d67295b546691bcd992d44 $
-
-# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
-# attribute for every group that the user is member of.
-#
-# You will have to define the Etc-Group-Name in the 'dictionary' file
-# as a 'string' type.
-#
-# The Group and Group-Name attributes are automatically created by
-# the Unix module, and do checking against /etc/group automatically.
-# This means that you CANNOT use Group or Group-Name to do any other
-# kind of grouping in the server. You MUST define a new group
-# attribute.
-#
-# i.e. this module should NOT be used as-is, but should be edited to
-# point to a different group file.
-#
-passwd etc_group {
- filename = /etc/group
- format = "=Etc-Group-Name:::*,User-Name"
- hash_size = 50
- ignore_nislike = yes
- allow_multiple_keys = yes
- delimiter = ":"
-}
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn
deleted file mode 100644
index 31874c5..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn
+++ /dev/null
@@ -1,28 +0,0 @@
-# -*- text -*-
-#
-# $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $
-
-#
-# Internationalised domain names.
-#
-
-# The expansion string: %{idn: example.com} results in an ASCII
-# punycode version of the domain name. That version can then be used
-# for name comparisons. Using an i18n version of the name is NOT
-# RECOMMENDED, as that version is not canonical.
-#
-# i.e. the "same" domain name can be represented in many, many,
-# different ways. Only the idn version has *one* representation.
-#
-idn {
- #
- # Allow use of unassigned Unicode code points.
- #
- allow_unassigned = no
-
- #
- # Prohibit underscores and other invalid characters in domain
- # names.
- use_std3_ascii_rules = yes
-
-}
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap
deleted file mode 100644
index 83bf460..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap
+++ /dev/null
@@ -1,107 +0,0 @@ -# -*- text -*- -# -# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $ - -# -# Sample configuration for an EAP module that occurs *inside* -# of a tunneled method. It is used to limit the EAP types that -# can occur inside of the inner tunnel. -# -# See also raddb/sites-available/inner-tunnel -# -# See raddb/mods-available/eap for full documentation on the meaning of these -# configuration entries. -# -eap inner-eap { - # This is the best choice for PEAP. - default_eap_type = mschapv2 - - timer_expire = 60 - - # This should be the same as the outer eap "max sessions" - max_sessions = 2048 - - # Supported EAP-types - md5 { - } - - gtc { - # The default challenge, which many clients - # ignore.. - #challenge = "Password: " - - auth_type = PAP - } - - mschapv2 { - # See eap for documentation -# send_error = no - } - - # No TTLS or PEAP configuration should be listed here. - - ## EAP-TLS - # - # You SHOULD use different certificates than are used - # for the outer EAP configuration! - # - # You can create the "inner-server.pem" file by doing: - # - # cd raddb/certs - # vi inner-server.cnf - # make inner-server - # - # The certificate MUST be different from the "server.cnf" - # file. - # - # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. - # It might work, or it might not. - # - tls { - private_key_password = whatever - private_key_file = ${certdir}/inner-server.pem - - # If Private key & Certificate are located in - # the same file, then private_key_file & - # certificate_file must contain the same file - # name. - # - # If ca_file (below) is not used, then the - # certificate_file below MUST include not - # only the server certificate, but ALSO all - # of the CA certificates used to sign the - # server certificate. - certificate_file = ${certdir}/inner-server.pem - - # You may want different CAs for inner and outer - # certificates. If so, edit this file. 
- ca_file = ${cadir}/ca.pem - - cipher_list = "DEFAULT" - - # You may want to set a very small fragment size. - # The TLS data here needs to go inside of the - # outer EAP-TLS protocol. - # - # Try values and see if they work... - # fragment_size = 1024 - - # Other needful things - dh_file = ${certdir}/dh - random_file = /dev/urandom - - # CRL and OCSP things go here. See the main "eap" - # file for details. - # check_crl = yes - # ca_path = /path/to/directory/with/ca_certs/and/crls/ - - # Accept an expired Certificate Revocation List - # -# allow_expired_crl = no - - # - # The session resumption / fast re-authentication - # cache CANNOT be used for inner sessions. - # - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool deleted file mode 100644 index 8b263bd..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool +++ /dev/null 
@@ -1,66 +0,0 @@ -# -*- text -*- -# -# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $ - -# Do server side ip pool management. Should be added in -# post-auth and accounting sections. -# -# The module also requires the existence of the Pool-Name -# attribute. That way the administrator can add the Pool-Name -# attribute in the user profiles and use different pools for -# different users. The Pool-Name attribute is a *check* item -# not a reply item. -# -# The Pool-Name should be set to the ippool module instance -# name or to DEFAULT to match any module. - -# -# Example: -# radiusd.conf: ippool students { [...] } -# ippool teachers { [...] } -# users file : DEFAULT Group == students, Pool-Name := "students" -# DEFAULT Group == teachers, Pool-Name := "teachers" -# DEFAULT Group == other, Pool-Name := "DEFAULT" -# -# Note: If you change the range parameters you must then erase the -# db files. -# -ippool main_pool { - # The main db file used to allocate addresses. - filename = ${db_dir}/db.ippool - - # The start and end ip addresses for this pool. - range_start = 192.0.2.1 - range_stop = 192.0.2.254 - - # The network mask used for this pool. - netmask = 255.255.255.0 - - # The gdbm cache size for the db files. Should - # be equal to the number of ip's available in - # the ip pool - cache_size = 800 - - # Helper db index file used in multilink - ip_index = ${db_dir}/db.ipindex - - # If set, the Framed-IP-Address already in the - # reply (if any) will be discarded, and replaced - # ith a Framed-IP-Address assigned here. - override = no - - # Specifies the maximum time in seconds that an - # entry may be active. If set to zero, means - # "no timeout". The default value is 0 - maximum_timeout = 0 - - # The key to use for the session database (which - # holds the allocated ip's) normally it should - # just be the nas ip/port (which is the default). 
- #
- # If your NAS sends the same value of NAS-Port
- # all requests, the key should be based on some
- # other attribute that is in ALL requests, AND
- # is unique to each machine needing an IP address.
-# key = "%{NAS-IP-Address} %{NAS-Port}"
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5 b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5
deleted file mode 100644
index 1e13225..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5
+++ /dev/null
@@ -1,82 +0,0 @@ -# -*- text -*- -# -# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $ - -# -# Kerberos. See doc/modules/rlm_krb5 for minimal docs. -# -krb5 { - # - # The keytab file MUST be owned by the UID/GID used by the server. - # The keytab file MUST be writable by the server. - # The keytab file MUST NOT be readable by other users on the system. - # The keytab file MUST exist before the server is started. - # - keytab = ${localstatedir}/lib/radiusd/keytab - service_principal = name_of_principle - - # Pool of krb5 contexts, this allows us to make the module multithreaded - # and to avoid expensive operations like resolving and opening keytabs - # on every request. It may also allow TCP connections to the KDC to be - # cached if that is supported by the version of libkrb5 used. - # - # The context pool is only used if the underlying libkrb5 reported - # that it was thread safe at compile time. - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # KDC being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. 
- spare = ${thread[pool].max_spare_servers}
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The lifetime (in seconds) of the connection
- #
- # NOTE: A setting of 0 means infinite (no limit).
- lifetime = 0
-
- # The idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- #
- # NOTE: A setting of 0 means infinite (no timeout).
- idle_timeout = 0
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap
deleted file mode 100644
index 289444f..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap
+++ /dev/null
@@ -1,666 +0,0 @@ -# -*- text -*- -# -# $Id: 015ae6907b8113771691ae3a3c1d53b05756d143 $ - -# -# Lightweight Directory Access Protocol (LDAP) -# -ldap { - # Note that this needs to match the name(s) in the LDAP server - # certificate, if you're using ldaps. See OpenLDAP documentation - # for the behavioral semantics of specifying more than one host. - # - # Depending on the libldap in use, server may be an LDAP URI. - # In the case of OpenLDAP this allows additional the following - # additional schemes: - # - ldaps:// (LDAP over SSL) - # - ldapi:// (LDAP over Unix socket) - # - ldapc:// (Connectionless LDAP) - server = 'localhost' -# server = 'ldap.rrdns.example.org' -# server = 'ldap.rrdns.example.org' - - # Port to connect on, defaults to 389, will be ignored for LDAP URIs. -# port = 389 - - # Administrator account for searching and possibly modifying. - # If using SASL + KRB5 these should be commented out. -# identity = 'cn=admin,dc=example,dc=org' -# password = mypass - - # Unless overridden in another section, the dn from which all - # searches will start from. - base_dn = 'dc=example,dc=org' - - # - # You can run the 'ldapsearch' command line tool using the - # parameters from this module's configuration. - # - # ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}' - # - # That will give you the LDAP information for 'user'. - # - # Group membership can be queried by using the above "ldapsearch" string, - # and adding "memberof" qualifiers. For ActiveDirectory, use: - # - # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))' - # - # Where 'user' is the user as above, and 'group' is the group you are querying for. - # - - # - # SASL parameters to use for admin binds - # - # When we're prompted by the SASL library, these control - # the responses given, as well as the identity and password - # directives above. 
- # - # If any directive is commented out, a NULL response will be - # provided to cyrus-sasl. - # - # Unfortunately the only way to control Keberos here is through - # environmental variables, as cyrus-sasl provides no API to - # set the krb5 config directly. - # - # Full documentation for MIT krb5 can be found here: - # - # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html - # - # At a minimum you probably want to set KRB5_CLIENT_KTNAME. - # - sasl { - # SASL mechanism -# mech = 'PLAIN' - - # SASL authorisation identity to proxy. -# proxy = 'autz_id' - - # SASL realm. Used for kerberos. -# realm = 'example.org' - } - - # - # Generic valuepair attribute - # - - # If set, this will attribute will be retrieved in addition to any - # mapped attributes. - # - # Values should be in the format: - # - # - # Where: - # : Is the attribute you wish to create - # with any valid list and request qualifiers. - # : Is any assignment operator (=, :=, +=, -=). - # : Is the value to parse into the new valuepair. - # If the value is wrapped in double quotes it - # will be xlat expanded. -# valuepair_attribute = 'radiusAttribute' - - # - # Mapping of LDAP directory attributes to RADIUS dictionary attributes. - # - - # WARNING: Although this format is almost identical to the unlang - # update section format, it does *NOT* mean that you can use other - # unlang constructs in module configuration files. - # - # Configuration items are in the format: - # - # - # Where: - # : Is the destination RADIUS attribute - # with any valid list and request qualifiers. - # : Is any assignment attribute (=, :=, +=, -=). - # : Is the attribute associated with user or - # profile objects in the LDAP directory. - # If the attribute name is wrapped in double - # quotes it will be xlat expanded. - # - # Request and list qualifiers may also be placed after the 'update' - # section name to set defaults destination requests/lists - # for unqualified RADIUS attributes. 
- # - # Note: LDAP attribute names should be single quoted unless you want - # the name value to be derived from an xlat expansion, or an - # attribute ref. - update { - control:Password-With-Header += 'userPassword' -# control:NT-Password := 'ntPassword' -# reply:Reply-Message := 'radiusReplyMessage' -# reply:Tunnel-Type := 'radiusTunnelType' -# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' -# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' - - # Where only a list is specified as the RADIUS attribute, - # the value of the LDAP attribute is parsed as a valuepair - # in the same format as the 'valuepair_attribute' (above). - control: += 'radiusControlAttribute' - request: += 'radiusRequestAttribute' - reply: += 'radiusReplyAttribute' - } - - # Set to yes if you have eDirectory and want to use the universal - # password mechanism. -# edir = no - - # Set to yes if you want to bind as the user after retrieving the - # Cleartext-Password. This will consume the login grace, and - # verify user authorization. -# edir_autz = no - - # Note: set_auth_type was removed in v3.x.x - # - # Equivalent functionality can be achieved by adding the - # following "if" statement to the authorize {} section of - # the virtual server, after the "ldap" module. For example: - # - # ... - # ldap - # if ((ok || updated) && User-Password && !control:Auth-Type) { - # update { - # control:Auth-Type := ldap - # } - # } - # ... - # - # You will also need to uncomment the "Auth-Type LDAP" block in the - # "authenticate" section. - # - - # - # Name of the attribute that contains the user DN. - # The default name is LDAP-UserDn. - # - # If you have multiple LDAP instances, you should - # change this configuration item to: - # - # ${.:instance}-LDAP-UserDn - # - # That change allows the modules to set their own - # User DN, and to not conflict with each other. - # - user_dn = "LDAP-UserDn" - - # - # User object identification. 
- # - user { - # Where to start searching in the tree for users - base_dn = "${..base_dn}" - - # Filter for user objects, should be specific enough - # to identify a single user object. - # - # For Active Directory, you should use - # "samaccountname=" instead of "uid=" - # - filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" - - # For Active Directory nested group, you should comment out the previous 'filter = ...' - # and use the below. Where 'group' is the group you are querying for. - # - # NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN. - # This applies only to DN attributes. This is an extended match operator that walks - # the chain of ancestry in objects all the way to the root until it finds a match. - # This reveals group nesting. It is available only on domain controllers with - # Windows Server 2003 SP2 or Windows Server 2008 (or above). - # - # See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx - # -# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))" - - # SASL parameters to use for user binds - # - # When we're prompted by the SASL library, these control - # the responses given. - # - # Any of the config items below may be an attribute ref - # or and expansion, so different SASL mechs, proxy IDs - # and realms may be used for different users. - sasl { - # SASL mechanism -# mech = 'PLAIN' - - # SASL authorisation identity to proxy. -# proxy = &User-Name - - # SASL realm. Used for kerberos. -# realm = 'example.org' - } - - # Search scope, may be 'base', 'one', sub' or 'children' -# scope = 'sub' - - # Server side result sorting - # - # A list of space delimited attributes to order the result - # set by, if the filter matches multiple objects. - # Only the first result in the set will be processed. 
- # - # If the attribute name is prefixed with a hyphen '-' the - # sorting order will be reversed for that attribute. - # - # If sort_by is set, and the server does not support sorting - # the search will fail. -# sort_by = '-uid' - - # If this is undefined, anyone is authorised. - # If it is defined, the contents of this attribute - # determine whether or not the user is authorised -# access_attribute = 'dialupAccess' - - # Control whether the presence of 'access_attribute' - # allows access, or denys access. - # - # If 'yes', and the access_attribute is present, or - # 'no' and the access_attribute is absent then access - # will be allowed. - # - # If 'yes', and the access_attribute is absent, or - # 'no' and the access_attribute is present, then - # access will not be allowed. - # - # If the value of the access_attribute is 'false', it - # will negate the result. - # - # e.g. - # access_positive = yes - # access_attribute = userAccessAllowed - # - # With an LDAP object containing: - # userAccessAllowed: false - # - # Will result in the user being locked out. -# access_positive = yes - } - - # - # User membership checking. - # - group { - # Where to start searching in the tree for groups - base_dn = "${..base_dn}" - - # Filter for group objects, should match all available - # group objects a user might be a member of. - # - # If using Active Directory you are likely to need "group" - # instead of "posixGroup". - filter = '(objectClass=posixGroup)' - - # Search scope, may be 'base', 'one', sub' or 'children' -# scope = 'sub' - - # Attribute that uniquely identifies a group. - # Is used when converting group DNs to group - # names. -# name_attribute = cn - - # Filter to find all group objects a user is a member of. - # That is, group objects with attributes that - # identify members (the inverse of membership_attribute). - # - # Note that this configuration references the "user_dn" - # configuration defined above. 
- # -# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" - - # The attribute, in user objects, which contain the names - # or DNs of groups a user is a member of. - # - # Unless a conversion between group name and group DN is - # needed, there's no requirement for the group objects - # referenced to actually exist. - # - # If the LDAP server does not support the "memberOf" - # attribute (or equivalent), then you will need to use the - # membership_filter option above instead. If you can't see - # the memberOf attribute then it is also possible that the - # LDAP bind user does not have the correct permissions to - # view it. - membership_attribute = 'memberOf' - - # If cacheable_name or cacheable_dn are enabled, - # all group information for the user will be - # retrieved from the directory and written to LDAP-Group - # attributes appropriate for the instance of rlm_ldap. - # - # For group comparisons these attributes will be checked - # instead of querying the LDAP directory directly. - # - # This feature is intended to be used with rlm_cache. - # - # If you wish to use this feature, you should enable - # the type that matches the format of your check items - # i.e. if your groups are specified as DNs then enable - # cacheable_dn else enable cacheable_name. -# cacheable_name = 'no' -# cacheable_dn = 'no' - - # Override the normal cache attribute (-LDAP-Group or - # LDAP-Group if using the default instance) and create a - # custom attribute. This can help if multiple module instances - # are used in fail-over. -# cache_attribute = 'LDAP-Cached-Membership' - - # If the group being checked is specified as a name, but - # the user's groups are referenced by DN, and one of those - # group DNs is invalid, the whole group check is treated as - # invalid, and a negative result will be returned. - # When set to 'yes', this option ignores invalid DN - # references. 
-# allow_dangling_group_ref = 'no' - } - - # - # User profiles. RADIUS profile objects contain sets of attributes - # to insert into the request. These attributes are mapped using - # the same mapping scheme applied to user objects (the update section above). - # - profile { - # Filter for RADIUS profile objects -# filter = '(objectclass=radiusprofile)' - - # The default profile. This may be a DN or an attribute - # reference. - # To get old v2.2.x style behaviour, or to use the - # &User-Profile attribute to specify the default profile, - # set this to &control:User-Profile. -# default = 'cn=radprofile,dc=example,dc=org' - - # The LDAP attribute containing profile DNs to apply - # in addition to the default profile above. These are - # retrieved from the user object, at the same time as the - # attributes from the update section, are are applied - # if authorization is successful. -# attribute = 'radiusProfileDn' - } - - # - # Bulk load clients from the directory - # - client { - # Where to start searching in the tree for clients - base_dn = "${..base_dn}" - - # - # Filter to match client objects - # - filter = '(objectClass=radiusClient)' - - # Search scope, may be 'base', 'one', 'sub' or 'children' -# scope = 'sub' - - # - # Sets default values (not obtained from LDAP) for new client entries - # - template { -# login = 'test' -# password = 'test' -# proto = tcp -# require_message_authenticator = yes - - # Uncomment to add a home_server with the same - # attributes as the client. -# coa_server { -# response_window = 2.0 -# } - } - - # - # Client attribute mappings are in the format: - # = - # - # The following attributes are required: - # * ipaddr | ipv4addr | ipv6addr - Client IP Address. - # * secret - RADIUS shared secret. - # - # All other attributes usually supported in a client - # definition are also supported here. 
- # - # Schemas are available in doc/schemas/ldap for openldap and eDirectory - # - attribute { - ipaddr = 'radiusClientIdentifier' - secret = 'radiusClientSecret' -# shortname = 'radiusClientShortname' -# nas_type = 'radiusClientType' -# virtual_server = 'radiusClientVirtualServer' -# require_message_authenticator = 'radiusClientRequireMa' - } - } - - # Load clients on startup -# read_clients = no - - # - # Modify user object on receiving Accounting-Request - # - - # Useful for recording things like the last time the user logged - # in, or the Acct-Session-ID for CoA/DM. - # - # LDAP modification items are in the format: - # - # - # Where: - # : The LDAP attribute to add modify or delete. - # : One of the assignment operators: - # (:=, +=, -=, ++). - # Note: '=' is *not* supported. - # : The value to add modify or delete. - # - # WARNING: If using the ':=' operator with a multi-valued LDAP - # attribute, all instances of the attribute will be removed and - # replaced with a single attribute. - accounting { - reference = "%{tolower:type.%{Acct-Status-Type}}" - - type { - start { - update { - description := "Online at %S" - } - } - - interim-update { - update { - description := "Last seen at %S" - } - } - - stop { - update { - description := "Offline at %S" - } - } - } - } - - # - # Post-Auth can modify LDAP objects too - # - post-auth { - update { - description := "Authenticated at %S" - } - } - - # - # LDAP connection-specific options. - # - # These options set timeouts, keep-alives, etc. for the connections. - # - options { - # Control under which situations aliases are followed. - # May be one of 'never', 'searching', 'finding' or 'always' - # default: libldap's default which is usually 'never'. - # - # LDAP_OPT_DEREF is set to this value. -# dereference = 'always' - - # - # The following two configuration items control whether the - # server follows references returned by LDAP directory. - # They are mostly for Active Directory compatibility. 
- # If you set these to 'no', then searches will likely return - # 'operations error', instead of a useful result. - # - chase_referrals = yes - rebind = yes - - # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). - # Note - uncomment when using GSS-API sasl mechanism along with TLS - # encryption against Active-Directory LDAP servers (this disables - # sealing and signing at the GSS level as required by AD). - #sasl_secprops = 'noanonymous,noplain,maxssf=0' - - # Seconds to wait for LDAP query to finish. default: 20 - res_timeout = 10 - - # Seconds LDAP server has to process the query (server-side - # time limit). default: 20 - # - # LDAP_OPT_TIMELIMIT is set to this value. - srv_timelimit = 3 - - # Seconds to wait for response of the server. (network - # failures) default: 10 - # - # LDAP_OPT_NETWORK_TIMEOUT is set to this value. - net_timeout = 1 - - # LDAP_OPT_X_KEEPALIVE_IDLE - idle = 60 - - # LDAP_OPT_X_KEEPALIVE_PROBES - probes = 3 - - # LDAP_OPT_X_KEEPALIVE_INTERVAL - interval = 3 - - # ldap_debug: debug flag for LDAP SDK - # (see OpenLDAP documentation). Set this to enable - # huge amounts of LDAP debugging on the screen. - # You should only use this if you are an LDAP expert. - # - # default: 0x0000 (no debugging messages) - # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) - ldap_debug = 0x0028 - } - - # - # This subsection configures the tls related items - # that control how FreeRADIUS connects to an LDAP - # server. It contains all of the 'tls_*' configuration - # entries used in older versions of FreeRADIUS. Those - # configuration entries can still be used, but we recommend - # using these. - # - tls { - # Set this to 'yes' to use TLS encrypted connections - # to the LDAP database by using the StartTLS extended - # operation. 
- # - # The StartTLS operation is supposed to be - # used with normal ldap connections instead of - # using ldaps (port 636) connections -# start_tls = yes - -# ca_file = ${certdir}/cacert.pem - -# ca_path = ${certdir} -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key -# random_file = /dev/urandom - - # Certificate Verification requirements. Can be: - # 'never' (do not even bother trying) - # 'allow' (try, but don't fail if the certificate - # cannot be verified) - # 'demand' (fail if the certificate does not verify) - # 'hard' (similar to 'demand' but fails if TLS - # cannot negotiate) - # - # The default is libldap's default, which varies based - # on the contents of ldap.conf. - -# require_cert = 'demand' - - # - # Minimum TLS version to accept. We STRONGLY recommend - # setting this to "1.2" - # -# tls_min_version = "1.2" - } - - # As of version 3.0, the 'pool' section has replaced the - # following configuration items: - # - # ldap_connections_number - - # The connection pool is new for 3.0, and will be used in many - # modules, for all kinds of connection-related activity. - # - # When the server is not threaded, the connection pool - # limits are ignored, and only one connection is used. - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # directory being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. 
- # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. - spare = ${thread[pool].max_spare_servers} - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The number of seconds to wait after the server tries - # to open a connection, and fails. During this time, - # no new connections will be opened. - retry_delay = 30 - - # The lifetime (in seconds) of the connection - lifetime = 0 - - # Idle timeout (in seconds). A connection which is - # unused for this length of time will be closed. - idle_timeout = 60 - - # NOTE: All configuration settings are enforced. If a - # connection is closed because of 'idle_timeout', - # 'uses', or 'lifetime', then the total number of - # connections MAY fall below 'min'. When that - # happens, it will open a new connection. It will - # also log a WARNING message. - # - # The solution is to either lower the 'min' connections, - # or increase lifetime/idle_timeout. - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip deleted file mode 100644 index 5d646af..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip +++ /dev/null 
@@ -1,25 +0,0 @@
-# -*- text -*-
-#
-# $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $
-
-######################################################################
-#
-# This next section is a sample configuration for the "passwd"
-# module, that reads flat-text files.
-#
-# The file is in the format ,
-#
-# 00:01:02:03:04:05,192.0.2.100
-# 01:01:02:03:04:05,192.0.2.101
-# 02:01:02:03:04:05,192.0.2.102
-#
-# This lets you perform simple static IP assignments from a flat-text
-# file. You will have to define lease times yourself.
-#
-######################################################################
-
-passwd mac2ip {
- filename = ${modconfdir}/${.:name}/${.:instance}
- format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
- delimiter = ","
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan
deleted file mode 100644
index ee8e4b3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan
+++ /dev/null
@@ -1,18 +0,0 @@
-# -*- text -*-
-#
-# $Id: a1db803a71cddbb98daeeeda515cff2fc77ea318 $
-
-# A simple file to map a MAC address to a VLAN.
-#
-# The file should be in the format MAC,VLAN
-# the VLAN name cannot have spaces in it, for example:
-#
-# 00:01:02:03:04:05,VLAN1
-# 03:04:05:06:07:08,VLAN2
-# ...
-#
-passwd mac2vlan {
- filename = ${modconfdir}/${.:name}/${.:instance}
- format = "*VMPS-Mac:=VMPS-VLAN-Name"
- delimiter = ","
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids
deleted file mode 100644
index 4503a56..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids
+++ /dev/null
@@ -1,57 +0,0 @@
-# -*- text -*-
-#
-# $Id: 1b27b44b5a2d82e23d67c07ba19f0ef3293960d2 $
-
-#
-# Write Moonshot-*-TargetedId (MSTID) to the database.
-#
-# Schema raddb/mods-config/sql/moonshot-targeted-ids//schema.sql
-# Queries raddb/mods-config/sql/moonshot-targeted-ids//queries.conf
-#
-sql moonshot_tid_sql {
-
- # The dialect of SQL you want to use, this should usually match
- # the driver below.
- #
- # If you're using rlm_sql_null, then it should be the type of
- # database the logged queries are going to be executed against.
- dialect = "sqlite"
-
- # The sub-module to use to execute queries. This should match
- # the database you're attempting to connect to.
- #
- # There are MSTID queries available for:
- # * rlm_sql_mysql
- # * rlm_sql_postgresql
- # * rlm_sql_sqlite
- # * rlm_sql_null (log queries to disk)
- #
- driver = "rlm_sql_${dialect}"
-
- sqlite {
- filename = ${radacctdir}/moonshot-targeted-ids.sqlite
- bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql
- }
-
- # Write MSTID queries to a logfile. Useful for debugging.
-# logfile = ${logdir}/moonshot-targeted-id-log.sql
-
- pool {
- start = 5
- min = 4
- max = 10
- spare = 3
- uses = 0
- lifetime = 0
- idle_timeout = 60
- }
-
- # If you adjust the table name here, you must also modify the table name in
- # the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids
- # and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree.
- #
- moonshot_tid_table = "moonshot_targeted_ids"
- sql_user_name = "%{User-Name}"
-
- $INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory
deleted file mode 100644
index 4bd6a18..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory
+++ /dev/null
@@ -1,26 +0,0 @@
-# -*- text -*-
-#
-# $Id: 443d74dc08f19ddb59ea342f756c90066623e1c6 $
-
-# This module is only used when the server is running on the same
-# system as OpenDirectory. The configuration of the module is hard-coded
-# by Apple, and cannot be changed here.
-#
-# There are no configuration entries for this module.
-#
-# The MS-CHAP module will automatically talk to OpenDirectory, if the
-# server is built on an OSX machine. However, you must also set
-# dsAttrTypeNative:apple-enabled-auth-mech attribute in the
-# /config/dirserv OpenDirectory record. You will probably also need
-# to change the user passwords in order to re-generate the
-# appropriate hashes.
-#
-# Complete OSX configuration information is available on Apple's web site:
-#
-# https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf
-#
-# See also https://discussions.apple.com/thread/6053980?tstart=0
-#
-opendirectory {
-
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp
deleted file mode 100644
index aa5c612..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp
+++ /dev/null
@@ -1,75 +0,0 @@ -# -# Configuration for the OTP module. -# - -# This module allows you to use various handheld OTP tokens -# for authentication (Auth-Type := otp). These tokens are -# available from various vendors. -# -# It works in conjunction with otpd, which implements token -# management and OTP verification functions; and lsmd or gsmd, -# which implements synchronous state management functions. - -# You must list this module in BOTH the authorize and authenticate -# sections in order to use it. -otp { - # otpd rendezvous point. - # (default: /var/run/otpd/socket) - #otpd_rp = /var/run/otpd/socket - - # Text to use for the challenge. - # Default "Challenge: %{reply:OTP-Challenge}\n Response: " - - challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: " - - # Length of the challenge. Most tokens probably support a - # max of 8 digits. (range: 5-32 digits, default 6) - #challenge_length = 6 - - # Maximum time, in seconds, that a challenge is valid. - # (The user must respond to a challenge within this time.) - # It is also the minimal time between consecutive async mode - # authentications, a necessary restriction due to an inherent - # weakness of the RADIUS protocol which allows replay attacks. - # (default: 30) - #challenge_delay = 30 - - # Whether or not to allow asynchronous ("pure" challenge/ - # response) mode authentication. Since sync mode is much more - # usable, and all reasonable tokens support it, the typical - # use of async mode is to allow re-sync of event based tokens. - # But because of the vulnerability of async mode with some tokens, - # you probably want to disable this and require that out-of-sync - # users re-sync from specifically secured terminals. - # See the otpd docs for more info. - # (default: no) - #allow_async = no - - # Whether or not to allow synchronous mode authentication. 
- # When using otpd with lsmd, it is *CRITICALLY IMPORTANT* - # that if your OTP users can authenticate to multiple RADIUS - # servers, this must be "yes" for the primary/default server, - # and "no" for the others. This is because lsmd does not - # share state information across multiple servers. Using "yes" - # on all your RADIUS servers would allow replay attacks! - # Also, for event based tokens, the user will be out of sync - # on the "other" servers. In order to use "yes" on all your - # servers, you must either use gsmd, which synchronises state - # globally, or implement your own state synchronisation method. - # (default: yes) - #allow_sync = yes - - # If both allow_async and allow_sync are "yes", a challenge is - # always presented to the user. This is incompatible with NAS - # that can't present or don't handle Access-Challenge's, e.g. - # PPTP servers. Even though a challenge is presented, the user - # can still enter their synchronous passcode. - - # The following are MPPE settings. Note that MS-CHAP (v1) is - # strongly discouraged. All possible values are listed as - # {value = meaning}. Default values are first. - #mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden} - #mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40} - #mschap_mppe = {2 = required, 1 = optional, 0 = forbidden} - #mschap_mppe_bits = {2 = 128} -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam deleted file mode 100644 index a31dfda..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam +++ /dev/null 
@@ -1,26 +0,0 @@
-# -*- text -*-
-#
-# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
-
-
-# Pluggable Authentication Modules
-#
-# For Linux, see:
-# http://www.kernel.org/pub/linux/libs/pam/index.html
-#
-# WARNING: On many systems, the system PAM libraries have
-# memory leaks! We STRONGLY SUGGEST that you do not
-# use PAM for authentication, due to those memory leaks.
-#
-pam {
- #
- # The name to use for PAM authentication.
- # PAM looks in /etc/pam.d/${pam_auth_name}
- # for it's configuration. See 'redhat/radiusd-pam'
- # for a sample PAM configuration file.
- #
- # Note that any Pam-Auth attribute set in the 'authorize'
- # section will over-ride this one.
- #
- pam_auth = radiusd
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl
deleted file mode 100644
index d3b0c99..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl
+++ /dev/null
@@ -1,94 +0,0 @@ -# -*- text -*- -# -# $Id: fa04cdabb71767050aaa0664da792fd6086adb19 $ - -# Persistent, embedded Perl interpreter. -# -perl { - # - # The Perl script to execute on authorize, authenticate, - # accounting, xlat, etc. This is very similar to using - # 'rlm_exec' module, but it is persistent, and therefore - # faster. - # - filename = ${modconfdir}/${.:instance}/example.pl - - # - # Options which are passed to the Perl interpreter. - # These are (mostly) the same options as are passed - # to the "perl" command line. - # - # The most useful flag is "-T". This sets tainting on. And - # as of 3.0.18, makes it impossible to leverage bad - # User-Names into local command execution. - # - perl_flags = "-T" - - # - # The following hashes are given to the module and - # filled with value-pairs (Attribute names and values) - # - # %RAD_CHECK Check items - # %RAD_REQUEST Attributes from the request - # %RAD_REPLY Attributes for the reply - # %RAD_REQUEST_PROXY Attributes from the proxied request - # %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply - # - # The interface between FreeRADIUS and Perl is strings. - # That is, attributes of type "octets" are converted to - # printable strings, such as "0xabcdef". If you want to - # access the binary values of the attributes, you should - # call the Perl "pack" function. Then to send any binary - # data back to FreeRADIUS, call the Perl "unpack" function, - # so that the contents of the hashes are printable strings. - # - # IP addresses are sent as strings, e.g. "192.0.2.25", and - # not as a 4-byte binary value. The same applies to other - # attribute data types. - # - # Attributes of type "string" are copied to Perl as-is. - # They are not escaped or interpreted. - # - # The return codes from functions in the perl_script - # are passed directly back to the server. 
These - # codes are defined in mods-config/example.pl - # - - # You can define configuration items (and nested sub-sections) in perl "config" section. - # These items will be accessible in the perl script through %RAD_PERLCONF hash. - # For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'} - # - #config { - # name = "value" - # sub-config { - # name = "value of name from config.sub-config" - # } - #} - - # - # List of functions in the module to call. - # Uncomment and change if you want to use function - # names other than the defaults. - # - #func_authenticate = authenticate - #func_authorize = authorize - #func_preacct = preacct - #func_accounting = accounting - #func_checksimul = checksimul - #func_pre_proxy = pre_proxy - #func_post_proxy = post_proxy - #func_post_auth = post_auth - #func_recv_coa = recv_coa - #func_send_coa = send_coa - #func_xlat = xlat - #func_detach = detach - - # - # Uncomment the following lines if you wish - # to use separate functions for Start and Stop - # accounting packets. In that case, the - # func_accounting function is not called. - # - #func_start_accounting = accounting_start - #func_stop_accounting = accounting_stop -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python deleted file mode 100644 index 371a56d..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python +++ /dev/null 
@@ -1,65 +0,0 @@
-#
-# Make sure the PYTHONPATH environmental variable contains the
-# directory(s) for the modules listed below.
-#
-# Uncomment any func_* which are included in your module. If
-# rlm_python is called for a section which does not have
-# a function defined, it will return NOOP.
-#
-python {
- # Path to the python modules
- #
- # Note that due to limitations on Python, this configuration
- # item is GLOBAL TO THE SERVER. That is, you cannot have two
- # instances of the python module, each with a different path.
- #
-# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/"
-
- module = example
-
- # Pass all VPS lists as a 6-tuple to the callbacks
- # (request, reply, config, state, proxy_req, proxy_reply)
-# pass_all_vps = no
-
- # Pass all VPS lists as a dictionary to the callbacks
- # Keys: "request", "reply", "config", "session-state", "proxy-request",
- # "proxy-reply"
- # This option prevales over "pass_all_vps"
-# pass_all_vps_dict = no
-
-# mod_instantiate = ${.module}
-# func_instantiate = instantiate
-
-# mod_detach = ${.module}
-# func_detach = detach
-
-# mod_authorize = ${.module}
-# func_authorize = authorize
-
-# mod_authenticate = ${.module}
-# func_authenticate = authenticate
-
-# mod_preacct = ${.module}
-# func_preacct = preacct
-
-# mod_accounting = ${.module}
-# func_accounting = accounting
-
-# mod_checksimul = ${.module}
-# func_checksimul = checksimul
-
-# mod_pre_proxy = ${.module}
-# func_pre_proxy = pre_proxy
-
-# mod_post_proxy = ${.module}
-# func_post_proxy = post_proxy
-
-# mod_post_auth = ${.module}
-# func_post_auth = post_auth
-
-# mod_recv_coa = ${.module}
-# func_recv_coa = recv_coa
-
-# mod_send_coa = ${.module}
-# func_send_coa = send_coa
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3 b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3
deleted file mode 100644
index f0e0424..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Make sure the PYTHONPATH environmental variable contains the
-# directory(s) for the modules listed below.
-#
-# Uncomment any func_* which are included in your module. If
-# rlm_python is called for a section which does not have
-# a function defined, it will return NOOP.
-#
-python3 {
- # Path to the python modules
- #
- # Note that due to limitations on Python, this configuration
- # item is GLOBAL TO THE SERVER. That is, you cannot have two
- # instances of the python module, each with a different path.
- #
-# python_path="${modconfdir}/${.:name}:/another_path/to/python_files"
-
- module = example
-
- # Pass all VPS lists as a 6-tuple to the callbacks
- # (request, reply, config, state, proxy_req, proxy_reply)
-# pass_all_vps = no
-
- # Pass all VPS lists as a dictionary to the callbacks
- # Keys: "request", "reply", "config", "session-state", "proxy-request",
- # "proxy-reply"
- # This option prevales over "pass_all_vps"
-# pass_all_vps_dict = no
-
-# mod_instantiate = ${.module}
-# func_instantiate = instantiate
-
-# mod_detach = ${.module}
-# func_detach = detach
-
-# mod_authorize = ${.module}
-# func_authorize = authorize
-
-# mod_authenticate = ${.module}
-# func_authenticate = authenticate
-
-# mod_preacct = ${.module}
-# func_preacct = preacct
-
-# mod_accounting = ${.module}
-# func_accounting = accounting
-
-# mod_checksimul = ${.module}
-# func_checksimul = checksimul
-
-# mod_pre_proxy = ${.module}
-# func_pre_proxy = pre_proxy
-
-# mod_post_proxy = ${.module}
-# func_post_proxy = post_proxy
-
-# mod_post_auth = ${.module}
-# func_post_auth = post_auth
-
-# mod_recv_coa = ${.module}
-# func_recv_coa = recv_coa
-
-# mod_send_coa = ${.module}
-# func_send_coa = send_coa
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis deleted file mode 100644 index 0b28c57..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis +++ /dev/null 
@@ -1,99 +0,0 @@ -# -*- text -*- -# -# $Id: 64789f58a7f937b7b9f4c7ff783153fb5194ba25 $ - -# -# Configuration file for the "redis" module. This module does nothing -# Other than provide connections to a redis database, and a %{redis: ...} -# expansion. -# -redis { - # Host where the redis server is located. - # We recommend using ONLY 127.0.0.1 ! - server = 127.0.0.1 - - # Select the Redis logical database having the specified zero-based numeric index. -# database = 0 - - # The default port. - port = 6379 - - # The password used to authenticate to the server. - # We recommend using a strong password. -# password = thisisreallysecretandhardtoguess - - # Set connection and query timeout for rlm_redis - query_timeout = 5 - - # - # Information for the connection pool. The configuration items - # below are the same for all modules which use the new - # connection pool. - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # web service being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. 
- spare = ${thread[pool].max_spare_servers} - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The number of seconds to wait after the server tries - # to open a connection, and fails. During this time, - # no new connections will be opened. - retry_delay = 30 - - # The lifetime (in seconds) of the connection - # - # NOTE: A setting of 0 means infinite (no limit). - lifetime = 86400 - - # The pool is checked for free connections every - # "cleanup_interval". If there are free connections, - # then one of them is closed. - cleanup_interval = 300 - - # The idle timeout (in seconds). A connection which is - # unused for this length of time will be closed. - # - # NOTE: A setting of 0 means infinite (no timeout). - idle_timeout = 600 - - # NOTE: All configuration settings are enforced. If a - # connection is closed because of "idle_timeout", - # "uses", or "lifetime", then the total number of - # connections MAY fall below "min". When that - # happens, it will open a new connection. It will - # also log a WARNING message. - # - # The solution is to either lower the "min" connections, - # or increase lifetime/idle_timeout. - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho deleted file mode 100644 index 5f835e8..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho +++ /dev/null 
@@ -1,52 +0,0 @@ -# -*- text -*- -# -# $Id: d303550fa48460f9583c051795ad7f179fcbd36b $ - -# -# Configuration file for the "rediswho" module. -# -# This module tracks the last set of login sessions for a user. -# -rediswho { - # REDIS instance to use (from mods-available/redis) - # - # If you have multiple redis instances, such as "redis redis1 {...}", - # use the *instance* name here: redis1. -# redis_module_instance = redis - - # How many sessions to keep track of per user. - # If there are more than this number, older sessions are deleted. - trim_count = 15 - - # Expiry time in seconds. Any sessions which have not received - # an update in this time will be automatically expired. - expire_time = 86400 - - # - # Each subsection contains insert / trim / expire queries. - # The subsections are named after the contents of the - # Acct-Status-Type attribute. See dictionary.rfc2866 for names - # of the various Acct-Status-Type values, or look at the output - # of debug mode. - # - # This module supports *any* Acct-Status-Type. Just add a subsection - # of the appropriate name, along with insert / trim / expire queries. 
- # - Start { - insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" - trim = "LTRIM %{User-Name} 0 ${..trim_count}" - expire = "EXPIRE %{User-Name} ${..expire_time}" - } - - Interim-Update { - insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" - trim = "LTRIM %{User-Name} 0 ${..trim_count}" - expire = "EXPIRE %{User-Name} ${..expire_time}" - } - - Stop { - insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" - trim = "LTRIM %{User-Name} 0 ${..trim_count}" - expire = "EXPIRE %{User-Name} ${..expire_time}" - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest deleted file mode 100644 index ac163f0..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest +++ /dev/null 
@@ -1,290 +0,0 @@ -rest { - # - # This subsection configures the tls related items - # that control how FreeRADIUS connects to a HTTPS - # server. - # - tls { - # Certificate Authorities: - # "ca_file" (libcurl option CURLOPT_ISSUERCERT). - # File containing a single CA, which is the issuer of the server - # certificate. - # "ca_info_file" (libcurl option CURLOPT_CAINFO). - # File containing a bundle of certificates, which allow to handle - # certificate chain validation. - # "ca_path" (libcurl option CURLOPT_CAPATH). - # Directory holding CA certificates to verify the peer with. -# ca_file = ${certdir}/cacert.pem -# ca_info_file = ${certdir}/cacert_bundle.pem -# ca_path = ${certdir} - -# certificate_file = /path/to/radius.crt -# private_key_file = /path/to/radius.key -# private_key_password = "supersecret" -# random_file = /dev/urandom - - # Server certificate verification requirements. Can be: - # "no" (don't even bother trying) - # "yes" (verify the cert was issued by one of the - # trusted CAs) - # - # The default is "yes" -# check_cert = yes - - # Server certificate CN verification requirements. Can be: - # "no" (don't even bother trying) - # "yes" (verify the CN in the certificate matches the host - # in the URI) - # - # The default is "yes" -# check_cert_cn = yes - } - - # rlm_rest will open a connection to the server specified in connect_uri - # to populate the connection cache, ready for the first request. - # The server will not start if the server specified is unreachable. - # - # If you wish to disable this pre-caching and reachability check, - # comment out the configuration item below. - connect_uri = "http://127.0.0.1/" - - # - # How long before new connection attempts timeout, defaults to 4.0 seconds. - # -# connect_timeout = 4.0 - - # - # Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto', - # '2.0+tls' or 'default'. 
(libcurl option CURLOPT_HTTP_VERSION) - # -# http_negotiation = 1.1 - - # - # The following config items can be used in each of the sections. - # The sections themselves reflect the sections in the server. - # For example if you list rest in the authorize section of a virtual server, - # the settings from the authorize section here will be used. - # - # The following config items may be listed in any of the sections: - # uri - to send the request to. - # method - HTTP method to use, one of 'get', 'post', 'put', 'patch', - # 'delete' or any custom HTTP method. - # body - The format of the HTTP body sent to the remote server. - # May be 'none', 'post' or 'json', defaults to 'none'. - # attr_num - If true, the attribute number is supplied for each attribute. - # Defaults to false. - # raw_value - If true, enumerated attribute values are provided as numeric - # values. Defaults to false. - # data - Send custom freeform data in the HTTP body. Content-type - # may be specified with 'body'. Will be expanded. - # Values from expansion will not be escaped, this should be - # done using the appropriate xlat method e.g. %{urlencode:}. - # force_to - Force the response to be decoded with this decoder. - # May be 'plain' (creates reply:REST-HTTP-Body), 'post' - # or 'json'. - # tls - TLS settings for HTTPS. - # auth - HTTP auth method to use, one of 'none', 'srp', 'basic', - # 'digest', 'digest-ie', 'gss-negotiate', 'ntlm', - # 'ntlm-winbind', 'any', 'safe'. defaults to 'none'. - # username - User to authenticate as, will be expanded. - # password - Password to use for authentication, will be expanded. - # require_auth - Require HTTP authentication. - # timeout - HTTP request timeout in seconds, defaults to 4.0. - # chunk - Chunk size to use. If set, HTTP chunked encoding is used to - # send data to the REST server. Make sure that this is large - # enough to fit your largest attribute value's text - #  representation. - # A number like 8192 is good. 
- # - # Additional HTTP headers may be specified with control:REST-HTTP-Header. - # The values of those attributes should be in the format: - # - # control:REST-HTTP-Header := ": " - # - # The control:REST-HTTP-Header attributes will be consumed - # (i.e. deleted) after each call to the rest module, and each - # %{rest:} expansion. This is so that headers from one REST - # call do not affect headers from a different REST call. - # - # Body encodings are the same for requests and responses - # - # POST - All attributes and values are urlencoded - # [outer.][:]=&[outer.][:]= - # - # JSON - All attributes and values are escaped according to the JSON specification - # - attribute Name of the attribute. - # - attr_num Number of the attribute. Only available if the configuration item - # 'attr_num' is enabled. - # - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...). - # - value Attribute value, for enumerated attributes the human readable value is - # provided and not the numeric value (Depends on the 'raw_value' config item). - # { - # "":{ - # "attr_num":, - # "type":"", - # "value":[,,] - # }, - # "":{ - # "attr_num":, - # "type":"", - # "value":[...] - # }, - # "":{ - # "attr_num":, - # "type":"", - # "value":[...] - # }, - # } - # - # The response format adds three optional fields: - # - do_xlat If true, any values will be xlat expanded. Defaults to true. - # - is_json If true, any nested JSON data will be copied to the attribute - # in string form. Defaults to true. - # - op Controls how the attribute is inserted into the target list. - # Defaults to ':='. To create multiple attributes from multiple - # values, this should be set to '+=', otherwise only the last - # value will be used, and it will be assigned to a single - # attribute. 
- # { - # "":{ - # "is_json":, - # "do_xlat":, - # "op":"", - # "value":[,,] - # }, - # "":"value", - # "":{ - # "value":[,,], - # "op":"+=" - # } - # } - - # - # Module return codes are determined by HTTP response codes. These vary depending on the - # section. - # - # If the body is processed and found to be malformed or unsupported fail will be returned. - # If the body is processed and found to contain attribute updated will be returned, - # except in the case of a 401 code. - # - - # Authorize/Authenticate - # - # Code Meaning Process body Module code - # 404 not found no notfound - # 410 gone no notfound - # 403 forbidden no userlock - # 401 unauthorized yes reject - # 204 no content no ok - # 2xx successful yes ok/updated - # 5xx server error no fail - # xxx - no invalid - # - # The status code is held in %{reply:REST-HTTP-Status-Code}. - # - authorize { - uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize" - method = 'get' - tls = ${..tls} - } - authenticate { - uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate" - method = 'get' - tls = ${..tls} - } - - # Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy - # - # Code Meaning Process body Module code - # 204 no content no ok - # 2xx successful yes ok/updated - # 5xx server error no fail - # xxx - no invalid - preacct { - uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct" - method = 'post' - tls = ${..tls} - } - accounting { - uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting" - method = 'post' - tls = ${..tls} - } - post-auth { - uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth" - method = 'post' - tls = ${..tls} - } - pre-proxy { - uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy" - method = 'post' - tls = ${..tls} - } - post-proxy { - uri = 
"${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy" - method = 'post' - tls = ${..tls} - } - - # - # The connection pool is new for 3.0, and will be used in many - # modules, for all kinds of connection-related activity. - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # web service being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. - spare = ${thread[pool].max_spare_servers} - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The number of seconds to wait after the server tries - # to open a connection, and fails. During this time, - # no new connections will be opened. - retry_delay = 30 - - # The lifetime (in seconds) of the connection - lifetime = 0 - - # idle timeout (in seconds). A connection which is - # unused for this length of time will be closed. - idle_timeout = 60 - - # NOTE: All configuration settings are enforced. If a - # connection is closed because of "idle_timeout", - # "uses", or "lifetime", then the total number of - # connections MAY fall below "min". 
When that
- happens, it will open a new connection. It will
- also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd
deleted file mode 100644
index de400ee..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd
+++ /dev/null
@@ -1,16 +0,0 @@
-# -*- text -*-
-#
-# $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $
-
-# An example configuration for using /etc/smbpasswd.
-#
-# See the "passwd" file for documentation on the configuration items
-# for this module.
-#
-passwd smbpasswd {
- filename = /etc/smbpasswd
- format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
- hash_size = 100
- ignore_nislike = no
- allow_multiple_keys = no
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp
deleted file mode 100644
index 876931c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp
+++ /dev/null
@@ -1,94 +0,0 @@ -# -*- text -*- -# -# $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $ - -# SMS One-time Password system. -# -# This module will extend FreeRadius with a socks interface to create and -# validate One-Time-Passwords. The program for that creates the socket -# and interacts with this module is not included here. -# -# The module does not check the User-Password, this should be done with -# the "pap" module. See the example below. -# -# The module must be used in the "authorize" section to set -# Auth-Type properly. The first time through, the module is called -# in the "authenticate" section to authenticate the user password, and -# to send the challenge. The second time through, it authenticates -# the response to the challenge. e.g.: -# -# authorize { -# ... -# smsotp -# ... -# } -# -# authenticate { -# ... -# Auth-Type smsotp { -# pap -# smsotp -# } -# -# Auth-Type smsotp-reply { -# smsotp -# } -# ... -# } -# -smsotp { - # The location of the socket. - socket = "/var/run/smsotp_socket" - - # Defines the challenge message that will be send to the - # NAS. Default is "Enter Mobile PIN" } - challenge_message = "Enter Mobile PIN:" - - # Defines the Auth-Type section that is run for the response to - # the challenge. Default is "smsotp-reply". - challenge_type = "smsotp-reply" - - # Control how many sockets are used to talk to the SMSOTPd - # - pool { - # Number of connections to start - start = 5 - - # Minimum number of connections to keep open - min = 4 - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - max = 10 - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. - spare = 3 - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The lifetime (in seconds) of the connection - lifetime = 0 - - # idle timeout (in seconds). 
A connection which is
- unused for this length of time will be closed.
- idle_timeout = 60
-
- # NOTE: All configuration settings are enforced. If a
- connection is closed because of "idle_timeout",
- "uses", or "lifetime", then the total number of
- connections MAY fall below "min". When that
- happens, it will open a new connection. It will
- also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes
deleted file mode 100644
index 094426d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes
+++ /dev/null
@@ -1,12 +0,0 @@
-# -*- text -*-
-#
-# $Id: 3a96622cc938f558b023e1110769a46861716a12 $
-
-#
-# The "sometimes" module is here for debugging purposes. Each instance
-# randomly returns the configured result, or "noop".
-#
-# It is based on the "always" module.
-sometimes {
- rcode = fail
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql
deleted file mode 100644
index 341cdf3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql
+++ /dev/null
@@ -1,366 +0,0 @@ -# -*- text -*- -## -## mods-available/sql -- SQL modules -## -## $Id: cfeac63ea87c30fead8457af6d10f5c3a0f48aef $ - -###################################################################### -# -# Configuration for the SQL module -# -# The database schemas and queries are located in subdirectories: -# -# sql//main/schema.sql Schema -# sql//main/queries.conf Authorisation and Accounting queries -# -# Where "DB" is mysql, mssql, oracle, or postgresql. -# -# The name used to query SQL is sql_user_name, which is set in the file -# -# raddb/mods-config/sql/main/${dialect}/queries.conf -# -# If you are using realms, that configuration should be changed to use -# the Stripped-User-Name attribute. See the comments around sql_user_name -# for more information. -# - -sql { - # - # The dialect of SQL being used. - # - # Allowed dialects are: - # - # mssql - # mysql - # oracle - # postgresql - # sqlite - # mongo - # - dialect = "sqlite" - - # - # The driver module used to execute the queries. Since we - # don't know which SQL drivers are being used, the default is - # "rlm_sql_null", which just logs the queries to disk via the - # "logfile" directive, below. - # - # In order to talk to a real database, delete the next line, - # and uncomment the one after it. - # - # If the dialect is "mssql", then the driver should be set to - # one of the following values, depending on your system: - # - # rlm_sql_db2 - # rlm_sql_firebird - # rlm_sql_freetds - # rlm_sql_iodbc - # rlm_sql_unixodbc - # - driver = "rlm_sql_null" -# driver = "rlm_sql_${dialect}" - - # - # Driver-specific subsections. They will only be loaded and - # used if "driver" is something other than "rlm_sql_null". - # When a real driver is used, the relevant driver - # configuration section is loaded, and all other driver - # configuration sections are ignored. 
- # - sqlite { - # Path to the sqlite database - filename = "/tmp/freeradius.db" - - # How long to wait for write locks on the database to be - # released (in ms) before giving up. - busy_timeout = 200 - - # If the file above does not exist and bootstrap is set - # a new database file will be created, and the SQL statements - # contained within the bootstrap file will be executed. - bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql" - } - - mysql { - # If any of the files below are set, TLS encryption is enabled - tls { - ca_file = "/etc/ssl/certs/my_ca.crt" - ca_path = "/etc/ssl/certs/" - certificate_file = "/etc/ssl/certs/private/client.crt" - private_key_file = "/etc/ssl/certs/private/client.key" - cipher = "DHE-RSA-AES256-SHA:AES128-SHA" - - tls_required = yes - tls_check_cert = no - tls_check_cert_cn = no - } - - # If yes, (or auto and libmysqlclient reports warnings are - # available), will retrieve and log additional warnings from - # the server if an error has occured. Defaults to 'auto' - warnings = auto - } - - postgresql { - - # unlike MySQL, which has a tls{} connection configuration, postgresql - # uses its connection parameters - see the radius_db option below in - # this file - - # Send application_name to the postgres server - # Only supported in PG 9.0 and greater. Defaults to no. - send_application_name = yes - } - - # - # Configuration for Mongo. - # - # Note that the Mongo driver is experimental. The FreeRADIUS developers - # are unable to help with the syntax of the Mongo queries. Please see - # the Mongo documentation for that syntax. - # - # The Mongo driver supports only the following methods: - # - # aggregate - # findAndModify - # findOne - # insert - # - # For examples, see the query files: - # - # raddb/mods-config/sql/main/mongo/queries.conf - # raddb/mods-config/sql/main/ippool/queries.conf - # - # In order to use findAndModify with an aggretation pipleline, make - # sure that you are running MongoDB version 4.2 or greater. 
FreeRADIUS - # assumes that the paramaters passed to the methods are supported by the - # version of MongoDB which it is connected to. - # - mongo { - # - # The application name to use. - # - appname = "freeradius" - - # - # The TLS parameters here map directly to the Mongo TLS configuration - # - tls { - certificate_file = /path/to/file - certificate_password = "password" - ca_file = /path/to/file - ca_dir = /path/to/directory - crl_file = /path/to/file - weak_cert_validation = false - allow_invalid_hostname = false - } - } - - # Connection info: - # -# server = "localhost" -# port = 3306 -# login = "radius" -# password = "radpass" - - # Connection info for Mongo - # Authentication Without SSL - # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false" - - # Authentication With SSL - # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true" - - # Authentication with Certificate - # Use this command for retrieve Derived username: - # openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253 - # server = mongodb://@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509 - - # Database table configuration for everything except Oracle - radius_db = "radius" - - # If you are using Oracle then use this instead -# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))" - - # If you're using postgresql this can also be used instead of the connection info parameters -# radius_db = "dbname=radius host=localhost user=radius password=raddpass" - - # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to - # use SSL connections then use this form of connection info parameter -# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt" - - # If you want both stop and 
start records logged to the - # same SQL table, leave this as is. If you want them in - # different tables, put the start table in acct_table1 - # and stop table in acct_table2 - acct_table1 = "radacct" - acct_table2 = "radacct" - - # Allow for storing data after authentication - postauth_table = "radpostauth" - - # Tables containing 'check' items - authcheck_table = "radcheck" - groupcheck_table = "radgroupcheck" - - # Tables containing 'reply' items - authreply_table = "radreply" - groupreply_table = "radgroupreply" - - # Table to keep group info - usergroup_table = "radusergroup" - - # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table. - # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table. -# read_groups = yes - - # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table. - # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table. -# read_profiles = yes - - # Remove stale session if checkrad does not see a double login - delete_stale_sessions = yes - - # Write SQL queries to a logfile. This is potentially useful for tracing - # issues with authorization queries. See also "logfile" directives in - # mods-config/sql/main/*/queries.conf. You can enable per-section logging - # by enabling "logfile" there, or global logging by enabling "logfile" here. - # - # Per-section logging can be disabled by setting "logfile = ''" -# logfile = ${logdir}/sqllog.sql - - # Set the maximum query duration and connection timeout - # for rlm_sql_mysql. -# query_timeout = 5 - - # As of version 3.0, the "pool" section has replaced the - # following configuration items: - # - # num_sql_socks - # connect_failure_retry_delay - # lifetime - # max_queries - - # - # The connection pool is new for 3.0, and will be used in many - # modules, for all kinds of connection-related activity. 
- # - # When the server is not threaded, the connection pool - # limits are ignored, and only one connection is used. - # - # If you want to have multiple SQL modules re-use the same - # connection pool, use "pool = name" instead of a "pool" - # section. e.g. - # - # sql sql1 { - # ... - # pool { - # ... - # } - # } - # - # # sql2 will use the connection pool from sql1 - # sql sql2 { - # ... - # pool = sql1 - # } - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # database being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. - spare = ${thread[pool].max_spare_servers} - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The number of seconds to wait after the server tries - # to open a connection, and fails. During this time, - # no new connections will be opened. - retry_delay = 30 - - # The lifetime (in seconds) of the connection - lifetime = 0 - - # idle timeout (in seconds). A connection which is - # unused for this length of time will be closed. 
- idle_timeout = 60 - - # NOTE: All configuration settings are enforced. If a - # connection is closed because of "idle_timeout", - # "uses", or "lifetime", then the total number of - # connections MAY fall below "min". When that - # happens, it will open a new connection. It will - # also log a WARNING message. - # - # The solution is to either lower the "min" connections, - # or increase lifetime/idle_timeout. - } - - # Set to 'yes' to read radius clients from the database ('nas' table) - # Clients will ONLY be read on server startup. - # - # A client can be link to a virtual server via the SQL - # module. This link is done via the following process: - # - # If there is no listener in a virtual server, SQL clients - # are added to the global list for that virtual server. - # - # If there is a listener, and the first listener does not - # have a "clients=..." configuration item, SQL clients are - # added to the global list. - # - # If there is a listener, and the first one does have a - # "clients=..." configuration item, SQL clients are added to - # that list. The client { ...} ` configured in that list are - # also added for that listener. - # - # The only issue is if you have multiple listeners in a - # virtual server, each with a different client list, then - # the SQL clients are added only to the first listener. - # -# read_clients = yes - - # Table to keep radius client info - client_table = "nas" - - # - # The group attribute specific to this instance of rlm_sql - # - - # This entry should be used for additional instances (sql foo {}) - # of the SQL module. -# group_attribute = "${.:instance}-SQL-Group" - - # This entry should be used for the default instance (sql {}) - # of the SQL module. - group_attribute = "SQL-Group" - - # Read database-specific queries - $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map
deleted file mode 100644
index 93b2636..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map
+++ /dev/null
@@ -1,49 +0,0 @@
-# Configuration for the SQL based Map (rlm_sql_map)
-sql_map {
- # SQL instance to use (from mods-available/sql)
- #
- # If you have multiple sql instances, such as "sql sql1 {...}",
- # use the *instance* name here: sql1.
- sql_module_instance = "sql"
-
- # This is duplicative of info available in the SQL module, but
- # we have to list it here as we do not yet support nested
- # reference expansions.
- dialect = "mysql"
-
- # Name of the check item attribute to be used as a key in the SQL queries
- query = "SELECT ... FROM ... "
-
- #
- # Mapping of SQL columns to RADIUS dictionary attributes.
- #
-
- # WARNING: Although this format is almost identical to the unlang
- # update section format, it does *NOT* mean that you can use other
- # unlang constructs in module configuration files.
- #
- # Configuration items are in the format:
- #
- #
- # Where:
- # : Is the destination RADIUS attribute
- # with any valid list and request qualifiers.
- # : Is any assignment attribute (=, :=, +=, -=).
- # : The column number (not name), starting from 0
- #
- # Request and list qualifiers may also be placed after the 'update'
- # section name to set defaults destination requests/lists
- # for unqualified RADIUS attributes.
- #
- update {
- control:Password-With-Header += 0
-# control:NT-Password := 1
-# reply:Reply-Message := 2
-# reply:Tunnel-Type := 3
-# reply:Tunnel-Medium-Type := 4
-# reply:Tunnel-Private-Group-ID := 5
- }
-
- # If the 'query' results in multiple rows, it creates the [*] array entry.
-# multiple_rows = yes
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter
deleted file mode 100644
index f616a80..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter
+++ /dev/null
@@ -1,115 +0,0 @@ -# Rather than maintaining separate (GDBM) databases of -# accounting info for each counter, this module uses the data -# stored in the raddacct table by the sql modules. This -# module NEVER does any database INSERTs or UPDATEs. It is -# totally dependent on the SQL module to process Accounting -# packets. -# -# The sql-module-instance' parameter holds the instance of the sql -# module to use when querying the SQL database. Normally it -# is just "sql". If you define more and one SQL module -# instance (usually for failover situations), you can -# specify which module has access to the Accounting Data -# (radacct table). -# -# The 'reset' parameter defines when the counters are all -# reset to zero. It can be hourly, daily, weekly, monthly or -# never. It can also be user defined. It should be of the -# form: -# num[hdwm] where: -# h: hours, d: days, w: weeks, m: months -# If the letter is ommited days will be assumed. In example: -# reset = 10h (reset every 10 hours) -# reset = 12 (reset every 12 days) -# -# The 'key' parameter specifies the unique identifier for the -# counter records (usually 'User-Name'). -# -# The 'query' parameter specifies the SQL query used to get -# the current Counter value from the database. There are 2 -# parameters that can be used in the query: -# %%b unix time value of beginning of reset period -# %%e unix time value of end of reset period -# -# The 'check_name' parameter is the name of the 'check' -# attribute to use to access the counter in the 'users' file -# or SQL radcheck or radgroupcheck tables. -# -# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject -# Reply-Message = "You've used up more than one hour today" -# -# The "dailycounter" (or any other sqlcounter module) should be added -# to "post-auth" section. It will then update the Session-Timeout -# attribute in the reply. If there is no Session-Timeout attribute, -# the module will add one. 
If there is an attribute, the sqlcounter -# module will make sure that the value is no higher than the limit. -# -sqlcounter dailycounter { - sql_module_instance = sql - dialect = ${modules.sql.dialect} - - counter_name = Daily-Session-Time - check_name = Max-Daily-Session - reply_name = Session-Timeout - - key = User-Name - reset = daily - - $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf -} - -sqlcounter weeklycounter { - sql_module_instance = sql - dialect = ${modules.sql.dialect} - - counter_name = Weekly-Session-Time - check_name = Max-Weekly-Session - reply_name = Session-Timeout - - key = User-Name - reset = weekly - - $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf -} - -sqlcounter monthlycounter { - sql_module_instance = sql - dialect = ${modules.sql.dialect} - - counter_name = Monthly-Session-Time - check_name = Max-Monthly-Session - reply_name = Session-Timeout - key = User-Name - reset = monthly - - $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf -} - -sqlcounter noresetcounter { - sql_module_instance = sql - dialect = ${modules.sql.dialect} - - counter_name = Max-All-Session-Time - check_name = Max-All-Session - key = User-Name - reset = never - - $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf -} - -# -# Set an account to expire T seconds after first login. -# Requires the Expire-After attribute to be set, in seconds. -# You may need to edit raddb/dictionary to add the Expire-After -# attribute. -sqlcounter expire_on_login { - sql_module_instance = sql - dialect = ${modules.sql.dialect} - - counter_name = Expire-After-Initial-Login - check_name = Expire-After - key = User-Name - reset = never - - $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool deleted file mode 100644 index 7d63a3b..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool
+++ /dev/null
@@ -1,115 +0,0 @@
-# Configuration for the SQL based IP Pool module (rlm_sqlippool)
-#
-# The database schemas are available at:
-#
-# raddb/mods-config/sql/ippool//schema.sql
-#
-# $Id: 3d98ca9e0fca4f8df2657d53a15a2c52756b45e1 $
-
-sqlippool {
- # SQL instance to use (from mods-available/sql)
- #
- # If you have multiple sql instances, such as "sql sql1 {...}",
- # use the *instance* name here: sql1.
- sql_module_instance = "sql"
-
- # This is duplicative of info available in the SQL module, but
- # we have to list it here as we do not yet support nested
- # reference expansions.
- dialect = "mysql"
-
- # Name of the check item attribute to be used as a key in the SQL queries
- pool_name = "Pool-Name"
-
- # SQL table to use for ippool range and lease info
- ippool_table = "radippool"
-
- # IP lease duration. (Leases expire even if Acct Stop packet is lost)
- #
- # Note that you SHOULD also set Session-Timeout to this value!
- # That way the NAS will automatically kick the user offline when the
- # lease expires.
- #
- lease_duration = 3600
-
- #
- # Timeout between each consecutive 'allocate_clear' queries (default: 1s)
- # This will avoid having too many deadlock issues, especially on MySQL backend.
- #
- allocate_clear_timeout = 1
-
- #
- # As of 3.0.16, the 'ipv6 = yes' configuration is deprecated.
- # You should use the "attribute_name" configuration item
- # below, instead.
- #
-
- #
- # The attribute to use for IP address assignment. The
- # default is Framed-IP-Address. You can change this to any
- # attribute which is IPv4 or IPv6.
- #
- # e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
- #
- # As of 3.0.16, all of the default queries have been updated to use
- # this attribute_name. So you can do IPv6 address assignment simply
- # by putting IPv6 addresses into the pool, and changing the following
- # line to "Framed-IPv6-Prefix"
- #
- # Note that you MUST use separate pools for each attribute. i.e. 
one pool
- # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
- #
- # This means configuring separate "sqlippool" instances, and different
- # "ippool_table" in SQL. Then, populate the pool with addresses and
- # it will all just work.
- #
- attribute_name = Framed-IP-Address
-
- #
- # Assign the IP address, even if the above attribute already exists
- # in the reply.
- #
-# allow_duplicates = no
-
- # The attribute in which an IP address hint may be supplied
- req_attribute_name = Framed-IP-Address
-
- # Attribute which should be considered unique per NAS
- #
- # Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
- # Using Calling-Station-Id works for NAS that send fixed NAS-Port
- # ONLY change this if you know what you are doing!
- pool_key = "%{NAS-Port}"
- # pool_key = "%{Calling-Station-Id}"
-
- ################################################################
- #
- # WARNING: MySQL (MyISAM) has certain limitations that means it can
- # hand out the same IP address to 2 different users.
- #
- # We suggest using an SQL DB with proper transaction
- # support, such as PostgreSQL, or using MySQL
- # with InnoDB.
- #
- ################################################################
-
- # These messages are added to the "control" items, as
- # Module-Success-Message. They are not logged anywhere else,
- # unlike previous versions. If you want to have them logged
- # to a file, see the "linelog" module, and create an entry
- # which writes Module-Success-Message message. 
- #
- messages {
- exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
-
- failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
- }
-
- $INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound
deleted file mode 100644
index 9fd9b1f..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound
+++ /dev/null
@@ -1,4 +0,0 @@
-unbound dns {
- # filename = "${raddbdir}/mods-config/unbound/default.conf"
- # timeout = 3000
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax
deleted file mode 100644
index 3add59e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax
+++ /dev/null
@@ -1,165 +0,0 @@
-#
-# The WiMAX module currently takes no configuration.
-#
-# ## Instructions for v1 and v2.0 WiMAX
-#
-# It should be listed in the "authorize" and "preacct" sections.
-# This enables the module to fix the horrible binary version
-# of Calling-Station-Id to the normal format, as specified in
-# RFC 3580, Section 3.21.
-#
-# In order to calculate the various WiMAX keys, the module should
-# be listed in the "post-auth" section. If EAP authentication
-# has been used, AND the EAP method derives MSK and EMSK, then
-# the various WiMAX keys can be calculated.
-#
-# Some useful things to remember:
-#
-# WiMAX-MSK = EAP MSK, but is 64 octets.
-#
-# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
-# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
-# MIP-RK = MIP-RK-1 | MIP-RK-2
-#
-# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
-# plus some magic... you've got to track *all* MIP-SPI's
-# on your system!
-#
-# SPI-CMIP4 = MIP-SPI
-# SPI-PMIP4 = MIP-SPI + 1
-# SPI-CMIP6 = MIP-SPI + 2
-#
-# MN-NAI is the Mobile node NAI. You have to create it, and put
-# it into the request or reply as something like:
-#
-# WiMAX-MN-NAI = "%{User-Name}"
-#
-# You will also have to have the appropriate IP address (v4 or v6)
-# in order to calculate the keys below.
-#
-# Lifetimes are derived from Session-Timeout. It needs to be set
-# to some useful number.
-#
-# The hash function below H() is HMAC-SHA1. 
-#
-#
-# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
-#
-# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
-# or maybe WiMAX-vHA-IP-MIP4
-#
-# Which goes into WiMAX-MN-hHA-MIP4-Key
-# or maybe WiMAX-RRQ-MN-HA-Key
-# or maybe even WiMAX-vHA-MIP4-Key
-#
-# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
-#
-# which goes into WiMAX-MN-hHA-MIP4-SPI
-# or maybe WiMAX-RRQ-MN-HA-SPI
-# or even WiMAX-MN-vHA-MIP4-SPI
-#
-# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
-# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
-#
-# both with similar comments to above for MN-HA-CMIP4.
-#
-# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
-# you have to set WiMAX-IP-Technology in the reply to one of
-# the appropriate values.
-#
-#
-# FA-RK = H(MIP-RK, "FA-RK")
-#
-# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
-#
-# Where does the FA-IP come from? No idea...
-#
-#
-# The next two keys (HA-RK and FA-HA) are not generated
-# for every authentication request, but only on demand.
-#
-# HA-RK = 160-bit random number assigned by the AAA server
-# to a specific HA.
-#
-# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
-#
-# where HA-IPv4 is as above.
-# and FA-CoAv4 address of the FA as seen by the HA
-# and SPI is the relevant SPI for the HA-RK.
-#
-# DHCP-RK = 160-bit random number assigned by the AAA server
-# to a specific DHCP server. vDHCP-RK is the same
-# thing.
-#
-#
-#
-# ## Instructions for v2.1 (LTE) WiMAX:
-#
-# When called from the "authorize" this module will detect the
-# presence of the following attributes:
-#
-# request:WiMAX-Re-synchronization-Info
-# control:WiMAX-SIM-Ki
-# control:WiMAX-SIM-OPc
-#
-# If all attributes are present, (i.e. a known SIM is requesting a
-# resync) then the module will attempt to extract the new SQN and
-# save it in control:WiMAX-SIM-SQN. It will also save a copy of
-# RAND from the request in control:WiMAX-SIM-RAND.
-#
-# The resulting value of SQN can then be saved in a database
-# e.g. 
via a call to the sql module using some unlang
-#
-# When called in the "post_auth" section it looks for:
-#
-# control:WiMAX-SIM-Ki
-# control:WiMAX-SIM-OPc
-# control:WiMAX-SIM-AMF
-# control:WiMAX-SIM-SQN
-# request:WiMAX-Visited-PLMN-ID
-#
-# If all these are present then it will attempt to generate the
-# keys for EPS AKA.
-#
-# First it checks for the presence of control:WiMAX-SIM-RAND and
-# if it is not present it generates a new RAND value which is
-# stored in reply:WiMAX-E-UTRAN-Vector-RAND. If it is present then
-# the value is simply copied to the reply attribute.
-#
-# Then it calls the Milenage algorithm to generate:
-#
-# reply:WiMAX-E-UTRAN-Vector-XRES
-# reply:WiMAX-E-UTRAN-Vector-AUTN
-#
-# And finally generates KASME which is stored in:
-# reply:WiMAX-E-UTRAN-Vector-KASME
-#
-#
-# NOTE: It is up to the system administrator to make sure that all
-# the necessary "control" attributes are populated with the
-# required values. The IMSI is likely to be found in User-Name in
-# the request and this can be used as the key to grab the values
-# from a database.
-#
-#
-wimax {
- #
- # Some WiMAX equipment requires that the MS-MPPE-*-Key
- # attributes are sent in the Access-Accept, in addition to
- # the WiMAX-MSK attribute.
- #
- # Other WiMAX equipment request that the MS-MPPE-*-Key
- # attributes are NOT sent in the Access-Accept.
- #
- # By default, the EAP modules sends MS-MPPE-*-Key attributes.
- # The default virtual server (raddb/sites-available/default)
- # contains examples of adding the WiMAX-MSK.
- #
- # This configuration option makes the WiMAX module delete
- # the MS-MPPE-*-Key attributes. The default is to leave
- # them in place.
- #
- # If the keys are deleted (by setting this to "yes"), then
- # the WiMAX-MSK attribute is automatically added to the reply.
- delete_mppe_keys = no
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey
deleted file mode 100644
index 9ba61ef..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey
+++ /dev/null
@@ -1,158 +0,0 @@ -# -# This module decrypts and validates Yubikey static and dynamic -# OTP tokens. -# -yubikey { - # - # The length (number of ASCII bytes) of the Public-ID portion - # of the OTP string. - # - # Yubikey defaults to a 6 byte ID (2 * 6 = 12) -# id_length = 12 - - # - # If true, the authorize method of rlm_yubikey will attempt to split the - # value of User-Password, into the user's password, and the OTP token. - # - # If enabled and successful, the value of &request:User-Password will be - # truncated and &request:Yubikey-OTP will be added. - # -# split = yes - - # - # Decrypt mode - Tokens will be decrypted and processed locally - # - # The module itself does not provide persistent storage as this - # would be duplicative of functionality already in the server. - # - # Yubikey authentication needs two attributes retrieved from - # persistent storage: - # * &control:Yubikey-Key - The AES key used to decrypt the OTP data. - # The Yubikey-Public-Id and/or User-Name - # attributes may be used to retrieve the key. - # * &control:Yubikey-Counter - This is compared with the counter in the OTP - # data and used to prevent replay attacks. - # This attribute will also be available in - # the request list after successful - # decryption. - # - # Yubikey-Counter isn't strictly required, but the server will - # generate warnings if it's not present when yubikey.authenticate - # is called. - # - # These attributes are available after authorization: - # * &request:Yubikey-Public-ID - The public portion of the OTP string. - # and additionally if 'split' is set: - # * &request:Yubikey-OTP - The OTP portion of User-Password. - # - # These attributes are available after authentication (if successful): - # * &request:Yubikey-Private-ID - The encrypted ID included in OTP data, - # must be verified if tokens share keys. - # * &request:Yubikey-Counter - The last counter value (should be recorded). 
- # * &request:Yubikey-Timestamp - Token's internal clock (mainly useful for - # debugging). - # * &request:Yubikey-Random - Randomly generated value from the token. - # - decrypt = no - - # - # Validation mode - Tokens will be validated against a Yubicloud server - # - validate = no - - # - # Settings for validation mode. - # - validation { - # - # URL of validation server, multiple URL config items may be used - # to list multiple servers. - # - # - %d is a placeholder for public ID of the token - # - %s is a placeholder for the token string itself - # - # If no URLs are listed, will default to the default URLs in the - # ykclient library, which point to the yubico validation servers. - servers { -# uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' -# uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' - } - - # - # API Client ID - # - # Must be set to your client id for the validation server. - # -# client_id = 00000 - - # - # API Secret key (Base64 encoded) - # - # Must be set to your API key for the validation server. - # -# api_key = '000000000000000000000000' - - # - # Connection pool parameters - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # yubikey server being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. 
- max = ${thread[pool].max_servers}
-
- # Number of uses before the connection is closed
- #
- # NOTE: A setting of 0 means infinite (no limit).
- uses = 0
-
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- retry_delay = 30
-
- # The lifetime (in seconds) of the connection
- #
- # NOTE: A setting of 0 means infinite (no limit).
- lifetime = 0
-
- # The idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- #
- # NOTE: A setting of 0 means infinite (no timeout).
- idle_timeout = 60
-
- # Cycle over all connections in a pool instead of concentrating
- # connection use on a few connections.
- spread = yes
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
- }
-}
From 115ae30929aeb4b9ea63c62cbc1dbdfbcfce41a8 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Thu, 4 Aug 2022 03:03:55 +0000 Subject: [PATCH 03/59] Remove unused sites --- .../raddb/sites-available/README | 335 --------- .../raddb/sites-available/abfab-tls | 118 ---- .../raddb/sites-available/abfab-tr-idp | 198 ------ .../raddb/sites-available/buffered-sql | 161 ----- .../raddb/sites-available/challenge | 123 ---- .../raddb/sites-available/channel_bindings | 17 - .../raddb/sites-available/check-eap-tls | 135 ---- .../raddb/sites-available/coa | 49 -- .../raddb/sites-available/coa-relay | 331 --------- .../raddb/sites-available/control-socket | 92 --- .../sites-available/copy-acct-to-home-server | 202 ------ .../sites-available/decoupled-accounting | 139 ---- .../raddb/sites-available/dhcp | 584 ---------------- .../raddb/sites-available/dhcp.relay | 44 -- .../raddb/sites-available/dynamic-clients | 222 ------ .../raddb/sites-available/example | 122 ---- .../raddb/sites-available/originate-coa | 185 ----- .../raddb/sites-available/proxy-inner-tunnel | 47 -- .../raddb/sites-available/resource-check | 140 ---- .../sites-available/robust-proxy-accounting | 167 ----- .../raddb/sites-available/soh | 34 - .../raddb/sites-available/status | 127 ---- .../raddb/sites-available/tls | 651 ------------------ .../raddb/sites-available/totp | 85 --- .../raddb/sites-available/virtual.example.com | 32 - .../raddb/sites-available/vmps | 98 --- 26 files changed, 4438 deletions(-) delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/README delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tls delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tr-idp delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/buffered-sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/challenge delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/channel_bindings delete mode 100644 
pkgs/fablab/freeradius-anon-access/raddb/sites-available/check-eap-tls delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa-relay delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/control-socket delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/copy-acct-to-home-server delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/decoupled-accounting delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/dhcp delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/dhcp.relay delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/dynamic-clients delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/example delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/originate-coa delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/proxy-inner-tunnel delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/resource-check delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/robust-proxy-accounting delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/soh delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/status delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/tls delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/totp delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/virtual.example.com delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/sites-available/vmps
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/README b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/README
deleted file mode 100644
index 7e0f27c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/README
+++ /dev/null
@@ -1,335 +0,0 @@ -1. Virtual Servers. - - FreeRADIUS 3.0 supports virtual servers. This is probably the -single largest change that is NOT backwards compatible with 1.x. - - The virtual servers do NOT have to be set up with the -"sites-available" and "sites-enabled" directories. You can still have -one "radiusd.conf" file, and put the server configuration there: - - ... - server { - authorize { - ... - } - authenticate { - ... - } - ... - } - ... - - The power of virtual servers lies in their ability to separate -policies. A policy can be placed into a virtual server, where it is -guaranteed to affect only the requests that are passed through that -virtual server. In 1.x, the policies were global, and it sometimes -took much effort to write a policy so that it only applied in certain -limited situations. - - -2. What do we mean by "virtual server"? - - - A virtual server is a (nearly complete) RADIUS server, just like a -configuration for FreeRADIUS 1.x. However, FreeRADIUS can now run -multiple virtual servers at the same time. The virtual servers can -even proxy requests to each other! - - The simplest way to create a virtual server is to take the all of -the request processing sections from radius.conf, ("authorize" , -"authenticate", etc.) and wrap them in a "server {}" block, as above. - - You can create another virtual server by: - - 1) defining a new "server foo {...}" section in radiusd.conf - 2) Putting the normal "authorize", etc. sections inside of it - 3) Adding a "listen" section *inside* of the "server" section. - - e.g. - - ... - server foo { - listen { - ipaddr = 127.0.0.1 - port = 2000 - type = auth - } - - authorize { - update control { - Cleartext-Password := "bob" - } - pap - } - - authenticate { - pap - } - } - ... 
- - With that text added to "radiusd.conf", run the server in debugging -mode (radiusd -X), and in another terminal window, type: - -$ radtest bob bob localhost:2000 0 testing123 - - You should see the server return an Access-Accept. - - -3. Capabilities and limitations - - - The only sub-sections that can appear in a virtual server section -are: - - listen - client - authorize - authenticate - post-auth - pre-proxy - post-proxy - preacct - accounting - session - - All other configuration parameters (modules, etc.) are global. - - Inside of a virtual server, the authorize, etc. sections have their -normal meaning, and can contain anything that an authorize section -could contain in 1.x. - - When a "listen" section is inside of a virtual server definition, it -means that all requests sent to that IP/port will be processed through -the virtual server. There cannot be two "listen" sections with the -same IP address and port number. - - When a "client" section is inside of a virtual server definition, it -means that that client is known only to the "listen" sections that are -also inside of that virtual server. Not only is this client -definition available only to this virtual server, but the details of -the client configuration is also available only to this virtual -server. - - i.e. Two virtual servers can listen on different IP address and -ports, but both can have a client with IP address 127.0.0.1. The -shared secret for that client can be different for each virtual -server. - - -4. More complex "listen" capabilities - - The "listen" sections have a few additional configuration items that -were not in 1.x, and were not mentioned above. These configuration -items enable almost any mapping of IP / port to clients to virtual -servers. - - The configuration items are: - - virtual_server = - - If set, all requests sent to this IP / port are processed - through the named virtual server. - - This directive can be used only for "listen" sections - that are global. i.e. 
It CANNOT be used if the - "listen" section is inside of a virtual server. - - clients = - - If set, the "listen" section looks for a "clients" section: - - clients { - ... - } - - It looks inside of that named "clients" section for - "client" subsections, at least one of which must - exist. Each client in that section is added to the - list of known clients for this IP / port. No other - clients are known. - - If it is set, it over-rides the list of clients (if - any) in the same virtual server. Note that the - clients are NOT additive! - - If it is not set, then the clients from the current - virtual server (if any) are used. If there are no - clients in this virtual server, then the global - clients are used. - - i.e. The most specific directive is used: - * configuration in this "listen" section - * clients in the same virtual server - * global clients - - The directives are also *exclusive*, not *additive*. - If you have one client in a virtual server, and - another client referenced from a "listen" section, - then that "listen" section will ONLY use the second - client. It will NOT use both clients. - - -5. More complex "client" capabilities - - The "client" sections have a few additional configuration items that -were not in 1.x, and were not mentioned above. These configuration -items enable almost any mapping of IP / port to clients to virtual -servers. - - The configuration items are: - - virtual_server = - - If set, all requests from this client are processed - through the named virtual server. - - This directive can be used only for "client" sections - that are global. i.e. It CANNOT be used if the - "client" section is inside of a virtual server. - - If the "listen" section has a "server" entry, and a matching -client is found ALSO with a "server" entry, then the clients server is -used for that request. - - -6. Worked examples - - - Listening on one socket, and mapping requests from two clients to -two different servers. - - listen { - ... 
- } - client one { - ... - virtual_server = server_one - } - client two { - ... - virtual_server = server_two - } - server server_one { - authorize { - ... - } - ... - } - server server_two { - authorize { - ... - } - ... - } - - This could also be done as: - - - listen { - ... - virtual_server = server_one - } - client one { - ... - } - client two { - ... - virtual_server = server_two - } - server server_one { - authorize { - ... - } - ... - } - server server_two { - authorize { - ... - } - ... - } - - In this case, the default server for the socket is "server_one", so -there is no need to set that in the client "one" configuration. The -"server_two" configuration for client "two" over-rides the default -setting for the socket. - - Note that the following configuration will NOT work: - - listen { - ... - virtual_server = server_one - } - client one { - ... - } - server server_one { - authorize { - ... - } - ... - } - server server_two { - client two { - ... - } - authorize { - ... - } - ... - } - - In this example, client "two" is hidden inside of the virtual -server, where the "listen" section cannot find it. - - -7. Outlined examples - - This section outlines a number of examples, with alternatives. - - One server, multiple sockets - - multiple "listen" sections in a "server" section - - one server per client - - define multiple servers - - have a global "listen" section - - have multiple global "clients", each with "virtual_server = X" - - two servers, each with their own sockets - - define multiple servers - - put "client" sections into each "server" - - put a "listen" section into each "server" - - Each server can list the same client IP, and the secret - can be different - - two sockets, sharing a list of clients, but pointing to different servers - - define global "listen" sections - - in each, set "virtual_server = X" - - in each, set "clients = Y" - - define "clients Y" section, containing multiple clients. 
- - This also means that you can have a third socket, which - doesn't share any of these clients. - - -8. How to decide what to do - - - If you want *completely* separate policies for a socket or a client, -then create a separate virtual server. Then, map the request to that -server by setting configuration entries in a "listen" section or in a -"client" section. - - Start off with the common cases first. If most of the clients -and/or sockets get a particular policy, make that policy the default. -Configure it without paying attention to the sockets or clients you -want to add later, and without adding a second virtual server. Once -it works, then add the second virtual server. - - If you want to re-use the previously defined sockets with the second -virtual server, then you will need one or more global "client" -sections. Those clients will contain a "virtual_server = ..." entry -that will direct requests from those clients to the appropriate -virtual server. diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tls b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tls deleted file mode 100644 index b4384ad..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tls +++ /dev/null 
@@ -1,118 +0,0 @@
-#
-# Example configuration for ABFAB listening on TLS.
-#
-# $Id: b8d0626bbe8923a97506b7410e83f88e3af4c42a $
-#
-listen {
- ipaddr = *
- port = 2083
- type = auth
- proto = tcp
-
- tls {
- tls_min_version = "1.2"
- private_key_password = whatever
-
- # Moonshot tends to distribute certs separate from keys
- private_key_file = ${certdir}/server.key
- certificate_file = ${certdir}/server.pem
- ca_file = ${cadir}/ca.pem
- dh_file = ${certdir}/dh
- fragment_size = 8192
- ca_path = ${cadir}
- cipher_list = "DEFAULT"
- cache {
- enable = no
- lifetime = 24 # hours
- name = "abfab-tls"
- # persist_dir = ${logdir}/abfab-tls
- }
- require_client_cert = yes
- verify {
- }
-
- psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
- }
-
- virtual_server = abfab-idp
- clients = radsec-abfab
-}
-
-# There needs to be a separated "listen" section for IPv6.
-# Typically it will be identical to the IPv4 one above, but there might be
-# some differences (e.g. if a different certificate or port is desired)
-listen {
- ipaddr = ::
- port = 2083
- type = auth
- proto = tcp
-
- tls {
- tls_min_version = "1.2"
- private_key_password = whatever
-
- # Moonshot tends to distribute certs separate from keys
- private_key_file = ${certdir}/server.key
- certificate_file = ${certdir}/server.pem
- ca_file = ${cadir}/ca.pem
- dh_file = ${certdir}/dh
- fragment_size = 8192
- ca_path = ${cadir}
- cipher_list = "DEFAULT"
- cache {
- enable = no
- lifetime = 24 # hours
- name = "abfab-tls"
- # persist_dir = ${logdir}/abfab-tls
- }
- require_client_cert = yes
- verify {
- }
-
- psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
- }
-
- virtual_server = abfab-idp
- clients = radsec-abfab
-}
-
-clients radsec-abfab {
- #
- # Allow all clients, but require TLS.
- # This client stanza will match other RP proxies from other
- # realms established via the trustrouter. 
In general - # additional client stanzas are also required for local services. - # - client default { - ipaddr = 0.0.0.0/0 - proto = tls - } - - client default_ip6 { - ipaddr = ::/0 - proto = tls - } - - # An example local service - # client service_1 { - # ipaddr = 192.0.2.20 - # # You should either set gss_acceptor_host_name below - # # or set up policy to confirm that a client claims - # # the right acceptor hostname when using ABFAB. If - # # set, the RADIUS server will confirm that all - # # requests have this value for the acceptor host name - # gss_acceptor_host_name = "server.example.com" - # # If set, this acceptor realm name will be included. - # # Foreign realms will typically reject a request if this is not - # # properly set. - # gss_acceptor_realm_name = "example.com" - # # Additionally, trust_router_coi can be set; if set - # # it will override the default_community in the realm - # # module - # trust_router_coi = "community1.example.net" - # # In production depployments it is important to set - # # up certificate verification so that even if - # # clients spoof IP addresses, one client cannot - # # impersonate another. - # } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tr-idp b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tr-idp deleted file mode 100644 index d820a85..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/abfab-tr-idp +++ /dev/null 
@@ -1,198 +0,0 @@ -# -# This file represents a server that is implementing an identity -# provider for GSS-EAP (RFC 7055) using the trust router -# protocol for dynamic realm discovery. Any ABFAB identity -# provider is also an ABFAB relying party proxy. -# -# This file does not include a TLS listener; see abfab-tls for a simple -# example of a RADSEC listener for ABFAB. -# -# $Id: be98568d3b16a163fdcd1803b171450a7b7d42da $ -# - -server abfab-idp { -authorize { - psk_authorize - abfab_client_check - filter_username - preprocess - - # If you intend to use CUI and you require that the Operator-Name - # be set for CUI generation and you want to generate CUI also - # for your local clients then uncomment the operator-name - # below and set the operator-name for your clients in clients.conf -# operator-name - - # - # If you want to generate CUI for some clients that do not - # send proper CUI requests, then uncomment the - # cui below and set "add_cui = yes" for these clients in clients.conf -# cui - - # - # Do RFC 7542 bang path routing. If you want to only do standard - # RADIUS NAI routing, comment out the below line. - rfc7542 - - # Standard RADIUS NAI routing - if (!updated) { - suffix { - updated = 1 - noop = reject - } - } - - eap { - ok = return - } - - expiration - logintime -} - -authenticate { - # - # Allow EAP authentication. - eap -} - -# Post-Authentication -# Once we KNOW that the user has been authenticated, there are -# additional steps we can take. -post-auth { - # - # For EAP-TTLS and PEAP, add the cached attributes to the reply. - # The "session-state" attributes are automatically cached when - # an Access-Challenge is sent, and automatically retrieved - # when an Access-Request is received. - # - # The session-state attributes are automatically deleted after - # an Access-Reject or Access-Accept is sent. 
- # - # If both session-state and reply contain a User-Name attribute, remove - # the one in the reply if it is just a copy of the one in the request, so - # we don't end up with two User-Name attributes. - - if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { - update reply { - &User-Name !* ANY - } - } - update { - &reply: += &session-state: - } - - # Create the CUI value and add the attribute to Access-Accept. - # Uncomment the line below if *returning* the CUI. -# cui - - # - # If you want to have a log of authentication replies, - # un-comment the following line, and enable the - # 'detail reply_log' module. -# reply_log - - # - # After authenticating the user, do another SQL query. - # - # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf` - -sql - - # - # Un-comment the following if you want to modify the user's object - # in LDAP after a successful login. - # -# ldap - - # For Exec-Program and Exec-Program-Wait - exec - # Remove reply message if the response contains an EAP-Message - remove_reply_message_if_eap - # Access-Reject packets are sent through the REJECT sub-section of the - # post-auth section. - # - # Add the ldap module name (or instance) if you have set - # 'edir = yes' in the ldap module configuration - # - Post-Auth-Type REJECT { - # log failed authentications in SQL, too. 
- -sql - attr_filter.access_reject - - # Insert EAP-Failure message if the request was - # rejected by policy instead of because of an - # authentication failure And already has an EAP message - # For non-ABFAB, we insert the failure all the time, but for ABFAB - # It's more desirable to preserve reply-message when we can - if (&reply:Eap-Message) { - eap - } - - # Remove reply message if the response contains an EAP-Message - remove_reply_message_if_eap - } -} -# -# When the server decides to proxy a request to a home server, -# the proxied request is first passed through the pre-proxy -# stage. This stage can re-write the request, or decide to -# cancel the proxy. -# -# Only a few modules currently have this method. -# -pre-proxy { - # Before proxing the request add an Operator-Name attribute identifying - # if the operator-name is found for this client. - # No need to uncomment this if you have already enabled this in - # the authorize section. -# operator-name - - # The client requests the CUI by sending a CUI attribute - # containing one zero byte. - # Uncomment the line below if *requesting* the CUI. -# cui - - # Uncomment the following line if you want to change attributes - # as defined in the preproxy_users file. -# files - - # Uncomment the following line if you want to filter requests - # sent to remote servers based on the rules defined in the - # 'attrs.pre-proxy' file. -# attr_filter.pre-proxy - - # If you want to have a log of packets proxied to a home - # server, un-comment the following line, and the - # 'detail pre_proxy_log' section, above. -# pre_proxy_log -} -# -# When the server receives a reply to a request it proxied -# to a home server, the request may be massaged here, in the -# post-proxy stage. -# -post-proxy { - - # If you want to have a log of replies from a home server, - # un-comment the following line, and the 'detail post_proxy_log' - # section, above. 
-# post_proxy_log - - # Uncomment the following line if you want to filter replies from - # remote proxies based on the rules defined in the 'attrs' file. -# attr_filter.post-proxy - - # - # If you are proxying LEAP, you MUST configure the EAP - # module, and you MUST list it here, in the post-proxy - # stage. - # - # You MUST also use the 'nostrip' option in the 'realm' - # configuration. Otherwise, the User-Name attribute - # in the proxied request will not match the user name - # hidden inside of the EAP packet, and the end server will - # reject the EAP request. - # - eap -} -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/buffered-sql b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/buffered-sql deleted file mode 100644 index 43d5b46..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/buffered-sql +++ /dev/null 
@@ -1,161 +0,0 @@ -# -*- text -*- -###################################################################### -# -# In 2.0.0, radrelay functionality is integrated into the -# server core. This virtual server gives an example of -# using radrelay functionality inside of the server. -# -# In this example, the detail file is read, and the data -# is put into SQL. This configuration is used when a RADIUS -# server on this machine is receiving accounting packets, -# and writing them to the detail file. -# -# The purpose of this virtual server is to de-couple the storage -# of long-term accounting data in SQL from "live" information -# needed by the RADIUS server as it is running. -# -# The benefit of this approach is that for a busy server, the -# overhead of performing SQL queries may be significant. Also, -# if the SQL databases are large (as is typical for ones storing -# months of data), the INSERTs and UPDATEs may take a relatively -# long time. Rather than slowing down the RADIUS server by -# having it interact with a database, you can just log the -# packets to a detail file, and then read that file later at a -# time when the RADIUS server is typically lightly loaded. -# -# If you use on virtual server to log to the detail file, -# and another virtual server (i.e. this one) to read from -# the detail file, then this process will happen automatically. -# A sudden spike of RADIUS traffic means that the detail file -# will grow in size, and the server will be able to handle -# large volumes of traffic quickly. When the traffic dies down, -# the server will have time to read the detail file, and insert -# the data into a long-term SQL database. -# -# $Id: 74574ac5a36d446b2a72dcae64d1c0a1992014c8 $ -# -###################################################################### - -server buffered-sql { - listen { - type = detail - - # The location where the detail file is located. - # This should be on local disk, and NOT on an NFS - # mounted location! 
- # - # On most systems, this should support file globbing - # e.g. "${radacctdir}/detail-*:*" - # This lets you write many smaller detail files as in - # the example in radiusd.conf: ".../detail-%Y%m%d:%H" - # Writing many small files is often better than writing - # one large file. File globbing also means that with - # a common naming scheme for detail files, then you can - # have many detail file writers, and only one reader. - # - filename = "${radacctdir}/detail-*" - - # - # The server can read accounting packets from the - # detail file much more quickly than those packets - # can be written to a database. If the database is - # overloaded, then bad things can happen. - # - # The server will keep track of how long it takes to - # process an entry from the detail file. It will - # then pause between handling entries. This pause - # allows databases to "catch up", and gives the - # server time to notice that other packets may have - # arrived. - # - # The pause is calculated dynamically, to ensure that - # the load due to reading the detail files is limited - # to a small percentage of CPU time. The - # "load_factor" configuration item is a number - # between 1 and 100. The server will try to keep the - # percentage of time taken by "detail" file entries - # to "load_factor" percentage of the CPU time. - # - # If the "load_factor" is set to 100, then the server - # will read packets as fast as it can, usually - # causing databases to go into overload. - # - load_factor = 10 - - # - # Set the interval for polling the detail file. - # If the detail file doesn't exist, the server will - # wake up, and poll for it every N seconds. - # - # Useful range of values: 1 to 60 - # - poll_interval = 1 - - # - # Set the retry interval for when the home server - # does not respond. The current packet will be - # sent repeatedly, at this interval, until the - # home server responds. 
- # - # Useful range of values: 5 to 30 - # - retry_interval = 30 - - # - # Track progress through the detail file. When the detail - # file is large, and the server is re-started, it will - # read from the START of the file. - # - # Setting "track = yes" means it will skip packets which - # have already been processed. The default is "no". - # - # track = yes - - # - # In some circumstances it may be desirable for the - # server to start up, process a detail file, and - # immediately quit. To do this enable the "one_shot" - # option below. - # - # Do not enable this for normal server operation. The - # default is "no". - # - # one_shot = no - } - - # - # Pre-accounting. Decide which accounting type to use. - # - preacct { - preprocess - - # - # Ensure that we have a semi-unique identifier for every - # request, and many NAS boxes are broken. - acct_unique - - # - # Read the 'acct_users' file. This isn't always - # necessary, and can be deleted if you do not use it. - files - } - - # - # Accounting. Log the accounting data. - # - accounting { - # - # Log traffic to an SQL database. - # - # See "Accounting queries" in mods-config/sql/main/$driver/queries.conf - # sql - - - # Cisco VoIP specific bulk accounting - # pgsql-voip - - } - - # The requests are not being proxied, so no pre/post-proxy - # sections are necessary. -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/challenge b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/challenge deleted file mode 100644 index 10dcbc4..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/challenge +++ /dev/null 
@@ -1,123 +0,0 @@
-#
-# This file gives an example of using Challenge-Response
-#
-# In this example, the user logs in with a password, which has
-# to be "hello". The server will send them a challenge
-# consisting of a random number 0..9. The user has to respond
-# with that number.
-#
-#
-# $Id: c3aeb0865bbfc52be9690e396196b89a2e1ae761 $
-#
-listen {
- type = auth
- ipaddr = *
- port = 2000
- virtual_server = challenge
-}
-
-server challenge {
-authorize {
- #
- # OTP requires a password.
- #
- if (!User-Password) {
- reject
- }
-
- #
- # If there's no State attribute, then this is the first
- # request from the user.
- #
- if (!State) {
- #
- # Set the authentication to use step 1.
- update control {
- Auth-Type := Step1
-
- #
- # For testing we will just set the password to "hello".
- #
- # Normally the password comes from "ldap" or "sql".
- #
- Cleartext-Password := "hello"
-
-# ldap
-# sql
-# ...
- }
- }
- else {
- #
- # Check that the password looks like an OTP
- #
- if (User-Password !~ /[0-9]{6}/) {
- reject
- }
-
- #
- # Set the authentication to use step 2.
- # Set the "known good" password to the number
- # saved in the session-state list.
- #
- update control {
- Auth-Type := Step2
-
- #
- # For testing, ensure that the user enters the same password.
- #
- # Normally this section should look up a TOTP-Secret, and
- #
- Cleartext-Password := &session-state:Tmp-Integer-0
-
- #
- # Normally this section should also set &control:TOTP-Secret, too.
- #
- TOTP-Password := &User-Password
- }
- }
-}
-
-authenticate {
- Auth-Type Step1 {
- # If the password doesn't match, the user is rejected
- # immediately.
- pap
-
- #
- # For testing, just use a 6 digit random OTP.
- #
- update session-state {
- Tmp-Integer-0 := "%{randstr:nnnnnn}"
- }
-
- #
- # For testing, tell the user what OTP to enter.
- #
- # Don't do this in production...
- #
- update reply {
- Reply-Message := "Please enter OTP %{session-state:Tmp-Integer-0}"
- }
-
- #
- # Send an Access-Challenge.
- # See raddb/policy.d/control for the definition
- # of "challenge"
- #
- challenge
- }
-
- Auth-Type Step2 {
- #
- # For testing, do PAP authentication with the password.
- #
- pap
- #
- # Normally you'd do TOTP checks via the TOTP module.
- #
-# totp
- }
-}
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/channel_bindings b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/channel_bindings
deleted file mode 100644
index 449c69c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/channel_bindings
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# A virtual server which is used to validate channel-bindings.
-#
-# $Id: b9f0ac791511903e4be8794203d324446e7a949c $
-#
-server channel_bindings {
- #
- # Only the "authorize" section is needed.
- #
- authorize {
- # In general this section should include a policy for each type
- # of channel binding that may be in use. For example each lower
- # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to
- # need a separate channel binding policy.
- abfab_channel_bindings
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/check-eap-tls b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/check-eap-tls
deleted file mode 100644
index 69065e1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/check-eap-tls
+++ /dev/null
@@ -1,135 +0,0 @@ -# This virtual server allows EAP-TLS to reject access requests -# based on some attributes of the certificates involved. -# -# To use this virtual server, you must enable it in the tls -# section of mods-enabled/eap as well as adding a link to this -# file in sites-enabled/. -# -# -# Value-pairs that are available for checking include: -# -# TLS-Client-Cert-Subject -# TLS-Client-Cert-Issuer -# TLS-Client-Cert-Common-Name -# TLS-Client-Cert-Subject-Alt-Name-Email -# -# To see a full list of attributes, run the server in debug mode -# with this virtual server configured, and look at the attributes -# passed in to this virtual server. -# -# -# This virtual server is also useful when using EAP-TLS as it is -# only called once, just before the final Accept is about to be -# returned from eap, whereas the outer authorize section is called -# multiple times for each challenge / response. For this reason, -# here may be a good location to put authentication logging, and -# modules that check for further authorization, especially if they -# hit external services such as sql or ldap. - - -server check-eap-tls { - - -# Authorize - this is the only section required. -# -# To accept the access request, set Auth-Type = Accept, otherwise -# set it to Reject. - -authorize { - - # - # By default, we just accept the request: - # - update config { - &Auth-Type := Accept - } - - - # - # Check the client certificate matches a string, and reject otherwise - # - -# if ("%{TLS-Client-Cert-Common-Name}" == 'client.example.com') { -# update config { -# &Auth-Type := Accept -# } -# } -# else { -# update config { -# &Auth-Type := Reject -# } -# update reply { -# &Reply-Message := "Your certificate is not valid." 
-# } -# } - - - # - # Check the client certificate common name against the supplied User-Name - # -# if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") { -# update config { -# &Auth-Type := Accept -# } -# } -# else { -# update config { -# &Auth-Type := Reject -# } -# } - - - # - # This is a convenient place to call LDAP, for example, when using - # EAP-TLS, as it will only be called once, after all certificates as - # part of the EAP-TLS challenge process have been verified. - # - # An example could be to use LDAP to check that the connecting host, as - # well as presenting a valid certificate, is also in a group based on - # the User-Name (assuming this contains the service principal name). - # Settings such as the following could be used in the ldap module - # configuration: - # - # basedn = "dc=example, dc=com" - # filter = "(servicePrincipalName=%{User-Name})" - # base_filter = "(objectClass=computer)" - # groupname_attribute = cn - # groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" - -# ldap - - # Now let's test membership of an LDAP group (the ldap bind user will - # need permission to read this group membership): - -# if (!(Ldap-Group == "Permitted-Laptops")) { -# update config { -# &Auth-Type := Reject -# } -# } - - # or, to be more specific, you could use the group's full DN: - # if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) { - - - # - # This may be a better place to call the files modules when using - # EAP-TLS, as it will only be called once, after the challenge-response - # iteration has completed. - # - -# files - - - # - # Log all request attributes, plus TLS certificate details, to the - # auth_log file. Again, this is just once per connection request, so - # may be preferable than in the outer authorize section. It is - # suggested that 'auth_log' also be in the outer post-auth and - # Post-Auth REJECT sections to log reply packet details, too. - # - - auth_log - -} -} - 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa
deleted file mode 100644
index c10f88e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa
+++ /dev/null
@@ -1,49 +0,0 @@
-# -*- text -*-
-######################################################################
-#
-# Sample virtual server for receiving a CoA or Disconnect-Request packet.
-#
-
-# Listen on the CoA port.
-#
-# This uses the normal set of clients, with the same secret as for
-# authentication and accounting.
-#
-listen {
- type = coa
- ipaddr = *
- port = 3799
- virtual_server = coa
-}
-
-server coa {
- # When a packet is received, it is processed through the
- # recv-coa section. This applies to *both* CoA-Request and
- # Disconnect-Request packets.
- recv-coa {
- # CoA && Disconnect packets can be proxied in the same
- # way as authentication or accounting packets.
- # Just set Proxy-To-Realm, or Home-Server-Pool, and the
- # packets will be proxied.
-
- # Do proxying based on realms here. You don't need
- # "IPASS" or "ntdomain", as the proxying is based on
- # the Operator-Name attribute. It contains the realm,
- # and ONLY the realm (prefixed by a '1')
- suffix
-
- # Insert your own policies here.
- ok
- }
-
- # When a packet is sent, it is processed through the
- # send-coa section. This applies to *both* CoA-Request and
- # Disconnect-Request packets.
- send-coa {
- # Sample module.
- ok
- }
-
- # You can use pre-proxy and post-proxy sections here, too.
- # They will be processed for sending && receiving proxy packets.
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa-relay b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa-relay
deleted file mode 100644
index 05fd6bc..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/coa-relay
+++ /dev/null
@@ -1,331 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This virtual server simplifies the process of sending CoA-Request or -# Disconnect-Request packets to a NAS. -# -# This virtual server will receive CoA-Request or Disconnect-Request -# packets that contain *minimal* identifying information. e.g. Just -# a User-Name, or maybe just an Acct-Session-Id attribute. It will -# look up that information in a database in order to find the rest of -# the session data. e.g. NAS-IP-Address, NAS-Identifier, NAS-Port, -# etc. That information will be added to the packet, which will then -# be sent to the NAS. -# -# This process is useful because NASes require the CoA packets to -# contain "session identification" attributes in order to to do CoA -# or Disconnect. If the attributes aren't in the packet, then the -# NAS will NAK the request. This NAK happens even if you ask to -# disconnect "User-Name = bob", and there is only one session with a -# "bob" active. -# -# Using this virtual server makes the CoA or Disconnect process -# easier. Just tell FreeRADIUS to disconnect "User-Name = bob", and -# FreeRADIUS will take care of adding the "session identification" -# attributes. -# -# The process is as follows: -# -# - A CoA/Disconnect-Request is received by FreeRADIUS. -# - The radacct table is searched for active sessions that match each of -# the provided identifier attributes: User-Name, Acct-Session-Id. The -# search returns the owning NAS and Acct-Unique-Id for the matching -# session/s. -# - The original CoA/Disconnect-Request content is written to a detail file -# with custom attributes representing the NAS and Acct-Session-Id. -# - A detail reader follows the file and originates CoA/Disconenct-Requests -# containing the original content, relayed to the corresponding NAS for -# each session using the custom attributes. 
-# -# This simplifies scripting directly against a set of NAS devices since a -# script need only send a single CoA/Disconnect to FreeRADIUS which will -# then: -# -# - Lookup all active sessions belonging to a user, in the case that only a -# User-Name attribute is provided in the request -# - Handle routing of the request to the correct NAS, in the case of a -# multi-NAS setup -# -# For example, to disconnect a specific session: -# -# $ echo 'Acct-Session-Id = "769df3 312343"' | \ -# radclient 127.0.0.1 disconnect testing123 -# -# To perform a CoA update of all active sessions belonging to a user: -# -# $ cat <, -# -# 00:01:02:03:04:05,192.0.2.100 -# 01:01:02:03:04:05,192.0.2.101 -# 02:01:02:03:04:05,192.0.2.102 -# -# This lets you perform simple static IP assignment. -# -# There is a preconfigured "mac2ip" module setup in -# mods-available/mac2ip. To use it do: -# -# # cd raddb/ -# # ln -s ../mods-available/mac2ip mods-enabled/mac2ip -# # mkdir mods-config/passwd -# -# Then create the file mods-config/passwd/mac2ip with the above -# format. -# -###################################################################### - - -# This is an example only - see mods-available/mac2ip instead; do -# not uncomment these lines here. -# -#passwd mac2ip { -# filename = ${confdir}/mac2ip -# format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" -# delimiter = "," -#} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/dhcp.relay b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/dhcp.relay deleted file mode 100644 index 76d1e10..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/dhcp.relay +++ /dev/null 
@@ -1,44 +0,0 @@
-# -*- text -*-
-######################################################################
-#
-# This is a virtual server that handles DHCP relaying
-#
-# Only one server can listen on a socket, so you cannot
-# do DHCP relaying && run a DHCP server at the same time.
-#
-######################################################################
-
-server dhcp.eth1 {
- listen {
- ipaddr = *
- port = 67
- type = dhcp
- interface = eth1
- }
-
- # Packets received on the socket will be processed through one
- # of the following sections, named after the DHCP packet type.
- # See dictionary.dhcp for the packet types.
- dhcp DHCP-Discover {
- update config {
- # IP Address of the DHCP server
- &DHCP-Relay-To-IP-Address := 192.0.2.2
- }
- update request {
- # IP Address of the DHCP relay (ourselves)
- &DHCP-Gateway-IP-Address := 192.0.2.1
- }
- ok
- }
-
- dhcp DHCP-Request {
- update config {
- # IP Address of the DHCP server
- &DHCP-Relay-To-IP-Address := 192.0.2.2
- }
- update request {
- &DHCP-Gateway-IP-Address := 192.0.2.2
- }
- ok
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/dynamic-clients b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/dynamic-clients
deleted file mode 100644
index b86ba4b..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/dynamic-clients
+++ /dev/null
@@ -1,222 +0,0 @@ -# -*- text -*- -###################################################################### -# -# Sample configuration file for dynamically updating the list -# of RADIUS clients at run time. -# -# Everything is keyed off of a client "network". (e.g. 192.0.2/24) -# This configuration lets the server know that clients within -# that network are defined dynamically. -# -# When the server receives a packet from an unknown IP address -# within that network, it tries to find a dynamic definition -# for that client. If the definition is found, the IP address -# (and other configuration) is added to the server's internal -# cache of "known clients", with a configurable lifetime. -# -# Further packets from that IP address result in the client -# definition being found in the cache. Once the lifetime is -# reached, the client definition is deleted, and any new requests -# from that client are looked up as above. -# -# If the dynamic definition is not found, then the request is -# treated as if it came from an unknown client. i.e. It is -# silently discarded. -# -# As part of protection from Denial of Service (DoS) attacks, -# the server will add only one new client per second. This CANNOT -# be changed, and is NOT configurable. -# -# $Id: 0459a7f4b1dc824b1684e9d220a0410c69b3248a $ -# -###################################################################### - -# -# Define a network where clients may be dynamically defined. -client dynamic { - # - # You MUST specify a netmask! - # IPv4 /32 or IPv6 /128 are NOT allowed! - ipaddr = 192.0.2.0/24 - - # - # Any other configuration normally found in a "client" - # entry can be used here. - - # - # A shared secret does NOT have to be defined. It can - # be left out. - - # - # Define the virtual server used to discover dynamic clients. - dynamic_clients = dynamic_clients - - # - # The directory where client definitions are stored. This - # needs to be used ONLY if the client definitions are stored - # in flat-text files. 
Each file in that directory should be - # ONE and only one client definition. The name of the file - # should be the IP address of the client. - # - # If you are storing clients in SQL, this entry should not - # be used. -# directory = ${confdir}/dynamic-clients/ - - # - # Define the lifetime (in seconds) for dynamic clients. - # They will be cached for this lifetime, and deleted afterwards. - # - # If the lifetime is "0", then the dynamic client is never - # deleted. The only way to delete the client is to re-start - # the server. - lifetime = 3600 -} - -# -# This is the virtual server referenced above by "dynamic_clients". -server dynamic_clients { - - # - # The only contents of the virtual server is the "authorize" section. - authorize { - - # - # Put any modules you want here. SQL, LDAP, "exec", - # Perl, etc. The only requirements is that the - # attributes MUST go into the control item list. - # - # The request that is processed through this section - # is EMPTY. There are NO attributes. The request is fake, - # and is NOT the packet that triggered the lookup of - # the dynamic client. - # - # The ONLY piece of useful information is either - # - # Packet-Src-IP-Address (IPv4 clients) - # Packet-Src-IPv6-Address (IPv6 clients) - # - # The attributes used to define a dynamic client mirror - # the configuration items in the "client" structure. - # - - # - # Example 1: Hard-code a client IP. This example is - # useless, but it documents the attributes - # you need. - # - update control { - - # - # Echo the IP address of the client. - &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - - # require_message_authenticator - &FreeRADIUS-Client-Require-MA = no - - # secret - &FreeRADIUS-Client-Secret = "testing123" - - # shortname - &FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" - - # nas_type - &FreeRADIUS-Client-NAS-Type = "other" - - # virtual_server - # - # This can ONLY be used if the network client - # definition (e.g. 
"client dynamic" above) has - # NO virtual_server defined. - # - # If the network client definition does have a - # virtual_server defined, then that is used, - # and there is no need to define this attribute. - # - &FreeRADIUS-Client-Virtual-Server = "something" - - } - - # - # Example 2: Read the clients from "clients" files - # in a directory. - # - - # This requires you to uncomment the - # "directory" configuration in the - # "client dynamic" configuration above, - # and then put one file per IP address in - # that directory. - # - dynamic_clients - - # - # Example 3: Look the clients up in SQL. - # - # This requires the SQL module to be configured, of course. - if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") { - update control { - # - # Echo the IP. - &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - - # - # Do multiple SELECT statements to grab - # the various definitions. - &FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" - - &FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" - - &FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" - - &FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" - } - - } - - # Do an LDAP lookup in the elements OU, check to see if - # the Packet-Src-IP-Address object has a "ou" - # attribute, if it does continue. Change "ACME.COM" to - # the real OU of your organization. - # - # Assuming the following schema: - # - # OU=Elements,OU=Radius,DC=ACME,DC=COM - # - # Elements will hold a record of every NAS in your - # Network. Create Group objects based on the IP - # Address of the NAS and set the "Location" or "l" - # attribute to the NAS Huntgroup the NAS belongs to - # allow them to be centrally managed in LDAP. - # - # e.g. 
CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM - # - # With a "l" value of "CiscoRTR" for a Cisco Router - # that has a NAS-IP-Address or Source-IP-Address of - # 10.1.2.3. - # - # And with a "ou" value of the shared secret password - # for the NAS element. ie "password" - if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") { - update control { - &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - - # Set the Client-Shortname to be the Location - # "l" just like in the Huntgroups, but this - # time to the shortname. - - &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}" - - # Lookup and set the Shared Secret based on - # the "ou" attribute. - &FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}" - } - } - - # - # Tell the caller that the client was defined properly. - # - # If the authorize section does NOT return "ok", then - # the new client is ignored. - ok - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/example b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/example deleted file mode 100644 index fdc1c46..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/example +++ /dev/null 
@@ -1,122 +0,0 @@ -###################################################################### -# -# An example virtual server configuration. -# -# $Id: 5f204aaa6fc87e487b8542e1e4781623ff7f4a73 $ -# -###################################################################### - - -# -# This client will be available to any "listen" section that -# are defined outside of a virtual server section. However, -# when the server receives a packet from this client, the -# request will be processed through the "example" virtual -# server, as the "client" section contains a configuration item -# to that effect. -# -# Note that this client will be able to send requests to any -# port defined in a global "listen" section. It will NOT, -# however, be able to send requests to a port defined in a -# "listen" section that is contained in a "server" section. -# -# With careful matching of configurations, you should be able -# to: -# -# - Define one authentication port, but process each client -# through a separate virtual server. -# -# - define multiple authentication ports, each with a private -# list of clients. -# -# - define multiple authentication ports, each of which may -# have the same client listed, but with different shared -# secrets -# -# FYI: We use an address in the 192.0.2.* space for this example, -# as RFC 3330 says that that /24 range is used for documentation -# and examples, and should not appear on the net. You shouldn't -# use it for anything, either. -# -client 192.0.2.10 { - shortname = example-client - secret = testing123 - virtual_server = example -} - -###################################################################### -# -# An example virtual server. It starts off with "server name {" -# The "name" is used to reference this server from a "listen" -# or "client" section. 
-# -###################################################################### -server example { - # - # Listen on 192.0.2.1:1812 for Access-Requests - # - # When the server receives a packet, it is processed - # through the "authorize", etc. sections listed here, - # NOT the global ones the "default" site. - # - listen { - ipaddr = 192.0.2.1 - port = 1821 - type = auth - } - - # - # This client is listed within the "server" section, - # and is therefore known ONLY to the socket defined - # in the "listen" section above. If the client IP - # sends a request to a different socket, the server - # will treat it as an unknown client, and will not - # respond. - # - # In contrast, the client listed at the top of this file - # is outside of any "server" section, and is therefore - # global in scope. It can send packets to any port - # defined in a global "listen" section. It CANNOT send - # packets to the listen section defined above, though. - # - # Note that you don't have to have a "virtual_server = example" - # line here, as the client is encapsulated within - # the "server" section. - # - client 192.0.2.9 { - shortname = example-client - secret = testing123 - } - - authorize { - # - # Some example policies. See "man unlang" for more. - # - if (&User-Name == 'bob') { - update control { - &Cleartext-Password := 'bob' - } - } - - # - # And then reject the user. The next line requires - # that the "always reject {}" section is defined in - # the "modules" section of radiusd.conf. - # - reject - } - - authenticate { - - } - - post-auth { - - Post-Auth-Type Reject { - update reply { - &Reply-Message = 'This is only an example.' - } - } - } - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/originate-coa b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/originate-coa deleted file mode 100644 index 3325b88..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/originate-coa +++ /dev/null 
@@ -1,185 +0,0 @@ -# -*- text -*- -###################################################################### -# -# The server can originate Change of Authorization (CoA) or -# Disconnect request packets. These packets are used to dynamically -# change the parameters of a users session (bandwidth, etc.), or -# to forcibly disconnect the user. -# -# There are some caveats. Not all NAS vendors support this -# functionality. Even for the ones that do, it may be difficult to -# find out what needs to go into a CoA-Request or Disconnect-Request -# packet. All we can suggest is to read the NAS documentation -# available from the vendor. That documentation SHOULD describe -# what information their equipment needs to see in a CoA packet. -# -# This information is usually a list of attributes such as: -# -# NAS-IP-Address (or NAS-IPv6 address) -# NAS-Identifier -# User-Name -# Acct-Session-Id -# -# CoA packets can be originated when a normal Access-Request or -# Accounting-Request packet is received. Simply update the -# "coa" list: -# -# update coa { -# &User-Name = "%{User-Name}" -# &Acct-Session-Id = "%{Acct-Session-Id}" -# &NAS-IP-Address = "%{NAS-IP-Address}" -# } -# -# And the CoA packet will be sent. You can also send Disconnect -# packets by using "update disconnect { ...". -# -# This "update coa" entry can be placed in any section (authorize, -# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA -# packets CANNOT be sent if the original request has been proxied. -# -# The CoA functionality works best when the RADIUS server and -# the NAS receiving CoA packets are on the same network. -# -# If "update coa { ... " is used, and then later it becomes necessary -# to not send a CoA request, the following example can suppress the -# CoA packet: -# -# update control { -# &Send-CoA-Request = No -# } -# -# The default destination of a CoA packet is the NAS (or client) -# the sent the original Access-Request or Accounting-Request. 
See -# raddb/clients.conf for a "coa_server" configuration that ties -# a client to a specific home server, or to a home server pool. -# -# If you need to send the packet to a different destination, update -# the "coa" list with one of: -# -# Packet-Dst-IP-Address = ... -# Packet-Dst-IPv6-Address = ... -# Home-Server-Pool = ... -# -# That specifies an Ipv4 or IPv6 address, or a home server pool -# (such as the "coa" pool example below). This use is not -# recommended, however, It is much better to point the client -# configuration directly at the CoA server/pool, as outlined -# earlier. -# -# If the CoA port is non-standard, you can also set: -# -# Packet-Dst-Port -# -# to have the value of the port. -# -###################################################################### - -# -# When CoA packets are sent to a NAS, the NAS is acting as a -# server (see RFC 5176). i.e. it has a type (accepts CoA and/or -# Disconnect packets), an IP address (or IPv6 address), a -# destination port, and a shared secret. -# -home_server example-coa { - type = coa - - # - # Note that a home server of type "coa" MUST be a real NAS, - # with an ipaddr or ipv6addr. It CANNOT point to a virtual - # server. - # - # Change this IP address to the IP address of the NAS. - # - ipaddr = 192.0.2.42 - port = 3799 - - # This secret SHOULD NOT be the same as the shared - # secret in a "client" section. - secret = testing1234 - - # CoA specific parameters. See raddb/proxy.conf for details. - coa { - irt = 2 - mrt = 16 - mrc = 5 - mrd = 30 - } -} - -# -# CoA servers can be put into pools, just like normal servers. -# -home_server_pool coa { - type = fail-over - - # Point to the CoA server above. - home_server = example-coa - - # CoA requests are run through the pre-proxy section. - # CoA responses are run through the post-proxy section. - virtual_server = originate-coa.example.com - - # - # Home server pools of type "coa" cannot (currently) have - # a "fallback" configuration. 
- # -} - -# -# When this virtual server is run, the original request has FINISHED -# processing. i.e. the reply has already been sent to the NAS. -# You can access the attributes in the original packet, reply, and -# control items, but changing them will have NO EFFECT. -# -# The CoA packet is in the "proxy-request" attribute list. -# The CoA reply (if any) is in the "proxy-reply" attribute list. -# -server originate-coa.example.com { - pre-proxy { - update proxy-request { - NAS-IP-Address = 192.0.2.42 - } - } - - # - # Handle the responses here. - # - post-proxy { - switch &proxy-reply:Packet-Type { - case CoA-ACK { - ok - } - - case CoA-NAK { - # the NAS didn't like the CoA request - ok - } - - case Disconnect-ACK { - ok - } - - case Disconnect-NAK { - # the NAS didn't like the Disconnect request - ok - } - - # Invalid packet type. This shouldn't happen. - case { - fail - } - } - - # - # These methods are run when there is NO response - # to the request. - # - Post-Proxy-Type Fail-CoA { - ok - } - - Post-Proxy-Type Fail-Disconnect { - ok - } - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/proxy-inner-tunnel b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/proxy-inner-tunnel deleted file mode 100644 index f77f9cb..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/proxy-inner-tunnel +++ /dev/null 
@@ -1,47 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This is a virtual server that handles *only* inner tunnel -# requests for EAP-TTLS and PEAP types. -# -# $Id: 938d954592d3824e4d51e3315d0f7e0b5cfde824 $ -# -###################################################################### - -server proxy-inner-tunnel { - -# -# This example is very simple. All inner tunnel requests get -# proxied to another RADIUS server. -# -authorize { - # - # Do other things here, as necessary. - # - # e.g. run the "realms" module, to decide how to proxy - # the inner tunnel request. - # - - update control { - # You should update this to be one of your realms. - &Proxy-To-Realm := "example.com" - } -} - -authenticate { - # - # This is necessary so that the inner tunnel EAP-MSCHAPv2 - # method can be called. That method takes care of turning - # EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary. - eap -} - -post-proxy { - # - # This is necessary for LEAP, or if you set: - # - # proxy_tunneled_request_as_eap = no - # - eap -} -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/resource-check b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/resource-check deleted file mode 100644 index 486c3b8..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/resource-check +++ /dev/null 
@@ -1,140 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This virtual server provides an example of how to dynamically amend the -# control flow within some virtual server's policy on the basis of the status -# of some resource, such as an external database. -# -# This resource-check virtual server receives periodic dummy server-status -# requests that trigger an arbitrary set of checks. On the basis of those -# checks the status of an instance of the rlm_always module, that we refer to -# as the "control module", is updated to reflect the system status. -# -# Elsewhere, some other virtual server (the "controlled virtual server") uses -# the control module to make decisions during the processing of incoming -# requests. By amending the status of the control module in response to the -# system status this virtual server is able to manipulate the outcome of the -# controlled virtual server. -# -# Firstly, the authorize section of this virtual server will need to be -# amended to check the status of the external resources and to set the status -# of the control module appropriately, as described in the inline comments -# below... -# -# In addition to configuring and activating this virtual server, a control -# module must be configured as an instance of rlm_always in mods-enabled, for -# example: -# -# always db_online { -# # Default to online -# rcode = ok -# } -# -# Now trigger the resource checks by sending a server-status request to this -# virtual server, as follows: -# -# echo "Message-Authenticator = 0x00" | \ -# radclient -r 1 -t 3 -q 127.0.0.1:18122 status testing123 -# -# The trigger could be invoked by a cron job or if more frequent checks than -# once per minute are required a systemd timer might be used. 
-# -# The current status of the control module can be examined at any time using -# radmin: -# -# radmin -e 'show module status db_online' -# -# For radmin to work requires that the control-socket virtual server is -# configured and enabled. -# -# The controlled virtual server will contain some control flow decision that -# uses the control module, for example: -# -# server default { -# -# ... -# -# authorize { -# -# # If the database is not healthy then remain silent to trigger -# # NAS failover -# # -# db_online { -# fail = 1 -# } -# if (fail) { -# do_not_respond -# } -# -# sql -# -# pap -# } -# -# ... -# -# -# The configuration for this virtual server follows and should be amended as -# required... -# - - -# -# Listen on a local port for Server-Status requests that trigger the resource -# checks. -# -# This uses the normal set of clients, with the same secret as for -# authentication and accounting. -# -listen { - type = status - ipaddr = 127.0.0.1 - port = 18122 - virtual_server = resource_check -} - - -# -# Within this virual server we provide only an Autz-Type Status-Server section -# whose task is to perform the resource checks and sets the status of the -# "control module" -# -server resource-check { - -authorize { - -Autz-Type Status-Server { - - # - # In this example we check whether a PostgreSQL database is in - # recovery (or inaccessible) and when this is the case we fail the - # db_online control module. - # - # Other modules could be used here. - # - # You can even invoke synchronous checks using the %{exec:...} xlat in - # which case timeout should be set to less than the check trigger - # interval to avoid buildup of checks when resources do not respond. - # See rlm_exec for details. 
- # - if ("%{sql:SELECT pg_is_in_recovery()}" != "f") { - - # Fail the db_online module, if it isn't already - if ("%{db_online:}" != "fail") { - %{db_online:fail} - } - - } else { - - # Set the db_online module status to alive, if it isn't already - if ("%{db_online:}" != "alive") { - %{db_online:alive} - } - - } - -} - -} - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/robust-proxy-accounting b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/robust-proxy-accounting deleted file mode 100644 index b0a3ca9..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/robust-proxy-accounting +++ /dev/null 
@@ -1,167 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This is a sample configuration for robust proxy accounting. -# accounting packets are proxied, OR logged locally if all -# home servers are down. When the home servers come back up, -# the accounting packets are forwarded. -# -# This method enables the server to proxy all packets to the -# home servers when they're up, AND to avoid writing to the -# detail file in most situations. -# -# In most situations, proxying of accounting messages is done -# in a "pass-through" fashion. If the home server does not -# respond, then the proxy server does not respond to the NAS. -# That means that the NAS must retransmit packets, sometimes -# forever. This example shows how the proxy server can still -# respond to the NAS, even if all home servers are down. -# -# This configuration could be done MUCH more simply if ALL -# packets were written to the detail file. But that would -# involve a lot more disk writes, which may not be a good idea. -# -# This file is NOT meant to be used as-is. It needs to be -# edited to match your local configuration. -# -# Please see the sites-available/default file, in the -# "Post-Proxy-Type Fail-Accounting" section. That should be -# configured to write packets to the "detail.example.com" -# file when proxying fails. The "listen" section below will -# then read packets from that file, and proxy them. -# -# See also mods-available/detail.example.com, which is the -# module that writes the "detail.example.com" file. -# -# -# $Id: 85f2f9dcc06ed2cc2c14d371c7cfc5a086b4c6cf $ -# -###################################################################### - -# (1) Define two home servers. 
-home_server home1.example.com { - type = acct - ipaddr = 192.0.2.10 - port = 1813 - secret = testing123 - - # Mark this home server alive ONLY when it starts being responsive - status_check = request - username = "test_user_status_check" - - # Set the response timeout aggressively low. - # You MAY have to increase this, depending on tests with - # your local installation. - response_window = 6 -} - -home_server home2.example.com { - type = acct - ipaddr = 192.0.2.20 - port = 1813 - secret = testing123 - - # Mark this home server alive ONLY when it starts being responsive - status_check = request - username = "test_user_status_check" - - # Set the response timeout aggressively low. - # You MAY have to increase this, depending on tests with - # your local installation. - response_window = 6 -} - -# (2) Put all of the servers into a pool. -home_server_pool acct_pool.example.com { - type = load-balance # other types are OK, too. - - home_server = home1.example.com - home_server = home2.example.com - # add more home_server's here. - - # for pre/post-proxy policies - virtual_server = home.example.com -} - -# (3) Define a realm for these home servers. -# It should NOT be used as part of normal proxying decisions! -realm acct_realm.example.com { - acct_pool = acct_pool.example.com -} - -# (4) Define a detail file writer. -# See raddb/modules/detail.example.com - -# (5) Define a virtual server to handle pre/post-proxy re-writing -server home.example.com { - pre-proxy { - # Insert pre-proxy rules here - } - - post-proxy { - # Insert post-proxy rules here - - # This will be called when the CURRENT packet failed - # to be proxied. This may happen when one home server - # suddenly goes down, even though another home server - # may be alive. - # - # i.e. the current request has run out of time, so it - # cannot fail over to another (possibly) alive server. - # - # We want to respond to the NAS, so that it can stop - # re-sending the packet. 
We write the packet to the - # "detail" file, where it will be read, and sent to - # another home server. - # - Post-Proxy-Type Fail-Accounting { - detail.example.com - } - - # - # This section is run when there are problems - # proxying Access-Request packets - # - Post-Proxy-Type Fail-Authentication { - # add policies here - } - - } - - - # Read accounting packets from the detail file(s) for - # the home server. - # - # Note that you can have only ONE "listen" section reading - # detail files from a particular directory. That is why the - # destination host name is used as part of the directory name - # below. Having two "listen" sections reading detail files - # from the same directory WILL cause problems. The packets - # may be read by one, the other, or both "listen" sections. - listen { - type = detail - filename = "${radacctdir}/detail.example.com/detail-*:*" - load_factor = 10 - } - - # All packets read from the detail file are proxied back to - # the home servers. - # - # The normal pre/post-proxy rules are applied to them, too. - # - # If the home servers are STILL down, then the server stops - # reading the detail file, and queues the packets for a later - # retransmission. The Post-Proxy-Type "Fail" handler is NOT - # called. - # - # When the home servers come back up, the packets are forwarded, - # and the detail file processed as normal. - accounting { - # You may want accounting policies here... - - update control { - &Proxy-To-Realm := 'acct_realm.example.com' - } - } - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/soh b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/soh deleted file mode 100644 index 86748b6..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/soh +++ /dev/null 
@@ -1,34 +0,0 @@ -# This is a simple server for the MS SoH requests generated by the -# peap module - see "eap.conf" for more info - -# Requests are ONLY passed through the authorize section, and cannot -# current be proxied (in any event, the radius attributes used are -# internal). - -server soh-server { - authorize { - if (&SoH-Supported == no) { - # client NAKed our request for SoH - not supported, or turned off - update config { - &Auth-Type = Accept - } - } - else { - # client replied; check something - this is a local policy issue! - if (&SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) { - update config { - &Auth-Type = Reject - } - update reply { - &Reply-Message = 'You must have antivirus enabled & installed!' - } - } - else { - update config { - &Auth-Type = Accept - } - } - } - } -} - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/status b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/status deleted file mode 100644 index 5432203..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/status +++ /dev/null 
@@ -1,127 +0,0 @@ -# -*- text -*- -###################################################################### -# -# A virtual server to handle ONLY Status-Server packets. -# -# Server statistics can be queried with a properly formatted -# Status-Server request. See dictionary.freeradius for comments. -# -# If radiusd.conf has "status_server = yes", then any client -# will be able to send a Status-Server packet to any port -# (listen section type "auth", "acct", or "status"), and the -# server will respond. -# -# If radiusd.conf has "status_server = no", then the server will -# ignore Status-Server packets to "auth" and "acct" ports. It -# will respond only if the Status-Server packet is sent to a -# "status" port. -# -# The server statistics are available ONLY on socket of type -# "status". Queries for statistics sent to any other port -# are ignored. -# -# Similarly, a socket of type "status" will not process -# authentication or accounting packets. This is for security. -# -# $Id: e7d4346310b837d56bffe4c991b4e5680742ebc0 $ -# -###################################################################### - -server status { - listen { - # ONLY Status-Server is allowed to this port. - # ALL other packets are ignored. - type = status - - ipaddr = 127.0.0.1 - port = 18121 - } - - # - # We recommend that you list ONLY management clients here. - # i.e. NOT your NASes or Access Points, and for an ISP, - # DEFINITELY not any RADIUS servers that are proxying packets - # to you. - # - # If you do NOT list a client here, then any client that is - # globally defined (i.e. all of them) will be able to query - # these statistics. - # - # Do you really want your partners seeing the internal details - # of what your RADIUS server is doing? - # - client admin { - ipaddr = 127.0.0.1 - secret = adminsecret - } - - # - # Simple authorize section. The "Autz-Type Status-Server" - # section will work here, too. See "raddb/sites-available/default". 
- authorize { - ok - - # respond to the Status-Server request. - Autz-Type Status-Server { - ok - } - } -} - -# Statistics can be queried via a number of methods: -# -# All packets received/sent by the server (1 = auth, 2 = acct) -# FreeRADIUS-Statistics-Type = 3 -# -# All packets proxied by the server (4 = proxy-auth, 8 = proxy-acct) -# FreeRADIUS-Statistics-Type = 12 -# -# All packets sent && received: -# FreeRADIUS-Statistics-Type = 15 -# -# Internal server statistics: -# FreeRADIUS-Statistics-Type = 16 -# -# All packets for a particular client (globally defined) -# FreeRADIUS-Statistics-Type = 35 -# FreeRADIUS-Stats-Client-IP-Address = 192.0.2.1 -# -# All packets for a client attached to a "listen" ip/port -# FreeRADIUS-Statistics-Type = 35 -# FreeRADIUS-Stats-Client-IP-Address = 192.0.2.1 -# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1 -# FreeRADIUS-Stats-Server-Port = 1812 -# -# All packets for a "listen" IP/port -# FreeRADIUS-Statistics-Type = 67 -# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1 -# FreeRADIUS-Stats-Server-Port = 1812 -# -# All packets for a home server IP / port -# FreeRADIUS-Statistics-Type = 131 -# FreeRADIUS-Stats-Server-IP-Address = 192.0.2.2 -# FreeRADIUS-Stats-Server-Port = 1812 - -# -# You can also get exponentially weighted moving averages of -# response times (in usec) of home servers. Just set the config -# item "historic_average_window" in a home_server section. -# -# By default it is zero (don't calculate it). Useful values -# are between 100, and 10,000. The server will calculate and -# remember the moving average for this window, and for 10 times -# that window. -# - -# -# Some of this could have been simplified. e.g. the proxy-auth and -# proxy-acct bits aren't completely necessary. But using them permits -# the server to be queried for ALL inbound && outbound packets at once. -# This gives a good snapshot of what the server is doing. -# -# Due to internal limitations, the statistics might not be exactly up -# to date. 
Do not expect all of the numbers to add up perfectly. -# The Status-Server packets are also counted in the total requests && -# responses. The responses are counted only AFTER the response has -# been sent. -# diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/tls b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/tls deleted file mode 100644 index d52c785..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/tls +++ /dev/null 
@@ -1,651 +0,0 @@ -###################################################################### -# -# RADIUS over TLS (radsec) -# -# When a new client connects, the various TLS parameters for the -# connection are available as dynamic expansions, e.g. -# -# %{listen:TLS-Client-Cert-Common-Name} -# -# Along with other TLS-Client-Cert-... attributes. -# These expansions will only exist if the relevant fields -# are in the client certificate. Read the debug output to see -# which fields are available. Look for output like the following: -# -# (0) TLS - Creating attributes from certificate OIDs -# (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "one.example.org" -# (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "two.example.org" -# ... -# -# It is also possible to distinguish between connections which have -# TLS enables, and ones which do not. The expansion: -# -# %{listen:tls} -# -# Will return "yes" if the connection has TLS enabled. It will -# return "no" if TLS is not enabled for a particular listen section. -# -# A number of TLS-Client-Cert-.. attributes holds X509v3 extensions -# data, attributes named the way OpenSSL names them. It is possible -# to extract data for an extension not known to OpenSSL by defining -# a custom string attribute which contains extension OID in it's -# name after 'TLS-Client-Cert-' prefix. E.g.: -# -# ATTRIBUTE TLS-Client-Cert-1.3.6.1.4.1.311.21.7 3002 string -# -# which will yield something simmilar to: -# -# (0) eap_tls: TLS - Creating attributes from certificate OIDs -# (0) eap_tls: TLS-Client-Cert-1.3.6.1.4.1.311.21.7 += "0x302e06" -# ... -# -###################################################################### - -listen { - ipaddr = * - port = 2083 - - # - # TCP and TLS sockets can accept Access-Request and - # Accounting-Request on the same socket. 
- # - # auth = only Access-Request - # acct = only Accounting-Request - # auth+acct = both - # coa = only CoA / Disconnect requests - # - type = auth+acct - - # For now, only TCP transport is allowed. - proto = tcp - - # Send packets to the default virtual server - virtual_server = default - - clients = radsec - - # - # Use the haproxy "PROXY protocol". - # - # This configuration allows for many FreeRADIUS servers to be - # behind a haproxy server. The "PROXY protocol" allows - # haproxy to send the actual client IP to FreeRADIUS. - # - # This will work ONLY for RadSec (TLS). Both the haproxy AND - # the RadSec client MUST be listed as allowed RADIUS clients. - # - # haproxy needs to have "send-proxy" configured for this server. - # Health checks should be turned off, as haproxy does not - # support RADIUS health checks. - # - # The main use of this feature is for scalability. There is no - # longer any need to have a RADIUS proxy as a load balancer. - # haproxy is fast, stable, and supports dynamic reloads! - # - # The only problem is that many RADIUS clients do not support - # RadSec. That situation will hopefully change over time. - # -# proxy_protocol = no - - # - # When this is set to "yes", new TLS connections - # are processed through a section called - # - # Autz-Type New-TLS-Connection { - # ... - # } - # - # The request contains TLS client certificate attributes, - # and nothing else. The debug output will print which - # attributes are available on your system. - # - # If the section returns "ok" or "updated", then the - # connection is accepted. Otherwise the connection is - # terminated. - # -# check_client_connections = yes - - # - # Connection limiting for sockets with "proto = tcp". - # - limit { - # - # Limit the number of simultaneous TCP connections to the socket - # - # The default is 16. - # Setting this to 0 means "no limit" - max_connections = 16 - - # The per-socket "max_requests" option does not exist. 
- - # - # The lifetime, in seconds, of a TCP connection. After - # this lifetime, the connection will be closed. - # - # Setting this to 0 means "forever". - lifetime = 0 - - # - # The idle timeout, in seconds, of a TCP connection. - # If no packets have been received over the connection for - # this time, the connection will be closed. - # - # Setting this to 0 means "no timeout". - # - # We STRONGLY RECOMMEND that you set an idle timeout. - # - idle_timeout = 30 - } - - # This is *exactly* the same configuration as used by the EAP-TLS - # module. It's OK for testing, but for production use it's a good - # idea to use different server certificates for EAP and for RADIUS - # transport. - # - # If you want only one TLS configuration for multiple sockets, - # then we suggest putting "tls { ...}" into radiusd.conf. - # The subsection below can then be changed into a reference: - # - # tls = ${tls} - # - # Which means "the tls sub-section is not here, but instead is in - # the top-level section called 'tls'". - # - # If you have multiple tls configurations, you can put them into - # sub-sections of a top-level "tls" section. There's no need to - # call them all "tls". You can then use: - # - # tls = ${tls.site1} - # - # to refer to the "site1" sub-section of the "tls" section. - # - tls { - private_key_password = whatever - private_key_file = ${certdir}/server.pem - - # Accept an expired Certificate Revocation List - # - # allow_expired_crl = no - - # If Private key & Certificate are located in - # the same file, then private_key_file & - # certificate_file must contain the same file - # name. - # - # If ca_file (below) is not used, then the - # certificate_file below MUST include not - # only the server certificate, but ALSO all - # of the CA certificates used to sign the - # server certificate. - certificate_file = ${certdir}/server.pem - - # Trusted Root CA list - # - # ALL of the CA's in this list will be trusted - # to issue client certificates for authentication. 
- # - # In general, you should use self-signed - # certificates for 802.1x (EAP) authentication. - # In that case, this CA file should contain - # *one* CA certificate. - # - # This parameter is used only for EAP-TLS, - # when you issue client certificates. If you do - # not use client certificates, and you do not want - # to permit EAP-TLS authentication, then delete - # this configuration item. - ca_file = ${cadir}/ca.pem - - # - # For DH cipher suites to work, you have to - # run OpenSSL to create the DH file first: - # - # openssl dhparam -out certs/dh 1024 - # - dh_file = ${certdir}/dh - - # - # If your system doesn't have /dev/urandom, - # you will need to create this file, and - # periodically change its contents. - # - # For security reasons, FreeRADIUS doesn't - # write to files in its configuration - # directory. - # -# random_file = /dev/urandom - - # - # The default fragment size is 1K. - # However, it's possible to send much more data than - # that over a TCP connection. The upper limit is 64K. - # Setting the fragment size to more than 1K means that - # there are fewer round trips when setting up a TLS - # connection. But only if the certificates are large. - # - fragment_size = 8192 - - # include_length is a flag which is - # by default set to yes If set to - # yes, Total Length of the message is - # included in EVERY packet we send. - # If set to no, Total Length of the - # message is included ONLY in the - # First packet of a fragment series. - # - # include_length = yes - - # Check the Certificate Revocation List - # - # 1) Copy CA certificates and CRLs to same directory. - # 2) Execute 'c_rehash '. - # 'c_rehash' is OpenSSL's command. - # 3) uncomment the line below. - # 5) Restart radiusd - # check_crl = yes - ca_path = ${cadir} - - # OpenSSL does not reload contents of ca_path dir over time. 
- # That means that if check_crl is enabled and CRLs are loaded
- # from ca_path dir, at some point CRLs will expire and
- # RADIUSd will stop authenticating NASes.
- # If ca_path_reload_interval is non-zero, it will force OpenSSL
- # to reload all data from ca_path periodically
- #
- # Flush ca_path each hour
- ca_path_reload_interval = 3600
-
- #
- # If check_cert_issuer is set, the value will
- # be checked against the DN of the issuer in
- # the client certificate. If the values do not
- # match, the certificate verification will fail,
- # rejecting the user.
- #
- # This check can be done more generally by checking
- # the value of the TLS-Client-Cert-Issuer attribute.
- # This check can be done via any mechanism you choose.
- #
- # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
-
- #
- # If check_cert_cn is set, the value will
- # be xlat'ed and checked against the CN
- # in the client certificate. If the values
- # do not match, the certificate verification
- # will fail rejecting the user.
- #
- # This check is done only if the previous
- # "check_cert_issuer" is not set, or if
- # the check succeeds.
- #
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-Common-Name attribute. This check
- # can be done via any mechanism you choose.
- #
- # check_cert_cn = %{User-Name}
- #
- # Set this option to specify the allowed
- # TLS cipher suites. The format is listed
- # in "man 1 ciphers".
- cipher_list = "DEFAULT"
-
- # If enabled, OpenSSL will use server cipher list
- # (possibly defined by cipher_list option above)
- # for choosing right cipher suite rather than
- # using client-specified list which is OpenSSl default
- # behavior. Having it set to yes is a current best practice
- # for TLS
- cipher_server_preference = no
-
- #
- # Older TLS versions are deprecated. But for RadSec,
- # we CAN allow TLS 1.3.
- # - tls_min_version = "1.2" - tls_max_version = "1.3" - - # - # Session resumption / fast reauthentication - # cache. - # - # The cache contains the following information: - # - # session Id - unique identifier, managed by SSL - # User-Name - from the Access-Accept - # Stripped-User-Name - from the Access-Request - # Cached-Session-Policy - from the Access-Accept - # - # The "Cached-Session-Policy" is the name of a - # policy which should be applied to the cached - # session. This policy can be used to assign - # VLANs, IP addresses, etc. It serves as a useful - # way to re-apply the policy from the original - # Access-Accept to the subsequent Access-Accept - # for the cached session. - # - # On session resumption, these attributes are - # copied from the cache, and placed into the - # reply list. - # - # You probably also want "use_tunneled_reply = yes" - # when using fast session resumption. - # - cache { - # - # Enable it. The default is "no". - # Deleting the entire "cache" subsection - # Also disables caching. - # - # - # As of version 3.0.14, the session cache requires the use - # of the "name" and "persist_dir" configuration items, below. - # - # The internal OpenSSL session cache has been permanently - # disabled. - # - # You can disallow resumption for a - # particular user by adding the following - # attribute to the control item list: - # - # Allow-Session-Resumption = No - # - # If "enable = no" below, you CANNOT - # enable resumption for just one user - # by setting the above attribute to "yes". - # - enable = no - - # - # Lifetime of the cached entries, in hours. - # The sessions will be deleted after this - # time. - # - lifetime = 24 # hours - - # - # Internal "name" of the session cache. - # Used to distinguish which TLS context - # sessions belong to. - # - # The server will generate a random value - # if unset. This will change across server - # restart so you MUST set the "name" if you - # want to persist sessions (see below). 
- #
- # If you use IPv6, change the "ipaddr" below
- # to "ipv6addr"
- #
- #name = "TLS ${..ipaddr} ${..port} ${..proto}"
-
- #
- # Simple directory-based storage of sessions.
- # Two files per session will be written, the SSL
- # state and the cached VPs. This will persist session
- # across server restarts.
- #
- # The server will need write perms, and the directory
- # should be secured from anyone else. You might want
- # a script to remove old files from here periodically:
- #
- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
- #
- # This feature REQUIRES "name" option be set above.
- #
- #persist_dir = "${logdir}/tlscache"
- }
-
- #
- # Require a client certificate.
- #
- require_client_cert = yes
-
- #
- # As of version 2.1.10, client certificates can be
- # validated via an external command. This allows
- # dynamic CRLs or OCSP to be used.
- #
- # This configuration is commented out in the
- # default configuration. Uncomment it, and configure
- # the correct paths below to enable it.
- #
- verify {
- # A temporary directory where the client
- # certificates are stored. This directory
- # MUST be owned by the UID of the server,
- # and MUST not be accessible by any other
- # users. When the server starts, it will do
- # "chmod go-rwx" on the directory, for
- # security reasons. The directory MUST
- # exist when the server starts.
- #
- # You should also delete all of the files
- # in the directory when the server starts.
- # tmpdir = /tmp/radiusd
-
- # The command used to verify the client cert.
- # We recommend using the OpenSSL command-line
- # tool.
- #
- # The ${..ca_path} text is a reference to
- # the ca_path variable defined above.
- #
- # The %{TLS-Client-Cert-Filename} is the name
- # of the temporary file containing the cert
- # in PEM format. This file is automatically
- # deleted by the server when the command
- # returns.
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
- }
- }
-}
-
-clients radsec {
- client 127.0.0.1 {
- ipaddr = 127.0.0.1
-
- #
- # Ensure that this client is TLS *only*.
- #
- proto = tls
-
- #
- # TCP clients can have any shared secret.
- #
- # TLS clients MUST have the shared secret
- # set to "radsec". Or, for "proto = tls",
- # you can omit the secret, and it will
- # automatically be set to "radsec".
- #
- secret = radsec
-
- #
- # You can also use a "limit" section here.
- # See raddb/clients.conf for examples.
- #
- # Note that BOTH limits are applied. You
- # should therefore set the "listen" limits
- # higher than the ones for each individual
- # client.
- #
- }
-}
-
-#
-# When a request is proxied to a TLS-enabled home server,
-# the TLS parameters are available via the expansion:
-#
-# %{proxy_listen: ... }
-#
-# The contents of the expansion are the same as described
-# above with the %{listen: ... } expansion, and have similar
-# meanings. "client" in this case is the proxy (this system)
-# and "server" is the remote system (home server).
-#
-# Note that the %{proxy_listen: ... } parameters are available
-# only AFTER the connection has been made to the home server.
-#
-home_server tls {
- ipaddr = 127.0.0.1
- port = 2083
-
- # type can be the same types as for the "listen" section/
- # e.g. auth, acct, auth+acct, coa
- type = auth
- secret = radsec
- proto = tcp
- status_check = none
-
- tls {
- #
- # Similarly to HTTP, the client can use Server Name
- # Indication to inform the RadSec server of which
- # domain it is requesting. This selection allows
- # multiple sites to exist at the same IP address.
- #
- # For example, and identity provider could host
- # multiple sites, but present itself with one public
- # IP address.
- #
- # SNI also permits the use of a load balancer such as
- # haproxy. That load balancer can terminate the TLS
- # connection, and then use SNI to route the
- # underlying RADIUS TCP traffic to a particular host.
- #
- # Note that "hostname" here is only for SNI, and is NOT
- # the hostname or IP address we connect to. For that,
- # see "ipaddr", above.
- #
- # hostname = "example.com"
-
- private_key_password = whatever
- private_key_file = ${certdir}/client.pem
-
- # If Private key & Certificate are located in
- # the same file, then private_key_file &
- # certificate_file must contain the same file
- # name.
- #
- # If ca_file (below) is not used, then the
- # certificate_file below MUST include not
- # only the server certificate, but ALSO all
- # of the CA certificates used to sign the
- # server certificate.
- certificate_file = ${certdir}/client.pem
-
- # Trusted Root CA list
- #
- # ALL of the CA's in this list will be trusted
- # to issue client certificates for authentication.
- #
- # In general, you should use self-signed
- # certificates for 802.1x (EAP) authentication.
- # In that case, this CA file should contain
- # *one* CA certificate.
- #
- # This parameter is used only for EAP-TLS,
- # when you issue client certificates. If you do
- # not use client certificates, and you do not want
- # to permit EAP-TLS authentication, then delete
- # this configuration item.
- ca_file = ${cadir}/ca.pem
-
- #
- # For TLS-PSK, the key should be specified
- # dynamically, instead of using a hard-coded
- # psk_identity and psk_hexphrase.
- #
- # The input to the dynamic expansion will be the PSK
- # identity supplied by the client, in the
- # TLS-PSK-Identity attribute. The output of the
- # expansion should be a hex string, of no more than
- # 512 characters. The string should not be prefixed
- # with "0x". e.g. "abcdef" is OK. "0xabcdef" is not.
- #
- # psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
-
- #
- # For DH cipher suites to work, you have to
- # run OpenSSL to create the DH file first:
- #
- # openssl dhparam -out certs/dh 1024
- #
- dh_file = ${certdir}/dh
- random_file = /dev/urandom
-
- #
- # The default fragment size is 1K.
- # However, TLS can send 64K of data at once.
- # It can be useful to set it higher.
- #
- fragment_size = 8192
-
- # include_length is a flag which is
- # by default set to yes If set to
- # yes, Total Length of the message is
- # included in EVERY packet we send.
- # If set to no, Total Length of the
- # message is included ONLY in the
- # First packet of a fragment series.
- #
- # include_length = yes
-
- # Check the Certificate Revocation List
- #
- # 1) Copy CA certificates and CRLs to same directory.
- # 2) Execute 'c_rehash '.
- # 'c_rehash' is OpenSSL's command.
- # 3) uncomment the line below.
- # 5) Restart radiusd
- # check_crl = yes
- ca_path = ${cadir}
-
- #
- # If check_cert_issuer is set, the value will
- # be checked against the DN of the issuer in
- # the client certificate. If the values do not
- # match, the certificate verification will fail,
- # rejecting the user.
- #
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-Issuer attribute. This check
- # can be done via any mechanism you choose.
- #
- # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
-
- #
- # If check_cert_cn is set, the value will
- # be xlat'ed and checked against the CN
- # in the client certificate. If the values
- # do not match, the certificate verification
- # will fail rejecting the user.
- #
- # This check is done only if the previous
- # "check_cert_issuer" is not set, or if
- # the check succeeds.
- #
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-Common-Name attribute. This check
- # can be done via any mechanism you choose.
- #
- # check_cert_cn = %{User-Name}
- #
- # Set this option to specify the allowed
- # TLS cipher suites. The format is listed
- # in "man 1 ciphers".
- cipher_list = "DEFAULT"
- }
-
-}
-
-home_server_pool tls {
- type = fail-over
- home_server = tls
-}
-
-realm tls {
- auth_pool = tls
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/totp b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/totp
deleted file mode 100644
index 59f0f85..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/totp
+++ /dev/null
@@ -1,85 +0,0 @@ -###################################################################### -# -# $Id: e42bf05e189b6272426927173033c4d6d6eae237 $ -# -###################################################################### -# -# Simple server to do TOTP and not much else. -# -server totp { -authorize { - # - # TOTP only works for PAP - # - if (!&User-Password) { - reject - } - - # - # The 6-digit TOTP password should be at the end of the - # User-Password attribute. It can be at the beginning or at - # the end, it doesn't really make any difference. Just - # update the regular expression for whatever you want. - # - # If the password doesn't have 6 digits at the end, reject. - # - if (User-Password !~ /^(.*)([0-9]{6})$/) { - reject - } - - # - # Separate the two fields - # - update request { - User-Password := "%{1}" - TOTP-Password := "%{2}" - } - - # - # Get the users' real password and authorization credentials - # from somewhere, such as a database. This should also set - # - # &control:TOTP-Secret - # - -ldap - -sql - - # - # As an example, fake out the TOTP secret - # - # The value should be the base-32 version of the TOTP secret. - # - # Note that the TOTP secret is effectively a password, and - # should be kept secret! At this time, there is no way to - # "hide" or "encrypt" the TOTP secret for a user. Even if it - # was encrypted, the server would still need a key to decrypt - # it. So encrypying this field does not offer much benefit. - # - if (&User-Name == "bob") { - &control:TOTP-Secret := 12345678901234567890 - } - - # - # Verify the 6-digit TOTP password. If the module does not - # return "ok", then the TOTP password is wrong. - # - totp.authenticate - if (!ok) { - reject - } - - # - # Set Auth-Type = PAP - # - pap -} - -authenticate { - # - # Check the User-Password against whatever we found in LDAP - # or SQL. - # - pap -} - -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/virtual.example.com b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/virtual.example.com
deleted file mode 100644
index d25f031..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/virtual.example.com
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- text -*-
-######################################################################
-#
-# Sample virtual server for internally proxied requests.
-#
-# See the "realm virtual.example.com" example in "proxy.conf".
-#
-# $Id: 3c4aea7458cca50c9f43f33e6aebd5ca08180de7 $
-#
-######################################################################
-
-#
-# You will want to edit this to your local needs. We suggest copying
-# the text from the "default" file here, and then editing the text.
-# That way, any changes to the "default" file will not affect this
-# virtual server, and vice-versa.
-#
-# When this virtual server receives the request, the original
-# attributes can be accessed as "outer.request", "outer.control", etc.
-# See "man unlang" for more details.
-#
-server virtual.example.com {
-authorize {
- # insert policies here
-}
-
-authenticate {
- # insert policies here
-}
-
-# etc.
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/vmps b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/vmps
deleted file mode 100644
index 4470586..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/vmps
+++ /dev/null
@@ -1,98 +0,0 @@
-# -*- text -*-
-######################################################################
-#
-# As of version 2.0.0, the server also supports the VMPS
-# protocol.
-#
-# $Id: c5c50786f4f5563d27218c70bf98c3898f47e5ba $
-#
-######################################################################
-
-server vmps {
- listen {
- # VMPS sockets only support IPv4 addresses.
- ipaddr = *
-
- # Port on which to listen.
- # Allowed values are:
- # integer port number
- # 1589 is the default VMPS port.
- port = 1589
-
- # Type of packets to listen for. Here, it is VMPS.
- type = vmps
-
- # Some systems support binding to an interface, in addition
- # to the IP address. This feature isn't strictly necessary,
- # but for sites with many IP addresses on one interface,
- # it's useful to say "listen on all addresses for
- # eth0".
- #
- # If your system does not support this feature, you will
- # get an error if you try to use it.
- #
- # interface = eth0
- }
-
- # If you have switches that are allowed to send VMPS, but NOT
- # RADIUS packets, then list them here as "client" sections.
- #
- # Note that for compatibility with RADIUS, you still have to
- # list a "secret" for each client, though that secret will not
- # be used for anything.
-
-
- # And the REAL contents. This section is just like the
- # "post-auth" section of radiusd.conf. In fact, it calls the
- # "post-auth" component of the modules that are listed here.
- # But it's called "vmps" to highlight that it's for VMPS.
- #
- vmps {
- #
- # Some requests may not have a MAC address. Try to
- # create one using other attributes.
- if (!&VMPS-Mac) {
- if (&VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
- update request {
- &VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
- }
- }
- else {
- update request {
- &VMPS-Mac = &VMPS-Cookie
- }
- }
- }
-
- # Do a simple mapping of MAC to VLAN.
- #
- # See radiusd.conf for the definition of the "mac2vlan"
- # module.
- #
- #mac2vlan
-
- # required VMPS reply attributes
- update reply {
- &VMPS-Packet-Type = VMPS-Join-Response
- &VMPS-Cookie = &VMPS-Mac
-
- &VMPS-VLAN-Name = "please_use_real_vlan_here"
-
- #
- # If you have VLAN's in a database, you can select
- # the VLAN name based on the MAC address.
- #
- #&VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"
- }
-
- # correct reply packet type for reconfirmation requests
- #
- if (&VMPS-Packet-Type == VMPS-Reconfirm-Request){
- update reply {
- &VMPS-Packet-Type := VMPS-Reconfirm-Response
- }
- }
- }
-
- # Proxying of VMPS requests is NOT supported.
-}
From dc7dcf104a15bec5e26d85a959691794acd96618 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Thu, 4 Aug 2022 03:05:52 +0000 Subject: [PATCH 04/59] Remove unused mod-config --- .../raddb/mods-config/README.rst | 22 - .../raddb/mods-config/perl/example.pl | 230 ------ .../sql/counter/mysql/dailycounter.conf | 33 - .../sql/counter/mysql/expire_on_login.conf | 6 - .../sql/counter/mysql/monthlycounter.conf | 34 - .../sql/counter/mysql/noresetcounter.conf | 4 - .../sql/counter/mysql/weeklycounter.conf | 11 - .../sql/counter/postgresql/dailycounter.conf | 34 - .../counter/postgresql/expire_on_login.conf | 6 - .../counter/postgresql/monthlycounter.conf | 31 - .../counter/postgresql/noresetcounter.conf | 4 - .../sql/counter/postgresql/weeklycounter.conf | 12 - .../sql/counter/sqlite/dailycounter.conf | 33 - .../sql/counter/sqlite/expire_on_login.conf | 6 - .../sql/counter/sqlite/monthlycounter.conf | 34 - .../sql/counter/sqlite/noresetcounter.conf | 4 - .../sql/counter/sqlite/weeklycounter.conf | 12 - .../mods-config/sql/cui/mysql/queries.conf | 50 -- .../mods-config/sql/cui/mysql/schema.sql | 9 - .../sql/cui/postgresql/queries.conf | 47 -- .../mods-config/sql/cui/postgresql/schema.sql | 14 - .../mods-config/sql/cui/sqlite/queries.conf | 47 -- .../mods-config/sql/cui/sqlite/schema.sql | 9 - .../mods-config/sql/dhcp/mssql/queries.conf | 52 -- .../mods-config/sql/dhcp/mssql/schema.sql | 91 --- .../mods-config/sql/dhcp/mysql/queries.conf | 75 -- .../mods-config/sql/dhcp/mysql/schema.sql | 47 -- .../mods-config/sql/dhcp/mysql/setup.sql | 21 - .../mods-config/sql/dhcp/oracle/queries.conf | 47 -- .../mods-config/sql/dhcp/oracle/schema.sql | 81 -- .../sql/dhcp/postgresql/queries.conf | 76 -- .../sql/dhcp/postgresql/schema.sql | 44 -- .../mods-config/sql/dhcp/postgresql/setup.sql | 28 - .../mods-config/sql/dhcp/sqlite/queries.conf | 52 -- .../mods-config/sql/dhcp/sqlite/schema.sql | 46 -- .../sql/ippool-dhcp/mssql/procedure.sql | 159 ---- .../sql/ippool-dhcp/mssql/queries.conf | 257 ------- .../sql/ippool-dhcp/mssql/schema.sql | 40 - 
.../mysql/procedure-no-skip-locked.sql | 160 ---- .../sql/ippool-dhcp/mysql/procedure.sql | 144 ---- .../sql/ippool-dhcp/mysql/queries.conf | 221 ------ .../sql/ippool-dhcp/mysql/schema.sql | 21 - .../sql/ippool-dhcp/oracle/procedure.sql | 217 ------ .../sql/ippool-dhcp/oracle/queries.conf | 200 ----- .../sql/ippool-dhcp/oracle/schema.sql | 28 - .../sql/ippool-dhcp/postgresql/procedure.sql | 119 --- .../sql/ippool-dhcp/postgresql/queries.conf | 291 -------- .../sql/ippool-dhcp/postgresql/schema.sql | 23 - .../sql/ippool-dhcp/sqlite/queries.conf | 236 ------ .../sql/ippool-dhcp/sqlite/schema.sql | 25 - .../mods-config/sql/ippool/mongo/queries.conf | 109 --- .../sql/ippool/mssql/procedure.sql | 137 ---- .../mods-config/sql/ippool/mssql/queries.conf | 176 ----- .../mods-config/sql/ippool/mssql/schema.sql | 25 - .../ippool/mysql/procedure-no-skip-locked.sql | 149 ---- .../sql/ippool/mysql/procedure.sql | 139 ---- .../mods-config/sql/ippool/mysql/queries.conf | 156 ---- .../mods-config/sql/ippool/mysql/schema.sql | 18 - .../sql/ippool/oracle/procedure.sql | 129 ---- .../sql/ippool/oracle/queries.conf | 172 ----- .../mods-config/sql/ippool/oracle/schema.sql | 27 - .../sql/ippool/postgresql/procedure.sql | 111 --- .../sql/ippool/postgresql/queries.conf | 207 ------ .../sql/ippool/postgresql/schema.sql | 22 - .../sql/ippool/sqlite/queries.conf | 148 ---- .../mods-config/sql/ippool/sqlite/schema.sql | 18 - .../mods-config/sql/main/mongo/queries.conf | 289 -------- .../sql/main/mssql/process-radacct.sql | 151 ---- .../mods-config/sql/main/mssql/queries.conf | 581 --------------- .../mods-config/sql/main/mssql/schema.sql | 299 -------- .../sql/main/mysql/extras/wimax/queries.conf | 40 - .../sql/main/mysql/extras/wimax/schema.sql | 16 - .../sql/main/mysql/process-radacct.sql | 152 ---- .../mods-config/sql/main/mysql/queries.conf | 650 ---------------- .../mods-config/sql/main/mysql/schema.sql | 170 ----- .../mods-config/sql/main/mysql/setup.sql | 23 - 
.../raddb/mods-config/sql/main/ndb/README | 5 - .../raddb/mods-config/sql/main/ndb/schema.sql | 144 ---- .../raddb/mods-config/sql/main/ndb/setup.sql | 25 - .../sql/main/oracle/process-radacct.sql | 147 ---- .../mods-config/sql/main/oracle/queries.conf | 684 ----------------- .../mods-config/sql/main/oracle/schema.sql | 204 ----- .../extras/cisco_h323_db_schema.sql | 295 -------- .../main/postgresql/extras/voip-postpaid.conf | 70 -- .../sql/main/postgresql/process-radacct.sql | 138 ---- .../sql/main/postgresql/queries.conf | 699 ------------------ .../sql/main/postgresql/schema.sql | 174 ----- .../mods-config/sql/main/postgresql/setup.sql | 45 -- .../main/sqlite/process-radacct-refresh.sh | 112 --- .../main/sqlite/process-radacct-schema.sql | 52 -- .../mods-config/sql/main/sqlite/queries.conf | 599 --------------- .../mods-config/sql/main/sqlite/schema.sql | 156 ---- .../moonshot-targeted-ids/mysql/queries.conf | 15 - .../moonshot-targeted-ids/mysql/schema.sql | 8 - .../postgresql/queries.conf | 15 - .../postgresql/schema.sql | 8 - .../moonshot-targeted-ids/sqlite/queries.conf | 15 - .../moonshot-targeted-ids/sqlite/schema.sql | 8 - .../raddb/mods-config/unbound/default.conf | 2 - 99 files changed, 11227 deletions(-) delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/README.rst delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/perl/example.pl delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/dailycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/expire_on_login.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/monthlycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/noresetcounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/weeklycounter.conf delete mode 100644 
pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/dailycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/dailycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/schema.sql delete mode 100644 
pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/setup.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/setup.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/queries.conf delete mode 100644 
pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mongo/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/procedure.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/queries.conf delete 
mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mongo/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/process-radacct.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/process-radacct.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/setup.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/README delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/setup.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/process-radacct.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/schema.sql delete mode 100644 
pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/process-radacct.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/setup.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/queries.conf delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/schema.sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-config/unbound/default.conf 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/README.rst b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/README.rst
deleted file mode 100644
index abb4c8d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/README.rst
+++ /dev/null
@@ -1,22 +0,0 @@
-The mods-config Directory
-=========================
-
-This directory contains module-specific configuration files. These
-files are in a format different from the one used by the main
-`radiusd.conf` files. Earlier versions of the server had many
-module-specific files in the main `raddb` directory. The directory
-contained many files, and it was not clear which files did what.
-
-For Version 3 of FreeRADIUS, we have moved to a consistent naming
-scheme. Each module-specific configuration file is placed in this
-directory, in a subdirectory named for the module. Where necessary,
-files in the subdirectory have been named for the processing section
-where they are used.
-
-For example, the `users` file is now located in
-`mods-config/files/authorize`. That filename tells us three things:
-
-1. The file is used in the `authorize` section.
-2. The file is used by the `files` module.
-3. It is a "module configuration" file, which is a specific format.
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/perl/example.pl b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/perl/example.pl
deleted file mode 100644
index f00b17b..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/perl/example.pl
+++ /dev/null
@@ -1,230 +0,0 @@ - -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA -# -# Copyright 2002 The FreeRADIUS server project -# Copyright 2002 Boian Jordanov -# - -# -# Example code for use with rlm_perl -# -# You can use every module that comes with your perl distribution! -# -# If you are using DBI and do some queries to DB, please be sure to -# use the CLONE function to initialize the DBI connection to DB. -# - -use strict; -use warnings; - -# use ... -use Data::Dumper; - -# Bring the global hashes into the package scope -our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK, %RAD_STATE, %RAD_PERLCONF); - -# This is hash wich hold original request from radius -#my %RAD_REQUEST; -# In this hash you add values that will be returned to NAS. -#my %RAD_REPLY; -#This is for check items -#my %RAD_CHECK; -# This is the session-sate -#my %RAD_STATE; -# This is configuration items from "config" perl module configuration section -#my %RAD_PERLCONF; - -# Multi-value attributes are mapped to perl arrayrefs. 
-# -# update request { -# Filter-Id := 'foo' -# Filter-Id += 'bar' -# } -# -# This results to the following entry in %RAD_REQUEST: -# -# $RAD_REQUEST{'Filter-Id'} = [ 'foo', 'bar' ]; -# -# Likewise, you can assign an arrayref to return multi-value attributes - -# -# This the remapping of return values -# -use constant { - RLM_MODULE_REJECT => 0, # immediately reject the request - RLM_MODULE_OK => 2, # the module is OK, continue - RLM_MODULE_HANDLED => 3, # the module handled the request, so stop - RLM_MODULE_INVALID => 4, # the module considers the request invalid - RLM_MODULE_USERLOCK => 5, # reject the request (user is locked out) - RLM_MODULE_NOTFOUND => 6, # user not found - RLM_MODULE_NOOP => 7, # module succeeded without doing anything - RLM_MODULE_UPDATED => 8, # OK (pairs modified) - RLM_MODULE_NUMCODES => 9 # How many return codes there are -}; - -# Same as src/include/log.h -use constant { - L_AUTH => 2, # Authentication message - L_INFO => 3, # Informational message - L_ERR => 4, # Error message - L_WARN => 5, # Warning - L_PROXY => 6, # Proxy messages - L_ACCT => 7, # Accounting messages - L_DBG => 16, # Only displayed when debugging is enabled - L_DBG_WARN => 17, # Warning only displayed when debugging is enabled - L_DBG_ERR => 18, # Error only displayed when debugging is enabled - L_DBG_WARN_REQ => 19, # Less severe warning only displayed when debugging is enabled - L_DBG_ERR_REQ => 20, # Less severe error only displayed when debugging is enabled -}; - -# Global variables can persist across different calls to the module. -# -# -# { -# my %static_global_hash = (); -# -# sub post_auth { -# ... -# } -# ... 
-# } - - -# Function to handle authorize -sub authorize { - # For debugging purposes only -# &log_request_attributes; - - # Here's where your authorization code comes - # You can call another function from here: - &test_call; - - return RLM_MODULE_OK; -} - -# Function to handle authenticate -sub authenticate { - # For debugging purposes only -# &log_request_attributes; - - if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) { - # Reject user and tell him why - $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function"; - return RLM_MODULE_REJECT; - } else { - # Accept user and set some attribute - if (&radiusd::xlat("%{client:group}") eq 'UltraAllInclusive') { - # User called from NAS with unlim plan set, set higher limits - $RAD_REPLY{'h323-credit-amount'} = "1000000"; - } else { - $RAD_REPLY{'h323-credit-amount'} = "100"; - } - return RLM_MODULE_OK; - } -} - -# Function to handle preacct -sub preacct { - # For debugging purposes only -# &log_request_attributes; - - return RLM_MODULE_OK; -} - -# Function to handle accounting -sub accounting { - # For debugging purposes only -# &log_request_attributes; - - # You can call another subroutine from here - &test_call; - - return RLM_MODULE_OK; -} - -# Function to handle checksimul -sub checksimul { - # For debugging purposes only -# &log_request_attributes; - - return RLM_MODULE_OK; -} - -# Function to handle pre_proxy -sub pre_proxy { - # For debugging purposes only -# &log_request_attributes; - - return RLM_MODULE_OK; -} - -# Function to handle post_proxy -sub post_proxy { - # For debugging purposes only -# &log_request_attributes; - - return RLM_MODULE_OK; -} - -# Function to handle post_auth -sub post_auth { - # For debugging purposes only -# &log_request_attributes; - - return RLM_MODULE_OK; -} - -# Function to handle xlat -sub xlat { - # For debugging purposes only -# &log_request_attributes; - - # Loads some external perl and evaluate it - my ($filename,$a,$b,$c,$d) = @_; - &radiusd::radlog(L_DBG, "From xlat 
$filename "); - &radiusd::radlog(L_DBG,"From xlat $a $b $c $d "); - local *FH; - open FH, $filename or die "open '$filename' $!"; - local($/) = undef; - my $sub = ; - close FH; - my $eval = qq{ sub handler{ $sub;} }; - eval $eval; - eval {main->handler;}; -} - -# Function to handle detach -sub detach { - # For debugging purposes only -# &log_request_attributes; -} - -# -# Some functions that can be called from other functions -# - -sub test_call { - # Some code goes here -} - -sub log_request_attributes { - # This shouldn't be done in production environments! - # This is only meant for debugging! - for (keys %RAD_REQUEST) { - &radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}"); - } -} - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/dailycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/dailycounter.conf deleted file mode 100644 index dbfb097..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/dailycounter.conf +++ /dev/null 
@@ -1,33 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
- FROM radacct \
- WHERE username = '%{${key}}' \
- AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"
-
-#
-# This query ignores calls that started in a previous
-# reset period and continue into into this one. But it
-# is a little easier on the SQL server
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct \
-# WHERE username = '%{${key}}' \
-# AND acctstarttime > FROM_UNIXTIME('%%b')"
-
-#
-# This query is the same as above, but demonstrates an
-# additional counter parameter '%%e' which is the
-# timestamp for the end of the period
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct \
-# WHERE username = '%{${key}}' \
-# AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') AND FROM_UNIXTIME('%%e')"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/expire_on_login.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
deleted file mode 100644
index 73e2ca3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-query = "\
- SELECT IFNULL( MAX(TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime))),0) \
- FROM radacct \
- WHERE UserName='%{${key}}' \
- ORDER BY acctstarttime \
- LIMIT 1;"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/monthlycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
deleted file mode 100644
index 8999765..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
- FROM radacct \
- WHERE username='%{${key}}' \
- AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"
-
-#
-# This query ignores calls that started in a previous
-# reset period and continue into into this one. But it
-# is a little easier on the SQL server
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct\
-# WHERE username='%{${key}}' \
-# AND acctstarttime > FROM_UNIXTIME('%%b')"
-
-#
-# This query is the same as above, but demonstrates an
-# additional counter parameter '%%e' which is the
-# timestamp for the end of the period
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct \
-# WHERE username='%{${key}}' \
-# AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') \
-# AND FROM_UNIXTIME('%%e')"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/noresetcounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
deleted file mode 100644
index abcb21b..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-query = "\
- SELECT IFNULL(SUM(AcctSessionTime),0) \
- FROM radacct \
- WHERE UserName='%{${key}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/weeklycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/weeklycounter.conf
deleted file mode 100644
index bf8a4c4..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/mysql/weeklycounter.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
- FROM radacct \
- WHERE username = '%{${key}}' \
- AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/dailycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
deleted file mode 100644
index 1e2f7fa..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(epoch FROM AcctStartTime)), 0)) \
- FROM radacct \
- WHERE UserName='%{${key}}' \
- AND EXTRACT(epoch FROM AcctStartTime) + AcctSessionTime > '%%b'"
-
-#
-# This query ignores calls that started in a previous
-# reset period and continue into into this one. But it
-# is a little easier on the SQL server
-#
-#query = "\
-# SELECT SUM(AcctSessionTime) \
-# FROM radacct \
-# WHERE UserName='%{${key}}' \
-# AND EXTRACT(epoch FROM AcctStartTime) > '%%b'"
-
-#
-# This query is the same as above, but demonstrates an
-# additional counter parameter '%%e' which is the
-# timestamp for the end of the period
-#
-#query = "\
-# SELECT SUM(AcctSessionTime) \
-# FROM radacct \
-# WHERE UserName='%{${key}}' \
-# AND EXTRACT(epoch FROM AcctStartTime) BETWEEN '%%b' \
-# AND '%%e'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
deleted file mode 100644
index 6ec4c4e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-query = "\
- SELECT EXTRACT(EPOCH FROM (NOW() - acctstarttime)) \
- FROM radacct \
- WHERE UserName='%{${key}}' \
- ORDER BY acctstarttime \
- LIMIT 1;"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
deleted file mode 100644
index cdaf83a..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-query = "\
- SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(epoch FROM AcctStartTime)), 0)) \
- FROM radacct \
- WHERE UserName='%{${key}}' \
- AND EXTRACT(epoch FROM AcctStartTime) + AcctSessionTime > '%%b'"
-
-#
-# This query ignores calls that started in a previous
-# reset period and continue into into this one. But it
-# is a little easier on the SQL server
-#
-#query = "\
-# SELECT SUM(AcctSessionTime) \
-# FROM radacct \
-# WHERE UserName='%{${key}}' \
-# AND EXTRACT(epoch FROM AcctStartTime) > '%%b'"
-
-#
-# This query is the same as above, but demonstrates an
-# additional counter parameter '%%e' which is the
-# timestamp for the end of the period
-#
-#query = "\
-# SELECT SUM(AcctSessionTime) \
-# FROM radacct \
-# WHERE UserName='%{${key}}' \
-# AND EXTRACT(epoch FROM AcctStartTime) BETWEEN '%%b' AND '%%e'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
deleted file mode 100644
index ac5182e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-query = "\
- SELECT SUM(AcctSessionTime) \
- FROM radacct \
- WHERE UserName='%{${key}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf
deleted file mode 100644
index 0d809c1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(epoch FROM AcctStartTime)), 0)) \
- FROM radacct \
- WHERE UserName='%{${key}}' \
- AND EXTRACT(epoch FROM AcctStartTime) + AcctSessionTime > '%%b'"
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/dailycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
deleted file mode 100644
index 9a2ec38..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \
- FROM radacct \
- WHERE username = '%{${key}}' \
- AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b"
-
-#
-# This query ignores calls that started in a previous
-# reset period and continue into into this one. But it
-# is a little easier on the SQL server
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct \
-# WHERE \username = '%{${key}}' \
-# AND acctstarttime > %%b"
-
-#
-# This query is the same as above, but demonstrates an
-# additional counter parameter '%%e' which is the
-# timestamp for the end of the period
-#
-#query = "\
-# SELECT SUM(acctsessiontime) FROM radacct \
-# WHERE username = '%{${key}}' \
-# AND acctstarttime BETWEEN %%b \
-# AND %%e"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
deleted file mode 100644
index f4e95a5..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-query = "\
- SELECT GREATEST(strftime('%%s', NOW()) - strftime('%%s', acctstarttime), 0) AS expires \
- FROM radacct \
- WHERE username = '%{${key}}' \
- ORDER BY acctstarttime \
- LIMIT 1;"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
deleted file mode 100644
index 5262097..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \
- FROM radacct \
- WHERE username = '%{${key}}' AND \
- (strftime('%%s', acctstarttime) + acctsessiontime) > %%b"
-
-#
-# This query ignores calls that started in a previous
-# reset period and continue into into this one. But it
-# is a little easier on the SQL server
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct \
-# WHERE username = '%{${key}}' \
-# AND acctstarttime > %%b"
-
-#
-# This query is the same as above, but demonstrates an
-# additional counter parameter '%%e' which is the
-# timestamp for the end of the period
-#
-#query = "\
-# SELECT SUM(acctsessiontime) \
-# FROM radacct \
-# WHERE username = '%{${key}}' \
-# AND acctstarttime BETWEEN %%b \
-# AND %%e"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
deleted file mode 100644
index ac2d869..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-query = "\
- SELECT IFNULL(SUM(acctsessiontime),0) \
- FROM radacct \
- WHERE username = '%{${key}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
deleted file mode 100644
index 06ce3b6..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# This query properly handles calls that span from the
-# previous reset period into the current period but
-# involves more work for the SQL server than those
-# below
-#
-query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \
- FROM radacct \
- WHERE username = '%{${key}}' \
- AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b"
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/queries.conf
deleted file mode 100644
index 415c416..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/queries.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# -*- text -*-
-#
-# cui/mysql/queries.conf -- Queries to update a MySQL CUI table.
-#
-# $Id: f8f18cab562e7321756cd1f3411bbc9897ef3377 $
-
-post-auth {
- query = "\
- INSERT IGNORE INTO ${..cui_table} \
- (clientipaddress, callingstationid, username, cui, lastaccounting) \
- VALUES \
- ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \
- '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
- ON DUPLICATE KEY UPDATE \
- lastaccounting='0000-00-00 00:00:00', \
- cui='%{reply:Chargeable-User-Identity}'"
-
-}
-
-accounting {
- reference = "%{tolower:type.%{Acct-Status-Type}.query}"
- type {
- start {
- query = "\
- UPDATE ${....cui_table} SET \
- lastaccounting = CURRENT_TIMESTAMP \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- interim-update {
- query ="\
- UPDATE ${....cui_table} SET \
- lastaccounting = CURRENT_TIMESTAMP \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- stop {
- query ="\
- DELETE FROM ${....cui_table} \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/schema.sql
deleted file mode 100644
index da9b2f7..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/mysql/schema.sql
+++ /dev/null
@@ -1,9 +0,0 @@
-CREATE TABLE `cui` (
- `clientipaddress` varchar(46) NOT NULL default '',
- `callingstationid` varchar(50) NOT NULL default '',
- `username` varchar(64) NOT NULL default '',
- `cui` varchar(32) NOT NULL default '',
- `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP,
- `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00',
- PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/queries.conf
deleted file mode 100644
index 0e985b3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/queries.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# -*- text -*-
-#
-# cui/postgresql/queries.conf -- Queries to update a PostgreSQL CUI table.
-#
-# $Id: 6c2215f0abbe5cb30658ea541d525fd7a274c547 $
-
-post-auth {
- query = "\
- INSERT INTO ${..cui_table} \
- (clientipaddress, callingstationid, username, cui) \
- VALUES \
- ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \
- '%{User-Name}', '%{reply:Chargeable-User-Identity}')"
-
-}
-
-accounting {
- reference = "%{tolower:type.%{Acct-Status-Type}.query}"
- type {
- start {
- query = "\
- UPDATE ${....cui_table} SET \
- lastaccounting = now() \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- interim-update {
- query ="\
- UPDATE ${....cui_table} SET \
- lastaccounting = now() \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- stop {
- query ="\
- DELETE FROM ${....cui_table} \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/schema.sql
deleted file mode 100644
index 3b24401..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/postgresql/schema.sql
+++ /dev/null
@@ -1,14 +0,0 @@
-CREATE TABLE cui (
- clientipaddress INET NOT NULL DEFAULT '0.0.0.0',
- callingstationid varchar(50) NOT NULL DEFAULT '',
- username varchar(64) NOT NULL DEFAULT '',
- cui varchar(32) NOT NULL DEFAULT '',
- creationdate TIMESTAMP with time zone NOT NULL default 'now()',
- lastaccounting TIMESTAMP with time zone NOT NULL default '-infinity'::timestamp,
- PRIMARY KEY (username, clientipaddress, callingstationid)
-);
-
-CREATE RULE postauth_query AS ON INSERT TO cui
- WHERE EXISTS(SELECT 1 FROM cui WHERE (username, clientipaddress, callingstationid)=(NEW.username, NEW.clientipaddress, NEW.callingstationid))
- DO INSTEAD UPDATE cui SET lastaccounting ='-infinity'::timestamp with time zone, cui=NEW.cui WHERE (username, clientipaddress, callingstationid)=(NEW.username, NEW.clientipaddress, NEW.callingstationid);
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/queries.conf
deleted file mode 100644
index defc591..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/queries.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# -*- text -*-
-#
-# cui/sqlite/queries.conf -- Queries to update a sqlite CUI table.
-#
-# $Id: 41741eb70ae9c428ba5230aaf9d9b84f95c050a9 $
-
-post-auth {
- query = "\
- INSERT OR REPLACE INTO ${..cui_table} \
- (clientipaddress, callingstationid, username, cui, lastaccounting) \
- VALUES \
- ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \
- '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL)"
-
-}
-
-accounting {
- reference = "%{tolower:type.%{Acct-Status-Type}.query}"
- type {
- start {
- query = "\
- UPDATE ${....cui_table} SET \
- lastaccounting = CURRENT_TIMESTAMP \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- interim-update {
- query ="\
- UPDATE ${....cui_table} SET \
- lastaccounting = CURRENT_TIMESTAMP \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- stop {
- query ="\
- DELETE FROM ${....cui_table} \
- WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}' \
- AND cui = '%{Chargeable-User-Identity}'"
- }
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/schema.sql
deleted file mode 100644
index 8473534..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/cui/sqlite/schema.sql
+++ /dev/null
@@ -1,9 +0,0 @@
-CREATE TABLE `cui` (
- `clientipaddress` varchar(46) NOT NULL default '',
- `callingstationid` varchar(50) NOT NULL default '',
- `username` varchar(64) NOT NULL default '',
- `cui` varchar(32) NOT NULL default '',
- `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP,
- `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00',
- PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`)
-);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/queries.conf
deleted file mode 100644
index 6d5d250..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/queries.conf
+++ /dev/null
@@ -1,52 +0,0 @@ -# -*- text -*- -# -# dhcp/mssql/queries.conf -- MSSQL configuration for DHCP schema (schema.sql) -# -# $Id: 8345c700465325f3cc99ad88f318f6730b07c648 $ - -# Safe characters list for sql queries. Everything else is replaced -# with their mime-encoded equivalents. -# The default list should be ok -# safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" - -####################################################################### -# Query config: Identifier -####################################################################### -# This is the identifier that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used -# below everywhere an identifier substitution is needed so you you can -# be sure the identifier passed from the client is escaped properly. -# -sql_user_name = "%{control:DHCP-SQL-Option-Identifier}" - -####################################################################### -# Attribute Lookup Queries -####################################################################### -# These queries setup the reply items in ${dhcpreply_table} and -# ${group_reply_query}. You can use any query/tables you want, but -# the return data for each row MUST be in the following order: -# -# 0. Row ID (currently unused) -# 1. Identifier -# 2. Item Attr Name -# 3. Item Attr Value -# 4. 
Item Attr Operation -####################################################################### - -authorize_reply_query = "\ - SELECT id, Identifier, Attribute, Value, op \ - FROM ${dhcpreply_table} \ - WHERE Identifier = '%{SQL-User-Name}' AND Context = '%{control:DHCP-SQL-Option-Context}' \ - ORDER BY id" - -authorize_group_reply_query = "\ - SELECT id, GroupName, Attribute, Value, op \ - FROM ${groupreply_table} \ - WHERE GroupName = '%{${group_attribute}}' AND Context = '%{control:DHCP-SQL-Option-Context}' \ - ORDER BY id" - -group_membership_query = "\ - SELECT GroupName \ - FROM ${dhcpgroup_table} \ - WHERE Identifier='%{SQL-User-Name}' AND Context = '%{control:DHCP-SQL-Option-Context}' \ - ORDER BY priority" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/schema.sql deleted file mode 100644 index 06ac209..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mssql/schema.sql +++ /dev/null 
@@ -1,91 +0,0 @@ --- $Id: 8584949f50d0e5a7c736e9ad52ad95d1e1ebc28d $ --- --- MSSQL schema for DHCP for FreeRADIUS --- --- To load: --- isql -S db_ip_addr -d db_name -U db_login -P db_passwd -i schema.sql - --- --- Table structure for table 'dhcpgroupreply' --- -CREATE TABLE [dhcpgroupreply] ( - [id] [int] IDENTITY (1, 1) NOT NULL, - [GroupName] [varchar] (64) NOT NULL, - [Attribute] [varchar] (32) NOT NULL, - [Value] [varchar] (253) NOT NULL, - [op] [char] (2) NULL, - [prio] [int] NOT NULL, - [Context] [varchar] (16) NOT NULL -) ON [PRIMARY] -GO - -ALTER TABLE [dhcpgroupreply] WITH NOCHECK ADD - CONSTRAINT [DF_dhcpgroupreply_GroupName] DEFAULT ('') FOR [GroupName], - CONSTRAINT [DF_dhcpgroupreply_Attribute] DEFAULT ('') FOR [Attribute], - CONSTRAINT [DF_dhcpgroupreply_Value] DEFAULT ('') FOR [Value], - CONSTRAINT [DF_dhcpgroupreply_op] DEFAULT (null) FOR [op], - CONSTRAINT [DF_dhcpgroupreply_prio] DEFAULT (0) FOR [prio], - CONSTRAINT [DF_dhcpgroupreply_context] DEFAULT ('') FOR [Context], - CONSTRAINT [PK_dhcpgroupreply] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [GroupName] ON [dhcpgroupreply]([Context],[GroupName]) ON [PRIMARY] -GO - - --- --- Table structure for table 'dhcpreply' --- -CREATE TABLE [dhcpreply] ( - [id] [int] IDENTITY (1, 1) NOT NULL, - [Identifier] [varchar] (64) NOT NULL, - [Attribute] [varchar] (32) NOT NULL, - [Value] [varchar] (253) NOT NULL, - [op] [char] (2) NULL, - [Context] [varchar] (16) NOT NULL -) ON [PRIMARY] -GO - -ALTER TABLE [dhcpreply] WITH NOCHECK ADD - CONSTRAINT [DF_dhcpreply_Identifier] DEFAULT ('') FOR [Identifier], - CONSTRAINT [DF_dhcpreply_Attribute] DEFAULT ('') FOR [Attribute], - CONSTRAINT [DF_dhcpreply_Value] DEFAULT ('') FOR [Value], - CONSTRAINT [DF_dhcpreply_op] DEFAULT (null) FOR [op], - CONSTRAINT [DF_dhcpreply_Context] DEFAULT ('') FOR [Context], - CONSTRAINT [PK_dhcpreply] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [Identifier] ON 
[dhcpreply]([Context],[Identifier]) ON [PRIMARY] -GO - - --- --- Table structure for table 'dhcpgroup' --- -CREATE TABLE [dhcpgroup] ( - [id] [int] IDENTITY (1, 1) NOT NULL, - [Identifier] [varchar] (64) NOT NULL, - [GroupName] [varchar] (64) NULL, - [Priority] [int] NULL, - [Context] [varchar] (16) NULL -) ON [PRIMARY] -GO - -ALTER TABLE [dhcpgroup] WITH NOCHECK ADD - CONSTRAINT [DF_dhcpgroup_Identifier] DEFAULT ('') FOR [Identifier], - CONSTRAINT [DF_dhcpgroup_GroupName] DEFAULT ('') FOR [GroupName], - CONSTRAINT [DF_dhcpgroup_Context] DEFAULT ('') FOR [Context], - CONSTRAINT [PK_dhcpgroup] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [Identifier] ON [dhcpgroup]([Context],[Identifier]) ON [PRIMARY] -GO diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/queries.conf deleted file mode 100644 index 1d741df..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/queries.conf +++ /dev/null 
@@ -1,75 +0,0 @@
-# -*- text -*-
-#
-# dhcp/mysql/queries.conf -- MySQL configuration for DHCP schema (schema.sql)
-#
-# $Id: a28037bd5e273cfc59297e86484be666b09f2f6d $
-
-# Use the driver specific SQL escape method.
-#
-# If you enable this configuration item, the "safe_characters"
-# configuration is ignored. FreeRADIUS then uses the PostgreSQL escape
-# functions to escape input strings. The only downside to making this
-# change is that the PostgreSQL escaping method is not the same the one
-# used by FreeRADIUS. So characters which are NOT in the
-# "safe_characters" list will now be stored differently in the database.
-#
-#auto_escape = yes
-
-# Safe characters list for sql queries. Everything else is replaced
-# with their mime-encoded equivalents.
-# The default list should be ok
-# Using 'auto_escape' is preferred
-safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
-
-#######################################################################
-# Connection config
-#######################################################################
-# The character set is not configurable. The default character set of
-# the mysql client library is used. To control the character set,
-# create/edit my.cnf (typically in /etc/mysql/my.cnf or /etc/my.cnf)
-# and enter
-# [client]
-# default-character-set = utf8
-#
-
-#######################################################################
-# Query config: Identifier
-#######################################################################
-# This is the identifier that will get substituted, escaped, and added
-# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used
-# below everywhere an identifier substitution is needed so you you can
-# be sure the identifier passed from the client is escaped properly.
-#
-sql_user_name = "%{control:DHCP-SQL-Option-Identifier}"
-
-#######################################################################
-# Attribute Lookup Queries
-#######################################################################
-# These queries setup the reply items in ${dhcpreply_table} and
-# ${group_reply_query}. You can use any query/tables you want, but
-# the return data for each row MUST be in the following order:
-#
-# 0. Row ID (currently unused)
-# 1. Identifier
-# 2. Item Attr Name
-# 3. Item Attr Value
-# 4. Item Attr Operation
-#######################################################################
-
-authorize_reply_query = "\
- SELECT id, identifier, attribute, value, Op \
- FROM ${dhcpreply_table} \
- WHERE identifier = '%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-authorize_group_reply_query = "\
- SELECT id, groupname, attribute, value, op \
- FROM ${groupreply_table} \
- WHERE groupname = '%{${group_attribute}}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-group_membership_query = "\
- SELECT groupnme \
- FROM ${dhcpgroup_table} \
- WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY priority"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/schema.sql
deleted file mode 100644
index ab56a5d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/schema.sql
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# $Id: 85a121a9bed9e2bb2c2d24068dca259c5c547e73 $
-#
-# PostgreSQL schema for DHCP for FreeRADIUS
-#
-#
-
-#
-# Table structure for table 'dhcpgroupreply'
-#
-CREATE TABLE IF NOT EXISTS dhcpgroupreply (
- id int(11) unsigned NOT NULL auto_increment,
- groupname varchar(64) NOT NULL default '',
- attribute varchar(64) NOT NULL default '',
- op char(2) NOT NULL DEFAULT '=',
- value varchar(253) NOT NULL default '',
- context varchar(16) NOT NULL default '',
- PRIMARY KEY (id),
- KEY groupname (context,groupname(32))
-);
-
-#
-# Table structure for table 'dhcpreply'
-#
-CREATE TABLE IF NOT EXISTS dhcpreply (
- id int(11) unsigned NOT NULL auto_increment,
- identifier varchar(253) NOT NULL default '',
- attribute varchar(64) NOT NULL default '',
- op char(2) NOT NULL DEFAULT '=',
- value varchar(253) NOT NULL default '',
- context varchar(16) NOT NULL default '',
- PRIMARY KEY (id),
- KEY identifier (context,identifier(32))
-);
-
-#
-# Table structure for table 'dhcpgroup'
-#
-CREATE TABLE IF NOT EXISTS dhcpgroup (
- id int(11) unsigned NOT NULL auto_increment,
- identifier varchar(253) NOT NULL default '',
- groupname varchar(64) NOT NULL default '',
- priority int(11) NOT NULL default '1',
- context varchar(16) NOT NULL default '',
- PRIMARY KEY (id),
- KEY identifier (context,identifier(32))
-);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/setup.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/setup.sql
deleted file mode 100644
index 3d007a2..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/mysql/setup.sql
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * setup.sql -- MySQL commands for creating the RADIUS user.
- *
- * WARNING: You should change 'localhost' and 'radpass'
- * to something else. Also update raddb/mods-available/sql
- * with the new RADIUS password.
- *
- * WARNING: This example file is untested. Use at your own risk.
- * Please send any bug fixes to the mailing list.
- *
- * $Id: d20a82c9ccb94cc1ec609a761b6a8f44d30e48c3 $
- */
-
-/*
- * Create default administrator for RADIUS
- */
-CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radpass';
-
-GRANT SELECT ON radius.dhcpreply TO 'radius'@'localhost';
-GRANT SELECT ON radius.dhcpgroupreply TO 'radius'@'localhost';
-GRANT SELECT ON radius.dhcpgroup TO 'radius'@'localhost';
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/queries.conf
deleted file mode 100644
index b0f697f..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/queries.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# -*- text -*-
-#
-# dhcp/oracle/queries.conf -- Oracle configuration for DHCP schema (schema.sql)
-#
-# $Id: dd312d57575677b1d0c7abcdaf41c5b47d1d0f2b $
-
-#######################################################################
-# Query config: Identifier
-#######################################################################
-# This is the identifier that will get substituted, escaped, and added
-# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used
-# below everywhere an identifier substitution is needed so you you can
-# be sure the identifier passed from the client is escaped properly.
-#
-sql_user_name = "%{control:DHCP-SQL-Option-Identifier}"
-
-#######################################################################
-# Attribute Lookup Queries
-#######################################################################
-# These queries setup the reply items in ${dhcpreply_table} and
-# ${group_reply_query}. You can use any query/tables you want, but
-# the return data for each row MUST be in the following order:
-#
-# 0. Row ID (currently unused)
-# 1. Identifier
-# 2. Item Attr Name
-# 3. Item Attr Value
-# 4. Item Attr Operation
-#######################################################################
-
-authorize_reply_query = "\
- SELECT id, identifier, attribute, value, op \
- FROM ${dhcpreply_table} \
- WHERE identifier = '%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-authorize_group_reply_query = "\
- SELECT id, groupname, attribute, value, op \
- FROM ${groupreply_table} \
- WHERE groupname = '%{${group_attribute}}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-group_membership_query = "\
- SELECT groupname \
- FROM ${dhcpgroup_table} \
- WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY priority"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/schema.sql
deleted file mode 100644
index 9f4c521..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/oracle/schema.sql
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * $Id: 085e3463745b000fe9feca0466c591dfa5c1fb59 $
- *
- * Oracle schema for DHCP for FreeRADIUS
- *
- */
-
-/*
- * Table structure for table 'dhcpgroupreply'
- */
-CREATE TABLE dhcpgroupreply (
- id INT PRIMARY KEY,
- groupname VARCHAR(64) NOT NULL,
- attribute VARCHAR(64) NOT NULL,
- op CHAR(2) NOT NULL,
- value VARCHAR(253) NOT NULL,
- context VARCHAR(16) NOT NULL
-);
-CREATE INDEX dhcpgroupreply_idx1 ON dhcpgroupreply(context,groupname);
-CREATE SEQUENCE dhcpgroupreply_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER dhcpgroupreply_serialnumber
- BEFORE INSERT OR UPDATE OF id ON dhcpgroupreply
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT dhcpgroupreply_seq.nextval into :new.id from dual;
- end if;
- END;
-/
-
-/*
- * Table structure for table 'dhcpreply'
- */
-CREATE TABLE dhcpreply (
- id INT PRIMARY KEY,
- identifier VARCHAR(253) NOT NULL,
- attribute VARCHAR(64) NOT NULL,
- op CHAR(2) NOT NULL,
- value VARCHAR(253) NOT NULL,
- context VARCHAR(16) NOT NULL
-);
-CREATE INDEX dhcpreply_idx1 ON dhcpreply(context,identifier);
-CREATE SEQUENCE dhcpreply_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER dhcpreply_serialnumber
- BEFORE INSERT OR UPDATE OF id ON dhcpreply
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT dhcpreply_seq.nextval into :new.id from dual;
- end if;
- END;
-/
-
-/*
- * Table structure for table 'dhcpgroup'
- */
-CREATE TABLE dhcpgroup (
- id INT PRIMARY KEY,
- identifier VARCHAR(253) NOT NULL,
- groupname VARCHAR(64) NOT NULL,
- priority INT NOT NULL,
- context VARCHAR(16) NOT NULL
-);
-CREATE INDEX dhcpgroup_idx1 ON dhcpgroup(context,identifier);
-CREATE SEQUENCE dhcpgroup_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER dhcpgroup_serialnumber
- BEFORE INSERT OR UPDATE OF id ON dhcpgroup
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT dhcpgroup_seq.nextval into :new.id from dual;
- end if;
- END;
-/
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/queries.conf
deleted file mode 100644
index 245ded3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/queries.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-# -*- text -*-
-#
-# dhcp/postgresql/queries.conf -- PostgreSQL configuration for DHCP schema (schema.sql)
-#
-# $Id: 14ca79a2432c60e658df0334963c42caadbc361c $
-
-# Use the driver specific SQL escape method.
-#
-# If you enable this configuration item, the "safe_characters"
-# configuration is ignored. FreeRADIUS then uses the PostgreSQL escape
-# functions to escape input strings. The only downside to making this
-# change is that the PostgreSQL escaping method is not the same the one
-# used by FreeRADIUS. So characters which are NOT in the
-# "safe_characters" list will now be stored differently in the database.
-#
-#auto_escape = yes
-
-# Safe characters list for sql queries. Everything else is replaced
-# with their mime-encoded equivalents.
-# The default list should be ok
-# Using 'auto_escape' is preferred
-# safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
-
-#######################################################################
-# Query config: Identifier
-#######################################################################
-# This is the identifier that will get substituted, escaped, and added
-# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used
-# below everywhere an identifier substitution is needed so you you can
-# be sure the identifier passed from the client is escaped properly.
-#
-sql_user_name = "%{control:DHCP-SQL-Option-Identifier}"
-
-#######################################################################
-# Open Query
-#######################################################################
-# This query is run whenever a new connection is opened.
-# It is commented out by default.
-#
-# If you have issues with connections hanging for too long, uncomment
-# the next line, and set the timeout in milliseconds. As a general
-# rule, if the queries take longer than a second, something is wrong
-# with the database.
-#open_query = "set statement_timeout to 1000"
-
-#######################################################################
-# Attribute Lookup Queries
-#######################################################################
-# These queries setup the reply items in ${dhcpreply_table} and
-# ${group_reply_query}. You can use any query/tables you want, but
-# the return data for each row MUST be in the following order:
-#
-# 0. Row ID (currently unused)
-# 1. Identifier
-# 2. Item Attr Name
-# 3. Item Attr Value
-# 4. Item Attr Operation
-#######################################################################
-
-authorize_reply_query = "\
- SELECT id, Identifier, Attribute, Value, Op \
- FROM ${dhcpreply_table} \
- WHERE Identifier = '%{SQL-User-Name}' AND Context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-authorize_group_reply_query = "\
- SELECT id, GroupName, Attribute, Value, op \
- FROM ${groupreply_table} \
- WHERE GroupName = '%{${group_attribute}}' AND Context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-group_membership_query = "\
- SELECT GroupName \
- FROM ${dhcpgroup_table} \
- WHERE Identifier='%{SQL-User-Name}' AND Context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY priority"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/schema.sql
deleted file mode 100644
index 235df30..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/schema.sql
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * $Id: 0d1727fd96c982ecbda5355361ccd7c30a4c1948 $
- *
- * PostgreSQL schema for DHCP for FreeRADIUS
- *
- */
-
-/*
- * Table structure for table 'dhcpgroupreply'
- */
-CREATE TABLE IF NOT EXISTS dhcpgroupreply (
- id serial PRIMARY KEY,
- GroupName text NOT NULL DEFAULT '',
- Attribute text NOT NULL DEFAULT '',
- op VARCHAR(2) NOT NULL DEFAULT '=',
- Value text NOT NULL DEFAULT '',
- Context text NOT NULL DEFAULT ''
-);
-CREATE INDEX dhcpgroupreply_GroupName ON dhcpgroupreply (Context,GroupName,Attribute);
-
-/*
- * Table structure for table 'dhcpreply'
- */
-CREATE TABLE IF NOT EXISTS dhcpreply (
- id serial PRIMARY KEY,
- Identifier text NOT NULL DEFAULT '',
- Attribute text NOT NULL DEFAULT '',
- op VARCHAR(2) NOT NULL DEFAULT '=',
- Value text NOT NULL DEFAULT '',
- Context text NOT NULL DEFAULT ''
-);
-CREATE INDEX dhcpreply_Identifier ON dhcpreply (Context,Identifier,Attribute);
-
-/*
- * Table structure for table 'dhcpgroup'
- */
-CREATE TABLE IF NOT EXISTS dhcpgroup (
- id serial PRIMARY KEY,
- Identifier text NOT NULL DEFAULT '',
- GroupName text NOT NULL DEFAULT '',
- Priority integer NOT NULL DEFAULT 0,
- Context text NOT NULL DEFAULT ''
-);
-CREATE INDEX dhcpgroup_Identifier ON dhcpgroup (Context,Identifier);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/setup.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/setup.sql
deleted file mode 100644
index c106b02..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/postgresql/setup.sql
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * admin.sql -- PostgreSQL commands for creating the RADIUS user.
- *
- * WARNING: You should change 'localhost' and 'radpass'
- * to something else. Also update raddb/mods-available/sql
- * with the new RADIUS password.
- *
- * WARNING: This example file is untested. Use at your own risk.
- * Please send any bug fixes to the mailing list.
- *
- * $Id: 884aa5a5ede1cdc37c55c7d06d52410b3826e135 $
- */
-
-/*
- * Create default administrator for RADIUS
- */
-CREATE USER radius WITH PASSWORD 'radpass';
-
-/*
- * The server can read any table in SQL
- */
-GRANT SELECT ON dhcpreply TO radius;
-GRANT SELECT ON dhcpgroupreply TO radius;
-GRANT SELECT ON dhcpgroup TO radius;
-
-GRANT USAGE, SELECT ON SEQUENCE dhcpgroupreply_id_seq TO radius;
-GRANT USAGE, SELECT ON SEQUENCE dhcpreply_id_seq TO radius;
-GRANT USAGE, SELECT ON SEQUENCE dhcpgroup_id_seq TO radius;
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/queries.conf
deleted file mode 100644
index a68827d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/queries.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# -*- text -*-
-#
-# dhcp/sqlite/queries.conf -- SQLite configuration for DHCP schema (schema.sql)
-#
-# $Id: 0cc720220d237d98934dd23173ccb4e09bd0cb01 $
-
-# Safe characters list for sql queries. Everything else is replaced
-# with their mime-encoded equivalents.
-# The default list should be ok
-# safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
-
-#######################################################################
-# Query config: Identifier
-#######################################################################
-# This is the identifier that will get substituted, escaped, and added
-# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used
-# below everywhere an identifier substitution is needed so you you can
-# be sure the identifier passed from the client is escaped properly.
-#
-sql_user_name = "%{control:DHCP-SQL-Option-Identifier}"
-
-#######################################################################
-# Attribute Lookup Queries
-#######################################################################
-# These queries setup the reply items in ${dhcpreply_table} and
-# ${group_reply_query}. You can use any query/tables you want, but
-# the return data for each row MUST be in the following order:
-#
-# 0. Row ID (currently unused)
-# 1. Identifier
-# 2. Item Attr Name
-# 3. Item Attr Value
-# 4. Item Attr Operation
-#######################################################################
-
-authorize_reply_query = "\
- SELECT id, identifier, attribute, value, op \
- FROM ${dhcpreply_table} \
- WHERE identifier = '%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-authorize_group_reply_query = "\
- SELECT id, groupname, attribute, value, op \
- FROM ${groupreply_table} \
- WHERE groupname = '%{${group_attribute}}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY id"
-
-group_membership_query = "\
- SELECT groupname \
- FROM ${dhcpgroup_table} \
- WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
- ORDER BY priority"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/schema.sql
deleted file mode 100644
index fdbc326..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/dhcp/sqlite/schema.sql
+++ /dev/null
@@ -1,46 +0,0 @@ ------------------------------------------------------------------------------ --- $Id: 54a9abbf01d4161cadb304cdd3755856c6f15442 $ ␉···· -- --- -- --- schema.sql rlm_sql - FreeRADIUS SQLite Module -- --- -- --- Database schema for SQLite rlm_sql module for DHCP -- --- -- ------------------------------------------------------------------------------ - --- --- Table structure for table 'dhcpgroupreply' --- -CREATE TABLE IF NOT EXISTS dhcpgroupreply ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '', - context varchar(16) NOT NULL default '' -); -CREATE INDEX dhcpgroupreply_groupname ON dhcpgroupreply(context,groupname); - --- --- Table structure for table 'dhcpreply' --- -CREATE TABLE IF NOT EXISTS dhcpreply ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - identifier varchar(253) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '', - context varchar(16) NOT NULL default '' -); -CREATE INDEX dhcpreply_identifier ON dhcpreply(context,identifier); - --- --- Table structure for table 'dhcpgroup' --- -CREATE TABLE IF NOT EXISTS dhcpgroup ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - identifier varchar(253) NOT NULL default '', - groupname varchar(64) NOT NULL default '', - priority int(11) NOT NULL default '1', - context varchar(16) NOT NULL default '' -); -CREATE INDEX dhcpgroup_identifier ON dhcpgroup(context,identifier); diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql deleted file mode 100644 index 4cfbe1c..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql +++ /dev/null 
@@ -1,159 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- BEGIN TRAN; "SELECT FOR UPDATE"; UPDATE; COMMIT TRAN; -> EXEC sp --- --- The stored procedure is executed on an database instance within a single --- round trip which often leads to reduced deadlocking and significant --- performance improvements especially on multi-master clusters, perhaps even --- by an order of magnitude or more. --- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- EXEC fr_dhcp_allocate_previous_or_new_framedipaddress \ --- @v_pool_name = '%{control:${pool_name}}', \ --- @v_gateway = '%{DHCP-Gateway-IP-Address}', \ --- @v_pool_key = '${pool_key}', \ --- @v_lease_duration = ${lease_duration}, \ --- @v_requested_address = '%{%{${req_attribute_name}}:-0.0.0.0}' \ --- " --- allocate_update = "" --- allocate_commit = "" --- - -CREATE OR ALTER PROCEDURE fr_dhcp_allocate_previous_or_new_framedipaddress - @v_pool_name VARCHAR(64), - @v_gateway VARCHAR(15), - @v_pool_key VARCHAR(64), - @v_lease_duration INT, - @v_requested_address VARCHAR(15) -AS - BEGIN - - -- MS SQL lacks a "SELECT FOR UPDATE" statement, and its table - -- hints do not provide a direct means to implement the row-level - -- read lock needed to guarentee that concurrent queries do not - -- select the same Framed-IP-Address for allocation to distinct - -- users. - -- - -- The "WITH cte AS ( SELECT ... ) UPDATE cte ... OUTPUT INTO" - -- patterns in this procedure body compensate by wrapping - -- the SELECT in a synthetic UPDATE which locks the row. 
- - DECLARE @r_address_tab TABLE(id VARCHAR(15)); - DECLARE @r_address VARCHAR(15); - - BEGIN TRAN; - - -- Reissue an existing IP address lease when re-authenticating a session - -- - WITH cte AS ( - SELECT TOP(1) FramedIPAddress - FROM dhcpippool WITH (rowlock, readpast) - JOIN dhcpstatus - ON dhcpstatus.status_id = dhcpippool.status_id - WHERE pool_name = @v_pool_name - AND expiry_time > CURRENT_TIMESTAMP - AND pool_key = @v_pool_key - AND dhcpstatus.status IN ('dynamic', 'static') - ) - UPDATE cte - SET FramedIPAddress = FramedIPAddress - OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab; - SELECT @r_address = id FROM @r_address_tab; - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. - -- - -- WITH cte AS ( - -- SELECT TOP(1) FramedIPAddress - -- FROM dhcpippool WITH (rowlock, readpast) - -- JOIN dhcpstatus - -- ON dhcpstatus.status_id = dhcpippool.status_id - -- WHERE pool_name = @v_pool_name - -- AND pool_key = @v_pool_key - -- AND dhcpstatus.status IN ('dynamic', 'static') - -- ) - -- UPDATE cte - -- SET FramedIPAddress = FramedIPAddress - -- OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab; - -- SELECT @r_address = id FROM @r_address_tab; - - -- Issue the requested IP address if it is available - -- - IF @r_address IS NULL AND @v_requested_address <> '0.0.0.0' - BEGIN - WITH cte AS ( - SELECT TOP(1) FramedIPAddress - FROM dhcpippool WITH (rowlock, readpast) - JOIN dhcpstatus - ON dhcpstatus.status_id = dhcpippool.status_id - WHERE pool_name = @v_pool_name - AND framedipaddress = @v_requested_address - AND dhcpstatus.status = 'dynamic' - AND ( pool_key = @v_pool_name OR expiry_time < CURRENT_TIMESTAMP ) - ) - UPDATE cte - SET FramedIPAddress = FramedIPAddress - OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab; - 
SELECT @r_address = id FROM @r_address_tab; - END - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - IF @r_address IS NULL - BEGIN - WITH cte AS ( - SELECT TOP(1) FramedIPAddress - FROM dhcpippool WITH (rowlock, readpast) - JOIN dhcpstatus - ON dhcpstatus.status_id = dhcpippool.status_id - WHERE pool_name = @v_pool_name - AND expiry_time < CURRENT_TIMESTAMP - AND dhcpstatus.status = 'dynamic' - ORDER BY - expiry_time - ) - UPDATE cte - SET FramedIPAddress = FramedIPAddress - OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab; - SELECT @r_address = id FROM @r_address_tab; - END - - -- Return nothing if we failed to allocated an address - -- - IF @r_address IS NULL - BEGIN - COMMIT TRAN; - RETURN; - END - - -- Update the pool having allocated an IP address - -- - UPDATE dhcpippool - SET - gateway = @v_gateway, - pool_key = @v_pool_key, - expiry_time = DATEADD(SECOND,@v_lease_duration,CURRENT_TIMESTAMP) - WHERE framedipaddress = @r_address; - - COMMIT TRAN; - - -- Return the address that we allocated - SELECT @r_address; - - END -GO diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf deleted file mode 100644 index 9d301f4..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf +++ /dev/null 
@@ -1,257 +0,0 @@ -# -*- text -*- -# -# ippool-dhcp/mssql/queries.conf -- MSSQL queries for rlm_sqlippool -# -# $Id: c919e2d34a66f0c5c9b407f54739c59af902ddc0 $ - -# ***************** -# * DHCP DISCOVER * -# ***************** - -# -# This series of queries allocates an IP address -# - -# -# MSSQL-specific syntax - required if finding the address and updating -# it are separate queries -# -#allocate_begin = "BEGIN TRAN" -#allocate_commit = "COMMIT TRAN" - -allocate_begin = "" -allocate_commit = "" - -# -# Attempt to find the most recent existing IP address for the client -# -allocate_existing = "\ - WITH cte AS ( \ - SELECT TOP(1) framedipaddress, expiry_time, gateway \ - FROM ${ippool_table} WITH (xlock rowlock readpast) \ - JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND dhcpstatus.status IN ('dynamic', 'static') \ - ORDER BY expiry_time DESC \ - ) \ - UPDATE cte \ - SET expiry_time = DATEADD(SECOND,${offer_duration},CURRENT_TIMESTAMP), \ - gateway = '%{DHCP-Gateway-IP-Address}' \ - OUTPUT INSERTED.FramedIPAddress \ - FROM ${ippool_table}" - -# -# Determine whether the requested IP address is available -# -allocate_requested = "\ - WITH cte AS ( \ - SELECT TOP(1) framedipaddress, expiry_time, gateway \ - FROM ${ippool_table} WITH (xlock rowlock readpast) \ - JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ - AND dhcpstatus.status = 'dynamic' \ - AND expiry_time < CURRENT_TIMESTAMP \ - ) \ - UPDATE cte \ - SET expiry_time = DATEADD(SECOND,${offer_duration},CURRENT_TIMESTAMP), \ - gateway = '%{DHCP-Gateway-IP-Address}', \ - pool_key = '${pool_key}' \ - OUTPUT INSERTED.FramedIPAddress \ - FROM ${ippool_table}" - -# -# If the existing address can't be found this query will be run to -# find a free address -# -allocate_find = "\ - 
WITH cte AS ( \ - SELECT TOP(1) framedipaddress, expiry_time, gateway, pool_key \ - FROM ${ippool_table} WITH (xlock rowlock readpast) \ - JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND expiry_time < CURRENT_TIMESTAMP \ - AND dhcpstatus.status = 'dynamic' \ - ORDER BY expiry_time \ - ) \ - UPDATE cte \ - SET expiry_time = DATEADD(SECOND,${offer_duration},CURRENT_TIMESTAMP), \ - gateway = '%{DHCP-Gateway-IP-Address}', \ - pool_key = '${pool_key}' \ - OUTPUT INSERTED.FramedIPAddress \ - FROM ${ippool_table}" - -# -# Alternatively attempt all in one, more complex, query -# -# The ORDER BY clause of this query tries to allocate the same IP-address -# which user had last session. Ensure that pool_key is unique to the user -# within a given pool. -# -#allocate_find = "\ -# UPDATE TOP(1) ${ippool_table} \ -# SET FramedIPAddress = FramedIPAddress, \ -# pool_key = '${pool_key}', \ -# expiry_time = DATEADD(SECOND,${offer_duration},CURRENT_TIMESTAMP), \ -# GatewayIPAddress = '%{DHCP-Gateway-IP-Address}' \ -# OUTPUT INSERTED.FramedIPAddress \ -# FROM ${ippool_table} \ -# WHERE ${ippool_table}.id IN ( \ -# SELECT TOP (1) id FROM ( \ -# (SELECT TOP(1) id, 1 AS o FROM ${ippool_table} WITH (xlock rowlock readpast) \ -# JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND pool_key = '${pool_key}' \ -# AND dhcpstatus.status IN ('dynamic', 'static')) \ -# UNION \ -# (SELECT TOP(1) id, 2 AS o FROM ${ippool_table} WITH (xlock rowlock readpast) \ -# JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# AND dhcpstatus.status = 'dynamic' \ -# AND ( pool_key = '%{pool_key}' OR expiry_time < CURRENT_TIMESTAMP )) \ -# UNION \ -# (SELECT TOP(1) id, 3 AS o FROM ${ippool_table} WITH (xlock rowlock readpast) \ -# 
JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < CURRENT_TIMESTAMP \ -# AND dhcpstatus.status = 'dynamic' \ -# ORDER BY expiry_time) \ -# ) AS q ORDER BY q.o \ -# )" - -# -# If you prefer to allocate a random IP address every time, use this query instead. -# Note: This is very slow if you have a lot of free IPs. -# -#allocate_find = "\ -# WITH cte AS ( \ -# SELECT TOP(1) FramedIPAddress FROM ${ippool_table} \ -# JOIN dhcpstatus ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < CURRENT_TIMESTAMP \ -# AND dhcpstatus.status = 'dynamic' \ -# ORDER BY \ -# newid() \ -# ) \ -# UPDATE cte WITH (rowlock, readpast) \ -# SET FramedIPAddress = FramedIPAddress \ -# OUTPUT INSERTED.FramedIPAddress" - -# -# If an IP could not be allocated, check to see if the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be -# commented out to save running this query every time an ip is not allocated. -# -pool_check = "\ - SELECT TOP(1) id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}'" - -# -# This is the final IP Allocation query, which saves the allocated ip details. -# Only needed if the initial "find" query is not storing the allocation. -# -#allocate_update = "\ -# UPDATE ${ippool_table} \ -# SET \ -# gateway = '%{DHCP-Gateway-IP-Address}', pool_key = '${pool_key}', \ -# expiry_time = DATEADD(SECOND,${offer_duration},CURRENT_TIMESTAMP) \ -# WHERE FramedIPAddress = '%I'" - -# -# Use a stored procedure to find AND allocate the address. Read and customise -# `procedure.sql` in this directory to determine the optimal configuration. 
-# -#allocate_begin = "" -#allocate_find = "\ -# EXEC fr_dhcp_allocate_previous_or_new_framedipaddress \ -# @v_pool_name = '%{control:${pool_name}}', \ -# @v_gateway = '%{DHCP-Gateway-IP-Address}', \ -# @v_pool_key = '${pool_key}', \ -# @v_lease_duration = ${offer_duration}, \ -# @v_requested_address = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# " -#allocate_update = "" -#allocate_commit = "" - - -# **************** -# * DHCP REQUEST * -# **************** - -# -# This query revokes any active offers for addresses that a client is not -# requesting when a DHCP REQUEST packet arrives -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '', \ - expiry_time = CURRENT_TIMESTAMP \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \ - AND expiry_time > CURRENT_TIMESTAMP \ - AND ${ippool_table}.status_id IN \ - (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" - -# -# This query extends an existing lease (or offer) when a DHCP REQUEST packet -# arrives. This query must update a row when a lease is succesfully requested -# - queries that update no rows will result in a "notfound" response to -# the module which by default will give a DHCP-NAK reply. In this example -# incrementing "counter" is used to achieve this. 
-# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP), \ - counter = counter + 1 \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'" - - -# **************** -# * DHCP RELEASE * -# **************** - -# -# This query frees an IP address when a DHCP RELEASE packet arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '', \ - expiry_time = CURRENT_TIMESTAMP \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND FramedIPAddress = '%{DHCP-Client-IP-Address}' \ - AND ${ippool_table}.status_id IN \ - (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" - -# -# This query is not applicable to DHCP -# -on_clear = "" - - -# **************** -# * DHCP DECLINE * -# **************** - -# -# This query marks an IP address as declined when a DHCP Decline -# packet arrives -# -off_clear = "\ - UPDATE ${ippool_table} \ - SET status_id = (SELECT status_id FROM dhcpstatus WHERE status = 'declined') \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Requested-IP-Address}'" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql deleted file mode 100644 index dae4eff..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql +++ /dev/null 
@@ -1,40 +0,0 @@ --- --- Table structure for table 'dhcpippool' --- --- See also "procedure.sql" in this directory for --- a stored procedure that gives much faster response. --- - -CREATE TABLE dhcpstatus ( - status_id int NOT NULL, - status varchar(10) NOT NULL, - PRIMARY KEY (status_id) -) -GO - -INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic'), (2, 'static'), (3, 'declined'), (4, 'disabled') -GO - -CREATE TABLE dhcpippool ( - id int IDENTITY (1,1) NOT NULL, - pool_name varchar(30) NOT NULL, - FramedIPAddress varchar(15) NOT NULL default '', - pool_key varchar(30) NOT NULL default '', - gateway varchar(15) NOT NULL default '', - expiry_time DATETIME NOT NULL default CURRENT_TIMESTAMP, - status_id int NOT NULL default 1, - counter int NOT NULL default 0, - CONSTRAINT fk_status_id FOREIGN KEY (status_id) REFERENCES dhcpstatus (status_id), - PRIMARY KEY (id) -) -GO - -CREATE INDEX dhcp_poolname_expire ON dhcpippool(pool_name, expiry_time) -GO - -CREATE INDEX dhcp_FramedIPAddress ON dhcpippool(FramedIPAddress) -GO - -CREATE INDEX dhcp_poolname_poolkey_FramedIPAddress ON dhcpippool(pool_name, pool_key, FramedIPAddress) -GO - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql deleted file mode 100644 index bee37de..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql +++ /dev/null 
@@ -1,160 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- NOTE: This version of the SP is intended for MySQL variants that do not --- support the SKIP LOCKED pragma, i.e. MariaDB and versions of MySQL --- prior to 8.0. It should be a lot faster than using the default SP --- without the SKIP LOCKED pragma under highly concurrent workloads --- and not result in thread starvation. --- --- It is however a *useful hack* which should not be used if SKIP --- LOCKED is available. --- --- WARNING: This query uses server-local, "user locks" (GET_LOCK and --- RELEASE_LOCK), without the need for a transaction, to emulate --- row locking with locked-row skipping. User locks are not --- supported on clusters such as Galera and MaxScale. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- START TRANSACTION; SELECT FOR UPDATE; UPDATE; COMMIT; -> CALL sp() --- --- The stored procedure is executed within a single round trip which often --- leads to reduced deadlocking and significant performance improvements. 
--- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- CALL fr_dhcp_allocate_previous_or_new_framedipaddress( \ --- '%{control:${pool_name}}', \ --- '%{DHCP-Gateway-IP-Address}', \ --- '${pool_key}', \ --- ${lease_duration}, \ --- '%{%{${req_attribute_name}}:-0.0.0.0}' \ --- )" --- allocate_update = "" --- allocate_commit = "" --- - -DELIMITER $$ - -DROP PROCEDURE IF EXISTS fr_dhcp_allocate_previous_or_new_framedipaddress; -CREATE PROCEDURE fr_allocate_previous_or_new_framedipaddress ( - IN v_pool_name VARCHAR(64), - IN v_gateway VARCHAR(15), - IN v_pool_key VARCHAR(64), - IN v_lease_duration INT, - IN v_requested_address VARCHAR(15) -) -SQL SECURITY INVOKER -proc:BEGIN - DECLARE r_address VARCHAR(15); - - -- Reissue an existing IP address lease when re-authenticating a session - -- - -- Note: In this query we get away without the need for FOR UPDATE - -- becase: - -- - -- (a) Each existing lease only belongs to a single device, so - -- no two devices will be racing over a single address. - -- (b) The set of existing leases (not yet expired) are - -- disjoint from the set of free leases, so not subject to - -- reallocation. - -- - SELECT framedipaddress INTO r_address - FROM dhcpippool - WHERE pool_name = v_pool_name - AND expiry_time > NOW() - AND pool_key = v_pool_key - AND `status` IN ('dynamic', 'static') - LIMIT 1; - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. 
- -- - -- SELECT framedipaddress INTO r_address - -- FROM dhcpippool - -- WHERE pool_name = v_pool_name - -- AND pool_key = v_pool_key - -- AND `status` IN ('dynamic', 'static') - -- LIMIT 1; - - -- - -- Normally here we would honour an IP address hint if the IP were - -- available, however we cannot do that without taking a lock which - -- defeats the purpose of this version of the stored procedure. - -- - -- It you need to honour an IP address hint then use a database with - -- support for SKIP LOCKED and use the normal stored procedure. - -- - - IF r_address IS NOT NULL THEN - UPDATE dhcpippool - SET - gateway = v_gateway, - pool_key = v_pool_key, - expiry_time = NOW() + INTERVAL v_lease_duration SECOND - WHERE - framedipaddress = r_address; - SELECT r_address; - LEAVE proc; - END IF; - - REPEAT - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - SELECT framedipaddress INTO r_address - FROM dhcpippool - WHERE pool_name = v_pool_name - AND expiry_time < NOW() - AND `status` = 'dynamic' - -- - -- WHERE ... GET_LOCK(...,0) = 1 is a poor man's SKIP LOCKED that simulates - -- a row-level lock using a "user lock" that allows the locked "rows" to be - -- skipped. After the user lock is acquired and the SELECT retired it does - -- not mean that the entirety of the WHERE clause is still true: Another - -- thread may have updated the expiry time and released the lock after we - -- checked the expiry_time but before we acquired the lock since SQL is free - -- to reorder the WHERE condition. Therefore we must recheck the condition - -- in the UPDATE statement below to detect this race. 
- -- - AND GET_LOCK(CONCAT('dhcpippool_', framedipaddress), 0) = 1 - LIMIT 1; - - IF r_address IS NULL THEN - DO RELEASE_LOCK(CONCAT('dhcpippool_', r_address)); - LEAVE proc; - END IF; - - UPDATE dhcpippool - SET - gateway = v_gateway, - pool_key = v_pool_key, - expiry_time = NOW() + INTERVAL v_lease_duration SECOND - WHERE - framedipaddress = r_address - -- - -- Here we re-evaluate the original condition for selecting the address - -- to detect a race, in which case we try again... - -- - AND expiry_time 0 END REPEAT; - - DO RELEASE_LOCK(CONCAT('dhcpippool_', r_address)); - SELECT r_address; - -END$$ - -DELIMITER ; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql deleted file mode 100644 index b5dfae0..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql +++ /dev/null 
@@ -1,144 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- START TRANSACTION; SELECT FOR UPDATE; UPDATE; COMMIT; -> CALL sp() --- --- The stored procedure is executed on an database instance within a single --- round trip which often leads to reduced deadlocking and significant --- performance improvements especially on multi-master clusters, perhaps even --- by an order of magnitude or more. --- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- CALL fr_dhcp_allocate_previous_or_new_framedipaddress( \ --- '%{control:${pool_name}}', \ --- '%{DHCP-Gateway-IP-Address}', \ --- '${pool_key}', \ --- ${lease_duration}, \ --- '%{%{${req_attribute_name}}:-0.0.0.0}' \ --- )" --- allocate_update = "" --- allocate_commit = "" --- - -DELIMITER $$ - -DROP PROCEDURE IF EXISTS fr_dhcp_allocate_previous_or_new_framedipaddress; -CREATE PROCEDURE fr_dhcp_allocate_previous_or_new_framedipaddress ( - IN v_pool_name VARCHAR(30), - IN v_gateway VARCHAR(15), - IN v_pool_key VARCHAR(30), - IN v_lease_duration INT, - IN v_requested_address VARCHAR(15) -) -SQL SECURITY INVOKER -proc:BEGIN - DECLARE r_address VARCHAR(15); - - DECLARE EXIT HANDLER FOR SQLEXCEPTION - BEGIN - ROLLBACK; - RESIGNAL; - END; - - SET TRANSACTION ISOLATION LEVEL READ COMMITTED; - - START TRANSACTION; - - -- Reissue an existing IP address lease when re-authenticating a session - -- - SELECT framedipaddress INTO r_address - FROM dhcpippool - WHERE pool_name = v_pool_name - AND expiry_time > NOW() - AND pool_key = v_pool_key - AND `status` IN ('dynamic', 'static') - LIMIT 1 - FOR UPDATE; --- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support - - -- NOTE: You should enable SKIP LOCKED here (as well as any other - -- instances) if your 
database server supports it. If it is not - -- supported and you are not running a multi-master cluster (e.g. - -- Galera or MaxScale) then you should instead consider using the - -- SP in procedure-no-skip-locked.sql which will be faster and - -- less likely to result in thread starvation under highly - -- concurrent load. - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. - -- - -- SELECT framedipaddress INTO r_address - -- FROM dhcpippool - -- WHERE pool_name = v_pool_name - -- AND pool_key = v_pool_key - -- AND `status` IN ('dynamic', 'static') - -- LIMIT 1 - -- FOR UPDATE; - -- -- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support - - -- Issue the requested IP address if it is available - -- - IF r_address IS NULL AND v_requested_address <> '0.0.0.0' THEN - SELECT framedipaddress INTO r_address - FROM dhcpippool - WHERE pool_name = v_pool_name - AND framedipaddress = v_requested_address - AND `status` = 'dynamic' - AND ( pool_key = v_pool_key OR expiry_time < NOW() ) - FOR UPDATE; --- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support - END IF; - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - IF r_address IS NULL THEN - SELECT framedipaddress INTO r_address - FROM dhcpippool - WHERE pool_name = v_pool_name - AND expiry_time < NOW() - AND `status` = 'dynamic' - ORDER BY - expiry_time - LIMIT 1 - FOR UPDATE; --- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support - END IF; - - -- Return nothing if we failed to allocated an address - -- - IF r_address IS NULL THEN - COMMIT; - LEAVE proc; - END IF; - - -- Update the pool 
having allocated an IP address - -- - UPDATE dhcpippool - SET - gateway = v_gateway, - pool_key = v_pool_key, - expiry_time = NOW() + INTERVAL v_lease_duration SECOND - WHERE framedipaddress = r_address; - - COMMIT; - - -- Return the address that we allocated - SELECT r_address; - -END$$ - -DELIMITER ; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf deleted file mode 100644 index 827b412..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf +++ /dev/null 
@@ -1,221 +0,0 @@ -# -*- text -*- -# -# ippool-dhcp/mysql/queries.conf -- MySQL queries for rlm_sqlippool -# -# $Id: 6aaecb1b2075f32ca9eacd32872f6c771885030a $ - -# ***************** -# * DHCP DISCOVER * -# ***************** - -# -# This series of queries allocates an IP address - -# If using MySQL < 8.0.1 then remove SKIP LOCKED -# -# Attempt to find the most recent existing IP address for the client -# -allocate_existing = "\ - SELECT framedipaddress FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND `status` IN ('dynamic', 'static') \ - ORDER BY expiry_time DESC LIMIT 1 FOR UPDATE SKIP LOCKED" - -# -# Determine whether the requested IP address is available -# -allocate_requested = "\ - SELECT framedipaddress FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ - AND `status` = 'dynamic' \ - AND expiry_time < NOW() \ - FOR UPDATE SKIP LOCKED" - -# -# If the existing address can't be found this query will be run to -# find a free address -# -allocate_find = "\ - SELECT framedipaddress FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND expiry_time < NOW() \ - AND `status` = 'dynamic' \ - ORDER BY expiry_time LIMIT 1 FOR UPDATE SKIP LOCKED" - -# -# The ORDER BY clause of this query tries to allocate the same IP-address -# which the user last had. Ensure that pool_key is unique to the user -# within a given pool. -# - -# -# Alternatively do the operations in one query. 
Depending on transaction -# isolation mode, this can cause deadlocks -# -#allocate_find = "\ -# (SELECT framedipaddress, 1 AS o FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND pool_key = '${pool_key}' \ -# AND `status` IN ('dynamic', 'static') \ -# ORDER BY expiry_time DESC LIMIT 1 FOR UPDATE SKIP LOCKED \ -# ) UNION ( \ -# SELECT framedipaddress, 2 AS o FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# AND `status` = 'dynamic' \ -# AND ( pool_key = '${pool_key}' OR expiry_time < NOW() ) \ -# FOR UPDATE SKIP LOCKED \ -# ) UNION ( \ -# SELECT framedipaddress, 3 AS o FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < NOW() \ -# AND `status` = 'dynamic' \ -# ORDER BY expiry_time LIMIT 1 FOR UPDATE SKIP LOCKED \ -# ) ORDER BY o \ -# LIMIT 1" - -# -# If you prefer to allocate a random IP address every time, use this query instead. -# Note: This is very slow if you have a lot of free IPs. -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < NOW() \ -# AND `status` = 'dynamic' \ -# ORDER BY \ -# RAND() \ -# LIMIT 1 \ -# FOR UPDATE" - -# -# The above query again, but with SKIP LOCKED. This requires MySQL >= 8.0.1, -# and InnoDB. -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < NOW() \ -# AND `status` = 'dynamic' \ -# ORDER BY \ -# RAND() \ -# LIMIT 1 \ -# FOR UPDATE SKIP LOCKED" - -# -# If an IP could not be allocated, check to see if the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be -# commented out to save running this query every time an ip is not allocated. 
-# -pool_check = "\ - SELECT id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}' \ - LIMIT 1" - -# -# This is the final IP Allocation query, which saves the allocated ip details. -# -allocate_update = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '%{DHCP-Gateway-IP-Address}', pool_key = '${pool_key}', \ - expiry_time = NOW() + INTERVAL ${offer_duration} SECOND \ - WHERE framedipaddress = '%I'" - -# -# Use a stored procedure to find AND allocate the address. Read and customise -# `procedure.sql` in this directory to determine the optimal configuration. -# -#allocate_begin = "" -#allocate_find = "\ -# CALL fr_dhcp_allocate_previous_or_new_framedipaddress( \ -# '%{control:${pool_name}}', \ -# '%{DHCP-Gateway-IP-Address}', \ -# '${pool_key}', \ -# ${offer_duration}, \ -# '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# )" -#allocate_update = "" -#allocate_commit = "" - - -# **************** -# * DHCP REQUEST * -# **************** - -# -# This query revokes any active offers for addresses that a client is not -# requesting when a DHCP REQUEST packet arrives -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '', \ - expiry_time = NOW() \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \ - AND expiry_time > NOW() \ - AND `status` = 'dynamic'" - -# -# This query extends an existing lease (or offer) when a DHCP REQUEST packet -# arrives. This query must update a row when a lease is succesfully requested -# - queries that update no rows will result in a "notfound" response to -# the module which by default will give a DHCP-NAK reply. In this example -# incrementing "counter" is used to achieve this. 
-# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = NOW() + INTERVAL ${lease_duration} SECOND, \ - counter = counter + 1 \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'" - - -# **************** -# * DHCP RELEASE * -# **************** - -# -# This query frees an IP address when a DHCP RELEASE packet arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '', \ - expiry_time = NOW() \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Client-IP-Address}' \ - AND `status` = 'dynamic'" - - -# -# This query is not applicable to DHCP -# -on_clear = "" - - -# **************** -# * DHCP DECLINE * -# **************** - -# -# This query marks an IP address as declined when a DHCP Decline -# packet arrives -# -off_clear = "\ - UPDATE ${ippool_table} \ - SET status = 'declined' \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Requested-IP-Address}'" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql deleted file mode 100644 index d8b1219..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql +++ /dev/null 
@@ -1,21 +0,0 @@ --- --- Table structure for table 'dhcpippool' --- --- See also "procedure.sql" in this directory for a stored procedure --- that is much faster. --- - -CREATE TABLE dhcpippool ( - id int unsigned NOT NULL auto_increment, - pool_name varchar(30) NOT NULL, - framedipaddress varchar(15) NOT NULL default '', - pool_key varchar(30) NOT NULL default '', - gateway varchar(15) NOT NULL default '', - expiry_time DATETIME NOT NULL default NOW(), - `status` ENUM('dynamic', 'static', 'declined', 'disabled') DEFAULT 'dynamic', - counter int unsigned NOT NULL default 0, - PRIMARY KEY (id), - KEY dhcpippool_poolname_expire (pool_name, expiry_time), - KEY framedipaddress (framedipaddress), - KEY dhcpippool_poolname_poolkey_ipaddress (pool_name, pool_key, framedipaddress) -) ENGINE=InnoDB; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/procedure.sql deleted file mode 100644 index 84b4596..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/procedure.sql +++ /dev/null 
@@ -1,217 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- BEGIN; SELECT FOR UPDATE; UPDATE; COMMIT; -> SELECT sp() FROM dual --- --- The stored procedure is executed on an database instance within a single --- round trip which often leads to reduced deadlocking and significant --- performance improvements especially on multi-master clusters, perhaps even --- by an order of magnitude or more. --- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- SELECT fr_dhcp_allocate_previous_or_new_framedipaddress( \ --- '%{control:${pool_name}}', \ --- '%{DHCP-Gateway-IP-Address}', \ --- '${pool_key}', \ --- ${lease_duration}, \ --- '%{%{${req_attribute_name}}:-0.0.0.0}' \ --- ) FROM dual" --- allocate_update = "" --- allocate_commit = "" --- - -CREATE OR REPLACE FUNCTION fr_dhcp_allocate_previous_or_new_framedipaddress ( - v_pool_name IN VARCHAR2, - v_gateway IN VARCHAR2, - v_pool_key IN VARCHAR2, - v_lease_duration IN INTEGER, - v_requested_address IN VARCHAR2 -) -RETURN varchar2 IS - PRAGMA AUTONOMOUS_TRANSACTION; - r_address varchar2(15); -BEGIN - - -- Reissue an existing IP address lease when re-authenticating a session - -- - BEGIN - SELECT framedipaddress INTO r_address FROM dhcpippool WHERE id IN ( - SELECT id FROM ( - SELECT * - FROM dhcpippool - JOIN dhcpstatus - ON dhcpstatus.status_id = dhcpippool.status_id - WHERE pool_name = v_pool_name - AND expiry_time > current_timestamp - AND pool_key = v_pool_key - AND dhcpstatus.status IN ('dynamic', 'static') - ) WHERE ROWNUM <= 1 - ) FOR UPDATE SKIP LOCKED; - EXCEPTION - WHEN NO_DATA_FOUND THEN - r_address := NULL; - END; - - -- Oracle >= 12c version of the above query - -- - -- BEGIN - -- SELECT framedipaddress INTO r_address FROM dhcpippool WHERE id 
IN ( - -- SELECT id FROM dhcpippool - -- JOIN dhcpstatus - -- ON dhcpstatus.status_id = dhcpippool.status_id - -- WHERE pool_name = v_pool_name - -- AND expiry_time > current_timestamp - -- AND pool_key = v_pool_key - -- AND dhcpstatus.status IN ('dynamic', 'static') - -- FETCH FIRST 1 ROWS ONLY - -- ) FOR UPDATE SKIP LOCKED; - -- EXCEPTION - -- WHEN NO_DATA_FOUND THEN - -- r_address := NULL; - -- END; - - - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. - -- - -- BEGIN - -- SELECT framedipaddress INTO r_address FROM dhcpippool WHERE id IN ( - -- SELECT id FROM ( - -- SELECT * - -- FROM dhcpippool - -- JOIN dhcpstatus - -- ON dhcpstatus.status_id = dhcpippool.status_id - -- WHERE pool_name = v_pool_name - -- AND pool_key = v_pool_key - -- AND dhcpstatus.status IN ('dynamic', 'static') - -- ) WHERE ROWNUM <= 1 - -- ) FOR UPDATE SKIP LOCKED; - -- EXCEPTION - -- WHEN NO_DATA_FOUND THEN - -- r_address := NULL; - -- END; - - -- Oracle >= 12c version of the above query - -- - -- BEGIN - -- SELECT framedipaddress INTO r_address FROM dhcpippool WHERE id IN ( - -- SELECT id FROM dhcpippool - -- JOIN dhcpstatus - -- ON dhcpstatus.status_id = dhcpippool.status_id - -- WHERE pool_name = v_pool_name - -- AND pool_key = v_pool_key - -- AND dhcpstatus.status IN ('dynamic', 'static') - -- FETCH FIRST 1 ROWS ONLY - -- ) FOR UPDATE SKIP LOCKED; - -- EXCEPTION - -- WHEN NO_DATA_FOUND THEN - -- r_address := NULL; - -- END; - - - - -- Issue the requested IP address if it is available - -- - IF r_address IS NULL AND v_requested_address <> '0.0.0.0' THEN - BEGIN - SELECT framedipaddress INTO r_address FROM dhcpippool WHERE id IN ( - SELECT id FROM ( - SELECT * - FROM dhcpippool - JOIN dhcpstatus - ON dhcpstatus.status_id = dhcpippool.status_id - 
WHERE pool_name = v_pool_name - AND framedipaddress = v_requested_address - AND dhcpstatus.status = 'dynamic' - AND expiry_time < CURRENT_TIMESTAMP - ) WHERE ROWNUM <= 1 - ) FOR UPDATE SKIP LOCKED; - EXCEPTION - WHEN NO_DATA_FOUND THEN - r_address := NULL; - END; - END IF; - - -- Oracle >= 12c version of the above query - -- - -- IF r_address IS NULL AND v_requested_address <> '0.0.0.0' THEN - -- BEGIN - -- SELECT framedipaddress INTO r_address FROM dhcpippool WHERE id IN ( - -- SELECT id FROM dhcpippool - -- JOIN dhcpstatus - -- ON dhcpstatus.status_id = dhcpippool.status_id - -- WHERE pool_name = v_pool_name - -- AND framedipaddress = v_requested_address - -- AND dhcpstatus.status = 'dynamic' - -- AND expiry_time < CURRENT_TIMESTAMP - -- FETCH FIRST 1 ROWS ONLY - -- ) FOR UPDATE SKIP LOCKED; - -- EXCEPTION - -- WHEN NO_DATA_FOUND THEN - -- r_address := NULL; - -- END; - -- END IF; - - - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - IF r_address IS NULL THEN - DECLARE - l_cursor sys_refcursor; - BEGIN - OPEN l_cursor FOR - SELECT framedipaddress - FROM dhcpippool - JOIN dhcpstatus - ON dhcpstatus.status_id = dhcpippool.status_id - WHERE pool_name = v_pool_name - AND expiry_time < CURRENT_TIMESTAMP - AND dhcpstatus.status = 'dynamic' - ORDER BY expiry_time - FOR UPDATE SKIP LOCKED; - FETCH l_cursor INTO r_address; - CLOSE l_cursor; - EXCEPTION - WHEN NO_DATA_FOUND THEN - r_address := NULL; - END; - END IF; - - -- Return nothing if we failed to allocated an address - -- - IF r_address IS NULL THEN - COMMIT; - RETURN r_address; - END IF; - - -- Update the pool having allocated an IP address - -- - UPDATE dhcpippool - SET - gateway = v_gateway, - pool_key = v_pool_key, - expiry_time = CURRENT_TIMESTAMP + v_lease_duration * INTERVAL '1' SECOND(1) - WHERE framedipaddress = r_address; - - -- Return the address 
that we allocated
- COMMIT;
- RETURN r_address;
-
-END;
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/queries.conf
deleted file mode 100644
index c337fcf..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/queries.conf
+++ /dev/null
@@ -1,200 +0,0 @@ -# -*- text -*- -# -# ippool-dhcp/oracle/queries.conf -- Oracle queries for rlm_sqlippool -# -# $Id: 0fcffc3af787d696cf8641c4aca39bc36401033c $ - -start_begin = "commit" -alive_begin = "commit" -stop_begin = "commit" -on_begin = "commit" -off_begin = "commit" - - -# ***************** -# * DHCP DISCOVER * -# ***************** - -# -# Use a stored procedure to find AND allocate the address. Read and customise -# `procedure.sql` in this directory to determine the optimal configuration. -# Oracle's locking mechanism limitations prevents the use of single queries -# that can either find a client's existing address or the first available one. -# -allocate_begin = "" -allocate_find = "\ - SELECT fr_dhcp_allocate_previous_or_new_framedipaddress( \ - '%{control:${pool_name}}', \ - '%{DHCP-Gateway-IP-Address}', \ - '${pool_key}', \ - '${offer_duration}', \ - '%{%{${req_attribute_name}}:-0.0.0.0}' \ - ) FROM dual" -allocate_update = "" -allocate_commit = "" - - -# -# If you prefer to allocate a random IP address every time, use this query instead -# Note: This is very slow if you have a lot of free IPs. -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} WHERE id IN ( \ -# SELECT id FROM ( \ -# SELECT * \ -# FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < current_timestamp \ -# AND dhcpstatus.status = 'dynamic' \ -# ORDER BY DBMS_RANDOM.VALUE \ -# ) WHERE ROWNUM <= 1 \ -# ) FOR UPDATE" - -# -# The above query again, but with SKIP LOCKED. This requires Oracle > 11g. -# It may work in 9i and 10g, but is not documented, so YMMV. 
-# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} WHERE id IN ( \ -# SELECT id FROM (\ -# SELECT * \ -# FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < current_timestamp \ -# AND dhcpstatus.status = 'dynamic' \ -# ORDER BY DBMS_RANDOM.VALUE \ -# ) WHERE ROWNUM <= 1 \ -# ) FOR UPDATE SKIP LOCKED" - -# -# A tidier version that needs Oracle >= 12c -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} WHERE id IN ( -# SELECT id FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < current_timestamp \ -# AND dhcpstatus.status = 'dynamic' \ -# ORDER BY DBMS_RANDOM.VALUE \ -# FETCH FIRST 1 ROWS ONLY -# ) FOR UPDATE SKIP LOCKED" - -# -# If an IP could not be allocated, check to see whether the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be commented -# out to save running this query every time an ip is not allocated. -# -pool_check = "\ - SELECT id \ - FROM (\ - SELECT id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}'\ - ) \ - WHERE ROWNUM = 1" - -# -# This query marks the IP address handed out by "allocate-find" as used -# for the period of "offer_duration" after which time it may be reused. 
-# Only needed if allocate_find is not using the stored procedure and therefore -# not updating the lease -# -#allocate_update = "\ -# UPDATE ${ippool_table} \ -# SET \ -# gateway = '%{DHCP-Gateway-IP-Address}', \ -# pool_key = '${pool_key}', \ -# expiry_time = current_timestamp + INTERVAL '${offer_duration}' second(1) \ -# WHERE framedipaddress = '%I'" - - -# **************** -# * DHCP REQUEST * -# **************** - -# -# This query revokes any active offers for addresses that a client is not -# requesting when a DHCP REQUEST packet arrives -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '0', \ - expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \ - AND expiry_time > current_timestamp \ - AND ${ippool_table}.status_id IN \ - (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" -start_commit = "COMMIT" - -# -# This query extends an existing lease (or offer) when a DHCP REQUEST packet -# arrives. This query must update a row when a lease is succesfully requested -# - queries that update no rows will result in a "notfound" response to -# the module which by default will give a DHCP-NAK reply. In this example -# incrementing "counter" is used to achieve this. 
-# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = current_timestamp + INTERVAL '${lease_duration}' second(1), \ - counter = counter + 1 \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'" -alive_commit = "COMMIT" - - -# **************** -# * DHCP RELEASE * -# **************** - -# -# This query frees an IP address when a DHCP RELEASE packet arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '0', \ - expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Client-IP-Address}' \ - AND ${ippool_table}.status_id IN \ - (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" -stop_commit = "COMMIT" - - -# -# This query is not applicable to DHCP -# -on_clear = "" - - -# **************** -# * DHCP DECLINE * -# **************** - -# -# This query marks an IP address as declined when a DHCP Decline -# packet arrives -# -off_clear = "\ - UPDATE ${ippool_table} \ - SET status_id = (SELECT status_id FROM dhcpstatus WHERE status = 'declined') \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Requested-IP-Address}'" -off_commit = "COMMIT" - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql deleted file mode 100644 index 32d28bb..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql +++ /dev/null 
@@ -1,28 +0,0 @@
-CREATE TABLE dhcpstatus (
- status_id INT PRIMARY KEY,
- status VARCHAR(10) NOT NULL
-);
-
-INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic');
-INSERT INTO dhcpstatus (status_id, status) VALUES (2, 'static');
-INSERT INTO dhcpstatus (status_id, status) VALUES (3, 'declined');
-INSERT INTO dhcpstatus (status_id, status) VALUES (4, 'disabled');
-
-CREATE SEQUENCE dhcpippool_seq START WITH 1 INCREMENT BY 1;
-
-CREATE TABLE dhcpippool (
- id INT DEFAULT ON NULL dhcpippool_seq.NEXTVAL PRIMARY KEY,
- pool_name VARCHAR(30) NOT NULL,
- framedipaddress VARCHAR(15) NOT NULL,
- pool_key VARCHAR(30) DEFAULT '',
- gateway VARCHAR(15) DEFAULT '',
- expiry_time timestamp(0) DEFAULT CURRENT_TIMESTAMP,
- status_id INT DEFAULT 1,
- counter INT DEFAULT 0,
- FOREIGN KEY (status_id) REFERENCES dhcpstatus(status_id)
-);
-
-CREATE INDEX dhcpippool_poolname_expire ON dhcpippool (pool_name, expiry_time);
-CREATE INDEX dhcpippool_framedipaddress ON dhcpippool (framedipaddress);
-CREATE INDEX dhcpippool_poolname_poolkey_ipaddress ON dhcpippool (pool_name, pool_key, framedipaddress);
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
deleted file mode 100644
index 379a349..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
+++ /dev/null
@@ -1,119 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- START TRANSACTION; SELECT FOR UPDATE; UPDATE; COMMIT; -> SELECT sp() --- --- The stored procedure is executed on an database instance within a single --- round trip which often leads to reduced deadlocking and significant --- performance improvements especially on multi-master clusters, perhaps even --- by an order of magnitude or more. --- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- SELECT fr_dhcp_allocate_previous_or_new_framedipaddress( \ --- '%{control:${pool_name}}', \ --- '%{DHCP-Gateway-IP-Address}', \ --- '${pool_key}', \ --- ${lease_duration}, \ --- '%{%{${req_attribute_name}}:-0.0.0.0}' \ --- )" --- allocate_update = "" --- allocate_commit = "" --- - -CREATE OR REPLACE FUNCTION fr_dhcp_allocate_previous_or_new_framedipaddress ( - v_pool_name VARCHAR(64), - v_gateway VARCHAR(16), - v_pool_key VARCHAR(64), - v_lease_duration INT, - v_requested_address INET -) -RETURNS inet -LANGUAGE plpgsql -AS $$ -DECLARE - r_address INET; -BEGIN - - -- Reissue an existing IP address lease when re-authenticating a session - -- - WITH ips AS ( - SELECT framedipaddress FROM dhcpippool - WHERE pool_name = v_pool_name - AND pool_key = v_pool_key - AND expiry_time > NOW() - AND status IN ('dynamic', 'static') - LIMIT 1 FOR UPDATE SKIP LOCKED ) - UPDATE dhcpippool - SET expiry_time = NOW() + v_lease_duration * interval '1 sec' - FROM ips WHERE dhcpippool.framedipaddress = ips.framedipaddress - RETURNING dhcpippool.framedipaddress INTO r_address; - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. 
You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. - -- - -- WITH ips AS ( - -- SELECT framedipaddress FROM dhcpippool - -- WHERE pool_name = v_pool_name - -- AND pool_key = v_pool_key - -- AND status IN ('dynamic', 'static') - -- LIMIT 1 FOR UPDATE SKIP LOCKED ) - -- UPDATE dhcpippool - -- SET expiry_time = NOW + v_lease_duration * interval '1 sec' - -- FROM ips WHERE dhcpippool.framedipaddress = ips.framedipaddress - -- RETURNING dhcpippool.framedipaddress INTO r_address; - - -- Issue the requested IP address if it is available - -- - IF r_address IS NULL AND v_requested_address != '0.0.0.0' THEN - WITH ips AS ( - SELECT framedipaddress FROM dhcpippool - WHERE pool_name = v_pool_name - AND framedipaddress = v_requested_address - AND status = 'dynamic' - AND ( pool_key = v_pool_key OR expiry_time < NOW() ) - LIMIT 1 FOR UPDATE SKIP LOCKED ) - UPDATE dhcpippool - SET pool_key = v_pool_key, - expiry_time = NOW() + v_lease_duration * interval '1 sec', - gateway = v_gateway - FROM ips WHERE dhcpippool.framedipaddress = ips.framedipaddress - RETURNING dhcpippool.framedipaddress INTO r_address; - END IF; - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - IF r_address IS NULL THEN - WITH ips AS ( - SELECT framedipaddress FROM dhcpippool - WHERE pool_name = v_pool_name - AND expiry_time < NOW() - AND status = 'dynamic' - ORDER BY expiry_time - LIMIT 1 FOR UPDATE SKIP LOCKED ) - UPDATE dhcpippool - SET pool_key = v_pool_key, - expiry_time = NOW() + v_lease_duration * interval '1 sec', - gateway = v_gateway - FROM ips WHERE dhcpippool.framedipaddress = ips.framedipaddress - RETURNING dhcpippool.framedipaddress INTO r_address; - END IF; - - -- Return the address that we allocated - RETURN r_address; - -END -$$; 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
deleted file mode 100644
index 18a86ba..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
+++ /dev/null
@@ -1,291 +0,0 @@ -# -*- text -*- -# -# ippool-dhcp/postgresql/queries.conf -- PostgreSQL queries for rlm_sqlippool -# -# $Id: 632fc7040f5912a289641440faba8accc9d27a0e $ - -# ***************** -# * DHCP DISCOVER * -# ***************** - -# -# Use a stored procedure to find AND allocate the address. Read and customise -# `procedure.sql` in this directory to determine the optimal configuration. -# -# This requires PostgreSQL >= 9.5 as SKIP LOCKED is used. -# -# The "NO LOAD BALANCE" comment is included here to indicate to a PgPool -# system that this needs to be a write transaction. PgPool itself cannot -# detect this from the statement alone. If you are using PgPool and do not -# have this comment, the query may go to a read only server, and will fail. -# This has no negative effect if you are not using PgPool. -# -allocate_begin = "" -allocate_find = "\ - /*NO LOAD BALANCE*/ \ - SELECT fr_dhcp_allocate_previous_or_new_framedipaddress( \ - '%{control:${pool_name}}', \ - '%{DHCP-Gateway-IP-Address}', \ - '${pool_key}', \ - '${offer_duration}', \ - '%{%{${req_attribute_name}}:-0.0.0.0}' \ - )" -allocate_update = "" -allocate_commit = "" - -# -# If stored procedures are not able to be used, the following queries can -# be used. -# Comment out all the above queries and choose the appropriate "allocate_find" -# to match the desired outcome and also the version of "allocate_update" below. 
-# - -# -# This sequence of queries allocates an IP address from the Pool -# -#allocate_begin = "BEGIN" - - -# Attempt to find the most recent existing IP address for the client -# -#allocate_existing = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND pool_key = '${pool_key}' \ -# AND status IN ('dynamic', 'static') \ -# ORDER BY expiry_time DESC \ -# LIMIT 1 \ -# FOR UPDATE" - -# The same query with SKIP LOCKED - requires PostgreSQL >= 9.5 -# allocate_existing = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND pool_key = '${pool_key}' \ -# AND status IN ('dynamic', 'static') \ -# ORDER BY expiry_time DESC \ -# LIMIT 1 \ -# FOR UPDATE SKIP LOCKED" - - -# -# Determine whether the requested IP address is available -# -#allocate_requested = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# AND status = 'dynamic' \ -# AND expiry_time < 'now'::timestamp(0) \ -# FOR UPDATE" - -# The same query with SKIP LOCKED - requires PostgreSQL >= 9.5 -#allocate_requested = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# AND status = 'dynamic' \ -# AND expiry_time < 'now'::timestamp(0) \ -# FOR UPDATE SKIP LOCKED" - - -# -# If the existing address can't be found this query will be run to -# find a free address -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < 'now'::timestamp(0) \ -# AND status = 'dynamic' \ -# ORDER BY expiry_time \ -# LIMIT 1 \ -# FOR UPDATE" - -# The same query with SKIP LOCKED - requires PostgreSQL >= 9.5 -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = 
'%{control:${pool_name}}' \ -# AND expiry_time < 'now'::timestamp(0) \ -# AND status = 'dynamic' \ -# ORDER BY expiry_time \ -# LIMIT 1 \ -# FOR UPDATE SKIP LOCKED" - -# -# If you prefer to allocate a random IP address every time, use this query instead -# Note: This is very slow if you have a lot of free IPs. -# Use of either of these next two queries should have the allocate_begin line commented out -# and allocate_update below un-commented. -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' AND expiry_time < 'now'::timestamp(0) \ -# AND status = 'dynamic' \ -# ORDER BY RANDOM() \ -# LIMIT 1 \ -# FOR UPDATE" - -# -# The above query again, but with SKIP LOCKED. This requires PostgreSQL >= 9.5. -# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' AND expiry_time < 'now'::timestamp(0) \ -# AND status = 'dynamic' \ -# ORDER BY RANDOM() \ -# LIMIT 1 \ -# FOR UPDATE SKIP LOCKED" - -# -# This query marks the IP address handed out by "allocate-find" as used -# for the period of "lease_duration" after which time it may be reused. 
-# -#allocate_update = "\ -# UPDATE ${ippool_table} \ -# SET \ -# gateway = '%{DHCP-Gateway-IP-Address}', \ -# pool_key = '${pool_key}', \ -# expiry_time = 'now'::timestamp(0) + '${offer_duration} second'::interval \ -# WHERE framedipaddress = '%I'" - - -# -# Alternatively, merge the matching of existing IP and free IP into a single query -# This version does the update as well - so allocate_begin, allocate_update and -# allocate_commit should be blank -# -#allocate_begin = "" -#allocate_find = "\ -# WITH found AS ( \ -# WITH existing AS ( \ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND pool_key = '${pool_key}' \ -# ORDER BY expiry_time DESC \ -# LIMIT 1 \ -# FOR UPDATE SKIP LOCKED \ -# ), requested AS ( \ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# AND status = 'dynamic' \ -# AND ( pool_key = '${pool_key}' OR expiry_time < 'now'::timestamp(0) ) \ -# FOR UPDATE SKIP LOCKED \ -# ), new AS ( \ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < 'now'::timestamp(0) \ -# AND status = 'dynamic' \ -# ORDER BY expiry_time \ -# LIMIT 1 \ -# FOR UPDATE SKIP LOCKED \ -# ) \ -# SELECT framedipaddress, 1 AS o FROM existing \ -# UNION ALL \ -# SELECT framedipaddress, 2 AS o FROM requested \ -# UNION ALL \ -# SELECT framedipaddress, 3 AS o FROM new \ -# ORDER BY o LIMIT 1 \ -# ) \ -# UPDATE ${ippool_table} \ -# SET pool_key = '${pool_key}', \ -# expiry_time = 'now'::timestamp(0) + '${offer_duration} second'::interval, \ -# gateway = '%{DHCP-Gateway-IP-Address}' \ -# FROM found \ -# WHERE found.framedipaddress = ${ippool_table}.framedipaddress \ -# RETURNING found.framedipaddress" -#allocate_update = "" -#allocate_commit = "" - - -# -# If an IP could not be allocated, check to see whether the pool exists or not -# This allows the 
module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be commented -# out to save running this query every time an ip is not allocated. -# -pool_check = "\ - SELECT id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}' \ - LIMIT 1" - - -# **************** -# * DHCP REQUEST * -# **************** - -# -# This query revokes any active offers for addresses that a client is not -# requesting when a DHCP REQUEST packet arrives, i.e, each server (sharing the -# same database) may have simultaneously offered a unique address. -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '', \ - expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \ - AND expiry_time > 'now'::timestamp(0) \ - AND status = 'dynamic'" - -# -# This query extends an existing lease (or offer) when a DHCP REQUEST packet -# arrives. This query must update a row when a lease is succesfully requested -# - queries that update no rows will result in a "notfound" response to -# the module which by default will give a DHCP-NAK reply. In this example -# incrementing "counter" is used to achieve this. 
-# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = 'now'::timestamp(0) + '${lease_duration} second'::interval, \ - counter = counter + 1 \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'" - - -# **************** -# * DHCP RELEASE * -# **************** - -# -# This query frees an IP address when a DHCP RELEASE packet arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - gateway = '', \ - pool_key = '', \ - expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Client-IP-Address}' \ - AND status = 'dynamic'" - - -# -# This query is not applicable to DHCP -# -on_clear = "" - - -# **************** -# * DHCP DECLINE * -# **************** - -# -# This query marks an IP address as declined when a DHCP DECLINE packet -# arrives -# -off_clear = "\ - UPDATE ${ippool_table} \ - SET status = 'declined' \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Requested-IP-Address}'" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql deleted file mode 100644 index af86889..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql +++ /dev/null 
@@ -1,23 +0,0 @@
---
--- Table structure for table 'dhcpippool'
---
--- See also "procedure.sql" in this directory for
--- a stored procedure that gives much faster response.
---
-
-CREATE TYPE dhcp_status AS ENUM ('dynamic', 'static', 'declined', 'disabled');
-
-CREATE TABLE dhcpippool (
- id BIGSERIAL PRIMARY KEY,
- pool_name varchar(64) NOT NULL,
- FramedIPAddress INET NOT NULL,
- pool_key VARCHAR(64) NOT NULL default '0',
- gateway VARCHAR(16) NOT NULL default '',
- expiry_time TIMESTAMP(0) without time zone NOT NULL default NOW(),
- status dhcp_status DEFAULT 'dynamic',
- counter INT NOT NULL default 0
-);
-
-CREATE INDEX dhcpippool_poolname_expire ON dhcpippool USING btree (pool_name, expiry_time);
-CREATE INDEX dhcpippool_framedipaddress ON dhcpippool USING btree (framedipaddress);
-CREATE INDEX dhcpippool_poolname_poolkey_ipaddress ON dhcpippool USING btree (pool_name, pool_key, framedipaddress);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf
deleted file mode 100644
index a2e0023..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf
+++ /dev/null
@@ -1,236 +0,0 @@ -# -*- text -*- -# -# ippool-dhcp/sqlite/queries.conf -- SQLite queries for rlm_sqlippool -# -# $Id: d99e09bfc8559eaf5584c32fb6a94c99e689fee3 $ - -# ***************** -# * DHCP DISCOVER * -# ***************** - -# -# SQLite does not implement SELECT FOR UPDATE which is normally used to place -# an exclusive lock over rows to prevent the same address from being -# concurrently selected for allocation to multiple users. -# -# The most granular read-blocking lock that SQLite has is an exclusive lock -# over the database, so that's what we use. All locking in SQLite is performed -# over the entire database and we perform a row update for any IP that we -# allocate, requiring an exclusive lock. Taking the exclusive lock from the -# start of the transaction (even if it were not required to guard the SELECT) -# is actually quicker than if we deferred it causing SQLite to "upgrade" the -# automatic shared lock for the transaction to an exclusive lock for the -# subsequent UPDATE. 
-# -allocate_begin = "BEGIN EXCLUSIVE" -allocate_commit = "COMMIT" - -# -# Attempt to find the most recent existing IP address for the client -# -allocate_existing = "\ - SELECT framedipaddress \ - FROM ${ippool_table} \ - JOIN dhcpstatus \ - ON ${ippool_table}.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND pool_key = '${pool_key}' \ - AND status IN ('dynamic', 'static') \ - ORDER BY expiry_time DESC \ - LIMIT 1" - -# -# Determine whether the requested IP address is available -# -allocate_requested = "\ - SELECT framedipaddress \ - FROM ${ippool_table} \ - JOIN dhcpstatus \ - ON ${ippool_table}.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ - AND status = 'dynamic' \ - AND expiry_time < datetime('now')" - -# -# If the existing address can't be found this query will be run to -# find a free address -# -allocate_find = "\ - SELECT framedipaddress \ - FROM ${ippool_table} \ - JOIN dhcpstatus \ - ON ${ippool_table}.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND expiry_time < datetime('now') \ - AND status = 'dynamic' \ - ORDER BY expiry_time LIMIT 1" - -# -# This series of queries allocates an IP address -# -# Either pull the most recent allocated IP for this client or the -# oldest expired one. The first sub query returns the most recent -# lease for the client (if there is one), the second returns the -# oldest expired one. -# Sorting the result by expiry_time DESC will return the client specific -# IP if it exists, otherwise an expired one. 
-# -#allocate_find = "\ -# SELECT framedipaddress, 1 AS o \ -# FROM ( \ -# SELECT framedipaddress \ -# FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND pool_key = '${pool_key}' \ -# AND status IN ('dynamic', 'static') \ -# ORDER BY expiry_time DESC \ -# LIMIT 1 \ -# ) UNION \ -# SELECT framedipaddress, 2 AS o \ -# FROM ( \ -# SELECT framedipaddress \ -# FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ -# AND status = 'dynamic' \ -# AND ( pool_key = '${pool_key}' OR expiry_time < datetime('now') ) \ -# ) UNION \ -# SELECT framedipaddress, 3 AS o \ -# FROM ( \ -# SELECT framedipaddress \ -# FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < datetime('now') \ -# AND status = 'dynamic' \ -# ORDER BY expiry_time LIMIT 1 \ -# ) \ -# ORDER BY o \ -# LIMIT 1" - -# -# If you prefer to allocate a random IP address every time, i -# use this query instead -# Note: This is very slow if you have a lot of free IPs. -# - -#allocate_find = "\ -# SELECT framedipaddress \ -# FROM ${ippool_table} \ -# JOIN dhcpstatus \ -# ON ${ippool_table}.status_id = dhcpstatus.status_id \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < datetime('now') \ -# AND status = 'dynamic' \ -# ORDER BY RAND() \ - - -# -# If an IP could not be allocated, check to see if the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be -# commented out to save running this query every time an ip is not allocated. 
-#
-pool_check = "\
- SELECT id \
- FROM ${ippool_table} \
- WHERE pool_name='%{control:${pool_name}}' \
- LIMIT 1"
-
-#
-# This is the final IP Allocation query, which saves the allocated ip details
-#
-allocate_update = "\
- UPDATE ${ippool_table} \
- SET \
- gateway = '%{DHCP-Gateway-IP-Address}', \
- pool_key = '${pool_key}', \
- expiry_time = datetime(strftime('%%s', 'now') + ${offer_duration}, 'unixepoch') \
- WHERE framedipaddress = '%I'"
-
-
-# ****************
-# * DHCP REQUEST *
-# ****************
-
-#
-# This query revokes any active offers for addresses that a client is not
-# requesting when a DHCP REQUEST packet arrives
-#
-start_update = "\
- UPDATE ${ippool_table} \
- SET \
- gateway = '', \
- pool_key = '', \
- expiry_time = datetime('now') \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND pool_key = '${pool_key}' \
- AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \
- AND expiry_time > datetime('now') \
- AND ${ippool_table}.status_id IN \
- (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')"
-
-#
-# This query extends an existing lease (or offer) when a DHCP REQUEST packet
-# arrives. This query must update a row when a lease is succesfully requested
-# - queries that update no rows will result in a "notfound" response to
-# the module which by default will give a DHCP-NAK reply. In this example
-# incrementing "counter" is used to achieve this.
-#
-alive_update = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch'), \
- counter = counter + 1 \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND pool_key = '${pool_key}' \
- AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'"
-
-
-# ****************
-# * DHCP RELEASE *
-# ****************
-
-#
-# This query frees an IP address when a DHCP RELEASE packet arrives
-#
-stop_clear = "\
- UPDATE ${ippool_table} \
- SET \
- gateway = '', \
- pool_key = '', \
- expiry_time = datetime('now') \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND pool_key = '${pool_key}' \
- AND framedipaddress = '%{DHCP-Client-IP-Address}' \
- AND ${ippool_table}.status_id IN \
- (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')"
-
-
-#
-# This query is not applicable to DHCP
-#
-on_clear = ""
-
-
-# ****************
-# * DHCP DECLINE *
-# ****************
-
-#
-# This query marks an IP address as declined when a DHCP Decline
-# packet arrives
-#
-off_clear = "\
- UPDATE ${ippool_table} \
- SET status_id = (SELECT status_id FROM dhcpstatus WHERE status = 'declined') \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND pool_key = '${pool_key}' \
- AND framedipaddress = '%{DHCP-Requested-IP-Address}'"
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
deleted file mode 100644
index 339d58d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
+++ /dev/null
@@ -1,25 +0,0 @@
---
--- Table structure for table 'dhcpippool'
---
-CREATE TABLE dhcpstatus (
- status_id int PRIMARY KEY,
- status varchar(10) NOT NULL
-);
-
-INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic'), (2, 'static'), (3, 'declined'), (4, 'disabled');
-
-CREATE TABLE dhcpippool (
- id int(11) PRIMARY KEY,
- pool_name varchar(30) NOT NULL,
- framedipaddress varchar(15) NOT NULL default '',
- pool_key varchar(30) NOT NULL default '',
- gateway varchar(15) NOT NULL default '',
- expiry_time DATETIME NOT NULL default (DATETIME('now')),
- status_id int NOT NULL default 1,
- counter int NOT NULL default 0,
- FOREIGN KEY(status_id) REFERENCES dhcpstatus(status_id)
-);
-
-CREATE INDEX dhcpippool_poolname_expire ON dhcpippool(pool_name, expiry_time);
-CREATE INDEX dhcpippool_framedipaddress ON dhcpippool(framedipaddress);
-CREATE INDEX dhcpippool_poolname_poolkey_ipaddress ON dhcpippool(pool_name, pool_key, framedipaddress);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mongo/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mongo/queries.conf
deleted file mode 100644
index ef21801..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mongo/queries.conf
+++ /dev/null
@@ -1,109 +0,0 @@
-# -*- text -*-
-#
-# ippool/mongo/queries.conf -- Mongo queries for rlm_sqlippool
-#
-# $Id: 9d7d07079741236ca74f8b09b1f7948833197c47 $
-
-#
-# The IP Pool queries expect a result like:
-#
-# {
-# pool_key: "bob"
-# pool_name: "my_pool"
-# expiry_time: xxx
-# value: "192.168.1.1"
-# }
-#
-# i.e. the results are in "value", and not "framed_ip_address".
-#
-# When using dynamic expansions such as "%{sql:... mongo query ...}",
-# Mongo uses a lot of curly brackets, {..}. Any closing braces have
-# to be escaped as %}. Sorry, that is a limitation of the FreeRADIUS
-# parser.
-#
-
-#
-# TBD
-#
-on_begin = ""
-off_begin = ""
-
-allocate_begin = ""
-
-#
-# This query allocates an IP address from the Pool
-#
-allocate_find = "db.mypool_collection.findAndModify( \
- { \
- 'query': {' \
- '$and': [ \
- { \
- 'pool_name': '%{control:Pool-Name}' \
- }, \
- { \
- 'nas_ip': '%{Nas-IP-Address}' \
- }, \
- { \
- '$or': [ \
- { \
- 'calling_station_id': '%{Calling-Station-Id}' \
- }, \
- { \
- 'locked': 0 \
- } \
- ] \
- } \
- ] \
- }, \
- 'update': { \
- 'locked': 1', \
- 'calling_station_id': '%{Calling-Station-Id'}' \
- }, \
- 'fields': { \
- '_id': 0, 'framed_ip_address': 1 \
- } \
- })"
-
-allocate_update = ""
-
-allocate_clear = "db.mypool_collection.findAndModify( \
- { \
- 'query': { \
- '$and': [ \
- { \
- 'pool_name': '%{Control:Pool-Name}' \
- }, \
- { \
- 'nas_ip': '%{Nas-IP-Address}' \
- }, \
- { \
- 'calling_station_id': '%{Calling-Station-Id}' \
- }, \
- { \
- 'locked': 1 \
- } \
- ] \
- }, \
- 'update': { \
- 'locked': 0, \
- 'calling_station_id': '' \
- } \
- })"
-
-allocate_commit = ""
-
-start_begin = ""
-start_update = ""
-start_commit = ""
-
-stop_begin = ""
-stop_clear = ""
-stop_commit = ""
-
-alive_begin = ""
-alive_update = ""
-alive_commit = ""
-
-on_clear = ""
-off_clear = ""
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/procedure.sql
deleted file mode 100644
index 5c621fb..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/procedure.sql
+++ /dev/null
@@ -1,137 +0,0 @@
---
--- A stored procedure to reallocate a user's previous address, otherwise
--- provide a free address.
---
--- Using this SP reduces the usual set dialogue of queries to a single
--- query:
---
--- BEGIN TRAN; "SELECT FOR UPDATE"; UPDATE; COMMIT TRAN; -> EXEC sp
---
--- The stored procedure is executed on an database instance within a single
--- round trip which often leads to reduced deadlocking and significant
--- performance improvements especially on multi-master clusters, perhaps even
--- by an order of magnitude or more.
---
--- To use this stored procedure the corresponding queries.conf statements must
--- be configured as follows:
---
--- allocate_begin = ""
--- allocate_find = "\
--- EXEC fr_allocate_previous_or_new_framedipaddress \
--- @v_pool_name = '%{control:${pool_name}}', \
--- @v_username = '%{User-Name}', \
--- @v_callingstationid = '%{Calling-Station-Id}', \
--- @v_nasipaddress = '%{NAS-IP-Address}', \
--- @v_pool_key = '${pool_key}', \
--- @v_lease_duration = ${lease_duration} \
--- "
--- allocate_update = ""
--- allocate_commit = ""
---
-
-CREATE INDEX UserName_CallingStationId ON radippool(pool_name,UserName,CallingStationId)
-GO
-
-CREATE OR ALTER PROCEDURE fr_allocate_previous_or_new_framedipaddress
- @v_pool_name VARCHAR(64),
- @v_username VARCHAR(64),
- @v_callingstationid VARCHAR(64),
- @v_nasipaddress VARCHAR(15),
- @v_pool_key VARCHAR(64),
- @v_lease_duration INT
-AS
- BEGIN
-
- -- MS SQL lacks a "SELECT FOR UPDATE" statement, and its table
- -- hints do not provide a direct means to implement the row-level
- -- read lock needed to guarentee that concurrent queries do not
- -- select the same Framed-IP-Address for allocation to distinct
- -- users.
- --
- -- The "WITH cte AS ( SELECT ... ) UPDATE cte ... OUTPUT INTO"
- -- patterns in this procedure body compensate by wrapping
- -- the SELECT in a synthetic UPDATE which locks the row.
-
- DECLARE @r_address_tab TABLE(id VARCHAR(15));
- DECLARE @r_address VARCHAR(15);
-
- BEGIN TRAN;
-
- -- Reissue an existing IP address lease when re-authenticating a session
- --
- WITH cte AS (
- SELECT TOP(1) FramedIPAddress
- FROM radippool WITH (xlock rowlock readpast)
- WHERE pool_name = @v_pool_name
- AND expiry_time > CURRENT_TIMESTAMP
- AND NASIPAddress = @v_nasipaddress AND pool_key = @v_pool_key
- )
- UPDATE cte
- SET FramedIPAddress = FramedIPAddress
- OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab;
- SELECT @r_address = id FROM @r_address_tab;
-
- -- Reissue an user's previous IP address, provided that the lease is
- -- available (i.e. enable sticky IPs)
- --
- -- When using this SELECT you should delete the one above. You must also
- -- set allocate_clear = "" in queries.conf to persist the associations
- -- for expired leases.
- --
- -- WITH cte AS (
- -- SELECT TOP(1) FramedIPAddress
- -- FROM radippool WITH (xlock rowlock readpast)
- -- WHERE pool_name = @v_pool_name
- -- AND NASIPAddress = @v_nasipaddress AND pool_key = @v_pool_key
- -- )
- -- UPDATE cte
- -- SET FramedIPAddress = FramedIPAddress
- -- OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab;
- -- SELECT @r_address = id FROM @r_address_tab;
-
- -- If we didn't reallocate a previous address then pick the least
- -- recently used address from the pool which maximises the likelihood
- -- of re-assigning the other addresses to their recent user
- --
- IF @r_address IS NULL
- BEGIN
- WITH cte AS (
- SELECT TOP(1) FramedIPAddress
- FROM radippool WITH (xlock rowlock readpast)
- WHERE pool_name = @v_pool_name
- AND expiry_time < CURRENT_TIMESTAMP
- ORDER BY
- expiry_time
- )
- UPDATE cte
- SET FramedIPAddress = FramedIPAddress
- OUTPUT INSERTED.FramedIPAddress INTO @r_address_tab;
- SELECT @r_address = id FROM @r_address_tab;
- END
-
- -- Return nothing if we failed to allocated an address
- --
- IF @r_address IS NULL
- BEGIN
- COMMIT TRAN;
- RETURN;
- END
-
- -- Update the pool having allocated an IP address
- --
- UPDATE radippool
- SET
- NASIPAddress = @v_nasipaddress,
- pool_key = @v_pool_key,
- CallingStationId = @v_callingstationid,
- UserName = @v_username,
- expiry_time = DATEADD(SECOND,@v_lease_duration,CURRENT_TIMESTAMP)
- WHERE framedipaddress = @r_address;
-
- COMMIT TRAN;
-
- -- Return the address that we allocated
- SELECT @r_address;
-
- END
-GO
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/queries.conf
deleted file mode 100644
index 2ac2619..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/queries.conf
+++ /dev/null
@@ -1,176 +0,0 @@
-# -*- text -*-
-#
-# ippool/mssql/queries.conf -- MSSQL queries for rlm_sqlippool
-#
-# $Id: eaef95fa592e8c1902ff877d241fcd5f166e30eb $
-
-#
-# MSSQL-specific syntax - required if finding the address and updating
-# it are separate queries
-#
-#allocate_begin = "BEGIN TRAN"
-#allocate_commit = "COMMIT TRAN"
-
-allocate_begin = ""
-allocate_commit = ""
-
-#
-# This series of queries allocates an IP address
-#
-
-#
-# Attempt to allocate the address a client previously had. This is based on pool_key
-# and nasipaddress. Change the criteria if the identifier for "stickyness" is different.
-# If different criteria are used, check the indexes on the IP pool table to ensure the fields
-# are appropriately indexed. To disable stickyness comment out this query.
-#
-allocate_existing = "\
- WITH cte AS ( \
- SELECT TOP(1) FramedIPAddress, CallingStationId, UserName, expiry_time \
- FROM ${ippool_table} WITH (xlock rowlock readpast) \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool_key}' \
- ORDER BY expiry_time DESC \
- ) \
- UPDATE cte \
- SET \
- CallingStationId = '%{Calling-Station-Id}', \
- UserName = '%{User-Name}', expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP) \
- SET FramedIPAddress = FramedIPAddress \
- OUTPUT INSERTED.FramedIPAddress"
-
-#
-# Find a free IP address from the pool, choosing the oldest expired one.
-#
-allocate_find = "\
- WITH cte AS ( \
- SELECT TOP(1) FramedIPAddress, NASIPAddress, pool_key, \
- CallingStationId, UserName, expiry_time \
- FROM ${ippool_table} \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND expiry_time < CURRENT_TIMESTAMP \
- ORDER BY expiry_time \
- ) \
- UPDATE cte WITH (rowlock, readpast) \
- SET \
- NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
- CallingStationId = '%{Calling-Station-Id}', \
- UserName = '%{User-Name}', expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP) \
- OUTPUT INSERTED.FramedIPAddress"
-
-#
-# If you prefer to allocate a random IP address every time, use this query instead.
-# Note: This is very slow if you have a lot of free IPs.
-#
-#allocate_find = "\
-# WITH cte AS ( \
-# SELECT TOP(1) FramedIPAddress, NASIPAddress, pool_key, \
-# CallingStationId, UserName, expiry_time \
-# FROM ${ippool_table} \
-# WHERE pool_name = '%{control:${pool_name}}' \
-# AND expiry_time < CURRENT_TIMESTAMP \
-# ORDER BY newid() \
-# ) \
-# UPDATE cte WITH (rowlock, readpast) \
-# SET \
-# NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
-# CallingStationId = '%{Calling-Station-Id}', \
-# UserName = '%{User-Name}', expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP) \
-# OUTPUT INSERTED.FramedIPAddress"
-
-#
-# If an IP could not be allocated, check to see if the pool exists or not
-# This allows the module to differentiate between a full pool and no pool
-# Note: If you are not running redundant pool modules this query may be
-# commented out to save running this query every time an ip is not allocated.
-#
-pool_check = "\
- SELECT TOP(1) id \
- FROM ${ippool_table} \
- WHERE pool_name='%{control:${pool_name}}'"
-
-#
-# This is the final IP Allocation query, which saves the allocated ip details.
-# Only needed if allocate_existing / allocate_find do not also update the pool.
-#
-#allocate_update = "\
-# UPDATE ${ippool_table} \
-# SET \
-# NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
-# CallingStationId = '%{Calling-Station-Id}', \
-# UserName = '%{User-Name}', expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP) \
-# WHERE FramedIPAddress = '%I'"
-
-#
-# Use a stored procedure to find AND allocate the address. Read and customise
-# `procedure.sql` in this directory to determine the optimal configuration.
-#
-#allocate_begin = ""
-#allocate_find = "\
-# EXEC fr_allocate_previous_or_new_framedipaddress \
-# @v_pool_name = '%{control:${pool_name}}', \
-# @v_username = '%{User-Name}', \
-# @v_callingstationid = '%{Calling-Station-Id}', \
-# @v_nasipaddress = '%{NAS-IP-Address}', \
-# @v_pool_key = '${pool_key}', \
-# @v_lease_duration = ${lease_duration} \
-# "
-#allocate_update = ""
-#allocate_commit = ""
-
-#
-# This series of queries frees an IP number when an accounting START record arrives.
-#
-start_update = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP) \
- WHERE NASIPAddress = '%{NAS-IP-Address}' \
- AND pool_key = '${pool_key}' \
- AND UserName = '%{User-Name}' \
- AND CallingStationId = '%{Calling-Station-Id}' \
- AND FramedIPAddress = '%{${attribute_name}}'"
-
-#
-# Expire an IP when an accounting STOP record arrives
-#
-stop_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = CURRENT_TIMESTAMP \
- WHERE NASIPAddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
- AND pool_key = '${pool_key}' \
- AND UserName = '%{User-Name}' \
- AND CallingStationId = '%{Calling-Station-Id}' \
- AND FramedIPAddress = '%{${attribute_name}}'"
-
-#
-# Update the expiry time for an IP when an accounting ALIVE record arrives
-#
-alive_update = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = DATEADD(SECOND,${lease_duration},CURRENT_TIMESTAMP) \
- WHERE NASIPAddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
- AND pool_key = '${pool_key}' \
- AND UserName = '%{User-Name}' \
- AND CallingStationId = '%{Calling-Station-Id}' \
- AND FramedIPAddress = '%{${attribute_name}}'"
-
-#
-# Expires all IPs allocated to a NAS when an accounting ON record arrives
-#
-on_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = CURRENT_TIMESTAMP \
- WHERE NASIPAddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
-
-#
-# Expires all IPs allocated to a NAS when an accounting OFF record arrives
-#
-off_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = CURRENT_TIMESTAMP \
- WHERE NASIPAddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/schema.sql
deleted file mode 100644
index d4bff44..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mssql/schema.sql
+++ /dev/null
@@ -1,25 +0,0 @@
---
--- Table structure for table 'radippool'
---
-CREATE TABLE radippool (
- id int IDENTITY (1,1) NOT NULL,
- pool_name varchar(30) NOT NULL,
- FramedIPAddress varchar(15) NOT NULL default '',
- NASIPAddress varchar(15) NOT NULL default '',
- CalledStationId VARCHAR(32) NOT NULL default '',
- CallingStationId VARCHAR(30) NOT NULL default '',
- expiry_time DATETIME NOT NULL default CURRENT_TIMESTAMP,
- UserName varchar(64) NOT NULL default '',
- pool_key varchar(30) NOT NULL default '',
- PRIMARY KEY (id)
-)
-GO
-
-CREATE INDEX poolname_expire ON radippool(pool_name, expiry_time)
-GO
-
-CREATE INDEX FramedIPAddress ON radippool(FramedIPAddress)
-GO
-
-CREATE INDEX NASIPAddress_poolkey_FramedIPAddress ON radippool(NASIPAddress, pool_key, FramedIPAddress)
-GO
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql
deleted file mode 100644
index 1c88446..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql
+++ /dev/null
@@ -1,149 +0,0 @@
---
--- A stored procedure to reallocate a user's previous address, otherwise
--- provide a free address.
---
--- NOTE: This version of the SP is intended for MySQL variants that do not
--- support the SKIP LOCKED pragma, i.e. MariaDB and versions of MySQL
--- prior to 8.0. It should be a lot faster than using the default SP
--- without the SKIP LOCKED pragma under highly concurrent workloads
--- and not result in thread starvation.
---
--- It is however a *useful hack* which should not be used if SKIP
--- LOCKED is available.
---
--- WARNING: This query uses server-local, "user locks" (GET_LOCK and
--- RELEASE_LOCK), without the need for a transaction, to emulate
--- row locking with locked-row skipping. User locks are not
--- supported on clusters such as Galera and MaxScale.
---
--- Using this SP reduces the usual set dialogue of queries to a single
--- query:
---
--- START TRANSACTION; SELECT FOR UPDATE; UPDATE; COMMIT; -> CALL sp()
---
--- The stored procedure is executed within a single round trip which often
--- leads to reduced deadlocking and significant performance improvements.
---
--- To use this stored procedure the corresponding queries.conf statements must
--- be configured as follows:
---
--- allocate_begin = ""
--- allocate_find = "\
--- CALL fr_allocate_previous_or_new_framedipaddress( \
--- '%{control:${pool_name}}', \
--- '%{User-Name}', \
--- '%{Calling-Station-Id}', \
--- '%{NAS-IP-Address}', \
--- '${pool_key}', \
--- ${lease_duration} \
--- )"
--- allocate_update = ""
--- allocate_commit = ""
---
-
-CREATE INDEX poolname_username_callingstationid ON radippool(pool_name,username,callingstationid);
-
-DELIMITER $$
-
-DROP PROCEDURE IF EXISTS fr_allocate_previous_or_new_framedipaddress;
-CREATE PROCEDURE fr_allocate_previous_or_new_framedipaddress (
- IN v_pool_name VARCHAR(64),
- IN v_username VARCHAR(64),
- IN v_callingstationid VARCHAR(64),
- IN v_nasipaddress VARCHAR(15),
- IN v_pool_key VARCHAR(64),
- IN v_lease_duration INT
-)
-SQL SECURITY INVOKER
-proc:BEGIN
- DECLARE r_address VARCHAR(15);
-
- -- Reissue an existing IP address lease when re-authenticating a session
- --
- SELECT framedipaddress INTO r_address
- FROM radippool
- WHERE pool_name = v_pool_name
- AND expiry_time > NOW()
- AND nasipaddress = v_nasipaddress
- AND pool_key = v_pool_key
- LIMIT 1;
-
- -- Reissue an user's previous IP address, provided that the lease is
- -- available (i.e. enable sticky IPs)
- --
- -- When using this SELECT you should delete the one above. You must also
- -- set allocate_clear = "" in queries.conf to persist the associations
- -- for expired leases.
- --
- -- SELECT framedipaddress INTO r_address
- -- FROM radippool
- -- WHERE pool_name = v_pool_name
- -- AND nasipaddress = v_nasipaddress
- -- AND pool_key = v_pool_key
- -- LIMIT 1;
-
- IF r_address IS NOT NULL THEN
- UPDATE radippool
- SET
- nasipaddress = v_nasipaddress,
- pool_key = v_pool_key,
- callingstationid = v_callingstationid,
- username = v_username,
- expiry_time = NOW() + INTERVAL v_lease_duration SECOND
- WHERE
- framedipaddress = r_address;
- SELECT r_address;
- LEAVE proc;
- END IF;
-
- REPEAT
-
- -- If we didn't reallocate a previous address then pick the least
- -- recently used address from the pool which maximises the likelihood
- -- of re-assigning the other addresses to their recent user
- --
- SELECT framedipaddress INTO r_address
- FROM radippool
- WHERE pool_name = v_pool_name
- AND expiry_time < NOW()
- --
- -- WHERE ... GET_LOCK(...,0) = 1 is a poor man's SKIP LOCKED that simulates
- -- a row-level lock using a "user lock" that allows the locked "rows" to be
- -- skipped. After the user lock is acquired and the SELECT retired it does
- -- not mean that the entirety of the WHERE clause is still true: Another
- -- thread may have updated the expiry time and released the lock after we
- -- checked the expiry_time but before we acquired the lock since SQL is free
- -- to reorder the WHERE condition. Therefore we must recheck the condition
- -- in the UPDATE statement below to detect this race.
- -- - AND GET_LOCK(CONCAT('radippool_', framedipaddress), 0) = 1 - LIMIT 1; - - IF r_address IS NULL THEN - DO RELEASE_LOCK(CONCAT('radippool_', r_address)); - LEAVE proc; - END IF; - - UPDATE radippool - SET - nasipaddress = v_nasipaddress, - pool_key = v_pool_key, - callingstationid = v_callingstationid, - username = v_username, - expiry_time = NOW() + INTERVAL v_lease_duration SECOND - WHERE - framedipaddress = r_address - -- - -- Here we re-evaluate the original condition for selecting the address - -- to detect a race, in which case we try again... - -- - AND expiry_time 0 END REPEAT; - - DO RELEASE_LOCK(CONCAT('radippool_', r_address)); - SELECT r_address; - -END$$ - -DELIMITER ; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure.sql deleted file mode 100644 index 2a52566..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/procedure.sql +++ /dev/null 
@@ -1,139 +0,0 @@
---
--- A stored procedure to reallocate a user's previous address, otherwise
--- provide a free address.
---
--- Using this SP reduces the usual set dialogue of queries to a single
--- query:
---
--- START TRANSACTION; SELECT FOR UPDATE; UPDATE; COMMIT; -> CALL sp()
---
--- The stored procedure is executed on an database instance within a single
--- round trip which often leads to reduced deadlocking and significant
--- performance improvements especially on multi-master clusters, perhaps even
--- by an order of magnitude or more.
---
--- To use this stored procedure the corresponding queries.conf statements must
--- be configured as follows:
---
--- allocate_begin = ""
--- allocate_find = "\
--- CALL fr_allocate_previous_or_new_framedipaddress( \
--- '%{control:${pool_name}}', \
--- '%{User-Name}', \
--- '%{Calling-Station-Id}', \
--- '%{Called-Station-Id}', \
--- '%{NAS-IP-Address}', \
--- '${pool_key}', \
--- ${lease_duration} \
--- )"
--- allocate_update = ""
--- allocate_commit = ""
---
-
-CREATE INDEX poolname_username_callingstationid ON radippool(pool_name,username,callingstationid);
-
-DELIMITER $$
-
-DROP PROCEDURE IF EXISTS fr_allocate_previous_or_new_framedipaddress;
-CREATE PROCEDURE fr_allocate_previous_or_new_framedipaddress (
- IN v_pool_name VARCHAR(64),
- IN v_username VARCHAR(64),
- IN v_callingstationid VARCHAR(64),
- IN v_calledstationid VARCHAR(64),
- IN v_nasipaddress VARCHAR(15),
- IN v_pool_key VARCHAR(64),
- IN v_lease_duration INT
-)
-SQL SECURITY INVOKER
-proc:BEGIN
- DECLARE r_address VARCHAR(15);
-
- DECLARE EXIT HANDLER FOR SQLEXCEPTION
- BEGIN
- ROLLBACK;
- RESIGNAL;
- END;
-
- SET TRANSACTION ISOLATION LEVEL READ COMMITTED;
-
- START TRANSACTION;
-
- -- Reissue an existing IP address lease when re-authenticating a session
- --
- SELECT framedipaddress INTO r_address
- FROM radippool
- WHERE pool_name = v_pool_name
- AND expiry_time > NOW()
- AND nasipaddress = v_nasipaddress
- AND pool_key = v_pool_key
- LIMIT 1
- FOR UPDATE;
--- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support
-
- -- NOTE: You should enable SKIP LOCKED here (as well as any other
- -- instances) if your database server supports it. If it is not
- -- supported and you are not running a multi-master cluster (e.g.
- -- Galera or MaxScale) then you should instead consider using the
- -- SP in procedure-no-skip-locked.sql which will be faster and
- -- less likely to result in thread starvation under highly
- -- concurrent load.
-
- -- Reissue an user's previous IP address, provided that the lease is
- -- available (i.e. enable sticky IPs)
- --
- -- When using this SELECT you should delete the one above. You must also
- -- set allocate_clear = "" in queries.conf to persist the associations
- -- for expired leases.
- --
- -- SELECT framedipaddress INTO r_address
- -- FROM radippool
- -- WHERE pool_name = v_pool_name
- -- AND nasipaddress = v_nasipaddress
- -- AND pool_key = v_pool_key
- -- LIMIT 1
- -- FOR UPDATE;
- -- -- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support
-
- -- If we didn't reallocate a previous address then pick the least
- -- recently used address from the pool which maximises the likelihood
- -- of re-assigning the other addresses to their recent user
- --
- IF r_address IS NULL THEN
- SELECT framedipaddress INTO r_address
- FROM radippool
- WHERE pool_name = v_pool_name
- AND expiry_time < NOW()
- ORDER BY
- expiry_time
- LIMIT 1
- FOR UPDATE;
--- FOR UPDATE SKIP LOCKED; -- Better performance, but limited support
- END IF;
-
- -- Return nothing if we failed to allocated an address
- --
- IF r_address IS NULL THEN
- COMMIT;
- LEAVE proc;
- END IF;
-
- -- Update the pool having allocated an IP address
- --
- UPDATE radippool
- SET
- nasipaddress = v_nasipaddress,
- pool_key = v_pool_key,
- callingstationid = v_callingstationid,
- calledstationid = v_calledstationid,
- username = v_username,
- expiry_time = NOW() + INTERVAL v_lease_duration SECOND
- WHERE framedipaddress = r_address;
-
- COMMIT;
-
- -- Return the address that we allocated
- SELECT r_address;
-
-END$$
-
-DELIMITER ;
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/queries.conf
deleted file mode 100644
index 5eb90c5..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/queries.conf
+++ /dev/null
@@ -1,156 +0,0 @@
-# -*- text -*-
-#
-# ippool/mysql/queries.conf -- MySQL queries for rlm_sqlippool
-#
-# $Id: c4210204b16925bc623482ac5d1e7bbcdaf5b029 $
-
-
-# Using SKIP LOCKED speeds up selection queries
-# However, it requires MySQL >= 8.0.1 or MariaDB >= 10.6.
-# Uncomment the following if you are running a suitable
-# version of MySQL
-#
-#skip_locked = "SKIP LOCKED"
-skip_locked = ""
-
-#
-# This series of queries allocates an IP address
-#
-
-#
-# Attempt to allocate the address a client previously had. This is based on pool_key
-# and nasipaddress. Change the criteria if the identifier for "stickyness" is different.
-# If different criteria are used, check the indexes on the IP pool table to ensure the fields
-# are appropriately indexed. To disable stickyness comment out this query.
-#
-allocate_existing = "\
- SELECT framedipaddress FROM ${ippool_table} \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool_key}' \
- ORDER BY expiry_time DESC \
- LIMIT 1 \
- FOR UPDATE ${skip_locked}"
-
-#
-# Find a free IP address from the pool, choosing the oldest expired one.
-#
-allocate_find = "\
- SELECT framedipaddress FROM ${ippool_table} \
- WHERE pool_name = '%{control:${pool_name}}' \
- AND expiry_time < NOW() \
- ORDER BY expiry_time \
- LIMIT 1 \
- FOR UPDATE ${skip_locked}"
-
-#
-# If you prefer to allocate a random IP address every time, use this query instead.
-# Note: This is very slow if you have a lot of free IPs.
-#
-#allocate_find = "\
-# SELECT framedipaddress FROM ${ippool_table} \
-# WHERE pool_name = '%{control:${pool_name}}' \
-# AND expiry_time < NOW() \
-# ORDER BY \
-# RAND() \
-# LIMIT 1 \
-# FOR UPDATE ${skip_locked}"
-
-#
-# If an IP could not be allocated, check to see if the pool exists or not
-# This allows the module to differentiate between a full pool and no pool
-# Note: If you are not running redundant pool modules this query may be
-# commented out to save running this query every time an ip is not allocated.
-#
-pool_check = "\
- SELECT id \
- FROM ${ippool_table} \
- WHERE pool_name='%{control:${pool_name}}' \
- LIMIT 1"
-
-#
-# This is the final IP Allocation query, which saves the allocated ip details.
-#
-allocate_update = "\
- UPDATE ${ippool_table} \
- SET \
- nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
- callingstationid = '%{Calling-Station-Id}', \
- username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE framedipaddress = '%I'"
-
-#
-# Use a stored procedure to find AND allocate the address. Read and customise
-# `procedure.sql` in this directory to determine the optimal configuration.
-#
-#allocate_begin = ""
-#allocate_find = "\
-# CALL fr_allocate_previous_or_new_framedipaddress( \
-# '%{control:${pool_name}}', \
-# '%{User-Name}', \
-# '%{Calling-Station-Id}', \
-# '%{Called-Station-Id}', \
-# '%{NAS-IP-Address}', \
-# '${pool_key}', \
-# ${lease_duration} \
-# )"
-#allocate_update = ""
-#allocate_commit = ""
-
-#
-# This series of queries frees an IP number when an accounting START record arrives.
-#
-start_update = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE nasipaddress = '%{NAS-IP-Address}' \
- AND pool_key = '${pool_key}' \
- AND username = '%{User-Name}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{${attribute_name}}'"
-
-#
-# This query expires an IP number when an accounting STOP record arrives.
-#
-stop_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = NOW() \
- WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
- AND pool_key = '${pool_key}' \
- AND username = '%{User-Name}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{${attribute_name}}'"
-
-#
-# This series of queries frees an IP number when an accounting ALIVE record arrives.
-#
-alive_update = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
- AND pool_key = '${pool_key}' \
- AND username = '%{User-Name}' \
- AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{${attribute_name}}'"
-
-#
-# This series of queries expires the IP numbers allocate to a
-# NAS when an accounting ON record arrives
-#
-on_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = NOW() \
- WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
-
-#
-# This series of queries expires the IP numbers allocate to a
-# NAS when an accounting OFF record arrives
-#
-off_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = NOW() \
- WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/schema.sql
deleted file mode 100644
index f79d1b1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/mysql/schema.sql
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Table structure for table 'radippool'
-#
-CREATE TABLE IF NOT EXISTS radippool (
- id int(11) unsigned NOT NULL auto_increment,
- pool_name varchar(30) NOT NULL,
- framedipaddress varchar(15) NOT NULL default '',
- nasipaddress varchar(15) NOT NULL default '',
- calledstationid VARCHAR(30) NOT NULL default '',
- callingstationid VARCHAR(30) NOT NULL default '',
- expiry_time DATETIME NOT NULL default NOW(),
- username varchar(64) NOT NULL default '',
- pool_key varchar(30) NOT NULL default '',
- PRIMARY KEY (id),
- KEY radippool_poolname_expire (pool_name, expiry_time),
- KEY framedipaddress (framedipaddress),
- KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress)
-) ENGINE=InnoDB;
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/procedure.sql
deleted file mode 100644
index e483236..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/procedure.sql
+++ /dev/null
@@ -1,129 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- BEGIN; SELECT FOR UPDATE; UPDATE; COMMIT; -> SELECT sp() FROM dual --- --- The stored procedure is executed on an database instance within a single --- round trip which often leads to reduced deadlocking and significant --- performance improvements especially on multi-master clusters, perhaps even --- by an order of magnitude or more. --- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- SELECT fr_allocate_previous_or_new_framedipaddress( \ --- '%{control:${pool_name}}', \ --- '%{User-Name}', \ --- '%{%{Calling-Station-Id}:-0}', \ --- '%{NAS-IP-Address}', \ --- '${pool_key}', \ --- ${lease_duration} \ --- ) FROM dual" --- allocate_update = "" --- allocate_commit = "" --- - -CREATE OR REPLACE FUNCTION fr_allocate_previous_or_new_framedipaddress ( - v_pool_name IN VARCHAR2, - v_username IN VARCHAR2, - v_callingstationid IN VARCHAR2, - v_nasipaddress IN VARCHAR2, - v_pool_key IN VARCHAR2, - v_lease_duration IN INTEGER -) -RETURN varchar2 IS - PRAGMA AUTONOMOUS_TRANSACTION; - r_address varchar2(15); -BEGIN - - -- Reissue an existing IP address lease when re-authenticating a session - -- - BEGIN - SELECT framedipaddress INTO r_address FROM radippool WHERE id IN ( - SELECT id FROM ( - SELECT * - FROM radippool - WHERE pool_name = v_pool_name - AND expiry_time > current_timestamp - AND username = v_username - AND callingstationid = v_callingstationid - ) WHERE ROWNUM <= 1 - ) FOR UPDATE SKIP LOCKED; - EXCEPTION - WHEN NO_DATA_FOUND THEN - r_address := NULL; - END; - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. 
You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. - -- - -- BEGIN - -- SELECT framedipaddress INTO r_address FROM radippool WHERE id IN ( - -- SELECT id FROM ( - -- SELECT * - -- FROM radippool - -- WHERE pool_name = v_pool_name - -- AND username = v_username - -- AND callingstationid = v_callingstationid - -- ) WHERE ROWNUM <= 1 - -- ) FOR UPDATE SKIP LOCKED; - -- EXCEPTION - -- WHEN NO_DATA_FOUND THEN - -- r_address := NULL; - -- END; - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - IF r_address IS NULL THEN - BEGIN - SELECT framedipaddress INTO r_address FROM radippool WHERE id IN ( - SELECT id FROM ( - SELECT * - FROM radippool - WHERE pool_name = v_pool_name - AND expiry_time < CURRENT_TIMESTAMP - ORDER BY expiry_time - ) WHERE ROWNUM <= 1 - ) FOR UPDATE SKIP LOCKED; - EXCEPTION - WHEN NO_DATA_FOUND THEN - r_address := NULL; - END; - END IF; - - -- Return nothing if we failed to allocated an address - -- - IF r_address IS NULL THEN - COMMIT; - RETURN r_address; - END IF; - - -- Update the pool having allocated an IP address - -- - UPDATE radippool - SET - nasipaddress = v_nasipaddress, - pool_key = v_pool_key, - callingstationid = v_callingstationid, - username = v_username, - expiry_time = CURRENT_TIMESTAMP + v_lease_duration * INTERVAL '1' SECOND(1) - WHERE framedipaddress = r_address; - - -- Return the address that we allocated - COMMIT; - RETURN r_address; - -END; -/ diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/queries.conf deleted file mode 100644 index 8ab827b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/queries.conf +++ /dev/null 
@@ -1,172 +0,0 @@ -# -*- text -*- -# -# ippool/oracle/queries.conf -- Oracle queries for rlm_sqlippool -# -# $Id: 1a64b28bd7773dd45023aa6bfe5aff39e26fd8bb $ - -# Using SKIP LOCKED speeds up selection queries -# However, it requires Oracle > 11g. It MAY work in 9i and 10g -# but is not documented. Uncomment the following if you are -# running a suitable version of Oracle -# -#skip_locked = "SKIP LOCKED" -skip_locked = "" - -allocate_begin = "commit" -start_begin = "commit" -alive_begin = "commit" -stop_begin = "commit" -on_begin = "commit" -off_begin = "commit" - -# -# Attempt to allocate the address a client previously had. This is based on pool_key -# and nasipaddress. Change the criteria if the identifier for "stickyness" is different. -# If different criteria are used, check the indexes on the IP pool table to ensure the fields -# are appropriately indexed. To disable stickyness comment out this query. -# -allocate_existing = "\ - SELECT framedipaddress FROM ${ippool_table} WHERE id IN ( \ - SELECT id FROM ( \ - SELECT * \ - FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool_key}' \ - ) \ - ORDER BY expiry_time DESC \ - ) WHERE ROWNUM <= 1 \ - ) FOR UPDATE ${skip_locked}" - -# -# Find a free IP address from the pool, choosing the oldest expired one. -# -allocate_find = "\ - SELECT framedipaddress FROM ${ippool_table} WHERE id IN ( \ - SELECT id FROM ( \ - SELECT * \ - FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND expiry_time < current_timestamp \ - ) \ - ORDER BY expiry_time \ - ) WHERE ROWNUM <= 1 \ - ) FOR UPDATE ${skip_locked}" - -# -# If you prefer to allocate a random IP address every time, use this query instead -# Note: This is very slow if you have a lot of free IPs. 
-# -#allocate_find = "\ -# SELECT framedipaddress FROM ${ippool_table} WHERE id IN ( \ -# SELECT id FROM ( \ -# SELECT * \ -# FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < current_timestamp \ -# ORDER BY DBMS_RANDOM.VALUE \ -# ) WHERE ROWNUM <= 1 \ -# ) FOR UPDATE ${skip_locked}" - -# -# If an IP could not be allocated, check to see whether the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be commented -# out to save running this query every time an ip is not allocated. -# -pool_check = "\ - SELECT id \ - FROM (\ - SELECT id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}'\ - ) \ - WHERE ROWNUM = 1" - -# -# This query marks the IP address handed out by "allocate-find" as used -# for the period of "lease_duration" after which time it may be reused. -# -allocate_update = "\ - UPDATE ${ippool_table} \ - SET \ - nasipaddress = '%{NAS-IP-Address}', \ - pool_key = '${pool_key}', \ - callingstationid = '%{%{Calling-Station-Id}:-0}', \ - username = '%{SQL-User-Name}', \ - expiry_time = current_timestamp + INTERVAL '${lease_duration}' second(1) \ - WHERE framedipaddress = '%I'" - -# -# Use a stored procedure to find AND allocate the address. Read and customise -# `procedure.sql` in this directory to determine the optimal configuration. 
-# -#allocate_begin = "" -#allocate_find = "\ -# SELECT fr_allocate_previous_or_new_framedipaddress( \ -# '%{control:${pool_name}}', \ -# '%{SQL-User-Name}', \ -# '%{%{Calling-Station-Id}:-0}', \ -# '%{NAS-IP-Address}', \ -# '${pool_key}', \ -# '${lease_duration}' \ -# )" -#allocate_update = "" -#allocate_commit = "" - -# -# This query extends an IP address lease by "lease_duration" when an accounting -# START record arrives -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = current_timestamp + INTERVAL '${lease_duration}' second(1) \ - WHERE nasipaddress = '%{NAS-IP-Address}' \ - AND pool_key = '${pool_key}'" - -# -# This query expires an IP address when an accounting STOP record arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ - AND pool_key = '${pool_key}' \ - AND username = '%{SQL-User-Name}' \ - AND callingstationid = '%{%{Calling-Station-Id}:-0}' \ - AND framedipaddress = '%{${attribute_name}}'" - -# -# This query extends an IP address lease by "lease_duration" when an accounting -# ALIVE record arrives -# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = current_timestamp + INTERVAL '${lease_duration}' second(1) \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{${attribute_name}}' \ - AND username = '%{SQL-User-Name}' \ - AND callingstationid = '%{%{Calling-Station-Id}:-0}'" - -# -# This query expires all IP addresses allocated to a NAS when an -# accounting ON record arrives from that NAS -# -on_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" - -# -# This query expires all IP addresses allocated to a NAS when an -# accounting OFF record arrives from that NAS -# 
-off_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = current_timestamp - INTERVAL '1' second(1) \
- WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/schema.sql
deleted file mode 100644
index adf1419..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/oracle/schema.sql
+++ /dev/null
@@ -1,27 +0,0 @@
-CREATE TABLE radippool (
- id INT PRIMARY KEY,
- pool_name VARCHAR(30) NOT NULL,
- framedipaddress VARCHAR(15) NOT NULL,
- nasipaddress VARCHAR(15) NOT NULL,
- pool_key VARCHAR(30) DEFAULT '',
- CalledStationId VARCHAR(64) DEFAULT '',
- CallingStationId VARCHAR(64) DEFAULT '',
- expiry_time timestamp(0) DEFAULT CURRENT_TIMESTAMP,
- username VARCHAR(64) DEFAULT ''
-);
-
-CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time);
-CREATE INDEX radippool_framedipaddress ON radippool (framedipaddress);
-CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool (nasipaddress, pool_key, framedipaddress);
-
-CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1;
-
-CREATE OR REPLACE TRIGGER radippool_serialnumber
- BEFORE INSERT OR UPDATE OF id ON radippool
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT radippool_seq.nextval into :new.id from dual;
- end if;
- END;
-/
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/procedure.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/procedure.sql
deleted file mode 100644
index b1d580c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/procedure.sql
+++ /dev/null
@@ -1,111 +0,0 @@ --- --- A stored procedure to reallocate a user's previous address, otherwise --- provide a free address. --- --- Using this SP reduces the usual set dialogue of queries to a single --- query: --- --- START TRANSACTION; SELECT FOR UPDATE; UPDATE; COMMIT; -> SELECT sp() --- --- The stored procedure is executed on an database instance within a single --- round trip which often leads to reduced deadlocking and significant --- performance improvements especially on multi-master clusters, perhaps even --- by an order of magnitude or more. --- --- To use this stored procedure the corresponding queries.conf statements must --- be configured as follows: --- --- allocate_begin = "" --- allocate_find = "\ --- SELECT fr_allocate_previous_or_new_framedipaddress( \ --- '%{control:${pool_name}}', \ --- '%{User-Name}', \ --- '%{Calling-Station-Id}', \ --- '%{NAS-IP-Address}', \ --- '${pool_key}', \ --- ${lease_duration} \ --- )" --- allocate_update = "" --- allocate_commit = "" --- - -CREATE INDEX radippool_poolname_username_callingstationid ON radippool(pool_name,username,callingstationid); - -CREATE OR REPLACE FUNCTION fr_allocate_previous_or_new_framedipaddress ( - v_pool_name VARCHAR(64), - v_username VARCHAR(64), - v_callingstationid VARCHAR(64), - v_nasipaddress VARCHAR(16), - v_pool_key VARCHAR(64), - v_lease_duration INT -) -RETURNS inet -LANGUAGE plpgsql -AS $$ -DECLARE - r_address inet; -BEGIN - - -- Reissue an existing IP address lease when re-authenticating a session - -- - SELECT framedipaddress INTO r_address - FROM radippool - WHERE pool_name = v_pool_name - AND expiry_time > NOW() - AND username = v_username - AND callingstationid = v_callingstationid - LIMIT 1 - FOR UPDATE SKIP LOCKED; - - -- Reissue an user's previous IP address, provided that the lease is - -- available (i.e. enable sticky IPs) - -- - -- When using this SELECT you should delete the one above. 
You must also - -- set allocate_clear = "" in queries.conf to persist the associations - -- for expired leases. - -- - -- SELECT framedipaddress INTO r_address - -- FROM radippool - -- WHERE pool_name = v_pool_name - -- AND username = v_username - -- AND callingstationid = v_callingstationid - -- LIMIT 1 - -- FOR UPDATE SKIP LOCKED; - - -- If we didn't reallocate a previous address then pick the least - -- recently used address from the pool which maximises the likelihood - -- of re-assigning the other addresses to their recent user - -- - IF r_address IS NULL THEN - SELECT framedipaddress INTO r_address - FROM radippool - WHERE pool_name = v_pool_name - AND expiry_time < NOW() - ORDER BY - expiry_time - LIMIT 1 - FOR UPDATE SKIP LOCKED; - END IF; - - -- Return nothing if we failed to allocated an address - -- - IF r_address IS NULL THEN - RETURN r_address; - END IF; - - -- Update the pool having allocated an IP address - -- - UPDATE radippool - SET - nasipaddress = v_nasipaddress, - pool_key = v_pool_key, - callingstationid = v_callingstationid, - username = v_username, - expiry_time = NOW() + v_lease_duration * interval '1 sec' - WHERE framedipaddress = r_address; - - -- Return the address that we allocated - RETURN r_address; - -END -$$; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/queries.conf deleted file mode 100644 index 12babb7..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/queries.conf +++ /dev/null 
@@ -1,207 +0,0 @@ -# -*- text -*- -# -# ippool/postgresql/queries.conf -- PostgreSQL queries for rlm_sqlippool -# -# $Id: ce6f355dda1241f28c98bf36b5ad9a1429d00b35 $ - - -# Using SKIP LOCKED speeds up selection queries -# However, it requires PostgreSQL >= 9.5 Uncomment the -# following if you are running a suitable version of PostgreSQL -# -#skip_locked = "SKIP LOCKED" -skip_locked = "" - -# -# This series of queries allocates an IP address -# - -# -# The suggested queries locate IPs and update them in one query -# so no need for transaction wrappers -# -allocate_begin = "" -allocate_commit = "" - -# -# Attempt to allocate the address a client previously had. This is based on pool_key -# and nasipaddress. Change the criteria if the identifier for "stickyness" is different. -# If different criteria are used, check the indexes on the IP pool table to ensure the fields -# are appropriately indexed. To disable stickyness comment out this query. -# -allocate_existing = "\ - WITH cte AS ( \ - SELECT framedipaddress FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool_key}' \ - ORDER BY expiry_time DESC \ - LIMIT 1 \ - FOR UPDATE ${skip_locked} \ - ) \ - UPDATE ${ippool_table} \ - SET \ - nasipaddress = '%{NAS-IP-Address}', \ - pool_key = '${pool_key}', \ - callingstationid = '%{Calling-Station-Id}', \ - username = '%{SQL-User-Name}', \ - expiry_time = 'now'::timestamp(0) + '${lease_duration} second'::interval \ - FROM cte WHERE cte.framedipaddress = ${ippool_table}.framedipaddress \ - RETURNING cte.framedipaddress" - -# -# Find a free IP address from the pool, choosing the oldest expired one. 
-# -allocate_find = "\ - WITH cte AS ( \ - SELECT framedipaddress FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND expiry_time < 'now'::timestamp(0) \ - ORDER BY expiry_time \ - LIMIT 1 \ - FOR UPDATE ${skip_locked} \ - ) \ - UPDATE ${ippool_table} \ - SET \ - nasipaddress = '%{NAS-IP-Address}', \ - pool_key = '${pool_key}', \ - callingstationid = '%{Calling-Station-Id}', \ - username = '%{SQL-User-Name}', \ - expiry_time = 'now'::timestamp(0) + '${lease_duration} second'::interval \ - FROM cte WHERE cte.framedipaddress = ${ippool_table}.framedipaddress \ - RETURNING cte.framedipaddress" - -# -# If you prefer to allocate a random IP address every time, use this query instead -# Note: This is very slow if you have a lot of free IPs. -# -#allocate_find = "\ -# WITH cte AS ( \ -# SELECT framedipaddress FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time < 'now'::timestamp(0) \ -# ORDER BY RANDOM() \ -# LIMIT 1 \ -# FOR UPDATE ${skip_locked} \ -# ) \ -# UPDATE ${ippool_table} \ -# SET \ -# nasipaddress = '%{NAS-IP-Address}', \ -# pool_key = '${pool_key}', \ -# callingstationid = '%{Calling-Station-Id}', \ -# username = '%{SQL-User-Name}', \ -# expiry_time = 'now'::timestamp(0) + '${lease_duration} second'::interval \ -# FROM cte WHERE cte.framedipaddress = ${ippool_table}.framedipaddress \ -# RETURNING cte.framedipaddress" - -# -# If an IP could not be allocated, check to see whether the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be commented -# out to save running this query every time an ip is not allocated. -# -pool_check = "\ - SELECT id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}' \ - LIMIT 1" - -# -# This query marks the IP address handed out by "allocate-find" as used -# for the period of "lease_duration" after which time it may be reused. 
-# This is only needed if the allocate_existing / allocate_find queries -# do not update the pool -# -#allocate_update = "\ -# UPDATE ${ippool_table} \ -# SET \ -# nasipaddress = '%{NAS-IP-Address}', \ -# pool_key = '${pool_key}', \ -# callingstationid = '%{Calling-Station-Id}', \ -# username = '%{SQL-User-Name}', \ -# expiry_time = 'now'::timestamp(0) + '${lease_duration} second'::interval \ -# WHERE framedipaddress = '%I'" - -# -# Use a stored procedure to find AND allocate the address. Read and customise -# `procedure.sql` in this directory to determine the optimal configuration. -# -# This requires PostgreSQL >= 9.5 as SKIP LOCKED is used. -# -# The "NO LOAD BALANCE" comment is included here to indicate to a PgPool -# system that this needs to be a write transaction. PgPool itself cannot -# detect this from the statement alone. If you are using PgPool and do not -# have this comment, the query may go to a read only server, and will fail. -# This has no negative effect if you are not using PgPool. 
-# -#allocate_begin = "" -#allocate_find = "\ -# /*NO LOAD BALANCE*/ \ -# SELECT fr_allocate_previous_or_new_framedipaddress( \ -# '%{control:${pool_name}}', \ -# '%{SQL-User-Name}', \ -# '%{Calling-Station-Id}', \ -# '%{NAS-IP-Address}', \ -# '${pool_key}', \ -# '${lease_duration}' \ -# )" -#allocate_update = "" -#allocate_commit = "" - -# -# This query extends an IP address lease by "lease_duration" when an accounting -# START record arrives -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = 'now'::timestamp(0) + '${lease_duration} second'::interval \ - WHERE nasipaddress = '%{NAS-IP-Address}' \ - AND pool_key = '${pool_key}'" - -# -# This query expires an IP address when an accounting -# STOP record arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ - AND pool_key = '${pool_key}' \ - AND username = '%{SQL-User-Name}' \ - AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{${attribute_name}}'" - -# -# This query extends an IP address lease by "lease_duration" when an accounting -# ALIVE record arrives -# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = 'now'::timestamp(0) + '${lease_duration} seconds'::interval \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{${attribute_name}}' \ - AND username = '%{SQL-User-Name}' \ - AND callingstationid = '%{Calling-Station-Id}'" - -# -# This query expires all IP addresses allocated to a NAS when an -# accounting ON record arrives from that NAS -# -on_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" - -# -# This query expires all IP addresses allocated to a NAS when an -# accounting OFF record arrives from that NAS 
-#
-off_clear = "\
- UPDATE ${ippool_table} \
- SET \
- expiry_time = 'now'::timestamp(0) - '1 second'::interval \
- WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/schema.sql
deleted file mode 100644
index 1ef57b7..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/postgresql/schema.sql
+++ /dev/null
@@ -1,22 +0,0 @@
---
--- Table structure for table 'radippool'
---
--- See also "procedure.sql" in this directory for additional
--- indices and a stored procedure that is much faster.
---
-
-CREATE TABLE radippool (
- id BIGSERIAL PRIMARY KEY,
- pool_name text NOT NULL,
- FramedIPAddress INET NOT NULL,
- NASIPAddress text NOT NULL default '',
- pool_key text NOT NULL default '',
- CalledStationId text NOT NULL default '',
- CallingStationId text NOT NULL default ''::text,
- expiry_time TIMESTAMP(0) without time zone NOT NULL default NOW(),
- username text DEFAULT ''::text
-);
-
-CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name, expiry_time);
-CREATE INDEX radippool_framedipaddress ON radippool USING btree (framedipaddress);
-CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree (nasipaddress, pool_key, framedipaddress);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/queries.conf
deleted file mode 100644
index bab86d1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/queries.conf
+++ /dev/null
@@ -1,148 +0,0 @@ -# -*- text -*- -# -# ippool/sqlite/queries.conf -- SQLite queries for rlm_sqlippool -# -# $Id: 46ce58e9bdb574acf24ecb2307ac5bd5583382fb $ - -# -# SQLite does not implement SELECT FOR UPDATE which is normally used to place -# an exclusive lock over rows to prevent the same address from being -# concurrently selected for allocation to multiple users. -# -# The most granular read-blocking lock that SQLite has is an exclusive lock -# over the database, so that's what we use. All locking in SQLite is performed -# over the entire database and we perform a row update for any IP that we -# allocate, requiring an exclusive lock. Taking the exclusive lock from the -# start of the transaction (even if it were not required to guard the SELECT) -# is actually quicker than if we deferred it causing SQLite to "upgrade" the -# automatic shared lock for the transaction to an exclusive lock for the -# subsequent UPDATE. -# -allocate_begin = "BEGIN EXCLUSIVE" -allocate_commit = "COMMIT" - -# -# This series of queries allocates an IP address -# - -# -# Attempt to allocate the address a client previously had. This is based on pool_key -# and nasipaddress. Change the criteria if the identifier for "stickyness" is different. -# If different criteria are used, check the indexes on the IP pool table to ensure the fields -# are appropriately indexed. To disable stickyness comment out this query. -# -allocate_existing = "\ - SELECT framedipaddress \ - FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - AND nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool_key}' \ - ORDER BY expiry_time DESC \ - LIMIT 1" - -# -# Find a free IP address from the pool, choosing the oldest expired one. 
-# -allocate_find = "\ - SELECT framedipaddress \ - FROM ${ippool_table} \ - WHERE pool_name = '%{control:${pool_name}}' \ - expiry_time < datetime('now') \ - ORDER BY expiry_time \ - LIMIT 1" - -# -# If you prefer to allocate a random IP address every time, i -# use this query instead -# Note: This is very slow if you have a lot of free IPs. -# - -#allocate_find = "\ -# SELECT framedipaddress \ -# FROM ${ippool_table} \ -# WHERE pool_name = '%{control:${pool_name}}' \ -# AND expiry_time IS NULL \ -# ORDER BY RAND() \ -# LIMIT 1" - -# -# If an IP could not be allocated, check to see if the pool exists or not -# This allows the module to differentiate between a full pool and no pool -# Note: If you are not running redundant pool modules this query may be -# commented out to save running this query every time an ip is not allocated. -# -pool_check = "\ - SELECT id \ - FROM ${ippool_table} \ - WHERE pool_name='%{control:${pool_name}}' \ - LIMIT 1" - -# -# This is the final IP Allocation query, which saves the allocated ip details -# -allocate_update = "\ - UPDATE ${ippool_table} \ - SET \ - nasipaddress = '%{NAS-IP-Address}', \ - pool_key = '${pool_key}', \ - callingstationid = '%{Calling-Station-Id}', \ - username = '%{User-Name}', \ - expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \ - WHERE framedipaddress = '%I'" - -# -# Extend an IP expiry time when an accounting START record arrives -# -start_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \ - WHERE nasipaddress = '%{NAS-IP-Address}' \ - AND pool_key = '${pool_key}' \ - AND username = '%{User-Name}' \ - AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{${attribute_name}}'" - -# -# Expire an IP when an accounting STOP record arrives -# -stop_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = datetime('now') \ - WHERE nasipaddress = 
'%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ - AND pool_key = '${pool_key}' \ - AND username = '%{User-Name}' \ - AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{${attribute_name}}'" - -# -# Update the expiry time for an IP when an accounting ALIVE record arrives -# -alive_update = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ - AND pool_key = '${pool_key}' \ - AND username = '%{User-Name}' \ - AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{${attribute_name}}'" - -# -# Expires all IPs allocated to a NAS when an accounting ON record arrives -# -on_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = datetime('now') \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" - -# -# Expires all IPs allocated to a NAS when an accounting OFF record arrives -# -off_clear = "\ - UPDATE ${ippool_table} \ - SET \ - expiry_time = datetime('now') \ - WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/schema.sql deleted file mode 100644 index b020c62..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/ippool/sqlite/schema.sql +++ /dev/null 
@@ -1,18 +0,0 @@
---
--- Table structure for table 'radippool'
---
-CREATE TABLE radippool (
- id int(11) PRIMARY KEY,
- pool_name varchar(30) NOT NULL,
- framedipaddress varchar(15) NOT NULL default '',
- nasipaddress varchar(15) NOT NULL default '',
- calledstationid VARCHAR(30) NOT NULL default '',
- callingstationid VARCHAR(30) NOT NULL default '',
- expiry_time DATETIME NOT NULL default (DATETIME('now')),
- username varchar(64) NOT NULL default '',
- pool_key varchar(30) NOT NULL default ''
-);
-
-CREATE INDEX radippool_poolname_expire ON radippool(pool_name, expiry_time);
-CREATE INDEX radippool_framedipaddress ON radippool(framedipaddress);
-CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool(nasipaddress, pool_key, framedipaddress);
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mongo/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mongo/queries.conf
deleted file mode 100644
index 2dd21ef..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mongo/queries.conf
+++ /dev/null
@@ -1,289 +0,0 @@ -# -*- text -*- -# -# main/mongo/queries.conf -- Mongo configuration queries -# -# Note that as Mongo is a "schemaless" database, there is no -# default schema. -# -# Note also that the Mongo driver is a work in progress. If it works -# for you, great. If the queries do not work, please send a patch. -# But the FreeRADIUS team are not experts in Mongo, and cannot help -# with creating Mongo queries. -# -# $Id: 732e1e802856ce288a90805838669b34b63cbbaa $ - -####################################################################### -# Query config: Username -####################################################################### -# This is the username that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used -# below everywhere a username substitution is needed so you you can -# be sure the username passed from the client is escaped properly. -# -# Uncomment the next line, if you want the sql_user_name to mean: -# -# Use Stripped-User-Name, if it's there. -# Else use User-Name, if it's there, -# Else use hard-coded string "none" as the user name. -# -#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}" - -sql_user_name = "%{User-Name}" - -####################################################################### -# Authorization Queries -####################################################################### -# These queries compare the check items for the user -# in ${authcheck_table} and setup the reply items in -# ${authreply_table}. You can use any query/tables -# you want, but the return data for each row MUST -# be in the following order: -# -# 0. Row ID (currently unused) -# 1. UserName/GroupName -# 2. Item Attr Name -# 3. Item Attr Value -# 4. 
Item Attr Operation -####################################################################### - -# -# Aggregate query that return like for SQL standard N rows with columns ,,,, -# -# Example of Result: -# -# { "id" : 0, "username": "bob", "attribute" : "User-Name", "Value" : "pippo", "op" : "==" } -# { "id" : 0, "username": "bob", "attribute" : "ClearText-Password", "value" : "pwd1", "op" : ":=" } -# { "id" : 0, "username": "bob", "attribute" : "Cache-TTL", "value" : 1000, "op" : ":=" } -# -authorize_check_query = "db.${authcheck_table}.aggregate([ \ - { \ - '$match': { \ - 'calling_station_id': '%{Calling-Station-id}', \ - 'auth_blocked': 'false' \ - } \ - }, \ - { \ - '$addFields': { \ - 'attributes.User-Name': '$usr', \ - 'attributes.ClearText-Password': '$pwd', \ - 'attributes.Cache-TTL': '$ttlcache', \ - 'attributes.Enable-Roaming': '$roaming', \ - 'attributes.Pool-Name': '$pool_name' \ - } \ - }, \ - { \ - '$project': { \ - 'calling_station_id': 1, \ - 'attributes': { \ - '$objectToArray': '$attributes' \ - } \ - } \ - }, \ - { \ - '$unwind': '$attributes' \ - }, \ - { \ - '$project': { \ - '_id': 0, \ - 'username': '', \ - 'attribute': '$attributes.k', \ - 'value': '$attributes.v', \ - 'op': ':=' \ - } \ - } \ -])" \ - -# TBD: fill in things here -authorize_reply_query = "" - -################################################################## - -# -# TBD: fill in things here -# -#authorize_group_check_query = "" -#authorize_group_reply_query = "" - -####################################################################### -# Group Membership Queries -####################################################################### -# group_membership_query - Check user group membership -####################################################################### - -# -# TBD: Fill in things here. 
-# -#group_membership_query = "" - - -####################################################################### -# Accounting and Post-Auth Queries -####################################################################### -# These queries insert/update accounting and authentication records. -# The query to use is determined by the value of 'reference'. -# This value is used as a configuration path and should resolve to one -# or more 'query's. If reference points to multiple queries, and a query -# fails, the next query is executed. -# -# Behaviour is identical to the old 1.x/2.x module, except we can now -# fail between N queries, and query selection can be based on any -# combination of attributes, or custom 'Acct-Status-Type' values. -####################################################################### - -accounting { - reference = "%{tolower:type.%{Acct-Status-Type}.query}" - - type { - - start { - query = "db.connections.findAndModify({ \ - 'query': { \ - 'calling_station_id': '%{Calling-Station-Id}', \ - 'pgw_node': '%{NAS-Identifier}', \ - 'acct_session_id': '%{Acct-Session-Id}', \ - }, \ - 'update': { \ - '$set': { \ - 'update_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } }, \ - 'ip': '%{Framed-IP-Address}', \ - 'start_time': '%{Packet-Original-Timestamp}', \ - }, \ - '$push': { \ - 'events_data': { \ - 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \ - 'event_type': 'Accounting-Start', \ - 'event_time': '%{Packet-Original-Timestamp}', \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, \ - '$setOnInsert': { \ - 'pool_name': '%{Control:Pool-Name}', \ - 'ip': '%{Framed-IP-Address}', \ - 'closed': false, \ - 'update_counter': 0, \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, \ - 'upsert': true \ - })" - - query = "db.simultaneous_connections.findAndModify({ \ - 'query': { \ - 'pool_name': '%{Control:Pool-Name}' \ - }, 
\ - 'update': { \ - '$inc': { \ - 'conns_counter': 1 \ - } \ - '$setOnInsert': { \ - 'pool_name': '%{Control:Pool-Name}', \ - 'conns_counter': 1 \ - }, \ - }, \ - 'upsert': true \ - })" - # End Start - } - - interim-update { - query = "db.connections.findAndModify({ \ - 'query': { \ - 'calling_station_id': '%{Calling-Station-Id}', \ - 'pgw_node': '%{NAS-Identifier}', \ - 'acct_session_id': '%{Acct-Session-Id}' \ - }, \ - 'update': { \ - '$set': { \ - 'update_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } }, \ - 'last_upd_interim': '%{Packet-Original-Timestamp}' \ - }, \ - '$inc': { \ - 'update_counter': 1 \ - }, \ - '$push': { \ - 'events_data': { \ - 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \ - 'event_type': 'Accounting-Interim-Update', \ - 'event_time': '%{Packet-Original-Timestamp}', \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, \ - '$setOnInsert': { \ - 'pool_name': '%{Control:Pool-Name}', \ - 'ip': '%{Framed-IP-Address}', \ - 'closed': false, \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, - 'upsert': true \ - })" - # End Interim-Update - } - - stop { - query = "db.connections.findAndModify({ \ - 'query': { \ - 'calling_station_id': '%{Calling-Station-Id}', \ - 'pgw_node': '%{NAS-Identifier}', \ - 'acct_session_id': '%{Acct-Session-Id}' \ - }, \ - 'update': { \ - '$set': { \ - 'update_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } }, \ - 'stop_time': '%{Packet-Original-Timestamp}', \ - 'closed': true \ - }, \ - '$push': { \ - 'events_data': { \ - 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \ - 'event_type': 'Accounting-Stop', \ - 'event_time': '%{Packet-Original-Timestamp}', \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, \ - '$setOnInsert': { \ - 'pool_name': '%{Control:Pool-Name}', \ - 'ip': '%{Framed-IP-Address}', 
\ - 'update_counter': 0, \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, \ - 'upsert': true \ - })" - - # End Stop - } - - } -} - - -####################################################################### -# Authentication Logging Queries -####################################################################### -# postauth_query - Insert some info after authentication -####################################################################### - -post-auth { - query = "db.post_auth.findAndModify({ \ - 'query': { \ - 'calling_station_id': '%{Calling-Station-Id}', \ - 'nas_ip': '%{NAS-Identifier}' \ - }, \ - 'update': { \ - '$set': { \ - 'update_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } }, \ - 'last_event_ts': '%{Packet-Original-Timestamp}' \ - }, \ - '$inc': { \ - 'reject_counter': 1 \ - }, \ - '$setOnInsert': { \ - 'calling_station_id': '%{Calling-Station-Id}', \ - 'nas_ip': '%{NAS-Identifier}', \ - 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ - } \ - }, \ - 'upsert': true \ - })" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/process-radacct.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/process-radacct.sql deleted file mode 100644 index cf6c413..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/process-radacct.sql +++ /dev/null 
@@ -1,151 +0,0 @@ -# -*- text -*- -# -# main/mssql/process-radacct.sql -- Schema extensions for processing radacct entries -# -# $Id: a3a64451d56979369f177cf971dd173c6670bd84 $ - --- --------------------------------- --- - Per-user data usage over time - --- --------------------------------- --- --- An extension to the standard schema to hold per-user data usage statistics --- for arbitrary periods. --- --- The data_usage_by_period table is populated by periodically calling the --- fr_new_data_usage_period stored procedure. --- --- This table can be queried in various ways to produce reports of aggregate --- data use over time. For example, if the fr_new_data_usage_period SP is --- invoked one per day just after midnight, to produce usage data with daily --- granularity, then a reasonably accurate monthly bandwidth summary for a --- given user could be obtained with: --- --- SELECT --- FORMAT(period_start, 'yyyy-MMMM') AS month, --- SUM(acctinputoctets)/1000/1000/1000 AS GB_in, --- SUM(acctoutputoctets)/1000/1000/1000 AS GB_out --- FROM --- data_usage_by_period --- WHERE --- username='bob' AND --- period_end <> 0 --- GROUP BY --- FORMAT(period_start, 'yyyy-MMMM'); --- --- +----------------+----------+-----------+ --- | month | GB_in | GB_out | --- +----------------+----------+-----------+ --- | 2019-July | 5.782279 | 50.545664 | --- | 2019-August | 4.230543 | 48.523096 | --- | 2019-September | 4.847360 | 48.631835 | --- | 2019-October | 6.456763 | 51.686231 | --- | 2019-November | 6.362537 | 52.385710 | --- | 2019-December | 4.301524 | 50.762240 | --- | 2020-January | 5.436280 | 49.067775 | --- +----------------+----------+-----------+ --- -CREATE TABLE data_usage_by_period ( - username VARCHAR(64) NOT NULL, - period_start DATETIME NOT NULL, - period_end DATETIME NOT NULL, - acctinputoctets NUMERIC(19), - acctoutputoctets NUMERIC(19), - PRIMARY KEY (username, period_start) -); -GO - -CREATE INDEX idx_data_usage_by_period_period_end ON 
data_usage_by_period(period_end); -GO - --- --- Stored procedure that when run with some arbitrary frequency, say --- once per day by cron, will process the recent radacct entries to extract --- time-windowed data containing acct{input,output}octets ("data usage") per --- username, per period. --- --- Each invocation will create new rows in the data_usage_by_period tables --- containing the data used by each user since the procedure was last invoked. --- The intervals do not need to be identical but care should be taken to --- ensure that the start/end of each period aligns well with any intended --- reporting intervals. --- --- It can be invoked by running: --- --- EXEC fr_new_data_usage_period; --- --- -CREATE OR ALTER PROCEDURE fr_new_data_usage_period -AS -BEGIN - - DECLARE @v_start DATETIME; - DECLARE @v_end DATETIME; - - SELECT @v_start = COALESCE(DATEADD(ss, 1, MAX(period_end)), CAST('1970-01-01' AS DATETIME)) FROM data_usage_by_period; - SELECT @v_end = CAST(CURRENT_TIMESTAMP AS DATETIME2(0)); - - BEGIN TRAN; - - -- - -- Add the data usage for the sessions that were active in the current - -- period to the table. Include all sessions that finished since the start - -- of this period as well as those still ongoing. 
- -- - MERGE INTO data_usage_by_period d - USING ( - SELECT - username, - @v_start AS period_start, - @v_end AS period_end, - SUM(acctinputoctets) AS acctinputoctets, - SUM(acctoutputoctets) AS acctoutputoctets - FROM - radacct - WHERE - acctstoptime > @v_start OR - acctstoptime=0 - GROUP BY - username - ) s - ON ( d.username = s.username AND d.period_start = s.period_start ) - WHEN MATCHED THEN - UPDATE SET - acctinputoctets = d.acctinputoctets + s.acctinputoctets, - acctoutputoctets = d.acctoutputoctets + s.acctoutputoctets, - period_end = @v_end - WHEN NOT MATCHED THEN - INSERT - (username, period_start, period_end, acctinputoctets, acctoutputoctets) - VALUES - (s.username, s.period_start, s.period_end, s.acctinputoctets, s.acctoutputoctets); - - -- - -- Create an open-ended "next period" for all ongoing sessions and carry a - -- negative value of their data usage to avoid double-accounting when we - -- process the next period. Their current data usage has already been - -- allocated to the current and possibly previous periods. - -- - -- MSSQL doesn't allow a DATETIME to be NULL so we use "0" (1900-01-01) to - -- indicate the open-ended interval. - -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT * - FROM ( - SELECT - username, - DATEADD(ss,1,@v_end) AS period_start, - 0 AS period_end, - 0 - SUM(acctinputoctets) AS acctinputoctets, - 0 - SUM(acctoutputoctets) AS acctoutputoctets - FROM - radacct - WHERE - acctstoptime=0 - GROUP BY - username - ) s; - - COMMIT; - -END -GO diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/queries.conf deleted file mode 100644 index 4093bbc..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/queries.conf +++ /dev/null 
@@ -1,581 +0,0 @@ -# -*- text -*- -# -# main/mssql/queries.conf -- MSSQL configuration for default schema (schema.sql) -# -# $Id: 3001b73ac97166f63838a7d661a085cd7d274006 $ - -# Safe characters list for sql queries. Everything else is replaced -# with their mime-encoded equivalents. -# The default list should be ok -#safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" - -####################################################################### -# Query config: Username -####################################################################### -# This is the username that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used -# below everywhere a username substitution is needed so you you can -# be sure the username passed from the client is escaped properly. -# -# Uncomment the next line, if you want the sql_user_name to mean: -# -# Use Stripped-User-Name, if it's there. -# Else use User-Name, if it's there, -# Else use hard-coded string "none" as the user name. -#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}" -# -sql_user_name = "%{User-Name}" - -####################################################################### -# Query config: Event-Timestamp -####################################################################### -# event_timestamp_epoch is the basis for the time inserted into -# accounting records. Typically this will be the Event-Timestamp of the -# accounting request, which is usually provided by a NAS. -# -# Uncomment the next line, if you want the timestamp to be based on the -# request reception time recorded by this server, for example if you -# distrust the provided Event-Timestamp. -#event_timestamp_epoch = "%l" - -event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}" - -# event_timestamp is the SQL snippet for converting an epoch timestamp -# to an SQL date. 
- -event_timestamp = "DATEADD(SS, ${event_timestamp_epoch}, '19700101')" - -####################################################################### -# Query config: Class attribute -####################################################################### -# -# 3.0.22 and later have a "class" column in the accounting table. -# -# However, we do NOT want to break existing configurations by adding -# the Class attribute to the default queries. If we did that, then -# systems using newer versions of the server would fail, because -# there is no "class" column in their accounting tables. -# -# The solution to that is the following "class" subsection. If your -# database has a "class" column for the various tables, then you can -# uncomment the configuration items here. The queries below will -# then automatically insert the Class attribute into radacct, -# radpostauth, etc. -# -class { - # - # Delete the '#' character from each of the configuration - # items in this section. This change puts the Class - # attribute into the various tables. Leave the double-quoted - # string there, as the value for the configuration item. - # - # See also policy.d/accounting, and the "insert_acct_class" - # policy. You will need to list (or uncomment) - # "insert_acct_class" in the "post-auth" section in order to - # create a Class attribute. - # - column_name = # ", class" - packet_xlat = # ", '%{Class}'" - reply_xlat = # ", '%{reply:Class}'" -} - -####################################################################### -# Authorization Queries -####################################################################### -# These queries compare the check items for the user -# in ${authcheck_table} and setup the reply items in -# ${authreply_table}. You can use any query/tables -# you want, but the return data for each row MUST -# be in the following order: -# -# 0. Row ID (currently unused) -# 1. UserName/GroupName -# 2. Item Attr Name -# 3. Item Attr Value -# 4. 
Item Attr Operation -####################################################################### -# Query for case sensitive usernames was removed. Please contact with me, -# if you know analog of STRCMP functions for MS SQL. - -authorize_check_query = "\ - SELECT id, UserName, Attribute, Value, op \ - FROM ${authcheck_table} \ - WHERE Username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_reply_query = "\ - SELECT id, UserName, Attribute, Value, op \ - FROM ${authreply_table} \ - WHERE Username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_group_check_query = "\ - SELECT \ - ${groupcheck_table}.id,${groupcheck_table}.GroupName, \ - ${groupcheck_table}.Attribute,${groupcheck_table}.Value, \ - ${groupcheck_table}.op \ - FROM ${groupcheck_table},${usergroup_table} \ - WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \ - AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \ - ORDER BY ${groupcheck_table}.id" - -authorize_group_reply_query = "\ - SELECT \ - ${groupreply_table}.id, ${groupreply_table}.GroupName, \ - ${groupreply_table}.Attribute,${groupreply_table}.Value, \ - ${groupreply_table}.op \ - FROM ${groupreply_table},${usergroup_table} \ - WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \ - AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \ - ORDER BY ${groupreply_table}.id" - -group_membership_query = "\ - SELECT groupname \ - FROM ${usergroup_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY priority" - -####################################################################### -# Accounting and Post-Auth Queries -####################################################################### -# These queries insert/update accounting and authentication records. -# The query to use is determined by the value of 'reference'. -# This value is used as a configuration path and should resolve to one -# or more 'query's. If reference points to multiple queries, and a query -# fails, the next query is executed. 
-# -# Behaviour is identical to the old 1.x/2.x module, except we can now -# fail between N queries, and query selection can be based on any -# combination of attributes, or custom 'Acct-Status-Type' values. -####################################################################### -accounting { - reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" - - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. -# logfile = ${logdir}/accounting.sql - - type { - accounting-on { - query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctStopTime=${....event_timestamp}, \ - AcctSessionTime=${....event_timestamp_epoch} - \ - DATEDIFF(SS, '1970-01-01', AcctStartTime), \ - AcctTerminateCause='%{%{Acct-Terminate-Cause}:-NAS-Reboot}', \ - AcctStopDelay = %{%{Acct-Delay-Time}:-0} \ - WHERE AcctStopTime = 0 \ - AND NASIPAddress = '%{NAS-IP-Address}' \ - AND AcctStartTime <= ${....event_timestamp}" - } - - accounting-off { - query = "${..accounting-on.query}" - } - - # - # Implement the "sql_session_start" policy. - # See raddb/policy.d/accounting for more details. - # - # You also need to fix the other queries as - # documented below. Look for "sql_session_start". 
- # - post-auth { - query = "\ - INSERT INTO ${....acct_table1} \ - INSERT INTO ${....acct_table1} ( \ - AcctSessionId, \ - AcctUniqueId, \ - UserName, \ - Realm, \ - NASIPAddress, \ - NASPort, \ - NASPortType, \ - AcctStartTime, \ - AcctSessionTime, \ - AcctAuthentic, \ - ConnectInfo_start, \ - ConnectInfo_stop, \ - AcctInputOctets, \ - AcctOutputOctets, \ - CalledStationId, \ - CallingStationId, \ - AcctTerminateCause, \ - ServiceType, \ - FramedProtocol, \ - FramedIPAddress, \ - FramedIPv6Address, \ - FramedIPv6Prefix, \ - FramedInterfaceId, \ - DelegatedIPv6Prefix \ - ${..class.column_name}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - '%S', \ - 0, \ - '', \ - '%{Connect-Info}', \ - '', \ - 0, \ - 0, \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - '', \ - '', \ - '', \ - '', \ - '', \ - '' \ - ${....class.packet_xlat})" - - query = "\ - UPDATE ${....acct_table1} SET \ - AcctStartTime = '%S', \ - ConnectInfo_start = '%{Connect-Info}', \ - AcctSessionId = '%{Acct-Session-Id}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - } - - start { - query = "\ - INSERT INTO ${....acct_table1} ( \ - AcctSessionId, \ - AcctUniqueId, \ - UserName, \ - Realm, \ - NASIPAddress, \ - NASPort, \ - NASPortType, \ - AcctStartTime, \ - AcctSessionTime, \ - AcctAuthentic, \ - ConnectInfo_start, \ - ConnectInfo_stop, \ - AcctInputOctets, \ - AcctOutputOctets, \ - CalledStationId, \ - CallingStationId, \ - AcctTerminateCause, \ - ServiceType, \ - FramedProtocol, \ - FramedIPAddress, \ - FramedIPv6Address, \ - FramedIPv6Prefix, \ - FramedInterfaceId, \ - DelegatedIPv6Prefix, \ - 
AcctStartDelay, \ - AcctStopDelay, \ - XAscendSessionSvrKey \ - ${..class.column_name}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - '0', \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - '', \ - '0', \ - '0', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}', \ - '%{Acct-Delay-Time}', \ - '0', \ - '%{X-Ascend-Session-Svr-Key}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. 
- # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - FramedIpAddress = '%{Framed-IP-Address}', \ - FramedIpv6Address = '%{Framed-IPv6-Address}', \ - FramedIpv6Prefix = '%{Framed-IPv6-Prefix}', \ - FramedInterfaceId = '%{Framed-Interface-Id}', \ - DelegatedIpv6Prefix = '%{Delegated-IPv6-Prefix}', \ - AcctStartTime = '%S' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctStartTime = ${....event_timestamp}, \ - AcctStartDelay = '%{%{Acct-Delay-Time}:-0}', \ - ConnectInfo_start = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \ - AND AcctStopTime = 0" - } - - interim-update { - query = "\ - UPDATE ${....acct_table1} \ - SET \ - FramedIPAddress = '%{Framed-IP-Address}', \ - FramedIPv6Address = '%{Framed-IPv6-Address}', \ - FramedIPv6Prefix = '%{Framed-IPv6-Prefix}', \ - FramedInterfaceId = '%{Framed-Interface-Id}', \ - DelegatedIPv6Prefix = '%{Delegated-IPv6-Prefix}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \ - AND AcctStopTime = 0" - - query = "\ - INSERT INTO ${....acct_table1} ( \ - AcctSessionId, \ - AcctUniqueId, \ - UserName, \ - Realm, \ - NASIPAddress, \ - NASPort, \ - NASPortType, \ - AcctSessionTime, \ - AcctAuthentic, \ - ConnectInfo_start, \ - AcctInputOctets, \ - AcctOutputOctets, \ - CalledStationId, \ - CallingStationId, \ - ServiceType, \ - FramedProtocol, \ - FramedIPAddress, \ - FramedIPv6Address, \ - FramedIPv6Prefix, \ - FramedInterfaceId, \ - DelegatedIPv6Prefix, \ - AcctStartDelay, \ - XAscendSessionSvrKey \ - 
${..class.column_name}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - '%{Acct-Session-Time}', \ - '%{Acct-Authentic}', \ - '', \ - '%{Acct-Input-Octets}', \ - '%{Acct-Output-Octets}', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}', \ - '0', \ - '%{X-Ascend-Session-Svr-Key}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. - # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - FramedIPAddress = '%{Framed-IP-Address}', \ - FramedIPv6Address = '%{Framed-IPv6-Address}', \ - FramedIPv6Prefix = '%{Framed-IPv6-Prefix}', \ - FramedInterfaceId = '%{Framed-Interface-Id}', \ - DelegatedIPv6Prefix = '%{Delegated-IPv6-Prefix}', \ - AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - } - - stop { - query = "\ - UPDATE 
${....acct_table2} \ - SET \ - AcctStopTime = ${....event_timestamp}, \ - AcctSessionTime = '%{Acct-Session-Time}', \ - AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - AcctStopDelay = '%{%{Acct-Delay-Time}:-0}', \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \ - AND AcctStopTime = 0" - - query = "\ - INSERT into ${....acct_table2} (\ - AcctSessionId, \ - AcctUniqueId, \ - UserName, \ - Realm, \ - NASIPAddress, \ - NASPort, \ - NASPortType, \ - AcctStopTime, \ - AcctSessionTime, \ - AcctAuthentic, \ - ConnectInfo_start, \ - ConnectInfo_stop, \ - AcctInputOctets, \ - AcctOutputOctets, \ - CalledStationId, \ - CallingStationId, \ - AcctTerminateCause, \ - ServiceType, \ - FramedProtocol, \ - FramedIPAddress, \ - FramedIPv6Address, \ - FramedIPv6Prefix, \ - FramedInterfaceId, \ - DelegatedIPv6Prefix, \ - AcctStartDelay, \ - AcctStopDelay \ - ${..class.column_name}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - '%{Acct-Session-Time}', \ - '%{Acct-Authentic}', \ - '', \ - '%{Connect-Info}', \ - NULL, \ - convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \ - convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '%{Acct-Terminate-Cause}', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}', \ - '0', \ - 
'%{%{Acct-Delay-Time}:-0}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. - # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - FramedIPAddress = '%{Framed-IP-Address}', \ - FramedIPv6Address = '%{Framed-IPv6-Address}', \ - FramedIPv6Prefix = '%{Framed-IPv6-Prefix}', \ - FramedInterfaceId = '%{Framed-Interface-Id}', \ - DelegatedIPv6Prefix = '%{Delegated-IPv6-Prefix}', \ - AcctStopTime = '%S', \ - AcctSessionTime = %{Acct-Session-Time}, \ - AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - } - - # - # No Acct-Status-Type == ignore the packet - # - accounting { - query = "SELECT true" - } - } -} - -post-auth { - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. 
-# logfile = ${logdir}/post-auth.sql
-
- query = "\
- INSERT INTO ${..postauth_table} \
- (userName, pass, reply, authdate ${..class.column_name}) \
- VALUES(\
- '%{User-Name}', \
- '%{%{User-Password}:-CHAP-PASSWORD}', \
- '%{reply:Packet-Type}', \
- '%S.%{expr:%M / 1000}' \
- ${..class.reply_xlat})"
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/schema.sql
deleted file mode 100644
index bc4c4e7..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mssql/schema.sql
+++ /dev/null
@@ -1,299 +0,0 @@ --- $Id: 6338c1d1744078cabac25a9768725d4e71863a60 $d$ --- --- schela.sql rlm_sql - FreeRADIUS SQL Module --- --- Database schema for MSSQL rlm_sql module --- --- To load: --- isql -S db_ip_addr -d db_name -U db_login -P db_passwd -i db_mssql.sql --- --- Based on: db_mysql.sql (Mike Machado ) --- --- Dmitri Ageev --- - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radacct] ( - [RadAcctId] [numeric](21, 0) IDENTITY (1, 1) NOT NULL, - [AcctSessionId] [varchar] (64) NOT NULL, - [AcctUniqueId] [varchar] (32) NOT NULL, - [UserName] [varchar] (64) NOT NULL, - [GroupName] [varchar] (64) NOT NULL, - [Realm] [varchar] (64) NOT NULL, - [NASIPAddress] [varchar] (15) NOT NULL, - [NASPortId] [varchar] (32) NULL, - [NASPortType] [varchar] (32) NULL, - [AcctStartTime] [datetime] NOT NULL, - [AcctStopTime] [datetime] NOT NULL, - [AcctSessionTime] [bigint] NULL, - [AcctAuthentic] [varchar] (32) NULL, - [ConnectInfo_start] [varchar] (128) NULL, - [ConnectInfo_stop] [varchar] (128) NULL, - [AcctInputOctets] [bigint] NULL, - [AcctOutputOctets] [bigint] NULL, - [CalledStationId] [varchar] (50) NOT NULL, - [CallingStationId] [varchar] (50) NOT NULL, - [AcctTerminateCause] [varchar] (32) NOT NULL, - [ServiceType] [varchar] (32) NULL, - [FramedProtocol] [varchar] (32) NULL, - [FramedIPAddress] [varchar] (15) NOT NULL, - [FramedIPv6Address] [varchar] (45) NOT NULL, - [FramedIPv6Prefix] [varchar] (45) NOT NULL, - [FramedInterfaceId] [varchar] (44) NOT NULL, - [DelegatedIPv6Prefix] [varchar] (45) NOT NULL, - [AcctStartDelay] [int] NULL, - [AcctStopDelay] [int] NULL, - [Class] [varchar] (64) NULL -) ON [PRIMARY] -GO - -ALTER TABLE [radacct] WITH NOCHECK ADD - CONSTRAINT [DF_radacct_GroupName] DEFAULT ('') FOR [GroupName], - CONSTRAINT [DF_radacct_AcctSessionId] DEFAULT ('') FOR [AcctSessionId], - CONSTRAINT [DF_radacct_AcctUniqueId] DEFAULT ('') FOR [AcctUniqueId], - CONSTRAINT [DF_radacct_UserName] DEFAULT ('') FOR [UserName], - CONSTRAINT 
[DF_radacct_Realm] DEFAULT ('') FOR [Realm], - CONSTRAINT [DF_radacct_NASIPAddress] DEFAULT ('') FOR [NASIPAddress], - CONSTRAINT [DF_radacct_NASPortId] DEFAULT (null) FOR [NASPortId], - CONSTRAINT [DF_radacct_NASPortType] DEFAULT (null) FOR [NASPortType], - CONSTRAINT [DF_radacct_AcctStartTime] DEFAULT ('1900-01-01 00:00:00') FOR [AcctStartTime], - CONSTRAINT [DF_radacct_AcctStopTime] DEFAULT ('1900-01-01 00:00:00') FOR [AcctStopTime], - CONSTRAINT [DF_radacct_AcctSessionTime] DEFAULT (null) FOR [AcctSessionTime], - CONSTRAINT [DF_radacct_AcctAuthentic] DEFAULT (null) FOR [AcctAuthentic], - CONSTRAINT [DF_radacct_ConnectInfo_start] DEFAULT (null) FOR [ConnectInfo_start], - CONSTRAINT [DF_radacct_ConnectInfo_stop] DEFAULT (null) FOR [ConnectInfo_stop], - CONSTRAINT [DF_radacct_AcctInputOctets] DEFAULT (null) FOR [AcctInputOctets], - CONSTRAINT [DF_radacct_AcctOutputOctets] DEFAULT (null) FOR [AcctOutputOctets], - CONSTRAINT [DF_radacct_CalledStationId] DEFAULT ('') FOR [CalledStationId], - CONSTRAINT [DF_radacct_CallingStationId] DEFAULT ('') FOR [CallingStationId], - CONSTRAINT [DF_radacct_AcctTerminateCause] DEFAULT ('') FOR [AcctTerminateCause], - CONSTRAINT [DF_radacct_ServiceType] DEFAULT (null) FOR [ServiceType], - CONSTRAINT [DF_radacct_FramedProtocol] DEFAULT (null) FOR [FramedProtocol], - CONSTRAINT [DF_radacct_FramedIPAddress] DEFAULT ('') FOR [FramedIPAddress], - CONSTRAINT [DF_radacct_FramedIPv6Address] DEFAULT ('') FOR [FramedIPv6Address], - CONSTRAINT [DF_radacct_FramedIPv6Prefix] DEFAULT ('') FOR [FramedIPv6Prefix], - CONSTRAINT [DF_radacct_FramedInterfaceId] DEFAULT ('') FOR [FramedInterfaceId], - CONSTRAINT [DF_radacct_DelegatedIPv6Prefix] DEFAULT ('') FOR [DelegatedIPv6Prefix], - CONSTRAINT [DF_radacct_AcctStartDelay] DEFAULT (null) FOR [AcctStartDelay], - CONSTRAINT [DF_radacct_AcctStopDelay] DEFAULT (null) FOR [AcctStopDelay], - CONSTRAINT [DF_radacct_Class] DEFAULT (null) FOR [Class], - CONSTRAINT [PK_radacct] PRIMARY KEY NONCLUSTERED - ( - 
[RadAcctId] - ) ON [PRIMARY] -GO - -CREATE INDEX [UserName] ON [radacct]([UserName]) ON [PRIMARY] -GO - -CREATE INDEX [FramedIPAddress] ON [radacct]([FramedIPAddress]) ON [PRIMARY] -GO - -CREATE INDEX [FramedIPv6Address] ON [radacct]([FramedIPv6Address]) ON [PRIMARY] -GO - -CREATE INDEX [FramedIPv6Prefix] ON [radacct]([FramedIPv6Prefix]) ON [PRIMARY] -GO - -CREATE INDEX [FramedInterfaceId] ON [radacct]([FramedInterfaceId]) ON [PRIMARY] -GO - -CREATE INDEX [DelegatedIPv6Prefix] ON [radacct]([DelegatedIPv6Prefix]) ON [PRIMARY] -GO - -CREATE INDEX [AcctSessionId] ON [radacct]([AcctSessionId]) ON [PRIMARY] -GO - -CREATE UNIQUE INDEX [AcctUniqueId] ON [radacct]([AcctUniqueId]) ON [PRIMARY] -GO - -CREATE INDEX [AcctStartTime] ON [radacct]([AcctStartTime]) ON [PRIMARY] -GO - -CREATE INDEX [AcctStopTime] ON [radacct]([AcctStopTime]) ON [PRIMARY] -GO - -CREATE INDEX [NASIPAddress] ON [radacct]([NASIPAddress]) ON [PRIMARY] -GO - -CREATE INDEX [Class] ON [radacct]([Class]) ON [PRIMARY] -GO - -/* For use by onoff */ -CREATE INDEX [RadacctBulkClose] ON [radacct]([NASIPAddress],[AcctStartTime]) WHERE [AcctStopTime] IS NULL ON [PRIMARY] -GO - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radcheck] ( - [id] [int] IDENTITY (1, 1) NOT NULL , - [UserName] [varchar] (64) NOT NULL , - [Attribute] [varchar] (32) NOT NULL , - [Value] [varchar] (253) NOT NULL , - [op] [char] (2) NULL -) ON [PRIMARY] -GO - -ALTER TABLE [radcheck] WITH NOCHECK ADD - CONSTRAINT [DF_radcheck_UserName] DEFAULT ('') FOR [UserName], - CONSTRAINT [DF_radcheck_Attribute] DEFAULT ('') FOR [Attribute], - CONSTRAINT [DF_radcheck_Value] DEFAULT ('') FOR [Value], - CONSTRAINT [DF_radcheck_op] DEFAULT (null) FOR [op], - CONSTRAINT [PK_radcheck] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [UserName] ON [radcheck]([UserName]) ON [PRIMARY] -GO - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radgroupcheck] ( - [id] [int] IDENTITY (1, 1) NOT NULL , - 
[GroupName] [varchar] (64) NOT NULL , - [Attribute] [varchar] (32) NOT NULL , - [Value] [varchar] (253) NOT NULL , - [op] [char] (2) NULL -) ON [PRIMARY] -GO - -ALTER TABLE [radgroupcheck] WITH NOCHECK ADD - CONSTRAINT [DF_radgroupcheck_GroupName] DEFAULT ('') FOR [GroupName], - CONSTRAINT [DF_radgroupcheck_Attribute] DEFAULT ('') FOR [Attribute], - CONSTRAINT [DF_radgroupcheck_Value] DEFAULT ('') FOR [Value], - CONSTRAINT [DF_radgroupcheck_op] DEFAULT (null) FOR [op], - CONSTRAINT [PK_radgroupcheck] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [GroupName] ON [radgroupcheck]([GroupName]) ON [PRIMARY] -GO - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radgroupreply] ( - [id] [int] IDENTITY (1, 1) NOT NULL , - [GroupName] [varchar] (64) NOT NULL , - [Attribute] [varchar] (32) NOT NULL , - [Value] [varchar] (253) NOT NULL , - [op] [char] (2) NULL , - [prio] [int] NOT NULL -) ON [PRIMARY] -GO - -ALTER TABLE [radgroupreply] WITH NOCHECK ADD - CONSTRAINT [DF_radgroupreply_GroupName] DEFAULT ('') FOR [GroupName], - CONSTRAINT [DF_radgroupreply_Attribute] DEFAULT ('') FOR [Attribute], - CONSTRAINT [DF_radgroupreply_Value] DEFAULT ('') FOR [Value], - CONSTRAINT [DF_radgroupreply_op] DEFAULT (null) FOR [op], - CONSTRAINT [DF_radgroupreply_prio] DEFAULT (0) FOR [prio], - CONSTRAINT [PK_radgroupreply] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [GroupName] ON [radgroupreply]([GroupName]) ON [PRIMARY] -GO - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radreply] ( - [id] [int] IDENTITY (1, 1) NOT NULL , - [UserName] [varchar] (64) NOT NULL , - [Attribute] [varchar] (32) NOT NULL , - [Value] [varchar] (253) NOT NULL , - [op] [char] (2) NULL -) ON [PRIMARY] -GO - -ALTER TABLE [radreply] WITH NOCHECK ADD - CONSTRAINT [DF_radreply_UserName] DEFAULT ('') FOR [UserName], - CONSTRAINT [DF_radreply_Attribute] DEFAULT ('') FOR [Attribute], - CONSTRAINT [DF_radreply_Value] DEFAULT ('') FOR 
[Value], - CONSTRAINT [DF_radreply_op] DEFAULT (null) FOR [op], - CONSTRAINT [PK_radreply] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [UserName] ON [radreply]([UserName]) ON [PRIMARY] -GO - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radusergroup] ( - [id] [int] IDENTITY (1, 1) NOT NULL , - [UserName] [varchar] (64) NOT NULL , - [GroupName] [varchar] (64) NULL , - [Priority] [int] NULL -) ON [PRIMARY] -GO - -ALTER TABLE [radusergroup] WITH NOCHECK ADD - CONSTRAINT [DF_radusergroup_UserName] DEFAULT ('') FOR [UserName], - CONSTRAINT [DF_radusergroup_GroupName] DEFAULT ('') FOR [GroupName], - CONSTRAINT [PK_radusergroup] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO - -CREATE INDEX [UserName] ON [radusergroup]([UserName]) ON [PRIMARY] -GO - - --- --- Table structure for table 'radacct' --- - -CREATE TABLE [radpostauth] ( - [id] [int] IDENTITY (1, 1) NOT NULL , - [userName] [varchar] (64) NOT NULL , - [pass] [varchar] (64) NOT NULL , - [reply] [varchar] (32) NOT NULL , - [authdate] [datetime] NOT NULL, - [Class] [varchar] (64) NULL -) -GO - -CREATE INDEX [userName] ON [radpostauth]([userName]) ON [PRIMARY] -GO - -CREATE INDEX [Class] ON [radpostauth]([Class]) ON [PRIMARY] -GO - -ALTER TABLE [radpostauth] WITH NOCHECK ADD - CONSTRAINT [DF_radpostauth_userName] DEFAULT ('') FOR [userName], - CONSTRAINT [DF_radpostauth_pass] DEFAULT ('') FOR [pass], - CONSTRAINT [DF_radpostauth_reply] DEFAULT ('') FOR [reply], - CONSTRAINT [DF_radpostauth_authdate] DEFAULT (getdate()) FOR [authdate], - CONSTRAINT [PK_radpostauth] PRIMARY KEY NONCLUSTERED - ( - [id] - ) ON [PRIMARY] -GO diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf deleted file mode 100644 index 4087cb5..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# -*- text -*-
-##
-## wimax.conf -- MySQL configuration for WiMAX keying
-##
-## $Id: 26942305017c59d4589d0645cfc79405b98b4c6a $
-
-# Safe characters list for sql queries. Everything else is replaced
-# with their mime-encoded equivalents.
-# The default list should be ok
-#safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
-
-#######################################################################
-# Query config: Username
-#######################################################################
-# This is the username that will get substituted, escaped, and added
-# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
-# everywhere a username substitution is needed so you you can be sure
-# the username passed from the client is escaped properly.
-#
-# Uncomment the next line, if you want the sql_user_name to mean:
-#
-# Use Stripped-User-Name, if it's there.
-# Else use User-Name, if it's there,
-# Else use hard-coded string "DEFAULT" as the user name.
-#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
-#
-sql_user_name = "%{User-Name}"
-
-#######################################################################
-# Logging of WiMAX SPI -> key mappings
-#######################################################################
-# postauth_query - Insert some info after authentication
-#######################################################################
-
-postauth_query = "INSERT INTO wimax \
- (username, authdate, spi, mipkey, lifetime) \
- VALUES ( \
- '%{User-Name}', '%S' \
- '%{%{reply:WiMAX-MN-hHA-MIP4-SPI}:-%{reply:WiMAX-MN-hHA-MIP6-SPI}}', \
- '%{%{reply:WiMAX-MN-hHA-MIP4-Key}:-%{reply:WiMAX-MN-hHA-MIP6-Key}}', '%{%{reply:Session-Timeout}:-86400}' )"
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
deleted file mode 100644
index e32224a..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# WiMAX Table structure for table 'wimax',
-# which replaces the "radpostauth" table.
-#
-
-CREATE TABLE wimax (
- id int(11) NOT NULL auto_increment,
- username varchar(64) NOT NULL default '',
- authdate timestamp NOT NULL,
- spi varchar(16) NOT NULL default '',
- mipkey varchar(400) NOT NULL default '',
- lifetime int(12) default NULL,
- PRIMARY KEY (id),
- KEY username (username),
- KEY spi (spi)
-) ;
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/process-radacct.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/process-radacct.sql
deleted file mode 100644
index dc8c334..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/process-radacct.sql
+++ /dev/null
@@ -1,152 +0,0 @@ -# -*- text -*- -# -# main/mysql/process-radacct.sql -- Schema extensions for processing radacct entries -# -# $Id: 8cd0bd25dcc9a17ec50f947f909b79d2e448bdc4 $ - --- --------------------------------- --- - Per-user data usage over time - --- --------------------------------- --- --- An extension to the standard schema to hold per-user data usage statistics --- for arbitrary periods. --- --- The data_usage_by_period table is populated by periodically calling the --- fr_new_data_usage_period stored procedure. --- --- This table can be queried in various ways to produce reports of aggregate --- data use over time. For example, if the fr_new_data_usage_period SP is --- invoked one per day just after midnight, to produce usage data with daily --- granularity, then a reasonably accurate monthly bandwidth summary for a --- given user could be obtained with: --- --- SELECT --- DATE_FORMAT(period_start, '%Y-%M') AS month, --- SUM(acctinputoctets)/1000/1000/1000 AS GB_in, --- SUM(acctoutputoctets)/1000/1000/1000 AS GB_out --- FROM --- data_usage_by_period --- WHERE --- username='bob' AND --- period_end IS NOT NULL --- GROUP BY --- YEAR(period_start), MONTH(period_start); --- --- +----------------+----------------+-----------------+ --- | month | GB_in | GB_out | --- +----------------+----------------+-----------------+ --- | 2019-July | 5.782279230000 | 50.545664820000 | --- | 2019-August | 4.230543340000 | 48.523096420000 | --- | 2019-September | 4.847360590000 | 48.631835480000 | --- | 2019-October | 6.456763250000 | 51.686231930000 | --- | 2019-November | 6.362537730000 | 52.385710570000 | --- | 2019-December | 4.301524440000 | 50.762240270000 | --- | 2020-January | 5.436280540000 | 49.067775280000 | --- +----------------+----------------+-----------------+ --- 7 rows in set (0.000 sec) --- -CREATE TABLE data_usage_by_period ( - username VARCHAR(64), - period_start DATETIME, - period_end DATETIME, - acctinputoctets BIGINT(20), - acctoutputoctets 
BIGINT(20), - PRIMARY KEY (username,period_start) -); -CREATE INDEX idx_data_usage_by_period_period_start ON data_usage_by_period (period_start); -CREATE INDEX idx_data_usage_by_period_period_end ON data_usage_by_period (period_end); - - --- --- Stored procedure that when run with some arbitrary frequency, say --- once per day by cron, will process the recent radacct entries to extract --- time-windowed data containing acct{input,output}octets ("data usage") per --- username, per period. --- --- Each invocation will create new rows in the data_usage_by_period tables --- containing the data used by each user since the procedure was last invoked. --- The intervals do not need to be identical but care should be taken to --- ensure that the start/end of each period aligns well with any intended --- reporting intervals. --- --- It can be invoked by running: --- --- CALL fr_new_data_usage_period(); --- --- -DELIMITER $$ - -DROP PROCEDURE IF EXISTS fr_new_data_usage_period; -CREATE PROCEDURE fr_new_data_usage_period () -SQL SECURITY INVOKER -BEGIN - - DECLARE v_start DATETIME; - DECLARE v_end DATETIME; - - DECLARE EXIT HANDLER FOR SQLEXCEPTION - BEGIN - ROLLBACK; - RESIGNAL; - END; - - SELECT IFNULL(DATE_ADD(MAX(period_end), INTERVAL 1 SECOND), FROM_UNIXTIME(0)) INTO v_start FROM data_usage_by_period; - SELECT NOW() INTO v_end; - - START TRANSACTION; - - -- - -- Add the data usage for the sessions that were active in the current - -- period to the table. Include all sessions that finished since the start - -- of this period as well as those still ongoing. 
- -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT * - FROM ( - SELECT - username, - v_start, - v_end, - SUM(acctinputoctets) AS acctinputoctets, - SUM(acctoutputoctets) AS acctoutputoctets - FROM - radacct - WHERE - acctstoptime > v_start OR - acctstoptime IS NULL - GROUP BY - username - ) AS s - ON DUPLICATE KEY UPDATE - acctinputoctets = data_usage_by_period.acctinputoctets + s.acctinputoctets, - acctoutputoctets = data_usage_by_period.acctoutputoctets + s.acctoutputoctets, - period_end = v_end; - - -- - -- Create an open-ended "next period" for all ongoing sessions and carry a - -- negative value of their data usage to avoid double-accounting when we - -- process the next period. Their current data usage has already been - -- allocated to the current and possibly previous periods. - -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT * - FROM ( - SELECT - username, - DATE_ADD(v_end, INTERVAL 1 SECOND), - NULL, - 0 - SUM(acctinputoctets), - 0 - SUM(acctoutputoctets) - FROM - radacct - WHERE - acctstoptime IS NULL - GROUP BY - username - ) AS s; - - COMMIT; - -END$$ - -DELIMITER ; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/queries.conf deleted file mode 100644 index 2322a07..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/queries.conf +++ /dev/null 
@@ -1,650 +0,0 @@ -# -*- text -*- -# -# main/mysql/queries.conf-- MySQL configuration for default schema (schema.sql) -# -# $Id: 31f93a018f1224ec297d7df8e197bffd7c076036 $ - -# Use the driver specific SQL escape method. -# -# If you enable this configuration item, the "safe_characters" -# configuration is ignored. FreeRADIUS then uses the MySQL escape -# functions to escape input strings. The only downside to making this -# change is that the MySQL escaping method is not the same the one -# used by FreeRADIUS. So characters which are NOT in the -# "safe_characters" list will now be stored differently in the database. -# -#auto_escape = yes - -# Safe characters list for sql queries. Everything else is replaced -# with their mime-encoded equivalents. -# The default list should be ok -# Using 'auto_escape' is preferred -safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" - -####################################################################### -# Connection config -####################################################################### -# The character set is not configurable. The default character set of -# the mysql client library is used. To control the character set, -# create/edit my.cnf (typically in /etc/mysql/my.cnf or /etc/my.cnf) -# and enter -# [client] -# default-character-set = utf8 -# - -####################################################################### -# Query config: Username -####################################################################### -# This is the username that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below -# everywhere a username substitution is needed so you you can be sure -# the username passed from the client is escaped properly. -# -# Uncomment the next line, if you want the sql_user_name to mean: -# -# Use Stripped-User-Name, if it's there. 
-# Else use User-Name, if it's there, -# Else use hard-coded string "DEFAULT" as the user name. -#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" -# -sql_user_name = "%{User-Name}" - -####################################################################### -# Query config: Event-Timestamp -####################################################################### -# event_timestamp_epoch is the basis for the time inserted into -# accounting records. Typically this will be the Event-Timestamp of the -# accounting request, which is usually provided by a NAS. -# -# Uncomment the next line, if you want the timestamp to be based on the -# request reception time recorded by this server, for example if you -# distrust the provided Event-Timestamp. -#event_timestamp_epoch = "%l" - -event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}" - -# event_timestamp is the SQL snippet for converting an epoch timestamp -# to an SQL date. - -event_timestamp = "FROM_UNIXTIME(${event_timestamp_epoch})" - -####################################################################### -# Query config: Class attribute -####################################################################### -# -# 3.0.22 and later have a "class" column in the accounting table. -# -# However, we do NOT want to break existing configurations by adding -# the Class attribute to the default queries. If we did that, then -# systems using newer versions of the server would fail, because -# there is no "class" column in their accounting tables. -# -# The solution to that is the following "class" subsection. If your -# database has a "class" column for the various tables, then you can -# uncomment the configuration items here. The queries below will -# then automatically insert the Class attribute into radacct, -# radpostauth, etc. -# -class { - # - # Delete the '#' character from each of the configuration - # items in this section. This change puts the Class - # attribute into the various tables. 
Leave the double-quoted - # string there, as the value for the configuration item. - # - # See also policy.d/accounting, and the "insert_acct_class" - # policy. You will need to list (or uncomment) - # "insert_acct_class" in the "post-auth" section in order to - # create a Class attribute. - # - column_name = # ", class" - packet_xlat = # ", '%{Class}'" - reply_xlat = # ", '%{reply:Class}'" -} - -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" - -####################################################################### -# NAS Query -####################################################################### -# This query retrieves the radius clients -# -# 0. Row ID (currently unused) -# 1. Name (or IP address) -# 2. Shortname -# 3. Type -# 4. Secret -# 5. 
Server -####################################################################### - -client_query = "\ - SELECT id, nasname, shortname, type, secret, server \ - FROM ${client_table}" - -####################################################################### -# Authorization Queries -####################################################################### -# These queries compare the check items for the user -# in ${authcheck_table} and setup the reply items in -# ${authreply_table}. You can use any query/tables -# you want, but the return data for each row MUST -# be in the following order: -# -# 0. Row ID (currently unused) -# 1. UserName/GroupName -# 2. Item Attr Name -# 3. Item Attr Value -# 4. Item Attr Operation -####################################################################### -# Use these for case sensitive usernames. - -#authorize_check_query = "\ -# SELECT id, username, attribute, value, op \ -# FROM ${authcheck_table} \ -# WHERE username = BINARY '%{SQL-User-Name}' \ -# ORDER BY id" - -#authorize_reply_query = "\ -# SELECT id, username, attribute, value, op \ -# FROM ${authreply_table} \ -# WHERE username = BINARY '%{SQL-User-Name}' \ -# ORDER BY id" - -# -# The default queries are case insensitive. (for compatibility with -# older versions of FreeRADIUS) -# -authorize_check_query = "\ - SELECT id, username, attribute, value, op \ - FROM ${authcheck_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_reply_query = "\ - SELECT id, username, attribute, value, op \ - FROM ${authreply_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY id" - -# -# Use these for case sensitive usernames. 
-# -#group_membership_query = "\ -# SELECT groupname \ -# FROM ${usergroup_table} \ -# WHERE username = BINARY '%{SQL-User-Name}' \ -# ORDER BY priority" - -group_membership_query = "\ - SELECT groupname \ - FROM ${usergroup_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY priority" - -authorize_group_check_query = "\ - SELECT id, groupname, attribute, \ - Value, op \ - FROM ${groupcheck_table} \ - WHERE groupname = '%{${group_attribute}}' \ - ORDER BY id" - -authorize_group_reply_query = "\ - SELECT id, groupname, attribute, \ - value, op \ - FROM ${groupreply_table} \ - WHERE groupname = '%{${group_attribute}}' \ - ORDER BY id" - -####################################################################### -# Simultaneous Use Checking Queries -####################################################################### -# simul_count_query - query for the number of current connections -# - If this is not defined, no simultaneous use checking -# - will be performed by this module instance -# simul_verify_query - query to return details of current connections -# for verification -# - Leave blank or commented out to disable verification step -# - Note that the returned field order should not be changed. -####################################################################### - -simul_count_query = "\ - SELECT COUNT(*) \ - FROM ${acct_table1} \ - WHERE username = '%{SQL-User-Name}' \ - AND acctstoptime IS NULL" - -simul_verify_query = "\ - SELECT \ - radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \ - callingstationid, framedprotocol \ - FROM ${acct_table1} \ - WHERE username = '%{SQL-User-Name}' \ - AND acctstoptime IS NULL" - -####################################################################### -# Accounting and Post-Auth Queries -####################################################################### -# These queries insert/update accounting and authentication records. -# The query to use is determined by the value of 'reference'. 
-# This value is used as a configuration path and should resolve to one -# or more 'query's. If reference points to multiple queries, and a query -# fails, the next query is executed. -# -# Behaviour is identical to the old 1.x/2.x module, except we can now -# fail between N queries, and query selection can be based on any -# combination of attributes, or custom 'Acct-Status-Type' values. -####################################################################### -accounting { - reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" - - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. -# logfile = ${logdir}/accounting.sql - - column_list = "\ - acctsessionid, acctuniqueid, username, \ - realm, nasipaddress, nasportid, \ - nasporttype, acctstarttime, acctupdatetime, \ - acctstoptime, acctsessiontime, acctauthentic, \ - connectinfo_start, connectinfo_stop, acctinputoctets, \ - acctoutputoctets, calledstationid, callingstationid, \ - acctterminatecause, servicetype, framedprotocol, \ - framedipaddress, framedipv6address, framedipv6prefix, \ - framedinterfaceid, delegatedipv6prefix ${..class.column_name}" - - type { - accounting-on { - # - # Bulk terminate all sessions associated with a given NAS - # - query = "\ - UPDATE ${....acct_table1} \ - SET \ - acctstoptime = ${....event_timestamp}, \ - acctsessiontime = '${....event_timestamp_epoch}' \ - - UNIX_TIMESTAMP(acctstarttime), \ - acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \ - WHERE acctstoptime IS NULL \ - AND nasipaddress = '%{NAS-IP-Address}' \ - AND acctstarttime <= ${....event_timestamp}" - } - - accounting-off { - query = "${..accounting-on.query}" - } - - # - # Implement the "sql_session_start" policy. - # See raddb/policy.d/accounting for more details. - # - # You also need to fix the other queries as - # documented below. Look for "sql_session_start". 
- # - post-auth { - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - NULL, \ - NULL, \ - 0, \ - '', \ - '%{Connect-Info}', \ - NULL, \ - 0, \ - 0, \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - NULL, \ - '', \ - '', \ - '', \ - '', \ - '' \ - ${....class.packet_xlat})" - - query = "\ - UPDATE ${....acct_table1} SET \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - ConnectInfo_start = '%{Connect-Info}', \ - AcctSessionId = '%{Acct-Session-Id}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - } - - start { - # - # Insert a new record into the sessions table - # - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES \ - ('%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - NULL, \ - '0', \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - '', \ - '0', \ - '0', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. 
- # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. - # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp} \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - # - # Key constraints prevented us from inserting a new session, - # use the alternate query to update an existing session. - # - query = "\ - UPDATE ${....acct_table1} SET \ - acctstarttime = ${....event_timestamp}, \ - acctupdatetime = ${....event_timestamp}, \ - connectinfo_start = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - - } - - interim-update { - # - # Update an existing session and calculate the interval - # between the last data we received for the session and this - # update. This can be used to find stale sessions. 
- # - query = "\ - UPDATE ${....acct_table1} \ - SET \ - acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \ - acctupdatetime = ${....event_timestamp}, \ - acctinterval = ${....event_timestamp_epoch} - \ - UNIX_TIMESTAMP(@acctupdatetime_old), \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ - acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Input-Octets}:-0}', \ - acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Output-Octets}:-0}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - - # - # The update condition matched no existing sessions. Use - # the values provided in the update to create a new session. - # - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES \ - ('%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - FROM_UNIXTIME(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ - ${....event_timestamp}, \ - NULL, \ - %{%{Acct-Session-Time}:-NULL}, \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - '', \ - '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \ - '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. 
- # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. - # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, \ - AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Output-Octets}:-0}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - } - - stop { - # - # Session has terminated, update the stop time and statistics. - # - query = "\ - UPDATE ${....acct_table2} SET \ - acctstoptime = ${....event_timestamp}, \ - acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ - acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Input-Octets}:-0}', \ - acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Output-Octets}:-0}', \ - acctterminatecause = '%{Acct-Terminate-Cause}', \ - connectinfo_stop = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - - # - # The update condition matched no existing sessions. Use - # the values provided in the update to create a new session. 
- # - query = "\ - INSERT INTO ${....acct_table2} \ - (${...column_list}) \ - VALUES \ - ('%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - FROM_UNIXTIME(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - %{%{Acct-Session-Time}:-NULL}, \ - '%{Acct-Authentic}', \ - '', \ - '%{Connect-Info}', \ - '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \ - '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '%{Acct-Terminate-Cause}', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. 
- # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - AcctStopTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = %{Acct-Session-Time}, \ - AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Output-Octets}:-0}', \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - } - - # - # No Acct-Status-Type == ignore the packet - # - accounting { - query = "SELECT true" - } - } -} - - -####################################################################### -# Authentication Logging Queries -####################################################################### -# postauth_query - Insert some info after authentication -####################################################################### - -post-auth { - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. 
-# logfile = ${logdir}/post-auth.sql - - query = "\ - INSERT INTO ${..postauth_table} \ - (username, pass, reply, authdate ${..class.column_name}) \ - VALUES ( \ - '%{SQL-User-Name}', \ - '%{%{User-Password}:-%{Chap-Password}}', \ - '%{reply:Packet-Type}', \ - '%S.%M' \ - ${..class.reply_xlat})" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/schema.sql deleted file mode 100644 index 6a5ddd7..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/schema.sql +++ /dev/null 
@@ -1,170 +0,0 @@ -########################################################################### -# $Id: 41fcccad1c012226d12cc721518fe91e311e55e2 $ # -# # -# schema.sql rlm_sql - FreeRADIUS SQL Module # -# # -# Database schema for MySQL rlm_sql module # -# # -# To load: # -# mysql -uroot -prootpass radius < schema.sql # -# # -# Mike Machado # -########################################################################### -# -# Table structure for table 'radacct' -# - -CREATE TABLE IF NOT EXISTS radacct ( - radacctid bigint(21) NOT NULL auto_increment, - acctsessionid varchar(64) NOT NULL default '', - acctuniqueid varchar(32) NOT NULL default '', - username varchar(64) NOT NULL default '', - realm varchar(64) default '', - nasipaddress varchar(15) NOT NULL default '', - nasportid varchar(32) default NULL, - nasporttype varchar(32) default NULL, - acctstarttime datetime NULL default NULL, - acctupdatetime datetime NULL default NULL, - acctstoptime datetime NULL default NULL, - acctinterval int(12) default NULL, - acctsessiontime int(12) unsigned default NULL, - acctauthentic varchar(32) default NULL, - connectinfo_start varchar(128) default NULL, - connectinfo_stop varchar(128) default NULL, - acctinputoctets bigint(20) default NULL, - acctoutputoctets bigint(20) default NULL, - calledstationid varchar(50) NOT NULL default '', - callingstationid varchar(50) NOT NULL default '', - acctterminatecause varchar(32) NOT NULL default '', - servicetype varchar(32) default NULL, - framedprotocol varchar(32) default NULL, - framedipaddress varchar(15) NOT NULL default '', - framedipv6address varchar(45) NOT NULL default '', - framedipv6prefix varchar(45) NOT NULL default '', - framedinterfaceid varchar(44) NOT NULL default '', - delegatedipv6prefix varchar(45) NOT NULL default '', - class varchar(64) default NULL, - PRIMARY KEY (radacctid), - UNIQUE KEY acctuniqueid (acctuniqueid), - KEY username (username), - KEY framedipaddress (framedipaddress), - KEY framedipv6address 
(framedipv6address), - KEY framedipv6prefix (framedipv6prefix), - KEY framedinterfaceid (framedinterfaceid), - KEY delegatedipv6prefix (delegatedipv6prefix), - KEY acctsessionid (acctsessionid), - KEY acctsessiontime (acctsessiontime), - KEY acctstarttime (acctstarttime), - KEY acctinterval (acctinterval), - KEY acctstoptime (acctstoptime), - KEY nasipaddress (nasipaddress), - KEY class (class) -) ENGINE = INNODB; - -# -# Table structure for table 'radcheck' -# - -CREATE TABLE IF NOT EXISTS radcheck ( - id int(11) unsigned NOT NULL auto_increment, - username varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '==', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY username (username(32)) -); - -# -# Table structure for table 'radgroupcheck' -# - -CREATE TABLE IF NOT EXISTS radgroupcheck ( - id int(11) unsigned NOT NULL auto_increment, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '==', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY groupname (groupname(32)) -); - -# -# Table structure for table 'radgroupreply' -# - -CREATE TABLE IF NOT EXISTS radgroupreply ( - id int(11) unsigned NOT NULL auto_increment, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY groupname (groupname(32)) -); - -# -# Table structure for table 'radreply' -# - -CREATE TABLE IF NOT EXISTS radreply ( - id int(11) unsigned NOT NULL auto_increment, - username varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY username (username(32)) -); - - -# -# Table structure for table 'radusergroup' -# - -CREATE TABLE IF NOT EXISTS radusergroup ( - id int(11) unsigned NOT NULL 
auto_increment, - username varchar(64) NOT NULL default '', - groupname varchar(64) NOT NULL default '', - priority int(11) NOT NULL default '1', - PRIMARY KEY (id), - KEY username (username(32)) -); - -# -# Table structure for table 'radpostauth' -# -# Note: MySQL versions since 5.6.4 support fractional precision timestamps -# which we use here. Replace the authdate definition with the following -# if your software is too old: -# -# authdate timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP -# -CREATE TABLE IF NOT EXISTS radpostauth ( - id int(11) NOT NULL auto_increment, - username varchar(64) NOT NULL default '', - pass varchar(64) NOT NULL default '', - reply varchar(32) NOT NULL default '', - authdate timestamp(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), - class varchar(64) default NULL, - PRIMARY KEY (id), - KEY username (username), - KEY class (class) -) ENGINE = INNODB; - -# -# Table structure for table 'nas' -# -CREATE TABLE IF NOT EXISTS nas ( - id int(10) NOT NULL auto_increment, - nasname varchar(128) NOT NULL, - shortname varchar(32), - type varchar(30) DEFAULT 'other', - ports int(5), - secret varchar(60) DEFAULT 'secret' NOT NULL, - server varchar(64), - community varchar(50), - description varchar(200) DEFAULT 'RADIUS Client', - PRIMARY KEY (id), - KEY nasname (nasname) -); diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/setup.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/setup.sql deleted file mode 100644 index 6a55ec8..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/mysql/setup.sql +++ /dev/null 
@@ -1,23 +0,0 @@ -# -*- text -*- -## -## admin.sql -- MySQL commands for creating the RADIUS user. -## -## WARNING: You should change 'localhost' and 'radpass' -## to something else. Also update raddb/mods-available/sql -## with the new RADIUS password. -## -## $Id: cd44117def3283fd94e0b956a52c67bebfde529a $ - -# -# Create default administrator for RADIUS -# -CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radpass'; - -# The server can read any table in SQL -GRANT SELECT ON radius.* TO 'radius'@'localhost'; - -# The server can write to the accounting and post-auth logging table. -# -# i.e. -GRANT ALL on radius.radacct TO 'radius'@'localhost'; -GRANT ALL on radius.radpostauth TO 'radius'@'localhost'; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/README b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/README deleted file mode 100644 index 71f5aa3..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/README +++ /dev/null @@ -1,5 +0,0 @@ - The SQL schema and 'create admin user" scripts are here in order to -simplify the process of using MySQL cluster. - - The queries are NOT located here, because the database driver for -MySQL cluster is just "mysql", and not "ndb". diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/schema.sql deleted file mode 100644 index 36c4909..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/schema.sql +++ /dev/null 
@@ -1,144 +0,0 @@ -########################################################################### -# $Id: d115d0643d96cc852d5b28d7f68fdf8a95acbe82 $ # -# # -# schema.sql rlm_sql - FreeRADIUS SQL Module # -# # -# Database schema for MySQL Cluster. # -# The only difference between this file and ../mysql/schema.sql # -# is the definition of the storage engine. # -# # -# To load: # -# mysql -uroot -prootpass radius < schema.sql # -# # -# Mike Machado # -########################################################################### -# -# Table structure for table 'radacct' -# - -CREATE TABLE radacct ( - radacctid bigint(21) NOT NULL auto_increment, - acctsessionid varchar(64) NOT NULL default '', - acctuniqueid varchar(32) NOT NULL default '', - username varchar(64) NOT NULL default '', - realm varchar(64) default '', - nasipaddress varchar(15) NOT NULL default '', - nasportid varchar(32) default NULL, - nasporttype varchar(32) default NULL, - acctstarttime datetime NULL default NULL, - acctupdatetime datetime NULL default NULL, - acctstoptime datetime NULL default NULL, - acctinterval int(12) default NULL, - acctsessiontime int(12) unsigned default NULL, - acctauthentic varchar(32) default NULL, - connectinfo_start varchar(128) default NULL, - connectinfo_stop varchar(128) default NULL, - acctinputoctets bigint(20) default NULL, - acctoutputoctets bigint(20) default NULL, - calledstationid varchar(50) NOT NULL default '', - callingstationid varchar(50) NOT NULL default '', - acctterminatecause varchar(32) NOT NULL default '', - servicetype varchar(32) default NULL, - framedprotocol varchar(32) default NULL, - framedipaddress varchar(15) NOT NULL default '', - framedipv6address varchar(45) NOT NULL default '', - framedipv6prefix varchar(45) NOT NULL default '', - framedinterfaceid varchar(44) NOT NULL default '', - delegatedipv6prefix varchar(45) NOT NULL default '', - class varchar(64) default NULL, - PRIMARY KEY (radacctid), - UNIQUE KEY acctuniqueid (acctuniqueid), - KEY 
username (username), - KEY framedipaddress (framedipaddress), - KEY framedipv6address (framedipv6address), - KEY framedipv6prefix (framedipv6prefix), - KEY framedinterfaceid (framedinterfaceid), - KEY delegatedipv6prefix (delegatedipv6prefix), - KEY acctsessionid (acctsessionid), - KEY acctsessiontime (acctsessiontime), - KEY acctstarttime (acctstarttime), - KEY acctinterval (acctinterval), - KEY acctstoptime (acctstoptime), - KEY nasipaddress (nasipaddress) -) ENGINE=ndbcluster; - -# -# Table structure for table 'radcheck' -# - -CREATE TABLE radcheck ( - id int(11) unsigned NOT NULL auto_increment, - username varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '==', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY username (username(32)) -) ENGINE=ndbcluster; - -# -# Table structure for table 'radgroupcheck' -# - -CREATE TABLE radgroupcheck ( - id int(11) unsigned NOT NULL auto_increment, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '==', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY groupname (groupname(32)) -) ENGINE=ndbcluster; - -# -# Table structure for table 'radgroupreply' -# - -CREATE TABLE radgroupreply ( - id int(11) unsigned NOT NULL auto_increment, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY groupname (groupname(32)) -) ENGINE=ndbcluster; - -# -# Table structure for table 'radreply' -# - -CREATE TABLE radreply ( - id int(11) unsigned NOT NULL auto_increment, - username varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '', - PRIMARY KEY (id), - KEY username (username(32)) -) ENGINE=ndbcluster; - - -# -# Table structure for table 
'radusergroup' -# - -CREATE TABLE radusergroup ( - username varchar(64) NOT NULL default '', - groupname varchar(64) NOT NULL default '', - priority int(11) NOT NULL default '1', - KEY username (username(32)) -) ENGINE=ndbcluster; - -# -# Table structure for table 'radpostauth' -# - -CREATE TABLE radpostauth ( - id int(11) NOT NULL auto_increment, - username varchar(64) NOT NULL default '', - pass varchar(64) NOT NULL default '', - reply varchar(32) NOT NULL default '', - authdate timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), - PRIMARY KEY (id) -) ENGINE=ndbcluster; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/setup.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/setup.sql deleted file mode 100644 index 20b5d2e..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/ndb/setup.sql +++ /dev/null @@ -1,25 +0,0 @@ -# -*- text -*- -## -## admin.sql -- MySQL commands for creating the RADIUS user. -## -## WARNING: You should change 'localhost' and 'radpass' -## to something else. Also update raddb/mods-available/sql -## with the new RADIUS password. -## -## $Id: 003fc1082b2507f9b85aae6cf04a5e37523d6002 $ - -# -# Create default administrator for RADIUS -# -CREATE USER 'radius'@'localhost'; -SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass'); - -# The server can read any table in SQL -GRANT ALL ON radius.* TO 'radius'@'localhost' identified by 'radpass'; -GRANT ALL ON radius.* TO 'radius'@'radsrvr' identified by 'radpass'; - -# The server can write to the accounting and post-auth logging table. -# -# i.e. -#GRANT ALL on radius.radacct TO 'radius'@'localhost' identified by 'radpass'; -#GRANT ALL on radius.radacct TO 'radius'@'radsrvr' identified by 'radpass'; 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/process-radacct.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/process-radacct.sql deleted file mode 100644 index 438fc24..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/process-radacct.sql +++ /dev/null 
@@ -1,147 +0,0 @@ -# -*- text -*- -# -# main/oracle/process-radacct.sql -- Schema extensions for processing radacct entries -# -# $Id: 858d9464fa81f2c9680dac8fd21dc0f687917d3c $ - --- --------------------------------- --- - Per-user data usage over time - --- --------------------------------- --- --- An extension to the standard schema to hold per-user data usage statistics --- for arbitrary periods. --- --- The data_usage_by_period table is populated by periodically calling the --- fr_new_data_usage_period stored procedure. --- --- This table can be queried in various ways to produce reports of aggregate --- data use over time. For example, if the fr_new_data_usage_period SP is --- invoked one per day just after midnight, to produce usage data with daily --- granularity, then a reasonably accurate monthly bandwidth summary for a --- given user could be obtained with: --- --- SELECT --- MIN(TO_CHAR(period_start, 'YYYY-Month')) AS month, --- SUM(acctinputoctets)/1000/1000/1000 AS GB_in, --- SUM(acctoutputoctets)/1000/1000/1000 AS GB_out --- FROM --- data_usage_by_period --- WHERE --- username='bob' AND --- period_end IS NOT NULL --- GROUP BY --- TRUNC(period_start,'month'); --- --- +----------------+----------------+-----------------+ --- | MONTH | GB_IN | GB_OUT | --- +----------------+----------------+-----------------+ --- | 2019-July | 5.782279230000 | 50.545664820000 | --- | 2019-August | 4.230543340000 | 48.523096420000 | --- | 2019-September | 4.847360590000 | 48.631835480000 | --- | 2019-October | 6.456763250000 | 51.686231930000 | --- | 2019-November | 6.362537730000 | 52.385710570000 | --- | 2019-December | 4.301524440000 | 50.762240270000 | --- | 2020-January | 5.436280540000 | 49.067775280000 | --- +----------------+----------------+-----------------+ --- -CREATE TABLE data_usage_by_period ( - id NUMBER GENERATED BY DEFAULT AS IDENTITY, - username VARCHAR(64) NOT NULL, - period_start TIMESTAMP WITH TIME ZONE NOT NULL, - period_end TIMESTAMP WITH TIME 
ZONE, - acctinputoctets NUMERIC(19), - acctoutputoctets NUMERIC(19), - PRIMARY KEY (id) -); -CREATE UNIQUE INDEX idx_data_usage_by_period_username_period_start ON data_usage_by_period (username,period_start); -CREATE INDEX idx_data_usage_by_period_period_start ON data_usage_by_period (period_start); -CREATE INDEX idx_data_usage_by_period_period_end ON data_usage_by_period (period_end); - --- --- Stored procedure that when run with some arbitrary frequency, say --- once per day by cron, will process the recent radacct entries to extract --- time-windowed data containing acct{input,output}octets ("data usage") per --- username, per period. --- --- Each invocation will create new rows in the data_usage_by_period tables --- containing the data used by each user since the procedure was last invoked. --- The intervals do not need to be identical but care should be taken to --- ensure that the start/end of each period aligns well with any intended --- reporting intervals. --- --- It can be invoked by running: --- --- CALL fr_new_data_usage_period(); --- --- -CREATE OR REPLACE PROCEDURE fr_new_data_usage_period -AS - v_start TIMESTAMP WITH TIME ZONE; - v_end TIMESTAMP WITH TIME ZONE; -BEGIN - - SELECT COALESCE(MAX(period_end) + NUMTODSINTERVAL(1,'SECOND'), TO_DATE('1970-01-01','YYYY-MM-DD')) INTO v_start FROM data_usage_by_period; - SELECT CAST(CURRENT_TIMESTAMP AS DATE) INTO v_end FROM dual; - - BEGIN - - -- - -- Add the data usage for the sessions that were active in the current - -- period to the table. Include all sessions that finished since the start - -- of this period as well as those still ongoing. 
- -- - MERGE INTO data_usage_by_period d - USING ( - SELECT - username, - MIN(v_start) period_start, - MIN(v_end) period_end, - SUM(acctinputoctets) AS acctinputoctets, - SUM(acctoutputoctets) AS acctoutputoctets - FROM - radacct - WHERE - acctstoptime > v_start OR - acctstoptime IS NULL - GROUP BY - username - ) s - ON ( d.username = s.username AND d.period_start = s.period_start ) - WHEN MATCHED THEN - UPDATE SET - acctinputoctets = d.acctinputoctets + s.acctinputoctets, - acctoutputoctets = d.acctoutputoctets + s.acctoutputoctets, - period_end = v_end - WHEN NOT MATCHED THEN - INSERT - (username, period_start, period_end, acctinputoctets, acctoutputoctets) - VALUES - (s.username, s.period_start, s.period_end, s.acctinputoctets, s.acctoutputoctets); - - -- - -- Create an open-ended "next period" for all ongoing sessions and carry a - -- negative value of their data usage to avoid double-accounting when we - -- process the next period. Their current data usage has already been - -- allocated to the current and possibly previous periods. - -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT * - FROM ( - SELECT - username, - v_end + NUMTODSINTERVAL(1,'SECOND'), - NULL, - 0 - SUM(acctinputoctets), - 0 - SUM(acctoutputoctets) - FROM - radacct - WHERE - acctstoptime IS NULL - GROUP BY - username - ) s; - - END; - -END; -/ diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/queries.conf deleted file mode 100644 index 3f07452..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/queries.conf +++ /dev/null 
@@ -1,684 +0,0 @@ -# -*- text -*- -# -# main/oracle/queries.conf -- Oracle configuration for default schema (schema.sql) -# -# $Id: 77eb618ac3251b16c808a83e012b22093d371638 $ - -####################################################################### -# Query config: Username -####################################################################### -# This is the username that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below -# everywhere a username substitution is needed so you you can be sure -# the username passed from the client is escaped properly. -# -# Uncomment the next line, if you want the sql_user_name to mean: -# -# Use Stripped-User-Name, if it's there. -# Else use User-Name, if it's there, -# Else use hard-coded string "DEFAULT" as the user name. -#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" -# -sql_user_name = "%{User-Name}" - -####################################################################### -# Query config: Event-Timestamp -####################################################################### -# event_timestamp_epoch is the basis for the time inserted into -# accounting records. Typically this will be the Event-Timestamp of the -# accounting request, which is provided by a NAS. -# -# Uncomment the next line, if you want the timestamp to be based on the -# request reception time recorded by this server, for example if you -# distrust the provided Event-Timestamp. -#event_timestamp_epoch = "%l" - -event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}" - -# event_timestamp is the SQL snippet for converting an epoch timestamp -# to an SQL date. 
- -event_timestamp = "TO_DATE('1970-01-01','YYYY-MM-DD') + NUMTODSINTERVAL(${event_timestamp_epoch},'SECOND')" - -####################################################################### -# Query config: Class attribute -####################################################################### -# -# 3.0.22 and later have a "class" column in the accounting table. -# -# However, we do NOT want to break existing configurations by adding -# the Class attribute to the default queries. If we did that, then -# systems using newer versions of the server would fail, because -# there is no "class" column in their accounting tables. -# -# The solution to that is the following "class" subsection. If your -# database has a "class" column for the various tables, then you can -# uncomment the configuration items here. The queries below will -# then automatically insert the Class attribute into radacct, -# radpostauth, etc. -# -class { - # - # Delete the '#' character from each of the configuration - # items in this section. This change puts the Class - # attribute into the various tables. Leave the double-quoted - # string there, as the value for the configuration item. - # - # See also policy.d/accounting, and the "insert_acct_class" - # policy. You will need to list (or uncomment) - # "insert_acct_class" in the "post-auth" section in order to - # create a Class attribute. - # - column_name = # ", class" - packet_xlat = # ", '%{Class}'" - reply_xlat = # ", '%{reply:Class}'" -} - -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. 
-# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" -# -# Determines if we will query the default_user_profile or the User-Profile -# if the user is not found. If the profile is found then we consider the user -# found. By default this is set to 'no'. -# -#query_on_not_found = no - - -####################################################################### -# NAS Query -####################################################################### -# This query retrieves the radius clients -# -# 0. Row ID (currently unused) -# 1. Name (or IP address) -# 2. Shortname -# 3. Type -# 4. Secret -# 5. Virtual server -####################################################################### - -client_query = "\ - SELECT id, nasname, shortname, type, secret, server \ - FROM ${client_table}" - -####################################################################### -# Authorization Queries -####################################################################### -# These queries compare the check items for the user -# in ${authcheck_table} and setup the reply items in -# ${authreply_table}. You can use any query/tables -# you want, but the return data for each row MUST -# be in the following order: -# -# 0. Row ID (currently unused) -# 1. UserName/GroupName -# 2. 
Item Attr Name -# 3. Item Attr Value -# 4. Item Attr Operation -####################################################################### -# -# WARNING: Oracle is case sensitive -# -# The main difference between MySQL and Oracle queries is the date format. -# You must use the TO_DATE function to transform the radius date format to -# the Oracle date format, and put NULL otherwise '0' in a void date field. -# -####################################################################### - -authorize_check_query = "\ - SELECT id, UserName, Attribute, Value, op \ - FROM ${authcheck_table} \ - WHERE Username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_reply_query = "\ - SELECT id, UserName, Attribute, Value, op \ - FROM ${authreply_table} \ - WHERE Username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_group_check_query = "\ - SELECT \ - ${groupcheck_table}.id, ${groupcheck_table}.GroupName, ${groupcheck_table}.Attribute, \ - ${groupcheck_table}.Value,${groupcheck_table}.op \ - FROM ${groupcheck_table}, ${usergroup_table} \ - WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \ - AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \ - ORDER BY ${groupcheck_table}.id" - -authorize_group_reply_query = "\ - SELECT \ - ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, \ - ${groupreply_table}.Value, ${groupreply_table}.op \ - FROM ${groupreply_table}, ${usergroup_table} \ - WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \ - AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \ - ORDER BY ${groupreply_table}.id" - -####################################################################### -# Simultaneous Use Checking Queries -####################################################################### -# simul_count_query - query for the number of current connections -# - If this is not defined, no simultaneous use checking -# - will be performed by this module instance -# simul_verify_query - query to 
return details of current connections for verification
-# - Leave blank or commented out to disable verification step
-# - Note that the returned field order should not be changed.
-#######################################################################
-
-simul_count_query = "\
- SELECT COUNT(*) \
- FROM ${acct_table1} \
- WHERE UserName = '%{SQL-User-Name}' \
- AND AcctStopTime IS NULL"
-
-simul_verify_query = "\
- SELECT \
- RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, \
- FramedIPAddress, CallingStationId, FramedProtocol \
- FROM ${acct_table1} \
- WHERE UserName='%{SQL-User-Name}' \
- AND AcctStopTime IS NULL"
-
-#######################################################################
-# Group Membership Queries
-#######################################################################
-# group_membership_query - Check user group membership
-#######################################################################
-
-group_membership_query = "\
- SELECT GroupName \
- FROM ${usergroup_table} \
- WHERE UserName='%{SQL-User-Name}'"
-
-#######################################################################
-# Accounting and Post-Auth Queries
-#######################################################################
-# These queries insert/update accounting and authentication records.
-# The query to use is determined by the value of 'reference'.
-# This value is used as a configuration path and should resolve to one
-# or more 'query's. If reference points to multiple queries, and a query
-# fails, the next query is executed.
-#
-# Behaviour is identical to the old 1.x/2.x module, except we can now
-# fail between N queries, and query selection can be based on any
-# combination of attributes, or custom 'Acct-Status-Type' values.
-#######################################################################
-accounting {
- reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
-
- # Write SQL queries to a logfile. 
This is potentially useful for bulk inserts
- # when used with the rlm_sql_null driver.
-# logfile = ${logdir}/accounting.sql
-
- type {
- accounting-on {
- query = "\
- UPDATE ${....acct_table1} \
- SET \
- AcctStopTime = ${....event_timestamp}, \
- AcctSessionTime = ROUND((${....event_timestamp} - \
- TO_DATE(TO_CHAR(acctstarttime, 'yyyy-mm-dd hh24:mi:ss'),'yyyy-mm-dd hh24:mi:ss'))*86400), \
- AcctTerminateCause='%{%{Acct-Terminate-Cause}:-NAS-Reboot}', \
- AcctStopDelay = %{%{Acct-Delay-Time}:-0} \
- WHERE AcctStopTime IS NULL \
- AND NASIPAddress = '%{NAS-IP-Address}' \
- AND AcctStartTime <= ${....event_timestamp}"
- }
-
- accounting-off {
- query = "${..accounting-on.query}"
- }
-
- #
- # Implement the "sql_session_start" policy.
- # See raddb/policy.d/accounting for more details.
- #
- # You also need to fix the other queries as
- # documented below. Look for "sql_session_start".
- #
- post-auth {
- query = "\
- INSERT INTO ${....acct_table1} (\
- AcctSessionId, \
- AcctUniqueId, \
- UserName, \
- Realm, \
- NASIPAddress, \
- NASPortId, \
- NASPortType, \
- AcctStartTime, \
- AcctStopTime, \
- AcctSessionTime, \
- AcctAuthentic, \
- ConnectInfo_start, \
- ConnectInfo_stop, \
- AcctInputOctets, \
- AcctOutputOctets, \
- CalledStationId, \
- CallingStationId, \
- AcctTerminateCause, \
- ServiceType, \
- FramedProtocol, \
- FramedIPAddress, \
- FramedIPv6Address, \
- FramedIPv6Prefix, \
- FramedInterfaceId, \
- DelegatedIPv6Prefix) \
- VALUES(\
- '%{Acct-Session-Id}', \
- '%{Acct-Unique-Session-Id}', \
- '%{SQL-User-Name}', \
- '%{Realm}', \
- '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \
- '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
- '%{NAS-Port-Type}', \
- TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), \
- NULL, \
- 0, \
- '', \
- '%{Connect-Info}', \
- NULL, \
- 0, \
- 0, \
- '%{Called-Station-Id}', \
- '%{Calling-Station-Id}', \
- NULL, \
- '%{Service-Type}', \
- NULL, \
- '', \
- '', \
- '', \
- '', \
- '')"
-
- query = "\
- UPDATE ${....acct_table1} SET \
- 
AcctStartTime = TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), \
- ConnectInfo_start = '%{Connect-Info}', \
- AcctSessionId = '%{Acct-Session-Id}' \
- WHERE UserName = '%{SQL-User-Name}' \
- AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
- AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
- AND NASPortType = '%{NAS-Port-Type}' \
- AND AcctStopTime IS NULL"
- }
-
- start {
- query = "\
- INSERT INTO ${....acct_table1} (\
- RadAcctId, \
- AcctSessionId, \
- AcctUniqueId, \
- UserName, \
- Realm, \
- NASIPAddress, \
- NASPortId, \
- NASPortType, \
- AcctStartTime, \
- AcctStopTime, \
- AcctSessionTime, \
- AcctAuthentic, \
- ConnectInfo_start, \
- ConnectInfo_stop, \
- AcctInputOctets, \
- AcctOutputOctets, \
- CalledStationId, \
- CallingStationId, \
- AcctTerminateCause, \
- ServiceType, \
- FramedProtocol, \
- FramedIPAddress, \
- FramedIPv6Address, \
- FramedIPv6Prefix, \
- FramedInterfaceId, \
- DelegatedIPv6Prefix, \
- AcctStartDelay, \
- AcctStopDelay, \
- XAscendSessionSvrKey \
- ${..class.column_name}) \
- VALUES(\
- '', \
- '%{Acct-Session-Id}', \
- '%{Acct-Unique-Session-Id}', \
- '%{SQL-User-Name}', \
- '%{Realm}', \
- '%{NAS-IP-Address}', \
- '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
- '%{NAS-Port-Type}', \
- ${....event_timestamp}, \
- NULL, \
- '0', \
- '%{Acct-Authentic}', \
- '%{Connect-Info}', \
- '', \
- '0', \
- '0', \
- '%{Called-Station-Id}', \
- '%{Calling-Station-Id}', \
- '', \
- '%{Service-Type}', \
- '%{Framed-Protocol}', \
- '%{Framed-IP-Address}', \
- '%{Framed-IPv6-Address}', \
- '%{Framed-IPv6-Prefix}', \
- '%{Framed-Interface-Id}', \
- '%{Delegated-IPv6-Prefix}', \
- '%{Acct-Delay-Time}', \
- '0', \
- '%{X-Ascend-Session-Svr-Key}' \
- ${....class.packet_xlat})"
-
- #
- # When using "sql_session_start", you should comment out
- # the previous query, and enable this one.
- #
- # Just change the previous query to "-query",
- # and this one to "query". The previous one
- # will be ignored, and this one will be
- # enabled. 
- #
- -query = "\
- UPDATE ${....acct_table1} \
- SET \
- AcctSessionId = '%{Acct-Session-Id}', \
- AcctUniqueId = '%{Acct-Unique-Session-Id}', \
- AcctAuthentic = '%{Acct-Authentic}', \
- ConnectInfo_start = '%{Connect-Info}', \
- ServiceType = '%{Service-Type}', \
- FramedProtocol = '%{Framed-Protocol}', \
- FramedIPAddress = NULLIF('%{Framed-IP-Address}', ''), \
- FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', ''), \
- FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', ''), \
- FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \
- DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', ''), \
- AcctStartTime = TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), \
- AcctSessionTime = '0' \
- WHERE UserName = '%{SQL-User-Name}' \
- AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
- AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
- AND NASPortType = '%{NAS-Port-Type}' \
- AND AcctStopTime IS NULL"
-
- query = "\
- UPDATE ${....acct_table1} \
- SET \
- AcctStartTime = ${....event_timestamp}, \
- AcctStartDelay = '%{%{Acct-Delay-Time}:-0}', \
- ConnectInfo_start = '%{Connect-Info}' \
- WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \
- AND AcctStopTime IS NULL"
- }
-
- interim-update {
- query = "\
- UPDATE ${....acct_table1} \
- SET \
- FramedIPAddress = NULLIF('%{Framed-IP-Address}', ''), \
- FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', ''), \
- FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', ''), \
- FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \
- DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', ''), \
- AcctSessionTime = '%{Acct-Session-Time}', \
- AcctInputOctets = '%{Acct-Input-Octets}' + \
- ('%{%{Acct-Input-Gigawords}:-0}' * 4294967296), \
- AcctOutputOctets = '%{Acct-Output-Octets}' + \
- ('%{%{Acct-Output-Gigawords}:-0}' * 4294967296) \
- WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \
- AND AcctStopTime IS NULL"
-
- query = "\
- INSERT into ${....acct_table1} (\
- RadAcctId, \
- AcctSessionId, \
- 
AcctUniqueId, \
- UserName, \
- Realm, \
- NASIPAddress, \
- NASPortId, \
- NASPortType, \
- AcctStartTime, \
- AcctSessionTime, \
- AcctAuthentic, \
- ConnectInfo_start, \
- AcctInputOctets, \
- AcctOutputOctets, \
- CalledStationId, \
- CallingStationId, \
- ServiceType, \
- FramedProtocol, \
- FramedIPAddress, \
- FramedIPv6Address, \
- FramedIPv6Prefix, \
- FramedInterfaceId, \
- DelegatedIPv6Prefix, \
- AcctStartDelay, \
- XAscendSessionSvrKey \
- ${..class.column_name}) \
- VALUES(\
- '', \
- '%{Acct-Session-Id}', \
- '%{Acct-Unique-Session-Id}', \
- '%{SQL-User-Name}', \
- '%{Realm}', \
- '%{NAS-IP-Address}', \
- '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
- '%{NAS-Port-Type}', \
- NULL, \
- '%{Acct-Session-Time}', \
- '%{Acct-Authentic}', \
- '', \
- '%{Acct-Input-Octets}' + \
- ('%{%{Acct-Input-Gigawords}:-0}' * 4294967296), \
- '%{Acct-Output-Octets}' + \
- ('%{%{Acct-Output-Gigawords}:-0}' * 4294967296), \
- '%{Called-Station-Id}', \
- '%{Calling-Station-Id}', \
- '%{Service-Type}', \
- '%{Framed-Protocol}', \
- '%{Framed-IP-Address}', \
- '%{Framed-IPv6-Address}', \
- '%{Framed-IPv6-Prefix}', \
- '%{Framed-Interface-Id}', \
- '%{Delegated-IPv6-Prefix}', \
- '0', \
- '%{X-Ascend-Session-Svr-Key}' \
- ${....class.packet_xlat})"
-
- #
- # When using "sql_session_start", you should comment out
- # the previous query, and enable this one.
- #
- # Just change the previous query to "-query",
- # and this one to "query". The previous one
- # will be ignored, and this one will be
- # enabled. 
- #
- -query = "\
- UPDATE ${....acct_table1} \
- SET \
- AcctSessionId = '%{Acct-Session-Id}', \
- AcctUniqueId = '%{Acct-Unique-Session-Id}', \
- AcctAuthentic = '%{Acct-Authentic}', \
- ConnectInfo_start = '%{Connect-Info}', \
- ServiceType = '%{Service-Type}', \
- FramedProtocol = '%{Framed-Protocol}', \
- FramedIPAddress = NULLIF('%{Framed-IP-Address}', ''), \
- FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', ''), \
- FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', ''), \
- FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \
- DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', ''), \
- AcctSessionTime = '%{Acct-Session-Time}', \
- AcctInputOctets = '%{Acct-Input-Octets}' + \
- ('%{%{Acct-Input-Gigawords}:-0}' * 4294967296), \
- AcctOutputOctets = '%{Acct-Output-Octets}' + \
- ('%{%{Acct-Output-Gigawords}:-0}' * 4294967296) \
- WHERE UserName = '%{SQL-User-Name}' \
- AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
- AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
- AND NASPortType = '%{NAS-Port-Type}' \
- AND AcctStopTime IS NULL"
-
- }
-
- stop {
- query = "\
- UPDATE ${....acct_table2} \
- SET \
- AcctStopTime = ${....event_timestamp}, \
- AcctSessionTime = '%{Acct-Session-Time}', \
- AcctInputOctets = '%{Acct-Input-Octets}' + \
- ('%{%{Acct-Input-Gigawords}:-0}' * 4294967296), \
- AcctOutputOctets = '%{Acct-Output-Octets}' + \
- ('%{%{Acct-Output-Gigawords}:-0}' * 4294967296), \
- AcctTerminateCause = '%{Acct-Terminate-Cause}', \
- AcctStopDelay = '%{%{Acct-Delay-Time}:-0}', \
- ConnectInfo_stop = '%{Connect-Info}' \
- WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \
- AND AcctStopTime IS NULL"
-
- query = "\
- INSERT into ${....acct_table2} (\
- RadAcctId, \
- AcctSessionId, \
- AcctUniqueId, \
- UserName, \
- Realm, \
- NASIPAddress, \
- NASPortId, \
- NASPortType, \
- AcctStartTime, \
- AcctStopTime, \
- AcctSessionTime, \
- AcctAuthentic, \
- ConnectInfo_start, \
- ConnectInfo_stop, \
- AcctInputOctets, \
- 
AcctOutputOctets, \
- CalledStationId, \
- CallingStationId, \
- AcctTerminateCause, \
- ServiceType, \
- FramedProtocol, \
- FramedIPAddress, \
- FramedIPv6Address, \
- FramedIPv6Prefix, \
- FramedInterfaceId, \
- DelegatedIPv6Prefix, \
- AcctStartDelay, \
- AcctStopDelay \
- ${..class.column_name}) \
- VALUES(\
- '', \
- '%{Acct-Session-Id}', \
- '%{Acct-Unique-Session-Id}', \
- '%{SQL-User-Name}', \
- '%{Realm}', \
- '%{NAS-IP-Address}', \
- '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
- '%{NAS-Port-Type}', \
- NULL, \
- ${....event_timestamp}, \
- '%{Acct-Session-Time}', \
- '%{Acct-Authentic}', \
- NULL, \
- '%{Connect-Info}', \
- '%{Acct-Input-Octets}' + \
- ('%{%{Acct-Input-Gigawords}:-0}' * 4294967296), \
- '%{Acct-Output-Octets}' + \
- ('%{%{Acct-Output-Gigawords}:-0}' * 4294967296), \
- '%{Called-Station-Id}', \
- '%{Calling-Station-Id}', \
- '%{Acct-Terminate-Cause}', \
- '%{Service-Type}', \
- '%{Framed-Protocol}', \
- '%{Framed-IP-Address}', \
- '%{Framed-IPv6-Address}', \
- '%{Framed-IPv6-Prefix}', \
- '%{Framed-Interface-Id}', \
- '%{Delegated-IPv6-Prefix}', \
- '0', \
- '%{%{Acct-Delay-Time}:-0}' \
- ${....class.packet_xlat})"
-
- #
- # When using "sql_session_start", you should comment out
- # the previous query, and enable this one.
- #
- # Just change the previous query to "-query",
- # and this one to "query". The previous one
- # will be ignored, and this one will be
- # enabled. 
- #
- -query = "\
- UPDATE ${....acct_table1} \
- SET \
- AcctSessionId = '%{Acct-Session-Id}', \
- AcctUniqueId = '%{Acct-Unique-Session-Id}', \
- AcctAuthentic = '%{Acct-Authentic}', \
- ConnectInfo_start = '%{Connect-Info}', \
- ServiceType = '%{Service-Type}', \
- FramedProtocol = '%{Framed-Protocol}', \
- FramedIPAddress = NULLIF('%{Framed-IP-Address}', ''), \
- FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', ''), \
- FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', ''), \
- FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \
- DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', ''), \
- AcctStopTime = TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), \
- AcctSessionTime = '%{Acct-Session-Time}', \
- AcctInputOctets = '%{Acct-Input-Octets}' + \
- ('%{%{Acct-Input-Gigawords}:-0}' * 4294967296), \
- AcctOutputOctets = '%{Acct-Output-Octets}' + \
- ('%{%{Acct-Output-Gigawords}:-0}' * 4294967296), \
- AcctTerminateCause = '%{Acct-Terminate-Cause}', \
- ConnectInfo_stop = '%{Connect-Info}' \
- WHERE UserName = '%{SQL-User-Name}' \
- AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
- AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
- AND NASPortType = '%{NAS-Port-Type}' \
- AND AcctStopTime IS NULL"
-
- }
- }
-}
-
-#######################################################################
-# Authentication Logging Queries
-#######################################################################
-# postauth_query - Insert some info after authentication
-#######################################################################
-
-post-auth {
- # Write SQL queries to a logfile. This is potentially useful for bulk inserts
- # when used with the rlm_sql_null driver. 
-# logfile = ${logdir}/post-auth.sql
- query = "\
- INSERT INTO ${..postauth_table} \
- (username, pass, reply, authdate ${..class.column_name}) \
- VALUES (\
- '%{User-Name}', \
- '%{%{User-Password}:-%{Chap-Password}}', \
- '%{reply:Packet-Type}', \
- TO_TIMESTAMP('%S.%M','YYYY-MM-DDHH24:MI:SS.FF') \
- ${..class.reply_xlat})"
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/schema.sql
deleted file mode 100644
index 02d631e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/oracle/schema.sql
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * $Id: 96cde18d1c42057dfff65df9fff5f664790c4fcb $
- *
- * Oracle schema for FreeRADIUS
- *
- *
- * NOTE: Which columns are NULLable??
- */
-
-/*
- * Table structure for table 'radacct'
- */
-CREATE TABLE radacct (
- radacctid INT PRIMARY KEY,
- acctsessionid VARCHAR(96) NOT NULL,
- acctuniqueid VARCHAR(32),
- username VARCHAR(64) NOT NULL,
- realm VARCHAR(64),
- nasipaddress VARCHAR(15) NOT NULL,
- nasportid VARCHAR(32),
- nasporttype VARCHAR(32),
- acctstarttime TIMESTAMP WITH TIME ZONE,
- acctstoptime TIMESTAMP WITH TIME ZONE,
- acctsessiontime NUMERIC(19),
- acctauthentic VARCHAR(32),
- connectinfo_start VARCHAR(128),
- connectinfo_stop VARCHAR(128),
- acctinputoctets NUMERIC(19),
- acctoutputoctets NUMERIC(19),
- calledstationid VARCHAR(50),
- callingstationid VARCHAR(50),
- acctterminatecause VARCHAR(32),
- servicetype VARCHAR(32),
- framedprotocol VARCHAR(32),
- framedipaddress VARCHAR(15),
- framedipv6address VARCHAR(45),
- framedipv6prefix VARCHAR(45),
- framedinterfaceid VARCHAR(44),
- delegatedipv6prefix VARCHAR(45),
- acctstartdelay NUMERIC(12),
- acctstopdelay NUMERIC(12),
- XAscendSessionSvrKey VARCHAR(10),
- Class VARCHAR(64)
-);
-
-CREATE UNIUQE INDEX radacct_idx0
- ON radacct(acctuniqueid);
-CREATE UNIQUE INDEX radacct_idx1
- ON radacct(acctsessionid,username,acctstarttime,
- acctstoptime,nasipaddress,framedipaddress,framedipv6address,framedipv6prefix,framedinterfaceid,delegatedipv6prefix);
-CREATE INDEX radacct_idx2
- ON radacct(class);
-
-CREATE SEQUENCE radacct_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER radacct_serialnumber
- BEFORE INSERT OR UPDATE OF radacctid ON radacct
- FOR EACH ROW
- BEGIN
- if ( :new.radacctid = 0 or :new.radacctid is null ) then
- SELECT radacct_seq.nextval into :new.radacctid from dual;
- end if;
- END;
-/
-
-/*
- * Table structure for table 'radcheck'
- */
-CREATE TABLE radcheck (
- id INT PRIMARY KEY,
- username 
VARCHAR(30) NOT NULL,
- attribute VARCHAR(64),
- op VARCHAR(2) NOT NULL,
- value VARCHAR(40)
-);
-CREATE SEQUENCE radcheck_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER radcheck_serialnumber
- BEFORE INSERT OR UPDATE OF id ON radcheck
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT radcheck_seq.nextval into :new.id from dual;
- end if;
- END;
-/
-
-/*
- * Table structure for table 'radgroupcheck'
- */
-CREATE TABLE radgroupcheck (
- id INT PRIMARY KEY,
- groupname VARCHAR(20) NOT NULL,
- attribute VARCHAR(64),
- op CHAR(2) NOT NULL,
- value VARCHAR(40)
-);
-CREATE SEQUENCE radgroupcheck_seq START WITH 1 INCREMENT BY 1;
-
-/*
- * Table structure for table 'radgroupreply'
- */
-CREATE TABLE radgroupreply (
- id INT PRIMARY KEY,
- GroupName VARCHAR(20) NOT NULL,
- Attribute VARCHAR(64),
- op CHAR(2) NOT NULL,
- Value VARCHAR(40)
-);
-CREATE SEQUENCE radgroupreply_seq START WITH 1 INCREMENT BY 1;
-
-/*
- * Table structure for table 'radreply'
- */
-CREATE TABLE radreply (
- id INT PRIMARY KEY,
- UserName VARCHAR(30) NOT NULL,
- Attribute VARCHAR(64),
- op CHAR(2) NOT NULL,
- Value VARCHAR(40)
-);
-CREATE INDEX radreply_idx1 ON radreply(UserName);
-CREATE SEQUENCE radreply_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER radreply_serialnumber
- BEFORE INSERT OR UPDATE OF id ON radreply
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT radreply_seq.nextval into :new.id from dual;
- end if;
- END;
-/
-
-/*
- * Table structure for table 'radusergroup'
- */
-CREATE TABLE radusergroup (
- id INT PRIMARY KEY,
- UserName VARCHAR(30) NOT NULL,
- GroupName VARCHAR(30)
-);
-CREATE SEQUENCE radusergroup_seq START WITH 1 INCREMENT BY 1;
-
-/* Trigger to emulate a serial # on the primary key */
-CREATE OR REPLACE TRIGGER radusergroup_serialnumber
- BEFORE INSERT OR UPDATE OF id ON 
radusergroup
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT radusergroup_seq.nextval into :new.id from dual;
- end if;
- END;
-/
-
-
-CREATE TABLE radpostauth (
- id INT PRIMARY KEY,
- UserName VARCHAR(64) NOT NULL,
- Pass VARCHAR(64),
- Reply VARCHAR(64),
- AuthDate TIMESTAMP(6) WITH TIME ZONE,
- Class VARCHAR(64)
-);
-CREATE INDEX radpostauth_idx0
- ON radpostauth(UserName);
-CREATE INDEX radpostauth_idx1
- ON radpostauth(class);
-
-CREATE SEQUENCE radpostauth_seq START WITH 1 INCREMENT BY 1;
-
-CREATE OR REPLACE TRIGGER radpostauth_TRIG
- BEFORE INSERT OR UPDATE OF id ON radpostauth
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT radpostauth_seq.nextval into :new.id from dual;
- end if;
- if (:new.AuthDate is null) then
- select systimestamp into :new.AuthDate from dual;
- end if;
- END;
-
-/
-
-/*
- * Table structure for table 'nas'
- */
-CREATE TABLE nas (
- id INT PRIMARY KEY,
- nasname VARCHAR(128),
- shortname VARCHAR(32),
- type VARCHAR(30),
- ports INT,
- secret VARCHAR(60),
- server VARCHAR(64),
- community VARCHAR(50),
- description VARCHAR(200)
-);
-CREATE SEQUENCE nas_seq START WITH 1 INCREMENT BY 1;
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql
deleted file mode 100644
index 83ce90e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * $Id: 0fabd43981d1622013811200ea73bc08e11b057d $
- *
- * --- Peter Nixon [ codemonkey@peternixon.net ]
- *
- * This is a custom SQL schema for doing H323 and SIP VoIP accounting
- * with FreeRadius and Cisco equipment. It is currently known to work
- * with 3640, 5300 and 5350 series as well as CSPS (Cisco SIP Proxy
- * Server). It will scale A LOT better than the default radius schema
- * which is designed for simple dialup installations of FreeRadius.
- *
- * For this schema to work properly you MUST use
- * raddb/mods-config/sql/postgresql/voip-postpaid.conf rather than
- * raddb/mods-config/sql/postgresql/dialup.conf
- *
- * If you wish to do RADIUS Authentication using the same database,
- * you MUST use use raddb/mods-config/sql/postgresql/schema.sql as well as this schema.
- */
-
-/*
- * Table structure for 'Start' tables
- */
-
-CREATE TABLE StartVoIP (
- RadAcctId BIGSERIAL PRIMARY KEY,
- AcctTime TIMESTAMP with time zone NOT NULL,
- h323SetupTime TIMESTAMP with time zone,
- H323ConnectTime TIMESTAMP with time zone,
- UserName VARCHAR(64),
- RadiusServerName VARCHAR(32),
- NASIPAddress INET NOT NULL,
- CalledStationId VARCHAR(80),
- CallingStationId VARCHAR(80),
- AcctDelayTime INTEGER,
- H323GWID VARCHAR(32),
- h323CallOrigin VARCHAR(10),
- CallID VARCHAR(80) NOT NULL,
- processed BOOLEAN DEFAULT false
-);
-create index startvoipcombo on startvoip (AcctTime, nasipaddress);
-
-
-CREATE TABLE StartTelephony (
- RadAcctId BIGSERIAL PRIMARY KEY,
- AcctTime TIMESTAMP with time zone NOT NULL,
- h323SetupTime TIMESTAMP with time zone,
- H323ConnectTime TIMESTAMP with time zone,
- UserName VARCHAR(64),
- RadiusServerName VARCHAR(32),
- NASIPAddress INET NOT NULL,
- CalledStationId VARCHAR(80),
- CallingStationId VARCHAR(80),
- AcctDelayTime INTEGER,
- H323GWID VARCHAR(32),
- h323CallOrigin VARCHAR(10),
- CallID VARCHAR(80) NOT NULL,
- processed BOOLEAN DEFAULT false
-);
-create index starttelephonycombo on starttelephony (AcctTime, 
nasipaddress);
-
-
-
-/*
- * Table structure for 'Stop' tables
- */
-CREATE TABLE StopVoIP (
- RadAcctId BIGSERIAL PRIMARY KEY,
- AcctTime TIMESTAMP with time zone NOT NULL,
- H323SetupTime TIMESTAMP with time zone,
- H323ConnectTime TIMESTAMP with time zone,
- H323DisconnectTime TIMESTAMP with time zone,
- UserName VARCHAR(32),
- RadiusServerName VARCHAR(32),
- NASIPAddress INET NOT NULL,
- AcctSessionTime BIGINT,
- AcctInputOctets BIGINT,
- AcctOutputOctets BIGINT,
- CalledStationId VARCHAR(80),
- CallingStationId VARCHAR(80),
- AcctDelayTime SMALLINT,
- CiscoNASPort VARCHAR(1),
- H323GWID VARCHAR(32),
- H323CallOrigin VARCHAR(10),
- H323DisconnectCause VARCHAR(20),
- H323RemoteAddress INET,
- H323VoiceQuality INTEGER,
- CallID VARCHAR(80) NOT NULL,
- processed BOOLEAN DEFAULT false
-);
-create UNIQUE index stopvoipcombo on stopvoip (AcctTime, nasipaddress, CallID);
-
-
-CREATE TABLE StopTelephony (
- RadAcctId BIGSERIAL PRIMARY KEY,
- AcctTime TIMESTAMP with time zone NOT NULL,
- H323SetupTime TIMESTAMP with time zone NOT NULL,
- H323ConnectTime TIMESTAMP with time zone NOT NULL,
- H323DisconnectTime TIMESTAMP with time zone NOT NULL,
- UserName VARCHAR(32) DEFAULT '' NOT NULL,
- RadiusServerName VARCHAR(32),
- NASIPAddress INET NOT NULL,
- AcctSessionTime BIGINT,
- AcctInputOctets BIGINT,
- AcctOutputOctets BIGINT,
- CalledStationId VARCHAR(80),
- CallingStationId VARCHAR(80),
- AcctDelayTime SMALLINT,
- CiscoNASPort VARCHAR(16),
- H323GWID VARCHAR(32),
- H323CallOrigin VARCHAR(10),
- H323DisconnectCause VARCHAR(20),
- H323RemoteAddress INET,
- H323VoiceQuality INTEGER,
- CallID VARCHAR(80) NOT NULL,
- processed BOOLEAN DEFAULT false
-);
--- You can have more than one record that is identical except for CiscoNASPort if you have a dial peer hungroup
--- configured for multiple PRIs. 
-create UNIQUE index stoptelephonycombo on stoptelephony (AcctTime, nasipaddress, CallID, CiscoNASPort);
-
-/*
- * Table structure for 'gateways'
- *
- * This table should list the IP addresses, names and locations of all your gateways
- * This can be used to make more useful reports.
- *
- * Note: This table should be removed in favour of using the "nas" table.
- */
-
-CREATE TABLE gateways (
- gw_ip INET NOT NULL,
- gw_name VARCHAR(32) NOT NULL,
- gw_city VARCHAR(32)
-);
-
-
-/*
- * Table structure for 'customers'
- *
- * This table should list your Customers names and company
- * This can be used to make more useful reports.
- */
-
-CREATE TABLE customers (
- cust_id SERIAL NOT NULL,
- company VARCHAR(32),
- customer VARCHAR(32)
-);
-
-/*
- * Table structure for 'cust_gw'
- *
- * This table should list the IP addresses and Customer IDs of all your Customers gateways
- * This can be used to make more useful reports.
- */
-
-CREATE TABLE cust_gw (
- cust_gw INET PRIMARY KEY,
- cust_id INTEGER NOT NULL,
- "location" VARCHAR(32)
-);
-
-
-CREATE VIEW customerip AS
- SELECT gw.cust_gw AS ipaddr, cust.company, cust.customer, gw."location" FROM customers cust, cust_gw gw WHERE (cust.cust_id = gw.cust_id);
-
-
--- create plpgsql language (You need to be a database superuser to be able to do this)
-CREATE FUNCTION "plpgsql_call_handler" () RETURNS LANGUAGE_HANDLER AS '$libdir/plpgsql' LANGUAGE C;
-CREATE TRUSTED LANGUAGE "plpgsql" HANDLER "plpgsql_call_handler";
-
-/*
- * Function 'strip_dot'
- * removes "." from the start of cisco timestamps
- *
- * From the cisco website:
- * "A timestamp that is preceded by an asterisk (*) or a dot (.) may not be accurate.
- * An asterisk (*) means that after a gateway reboot, the gateway clock was not manually set
- * and the gateway has not synchronized with an NTP server yet. A dot (.) means the gateway
- * NTP has lost synchronization with an NTP server." 
- *
- * We therefore do not bother to strip asterisks (*) from timestamps, as you NEED ntp setup
- * unless you don't care about billing at all!
- *
- * * Example useage:
- * insert into mytable values (strip_dot('.16:46:02.356 EET Wed Dec 11 2002'));
- *
- */
-
-
-CREATE OR REPLACE FUNCTION strip_dot (VARCHAR) RETURNS TIMESTAMPTZ AS '
- DECLARE
- original_timestamp ALIAS FOR $1;
- BEGIN
- IF original_timestamp = '''' THEN
- RETURN NULL;
- END IF;
- IF substring(original_timestamp from 1 for 1) = ''.'' THEN
- RETURN substring(original_timestamp from 2);
- ELSE
- RETURN original_timestamp;
- END IF;
- END;
-' LANGUAGE 'plpgsql';
-
-
-CREATE OR REPLACE FUNCTION pick_id (VARCHAR, VARCHAR) RETURNS VARCHAR AS '
- DECLARE
- h323confid ALIAS FOR $1;
- callid ALIAS FOR $2;
- BEGIN
- IF h323confid <> '''' THEN
- RETURN h323confid;
- END IF;
- IF callid <> '''' THEN
- RETURN callid;
- END IF;
- RETURN NULL;
- END;
-' LANGUAGE 'plpgsql';
-
-
-
-/*
- * Table structure for 'isdn_error_codes' table
- *
- * Taken from cisco.com this data can be JOINED against h323DisconnectCause to
- * give human readable error reports. 
- *
- */
-
-
-CREATE TABLE isdn_error_codes (
- error_code VARCHAR(2) PRIMARY KEY,
- desc_short VARCHAR(90),
- desc_long TEXT
-);
-
-/*
- * Data for 'isdn_error_codes' table
- */
-
-INSERT INTO isdn_error_codes VALUES ('1', 'Unallocated (unassigned) number', 'The ISDN number was sent to the switch in the correct format; however, the number is not assigned to any destination equipment.');
-INSERT INTO isdn_error_codes VALUES ('10', 'Normal call clearing', 'Normal call clearing has occurred.');
-INSERT INTO isdn_error_codes VALUES ('11', 'User busy', 'The called system acknowledges the connection request but is unable to accept the call because all B channels are in use.');
-INSERT INTO isdn_error_codes VALUES ('12', 'No user responding', 'The connection cannot be completed because the destination does not respond to the call.');
-INSERT INTO isdn_error_codes VALUES ('13', 'No answer from user (user alerted)', 'The destination responds to the connection request but fails to complete the connection within the prescribed time. The problem is at the remote end of the connection.');
-INSERT INTO isdn_error_codes VALUES ('15', 'Call rejected', 'The destination is capable of accepting the call but rejected the call for an unknown reason.');
-INSERT INTO isdn_error_codes VALUES ('16', 'Number changed', 'The ISDN number used to set up the call is not assigned to any system.');
-INSERT INTO isdn_error_codes VALUES ('1A', 'Non-selected user clearing', 'The destination is capable of accepting the call but rejected the call because it was not assigned to the user.');
-INSERT INTO isdn_error_codes VALUES ('1B', 'Designation out of order', 'The destination cannot be reached because the interface is not functioning correctly, and a signaling message cannot be delivered. This might be a temporary condition, but it could last for an extended period of time. 
For example, the remote equipment might be turned off.');
-INSERT INTO isdn_error_codes VALUES ('1C', 'Invalid number format', 'The connection could be established because the destination address was presented in an unrecognizable format or because the destination address was incomplete.');
-INSERT INTO isdn_error_codes VALUES ('1D', 'Facility rejected', 'The facility requested by the user cannot be provided by the network.');
-INSERT INTO isdn_error_codes VALUES ('1E', 'Response to STATUS ENQUIRY', 'The status message was generated in direct response to the prior receipt of a status enquiry message.');
-INSERT INTO isdn_error_codes VALUES ('1F', 'Normal, unspecified', 'Reports the occurrence of a normal event when no standard cause applies. No action required.');
-INSERT INTO isdn_error_codes VALUES ('2', 'No route to specified transit network', 'The ISDN exchange is asked to route the call through an unrecognized intermediate network.');
-INSERT INTO isdn_error_codes VALUES ('22', 'No circuit/channel available', 'The connection cannot be established because no appropriate channel is available to take the call.');
-INSERT INTO isdn_error_codes VALUES ('26', 'Network out of order', 'The destination cannot be reached because the network is not functioning correctly, and the condition might last for an extended period of time. An immediate reconnect attempt will probably be unsuccessful.');
-INSERT INTO isdn_error_codes VALUES ('29', 'Temporary failure', 'An error occurred because the network is not functioning correctly. 
The problem will be resolved shortly.');
-INSERT INTO isdn_error_codes VALUES ('2A', 'Switching equipment congestion', 'The destination cannot be reached because the network switching equipment is temporarily overloaded.');
-INSERT INTO isdn_error_codes VALUES ('2B', 'Access information discarded', 'The network cannot provide the requested access information.');
-INSERT INTO isdn_error_codes VALUES ('2C', 'Requested circuit/channel not available', 'The remote equipment cannot provide the requested channel for an unknown reason. This might be a temporary problem.');
-INSERT INTO isdn_error_codes VALUES ('2F', 'Resources unavailable, unspecified', 'The requested channel or service is unavailable for an unknown reason. This might be a temporary problem.');
-INSERT INTO isdn_error_codes VALUES ('3', 'No route to destination', 'The call was routed through an intermediate network that does not serve the destination address.');
-INSERT INTO isdn_error_codes VALUES ('31', 'Quality of service unavailable', 'The requested quality of service cannot be provided by the network. This might be a subscription problem.');
-INSERT INTO isdn_error_codes VALUES ('32', 'Requested facility not subscribed', 'The remote equipment supports the requested supplementary service by subscription only.');
-INSERT INTO isdn_error_codes VALUES ('39', 'Bearer capability not authorized', 'The user requested a bearer capability that the network provides, but the user is not authorized to use it. This might be a subscription problem.');
-INSERT INTO isdn_error_codes VALUES ('3A', 'Bearer capability not presently available', 'The network normally provides the requested bearer capability, but it is unavailable at the present time. 
This might be due to a temporary network problem or to a subscription problem.'); -INSERT INTO isdn_error_codes VALUES ('3F', 'Service or option not available, unspecified', 'The network or remote equipment was unable to provide the requested service option for an unspecified reason. This might be a subscription problem.'); -INSERT INTO isdn_error_codes VALUES ('41', 'Bearer capability not implemented', 'The network cannot provide the bearer capability requested by the user.'); -INSERT INTO isdn_error_codes VALUES ('42', 'Channel type not implemented', 'The network or the destination equipment does not support the requested channel type.'); -INSERT INTO isdn_error_codes VALUES ('45', 'Requested facility not implemented', 'The remote equipment does not support the requested supplementary service.'); -INSERT INTO isdn_error_codes VALUES ('46', 'Only restricted digital information bearer capability is available', 'The network is unable to provide unrestricted digital information bearer capability.'); -INSERT INTO isdn_error_codes VALUES ('4F', 'Service or option not implemented, unspecified', 'The network or remote equipment is unable to provide the requested service option for an unspecified reason. This might be a subscription problem.'); -INSERT INTO isdn_error_codes VALUES ('51', 'Invalid call reference value', 'The remote equipment received a call with a call reference that is not currently in use on the user-network interface.'); -INSERT INTO isdn_error_codes VALUES ('52', 'Identified channel does not exist', 'The receiving equipment is requested to use a channel that is not activated on the interface for calls.'); -INSERT INTO isdn_error_codes VALUES ('53', 'A suspended call exists, but this call identity does not', 'The network received a call resume request. 
The call resume request contained a Call Identify information element that indicates that the call identity is being used for a suspended call.'); -INSERT INTO isdn_error_codes VALUES ('54', 'Call identity in use', 'The network received a call resume request. The call resume request contained a Call Identify information element that indicates that it is in use for a suspended call.'); -INSERT INTO isdn_error_codes VALUES ('55', 'No call suspended', 'The network received a call resume request when there was not a suspended call pending. This might be a transient error that will be resolved by successive call retries.'); -INSERT INTO isdn_error_codes VALUES ('56', 'Call having the requested call identity has been cleared', 'The network received a call resume request. The call resume request contained a Call Identity information element, which once indicated a suspended call. However, the suspended call was cleared either by timeout or by the remote user.'); -INSERT INTO isdn_error_codes VALUES ('58', 'Incompatible destination', 'Indicates that an attempt was made to connect to non-ISDN equipment. For example, to an analog line.'); -INSERT INTO isdn_error_codes VALUES ('5B', 'Invalid transit network selection', 'The ISDN exchange was asked to route the call through an unrecognized intermediate network.'); -INSERT INTO isdn_error_codes VALUES ('5F', 'Invalid message, unspecified', 'An invalid message was received, and no standard cause applies. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.'); -INSERT INTO isdn_error_codes VALUES ('6', 'Channel unacceptable', 'The service quality of the specified channel is insufficient to accept the connection.'); -INSERT INTO isdn_error_codes VALUES ('60', 'Mandatory information element is missing', 'The receiving equipment received a message that did not include one of the mandatory information elements. This is usually due to a D-channel error. 
If this error occurs systematically, report it to your ISDN service provider.'); -INSERT INTO isdn_error_codes VALUES ('61', 'Message type non-existent or not implemented', 'The receiving equipment received an unrecognized message, either because the message type was invalid or because the message type was valid but not supported. The cause is due to either a problem with the remote configuration or a problem with the local D channel.'); -INSERT INTO isdn_error_codes VALUES ('62', 'Message not compatible with call state or message type non-existent or not implemented', 'The remote equipment received an invalid message, and no standard cause applies. This cause is due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.'); -INSERT INTO isdn_error_codes VALUES ('63', 'Information element non-existent or not implemented', 'The remote equipment received a message that includes information elements, which were not recognized. This is usually due to a D-channel error. If this error occurs systematically, report it to your ISDN service provider.'); -INSERT INTO isdn_error_codes VALUES ('64', 'Invalid information element contents', 'The remote equipment received a message that includes invalid information in the information element. This is usually due to a D-channel error.'); -INSERT INTO isdn_error_codes VALUES ('65', 'Message not compatible with call state', 'The remote equipment received an unexpected message that does not correspond to the current state of the connection. This is usually due to a D-channel error.'); -INSERT INTO isdn_error_codes VALUES ('66', 'Recovery on timer expires', 'An error-handling (recovery) procedure was initiated by a timer expiry. 
This is usually a temporary problem.'); -INSERT INTO isdn_error_codes VALUES ('6F', 'Protocol error, unspecified', 'An unspecified D-channel error when no other standard cause applies.'); -INSERT INTO isdn_error_codes VALUES ('7', 'Call awarded and being delivered in an established channel', 'The user is assigned an incoming call that is being connected to an already-established call channel.'); -INSERT INTO isdn_error_codes VALUES ('7F', 'Internetworking, unspecified', 'An event occurred, but the network does not provide causes for the action that it takes. The precise problem is unknown.'); - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf deleted file mode 100644 index 6ae361d..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf +++ /dev/null 
@@ -1,70 +0,0 @@
-# -*- text -*-
-##
-## voip-postpaid.conf -- PostgreSQL configuration for H323 VoIP billingx
-## (cisco_h323_db_schema.sql)
-##
-## $Id: 9f1449cc37d80e37025bdfd08fbd4d028aa0c800 $
-
-
- #######################################################################
- # Query config: Username
- #######################################################################
- # This is the username that will get substituted, escaped, and added
- # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
- # everywhere a username substitution is needed so you you can be sure
- # the username passed from the client is escaped properly.
- #
- # Uncomment the next line, if you want the sql_user_name to mean:
- #
- # Use Stripped-User-Name, if it's there.
- # Else use User-Name, if it's there,
- # Else use hard-coded string "none" as the user name.
- #
- #sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
- #
- sql_user_name = "%{User-Name}"
-
- accounting {
- reference = "%{tolower:type.%{Acct-Status-Type}.query}"
-
- # Write SQL queries to a logfile. This is potentially useful for bulk inserts
- # when used with the rlm_sql_null driver.
-# logfile = ${logdir}/accounting.sql
-
- type {
- start {
- query = "INSERT INTO ${....acct_table1}%{h323-call-type} \
- (RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, \
- CallingStationId, AcctDelayTime, h323gwid, h323callorigin, \
- h323setuptime, H323ConnectTime, callid) \
- VALUES(\
- '${radius_server_name}', '%{SQL-User-Name}', \
- '%{NAS-IP-Address}', now(), '%{Called-Station-Id}', \
- '%{Calling-Station-Id}', '%{%{Acct-Delay-Time}:-0}', '%{h323-gw-id}', \
- '%{h323-call-origin}', strip_dot('%{h323-setup-time}'), \
- strip_dot('%{h323-connect-time}'), pick_id('%{h323-conf-id}', \
- '%{call-id}'))"
- }
-
- stop {
- query = "INSERT INTO $....acct_table2}%{h323-call-type} \
- (RadiusServerName, UserName, NASIPAddress, AcctTime, \
- AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId, \
- CallingStationId, AcctDelayTime, H323RemoteAddress, H323VoiceQuality, \
- CiscoNASPort, h323callorigin, callid, h323connecttime, \
- h323disconnectcause, h323disconnecttime, h323gwid, h323setuptime) \
- VALUES(\
- '${radius_server_name}', '%{SQL-User-Name}', '%{NAS-IP-Address}', \
- NOW(), '%{%{Acct-Session-Time}:-0}', \
- '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Octets}:-0}', \
- '%{Called-Station-Id}', '%{Calling-Station-Id}', \
- '%{%{Acct-Delay-Time}:-0}', NULLIF('%{h323-remote-address}', '')::inet, \
- NULLIF('%{h323-voice-quality}','')::integer, \
- NULLIF('%{Cisco-NAS-Port}', ''), \
- '%{h323-call-origin}', pick_id('%{h323-conf-id}', '%{call-id}'), \
- strip_dot('%{h323-connect-time}'), '%{h323-disconnect-cause}', \
- strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}', \
- strip_dot('%{h323-setup-time}'))"
- }
- }
- }
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/process-radacct.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/process-radacct.sql
deleted file mode 100644
index ba93f0e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/process-radacct.sql
+++ /dev/null
@@ -1,138 +0,0 @@ -# -*- text -*- -# -# main/postgresql/process-radacct.sql -- Schema extensions for processing radacct entries -# -# $Id: 19c79578329f5de63f7e3248131e413ee6e0038d $ - --- --------------------------------- --- - Per-user data usage over time - --- --------------------------------- --- --- An extension to the standard schema to hold per-user data usage statistics --- for arbitrary periods. --- --- The data_usage_by_period table is populated by periodically calling the --- fr_new_data_usage_period stored procedure. --- --- This table can be queried in various ways to produce reports of aggregate --- data use over time. For example, if the fr_new_data_usage_period SP is --- invoked one per day just after midnight, to produce usage data with daily --- granularity, then a reasonably accurate monthly bandwidth summary for a --- given user could be obtained by queriing this table with: --- --- SELECT --- TO_CHAR(CURRENT_TIMESTAMP, 'YYYY-Month') AS month, --- TRUNC(SUM(acctinputoctets)/1000/1000/1000,9) AS gb_in, --- TRUNC(SUM(acctoutputoctets)/1000/1000/1000,9) AS gb_out --- FROM --- data_usage_by_period --- WHERE --- username='bob' AND --- period_end IS NOT NULL --- GROUP BY --- month; --- --- month | gb_in | gb_out --- ----------------+-------------+-------------- --- 2019-July | 5.782279231 | 50.545664824 --- 2019-August | 4.230543344 | 48.523096424 --- 2019-September | 4.847360599 | 48.631835488 --- 2019-October | 6.456763254 | 51.686231937 --- 2019-November | 6.362537735 | 52.385710572 --- 2019-December | 4.301524442 | 50.762240277 --- 2020-January | 5.436280545 | 49.067775286 --- (7 rows) --- -CREATE TABLE data_usage_by_period ( - username text, - period_start timestamp with time zone, - period_end timestamp with time zone, - acctinputoctets bigint, - acctoutputoctets bigint -); -ALTER TABLE data_usage_by_period ADD CONSTRAINT data_usage_by_period_pkey PRIMARY KEY (username, period_start); -CREATE INDEX data_usage_by_period_pkey_period_end ON 
data_usage_by_period(period_end); - - --- --- Stored procedure that when run with some arbitrary frequency, say --- once per day by cron, will process the recent radacct entries to extract --- time-windowed data containing acct{input,output}octets ("data usage") per --- username, per period. --- --- Each invocation will create new rows in the data_usage_by_period tables --- containing the data used by each user since the procedure was last invoked. --- The intervals do not need to be identical but care should be taken to --- ensure that the start/end of each period aligns well with any intended --- reporting intervals. --- --- It can be invoked by running: --- --- SELECT fr_new_data_usage_period(); --- --- -CREATE OR REPLACE FUNCTION fr_new_data_usage_period () -RETURNS void -LANGUAGE plpgsql -AS $$ -DECLARE v_start timestamp; -DECLARE v_end timestamp; -BEGIN - - SELECT COALESCE(MAX(period_end) + INTERVAL '1 SECOND', TO_TIMESTAMP(0)) INTO v_start FROM data_usage_by_period; - SELECT DATE_TRUNC('second',CURRENT_TIMESTAMP) INTO v_end; - - -- - -- Add the data usage for the sessions that were active in the current - -- period to the table. Include all sessions that finished since the start - -- of this period as well as those still ongoing. 
- -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT * - FROM ( - SELECT - username, - v_start, - v_end, - SUM(acctinputoctets) AS acctinputoctets, - SUM(acctoutputoctets) AS acctoutputoctets - FROM - radacct - WHERE - acctstoptime > v_start OR - acctstoptime IS NULL - GROUP BY - username - ) AS s - ON CONFLICT ON CONSTRAINT data_usage_by_period_pkey - DO UPDATE - SET - acctinputoctets = data_usage_by_period.acctinputoctets + EXCLUDED.acctinputoctets, - acctoutputoctets = data_usage_by_period.acctoutputoctets + EXCLUDED.acctoutputoctets, - period_end = v_end; - - -- - -- Create an open-ended "next period" for all ongoing sessions and carry a - -- negative value of their data usage to avoid double-accounting when we - -- process the next period. Their current data usage has already been - -- allocated to the current and possibly previous periods. - -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT * - FROM ( - SELECT - username, - v_end + INTERVAL '1 SECOND', - NULL::timestamp, - 0 - SUM(acctinputoctets), - 0 - SUM(acctoutputoctets) - FROM - radacct - WHERE - acctstoptime IS NULL - GROUP BY - username - ) AS s; - -END -$$; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/queries.conf deleted file mode 100644 index 3403125..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/queries.conf +++ /dev/null 
@@ -1,699 +0,0 @@ -# -*- text -*- -# -# main/postgresql/queries.conf -- PostgreSQL configuration for default schema (schema.sql) -# -# $Id: 2f0f463e6fdc5b72b33fbbd5211da509e85ed08e $ - -# Use the driver specific SQL escape method. -# -# If you enable this configuration item, the "safe_characters" -# configuration is ignored. FreeRADIUS then uses the PostgreSQL escape -# functions to escape input strings. The only downside to making this -# change is that the PostgreSQL escaping method is not the same the one -# used by FreeRADIUS. So characters which are NOT in the -# "safe_characters" list will now be stored differently in the database. -# -#auto_escape = yes - -# Safe characters list for sql queries. Everything else is replaced -# with their mime-encoded equivalents. -# The default list should be ok -# Using 'auto_escape' is preferred -# safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" - -####################################################################### -# Query config: Username -####################################################################### -# This is the username that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used -# below everywhere a username substitution is needed so you you can -# be sure the username passed from the client is escaped properly. -# -# Uncomment the next line, if you want the sql_user_name to mean: -# -# Use Stripped-User-Name, if it's there. -# Else use User-Name, if it's there, -# Else use hard-coded string "none" as the user name. -# -#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}" - -sql_user_name = "%{User-Name}" - -####################################################################### -# Query config: Event-Timestamp -####################################################################### -# event_timestamp_epoch is the basis for the time inserted into -# accounting records. 
Typically this will be the Event-Timestamp of the -# accounting request, which is usually provided by a NAS. -# -# Uncomment the next line, if you want the timestamp to be based on the -# request reception time recorded by this server, for example if you -# distrust the provided Event-Timestamp. -#event_timestamp_epoch = "%l" - -event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}" - -# event_timestamp is the SQL snippet for converting an epoch timestamp -# to an SQL date. - -event_timestamp = "TO_TIMESTAMP(${event_timestamp_epoch})" - -####################################################################### -# Query config: Class attribute -####################################################################### -# -# 3.0.22 and later have a "class" column in the accounting table. -# -# However, we do NOT want to break existing configurations by adding -# the Class attribute to the default queries. If we did that, then -# systems using newer versions of the server would fail, because -# there is no "class" column in their accounting tables. -# -# The solution to that is the following "class" subsection. If your -# database has a "class" column for the various tables, then you can -# uncomment the configuration items here. The queries below will -# then automatically insert the Class attribute into radacct, -# radpostauth, etc. -# -class { - # - # Delete the '#' character from each of the configuration - # items in this section. This change puts the Class - # attribute into the various tables. Leave the double-quoted - # string there, as the value for the configuration item. - # - # See also policy.d/accounting, and the "insert_acct_class" - # policy. You will need to list (or uncomment) - # "insert_acct_class" in the "post-auth" section in order to - # create a Class attribute. 
- # - column_name = # ", Class" - packet_xlat = # ", '%{Class}'" - reply_xlat = # ", '%{reply:Class}'" -} - -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. -# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming -# packets, not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -# default_user_profile = "DEFAULT" - -####################################################################### -# Open Query -####################################################################### -# This query is run whenever a new connection is opened. -# It is commented out by default. -# -# If you have issues with connections hanging for too long, uncomment -# the next line, and set the timeout in milliseconds. As a general -# rule, if the queries take longer than a second, something is wrong -# with the database. 
-#open_query = "set statement_timeout to 1000" - -####################################################################### -# NAS Query -####################################################################### -# This query retrieves the radius clients -# -# 0. Row ID (currently unused) -# 1. Name (or IP address) -# 2. Shortname -# 3. Type -# 4. Secret -# 5. Server -####################################################################### - -client_query = "\ - SELECT id, nasname, shortname, type, secret, server \ - FROM ${client_table}" - -####################################################################### -# Authorization Queries -####################################################################### -# These queries compare the check items for the user -# in ${authcheck_table} and setup the reply items in -# ${authreply_table}. You can use any query/tables -# you want, but the return data for each row MUST -# be in the following order: -# -# 0. Row ID (currently unused) -# 1. UserName/GroupName -# 2. Item Attr Name -# 3. Item Attr Value -# 4. Item Attr Operation -####################################################################### - -# -# Use these for case insensitive usernames. WARNING: Slower queries! -# -#authorize_check_query = "\ -# SELECT id, UserName, Attribute, Value, Op \ -# FROM ${authcheck_table} \ -# WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \ -# ORDER BY id" - -#authorize_reply_query = "\ -# SELECT id, UserName, Attribute, Value, Op \ -# FROM ${authreply_table} \ -# WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \ -# ORDER BY id" - -authorize_check_query = "\ - SELECT id, UserName, Attribute, Value, Op \ - FROM ${authcheck_table} \ - WHERE Username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_reply_query = "\ - SELECT id, UserName, Attribute, Value, Op \ - FROM ${authreply_table} \ - WHERE Username = '%{SQL-User-Name}' \ - ORDER BY id" - -# -# Use these for case insensitive usernames. WARNING: Slower queries! 
-# -#authorize_group_check_query = "\ -# SELECT \ -# ${groupcheck_table}.id, ${groupcheck_table}.GroupName, ${groupcheck_table}.Attribute, \ -# ${groupcheck_table}.Value, ${groupcheck_table}.Op \ -# FROM ${groupcheck_table}, ${usergroup_table} \ -# WHERE LOWER(${usergroup_table}.UserName) = LOWER('%{SQL-User-Name}') \ -# AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \ -# ORDER BY ${groupcheck_table}.id" - -#authorize_group_reply_query = "\ -# SELECT \ -# ${groupreply_table}.id, ${groupreply_table}.GroupName, \ -# ${groupreply_table}.Attribute, ${groupreply_table}.Value, ${groupreply_table}.Op \ -# FROM ${groupreply_table}, ${usergroup_table} \ -# WHERE LOWER(${usergroup_table}.UserName) = LOWER('%{SQL-User-Name}') \ -# AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \ -# ORDER BY ${groupreply_table}.id" - -authorize_group_check_query = "\ - SELECT id, GroupName, Attribute, Value, op \ - FROM ${groupcheck_table} \ - WHERE GroupName = '%{${group_attribute}}' \ - ORDER BY id" - -authorize_group_reply_query = "\ - SELECT id, GroupName, Attribute, Value, op \ - FROM ${groupreply_table} \ - WHERE GroupName = '%{${group_attribute}}' \ - ORDER BY id" - -####################################################################### -# Simultaneous Use Checking Queries -####################################################################### -# simul_count_query - query for the number of current connections -# - If this is not defined, no simultaneous use checking -# - will be performed by this module instance -# simul_verify_query - query to return details of current connections for verification -# - Leave blank or commented out to disable verification step -# - Note that the returned field order should not be changed. 
-####################################################################### - -simul_count_query = "\ - SELECT COUNT(*) \ - FROM ${acct_table1} \ - WHERE UserName='%{SQL-User-Name}' \ - AND AcctStopTime IS NULL" - -simul_verify_query = "\ - SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, \ - FramedProtocol \ - FROM ${acct_table1} \ - WHERE UserName='%{SQL-User-Name}' \ - AND AcctStopTime IS NULL" - -####################################################################### -# Group Membership Queries -####################################################################### -# group_membership_query - Check user group membership -####################################################################### - -# Use these for case insensitive usernames. WARNING: Slower queries! -#group_membership_query = "\ -# SELECT GroupName \ -# FROM ${usergroup_table} \ -# WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \ -# ORDER BY priority" - -group_membership_query = "\ - SELECT GroupName \ - FROM ${usergroup_table} \ - WHERE UserName='%{SQL-User-Name}' \ - ORDER BY priority" - -####################################################################### -# Accounting and Post-Auth Queries -####################################################################### -# These queries insert/update accounting and authentication records. -# The query to use is determined by the value of 'reference'. -# This value is used as a configuration path and should resolve to one -# or more 'query's. If reference points to multiple queries, and a query -# fails, the next query is executed. -# -# Behaviour is identical to the old 1.x/2.x module, except we can now -# fail between N queries, and query selection can be based on any -# combination of attributes, or custom 'Acct-Status-Type' values. 
-####################################################################### - -accounting { - reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" - - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. -# logfile = ${logdir}/accounting.sql - - column_list = "\ - AcctSessionId, \ - AcctUniqueId, \ - UserName, \ - Realm, \ - NASIPAddress, \ - NASPortId, \ - NASPortType, \ - AcctStartTime, \ - AcctUpdateTime, \ - AcctStopTime, \ - AcctSessionTime, \ - AcctAuthentic, \ - ConnectInfo_start, \ - ConnectInfo_Stop, \ - AcctInputOctets, \ - AcctOutputOctets, \ - CalledStationId, \ - CallingStationId, \ - AcctTerminateCause, \ - ServiceType, \ - FramedProtocol, \ - FramedIpAddress, \ - FramedIpv6Address, \ - FramedIpv6Prefix, \ - FramedInterfaceId, \ - DelegatedIpv6Prefix \ - ${..class.column_name}" - - type { - accounting-on { - query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctStopTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = (${....event_timestamp_epoch} - EXTRACT(EPOCH FROM(AcctStartTime))), \ - AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \ - WHERE AcctStopTime IS NULL \ - AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND AcctStartTime <= ${....event_timestamp}" - } - - accounting-off { - query = "${..accounting-on.query}" - } - - # - # Implement the "sql_session_start" policy. - # See raddb/policy.d/accounting for more details. - # - # You also need to fix the other queries as - # documented below. Look for "sql_session_start". 
- # - post-auth { - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - NULLIF('%{Realm}', ''), \ - '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - NULL, \ - NULL, \ - 0, \ - '', \ - '%{Connect-Info}', \ - NULL, \ - 0, \ - 0, \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - NULL, \ - '%{Service-Type}', \ - '', \ - NULL, \ - NULL, \ - NULL, \ - NULL, \ - NULL \ - ${....class.reply_xlat})" - - query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - ConnectInfo_start = '%{Connect-Info}', \ - AcctSessionId = '%{Acct-Session-Id}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND AcctStopTime IS NULL" - } - - start { - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - NULLIF('%{Realm}', ''), \ - '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - NULL, \ - 0, \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - NULL, \ - 0, \ - 0, \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - NULL, \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - NULLIF('%{Framed-IP-Address}', '')::inet, \ - NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - NULLIF('%{Framed-Interface-Id}', ''), \ - NULLIF('%{Delegated-IPv6-Prefix}', '')::inet \ - ${....class.packet_xlat} ) \ - ON CONFLICT (AcctUniqueId) \ - DO UPDATE \ - SET \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - ConnectInfo_start = '%{Connect-Info}' \ - WHERE 
${....acct_table1}.AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND ${....acct_table1}.AcctStopTime IS NULL" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. - # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ - FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \ - DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', '')::inet, \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp} \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND AcctStopTime IS NULL" - - # and again where we don't have "AND AcctStopTime IS NULL" - query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - ConnectInfo_start = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - } - - interim-update { - query = "\ - UPDATE ${....acct_table1} \ - SET \ - FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ - FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \ - DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', '')::inet, \ - AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, \ - AcctInterval = (${....event_timestamp_epoch} - 
EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint) \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND AcctStopTime IS NULL" - - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - NULLIF('%{Realm}', ''), \ - '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - NULL, \ - %{%{Acct-Session-Time}:-NULL}, \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - NULL, \ - (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint), \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - NULL, \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - NULLIF('%{Framed-IP-Address}', '')::inet, \ - NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - NULLIF('%{Framed-Interface-Id}', ''), \ - NULLIF('%{Delegated-IPv6-Prefix}', '')::inet \ - ${....class.packet_xlat}) \ - ON CONFLICT (AcctUniqueId) \ - DO NOTHING" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. 
- # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ - FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \ - DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', '')::inet, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, \ - (${....event_timestamp_epoch} - EXTRACT(EPOCH FROM(AcctStartTime)))), \ - AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint) \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND AcctStopTime IS NULL" - } - - stop { - query = "\ - UPDATE ${....acct_table2} \ - SET \ - AcctStopTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, \ - (${....event_timestamp_epoch} - EXTRACT(EPOCH FROM(AcctStartTime)))), \ - AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint), \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ - FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \ - DelegatedIPv6Prefix = 
NULLIF('%{Delegated-IPv6-Prefix}', '')::inet, \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND AcctStopTime IS NULL" - - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES(\ - '%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - NULLIF('%{Realm}', ''), \ - '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ - '%{NAS-Port-Type}', \ - TO_TIMESTAMP(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - NULLIF('%{Acct-Session-Time}', '')::bigint, \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - NULL, \ - (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint), \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '%{Acct-Terminate-Cause}', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - NULLIF('%{Framed-IP-Address}', '')::inet, \ - NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - NULLIF('%{Framed-Interface-Id}', ''), \ - NULLIF('%{Delegated-IPv6-Prefix}', '')::inet \ - ${....class.packet_xlat}) \ - ON CONFLICT (AcctUniqueId) \ - DO NOTHING" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. 
- # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ - FramedIPv6Address = NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \ - DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', '')::inet, \ - AcctStopTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, \ - (${....event_timestamp_epoch} - EXTRACT(EPOCH FROM(AcctStartTime)))), \ - AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint), \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' \ - AND AcctStopTime IS NULL" - - # and again where we don't have "AND AcctStopTime IS NULL" - query = "\ - UPDATE ${....acct_table2} \ - SET \ - AcctStopTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, \ - (${....event_timestamp_epoch} - EXTRACT(EPOCH FROM(AcctStartTime)))), \ - AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Input-Octets}:-0}'::bigint), \ - AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + \ - '%{%{Acct-Output-Octets}:-0}'::bigint), \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ - FramedIPv6Address = 
NULLIF('%{Framed-IPv6-Address}', '')::inet, \ - FramedIPv6Prefix = NULLIF('%{Framed-IPv6-Prefix}', '')::inet, \ - FramedInterfaceId = NULLIF('%{Framed-Interface-Id}', ''), \ - DelegatedIPv6Prefix = NULLIF('%{Delegated-IPv6-Prefix}', '')::inet, \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - } - - # - # No Acct-Status-Type == ignore the packet - # - accounting { - query = "SELECT true" - } - } -} - - -####################################################################### -# Authentication Logging Queries -####################################################################### -# postauth_query - Insert some info after authentication -####################################################################### - -post-auth { - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. -# logfile = ${logdir}/post-auth.sql - - query = "\ - INSERT INTO ${..postauth_table} \ - (username, pass, reply, authdate ${..class.column_name}) \ - VALUES(\ - '%{User-Name}', \ - '%{%{User-Password}:-%{Chap-Password}}', \ - '%{reply:Packet-Type}', \ - '%S.%M' \ - ${..class.reply_xlat})" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/schema.sql deleted file mode 100644 index 6963e39..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/schema.sql +++ /dev/null 
@@ -1,174 +0,0 @@ -/* - * $Id: 73b059f26bd08eda209ecb2ba1b8d5ccbfdebc09 $ - * - * Postgresql schema for FreeRADIUS - * - * All field lengths need checking as some are still suboptimal. -pnixon 2003-07-13 - * - */ - -/* - * Table structure for table 'radacct' - * - * Note: Column type bigserial does not exist prior to Postgres 7.2 - * If you run an older version you need to change this to serial - */ -CREATE TABLE IF NOT EXISTS radacct ( - RadAcctId bigserial PRIMARY KEY, - AcctSessionId text NOT NULL, - AcctUniqueId text NOT NULL UNIQUE, - UserName text, - Realm text, - NASIPAddress inet NOT NULL, - NASPortId text, - NASPortType text, - AcctStartTime timestamp with time zone, - AcctUpdateTime timestamp with time zone, - AcctStopTime timestamp with time zone, - AcctInterval bigint, - AcctSessionTime bigint, - AcctAuthentic text, - ConnectInfo_start text, - ConnectInfo_stop text, - AcctInputOctets bigint, - AcctOutputOctets bigint, - CalledStationId text, - CallingStationId text, - AcctTerminateCause text, - ServiceType text, - FramedProtocol text, - FramedIPAddress inet, - FramedIPv6Address inet, - FramedIPv6Prefix inet, - FramedInterfaceId text, - DelegatedIPv6Prefix inet, - Class text -); --- This index may be useful.. 
--- CREATE UNIQUE INDEX radacct_whoson on radacct (AcctStartTime, nasipaddress); - --- For use by update-, stop- and simul_* queries -CREATE INDEX radacct_active_session_idx ON radacct (AcctUniqueId) WHERE AcctStopTime IS NULL; - --- Add if you you regularly have to replay packets --- CREATE INDEX radacct_session_idx ON radacct (AcctUniqueId); - --- For backwards compatibility --- CREATE INDEX radacct_active_user_idx ON radacct (AcctSessionId, UserName, NASIPAddress) WHERE AcctStopTime IS NULL; - --- For use by onoff- -CREATE INDEX radacct_bulk_close ON radacct (NASIPAddress, AcctStartTime) WHERE AcctStopTime IS NULL; - --- and for common statistic queries: -CREATE INDEX radacct_start_user_idx ON radacct (AcctStartTime, UserName); - --- and, optionally --- CREATE INDEX radacct_stop_user_idx ON radacct (acctStopTime, UserName); - --- and for Class -CREATE INDEX radacct_calss_idx ON radacct (Class); - - -/* - * Table structure for table 'radcheck' - */ -CREATE TABLE IF NOT EXISTS radcheck ( - id serial PRIMARY KEY, - UserName text NOT NULL DEFAULT '', - Attribute text NOT NULL DEFAULT '', - op VARCHAR(2) NOT NULL DEFAULT '==', - Value text NOT NULL DEFAULT '' -); -create index radcheck_UserName on radcheck (UserName,Attribute); -/* - * Use this index if you use case insensitive queries - */ --- create index radcheck_UserName_lower on radcheck (lower(UserName),Attribute); - -/* - * Table structure for table 'radgroupcheck' - */ -CREATE TABLE IF NOT EXISTS radgroupcheck ( - id serial PRIMARY KEY, - GroupName text NOT NULL DEFAULT '', - Attribute text NOT NULL DEFAULT '', - op VARCHAR(2) NOT NULL DEFAULT '==', - Value text NOT NULL DEFAULT '' -); -create index radgroupcheck_GroupName on radgroupcheck (GroupName,Attribute); - -/* - * Table structure for table 'radgroupreply' - */ -CREATE TABLE IF NOT EXISTS radgroupreply ( - id serial PRIMARY KEY, - GroupName text NOT NULL DEFAULT '', - Attribute text NOT NULL DEFAULT '', - op VARCHAR(2) NOT NULL DEFAULT '=', - Value 
text NOT NULL DEFAULT '' -); -create index radgroupreply_GroupName on radgroupreply (GroupName,Attribute); - -/* - * Table structure for table 'radreply' - */ -CREATE TABLE IF NOT EXISTS radreply ( - id serial PRIMARY KEY, - UserName text NOT NULL DEFAULT '', - Attribute text NOT NULL DEFAULT '', - op VARCHAR(2) NOT NULL DEFAULT '=', - Value text NOT NULL DEFAULT '' -); -create index radreply_UserName on radreply (UserName,Attribute); -/* - * Use this index if you use case insensitive queries - */ --- create index radreply_UserName_lower on radreply (lower(UserName),Attribute); - -/* - * Table structure for table 'radusergroup' - */ -CREATE TABLE IF NOT EXISTS radusergroup ( - id serial PRIMARY KEY, - UserName text NOT NULL DEFAULT '', - GroupName text NOT NULL DEFAULT '', - priority integer NOT NULL DEFAULT 0 -); -create index radusergroup_UserName on radusergroup (UserName); -/* - * Use this index if you use case insensitive queries - */ --- create index radusergroup_UserName_lower on radusergroup (lower(UserName)); - --- --- Table structure for table 'radpostauth' --- - -CREATE TABLE IF NOT EXISTS radpostauth ( - id bigserial PRIMARY KEY, - username text NOT NULL, - pass text, - reply text, - CalledStationId text, - CallingStationId text, - authdate timestamp with time zone NOT NULL default now(), - Class text -); -CREATE INDEX radpostauth_username_idx ON radpostauth (username); -CREATE INDEX radpostauth_class_idx ON radpostauth (Class); - -/* - * Table structure for table 'nas' - */ -CREATE TABLE IF NOT EXISTS nas ( - id serial PRIMARY KEY, - nasname text NOT NULL, - shortname text NOT NULL, - type text NOT NULL DEFAULT 'other', - ports integer, - secret text NOT NULL, - server text, - community text, - description text -); -create index nas_nasname on nas (nasname); 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/setup.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/setup.sql deleted file mode 100644 index 9dc72f9..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/postgresql/setup.sql +++ /dev/null @@ -1,45 +0,0 @@ -/* - * admin.sql -- PostgreSQL commands for creating the RADIUS user. - * - * WARNING: You should change 'localhost' and 'radpass' - * to something else. Also update raddb/mods-available/sql - * with the new RADIUS password. - * - * WARNING: This example file is untested. Use at your own risk. - * Please send any bug fixes to the mailing list. - * - * $Id: cfa38b054c4d05aec9109d45115e0fd396545cbe $ - */ - -/* - * Create default administrator for RADIUS - */ -CREATE USER radius WITH PASSWORD 'radpass'; - -/* - * The server can read any table in SQL - */ -GRANT SELECT ON radcheck TO radius; -GRANT SELECT ON radreply TO radius; -GRANT SELECT ON radgroupcheck TO radius; -GRANT SELECT ON radgroupreply TO radius; -GRANT SELECT ON radusergroup TO radius; -GRANT SELECT ON nas TO radius; - -/* - * The server can write to the accounting and post-auth logging table. - */ -GRANT SELECT, INSERT, UPDATE on radacct TO radius; -GRANT SELECT, INSERT, UPDATE on radpostauth TO radius; - -/* - * Grant permissions on sequences - */ -GRANT USAGE, SELECT ON SEQUENCE nas_id_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radacct_radacctid_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radcheck_id_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radgroupcheck_id_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radgroupreply_id_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radpostauth_id_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radreply_id_seq TO radius; -GRANT USAGE, SELECT ON SEQUENCE radusergroup_id_seq TO radius; 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh deleted file mode 100644 index a491a2b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh +++ /dev/null 
@@ -1,112 +0,0 @@ -#!/bin/sh -# -# main/sqlite/process-radacct-refresh.sh -- Schema extensions and script for processing radacct entries -# -# $Id: c32fd438d6428c2acb8124712a90721043edaa69 $ - -# -# See process-radacct-schema.sql for details. -# - -if [ "$#" -ne 1 ]; then - echo "Usage: process-radacct-refresh.sh SQLITE_DB_FILE" 2>&1 - exit 1 -fi - -if [ ! -r "$1" ]; then - echo "The SQLite database must exist: $1" 1>&2 - exit 1 -fi - -cat < (SELECT value FROM vars WHERE key='v_start') OR - acctstoptime IS NULL; - - - -- - -- Add the data usage for the sessions that were active in the current - -- period to the table. Include all sessions that finished since the start - -- of this period as well as those still ongoing. - -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT - username, - (SELECT value FROM vars WHERE key='v_start'), - (SELECT value FROM vars WHERE key='v_end'), - SUM(acctinputoctets) AS acctinputoctets, - SUM(acctoutputoctets) AS acctoutputoctets - FROM - radacct_sessions - GROUP BY - username - ON CONFLICT(username,period_start) DO UPDATE - SET - acctinputoctets = data_usage_by_period.acctinputoctets + EXCLUDED.acctinputoctets, - acctoutputoctets = data_usage_by_period.acctoutputoctets + EXCLUDED.acctoutputoctets, - period_end = (SELECT value FROM vars WHERE key='v_end'); - - -- - -- Create an open-ended "next period" for all ongoing sessions and carry a - -- negative value of their data usage to avoid double-accounting when we - -- process the next period. Their current data usage has already been - -- allocated to the current and possibly previous periods. 
- -- - INSERT INTO data_usage_by_period (username, period_start, period_end, acctinputoctets, acctoutputoctets) - SELECT - username, - (SELECT DATETIME(value, '+1 seconds') FROM vars WHERE key='v_end'), - NULL, - 0 - SUM(acctinputoctets), - 0 - SUM(acctoutputoctets) - FROM - radacct_sessions - WHERE - acctstoptime IS NULL - GROUP BY - username; - - DROP TABLE vars; - DROP TABLE radacct_sessions; - -EOF diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql deleted file mode 100644 index 987d71c..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql +++ /dev/null 
@@ -1,52 +0,0 @@ -# -*- text -*- -# -# main/sqlite/process-radacct.sql -- Schema extensions and script for processing radacct entries -# -# $Id: 5c667a4e460c5b369cdfc4c113fcca76120c5ce3 $ - --- --------------------------------- --- - Per-user data usage over time - --- --------------------------------- --- --- An extension to the standard schema to hold per-user data usage statistics --- for arbitrary periods. --- --- The data_usage_by_period table is populated by periodically calling the --- process-radacct-refresh.sh script. --- --- This table can be queried in various ways to produce reports of aggregate --- data use over time. For example, if the refresh script is invoked once per --- day just after midnight, to produce usage data with daily granularity, then --- a reasonably accurate monthly bandwidth summary for a given user could be --- obtained by queriing this table with: --- --- SELECT --- STRFTIME('%Y-%m',CURRENT_TIMESTAMP) AS month, --- SUM(acctinputoctets)*1.0/1000/1000/1000 AS gb_in, --- SUM(acctoutputoctets)*1.0/1000/1000/1000 AS gb_out --- FROM --- data_usage_by_period --- WHERE --- username='bob' AND --- period_end IS NOT NULL --- GROUP BY --- month; --- --- 2019-07|5.782279231|50.545664824 --- 2019-08|4.230543344|48.523096424 --- 2019-09|4.847360599|48.631835488 --- 2019-10|6.456763254|51.686231937 --- 2019-11|6.362537735|52.385710572 --- 2019-12|4.301524442|50.762240277 --- 2020-01|5.436280545|49.067775286 --- -CREATE TABLE data_usage_by_period ( - username text, - period_start datetime, - period_end datetime, - acctinputoctets bigint, - acctoutputoctets bigint, - PRIMARY KEY (username, period_start) -); -CREATE INDEX idx_data_usage_by_period_period_start ON data_usage_by_period(period_start); -CREATE INDEX idx_data_usage_by_period_period_end ON data_usage_by_period(period_end); 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/queries.conf deleted file mode 100644 index 4a968d3..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/queries.conf +++ /dev/null 
@@ -1,599 +0,0 @@ -# -*- text -*- -# -# main/sqlite/queries.conf -- SQLite configuration for default schema (schema.sql) -# -# Id: e1e83bf94814ed8be6239977b7bacfed21c0cd6a $ - -# Safe characters list for sql queries. Everything else is replaced -# with their mime-encoded equivalents. -# The default list should be ok -#safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" - -####################################################################### -# Query config: Username -####################################################################### -# This is the username that will get substituted, escaped, and added -# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below -# everywhere a username substitution is needed so you you can be sure -# the username passed from the client is escaped properly. -# -# Uncomment the next line, if you want the sql_user_name to mean: -# -# Use Stripped-User-Name, if it's there. -# Else use User-Name, if it's there, -# Else use hard-coded string "DEFAULT" as the user name. -#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" -# -sql_user_name = "%{User-Name}" - -####################################################################### -# Query config: Event-Timestamp -####################################################################### -# event_timestamp_epoch is the basis for the time inserted into -# accounting records. Typically this will be the Event-Timestamp of the -# accounting request, which is usually provided by a NAS. -# -# Uncomment the next line, if you want the timestamp to be based on the -# request reception time recorded by this server, for example if you -# distrust the provided Event-Timestamp. -#event_timestamp_epoch = "%l" - -event_timestamp_epoch = "%{%{integer:Event-Timestamp}:-%l}" - -# event_timestamp is the SQL snippet for converting an epoch timestamp -# to an SQL date. 
- -event_timestamp = "${event_timestamp_epoch}" - -# NOTE: Recent SQLite versions allow proper arithmetic with dates -# stored as strings including comparison using an index, so we keep -# these variables differentiated in preparation for switching away from -# integer storage. - -####################################################################### -# Query config: Class attribute -####################################################################### -# -# 3.0.22 and later have a "class" column in the accounting table. -# -# However, we do NOT want to break existing configurations by adding -# the Class attribute to the default queries. If we did that, then -# systems using newer versions of the server would fail, because -# there is no "class" column in their accounting tables. -# -# The solution to that is the following "class" subsection. If your -# database has a "class" column for the various tables, then you can -# uncomment the configuration items here. The queries below will -# then automatically insert the Class attribute into radacct, -# radpostauth, etc. -# -class { - # - # Delete the '#' character from each of the configuration - # items in this section. This change puts the Class - # attribute into the various tables. Leave the double-quoted - # string there, as the value for the configuration item. - # - # See also policy.d/accounting, and the "insert_acct_class" - # policy. You will need to list (or uncomment) - # "insert_acct_class" in the "post-auth" section in order to - # create a Class attribute. - # - column_name = # ", class" - packet_xlat = # ", '%{Class}'" - reply_xlat = # ", '%{reply:Class}'" -} - -####################################################################### -# Default profile -####################################################################### -# This is the default profile. It is found in SQL by group membership. 
-# That means that this profile must be a member of at least one group -# which will contain the corresponding check and reply items. -# This profile will be queried in the authorize section for every user. -# The point is to assign all users a default profile without having to -# manually add each one to a group that will contain the profile. -# The SQL module will also honor the User-Profile attribute. This -# attribute can be set anywhere in the authorize section (ie the users -# file). It is found exactly as the default profile is found. -# If it is set then it will *overwrite* the default profile setting. -# The idea is to select profiles based on checks on the incoming packets, -# not on user group membership. For example: -# -- users file -- -# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound" -# DEFAULT Service-Type == Framed-User, User-Profile := "framed" -# -# By default the default_user_profile is not set -# -#default_user_profile = "DEFAULT" - -####################################################################### -# NAS Query -####################################################################### -# This query retrieves the radius clients -# -# 0. Row ID (currently unused) -# 1. Name (or IP address) -# 2. Shortname -# 3. Type -# 4. Secret -# 5. Server -####################################################################### - -client_query = "\ - SELECT id, nasname, shortname, type, secret, server \ - FROM ${client_table}" - -####################################################################### -# Authorization Queries -####################################################################### -# These queries compare the check items for the user -# in ${authcheck_table} and setup the reply items in -# ${authreply_table}. You can use any query/tables -# you want, but the return data for each row MUST -# be in the following order: -# -# 0. Row ID (currently unused) -# 1. UserName/GroupName -# 2. Item Attr Name -# 3. Item Attr Value -# 4. 
Item Attr Operation -####################################################################### - -# -# Use these for case sensitive usernames. -# -#authorize_check_query = "\ -# SELECT id, username, attribute, value, op \ -# FROM ${authcheck_table} \ -# WHERE username = BINARY '%{SQL-User-Name}' \ -# ORDER BY id" - -#authorize_reply_query = "\ -# SELECT id, username, attribute, value, op \ -# FROM ${authreply_table} \ -# WHERE username = BINARY '%{SQL-User-Name}' \ -# ORDER BY id" - -# -# The default queries are case insensitive. (for compatibility with older versions of FreeRADIUS) -# -authorize_check_query = "\ - SELECT id, username, attribute, value, op \ - FROM ${authcheck_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY id" - -authorize_reply_query = "\ - SELECT id, username, attribute, value, op \ - FROM ${authreply_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY id" - -# -# Use these for case sensitive usernames. -# -#group_membership_query = "\ -# SELECT groupname \ -# FROM ${usergroup_table} \ -# WHERE username = BINARY '%{SQL-User-Name}' \ -# ORDER BY priority" - -group_membership_query = "\ - SELECT groupname \ - FROM ${usergroup_table} \ - WHERE username = '%{SQL-User-Name}' \ - ORDER BY priority" - -authorize_group_check_query = "\ - SELECT id, groupname, attribute, \ - Value, op \ - FROM ${groupcheck_table} \ - WHERE groupname = '%{${group_attribute}}' \ - ORDER BY id" - -authorize_group_reply_query = "\ - SELECT id, groupname, attribute, \ - value, op \ - FROM ${groupreply_table} \ - WHERE groupname = '%{${group_attribute}}' \ - ORDER BY id" - -####################################################################### -# Simultaneous Use Checking Queries -####################################################################### -# simul_count_query - query for the number of current connections -# - If this is not defined, no simultaneous use checking -# - will be performed by this module instance -# simul_verify_query - query to 
return details of current connections -# for verification -# - Leave blank or commented out to disable verification step -# - Note that the returned field order should not be changed. -####################################################################### - -simul_count_query = "\ - SELECT COUNT(*) \ - FROM ${acct_table1} \ - WHERE username = '%{SQL-User-Name}' \ - AND acctstoptime IS NULL" - -simul_verify_query = "\ - SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, \ - callingstationid, framedprotocol \ - FROM ${acct_table1} \ - WHERE username = '%{${group_attribute}}' \ - AND acctstoptime IS NULL" - -####################################################################### -# Accounting and Post-Auth Queries -####################################################################### -# These queries insert/update accounting and authentication records. -# The query to use is determined by the value of 'reference'. -# This value is used as a configuration path and should resolve to one -# or more 'query's. If reference points to multiple queries, and a query -# fails, the next query is executed. -# -# Behaviour is identical to the old 1.x/2.x module, except we can now -# fail between N queries, and query selection can be based on any -# combination of attributes, or custom 'Acct-Status-Type' values. -####################################################################### -accounting { - reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}" - - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. 
-# logfile = ${logdir}/accounting.sql - - column_list = "\ - acctsessionid, \ - acctuniqueid, \ - username, \ - realm, \ - nasipaddress, \ - nasportid, \ - nasporttype, \ - acctstarttime, \ - acctupdatetime, \ - acctstoptime, \ - acctsessiontime, \ - acctauthentic, \ - connectinfo_start, \ - connectinfo_stop, \ - acctinputoctets, \ - acctoutputoctets, \ - calledstationid, \ - callingstationid, \ - acctterminatecause, \ - servicetype, \ - framedprotocol, \ - framedipaddress, \ - framedipv6address, \ - framedipv6prefix, \ - framedinterfaceid, \ - delegatedipv6prefix \ - ${..class.column_name}" - - type { - accounting-on { - # - # Bulk terminate all sessions associated with a given NAS - # - query = "\ - UPDATE ${....acct_table1} \ - SET \ - acctstoptime = ${....event_timestamp}, \ - acctsessiontime = \ - (${....event_timestamp_epoch} \ - - acctstarttime), \ - acctterminatecause = '%{Acct-Terminate-Cause}' \ - WHERE acctstoptime IS NULL \ - AND nasipaddress = '%{NAS-IP-Address}' \ - AND acctstarttime <= ${....event_timestamp}" - } - - accounting-off { - query = "${..accounting-on.query}" - } - - start { - # - # Insert a new record into the sessions table - # - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES \ - ('%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - NULL, \ - '0', \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - '', \ - '0', \ - '0', \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. 
- # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. - # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp} \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - # - # Key constraints prevented us from inserting a new session, - # use the alternate query to update an existing session. - # - query = "\ - UPDATE ${....acct_table1} SET \ - acctstarttime = ${....event_timestamp}, \ - acctupdatetime = ${....event_timestamp}, \ - connectinfo_start = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - } - - interim-update { - # - # Update an existing session and calculate the interval - # between the last data we received for the session and this - # update. This can be used to find stale sessions. 
- # - query = "\ - UPDATE ${....acct_table1} \ - SET \ - acctupdatetime = ${....event_timestamp}, \ - acctinterval = 0, \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ - acctinputoctets = %{%{Acct-Input-Gigawords}:-0} \ - << 32 | %{%{Acct-Input-Octets}:-0}, \ - acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} \ - << 32 | %{%{Acct-Output-Octets}:-0} \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - - # - # The update condition matched no existing sessions. Use - # the values provided in the update to create a new session. - # - query = "\ - INSERT INTO ${....acct_table1} \ - (${...column_list}) \ - VALUES \ - ('%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - (${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ - ${....event_timestamp}, \ - NULL, \ - %{%{Acct-Session-Time}:-NULL}, \ - '%{Acct-Authentic}', \ - '%{Connect-Info}', \ - '', \ - %{%{Acct-Input-Gigawords}:-0} << 32 | \ - %{%{Acct-Input-Octets}:-0}, \ - %{%{Acct-Output-Gigawords}:-0} << 32 | \ - %{%{Acct-Output-Octets}:-0}, \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. 
- # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, \ - AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Output-Octets}:-0}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - } - - stop { - # - # Session has terminated, update the stop time and statistics. - # - query = "\ - UPDATE ${....acct_table2} SET \ - acctstoptime = ${....event_timestamp}, \ - acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \ - acctinputoctets = %{%{Acct-Input-Gigawords}:-0} \ - << 32 | %{%{Acct-Input-Octets}:-0}, \ - acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} \ - << 32 | %{%{Acct-Output-Octets}:-0}, \ - acctterminatecause = '%{Acct-Terminate-Cause}', \ - connectinfo_stop = '%{Connect-Info}' \ - WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" - - # - # The update condition matched no existing sessions. Use - # the values provided in the update to create a new session. 
- # - query = "\ - INSERT INTO ${....acct_table2} \ - (${...column_list}) \ - VALUES \ - ('%{Acct-Session-Id}', \ - '%{Acct-Unique-Session-Id}', \ - '%{SQL-User-Name}', \ - '%{Realm}', \ - '%{NAS-IP-Address}', \ - '%{%{NAS-Port-ID}:-%{NAS-Port}}', \ - '%{NAS-Port-Type}', \ - (${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ - ${....event_timestamp}, \ - ${....event_timestamp}, \ - %{%{Acct-Session-Time}:-NULL}, \ - '%{Acct-Authentic}', \ - '', \ - '%{Connect-Info}', \ - %{%{Acct-Input-Gigawords}:-0} << 32 | \ - %{%{Acct-Input-Octets}:-0}, \ - %{%{Acct-Output-Gigawords}:-0} << 32 | \ - %{%{Acct-Output-Octets}:-0}, \ - '%{Called-Station-Id}', \ - '%{Calling-Station-Id}', \ - '%{Acct-Terminate-Cause}', \ - '%{Service-Type}', \ - '%{Framed-Protocol}', \ - '%{Framed-IP-Address}', \ - '%{Framed-IPv6-Address}', \ - '%{Framed-IPv6-Prefix}', \ - '%{Framed-Interface-Id}', \ - '%{Delegated-IPv6-Prefix}' \ - ${....class.packet_xlat})" - - # - # When using "sql_session_start", you should comment out - # the previous query, and enable this one. - # - # Just change the previous query to "-query", - # and this one to "query". The previous one - # will be ignored, and this one will be - # enabled. 
- # - -query = "\ - UPDATE ${....acct_table1} \ - SET \ - AcctSessionId = '%{Acct-Session-Id}', \ - AcctUniqueId = '%{Acct-Unique-Session-Id}', \ - AcctAuthentic = '%{Acct-Authentic}', \ - ConnectInfo_start = '%{Connect-Info}', \ - ServiceType = '%{Service-Type}', \ - FramedProtocol = '%{Framed-Protocol}', \ - framedipaddress = '%{Framed-IP-Address}', \ - framedipv6address = '%{Framed-IPv6-Address}', \ - framedipv6prefix = '%{Framed-IPv6-Prefix}', \ - framedinterfaceid = '%{Framed-Interface-Id}', \ - delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \ - AcctStopTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp}, \ - AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, \ - AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Input-Octets}:-0}', \ - AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' \ - << 32 | '%{%{Acct-Output-Octets}:-0}', \ - AcctTerminateCause = '%{Acct-Terminate-Cause}', \ - ConnectInfo_stop = '%{Connect-Info}' \ - WHERE UserName = '%{SQL-User-Name}' \ - AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \ - AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \ - AND NASPortType = '%{NAS-Port-Type}' \ - AND AcctStopTime IS NULL" - - } - - - # - # No Acct-Status-Type == ignore the packet - # - accounting { - query = "SELECT true" - } - } -} - -####################################################################### -# Authentication Logging Queries -####################################################################### -# postauth_query - Insert some info after authentication -####################################################################### - -post-auth { - # Write SQL queries to a logfile. This is potentially useful for bulk inserts - # when used with the rlm_sql_null driver. 
-# logfile = ${logdir}/post-auth.sql - - query = "\ - INSERT INTO ${..postauth_table} \ - (username, pass, reply, authdate ${..class.column_name}) \ - VALUES ( \ - '%{SQL-User-Name}', \ - '%{%{User-Password}:-%{Chap-Password}}', \ - '%{reply:Packet-Type}', \ - '%S.%M' \ - ${..class.reply_xlat})" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/schema.sql deleted file mode 100644 index 5bac576..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/main/sqlite/schema.sql +++ /dev/null 
@@ -1,156 +0,0 @@ ------------------------------------------------------------------------------ --- $Id: 9bdaf71f34013de79504b9bf6e090c8cf0e38979 $ -- --- -- --- schema.sql rlm_sql - FreeRADIUS SQLite Module -- --- -- --- Database schema for SQLite rlm_sql module -- --- -- ------------------------------------------------------------------------------ - --- --- Table structure for table 'radacct' --- -CREATE TABLE IF NOT EXISTS radacct ( - radacctid INTEGER PRIMARY KEY AUTOINCREMENT, - acctsessionid varchar(64) NOT NULL default '', - acctuniqueid varchar(32) NOT NULL default '', - username varchar(64) NOT NULL default '', - realm varchar(64) default '', - nasipaddress varchar(15) NOT NULL default '', - nasportid varchar(32) default NULL, - nasporttype varchar(32) default NULL, - acctstarttime datetime NULL default NULL, - acctupdatetime datetime NULL default NULL, - acctstoptime datetime NULL default NULL, - acctinterval int(12) default NULL, - acctsessiontime int(12) default NULL, - acctauthentic varchar(32) default NULL, - connectinfo_start varchar(128) default NULL, - connectinfo_stop varchar(128) default NULL, - acctinputoctets bigint(20) default NULL, - acctoutputoctets bigint(20) default NULL, - calledstationid varchar(50) NOT NULL default '', - callingstationid varchar(50) NOT NULL default '', - acctterminatecause varchar(32) NOT NULL default '', - servicetype varchar(32) default NULL, - framedprotocol varchar(32) default NULL, - framedipaddress varchar(15) NOT NULL default '', - framedipv6address varchar(45) NOT NULL default '', - framedipv6prefix varchar(45) NOT NULL default '', - framedinterfaceid varchar(44) NOT NULL default '', - delegatedipv6prefix varchar(45) NOT NULL default '', - class varchar(64) default NULL -); - --- --- You might not need all of these indexes. It should be safe to --- delete indexes you do not use. For example, if you're not using --- IPv6, you can delete the indexes on IPv6 attributes. 
--- --- You MUST however leave the indexes needed by the server, which --- include username, acctstoptime, nasipaddress, acctstarttime, and --- acctuniqueid. --- -CREATE UNIQUE INDEX acctuniqueid ON radacct(acctuniqueid); -CREATE INDEX username ON radacct(username); -CREATE INDEX framedipaddress ON radacct (framedipaddress); -CREATE INDEX framedipv6address ON radacct (framedipv6address); -CREATE INDEX framedipv6prefix ON radacct (framedipv6prefix); -CREATE INDEX framedinterfaceid ON radacct (framedinterfaceid); -CREATE INDEX delegatedipv6prefix ON radacct (delegatedipv6prefix); -CREATE INDEX acctsessionid ON radacct(acctsessionid); -CREATE INDEX acctsessiontime ON radacct(acctsessiontime); -CREATE INDEX acctstarttime ON radacct(acctstarttime); -CREATE INDEX acctinterval ON radacct(acctinterval); -CREATE INDEX acctstoptime ON radacct(acctstoptime); -CREATE INDEX nasipaddress ON radacct(nasipaddress); -CREATE INDEX class ON radacct(class); - --- --- Table structure for table 'radcheck' --- -CREATE TABLE IF NOT EXISTS radcheck ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - username varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '==', - value varchar(253) NOT NULL default '' -); -CREATE INDEX check_username ON radcheck(username); - --- --- Table structure for table 'radgroupcheck' --- -CREATE TABLE IF NOT EXISTS radgroupcheck ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '==', - value varchar(253) NOT NULL default '' -); -CREATE INDEX check_groupname ON radgroupcheck(groupname); - --- --- Table structure for table 'radgroupreply' --- -CREATE TABLE IF NOT EXISTS radgroupreply ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - groupname varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '' -); -CREATE INDEX 
reply_groupname ON radgroupreply(groupname); - --- --- Table structure for table 'radreply' --- -CREATE TABLE IF NOT EXISTS radreply ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - username varchar(64) NOT NULL default '', - attribute varchar(64) NOT NULL default '', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default '' -); -CREATE INDEX reply_username ON radreply(username); - --- --- Table structure for table 'radusergroup' --- -CREATE TABLE IF NOT EXISTS radusergroup ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - username varchar(64) NOT NULL default '', - groupname varchar(64) NOT NULL default '', - priority int(11) NOT NULL default '1' -); -CREATE INDEX usergroup_username ON radusergroup(username); - --- --- Table structure for table 'radpostauth' --- -CREATE TABLE IF NOT EXISTS radpostauth ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - username varchar(64) NOT NULL default '', - pass varchar(64) NOT NULL default '', - reply varchar(32) NOT NULL default '', - authdate timestamp NOT NULL, - class varchar(64) default NULL -); -CREATE INDEX radpostauth_username ON radpostauth(username); -CREATE INDEX radpostauth_class ON radpostauth(class); - --- --- Table structure for table 'nas' --- -CREATE TABLE IF NOT EXISTS nas ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - nasname varchar(128) NOT NULL, - shortname varchar(32), - type varchar(30) DEFAULT 'other', - ports int(5), - secret varchar(60) DEFAULT 'secret' NOT NULL, - server varchar(64), - community varchar(50), - description varchar(200) DEFAULT 'RADIUS Client' -); -CREATE INDEX nasname ON nas(nasname); diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/queries.conf deleted file mode 100644 index 89c8e36..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/queries.conf +++ /dev/null 
@@ -1,15 +0,0 @@ -# -*- text -*- -# -# moonshot-targeted-ids/mysql/queries.conf -- Queries to update a MySQL Moonshot-Targeted-Ids table. -# -# $Id: 68306db5a6c67f70804dc019e19daba5e938b4a9 $ - -post-auth { - # Query to store the Moonshot-*-TargetedId - query = "\ - INSERT IGNORE INTO ${..moonshot_tid_table} \ - (gss_acceptor, namespace, username, targeted_id) \ - VALUES \ - ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ - '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql deleted file mode 100644 index 8a33dc1..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql +++ /dev/null @@ -1,8 +0,0 @@ -CREATE TABLE `moonshot_targeted_ids` ( - `gss_acceptor` varchar(254) NOT NULL default '', - `namespace` varchar(36) NOT NULL default '', - `username` varchar(64) NOT NULL default '', - `targeted_id` varchar(128) NOT NULL default '', - `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, - PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/queries.conf deleted file mode 100644 index ca6320d..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/queries.conf +++ /dev/null 
@@ -1,15 +0,0 @@ -# -*- text -*- -# -# moonshot-targeted-ids/postgresql/queries.conf -- Queries to update a PostgreSQL Moonshot-*-Targeted-Ids table. -# -# $Id: f757a870a0b68c5dc3827c00bb501082fc7e03e9 $ - -post-auth { - # Query to store the Moonshot-*-TargetedId - query = "\ - INSERT INTO ${..moonshot_tid_table} \ - (gss_acceptor, namespace, username, targeted_id) \ - VALUES \ - ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ - '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/schema.sql deleted file mode 100644 index 649c627..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/schema.sql +++ /dev/null @@ -1,8 +0,0 @@ -CREATE TABLE moonshot_targeted_ids ( - gss_acceptor varchar(254) NOT NULL DEFAULT '', - namespace varchar(36) NOT NULL DEFAULT '', - username varchar(64) NOT NULL DEFAULT '', - targeted_id varchar(128) NOT NULL DEFAULT '', - creationdate TIMESTAMP with time zone NOT NULL default 'now()', - PRIMARY KEY (username, gss_acceptor, namespace) -); diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/queries.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/queries.conf deleted file mode 100644 index 0692076..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/queries.conf +++ /dev/null 
@@ -1,15 +0,0 @@ -# -*- text -*- -# -# moonshot-targeted-ids/sqlite/queries.conf -- Queries to update a sqlite Moonshot-*-Targeted-Ids table. -# -# $Id: 8cdb80382db6e94067a75c0428b375847eb04ad8 $ - -post-auth { - # Query to store the Moonshot-*-TargetedId - query = "\ - INSERT INTO ${..moonshot_tid_table} \ - (gss_acceptor, namespace, username, targeted_id) \ - VALUES \ - ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ - '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/schema.sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/schema.sql deleted file mode 100644 index 71195ad..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/schema.sql +++ /dev/null @@ -1,8 +0,0 @@ -CREATE TABLE `moonshot_targeted_ids` ( - `gss_acceptor` varchar(254) NOT NULL default '', - `namespace` varchar(36) NOT NULL default '', - `username` varchar(64) NOT NULL default '', - `targeted_id` varchar(128) NOT NULL default '', - `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, - PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) -); diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/unbound/default.conf b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/unbound/default.conf deleted file mode 100644 index 9aac368..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/unbound/default.conf +++ /dev/null @@ -1,2 +0,0 @@ -server: - num-threads: 2 From b78e67c4f99b9d2db131568292ce9fb2a0b37b2d Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 4 Nov 2022 18:08:20 +0000 Subject: [PATCH 05/59] Add weinturm extensions --- machines/raven/secrets.yaml | 8 ++++---- machines/raven/services/asterisk.nix | 6 ++++++ 2 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 323eab0..308c67d 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
@@ -1,5 +1,5 @@ dyndns-password: ENC[AES256_GCM,data:FXAuhhVqs1cD8r1SKaY2pbAdzDU=,iv:t1wj201txdfPXRVBrX8bZbemEDNY9JoCQzKnw/VhW1I=,tag:E1XgN73DME1qKZD7qzkxCg==,type:str] -asterisk-pjsip: ENC[AES256_GCM,data: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,iv:bheINdiaEvdk86IDeCN3Hm76zT9hH1fDqz6gEP/AZRw=,tag:lQYF2KssiqKJsLmEm9tYXw==,type:str] +asterisk-pjsip: ENC[AES256_GCM,data:SlrdQFd5V7OKScM6kkMO03o5s99WVEMtXf7emhEZGeAzGC1BD6PLXQKB1La409ZDCCkpM6DB2/+SR6qmtrMWwGnngAc8OQVst5Hh07gzglzOuzBi5Gdw5wkq+Nmf08qvnPAjV5lW7yZ2kTUmO54JUjTsT6OhYBgQNh1LnpT+A+39J0DFltNh8jqWPanKvzMPvB/7YU8NyaAbrPHtVwJu0wPkA/eA1DFTzVEHX3l6xKKmWFlPh2xn0CR7iZK8ZQ1jlGuXA+g1IXedhqo2N/GsC+F5OaFuUEkoxyg3kDgignCBuMt7bSiDNSpHIYSKMkMs/T5ZxoXZ1pOz8IpvY8X8u7tBdLIwUFOIGHewpA7vLpEBL3gliaxRNQCU6jTwnc9xx69s0CWtlB/8MqQtt+f+4Gx5ri7f3FI1S9wLS+2u7c7r5ff3lxRYY/mo/BiCJUI2DwUejG8j6uj9+Mc5XpEWVUnNozYoTrnVCHI8qFRdvqf/qYavTRaxEPZvsEIQ5Xb/V+Wz98UZ+GLtLyn1QT1+n3YkIJNL6HNmTFDB5eivlceVpPeQuZ5L6tW0WHn87pZDfCy+tyngH5OsaQj8Ty9yXlJyOtW+Wct38AHNl0YLfyQSVaO+DsGQcl/99wJlmpuEy5sfbUnm1AdTcFWaqvrdPLRs4Egi32O3N0aUdq2alC0tGQv+72XTcuhDVRdDxiIJQ808uj0aRaISYHH1UnMG3O+APh44xvCHg3MuE9NwbmmOVx8iMTn8wQ0KhLzZY3+FSh4XIW8SC5D4JQefPThjQjd4dJ3GAtuRhPMd8fhNI8WWGlYhjxR8luf5fR8+bsJn4sWP6uyW8SnGkeWqaU/80CawmvayMt9FV7kFc7lSsHcwdxkEzHUoeOWhJW8uJv1GjDyibZtlHYVnn8Zn8YDohvawSGwXwbdRyjXNEIFnQcZ+HIWfsZ0xSViMb+D3pnHc6SMc6Bn3blAk5Dcw9WHsuP2zcGsZ6hzTZI2BnvX8GPp2A1MkzaBFuORgeCHlnt9sNc8GioEMpmEgVcVlDUElYu/o8pUy2+DdYFanV/1MvwcCDDvog0iwAq85UiO3guzVTq/6RvnAP36UNyG/1JEM9K0ovPh0pVMVX91r0PLxmYWul6M6WfK7p0YP6IcHj3mimdvPoGoiK6Mx60kGyua6WhQuWcQ2GiH0bCeNd3rcIECBumDBoofdEWbjINbppcSCgDufmhyAaV9XzJEzxK9xjYiz837Gn4oZ4ZjDMtng1O3I8KnCSSGvKYp2rF5dg67RplLZZC80DT/4VIikJygfMjqNHPUcKUcPInVQYsxFg11hxBgTw6utxgWD7AZMegqbrIka9U+rKm2qSUUBNqGNXCzv4/slu0EHNPjaWKg/1C2EmE0JdtJ02+TQaZgTT+RXf9UjQgZYVG/Q49oloaGN/Lbzn1xhhX2X0UuJNYMrFzuimG+U4okmwfZl3ErW3J9oLZmVVvtbRIkeq785cq163IjPVylw1mXsNWvlxe+f6V/R3U31hOOxYWyC7zAqEE/DNI79aJ7nVo7gdCc0K8nzv764pCZhnOtMA6ZDQao22BzruRIELEvHdjij2isdM/UtSocU6wvkNYlxhqPd
oIV08tWk8nvN9HM2kcVaeA7eqWoMIk2nm4jY2WxJ4vCX1el9YhFZBR6TwF403Z1HspIuMf1IWh36TVbUvinexRhTwtg0c4EWlH1LGslcfedmEOaEAyDK8UJs3LBTawgbOulC09WZXYMdb+EXKyPjQqxhDf4qM+/3+rSNcc43WUIeOlLqJFDDtK93m5u0kbjbxwOAyleQTWHsdsVhA9uzuGg0gfkmSH98R6now4QH/E/znWnGBpb3wMfi+EPVNjPRO4h/fO44UhCkb1EI5pjT4Aj1mmYim+NNzW2ZPN/p/xvLv/bRR1fEAE5QPv7NSCBh5OizmLghfAQu+Omfn6tA3XUzprw7d/k8fGuUS/TM4AuJUtjn1hioA1Lz2uqelhQQcZgz7ttgVhQSdOmGZ+KIZOkx59DcTBO9RB5yBWnWjRWneggHQ6k+nhrt8G7SbNP04ADEe1GCD0EWiK5HITiFvMXyEEIxy7ZSIkwESHsG+HuppPvDUp8ytaIKY6ad8yWH5DMNeTo3zKoXrvN3tgZTYVpFejonYPhmpf6BE0MSKTtRkxh9LDQVAciAYXFIRFwVs5hKHUOIHGq7sR4uaSt3PF/bxUo02/EmNFjn4le5/Q0k2zf/Rc7+tdDVXYuPEQR4D2orXzrOocdV7jhc9/vN0+tBenQ1jPEKfsB4J0xztkylf/4SS2CzAqzXi4UV87uNO9YY7zsZKaElcNp7j9Dn/6k4TJXfeFZ3iaCGWVOBWAqJLIXcMyM0FdrAIkG+qMfd4CRWCLW70BwspRPcaf/n7+O1xv41E1dovPsSO41A7xXADo2vlU6XSAWi8R5kodUDuDjBww/UFZC4E+Fs2CbWPp9Ea66ZsQf1GyBxxwkBNQfP2Ge5oMWKopFYVSys+T6wPw9Szg8csiTkkNd5Uvxb6pz4fr8URNFfviRtcDFchOi5PshYmsvYPwRkFUeiEys6t+rdVB881PpovCC1pptDrVmQWnzCeoBy4GHR2olkCTgTfxidQwmDatuhwkeVGI2mXjS5jiDl/UhfpmsJB3dFSnnxtWhm5Ns184Czz/CnGqX1Yg2xB1pqBb8dYpY6xU7uVEKQ1P978OIWBqZ2sgvQmUs/IkDRsPp9moiOyit9y3LVoLxynWE61IFWxZvls2osV2zU4qoMwpM5WjYjuqV9GBKa2X2+x95Z7Uw8r653A6j4JoujCE72oDV6ExiOAImyyQaJEyegRUYYMyQUPVsjCwLqFqyb1wReZpLeDCeaaodt1MaO058Owyd90n4l7s3iVHHX/qIkp4Ui/NE84hnM1DGqIvw+2VKWgw7MKwJaOfDa2yWU/fcsWT9f0Dp47bVFHNcMOtZivfwhSq29dx9IB8SA6SW3+mcOe1ZV/xYGsPZCAeS/jZX402XUY1xZrnjfkwnwzNdpfxIl5yNcPadHsRq6Qi2BuQ4NzAIWisYk0VXBuA9eVWDUmhKIFBOxFQm2QwIpImeK1qQtTINUgls+ohd7ilVirtRHjq1YOO1nN45msTeLYB8Gv6tjhAJ6kSSG56S6Ru3Z8ylxUtcHzBkTRWWFxKnLl3ZzfdUP3glYrKeB3IqXhzFxSQ0fRYvNAKBig9UY33/cLHkZbdDSr89Rw8ehkU/Zqza+puFfCRNspOxP97XeyD9P5kjWJDXzd6i1gO2Ph61X1y5q5r8rTp8/gMos6AVqIdyq0UgLNql3gXAUIy7/u6JBgECWeM1fS5Zb28Jcf6/YkI5xKkwTMMP3DzBEownOTICcbvbXFJmiqK/wQg8zztofEOIothEm+xseW/zGqR15V4+fbBIeHrsHbGwqU3mWeJnTdQOB+tDGLn4fBS1Yb1y7gnvpw/wxShCUBRTCNNWXlHga+qFHgW8swz/HlZxT2y7FtH7VYwdG60eucUQ6w/Gjgdcsv536fy/Ei7p4Bz6Xu3AGRpvECLgy9rYKPdrT1OOqTrPlAJH6Lgr5bI6LgX32t6LRn6axa5hF63Rx1/PJuw49yw+o
RMk4i4RrF7E6x8cuRmz96zaOpZytB75aqs8SE7wlMc73ZqMvgJ/71cAfX6+RdTbbW5l/zp1dzNXLTwM/gzOSGRFEVpt5RudUuGtCi8eBur+CAhgfHtxrkRH80N8H5MnoNP4ZvGZ2kezSvtzhisUIJUVgrkVlXzv0IfSZ5M72BfiCA09qc4GjWGxG1T5zz3sByh/BfHsisYMX5coLgF1VfIPZMKS6cP4xqSepbao6tklGwO9+b8dZYcl4nTeunYYcp/1d8zCcbUzn4wr2KmcfP2T3QwvUjDCKRHO9rcMg6ob+MqSoRm9uW/apAy+d/HiOfULTkaE3hoP/FCy4WJTlcZjcf+SMUlWtI9SypkiybxIEK5QlVpJlWlpECv8sx7bjw+ItxcHpZm+WpfEWJ7dEOU9V+gSp/KGk1HYObPxygiizd2PomqoubL05aC68RT+ZAd5fsKu0a5KPASGMv+rwOofJJ12nXfcXGYG/Qgre9FMWN7uA3eoLeK5BzAy/rwzvNBbFhHXovDjl5kuiUwBdjI2WfsGVDhFb8LmgdnuXaI5CCuAx+yH68wQog/a+dDuNiywRl5Birgo1wR3Xbf03q6wcMkQ/3Mdmp1ImgwyfzJ0xrTlaJrsm0ACHKzQJYHDdTvHke0ZjERS4OMDoB1Jii4R114VqYR8qmSvoL9TnqrGQbCLNMdGZCG1MjHCKXdAakVPmcrRHH2sO7nnDFIxfmWnyp42pDfaTtrqnqbKqyT8nA4/j1dGpxx0qcrl64Ed9wJ7xYpQNHpEgdWqLjowK+DrWO+mmy2L7zjT7kNBE5AEc1+HyUUOk1EhSxZIyqZewPZylxzJC12cJFbm1BzdUx8xYvdLN/T4dKORMBSVGOVXbodQzGfBkk8onovl7oA/Hmfhm8jGLkT+8zbzZw4tyAnGN59iF8Lej8S67TTU8V6vxUSihsHUNipka/OU7LjQDOeY0xvYIa/0CqYQJZoMIEaz+8mD14vyrVTsX6JHXAEYM2pGRhqbBl/h8lg67/AGA8BYPZOyG7IpwbvsQ1hmixfP6KeCiJdUn6o8BpuF48+nExxJNiewr20w8LBqg86UwOuEngTp2Di68+36GnQO+qQmQjCVybzJycqEowjVq4mnwBPQZ0BrGKV/dEPrxTSqGFKMT6es2KJ6dWAz0si/2AMZmXjZr2b61jkUL1rj8pQhx+rHH3s+SFgqlsXrzU8kKrGE2OME5ZE5/PSN/bWsPbqeVXKKREWSEIdAJhU110d6dMzIccYeaLDuDXoi6ETSd0tw+qva4GWYmsFAD7B6aQ0CnAm/co/qFA0x9K7xxULN6E6J1l3wL/H5b8bGs9+s7OepgRzU/vKZEWjKfhxC8VlHy+aDGX280yF+C8QPqQd7k2O8GjURIic/X99Ojn6xGAvLx9e5vH2Mn/A9eFkV4BQ4zErHwYS6q+wZUnAd22Uqww33FJEFp+DP8zY+u3a97reOjS83TcGCfS6gtJWwQ9FeETECY0D7BAaJpZ1LImESpIFSZNyb+n+XN7A5wp1x/m7kaC9+Fn3/7x/ZAaCaZdFe4RC0/rs/pYhtMazdeIgoZOBD6h7yk4IOsb2dzzRXMldxWvFbvfU6HbzHa2MO5Wf6nSJBIyd7HQ09cK+qVAtNLS6cZGimOS/yooO1Qxbo8lOMhgi6dBmzjcm3misS6FgGgzqdxWYnrrAWf6tDxrEYwWBpM8lhEwnHGkH/ul017tdkokpD+02o0bDrpD+9Z3d8bIra2QdCnlftQJYMeWgieoaWq0IGsPSGykkbL1AdwkdfUYJ6Afu+pAq9GCNqfHrxO8MNgo5T0af9KjHYOm7k3VeRlOOM/yDgjn6Aq1BQ5NDir5qvyu+G28ekWyO9EM8H3dDUpwDYNb8SOl1v6PIbwq7DcfV/5JXSFeEjb5nsRHeuWcmNYpmP0KKCFMTMGMTwKWUUBS4OcfPnWPFzHgZV53IDD8C3651EpE6jhtzEVQ5UosROJrDXe6ur+
NGXJv4REAHZmbpaVop4OXvOlPgfE11lbO53zCNVEZ+OC7P3K3oHikY3/vSiBNuNhycmo5oE9RVx1bQ4w+mIiPborAzmPJtyt1/5C6TyGDn9tRcde/izSUmHMju9EMxRxuPW6YqEG/gA+sKd5xSpJ/z7KCf6nL9asDtkIKczJb/7aHghDPzXaz23EmwIeFFRzTs1UV2RYfcQ7u+Uza8UcXHTSfVVu8+C92p+JdIWbZ4o9kQx9KjSTnSnYMnym/qhC/E8XMJiSM/RMQ9zZvWHTCA6AWVXUbN/H5iSolx8lwmjIekOrr7OYdR0n0HEa4s8U3O4Pz8w2aX6QI21ew4ZHsxuGiFCIwWxo1KrXApGzSoTGU3ZhDOTOSKXW47jadxOuah2/yhyuo0xI8v2nZceDUUaE44oDx+0CkVlshBZ+2IOYZXhvNRaiGo6X8mnChzVLK9qvC2bPZsh+Tbaag4Bod8KCVSCDhMpwyN5ptiimaf+F3ncbfmHwh7Qujid1uGZQ2VAKXHQh+R343Mj/jIiL2Q+nU17FTi/2K4AcDcH+PXrnFh8jvyYeoHpslOp6VFxKXHd86S3xAWqL3u/i03TGN5qhrtOnRDXTCsOkVn8LbNGYik32MzWFa+zSbv++HvSDaO8CygJQO1GiQu5udX8205KjZ95OF3xxUERXzB0xSAV2LHn+3bGpex8UYGSEGaUbEbM0GUmNaI0X88u+VHdUMdImGjvFptGfnxo0tqP7nRQB0inPUOrX/80r31Z9IX7U3jL66ejiGrHFxROXQ0fIiuPZd6RAN5gu0jQvSlNriYWUJMTkY99pe5hVBp0FRmrMRd5Emo8LhErrJWmRgF8ohzLoXXpVYUxvMifSflU1pMbU16W1G+My2xDsg443alqwvii7cdJ21Z/mR8tdJU3VHmE2XLh3YZT3d35ZP/4wcEbdANiZ7iUuO2OGjpF+qEictSp/lfQAx3xcBoAm/NkvttzPLIvTcrtQHAuhWPc3BFRQJBsmPmiWNO377Bp6oxOYddZ76j5AhpfLD+HtQM1D9QRLQLNexHEK9oYsrLihb/bmU4EJV9JcQlfW4sN15GSp+WKpfb9D74IJDeepVJDEMR3TcT8JqJRmIAJV6Sh23l6eDdSM4gH9xgEEhzPsGrXF4IkbfnLMtyeEOMsthI16g9jphxa1WXIdMT6Nl/2HwwErWlge8Eqa+uLCPToNZZZhhbizfzceOznbcpp2p9eGg3axIhLEGwubDu+VuiLjo+BUKOIXKz1//ZZu69R5ZVF500nR4TKZmjMPe/LkPXWnD4XLsR0pODp6sRvARrtuTJztVoWt9bM9PCYbuRAHScod9pb1VoL7tqMG5kwbQsNDooLwovazZpWwc7kTsRl4g6uT1B7ryKumDMs=,iv:hGrQKxKeeBrHWRgfge6b8z0iOZmEVR83tFUbj4nNN6g=,tag:2t4e2KeThIY9YXfq3jbiYA==,type:str] asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str] asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] sops: 
@@ -8,8 +8,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-12-27T17:31:30Z"
- mac: ENC[AES256_GCM,data:Nu8wP0+yCzSl0EOkf52DXmjefa/bd/LITY4LrcBETndMAYhiqNMTVzTTYJAnh0GKdTzx0YQmVA9oiotOm9JvkKMoXPZgcfe1L/E/mZxASAT0t+qojf9tSxjuXyTarLA7Nkvdw8rzbNs8ffh2Otp3s4nNzLcG4rHvyObksTFbiCE=,iv:xpMJqYx5VtJeQyIY0R8yJPmypWReTq3nOODxUY2PWfQ=,tag:4XQLec2KH1He5IyEvEHGEA==,type:str]
+ lastmodified: "2022-08-04T21:53:32Z"
+ mac: ENC[AES256_GCM,data:S05dsBzRMJKvGNfpT5TLSKmogl8Ekd3A53jNHULSnWkE2/xNSQFSKegHe9fsB9IkjUc6CMlScozbeya0oAGa7Af042OtvmP++OvaT1KtdEhH7VQkpGJo+TRn/inOI6FggOcPQAsFeLgEbZ0hq3eJuO+n4S3SiVu7mNowDXy79UI=,iv:VU18VJH6kakQi6lltnda37FqsxwJg4iNqR2J+rhEJAI=,tag:9pPGr/1NStkvZIUFs+/v/g==,type:str]
 pgp:
 - created_at: "2022-01-04T00:46:57Z"
 enc: |
@@ -63,4 +63,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 10E468768E3BCD6459F9F11AC8F765CF8AD1F892
 unencrypted_suffix: _unencrypted
- version: 3.7.1
+ version: 3.7.3
diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix
index b25d4eb..9a2fda7 100644
--- a/machines/raven/services/asterisk.nix
+++ b/machines/raven/services/asterisk.nix
@@ -44,6 +44,7 @@ in
 exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
 same = n,Hangup()
+ ; Kassen
 exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
 same = n,Hangup()
@@ -81,6 +82,11 @@ in
 ; weinturm
 exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
 same = n,Hangup()
+
+ ; Kleinturm
+ exten = _58X,1,Dial(PJSIP/''${EXTEN},30,tT)
+ same = n,Hangup()
+ ; /weinturm
 '';
 "http.conf" = ''
From 83375b2ef64c3d5b3ff07505fb9309efe974c0d5 Mon Sep 17 00:00:00 2001
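Review bot: The `; Kassen` label added in the first asterisk.nix hunk applies the section-comment convention to the `_4XX` range only, while the `_1XX` range directly above it stays unlabeled; a matching one-line `;` comment naming what `_1XX` serves would keep the dial plan readable end to end. In the second hunk the closing `; /weinturm` marker is added after the new Kleinturm block, so Kleinturm now reads as a sub-location of weinturm — consistent with the commit subject, but if it is a separate site the marker belongs before `; Kleinturm`. The new `_58X` pattern, like the existing `_1XX` and `_4XX` ranges, dials whatever PJSIP endpoint in 580–589 a caller enters, so it presumably relies on the configured endpoint set to bound what is reachable; worth confirming rather than assuming. The enclosing `''` extensions string begins and ends outside both hunks.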
From: Jakob Lechner Date: Fri, 4 Nov 2022 18:24:35 +0000 Subject: [PATCH 06/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249' (2022-07-04) → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/f436e6dbc10bb3500775785072a40eefe057b18e' (2022-07-23) → 'github:cachix/pre-commit-hooks.nix/3eb97d920682777005930ebe01797dc54b1ccb32' (2022-11-04) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/83009edccc2e24afe3d0165ed98b60ff7471a5f8' (2022-07-21) → 'github:nixos/nixos-hardware/6b35a59c19ddbbeb229fcd1d3dcd422dcc0fa927' (2022-11-04) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9370544d849be8a07193e7611d02e6f6f1b10768' (2022-07-28) → 'github:nixos/nixpkgs/4f09cfce9c1d54fb56b65125061a632849de1a49' (2022-11-02) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/2a93ea177c3d7700b934bf95adfe00c435f696b8' (2022-07-29) → 'github:nixos/nixpkgs/a2a777538d971c6b01c6e54af89ddd6567c055e8' (2022-11-03) • Updated input 'sops-nix': 'github:Mic92/sops-nix/d7f8cf1b77ebe5f287884f17b1ee4cc4f48bad1d' (2022-07-24) → 'github:Mic92/sops-nix/486b4455da16272c1ed31bc82adcdbe7af829465' (2022-11-02) • Updated input 'sops-nix/nixpkgs-22_05': 'github:NixOS/nixpkgs/2e14bc76ab41c60ba57fd57ff52badaa29d349f5' (2022-07-24) → 'github:NixOS/nixpkgs/6440d13df2327d2db13d3b17e419784020b71d22' (2022-10-30) --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 492216f..75b9a7d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2,11 +2,11 @@ "nodes": { "flake-utils": { "locked": { - "lastModified": 1656928814, - "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1658611562, - "narHash": "sha256-jktQ3mRrFAiFzzmVxQXh+8IxZOEE4hfr7St3ncXeVy4=", + "lastModified": 1667569243, + "narHash": "sha256-oJ9zVRE6EFa6Pgh0ZWPAbtDrVu1mxp9lH88LZH6MlfQ=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f436e6dbc10bb3500775785072a40eefe057b18e", + "rev": "3eb97d920682777005930ebe01797dc54b1ccb32", "type": "github" }, "original": { @@ -64,11 +64,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1658401027, - "narHash": "sha256-z/sDfzsFOoWNO9nZGfxDCNjHqXvSVZLDBDSgzr9qDXE=", + "lastModified": 1667585378, + "narHash": "sha256-cvOwucrjBaAkaGk3FunG+MQiwiSBeIVTtO5n/YavpC0=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "83009edccc2e24afe3d0165ed98b60ff7471a5f8", + "rev": "6b35a59c19ddbbeb229fcd1d3dcd422dcc0fa927", "type": "github" }, "original": { @@ -80,11 +80,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1659052185, - "narHash": "sha256-TUbwbzCbprtWB9EtXPM52cWuKETuCV3H+cMXjLRbwTw=", + "lastModified": 1667420999, + "narHash": "sha256-NDz83NKuuEuonbhC5HnfhUpZsJQGmAWJr22snKGfhKs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9370544d849be8a07193e7611d02e6f6f1b10768", + "rev": "4f09cfce9c1d54fb56b65125061a632849de1a49", "type": "github" }, "original": { 
@@ -96,11 +96,11 @@
 },
 "nixpkgs-22_05": {
 "locked": {
- "lastModified": 1658634393,
- "narHash": "sha256-VW7edeFzA9VU8gZPxPFGpoPsM2AQLYHKhA9H5+OYtno=",
+ "lastModified": 1667091951,
+ "narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2e14bc76ab41c60ba57fd57ff52badaa29d349f5",
+ "rev": "6440d13df2327d2db13d3b17e419784020b71d22",
 "type": "github"
 },
 "original": {
@@ -128,11 +128,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1659077768,
- "narHash": "sha256-P0XIHBVty6WIuIrk2DZNvLcYev9956y1prT4zL212H8=",
+ "lastModified": 1667482890,
+ "narHash": "sha256-pua0jp87iwN7NBY5/ypx0s9L9CG49Ju/NI4wGwurHc4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2a93ea177c3d7700b934bf95adfe00c435f696b8",
+ "rev": "a2a777538d971c6b01c6e54af89ddd6567c055e8",
 "type": "github"
 },
 "original": {
@@ -189,11 +189,11 @@
 "nixpkgs-22_05": "nixpkgs-22_05"
 },
 "locked": {
- "lastModified": 1658635258,
- "narHash": "sha256-EC8y3Rg+l9IzIUdOaFSA0LMdDipTRoweg1Y2EL8XhMc=",
+ "lastModified": 1667427533,
+ "narHash": "sha256-MsgTnQEi1g7f8anlW5klHW2pJgam4CLbJaYyBw2ed58=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "d7f8cf1b77ebe5f287884f17b1ee4cc4f48bad1d",
+ "rev": "486b4455da16272c1ed31bc82adcdbe7af829465",
 "type": "github"
 },
 "original": {
From 886d3e0c37eaf44946e43f61083f05cc1ad9dc29 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 19:03:03 +0000
Subject: [PATCH 07/59] Use stable nix package unstable is no longer required as flakes are now part of nix
---
 modules/nix.nix | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/modules/nix.nix b/modules/nix.nix
index 98a1d68..6a11112 100644
--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -21,9 +21,6 @@ let
 in
 {
 nix = {
- # flake support
- package = pkgs.nixUnstable;
-
 extraOptions = ''
 experimental-features = nix-command flakes
 '';
From 9bf8b48a8412f397b4216743847c0edf0ec4462f Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 22:37:03 +0000
Subject: [PATCH 08/59] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/72d323ca0410a08abc2d981b812c5cd0fd3338bf' (2021-12-01) → 'github:sbruder/nixpkgs-overlay/ff4ce742bffb71fc983cb13a3634ec0d243d869c' (2022-11-04)
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 75b9a7d..89860e4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -168,11 +168,11 @@
 ]
 },
 "locked": {
- "lastModified": 1638388788,
- "narHash": "sha256-4t+iDoZO9X8fM1cWfbCbsIagRN0PRkpGcJKaMLJE7yc=",
+ "lastModified": 1667592878,
+ "narHash": "sha256-zB0kNNeUBPGw+LWzWmSqTHRfvfy3ckOUMtyE3F90Dns=",
 "owner": "sbruder",
 "repo": "nixpkgs-overlay",
- "rev": "72d323ca0410a08abc2d981b812c5cd0fd3338bf",
+ "rev": "ff4ce742bffb71fc983cb13a3634ec0d243d869c",
 "type": "github"
 },
 "original": {
From da5a19465557679969a90e95b2440b04949353c7 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 22:43:02 +0000
Subject: [PATCH 09/59] Add pipewire module
---
 modules/default.nix | 1 +
 modules/pipewire.nix | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 modules/pipewire.nix
diff --git a/modules/default.nix b/modules/default.nix
index 86ada52..244c94d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./base.nix
 ./nix.nix
+ ./pipewire.nix
 ./pubkeys.nix
 ./sops.nix
 ./tools.nix
diff --git a/modules/pipewire.nix b/modules/pipewire.nix
new file mode 100644
index 0000000..9531e64
--- /dev/null
+++ b/modules/pipewire.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+
+ services.pipewire = {
+ enable = true;
+ pulse = {
+ enable = true;
+ };
+ jack = {
+ enable = false;
+ };
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ pulseaudio # pacmd and pactl
+ ];
+}
From 7f2e0ea8e952d45776871158cc5ec7ab8be1bb45 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 22:40:17 +0000
Subject: [PATCH 10/59] Reinstall party
---
 machines/party/configuration.nix | 12 +++++++--
 machines/party/hardware-configuration.nix | 33 ++++++++++++++++++++---
 2 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/machines/party/configuration.nix b/machines/party/configuration.nix
index 9d3e0e6..d28760c 100644
--- a/machines/party/configuration.nix
+++ b/machines/party/configuration.nix
@@ -6,19 +6,27 @@
 ./services
 ];
+ nixpkgs.config = { allowAliases = false; };
+
 console.keyMap = "de";
 services.xserver.layout = "de";
 services.xserver.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
- services.xserver.displayManager.gdm.enable = true;
+ services.xserver.displayManager.gdm = {
+ enable = true;
+ autoSuspend = false;
+ };
 security.sudo.wheelNeedsPassword = false;
 users.users.party = {
 isNormalUser = true;
 password = "foobar";
- extraGroups = [ "wheel" ];
+ extraGroups = [
+ "wheel"
+ "audio"
+ ];
 };
 environment.systemPackages = with pkgs; [
diff --git a/machines/party/hardware-configuration.nix b/machines/party/hardware-configuration.nix
index 9c1f3eb..b32f461 100644
--- a/machines/party/hardware-configuration.nix
+++ b/machines/party/hardware-configuration.nix
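Review bot: `autoSuspend = false;` in the new gdm block of machines/party/configuration.nix carries no comment saying why the greeter must never suspend; a one-liner such as `# box runs unattended, so never suspend at the greeter` would spare the next reader a guess (the reason is inferred from the surrounding config, so adjust the wording). The unchanged context lines `password = "foobar";` next to `security.sudo.wheelNeedsPassword = false;` are outside this commit, but since the repo already manages secrets with sops (`config.sops.secrets` is used by the dyndns module), moving that credential to `passwordFile`/`hashedPasswordFile` depending on the NixOS release would be a cheap follow-up. The enclosing module continues past the hunk (`environment.systemPackages` is cut off).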
@@ -21,18 +21,45 @@
 loader.grub = {
 enable = true;
+ version = 2;
 device = "/dev/sda";
 };
 };
 fileSystems = {
 "/" = {
- device = "/dev/sda3";
+ device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
 fsType = "btrfs";
- options = [ "discard=async" "noatime" "compress=zstd" ];
+ options = [
+ "subvol=root"
+ "discard=async"
+ "compress=zstd"
+ ];
 };
+
+ "/home" = {
+ device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+ fsType = "btrfs";
+ options = [
+ "subvol=home"
+ "discard=async"
+ "compress=zstd"
+ ];
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+ fsType = "btrfs";
+ options = [
+ "subvol=nix"
+ "discard=async"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+
 "/boot" = {
- device = "/dev/sda2";
+ device = "/dev/disk/by-uuid/3e24b5cf-e59f-41b1-9eef-107f808b9242";
 fsType = "ext2";
 };
 };
From a3ce6223b10d2f2608eaa3699040349f101225c4 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 22:42:45 +0000
Subject: [PATCH 11/59] Add colorchord service to raven
---
 machines/party/services/colorchord.nix | 21 -----
 machines/raven/configuration.nix | 2 +-
 machines/raven/services/colorchord.nix | 113 +++++++++++++++++++++++++
 machines/raven/services/default.nix | 1 +
 4 files changed, 115 insertions(+), 22 deletions(-)
 create mode 100644 machines/raven/services/colorchord.nix
diff --git a/machines/party/services/colorchord.nix b/machines/party/services/colorchord.nix
index c5fa8be..661025a 100644
--- a/machines/party/services/colorchord.nix
+++ b/machines/party/services/colorchord.nix
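Review bot: The root subvolume loses `"noatime"` compared with the removed `options` line, `/home` never gets it, and only `/nix` keeps it — if that asymmetry is deliberate, a short comment on the `"/"` entry (`# atime kept on / and /home for …`) will stop someone "fixing" it later; otherwise add `"noatime"` to the two option lists so the three btrfs subvolumes are mounted consistently. `version = 2;` added to `loader.grub` is fine on the release this commit targets, but this series later bumps to NixOS 23.05 (patch 18), where `boot.loader.grub.version` is reported as deprecated after GRUB 1 support was dropped; confirm against that release and drop the line once the bump lands. The `boot = {` set that contains `loader.grub` starts above the hunk.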
@@ -1,31 +1,10 @@
 { inputs, lib, pkgs, ... }:
 let
 ledDevices = {
- traverse = {
- leds = 116;
- host = "wled-Traverse";
- };
- nhecke = {
- leds = 75;
- host = "wled-Nhecke";
- };
- printerbench = {
- leds = 80;
- host = "wled-Printerbench";
- };
- resedaraum = {
- leds = 285;
- host = "wled-Resedaraum";
- loop = true;
- };
 kanister = {
 leds = 43;
 host = "wled-Kanister";
 };
- dj-table-floor-02 = {
- leds = 300;
- host = "wled-DJ-Table-Floor-02";
- };
 bar = {
 leds = 300;
 host = "wled-Bar";
diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix
index 80bead5..e72facb 100644
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@@ -72,7 +72,7 @@
 };
 jalr = {
 isNormalUser = true;
- extraGroups = [ "wheel" "docker" ];
+ extraGroups = [ "wheel" "docker" "audio" ];
 openssh.authorizedKeys.keys = config.fablab.pubkeys.users.jalr;
 };
 };
diff --git a/machines/raven/services/colorchord.nix b/machines/raven/services/colorchord.nix
new file mode 100644
index 0000000..61218b1
--- /dev/null
+++ b/machines/raven/services/colorchord.nix
@@ -0,0 +1,113 @@
+{ inputs, lib, pkgs, ... }:
+let
+ ledDevices = {
+ workbench-1 = {
+ leds = 87 * 2;
+ host = "wled-Workbench-1";
+ };
+ workbench-2 = {
+ leds = 87 * 2;
+ host = "wled-Workbench-2";
+ };
+ elektrodecke = {
+ leds = 87 * 2;
+ host = "wled-Elektrodecke";
+ };
+ traverse = {
+ leds = 235;
+ host = "wled-Traverse";
+ };
+ nhecke = {
+ leds = 75;
+ host = "wled-Nhecke";
+ };
+ printerbench = {
+ leds = 80;
+ host = "wled-Printerbench";
+ };
+ resedaraum = {
+ leds = 285;
+ host = "wled-Resedaraum";
+ loop = true;
+ };
+ };
+ soundDevices = {
+ sink = "alsa_output.usb-Burr-Brown_from_TI_USB_Audio_DAC-00.analog-stereo";
+ };
+
+ devicesProduct = lib.fold
+ (soundDevice: acc: acc // lib.mapAttrs'
+ (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
+ source = soundDevice.id;
+ }))
+ ledDevices)
+ { }
+ (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
+in
+{
+ environment.systemPackages = with pkgs; [
+ colorchord2
+ ];
+
+ environment.etc = lib.mapAttrs'
+ (name: config: lib.nameValuePair
+ "colorchord/${name}.conf"
+ {
+ text = ''
+ # Basic
+ outdrivers = DisplayNetwork, OutputLinear
+ headless = 1
+
+ # Audio input
+ amplify = 10
+ samplerate = 48000
+ devrecord = ${config.source}
+
+ # Visualiser
+ cpu_autolimit = 1
+ satamp = 1
+
+ # LED config
+ leds = ${toString config.leds}
+ is_loop = ${if config ?
loop && config.loop then "1" else "0"}
+ light_siding = 1.5
+ led_floor = 0.1
+ steady_bright = 1
+ fliprg = 0
+
+ # WLED
+ wled_realtime = 1
+ port = 19446
+ address = ${config.host}
+ wled_timeout = 2
+ skipfirst = 0
+ '';
+ })
+ devicesProduct;
+
+ systemd.user.services = builtins.listToAttrs (map
+ (soundDevice: lib.nameValuePair
+ "colorchord-${soundDevice}@"
+ {
+ partOf = [ "colorchord-${soundDevice}.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
+ '';
+ Restart = "always";
+ };
+ })
+ (lib.attrNames soundDevices));
+
+ systemd.user.targets = builtins.listToAttrs (map
+ (soundDevice: lib.nameValuePair
+ "colorchord-${soundDevice}"
+ {
+ wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
+ })
+ (lib.attrNames soundDevices));
+
+ nixpkgs.overlays = with inputs; [
+ sbruder-overlay.overlay
+ ];
+}
diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index 0ed81ef..0a789d0 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./asterisk.nix
+ ./colorchord.nix
 ./dnsmasq.nix
 ./dyndns.nix
 ./freeradius.nix
From b5514516270d2ab93ad1df39f101caf5cf9fcf2e Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 22:59:24 +0000
Subject: [PATCH 12/59] Change ddns provider to Duck DNS
---
 machines/raven/secrets.yaml | 6 +++---
 machines/raven/services/dyndns.nix | 9 ++++-----
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 308c67d..5dcccd1 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
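Review bot: `Restart = "always";` in the `systemd.user.services` template has no `RestartSec`, so when colorchord exits right away — the hard-coded `sink` device missing, or a WLED host in `address = ${config.host}` unreachable — systemd restarts it at its default 100 ms pace and the unit will likely trip the start-rate limit instead of recovering; add `RestartSec = 5;` next to `Restart`. `devicesProduct` builds the cross product of `ledDevices` and `soundDevices` through nested `lib.fold`/`lib.mapAttrs'` and deserves a comment such as `# one colorchord config per (LED device, sound device) pair, named "<led>-<sound>"`. Declaring `nixpkgs.overlays` inside a service module is unusual; keeping overlays in the machine configuration makes it easier to see what is overridden for raven. This hunk is the whole new file and starts on the previous line.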
@@ -1,4 +1,4 @@
-dyndns-password: ENC[AES256_GCM,data:FXAuhhVqs1cD8r1SKaY2pbAdzDU=,iv:t1wj201txdfPXRVBrX8bZbemEDNY9JoCQzKnw/VhW1I=,tag:E1XgN73DME1qKZD7qzkxCg==,type:str]
+dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str]
 asterisk-pjsip: ENC[AES256_GCM,data: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,iv:hGrQKxKeeBrHWRgfge6b8z0iOZmEVR83tFUbj4nNN6g=,tag:2t4e2KeThIY9YXfq3jbiYA==,type:str]
 asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str]
 asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str]
@@ -8,8 +8,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-08-04T21:53:32Z"
- mac: ENC[AES256_GCM,data:S05dsBzRMJKvGNfpT5TLSKmogl8Ekd3A53jNHULSnWkE2/xNSQFSKegHe9fsB9IkjUc6CMlScozbeya0oAGa7Af042OtvmP++OvaT1KtdEhH7VQkpGJo+TRn/inOI6FggOcPQAsFeLgEbZ0hq3eJuO+n4S3SiVu7mNowDXy79UI=,iv:VU18VJH6kakQi6lltnda37FqsxwJg4iNqR2J+rhEJAI=,tag:9pPGr/1NStkvZIUFs+/v/g==,type:str]
+ lastmodified: "2022-11-04T22:53:27Z"
+ mac: ENC[AES256_GCM,data:QbNsW3bSqv74iA+iziOiH9eUnw6D4MEAiDchCv5CdwmRMovLp2OFawn1F9v5ItonP8gak2l3gQvZMS6AEfqqGFITpgbPKQWDSpQoJSUNoobFMzQdVJr/nv0Rcn3tzUFhXWH5R8Zqb++XlviLpFv209KLYYY4wOBBtq6qXghpu+Y=,iv:9JD7lSkcn0ezbCpkTNwJEbDz8wxue9YtLNfm+0qzeak=,tag:Ageub1wxIKAamSaGkZ/ZjQ==,type:str]
 pgp:
 - created_at: "2022-01-04T00:46:57Z"
 enc: |
diff --git a/machines/raven/services/dyndns.nix b/machines/raven/services/dyndns.nix
index 2c64bbe..8478828 100644
--- a/machines/raven/services/dyndns.nix
+++ b/machines/raven/services/dyndns.nix
@@ -6,12 +6,11 @@
 services.ddclient = {
 enable = true;
 interval = "1min";
- use = "web, web=checkip.dynu.com/, web-skip='IP Address'";
- server = "api.dynu.com";
- protocol = "dyndns2";
- username = "fablabnea";
+ server = "www.duckdns.org";
+ protocol = "duckdns";
+ username = "nouser";
 passwordFile = config.sops.secrets.dyndns-password.path;
- domains = [ "fablab-nea.freeddns.org" ];
+ domains = [ "fablab-nea" ];
 ipv6 = false;
 };
 }
From c6dd03732d645289b53de0f7ab3292ccd36862c3 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 4 Nov 2022 23:05:33 +0000
Subject: [PATCH 13/59] Add settings for NAT with dynamic IPs
---
 machines/raven/secrets.yaml | 6 +++---
 machines/raven/services/asterisk.nix | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 5dcccd1..519a4b6 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
@@ -1,5 +1,5 @@
 dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str]
-asterisk-pjsip: ENC[AES256_GCM,data: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,iv:hGrQKxKeeBrHWRgfge6b8z0iOZmEVR83tFUbj4nNN6g=,tag:2t4e2KeThIY9YXfq3jbiYA==,type:str]
+asterisk-pjsip: ENC[AES256_GCM,data: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,iv:BhKtyXJH8m6MVMQIwnc7r9KaKvchyzm4oGNyJEE3IO4=,tag:fOmAonndQ9F+RscI0eg85A==,type:str]
 asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str]
 asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str]
 sops:
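Review bot: `username = "nouser";` is a placeholder that ddclient's duckdns protocol does not use (authentication is the token read from `passwordFile`), but nothing in the file says so; a comment like `# duckdns authenticates with the token in passwordFile; ddclient still needs a login value` would stop the next reader from looking for that account. Dropping the explicit `use = "web, …"` line means IP detection now falls back to whatever the ddclient module defaults to instead of the checkip service used before; if that default is intended, fine, otherwise set `use` explicitly so the detection source is visible here. The sops key is still named `dyndns-password` although it now holds a DuckDNS token, which is worth noting in the secret's comment even if it is not renamed.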
@@ -8,8 +8,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-11-04T22:53:27Z"
- mac: ENC[AES256_GCM,data:QbNsW3bSqv74iA+iziOiH9eUnw6D4MEAiDchCv5CdwmRMovLp2OFawn1F9v5ItonP8gak2l3gQvZMS6AEfqqGFITpgbPKQWDSpQoJSUNoobFMzQdVJr/nv0Rcn3tzUFhXWH5R8Zqb++XlviLpFv209KLYYY4wOBBtq6qXghpu+Y=,iv:9JD7lSkcn0ezbCpkTNwJEbDz8wxue9YtLNfm+0qzeak=,tag:Ageub1wxIKAamSaGkZ/ZjQ==,type:str]
+ lastmodified: "2022-11-04T23:00:58Z"
+ mac: ENC[AES256_GCM,data:UIKMlFAq+KbWIxbnEizyNH06Nc9dcv3HFi/Etde4lqd1JjsKLpGyxxtHMnmH37xAnRqZYiZAu0UUS3LiifDo3SCASRDpqI6EFQ/kzecQJY+KMLDfEuNYAIWK5H7lYnxvoIYVOD7FYxJhDEih/o02HMSIsU7Vb6IokExKoFbYmRY=,iv:Iulu4XDJMQlg71HD2aZ/uISUoPpREqjkS1kS24xFKfM=,tag:MzV69QfBep/b8OPgEBKRBw==,type:str]
 pgp:
 - created_at: "2022-01-04T00:46:57Z"
 enc: |
diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix
index 9a2fda7..4c084e1 100644
--- a/machines/raven/services/asterisk.nix
+++ b/machines/raven/services/asterisk.nix
@@ -108,6 +108,11 @@ in
 rtpstart=${toString rtp.start}
 rtpend=${toString rtp.end}
 '';
+ "dnsmgr.conf" = ''
+ [general]
+ enable=yes
+ refreshinterval=60
+ '';
 };
 useTheseDefaultConfFiles = [ ];
 };
From 4d4e4d6bb561e500d89648cf9d1956a5a0e5c3a7 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Sun, 1 Jan 2023 16:51:26 +0000
Subject: [PATCH 14/59] Bump nixos version to 22.11
---
 flake.lock | 8 ++++----
 flake.nix | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/flake.lock b/flake.lock
index 89860e4..d305f6c 100644
--- a/flake.lock
+++ b/flake.lock
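Review bot: The new `"dnsmgr.conf"` entry in asterisk.nix turns on Asterisk's DNS manager with `refreshinterval=60` but carries no explanation, and the connection to the commit subject (NAT behind a dynamic public IP) lives only in the log; a comment above the entry, e.g. `# re-resolve hostnames from the config (presumably the dyndns name used for NAT) every 60 s instead of only at load`, keeps the rationale next to the setting. `refreshinterval` is in seconds, so 60 lines up with the 1-minute ddclient interval in dyndns.nix, which is worth stating so the two are changed together. The attribute set holding these conf files starts above the hunk.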
@@ -80,16 +80,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1667420999,
- "narHash": "sha256-NDz83NKuuEuonbhC5HnfhUpZsJQGmAWJr22snKGfhKs=",
+ "lastModified": 1672353432,
+ "narHash": "sha256-oZfgp/44/o2tWiylV30cR+DLyWTJ+5dhsdWZVpzs3e4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "4f09cfce9c1d54fb56b65125061a632849de1a49",
+ "rev": "913a47cd064cc06440ea84e5e0452039a85781f0",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-22.05",
+ "ref": "nixos-22.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 815bb68..a49ce41 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,7 @@
 nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
 nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
- nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
From 120074449b752c5e34c0a695079d08d071192404 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Sun, 1 Jan 2023 16:52:50 +0000 Subject: [PATCH 15/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/3eb97d920682777005930ebe01797dc54b1ccb32' (2022-11-04) → 'github:cachix/pre-commit-hooks.nix/67d98f02443b9928bc77f1267741dcfdd3d7b65c' (2022-12-26) • Added input 'nix-pre-commit-hooks/flake-compat': 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) • Added input 'nix-pre-commit-hooks/gitignore': 'github:hercules-ci/gitignore.nix/a20de23b925fd8264fd7fad6454652e142fd7f73' (2022-08-14) • Added input 'nix-pre-commit-hooks/gitignore/nixpkgs': follows 'nix-pre-commit-hooks/nixpkgs' • Added input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/d513b448cc2a6da2c8803e3c197c9fc7e67b19e3' (2022-12-17) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/6b35a59c19ddbbeb229fcd1d3dcd422dcc0fa927' (2022-11-04) → 'github:nixos/nixos-hardware/0517e81e8ce24a0f4f9eebedbd7bbefcac97c058' (2023-01-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/a2a777538d971c6b01c6e54af89ddd6567c055e8' (2022-11-03) → 'github:nixos/nixpkgs/677ed08a50931e38382dbef01cba08a8f7eac8f6' (2022-12-29) • Updated input 'sops-nix': 'github:Mic92/sops-nix/486b4455da16272c1ed31bc82adcdbe7af829465' (2022-11-02) → 'github:Mic92/sops-nix/b35586cc5abacd4eba9ead138b53e2a60920f781' (2023-01-01) • Removed input 'sops-nix/nixpkgs-22_05' • Added input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/feda52be1d59f13b9aa02f064b4f14784b9a06c8' (2022-12-31) --- flake.lock | 116 +++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 86 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index d305f6c..b91de1e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,21 @@ { "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1667395993, @@ -15,6 +31,27 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nix-pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "krops": { "inputs": { "flake-utils": [ @@ -40,19 +77,22 @@ }, "nix-pre-commit-hooks": { "inputs": { + "flake-compat": "flake-compat", "flake-utils": [ "flake-utils" ], + "gitignore": "gitignore", "nixpkgs": [ "nixpkgs-unstable" - ] + ], + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1667569243, - "narHash": "sha256-oJ9zVRE6EFa6Pgh0ZWPAbtDrVu1mxp9lH88LZH6MlfQ=", + "lastModified": 1672050129, + "narHash": "sha256-GBQMcvJUSwAVOpDjVKzB6D5mmHI7Y4nFw+04bnS9QrM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3eb97d920682777005930ebe01797dc54b1ccb32", + "rev": "67d98f02443b9928bc77f1267741dcfdd3d7b65c", "type": "github" }, "original": { 
@@ -64,11 +104,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1667585378, - "narHash": "sha256-cvOwucrjBaAkaGk3FunG+MQiwiSBeIVTtO5n/YavpC0=", + "lastModified": 1672566874, + "narHash": "sha256-/lmz3/xzdghGSFeCcTiKMjbj0uRmUqTZhh4HHeUJ++g=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "6b35a59c19ddbbeb229fcd1d3dcd422dcc0fa927", + "rev": "0517e81e8ce24a0f4f9eebedbd7bbefcac97c058", "type": "github" }, "original": { @@ -94,22 +134,6 @@ "type": "github" } }, - "nixpkgs-22_05": { - "locked": { - "lastModified": 1667091951, - "narHash": "sha256-62sz0fn06Nq8OaeBYrYSR3Y6hUcp8/PC4dJ7HeGaOhU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6440d13df2327d2db13d3b17e419784020b71d22", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-22.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-asterisk": { "locked": { "lastModified": 1639416782, 
@@ -126,13 +150,45 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1671271954, + "narHash": "sha256-cSvu+bnvN08sOlTBWbBrKaBHQZq8mvk8bgpt0ZJ2Snc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d513b448cc2a6da2c8803e3c197c9fc7e67b19e3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1672500394, + "narHash": "sha256-yzwBzCoeRBoRzm7ySHhm72kBG0QjgFalLz2FY48iLI4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "feda52be1d59f13b9aa02f064b4f14784b9a06c8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { - "lastModified": 1667482890, - "narHash": "sha256-pua0jp87iwN7NBY5/ypx0s9L9CG49Ju/NI4wGwurHc4=", + "lastModified": 1672350804, + "narHash": "sha256-jo6zkiCabUBn3ObuKXHGqqORUMH27gYDIFFfLq5P4wg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a2a777538d971c6b01c6e54af89ddd6567c055e8", + "rev": "677ed08a50931e38382dbef01cba08a8f7eac8f6", "type": "github" }, "original": { @@ -186,14 +242,14 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-22_05": "nixpkgs-22_05" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1667427533, - "narHash": "sha256-MsgTnQEi1g7f8anlW5klHW2pJgam4CLbJaYyBw2ed58=", + "lastModified": 1672543202, + "narHash": "sha256-nlCUtcIZxaBqUBG1GyaXhZmfyG5WK4e6LqypP8llX9E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "486b4455da16272c1ed31bc82adcdbe7af829465", + "rev": "b35586cc5abacd4eba9ead138b53e2a60920f781", "type": "github" }, "original": { From 9e8e2baba1cbecf0da268b6f6cb5a278586664c9 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Sun, 1 Jan 2023 16:53:26 +0000 Subject: [PATCH 16/59] Re-enable opentracker libowfat issue is fixed --- machines/raven/services/labsync/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/machines/raven/services/labsync/default.nix b/machines/raven/services/labsync/default.nix
index 75f1980..8a9250a 100644
--- a/machines/raven/services/labsync/default.nix
+++ b/machines/raven/services/labsync/default.nix
@@ -5,9 +5,7 @@ let
 generator_port = 8695;
 in
 {
- # FIXME: opentracker is disabled, because it depends on libowfat-0.32,
- #’which currently is marked as broken.
- #services.opentracker.enable = true;
+ services.opentracker.enable = true;
 services.nginx.virtualHosts."labsync.fablab-nea.de" = {
 addSSL = true;
From 1b8846cb2245189f33d7bdca1c679d7f813ee74d Mon Sep 17 00:00:00 2001
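Review bot: `services.opentracker.enable = true;` brings a BitTorrent tracker back up, and nothing in the hunk constrains where it listens or whether a firewall port is opened; as far as I can tell the module's defaults let opentracker bind every interface, so confirm the intended exposure (LAN-only for labsync versus reachable from the internet) and pin it through the module's `extraOptions` (an `-i`/`-p` bind, for example) if it should stay local. The removed FIXME was the only text explaining this line; a short replacement such as `# tracker for the labsync torrents` keeps the purpose documented now that the libowfat reason is gone. The module's `let` block starts above the hunk.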
From: Jakob Lechner Date: Fri, 12 May 2023 19:10:10 +0000 Subject: [PATCH 17/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11) • Added input 'flake-utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/67d98f02443b9928bc77f1267741dcfdd3d7b65c' (2022-12-26) → 'github:cachix/pre-commit-hooks.nix/fb58866e20af98779017134319b5663b8215d912' (2023-04-27) • Updated input 'nix-pre-commit-hooks/flake-compat': 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) → 'github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9' (2023-01-17) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/d513b448cc2a6da2c8803e3c197c9fc7e67b19e3' (2022-12-17) → 'github:NixOS/nixpkgs/9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8' (2023-03-15) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/0517e81e8ce24a0f4f9eebedbd7bbefcac97c058' (2023-01-01) → 'github:nixos/nixos-hardware/fb1317948339713afa82a775a8274a91334f6182' (2023-05-11) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/913a47cd064cc06440ea84e5e0452039a85781f0' (2022-12-29) → 'github:nixos/nixpkgs/a08e061a4ee8329747d54ddf1566d34c55c895eb' (2023-05-09) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/677ed08a50931e38382dbef01cba08a8f7eac8f6' (2022-12-29) → 'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06) • Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/ff4ce742bffb71fc983cb13a3634ec0d243d869c' (2022-11-04) → 'github:sbruder/nixpkgs-overlay/b095898a01dd3bf434488a18f887e718e2f5e528' (2023-03-06) • Updated input 
'sops-nix': 'github:Mic92/sops-nix/b35586cc5abacd4eba9ead138b53e2a60920f781' (2023-01-01) → 'github:Mic92/sops-nix/36b062a2c85a0efb37de1300c79c54602a094fab' (2023-05-08) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/feda52be1d59f13b9aa02f064b4f14784b9a06c8' (2022-12-31) → 'github:NixOS/nixpkgs/ba0086c178d4ed60a7899f739caea553eca2e046' (2023-05-08) --- flake.lock | 80 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index b91de1e..f4fdac0 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -17,12 +17,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", "type": "github" }, "original": { @@ -88,11 +91,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1672050129, - "narHash": "sha256-GBQMcvJUSwAVOpDjVKzB6D5mmHI7Y4nFw+04bnS9QrM=", + "lastModified": 1682596858, + "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "67d98f02443b9928bc77f1267741dcfdd3d7b65c", + "rev": "fb58866e20af98779017134319b5663b8215d912", "type": "github" }, "original": { 
@@ -104,11 +107,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1672566874, - "narHash": "sha256-/lmz3/xzdghGSFeCcTiKMjbj0uRmUqTZhh4HHeUJ++g=", + "lastModified": 1683836901, + "narHash": "sha256-ecv+VfhGmeQOBS6j9SptM0aKS25sMIEh+QbaYI4pyI0=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "0517e81e8ce24a0f4f9eebedbd7bbefcac97c058", + "rev": "fb1317948339713afa82a775a8274a91334f6182", "type": "github" }, "original": { @@ -120,11 +123,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1672353432, - "narHash": "sha256-oZfgp/44/o2tWiylV30cR+DLyWTJ+5dhsdWZVpzs3e4=", + "lastModified": 1683627095, + "narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "913a47cd064cc06440ea84e5e0452039a85781f0", + "rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb", "type": "github" }, "original": { @@ -152,27 +155,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1671271954, - "narHash": "sha256-cSvu+bnvN08sOlTBWbBrKaBHQZq8mvk8bgpt0ZJ2Snc=", + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d513b448cc2a6da2c8803e3c197c9fc7e67b19e3", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.05", + "ref": "nixos-22.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1672500394, - "narHash": "sha256-yzwBzCoeRBoRzm7ySHhm72kBG0QjgFalLz2FY48iLI4=", + "lastModified": 1683504292, + "narHash": "sha256-jlZbBIKGa6IMGkcJkQ08pbKnouTAPfeq1fD5I7l/rBw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "feda52be1d59f13b9aa02f064b4f14784b9a06c8", + "rev": "ba0086c178d4ed60a7899f739caea553eca2e046", "type": "github" }, "original": { 
@@ -184,11 +187,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1672350804, - "narHash": "sha256-jo6zkiCabUBn3ObuKXHGqqORUMH27gYDIFFfLq5P4wg=", + "lastModified": 1683408522, + "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "677ed08a50931e38382dbef01cba08a8f7eac8f6", + "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7", "type": "github" }, "original": { @@ -224,11 +227,11 @@ ] }, "locked": { - "lastModified": 1667592878, - "narHash": "sha256-zB0kNNeUBPGw+LWzWmSqTHRfvfy3ckOUMtyE3F90Dns=", + "lastModified": 1678136274, + "narHash": "sha256-wwYU5H2lkpY7SeK+7bFSEUmSULhxT81d0WZFqbiZ42w=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "ff4ce742bffb71fc983cb13a3634ec0d243d869c", + "rev": "b095898a01dd3bf434488a18f887e718e2f5e528", "type": "github" }, "original": { @@ -245,11 +248,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1672543202, - "narHash": "sha256-nlCUtcIZxaBqUBG1GyaXhZmfyG5WK4e6LqypP8llX9E=", + "lastModified": 1683545104, + "narHash": "sha256-48wC0zzHAej/wLFWIgV+uj63AvQ2UUk85g7wmXJzTqk=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b35586cc5abacd4eba9ead138b53e2a60920f781", + "rev": "36b062a2c85a0efb37de1300c79c54602a094fab", "type": "github" }, "original": { @@ -257,6 +260,21 @@ "repo": "sops-nix", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", From 1d4d931dd29bd00d3f7f3c66e9ff2d896067bc24 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Thu, 25 May 2023 18:36:25 +0000 Subject: [PATCH 18/59] Bump nixos version to 23.05 --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/flake.lock b/flake.lock index f4fdac0..1e01563 100644 --- a/flake.lock +++ b/flake.lock @@ -123,16 +123,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1683627095, - "narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=", + "lastModified": 1684922889, + "narHash": "sha256-l0WZAmln8959O7RdYUJ3gnAIM9OPKFLKHKGX4q+Blrk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb", + "rev": "04aaf8511678a0d0f347fdf1e8072fe01e4a509e", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index a49ce41..1232b74 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,7 @@ nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged From 6c4bf599bcb727a49f0f2d6cff20293523af56c5 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Fri, 26 May 2023 15:40:26 +0000 Subject: [PATCH 19/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/fb58866e20af98779017134319b5663b8215d912' (2023-04-27) → 'github:cachix/pre-commit-hooks.nix/61e567d6497bc9556f391faebe5e410e6623217f' (2023-05-23) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/fb1317948339713afa82a775a8274a91334f6182' (2023-05-11) → 'github:nixos/nixos-hardware/4cc688ee711159b9bcb5a367be44007934e1a49d' (2023-05-24) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/04aaf8511678a0d0f347fdf1e8072fe01e4a509e' (2023-05-24) → 'github:nixos/nixpkgs/3e01645c40b92d29f3ae76344a6d654986a91a91' (2023-05-25) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06) → 'github:nixos/nixpkgs/f91ee3065de91a3531329a674a45ddcb3467a650' (2023-05-24) • Updated input 'sops-nix': 'github:Mic92/sops-nix/36b062a2c85a0efb37de1300c79c54602a094fab' (2023-05-08) → 'github:Mic92/sops-nix/4ccdfb573f323a108a44c13bb7730e42baf962a9' (2023-05-21) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/ba0086c178d4ed60a7899f739caea553eca2e046' (2023-05-08) → 'github:NixOS/nixpkgs/d0dade110dc7072d67ce27826cfe9ab2ab0cf247' (2023-05-21) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 1e01563..d8cb60b 100644 --- a/flake.lock +++ b/flake.lock 
@@ -91,11 +91,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1682596858, - "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", + "lastModified": 1684842236, + "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "fb58866e20af98779017134319b5663b8215d912", + "rev": "61e567d6497bc9556f391faebe5e410e6623217f", "type": "github" }, "original": { @@ -107,11 +107,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1683836901, - "narHash": "sha256-ecv+VfhGmeQOBS6j9SptM0aKS25sMIEh+QbaYI4pyI0=", + "lastModified": 1684899633, + "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "fb1317948339713afa82a775a8274a91334f6182", + "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", "type": "github" }, "original": { @@ -123,11 +123,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1684922889, - "narHash": "sha256-l0WZAmln8959O7RdYUJ3gnAIM9OPKFLKHKGX4q+Blrk=", + "lastModified": 1685004253, + "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "04aaf8511678a0d0f347fdf1e8072fe01e4a509e", + "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", "type": "github" }, "original": { @@ -171,11 +171,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1683504292, - "narHash": "sha256-jlZbBIKGa6IMGkcJkQ08pbKnouTAPfeq1fD5I7l/rBw=", + "lastModified": 1684632198, + "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ba0086c178d4ed60a7899f739caea553eca2e046", + "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247", "type": "github" }, "original": { 
@@ -187,11 +187,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1683408522, - "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=", + "lastModified": 1684935479, + "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7", + "rev": "f91ee3065de91a3531329a674a45ddcb3467a650", "type": "github" }, "original": { @@ -248,11 +248,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1683545104, - "narHash": "sha256-48wC0zzHAej/wLFWIgV+uj63AvQ2UUk85g7wmXJzTqk=", + "lastModified": 1684637723, + "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "36b062a2c85a0efb37de1300c79c54602a094fab", + "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9", "type": "github" }, "original": { From 3e6fdc74f82f33ba2306c8d80af35f082d131844 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 26 May 2023 18:40:11 +0000 Subject: [PATCH 20/59] Allow unfree package: mongodb mongodb is a requirement for Ubiquity controller. --- modules/unfree.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/unfree.nix b/modules/unfree.nix index 5024029..3394261 100644 --- a/modules/unfree.nix +++ b/modules/unfree.nix @@ -3,5 +3,6 @@ { nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [ "unifi-controller" + "mongodb" ]); } From 3cefc7f9dd90c9b812b9cb247317c953d879ad83 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Thu, 13 Jul 2023 16:33:25 +0000 Subject: [PATCH 21/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11) → 'github:numtide/flake-utils/919d646de7be200f3bf08cb76ae1f09402b6f9b4' (2023-07-11) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/61e567d6497bc9556f391faebe5e410e6623217f' (2023-05-23) → 'github:cachix/pre-commit-hooks.nix/c8d18ba345730019c3faf412c96a045ade171895' (2023-07-05) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8' (2023-03-15) → 'github:NixOS/nixpkgs/c37ca420157f4abc31e26f436c1145f8951ff373' (2023-06-03) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/4cc688ee711159b9bcb5a367be44007934e1a49d' (2023-05-24) → 'github:nixos/nixos-hardware/44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c' (2023-07-11) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/3e01645c40b92d29f3ae76344a6d654986a91a91' (2023-05-25) → 'github:nixos/nixpkgs/fcc147b1e9358a8386b2c4368bd928e1f63a7df2' (2023-07-13) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/f91ee3065de91a3531329a674a45ddcb3467a650' (2023-05-24) → 'github:nixos/nixpkgs/2de8efefb6ce7f5e4e75bdf57376a96555986841' (2023-07-12) • Updated input 'sops-nix': 'github:Mic92/sops-nix/4ccdfb573f323a108a44c13bb7730e42baf962a9' (2023-05-21) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/d0dade110dc7072d67ce27826cfe9ab2ab0cf247' (2023-05-21) → 'github:NixOS/nixpkgs/510d721ce097150ae3b80f84b04b13b039186571' (2023-07-09) --- flake.lock | 52 ++++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 26 deletions(-) 
diff --git a/flake.lock b/flake.lock index d8cb60b..363f917 100644 --- a/flake.lock +++ b/flake.lock @@ -21,11 +21,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { @@ -91,11 +91,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1684842236, - "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=", + "lastModified": 1688596063, + "narHash": "sha256-9t7RxBiKWHygsqXtiNATTJt4lim/oSYZV3RG8OjDDng=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "61e567d6497bc9556f391faebe5e410e6623217f", + "rev": "c8d18ba345730019c3faf412c96a045ade171895", "type": "github" }, "original": { @@ -107,11 +107,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1684899633, - "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "lastModified": 1689060619, + "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c", "type": "github" }, "original": { @@ -123,11 +123,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1685004253, - "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", + "lastModified": 1689209875, + "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", + "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", "type": "github" }, "original": { 
@@ -155,43 +155,43 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1678872516, - "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1684632198, - "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1684935479, - "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=", + "lastModified": 1689192006, + "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f91ee3065de91a3531329a674a45ddcb3467a650", + "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841", "type": "github" }, "original": { @@ -248,11 +248,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1684637723, - "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=", + "lastModified": 1689149796, + "narHash": "sha256-3FCUdayBHcxk6BZOxEIfa5UxbXNQzTc/VlN7ociI2Dw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9", + "rev": "88b964df6981e4844c07be8c192aa6bdca768a10", "type": "github" }, "original": { From 27460d368211dc8660a89c446324c21324c5af7f Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Thu, 13 Jul 2023 22:56:35 +0000 Subject: [PATCH 22/59] Fix deprecations
---
 flake.nix | 6 +-- machines/party/hardware-configuration.nix | 1 - machines/raven/services/dnsmasq.nix | 57 +++++++++++------------ modules/base.nix | 2 +- modules/nix.nix | 12 +++-- 5 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/flake.nix b/flake.nix
index 1232b74..e2c0ad8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,7 +39,7 @@
 let
 pkgs = import nixpkgs {
 inherit system;
- overlays = [ self.overlay ];
+ overlays = [ self.overlays.default ];
 };
 inherit (pkgs) lib;
 in
@@ -55,7 +55,7 @@
 };
 };
- devShell = pkgs.mkShell {
+ devShells.default = pkgs.mkShell {
 name = "fablab-nixos-config";
 buildInputs = (with pkgs; [
@@ -112,7 +112,7 @@
 fablab;
 });
 }) // {
- overlay = import ./pkgs;
+ overlays.default = import ./pkgs;
 nixosConfigurations = nixpkgs.lib.mapAttrs (hostname: { system
diff --git a/machines/party/hardware-configuration.nix b/machines/party/hardware-configuration.nix
index b32f461..a07aa08 100644
--- a/machines/party/hardware-configuration.nix
+++ b/machines/party/hardware-configuration.nix
@@ -21,7 +21,6 @@
 loader.grub = {
 enable = true;
- version = 2;
 device = "/dev/sda";
 };
 };
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index 2610096..35faad7 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -20,40 +20,37 @@ in
 {
 services.dnsmasq = {
 enable = true;
-
- extraConfig = ''
- bind-dynamic
- listen-address=192.168.93.1
- listen-address=192.168.94.1
- interface=lo
-
- expand-hosts
- domain=lab.fablab-nea.de
- dhcp-range=192.168.93.20,192.168.93.254,4h
- dhcp-range=192.168.94.20,192.168.94.254,4h
-
- dhcp-boot=lpxelinux.0,raven,192.168.94.1
-
- cache-size=10000
- dns-forward-max=1000
-
- auth-zone=lab.fablab-nea.de,192.168.94.0/24
- auth-server=lab.fablab-nea.de,78.47.224.251
-
- no-hosts
- addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
+ settings = {
+ server = [
+ "142.250.185.78" # dns.as250.net
+ "2001:470:20::2" # ordns.he.net
+ "74.82.42.42" # ordns.he.net
+ ];
+ bind-dynamic = true;
+ listen-address = [
+ "192.168.93.1"
+ "192.168.94.1"
+ ];
+ interface = "lo";
+ expand-hosts = true;
+ domain = "lab.fablab-nea.de";
+ dhcp-range = [
+ "192.168.93.20,192.168.93.254,4h"
+ "192.168.94.20,192.168.94.254,4h"
+ ];
+ dhcp-boot = "lpxelinux.0,raven,192.168.94.1";
+ cache-size = 10000;
+ dns-forward-max = 1000;
+ auth-zone = "lab.fablab-nea.de,192.168.94.0/24";
+ auth-server = "lab.fablab-nea.de,78.47.224.251";
+ no-hosts = true;
+ addn-hosts = "${pkgs.writeText "hosts.dnsmasq" ''
 192.168.94.1 raven labsync unifi
 192.168.94.2 switch
 192.168.94.3 schneiderscheune-weinturm-ap
 192.168.94.4 schneiderscheune-weinturm-sta
- ''}
- '';
-
- servers = [
- "142.250.185.78" # dns.as250.net
- "2001:470:20::2" # ordns.he.net
- "74.82.42.42" # ordns.he.net
- ];
+ ''}";
+ };
 };
 systemd.services."dnsmasq-events" = {
diff --git a/modules/base.nix b/modules/base.nix
index b233273..2755c93 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -1,3 +1,3 @@
 {
- boot.cleanTmpDir = true;
+ boot.tmp.cleanOnBoot = true;
 }
diff --git a/modules/nix.nix b/modules/nix.nix
index 6a11112..e669255 100644
--- a/modules/nix.nix
+++ b/modules/nix.nix
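Review bot: The rewritten `settings` block gives the three `server` upstreams inline comments but leaves `auth-server = "lab.fablab-nea.de,78.47.224.251";` and `dhcp-boot = "lpxelinux.0,raven,192.168.94.1";` unexplained, and 78.47.224.251 lies outside the two subnets dnsmasq listens on (192.168.93.1 and 192.168.94.1), so a reader cannot tell from the file on which address authoritative answers for the zone are meant to be served or why. Suggest `# address on which dnsmasq answers authoritative queries for the lab zone (not a lab subnet)` above `auth-server` and `# PXE: boot file, boot server name, next-server address` above `dhcp-boot`. The `services.dnsmasq` set is fully inside the hunk; the file's `let` bindings, including `pkgs`, start outside it.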
@@ -34,11 +34,13 @@ in
 "nixpkgs-overlays=${overlaysCompat}"
 ];
- # sudoers are trusted nix users
- trustedUsers = [ "@wheel" ];
+ settings = {
+ # sudoers are trusted nix users
+ trusted-users = [ "@wheel" ];
- # On-the-fly optimisation of nix store
- autoOptimiseStore = true;
+ # On-the-fly optimisation of nix store
+ auto-optimise-store = true;
+ };
 # less noticeable nix builds
 daemonCPUSchedPolicy = "idle";
@@ -47,7 +49,7 @@ in
 };
 nixpkgs.overlays = with inputs; [
- self.overlay
+ self.overlays.default
 (final: prev: {
 unstable = import nixpkgs-unstable {
From fbca9cf7e0e11a3e1dc43d57ef3bb3bcfba99436 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Thu, 13 Jul 2023 23:32:18 +0000 Subject: [PATCH 23/59] Update state version
---
 machines/raven/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix
index e72facb..c4ed459 100644
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@@ -90,5 +90,5 @@
 "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ];
 };
- system.stateVersion = "21.05";
+ system.stateVersion = "23.05";
 }
From 700b505de49cc159db3b80ef8fe077b567832b43 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Fri, 14 Jul 2023 12:18:27 +0000 Subject: [PATCH 24/59] Add Wekan
---
 machines/raven/services/default.nix | 1 + machines/raven/services/wekan.nix | 95 +++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 machines/raven/services/wekan.nix
diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index 0a789d0..a26ab2d 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -7,5 +7,6 @@
 ./freeradius.nix
 ./labsync
 ./unifi-controller.nix
+ ./wekan.nix
 ];
 }
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
new file mode 100644
index 0000000..d137f2e
--- /dev/null
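Review bot: The comment carried over onto the new `trusted-users = [ "@wheel" ];` line, `# sudoers are trusted nix users`, says who is in the list but not what the list grants: the Nix manual describes trusted users as able to pass restricted daemon options (extra substituters and similar) and treats membership as essentially root-equivalent, so the comment should state why the wheel group is an acceptable bound here. Suggest replacing it with `# @wheel members are Nix trusted-users: they may override daemon settings such as substituters, which the Nix manual treats as root-equivalent — keep this group small`. The enclosing attribute set (presumably `nix = { … }`) starts before the hunk.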
+++ b/machines/raven/services/wekan.nix 
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+let
+ databaseName = "wekandb";
+ port = 8001;
+ domain = "wekan.fablab-nea.de";
+ url = "https://${domain}";
+
+ directories = {
+ db = "/var/lib/wekan/db";
+ dbDump = "/var/lib/wekan/db-dump";
+ data = "/var/lib/wekan/data";
+ };
+in
+{
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers = {
+ wekan = {
+ autoStart = true;
+ image = "ghcr.io/wekan/wekan:latest";
+ environment = {
+ WRITABLE_PATH = "/data";
+ MONGO_URL = "mongodb://${databaseName}:27017/wekan";
+ ROOT_URL = url;
+ #WITH_API = "true";
+ RICHER_CARD_COMMENT_EDITOR = "false";
+ CARD_OPENED_WEBHOOK_ENABLED = "false";
+ BIGEVENTS_PATTERN = "NONE";
+ BROWSER_POLICY_ENABLED = "true";
+ };
+ ports = [
+ "127.0.0.1:${toString port}:8080"
+ ];
+ dependsOn = [ databaseName ];
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "${directories.data}:/data:rw"
+ ];
+ extraOptions = [ "--network=wekan-tier" ];
+ };
+ "${databaseName}" = {
+ autoStart = true;
+ image = "mongo:6";
+ cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ #"/etc/timezone:/etc/timezone:ro"
+ "${directories.db}:/data/db"
+ "${directories.dbDump}:/dump"
+ ];
+ extraOptions = [ "--network=wekan-tier" ];
+ };
+ };
+ };
+
+ # Create the wekan-tier netowrk
+ systemd.services.init-filerun-network-and-files = {
+ description = "Create the network bridge wekan-tier for WeKan.";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+ script =
+ let podmancli = "${pkgs.podman}/bin/podman";
+ in ''
+ check=$(${podmancli} network ls | grep "wekan-tier" || true)
+ if [ -z "$check" ]; then
+ ${podmancli} network create wekan-tier
+ else
+ echo "wekan-tier already exists"
+ fi
+ '';
+ };
+
+ system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
+ mkdir -p "${directories.db}"
+ mkdir -p "${directories.dbDump}"
+ mkdir -p 
"${directories.data}"
+ chown 999:999 "${directories.data}"
+ '';
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ };
+ };
+}
From a023ff01f0572f07774c725cd43611510aafc191 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Fri, 14 Jul 2023 13:36:38 +0000 Subject: [PATCH 25/59] Add variable `serviceName`
---
 machines/raven/services/wekan.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
index d137f2e..ed93b14 100644
--- a/machines/raven/services/wekan.nix
+++ b/machines/raven/services/wekan.nix
@@ -1,5 +1,6 @@
 { config, lib, pkgs, ... }:
 let
+ serviceName = "wekan";
 databaseName = "wekandb";
 port = 8001;
 domain = "wekan.fablab-nea.de";
@@ -15,7 +16,7 @@ in
 virtualisation.oci-containers = {
 backend = "podman";
 containers = {
- wekan = {
+ "${serviceName}" = {
 autoStart = true;
 image = "ghcr.io/wekan/wekan:latest";
 environment = {
From 768d7ac559198cd55610cb59e992b0d2f6dcf872 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Fri, 14 Jul 2023 13:37:16 +0000 Subject: [PATCH 26/59] Add variable `networkName`
---
 machines/raven/services/wekan.nix | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
index ed93b14..774b31a 100644
--- a/machines/raven/services/wekan.nix
+++ b/machines/raven/services/wekan.nix
@@ -2,6 +2,7 @@
 let
 serviceName = "wekan";
 databaseName = "wekandb";
+ networkName = "wekan-tier";
 port = 8001;
 domain = "wekan.fablab-nea.de";
 url = "https://${domain}";
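Review bot: Both containers in the new file are pulled by floating tag — `image = "ghcr.io/wekan/wekan:latest";` and `image = "mongo:6";` — so the software that actually runs is whatever the registries serve at pull time and cannot be reproduced or audited from this repository; pin each to a specific version tag or an `@sha256:` digest and bump it in a reviewable commit. This matters more once the `--pull=newer` options added in PATCH 27 and the nightly `wekan-restart` timer of PATCH 28 turn every restart into an unattended upgrade. Separately, `chown 999:999 "${directories.data}"` in the activation script hard-codes a UID with no explanation while the db directory created two lines above is left as root; add `# 999 is presumably the uid the wekan image runs as — confirm against the image` so the next reader knows where the number comes from. The hunk is the complete new file.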
@@ -37,7 +38,9 @@ in
 "/etc/localtime:/etc/localtime:ro"
 "${directories.data}:/data:rw"
 ];
- extraOptions = [ "--network=wekan-tier" ];
+ extraOptions = [
+ "--network=${networkName}"
+ ];
 };
 "${databaseName}" = {
 autoStart = true;
@@ -49,14 +52,16 @@ in
 "${directories.db}:/data/db"
 "${directories.dbDump}:/dump"
 ];
- extraOptions = [ "--network=wekan-tier" ];
+ extraOptions = [
+ "--network=${networkName}"
+ ];
 };
 };
 };
- # Create the wekan-tier netowrk
+ # Create the netowrk
 systemd.services.init-filerun-network-and-files = {
- description = "Create the network bridge wekan-tier for WeKan.";
+ description = "Create the network bridge ${networkName} for WeKan.";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
@@ -64,11 +69,10 @@ in
 script =
 let podmancli = "${pkgs.podman}/bin/podman";
 in ''
- check=$(${podmancli} network ls | grep "wekan-tier" || true)
- if [ -z "$check" ]; then
- ${podmancli} network create wekan-tier
+ if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then
+ ${podmancli} network create "${networkName}"
 else
- echo "wekan-tier already exists"
+ echo "network already exists"
 fi
 '';
 };
From 5425a5fac6f58c186c462f4c33f824343b3c4efb Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Fri, 14 Jul 2023 13:37:45 +0000 Subject: [PATCH 27/59] Add pull policy
---
 machines/raven/services/wekan.nix | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
index 774b31a..e45db44 100644
--- a/machines/raven/services/wekan.nix
+++ b/machines/raven/services/wekan.nix
@@ -40,6 +40,7 @@ in
 ];
 extraOptions = [
 "--network=${networkName}"
+ "--pull=newer"
 ];
 };
 "${databaseName}" = {
@@ -54,6 +55,7 @@ in
 ];
 extraOptions = [
 "--network=${networkName}"
+ "--pull=newer"
 ];
 };
 };
From 27ebfe4faeab0778c415680bdfc5f32dfecac17f Mon Sep 17 00:00:00 2001
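Review bot: The comment rewritten in the second hunk still reads `# Create the netowrk`, and the unit it sits on keeps the name `systemd.services.init-filerun-network-and-files`, which names a different application than the network it creates, so journal entries and `systemctl` output will point at "filerun" when this unit fails; suggest `# Create the podman network shared by the wekan containers` and renaming the unit to `systemd.services.init-wekan-network = {` (nothing visible references the old name, but check the rest of the repository). The `grep -qFx --` rewrite in the third hunk is the right replacement for the earlier substring match. The `let`/`in` around `script` and the enclosing `systemd.services` set start outside the hunk.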
From: Jakob Lechner Date: Fri, 14 Jul 2023 13:39:14 +0000 Subject: [PATCH 28/59] Add restart timer to update container image
---
 machines/raven/services/wekan.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+)
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
index e45db44..3b9716d 100644
--- a/machines/raven/services/wekan.nix
+++ b/machines/raven/services/wekan.nix
@@ -79,6 +79,27 @@ in
 '';
 };
+ systemd.services.wekan-restart = {
+ description = "Restart Wekan services.";
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ script = ''
+ ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service"
+ '';
+ };
+
+ systemd.timers.wekan-restart = {
+ description = "Restart wekan containers";
+ after = [ "network.target" ];
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ Persistent = true;
+ OnCalendar = "*-*-* 04:00:00";
+ Unit = "wekan-restart.service";
+ };
+ };
+
 system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
 mkdir -p "${directories.db}"
 mkdir -p "${directories.dbDump}"
From f960367e32121d64006ff0813e7a50e1cfa2c069 Mon Sep 17 00:00:00 2001
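Review bot: Nothing in the new `wekan-restart` service says why both containers are restarted every night; the intent lives only in the commit title, and the description `"Restart Wekan services."` would fit a crash-recovery unit just as well. Suggest a comment above `systemd.services.wekan-restart = {`: `# The podman-* units run with --pull=newer, so restarting them is what pulls a newer image; this timer is the unattended update path for wekan and its database and is a planned daily outage for both.` The `after = [ "network.target" ]` on the timer orders the timer unit's activation, not the restart it triggers; if network ordering is wanted for the pull it belongs on `systemd.services.wekan-restart`. The enclosing module set starts outside the hunk.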
From: Jakob Lechner Date: Thu, 20 Jul 2023 16:36:44 +0000 Subject: [PATCH 29/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/c8d18ba345730019c3faf412c96a045ade171895' (2023-07-05) → 'github:cachix/pre-commit-hooks.nix/eb433bff05b285258be76513add6f6c57b441775' (2023-07-18) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c' (2023-07-11) → 'github:nixos/nixos-hardware/d4ea64f2063820120c05f6ba93ee02e6d4671d6b' (2023-07-14) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/fcc147b1e9358a8386b2c4368bd928e1f63a7df2' (2023-07-13) → 'github:nixos/nixpkgs/08700de174bc6235043cb4263b643b721d936bdb' (2023-07-18) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/2de8efefb6ce7f5e4e75bdf57376a96555986841' (2023-07-12) → 'github:nixos/nixpkgs/684c17c429c42515bafb3ad775d2a710947f3d67' (2023-07-18) • Updated input 'sops-nix': 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) → 'github:Mic92/sops-nix/bd695cc4d0a5e1bead703cc1bec5fa3094820a81' (2023-07-16) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/510d721ce097150ae3b80f84b04b13b039186571' (2023-07-09) → 'github:NixOS/nixpkgs/13231eccfa1da771afa5c0807fdd73e05a1ec4e6' (2023-07-16) --- flake.lock | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/flake.lock b/flake.lock index 363f917..ce1396d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -91,11 +91,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1688596063, - "narHash": "sha256-9t7RxBiKWHygsqXtiNATTJt4lim/oSYZV3RG8OjDDng=", + "lastModified": 1689668210, + "narHash": "sha256-XAATwDkaUxH958yXLs1lcEOmU6pSEIkatY3qjqk8X0E=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c8d18ba345730019c3faf412c96a045ade171895", + "rev": "eb433bff05b285258be76513add6f6c57b441775", "type": "github" }, "original": { @@ -107,11 +107,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1689060619, + "lastModified": 1689320556, "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c", + "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b", "type": "github" }, "original": { @@ -123,11 +123,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689209875, - "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=", + "lastModified": 1689680872, + "narHash": "sha256-brNix2+ihJSzCiKwLafbyejrHJZUP0Fy6z5+xMOC27M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2", + "rev": "08700de174bc6235043cb4263b643b721d936bdb", "type": "github" }, "original": { @@ -171,11 +171,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1688868408, - "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", + "lastModified": 1689473667, + "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "510d721ce097150ae3b80f84b04b13b039186571", + "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", "type": "github" }, "original": { 
@@ -187,11 +187,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1689192006,
- "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
+ "lastModified": 1689679375,
+ "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
+ "rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
 "type": "github"
 },
 "original": {
@@ -248,11 +248,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1689149796,
- "narHash": "sha256-3FCUdayBHcxk6BZOxEIfa5UxbXNQzTc/VlN7ociI2Dw=",
+ "lastModified": 1689534977,
+ "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "88b964df6981e4844c07be8c192aa6bdca768a10",
+ "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
 "type": "github"
 },
 "original": {
From b58558db652b65c74fb0d33d0d999f5c6d5c840f Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Thu, 20 Jul 2023 19:49:02 +0000 Subject: [PATCH 30/59] Replace hard-coded path to freeradius
---
 pkgs/fablab/freeradius-anon-access/default.nix | 6 +++++- pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf | 6 +++--- 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/pkgs/fablab/freeradius-anon-access/default.nix b/pkgs/fablab/freeradius-anon-access/default.nix
index c9e98bd..7b56597 100644
--- a/pkgs/fablab/freeradius-anon-access/default.nix
+++ b/pkgs/fablab/freeradius-anon-access/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenvNoCC, ... }:
+{ lib, freeradius, stdenvNoCC, ... }:
 stdenvNoCC.mkDerivation {
 name = "freeradius-anon-access";
@@ -7,7 +7,11 @@ stdenvNoCC.mkDerivation {
 installPhase = ''
 mkdir $out
 cp -r raddb $out
+ sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf
 '';
+ nativeBuildInputs = [
+ freeradius
+ ];
 meta = with lib; {
 platforms = platforms.unix;
 };
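Review bot: The new `sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf` in the last hunk fails silently if the placeholder is ever renamed or the file moves, and the package would then ship a `radiusd.conf` whose `prefix` is the literal string `@PREFIX@`; add a check after it, e.g. `if grep -q '@PREFIX@' $out/raddb/radiusd.conf; then echo "unsubstituted @PREFIX@ in radiusd.conf" >&2; exit 1; fi`. The `nativeBuildInputs = [ freeradius ]` addition looks unnecessary for this purpose: the `${freeradius}` interpolation inside `installPhase` already records the store path as a reference, and nothing in the phase runs a freeradius tool. The substitution also relies on `#` never appearing in the store path, which holds for Nix store paths. The `stdenvNoCC.mkDerivation { … }` call starts outside the hunk.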
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf b/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf
index 9168b1e..965a495 100644
--- a/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf
+++ b/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf
@@ -80,11 +80,11 @@
 ######################################################################
-prefix = /nix/store/pciav5yyf7h5jyv4qqdi8k4yss5yxkxp-freeradius-3.0.25
+prefix = @PREFIX@
 exec_prefix = ${prefix}
 sysconfdir = /etc
 localstatedir = /var
-sbindir = /nix/store/pciav5yyf7h5jyv4qqdi8k4yss5yxkxp-freeradius-3.0.25/sbin
+sbindir = ${prefix}/sbin
 logdir = ${localstatedir}/log/radius
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct
@@ -135,7 +135,7 @@ db_dir = ${raddbdir}
 # make
 # make install
 #
-libdir = /nix/store/pciav5yyf7h5jyv4qqdi8k4yss5yxkxp-freeradius-3.0.25/lib
+libdir = ${prefix}/lib
 # pidfile: Where to place the PID of the RADIUS server.
 #
From 32b8480264536ab2b1e625af4f9f292bb4572c34 Mon Sep 17 00:00:00 2001
From: Jakob Lechner Date: Thu, 27 Jul 2023 21:08:03 +0000 Subject: [PATCH 31/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/eb433bff05b285258be76513add6f6c57b441775' (2023-07-18) → 'github:cachix/pre-commit-hooks.nix/9289996dcac62fd45836db7c07b87d2521eb526d' (2023-07-27) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/d4ea64f2063820120c05f6ba93ee02e6d4671d6b' (2023-07-14) → 'github:nixos/nixos-hardware/ba9650b14e83b365fb9e731f7d7c803f22d2aecf' (2023-07-24) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/08700de174bc6235043cb4263b643b721d936bdb' (2023-07-18) → 'github:nixos/nixpkgs/f3fbbc36b4e179a5985b9ab12624e9dfe7989341' (2023-07-26) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/684c17c429c42515bafb3ad775d2a710947f3d67' (2023-07-18) → 'github:nixos/nixpkgs/ef99fa5c5ed624460217c31ac4271cfb5cb2502c' (2023-07-25) • Updated input 'sops-nix': 'github:Mic92/sops-nix/bd695cc4d0a5e1bead703cc1bec5fa3094820a81' (2023-07-16) → 'github:Mic92/sops-nix/c36df4fe4bf4bb87759b1891cab21e7a05219500' (2023-07-24) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/13231eccfa1da771afa5c0807fdd73e05a1ec4e6' (2023-07-16) → 'github:NixOS/nixpkgs/ce45b591975d070044ca24e3003c830d26fea1c8' (2023-07-22) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index ce1396d..a69e897 100644 --- a/flake.lock +++ b/flake.lock 
@@ -91,11 +91,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1689668210, - "narHash": "sha256-XAATwDkaUxH958yXLs1lcEOmU6pSEIkatY3qjqk8X0E=", + "lastModified": 1690464206, + "narHash": "sha256-38V4kmOh6ikpfGiAS+Kt2H/TA2DubSqE66veP/jmB4Q=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "eb433bff05b285258be76513add6f6c57b441775", + "rev": "9289996dcac62fd45836db7c07b87d2521eb526d", "type": "github" }, "original": { @@ -107,11 +107,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1689320556, - "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", + "lastModified": 1690200740, + "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b", + "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf", "type": "github" }, "original": { @@ -123,11 +123,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1689680872, - "narHash": "sha256-brNix2+ihJSzCiKwLafbyejrHJZUP0Fy6z5+xMOC27M=", + "lastModified": 1690370995, + "narHash": "sha256-9z//23jGegLJrf3ITStLwVf715O39dq5u48Kr/XW14U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "08700de174bc6235043cb4263b643b721d936bdb", + "rev": "f3fbbc36b4e179a5985b9ab12624e9dfe7989341", "type": "github" }, "original": { @@ -171,11 +171,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1689473667, - "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", + "lastModified": 1690066826, + "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", + "rev": "ce45b591975d070044ca24e3003c830d26fea1c8", "type": "github" }, "original": { 
@@ -187,11 +187,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1689679375, - "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", + "lastModified": 1690272529, + "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", + "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c", "type": "github" }, "original": { @@ -248,11 +248,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1689534977, - "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", + "lastModified": 1690199016, + "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", + "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500", "type": "github" }, "original": { From bab350fae335a1c7d011d90ee1c660bd43f031ad Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 28 Jul 2023 04:15:36 +0000 Subject: [PATCH 32/59] Fix asterisk not loading res_geolocation See https://github.com/NixOS/nixpkgs/issues/208165 --- machines/raven/services/asterisk.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix index 4c084e1..893011e 100644 --- a/machines/raven/services/asterisk.nix +++ b/machines/raven/services/asterisk.nix @@ -1,5 +1,6 @@ { config, lib, ... }: let + cfg = config.services.asterisk; secretConfigFiles = [ "ari" "pjsip" @@ -117,6 +118,12 @@ in useTheseDefaultConfFiles = [ ]; }; + system.activationScripts.copyAsteriskFiles = lib.stringAfter [ "var" ] '' + rm -f /var/lib/asterisk/documentation/core-en_US.xml + mkdir -p /var/lib/asterisk/documentation + ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml + ''; + sops.secrets = (lib.listToAttrs (map (name: lib.nameValuePair "asterisk-${name}" { sopsFile = ../secrets.yaml; 
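Review bot: The activation script is three commands where one idempotent `ln -sfn ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml` after the `mkdir -p` would do, and nothing in the hunk says why it exists — add a comment naming the nixpkgs issue from the commit message so the workaround can be dropped once the package is fixed. It also runs as root on every `nixos-rebuild switch` against a tree that is presumably owned by the asterisk service user (not visible here); if so, a service-controlled `documentation` symlink would redirect the `rm -f`/`ln -s`, so a declarative `systemd.tmpfiles.rules` `L+` entry for the link is the safer and more idiomatic form. The `services.asterisk` attribute set this is appended to starts outside the hunk.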
From f66d88b45e6bedd2b6b6408967f4603530bd1bf1 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 28 Jul 2023 04:17:36 +0000 Subject: [PATCH 33/59] Add tags --- machines/raven/services/dnsmasq.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index 35faad7..2db2a95 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -35,8 +35,8 @@ in
 expand-hosts = true;
 domain = "lab.fablab-nea.de";
 dhcp-range = [
- "192.168.93.20,192.168.93.254,4h"
- "192.168.94.20,192.168.94.254,4h"
+ "set:voice,192.168.93.20,192.168.93.254,4h"
+ "set:lab,192.168.94.20,192.168.94.254,4h"
 ];
 dhcp-boot = "lpxelinux.0,raven,192.168.94.1";
 cache-size = 10000;
From 1c498bd3b91417f17069d8d660cf10ad25738408 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 28 Jul 2023 04:21:36 +0000 Subject: [PATCH 34/59] Add weinturm hosts --- machines/raven/services/dnsmasq.nix | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index 2db2a95..83cf1bf 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -49,6 +49,11 @@ in
 192.168.94.2 switch
 192.168.94.3 schneiderscheune-weinturm-ap
 192.168.94.4 schneiderscheune-weinturm-sta
+ 192.168.94.5 wechselbruecke-router
+ 192.168.94.6 wechselbruecke-ap
+ 192.168.94.7 helferbereich-sta
+ 192.168.94.8 helferbereich-switch
+ 192.168.94.9 kleinturmbuehne-router
 ''}";
 };
 };
From 79231df64d779dfcf1b916d35041eb7bbcf0d387 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 28 Jul 2023 04:22:08 +0000 Subject: [PATCH 35/59] Add SIP-DECT --- machines/raven/services/dnsmasq.nix | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index 83cf1bf..8960eb2 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -38,6 +38,17 @@ in
 "set:voice,192.168.93.20,192.168.93.254,4h"
 "set:lab,192.168.94.20,192.168.94.254,4h"
 ];
+ dhcp-host = [
+ "00:30:42:1b:23:ed,192.168.93.21,rfp-01"
+ "00:30:42:1b:21:c1,192.168.93.22,rfp-02"
+ "00:30:42:1b:26:f6,192.168.93.23,rfp-03"
+ "00:30:42:1b:22:3b,192.168.93.24,rfp-04"
+ "00:30:42:1b:22:7c,192.168.93.25,rfp-05"
+ ];
+ dhcp-option = [
+ "vendor:OpenMobility,10,192.168.93.21"
+ "vendor:OpenMobility,224,OpenMobilitySIP-DECT"
+ ];
 dhcp-boot = "lpxelinux.0,raven,192.168.94.1";
 cache-size = 10000;
 dns-forward-max = 1000;
From 9a6059247476ff47253213d1792e3b29a27be511 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 28 Jul 2023 17:04:01 +0000 Subject: [PATCH 36/59] Remove eventphone registration --- machines/raven/secrets.yaml | 6 +++--- machines/raven/services/asterisk.nix | 17 ----------------- 2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 519a4b6..8d09eaf 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
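Review bot: The two `dhcp-option` entries match only on the OpenMobility vendor class, not on the network they are meant for, so a client on the `lab` range that presents that vendor class is also told that 192.168.93.21 is its OMM — scope them with the tag the previous change introduced: `"tag:voice,vendor:OpenMobility,10,192.168.93.21"` and `"tag:voice,vendor:OpenMobility,224,OpenMobilitySIP-DECT"`. The five `dhcp-host` reservations (.21–.25) sit inside the dynamic `set:voice` pool that starts at .20; dnsmasq is documented not to lease a reserved address to another client, but starting the pool above the reservations makes the layout explicit and survives a later edit that drops a reservation. A comment such as `# rfp-01 (192.168.93.21) runs the OMM; option 10 points the other RFPs at it` would explain the otherwise magic address. The enclosing `settings` attribute set starts outside the hunk.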
@@ -1,5 +1,5 @@ dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str] -asterisk-pjsip: ENC[AES256_GCM,data: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,iv:BhKtyXJH8m6MVMQIwnc7r9KaKvchyzm4oGNyJEE3IO4=,tag:fOmAonndQ9F+RscI0eg85A==,type:str] +asterisk-pjsip: ENC[AES256_GCM,data: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,iv:xh7XXUyLD68UDBBG5aKI/HWxjMZ0Tr4sLkIeQ8vQIso=,tag:FyLg1FhxUGjcNGD2sq4Oeg==,type:str] asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str] asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] sops: @@ -8,8 +8,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-11-04T23:00:58Z" - mac: ENC[AES256_GCM,data:UIKMlFAq+KbWIxbnEizyNH06Nc9dcv3HFi/Etde4lqd1JjsKLpGyxxtHMnmH37xAnRqZYiZAu0UUS3LiifDo3SCASRDpqI6EFQ/kzecQJY+KMLDfEuNYAIWK5H7lYnxvoIYVOD7FYxJhDEih/o02HMSIsU7Vb6IokExKoFbYmRY=,iv:Iulu4XDJMQlg71HD2aZ/uISUoPpREqjkS1kS24xFKfM=,tag:MzV69QfBep/b8OPgEBKRBw==,type:str] + lastmodified: "2023-07-28T17:03:56Z" + mac: ENC[AES256_GCM,data:wX/iD3q4fRva4zeXowsx3/EscaQbaYpktX5KWhMWOnEeHIUCxRsOC954vsVRD05Hedkh5XrkNXbslQ9xgTHC3fwlFdrIIc90bSbn+1ny8NH9CmTDxMg65JGldLzIjd9QPlBVtmHXSTHsB/E2cstuto8dZ8IW7HYaPYS/yq4Lczo=,iv:XQN/SmZpCoea1yXTuMfjHxdacm8J89Uoo6pQPNhcQRQ=,tag:IAPrc6Ud/VkP0mCmMNPhpw==,type:str] pgp: - created_at: "2022-01-04T00:46:57Z" enc: | diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix index 893011e..0bd1a99 100644 --- a/machines/raven/services/asterisk.nix +++ b/machines/raven/services/asterisk.nix 
@@ -22,11 +22,6 @@ in
 same = n,VoiceMail(7929876@fablab,su)
 same => n,Hangup()
- [eventphone-in]
- exten => _5257,1,Noop(Processing an incoming call)
- same => n,Dial(PJSIP/101,60,tT)
- same => n,Hangup()
-
 exten => _3529,1,Noop(Processing an incoming call)
 same => n,Dial(PJSIP/100,60,tT)
 same => n,Hangup()
@@ -49,11 +44,6 @@ in
 exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
 same = n,Hangup()
- ; eventphone
- exten => _XXXX,1,Noop(Processing an outgoing eventphone call)
- same = n,Set(destination=''${EXTEN})
- same = n,Goto(eventphone-out,''${CALLERID(num)},1)
-
 ; weinturm
 exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
 same = n,Hangup()
@@ -63,13 +53,6 @@ in
 same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT)
 same => n,Hangup()
- [eventphone-out]
- exten => 100,1,Dial(PJSIP/''${destination}@eventphone_lab,30,tT)
- same = n,Hangup()
-
- exten => 101,1,Dial(PJSIP/''${destination}@eventphone_jalr,30,tT)
- same = n,Hangup()
-
 [cisco]
 exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
 same = n,Hangup()
From 20b3f1ef42d2bffc79ac9c79c2599dd61f4baef6 Mon Sep 17 00:00:00 2001
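Review bot: Removing the `[eventphone-in]` header while keeping `exten => _3529,1,Noop(Processing an incoming call)` and its `Dial(PJSIP/100,60,tT)` moves that extension into whichever dialplan context precedes it (that context's header is outside the hunk), so 3529 is now dialable from wherever that context is attached rather than only from the deleted eventphone trunk. If 3529 was an eventphone DID it should be deleted with the rest; if it is still wanted, keep it under an explicitly named context. Asterisk does not warn about this, so a comment above the surviving line stating which context it now belongs to would prevent the next reader from having the same doubt.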
From: Jakob Lechner Date: Thu, 3 Aug 2023 17:44:17 +0000 Subject: [PATCH 37/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/9289996dcac62fd45836db7c07b87d2521eb526d' (2023-07-27) → 'github:cachix/pre-commit-hooks.nix/52bf404674068e7f1ad8ee08bb95648be5a4fb19' (2023-08-03) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/ba9650b14e83b365fb9e731f7d7c803f22d2aecf' (2023-07-24) → 'github:nixos/nixos-hardware/24f9162b26f0debd163f6d94752aa2acb9db395a' (2023-08-02) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/f3fbbc36b4e179a5985b9ab12624e9dfe7989341' (2023-07-26) → 'github:nixos/nixpkgs/bd836ac5e5a7358dea73cb74a013ca32864ccb86' (2023-08-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/ef99fa5c5ed624460217c31ac4271cfb5cb2502c' (2023-07-25) → 'github:nixos/nixpkgs/66aedfd010204949cb225cf749be08cb13ce1813' (2023-08-02) • Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/b095898a01dd3bf434488a18f887e718e2f5e528' (2023-03-06) → 'github:sbruder/nixpkgs-overlay/fcd0dc1d7532403fead90e7aad4595133cc994e7' (2023-06-17) • Added input 'sbruder-overlay/poetry2nix': 'github:nix-community/poetry2nix/e2d2c7a31485aeb801fa85da2d0fa103dd5112ef' (2023-04-22) • Added input 'sbruder-overlay/poetry2nix/flake-utils': follows 'sbruder-overlay/flake-utils' • Added input 'sbruder-overlay/poetry2nix/nixpkgs': follows 'sbruder-overlay/nixpkgs' --- flake.lock | 58 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index a69e897..3f01190 100644 --- a/flake.lock +++ b/flake.lock 
@@ -91,11 +91,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1690464206, - "narHash": "sha256-38V4kmOh6ikpfGiAS+Kt2H/TA2DubSqE66veP/jmB4Q=", + "lastModified": 1691073619, + "narHash": "sha256-18/EyL9QuzwaA1iJZm0Qp6Lk7sh4YftfWIa2Is3UOSE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "9289996dcac62fd45836db7c07b87d2521eb526d", + "rev": "52bf404674068e7f1ad8ee08bb95648be5a4fb19", "type": "github" }, "original": { @@ -107,11 +107,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1690200740, - "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=", + "lastModified": 1690957133, + "narHash": "sha256-0Y4CiOIszhHDDXHFmvHUpmhUotKOIn0m3jpMlm6zUTE=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf", + "rev": "24f9162b26f0debd163f6d94752aa2acb9db395a", "type": "github" }, "original": { @@ -123,11 +123,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690370995, - "narHash": "sha256-9z//23jGegLJrf3ITStLwVf715O39dq5u48Kr/XW14U=", + "lastModified": 1690927903, + "narHash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f3fbbc36b4e179a5985b9ab12624e9dfe7989341", + "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", "type": "github" }, "original": { @@ -187,11 +187,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690272529, - "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=", + "lastModified": 1691006197, + "narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c", + "rev": "66aedfd010204949cb225cf749be08cb13ce1813", "type": "github" }, "original": { 
@@ -201,6 +201,31 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "sbruder-overlay", + "flake-utils" + ], + "nixpkgs": [ + "sbruder-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682132397, + "narHash": "sha256-NbIdSrx3Y1NioEEvoaOTETNTpq6m6bfoxmEt/C8GLAQ=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "e2d2c7a31485aeb801fa85da2d0fa103dd5112ef", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "root": { "inputs": { "flake-utils": "flake-utils", @@ -224,14 +249,15 @@ ], "nixpkgs": [ "nixpkgs" - ] + ], + "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1678136274, - "narHash": "sha256-wwYU5H2lkpY7SeK+7bFSEUmSULhxT81d0WZFqbiZ42w=", + "lastModified": 1686992369, + "narHash": "sha256-ElxqG+mvB3ZqNvpugZsvCcsd9Vq6JmlzF96i5Qya8OE=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "b095898a01dd3bf434488a18f887e718e2f5e528", + "rev": "fcd0dc1d7532403fead90e7aad4595133cc994e7", "type": "github" }, "original": { From a69ff294703079c6327d3f4926b9e83169862524 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 4 Aug 2023 10:06:44 +0000 Subject: [PATCH 38/59] Add grafana --- machines/raven/services/default.nix | 1 + machines/raven/services/grafana.nix | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 machines/raven/services/grafana.nix diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix index a26ab2d..f368970 100644 --- a/machines/raven/services/default.nix +++ b/machines/raven/services/default.nix @@ -5,6 +5,7 @@ ./dnsmasq.nix ./dyndns.nix ./freeradius.nix + ./grafana.nix ./labsync ./unifi-controller.nix ./wekan.nix diff --git a/machines/raven/services/grafana.nix b/machines/raven/services/grafana.nix new file mode 100644 index 0000000..29558c2 --- /dev/null +++ b/machines/raven/services/grafana.nix 
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+let
+ domain = "grafana.fablab-nea.de";
+ srv = config.services.grafana.settings.server;
+in
+{
+ services.grafana = {
+ enable = true;
+ settings.server.domain = domain;
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
+ recommendedProxySettings = true;
+ };
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+ '';
+ };
+}
From bae054fc556b2a00f02690e17ea461a17a182c82 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 4 Aug 2023 10:54:44 +0000 Subject: [PATCH 39/59] Remove targetHost setting --- machines/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/machines/default.nix b/machines/default.nix
index cbb7920..8ceaf73 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -4,7 +4,7 @@ let
 in
 {
 raven = {
- targetHost = "192.168.94.1";
+ #targetHost = "192.168.94.1";
 system = "x86_64-linux";
 extraModules = [
 hardware.common-cpu-intel
From 53fec820decea3b446a178734988472d9b3263f7 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 4 Aug 2023 11:00:08 +0000 Subject: [PATCH 40/59] Add Prometheus --- machines/raven/secrets.yaml | 6 +- machines/raven/services/asterisk.nix | 4 + machines/raven/services/default.nix | 1 + machines/raven/services/prometheus.nix | 144 +++++++++++++++++++ machines/raven/services/unifi-controller.nix | 23 ++- 5 files changed, 175 insertions(+), 3 deletions(-) create mode 100644 machines/raven/services/prometheus.nix
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 8d09eaf..223320d 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
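Review bot: `add_header X-XSS-Protection "1; mode=block"` re-enables a browser filter that current engines have removed and that was itself a cross-site-leak vector in older ones; use `add_header X-XSS-Protection "0" always;` or drop the line, and bear in mind that nginx `add_header` directives set at server level are inherited by a `location` only while that location declares none of its own — true for `locations."/"` today, silently false the day a header is added there. Grafana is enabled with defaults, so unless an admin password is set elsewhere in this tree the initial `admin`/`admin` login is live behind a public ACME hostname; set `settings.security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}"` from the same sops file the other services use. The `preload` token in the HSTS value is inert unless the host is submitted to the browser preload list, a step that is effectively irreversible; omit it unless that is intended. `lib` and `pkgs` in the module arguments are unused.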
@@ -2,14 +2,16 @@ dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1 asterisk-pjsip: ENC[AES256_GCM,data:8nBg6SfWDOhuF4x5T0fz67jxXkIhzfX/FVbL98huIs9rdalGuKIOGeIBBYPzzH5cbLkfvG7ZW5p2r/I/jRoAKAu0airMJzZ2aHIFMjLUgzB+Rl5EbVF1kP8J8mwDVBMw1BFXELDNwnd+EniwWw1TwJcqWvZ3EhG00HIogzurn98l/FFMkNxWCXJ6msWBe6BHlGNpq/jPmyTVc2mlPXQ6uhqK4MWGe97tH3d+d7m7raXNjaTDruZLwKmNkONtVg5udzd1f2OP5GdoM9Tn+UHFkndqn0X6Dk3lH0dAoObRk9hDp57TnGZPrXNXktWroFk1QfsyobiB/Rj8uBRYa4BXHa/6OeQm1o/vRQhTY4e86N5fOdhwFHy/EQtp0sHa6kgiKHd8Koo/HOwAa69R44tKXvmJ/++cuBsfr71oLq+nrXIKcVv4ShmXV0kHNyaeSjCsWRcA57/FjS+uoaK/gKIGvX32TULAYGYHtIFhq43pL43PrS2j8qoDBrZQfkBXwUOW5iQr9c/aHloX7t/gDpFEi5XK7lFQsx/buamH9eWFkqhiDyu5EntSXXJb6UAbYmLREAyD/n3evyp6PTZak+TvhzLpXmol4L/IYOLqvbj8BS3ZfctqwPYtax3J0aglMsvbjCGWpiHywNt90SdPsMJi7s2KbQGbUmpOGWzq7TLByrT5MxXD//pmBXbSROxiKHTPyXpeg4SQuj0boDCIxcGG55rc5ouFMqJOJVdorIrgJ8Il1nTXHgzssuMP0/dFIYXj2gp9/XJ3S9N1acyNJCBhezeRS2PE0L3tCOHLY6IerQuW+1hmLEr8bMrzP6+70FvUb/FlfEfLwgq5AXPKE7l0cX9bn4pLAWkSreurpWE9xAIICJAkRNzcD2zMHaCiRnu4b5O+19ZnrfG1tVl0AQ6GckBFM5wcu0w6bA+YIaOngojUzPcMIynrXRdFEBB7rXiTi3JWN2nlJyTx9n+lXsgpgSf68mGcfEFdNp1hkFEUy65DEKiKQPK3aa0nVYPbAkfh/vcjkLO4X0gd0Ec+4XVda3ZyG2QzSYa2DQWmCYg3nwWg4eiKl4ppatp10soHfPSauRBLRrN5XmFtaH+Sp7Bwr565uVmyqYSgb+VTRY/25vK7VcT9rXpKX0PjOFOD9wFD2jQ4Ezs+tVieidZgvG2CjElxI8zmcsaZk93FUc4cw0lTy85cCo/IibTIlAd/uYrT+lxe47H51W2PtjovyZcH0XJW76BhJV6yMUron7qD9JTFGf3OagTgjoKh5InSsnxON52fy3GLUTvzO2vPg1c+iWg/mVYrPp1iCpK/G6LBh2k+Jj3OyQ8Z3GJZJ7khzI3E3MNOTvyXZJuXESMGTKmXWkHqvRrAvsW/CDBq3TmW0Jd0uMtFP+J4aL++BxAXKZLQ0g/RXwfOI/cQFQIPl3BePXl7VskxaFx5WWuKEbh9YMuF5FQ44vo386dvcDpfVNnRdFBOEltC7Ck6mJDUVPLAM3IhN+xQwobdWARR+baihGOUk9psP5boQrUvcBIx04RmXCLomHVD3Aw5jxh7N5TJ3BC2q6ZbkbpqwbH9UOg5PXrgXd8Eh6L+KhRjc6sl5itSsHK5iitWzfil8qcMpQPcLucZl+s1gISGlHaiE0MwkZj2fT9QZpw2+BmH1VU4tDpSotOue3H8MxK1j2mFnrEwi5sk5eHdBzBjyQ+SzmpbZTDk5eMlgfIKt8sErZ4ABI7iXQp3A8jusOYbZCQiBTPF/guhPOLuE3sWSBJLkpj4iHRrSVSAy/B1qy7fMlnVqqtXujXfy16pFG5IQKLUPGxyO5eotMuf5nkAigm5zn6q+eWpjDub9eBviXDjbemW4F7ncAdtiBzIW
rak/hhp0fxMpzuh9h844Vou1brjKC9Xg5cf+IKyESjS8txHRSQhmZgab6iDv3X8Q0l0lRiKxzAOxM/2L14r6Gy03lMwaE1nUKgZjrtflrukeWgWA4EwDE69CdA7vbsX3zJ9d7cr+IlmiuTprldmV6EirJJaBNNdRealehhopGzDODIucUNp1PT3LQ/AidxOui6p6iP1PQG+TuIUtpM8AzxP3DbE+kMf9PNnb2E3JT5NrJz0BBWhhxr1KGBjniozh9CtSRq/JpfWYVLd8PA0P3abA1mW0A7IWaobI00qtPt1pcx/MtV5QzsQ5CPRVu10lFcF9AmKT3ekPySISkjcBtoe1FxO6j6cOqe6nbdx/lg0dnNBFBETVa8gAQwhmOAnqCURYDvbfjHjX99k0jwesiqxm1QH4PRjtbicd/JMiosWsiFBJohFI/0JIscxd0iZ8LvNPALWLeKfcqXulzjNKy4sB9QIxN75dGKaDZv2qInBDm9p8hDaqT+tdXsptXw2SkLfbRiWnim/r+VHKq0uYV9KlolmE4dOm/dWQ/6Ri4XBIFr5Ld9udSQ275GHZ5EHlcoPGEjZeNR6e0VMskcPH7tJXDEs4p/EoEWepVVWeuRidauFkcskSn2QMR7Yd+NAl2XxFYMiniGL0UzkZ5johxgw4WqopQua3Yff76f0oigR9VVHf1ZJlIC8IND1vLNRwbhVpW79SCeaHwp8jui18x//bn69eHMYjxRPvimnxRirSmjdCgCFAalgVtxfUt7WO8p2/Kzlu6kwPQrSMltLycNhkvrGinQcKGPtEkNfzCG4MAvyb3UW5rph/nui7ybCT0AnRW9xFpVURGuuGUhuKFMDhzBbiaB3i1cMdG+DJniwUc4rSg+o4YvrR3Q9w++hQUcfEbT3fJwoWCMOExCsu5O7vhZbdTd6tJzH9sxN72q4yDAXW5pqtnKU71AkWg87meuGv+W23s5IBJr42L0ubEXTEoZMBvjDVrVS+9yKptQz3pkPAIFaXoLUGlJw4XmtBL8wWSj08Zi3F+lnyR+YVFV19infI35Fi7keABHHCmWeNdrlgrcFR9bs/fxn/Oswwk+8gNXQBIGLIs3clnRd+4SggfLQvv1lud8ZBN8jV3j/czAnN8XdMtsqMGZJ31TvBWVuYmqijCpwbuA/hCXrbiyy+DG+6ZHO4sUpIBPB0uQ+TNfuR9FNNxImKZBaUAOMuQgBw3lWU5Weu2CnSfJdKlREX0mBk+1StDKSJmE40x9ACt17XGST+vu8lOwy8C/wjPzCfsVMCHxJURCGe6HMfYQAyclgfwE0knq82kOWulUPFjnIyjhHwr8xbTmm3e6j7wDkvaK5WHIIxamyv420b5Y/Mc0HqA5YrC6a/AWSuHpg6lpCuLP9femhiwtERyEgOWeOJOr5wj+ZgmhD8/RpeUJlCdjWjDB1zFdoF/9u3yNpxJxpqYTB87PkcgY1jRdTP1W9/oMpvsGF61TU1IOTnhVtUZZPWYmXvyv7bHf+wmPrDN8EnxU4gMRK0u2Knx9PPuYb/iDD8UkEgbBPo/oDrboMo4QVE8je76NlIEdPlsLCDWO7GitRvNkAfDqEFrWjh6LUeyIAKmjWgm2IKEBnwHcx1v/p6iU7rABtaDmZyq5hgnbDZtOFEVsZQEk0vYYQNyMuqfC6Kt/uukmZVePRKkGXwTPmNKr5vdUTZmbZa14j46pNiOTm6R/vVKZEzHYDwgpbSoK8yQ50QuuGU9aak+iYZB+CckEH+S3KLInzDSNsA99BthiHGhIpsbwR70gc783coYJoIipYieb//LaTvf8BDmafNKnOQVazP5T2pHeO4yePr1/dEN6x9fdFRVKv/Q73qVBm5S0Jqys6Oo81cdrmISboSLzxAm7V01dijQ6Juv+awBx0emFuUKDVgS8AfZ6pGhugwcJsAE8fKexMS2I29xGaBzeGeQzOYmlTA7RXngTXh/DaHEckgBXp84dcXjcrRiEG0wGRSvNMx
1RffnUSoslLpgpMfwNYl0NMwbq+lt1ppH88tJnUXu0G3YyF+Me8lyYVlnQU9afd4u7nNTAamBlNx3QtMndWdK92X20kK2ij7kwefLc1pm6toOZE1vdSaIFXnpZCEh4of6vdNkFscpkxHtsURObPbtFsI4C8WXCypgWj3Po+YgbhMddKRu4BiQfQnopSHatFYYUM3xzTiuL496WwgCorp+Ak+wOhIE45o/iugS2xxfJIQKkMiP1JbzDw59qcaLdnRXOLqcv6nX6bMkwHuxNmVCTn2lk32FmraJdfyVhdTBPrCXx/TjoGISgEOc5w5oct1L7ERLiD6BCbxER2UkSsQb/rLoUYdfHh3bLXbZKLDGVRuf1JoImGHhtTE2R+o5o1dzWwNdHMGjVpMIV1ixxsFsMG27KhjIYUMBdrqVXH8wCXy2TOCxTqIhIOOg6lUMvEwUAh3ZaFRKGe3VaSRyVMcKE8dseHIS7MRq2g7jp9eyJkZqspBh6PEaPyTwYYv8f00VyHauZAV3UdWfWDsEZUYk194wiH2/j7O9+eF7jxPlmLuXUQGQBVTAFObpcoT988N24NalijJh/cuahhkSQYR1hMahBF5jwwVHS3vtN6pUwghTUV4HqeIrtur1cJRB6Qlm/YRgvcB1fX7xbhYyMUJUYEp1gK1xhY1c0A16V8HQPFheL8EV5tfsUT,iv:xh7XXUyLD68UDBBG5aKI/HWxjMZ0Tr4sLkIeQ8vQIso=,tag:FyLg1FhxUGjcNGD2sq4Oeg==,type:str] asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str] asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] +prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str] +unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-07-28T17:03:56Z" - mac: 
ENC[AES256_GCM,data:wX/iD3q4fRva4zeXowsx3/EscaQbaYpktX5KWhMWOnEeHIUCxRsOC954vsVRD05Hedkh5XrkNXbslQ9xgTHC3fwlFdrIIc90bSbn+1ny8NH9CmTDxMg65JGldLzIjd9QPlBVtmHXSTHsB/E2cstuto8dZ8IW7HYaPYS/yq4Lczo=,iv:XQN/SmZpCoea1yXTuMfjHxdacm8J89Uoo6pQPNhcQRQ=,tag:IAPrc6Ud/VkP0mCmMNPhpw==,type:str] + lastmodified: "2023-08-04T10:58:16Z" + mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] pgp: - created_at: "2022-01-04T00:46:57Z" enc: | diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix index 0bd1a99..075024a 100644 --- a/machines/raven/services/asterisk.nix +++ b/machines/raven/services/asterisk.nix @@ -97,6 +97,10 @@ in enable=yes refreshinterval=60 ''; + "prometheus.conf" = '' + [general] + enabled = yes + ''; }; useTheseDefaultConfFiles = [ ]; }; diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix index f368970..8c2ec36 100644 --- a/machines/raven/services/default.nix +++ b/machines/raven/services/default.nix @@ -7,6 +7,7 @@ ./freeradius.nix ./grafana.nix ./labsync + ./prometheus.nix ./unifi-controller.nix ./wekan.nix ]; diff --git a/machines/raven/services/prometheus.nix b/machines/raven/services/prometheus.nix new file mode 100644 index 0000000..5ec4a7a --- /dev/null +++ b/machines/raven/services/prometheus.nix 
@@ -0,0 +1,144 @@ +{ config, lib, pkgs, ... }: + +let + domain = "prometheus.fablab-nea.de"; + cfg = config.services.prometheus; + mkStaticTargets = targets: lib.singleton { inherit targets; }; + mkStaticTarget = target: mkStaticTargets (lib.singleton target); +in +{ + services.prometheus.exporters.node.enable = true; + + services.prometheus = { + enable = true; + listenAddress = "127.0.0.1"; + webExternalUrl = "https://${domain}"; + globalConfig = { + scrape_interval = "15s"; + evaluation_interval = "15s"; + }; + extraFlags = [ + "--storage.tsdb.retention.time=90d" + "--web.enable-admin-api" + ]; + alertmanagers = [ + { + static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; + path_prefix = "/alertmanager/"; + } + ]; + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + webExternalUrl = "https://${domain}/alertmanager"; + configuration = { + global.resolve_timeout = "2m"; + + route = { + receiver = "matrix"; + group_by = [ "alertname" ]; + group_wait = "3m"; + }; + + receivers = [ + { + name = "matrix"; + webhook_configs = lib.singleton { + url = "http://localhost/webhook"; + }; + } + ]; + }; + }; + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = mkStaticTargets [ + "localhost:${toString cfg.port}" + "kleinturmbuehne-router:9100" + ]; + } + { + job_name = "node"; + static_configs = mkStaticTargets [ + "127.0.0.1:9100" + ]; + } + { + job_name = "asterisk"; + metrics_path = "/"; + static_configs = mkStaticTargets [ + "127.0.0.1:8088" + ]; + } + { + job_name = "mikrotik"; + static_configs = mkStaticTargets [ + "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}" + ]; + } + { + job_name = "unifi"; + static_configs = mkStaticTargets [ + "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}" + ]; + } + ]; + rules = + let + mkAlert = { name, expr, for ? "1m", description ? 
null }: { + alert = name; + inherit expr for; + annotations = lib.optionalAttrs (description != null) { inherit description; }; + }; + in + [ + (lib.generators.toYAML { } { + groups = lib.singleton { + name = "alert.rules"; + rules = map mkAlert [ + { + name = "InstanceDown"; + expr = ''up == 0''; + description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for + more than 1 minutes."; + } + ]; + }; + }) + ]; + }; + + sops.secrets.prometheus-htpasswd = { + owner = "nginx"; + sopsFile = ../secrets.yaml; + }; + + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + + basicAuthFile = config.sops.secrets.prometheus-htpasswd.path; + + locations = { + "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; + + "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; + }; + }; + + services.prometheus.exporters.mikrotik = { + enable = true; + listenAddress = "127.0.0.1"; + configuration = { + devices = [ + ]; + features = { + bgp = true; + dhcp = true; + routes = true; + optics = true; + }; + }; + }; +} diff --git a/machines/raven/services/unifi-controller.nix b/machines/raven/services/unifi-controller.nix index f34d12d..4b0f1db 100644 --- a/machines/raven/services/unifi-controller.nix +++ b/machines/raven/services/unifi-controller.nix @@ -1,4 +1,8 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: + +let + promCfg = config.services.prometheus; +in { services.unifi = { enable = true; 
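Review bot: The `asterisk` job scrapes `127.0.0.1:8088` with `metrics_path = "/"`, but `res_prometheus` serves metrics at the `uri` from `prometheus.conf`, which the `[general] enabled = yes` stanza added in this commit leaves at its default of `metrics`; unless `http.conf` (not visible) changes it, this scrapes Asterisk's HTTP root and the target reads as down — use `metrics_path = "/metrics"` and confirm that HTTP server is bound to loopback, since the same port fronts ARI. `kleinturmbuehne-router:9100` is listed under `job_name = "prometheus"`, so its node-exporter series carry `job="prometheus"`; move it into the `node` job next to `127.0.0.1:9100`. `--web.enable-admin-api` exposes snapshot and delete-series endpoints through the nginx vhost with only the htpasswd in front; drop it unless the admin API is actually used. The `matrix` receiver posts to `http://localhost/webhook`, an unconfigured placeholder, so alerts currently go nowhere, and the `InstanceDown` description literal is split across two source lines and therefore carries an embedded newline and indentation. The `mikrotik` exporter is enabled with an empty `devices` list; when devices are added, the router credentials belong in sops, not inline in this file.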
@@ -6,4 +10,21 @@
 unifiPackage = pkgs.unifi;
 };
 networking.firewall.allowedTCPPorts = [ 8443 ];
+
+ sops.secrets.unpoller-password = {
+ #owner = promCfg.exporters.unpoller.user;
+ owner = config.services.prometheus.exporters.unpoller.user;
+ sopsFile = ../secrets.yaml;
+ };
+
+ services.prometheus.exporters.unpoller = {
+ enable = true;
+ controllers = [{
+ user = "unpoller";
+ pass = config.sops.secrets.unpoller-password.path;
+ verify_ssl = false;
+ hash_pii = true;
+ }];
+ log.prometheusErrors = true;
+ };
 }
From ba2d32e62472f09f67f3ec4e9b797b8940b1f882 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 4 Aug 2023 11:01:43 +0000 Subject: [PATCH 41/59] Add mailhog Let's use it for now until we have a proper mailing setup. --- machines/raven/services/default.nix | 1 + machines/raven/services/mailhog.nix | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 machines/raven/services/mailhog.nix
diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index 8c2ec36..d0b18c3 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -7,6 +7,7 @@
 ./freeradius.nix
 ./grafana.nix
 ./labsync
+ ./mailhog.nix
 ./prometheus.nix
 ./unifi-controller.nix
 ./wekan.nix
diff --git a/machines/raven/services/mailhog.nix b/machines/raven/services/mailhog.nix
new file mode 100644
index 0000000..8ec4c7b
--- /dev/null
+++ b/machines/raven/services/mailhog.nix
@@ -0,0 +1,4 @@
+{ config, ... }:
+{
+ services.mailhog.enable = true;
+}
From fe93c7c863294ca67e67cea5ad03711b49487a36 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 22:09:24 +0000 Subject: [PATCH 42/59] Fix dyndns - remove IPv6 configuration - use `freedns.afraid.org` to retrieve IP address --- machines/raven/services/dyndns.nix | 2 +-
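Review bot: `verify_ssl = false` disables certificate checking for the unpoller → controller connection and is defensible only because the target is the local `services.unifi` instance on this host, so say that in a comment and set `url = "https://127.0.0.1:8443"` explicitly instead of relying on the exporter's default (upstream unpoller defaults to that address, but a future default change would silently widen what the unverified connection trusts). The commented-out `#owner = promCfg.exporters.unpoller.user;` and the `promCfg` binding added in the first hunk are now dead; either delete both or make the live `owner` line use `promCfg`. If the `unpoller` controller account is an admin, a read-only controller role is sufficient for metrics and limits what the plaintext password in sops can do.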
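Review bot: `services.mailhog.enable = true;` brings up an SMTP sink plus an unauthenticated web UI and API that display every captured message (password-reset links, alert mails); the NixOS module leaves the firewall closed by default, but upstream MailHog binds all interfaces unless told otherwise via `extraArgs`, so either bind it to loopback, put the UI behind the same htpasswd-protected nginx used for Prometheus, or record in a comment that it is reachable only from the host. Nothing in this commit points Asterisk, Grafana or Alertmanager at port 1025, so the "for now" mail still goes nowhere unless it is wired up elsewhere. `config` in the module arguments is unused.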
+++ b/machines/raven/services/dyndns.nix
@@ -11,6 +11,6 @@
 username = "nouser";
 passwordFile = config.sops.secrets.dyndns-password.path;
 domains = [ "fablab-nea" ];
- ipv6 = false;
+ use = "web, web=freedns.afraid.org/dynamic/check.php";
 };
 }
From f08fd1ad0cd8dcdc35b8476d4cb7d499a928a72d Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 22:17:20 +0000 Subject: [PATCH 43/59] Update my GPG key --- .sops.yaml | 2 +- keys/users/jalr.asc | 40 +++++++++---------- machines/raven/secrets.yaml | 76 ++++++++++++++++++------------------- 3 files changed, 59 insertions(+), 59 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index afc201c..b49af20 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,5 @@
 keys:
- - &jalr 66FB54F6081375106EEBF651A222365EB448F934
+ - &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
 - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
 - &raven 10E468768E3BCD6459F9F11AC8F765CF8AD1F892
 creation_rules:
diff --git a/keys/users/jalr.asc b/keys/users/jalr.asc
index 05cd8a9..329f049 100644
--- a/keys/users/jalr.asc
+++ b/keys/users/jalr.asc
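Review bot: `use = "web, web=freedns.afraid.org/dynamic/check.php"` makes the address ddclient publishes for `fablab-nea` depend on the body of a third-party page that, in ddclient's `web` mode, is fetched over plain HTTP unless the URL carries an `https://` scheme (or the packaged version honours a `web-ssl`/`ssl` setting for that fetch) — whoever can tamper with that response can repoint the public name. Use `web=https://freedns.afraid.org/dynamic/check.php` and verify the installed ddclient actually negotiates TLS for it, or `use = "if, if=<wan-interface>"` if the WAN address is on this host. The commit message says the IPv6 configuration is removed, but the hunk only replaces `ipv6 = false`; a one-line comment that IPv4-only is intended would save the next reader the archaeology.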
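Review bot: Replacing the `&jalr` fingerprint re-encrypts the current `secrets.yaml` (the diffstat shows it), but every earlier revision in git history remains decryptable with the old key 66FB54F6…B448F934, so if that key was lost or exposed rather than merely superseded, the secret values themselves — dyndns, pjsip, ari, voicemail, the Prometheus htpasswd and the unpoller password — need rotating, not just the recipient list. If this was a planned rotation, publish a revocation for the old key and state in the commit body which case applies. Once `keys/users/jalr.asc` is overwritten in the next hunk nothing in the tree records the retired fingerprint, so a note in the commit message or a comment beside the new `&jalr` line is the only place that history survives.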
@@ -1,23 +1,23 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mDMEYdCpCxYJKwYBBAHaRw8BAQdAL5OkhCMv9ekGaHmLALjDyINBhcR3gmuMZiE/ -FzEjNLq0HEpha29iIExlY2huZXIgPG1haWxAamFsci5kZT6IlgQTFgoAPhYhBGb7 -VPYIE3UQbuv2UaIiNl60SPk0BQJh0KkLAhsBBQleC+EABQsJCAcDBRUKCQgLBRYC -AwEAAh4BAheAAAoJEKIiNl60SPk0wrsBAKmdNnQza/qt6kMSt4/v/VLAwO9CkIYd -LQIbnDhZcmHxAQDdwWYnSNS357bz8YeUpUKeUfOZ6xAjyRmYuQQ2Mu4tDLgzBGHQ -qkkWCSsGAQQB2kcPAQEHQI0iSVnqIurvk2KV1vpvy4T678NWLqXgXooGTAD1Bq2E -iPUEGBYKACYWIQRm+1T2CBN1EG7r9lGiIjZetEj5NAUCYdCqSQIbAgUJAeEzgACB -CRCiIjZetEj5NHYgBBkWCgAdFiEECgvMdrJ/xQJ9TjAFmWCC77WQbBAFAmHQqkkA -CgkQmWCC77WQbBApJwD9HkYwBQDpNueYPTalsOrMDVUK2+jhNFrTVOLLeppevysA -/2aVnZxLJWh16T7gcQXW73Eifyq0DSzSRKfSKOeOn4kH8poA/jh+ubA9PO6PrwoB -MGRA/sZmPV7bR/Sm/6KWxzCUDSRpAP9EpOHwe0yb55yEyvJHD8vXB9jgeQu+im0y -UDCF+tX9Brg4BGHQqocSCisGAQQBl1UBBQEBB0BpQ5RvkE8dxQpSJKndxOXh6bIA -DOQu5VovlDinXLfYEAMBCAeIfgQYFgoAJhYhBGb7VPYIE3UQbuv2UaIiNl60SPk0 -BQJh0KqHAhsMBQkB4TOAAAoJEKIiNl60SPk0uQoA/ibS+RGMq3jPQRy0019mi6yM -hLBjZFEhzh1TgzUvix89AP9dDgHnbS27tBUmqYDR9vFdS3Pww3YI8josvT7m2rJJ -CrgzBGHQqsUWCSsGAQQB2kcPAQEHQM2x+uWFR4z9MzwZnlFMgJrFXxpruZ58WukK -yWrCjURjiH4EGBYKACYWIQRm+1T2CBN1EG7r9lGiIjZetEj5NAUCYdCqxQIbIAUJ -AeEzgAAKCRCiIjZetEj5NJt/AQDB/+oiJ/+WUGViRfPt2xm0MFL+Qzsu+of22Y2I -Ho4ZAgD+IHfBGJyTsMEZktPW/j4wQG8BlFitcos1iRcRdDf6twY= -=trJC +mDMEZbmOERYJKwYBBAHaRw8BAQdAarCLR2RvxBnRODJY8WM98gCRbsHzXFTYTIoR +ZlmbOQe0HEpha29iIExlY2huZXIgPGphbHJAamFsci5kZT6IjgQTFgoANhYhBDBE +5x497/SbWGz1gJv0/MuQhU2pBQJluY4RAhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIX +gAAKCRCb9PzLkIVNqbmFAQDG8xNgbZsZx6N2ssVC9k98IUvuKuMZQ6Gju86EsnNY +dgD/eSVRfAKCtIPSGtoLvE5zL80hk117R4f8rbMEvrmt9gm4MwRluY53FgkrBgEE +AdpHDwEBB0DRonRUQIQSfkqX7yHFHewbEYnc/spaPufL6EnSPVLvZ4j1BBgWCgAm +FiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jncCGwIFCQHhM4AAgQkQm/T8y5CF +Tal2IAQZFgoAHRYhBDp0/wfiMHs2RqSZ6EYNR7hAgU8/BQJluY53AAoJEEYNR7hA +gU8/HikBAPOziBknk+WcsKODsdViFedagVgtnjW8J6mJZRKNcD2fAP4/42g9wU2i +KHKHypLlGdmgOVOpSGNcubkcPFcOOHH7AZevAQDUU/UNpIHe7R3rYq4sFT2iYa9T 
+ZKpmOostoAzyYOViZwD/RA2suqGyrSe96JLnxwzy3LccYgV3VwEbHDWeUTvOCAy4 +OARluY6pEgorBgEEAZdVAQUBAQdAAXZvPoXdFpBhYS8KgCeXweUMlSwsCnXmgiDh +neSFMwsDAQgHiH4EGBYKACYWIQQwROcePe/0m1hs9YCb9PzLkIVNqQUCZbmOqQIb +DAUJAeEzgAAKCRCb9PzLkIVNqbmEAQDSBggKtjGkLuYtIHBBCfBF4Dx7odOapasa +tYqZTU7twwD/VhDvRGPbTl7X7DYQ36bmyjTe6cZAj3/M0ueQhlTrJAW4MwRluY7E +FgkrBgEEAdpHDwEBB0B95fmIsa7I4c3ttAko71CuEI/wTam0zYrYJNtL7sz3o4h+ +BBgWCgAmFiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jsQCGyAFCQHhM4AACgkQ +m/T8y5CFTamxRwD6A9TAs2Ac2VUQDCGgIEgUeULB2fZ1i0s0zydXctKJf7wBAL64 +utFE0ryrkFHMGY4xHMwZfvWosYH/qfLlKadnb3cK +=WgEZ -----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml index 223320d..296e672 100644 --- a/machines/raven/secrets.yaml +++ b/machines/raven/secrets.yaml 
@@ -13,55 +13,55 @@ sops: lastmodified: "2023-08-04T10:58:16Z" mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] pgp: - - created_at: "2022-01-04T00:46:57Z" + - created_at: "2024-03-06T22:15:56Z" enc: | -----BEGIN PGP MESSAGE----- - hF4D3ylLYNOsO+0SAQdAj++uvPwv/jjwBCxVI3U7BQbne02cPxaBgARZmZKfnz4w - J1rc2CxvixjutPbmkHUMfZSNeh0Ph064xewj1v7CcCZMCHeo1gxo6DOtPq24bXBr - 0l4BtY6fVd0bbKj7g5FvqlNjX+xIeZTsocRbNfPAloywTttRGfAnyp1X1Oyhpfci - pTa4yxy3TMxzzT0rJNJ/dmuPE4Fzf07mDLFgDlIBoPyAfXMcTN1MaVPPXH1hxTYG - =w9fC + hF4DY/xpNY5WhB0SAQdAg3as/btOvNHhLPywUjqmly8Z/FYiIexBKnHU7z/t/1gw + Y5uB8Ykskx61s3VBS+oiFHt76Ndf40noVXlyArhYNkR1JKxJ4Ld32/0O2l3jSNMe + 0l4BS5LCUBZnyxMz/yq7roK6TOplWMCn0UymtLLrSn7p5y04xmM4FmZQgvF9w6rY + PpyEdtt27Y+xHZDxesZMdkBT3vwxJRkyY6rscd9YKlEqAHhvslf7XO7iQTzHgFA4 + =UmXy -----END PGP MESSAGE----- - fp: 66FB54F6081375106EEBF651A222365EB448F934 - - created_at: "2022-01-04T00:46:57Z" - enc: | + fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 + - created_at: "2024-03-06T22:15:56Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDgSONkM+d4ARAAqK2vdhE0UQ3ZPa4i94yaedtcF+HbEvwlUDc++wd6BBiq - btdJLiYIpsqtTI3+Gtdj5f+mS9Wi/hK3i/25PR1vZBRt19YZPFKLaxL05R2RSy1N - DfGsE2S7BKg2n1BFHMUtRaVyrlePvWTVJdgLRdDQmB4rsqpnAIZF7b+X5PljuwKF - kQIUeT/qfjrQ5bCLKAsT/S8p4SRDQoE47NQd57CrpYOjwzbLQFav8H/cTY0dvucZ - C3m0D+xRthB/doi0ElQcHDD8xCK8DwjZiEjkYcvHs6lSVHYhNzY5i9yjOrr7PdR4 - W6nMM2xREaVznBQH79JqDRcWpBJGFrkhVmsylaWWuJ7CZcDpknGPxP74tdKR6kMS - /XSl7SzyVd1yJHZ8jHbgYvYwUFnaUJSruAO678t1aT/dVIK2AFcmj4/hX/86M2tE - L5Ern78SBoYdEC7Mxa6R+O/kQ5mnr6opzZg/+amPrrugNMAHaKUVs23t6Wcl+vGk - t7Uepj6OeFoKDZW5mQrlAlBpK2+mNisELbpPwFtg9vAYvzW+eqX3K/GwLM1sVewi - A/5LAQdExbzx7g/JZx5fogV9x4AKnBtz06/f7npQT7fGhOoUkz7rDkdkCNQ8Wzmj - iqs1MiS8lWS75UP9SHhwEu1O8m8j0cCnfXKL3yxUXvMdtLQK/NehlNTTkF9OqBTS 
- XgHf5dxGyRNa9A+JsfcIUPBDEygJTiRLgsQ9hHOdXoI+pxdOqj5iJHHFAzDka9mU - fHonxXNxyUlLvlGE/QY6bm2vOoLS5psEd/kPBC0iWswMPFywI51kUV7rlYBLPlw= - =JTBg + wcFMAwDgSONkM+d4ARAAtqjFvGr1EJguUHDCMBvDRzjshVYCW57sRvQrSnpGFbKr + TiFaBPFow6NJMN58Tt2NUp2+lt3XaGGwqwjbNStpSXYhyF2WChrJN9PMdjvRIYPY + kZvjwfGAHKKrAKFtHVfLVPRi2145oDXjoYgLWq9wtWVR/5Id9WVBIg63F8Kn8hwc + 3G1XsM85/6ggiJjWxHPj7PO+VOwlEJ0Uxg3REDpy5Zo0+xOQ8ESHPFAr2qtRlJzl + plYv9wrLrBbJcQ11NYTuhg0zf5yWV8mrhzrYn/1gWuaHDozuwyH8Q6KDcSxfXPCs + 4c22fcuuylV99Ig4+m2IUtw19sk9EeQtDh3MIv2c6HV4uuYQEPjVlU4pPGH6wSXy + SrtSgWgH3BGiJPL7rv3Axy3h22zwgiRosDGDh/Qy65aU8ivjWJwwF+c457ULDcA7 + a8asRIIywwxHJOLEggV1b8Addnl9DAItwK5MYwU/UvO0qSRrStKcf6UDxF9ZQmLS + aeVXR8p6NGEZ/8dEFUS8QDVOnp+J6vJDUwHNZzo2VYLqp9B8Zg78rsMMIHzKEFkU + EgHrg5+ilSZrkTCC3ZPiddK6esCEZCgwDTWoTOlxeLtt85G8GS7GHvykoXFqzDkU + 8V6jpXSuK5EMfexVRajspqTqFPSxwSDAZhDSKstThUwbMkLfFo0ESYXy8+GfAITS + UQGSmewokOgbxb3QY+afQ4t6PEe/qLgc4IIDn+kuZ9KmXbNVqUbqgM4AznkoMCkG + U7OqeXp36Lu40mCDqyOPabDA40rM9sSkVUmXpEW74GeayQ== + =ddqa -----END PGP MESSAGE----- fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC - - created_at: "2022-01-04T00:46:57Z" + - created_at: "2024-03-06T22:15:56Z" enc: | -----BEGIN PGP MESSAGE----- - hQIMA8j3Zc+K0fiSAQ//S7nCpxTBI/LK5X7eY988gSTgE1aW/rpW46MqWSX0P6F+ - Zw8bxd9sfIl33DCG1voXN0bum3S+sVMQpt4sDsxeD47wSCJgcFtTDicK/IWvp/33 - 3DYL6y4L/A+oqsmQ3T2ZskMdfx0hcCqRJlVohxPqj8vnuMHDq1dINKee/yYAwHZu - zgpXKCtGKyPCHEu2DLu0Kd78bTidXwQm/Xo4hifGZS105EFmUT8j5D9MWiM4jykH - nZ/B7hej/KXy3geraj/YMyFvEfk0bfkTLV+vwf0fc9copcpnCfhRZ/7Uj5H/p7im - OBFBgeCNYgivI7WUr8uZGvzCkZLUfQ+8Lxg0DrzeYrIx8NQDUCVaHpA88YZ+iAIt - +gBjatUac+/qIwuhNCHNF8Q/t2fFxytcrhEmBZNj82zr244O3h+3aDyvmdh/2aVm - 4fRvW7/pMZCpUIBHsc2FeT/C/XtaOANoynmZJfj32aHsuZQED59C3P6UJym7uU+2 - 336topEsOr9WcNR0wLFdfSyMW6ZlTcG/FrJHiJOKK44HXqfdasvQSg5Pa1XQLPhV - KIUyQNXWLvOsaTUSRXLM/lSJheemhdzVN643uSSeLgij7w8XzauV/UVJAe/q6f8E - 5XmGSV0Dl0xpBcq6A/h/i7Xm/4vDpIx1S6RI55xXHdQ89s5SD1J+M1hePeSjD0PS - UAG6yeiEpbDtRF5rsi3Iq7aRsHBkXKiJdr9uATIWOnUAdcLy35VeCH1qWUFJDUxE - 
iD9SVWuY5/FoQ0vOl8Mr13Zsl29dfCLrHDG2u2jKRaDB - =lH+V + hQIMA8j3Zc+K0fiSAQ//cajo/FPvA1PmKXph8Ov7SmKD9heVzcvdAlxJPLFq2y+S + c7nH1033oaH0CTIEWyDGqOee9nS0+0NtnhnsUa8QO0Z+BhKj/3/o3ERxRCzRzxdZ + 3Qd60o+rbqSo7XrdYIy2rR6iAs6re0I4k3P33ge+z4U8u01iv/GCS6q6fvx8mAeW + 8Fw7DJXKOmC4dTkvrAScIScxmljAoEOiw1bIPf2w8mypvNL7QFMK4ow+Yi+3uDC2 + Zy6pwvN2NWROPAmQ+D2PmZM40xJoWFkur8rMYC5eMq66usGCftZqaVPZVPR0dS3c + bVtmLdds4QzA79oxBbnwayPdCrqYEEGGDpJffOg1hneSPIBvVQVcECSEA6v5bBfN + zKZKmBiLZh1On3O4TOB/vkPucm/xqWwthTkQWJFiImbp3a2EQIqJeYb4ywDh2gxo + gzEf8SUW4ZyvhNSiAI/SkExOxZsKEBzkvbnxpzRR0+wvoCptLaUGX8MTtxyX2qm6 + JWppTYcbmoDBGsosyVpcKSn7DTA2D7PgStZruewkF9UiAZQF12U46AHGhkRXGjSu + BIUlt7MGMgH7qKmavw5EtwhGFQPdIJxDxOylHy3JB8BH7rhZkWtC3DqEdHs2UN8x + HEOcgBuNYacHmi8yHEEKBgAs4I295rHBZAYvUWEJoyykFpOjyVGoo82kJ3F0kIjS + WAG2Sm6+pgwdYAspBBOaheu12UO9UC0J7mNa2UrRtS1reMB31c6thNXto6zmjM6u + y4C10byfQizvMJDkflSWDB/fRK47fcnrMU6Ye6Pfq5PlDVTKW4dB7ZI= + =iQ8f -----END PGP MESSAGE----- fp: 10E468768E3BCD6459F9F11AC8F765CF8AD1F892 unencrypted_suffix: _unencrypted From 93c1fa27e93de546a03e88fc768a2b5917eca7bd Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 22:32:32 +0000 Subject: [PATCH 44/59] Removed input `nixpkgs-asterisk` --- flake.lock | 17 ----------------- flake.nix | 2 -- 2 files changed, 19 deletions(-) diff --git a/flake.lock b/flake.lock index 3f01190..4c14d81 100644 --- a/flake.lock +++ b/flake.lock @@ -137,22 +137,6 @@ "type": "github" } }, - "nixpkgs-asterisk": { - "locked": { - "lastModified": 1639416782, - "narHash": "sha256-ULr0km91xD8g+UR/Br8PD+H0kMjT0lHVc12KRag7ue4=", - "owner": "yayayayaka", - "repo": "nixpkgs", - "rev": "ce220610f741ba209a02d7655fb3425f3e5a3358", - "type": "github" - }, - "original": { - "owner": "yayayayaka", - "ref": "asterisk-secrets-handling", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1685801374, 
@@ -233,7 +217,6 @@ "nix-pre-commit-hooks": "nix-pre-commit-hooks", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "nixpkgs-asterisk": "nixpkgs-asterisk", "nixpkgs-unstable": "nixpkgs-unstable", "sbruder-overlay": "sbruder-overlay", "sops-nix": "sops-nix" diff --git a/flake.nix b/flake.nix index e2c0ad8..f66c293 100644 --- a/flake.nix +++ b/flake.nix @@ -9,8 +9,6 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged - nixpkgs-asterisk.url = "github:yayayayaka/nixpkgs/asterisk-secrets-handling"; nixos-hardware.url = "github:nixos/nixos-hardware/master"; From 1dd960d23fa983bc376f1386ffbe6ad11f3fba85 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 22:34:00 +0000 Subject: [PATCH 45/59] Update to 23.11 --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 4c14d81..6a14559 100644 --- a/flake.lock +++ b/flake.lock @@ -123,16 +123,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690927903, - "narHash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", + "lastModified": 1709569716, + "narHash": "sha256-iOR44RU4jQ+YPGrn+uQeYAp7Xo7Z/+gT+wXJoGxxLTY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", + "rev": "617579a787259b9a6419492eaac670a5f7663917", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index f66c293..2b2371c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,7 +6,7 @@ nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; From 3cb035de5e588939d2494d1648142760994ea1d6 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Wed, 6 Mar 2024 22:38:19 +0000 Subject: [PATCH 46/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/919d646de7be200f3bf08cb76ae1f09402b6f9b4' (2023-07-11) → 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/52bf404674068e7f1ad8ee08bb95648be5a4fb19' (2023-08-03) → 'github:cachix/pre-commit-hooks.nix/5df5a70ad7575f6601d91f0efec95dd9bc619431' (2024-02-15) • Updated input 'nix-pre-commit-hooks/flake-compat': 'github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9' (2023-01-17) → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04) • Updated input 'nix-pre-commit-hooks/gitignore': 'github:hercules-ci/gitignore.nix/a20de23b925fd8264fd7fad6454652e142fd7f73' (2022-08-14) → 'github:hercules-ci/gitignore.nix/43e1aa1308018f37118e34d3a9cb4f5e75dc11d5' (2023-12-29) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/c37ca420157f4abc31e26f436c1145f8951ff373' (2023-06-03) → 'github:NixOS/nixpkgs/3dc440faeee9e889fe2d1b4d25ad0f430d449356' (2024-01-10) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/24f9162b26f0debd163f6d94752aa2acb9db395a' (2023-08-02) → 'github:nixos/nixos-hardware/59e37017b9ed31dee303dbbd4531c594df95cfbc' (2024-03-02) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/66aedfd010204949cb225cf749be08cb13ce1813' (2023-08-02) → 'github:nixos/nixpkgs/b8697e57f10292a6165a20f03d2f42920dfaf973' (2024-03-03) • Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/fcd0dc1d7532403fead90e7aad4595133cc994e7' (2023-06-17) → 'github:sbruder/nixpkgs-overlay/32ef4fd545a29cdcb2613934525b97470818b42e' (2024-01-01) • Updated input 'sbruder-overlay/poetry2nix': 
'github:nix-community/poetry2nix/e2d2c7a31485aeb801fa85da2d0fa103dd5112ef' (2023-04-22) → 'github:nix-community/poetry2nix/7acb78166a659d6afe9b043bb6fe5cb5e86bb75e' (2023-12-01) • Added input 'sbruder-overlay/poetry2nix/nix-github-actions': 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03) • Added input 'sbruder-overlay/poetry2nix/nix-github-actions/nixpkgs': follows 'sbruder-overlay/poetry2nix/nixpkgs' • Added input 'sbruder-overlay/poetry2nix/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Added input 'sbruder-overlay/poetry2nix/treefmt-nix': 'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12) • Added input 'sbruder-overlay/poetry2nix/treefmt-nix/nixpkgs': follows 'sbruder-overlay/poetry2nix/nixpkgs' • Updated input 'sops-nix': 'github:Mic92/sops-nix/c36df4fe4bf4bb87759b1891cab21e7a05219500' (2023-07-24) → 'github:Mic92/sops-nix/25dd60fdd08fcacee2567a26ba6b91fe098941dc' (2024-03-06) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/ce45b591975d070044ca24e3003c830d26fea1c8' (2023-07-22) → 'github:NixOS/nixpkgs/66d65cb00b82ffa04ee03347595aa20e41fe3555' (2024-03-03) --- flake.lock | 133 ++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 97 insertions(+), 36 deletions(-) diff --git a/flake.lock b/flake.lock index 6a14559..47c9f17 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { 
@@ -21,11 +21,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { @@ -42,11 +42,11 @@ ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", "type": "github" }, "original": { @@ -78,6 +78,28 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "sbruder-overlay", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1698974481, + "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "4bb5e752616262457bc7ca5882192a564c0472d2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -91,11 +113,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1691073619, - "narHash": "sha256-18/EyL9QuzwaA1iJZm0Qp6Lk7sh4YftfWIa2Is3UOSE=", + "lastModified": 1708018599, + "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "52bf404674068e7f1ad8ee08bb95648be5a4fb19", + "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", "type": "github" }, "original": { 
@@ -107,11 +129,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1690957133, - "narHash": "sha256-0Y4CiOIszhHDDXHFmvHUpmhUotKOIn0m3jpMlm6zUTE=", + "lastModified": 1709410583, + "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "24f9162b26f0debd163f6d94752aa2acb9db395a", + "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", "type": "github" }, "original": { @@ -139,43 +161,43 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1685801374, - "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1690066826, - "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=", + "lastModified": 1709428628, + "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ce45b591975d070044ca24e3003c830d26fea1c8", + "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691006197, - "narHash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", + "lastModified": 1709479366, + "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "66aedfd010204949cb225cf749be08cb13ce1813", + "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", "type": "github" }, "original": { 
@@ -191,17 +213,20 @@ "sbruder-overlay", "flake-utils" ], + "nix-github-actions": "nix-github-actions", "nixpkgs": [ "sbruder-overlay", "nixpkgs" - ] + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1682132397, - "narHash": "sha256-NbIdSrx3Y1NioEEvoaOTETNTpq6m6bfoxmEt/C8GLAQ=", + "lastModified": 1701399357, + "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "e2d2c7a31485aeb801fa85da2d0fa103dd5112ef", + "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e", "type": "github" }, "original": { @@ -236,11 +261,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1686992369, - "narHash": "sha256-ElxqG+mvB3ZqNvpugZsvCcsd9Vq6JmlzF96i5Qya8OE=", + "lastModified": 1704120598, + "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "fcd0dc1d7532403fead90e7aad4595133cc994e7", + "rev": "32ef4fd545a29cdcb2613934525b97470818b42e", "type": "github" }, "original": { @@ -257,11 +282,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1690199016, - "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=", + "lastModified": 1709711091, + "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500", + "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", "type": "github" }, "original": { 
@@ -284,6 +309,42 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "sbruder-overlay", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699786194, + "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", From af9856537e7dac78156e74cca4d3322ba6680819 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 23:07:39 +0000 Subject: [PATCH 47/59] Fix deprecation types.string is deprecated --- modules/pubkeys.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/pubkeys.nix b/modules/pubkeys.nix index 29e2e93..52dea77 100644 --- a/modules/pubkeys.nix +++ b/modules/pubkeys.nix @@ -3,11 +3,11 @@ { options.fablab.pubkeys = with lib.types; { users = lib.mkOption { - type = attrsOf (listOf string); + type = attrsOf (listOf str); description = "pubkeys for a specific user"; }; groups = lib.mkOption { - type = attrsOf (listOf string); + type = attrsOf (listOf str); description = "pubkeys for a group of users"; }; }; From a2bf925873b5b24674bf63420043341536092a4b Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 22:50:19 +0000 Subject: [PATCH 48/59] Add luks passfile --- machines/raven/hardware-configuration.nix | 4 ++++ machines/raven/luks-passfile.gpg | Bin 0 -> 4262 bytes 2 files changed, 4 insertions(+) create mode 100644 machines/raven/luks-passfile.gpg 
diff --git a/machines/raven/hardware-configuration.nix b/machines/raven/hardware-configuration.nix index c0fdfc5..2d22b58 100644 --- a/machines/raven/hardware-configuration.nix +++ b/machines/raven/hardware-configuration.nix @@ -26,7 +26,11 @@ device = "/dev/disk/by-uuid/ee78659c-52a5-4e81-8028-b43de08b6a55"; preLVM = true; allowDiscards = true; + keyFileSize = 4096; + keyFile = "/dev/disk/by-id/usb-jalr_RAM_Mass_Storage_DE6270431F6F342C-0:0"; + keyFileTimeout = 5; }; + systemd.enable = true; }; loader = { 
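Review bot: The added `keyFile` points at a raw USB block device and `keyFileSize = 4096;` takes its first 4096 bytes as the LUKS key, so holding that stick is enough to unlock the volume; that is a deliberate trade-off, but the file does not say so, and a comment such as `# LUKS key is the first 4096 bytes of the USB stick; luks-passfile.gpg in this directory is presumably its encrypted backup` would tie it to the blob added in the same commit. `keyFileTimeout = 5;` looks intended as the fallback to an interactive passphrase when the stick is absent — worth stating next to it so nobody reads the timeout as a hard failure. `systemd.enable = true;` (presumably `boot.initrd.systemd.enable`) switches stage 1 to the systemd initrd inside a commit titled "Add luks passfile"; that is a separate behavioural change, and since the scripted and systemd initrds implement `keyFile`, `keyFileSize` and `keyFileTimeout` separately, it is worth confirming all three are honoured on the systemd path in the nixpkgs release in use. The enclosing `boot`/`initrd` block starts outside the hunk.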
diff --git a/machines/raven/luks-passfile.gpg b/machines/raven/luks-passfile.gpg new file mode 100644 index 0000000000000000000000000000000000000000..3b3390bcf8ca9709233303ed051792e22abc2163 GIT binary patch literal 4262 zcmZpPV^02)Y1$XoA}hqm?hqzs9%U?ci)U9?;1ol)10Sy#Z|$Ack~#lfW>&)W;{tI8 z8&(NS&pWgAX)xRGH(DEcwlCN2ZmF1|`1HiiQswO9;vQ{`a#1Xb@#Z>K{$ck{zE{8W zit(=Nti&6?9`~PPlM~|p81yuJ+Op3At2&f2rhU`ju_^FRhV0C`a6|Nhd{Sx>&1+VdSfqIqDE>C4?; zt}AOTtKWCrJDQU-Sh#T>Yu>|Pj`ZCVo_+9&s9$>LN}aCx6ZzHmM321_UbW04V4Yx* z;_a%sh1Hy*MvGm{&h%w1=`m$kcVPGN+euP_e+t^f7G7-U@@<;bCA!wbWubHt&*p-Y zc4wCTNaVYD2PFkon6CaRMgXxe+lcQcv!M`Rso(W!uw(%g-)&d%XRqn8-pa z`Twi+7MeFpa0fPiZQz~p@|W$KsOOVd9{haOvg~v4-y?HNS$49A_r>z>zWQRu_mm^* zPF$M&T(yTW=N? z-4}k`bFKJB{lWx(L4U9O_3678b;_`4NJK~<_Rxz`ViBJa>#eiLnd8&?;uZV%1ifmj zae1hB^}vZQw@Rf&*+gVydyV#*XVs}nB)nOE^VWw4{kcD{^_HqwuS*h}|A^!1pR^~_ zYpzepRf$*fUDLc#nfmZduK-c=z&_ofXr>c!Rr}4)4-AeCNM{57(SSk82qJYJAt zTHemjg^BTf23tQ%O#A!ha+DkEzN692VmCIgC{Jn@i7ngGc)ebBo}@_8;;V8Tdw1Tl zX}W2(!mj9w?&F}#GB?$ zlRT*sBcdMgG%$a??3cJyv#pW5MqZzf9&VYt_Q6l(W+_p>MBUV9mlFjf;)FkS_p@+6 zxc_ApHT@?rNlDU4U+nsm3y^LhrMavnNxA&LKd6L?nNv06842{x%6a9 z(({D0;_|(3f}(EB&o1TXzkXs@Z@}xUE6gdX@xpD-PaJSL{Csg()5@)z<7OSW?6GEs zzm4tNAC`}75|4@}EN5KYeQsON_Sf5wWD8x+IL&oW{OGdqO~PD-U9aYt9y%DWwIKQ0 zi(N;ya~ogn4St-eX0vx4>&BSxx)Y^)S?Aq2?zPK#+HJ8l_qMvPZhOiRbW`?B?O#rb zPxhC?EY1l(O9+^FUn#Y8i-JT^YudAGc2Bw*r!0E+GPj`Z_>*ZDYrM9<;@5OxPvPuLzTO`BSwRokx_|C9~lq(BoZ&qc| zGjS^N==oWZyZqH`CC0UNvsz8>)LzhaI}%uadP0odg%@cT|4jJ5jm6zlxkgzc+So@( zsMx@a?bU829#XKz&-|~2Z?0!w`mL!kpT9QYO2f_j zMVr^RZZF+D^K@x(oD*AE+liGILTCDAAF4fY;xn&8^v|zq`<7U7eZEz`J}vB z@}F17>=!((n8$oeDrj|lr?}8cE|DI@1_(>IpxNz3-z=e&%WdhdtN zjFlCitIc%po_(+}D)Laad&unfPZC?o`c6$#7SqYE7I(DzZ_#(LQuF$>uK{s!*=eX3Kt<HV58C1S$Yg=!?yRR0S z|8?P)#<%As_St1t-{{Din^z)#T}_FdAO|I-fM z``GigR(RnCe}|U!%(u5qxpL>jGjRjk2MLv@`U)M@UfYkc&_8gl2 z`KsQc#NC&tsn1z;M5J?%>x2*H7vhf2E}Y<6=;XrrimAG0UhT>I8fI!e8@{G3$lWk! 
zlkfgxa=R_}#YzeJ3fG>Uy(jvBy7kB1%S8_4Hukk8tY1)k(TQt!#q`ThPjl}+XY|Z> z-mh=su2GRk=Bp^GdXyFIOgjEEKx%HTw(qRnTOO@`_0-;~qt>h;eBq@(TCX=8Qg1!_ zck`!7_iMZl987FnHbGA~rZTnHnj!U2|Me~JwqCX_a$>1pcQj<$XQRzOPE0*FN2L?#SBob$$iY z9>l%}ajm;|zT1X6=4*pBo>$S>-NYI&ZtnTULQ8cBwOyXK?>l z-`d;CAtZb3QrxV*z+m0lMYsNn|NlIX_w1R!7M{AhE_T#(U-qj~Kg_h|iQ}u2u@l{` zxUWikXp{!DguTm6cGa?-tHNKr(EO)%NB!O~p61u(Ts+HPSF4`yeP=pr|4d(|&(jzF zKk9kfJ>x;+%k%2rt)85=KmOoZ=_Ed(t7|sB%gqecX1c(mcHc<(gWHJ@Hpw2l-LCBp zow<5n&XtzwCF~jL8+WwG{tu~7e}DOKQ;x$HzxU-c9)35ja4zg$d+6=^$+5S$^c32% zaZT!8oqSR&!k^9PQq9()Sj>5lV+XUt9bI}l_|V^u6{&(~H7zY%s`*t+Rd57Hx4NnbeO_|eE zRsNp1H@UfOL)#zrDT8;_rtkcv~?K1W?-WtzfMmq(9v4!@SQxf%YU>xaM}2cO#A zkJkL>@l!l>Qe%S`i$wj&L$`!dSDWT39F{%9vEbiM*6X`VBr{ARZ|ps8{W7}glFh%+ zbODxUUH+o0RL^Z@>4|v!`G{euOO{UPtYyD;nYjk0zVwoe%WwLh{Q6&wQ^~>e38yL# zb>@VAzgNz}$=&hY_h#3=qY;)5)IHZs`x7T~(_@|&n~;-=Tx!`d-?BLeU8}DAsJS$y zLm}~bkl6*}$yO!;wic)BYYIa{jkcT?Rlggyai-A2A4#G@srxrcgp{WGpIGm9wzA^Z zUyZ{mUC~-s&3^CezLX)|CpO+YJRS^|35v=c})oCsScx)jv0)BN4J$oKPfT| zv$9)bq7rk^zs|WPAo`JDNn*ukhFHDzd~4j+p40X_Qmw}6(^k&TCZ)SkdWDWX*L-QN ze+ADU={u%Ne>?VN>6+CuQ!B1+Te+*CJj#T@x!L%KN{zUqzyu{Tt-~)xtj?|8eN3&l z;E}-s-Ki3;(esa8Sh03}QBHICqJKUD7i6SU*PajDXufQBz^lrp3F7hXhtCE5b^qCL z;PaMA~N3DJW@kEqeSQ#Khv+wMj0k_W9_qO;WD9cdkgc>BSxkH=}oAA7Ae&Fj_n9VF=ff z4^O?1YX3<5wpMKR1Lw~hY)jd^U1l$x@umJuKeNaZiAeiqrk8Wvl{@b?J`NW@agHrK zZ&E13SMP^MRJWL?ORJqbA2B&!JLOB~t$Q{R@t=-pFFF%@N!TcFX})nyn!CV-(`l(* zld5^N7SDUKcad(k_b>NNI)5`KSpNRHj;CHmRbTAY#0@hWq(3s4EhyXga{G-F4{y(5 zUvz5QyCA0*D_)A{`F_22^5og*tX=D4AH}5vOiOUwHSurhQQwHi4-8e(%e8E~w=^)N z+P%8cedIaUcSqIWpFeF~A4$LJ<^3o9V`qT0uWLACMDl)*um~3I2aW;8UC%=$*X$0O fvSoK)3(ulE`@3)GO Date: Wed, 6 Mar 2024 23:25:28 +0000 Subject: [PATCH 49/59] Remove exa as it has been removed --- modules/tools.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/tools.nix b/modules/tools.nix index 5ec2282..982e167 100644 --- a/modules/tools.nix +++ b/modules/tools.nix @@ -23,7 +23,6 @@ compsize curl dnsutils - exa fd file git 
From f51cb0e8ddd0610ec4751981ed47de97908064cc Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 23:27:05 +0000 Subject: [PATCH 50/59] Fix overlay --- machines/party/services/colorchord.nix | 4 ---- machines/raven/services/colorchord.nix | 4 ---- modules/nix.nix | 2 +- 3 files changed, 1 insertion(+), 9 deletions(-) diff --git a/machines/party/services/colorchord.nix b/machines/party/services/colorchord.nix index 661025a..95c87fa 100644 --- a/machines/party/services/colorchord.nix +++ b/machines/party/services/colorchord.nix @@ -86,8 +86,4 @@ in wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices); }) (lib.attrNames soundDevices)); - - nixpkgs.overlays = with inputs; [ - sbruder-overlay.overlay - ]; } diff --git a/machines/raven/services/colorchord.nix b/machines/raven/services/colorchord.nix index 61218b1..7194834 100644 --- a/machines/raven/services/colorchord.nix +++ b/machines/raven/services/colorchord.nix @@ -106,8 +106,4 @@ in wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices); }) (lib.attrNames soundDevices)); - - nixpkgs.overlays = with inputs; [ - sbruder-overlay.overlay - ]; } diff --git a/modules/nix.nix b/modules/nix.nix index e669255..fc6d9da 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -50,7 +50,7 @@ in nixpkgs.overlays = with inputs; [ self.overlays.default - + sbruder-overlay.overlays.default (final: prev: { unstable = import nixpkgs-unstable { inherit (config.nixpkgs) From 0615870cee66bf7c39d2234cbf6191dc0adb5500 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Wed, 6 Mar 2024 23:27:16 +0000 Subject: [PATCH 51/59] Update system.stateVersion --- machines/raven/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix index c4ed459..8292c4c 100644 --- a/machines/raven/configuration.nix +++ b/machines/raven/configuration.nix 
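Review bot: Adding `sbruder-overlay.overlays.default` to `nixpkgs.overlays` in `modules/nix.nix` applies that third-party overlay to every configuration importing the module (presumably all hosts), whereas the two removed `nixpkgs.overlays = with inputs; [ sbruder-overlay.overlay ];` blocks in the colorchord files only pulled it in for those services; the `overlay` → `overlays.default` rename is the visible fix, but the widened scope is not mentioned. A comment on the new line, e.g. `sbruder-overlay.overlays.default # third-party overlay (inputs.sbruder-overlay), now applied everywhere; review on every flake.lock bump`, would make that deliberate. The overlay is pinned by revision in flake.lock, so the exposure is bounded to what is reviewed at bump time. The enclosing `nixpkgs.overlays` list is inside the hunk but the surrounding module body is not.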
@@ -90,5 +90,5 @@ "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ]; }; - system.stateVersion = "23.05"; + system.stateVersion = "23.11"; } From 684da44657dd6235386c3cc941b7f41e498ccf6b Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Tue, 4 Jun 2024 00:24:09 +0200 Subject: [PATCH 52/59] Update to 24.05 --- flake.lock | 8 ++++---- flake.nix | 2 +- machines/raven/configuration.nix | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 47c9f17..54558d8 100644 --- a/flake.lock +++ b/flake.lock @@ -145,16 +145,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709569716, - "narHash": "sha256-iOR44RU4jQ+YPGrn+uQeYAp7Xo7Z/+gT+wXJoGxxLTY=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "617579a787259b9a6419492eaac670a5f7663917", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 2b2371c..f0c233e 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,7 @@ nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix index 8292c4c..f73ccda 100644 --- a/machines/raven/configuration.nix +++ b/machines/raven/configuration.nix @@ -90,5 +90,5 @@ "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ]; }; - system.stateVersion = "23.11"; + system.stateVersion = "24.05"; } From af1c8a76ba417c4c0c93c07cf36744979200c1f6 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Thu, 20 Jun 2024 23:45:30 +0200 Subject: [PATCH 53/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/d465f4819400de7c8d874d50b982301f28a84605' (2024-02-28) → 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/5df5a70ad7575f6601d91f0efec95dd9bc619431' (2024-02-15) → 'github:cachix/pre-commit-hooks.nix/8cd35b9496d21a6c55164d8547d9d5280162b07a' (2024-06-20) • Removed input 'nix-pre-commit-hooks/flake-utils' • Updated input 'nix-pre-commit-hooks/gitignore': 'github:hercules-ci/gitignore.nix/43e1aa1308018f37118e34d3a9cb4f5e75dc11d5' (2023-12-29) → 'github:hercules-ci/gitignore.nix/637db329424fd7e46cf4185293b9cc8c88c95394' (2024-02-28) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/3dc440faeee9e889fe2d1b4d25ad0f430d449356' (2024-01-10) → 'github:NixOS/nixpkgs/842253bf992c3a7157b67600c2857193f126563a' (2024-06-15) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/59e37017b9ed31dee303dbbd4531c594df95cfbc' (2024-03-02) → 'github:nixos/nixos-hardware/083823b7904e43a4fc1c7229781417e875359a42' (2024-06-20) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/805a384895c696f802a9bf5bf4720f37385df547' (2024-05-31) → 'github:nixos/nixpkgs/938aa157bbd6e3c6fd7dcb77998b1f92c2ad1631' (2024-06-18) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/b8697e57f10292a6165a20f03d2f42920dfaf973' (2024-03-03) → 'github:nixos/nixpkgs/c00d587b1a1afbf200b1d8f0b0e4ba9deb1c7f0e' (2024-06-18) • Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/32ef4fd545a29cdcb2613934525b97470818b42e' (2024-01-01) → 'github:sbruder/nixpkgs-overlay/2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8' (2024-04-12) • Updated input 'sops-nix': 
'github:Mic92/sops-nix/25dd60fdd08fcacee2567a26ba6b91fe098941dc' (2024-03-06) → 'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251' (2024-06-16) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/66d65cb00b82ffa04ee03347595aa20e41fe3555' (2024-03-03) → 'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005' (2024-06-15) --- flake.lock | 63 ++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index 54558d8..8a8071c 100644 --- a/flake.lock +++ b/flake.lock @@ -21,11 +21,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -42,11 +42,11 @@ ] }, "locked": { - "lastModified": 1703887061, - "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "type": "github" }, "original": { @@ -103,9 +103,6 @@ "nix-pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", - "flake-utils": [ - "flake-utils" - ], "gitignore": "gitignore", "nixpkgs": [ "nixpkgs-unstable" 
@@ -113,11 +110,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1708018599, - "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", + "lastModified": 1718879355, + "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", + "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a", "type": "github" }, "original": { @@ -129,11 +126,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1709410583, - "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", + "lastModified": 1718894893, + "narHash": "sha256-hxQBUtDbFOCCW1CsFZTS9Q5Ov1ZKdJgbBZHSez1M6iA=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", + "rev": "083823b7904e43a4fc1c7229781417e875359a42", "type": "github" }, "original": { @@ -145,11 +142,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1718717462, + "narHash": "sha256-qddfQLMaWR2gxfEzUM/zFZVK6H1kTv9WBQSBQxbP3MU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "rev": "938aa157bbd6e3c6fd7dcb77998b1f92c2ad1631", "type": "github" }, "original": { @@ -161,11 +158,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1704874635, - "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", + "lastModified": 1718447546, + "narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", + "rev": "842253bf992c3a7157b67600c2857193f126563a", "type": "github" }, "original": { 
@@ -177,11 +174,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1709428628, - "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", + "lastModified": 1718478900, + "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", + "rev": "c884223af91820615a6146af1ae1fea25c107005", "type": "github" }, "original": { @@ -193,11 +190,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1709479366, - "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", + "lastModified": 1718714799, + "narHash": "sha256-FUZpz9rg3gL8NVPKbqU8ei1VkPLsTIfAJ2fdAf5qjak=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", + "rev": "c00d587b1a1afbf200b1d8f0b0e4ba9deb1c7f0e", "type": "github" }, "original": { @@ -261,11 +258,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1704120598, - "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=", + "lastModified": 1712934106, + "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "32ef4fd545a29cdcb2613934525b97470818b42e", + "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8", "type": "github" }, "original": { @@ -282,11 +279,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1709711091, - "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", + "lastModified": 1718506969, + "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", + "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251", "type": "github" }, "original": { From 001ebc9b1fd595b1bf1dc6972352825e360ce3a9 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Fri, 21 Jun 2024 14:04:30 +0200 Subject: [PATCH 54/59] Add disko --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 4 ++++ 2 files changed, 25 insertions(+) diff --git a/flake.lock b/flake.lock index 8a8071c..e72fc2c 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718846788, + "narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=", + "owner": "nix-community", + "repo": "disko", + "rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -234,6 +254,7 @@ }, "root": { "inputs": { + "disko": "disko", "flake-utils": "flake-utils", "krops": "krops", "nix-pre-commit-hooks": "nix-pre-commit-hooks", diff --git a/flake.nix b/flake.nix index f0c233e..a3f323d 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,8 @@ { inputs = { + disko.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + flake-utils.url = "github:numtide/flake-utils"; nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; @@ -143,6 +146,7 @@ }) ] ++ (with inputs; [ sops-nix.nixosModules.sops + disko.nixosModules.disko ]) ++ extraModules; }) (import ./machines inputs); From ad3b9ab43fe4a86c09a60606d3af1992c93c13b5 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 21 Jun 2024 14:06:28 +0200 Subject: [PATCH 55/59] Reinstall raven --- machines/default.nix | 2 +- machines/raven/configuration.nix | 1 + machines/raven/disko.nix | 54 +++++++++++++++++++++++ machines/raven/hardware-configuration.nix | 24 +--------- 4 files changed, 57 insertions(+), 24 deletions(-) create mode 100644 machines/raven/disko.nix diff --git a/machines/default.nix b/machines/default.nix index 8ceaf73..6fd7ae9 100644 --- a/machines/default.nix +++ b/machines/default.nix 
@@ -4,7 +4,7 @@ let
 in
 {
 raven = {
- #targetHost = "192.168.94.1";
+ targetHost = "raven.fablab-nea.de";
 system = "x86_64-linux";
 extraModules = [
 hardware.common-cpu-intel
diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix
index f73ccda..d16de7c 100644
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./hardware-configuration.nix
+ ./disko.nix
 ./services
 ];
diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix
new file mode 100644
index 0000000..84ad2ea
--- /dev/null
+++ b/machines/raven/disko.nix
@@ -0,0 +1,54 @@
+{
+ disko.devices = {
+ disk = {
+ nvme = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-WD_Green_2.5_240GB_232497451701";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ type = "EF00";
+ size = "1024M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "raven-crypt";
+ settings = {
+ allowDiscards = true;
+ };
+ extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd" "noatime" "nodev" "nosuid" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/raven/hardware-configuration.nix b/machines/raven/hardware-configuration.nix
index 2d22b58..27292cd 100644
--- a/machines/raven/hardware-configuration.nix
+++ b/machines/raven/hardware-configuration.nix
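Review bot: `targetHost` now sends deploys to the public name `raven.fablab-nea.de` instead of the LAN address, and it lands in the same patch as the reinstall, which presumably regenerated raven's SSH host key. The deploying machine should have that new host key pinned in its `known_hosts` (with `StrictHostKeyChecking=yes` or an equivalent) so the first deploy after the reinstall does not silently accept whatever answers for the name. A short comment on the `targetHost` line recording where the host key is kept would save the next operator the question.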
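Review bot: The `/nix` subvolume lists `"noatime"` twice in its `mountOptions`; given the sibling `/home` entry, the second one was probably meant to be `"nosuid"`, so either drop the duplicate (`mountOptions = [ "compress=zstd" "noatime" "nodev" ];`) or confirm the intended flag. The disk attribute is named `nvme` while the device path is `ata-WD_Green_2.5_240GB_…`, which misleads the next reader; a neutral name such as `ssd` keeps the generated names honest. `extraFormatArgs` is one list element holding several space-separated cryptsetup options — if disko quotes each element that arrives as a single argument, so one element per option (`"--pbkdf" "argon2id" …`) is safer either way. The argon2id memory cost of 4 GiB is what every later unlock must satisfy in the initrd, and cryptsetup may have capped it at format time, so the parameters actually stored in the header should be checked with `cryptsetup luksDump` against the box's RAM.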
@@ -20,35 +20,13 @@
 "cryptd"
 ];
 kernelModules = [ "dm-snapshot" ];
-
- luks.devices.root = {
- name = "root";
- device = "/dev/disk/by-uuid/ee78659c-52a5-4e81-8028-b43de08b6a55";
- preLVM = true;
- allowDiscards = true;
- keyFileSize = 4096;
- keyFile = "/dev/disk/by-id/usb-jalr_RAM_Mass_Storage_DE6270431F6F342C-0:0";
- keyFileTimeout = 5;
- };
-
 systemd.enable = true;
 };
 loader = {
 systemd-boot.enable = true;
+ systemd-boot.configurationLimit = 20;
 efi.efiSysMountPoint = "/boot";
 efi.canTouchEfiVariables = true;
 };
 };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/80209d1b-27c6-423d-93e8-cd39e1893873";
- fsType = "btrfs";
- options = [ "discard=async" "noatime" "compress=zstd" ];
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/20A0-5FD8";
- fsType = "vfat";
- };
- };
 }
From 43db0de26a8bcfe16d8d7282fa3ac2b20d4e772a Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 21 Jun 2024 14:04:53 +0200 Subject: [PATCH 56/59] Update my SSH keys
---
.sops.yaml | 4 +- machines/raven/secrets.yaml | 79 ++++++++++++++++--------------- modules/pubkeys.nix | 3 +- 3 files changed, 38 insertions(+), 48 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index b49af20..e5aa242 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,17 +1,19 @@
 keys:
 - &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
 - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- - &raven 10E468768E3BCD6459F9F11AC8F765CF8AD1F892
+ - &raven age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
 creation_rules:
 - path_regex: secrets\.yaml$
 key_groups:
 - pgp:
 - *jalr
 - *simon
+ age:
 - *raven
 - path_regex: machines/raven/secrets\.yaml$
 key_groups:
 - pgp:
 - *jalr
 - *simon
+ age:
 - *raven
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 296e672..872e6ea 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
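Review bot: The removed `luks.devices.root` block carried the USB key-file unlock (`keyFile`, `keyFileSize`, `keyFileTimeout`) and `preLVM`, while the disko definition that replaces it only sets `allowDiscards`, so after this patch the root volume presumably needs a passphrase typed at the console on every boot of a host that is now deployed remotely. If the key-file unlock is still wanted, the same options belong in the luks `settings` block of disko.nix, which as far as I can tell is merged into `boot.initrd.luks.devices.<name>`; if it was dropped on purpose, a comment there saying so (`# interactive passphrase only; USB key-file unlock retired with the reinstall`) would stop the next reader hunting for it. The enclosing `boot.initrd` attribute set starts above this hunk.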
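Review bot: Both `creation_rules` entries now carry the identical recipient set, and since sops uses the first rule whose `path_regex` matches, `secrets\.yaml$` already captures `machines/raven/secrets.yaml`, so the second rule is unreachable. Either delete it or, if the two rules are meant to diverge later, order the more specific `machines/raven/secrets\.yaml$` rule first. A one-line comment above the rules stating that order decides (`# first matching rule wins`) would keep this from regressing.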
@@ -9,60 +9,49 @@ sops: gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] + age: + - recipient: age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBML0wrQWtGbjhEY1BpT0lU + OXZZTlF5SzlWSGc4dzgvYnJ1QUtRUDM4a0QwCmU2bEVRUEZFTEw3QW9MUm16QVFk + bmlwMmN5eldzRis4czJNTkpGUUkyd3cKLS0tIFZ3TWswMnBXOW5xOW8zbTNiUGtS + T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc + Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg== + -----END AGE ENCRYPTED FILE----- lastmodified: "2023-08-04T10:58:16Z" mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] pgp: - - created_at: "2024-03-06T22:15:56Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DY/xpNY5WhB0SAQdAg3as/btOvNHhLPywUjqmly8Z/FYiIexBKnHU7z/t/1gw - Y5uB8Ykskx61s3VBS+oiFHt76Ndf40noVXlyArhYNkR1JKxJ4Ld32/0O2l3jSNMe - 0l4BS5LCUBZnyxMz/yq7roK6TOplWMCn0UymtLLrSn7p5y04xmM4FmZQgvF9w6rY - PpyEdtt27Y+xHZDxesZMdkBT3vwxJRkyY6rscd9YKlEqAHhvslf7XO7iQTzHgFA4 - =UmXy - -----END PGP MESSAGE----- - fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 - - created_at: "2024-03-06T22:15:56Z" + - created_at: "2024-09-24T19:30:34Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMAwDgSONkM+d4ARAAtqjFvGr1EJguUHDCMBvDRzjshVYCW57sRvQrSnpGFbKr - TiFaBPFow6NJMN58Tt2NUp2+lt3XaGGwqwjbNStpSXYhyF2WChrJN9PMdjvRIYPY - kZvjwfGAHKKrAKFtHVfLVPRi2145oDXjoYgLWq9wtWVR/5Id9WVBIg63F8Kn8hwc - 3G1XsM85/6ggiJjWxHPj7PO+VOwlEJ0Uxg3REDpy5Zo0+xOQ8ESHPFAr2qtRlJzl - plYv9wrLrBbJcQ11NYTuhg0zf5yWV8mrhzrYn/1gWuaHDozuwyH8Q6KDcSxfXPCs - 4c22fcuuylV99Ig4+m2IUtw19sk9EeQtDh3MIv2c6HV4uuYQEPjVlU4pPGH6wSXy - SrtSgWgH3BGiJPL7rv3Axy3h22zwgiRosDGDh/Qy65aU8ivjWJwwF+c457ULDcA7 - a8asRIIywwxHJOLEggV1b8Addnl9DAItwK5MYwU/UvO0qSRrStKcf6UDxF9ZQmLS - 
aeVXR8p6NGEZ/8dEFUS8QDVOnp+J6vJDUwHNZzo2VYLqp9B8Zg78rsMMIHzKEFkU - EgHrg5+ilSZrkTCC3ZPiddK6esCEZCgwDTWoTOlxeLtt85G8GS7GHvykoXFqzDkU - 8V6jpXSuK5EMfexVRajspqTqFPSxwSDAZhDSKstThUwbMkLfFo0ESYXy8+GfAITS - UQGSmewokOgbxb3QY+afQ4t6PEe/qLgc4IIDn+kuZ9KmXbNVqUbqgM4AznkoMCkG - U7OqeXp36Lu40mCDqyOPabDA40rM9sSkVUmXpEW74GeayQ== - =ddqa + hF4DY/xpNY5WhB0SAQdAyqAyhamC5ViSdA1B1b8fI2iaSIAfyVJEe2ZaDyFI82Uw + NPvBXNKx4u0KTnMG6tl63Tb2/6sC4uhkp3n/pM+cxKIMfTXodIenddK5siPs8MQI + 0l4BeIxec9DiNskvxTqnZ7jtVd7hWy494cDrr7Yb9J0GZWQ5mP2ZtqgcDkbzZnqb + E8glyIInDNAKedtpbE0waUWPwbA3XAgsQX6xijwe5q0j4Rqqc4rlvJuk9Xd7G+M9 + =77Op -----END PGP MESSAGE----- - fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC - - created_at: "2024-03-06T22:15:56Z" - enc: | + fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 + - created_at: "2024-09-24T19:30:34Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQIMA8j3Zc+K0fiSAQ//cajo/FPvA1PmKXph8Ov7SmKD9heVzcvdAlxJPLFq2y+S - c7nH1033oaH0CTIEWyDGqOee9nS0+0NtnhnsUa8QO0Z+BhKj/3/o3ERxRCzRzxdZ - 3Qd60o+rbqSo7XrdYIy2rR6iAs6re0I4k3P33ge+z4U8u01iv/GCS6q6fvx8mAeW - 8Fw7DJXKOmC4dTkvrAScIScxmljAoEOiw1bIPf2w8mypvNL7QFMK4ow+Yi+3uDC2 - Zy6pwvN2NWROPAmQ+D2PmZM40xJoWFkur8rMYC5eMq66usGCftZqaVPZVPR0dS3c - bVtmLdds4QzA79oxBbnwayPdCrqYEEGGDpJffOg1hneSPIBvVQVcECSEA6v5bBfN - zKZKmBiLZh1On3O4TOB/vkPucm/xqWwthTkQWJFiImbp3a2EQIqJeYb4ywDh2gxo - gzEf8SUW4ZyvhNSiAI/SkExOxZsKEBzkvbnxpzRR0+wvoCptLaUGX8MTtxyX2qm6 - JWppTYcbmoDBGsosyVpcKSn7DTA2D7PgStZruewkF9UiAZQF12U46AHGhkRXGjSu - BIUlt7MGMgH7qKmavw5EtwhGFQPdIJxDxOylHy3JB8BH7rhZkWtC3DqEdHs2UN8x - HEOcgBuNYacHmi8yHEEKBgAs4I295rHBZAYvUWEJoyykFpOjyVGoo82kJ3F0kIjS - WAG2Sm6+pgwdYAspBBOaheu12UO9UC0J7mNa2UrRtS1reMB31c6thNXto6zmjM6u - y4C10byfQizvMJDkflSWDB/fRK47fcnrMU6Ye6Pfq5PlDVTKW4dB7ZI= - =iQ8f + hQIMAwDgSONkM+d4AQ//VH43OoHprfVhgtPmGjP3dHvWxLkAtyEi2QOYWjGLGbuw + l5TAY8RAp3c34E0qp52a2a+GSJUwdxVusK4MSWGzzg0x1VKPFr5Dz11SRnjqyWuQ + sM7zo9AP1cIUoIaP4G/jnwYicEH+3ADjFEpNazfNw56cpjWL/1yQSKK4uk4x/m7e + AWWcRQHJa7j/sPuR2R24CQjZq6WfxoDDe2v1J+NTxBoZh16CJ8LDUWOCAgRDvEDn + 
d1WczY5cu0n/IAl8baKrvAtBoahEeF97lBmZ7BtXiFT2c6jvwjY0erj+BA0N4Jfc + WnJaU1y+a0RKxvH3AOo7R09NmvFtfWcUrFD6k5jLGhvbkuMd4+akEhDv98GeW77m + qjimf2gOLt0mR536JQP0pZ41O5hXLGVhPDESRWKMkeJcJ97+7wN9WkUnfW+AA0+y + TSqQ+KEsJMIYK1HCWJeW8oc+G+gEY7iutIxY+dL7NV8EzUWREhy0/1WzEIb3AfgH + XfzQufzXnKG844GUV0WKHiff7/Wmuhcz6+yFNLqdG2u7LM91eBB3B00ubFmfcz4U + OO4SopFeGHUo7xjQMDI3SzwPocRBsL3Fz+f2o5zsOGUPS/UebLwgN4UvaW0BKbZ5 + zRiC0v5OKWRMxZVbhpmfvfYFEjkflVfYuiTul6ajnaXarO+S9Sp8r+RSkkJx7ZXS + XgHjN92PHYzz8O0ls8NxJiMFdG5ozfims6VN3sC98LjhRsaCb5oEwh8ZoB6WDb7y + 0FeEsVM12vBGVF2oU8SVSJNnsgf4aMCTAPi+vdimq4UBKMEyxBwWkp62r2xXmoA= + =/jcl -----END PGP MESSAGE----- - fp: 10E468768E3BCD6459F9F11AC8F765CF8AD1F892 + fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/modules/pubkeys.nix b/modules/pubkeys.nix index 52dea77..c515fe1 100644 --- a/modules/pubkeys.nix +++ b/modules/pubkeys.nix @@ -16,8 +16,7 @@ fablab.pubkeys = { users = { jalr = [ - "ssh-rsa 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 jalr@jalr-tp" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2x+uWFR4z9MzwZnlFMgJrFXxpruZ58WukKyWrCjURj cardno:000616522763" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479" ]; simon = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii" From 09d3b5b22fffa66b0855d01435e436037b4a98c0 Mon Sep 17 00:00:00 2001 
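Review bot: The `mac` and `lastmodified` lines are unchanged while the recipient set changes, which is what `sops updatekeys` produces: the same data key is re-wrapped for the new age recipient and the two PGP keys rather than rotated. The removed recipient (fingerprint `10E468768E3BCD6459F9F11AC8F765CF8AD1F892`) and anyone with a checkout of the previous revision can therefore still decrypt this file's contents, because the old wrapped copy stays in git history. If the old raven key is considered compromised rather than merely retired with the reinstall in the previous patch, rotate the data key with `sops -r -i machines/raven/secrets.yaml` and change the secret values themselves, since rotation alone does not revoke what was already readable; if it was only retired, a remark to that effect in the commit message would save the next reader this analysis.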
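Review bot: After this hunk `jalr` is left with a single hardware-token key (`cardno:25_750_479`) and no fallback, since both the `ssh-rsa` key and the previous card key are removed in one step. If that is deliberate it is the stronger posture, but a second, offline-stored ed25519 key in the list avoids a lockout on every host that consumes `fablab.pubkeys` when the card is lost or replaced. A short comment on the entry (`# hardware token only; backup key kept offline at <location>`) would make the choice explicit.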
From: Jakob Lechner Date: Fri, 20 Sep 2024 01:32:44 +0200 Subject: [PATCH 57/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/e1174d991944a01eaaa04bc59c6281edca4c0e6e' (2024-06-20) → 'github:nix-community/disko/624fd86460e482017ed9c3c3c55a3758c06a4e7f' (2024-09-19) • Updated input 'flake-utils': 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11) → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/8cd35b9496d21a6c55164d8547d9d5280162b07a' (2024-06-20) → 'github:cachix/pre-commit-hooks.nix/4e743a6920eab45e8ba0fbe49dc459f1423a4b74' (2024-09-19) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/842253bf992c3a7157b67600c2857193f126563a' (2024-06-15) → 'github:NixOS/nixpkgs/194846768975b7ad2c4988bdb82572c00222c0d7' (2024-07-07) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/083823b7904e43a4fc1c7229781417e875359a42' (2024-06-20) → 'github:nixos/nixos-hardware/10d5e0ecc32984c1bf1a9a46586be3451c42fd94' (2024-09-19) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/938aa157bbd6e3c6fd7dcb77998b1f92c2ad1631' (2024-06-18) → 'github:nixos/nixpkgs/086b448a5d54fd117f4dc2dee55c9f0ff461bdc1' (2024-09-16) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/c00d587b1a1afbf200b1d8f0b0e4ba9deb1c7f0e' (2024-06-18) → 'github:nixos/nixpkgs/99dc8785f6a0adac95f5e2ab05cc2e1bf666d172' (2024-09-16) • Updated input 'sbruder-overlay': 'github:sbruder/nixpkgs-overlay/2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8' (2024-04-12) → 'github:sbruder/nixpkgs-overlay/3487b8ce24d40cc898f3dba0a9af5e028e1d5844' (2024-07-02) • Updated input 'sbruder-overlay/poetry2nix': 'github:nix-community/poetry2nix/7acb78166a659d6afe9b043bb6fe5cb5e86bb75e' (2023-12-01) → 
'github:nix-community/poetry2nix/184960be60652ca7f865123e8394ece988afb566' (2024-04-30) • Updated input 'sbruder-overlay/poetry2nix/nix-github-actions': 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03) → 'github:nix-community/nix-github-actions/5163432afc817cf8bd1f031418d1869e4c9d5547' (2023-12-29) • Updated input 'sbruder-overlay/poetry2nix/treefmt-nix': 'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12) → 'github:numtide/treefmt-nix/c6aaf729f34a36c445618580a9f95a48f5e4e03f' (2024-04-25) • Updated input 'sops-nix': 'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251' (2024-06-16) → 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8' (2024-09-16) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005' (2024-06-15) → 'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05' (2024-09-08) --- flake.lock | 82 +++++++++++++++++++++++++++--------------------------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/flake.lock b/flake.lock index e72fc2c..fffa600 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1718846788, - "narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=", + "lastModified": 1726775926, + "narHash": "sha256-5zShvCy9S4tuISFjNSjb+TWpPtORqPbRZ0XwbLbPLho=", "owner": "nix-community", "repo": "disko", - "rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e", + "rev": "624fd86460e482017ed9c3c3c55a3758c06a4e7f", "type": "github" }, "original": { 
@@ -41,11 +41,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -107,11 +107,11 @@ ] }, "locked": { - "lastModified": 1698974481, - "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=", + "lastModified": 1703863825, + "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", "owner": "nix-community", "repo": "nix-github-actions", - "rev": "4bb5e752616262457bc7ca5882192a564c0472d2", + "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1718879355, - "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=", + "lastModified": 1726745158, + "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a", + "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", "type": "github" }, "original": { @@ -146,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1718894893, - "narHash": "sha256-hxQBUtDbFOCCW1CsFZTS9Q5Ov1ZKdJgbBZHSez1M6iA=", + "lastModified": 1726724509, + "narHash": "sha256-sVeAM1tgVi52S1e29fFBTPUAFSzgQwgLon3CrztXGm8=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "083823b7904e43a4fc1c7229781417e875359a42", + "rev": "10d5e0ecc32984c1bf1a9a46586be3451c42fd94", "type": "github" }, "original": { 
@@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1718717462, - "narHash": "sha256-qddfQLMaWR2gxfEzUM/zFZVK6H1kTv9WBQSBQxbP3MU=", + "lastModified": 1726447378, + "narHash": "sha256-2yV8nmYE1p9lfmLHhOCbYwQC/W8WYfGQABoGzJOb1JQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "938aa157bbd6e3c6fd7dcb77998b1f92c2ad1631", + "rev": "086b448a5d54fd117f4dc2dee55c9f0ff461bdc1", "type": "github" }, "original": { @@ -178,43 +178,43 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1718447546, - "narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=", + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "842253bf992c3a7157b67600c2857193f126563a", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1718478900, - "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=", + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c884223af91820615a6146af1ae1fea25c107005", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.11", + "ref": "release-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1718714799, - "narHash": "sha256-FUZpz9rg3gL8NVPKbqU8ei1VkPLsTIfAJ2fdAf5qjak=", + "lastModified": 1726463316, + "narHash": "sha256-gI9kkaH0ZjakJOKrdjaI/VbaMEo9qBbSUl93DnU7f4c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c00d587b1a1afbf200b1d8f0b0e4ba9deb1c7f0e", + "rev": "99dc8785f6a0adac95f5e2ab05cc2e1bf666d172", "type": "github" }, "original": { 
@@ -239,11 +239,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1701399357, - "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=", + "lastModified": 1714509427, + "narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e", + "rev": "184960be60652ca7f865123e8394ece988afb566", "type": "github" }, "original": { @@ -279,11 +279,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1712934106, - "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=", + "lastModified": 1719952130, + "narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8", + "rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844", "type": "github" }, "original": { @@ -300,11 +300,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1718506969, - "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=", + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "type": "github" }, "original": { @@ -351,11 +351,11 @@ ] }, "locked": { - "lastModified": 1699786194, - "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=", + "lastModified": 1714058656, + "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1", + "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", "type": "github" }, "original": { From 26f62b0ed5956c37a7f24ba4011f0f80bc7a582f Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Thu, 1 Aug 2024 18:44:37 +0200 Subject: [PATCH 58/59] Update unifi controller to version 8 --- machines/raven/services/unifi-controller.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/raven/services/unifi-controller.nix b/machines/raven/services/unifi-controller.nix index 4b0f1db..6befce2 100644 --- a/machines/raven/services/unifi-controller.nix +++ b/machines/raven/services/unifi-controller.nix @@ -7,7 +7,7 @@ in services.unifi = { enable = true; openFirewall = true; - unifiPackage = pkgs.unifi; + unifiPackage = pkgs.unifi8; }; networking.firewall.allowedTCPPorts = [ 8443 ]; From cac031dd8f25cba44df65dac679b0a443131b11f Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Tue, 24 Sep 2024 21:33:14 +0200 Subject: [PATCH 59/59] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/624fd86460e482017ed9c3c3c55a3758c06a4e7f' (2024-09-19) → 'github:nix-community/disko/6d42596a35d34918a905e8539a44d3fc91f42b5b' (2024-09-24) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/10d5e0ecc32984c1bf1a9a46586be3451c42fd94' (2024-09-19) → 'github:nixos/nixos-hardware/d0cb432a9d28218df11cbd77d984a2a46caeb5ac' (2024-09-22) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/086b448a5d54fd117f4dc2dee55c9f0ff461bdc1' (2024-09-16) → 'github:nixos/nixpkgs/23cbb250f3bf4f516a2d0bf03c51a30900848075' (2024-09-22) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/99dc8785f6a0adac95f5e2ab05cc2e1bf666d172' (2024-09-16) → 'github:nixos/nixpkgs/9357f4f23713673f310988025d9dc261c20e70c6' (2024-09-21) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index fffa600..8d98ae2 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1726775926, - "narHash": "sha256-5zShvCy9S4tuISFjNSjb+TWpPtORqPbRZ0XwbLbPLho=", + "lastModified": 1727196810, + "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=", "owner": "nix-community", "repo": "disko", - "rev": "624fd86460e482017ed9c3c3c55a3758c06a4e7f", + "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b", "type": "github" }, "original": { @@ -146,11 +146,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1726724509, - "narHash": "sha256-sVeAM1tgVi52S1e29fFBTPUAFSzgQwgLon3CrztXGm8=", + "lastModified": 1727040444, + "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "10d5e0ecc32984c1bf1a9a46586be3451c42fd94", + "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726447378, - "narHash": "sha256-2yV8nmYE1p9lfmLHhOCbYwQC/W8WYfGQABoGzJOb1JQ=", + "lastModified": 1726969270, + "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "086b448a5d54fd117f4dc2dee55c9f0ff461bdc1", + "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", "type": "github" }, "original": { @@ -210,11 +210,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1726463316, - "narHash": "sha256-gI9kkaH0ZjakJOKrdjaI/VbaMEo9qBbSUl93DnU7f4c=", + "lastModified": 1726937504, + "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "99dc8785f6a0adac95f5e2ab05cc2e1bf666d172", + "rev": "9357f4f23713673f310988025d9dc261c20e70c6", "type": "github" }, "original": {