diff --git a/.gitattributes b/.gitattributes index f769614..a676483 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,3 +1,5 @@ **/secrets.yaml diff=sops +*.jpg filter=lfs diff=lfs merge=lfs -text *.png filter=lfs diff=lfs merge=lfs -text +*.svg filter=lfs diff=lfs merge=lfs -text diff --git a/.sops.yaml b/.sops.yaml index e5aa242..74f5600 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,19 +1,17 @@ keys: - - &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 + - &jalr 7C207509562C208C4EC1676E87A8E5662DF00274 - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC - - &raven age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa + - &raven 10E468768E3BCD6459F9F11AC8F765CF8AD1F892 creation_rules: - path_regex: secrets\.yaml$ key_groups: - pgp: - *jalr - *simon - age: - *raven - path_regex: machines/raven/secrets\.yaml$ key_groups: - pgp: - *jalr - *simon - age: - *raven diff --git a/flake.lock b/flake.lock index 8d98ae2..7dd29ac 100644 --- a/flake.lock +++ b/flake.lock 
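Review bot: Dropping the `age:` key group and turning `&raven` into a PGP fingerprint means every file matched by `secrets\.yaml$` has to be re-keyed, not only `machines/raven/secrets.yaml` (which this diff does re-encrypt); run `sops updatekeys` over the others and rotate their data keys with `sops -r`, because `updatekeys` alone leaves the removed age recipient able to decrypt the existing data key. With the age group gone both creation rules appear to name the same recipients, and `secrets\.yaml$` already matches `machines/raven/secrets.yaml`, so the second rule looks redundant — if raven is meant to get a different recipient set, that difference should be visible here. The `&jalr` fingerprint also changes, so the key in `keys/users/jalr.asc` must be checked against `7C207509562C208C4EC1676E87A8E5662DF00274` rather than assumed to match.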
@@ -1,51 +1,12 @@ { "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727196810, - "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=", - "owner": "nix-community", - "repo": "disko", - "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { - "inputs": { - "systems": "systems" - }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", "type": "github" }, "original": { @@ -54,27 +15,6 @@ "type": "github" } }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "nix-pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "krops": { "inputs": { "flake-utils": [ 
@@ -85,11 +25,11 @@ ] }, "locked": { - "lastModified": 1644957911, - "narHash": "sha256-ggie/j7pdBqzDs4W7OiPmhqH9IGbXAbJxGqBdVxA8jA=", + "lastModified": 1632420452, + "narHash": "sha256-ncK6vABW/Ku9XI0kqj1otarUfblryoQzSaOCnaZ0oSs=", "owner": "Mic92", "repo": "krops", - "rev": "86fb3d2ee94fd8306231853b323ed8804edf26ec", + "rev": "0388970c568905fedcbf429e5745aacd4f7a6633", "type": "github" }, "original": { @@ -98,43 +38,21 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "sbruder-overlay", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703863825, - "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nix-pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs-unstable" + "flake-utils": [ + "flake-utils" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1726745158, - "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", + "lastModified": 1639823344, + "narHash": "sha256-jlsQb2y6A5dB1R0wVPLOfDGM0wLyfYqEJNzMtXuzCXw=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", + "rev": "ff9c0b459ddc4b79c06e19d44251daa8e9cd1746", "type": "github" }, "original": { @@ -146,11 +64,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1727040444, - "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", + "lastModified": 1640513880, + "narHash": "sha256-dIJYjqGFqCBNh3iasE+6EHG/W96I0YK6ayjfazOVuE8=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", + "rev": "2a76e1204f3a605f8d8d2f323671e1a295a5246d", "type": "github" }, "original": { 
@@ -162,59 +80,43 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726969270, - "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", + "lastModified": 1640531271, + "narHash": "sha256-WsUVTlPu1k3rXg3dyA0KMNvM9rnCEU0Fx4W0QI4rsXE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", + "rev": "04bd2d1a4700907997be007a2a8f39edd59dac24", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "nixos-21.11", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-stable": { + "nixpkgs-asterisk": { "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", + "lastModified": 1638872530, + "narHash": "sha256-4tQOkGTdwa4xGJNwKaM+c67u37bDP4cDseYppq3xy0s=", + "owner": "yayayayaka", "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "rev": "77758650a83959c60aa2c7e2f2cf739ec7ddb793", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { - "locked": { - "lastModified": 1725762081, - "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-24.05", + "owner": "yayayayaka", + "ref": "asterisk-secrets-handling", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1726937504, - "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", + "lastModified": 1640408860, + "narHash": "sha256-h2uF3+a8bVfM8SjcS4hLbsOzOuG3qsxuImC0BucWs1Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9357f4f23713673f310988025d9dc261c20e70c6", + "rev": "cb372c3b8880e504b06946e8fb2ca9777c685505", "type": "github" }, "original": { 
@@ -224,42 +126,14 @@ "type": "github" } }, - "poetry2nix": { - "inputs": { - "flake-utils": [ - "sbruder-overlay", - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "sbruder-overlay", - "nixpkgs" - ], - "systems": "systems_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1714509427, - "narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "184960be60652ca7f865123e8394ece988afb566", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "root": { "inputs": { - "disko": "disko", "flake-utils": "flake-utils", "krops": "krops", "nix-pre-commit-hooks": "nix-pre-commit-hooks", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", + "nixpkgs-asterisk": "nixpkgs-asterisk", "nixpkgs-unstable": "nixpkgs-unstable", "sbruder-overlay": "sbruder-overlay", "sops-nix": "sops-nix" @@ -275,15 +149,14 @@ ], "nixpkgs": [ "nixpkgs" - ], - "poetry2nix": "poetry2nix" + ] }, "locked": { - "lastModified": 1719952130, - "narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=", + "lastModified": 1638388788, + "narHash": "sha256-4t+iDoZO9X8fM1cWfbCbsIagRN0PRkpGcJKaMLJE7yc=", "owner": "sbruder", "repo": "nixpkgs-overlay", - "rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844", + "rev": "72d323ca0410a08abc2d981b812c5cd0fd3338bf", "type": "github" }, "original": { 
@@ -296,71 +169,19 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" - }, - "locked": { - "lastModified": 1726524647, - "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "id": "systems", - "type": "indirect" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "sbruder-overlay", - "poetry2nix", - "nixpkgs" ] }, "locked": { - "lastModified": 1714058656, - "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", + "lastModified": 1638821683, + "narHash": "sha256-oyqALhGijy2ZQxFSACrcC+Z8MzYLiomKCr9FQXVZ47U=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "afe00100b16648c1d79e62926caacac561df93a5", "type": "github" }, "original": { - "owner": "numtide", - "repo": "treefmt-nix", + "owner": "Mic92", + "repo": "sops-nix", "type": "github" } } diff --git a/flake.nix b/flake.nix index a3f323d..a779145 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,17 +1,16 @@ { inputs = { - disko.inputs.nixpkgs.follows = "nixpkgs"; - disko.url = "github:nix-community/disko"; - flake-utils.url = "github:numtide/flake-utils"; nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; - nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; + nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged + nixpkgs-asterisk.url = "github:yayayayaka/nixpkgs/asterisk-secrets-handling"; nixos-hardware.url = "github:nixos/nixos-hardware/master"; @@ -40,7 +39,7 @@ let pkgs = import nixpkgs { inherit system; - overlays = [ self.overlays.default ]; + overlays = [ self.overlay ]; }; inherit (pkgs) lib; in @@ -56,7 +55,7 @@ }; }; - devShells.default = pkgs.mkShell { + devShell = pkgs.mkShell { name = "fablab-nixos-config"; buildInputs = (with pkgs; [ @@ -111,9 +110,14 @@ (flake-utils.lib.flattenTree { inherit (pkgs) fablab; + + nix-gscheits = lib.recurseIntoAttrs { + inherit (pkgs.nix-gscheits) + artwork; + }; }); }) // { - overlays.default = import ./pkgs; + overlay = import ./pkgs; nixosConfigurations = nixpkgs.lib.mapAttrs (hostname: { system @@ -146,7 +150,6 @@ }) ] ++ (with inputs; [ sops-nix.nixosModules.sops - disko.nixosModules.disko ]) ++ extraModules; }) (import ./machines inputs); diff --git a/keys/users/jalr.asc b/keys/users/jalr.asc index 329f049..3ff80bd 100644 --- a/keys/users/jalr.asc +++ b/keys/users/jalr.asc 
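Review bot: The new side pins `nixpkgs.url` to `nixos-21.11`, a release that no longer receives security updates, and the rest of the diff moves the same way (flake.lock timestamps from 2024 back to 2021, `system.stateVersion` from 24.05 to 21.05, sops `version` 3.7.3 to 3.7.1), so this reads as a reversed comparison or a wholesale rollback rather than a change to the current configuration — confirm which side is actually the head before merging. If the rollback is intended, `nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"` now ties the hooks to that end-of-life channel as well. The `nixpkgs-asterisk` input imports a NixOS module from a personal fork; it is pinned by rev and narHash in flake.lock, so the pin is the trust boundary, but that module replaces the upstream asterisk module system-wide (see `disabledModules` in `machines/raven/services/asterisk.nix`), so whoever bumps this input is effectively reviewing module code, and the TODO should say so.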
@@ -1,23 +1,52 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mDMEZbmOERYJKwYBBAHaRw8BAQdAarCLR2RvxBnRODJY8WM98gCRbsHzXFTYTIoR -ZlmbOQe0HEpha29iIExlY2huZXIgPGphbHJAamFsci5kZT6IjgQTFgoANhYhBDBE -5x497/SbWGz1gJv0/MuQhU2pBQJluY4RAhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIX -gAAKCRCb9PzLkIVNqbmFAQDG8xNgbZsZx6N2ssVC9k98IUvuKuMZQ6Gju86EsnNY -dgD/eSVRfAKCtIPSGtoLvE5zL80hk117R4f8rbMEvrmt9gm4MwRluY53FgkrBgEE -AdpHDwEBB0DRonRUQIQSfkqX7yHFHewbEYnc/spaPufL6EnSPVLvZ4j1BBgWCgAm -FiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jncCGwIFCQHhM4AAgQkQm/T8y5CF -Tal2IAQZFgoAHRYhBDp0/wfiMHs2RqSZ6EYNR7hAgU8/BQJluY53AAoJEEYNR7hA -gU8/HikBAPOziBknk+WcsKODsdViFedagVgtnjW8J6mJZRKNcD2fAP4/42g9wU2i -KHKHypLlGdmgOVOpSGNcubkcPFcOOHH7AZevAQDUU/UNpIHe7R3rYq4sFT2iYa9T -ZKpmOostoAzyYOViZwD/RA2suqGyrSe96JLnxwzy3LccYgV3VwEbHDWeUTvOCAy4 -OARluY6pEgorBgEEAZdVAQUBAQdAAXZvPoXdFpBhYS8KgCeXweUMlSwsCnXmgiDh -neSFMwsDAQgHiH4EGBYKACYWIQQwROcePe/0m1hs9YCb9PzLkIVNqQUCZbmOqQIb -DAUJAeEzgAAKCRCb9PzLkIVNqbmEAQDSBggKtjGkLuYtIHBBCfBF4Dx7odOapasa -tYqZTU7twwD/VhDvRGPbTl7X7DYQ36bmyjTe6cZAj3/M0ueQhlTrJAW4MwRluY7E -FgkrBgEEAdpHDwEBB0B95fmIsa7I4c3ttAko71CuEI/wTam0zYrYJNtL7sz3o4h+ -BBgWCgAmFiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jsQCGyAFCQHhM4AACgkQ -m/T8y5CFTamxRwD6A9TAs2Ac2VUQDCGgIEgUeULB2fZ1i0s0zydXctKJf7wBAL64 -utFE0ryrkFHMGY4xHMwZfvWosYH/qfLlKadnb3cK -=WgEZ +mQINBFalRtcBEADXqtNueywhXtjCy7WXAIzoxfmeCWe0+YzK79dHMz7TIqGQU1X4 +nYi9YJRAgIKvD/gY1i+hUoWrbc3s1YHKIbZsOqhHHuXSPgcpCG/xYWMroc6nsGT3 +iu2pbcxDAWRp0ib67SyCGwEQj/LLUpE0DkptZvUHOBgUGi8pohhbJJ1mAN0E7GJ3 +SjAeLKx59a4Q+S8HEKDJCmP6gCzixxIfS07ncG6TU4ppN8jaN/gEF40IIcTbds4C +L+ieCdz9ZVtlDvGKtNiSlT7XHnbjPMuQBlbPZaiVuylQIkJlyLEjZduhLNueag2V +NgcAfqt6HQCNnZ8B7K781rhb/rHtdk98lvOimOWUbNCXREEOHpoVIxZYYTnkVvLo +YokUncWTMym+6Pelfc7RvtfrK1EjjbblTDn/+Wo5YlBYfI02Vr6RUg1CF4s/FwCc +ogDtiG1eYAEpnHe9aV5lQrvJcgvmXF6cbIUnbaslApo0LH1uCYliInxuxKdOaxTT +qRHgug25/SA5XEH3Sc/WFPCun4LFwEElxcrrE4OeWYiixBYU06GMem7GLa+VAf0E +DxrzkGt16QODFyyJcWGQAp1SPxbBJ+E/QAe7KDK9vVocj31Ug4KA7LoqaLS6dW0e 
+5VJRqtej/bOzI6zJYJYPGV4XejPPTMpg0se6EvMYw775M+qAajAbFnHRHQARAQAB +tBxKYWtvYiBMZWNobmVyIDxtYWlsQGphbHIuZGU+iQJWBBMBCABAAhsjBwsJCAcD +AgEGFQgCCQoLBBYCAwECHgECF4AWIQR8IHUJViwgjE7BZ26HqOVmLfACdAUCYA2o +ywUJC0mVdAAKCRCHqOVmLfACdEJ+D/9iP3odbY9eNiiFw44BVKj/Y728V7p60/q2 +tCKtLSiF6DfPJ8z2zud6OcTUfn8NuD0bqs2peALhRi/MHRkJq7QuGVN6PNN/9fUa +o9gpjGrwOHISnNkwCmEPJWJ60ZAh9XGJCY466IBAcvYurkq/qDx1BSyEi+makymf +DP2UlyhmsspdOFAoN8+ggIRCWNr6mR1TAZO5O6ce7Wos3nxTlGD1MyPAirbKlAYv +e8zqOHkhijdcKYzSIm/E/9y85aSvwDySOS69JpWEMsmGkXxq/VSv9CNzYEy/+ebR +49aoIZgOr10uY4LLN5c0L+tLvVeSS1976dtwXwRECIplysCm0hZU9Wj9JmfOBACf +Y2kIvMcTL+gREX5CKsvpPk1RChNrpELaOk/EY0hAhH4Nx2WSd6b6Kw/MagApVwNi +zfMqOZsZmSd+RPHqn7hJWaI4hpN0HfjRFpVifjKQtR/Q25c1CzIllSkwGBXQ7AEM +LpHoP1fEzk2Au0v+6q32bY8JCoLwChhcPxDZFzKepHOzgf+8QKq+ZB7KPxjWWAET +lzmzgGhKmaQOnZZsBNYYj78opGXOMxkEThaHCBgKPDTBU6XPNgd/8LYUbai/JpA5 +wDOe6i5Z3c5TNXXOIMBpviUQ3BB1z4kd1YSV8DLPHwhY4q2d1oOGToKUZy39NvaZ +Ds/rHILCQrkCDQRWpUbXARAAwxN80JhEojDcNiDRZOHVM7C4hQSdAOUI3upJpFVi +0aJVRU5+w6yebh/2bMVUgL/UBFiEaKxgBtcy6snBsY5YzSZq6QneVhN0HLFyPAKX +j2zrw2MQAaVtJ+ufihdqpxgWELVfY1ycP5rX6pHXAbQA6kw0lg3FNsUi7q/qIPoO +8q8H656alz5fqvJcu1dBEbEQ+oWXUrROVcBkVjElX3Od2uKm2ZBQajcO5EEYj2Va +QtsBTdzehGnrsssEtr7yZz4d85a3uWU3pJ900Ugn22MCBHS9EOk2IuEArgPFE7eV +1S78D+QS7qjU71sJHsHoBeUg5uZoR0hNNnMWqokgYhHA9+A+Qt6KEBPLSb5Bp9Y0 +o5wqRBqjxaLPSGG1NryKkAKc3cvHiCwFW6DxsJzVML1aTH60R879256YCUmVMIUF +pCGjUf3ZkZsFCMKuUDLsBE7Kn2CMVW7yNn1wLOfOhkRfGCtHQNLhIiwTTWD84iDQ +DHQ5v5r2TfosbovSy+HGV0Bi0z3W5tk8x+aV3I67vk5BbSmp9bdC7MkfSuxOYdKA +c3zexmuledVMyjVZvL2DwaJaXYD3YY+ZIUc6N/0Ox/65DllH347022luWUnXjkip +vtM55ENKeGmk3z0368L4atubo2qV1l00UKs+2bdbz65uHDMgGebVBtNsExiO8pzd +1asAEQEAAYkCPAQYAQgAJgIbDBYhBHwgdQlWLCCMTsFnboeo5WYt8AJ0BQJgDai6 +BQkLSZVjAAoJEIeo5WYt8AJ0BxIP/A70jXPM6QKtWGs7xi8n916aVK43ODgCVmDq +vyduV5ywO8x8xljjVuAQm57Ei1thAGCmKzxn4rWmm81cVXBq/ZLRamrDSnP4rctZ +qZfRdsUiLJUimOTxqOn0cDqrJs8trBIIE40M20LX3TlEWueDAhpuO1gndupSb94k +U/PId1VZ1fyPz24tay/GgSfpBa7ZuXiSWr+QtQu2MlX9WXBo7gDo+BDUsZqyy4/w 
+Gqm1i7NVElW1lJK+KOGCAHC7JcBIjGsfxS3+MjxI0HQ2MeQyDYiwhF0xHDTCLBgv +nXAkFoCe2xB8q/+RZV1hfYGMDPILwFox6OZkpSRW/+a/j1fw+Hi4MidSoe7Xkxbr +zZVTBiFFIUbg46PCxrBdNDtba26vcS4iUZVefqcGa2ZuHQrDYRdYyeqPCZ5z9PLp +tVPYebApFnFSkd8pvcKkx6KPrItWBX5DFsGGTo6QzTg0s/w5WvqNWWHJ3NRFh1V/ +rz/E67uLfJGt3qOVyOkIKKOTzF473Wku9uTMz/BCaBRJ80VhGDYG7Vi5uvQwTte8 +CLhjpjF94XWhijOAIXXavCe+XhmX4QXBIjeDy4UtULi5uod2qCgT8hJRcRdC7T21 +x9o0CU3J3E0QdaVwulZJWEgT4JUTjBJwVRU6jwQNbq0l4FnRrcYULBcidCCAXXzR +GUBE0eMh +=PbMY -----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/default.nix b/machines/default.nix index 6fd7ae9..6007a2f 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -4,11 +4,13 @@ let in { raven = { - targetHost = "raven.fablab-nea.de"; + targetHost = "192.168.94.1"; system = "x86_64-linux"; extraModules = [ hardware.common-cpu-intel hardware.common-pc-ssd + # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged + "${inputs.nixpkgs-asterisk}/nixos/modules/services/networking/asterisk.nix" ]; }; party = { diff --git a/machines/party/configuration.nix b/machines/party/configuration.nix index d28760c..9d3e0e6 100644 --- a/machines/party/configuration.nix +++ b/machines/party/configuration.nix @@ -6,27 +6,19 @@ ./services ]; - nixpkgs.config = { allowAliases = false; }; - console.keyMap = "de"; services.xserver.layout = "de"; services.xserver.enable = true; services.xserver.desktopManager.gnome.enable = true; - services.xserver.displayManager.gdm = { - enable = true; - autoSuspend = false; - }; + services.xserver.displayManager.gdm.enable = true; security.sudo.wheelNeedsPassword = false; users.users.party = { isNormalUser = true; password = "foobar"; - extraGroups = [ - "wheel" - "audio" - ]; + extraGroups = [ "wheel" ]; }; environment.systemPackages = with pkgs; [ diff --git a/machines/party/hardware-configuration.nix b/machines/party/hardware-configuration.nix index a07aa08..9c1f3eb 100644 --- a/machines/party/hardware-configuration.nix 
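Review bot: The replacement key block should be verified against the new `&jalr` fingerprint `7C207509562C208C4EC1676E87A8E5662DF00274` in `.sops.yaml` and the matching `fp:` entry in `machines/raven/secrets.yaml` with `gpg --show-keys --with-fingerprint keys/users/jalr.asc` rather than by eye; the issuer-fingerprint subpacket embedded in the block appears consistent with it, but that is not a substitute for the check. Reading the packet headers, the new block looks like an RSA key created in 2016 while the block it replaces looks like an Ed25519 key from 2024, so this is a move back to an older key rather than a forward rotation, and its self-signature appears to carry a key-expiration subpacket that would land in early 2022 — confirm the key has not expired, since gpg normally refuses to encrypt to an expired recipient and `sops updatekeys` would then fail.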
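Review bot: `targetHost` now points at the RFC1918 address `192.168.94.1` instead of the DNS name, so deploys only work from inside the lab network and SSH host-key verification is keyed on the IP rather than the name — the deploying machines need a known_hosts entry for that address, otherwise the first deploy may fall back to a trust-on-first-use prompt. The added `extraModules` entry imports a NixOS module straight out of the `nixpkgs-asterisk` fork; it is pinned by rev and narHash in flake.lock, which is what makes this acceptable, but bumping that pin means reviewing third-party module code. The matching `disabledModules = [ "services/networking/asterisk.nix" ];` in `machines/raven/services/asterisk.nix` is the other half of this workaround, so when the referenced upstream PR lands both places need to be removed together; a comment pointing from one to the other would help.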
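Review bot: The new `extraGroups = [ "wheel" ]` keeps the `party` account in wheel while the surrounding context sets `security.sudo.wheelNeedsPassword = false` and `password = "foobar"`, so that literal password — which ends up world-readable in the Nix store — is effectively root on this machine. If the account really needs sudo, move the credential out of the store with `users.users.party.passwordFile` pointing at a sops-managed secret (this repository already uses sops-nix), or drop `wheel` and keep the account unprivileged; at minimum replace `password` with `hashedPassword` so the store does not carry the cleartext. The enclosing `users.users.party` attribute set is fully inside the hunk.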
+++ b/machines/party/hardware-configuration.nix @@ -27,38 +27,12 @@ fileSystems = { "/" = { - device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700"; + device = "/dev/sda3"; fsType = "btrfs"; - options = [ - "subvol=root" - "discard=async" - "compress=zstd" - ]; + options = [ "discard=async" "noatime" "compress=zstd" ]; }; - - "/home" = { - device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700"; - fsType = "btrfs"; - options = [ - "subvol=home" - "discard=async" - "compress=zstd" - ]; - }; - - "/nix" = { - device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700"; - fsType = "btrfs"; - options = [ - "subvol=nix" - "discard=async" - "compress=zstd" - "noatime" - ]; - }; - "/boot" = { - device = "/dev/disk/by-uuid/3e24b5cf-e59f-41b1-9eef-107f808b9242"; + device = "/dev/sda2"; fsType = "ext2"; }; }; diff --git a/machines/party/services/colorchord.nix b/machines/party/services/colorchord.nix index 95c87fa..1c35254 100644 --- a/machines/party/services/colorchord.nix +++ b/machines/party/services/colorchord.nix 
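Review bot: The root and `/boot` mounts now use kernel device names (`/dev/sda3`, `/dev/sda2`) instead of `/dev/disk/by-uuid/...`; those names are assigned in probe order and can shift when a USB disk or a second controller appears, which turns into an unbootable system or the wrong partition being mounted. Use the filesystem UUIDs, e.g. `device = "/dev/disk/by-uuid/<root-fs-uuid>";` and `device = "/dev/disk/by-uuid/<boot-fs-uuid>";` (placeholders — take the values from `blkid` on the machine), or `/dev/disk/by-partuuid/...` if the filesystems may be recreated. The `fileSystems` attribute set is fully contained in the hunk.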
@@ -1,28 +1,28 @@ { inputs, lib, pkgs, ... }: let - ledDevices = { + devices = { + traverse = { + leds = 116; + host = "wled-Traverse"; + }; + nhecke = { + leds = 75; + host = "wled-Nhecke"; + }; + printerbench = { + leds = 80; + host = "wled-Printerbench"; + }; + resedaraum = { + leds = 285; + host = "wled-Resedaraum"; + loop = true; + }; kanister = { leds = 43; host = "wled-Kanister"; }; - bar = { - leds = 300; - host = "wled-Bar"; - }; }; - soundDevices = { - sink = "alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor"; - source = "alsa_input.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo"; - }; - - devicesProduct = lib.fold - (soundDevice: acc: acc // lib.mapAttrs' - (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // { - source = soundDevice.id; - })) - ledDevices) - { } - (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices)); in { environment.systemPackages = with pkgs; [ @@ -41,7 +41,7 @@ in # Audio input amplify = 10 samplerate = 48000 - devrecord = ${config.source} + devrecord = alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor # Visualiser cpu_autolimit = 1 
@@ -63,27 +63,25 @@ in skipfirst = 0 ''; }) - devicesProduct; + devices; - systemd.user.services = builtins.listToAttrs (map - (soundDevice: lib.nameValuePair - "colorchord-${soundDevice}@" - { - partOf = [ "colorchord-${soundDevice}.target" ]; - serviceConfig = { - ExecStart = '' - ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf - ''; - Restart = "always"; - }; - }) - (lib.attrNames soundDevices)); + systemd.user.services."colorchord@" = { + partOf = [ "colorchord.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i.conf + ''; + Restart = "always"; + }; + }; - systemd.user.targets = builtins.listToAttrs (map - (soundDevice: lib.nameValuePair - "colorchord-${soundDevice}" - { - wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices); - }) - (lib.attrNames soundDevices)); + systemd.user.targets."colorchord" = { + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + wants = map (name: "colorchord@${name}.service") (lib.attrNames devices); + }; + + nixpkgs.overlays = with inputs; [ + sbruder-overlay.overlay + ]; } diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix index d16de7c..493ccd6 100644 --- a/machines/raven/configuration.nix +++ b/machines/raven/configuration.nix @@ -3,7 +3,6 @@ { imports = [ ./hardware-configuration.nix - ./disko.nix ./services ]; @@ -22,10 +21,6 @@ id = 5; interface = "eno1"; }; - pubevent = { - id = 6; - interface = "eno1"; - }; }; interfaces = { eno2.useDHCP = true; @@ -33,10 +28,6 @@ address = "192.168.94.1"; prefixLength = 24; }]; - pubevent.ipv4.addresses = [{ - address = "10.10.0.1"; - prefixLength = 20; - }]; voip.ipv4.addresses = [{ address = "192.168.93.1"; prefixLength = 24; @@ -47,7 +38,6 @@ externalInterface = "eno2"; internalInterfaces = [ "labprod" - "pubevent" "voip" ]; }; 
@@ -56,14 +46,7 @@ i18n.defaultLocale = "en_US.UTF-8"; console.keyMap = "de"; - security = { - sudo.wheelNeedsPassword = false; - - acme = { - acceptTerms = true; - defaults.email = "accounts+letsencrypt.org@fablab-nea.de"; - }; - }; + security.sudo.wheelNeedsPassword = false; users.users = { simon = { @@ -73,7 +56,7 @@ }; jalr = { isNormalUser = true; - extraGroups = [ "wheel" "docker" "audio" ]; + extraGroups = [ "wheel" "docker" ]; openssh.authorizedKeys.keys = config.fablab.pubkeys.users.jalr; }; }; @@ -91,5 +74,5 @@ "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ]; }; - system.stateVersion = "24.05"; + system.stateVersion = "21.05"; } diff --git a/machines/raven/disko.nix b/machines/raven/disko.nix deleted file mode 100644 index 84ad2ea..0000000 --- a/machines/raven/disko.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ - disko.devices = { - disk = { - nvme = { - type = "disk"; - device = "/dev/disk/by-id/ata-WD_Green_2.5_240GB_232497451701"; - content = { - type = "gpt"; - partitions = { - esp = { - type = "EF00"; - size = "1024M"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "raven-crypt"; - settings = { - allowDiscards = true; - }; - extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" "nodev" "nosuid" ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ]; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} 
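Review bot: `system.stateVersion` goes from `"24.05"` to `"21.05"` in the last hunk; this option records the release the host was first installed with and is meant never to change on a deployed machine, because stateful defaults (database data directories, on-disk formats) are keyed to it, so changing it on an existing raven can silently alter where services look for their state. If this diff is a reversed comparison (the nixpkgs pin and flake.lock timestamps in the other files move backwards too), nothing to do; if it is a real rollback, keep the value the host was installed with. In the `-73` hunk `jalr` remains in `docker`, which is root-equivalent on that host — fine if intended, but worth a comment since `wheelNeedsPassword = false` then adds nothing as a control.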
diff --git a/machines/raven/hardware-configuration.nix b/machines/raven/hardware-configuration.nix index 27292cd..c0fdfc5 100644 --- a/machines/raven/hardware-configuration.nix +++ b/machines/raven/hardware-configuration.nix @@ -20,13 +20,31 @@ "cryptd" ]; kernelModules = [ "dm-snapshot" ]; + + luks.devices.root = { + name = "root"; + device = "/dev/disk/by-uuid/ee78659c-52a5-4e81-8028-b43de08b6a55"; + preLVM = true; + allowDiscards = true; + }; }; loader = { systemd-boot.enable = true; - systemd-boot.configurationLimit = 20; efi.efiSysMountPoint = "/boot"; efi.canTouchEfiVariables = true; }; }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/80209d1b-27c6-423d-93e8-cd39e1893873"; + fsType = "btrfs"; + options = [ "discard=async" "noatime" "compress=zstd" ]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/20A0-5FD8"; + fsType = "vfat"; + }; + }; } diff --git a/machines/raven/luks-passfile.gpg b/machines/raven/luks-passfile.gpg deleted file mode 100644 index 3b3390b..0000000 Binary files a/machines/raven/luks-passfile.gpg and /dev/null differ diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml index 872e6ea..94be3ae 100644 --- a/machines/raven/secrets.yaml +++ b/machines/raven/secrets.yaml 
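Review bot: The new `"/boot"` entry mounts the ESP as `vfat` with no `options`, so the kernel, initrd and systemd-boot entries are world-readable under the vfat default mode; the `luks.devices.root` block added above keeps the root filesystem encrypted, but the initrd on `/boot` sits outside that boundary. Restrict it with `options = [ "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];` inside the `"/boot"` block. `allowDiscards = true` on the LUKS device is a deliberate trade of some on-disk confidentiality (the SSD sees the free-space pattern) for TRIM; a one-line comment saying so would stop the next reader from "fixing" it either way. Both the `boot` and `fileSystems` sets are fully inside the hunk.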
@@ -1,57 +1,75 @@ -dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str] -asterisk-pjsip: ENC[AES256_GCM,data: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,iv:xh7XXUyLD68UDBBG5aKI/HWxjMZ0Tr4sLkIeQ8vQIso=,tag:FyLg1FhxUGjcNGD2sq4Oeg==,type:str] +dyndns-password: ENC[AES256_GCM,data:FXAuhhVqs1cD8r1SKaY2pbAdzDU=,iv:t1wj201txdfPXRVBrX8bZbemEDNY9JoCQzKnw/VhW1I=,tag:E1XgN73DME1qKZD7qzkxCg==,type:str] +asterisk-pjsip: ENC[AES256_GCM,data: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,iv:bheINdiaEvdk86IDeCN3Hm76zT9hH1fDqz6gEP/AZRw=,tag:lQYF2KssiqKJsLmEm9tYXw==,type:str] asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str] asterisk-voicemail: ENC[AES256_GCM,data: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,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str] -prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str] -unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] - age: - - recipient: age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBML0wrQWtGbjhEY1BpT0lU - OXZZTlF5SzlWSGc4dzgvYnJ1QUtRUDM4a0QwCmU2bEVRUEZFTEw3QW9MUm16QVFk - bmlwMmN5eldzRis4czJNTkpGUUkyd3cKLS0tIFZ3TWswMnBXOW5xOW8zbTNiUGtS - 
T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc - Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-04T10:58:16Z" - mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str] + age: [] + lastmodified: "2021-12-27T17:31:30Z" + mac: ENC[AES256_GCM,data:Nu8wP0+yCzSl0EOkf52DXmjefa/bd/LITY4LrcBETndMAYhiqNMTVzTTYJAnh0GKdTzx0YQmVA9oiotOm9JvkKMoXPZgcfe1L/E/mZxASAT0t+qojf9tSxjuXyTarLA7Nkvdw8rzbNs8ffh2Otp3s4nNzLcG4rHvyObksTFbiCE=,iv:xpMJqYx5VtJeQyIY0R8yJPmypWReTq3nOODxUY2PWfQ=,tag:4XQLec2KH1He5IyEvEHGEA==,type:str] pgp: - - created_at: "2024-09-24T19:30:34Z" - enc: |- + - created_at: "2021-12-18T19:52:00Z" + enc: | -----BEGIN PGP MESSAGE----- - hF4DY/xpNY5WhB0SAQdAyqAyhamC5ViSdA1B1b8fI2iaSIAfyVJEe2ZaDyFI82Uw - NPvBXNKx4u0KTnMG6tl63Tb2/6sC4uhkp3n/pM+cxKIMfTXodIenddK5siPs8MQI - 0l4BeIxec9DiNskvxTqnZ7jtVd7hWy494cDrr7Yb9J0GZWQ5mP2ZtqgcDkbzZnqb - E8glyIInDNAKedtpbE0waUWPwbA3XAgsQX6xijwe5q0j4Rqqc4rlvJuk9Xd7G+M9 - =77Op + hQIMAxozgf2eefjfAQ//XAQCrrtb5PfXdAIVG5MKQnDgRCAlm83wRQGWxltTRl5A + 4bnM6eSUbR80GsX2kwJJ3hxzQus5ZQxf9SnuzhC3X4jzzEi2GwZr8PruaSWTYM8E + KkXgt8UWjNEYLaxLU31RimDi1L8ONmspZ+P3JX40JhwibOPXbeJYJL+pAsouRAFU + HAVqbSWYLoXbJqK9Y+UJ3Ra0r34wCct9Jl288idQ3UXBaZ8kT40sglRzLQHnfQTl + /erNeh8R2Gp89QX9Vw6kPT06seCr8UeHgqn6XfH308Dr20xi8G9qTGqt3baqPOBx + sa5VlUtNX+O7//FouoZkUiuF9TqJcCItvyY6FsYYBtbZvlJS8SWsgkuYGB8BrLuk + CZeq6uZj1FSaOO4aU/hQq5oI9fDGXk+CBFihe1KVfvOM+7EiVSGehUJvp51Vddue + Rd9MSDyD8ntg0ic/BGOaVuDV6G7bmGnzW4N8iw1dQcppCYMeXo2oK7sK4e5/F/dq + N1AVgkJeu/0HiUwS4k6OD3thf+zrdbb6HYbifgd0A6pweoGYGJsbFa9Qc4goE6Tu + 8qc3OtGiduH2wipQJDWpJSRy7HpkQ2y6Zw3ufnDke+5Vta7+LnsRLBSe0wxwX7aB + lodx6MXy2aM/LKd2BhFK+qAgKizB6sjKjWMLDgrbeqZDIsI60+umwr99FNVUwtvS + 
XgGyEJwZT7cYhULzE8WWuXO6y3aD/9RepRm3Rsh3LYMoZKOT2qavZsVJko1TyqHl + plph0h/+tYsmneIj43LgUJqZKn6Q1Wk6QH22Rt1GW6TkJZRNsTw+ViELcOQZFQA= + =/6dy -----END PGP MESSAGE----- - fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 - - created_at: "2024-09-24T19:30:34Z" - enc: |- + fp: 7C207509562C208C4EC1676E87A8E5662DF00274 + - created_at: "2021-12-18T19:52:00Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMAwDgSONkM+d4AQ//VH43OoHprfVhgtPmGjP3dHvWxLkAtyEi2QOYWjGLGbuw - l5TAY8RAp3c34E0qp52a2a+GSJUwdxVusK4MSWGzzg0x1VKPFr5Dz11SRnjqyWuQ - sM7zo9AP1cIUoIaP4G/jnwYicEH+3ADjFEpNazfNw56cpjWL/1yQSKK4uk4x/m7e - AWWcRQHJa7j/sPuR2R24CQjZq6WfxoDDe2v1J+NTxBoZh16CJ8LDUWOCAgRDvEDn - d1WczY5cu0n/IAl8baKrvAtBoahEeF97lBmZ7BtXiFT2c6jvwjY0erj+BA0N4Jfc - WnJaU1y+a0RKxvH3AOo7R09NmvFtfWcUrFD6k5jLGhvbkuMd4+akEhDv98GeW77m - qjimf2gOLt0mR536JQP0pZ41O5hXLGVhPDESRWKMkeJcJ97+7wN9WkUnfW+AA0+y - TSqQ+KEsJMIYK1HCWJeW8oc+G+gEY7iutIxY+dL7NV8EzUWREhy0/1WzEIb3AfgH - XfzQufzXnKG844GUV0WKHiff7/Wmuhcz6+yFNLqdG2u7LM91eBB3B00ubFmfcz4U - OO4SopFeGHUo7xjQMDI3SzwPocRBsL3Fz+f2o5zsOGUPS/UebLwgN4UvaW0BKbZ5 - zRiC0v5OKWRMxZVbhpmfvfYFEjkflVfYuiTul6ajnaXarO+S9Sp8r+RSkkJx7ZXS - XgHjN92PHYzz8O0ls8NxJiMFdG5ozfims6VN3sC98LjhRsaCb5oEwh8ZoB6WDb7y - 0FeEsVM12vBGVF2oU8SVSJNnsgf4aMCTAPi+vdimq4UBKMEyxBwWkp62r2xXmoA= - =/jcl + hQIMAwDgSONkM+d4AQ//YvYxPPGXMWoZKNp6V/a8YjRZ5GtsW6NULoxn1mSqjwGv + rnH2FJQaIhgNRDcGQuLyxkEhI6WVd2peCvh7FAzbonWq6piMFkkhUzO/vPzxFVzW + /glU5hHPOFhAXwMigtB9cAg84Vn39dcLSNIcawBEFYHHHkhWdxdyzVJsoMUfFh4c + W/rSqDBi2pwiwCHnqVo3G3RtmVK0GjTIc3QSuvwF5eboHh5/27biJ3KZasMQBbsW + 4JU1KaF8hQr/a6S1GitONyTBYoMxKJed3i5Cu48jKBex9hjVBe0Wwklb8Nz3u6o5 + fw9suLouDL7Lqoiy75UKGMpj7LFpj1jKCBPBrivKG2sMNSkF629pvbGaqkTr+7h+ + d4eUY/IJT7Qc8KiSx9ZCCqlWzBW55fLKyVtTSk970qPMeqsF5/n/jSS3zV1N5DRi + xsULNqkbvrscJVOC76hIjLW9KfoWNFamQ/cJXy1I4/5BByIbzBOCztYZcb7XNcVg + AU9Dyw4ANaY75SmY4K3ebnOx+vNjIHRcZeySc0gVXju4MiluAvBAVg5lv6o3liRx + EurFvcP0xSt8H6A2/Cg5jIU8+BAA7XvIV1y0S1OF9WNpjdv9BcDZSH/jeFzqleNF + 
meN1EIzgh5CMMprzveom49sd+EhVD1zfPswBZJbi/xCPhDeeLJu546YEtF7crq3S + XgFnqNAaGjllr2kz1/x4uuxfC02zfYZiIk6MGwI6ToK6hJQUHODNJOB63UNPA1wd + sD/qHS4T4/D7P9JG9mZbIiIoLw9gcDtBKhHtQE8RsKSQnV5/r7995gRJhR1RXeY= + =hprK -----END PGP MESSAGE----- fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + - created_at: "2021-12-18T19:52:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8j3Zc+K0fiSARAArsim5SqLDRv+UNz9DmUOZwk5x7/esF5C5SsNM7Ko2xHd + Wc4xO2h4zKnCbaogDTu9/z3VCQtTVSMhKM8UXjcMfZ/l8jS/ralKZwyVvP3daR+f + hkRtLNXGftwrHcrey3CsxZXwNTmfCGfV7wvN/FvL1l7n4K/HkHrwbMLSMNb1T11p + SH6Fkx/tfvi4EeUi3B3J8NHX4AposgULMThbd5asp5lxibC+L7o72/32vTyVTofe + Uo/hZvnOtU5O+vWWc+/NI6QtanYVQJaRhoNf28uKWi4Dbo91exSi2adjkDVApyaE + oToqaBBaV+i1mXb0zJi/VHpd+cbz0u6xkFyPfoBm8otm/X6pem7+nFF65XLIXQZ7 + HgETSEshU3zsf4mwyDx84bmTU1pF3c7O5n5lK+Ag4wuLYMQUwxdaH0mhXSBSfFO+ + BKjHhL66vJqCYrBmfNNnP2n2IkigRUJPm4aw6vYXOEcthb+NHJYY+Q+AElv7oosN + 79q1VfqPoPhs9sQA05CgPwF50dlh82qmN/U82vBwhDMQoAetFIJb6BWQtNMoFhCI + MUrcJf7VoAPFFiiaKAqudIcUnLjD7v+/wV1v33ApPPWUmYoQhm5oznAJsruncxwS + kAnymmp5cXmmWu1ImXI46QSxUuvTDiYrLqp3tBdUAKadvkUD0X+iljD/S4uIfzDS + UAF84HSK4O4qZVaL2DCKh2+rr8PxhzTYB/h7HRGpV78QIUSUresSMCfFpGjQUA2z + ebPq7pa7tQ6IiBigmApPAEYk4rfyVTqfk9fOqwg/Cq6j + =Jfbg + -----END PGP MESSAGE----- + fp: 10E468768E3BCD6459F9F11AC8F765CF8AD1F892 unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.7.1 diff --git a/machines/raven/services/asterisk.nix b/machines/raven/services/asterisk.nix index 075024a..910ea5f 100644 --- a/machines/raven/services/asterisk.nix +++ b/machines/raven/services/asterisk.nix @@ -1,6 +1,5 @@ { config, lib, ... }: let - cfg = config.services.asterisk; secretConfigFiles = [ "ari" "pjsip" @@ -12,6 +11,9 @@ let }; in { + # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged + disabledModules = [ "services/networking/asterisk.nix" ]; + services.asterisk = { enable = true; confFiles = { 
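Review bot: The `age:` recipient list is now empty and raven is instead the PGP recipient `10E468768E3BCD6459F9F11AC8F765CF8AD1F892`, so sops-nix on raven has to decrypt with that PGP key at activation time — `sops.gnupg` must point at a keyring holding its private key, because the usual age-from-SSH-host-key path (`sops.age.sshKeyPaths`) no longer has a recipient to match; confirm that host-side configuration, which this hunk cannot show. Every `ENC[...]` value carries a new `iv`, which is consistent with a full re-encryption under a fresh data key, but `lastmodified` and `version` move backwards (2023 → 2021, 3.7.3 → 3.7.1), so check this is really the intended side before deploying. `prometheus-htpasswd` and `unpoller-password` disappear with no replacement in the visible diff; if services elsewhere still reference those `sops.secrets` names, activation will fail when sops-nix cannot find them.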
@@ -22,6 +24,11 @@ in same = n,VoiceMail(7929876@fablab,su) same => n,Hangup() + [eventphone-in] + exten => _5257,1,Noop(Processing an incoming call) + same => n,Dial(PJSIP/101,60,tT) + same => n,Hangup() + exten => _3529,1,Noop(Processing an incoming call) same => n,Dial(PJSIP/100,60,tT) same => n,Hangup() @@ -40,10 +47,14 @@ in exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT) same = n,Hangup() - ; Kassen exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT) same = n,Hangup() + ; eventphone + exten => _XXXX,1,Noop(Processing an outgoing eventphone call) + same = n,Set(destination=''${EXTEN}) + same = n,Goto(eventphone-out,''${CALLERID(num)},1) + ; weinturm exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT) same = n,Hangup() @@ -53,6 +64,13 @@ in same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT) same => n,Hangup() + [eventphone-out] + exten => 100,1,Dial(PJSIP/''${destination}@eventphone_lab,30,tT) + same = n,Hangup() + + exten => 101,1,Dial(PJSIP/''${destination}@eventphone_jalr,30,tT) + same = n,Hangup() + [cisco] exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT) same = n,Hangup() @@ -66,11 +84,6 @@ in ; weinturm exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT) same = n,Hangup() - - ; Kleinturm - exten = _58X,1,Dial(PJSIP/''${EXTEN},30,tT) - same = n,Hangup() - ; /weinturm ''; "http.conf" = '' @@ -92,25 +105,10 @@ in rtpstart=${toString rtp.start} rtpend=${toString rtp.end} ''; - "dnsmgr.conf" = '' - [general] - enable=yes - refreshinterval=60 - ''; - "prometheus.conf" = '' - [general] - enabled = yes - ''; }; useTheseDefaultConfFiles = [ ]; }; - system.activationScripts.copyAsteriskFiles = lib.stringAfter [ "var" ] '' - rm -f /var/lib/asterisk/documentation/core-en_US.xml - mkdir -p /var/lib/asterisk/documentation - ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml - ''; - sops.secrets = (lib.listToAttrs (map (name: lib.nameValuePair "asterisk-${name}" { sopsFile = ../secrets.yaml; 
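Review bot: `exten => _5257,1,Noop(Processing an incoming call)` in the new `[eventphone-in]` context uses Asterisk pattern syntax (the leading underscore) without any wildcard character, so it matches only the literal 5257 while reading as if it were a pattern; the pre-existing `exten => _3529` line below it has the same shape. Writing `exten => 5257,1,Noop(Processing an incoming call)` states the intent and avoids a later edit turning it into a wider match by adding an `X`. The surrounding extensions.conf string starts and ends outside this hunk.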
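Review bot: The new `exten => _XXXX` rule ends with `same = n,Goto(eventphone-out,''${CALLERID(num)},1)` and has no further priority, while the `[eventphone-out]` context added in the following hunk only defines extensions 100 and 101; for any other caller ID the Goto finds no target, the channel falls through to a non-existent next priority and the call drops without a log line. Add `same = n,Noop(No eventphone route for caller ''${CALLERID(num)})` and `same = n,Hangup()` after the Goto so the failure is explicit. Separately, the removed `; Kassen` comment described the `_4XX` rule that is still present, so the label is lost for no functional reason; keep it.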
diff --git a/machines/raven/services/colorchord.nix b/machines/raven/services/colorchord.nix
deleted file mode 100644
index 7194834..0000000
--- a/machines/raven/services/colorchord.nix
+++ /dev/null
@@ -1,109 +0,0 @@ -{ inputs, lib, pkgs, ... }: -let - ledDevices = { - workbench-1 = { - leds = 87 * 2; - host = "wled-Workbench-1"; - }; - workbench-2 = { - leds = 87 * 2; - host = "wled-Workbench-2"; - }; - elektrodecke = { - leds = 87 * 2; - host = "wled-Elektrodecke"; - }; - traverse = { - leds = 235; - host = "wled-Traverse"; - }; - nhecke = { - leds = 75; - host = "wled-Nhecke"; - }; - printerbench = { - leds = 80; - host = "wled-Printerbench"; - }; - resedaraum = { - leds = 285; - host = "wled-Resedaraum"; - loop = true; - }; - }; - soundDevices = { - sink = "alsa_output.usb-Burr-Brown_from_TI_USB_Audio_DAC-00.analog-stereo"; - }; - - devicesProduct = lib.fold - (soundDevice: acc: acc // lib.mapAttrs' - (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // { - source = soundDevice.id; - })) - ledDevices) - { } - (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices)); -in -{ - environment.systemPackages = with pkgs; [ - colorchord2 - ]; - - environment.etc = lib.mapAttrs' - (name: config: lib.nameValuePair - "colorchord/${name}.conf" - { - text = '' - # Basic - outdrivers = DisplayNetwork, OutputLinear - headless = 1 - - # Audio input - amplify = 10 - samplerate = 48000 - devrecord = ${config.source} - - # Visualiser - cpu_autolimit = 1 - satamp = 1 - - # LED config - leds = ${toString config.leds} - is_loop = ${if config ? 
loop && config.loop then "1" else "0"} - light_siding = 1.5 - led_floor = 0.1 - steady_bright = 1 - fliprg = 0 - - # WLED - wled_realtime = 1 - port = 19446 - address = ${config.host} - wled_timeout = 2 - skipfirst = 0 - ''; - }) - devicesProduct; - - systemd.user.services = builtins.listToAttrs (map - (soundDevice: lib.nameValuePair - "colorchord-${soundDevice}@" - { - partOf = [ "colorchord-${soundDevice}.target" ]; - serviceConfig = { - ExecStart = '' - ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf - ''; - Restart = "always"; - }; - }) - (lib.attrNames soundDevices)); - - systemd.user.targets = builtins.listToAttrs (map - (soundDevice: lib.nameValuePair - "colorchord-${soundDevice}" - { - wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices); - }) - (lib.attrNames soundDevices)); -} diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix index d0b18c3..420c68a 100644 --- a/machines/raven/services/default.nix +++ b/machines/raven/services/default.nix @@ -1,15 +1,9 @@ { imports = [ ./asterisk.nix - ./colorchord.nix ./dnsmasq.nix ./dyndns.nix - ./freeradius.nix - ./grafana.nix ./labsync - ./mailhog.nix - ./prometheus.nix ./unifi-controller.nix - ./wekan.nix ]; } diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix index 8960eb2..0eb666a 100644 --- a/machines/raven/services/dnsmasq.nix +++ b/machines/raven/services/dnsmasq.nix 
@@ -1,93 +1,37 @@ { pkgs, ... }: -let - stateDir = "/var/lib/dnsmasq"; - dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" '' - dhcp-leasefile=${stateDir}/dnsmasq-events.leases - bind-dynamic - listen-address=10.10.0.1 - except-interface=lo - - domain=events.fablab-nea.de - dhcp-range=10.10.0.20,10.10.15.254,24h - - cache-size=10000 - dns-forward-max=1000 - - no-hosts - ''; -in { services.dnsmasq = { enable = true; - settings = { - server = [ - "142.250.185.78" # dns.as250.net - "2001:470:20::2" # ordns.he.net - "74.82.42.42" # ordns.he.net - ]; - bind-dynamic = true; - listen-address = [ - "192.168.93.1" - "192.168.94.1" - ]; - interface = "lo"; - expand-hosts = true; - domain = "lab.fablab-nea.de"; - dhcp-range = [ - "set:voice,192.168.93.20,192.168.93.254,4h" - "set:lab,192.168.94.20,192.168.94.254,4h" - ]; - dhcp-host = [ - "00:30:42:1b:23:ed,192.168.93.21,rfp-01" - "00:30:42:1b:21:c1,192.168.93.22,rfp-02" - "00:30:42:1b:26:f6,192.168.93.23,rfp-03" - "00:30:42:1b:22:3b,192.168.93.24,rfp-04" - "00:30:42:1b:22:7c,192.168.93.25,rfp-05" - ]; - dhcp-option = [ - "vendor:OpenMobility,10,192.168.93.21" - "vendor:OpenMobility,224,OpenMobilitySIP-DECT" - ]; - dhcp-boot = "lpxelinux.0,raven,192.168.94.1"; - cache-size = 10000; - dns-forward-max = 1000; - auth-zone = "lab.fablab-nea.de,192.168.94.0/24"; - auth-server = "lab.fablab-nea.de,78.47.224.251"; - no-hosts = true; - addn-hosts = "${pkgs.writeText "hosts.dnsmasq" '' + + extraConfig = '' + bind-dynamic + + expand-hosts + domain=lab.fablab-nea.de + dhcp-range=192.168.93.20,192.168.93.254,5m + dhcp-range=192.168.94.20,192.168.94.254,5m + + dhcp-boot=lpxelinux.0,raven,192.168.94.1 + + cache-size=10000 + dns-forward-max=1000 + + auth-zone=lab.fablab-nea.de,192.168.94.0/24 + auth-server=lab.fablab-nea.de,78.47.224.251 + + no-hosts + addn-hosts=${pkgs.writeText "hosts.dnsmasq" '' 192.168.94.1 raven labsync unifi 192.168.94.2 switch - 192.168.94.3 schneiderscheune-weinturm-ap - 192.168.94.4 
schneiderscheune-weinturm-sta - 192.168.94.5 wechselbruecke-router - 192.168.94.6 wechselbruecke-ap - 192.168.94.7 helferbereich-sta - 192.168.94.8 helferbereich-switch - 192.168.94.9 kleinturmbuehne-router - ''}"; - }; - }; - - systemd.services."dnsmasq-events" = { - description = "dnsmasq daemon for public event network"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.dnsmasq ]; - preStart = '' - mkdir -m 755 -p ${stateDir} - dnsmasq --test -C ${dnsmasqEventsConf} + ''} ''; - serviceConfig = { - Type = "dbus"; - BusName = "uk.org.thekelleys.dnsmasq-events"; - ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - PrivateTmp = true; - ProtectSystem = true; - ProtectHome = true; - Restart = "on-failure"; - }; + + servers = [ + "142.250.185.78" # dns.as250.net + "2001:470:20::2" # ordns.he.net + "74.82.42.42" # ordns.he.net + ]; }; networking.firewall = { diff --git a/machines/raven/services/dyndns.nix b/machines/raven/services/dyndns.nix index 47795c1..2c64bbe 100644 --- a/machines/raven/services/dyndns.nix +++ b/machines/raven/services/dyndns.nix @@ -6,11 +6,12 @@ services.ddclient = { enable = true; interval = "1min"; - server = "www.duckdns.org"; - protocol = "duckdns"; - username = "nouser"; + use = "web, web=checkip.dynu.com/, web-skip='IP Address'"; + server = "api.dynu.com"; + protocol = "dyndns2"; + username = "fablabnea"; passwordFile = config.sops.secrets.dyndns-password.path; - domains = [ "fablab-nea" ]; - use = "web, web=freedns.afraid.org/dynamic/check.php"; + domains = [ "fablab-nea.freeddns.org" ]; + ipv6 = false; }; } diff --git a/machines/raven/services/freeradius.nix b/machines/raven/services/freeradius.nix deleted file mode 100644 index 9fb95db..0000000 --- a/machines/raven/services/freeradius.nix +++ /dev/null 
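Review bot: The new `extraConfig` enables `bind-dynamic` but sets neither `interface=` nor `listen-address=`, so dnsmasq will answer DNS and DHCP on every interface of the host; the removed configuration limited it to 192.168.93.1 and 192.168.94.1, and `auth-server=lab.fablab-nea.de,78.47.224.251` indicates the machine also carries a public address. Restore the restriction inside `extraConfig`, e.g. `listen-address=192.168.93.1` and `listen-address=192.168.94.1`. Both `dhcp-range` lines now use a `5m` lease where the removed ranges used `4h`, which makes every client renew every two to three minutes; confirm that is intended. The `networking.firewall` block that decides which of these ports are reachable begins on the hunk's last line and is outside the view.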
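Review bot: `use = "web, web=checkip.dynu.com/, web-skip='IP Address'"` gives the IP-detection URL without a scheme, so ddclient presumably fetches it over plain HTTP; whatever answers that request decides which address gets published for `fablab-nea.freeddns.org` every minute, so it should be fetched over TLS if the ddclient version in use accepts `web=https://checkip.dynu.com/` (confirm). The update itself goes to `server = "api.dynu.com"` with the credential from `passwordFile`; check that TLS stays enabled for that request too (the NixOS module's `ssl` option) rather than relying on the default silently.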
@@ -1,17 +0,0 @@ -# service for unifi wifi -# provides anonymous access via WPA2 enterprise (PEAP) -{ pkgs, ... }: - -{ - services.freeradius = { - enable = true; - configDir = "${pkgs.fablab.freeradius-anon-access}/raddb"; - debug = true; - }; - users.users.radius.group = "radius"; - users.groups.radius = { }; - networking.firewall.allowedUDPPorts = [ - 1812 - 1813 - ]; -} diff --git a/machines/raven/services/grafana.nix b/machines/raven/services/grafana.nix deleted file mode 100644 index 29558c2..0000000 --- a/machines/raven/services/grafana.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - domain = "grafana.fablab-nea.de"; - srv = config.services.grafana.settings.server; -in -{ - services.grafana = { - enable = true; - settings.server.domain = domain; - }; - - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://${srv.http_addr}:${toString srv.http_port}"; - recommendedProxySettings = true; - }; - extraConfig = '' - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options "nosniff"; - ''; - }; -} diff --git a/machines/raven/services/labsync/default.nix b/machines/raven/services/labsync/default.nix index 8a9250a..471a62c 100644 --- a/machines/raven/services/labsync/default.nix +++ b/machines/raven/services/labsync/default.nix @@ -1,19 +1,9 @@ # legacy labsync, currently partly implemented in docker outside of this configuration { pkgs, ... }: -let - generator_port = 8695; -in { services.opentracker.enable = true; - services.nginx.virtualHosts."labsync.fablab-nea.de" = { - addSSL = true; - enableACME = true; - locations = { - "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; - }; - }; services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = { locations = { "/" = { 
@@ -22,7 +12,7 @@ in autoindex on; ''; }; - "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/"; + "/generator/".proxyPass = "http://127.0.0.1:8695/"; }; }; diff --git a/machines/raven/services/mailhog.nix b/machines/raven/services/mailhog.nix deleted file mode 100644 index 8ec4c7b..0000000 --- a/machines/raven/services/mailhog.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ config, ... }: -{ - services.mailhog.enable = true; -} diff --git a/machines/raven/services/prometheus.nix b/machines/raven/services/prometheus.nix deleted file mode 100644 index 5ec4a7a..0000000 --- a/machines/raven/services/prometheus.nix +++ /dev/null 
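Review bot: `"/generator/".proxyPass = "http://127.0.0.1:8695/";` hard-codes the port that the preceding hunk removed as the `generator_port` binding, so the number now has no name explaining what listens there. Either keep the `let` binding or add `# port of the labsync generator, which runs outside this configuration (see header comment)` above the line. The enclosing `services.nginx.virtualHosts."labsync.lab.fablab-nea.de"` attribute set starts before this hunk.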
@@ -1,144 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - domain = "prometheus.fablab-nea.de"; - cfg = config.services.prometheus; - mkStaticTargets = targets: lib.singleton { inherit targets; }; - mkStaticTarget = target: mkStaticTargets (lib.singleton target); -in -{ - services.prometheus.exporters.node.enable = true; - - services.prometheus = { - enable = true; - listenAddress = "127.0.0.1"; - webExternalUrl = "https://${domain}"; - globalConfig = { - scrape_interval = "15s"; - evaluation_interval = "15s"; - }; - extraFlags = [ - "--storage.tsdb.retention.time=90d" - "--web.enable-admin-api" - ]; - alertmanagers = [ - { - static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; - path_prefix = "/alertmanager/"; - } - ]; - alertmanager = { - enable = true; - listenAddress = "127.0.0.1"; - webExternalUrl = "https://${domain}/alertmanager"; - configuration = { - global.resolve_timeout = "2m"; - - route = { - receiver = "matrix"; - group_by = [ "alertname" ]; - group_wait = "3m"; - }; - - receivers = [ - { - name = "matrix"; - webhook_configs = lib.singleton { - url = "http://localhost/webhook"; - }; - } - ]; - }; - }; - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = mkStaticTargets [ - "localhost:${toString cfg.port}" - "kleinturmbuehne-router:9100" - ]; - } - { - job_name = "node"; - static_configs = mkStaticTargets [ - "127.0.0.1:9100" - ]; - } - { - job_name = "asterisk"; - metrics_path = "/"; - static_configs = mkStaticTargets [ - "127.0.0.1:8088" - ]; - } - { - job_name = "mikrotik"; - static_configs = mkStaticTargets [ - "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}" - ]; - } - { - job_name = "unifi"; - static_configs = mkStaticTargets [ - "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}" - ]; - } - ]; - rules = - let - mkAlert = { name, expr, for ? "1m", description ? 
null }: { - alert = name; - inherit expr for; - annotations = lib.optionalAttrs (description != null) { inherit description; }; - }; - in - [ - (lib.generators.toYAML { } { - groups = lib.singleton { - name = "alert.rules"; - rules = map mkAlert [ - { - name = "InstanceDown"; - expr = ''up == 0''; - description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for - more than 1 minutes."; - } - ]; - }; - }) - ]; - }; - - sops.secrets.prometheus-htpasswd = { - owner = "nginx"; - sopsFile = ../secrets.yaml; - }; - - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - - basicAuthFile = config.sops.secrets.prometheus-htpasswd.path; - - locations = { - "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}"; - - "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}"; - }; - }; - - services.prometheus.exporters.mikrotik = { - enable = true; - listenAddress = "127.0.0.1"; - configuration = { - devices = [ - ]; - features = { - bgp = true; - dhcp = true; - routes = true; - optics = true; - }; - }; - }; -} diff --git a/machines/raven/services/unifi-controller.nix b/machines/raven/services/unifi-controller.nix index 6befce2..7af0870 100644 --- a/machines/raven/services/unifi-controller.nix +++ b/machines/raven/services/unifi-controller.nix 
@@ -1,30 +1,9 @@ -{ config, pkgs, ... }: - -let - promCfg = config.services.prometheus; -in +{ pkgs, ... }: { services.unifi = { enable = true; - openFirewall = true; - unifiPackage = pkgs.unifi8; + openPorts = true; + unifiPackage = pkgs.unifi; }; networking.firewall.allowedTCPPorts = [ 8443 ]; - - sops.secrets.unpoller-password = { - #owner = promCfg.exporters.unpoller.user; - owner = config.services.prometheus.exporters.unpoller.user; - sopsFile = ../secrets.yaml; - }; - - services.prometheus.exporters.unpoller = { - enable = true; - controllers = [{ - user = "unpoller"; - pass = config.sops.secrets.unpoller-password.path; - verify_ssl = false; - hash_pii = true; - }]; - log.prometheusErrors = true; - }; } diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix deleted file mode 100644 index 3b9716d..0000000 --- a/machines/raven/services/wekan.nix +++ /dev/null 
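Review bot: `unifiPackage = pkgs.unifi;` replaces the pinned `pkgs.unifi8` with the unversioned alias, so a channel update can move the controller to a different major version, with its own data migration, without any change in this repository; keep an explicit version attribute (`unifiPackage = pkgs.unifi8;` if that attribute exists in the pinned nixpkgs). `openPorts = true;` together with the retained `networking.firewall.allowedTCPPorts = [ 8443 ];` opens the controller's admin UI on every interface the firewall covers; if only the lab network needs it, use `networking.firewall.interfaces.<lab-iface>.allowedTCPPorts = [ 8443 ];` (placeholder interface name).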
@@ -1,123 +0,0 @@ -{ config, lib, pkgs, ... }: -let - serviceName = "wekan"; - databaseName = "wekandb"; - networkName = "wekan-tier"; - port = 8001; - domain = "wekan.fablab-nea.de"; - url = "https://${domain}"; - - directories = { - db = "/var/lib/wekan/db"; - dbDump = "/var/lib/wekan/db-dump"; - data = "/var/lib/wekan/data"; - }; -in -{ - virtualisation.oci-containers = { - backend = "podman"; - containers = { - "${serviceName}" = { - autoStart = true; - image = "ghcr.io/wekan/wekan:latest"; - environment = { - WRITABLE_PATH = "/data"; - MONGO_URL = "mongodb://${databaseName}:27017/wekan"; - ROOT_URL = url; - #WITH_API = "true"; - RICHER_CARD_COMMENT_EDITOR = "false"; - CARD_OPENED_WEBHOOK_ENABLED = "false"; - BIGEVENTS_PATTERN = "NONE"; - BROWSER_POLICY_ENABLED = "true"; - }; - ports = [ - "127.0.0.1:${toString port}:8080" - ]; - dependsOn = [ databaseName ]; - volumes = [ - "/etc/localtime:/etc/localtime:ro" - "${directories.data}:/data:rw" - ]; - extraOptions = [ - "--network=${networkName}" - "--pull=newer" - ]; - }; - "${databaseName}" = { - autoStart = true; - image = "mongo:6"; - cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ]; - volumes = [ - "/etc/localtime:/etc/localtime:ro" - #"/etc/timezone:/etc/timezone:ro" - "${directories.db}:/data/db" - "${directories.dbDump}:/dump" - ]; - extraOptions = [ - "--network=${networkName}" - "--pull=newer" - ]; - }; - }; - }; - - # Create the netowrk - systemd.services.init-filerun-network-and-files = { - description = "Create the network bridge ${networkName} for WeKan."; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig.Type = "oneshot"; - script = - let podmancli = "${pkgs.podman}/bin/podman"; - in '' - if ! 
${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then - ${podmancli} network create "${networkName}" - else - echo "network already exists" - fi - ''; - }; - - systemd.services.wekan-restart = { - description = "Restart Wekan services."; - serviceConfig = { - Type = "oneshot"; - }; - script = '' - ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service" - ''; - }; - - systemd.timers.wekan-restart = { - description = "Restart wekan containers"; - after = [ "network.target" ]; - wantedBy = [ "timers.target" ]; - timerConfig = { - Persistent = true; - OnCalendar = "*-*-* 04:00:00"; - Unit = "wekan-restart.service"; - }; - }; - - system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] '' - mkdir -p "${directories.db}" - mkdir -p "${directories.dbDump}" - mkdir -p "${directories.data}" - chown 999:999 "${directories.data}" - ''; - - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - extraConfig = '' - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options "nosniff"; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; - }; - }; -} diff --git a/modules/base.nix b/modules/base.nix index 2755c93..b233273 100644 --- a/modules/base.nix +++ b/modules/base.nix @@ -1,3 +1,3 @@ { - boot.tmp.cleanOnBoot = true; + boot.cleanTmpDir = true; } diff --git a/modules/default.nix b/modules/default.nix index 244c94d..86ada52 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,7 +2,6 @@ imports = [ ./base.nix ./nix.nix - ./pipewire.nix ./pubkeys.nix ./sops.nix ./tools.nix diff --git a/modules/nix.nix b/modules/nix.nix index fc6d9da..98a1d68 100644 --- a/modules/nix.nix +++ b/modules/nix.nix 
@@ -21,6 +21,9 @@ let in { nix = { + # flake support + package = pkgs.nixUnstable; + extraOptions = '' experimental-features = nix-command flakes ''; @@ -34,13 +37,11 @@ in "nixpkgs-overlays=${overlaysCompat}" ]; - settings = { - # sudoers are trusted nix users - trusted-users = [ "@wheel" ]; + # sudoers are trusted nix users + trustedUsers = [ "@wheel" ]; - # On-the-fly optimisation of nix store - auto-optimise-store = true; - }; + # On-the-fly optimisation of nix store + autoOptimiseStore = true; # less noticeable nix builds daemonCPUSchedPolicy = "idle"; @@ -49,8 +50,8 @@ in }; nixpkgs.overlays = with inputs; [ - self.overlays.default - sbruder-overlay.overlays.default + self.overlay + (final: prev: { unstable = import nixpkgs-unstable { inherit (config.nixpkgs) diff --git a/modules/pipewire.nix b/modules/pipewire.nix deleted file mode 100644 index 9531e64..0000000 --- a/modules/pipewire.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: - -{ - sound.enable = true; - hardware.pulseaudio.enable = false; - - services.pipewire = { - enable = true; - pulse = { - enable = true; - }; - jack = { - enable = false; - }; - alsa = { - enable = true; - support32Bit = true; - }; - }; - - environment.systemPackages = with pkgs; [ - pulseaudio # pacmd and pactl - ]; -} diff --git a/modules/pubkeys.nix b/modules/pubkeys.nix index c515fe1..9a45a8a 100644 --- a/modules/pubkeys.nix +++ b/modules/pubkeys.nix @@ -3,11 +3,11 @@ { options.fablab.pubkeys = with lib.types; { users = lib.mkOption { - type = attrsOf (listOf str); + type = attrsOf (listOf string); description = "pubkeys for a specific user"; }; groups = lib.mkOption { - type = attrsOf (listOf str); + type = attrsOf (listOf string); description = "pubkeys for a group of users"; }; }; 
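Review bot: `package = pkgs.nixUnstable;` binds the Nix daemon to whatever the pinned nixpkgs currently labels unstable, so the daemon version moves with every channel update instead of being chosen deliberately; the comment `# flake support` gives the reason but not this consequence. Extend it to `# flake support: nixUnstable is a moving target, revisit once a stable Nix release covers flakes` or pin a concrete attribute. The `nix = { ... }` set continues past this hunk.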
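Review bot: `trustedUsers = [ "@wheel" ];` makes every sudoer a trusted user of the Nix daemon, and the comment `# sudoers are trusted nix users` restates the setting rather than its effect: trusted users may pass their own substituters and relax sandbox settings, which is effectively root through the daemon. Since wheel already has sudo this is presumably acceptable, but say so: `# sudoers are trusted nix users (root-equivalent via the daemon; fine because @wheel already has sudo)`.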
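Review bot: `type = attrsOf (listOf string);` uses `lib.types.string`, which merges several definitions of the same value by concatenating them, so two modules contributing the same key entry would be fused into one corrupt public-key line instead of raising a conflict; `string` is also deprecated in current nixpkgs for exactly that reason. `type = attrsOf (listOf str);` on both option declarations keeps the list-of-keys semantics and fails loudly on conflicting definitions.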
@@ -16,7 +16,7 @@ fablab.pubkeys = { users = { jalr = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479" + "ssh-rsa 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 jalr@jalr-tp" ]; simon = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii" diff --git a/modules/tools.nix b/modules/tools.nix index 982e167..5ec2282 100644 --- a/modules/tools.nix +++ b/modules/tools.nix @@ -23,6 +23,7 @@ compsize curl dnsutils + exa fd file git diff --git a/modules/unfree.nix b/modules/unfree.nix index 3394261..5024029 100644 --- a/modules/unfree.nix +++ b/modules/unfree.nix @@ -3,6 +3,5 @@ { nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [ "unifi-controller" - "mongodb" ]); } diff --git a/pkgs/artwork/artwork/.gitignore b/pkgs/artwork/artwork/.gitignore new file mode 100644 index 0000000..6291140 --- /dev/null +++ b/pkgs/artwork/artwork/.gitignore @@ -0,0 +1,3 @@ +/icon-*.png +/logo.png +/wallpaper.jpg diff --git a/pkgs/artwork/artwork/Makefile b/pkgs/artwork/artwork/Makefile new file mode 100644 index 0000000..847e6fa --- /dev/null +++ b/pkgs/artwork/artwork/Makefile 
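Review bot: The `jalr` entry swaps an ssh-ed25519 key whose comment `cardno:25_750_479` marks it as held on a hardware token for an `ssh-rsa` key whose body is not shown in this view, so neither its size nor where it is stored can be checked here, and the token-backed key is dropped rather than kept alongside. If the new key lives as a file rather than on a token, record that next to the entry, e.g. `# file-based key; replaces the card-backed ed25519 key` (wording to confirm with the owner), and confirm the key size since the hardware binding is gone.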
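Review bot: `exa` is added to the package list installed by this module on every host; upstream exa is archived and no longer maintained, so it receives no fixes. If the pinned nixpkgs carries the maintained fork `eza`, prefer that; otherwise note the status inline as `exa # unmaintained upstream, replace with eza when available`. The package list starts and ends outside this hunk.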
@@ -0,0 +1,26 @@ +ICON_RESOLUTIONS = 16 32 48 64 128 256 512 1024 +ICONS = $(foreach resolution,$(ICON_RESOLUTIONS),icon-$(resolution).png ) + +default: wallpaper.jpg $(ICONS) + +logo.png: logo.scad + xvfb-run openscad -q -o $@ $< --camera=0,0,0,0,0,0,150 --projection=ortho --imgsize=4096,4096 + mogrify -transparent "#ffffe5" -filter Mitchell -resize 2048 logo.png + +icon-%.png: logo.png + convert -filter Mitchell -resize $(basename $(@:icon-%=%)) $< $@ + oxipng -q $@ + +wallpaper.jpg: wallpaper.svg logo.png + inkscape -o - --export-type=png wallpaper.svg | convert -quality 92 - $@ + jpegoptim -q -s $@ + +.PHONY: clean install +install: wallpaper.jpg $(ICONS) + install -Dm444 wallpaper.jpg $(PREFIX)/share/backgrounds/nix-gscheits.jpg + for resolution in $(ICON_RESOLUTIONS); do \ + install -Dm444 icon-$${resolution}.png $(PREFIX)/share/icons/hicolor/$${resolution}x$${resolution}/nix-gscheits.png; \ + done + +clean: + rm -f logo.png wallpaper.jpg $(ICONS) diff --git a/pkgs/artwork/artwork/lasercutter.jpg b/pkgs/artwork/artwork/lasercutter.jpg new file mode 100644 index 0000000..6701ab3 --- /dev/null +++ b/pkgs/artwork/artwork/lasercutter.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1f628ac0a690dd0992e2087deca3cdf52e47eb0ad0af68419c39d09dce505d90 +size 10696485 diff --git a/pkgs/artwork/artwork/logo.scad b/pkgs/artwork/artwork/logo.scad new file mode 100644 index 0000000..ce5285d --- /dev/null +++ b/pkgs/artwork/artwork/logo.scad 
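Review bot: The `logo.png` rule writes the target with openscad and then runs `mogrify ... logo.png` in place, so if mogrify fails after openscad succeeded, an unprocessed `logo.png` remains with a fresh timestamp and the next `make` treats it, and every icon derived from it, as up to date; render to an intermediate name and produce `$@` last, e.g. `xvfb-run openscad -q -o $@.tmp.png $< ...`, `mogrify -transparent "#ffffe5" -filter Mitchell -resize 2048 $@.tmp.png`, `mv $@.tmp.png $@`. `default` is missing from `.PHONY: clean install`, so a file named `default` would satisfy the target. `install` relies on `$(PREFIX)` being set and with it unset writes under `/share/...`; a `PREFIX ?= /usr/local` default or a guard would make that explicit.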
@@ -0,0 +1,61 @@ +// constants +$fn=64; + +LABCUBE_COLOURS = [ "#c93841", "#4164b0", "#14a95d" ]; +NIX_FLAKE_COLOURS = [ "#5277c3", "#7ebae4" ]; + +// lib +module axonometric2rectangular(angle) { + scale([tan(angle), 1, 1]) rotate(45) children(); +} + +module shear2d(x, y) { + multmatrix(m = [[ 1, tan(x)], + [tan(y), 1]]) scale([cos(y), cos(x)]) children(); +} + +// nix flake +module axonometric_lambda() { + polygon([ + [0, 0], + [-8, 0], + [-8, -9], + [-21, -9], + [-21, -13], + [-17, -17], + [-8, -17], + [-8, -26], + [0, -34] + ]); +} + +module lambda() { + axonometric2rectangular(30) axonometric_lambda(); +} + + +module nix_flake(gap = 0.5, hexagon_size = 10) { + for (angle = [0:60:360]) { + color(NIX_FLAKE_COLOURS[(angle%120)/60]) rotate(angle) translate([-hexagon_size, -gap, 0]) lambda(); + } +} + +// lab cube +module labcube_face(radius = .33, neck = .32) { + translate([-1/2, -1/2]) + difference() { + square(); + translate([1/2, 1/2]) circle(radius); + translate([(1-neck)/2, 0]) square(neck); + } +} + +module labcube(size = 10) { + for (i = [0:2]) { + color(LABCUBE_COLOURS[i]) rotate(i*120) shear2d(-30, 0) translate([size/2, size/2]) mirror([0, 1, 0]) scale(size) labcube_face(); + } +} + +// composition +nix_flake(gap = 0.5); +labcube(size = 10-0.5); diff --git a/pkgs/artwork/artwork/wallpaper.svg b/pkgs/artwork/artwork/wallpaper.svg new file mode 100644 index 0000000..86aa5a8 --- /dev/null +++ b/pkgs/artwork/artwork/wallpaper.svg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d3f6cfa1d24bb50c496c88c5599308f1b5903aaaaa9c7749cd58410eb57a312 +size 3137 diff --git a/pkgs/artwork/default.nix b/pkgs/artwork/default.nix new file mode 100644 index 0000000..ffccaad --- /dev/null +++ b/pkgs/artwork/default.nix 
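Review bot: `for (angle = [0:60:360])` in `nix_flake` runs seven iterations, and the 360 step rotates to the same place as 0 with the same colour (`(360%120)/60` is 0), so one lambda is drawn twice as overlapping geometry; `for (angle = [0:60:300])` gives exactly the six arms the colour index already assumes. A short comment on the module, `// six lambdas at 60 degree steps, colours alternate per arm`, would make the intended count visible.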
@@ -0,0 +1,32 @@ +{ lib, stdenv, imagemagick, inkscape, jpegoptim, mesa, openscad, oxipng, xvfb-run }: + +stdenv.mkDerivation { + name = "nix-gscheits-artwork"; + + src = ./artwork; + + nativeBuildInputs = [ + imagemagick + inkscape + jpegoptim + openscad + oxipng + xvfb-run + ]; + + preBuild = '' + export LIBGL_DRIVERS_PATH=${mesa.drivers}/lib/dri + export LD_LIBRARY_PATH=${mesa.drivers}/lib + ''; + + enableParallelBuilding = true; + + makeFlags = [ "PREFIX=$(out)" ]; + + meta = with lib; { + description = "Artwork for nix-gscheits"; + license = licenses.cc-by-sa-40; + maintainers = with maintainers; [ sbruder ]; + platforms = platforms.unix; + }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index f9ac13a..400c16b 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -4,4 +4,8 @@ let in { fablab = recurseIntoAttrs (callPackage ./fablab { }); + + nix-gscheits = prev.recurseIntoAttrs { + artwork = callPackage ./artwork { }; + }; } diff --git a/pkgs/fablab/default.nix b/pkgs/fablab/default.nix index 9d10179..d32b0b0 100644 --- a/pkgs/fablab/default.nix +++ b/pkgs/fablab/default.nix @@ -1,6 +1,5 @@ { callPackage }: { - freeradius-anon-access = callPackage ./freeradius-anon-access { }; mitgliedsantrag = callPackage ./mitgliedsantrag { }; } diff --git a/pkgs/fablab/freeradius-anon-access/default.nix b/pkgs/fablab/freeradius-anon-access/default.nix deleted file mode 100644 index 7b56597..0000000 --- a/pkgs/fablab/freeradius-anon-access/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ lib, freeradius, stdenvNoCC, ... }: - -stdenvNoCC.mkDerivation { - name = "freeradius-anon-access"; - src = ./.; - dontBuild = true; - installPhase = '' - mkdir $out - cp -r raddb $out - sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf - ''; - nativeBuildInputs = [ - freeradius - ]; - meta = with lib; { - platforms = platforms.unix; - }; -} 
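Review bot: `export LD_LIBRARY_PATH=${mesa.drivers}/lib` in `preBuild` is exported for the whole build shell, so inkscape, imagemagick, jpegoptim and oxipng also resolve shared libraries through Mesa's directory ahead of their own, although presumably only the openscad render needs it. Scope the export to the openscad invocation in the Makefile, or document why it must be global: `# openscad renders through Mesa's software GL; LD_LIBRARY_PATH is build-wide because <reason to fill in>`. The derivation also uses `name` instead of `pname`/`version`, which hides the artwork version from `nix` tooling.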
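Review bot: `nix-gscheits = prev.recurseIntoAttrs { ... }` calls `recurseIntoAttrs` through `prev`, while the adjacent `fablab = recurseIntoAttrs (callPackage ./fablab { })` uses the bare name bound in the `let` above the hunk; both presumably resolve to the same function, so the two lines should use one form, e.g. `nix-gscheits = recurseIntoAttrs { artwork = callPackage ./artwork { }; };`. The `let` block that binds `recurseIntoAttrs` and `callPackage` is outside the hunk.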
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/README.rst b/pkgs/fablab/freeradius-anon-access/raddb/README.rst
deleted file mode 100644
index 118dcdf..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/README.rst
+++ /dev/null
@@ -1,665 +0,0 @@ -Upgrading to Version 3.0 -======================== - -.. contents:: Sections - :depth: 2 - -.. important:: - The configuration for 3.0 is *largely* compatible with the 2.x.x - configuration. However, it is NOT possible to simply use the 2.x.x - configuration as-is. Instead, you should re-create it. - -Security --------- - -A number of configuration items have moved into the "security" -subsection of radiusd.conf. If you use these, you should move them. -Otherwise, they can be ignored. - -The list of moved options is:: - - chroot - user - group - allow_core_dumps - reject_delay - status_server - -These entries should be moved from "radiusd.conf" to the "security" -subsection of that file. - -Naming ------- - -Many names used by configuration items were inconsistent in earlier -versions of the server. These names have been unified in version 3.0. - -If a file is being referenced or created the config item ``filename`` -is used. - -If a file is being created, the initial permissions are set by the -``permissions`` config item. - -If a directory hierarchy needs to be created, the permissions are set -by ``dir_permissions``. - -If an external host is referenced in the context of a module the -``server`` config item is used. - -Unless the config item is a well recognised portmanteau -(as ``filename`` is for example), it must be written as multiple -distinct words separated by underscores ``_``. - -The configuration items ``file``, ``script_file``, ``module``, -``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``, -``detailperm``, and ``hostname`` are deprecated. As well as any false -portmanteaus, and configuration items that used hyphens as word -delimiters. e.g. ``foo-bar`` has been changed to ``foo_bar``. Please -update your module configuration to use the new syntax. - -In most cases the server will tell you the replacement config item to -use. As always, run the server in debugging mode to see these -messages. 
- -Modules Directory ------------------ - -As of version 3.0, the ``modules/`` directory no longer exists. - -Instead, all "example" modules have been put into the -``mods-available/`` directory. Modules which can be loaded by the -server are placed in the ``mods-enabled/`` directory. All of the -modules in that directory will be loaded. This means that the -``instantiate`` section of radiusd.conf is less important. The only -reason to list a module in the ``instantiate`` section is to force -ordering when the modules are loaded. - -Modules can be enabled by creating a soft link. For module ``foo``, do:: - - $ cd raddb/mods-enabled - $ ln -s ../mods-available/foo - -To create "local" versions of the modules, we suggest copying the file -instead. This leaves the original file (with documentation) in the -``mods-available/`` directory. Local changes should go into the -``mods-enabled/`` directory. - -Module-specific configuration files are now in the ``mods-config/`` -directory. This change allows for better organization, and means that -there are fewer files in the main ``raddb`` directory. See -``mods-config/README.rst`` for more details. - -Changed Modules ---------------- - -The following modules have been changed. - - -rlm_sql -~~~~~~~ - -The SQL configuration has been moved from ``sql.conf`` to -``mods-available/sql``. The ``sqlippool.conf`` file has also been -moved to ``mods-available/sqlippool``. - -The SQL module configuration has been changed. The old connection -pool options are no longer accepted:: - - num_sql_socks - connect_failure_retry_delay - lifetime - max_queries - -Instead, a connection pool configuration is used. This configuration -contains all of the functionality of the previous configuration, but -in a more generic form. It also is used in multiple modules, meaning -that there are fewer different configuration items. 
The mapping -between the configuration items is:: - - num_sql_socks -> pool { max } - connect_failure_retry_delay -> pool { retry_delay } - lifetime -> pool { lifetime } - max_queries -> pool { uses } - -The pool configuration adds a number of new configuration options, -which allow the administrator to better control how FreeRADIUS uses -SQL connection pools. - -The following parameters have been changed:: - - trace -> removed - tracefile -> logfile - -The logfile is intended to log SQL queries performed. If you need to -debug the server, use debugging mode. If ``logfile`` is set, then -*all* SQL queries will go to ``logfile``. - -You can now use a NULL SQL database:: - - driver = rlm_sql_null - -This is an empty driver which will always return "success". It is -intended to be used to replace the ``sql_log`` module, and to work in -conjunction with the ``radsqlrelay`` program. Simply take your normal -configuration for raddb/mods-enabled/sql, and set:: - - driver = rlm_sql_null - ... - logfile = ${radacctdir}/sql.log - -All of the SQL queries will be logged to that file. The connection -pool does not need to be configured for the ``null`` SQL driver. It -can be left as-is, or deleted from the SQL configuration file. - -rlm_sql_sybase -~~~~~~~~~~~~~~ - -The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds`` -and the old ``rlm_sql_freetds`` module has been removed. - -``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds`` -used an older API and was incomplete. - -The new ``rlm_sql_freetds`` module now also supports database -selection on connection startup so ``use`` statements no longer -have to be included in queries. - -sql/dialup.conf -~~~~~~~~~~~~~~~ - -Queries for post-auth and accounting calls have been re-arranged. The -SQL module will now expand the 'reference' configuration item in the -appropriate sub-section, and resolve this to a configuration -item. This behaviour is similar to rlm_linelog. 
This dynamic -expansion allows for a dynamic mapping between accounting types and -SQL queries. Previously, the mapping was fixed. Any "new" accounting -type was ignored by the module. Now, support for any accounting type -can be added by just adding a new target, as below. - -Queries from v2.x.x may be manually copied to the new v3.0 -``dialup.conf`` file (``raddb/mods-config/sql/main//queries.conf``). -When doing this you may also need to update references to the -accounting tables, as their definitions will now be outside of -the subsection containing the query. - -The mapping from old "fixed" query to new "dynamic" query is as follows:: - - accounting_onoff_query -> accounting.type.accounting-on.query - accounting_update_query -> accounting.type.interim-update.query - accounting_update_query_alt +> accounting.type.interim-update.query - accounting_start_query -> accounting.type.start.query - accounting_start_query_alt +> accounting.type.start.query - accounting_stop_query -> accounting.type.stop.query - accounting_stop_query_alt +> accounting.type.stop.query - postauth_query -> post-auth.query - -Alternatively a 2.x.x config may be patched to work with the -3.0 module by adding the following:: - - accounting { - reference = "%{tolower:type.%{Acct-Status-Type}.query}" - type { - accounting-on { - query = "${....accounting_onoff_query}" - } - accounting-off { - query = "${....accounting_onoff_query}" - } - start { - query = "${....accounting_start_query}" - query = "${....accounting_start_query_alt}" - } - interim-update { - query = "${....accounting_update_query}" - query = "${....accounting_update_query_alt}" - } - stop { - query = "${....accounting_stop_query}" - query = "${....accounting_stop_query_alt}" - } - } - } - - post-auth { - query = "${..postauth_query}" - } - -In general, it is safer to migrate the configuration rather than -trying to "patch" it, to make it look like a v2 configuration. 
- -Note that the sub-sections holding the queries are labelled -``accounting-on``, and not ``accounting_on``. The reason is that the -names of these sections are taken directly from the -``Accounting-Request`` packet, and the ``Acct-Status-Type`` field. -The ``sql`` module looks at the value of that field, and then looks -for a section of that name, in order to find the query to use. - -That process means that the server can be extended to support any new -value of ``Acct-Status-Type``, simply by adding a named sub-section, -and a query. This behavior is preferable to that of v2, which had -hard-coded queries for certain ``Acct-Status-Type`` values, and was -ignored all other values. - -rlm_ldap -~~~~~~~~ - -The LDAP module configuration has been substantially changed. Please -read ``raddb/mods-available/ldap``. It now uses a connection pool, -just like the SQL module. - -Many of the configuration items remain the same, but they have been -moved into subsections. This change is largely cosmetic, but it makes -the configuration clearer. Instead of having a large set of random -configuration items, they are now organized into logical groups. - -You will need to read your old LDAP configuration, and migrate it -manually to the new configuration. Simply copying the old -configuration WILL NOT WORK. - -Users upgrading from 2.x.x who used to call the ldap module in -``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap`` -module from the ``post-auth`` section. - -rlm_ldap and LDAP-Group -~~~~~~~~~~~~~~~~~~~~~~~ - -In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done -by the last instance of rlm_ldap to be instantiated. In 3.0 this has -changed so that only the default ``ldap {}`` instance registers -``LDAP-Group``. - -If ``-LDAP-Group`` is already used throughout your configuration -no changes will be needed. 
- -rlm_ldap authentication -~~~~~~~~~~~~~~~~~~~~~~~ - -In 2.x.x the LDAP module had a ``set_auth_type`` configuration item, -which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it -often did not work, and was not consistent with the rest of the -server. We generally recommend that LDAP should be used as a -database, and that FreeRADIUS should do authentication. - -The only reason to use ``Auth-Type := ldap`` is when the LDAP server -will not supply the "known good" password to FreeRADIUS, *and* where -the Access-Request contains User-Password. This situation happens -only for Active Directory. If you think you need to force ``Auth-Type -:= ldap`` in other situations, you are very likely to be wrong. - -The following is an example of what should be inserted into the -``authorize {}`` and ``authenticate {}`` sections of the relevant -virtual-servers, to get functionality equivalent to v2.x:: - - authorize { - ... - ldap - if ((ok || updated) && User-Password) { - update control { - Auth-Type := ldap - } - } - ... - } - - authenticate { - ... - Auth-Type ldap { - ldap - } - ... - } - -rlm_eap -~~~~~~~ - -The EAP configuration has been moved from ``eap.conf`` to -``mods-available/eap``. A new ``pwd`` subsection has been added for -EAP-PWD. - -rlm_expiration & rlm_logintime -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``, -the same behaviour can be achieved checking the return code of the module and -adding the ``Reply-Message`` with unlang:: - - expiration - if (userlock) { - update reply { - Reply-Message := "Your account has expired" - } - } - -rlm_unix -~~~~~~~~ - -The ``unix`` module does not have an ``authenticate`` section. So you -cannot set ``Auth-Type := System``. The ``unix`` module has also been -deleted from the examples in ``sites-available/``. Listing it there -has been deprecated for many years. - -The PAP module can do crypt authentication. 
It should be used instead -of Unix authentication. - -The Unix module still can pull the passwords from ``/etc/passwd``, or -``/etc/shadow``. This is done by listing it in the ``authorize`` -section, as is done in the examples in ``sites-available/``. However, -some systems using NIS or NSS will not supply passwords to the -``unix`` module. For those systems, we recommend putting users and -passwords into a database, instead of relying on ``/etc/passwd``. - -rlm_preprocess -~~~~~~~~~~~~~~ - -In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations -without being configured explicitly. Since 3.x.x you need to set -``huntgroups`` and ``users`` configuration item(s) in module section in order -to get them being processed. - -New Modules ------------ - -rlm_date -~~~~~~~~ - -Instances of rlm_date register an xlat method which can translate -integer and date values to an arbitrarily formatted date time -string, or an arbitrarily formated time string to an integer, -depending on the attribute type passed. - -rlm_rest -~~~~~~~~ - -The ``rest`` module is used to translate RADIUS requests into -RESTfull HTTP requests. Currently supported body types are JSON -and POST. - -rlm_unpack -~~~~~~~~~~ - -The ``unpack`` module is used to turn data buried inside of binary -attributes. e.g. if we have ``Class = 0x00000001020304`` then:: - - Tmp-Integer-0 := "%{unpack:&Class 4 short}" - -will unpack octets 4 and 5 as a "short", which has value 0x0304. -All integers are assumed to be in network byte order. - -rlm_yubikey -~~~~~~~~~~~ - -The ``yubikey`` module can be used to forward yubikey OTP token -values to a Yubico validation server, or decrypt the token -using a PSK. - -Deleted Modules ---------------- - -The following modules have been deleted, and are no longer supported -in Version 3. If you are using one of these modules, your -configuration can probably be changed to not need it. Otherwise email -the freeradius-devel list, and ask about the module. 
- -rlm_acct_unique -~~~~~~~~~~~~~~~ - -This module has been replaced by the "acct_unique" policy. See -raddb/policy.d/accounting. - -The method for calculating the value of acct_unique has changed. -However, as this method was configurable, this change should not -matter. The only issue is in having a v2 and v3 server writing to the -same database at the same time. They will calculate different values -for Acct-Unique-Id. - -rlm_acctlog -~~~~~~~~~~~ - -You should use rlm_linelog instead. That module has a superset of the -acctlog functionality. - -rlm_attr_rewrite -~~~~~~~~~~~~~~~~ - -The attr_rewrite module looked for an attribute, and then re-wrote it, -or created a new attribute. All of that can be done in "unlang". - -A sample configuration in "unlang" is:: - - if (request:Calling-Station-Id) { - update request { - Calling-Station-Id := "...." - } - } - -We suggest updating all uses of attr_rewrite to use unlang instead. - -rlm_checkval -~~~~~~~~~~~~ - -The checkval module compared two attributes. All of that can be done in "unlang":: - - if (&request:Calling-Station-Id == &control:Calling-Station-Id) { - ok - } - -We suggest updating all uses of checkval to use unlang instead. - -rlm_dbm -~~~~~~~ - -No one seems to use it. There is no sample configuration for it. -There is no speed advantage to using it over the "files" module. -Modern systems are fast enough that 10K entries can be read from the -"users" file in about 10ms. If you need more users than that, use a -real database such as SQL. - -rlm_fastusers -~~~~~~~~~~~~~ - -No one seems to use it. It has been deprecated since Version 2.0.0. -The "files" module was rewritten so that the "fastusers" module was no -longer necessary. - -rlm_policy -~~~~~~~~~~ - -No one seems to use it. Almost all of its functionality is available -via "unlang". - -rlm_sim_files -~~~~~~~~~~~~~ - -The rlm_sim_files module has been deleted. It was never marked "stable", -and was never used in a production environment. 
There are better ways -to test EAP. - -If you want similar functionality, see rlm_passwd. It can read CSV -files, and create attributes from them. - -rlm_sql_log -~~~~~~~~~~~ - -This has been replaced with the "null" sql driver. See -raddb/mods-available/sql for an example configuration. - -The main SQL module has more functionality than rlm_sql_log, and -results in less code in the server. - -Other Functionality -------------------- - -The following is a list of new / changed functionality. - -RadSec -~~~~~~ - -RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP -is also supported, but is recommended only for secure networks. - -See ``sites-available/tls`` for complete details on using TLS. The server -can both receive incoming TLS connections, and also originate outgoing -TLS connections. - -The TLS configuration is taken from the old EAP-TLS configuration. It -is largely identical to the old EAP-TLS configuration, so it should be -simple to use and configure. It re-uses much of the EAP-TLS code, -so it is well-tested and reliable. - -Once RadSec is enabled, normal debugging mode will not work. This is -because the TLS code requires threading to work properly. Instead of doing:: - - $ radiusd -X - -you will need to do:: - - $ radiusd -fxx -l stdout - -That's the price to pay for using RadSec. This limitation may be -lifted in a future version of the server. - - -PAP and User-Password -~~~~~~~~~~~~~~~~~~~~~ - -From version 3.0 onwards the server no longer supports authenticating -against a cleartext password in the 'User-Password' attribute. Any -occurences of this (for instance, in the users file) should now be changed -to 'Cleartext-Password' instead. - -e.g. change entries like this:: - - bob User-Password == "hello" - -to ones like this:: - - bob Cleartext-Password := "hello" - - -If this is not done, authentication will likely fail. The server will -also print a helpful message in debugging mode. 
- -If it really is impossible to do this, the following unlang inserted above -the call to the pap module may be used to copy User-Password to the correct -attribute:: - - if (!control:Cleartext-Password && control:User-Password) { - update control { - Cleartext-Password := "%{control:User-Password}" - } - } - -However, this should only be seen as a temporary, not permanent, fix. -It is better to fix your databases to use the correct configuration. - -Unlang -~~~~~~ - -The unlang policy language is compatible with v2, but has a number of -new features. See ``man unlang`` for complete documentation. - -ERRORS - -Many more errors are caught when the server is starting up. Syntax -errors in ``unlang`` are caught, and a helpful error message is -printed. The error message points to the exact place where the error -occurred:: - - ./raddb/sites-enabled/default[230]: Parse error in condition - ERROR: if (User-Name ! "bob") { - ERROR: ^ Invalid operator - -``update`` sections are more generic. Instead of doing ``update -reply``, you can do the following:: - - update { - reply:Class := 0x0000 - control:Cleartext-Password := "hello" - } - -This change means that you need fewer ``update`` sections. - -COMPARISONS - -Attribute comparisons can be done via the ``&`` operator. When you -needed to compare two attributes, the old comparison style was:: - - if (User-Name == "%{control:Tmp-String-0}") { - -This syntax is inefficient, as the ``Tmp-String-0`` attribute would be -printed to an intermediate string, causing unnecessary work. You can -now instead compare the two attributes directly:: - - if (&User-Name == &control:Tmp-String-0) { - -See ``man unlang`` for more details. - -CASTS - -Casts are now permitted. This allows you to force type-specific -comparisons:: - - if ("%{sql: SELECT...}" == 127.0.0.1) { - -This forces the string returned by the SELECT to be treated as an IP -address, and compare to ``127.0.0.1``. 
Previously, the comparison -would have been done as a simple string comparison. - -NETWORKS - -IP networks are now supported:: - - if (127.0.0.1/32 == 127.0.0.1) { - -Will be ``true``. The various comparison operators can be used to -check IP network membership:: - - if (127/8 > 127.0.0.1) { - -Returns ``true``, because ``127.0.0.1`` is within the ``127/8`` -network. However, the following comparison will return ``false``:: - - if (127/8 > 192.168.0.1) { - -because ``192.168.0.1`` is outside of the ``127/8`` network. - -OPTIMIZATION - -As ``unlang`` is now pre-compiled, many compile-time optimizations are -done. This means that the debug output may not be exactly the same as -what is in the configuration files:: - - if (0 && (User-Name == "bob')) { - -The result will always be ``false``, as the ``if 0`` prevents the -following ``&& ...`` from being evaluated. - -Not only that, but the entire contents of that section will be ignored -entirely:: - - if (0) { - this_module_does_not_exist - and_this_one_does_not_exist_either - } - -In v2, that configuration would result in a parse error, as there is -no module called ``this_module_does_not_exist``. In v3, that text is -ignored. This ability allows you to have dynamic configurations where -certain parts are used (or not) depending on compile-time configuration. - -Similarly, conditions which always evaluate to ``true`` will be -optimized away:: - - if (1) { - files - } - -That configuration will never show the ``if (1)`` output in debugging mode. - - -Dialup_admin ------------- - -The dialup_admin directory has been removed. No one stepped forward -to maintain it, and the code had not been changed in many years. - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf deleted file mode 100644 index d7c8b5b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -[ req ] -default_bits = 1024 -distinguished_name = req_DN -string_mask = nombstr - -[ req_DN ] -countryName = "1. Country Name (2 letter code)" -countryName_default = DE -countryName_min = 2 -countryName_max = 2 -stateOrProvinceName = "2. State or Province Name (full name) " -stateOrProvinceName_default = Berlin -localityName = "3. Locality Name (eg, city) " -localityName_default = Berlin -0.organizationName = "4. Organization Name (eg, company) " -0.organizationName_default = Mustermann -organizationalUnitName = "5. Organizational Unit Name (eg, section) " -organizationalUnitName_default = Certificate Authority -commonName = "6. Common Name (eg, CA name) " -commonName_max = 64 -commonName_default = Mustermann CA -emailAddress = "7. Email Address (eg, name@FQDN)" -emailAddress_max = 40 -emailAddress_default = ca@mustermann.de diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt deleted file mode 100644 index 4bb725e..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL -BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl -cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg -QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB -FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0 -NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl -cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg -QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB -FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt -tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD -yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX -H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud -EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt -YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg -hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o -dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o -ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI -hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX -cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY -hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg= ------END CERTIFICATE----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr deleted file mode 100644 index 56b6bde..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN -BgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2Vy -dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJ -KoZIhvcNAQkBFhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD -269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFn -OyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABoAAw -DQYJKoZIhvcNAQELBQADgYEAK+Fbl3mG7m0gBkekWwU4BvC92eMs93GYCtYQECu7 -/Dc0J2K1ItGC7JrRVlQvStbEFCw3cXzlbSec2v+8rvvIbn6MB+StRRYjPUiIYS3h -qly2FpcAo3Cg5GcnNf4keDGBzClo37MF2wlT0DAQIVPHMlTbkfgAQYwQS+uKLBre -TwM= ------END CERTIFICATE REQUEST----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext deleted file mode 100644 index cb5c705..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext +++ /dev/null @@ -1,9 +0,0 @@ -extensions = x509v3 - -[ x509v3 ] -basicConstraints = CA:true,pathlen:0 -crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl -nsCertType = sslCA,emailCA,objCA -nsCaPolicyUrl = "http://www.mustermann.de/ca/policy.htm" -nsCaRevocationUrl = "http://www.mustermann.de/ca/heimpold.crl" -nsComment = "Mustermann CA" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key deleted file mode 100644 index 0c7365b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5 -OFlD269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrE -IvFnOyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQAB -AoGAQaCF2idVGbRSVF3ae1qHGOj3Hive3WcReKg/8EittAPpNuP3tqiLUQ/WjxZr -V1NTtZ4syvM+LXlDW186rU21iGpQqj9ce2zjxpWMco6GFf0qKBO1ZoYSyD6jW6ny -M82TtCOVjH1LnyAz5AKRH6Wv5sG99gndK5AriEZEYrsnjQECQQDmK5EU5yVzz2o0 -X02Lolz0dRDy5J3x3hlaYKLoszMv4L04MAZ9XaMtGjqmKSOWsbMkIvp/d5A+2uJm -42sULKC9AkEAwTN8+4Kd8d5qpNfaKiYU6x5I2qUwvkE6V7x+ttPoFzbzeHr5CM2z -jkpA+x5u1fCtbl319zOb3ApVsrJ3o0+XqQJASeIgPxJ3jjY9RDR3YuQqbHoLh7xl -CtedUcqFYKbtPmgotRmNa76b+4VY4C+CcgP2mhn0SOhrUBHY7OgBXkd5DQJBAIat -ksFtAxdZGXRB+BYLp+dinBy2rKzjoX0JrDdcrtyH9N8WskU9x544CuZDB7ZhaTSX -kV+6fTq9hZHlMNsKH8kCQQCGnlQIy3U3cN6E1O9UI4DRwPhSwl+xEfc3n0DB/Kcy -faIPo3HnlNw/+4cIyc/7i1Ilkrj4zHtdrnAjP+OvZD7+ ------END RSA PRIVATE KEY----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem deleted file mode 100644 index 4bb725e..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL -BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl -cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg -QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB -FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0 -NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl -cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg -QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB -FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt -tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD -yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX -H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud -EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt -YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg -hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o -dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o -ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI -hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX -cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY -hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg= ------END CERTIFICATE----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial deleted file mode 100644 index 75016ea..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial +++ /dev/null @@ -1 +0,0 @@ -03 diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf deleted file mode 100644 index 0f78075..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -[ req ] -default_bits = 1024 -distinguished_name = req_DN -string_mask = nombstr - -[ req_DN ] -countryName = "1. Country Name (2 letter code)" -countryName_default = DE -countryName_min = 2 -countryName_max = 2 -stateOrProvinceName = "2. State or Province Name (full name) " -stateOrProvinceName_default = Berlin -localityName = "3. Locality Name (eg, city) " -localityName_default = Berlin -0.organizationName = "4. Organization Name (eg, company) " -0.organizationName_default = Mustermann -organizationalUnitName = "5. Organizational Unit Name (eg, section) " -#organizationalUnitName_default = -commonName = "6. Common Name (eg, CA name) " -commonName_max = 64 -commonName_default = Max Mustermann -emailAddress = "7. Email Address (eg, name@FQDN)" -emailAddress_max = 40 -emailAddress_default = max@mustermann.de diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt deleted file mode 100644 index c804097..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx -DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0 -ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT -DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw -HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP -MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl -cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt -YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O -I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4 -jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6 -ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4 -QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB -R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0 -oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1 -/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw== ------END CERTIFICATE----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr deleted file mode 100644 index 316765d..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G -A1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0ZXJtYW5uMRcwFQYDVQQDEw5NYXgg -TXVzdGVybWFubjEgMB4GCSqGSIb3DQEJARYRbWF4QG11c3Rlcm1hbm4uZGUwgZ8w -DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFPziPlydE+D1lKE+5Wh/aHDuQ4HBfF -2PDWetE7um2d06newc3RZn+1JjpedX3t0u38eI5bJ2mOPj6bfdhVQBoM0/6ZE+rf -l3EbjT69GqiAPYlA7ZlgMgz2TgO1lWwvyruMOnj2l3uHEZomY6hla9pxTjqJ7n8U -HVVTUvZihoQ/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBX3obDa6757IR9ejEb -1cY0k6S1SioC8ufX0Z2veFKoDLXKHL4kCZ89ie74hBf7mqx6O9ZscASXNcyuKFBz -uaae2MSoh+DBJH6I7j23PMhs9ziaSJYLmawja0sWK/J8RaR7JNjVAzb/eU2zBQlq -GTc8H8je+e2+aRUFYNgdGxgQ0g== ------END CERTIFICATE REQUEST----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext deleted file mode 100644 index 8a509fe..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext +++ /dev/null @@ -1,5 +0,0 @@ -extensions = x509v3 - -[ x509v3 ] -nsCertType = client,email,objsign -keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key deleted file mode 100644 index 52aa36f..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN -0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z -YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB -AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG -FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+ -MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn -s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF -B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo -fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q -VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B -aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi -fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb -tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8= ------END RSA PRIVATE KEY----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt deleted file mode 100644 index 752c0e7..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx -DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0 -ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT -DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw -HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP -MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl -cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt -YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O -I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4 -jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6 -ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4 -QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB -R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0 -oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1 -/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw== ------END CERTIFICATE----- ------BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN -0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z -YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB -AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG -FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+ -MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn -s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF -B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo -fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q -VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B -aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi -fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb -tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8= ------END RSA PRIVATE KEY----- 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/dh b/pkgs/fablab/freeradius-anon-access/raddb/certs/dh deleted file mode 100644 index cf3c118..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/dh +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAzQsuxnwr0ccOV+/wIsI4Kfj5eyBINjb5KjeFvdZec65Xj5IzJSqo -kw2JaBhqN4Jtsq60doyev3tPtZn6YmBoVH/71CWOtibeZeSBjk67zQj7O0VKHHaG -9OXyjGIyzUKtJl1VpD+mXvlrhZEjnnApf3fp4i8K8Ei7oHFu+6teEyei3qGKobEg -Y+aYse5noocftCOj7QOpqLZU5BjYn+j1CVnivB3kCEuqYYTJJvyvVpTbWhAWTibY -mZU2Sq7GCLn+hbX5R/d3hOAqISJXwloshipHv7pTvipEMF5Q9thbq/Lc8j+DQS1Y -3KZMuq5+aDV2DVeVI5HSNv/uJJsN48hRkwIBAg== ------END DH PARAMETERS----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf deleted file mode 100644 index bc8f8f1..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf +++ /dev/null @@ -1,24 +0,0 @@ -[ req ] -default_bits = 1024 -distinguished_name = req_DN -string_mask = nombstr - -[ req_DN ] -countryName = "1. Country Name (2 letter code)" -countryName_default = DE -countryName_min = 2 -countryName_max = 2 -stateOrProvinceName = "2. State or Province Name (full name) " -#stateOrProvinceName_default = -localityName = "3. Locality Name (eg, city) " -localityName_default = Berlin -0.organizationName = "4. Organization Name (eg, company) " -0.organizationName_default = Mustermann -organizationalUnitName = "5. Organizational Unit Name (eg, section) " -organizationalUnitName_default = Server -commonName = "6. Common Name (eg, CA name) " -commonName_max = 64 -commonName_default = www.mustermann.de -emailAddress = "7. Email Address (eg, name@FQDN)" -emailAddress_max = 40 -emailAddress_default = webmaster@mustermann.de diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt deleted file mode 100644 index e56ad33..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC6zCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx -DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0 -ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT -DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw -HhcNMjIwODAxMDEwNjQ1WhcNMjQwNzMxMDEwNjQ1WjCBiDELMAkGA1UEBhMCREUx -DzANBgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEPMA0GA1UECxMG -U2VydmVyMRowGAYDVQQDExF3d3cubXVzdGVybWFubi5kZTEmMCQGCSqGSIb3DQEJ -ARYXd2VibWFzdGVyQG11c3Rlcm1hbm4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A -MIGJAoGBAOGRdBwkcWMlXj5ZIez2OjadgD7JBVqXS06rZopONcFil9O4OvFHSeMP -mGDIeeggZvh1hpcpKq2+zgY6640zlTbXK7J0T8QUXs0XHDJd9uMI5nDovaG37tah -G83YIPKmLBB87p511amdUviPc4QJGaGRJeYnAC4ou2RX/ko6y4yfAgMBAAGjTjBM -MBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwKgYDVR0lBCMwIQYKKwYB -BAGCNwoDAwYJYIZIAYb4QgQBBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOBgQAQ -wU4rNIuiakUH60u9m983BHddCl81Fy4nf2BExbxXSW/B+yj3adHQ/0RF/xGCcVrI -ORtGlyt8OW83VEfGFFpNPMR6XdxPMyoSUEFaEyVbYGQigQUXoa5k5vINmUD6bgxF -5o5taGIFnfnjEncwRTHADFEIN5hKHjtIdXcNRue2kg== ------END CERTIFICATE----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr deleted file mode 100644 index e504e6b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHEwZCZXJsaW4xEzAR -BgNVBAoTCk11c3Rlcm1hbm4xDzANBgNVBAsTBlNlcnZlcjEaMBgGA1UEAxMRd3d3 -Lm11c3Rlcm1hbm4uZGUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBtdXN0ZXJt -YW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhkXQcJHFjJV4+WSHs -9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrxR0njD5hgyHnoIGb4dYaXKSqtvs4GOuuN -M5U21yuydE/EFF7NFxwyXfbjCOZw6L2ht+7WoRvN2CDypiwQfO6eddWpnVL4j3OE -CRmhkSXmJwAuKLtkV/5KOsuMnwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEADZZ5 -+z8oUdzM0aDxMt2KyNSc8+NUkL4u+h38ZuDasHMXCncfWqp7I42qev1FHqKaI1Rn -GWZsWd943kOeMjFgxGkQoesLsyuqRslyUHAACnqHit2ZKz51reiiakK7v/qYxiV6 -aZOZBv5s2eaG6iT1ea5f5j2SKKOyhuDwfs7q4hQ= ------END CERTIFICATE REQUEST----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext deleted file mode 100644 index 7e6d6b5..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext +++ /dev/null @@ -1,6 +0,0 @@ -extensions = x509v3 - -[ x509v3 ] -nsCertType = server -keyUsage = digitalSignature,nonRepudiation,keyEncipherment -extendedKeyUsage = msSGC,nsSGC,serverAuth diff --git a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key deleted file mode 100644 index 97b5df9..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDhkXQcJHFjJV4+WSHs9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrx -R0njD5hgyHnoIGb4dYaXKSqtvs4GOuuNM5U21yuydE/EFF7NFxwyXfbjCOZw6L2h -t+7WoRvN2CDypiwQfO6eddWpnVL4j3OECRmhkSXmJwAuKLtkV/5KOsuMnwIDAQAB -AoGAO1kEvp7MAnUDfc3/whPqrxHzexFyyioCU1l/aiY3uIDTR44yW+cQxqAEzHoS -sQNNdFOfrMfVBc+s7zCzZvxKZpvapg2HGATkk9I8AFUTuSh7n3oUT/AZ1KGdd04G -wS/6QsLR3G8c+0RB9DPWpMVgg1OlQ1U3ESB+eaeQ28/hLFECQQD6LRHnLfLrGlz9 -0htFV3JD19qPNmwRCEa/bHeK4dICuEikgpQZ18nbOCrfUvR4GltkQA8w6CMGmebJ -5COHx+epAkEA5tG7fsnA8ut/AfA3HoBRi1YtoE4YLOE8b+Jdt72LDE6jaR9mBc0N -gwxDBhdgZf9HTSaWB65j1V1sik8DqkjfBwJABE5SSJBZ5gIGJ7g+D+t5ZAGLGXvu -UDy8Ov8674EDhFh3p503v1ofd054Lm/XFVoeyJLxr/3O3IY5mq/6jJO8QQJBANcC -V51rYojmRZEQqseG0G7y/91r4aksxpeSTapyravxNNcfoHGW6RdBvM1XyTw557k+ -UFMnZ2fBdvH/WHKvHtECQEvLTxtmdxKMrndFJiTObeItdl/iHU9JujW4ib64CysI -RdwEverbouogjHfyeDjazXIsgpIUSIbZNHL13bICpBg= ------END RSA PRIVATE KEY----- diff --git a/pkgs/fablab/freeradius-anon-access/raddb/clients.conf b/pkgs/fablab/freeradius-anon-access/raddb/clients.conf deleted file mode 100644 index 9f2f752..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client 0.0.0.0/0 { - secret = anonymous - require_message_authenticator = no -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/dictionary b/pkgs/fablab/freeradius-anon-access/raddb/dictionary deleted file mode 100644 index 1f7dc90..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/dictionary +++ /dev/null 
@@ -1,49 +0,0 @@ -# -# This is the local dictionary file which can be -# edited by local administrators. It will be loaded -# AFTER the main dictionary files are loaded. -# -# As of version 3.0.2, FreeRADIUS will automatically -# load the main dictionary files from -# -# ${prefix}/share/freeradius/dictionary -# -# It is no longer necessary for this file to $INCLUDE -# the main dictionaries. However, if the $INCLUDE -# line is here, nothing bad will happen. -# -# Any new/changed attributes MUST be placed in this file. -# The pre-defined dictionaries SHOULD NOT be edited. -# -# See "man dictionary" for documentation on its format. -# -# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $ -# - -# -# All local attributes and $INCLUDE's should go into -# this file. -# - -# If you want to add entries to the dictionary file, -# which are NOT going to be placed in a RADIUS packet, -# add them to the 'dictionary.local' file. -# -# The numbers you pick should be between 3000 and 4000. -# These attributes will NOT go into a RADIUS packet. -# -# If you want that, you will need to use VSAs. This means -# requesting allocation of a Private Enterprise Code from -# http://iana.org. We STRONGLY suggest doing that only if -# you are a vendor of RADIUS equipment. -# -# See RFC 6158 for more details. -# http://ietf.org/rfc/rfc6158.txt -# - -# -# These attributes are examples -# -#ATTRIBUTE My-Local-String 3000 string -#ATTRIBUTE My-Local-IPAddr 3001 ipaddr -#ATTRIBUTE My-Local-Integer 3002 integer diff --git a/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf b/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf deleted file mode 100644 index e5395f3..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf +++ /dev/null 
@@ -1,116 +0,0 @@ -# -# This file contains the configuration for experimental modules. -# -# By default, it is NOT included in the build. -# -# $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $ -# - -# Configuration for the Python module. -# -# Where radiusd is a Python module, radiusd.py, and the -# function 'authorize' is called. Here is a dummy piece -# of code: -# -# def authorize(params): -# print params -# return (5, ('Reply-Message', 'banned')) -# -# The RADIUS value-pairs are passed as a tuple of tuple -# pairs as the first argument, e.g. (('attribute1', -# 'value1'), ('attribute2', 'value2')) -# -# The function return is a tuple with the first element -# being the return value of the function. -# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to -# write the return values as Python symbols to avoid -# confusion. -# -# The remaining tuple members are the string form of -# value-pairs which are passed on to pairmake(). -# -python { - mod_instantiate = radiusd_test - func_instantiate = instantiate - - mod_authorize = radiusd_test - func_authorize = authorize - - mod_accounting = radiusd_test - func_accounting = accounting - - mod_pre_proxy = radiusd_test - func_pre_proxy = pre_proxy - - mod_post_proxy = radiusd_test - func_post_proxy = post_proxy - - mod_post_auth = radiusd_test - func_post_auth = post_auth - - mod_recv_coa = radiusd_test - func_recv_coa = recv_coa - - mod_send_coa = radiusd_test - func_send_coa = send_coa - - mod_detach = radiusd_test - func_detach = detach -} - - -# Configuration for the example module. Uncommenting it will cause it -# to get loaded and initialised, but should have no real effect as long -# it is not referenced in one of the autz/auth/preacct/acct sections -example { - # Boolean variable. - # allowed values: {no, yes} - boolean = yes - - # An integer, of any value. - integer = 16 - - # A string. 
- string = "This is an example configuration string" - - # An IP address, either in dotted quad (1.2.3.4) or hostname - # (example.com) - ipaddr = 127.0.0.1 - - # A subsection - mysubsection { - anotherinteger = 1000 - # They nest - deeply nested { - string = "This is a different string" - } - } -} - -# -# To create a dbm users file, do: -# -# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db -# -# Then add 'dbm' in 'authorize' section. -# -# Note that even if the file has a ".db" or ".dbm" extension, -# you may have to specify it here without that extension. This -# is because the DBM libraries "helpfully" add a ".db" to the -# filename, but don't check if it's already there. -# -dbm { - usersfile = ${confdir}/users_db -} - -# Instantiate a couple instances of the idn module -idn { -} - -# ...more commonly known as... -idn idna { -} - -idn idna_lenient { - UseSTD3ASCIIRules = no -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/hints b/pkgs/fablab/freeradius-anon-access/raddb/hints deleted file mode 120000 index d700878..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/hints +++ /dev/null @@ -1 +0,0 @@ -./mods-config/preprocess/hints \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/huntgroups b/pkgs/fablab/freeradius-anon-access/raddb/huntgroups deleted file mode 120000 index 40da471..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/huntgroups +++ /dev/null @@ -1 +0,0 @@ -./mods-config/preprocess/huntgroups \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always deleted file mode 100644 index e9a0d20..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always +++ /dev/null 
@@ -1,81 +0,0 @@ -# -*- text -*- -# -# $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $ - -# -# The "always" module is here for debugging purposes, or -# for use in complex policies. -# Instance simply returns the same result, always, without -# doing anything. -# -# rcode may be one of the following values: -# - reject - Reject the user. -# - fail - Simulate or indicate a failure. -# - ok - Simulate or indicate a success. -# - handled - Indicate that the request has been handled, -# stop processing, and send response if set. -# - invalid - Indicate that the request is invalid. -# - userlock - Indicate that the user account has been -# locked out. -# - notfound - Indicate that a user account can't be found. -# - noop - Simulate a no-op. -# - updated - Indicate that the request has been updated. -# -# If an instance is listed in a session {} section, -# this simulates a user having sessions. -# -# simulcount = -# -# If an instance is listed in a session {} section, -# this simulates the user having multilink -# sessions. -# -# mpp = -# -# An xlat based on the instance name can be called to change the status -# returned by the instance, in this example "always db_status { ... }" -# -# Force the module status to be alive or dead: -# -# %{db_status:alive} -# %{db_status:dead} -# -# Update the rcode returned by an alive module (a dead module returns fail): -# -# %{db_status:ok} -# %{db_status:fail} -# %{db_status:notfound} -# ... -# -# The above xlats expand to the current status of the module. To fetch the -# current status without affecting it call the xlat with an empty argument: -# -# %{db_status:} -# -always reject { - rcode = reject -} -always fail { - rcode = fail -} -always ok { - rcode = ok -} -always handled { - rcode = handled -} -always invalid { - rcode = invalid -} -always userlock { - rcode = userlock -} -always notfound { - rcode = notfound -} -always noop { - rcode = noop -} -always updated { - rcode = updated -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter deleted file mode 100644 index f464783..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter +++ /dev/null @@ -1,61 +0,0 @@ -# -*- text -*- -# -# $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $ - -# -# This file defines a number of instances of the "attr_filter" module. -# - -# attr_filter - filters the attributes received in replies from -# proxied servers, to make sure we send back to our RADIUS client -# only allowed attributes. -attr_filter attr_filter.post-proxy { - key = "%{Realm}" - filename = ${modconfdir}/${.:name}/post-proxy -} - -# attr_filter - filters the attributes in the packets we send to -# the RADIUS home servers. -attr_filter attr_filter.pre-proxy { - key = "%{Realm}" - filename = ${modconfdir}/${.:name}/pre-proxy -} - -# Enforce RFC requirements on the contents of Access-Reject -# packets. See the comments at the top of the file for -# more details. -# -attr_filter attr_filter.access_reject { - key = "%{User-Name}" - filename = ${modconfdir}/${.:name}/access_reject -} - -# Enforce RFC requirements on the contents of Access-Challenge -# packets. See the comments at the top of the file for -# more details. -# -attr_filter attr_filter.access_challenge { - key = "%{User-Name}" - filename = ${modconfdir}/${.:name}/access_challenge -} - - -# Enforce RFC requirements on the contents of the -# Accounting-Response packets. See the comments at the -# top of the file for more details. -# -attr_filter attr_filter.accounting_response { - key = "%{User-Name}" - filename = ${modconfdir}/${.:name}/accounting_response -} - -# -# Enforce CoA or Disconnect packets. -# -# Note that you MUST edit the "coa" file below for your -# local configuration. Add in any attributes needed by the NAS. -# -attr_filter attr_filter.coa { - key = "%{User-Name}" - filename = ${modconfdir}/${.:name}/coa -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap deleted file mode 100644 index 376fc5b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap +++ /dev/null @@ -1,13 +0,0 @@ -# -# Cache EAP responses for resiliency on intermediary proxy fail-over -# -cache cache_eap { - key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" - - ttl = 15 - - update reply { - reply: += &reply: - &control:State := &request:State - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap deleted file mode 100644 index 97d965b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap +++ /dev/null @@ -1,11 +0,0 @@ -# -*- text -*- -# -# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ - -# CHAP module -# -# To authenticate requests containing a CHAP-Password attribute. -# -chap { - # no configuration -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date deleted file mode 100644 index 25a64da..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date +++ /dev/null 
@@ -1,35 +0,0 @@ -# -# Registers xlat to convert between time formats. -# -# xlat input string is an attribute name. If this attribute is of date -# or integer type, the date xlat will convert it to a time string in -# the format of the format config item. -# -# If the attribute is a string type, date will attempt to parse it in -# the format specified by the format config item, and will expand -# to a Unix timestamp. -# -date { - format = "%b %e %Y %H:%M:%S %Z" - - # Use UTC instead of local time. - # - # default = no -# utc = yes -} - -# -# The WISPr-Session-Terminate-Time attribute is of type "string", -# and not "date". Use this expansion to create an attribute -# that holds an actual date: -# -# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}" -# -date wispr2date { - format = "%Y-%m-%dT%H:%M:%S" - - # Use UTC instead of local time. - # - # default = no -# utc = yes -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail deleted file mode 100644 index 1d6d5f6..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail +++ /dev/null 
@@ -1,109 +0,0 @@ -# -*- text -*- -# -# $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $ - -# Write a detailed log of all accounting records received. -# -detail { - # Note that we do NOT use NAS-IP-Address here, as - # that attribute MAY BE from the originating NAS, and - # NOT from the proxy which actually sent us the - # request. - # - # The following line creates a new detail file for - # every radius client (by IP address or hostname). - # In addition, a new detail file is created every - # day, so that the detail file doesn't have to go - # through a 'log rotation' - # - # If your detail files are large, you may also want to add - # a ':%H' (see doc/configuration/variables.rst) to the end - # of it, to create a new detail file every hour, e.g.: - # - # ..../detail-%Y%m%d:%H - # - # This will create a new detail file for every hour. - # - # If you are reading detail files via the "listen" section - # (e.g. as in raddb/sites-available/robust-proxy-accounting), - # you MUST use a unique directory for each combination of a - # detail file writer, and reader. That is, there can only - # be ONE "listen" section reading detail files from a - # particular directory. - # - # The configuration below puts the detail files into separate - # directories for each client. If you are reading the detail - # files via the "listen" section, just use one directory. - # - # e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d - # - # AND use a separate directory (reader2, reader3, etc.) for each - # reader. - # - filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d - - # - # If you are using radrelay, delete the above line for "file", - # and use this one instead: - # -# filename = ${radacctdir}/detail - - # - # Most file systems can handly nearly the full range of UTF-8 - # characters. Ones that can deal with a limited range should - # set this to "yes". - # - escape_filenames = no - - # - # The Unix-style permissions on the 'detail' file. 
- # - # The detail file often contains secret or private - # information about users. So by keeping the file - # permissions restrictive, we can prevent unwanted - # people from seeing that information. - permissions = 0600 - - # The Unix group of the log file. - # - # The user that the server runs as must be in the specified - # system group otherwise this will fail to work. - # -# group = ${security.group} - - # - # Every entry in the detail file has a header which - # is a timestamp. By default, we use the ctime - # format (see "man ctime" for details). - # - # The header can be customised by editing this - # string. See "doc/configuration/variables.rst" for a - # description of what can be put here. - # - header = "%t" - - # - # Uncomment this line if the detail file reader will be - # reading this detail file. - # -# locking = yes - - # - # Log the Packet src/dst IP/port. This is disabled by - # default, as that information isn't used by many people. - # -# log_packet_header = yes - - # - # Certain attributes such as User-Password may be - # "sensitive", so they should not be printed in the - # detail file. This section lists the attributes - # that should be suppressed. - # - # The attributes should be listed one to a line. - # - #suppress { - # User-Password - #} - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log deleted file mode 100644 index f99566d..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log +++ /dev/null 
@@ -1,75 +0,0 @@ -# -*- text -*- -# -# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $ - -# -# More examples of doing detail logs. - -# -# Many people want to log authentication requests. -# Rather than modifying the server core to print out more -# messages, we can use a different instance of the 'detail' -# module, to log the authentication requests to a file. -# -# You will also need to un-comment the 'auth_log' line -# in the 'authorize' section, below. -# -detail auth_log { - filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d - - # - # This MUST be 0600, otherwise anyone can read - # the users passwords! - permissions = 0600 - - # You may also strip out passwords completely - suppress { - User-Password - } -} - -# -# This module logs authentication reply packets sent -# to a NAS. Both Access-Accept and Access-Reject packets -# are logged. -# -# You will also need to un-comment the 'reply_log' line -# in the 'post-auth' section, below. -# -detail reply_log { - filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d - - permissions = 0600 -} - -# -# This module logs packets proxied to a home server. -# -# You will also need to un-comment the 'pre_proxy_log' line -# in the 'pre-proxy' section, below. -# -detail pre_proxy_log { - filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d - - # - # This MUST be 0600, otherwise anyone can read - # the users passwords! - permissions = 0600 - - # You may also strip out passwords completely - #suppress { - # User-Password - #} -} - -# -# This module logs response packets from a home server. -# -# You will also need to un-comment the 'post_proxy_log' line -# in the 'post-proxy' section, below. -# -detail post_proxy_log { - filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d - - permissions = 0600 -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest deleted file mode 100644 index af52017..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest +++ /dev/null @@ -1,13 +0,0 @@ -# -*- text -*- -# -# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $ - -# -# The 'digest' module currently has no configuration. -# -# "Digest" authentication against a Cisco SIP server. -# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details -# on performing digest authentication for Cisco SIP servers. -# -digest { -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients deleted file mode 100644 index c5c9c8a..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients +++ /dev/null @@ -1,32 +0,0 @@ -# -*- text -*- -# -# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $ - -# This module loads RADIUS clients as needed, rather than when the server -# starts. -# -# There are no configuration entries for this module. Instead, it -# relies on the "client" configuration. You must: -# -# 1) link raddb/sites-enabled/dynamic_clients to -# raddb/sites-available/dynamic_clients -# -# 2) Define a client network/mask (see top of the above file) -# -# 3) uncomment the "directory" entry in that client definition -# -# 4) list "dynamic_clients" in the "authorize" section of the -# "dynamic_clients' virtual server. The default example already -# does this. -# -# 5) put files into the above directory, one per IP. -# e.g. file "192.0.2.1" should contain a normal client definition -# for a client with IP address 192.0.2.1. -# -# For more documentation, see the file: -# -# raddb/sites-available/dynamic-clients -# -dynamic_clients { - -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap deleted file mode 100644 index 73718ff..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap +++ /dev/null 
@@ -1,1082 +0,0 @@ -# -*- text -*- -## -## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) -## -## $Id: 61be516b1a686e7a1c83e61f9260960a5f01730d $ - -####################################################################### -# -# Whatever you do, do NOT set 'Auth-Type := EAP'. The server -# is smart enough to figure this out on its own. The most -# common side effect of setting 'Auth-Type := EAP' is that the -# users then cannot use ANY other authentication method. -# -eap { - # Invoke the default supported EAP type when - # EAP-Identity response is received. - # - # The incoming EAP messages DO NOT specify which EAP - # type they will be using, so it MUST be set here. - # - # For now, only one default EAP type may be used at a time. - # - # If the EAP-Type attribute is set by another module, - # then that EAP type takes precedence over the - # default type configured here. - # - default_eap_type = md5 - - # A list is maintained to correlate EAP-Response - # packets with EAP-Request packets. After a - # configurable length of time, entries in the list - # expire, and are deleted. - # - timer_expire = 60 - - # There are many EAP types, but the server has support - # for only a limited subset. If the server receives - # a request for an EAP type it does not support, then - # it normally rejects the request. By setting this - # configuration to "yes", you can tell the server to - # instead keep processing the request. Another module - # MUST then be configured to proxy the request to - # another RADIUS server which supports that EAP type. - # - # If another module is NOT configured to handle the - # request, then the request will still end up being - # rejected. - # - ignore_unknown_eap_types = no - - # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given - # a User-Name attribute in an Access-Accept, it copies one - # more byte than it should. - # - # We can work around it by configurably adding an extra - # zero byte. 
- # - cisco_accounting_username_bug = no - - # Help prevent DoS attacks by limiting the number of - # sessions that the server is tracking. For simplicity, - # this is taken from the "max_requests" directive in - # radiusd.conf. - # - max_sessions = ${max_requests} - - - ############################################################ - # - # Supported EAP-types - # - - - # EAP-MD5 - # - # We do NOT recommend using EAP-MD5 authentication - # for wireless connections. It is insecure, and does - # not provide for dynamic WEP keys. - # - md5 { - } - - - # EAP-pwd -- secure password-based authentication - # - #pwd { - # group = 19 - - # server_id = theserver@example.com - - # This has the same meaning as for TLS. - # - # fragment_size = 1020 - - # The virtual server which determines the - # "known good" password for the user. - # Note that unlike TLS, only the "authorize" - # section is processed. EAP-PWD requests can be - # distinguished by having a User-Name, but - # no User-Password, CHAP-Password, EAP-Message, etc. - # - # virtual_server = "inner-tunnel" - #} - - - # Cisco LEAP - # - # We do not recommend using LEAP in new deployments. See: - # http://www.securiteam.com/tools/5TP012ACKE.html - # - # As of 3.0.22, LEAP has been removed from the server. - # It is insecure, and no one should be using it. - # - - - # EAP-GTC -- Generic Token Card - # - # Currently, this is only permitted inside of EAP-TTLS, - # or EAP-PEAP. The module "challenges" the user with - # text, and the response from the user is taken to be - # the User-Password. - # - # Proxying the tunneled EAP-GTC session is a bad idea, - # the users password will go over the wire in plain-text, - # for anyone to see. - # - gtc { - # The default challenge, which many clients - # ignore.. - # - # challenge = "Password: " - - # The plain-text response which comes back - # is put into a User-Password attribute, - # and passed to another module for - # authentication. 
This allows the EAP-GTC - # response to be checked against plain-text, - # or crypt'd passwords. - # - # If you say "Local" instead of "PAP", then - # the module will look for a User-Password - # configured for the request, and do the - # authentication itself. - # - auth_type = PAP - } - - - # Common TLS configuration for TLS-based EAP types - # ------------------------------------------------ - # - # See raddb/certs/README.md for additional comments - # on certificates. - # - # If OpenSSL was not found at the time the server was - # built, the "tls", "ttls", and "peap" sections will - # be ignored. - # - # If you do not currently have certificates signed by - # a trusted CA you may use the 'snakeoil' certificates. - # Included with the server in raddb/certs. - # - # If these certificates have not been auto-generated: - # cd raddb/certs - # make - # - # These test certificates SHOULD NOT be used in a normal - # deployment. They are created only to make it easier - # to install the server, and to perform some simple - # tests with EAP-TLS, TTLS, or PEAP. - # - # Note that you should NOT use a globally known CA here! - # e.g. using a Verisign cert as a "known CA" means that - # ANYONE who has a certificate signed by them can - # authenticate via EAP-TLS! This is likely not what you want. - # - tls-config tls-common { - private_key_password = whatever - private_key_file = ${certdir}/server.key - - # If Private key & Certificate are located in - # the same file, then private_key_file & - # certificate_file must contain the same file - # name. - # - # If ca_file (below) is not used, then the - # certificate_file below SHOULD also include all of - # the intermediate CA certificates used to sign the - # server certificate, but NOT the root CA. - # - # Including the ROOT CA certificate is not useful and - # merely inflates the exchanged data volume during - # the TLS negotiation. 
- # - # This file should contain the server certificate, - # followed by intermediate certificates, in order. - # i.e. If we have a server certificate signed by CA1, - # which is signed by CA2, which is signed by a root - # CA, then the "certificate_file" should contain - # server.pem, followed by CA1.pem, followed by - # CA2.pem. - # - # When using "ca_file" or "ca_dir", the - # "certificate_file" should contain only - # "server.pem". And then you may (or may not) need - # to set "auto_chain", depending on your version of - # OpenSSL. - # - # In short, SSL / TLS certificates are complex. - # There are many versions of software, each of which - # behave slightly differently. It is impossible to - # give advice which will work everywhere. Instead, - # we give general guidelines. - # - certificate_file = ${certdir}/server.crt - - # Trusted Root CA list - # - # This file can contain multiple CA certificates. - # ALL of the CA's in this list will be trusted to - # issue client certificates for authentication. - # - # In general, you should use self-signed - # certificates for 802.1x (EAP) authentication. - # In that case, this CA file should contain - # *one* CA certificate. - # - ca_file = ${cadir}/ca.pem - - # OpenSSL will automatically create certificate chains, - # unless we tell it to not do that. The problem is that - # it sometimes gets the chains right from a certificate - # signature view, but wrong from the clients view. - # - # When setting "auto_chain = no", the server certificate - # file MUST include the full certificate chain. - # - # auto_chain = yes - - # If OpenSSL supports TLS-PSK, then we can use a - # fixed PSK identity and (hex) password. As of - # 3.0.18, these can be used at the same time as the - # certificate configuration, but only for TLS 1.0 - # through 1.2. - # - # If PSK and certificates are configured at the same - # time for TLS 1.3, then the server will warn you, - # and will disable TLS 1.3, as it will not work. 
- # - # The work around is to have two modules (or for - # RadSec, two listen sections). One will have PSK - # configured, and the other will have certificates - # configured. - # - # psk_identity = "test" - # psk_hexphrase = "036363823" - - # Dynamic queries for the PSK. If TLS-PSK is used, - # and psk_query is set, then you MUST NOT use - # psk_identity or psk_hexphrase. - # - # Instead, use a dynamic expansion similar to the one - # below. It keys off of TLS-PSK-Identity. It should - # return a of string no more than 512 hex characters. - # That string will be converted to binary, and will - # be used as the dynamic PSK hexphrase. - # - # Note that this query is just an example. You will - # need to customize it for your installation. - # - # psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" - - # For DH cipher suites to work, you have to - # run OpenSSL to create the DH file first: - # - # openssl dhparam -out certs/dh 2048 - # - dh_file = ${certdir}/dh - - # If your system doesn't have /dev/urandom, - # you will need to create this file, and - # periodically change its contents. - # - # For security reasons, FreeRADIUS doesn't - # write to files in its configuration - # directory. - # - # random_file = /dev/urandom - - # This can never exceed the size of a RADIUS - # packet (4096 bytes), and is preferably half - # that, to accommodate other attributes in - # RADIUS packet. On most APs the MAX packet - # length is configured between 1500 - 1600 - # In these cases, fragment size should be - # 1024 or less. - # - # fragment_size = 1024 - - # include_length is a flag which is - # by default set to yes If set to - # yes, Total Length of the message is - # included in EVERY packet we send. - # If set to no, Total Length of the - # message is included ONLY in the - # First packet of a fragment series. 
- # - # include_length = yes - - - # Check the Certificate Revocation List - # - # 1) Copy CA certificates and CRLs to same directory. - # 2) Execute 'c_rehash '. - # 'c_rehash' is OpenSSL's command. - # 3) uncomment the lines below. - # 5) Restart radiusd - # check_crl = yes - - # Check if intermediate CAs have been revoked. - # check_all_crl = yes - - ca_path = ${cadir} - - # OpenSSL does not reload contents of ca_path dir over time. - # That means that if check_crl is enabled and CRLs are loaded - # from ca_path dir, at some point CRLs will expire and - # RADIUSd will stop authenticating users. - # If ca_path_reload_interval is non-zero, it will force OpenSSL - # to reload all data from ca_path periodically - # - # Flush ca_path each hour - # ca_path_reload_interval = 3600 - - - # Accept an expired Certificate Revocation List - # - # allow_expired_crl = no - - # If check_cert_issuer is set, the value will - # be checked against the DN of the issuer in - # the client certificate. If the values do not - # match, the certificate verification will fail, - # rejecting the user. - # - # This check can be done more generally by checking - # the value of the TLS-Client-Cert-Issuer attribute. - # This check can be done via any mechanism you - # choose. - # - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" - - # If check_cert_cn is set, the value will - # be xlat'ed and checked against the CN - # in the client certificate. If the values - # do not match, the certificate verification - # will fail rejecting the user. - # - # This check is done only if the previous - # "check_cert_issuer" is not set, or if - # the check succeeds. - # - # This check can be done more generally by writing - # "unlang" statements to examine the value of the - # TLS-Client-Cert-Common-Name attribute. - # - # check_cert_cn = %{User-Name} - - # - # This configuration item only applies when there is - # an intermediate CA between the "root" CA, and the - # client certificate. 
If we trust the root CA, then - # by definition we also trust ANY intermediate CA - # which is signed by that root. This means ANOTHER - # intermediate CA can issue client certificates, and - # have them accepted by the EAP module. - # - # The solution is to list ONLY the trusted CAs in the - # FreeRADIUS configuration, and then set this - # configuration item to "yes". - # - # Then, when the server receives a client certificate - # from an untrusted CA, that authentication request - # can be rejected. - # - # It is possible to do these checks in "unlang", by - # checking for unknown names in the - # TLS-Cert-Common-Name attribute, but that is - # more complex. So we add a configuration option - # which can be set once, and which works for all - # possible intermediate CAs, no matter what their - # value. - # - # reject_unknown_intermediate_ca = no - - # Set this option to specify the allowed - # TLS cipher suites. The format is listed - # in "man 1 ciphers". - # - cipher_list = "DEFAULT" - - # If enabled, OpenSSL will use server cipher list - # (possibly defined by cipher_list option above) - # for choosing right cipher suite rather than - # using client-specified list which is OpenSSl default - # behavior. Setting this to "yes" means that OpenSSL - # will choose the servers ciphers, even if they do not - # best match what the client sends. - # - # TLS negotiation is usually good, but can be imperfect. - # This setting allows administrators to "fine tune" it - # if necessary. - # - cipher_server_preference = no - - # You can selectively disable TLS versions for - # compatability with old client devices. - # - # If your system has OpenSSL 1.1.0 or greater, do NOT - # use these. Instead, set tls_min_version and - # tls_max_version. - # -# disable_tlsv1_2 = yes -# disable_tlsv1_1 = yes -# disable_tlsv1 = yes - - - # Set min / max TLS version. - # - # Generally speaking you should NOT use TLS 1.0 or - # TLS 1.1. They are old, possibly insecure, and - # deprecated. 
However, it is sometimes necessary to - # enable it for compatibility with legact systems. - # We recommend replacing those legacy systems, and - # using at least TLS 1.2. - # - # Some Debian versions disable older versions of TLS, - # and requires the application to manually enable - # them. - # - # If you are running such a distribution, you should - # set these options, otherwise older clients will not - # be able to connect. - # - # Allowed values are "1.0", "1.1", "1.2", and "1.3". - # - # As of 2021, it is STRONGLY RECOMMENDED to set - # - # tls_min_version = "1.2" - # - # Older TLS versions are insecure and deprecated. - # - # In order to enable TLS 1.0 and TLS 1.1, you may - # also need to update cipher_list below to: - # - # cipher_list = "DEFAULT@SECLEVEL=1" - # - # The values must be in quotes. - # - # We also STRONGLY RECOMMEND to set - # - # tls_max_version = "1.2" - # - # While the server will accept "1.3" as a value, - # most EAP supplicants WILL NOT DO TLS 1.3 PROPERLY. - # - # i.e. they WILL NOT WORK, SO DO NOT ASK QUESTIONS ON - # THE LIST ABOUT WHY IT DOES NOT WORK. - # - # The TLS 1.3 support is here for future - # compatibility, as clients get upgraded, and people - # don't upgrade their copies of FreeRADIUS. - # - # Also note that we only support TLS 1.3 for EAP-TLS. - # Other versions of EAP (PEAP, TTLS, FAST) DO NOT - # SUPPORT TLS 1.3. - # - tls_min_version = "1.2" - tls_max_version = "1.2" - - # Elliptical cryptography configuration - # - # This configuration should be one of the following: - # - # * a name of the curve to use, e.g. "prime256v1". - # - # * a colon separated list of curve NIDs or names. - # - # * an empty string, in which case OpenSSL will choose - # the "best" curve for the situation. - # - # For supported curve names, please run - # - # openssl ecparam -list_curves - # - ecdh_curve = "prime256v1" - - # Session resumption / fast reauthentication - # cache. 
- # - # The cache contains the following information: - # - # session Id - unique identifier, managed by SSL - # User-Name - from the Access-Accept - # Stripped-User-Name - from the Access-Request - # Cached-Session-Policy - from the Access-Accept - # - # See also the "store" subsection below for - # additional attributes which can be cached. - # - # The "Cached-Session-Policy" is the name of a - # policy which should be applied to the cached - # session. This policy can be used to assign - # VLANs, IP addresses, etc. It serves as a useful - # way to re-apply the policy from the original - # Access-Accept to the subsequent Access-Accept - # for the cached session. - # - # On session resumption, these attributes are - # copied from the cache, and placed into the - # reply list. - # - # You probably also want "use_tunneled_reply = yes" - # when using fast session resumption. - # - # You can check if a session has been resumed by - # looking for the existence of the EAP-Session-Resumed - # attribute. Note that this attribute will *only* - # exist in the "post-auth" section. - # - # CAVEATS: The cache is stored and reloaded BEFORE - # the "post-auth" section is run. This limitation - # makes caching more difficult than it should be. In - # practice, it means that the first authentication - # session must set the reply attributes before the - # post-auth section is run. - # - # When the session is resumed, the attributes are - # restored and placed into the session-state list. - # - cache { - # Enable it. The default is "no". Deleting the entire "cache" - # subsection also disables caching. - # - # The session cache requires the use of the - # "name" and "persist_dir" configuration - # items, below. - # - # The internal OpenSSL session cache has been permanently - # disabled. 
- # - # You can disallow resumption for a particular user by adding the - # following attribute to the control item list: - # - # Allow-Session-Resumption = No - # - # If "enable = no" below, you CANNOT enable resumption for just one - # user by setting the above attribute to "yes". - # - enable = no - - # Lifetime of the cached entries, in hours. The sessions will be - # deleted/invalidated after this time. - # - lifetime = 24 # hours - - # Internal "name" of the session cache. Used to - # distinguish which TLS context sessions belong to. - # - # The server will generate a random value if unset. - # This will change across server restart so you MUST - # set the "name" if you want to persist sessions (see - # below). - # - # name = "EAP module" - - # Simple directory-based storage of sessions. - # Two files per session will be written, the SSL - # state and the cached VPs. This will persist session - # across server restarts. - # - # The default directory is ${logdir}, for historical - # reasons. You should ${db_dir} instead. And check - # the value of db_dir in the main radiusd.conf file. - # It should not point to ${raddb} - # - # The server will need write perms, and the directory - # should be secured from anyone else. You might want - # a script to remove old files from here periodically: - # - # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; - # - # This feature REQUIRES "name" option be set above. - # - # persist_dir = "${logdir}/tlscache" - - # - # As of 3.0.20, it is possible to partially - # control which attributes exist in the - # session cache. This subsection lists - # attributes which are taken from the reply, - # and saved to the on-disk cache. When the - # session is resumed, these attributes are - # added to the "session-state" list. The - # default configuration will then take care - # of copying them to the reply. - # - store { - Tunnel-Private-Group-Id - } - } - - # Client certificates can be validated via an - # external command. 
This allows dynamic CRLs or OCSP - # to be used. - # - # This configuration is commented out in the - # default configuration. Uncomment it, and configure - # the correct paths below to enable it. - # - # If OCSP checking is enabled, and the OCSP checks fail, - # the verify section is not run. - # - # If OCSP checking is disabled, the verify section is - # run on successful certificate validation. - # - verify { - # If the OCSP checks succeed, the verify section - # is run to allow additional checks. - # - # If you want to skip verify on OCSP success, - # uncomment this configuration item, and set it - # to "yes". - # - # skip_if_ocsp_ok = no - - # A temporary directory where the client - # certificates are stored. This directory - # MUST be owned by the UID of the server, - # and MUST not be accessible by any other - # users. When the server starts, it will do - # "chmod go-rwx" on the directory, for - # security reasons. The directory MUST - # exist when the server starts. - # - # You should also delete all of the files - # in the directory when the server starts. - # - # tmpdir = /tmp/radiusd - - # The command used to verify the client cert. - # We recommend using the OpenSSL command-line - # tool. - # - # The ${..ca_path} text is a reference to - # the ca_path variable defined above. - # - # The %{TLS-Client-Cert-Filename} is the name - # of the temporary file containing the cert - # in PEM format. This file is automatically - # deleted by the server when the command - # returns. - # - # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" - } - - # OCSP Configuration - # - # Certificates can be verified against an OCSP - # Responder. This makes it possible to immediately - # revoke certificates without the distribution of - # new Certificate Revocation Lists (CRLs). - # - ocsp { - # Enable it. The default is "no". 
- # Deleting the entire "ocsp" subsection - # also disables ocsp checking - # - enable = no - - # The OCSP Responder URL can be automatically - # extracted from the certificate in question. - # To override the OCSP Responder URL set - # "override_cert_url = yes". - # - override_cert_url = yes - - # If the OCSP Responder address is not extracted from - # the certificate, the URL can be defined here. - # - url = "http://127.0.0.1/ocsp/" - - # If the OCSP Responder can not cope with nonce - # in the request, then it can be disabled here. - # - # For security reasons, disabling this option - # is not recommended as nonce protects against - # replay attacks. - # - # Note that Microsoft AD Certificate Services OCSP - # Responder does not enable nonce by default. It is - # more secure to enable nonce on the responder than - # to disable it in the query here. - # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx - # - # use_nonce = yes - - # Number of seconds before giving up waiting - # for OCSP response. 0 uses system default. - # - # timeout = 0 - - # Normally an error in querying the OCSP - # responder (no response from server, server did - # not understand the request, etc) will result in - # a validation failure. - # - # To treat these errors as 'soft' failures and - # still accept the certificate, enable this - # option. - # - # Warning: this may enable clients with revoked - # certificates to connect if the OCSP responder - # is not available. Use with caution. - # - # softfail = no - } - } - - - # EAP-TLS - # - # The TLS configuration for TLS-based EAP types is held in - # the "tls-config" section, above. - # - tls { - # Point to the common TLS configuration - # - tls = tls-common - - # As part of checking a client certificate, the EAP-TLS - # sets some attributes such as TLS-Client-Cert-Common-Name. This - # virtual server has access to these attributes, and can - # be used to accept or reject the request. 
- # - # virtual_server = check-eap-tls - - # You can control whether or not EAP-TLS requires a - # client certificate by setting - # - # configurable_client_cert = yes - # - # Once that setting has been changed, you can then set - # - # EAP-TLS-Require-Client-Cert = No - # - # in the control items for a request, and the EAP-TLS - # module will not require a client certificate from - # the supplicant. - # - # WARNING: This configuration should only be used - # when the users are placed into a "captive portal" - # or "walled garden", where they have limited network - # access. Otherwise the configuraton will allow - # anyone on the network, without authenticating them! - # -# configurable_client_cert = no - } - - - # EAP-TTLS -- Tunneled TLS - # - # The TTLS module implements the EAP-TTLS protocol, - # which can be described as EAP inside of Diameter, - # inside of TLS, inside of EAP, inside of RADIUS... - # - # Surprisingly, it works quite well. - # - ttls { - # Which tls-config section the TLS negotiation parameters - # are in - see EAP-TLS above for an explanation. - # - # In the case that an old configuration from FreeRADIUS - # v2.x is being used, all the options of the tls-config - # section may also appear instead in the 'tls' section - # above. If that is done, the tls= option here (and in - # tls above) MUST be commented out. - # - tls = tls-common - - # The tunneled EAP session needs a default EAP type - # which is separate from the one for the non-tunneled - # EAP module. Inside of the TTLS tunnel, we recommend - # using EAP-MD5. If the request does not contain an - # EAP conversation, then this configuration entry is - # ignored. - # - default_eap_type = md5 - - # The tunneled authentication request does not usually - # contain useful attributes like 'Calling-Station-Id', - # etc. These attributes are outside of the tunnel, - # and normally unavailable to the tunneled - # authentication request. 
- # - # By setting this configuration entry to 'yes', - # any attribute which is NOT in the tunneled - # authentication request, but which IS available - # outside of the tunnel, is copied to the tunneled - # request. - # - # allowed values: {no, yes} - # - copy_request_to_tunnel = no - - # This configuration item is deprecated. Instead, - # you should use: - # - # update outer.session-state { - # ... - # } - # - # This will cache attributes for the final Access-Accept. - # - # See "update outer.session-state" in the "post-auth" - # sections of sites-available/default, and of - # sites-available/inner-tunnel - # - # The reply attributes sent to the NAS are usually - # based on the name of the user 'outside' of the - # tunnel (usually 'anonymous'). If you want to send - # the reply attributes based on the user name inside - # of the tunnel, then set this configuration entry to - # 'yes', and the reply to the NAS will be taken from - # the reply to the tunneled request. - # - # allowed values: {no, yes} - # - use_tunneled_reply = yes - - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # A virtual server MUST be specified. - # - virtual_server = "inner-tunnel" - - # This has the same meaning, and overwrites, the - # same field in the "tls" configuration, above. - # The default value here is "yes". - # - # include_length = yes - - # Unlike EAP-TLS, EAP-TTLS does not require a client - # certificate. However, you can require one by setting the - # following option. You can also override this option by - # setting - # - # EAP-TLS-Require-Client-Cert = Yes - # - # in the control items for a request. - # - # Note that the majority of supplicants do not support using a - # client certificate with EAP-TTLS, so this option is unlikely - # to be usable for most people. - # - # require_client_cert = yes - } - - - # EAP-PEAP - # - - ################################################## - # - # !!!!! 
WARNINGS for Windows compatibility !!!!! - # - ################################################## - # - # If you see the server send an Access-Challenge, - # and the client never sends another Access-Request, - # then - # - # STOP! - # - # The server certificate has to have special OID's - # in it, or else the Microsoft clients will silently - # fail. See the "scripts/xpextensions" file for - # details, and the following page: - # - # https://support.microsoft.com/en-us/help/814394/ - # - # If is still doesn't work, and you're using Samba, - # you may be encountering a Samba bug. See: - # - # https://bugzilla.samba.org/show_bug.cgi?id=6563 - # - # Note that we do not necessarily agree with their - # explanation... but the fix does appear to work. - # - ################################################## - - # The tunneled EAP session needs a default EAP type - # which is separate from the one for the non-tunneled - # EAP module. Inside of the TLS/PEAP tunnel, we - # recommend using EAP-MS-CHAPv2. - # - peap { - # Which tls-config section the TLS negotiation parameters - # are in - see EAP-TLS above for an explanation. - # - # In the case that an old configuration from FreeRADIUS - # v2.x is being used, all the options of the tls-config - # section may also appear instead in the 'tls' section - # above. If that is done, the tls= option here (and in - # tls above) MUST be commented out. - # - tls = tls-common - - # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # PEAP tunnel, we recommend using MS-CHAPv2, - # as that is the default type supported by - # Windows clients. - # - default_eap_type = mschapv2 - - # The PEAP module also has these configuration - # items, which are the same as for TTLS. - # - copy_request_to_tunnel = no - - # This configuration item is deprecated. Instead, - # you should use: - # - # update outer.session-state { - # ... 
- # } - # - # This will cache attributes for the final Access-Accept. - # - # See "update outer.session-state" in the "post-auth" - # sections of sites-available/default, and of - # sites-available/inner-tunnel - # - use_tunneled_reply = yes - - # When the tunneled session is proxied, the - # home server may not understand EAP-MSCHAP-V2. - # Set this entry to "no" to proxy the tunneled - # EAP-MSCHAP-V2 as normal MSCHAPv2. - # - # This setting can be over-ridden on a packet by - # packet basis by setting - # - # &control:Proxy-Tunneled-Request-As-EAP = yes - # - # proxy_tunneled_request_as_eap = yes - - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # A virtual server MUST be specified. - # - virtual_server = "inner-tunnel" - - # This option enables support for MS-SoH - # see doc/SoH.txt for more info. - # It is disabled by default. - # - # soh = yes - - # The SoH reply will be turned into a request which - # can be sent to a specific virtual server: - # - # soh_virtual_server = "soh-server" - - # Unlike EAP-TLS, PEAP does not require a client certificate. - # However, you can require one by setting the following - # option. You can also override this option by setting - # - # EAP-TLS-Require-Client-Cert = Yes - # - # in the control items for a request. - # - # Note that the majority of supplicants do not support using a - # client certificate with PEAP, so this option is unlikely to - # be usable for most people. - # - # require_client_cert = yes - } - - - # EAP-MSCHAPv2 - # - # Note that it is the EAP MS-CHAPv2 sub-module, not - # the main 'mschap' module. - # - # Note also that in order for this sub-module to work, - # the main 'mschap' module MUST ALSO be configured. - # - # This module is the *Microsoft* implementation of MS-CHAPv2 - # in EAP. There is another (incompatible) implementation - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not - # currently support. 
- # - mschapv2 { - # In earlier versions of the server, this module - # never sent the MS-CHAP-Error message to the client. - # This worked, but it had issues when the cached - # password was wrong. The server *should* send - # "E=691 R=0" to the client, which tells it to prompt - # the user for a new password. - # - # The default is to use that functionality. which is - # known to work. If you set "send_error = yes", then - # the error message will be sent back to the client. - # This *may* help some clients work better, but *may* - # also cause other clients to stop working. - # - # send_error = no - - # Server identifier to send back in the challenge. - # This should generally be the host name of the - # RADIUS server. Or, some information to uniquely - # identify it. - # - # identity = "FreeRADIUS" - } - - - # EAP-FAST - # - # The FAST module implements the EAP-FAST protocol - # - #fast { - # Point to the common TLS configuration - # - # tls = tls-common - - # If 'cipher_list' is set here, it will over-ride the - # 'cipher_list' configuration from the 'tls-common' - # configuration. The EAP-FAST module has it's own - # over-ride for 'cipher_list' because the - # specifications mandata a different set of ciphers - # than are used by the other EAP methods. - # - # cipher_list though must include "ADH" for anonymous provisioning. - # This is not as straight forward as appending "ADH" alongside - # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is - # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used - # - # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" - - # PAC lifetime in seconds (default: seven days) - # - # pac_lifetime = 604800 - - # Authority ID of the server - # - # If you are running a cluster of RADIUS servers, you should make - # the value chosen here (and for "pac_opaque_key") the same on all - # your RADIUS servers. This value should be unique to your - # installation. We suggest using a domain name. 
- # - # authority_identity = "1234" - - # PAC Opaque encryption key (must be exactly 32 bytes in size) - # - # This value MUST be secret, and MUST be generated using - # a secure method, such as via 'openssl rand -hex 32' - # - # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" - - # Same as for TTLS, PEAP, etc. - # - # virtual_server = inner-tunnel - #} -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo deleted file mode 100644 index c21a8ff..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo +++ /dev/null 
@@ -1,123 +0,0 @@ -# -*- text -*- -# -# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $ - -# -# This is a more general example of the execute module. -# -# This one is called "echo". -# -# Attribute-Name = `%{echo:/path/to/program args}` -# -# If you wish to execute an external program in more than -# one section (e.g. 'authorize', 'pre_proxy', etc), then it -# is probably best to define a different instance of the -# 'exec' module for every section. -# -# The return value of the program run determines the result -# of the exec instance call as follows: -# (See doc/configurable_failover for details) -# -# < 0 : fail the module failed -# = 0 : ok the module succeeded -# = 1 : reject the module rejected the user -# = 2 : fail the module failed -# = 3 : ok the module succeeded -# = 4 : handled the module has done everything to handle the request -# = 5 : invalid the user's configuration entry was invalid -# = 6 : userlock the user was locked out -# = 7 : notfound the user was not found -# = 8 : noop the module did nothing -# = 9 : updated the module updated information in the request -# > 9 : fail the module failed -# -exec echo { - # - # Wait for the program to finish. - # - # If we do NOT wait, then the program is "fire and - # forget", and any output attributes from it are ignored. - # - # If we are looking for the program to output - # attributes, and want to add those attributes to the - # request, then we MUST wait for the program to - # finish, and therefore set 'wait=yes' - # - # allowed values: {no, yes} - wait = yes - - # - # The name of the program to execute, and it's - # arguments. Dynamic translation is done on this - # field, so things like the following example will - # work. - # - program = "/bin/echo %{User-Name}" - - # - # The attributes which are placed into the - # environment variables for the program. 
- # - # Allowed values are: - # - # request attributes from the request - # config attributes from the configuration items list - # reply attributes from the reply - # proxy-request attributes from the proxy request - # proxy-reply attributes from the proxy reply - # - # Note that some attributes may not exist at some - # stages. e.g. There may be no proxy-reply - # attributes if this module is used in the - # 'authorize' section. - # - input_pairs = request - - # - # Where to place the output attributes (if any) from - # the executed program. The values allowed, and the - # restrictions as to availability, are the same as - # for the input_pairs. - # - output_pairs = reply - - # - # When to execute the program. If the packet - # type does NOT match what's listed here, then - # the module does NOT execute the program. - # - # For a list of allowed packet types, see - # the 'dictionary' file, and look for VALUEs - # of the Packet-Type attribute. - # - # By default, the module executes on ANY packet. - # Un-comment out the following line to tell the - # module to execute only if an Access-Accept is - # being sent to the NAS. - # - #packet_type = Access-Accept - - # - # Should we escape the environment variables? - # - # If this is set, all the RADIUS attributes - # are capitalised and dashes replaced with - # underscores. Also, RADIUS values are surrounded - # with double-quotes. - # - # That is to say: User-Name=BobUser => USER_NAME="BobUser" - shell_escape = yes - - # - # How long should we wait for the program to finish? - # - # Default is 10 seconds, which should be plenty for nearly - # anything. Range is 1 to 30 seconds. You are strongly - # encouraged to NOT increase this value. Decreasing can - # be used to cause authentication to fail sooner when you - # know it's going to fail anyway due to the time taken, - # thereby saving resources. - # - #timeout = 10 - -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
deleted file mode 100644
index 8f07a82..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
+++ /dev/null
@@ -1,29 +0,0 @@
-# -*- text -*-
-#
-# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
-
-#
-# Execute external programs
-#
-# This module is useful only for 'xlat'. To use it,
-# put 'exec' into the 'instantiate' section. You can then
-# do dynamic translation of attributes like:
-#
-# Attribute-Name = `%{exec:/path/to/program args}`
-#
-# The value of the attribute will be replaced with the output
-# of the program which is executed. Due to RADIUS protocol
-# limitations, any output over 253 bytes will be ignored.
-#
-# The RADIUS attributes from the user request will be placed
-# into environment variables of the executed program, as
-# described in "man unlang" and in doc/configuration/variables.rst
-#
-# See also "echo" for more sample configuration.
-#
-exec {
- wait = no
- input_pairs = request
- shell_escape = yes
- timeout = 10
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
deleted file mode 100644
index dfc0550..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
+++ /dev/null
@@ -1,13 +0,0 @@
-# -*- text -*-
-#
-# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
-
-#
-# The expiration module. This handles the Expiration attribute
-# It should be included in the *end* of the authorize section
-# in order to handle user Expiration. It should also be included
-# in the instantiate section in order to register the Expiration
-# compare function
-#
-expiration {
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr
deleted file mode 100644
index b0bfc73..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr
+++ /dev/null
@@ -1,146 +0,0 @@ -# -*- text -*- -# -# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $ - -# -# This module performs mathematical calculations: -# -# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}" -# -# It supports the following operators (in order of precedence) -# -# & binary AND -# | binary OR -# << left shift -# >> right shift -# + addition -# - subtraction -# * multiply -# / divide -# %% remainder -# ^ exponentiation -# (...) sub-expression -# -# Operator precedence follows the normal rules. -# Division by zero means that the entire expression is invalid. -# -# Note that in versions before 3.0.5, the expression -# was parsed strictly left to right, and ignored operator -# precedence. -# -# It also allows unary negation: -1 -# And twos complement: ~1 -# -# All calculations are done on signed 63-bit integers. -# e.g. int64_t. This should be sufficient for all normal -# purposes. -# -# Hex numbers are supported: 0xabcdef -# -# As with all string expansions, you can nest the expansions: -# -# %{expr: %{NAS-Port} + 1} -# %{expr: %{sql:SELECT ... } + 1} -# -# Attribute references are supported for integer attributes. -# e.g. &NAS-Port. The benefit of using attribute references -# is that the expression is calculated directly on the -# attribute. It skips the step of "print to string, and then -# parse to number". This means it's a little faster. -# -# Otherwise, all numbers are decimal. -# - -# -# The module also registers a few paircompare functions, and -# many string manipulation functions, including: -# -# rand get random number from 0 to n-1 -# "%{rand:10}" == "9" -# -# randstr get random string built from character classes: -# c lowercase letters -# C uppercase letters -# n numbers -# a alphanumeric -# ! punctuation -# . 
alphanumeric + punctuation -# s alphanumeric + "./" -# o characters suitable for OTP (easily confused removed) -# h binary data as lowercase hex -# H binary data as uppercase hex -# -# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874" -# "%{randstr:oooooooo}" == "rfVzyA4y" -# "%{randstr:hhhh}" == "68d60de3" -# -# urlquote quote special characters in URI -# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47" -# -# urlunquote unquote URL special characters -# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/" -# -# escape escape string similar to rlm_sql safe_characters -# "%{escape:foo.jpg}" == "=60img=62foo.jpg=60/img=62" -# -# unescape reverse of escape -# "%{unescape:=60img=62foo.jpg=60/img=62}" == "foo.jpg" -# -# tolower convert to lowercase -# "%{tolower:Bar}" == "bar" -# -# toupper convert to uppercase -# "%{toupper:Foo}" == "FOO" -# -# md5 get md5sum hash -# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8" -# -# sha1 get sha1 hash -# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" -# -# sha256 get sha256 hash -# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..." -# -# sha512 get sha512 hash -# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..." -# -# hmacmd5 generate HMAC-MD5 of string -# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc" -# -# hmacsha1 generate HMAC-SHA1 of string -# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a" -# -# crypt encrypt with a salt: %{crypt:salt:password} -# "%{crypt:aa:foo}" == "aaKNIEDOaueR6" -# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0" -# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..." -# -# pairs serialize attributes as comma-delimited string -# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..." 
-# -# base64 encode string as base64 -# "%{base64:foo}" == "Zm9v" -# -# base64tohex convert base64 to hex -# "%{base64tohex:Zm9v}" == "666f6f" -# -# explode split an attribute into multiple new attributes based on a delimiter -# "%{explode:&ref }" -# -# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s) -# if it were 16:18, %{nexttime:1h} would expand to 2520 -# -# lpad left-pad a string -# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo" -# -# rpad right-pad a string -# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--" -# - -expr { - # - # Characters that will not be encoded by the %{escape} - # xlat function. - # - safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files deleted file mode 100644 index bf968c5..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files +++ /dev/null @@ -1,30 +0,0 @@ -# -*- text -*- -# -# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $ - -# Livingston-style 'users' file -# -# See "man users" for more information. -# -files { - # Search for files in a subdirectory of mods-config which - # matches this instance of the files module. - moddir = ${modconfdir}/${.:instance} - - # The default key attribute to use for matches. The content - # of this attribute is used to match the "name" of the - # entry. - #key = "%{%{Stripped-User-Name}:-%{User-Name}}" - - # The old "users" style file is now located here. - filename = ${moddir}/authorize - - # This is accepted for backwards compatibility - # It will be removed in a future release. -# usersfile = ${moddir}/authorize - - # These are accepted for backwards compatibility. - # They will be renamed in a future release. - acctusersfile = ${moddir}/accounting - preproxy_usersfile = ${moddir}/pre-proxy -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
deleted file mode 100644
index 37e5f0d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
+++ /dev/null
@@ -1,161 +0,0 @@ -# -*- text -*- -# -# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $ - -# -# The "linelog" module will log one line of text to a file. -# Both the filename and the line of text are dynamically expanded. -# -# We STRONGLY suggest that you do not use data from the -# packet as part of the filename. -# -linelog { - # - # The file where the logs will go. - # - # If the filename is "syslog", then the log messages will - # go to syslog. - filename = ${logdir}/linelog - - # - # Most file systems can handly nearly the full range of UTF-8 - # characters. Ones that can deal with a limited range should - # set this to "yes". - # - escape_filenames = no - - # - # The Unix-style permissions on the log file. - # - # Depending on format string, the log file may contain secret or - # private information about users. Keep the file permissions as - # restrictive as possible. - permissions = 0600 - - # The Unix group which owns the log file. - # - # The user that freeradius runs as must be in the specified - # group, otherwise it will not be possible to set the group. -# group = ${security.group} - - # Syslog facility (if logging via syslog). - # Defaults to the syslog_facility config item in radiusd.conf. - # Standard facilities are: - # - kern Messages generated by the kernel. These cannot - # be generated by any user processes. - # - user Messages generated by random user processes. - # This is the default facility identifier if - # none is specified. - # - mail The mail system. - # - daemon System daemons, such as routed(8), that are not - # provided for explicitly by other facilities. - # - auth The authorization system: login(1), su(1), - # getty(8), etc. - # - lpr The line printer spooling system: cups-lpd(8), - # cupsd(8), etc. - # - news The network news system. - # - uucp The uucp system. - # - cron The cron daemon: cron(8). - # - authpriv The same as LOG_AUTH, but logged to a file - # readable only by selected individuals. 
- # - ftp The file transfer protocol daemons: ftpd(8), - # tftpd(8). - # - local[0-7] Reserved for local use. -# syslog_facility = daemon - - # Syslog severity (if logging via syslog). Defaults to info. - # Possible values are: - # - emergency A panic condition. This is normally broadcast - # to all users. - # - alert A condition that should be corrected immediately, - # such as a corrupted system database. - # - critical Critical conditions, e.g., hard device errors. - # - error Errors. - # - warning Warning messages. - # - notice Conditions that are not error conditions, but - # should possibly be handled specially. - # - info Informational messages. - # - debug Messages that contain information normally of use - # only when debugging a program. -# syslog_severity = info - - # If logging via syslog, the severity can be set here. - # Defaults to info. - # - # The default format string. - format = "This is a log message for %{User-Name}" - - # - # This next line can be omitted. If it is omitted, then - # the log message is static, and is always given by "format", - # above. - # - # If it is defined, then the string is dynamically expanded, - # and the result is used to find another configuration entry - # here, with the given name. That name is then used as the - # format string. - # - # If the configuration entry cannot be found, then no log - # message is printed. - # - # i.e. You can have many log messages in one "linelog" module. - # If this two-step expansion did not exist, you would have - # needed to configure one "linelog" module for each log message. - - # - # Reference the Packet-Type (Access-Accept, etc.) If it doesn't - # exist, reference the "default" entry. - # - # This is for "linelog" being used in the post-auth section - # If you want to use it in "authorize", you need to change - # the reference to "messages.%{%{Packet-Type}:-default}", - # and then add the appropriate messages. 
- # - reference = "messages.%{%{reply:Packet-Type}:-default}" - - # - # The messages defined here are taken from the "reference" - # expansion, above. - # - messages { - default = "Unknown packet type %{Packet-Type}" - - Access-Accept = "Accepted user: %{User-Name}" - Access-Reject = "Rejected user: %{User-Name}" - Access-Challenge = "Sent challenge: %{User-Name}" - } -} - -# -# Another example, for accounting packets. -# -linelog log_accounting { - # - # Used if the expansion of "reference" fails. - # - format = "" - - filename = ${logdir}/linelog-accounting - - permissions = 0600 - - reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" - - # - # Another example: - # - # - Accounting-Request { - Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})" - Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds" - - # Don't log anything for these packets. - Alive = "" - - Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online" - Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline" - - # don't log anything for other Acct-Status-Types. - unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}" - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime deleted file mode 100644 index d4f6f3e..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime +++ /dev/null 
@@ -1,23 +0,0 @@
-# -*- text -*-
-#
-# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
-
-# The logintime module. This handles the Login-Time,
-# Current-Time, and Time-Of-Day attributes. It should be
-# included in the *end* of the authorize section in order to
-# handle Login-Time checks. It should also be included in the
-# instantiate section in order to register the Current-Time
-# and Time-Of-Day comparison functions.
-#
-# When the Login-Time attribute is set to some value, and the
-# user has been permitted to log in, a Session-Timeout is
-# calculated based on the remaining time. See "doc/README".
-#
-logintime {
- # The minimum timeout (in seconds) a user is allowed
- # to have. If the calculated timeout is lower we don't
- # allow the login. Some NAS do not handle values
- # lower than 60 seconds well.
- minimum_timeout = 60
-}
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
deleted file mode 100644
index 44440bd..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
+++ /dev/null
@@ -1,253 +0,0 @@ -# -*- text -*- -# -# $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $ - -# -# Microsoft CHAP authentication -# -# This module supports MS-CHAP and MS-CHAPv2 authentication. -# It also enforces the SMB-Account-Ctrl attribute. -# -mschap { - # - # If you are using /etc/smbpasswd, see the 'passwd' - # module for an example of how to use /etc/smbpasswd - # - - # - # If use_mppe is not set to no mschap, will - # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and - # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 - # -# use_mppe = no - - # - # If MPPE is enabled, require_encryption makes - # encryption moderate - # -# require_encryption = yes - - # - # require_strong always requires 128 bit key - # encryption - # -# require_strong = yes - - # - # This module can perform authentication itself, OR - # use a Windows Domain Controller. This configuration - # directive tells the module to call the ntlm_auth - # program, which will do the authentication, and return - # the NT-Key. Note that you MUST have "winbindd" and - # "nmbd" running on the local machine for ntlm_auth - # to work. See the ntlm_auth program documentation - # for details. - # - # If ntlm_auth is configured below, then the mschap - # module will call ntlm_auth for every MS-CHAP - # authentication request. If there is a cleartext - # or NT hashed password available, you can set - # "MS-CHAP-Use-NTLM-Auth := No" in the control items, - # and the mschap module will do the authentication itself, - # without calling ntlm_auth. - # - # Be VERY careful when editing the following line! - # - # You can also try setting the user name as: - # - # ... --username=%{mschap:User-Name} ... - # - # In that case, the mschap module will look at the User-Name - # attribute, and do prefix/suffix checks in order to obtain - # the "best" user name for the request. 
- # - # For Samba 4, you should also set the "ntlm auth" parameter - # in the Samba configuration: - # - # ntlm auth = yes - # - # or - # - # ntlm auth = mschapv2-and-ntlmv2-only - # - # This will let Samba 4 accept the MS-CHAP authentication - # method that is needed by FreeRADIUS. - # - # Depending on the Samba version, you may also need to add: - # - # --allow-mschapv2 - # - # to the command-line parameters. - # -# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" - - # - # The default is to wait 10 seconds for ntlm_auth to - # complete. This is a long time, and if it's taking that - # long then you likely have other problems in your domain. - # The length of time can be decreased with the following - # option, which can save clients waiting if your ntlm_auth - # usually finishes quicker. Range 1 to 10 seconds. - # -# ntlm_auth_timeout = 10 - - # - # An alternative to using ntlm_auth is to connect to the - # winbind daemon directly for authentication. This option - # is likely to be faster and may be useful on busy systems, - # but is less well tested. - # - # Using this option requires libwbclient from Samba 4.2.1 - # or later to be installed. Make sure that ntlm_auth above is - # commented out. - # -# winbind_username = "%{mschap:User-Name}" -# winbind_domain = "%{mschap:NT-Domain}" - - # - # When using single sign-on with a winbind connection and the - # client uses a different casing for the username than the - # casing is according to the backend, reauth may fail because - # of some Windows internals. This switch tries to find the - # user in the correct casing in the backend, and retry - # authentication with that username. - # -# winbind_retry_with_normalised_username = no - - # - # Information for the winbind connection pool. 
The configuration - # items below are the same for all modules which use the new - # connection pool. - # - pool { - # - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # winbind daemon being available. - # - start = ${thread[pool].start_servers} - - # - # Minimum number of connections to keep open - # - min = ${thread[pool].min_spare_servers} - - # - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - # - max = ${thread[pool].max_servers} - - # - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. - # - spare = ${thread[pool].max_spare_servers} - - # - # Number of uses before the connection is closed - # - # 0 means "infinite" - # - uses = 0 - - # - # The number of seconds to wait after the server tries - # to open a connection, and fails. During this time, - # no new connections will be opened. - # - retry_delay = 30 - - # - # The lifetime (in seconds) of the connection - # - # NOTE: A setting of 0 means infinite (no limit). - # - lifetime = 86400 - - # - # The pool is checked for free connections every - # "cleanup_interval". If there are free connections, - # then one of them is closed. - # - cleanup_interval = 300 - - # - # The idle timeout (in seconds). A connection which is - # unused for this length of time will be closed. - # - # NOTE: A setting of 0 means infinite (no timeout). 
- # - idle_timeout = 600 - - # - # NOTE: All configuration settings are enforced. If a - # connection is closed because of "idle_timeout", - # "uses", or "lifetime", then the total number of - # connections MAY fall below "min". When that - # happens, it will open a new connection. It will - # also log a WARNING message. - # - # The solution is to either lower the "min" connections, - # or increase lifetime/idle_timeout. - # - } - - passchange { - # - # This support MS-CHAPv2 (not v1) password change - # requests. See doc/mschap.rst for more IMPORTANT - # information. - # - # Samba/ntlm_auth - if you are using ntlm_auth to - # validate passwords, you will need to use ntlm_auth - # to change passwords. Uncomment the three lines - # below, and change the path to ntlm_auth. - # -# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" -# ntlm_auth_username = "username: %{mschap:User-Name}" -# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}" - - # - # To implement a local password change, you need to - # supply a string which is then expanded, so that the - # password can be placed somewhere. e.g. passed to a - # script (exec), or written to SQL (UPDATE/INSERT). - # We give both examples here, but only one will be - # used. - # -# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}" - # -# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}" - } - - # - # For Apple Server, when running on the same machine as - # Open Directory. It has no effect on other systems. - # -# use_open_directory = yes - - # - # On failure, set (or not) the MS-CHAP error code saying - # "retries allowed". - # -# allow_retry = yes - - # - # An optional retry message. - # -# retry_msg = "Re-enter (or reset) the password" -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
deleted file mode 100644
index ab0017c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# For testing ntlm_auth authentication with PAP.
-#
-# If you have problems with authentication failing, even when the
-# password is good, it may be a bug in Samba:
-#
-# https://bugzilla.samba.org/show_bug.cgi?id=6563
-#
-# Depending on the AD / Samba configuration, you may also need to add:
-#
-# --allow-mschapv2
-#
-# to the list of command-line options.
-#
-exec ntlm_auth {
- wait = yes
- program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
deleted file mode 100644
index f766843..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
+++ /dev/null
@@ -1,18 +0,0 @@
-# -*- text -*-
-#
-# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
-
-# PAP module to authenticate users based on their stored password
-#
-# Supports multiple encryption/hash schemes. See "man rlm_pap"
-# for details.
-#
-# For instructions on creating the various types of passwords, see:
-#
-# http://www.openldap.org/faq/data/cache/347.html
-pap {
- # By default the server will use heuristics to try and automatically
- # handle base64 or hex encoded passwords. This behaviour can be
- # stopped by setting the following to "no".
-# normalise = yes
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
deleted file mode 100644
index bf77f3a..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
+++ /dev/null
@@ -1,55 +0,0 @@ -# -*- text -*- -# -# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $ - -# passwd module allows to do authorization via any passwd-like -# file and to extract any attributes from these files. -# -# See the "smbpasswd" and "etc_group" files for more examples. -# -# parameters are: -# filename - path to file -# -# format - format for filename record. This parameters -# correlates record in the passwd file and RADIUS -# attributes. -# -# Field marked as '*' is a key field. That is, the parameter -# with this name from the request is used to search for -# the record from passwd file -# -# Attributes marked as '=' are added to reply_items instead -# of default configure_items -# -# Attributes marked as '~' are added to request_items -# -# Field marked as ',' may contain a comma separated list -# of attributes. -# -# hash_size - hashtable size. Setting it to 0 is no longer permitted -# A future version of the server will have the module -# automatically determine the hash size. Having it set -# manually should not be necessary. -# -# allow_multiple_keys - if many records for a key are allowed -# -# ignore_nislike - ignore NIS-related records -# -# delimiter - symbol to use as a field separator in passwd file, -# for format ':' symbol is always used. '\0', '\n' are -# not allowed -# - -# An example configuration for using /etc/passwd. -# -# This is an example which will NOT WORK if you have shadow passwords, -# NIS, etc. The "unix" module is normally responsible for reading -# system passwords. You should use it instead of this example. -# -passwd etc_passwd { - filename = /etc/passwd - format = "*User-Name:Crypt-Password:" - hash_size = 100 - ignore_nislike = no - allow_multiple_keys = no -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess deleted file mode 100644 index ae349e9..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess
+++ /dev/null
@@ -1,62 +0,0 @@ -# -*- text -*- -# -# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $ - -# Preprocess the incoming RADIUS request, before handing it off -# to other modules. -# -# This module processes the 'huntgroups' and 'hints' files. -# In addition, it re-writes some weird attributes created -# by some NAS, and converts the attributes into a form which -# is a little more standard. -# -preprocess { - # Search for files in a subdirectory of mods-config which - # matches this instance of the preprocess module. - moddir = ${modconfdir}/${.:instance} - - huntgroups = ${moddir}/huntgroups - hints = ${moddir}/hints - - # This hack changes Ascend's weird port numbering - # to standard 0-??? port numbers so that the "+" works - # for IP address assignments. - with_ascend_hack = no - ascend_channels_per_line = 23 - - # Windows NT machines often authenticate themselves as - # NT_DOMAIN\username - # - # If this is set to 'yes', then the NT_DOMAIN portion - # of the user-name is silently discarded. - # - # This configuration entry SHOULD NOT be used. - # See the "realms" module for a better way to handle - # NT domains. - with_ntdomain_hack = no - - # Specialix Jetstream 8500 24 port access server. - # - # If the user name is 10 characters or longer, a "/" - # and the excess characters after the 10th are - # appended to the user name. - # - # If you're not running that NAS, you don't need - # this hack. - with_specialix_jetstream_hack = no - - # Cisco (and Quintum in Cisco mode) sends it's VSA attributes - # with the attribute name *again* in the string, like: - # - # H323-Attribute = "h323-attribute=value". - # - # If this configuration item is set to 'yes', then - # the redundant data in the the attribute text is stripped - # out. The result is: - # - # H323-Attribute = "value" - # - # If you're not running a Cisco or Quintum NAS, you don't - # need this hack. - with_cisco_vsa_hack = no -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp deleted file mode 100644 index 8430fc1..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp +++ /dev/null @@ -1,53 +0,0 @@ -# -*- text -*- -# -# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $ - -# Write a 'utmp' style file, of which users are currently -# logged in, and where they've logged in from. -# -# This file is used mainly for Simultaneous-Use checking, -# and also 'radwho', to see who's currently logged in. -# -radutmp { - # Where the file is stored. It's not a log file, - # so it doesn't need rotating. - # - filename = ${logdir}/radutmp - - # The field in the packet to key on for the - # 'user' name, If you have other fields which you want - # to use to key on to control Simultaneous-Use, - # then you can use them here. - # - # Note, however, that the size of the field in the - # 'utmp' data structure is small, around 32 - # characters, so that will limit the possible choices - # of keys. - # - # You may want instead: %{%{Stripped-User-Name}:-%{User-Name}} - username = %{User-Name} - - - # Whether or not we want to treat "user" the same - # as "USER", or "User". Some systems have problems - # with case sensitivity, so this should be set to - # 'no' to enable the comparisons of the key attribute - # to be case insensitive. - # - case_sensitive = yes - - # Accounting information may be lost, so the user MAY - # have logged off of the NAS, but we haven't noticed. - # If so, we can verify this information with the NAS, - # - # If we want to believe the 'utmp' file, then this - # configuration entry can be set to 'no'. - # - check_with_nas = yes - - # Set the file permissions, as the contents of this file - # are usually private. - permissions = 0600 - - caller_id = "yes" -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm
deleted file mode 100644
index fb014f7..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm
+++ /dev/null
@@ -1,75 +0,0 @@ -# -*- text -*- -# -# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $ - -# Realm module, for proxying. -# -# You can have multiple instances of the realm module to -# support multiple realm syntaxes at the same time. The -# search order is defined by the order that the modules are listed -# in the authorize and preacct sections. -# -# Four config options: -# format - must be "prefix" or "suffix" -# The special cases of "DEFAULT" -# and "NULL" are allowed, too. -# delimiter - must be a single character - -# 'realm/username' -# -# Using this entry, IPASS users have their realm set to "IPASS". -realm IPASS { - format = prefix - delimiter = "/" -} - -# 'username@realm' -# -realm suffix { - format = suffix - delimiter = "@" - - # The next configuration items are valid ONLY for a trust-router. - # For all other realms, they are ignored. -# trust_router = "localhost" -# tr_port = 12309 -# rp_realm = "realm.example.com" -# default_community = "apc.communities.example.com" -# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed -# # before they expire to avoid having to recreate them from scrach on -# # demand (implying lengthy authentications) -# rekey_enabled = no -# # if realm_lifetime is > 0, the rekey is scheduled to happen the -# # specified number of seconds after its creation or rekeying. Otherwise, -# # the key material expiration timestamp is used -# realm_lifetime = 0 -} - -# 'realm!username' -# -realm bangpath { - format = prefix - delimiter = "!" - -# trust_router = "localhost" -# tr_port = 12309 -# rp_realm = "realm.example.com" -# default_community = "apc.communities.example.com" -# rekey_enabled = no -# realm_lifetime = 0 -} - -# 'username%realm' -# -realm realmpercent { - format = suffix - delimiter = "%" -} - -# -# 'domain\user' -# -realm ntdomain { - format = prefix - delimiter = "\\" -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate
deleted file mode 100644
index 3ba88c1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate
+++ /dev/null
@@ -1,42 +0,0 @@ -# Replicate packet(s) to a home server. -# -# This module will open a new socket for each packet, and "clone" -# the incoming packet to the destination realm (i.e. home server). -# These packets are only sent to UDP home servers. TCP and TLS -# are not supported. -# -# Use it by setting "Replicate-To-Realm = name" in the control list, -# just like Proxy-To-Realm. The configurations for the two attributes -# are identical. The realm must exist, the home_server_pool must exist, -# and the home_server must exist. -# -# The only difference is that the "replicate" module sends requests -# and does not expect a reply. Any reply is ignored. -# -# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. -# -# To use this module, list "replicate" in the "authorize" or -# "accounting" section. Then, ensure that Replicate-To-Realm is set. -# The contents of the "packet" attribute list will be sent to the -# home server. The usual load-balancing, etc. features of the home -# server will be used. -# -# "radmin" can be used to mark home servers alive/dead, in order to -# enable/disable replication to specific servers. -# -# Packets can be replicated to multiple destinations. Just set -# Replicate-To-Realm multiple times. One packet will be sent for -# each of the Replicate-To-Realm attribute in the "control" list. -# -# If no packets are sent, the module returns "noop". If at least one -# packet is sent, the module returns "ok". If an error occurs, the -# module returns "fail" -# -# Note that replication does NOT change any of the packet statistics. -# If you use "radmin" to look at the statistics for a home server, -# the replicated packets will cause NO counters to increment. This -# is not a bug, this is how replication works. -# -replicate { - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh deleted file mode 100644 index d125ce4..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh +++ /dev/null @@ -1,4 +0,0 @@ -# SoH module -soh { - dhcp = yes -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp deleted file mode 100644 index 8e28704..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp +++ /dev/null @@ -1,16 +0,0 @@ -# -*- text -*- -# -# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $ - -# "Safe" radutmp - does not contain caller ID, so it can be -# world-readable, and radwho can work for normal users, without -# exposing any information that isn't already exposed by who(1). -# -# This is another 'instance' of the radutmp module, but it is given -# then name "sradutmp" to identify it later in the "accounting" -# section. -radutmp sradutmp { - filename = ${logdir}/sradutmp - permissions = 0644 - caller_id = "no" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp deleted file mode 100644 index b06946a..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp +++ /dev/null 
@@ -1,40 +0,0 @@ -# -*- text -*- -# -# $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $ - -# -# Time-based One-Time Passwords (TOTP) -# -# Defined in RFC 6238, and used in Google Authenticator. -# -# This module can only be used in the "authenticate" section. -# -# The Base32-encoded secret should be placed into: -# -# &control:TOTP-Secret -# -# The TOTP password entered by the user should be placed into: -# -# &request:TOTP-Password -# -# The module will return "ok" if the passwords match, and "fail" -# if the passwords do not match. -# -# Note that this module will NOT interact with Google. The module is -# intended to be used where the local administrator knows the TOTP -# secret key, and user has an authenticator app on their phone. -# -# Note also that while you can use the Google "chart" APIs to -# generate a QR code, doing this will give the secret to Google! -# -# Administrators should instead install a tool such as "qrcode" -# -# https://linux.die.net/man/1/qrencode -# -# and then run that locally to get an image. -# -# -# The module takes no configuration items. -# -totp { -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix deleted file mode 100644 index a5798d5..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix +++ /dev/null 
@@ -1,25 +0,0 @@ -# -*- text -*- -# -# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ - -# Unix /etc/passwd style authentication -# -# This module calls the system functions to get the "known good" -# password. This password is usually in the "crypt" form, and is -# incompatible with CHAP, MS-CHAP, PEAP, etc. -# -# If passwords are in /etc/shadow, you will need to set the "group" -# configuration in radiusd.conf. Look for "shadow", and follow the -# instructions there. -# -unix { - # - # The location of the "wtmp" file. - # The only use for 'radlast'. If you don't use - # 'radlast', then you can comment out this item. - # - # Note that the radwtmp file may get large! You should - # rotate it (cp /dev/null radwtmp), or just not use it. - # - radwtmp = ${logdir}/radwtmp -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack deleted file mode 100644 index 1cd95d2..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack +++ /dev/null 
@@ -1,105 +0,0 @@ -# -*- text -*- -# -# $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $ - -# -# This module is useful only for 'xlat'. -# To use it, add it to the raddb/mods-enabled/ directory. -# -# Two xlat functions are provided by this module: -# - unpack -# - substring -# -# Both are for use on the right-hand side of a variable assignment. -# -# unpack -# ====== -# -# ... = "%{unpack:data 1 integer}" -# -# The arguments are three fields: -# -# data -# Either &Attribute-Name -# the name of the attribute to unpack. -# MUST be a "string" or "octets" type. -# -# or 0xabcdef -# e.g. hex data. -# -# 1 -# The offset into the string from which -# it starts unpacking. The offset starts -# at zero, for the first attribute. -# -# integer -# the data type to unpack at that offset. -# e.g. integer, ipaddr, byte, short, etc. -# -# e.g. if we have Class = 0x0000000102030405, then -# -# %{unpack:&Class 4 short} -# -# will unpack octets 4 and 5 as a "short", which has -# value 0x0304. -# -# This module is used when vendors put multiple fields -# into one attribute of type "octets". -# -# The module can also be used to unpack substrings, by specifing a -# data type of "string(len)" or "octets(len)". Where "len" is an -# actual number. For example: -# -# %{unpack:&User-Name 1 string(2)} -# -# When given a User-Name of "hello", it will start taking the -# substring at offset 1 (i.e. "e"), and it will take two characters -# from that offset, i.e. "el". -# -# As a special case, you can unpack an entire string by specifying -# the offset, and nothing for the length: -# -# %{unpack:&User-Name 1 string()} -# -# When "octets(len)" is used, the output is printed as hex. e.g. 
for -# the above example with Class: -# -# %{unpack:&Class 4 octets(4)} -# -# Will return the hex string "02030405" -# -# -# substring -# ========= -# -# substring will return a substring of a string or attribute using -# the syntax -# -# %{substring:data start len} -# -# data -# Either an attribute name or string data. String data -# can have leading or trailing spaces. Only a single -# space before "start" is taken as the separator. -# -# start -# the zero based offset for the start of the substring. -# A negative value will count in from the end of the -# string. -# -# len -# the number of characters to return. A Negative value -# will remove that number of characters from the end. -# If len is more than the available number of characters -# then only the available number will be returned. -# -# Examples: -# -# "%{substring:foobar 2 3}" == "oba" -# "%{substring:foobar -3 2}" == "ba" -# "%{substring:foobar 1 -1}" == "ooba" -# if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob" -# - -unpack { -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8 b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8 deleted file mode 100644 index 00812fa..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8 +++ /dev/null @@ -1,14 +0,0 @@ -# -# Enforces UTF-8 on strings coming in from the NAS. -# -# An attribute of type "string" containing UTF-8 makes -# the module return NOOP. -# -# An attribute of type "string" containing non-UTF-8 data -# makes the module return FAIL. -# -# This module takes no configuration. -# -utf8 { - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge deleted file mode 100644 index 528670c..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge +++ /dev/null 
@@ -1,19 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $ -# -# This configuration file is used to remove almost all of the -# attributes From an Access-Challenge message. The RFCs say -# that an Access-Challenge packet can contain only a few -# attributes. We enforce that here. -# -DEFAULT - EAP-Message =* ANY, - State =* ANY, - Message-Authenticator =* ANY, - Reply-Message =* ANY, - Proxy-State =* ANY, - Session-Timeout =* ANY, - Idle-Timeout =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject deleted file mode 100644 index 54668f7..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject +++ /dev/null @@ -1,18 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $ -# -# This configuration file is used to remove almost all of the attributes -# From an Access-Reject message. The RFCs say that an Access-Reject -# packet can contain only a few attributes. We enforce that here. -# -DEFAULT - EAP-Message =* ANY, - State =* ANY, - Message-Authenticator =* ANY, - Error-Cause =* ANY, - Reply-Message =* ANY, - MS-CHAP-Error =* ANY, - Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/accounting_response b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/accounting_response deleted file mode 100644 index 23456b8..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/accounting_response +++ /dev/null 
@@ -1,16 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $ -# -# This configuration file is used to remove almost all of the attributes -# From an Accounting-Response message. The RFC's say that an -# Accounting-Response packet can contain only a few attributes. -# We enforce that here. -# -DEFAULT - Vendor-Specific =* ANY, - Message-Authenticator =* ANY, - Error-Cause =* ANY, - Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/coa b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/coa deleted file mode 100644 index 2d28a45..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/coa +++ /dev/null @@ -1,22 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 89cea2ea97dea10b82a8146cfeeeb1d7dd33b2f8 $ -# -# This configuration file is used to remove attributes From an -# CoA-Request or Disconnect-Request message. We have specified -# a sample list here. This will have to be modified to add -# attributes needed by your local configuration. -# -DEFAULT - User-Name =* ANY, - NAS-IP-Address =* ANY, - NAS-IPv6-Address =* ANY, - NAS-Port =* ANY, - NAS-Identifier =* ANY, - NAS-Port-Type =* ANY, - Calling-Station-Id =* ANY, - State =* ANY, - Message-Authenticator =* ANY, - Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/post-proxy b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/post-proxy deleted file mode 100644 index 3ecddaf..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/post-proxy +++ /dev/null 
@@ -1,119 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 5d889ea733ec8e6b246335f86bf6e122b54f23aa $ -# -# This file contains security and configuration information -# for each realm. The first field is the realm name and -# can be up to 253 characters in length. This is followed (on -# the next line) with the list of filter rules to be used to -# decide what attributes and/or values we allow proxy servers -# to pass to the NAS for this realm. -# -# When a proxy-reply packet is received from a home server, -# these attributes and values are tested. Only the first match -# is used unless the "Fall-Through" variable is set to "Yes". -# In that case the rules defined in the DEFAULT case are -# processed as well. -# -# A special realm named "DEFAULT" matches on all realm names. -# You can have only one DEFAULT entry. All entries are processed -# in the order they appear in this file. The first entry that -# matches the login-request will stop processing unless you use -# the Fall-Through variable. -# -# Indented (with the tab character) lines following the first -# line indicate the filter rules. -# -# You can include another `attrs' file with `$INCLUDE attrs.other' -# - -# -# This is a complete entry for realm "fisp". Note that there is no -# Fall-Through entry so that no DEFAULT entry will be used, and the -# server will NOT allow any other a/v pairs other than the ones -# listed here. -# -# These rules allow: -# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) -# o PPP sessions ( no SLIP, CSLIP, etc. 
) -# o dynamic ip assignment ( can't assign a static ip ) -# o an idle timeout value set to 600 seconds (10 min) or less -# o a max session time set to 28800 seconds (8 hours) or less -# -#fisp -# Service-Type == Framed-User, -# Framed-Protocol == PPP, -# Framed-IP-Address == 255.255.255.254, -# Idle-Timeout <= 600, -# Session-Timeout <= 28800 - -# -# This is a complete entry for realm "tisp". Note that there is no -# Fall-Through entry so that no DEFAULT entry will be used, and the -# server will NOT allow any other a/v pairs other than the ones -# listed here. -# -# These rules allow: -# o Only Login-User Service-Type ( no framed/ppp sessions ) -# o Telnet sessions only ( no rlogin, tcp-clear ) -# o Login host of 192.0.2.1 -# -#tisp -# Service-Type == Login-User, -# Login-Service == Telnet, -# Login-TCP-Port == 23, -# Login-IP-Host == 192.0.2.1 - -# -# The following example can be used for a home server which is only -# allowed to supply a Reply-Message, a Session-Timeout attribute of -# maximum 86400, a Idle-Timeout attribute of maximum 600 and a -# Acct-Interim-Interval attribute between 300 and 3600. -# All other attributes sent back will be filtered out. -# -#strictrealm -# Reply-Message =* ANY, -# Session-Timeout <= 86400, -# Idle-Timeout <= 600, -# Acct-Interim-Interval >= 300, -# Acct-Interim-Interval <= 3600 - -# -# This is a complete entry for realm "spamrealm". Fall-Through is used, -# so that the DEFAULT filter rules are used in addition to these. -# -# These rules allow: -# o Force the application of Filter-ID attribute to be returned -# in the proxy reply, whether the proxy sent it or not. -# o The standard DEFAULT rules as defined below -# -#spamrealm -# Framed-Filter-Id := "nosmtp.in", -# Fall-Through = Yes - -# -# The rest of this file contains the DEFAULT entry. -# DEFAULT matches with all realm names. 
(except if the realm previously -# matched an entry with no Fall-Through) -# - -DEFAULT - Framed-IP-Address == 255.255.255.254, - Framed-IP-Netmask == 255.255.255.255, - Framed-MTU >= 576, - Framed-Filter-ID =* ANY, - Reply-Message =* ANY, - Proxy-State =* ANY, - EAP-Message =* ANY, - Message-Authenticator =* ANY, - MS-MPPE-Recv-Key =* ANY, - MS-MPPE-Send-Key =* ANY, - MS-CHAP-MPPE-Keys =* ANY, - State =* ANY, - Session-Timeout <= 28800, - Idle-Timeout <= 600, - Calling-Station-Id =* ANY, - Operator-Name =* ANY, - Port-Limit <= 2 diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/pre-proxy b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/pre-proxy deleted file mode 100644 index 7144d70..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/pre-proxy +++ /dev/null 
@@ -1,65 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $ -# -# This file contains security and configuration information -# for each realm. It can be used be an rlm_attr_filter module -# instance to filter attributes before sending packets to the -# home server of a realm. -# -# When a packet is sent to a home server, these attributes -# and values are tested. Only the first match is used unless -# the "Fall-Through" variable is set to "Yes". In that case -# the rules defined in the DEFAULT case are processed as well. -# -# A special realm named "DEFAULT" matches on all realm names. -# You can have only one DEFAULT entry. All entries are processed -# in the order they appear in this file. The first entry that -# matches the login-request will stop processing unless you use -# the Fall-Through variable. -# -# The first line indicates the realm to which the rules apply. -# Indented (with the tab character) lines following the first -# line indicate the filter rules. -# - -# This is a complete entry for 'nochap' realm. It allows to send very -# basic attributes to the home server. Note that there is no Fall-Through -# entry so that no DEFAULT entry will be used. Only the listed attributes -# will be sent in the packet, all other attributes will be filtered out. -# -#nochap -# User-Name =* ANY, -# User-Password =* ANY, -# NAS-IP-Address =* ANY, -# NAS-Identifier =* ANY - -# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type -# if its value is different from 'Ethernet'. Then the default rules are -# applied. -# -#brokenas -# NAS-Port-Type == Ethernet -# Fall-Through = Yes - -# The rest of this file contains the DEFAULT entry. -# DEFAULT matches with all realm names. 
- -DEFAULT - User-Name =* ANY, - User-Password =* ANY, - CHAP-Password =* ANY, - CHAP-Challenge =* ANY, - MS-CHAP-Challenge =* ANY, - MS-CHAP-Response =* ANY, - EAP-Message =* ANY, - Message-Authenticator =* ANY, - State =* ANY, - NAS-IP-Address =* ANY, - NAS-Identifier =* ANY, - Operator-Name =* ANY, - Calling-Station-Id =* ANY, - Chargeable-User-Identity =* ANY, - Proxy-State =* ANY diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/accounting b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/accounting deleted file mode 100644 index db75515..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/accounting +++ /dev/null @@ -1,27 +0,0 @@ -# -# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $ -# -# This is like the 'users' file, but it is processed only for -# accounting packets. -# - -# Select between different accounting methods based for example on the -# Realm, the Huntgroup-Name or any combinaison of the attribute/value -# pairs contained in an accounting packet. -# -# You will need to add an "Acct-Type foo {...}" subsection to the -# main "accounting" section in order for these sample configurations -# to work. -# -#DEFAULT Realm == "foo.net", Acct-Type := foo -# -#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi -# -#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other -# -#DEFAULT Acct-Status-Type == Start, Acct-Type := start - -# Replace the User-Name with the Stripped-User-Name, if it exists. -# -#DEFAULT -# User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize deleted file mode 100644 index b78dbc8..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize +++ /dev/null 
@@ -1,13 +0,0 @@ -anonymous Cleartext-Password := "anonymous" - -#/ wildcard, accept any credentials -DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept - Tunnel-Type = VLAN, - Tunnel-Medium-Type = IEEE-802, - Tunnel-Private-Group-ID = 6 - -#DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept -# session-timeout = 14400, -# Termination-Action = RADIUS-Request, -# Tunnel-Private-Group-ID := 1, -# Reply-Message := "Hello %{User-Name}, You are assigned vlan 1" diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/dhcp b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/dhcp deleted file mode 100644 index 04f37b5..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/dhcp +++ /dev/null 
@@ -1,153 +0,0 @@ -# -# This configuration file that may be used by multiple instances of rlm_files -# to set reply and control options for defining DHCP replies. -# -# The content of this file is all made up and needs to be set appropriate to -# the network being served. -# - -############################################ -# Global and network-specific parameters # -############################################ - -# -# Note: This section is matched by calling the dhcp_network instance of the -# files module. -# - - -# -# Default options that can be overridden by subsequent matches. -# -network - DHCP-Domain-Name-Server := 192.0.1.100, - DHCP-Domain-Name-Server += 192.0.1.101, - DHCP-Time-Server := 192.0.1.200, - DHCP-Domain-Name := "example.org", - DHCP-IP-Address-Lease-Time := 7200, - Fall-Through := yes - - -# -# The following examples set options specific to the Layer 2 network, matched -# on whether the internal attribute DHCP-Network-Subnet (that acts as a -# network identifier) is within the indicated range. This is equivalent to a -# "shared-network" or "multinet" configuration (i.e. one that is possibly -# composed of multiple subnets) as defined by some other DHCP servers. -# - -# -# Here is an example for a network containing a single IP subnet. We can set -# the network-specific options *and* we directly set the DHCP-Subnet-Mask, -# DHCP-Router-Address and DHCP-Broadcast-Address since it is a common reply -# parameter for all DHCP requests originating from this network. -# -# The use of the ^= "prepend" operator for setting DHCP-Domain-Name-Server -# results in this new value being inserted at the start of the list, meaning -# this will become the first DNS server presented in the reply. -# -# Note: If the architecture has only a single subnet for each Layer 2 network -# then by placing all subnet-related options here we can avoid calling the -# dhcp_subnet policy after IP allocation. 
-# -network DHCP-Network-Subnet < 10.20.0.0/16, Pool-Name := "smalldept" - DHCP-IP-Address-Lease-Time := 3600, - DHCP-Domain-Name := "smalldept.example.org", - DHCP-Subnet-Mask := 255.255.0.0, - DHCP-Router-Address := 10.20.0.1, - DHCP-Domain-Name-Server ^= 10.20.0.2, - DHCP-Broadcast-Address := 10.20.255.255 - -# -# Here is an example for a network that consists of multiple IP subnets, each -# of which is valid for a DHCP request originating from the network. We set -# the Pool-Name parameter to identify a single pool that contains the IP -# address within each subnet, any of which is suitable. -# -# We set the options that are common to the network but we defer the setting -# of DHCP-Subnet-Mask, DHCP-Router-Address and DHCP-Broadcast-Address until an -# address has been allocated. Only then do we know which subnet parameters are -# required. See the next section. -# -network DHCP-Network-Subnet < 10.30.0.0/16, Pool-Name := "bigdept" - DHCP-Domain-Name := "bigdept.example.org" - - -# -# Here is an example for a network that has a dedicated pool for admin staff -# and a seperate pool for everything else. -# -network DHCP-Network-Subnet < 192.0.2.0/24, DHCP-Group-Name == "admin", Pool-Name := "admin-only" -network DHCP-Network-Subnet < 192.0.2.0/24, Pool-Name := "general" - - -################################ -# Subnet-specific parameters # -################################ - -# -# Note: This section is matched by calling the dhcp_subnet policy which sets -# DHCP-Network-Subnet to the allocated IP address of the device and then -# calls the dhcp_subnet instance of the files module. -# -# Layer 2 networks many contain multiple subnets, each with their own gateway. -# We call this section *after* the allocation of an IP address (e.g. from a -# single pool containing addresses within multiple equally-valid subnets for -# the network) so that we then know which subnet-specific parameters to -# return. 
-# - -# -# Subnet-specific options, matched on whether the allocated IP address is -# within the indicated range. -# -subnet DHCP-Network-Subnet < 10.30.10.0/24 - DHCP-Subnet-Mask := 255.255.255.0, - DHCP-Router-Address := 10.30.10.1, - DHCP-Broadcast-Address := 10.30.10.255 - -subnet DHCP-Network-Subnet < 10.30.20.0/24 - DHCP-Subnet-Mask := 255.255.255.0, - DHCP-Router-Address := 10.30.20.1, - DHCP-Broadcast-Address := 10.30.20.255 - - -############################### -# Group-specific parameters # -############################### - -# -# Note: This section is matched by calling the dhcp_group_options policy. -# -# It should be called *after* defining the device's group memberships in -# DHCP-Group-Name request attributes. In the default dhcp virtual server this -# is demonstrated with the help of the dhcp_group_membership instance of the -# passwd module. -# - -# -# Group-specific options, keyed by DHCP-Group-Name -# -group1 - DHCP-Server-Host-Name := "terminal-booter.example.org", - DHCP-Boot-Filename := "bootfile.pxe" - - -############################## -# Host-specific parameters # -############################## - -# -# Note: This section is matched by calling the dhcp_hosts instance of the -# files module. -# - -# -# Host-specific options, keyed by DHCP-Client-Hardware-Address -# -host-00:10:20:30:40:50 - DHCP-Boot-Filename := "customboot.pxe" - -host-10:90:80:70:aa:bb - DHCP-X-Window-Font-Server := 10.20.1.10, - DHCP-Impress-Server := 10.20.1.20 diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/pre-proxy b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/pre-proxy deleted file mode 100644 index 9c848fd..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/pre-proxy +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# Configuration file for the rlm_files module. -# Please see rlm_files(5) manpage for more information. -# -# $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $ -# -# This file is similar to the "users" file. The check items -# are compared against the request, but the "reply" items are -# used to update the proxied packet, not the reply to the NAS. -# -# You can use this file to re-write requests which are about to -# be sent to a home server. -# - -# -# Requests destinated to realm "extisp" are sent to a RADIUS -# home server hosted by an other company which doesn't know about -# the IP addresses of our NASes. Therefore we replace the value of -# the NAS-IP-Address attribute by a unique value we communicated -# to them. -# -#DEFAULT Realm == "extisp" -# NAS-IP-Address := 10.1.2.3 - -# -# For all proxied packets, set the User-Name in the proxied packet -# to the Stripped-User-Name, if it exists. If not, set it to the -# User-Name from the original request. -# -#DEFAULT -# User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}` diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/hints b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/hints deleted file mode 100644 index a785879..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/hints +++ /dev/null 
@@ -1,86 +0,0 @@ -# -# hints -# -# The hints file. This file is used to match -# a request, and then add attributes to it. This -# process allows a user to login as "bob.ppp" (for example), -# and receive a PPP connection, even if the NAS doesn't -# ask for PPP. The "hints" file is used to match the -# ".ppp" portion of the username, and to add a set of -# "user requested PPP" attributes to the request. -# -# Matching can take place with the the Prefix and Suffix -# attributes, just like in the "users" file. -# These attributes operate ONLY on the username, though. -# -# Note that the attributes that are set for each entry are -# NOT added to the reply attributes passed back to the NAS. -# Instead they are added to the list of attributes in the -# request that has been SENT by the NAS. -# -# This extra information can be used in the users file to -# match on. Usually this is done in the DEFAULT entries, -# of which there can be more than one. -# -# In addition a matching entry can transform a username -# for authentication purposes if the "Strip-User-Name" -# variable is set to Yes in an entry (default is Yes). -# -# A special non-protocol name-value pair called "Hint" -# can be set to match on in the "users" file. -# -# As with the "users" file, the first entry that matches the -# incoming request will cause the server to stop looking for -# more hints. If the "Fall-Through" attribute is set to -# "Yes" in an entry then the server will not stop, but -# continue to process further hints from the file. Matches -# on subsequent hints will be against the altered request -# from the previous hints, not against the original request. -# -# The following is how most dial-up ISPs want to set this up. 
-# -# Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $ -# - - -DEFAULT Suffix == ".ppp", Strip-User-Name = Yes - Hint = "PPP", - Service-Type = Framed-User, - Framed-Protocol = PPP - -DEFAULT Suffix == ".slip", Strip-User-Name = Yes - Hint = "SLIP", - Service-Type = Framed-User, - Framed-Protocol = SLIP - -DEFAULT Suffix == ".cslip", Strip-User-Name = Yes - Hint = "CSLIP", - Service-Type = Framed-User, - Framed-Protocol = SLIP, - Framed-Compression = Van-Jacobson-TCP-IP - -###################################################################### -# -# These entries are old, and commented out by default. -# They confuse too many people when "Peter" logs in, and the -# server thinks that the user "eter" is asking for PPP. -# -#DEFAULT Prefix == "U", Strip-User-Name = No -# Hint = "UUCP" - -#DEFAULT Prefix == "P", Strip-User-Name = Yes -# Hint = "PPP", -# Service-Type = Framed-User, -# Framed-Protocol = PPP - -#DEFAULT Prefix == "S", Strip-User-Name = Yes -# Hint = "SLIP", -# Service-Type = Framed-User, -# Framed-Protocol = SLIP - -#DEFAULT Prefix == "C", Strip-User-Name = Yes -# Hint = "CSLIP", -# Service-Type = Framed-User, -# Framed-Protocol = SLIP, -# Framed-Compression = Van-Jacobson-TCP-IP - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/huntgroups b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/huntgroups deleted file mode 100644 index da28dba..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/preprocess/huntgroups +++ /dev/null 
@@ -1,43 +0,0 @@ -# -# huntgroups This file defines the `huntgroups' that you have. A -# huntgroup is defined by specifying the IP address of -# the NAS and possibly a port. -# -# Matching is done while RADIUS scans the user file; if it -# includes the selection criteria "Huntgroup-Name == XXX" -# the huntgroup is looked up in this file to see if it -# matches. There can be multiple definitions of the same -# huntgroup; the first one that matches will be used. -# -# This file can also be used to define restricted access -# to certain huntgroups. The second and following lines -# define the access restrictions (based on username and -# UNIX usergroup) for the huntgroup. -# - -# -# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name -# called Alphen that matches on all three terminal servers. -# -#alphen NAS-IP-Address == 192.0.2.5 -#alphen NAS-IP-Address == 192.0.2.6 -#alphen NAS-IP-Address == 192.0.2.7 - -# -# The POP in Delft consists of only one terminal server. -# -#delft NAS-IP-Address == 198.51.100.5 - -# -# Port 0 on the first terminal server in Alphen are connected to -# a huntgroup that is for business users only. Note that only one -# of the username or groupname has to match to get access (OR/OR). -# -# Note that this huntgroup is a subset of the "alphen" huntgroup. -# -#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 -# User-Name == rogerl, -# User-Name == henks, -# Group == business, -# Group == staff - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/always b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/always deleted file mode 120000 index 2cc1029..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/always +++ /dev/null @@ -1 +0,0 @@ -../mods-available/always \ No newline at end of file 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/attr_filter b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/attr_filter
deleted file mode 120000
index 400dfd1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/attr_filter
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/attr_filter
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/cache_eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/cache_eap
deleted file mode 120000
index 22cfe44..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/cache_eap
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/cache_eap
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/chap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/chap
deleted file mode 120000
index 6ccd392..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/chap
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/chap
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/date b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/date
deleted file mode 120000
index 75aeb64..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/date
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/date
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail
deleted file mode 120000
index ad00d0e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/detail
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail.log b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail.log
deleted file mode 120000
index 155062d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/detail.log
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/detail.log
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/digest b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/digest
deleted file mode 120000
index 95d3d36..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/digest
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/digest
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/dynamic_clients b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/dynamic_clients
deleted file mode 120000
index 7b030ba..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/dynamic_clients
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/dynamic_clients
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/eap
deleted file mode 120000
index 37bab92..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/eap
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/eap
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/echo b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/echo
deleted file mode 120000
index a436e68..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/echo
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/echo
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/exec b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/exec
deleted file mode 120000
index a42a481..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/exec
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/exec
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expiration b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expiration
deleted file mode 120000
index 340f641..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expiration
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/expiration
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expr b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expr
deleted file mode 120000
index 64dd3ab..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/expr
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/expr
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/files b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/files
deleted file mode 120000
index 372bc86..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/files
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/files
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/linelog b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/linelog
deleted file mode 120000
index d6acab4..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/linelog
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/linelog
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/logintime b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/logintime
deleted file mode 120000
index 99b698e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/logintime
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/logintime
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/mschap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/mschap
deleted file mode 120000
index c7523de..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/mschap
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/mschap
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/ntlm_auth b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/ntlm_auth
deleted file mode 120000
index 3d68f67..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/ntlm_auth
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/ntlm_auth
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/pap b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/pap
deleted file mode 120000
index 07f986f..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/pap
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/pap
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/passwd b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/passwd
deleted file mode 120000
index be64f8b..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/passwd
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/passwd
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/preprocess b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/preprocess
deleted file mode 120000
index 266822a..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/preprocess
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/preprocess
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/radutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/radutmp
deleted file mode 120000
index e3c390c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/radutmp
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/radutmp
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/realm b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/realm
deleted file mode 120000
index acc66be..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/realm
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/realm
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/replicate b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/replicate
deleted file mode 120000
index b03d8de..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/replicate
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/replicate
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/soh b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/soh
deleted file mode 120000
index af88216..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/soh
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/soh
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/sradutmp b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/sradutmp
deleted file mode 120000
index ac90674..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/sradutmp
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/sradutmp
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/totp b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/totp
deleted file mode 120000
index 88dbfb1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/totp
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/totp
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unix b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unix
deleted file mode 120000
index 599fdef..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unix
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/unix
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unpack b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unpack
deleted file mode 120000
index dad4563..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/unpack
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/unpack
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/utf8 b/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/utf8
deleted file mode 120000
index 7979255..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-enabled/utf8
+++ /dev/null
@@ -1 +0,0 @@
-../mods-available/utf8
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/panic.gdb b/pkgs/fablab/freeradius-anon-access/raddb/panic.gdb
deleted file mode 100644
index 3ae253a..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/panic.gdb
+++ /dev/null
@@ -1,4 +0,0 @@
-info locals
-info args
-thread apply all bt full
-quit
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/abfab-tr b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/abfab-tr
deleted file mode 100644
index 834ac2e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/abfab-tr
+++ /dev/null
@@ -1,106 +0,0 @@ -# -# ABFAB Trust router policies. -# -# $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $ -# - - -# -# Verify rp parameters -# -psk_authorize { - if (&TLS-PSK-Identity) { - # TODO: may need to check trust-router-apc as well - if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") { - # do things here - } - else { - update reply { - Reply-Message = "RP not authorized for this ABFAB request" - } - reject - } - } -} - -abfab_client_check { - # check that GSS-Acceptor-Host-Name is correct - if ("%{client:gss_acceptor_host_name}") { - if (&request:GSS-Acceptor-Host-Name) { - if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { - update reply { - Reply-Message = "GSS-Acceptor-Host-Name incorrect" - } - reject - } - } - else { - # set GSS-Acceptor-Host-Name if it is not set by the mechanism - # but it is defined in the client configuration - update request { - GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" - } - } - } - - # set Trust-Router-COI attribute from the client configuration - if ("%{client:trust_router_coi}") { - update request { - Trust-Router-COI := "%{client:trust_router_coi}" - } - } - - # set GSS-Acceptor-Realm-Name attribute from the client configuration - if ("%{client:gss_acceptor_realm_name}") { - update request { - GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" - } - } - - # set GSS-Acceptor-Service-Name attribute from the client configuration - if ("%{client:gss_acceptor_service_name}") { - update request { - GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" - } - } - -} - -# A policy which is used to validate channel-bindings. 
-# -abfab_channel_bindings { - if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) { - reject - } - - if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) { - reject - } - - if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) { - reject - } - - if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) { - update control { - &Chbind-Response-Code := success - } - - # - # ACK the attributes in the request. - # - # If any one of these attributes don't exist in the request, - # then they won't be copied to the reply. - # - update reply { - &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name - &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name - &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name - } - } - - # - # Return "handled" so that the "authenticate" section isn't used. - # - handled -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/accounting b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/accounting deleted file mode 100644 index 7672e1b..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/accounting +++ /dev/null 
@@ -1,130 +0,0 @@ -# We check for this prefix to determine whether the class value was -# generated by this server. It should be changed so that it is -# globally unique. -class_value_prefix = 'ai:' - -# -# Replacement for the old rlm_acct_unique module -# -acct_unique { - # - # If we have a class attribute in the format - # 'auth_id:[0-9a-f]{32}' it'll have a local value - # (defined by insert_acct_class), this ensures - # uniqueness and suitability. - # - # We could just use the Class attribute as - # Acct-Unique-Session-Id, but this may cause problems - # with NAS that carry Class values across between - # multiple linked sessions. So we rehash class with - # Acct-Session-ID to provide a truely unique session - # identifier. - # - # Using a Class/Session-ID combination is more robust - # than using elements in the Accounting-Request, - # which may be subject to change, such as - # NAS-IP-Address, Client-IP-Address and - # NAS-Port-ID/NAS-Port. - # - # This policy should ensure that session data is not - # affected if NAS IP addresses change, or the client - # roams to a different 'port' whilst maintaining its - # initial authentication session (Common in a - # wireless environment). 
- # - update request { - &Tmp-String-9 := "${policy.class_value_prefix}" - } - - if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \ - ("%{string:&Class}" =~ /^${policy.class_value_prefix}([0-9a-f]{32})/i)) { - update request { - &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}" - } - } - - # - # Not All devices respect RFC 2865 when dealing with - # the class attribute, so be prepared to use the - # older style of hashing scheme if a class attribute - # is not included - # - else { - update request { - &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}" - } - } -} - -# -# Insert a (hopefully unique) value into class -# -insert_acct_class { - update reply { - &Class = "${policy.class_value_prefix}%{md5:%t,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name},%{session-state:User-Name} }" - } -} - -# -# Merges Acct-[Input|Output]-Octets and Acct-[Input|Output]-Gigawords into Acct-[Input|Output]-Octets64 -# -# If the &Attr-Foo doesn't exist, it's value is taken as zero. -# -acct_counters64.preacct { - update request { - &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" - &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" - } -} - -# -# There is a delay between sending the Access-Accept and receiving -# the corresponding Accounting-Request "start" packet. This delay -# can be leveraged by a user to bypass Simultaneous-Use checks. -# -# The user can start up multiple sessions at the same time. When -# that happens, both Simultaneous-Use checks are performed before any -# Accounting-Request packet is received. Both Simultaneous-Use -# checks will result in "no user session" in the radacct table, and -# both sessions will be allowed. At some point later in time, the -# Accounting-Request packets are received. 
But by then it's too -# late. -# -# The solution is to insert a temporary session into the "radacct" -# table, during the "post-auth" section. This is done by -# uncommenting the "sql_session_start" entry in -# sites-enabled/default. Then, reading -# raddb/mods-config/sql/main/*/queries.conf, and looking for the -# "sql_session_start" comments. Follow the instructions there to -# finalize the configuration. -# -# The server will then create a temporary entry in "radacct" before -# it returns the Access-Request. Any other Access-Request which is -# received at the same time will then have it's Simultaneous-Use -# check see that entry, and will be rejected. -# -# Subsequent Accounting-Request packets for the first session will -# then UPDATE (not INSERT) the data for the session. -# -# There is still a small race condition as the Simultaneous-Use -# checks are not done at the same time as updating radacct. But the -# window of opportunity is much smaller. i.e. milliseconds, instead -# of seconds. -# -# This policy can also be used to "bootstrap" accounting sessions. -# If there is data which is only available in the Access-Request, -# it can be placed in the accounting table. Then, when accounting -# packets are received, they will update the row which contains -# the session information. -# -sql_session_start.post-auth { - acct_unique - - # - # The SQL accounting queries need an Acct-Status-Type attribute - # - update request { - Acct-Status-Type := Start - } - sql.accounting -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/canonicalization b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/canonicalization deleted file mode 100644 index 6d90e37..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/canonicalization +++ /dev/null 
@@ -1,113 +0,0 @@ -# -# Split User-Name in NAI format (RFC 4282) into components -# -# This policy writes the Username and Domain portions of the -# NAI into the Stripped-User-Name and Stripped-User-Domain -# attributes. -# -# The regular expression to do this is not strictly compliant -# with the standard, but it is not possible to write a -# compliant regexp without perl style regular expressions (or -# at least not a legible one). -# -nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' - -split_username_nai { - if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { - update request { - &Stripped-User-Name := "%{1}" - } - - # Only add the Stripped-User-Domain attribute if - # we have a domain. This means presence checks - # for Stripped-User-Domain work. - if ("%{3}" != '') { - update request { - &Stripped-User-Domain = "%{3}" - } - } - - # If any of the expansions result in a null - # string, the update section may return - # something other than updated... - updated - } - else { - noop - } -} - -# -# If called in post-proxy we modify the proxy-reply message -# -split_username_nai.post-proxy { - if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { - update proxy-reply { - &Stripped-User-Name := "%{1}" - } - - # Only add the Stripped-User-Domain attribute if - # we have a domain. This means presence checks - # for Stripped-User-Domain work. - if ("%{3}" != '') { - update proxy-reply { - &Stripped-User-Domain = "%{3}" - } - } - updated - } - else { - noop - } -} - -# -# Normalize the MAC Addresses in the Calling/Called-Station-Id -# -mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' - -# -# Add "rewrite_called_station_id" in the "authorize" and -# "preacct" sections. -# -# Makes Called-Station-ID conform to what RFC3580 says should -# be provided by 802.1X authenticators. 
-#
-rewrite_called_station_id {
- if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
- update request {
- &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
- }
-
- # SSID component?
- if ("%{8}") {
- update request {
- &Called-Station-SSID := "%{8}"
- }
- }
- updated
- }
- else {
- noop
- }
-}
-
-#
-# Add "rewrite_calling_station_id" in the "authorize" and
-# "preacct" sections.
-#
-# Makes Calling-Station-ID conform to what RFC3580 says should
-# be provided by 802.1X authenticators.
-#
-rewrite_calling_station_id {
- if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
- update request {
- &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
- }
- updated
- }
- else {
- noop
- }
-}
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/control b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/control
deleted file mode 100644
index b3f1e03..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/control
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# If you want the server to pretend that it is dead,
-# then use the "do_not_respond" policy.
-#
-do_not_respond {
- update control {
- &Response-Packet-Type := Do-Not-Respond
- }
- handled
-}
-
-#
-# Send Access-Accept immediately
-#
-accept {
- update control {
- &Response-Packet-Type = Access-Accept
- }
- handled
-}
-
-#
-# Send Access-Challenge immediately
-#
-challenge {
- update control {
- &Response-Packet-Type = Access-Challenge
- }
- handled
-}
-
-#
-# Send an Accounting-Response immediately
-#
-acct_response {
- update control {
- &Response-Packet-Type = Accounting-Response
- }
- handled
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/cui b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/cui
deleted file mode 100644
index 08b2c91..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/cui
+++ /dev/null
@@ -1,131 +0,0 @@ -# -# The following policies are for the Chargeable-User-Identity -# (CUI) configuration. -# -# The policies below can be called as just 'cui' (not -# cui.authorize etc..) from the various config sections. -# - -# -# cui_hash_key definition -# This key serves the purpose of protecting CUI values against -# dictionary attacks, therefore should be chosen as a "random" -# string and kept secret. -# -cui_hash_key = "changeme" - -# -# cui_require_operator_name switch -# If this is set to nonzero value then CUI will only be added -# when a non-empty Operator-Name value is present in the request -# -cui_require_operator_name = "no" - -# -# The client indicates it can do CUI by sending a CUI attribute -# containing one zero byte. -# A non-empty value in Operator-Name can be an additional requirement. -# Normally CUI support is turned on only for such requests. -# CUI support can be used for local clients which do not -# supports CUI themselves, the server can simulate a CUI request -# adding the missing NUL CUI value and the Operator-Name attribute. -# Clients which are supposed to get this treatment should -# be marked by add_cui flag in clients.conf -# We assume that local clients are marked in the client.conf with -# add_cui flag, e.g. -# client xxxx { -# ... -# add_cui = yes -# } -# -cui.authorize { - if ("%{client:add_cui}" == 'yes') { - update request { - &Chargeable-User-Identity := 0x00 - } - } -} - -# -# Before proxing an Access-Request to a remote server, a NUL CUI -# attribute should be added, unless it is already present in the request. -# -cui.pre-proxy { - if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) { - update proxy-request { - &Chargeable-User-Identity = 0x00 - } - } -} - - -# -# Add a CUI attribute based on the User-Name, and a secret key -# known only to this server. 
-# For EAP-TTLS and EAP-PEAP methods -# use_tunneled_reply parameter MUST be set to yes -# -cui.post-auth { - if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \ - (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) { - update reply { - &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}" - } - } - - # - # The section below will store a CUI for the User in the DB and remove the - # User-Name attribute from the reply if a CUI is present. - # - # You need to configure the cuisql module and your database for this to work. - # If your NAS can do CUI based accounting themselves or you do not care about - # accounting, comment out the 'cuisql' line below. - # - if (&reply:Chargeable-User-Identity) { - # Force User-Name to be the User-Name from the request - update { - &reply:User-Name := &request:User-Name - } - cuisql - } -} - - -cui-inner.post-auth { - if (&outer.request:Chargeable-User-Identity && \ - (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) { - update reply { - &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}" - } - } -} - -# -# If your NAS can do CUI based accounting or you do not care about -# accounting then just comment out the call to cui in ...... -# -# If we had stored a CUI for the User, add it to the request. -# -cui.accounting { - # - # If the CUI isn't in the packet, see if we can find it - # in the DB. - # - if (!&Chargeable-User-Identity) { - update request { - &Chargeable-User-Identity := "%{cuisql:\ - SELECT cui FROM cui \ - WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ - AND callingstationid = '%{Calling-Station-Id}' \ - AND username = '%{User-Name}'}" - } - } - - # - # If it exists now, then write out when we last saw - # this CUI. 
- #
- if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
- cuisql
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/debug b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/debug
deleted file mode 100644
index 26583f1..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/debug
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Outputs the contents of the control list in debugging (-X) mode
-#
-debug_control {
- if("%{debug_attr:control:}" == '') {
- noop
- }
-}
-
-#
-# Outputs the contents of the request list in debugging (-X) mode
-#
-debug_request {
- if("%{debug_attr:request:}" == '') {
- noop
- }
-}
-
-#
-# Outputs the contents of the coa list in debugging (-X) mode
-#
-debug_coa {
- if("%{debug_attr:coa:}" == '') {
- noop
- }
-}
-
-#
-# Outputs the contents of the reply list in debugging (-X) mode
-#
-debug_reply {
- if("%{debug_attr:reply:}" == '') {
- noop
- }
-}
-
-#
-# Outputs the contents of the session state list in debugging (-X) mode
-#
-debug_session_state {
- if("%{debug_attr:session-state:}" == '') {
- noop
- }
-}
-
-#
-# Outputs the contents of the proxy-request state list in debugging (-X) mode
-#
-debug_proxy_request {
- if("%{debug_attr:proxy-request:}" == '') {
- noop
- }
-}
-
-#
-# Outputs the contents of the main lists in debugging (-X) mode
-#
-debug_all {
- debug_control
- debug_request
- debug_coa
- debug_reply
- debug_session_state
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/dhcp b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/dhcp
deleted file mode 100644
index 1752acb..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/dhcp
+++ /dev/null
@@ -1,327 +0,0 @@ -# Assign common DHCP reply packet options -dhcp_common { - # The contents here are invented. Change them! - update reply { - &DHCP-Domain-Name-Server = 127.0.0.1 - &DHCP-Domain-Name-Server += 127.0.0.2 - &DHCP-Subnet-Mask = 255.255.255.0 - &DHCP-Router-Address = 192.0.2.1 - &DHCP-Broadcast-Address = 192.0.2.255 - &DHCP-IP-Address-Lease-Time = 7200 - &DHCP-DHCP-Server-Identifier = &control:DHCP-DHCP-Server-Identifier - } -} - -# Lookup DHCP group based options. This policy allows for membership -# of multiple groups so can cover the ISC concepts of "group" and "class" -# To use this enable the "dhcp_files" module -#dhcp_group_options { -# foreach &request:DHCP-Group-Name { -# dhcp_set_group_options -# } -#} - -# Policy to override DHCP-Network-Subnet -# -# Some networks have a "shared-network" or "multinet" configuration (as -# defined by some other DHCP servers) in which multiple IP subnets may -# co-exist in a single Layer 2 network (or VLAN). -# -# In enterprise environments this is often for the purpose of providing loose -# segregation between classes of devices such as local network-attached -# storage or IP telephony. There are valid reasons why each of the subnets is -# not seperately VLANed, such as to enable the use of ICMP redirects to avoid -# hairpinning of cross-subnet traffic via a gateway. -# -# In ISP environments this is a common configuration for edge networks whose -# access is provided by DOCSIS cable modems that share a VLAN with the devices -# they provide a service to but are seperately addressed. -# -# Where it is necessary to force the selection of a particular subnet for a -# device, multiple pools must be configured for each subnet and referenced -# with unique identifiers in the *network-specific* section of -# mods-config/files/dhcp. 
-# -# By default DHCP-Network-Subnet is populated such that it normally -# refers to the Layer 2 network from which the DHCP query originates - we -# cannot know the intended subnet for the device without additional input to -# the policy. -# -# Override DHCP-Network-Subnet to be an address within the desired -# network to force selection of a particular address pool and/or network -# parameters. -# -# Note: If each subnet within a network is equally valid for the DHCP requests -# originating from that network then you do not need to call this policy, -# rather look at the examples concerning dhcp_subnet in -# mods-config/files/dhcp instead, which use a single pool containing addresses -# from all subnets then set the correct subnet-specific options based on the -# randomly assigned IP address. -# -#dhcp_override_network { -# if (&DHCP-Vendor-Class-Identifier && &DHCP-Vendor-Class-Identifier == "SIP100") -# update request { -# DHCP-Network-Subnet := 10.10.0.0 -# } -# } -#} - - -# Policy that calls the files instance of the same name after first making -# DHCP-Network-Subnet specific to the allocated IP address of the client. -#dhcp_subnet { -# update { -# &DHCP-Network-Subnet := "%{%{reply:DHCP-Your-IP-Address}:-%{DHCP-Client-IP-Address}}" -# } -# -# # Call the dhcp_subnet instance of the files module -# dhcp_subnet -#} - -# Assign compatibility data to request for sqlippool for DHCP Request -dhcp_sqlippool_request { - - # - # During initial address selection (DORA) the REQUEST is broadcast and - # requested-ip must be provided. We revoke any active offers for addresses - # not matching the requested-ip, i.e. those made by other servers when - # processing the DISCOVER. - # - # If there is only a single server then this optimisation can be disabled. 
- # - if (&DHCP-Requested-IP-Address) { - update request { - &Acct-Status-Type := Start - } - dhcp_sqlippool.accounting - } - - # Extend an existing offer or active lease - update request { - &Acct-Status-Type := Alive - } - dhcp_sqlippool.accounting { - notfound = return - } - - update reply { - &DHCP-Your-IP-Address := "%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}" - } - -} - -# Assign compatibility data to request for sqlippool for DHCP Release -dhcp_sqlippool_release { - - # Do some minor hacks to the request so that it looks - # like a RADIUS Accounting Stop request to the SQL IP Pool module. - update request { - &Acct-Status-Type = Stop - } - - # Call the actual module in accounting context - dhcp_sqlippool.accounting - -} - -# Assign compatibility data to request for sqlippool for DHCP Decline -dhcp_sqlippool_decline { - - # Do a minor hack to the request so that it looks - # like a RADIUS Accounting Off request to the SQL IP Pool module. - update request { - &Acct-Status-Type = Accounting-Off - } - - # Call the actual module in accounting context - dhcp_sqlippool.accounting - -} - -# Example policy for fetching option data from SQL -dhcp_policy_sql { - - # - # Network-specific options - # - - # - # We want to lookup the Layer 2 network specific DHCP options to - # include in the reply. For this we need a stable identifier for the - # network from which the request is originating (based on - # DHCP-Network-Subnet) which can be used as the lookup key - # (DHCP-SQL-Option-Identifier) for the network options. - # - # Here we fabricate an example for the purpose of placing all - # configuration elements into SQL. 
We use a PostgreSQL query that - # returns the network identifier in the row containing the smallest - # enclosing CIDR, which assumes a schema such as the following: - # - # CREATE TABLE fr_network_to_identifier (network CIDR, network_id TEXT) - # - # Note: An rlm_files based lookup of the network_identifier (as per - # the examples in the dhcp virtual server) may be preferable to an ad - # hoc SQL query assuming that the network topology does not change - # frequently. - # -# update control { -# &control:Tmp-String-0 := "%{dhcp_sql:SELECT network_id \ -# FROM fr_network_to_identifier \ -# WHERE '%{DHCP-Network-Subnet}'::inet << network \ -# ORDER BY MASKLEN(network) DESC LIMIT 1;}" -# } - - # - # Use the network identifer to lookup the options specific to the - # originating network, using "network" context. Common network - # settings can be placed into a group and shared, with individual - # networks mapped to one or more option groups. - # - # - Place network-specific options in the dhcpreply table with - # "context = 'network'". - # - Add "Fall-Through := Yes" to the network options in the dhcpreply - # table to trigger group lookups for the network, which are - # disabled by default. - # - Place "identifier = , groupname = , - # priority = , context = 'network'" in the dhcpgroup - # table to map a network to a shared set of network options. - # - Place group-specific options in the dhcpgroupreply table with - # "context = 'network'". - # - # Note: In "shared-network" or "multinet" topologies you can instead - # just set all of the network options once in the subnet-specific - # options (after obtaining an IP address), below. - # -# update control { -# &DHCP-SQL-Option-Context := "network" -# &DHCP-SQL-Option-Identifier := &control:Tmp-String-0 -# } -# dhcp_sql.authorize - - - # - # Allocate IPs from the DHCP pool in SQL. - # - # Here we simply reuse the network_id (obtained previously) as the - # Pool-Name. 
- # -# update control { -# &Pool-Name := &control:Tmp-String-0 -# } -# dhcp_sqlippool - - - # - # Subnet-specific options - # - - # - # In "shared-network" or "multinet" topologies (in which a Layer 2 - # network has a single pool that contains addresses from multiple - # subnets) it is necessary to set subnet-specific options based on the - # address that has just been allocated. - # - # Again, for this we need to derive a stable identifier for the subnet - # to which the IP address we are issuing belongs that will serve as a - # lookup key for the network options. - # - # Continuing our previous example, we can use a PostgreSQL query to - # find the subnet identifer in the row with the closest enclosing - # CIDR, which assumes a schema such as the following: - # - # CREATE TABLE fr_subnet_to_identifier (subnet CIDR, subnet_id TEXT) - # - # Note: An rlm_files based lookup of the subnet_identifier (as per the - # examples in the dhcp virtual server) is preferable to an ad hoc SQL - # query assuming that the network topology does not change frequently. - # -# update control { -# &control:Tmp-String-0 := "%{dhcp_sql:SELECT subnet_id \ -# FROM fr_subnet_to_identifier \ -# WHERE '%{reply:DHCP-Your-IP-Address}'::inet << subnet \ -# ORDER BY MASKLEN(subnet) DESC LIMIT 1;}" -# } - - # - # Use the subnet identifer to lookup the options specific to the - # subnet for the IP we are allocating, using "subnet" context. Common - # subnet settings can be placed into a group and shared, with - # individual subnets mapped to one or more option groups. - # - # - Place subnet-specific options in the dhcpreply table with - # "context = 'subnet'". - # - Add "Fall-Through := Yes" to the subnet options in the dhcpreply - # table to trigger group lookups for the subnet, which are - # disabled by default. - # - Place "identifier = , groupname = , - # priority = , context = 'subnet'" in the dhcpgroup - # table to map a subnet to a shared set of subnet options. 
- # - Place group-specific options in the dhcpgroupreply table with - # "context = 'subnet'". - # -# update control { -# &DHCP-SQL-Option-Context := "subnet" -# &DHCP-SQL-Option-Identifier := &control:Tmp-String-0 -# } -# dhcp_sql.authorize - - - # - # Host-specific and group-specific options - # - - # "Groups" conventionally differentiate devices based on manual - # groupings using a device-specific identifier such as the MAC - # address. - # - # - Place host-specific options in the dhcpreply table with - # "context = 'group'". - # - Add "Fall-Through := Yes" to the device options in the dhcpreply - # table to trigger group lookups, which are disabled by default. - # - Place "identifier = , groupname = , - # priority = , context='group'" in the dhcpgroup table - # to map a device to its groups. - # - Place group-specific options in the dhcpgroupreply table with - # "context = 'group'". - # -# update control { -# &DHCP-SQL-Option-Context := "group" -# &DHCP-SQL-Option-Identifier := &request:DHCP-Client-Hardware-Address -# } -# dhcp_sql.authorize - - - # - # Class/subclass-specific options - # - - # - # "Classes" conventionally differentiate devices based on all or part - # of one or more DHCP request options, or any combination of - # information that is available in the request or has already looked - # up from some datastore. - # - # Create multiple instances of the following block, one for each - # class. Differentiate between classes by setting - # DHCP-SQL-Option-Context uniquely. - # - # - Place "subclass"-specific options (i.e. each member of a class) - # in the dhcpreply table with "context = ". - # - For class-level options common to every member of a class, - # either: - # - Duplicate the options for each member of the subclass. - # or: - # - Add "Fall-Through := Yes" to each members options to trigger - # group lookups, which are disabled by default. 
- # - Map each member of the class to a group in the dhcpgroup - # table with context = ''; - # - Create the corresponding class in the dhcpgroupreply table - # with "context = ''". - # -# update control { -# &DHCP-SQL-Option-Context := "class-vci-substring" -# &DHCP-SQL-Option-Identifier := "%{substring %{request:DHCP-Vendor-Class-Identifier} 5 4}" -# } -# dhcp_sql.authorize - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/eap b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/eap deleted file mode 100644 index 17cf873..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/eap +++ /dev/null 
@@ -1,97 +0,0 @@ -# -# Response caching to handle proxy failovers -# -Xeap.authorize { - cache_eap - if (ok) { - # - # Expire previous cache entry - # - if (&control:State) { - update control { - &Cache-TTL := 0 - } - cache_eap - - update control { - &State !* ANY - } - } - - handled - } - else { - eap.authorize - } -} - -# -# Populate cache with responses from the EAP module -# -Xeap.authenticate { - eap { - handled = 1 - } - if (handled) { - cache_eap.authorize - - handled - } - - cache_eap.authorize -} - -# -# Forbid all EAP types. Enable this by putting "forbid_eap" -# into the "authorize" section. -# -forbid_eap { - if (&EAP-Message) { - reject - } -} - -# -# Forbid all non-EAP types outside of an EAP tunnel. -# -permit_only_eap { - if (!&EAP-Message) { - # We MAY be inside of a TTLS tunnel. - # PEAP and EAP-FAST require EAP inside of - # the tunnel, so this check is OK. - # If so, then there MUST be an outer EAP message. - if (!&outer.request || !&outer.request:EAP-Message) { - reject - } - } -} - -# -# Remove Reply-Message from response if were doing EAP -# -# Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should -# not be present in the same response. -# -remove_reply_message_if_eap { - if (&reply:EAP-Message && &reply:Reply-Message) { - update reply { - &Reply-Message !* ANY - } - } - else { - noop - } -} - -verify_tls_client_common_name { - # - # If the User-Name is anonymized, then don't check it. - # - # But if User-Name is realm AND there's a certificate name, then check - # if they match. This is not always the case, but it is the case - # often enough that it matters. - # - if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) { - reject - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/filter b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/filter deleted file mode 100644 index ff8f531..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/filter
+++ /dev/null
@@ -1,211 +0,0 @@ -# -# Example of forbidding all attempts to login via -# realms. -# -deny_realms { - if (&User-Name && (&User-Name =~ /@|\\/)) { - reject - } -} - -# -# Filter the username -# -# Force some sanity on User-Name. This helps to avoid issues -# issues where the back-end database is "forgiving" about -# what constitutes a user name. -# -filter_username { - if (&User-Name) { - # - # reject mixed case e.g. "UseRNaMe" - # - #if (&User-Name != "%{tolower:%{User-Name}}") { - # reject - #} - - # - # reject all whitespace - # e.g. "user@ site.com", or "us er", or " user", or "user " - # - if (&User-Name =~ / /) { - update request { - &Module-Failure-Message += 'Rejected: User-Name contains whitespace' - } - reject - } - - # - # reject Multiple @'s - # e.g. "user@site.com@site.com" - # - if (&User-Name =~ /@[^@]*@/ ) { - update request { - &Module-Failure-Message += 'Rejected: Multiple @ in User-Name' - } - reject - } - - # - # reject double dots - # e.g. "user@site..com" - # - if (&User-Name =~ /\.\./ ) { - update request { - &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' - } - reject - } - - # - # must have at least 1 string-dot-string after @ - # e.g. "user@site.com" - # - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { - update request { - &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator' - } - reject - } - - # - # Realm ends with a dot - # e.g. "user@site.com." - # - if (&User-Name =~ /\.$/) { - update request { - &Module-Failure-Message += 'Rejected: Realm ends with a dot' - } - reject - } - - # - # Realm begins with a dot - # e.g. "user@.site.com" - # - if (&User-Name =~ /@\./) { - update request { - &Module-Failure-Message += 'Rejected: Realm begins with a dot' - } - reject - } - } -} - -# -# Filter the User-Password -# -# Some equipment sends passwords with embedded zeros. -# This policy filters them out. 
-# -filter_password { - if (&User-Password && \ - (&User-Password != "%{string:User-Password}")) { - update request { - &Tmp-String-0 := "%{string:User-Password}" - &User-Password := "%{string:Tmp-String-0}" - &Tmp-String-0 !* "" - } - } -} - -filter_inner_identity { - # - # No names, reject. - # - if (!&outer.request:User-Name || !&User-Name) { - update request { - Module-Failure-Message = "User-Name is required for tunneled authentication" - } - reject - } - - # - # Do detailed checks only if the inner and outer - # NAIs are different. - # - # If the NAIs are the same, it violates user privacy, - # but is allowed. - # - if (&outer.request:User-Name != &User-Name) { - # - # Get the outer realm. - # - if (&outer.request:User-Name =~ /@([^@]+)$/) { - update request { - Outer-Realm-Name = "%{1}" - } - - # - # When we have an outer realm name, the user portion - # MUST either be empty, or begin with "anon". - # - # We don't check for the full "anonymous", because - # some vendors don't follow the standards. - # - if (&outer.request:User-Name !~ /^(anon|@)/) { - update request { - Module-Failure-Message = "User-Name is not anonymized" - } - reject - } - } - - # - # There's no outer realm. The outer NAI is different from the - # inner NAI. The User-Name MUST be anonymized. - # - # Otherwise, you could log in as outer "bob", and inner "doug", - # and we'd have no idea which one was correct. - # - elsif (&outer.request:User-Name !~ /^anon/) { - update request { - Module-Failure-Message = "User-Name is not anonymized" - } - reject - } - - # - # Get the inner realm. - # - if (&User-Name =~ /@([^@]+)$/) { - update request { - Inner-Realm-Name = "%{1}" - } - - # - # Note that we do EQUALITY checks for realm names. - # There is no simple way to do case insensitive checks - # on internationalized domain names. There is no reason - # to allow outer "anonymous@EXAMPLE.COM" and inner - # "user@example.com". The user should enter the same - # realm for both identities. 
- # - # If the inner realm isn't the same as the outer realm, - # the inner realm MUST be a subdomain of the outer realm. - # - if (&Outer-Realm-Name && \ - (&Inner-Realm-Name != &Outer-Realm-Name) && \ - (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) { - update request { - Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain." - } - reject - } - - # - # It's OK to have an inner realm and no outer realm. - # - # That won't work for roaming, but the local RADIUS server - # can still authenticate the user. - # - } - - # - # It's OK to have an outer realm and no inner realm. - # - # It will work for roaming, and the local RADIUS server - # can authenticate the user without the realm. - # - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/moonshot-targeted-ids b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/moonshot-targeted-ids deleted file mode 100644 index 98ae4a1..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/moonshot-targeted-ids +++ /dev/null 
@@ -1,249 +0,0 @@ -# -# The following policies generate targeted IDs for ABFAB (Moonshot) -# -# This policy requires that the UUID package is installed on your platform -# and that this is called from the inner-tunnel -# -# The following string attributes need to exist in the UKERNA dictionary -# Moonshot-Host-TargetedId (138) -# Moonshot-Realm-TargetedId (139) -# Moonshot-TR-COI-TargetedId (140) -# Moonshot-MSTID-GSS-Acceptor (141) -# Moonshot-MSTID-Namespace (142) -# Moonshot-MSTID-TargetedId (143) -# -# These attributes should also be listed in the attr_filter policies -# post-proxy and pre-proxy when you use attribute filtering: -# Moonshot-Host-TargetedId =* ANY, -# Moonshot-Realm-TargetedId =* ANY, -# Moonshot-TR-COI-TargetedId =* ANY, -# - -# -# targeted_id_salt definition -# This salt serves the purpose of protecting targeted IDs against -# dictionary attacks, therefore should be chosen as a "random" -# string and kept secret. -# -# If you use special characters %, { and }, escape them with a \ first -# -targeted_id_salt = 'changeme' - -# -# Moonshot namespaces -# These namespaces are used for UUID generation. -# They should not be changed by implementors -# -moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6' -moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6' -moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247' - - -# This policy generates a host-specific TargetedId -# -moonshot_host_tid.post-auth { - # retrieve or generate a UUID for Moonshot-Host-TargetedId - if (&outer.request:GSS-Acceptor-Host-Name) { - # prep some variables (used regardless of SQL backing or not!) - update control { - Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}" - Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}" - } - - # if you want to use SQL-based backing, remove the comment from - # this line. You also have to configure and enable the - # moonshot-targeted-ids sql module in mods-enabled. 
- # -# moonshot_get_targeted_id - - # generate a UUID for Moonshot-Host-TargetedId - if (!&control:Moonshot-MSTID-TargetedId) { - # generate the TID - moonshot_make_targeted_id - - # if you want to store your TargetedId in SQL-based backing, - # remove the comment from this line. You also have to configure - # and enable the moonshot-targeted-ids sql module in mods-enabled. - # -# moonshot_tid_sql - } - - # set the actual TargetedId in the session-state list - if (&control:Moonshot-MSTID-TargetedId) { - update outer.session-state { - Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId - } - update control { - Moonshot-MSTID-TargetedId !* ANY - } - } - - # Sanitise the control list to remove the internal attributes - update control { - Moonshot-MSTID-GSS-Acceptor !* ANY - Moonshot-MSTID-Namespace !* ANY - } - } -} - -# This policy generates a realm-specific TargetedId -# -moonshot_realm_tid.post-auth { - # retrieve or generate a UUID for Moonshot-Realm-TargetedId - if (&outer.request:GSS-Acceptor-Realm-Name) { - # prep some variables (used regardless of SQL backing or not!) - update control { - Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}" - Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}" - } - - # if you want to use SQL-based backing, remove the comment from - # this line. You also have to configure and enable the - # moonshot-targeted-ids sql module in mods-enabled. - # -# moonshot_get_targeted_id - - # generate a UUID for Moonshot-Realm-TargetedId - if (!&control:Moonshot-MSTID-TargetedId) { - # generate the TID - moonshot_make_targeted_id - - # if you want to store your TargetedId in SQL-based backing, - # remove the comment from this line. You also have to configure - # and enable the moonshot-targeted-ids sql module in mods-enabled. 
- # -# moonshot_tid_sql - } - - # set the actual TargetedId in the session-state list - if (&control:Moonshot-MSTID-TargetedId) { - update outer.session-state { - Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId - } - update control { - Moonshot-MSTID-TargetedId !* ANY - } - } - - # Sanitise the control list to remove the internal attributes - update control { - Moonshot-MSTID-GSS-Acceptor !* ANY - Moonshot-MSTID-Namespace !* ANY - } - } -} - -# This policy generates a COI-specific targeted ID -# -moonshot_coi_tid.post-auth { - # retrieve or generate a UUID for Moonshot-TR-COI-TargetedId - if (&outer.request:Trust-Router-COI) { - # prep some variables (used regardless of SQL backing or not!) - update control { - Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}" - Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}" - } - - # if you want to use SQL-based backing, remove the comment from - # this line. You also have to configure and enable the - # moonshot-targeted-ids sql module in mods-enabled. - # -# moonshot_get_targeted_id - - # generate a UUID for Moonshot-TR-COI-TargetedId - if (!&control:Moonshot-MSTID-TargetedId) { - # generate the TID - moonshot_make_targeted_id - - # if you want to store your TargetedId in SQL-based backing, - # remove the comment from this line. You also have to configure - # and enable the moonshot-targeted-ids sql module in mods-enabled. - # -# moonshot_tid_sql - } - - # set the actual TargetedId in the session-state list - if (&control:Moonshot-MSTID-TargetedId) { - update outer.session-state { - Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId - } - update control { - Moonshot-MSTID-TargetedId !* ANY - } - } - - # Sanitise the control list to remove the internal attributes - update control { - Moonshot-MSTID-GSS-Acceptor !* ANY - Moonshot-MSTID-Namespace !* ANY - } - } -} - -# This is the generic generation policy. 
It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables -# -moonshot_make_targeted_id.post-auth { - # uses variables set in the control list - # - if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { - # targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name] - # - if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) { - update control { - Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}" - } - if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) { - update control { - Moonshot-MSTID-TargetedId !* ANY - } - update outer.session-state { - Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!' - } - reject - } - } - else { - # we simply return the 'echo' error message as the Module-Failure-Message, usually a lack of 'uuid' - reject - } - } - else { - # Our variables were not set, so we'll throw an error because there's no point in continuing! - update outer.session-state { - Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!' - } - reject - } -} - -# This is the generic retrieval policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables -# -moonshot_get_targeted_id.post-auth { - # uses variables set in the control list - # - if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { - # retrieve the TargetedId - # - update control { - Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\ - SELECT targeted_id FROM moonshot_targeted_ids \ - WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \ - AND namespace = '%{control:Moonshot-MSTID-Namespace}' \ - AND username = '%{tolower:%{User-Name}}'}" - } - - # if the value is empty, there's no point in setting it and delete it from the control list! 
- if (&control:Moonshot-MSTID-TargetedId == '') {
- update control {
- Moonshot-MSTID-TargetedId !* ANY
- }
- }
- }
- else {
- # Our variables were not set, so we'll throw an error because there's no point in continuing!
- update outer.session-state {
- Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!'
- }
- reject
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/operator-name b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/operator-name
deleted file mode 100644
index 6d042d4..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/operator-name
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# The following policies are for the Operator-Name
-# configuration.
-#
-# The policies below can be called as just 'operator-name' (not
-# operator-name.authorize etc..) from the various config sections.
-#
-
-# If you require that the Operator-Name be set
-# for local clients then call the 'operator-name' policy
-# in the authorize section of the virtual-server for your clients in clients.conf
-
-# To inject an Operator-Name whilst proxying, call the
-# 'operator-name' policy in the pre-proxy section of the virtual server
-# No need to call this if you have already enabled this in
-# the authorize section.
-
-#
-# We assume that clients can have the operator-name definition
-# in the client.conf, e.g.
-# client xxxx {
-# ...
-# Operator-Name = 1your.domain
-# }
-# If this parameter is found for a client, then we add
-# an Operator-Name attribute
-#
-operator-name.authorize {
- if ("%{client:Operator-Name}") {
- update request {
- &Operator-Name = "%{client:Operator-Name}"
- }
- }
-}
-
-#
-# Before proxing the client add an Operator-Name
-# attribute identifying this site if the operator-name is found for this client
-#
-operator-name.pre-proxy {
- if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}") {
- update proxy-request {
- &Operator-Name := "%{client:Operator-Name}"
- }
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/rfc7542 b/pkgs/fablab/freeradius-anon-access/raddb/policy.d/rfc7542
deleted file mode 100644
index 97935a5..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/policy.d/rfc7542
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# The following policy is for RFC7542-style bang path
-# management.
-#
-# It hands control from the standard 'suffix' realm
-# processor to the 'bangpath' processer, allowing the
-# definition of specific routing information in the
-# decoration of the User-Name.
-#
-# Use this with caution. In particular, read the following
-# RFC document sections for reasons why you shouldn't use
-# this, and also why this is used:
-#
-# 1. https://tools.ietf.org/html/rfc4282#section-2.7
-# 2. https://tools.ietf.org/html/rfc7542#section-3.3.1
-#
-# $Id: 84a5c17d2623ca622884c835bb7906e63c417e77 $
-#
-
-# This is a |-separated list of realms this specific service
-# is responsible for. We cannot read this from the proxy.conf
-# file, so we turn this into an 'or list' regex.
-# Examples: rfc7542_realms = 'example.com'
-# rfc7542_realms = 'example.com|another.net|this.org'
-#
-rfc7542_realms = 'changeme'
-
-# This policy checks the User-Name attribute whether it is in
-# RFC7542 bang-path format. If it is, it lets the bangpath realm
-# processor handle it, otherwise it leaves it for suffix to handle
-#
-rfc7542.authorize {
- # Format: not_local_realm!...@local_realm: Handle with bangpath
- if ( (&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) && \
- !(&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) ) {
- bangpath
- updated
- }
-
- # Format: local_realm!...@not_local_realm: Handle with bangpath
- elsif ( (&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) && \
- !(&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) ) {
- bangpath
- updated
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/proxy.conf b/pkgs/fablab/freeradius-anon-access/raddb/proxy.conf
deleted file mode 100644
index a12d332..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/proxy.conf
+++ /dev/null
@@ -1,846 +0,0 @@ -# -*- text -*- -## -## proxy.conf -- proxy radius and realm configuration directives -## -## $Id: ac90a273522ed36a100d10dd91c62b99db450689 $ - -####################################################################### -# -# Proxy server configuration -# -# This entry controls the servers behaviour towards ALL other servers -# to which it sends proxy requests. -# -proxy server { - # - # Note that as of 2.0, the "synchronous", "retry_delay", - # "retry_count", and "dead_time" have all been deprecated. - # For backwards compatibility, they are are still accepted - # by the server, but they ONLY apply to the old-style realm - # configuration. i.e. realms with "authhost" and/or "accthost" - # entries. - # - # i.e. "retry_delay" and "retry_count" have been replaced - # with per-home-server configuration. See the "home_server" - # example below for details. - # - # i.e. "dead_time" has been replaced with a per-home-server - # "revive_interval". We strongly recommend that this not - # be used, however. The new method is much better. - - # - # In 2.0, the server is always "synchronous", and setting - # "synchronous = no" is impossible. This simplifies the - # server and increases the stability of the network. - # However, it means that the server (i.e. proxy) NEVER - # originates packets. It proxies packets ONLY when it receives - # a packet or a re-transmission from the NAS. If the NAS never - # re-transmits, the proxy never re-transmits, either. This can - # affect fail-over, where a packet does *not* fail over to a - # second home server.. because the NAS never retransmits the - # packet. - # - # If you need to set "synchronous = no", please send a - # message to the list - # explaining why this feature is vital for your network. - - # - # If a realm exists, but there are no live home servers for - # it, we can fall back to using the "DEFAULT" realm. 
This is - # most useful for accounting, where the server can proxy - # accounting requests to home servers, but if they're down, - # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL), - # and then store the packets in the "detail" file. That data - # can be later proxied to the home servers by radrelay, when - # those home servers come back up again. - - # Setting this to "yes" may have issues for authentication. - # i.e. If you are proxying for two different ISP's, and then - # act as a general dial-up for Gric. If one of the first two - # ISP's has their RADIUS server go down, you do NOT want to - # proxy those requests to GRIC. Instead, you probably want - # to just drop the requests on the floor. In that case, set - # this value to 'no'. - # - # allowed values: {yes, no} - # - default_fallback = no - - # - # Whether or not we allow dynamic home servers. - # - # This setting should be "no" by default. If set to "yes", - # it can slow the server down, due to mutex locking across - # multiple threads. - # - # Dynamic servers will work ONLY with the "directory" - # configuration below. - # -# dynamic = yes - - # - # The directory which contains dynamic home servers. Each - # file in the directory should be a normal "home_server" - # definitions. This directory does not exist by default. - # - # e.g: The content of ${raddbdir}/home_servers/example.com should be: - # - # home_server example.com { - # ... - # } - # - # For complete documentation, please see - # - # doc/configuration/dynamic_home_servers.md - # -# directory = ${raddbdir}/home_servers - -} - -####################################################################### -# -# Configuration for the proxy realms. -# -# As of 2.0, the "realm" configuration has changed. Instead of -# specifying "authhost" and "accthost" in a realm section, the home -# servers are specified separately in a "home_server" section. For -# backwards compatibility, you can still use the "authhost" and -# "accthost" directives. 
If you only have one home server for a -# realm, it is easier to use the old-style configuration. -# -# However, if you have multiple servers for a realm, we STRONGLY -# suggest moving to the new-style configuration. -# -# -# Load-balancing and failover between home servers is handled via -# a "home_server_pool" section. -# -# Finally, The "realm" section defines the realm, some options, and -# indicates which server pool should be used for the realm. -# -# This change means that simple configurations now require multiple -# sections to define a realm. However, complex configurations -# are much simpler than before, as multiple realms can share the same -# server pool. -# -# That is, realms point to server pools, and server pools point to -# home servers. Multiple realms can point to one server pool. One -# server pool can point to multiple home servers. Each home server -# can appear in one or more pools. -# -# See sites-available/tls for an example of configuring home servers, -# pools, and realms with TLS. -# - -###################################################################### -# -# This section defines a "Home Server" which is another RADIUS -# server that gets sent proxied requests. In earlier versions -# of FreeRADIUS, home servers were defined in "realm" sections, -# which was awkward. In 2.0, they have been made independent -# from realms, which is better for a number of reasons. -# -# You can proxy to a specific home server by doing: -# -# update control { -# Home-Server-Name = "name of home server" -# } -# -home_server localhost { - # - # Home servers can be sent Access-Request packets - # or Accounting-Request packets. - # - # Allowed values are: - # auth - Handles Access-Request packets - # acct - Handles Accounting-Request packets - # auth+acct - Handles Access-Request packets at "port", - # and Accounting-Request packets at "port + 1" - # coa - Handles CoA-Request and Disconnect-Request packets. 
- # See also raddb/sites-available/originate-coa - type = auth - - # - # Configure ONE OF the following entries: - # - # IPv4 address - # - ipaddr = 127.0.0.1 - - # OR IPv6 address - # ipv6addr = ::1 - - # OR virtual server - # virtual_server = foo - - # Note that while both ipaddr and ipv6addr will accept - # both addresses and host names, we do NOT recommend - # using host names. When you specify a host name, the - # server has to do a DNS lookup to find the IP address - # of the home server. If the DNS server is slow or - # unresponsive, it means that FreeRADIUS will NOT be - # able to determine the address, and will therefore NOT - # start. - # - # Also, the mapping of host name to address is done ONCE - # when the server starts. If DNS is later updated to - # change the address, FreeRADIUS will NOT discover that - # until after a re-start, or a HUP. - # - # If you specify a virtual_server here, then requests - # will be proxied internally to that virtual server. - # These requests CANNOT be proxied again, however. The - # intent is to have the local server handle packets - # when all home servers are dead. - # - # Requests proxied to a virtual server will be passed - # through the pre-proxy and post-proxy sections, just - # like any other request. See also the sample "realm" - # configuration, below. - # - # None of the rest of the home_server configuration is used - # for the "virtual_server" configuration. - - # - # The port to which packets are sent. - # - # Usually 1812 for type "auth", and 1813 for type "acct". - # Older servers may use 1645 and 1646. - # Use 3799 for type "coa" - # - port = 1812 - - # - # The transport protocol. - # - # If unspecified, defaults to "udp", which is the traditional - # RADIUS transport. It may also be "tcp", in which case TCP - # will be used to talk to this home server. - # - # When home servers are put into pools, the pool can contain - # home servers with both UDP and TCP transports. 
- # - #proto = udp - - # - # The shared secret use to "encrypt" and "sign" packets between - # FreeRADIUS and the home server. - # - # The secret can be any string, up to 8k characters in length. - # - # Control codes can be entered vi octal encoding, - # e.g. "\101\102" == "AB" - # Quotation marks can be entered by escaping them, - # e.g. "foo\"bar" - # Spaces or other "special" characters can be entered - # by putting quotes around the string. - # e.g. "foo bar" - # "foo;bar" - # - secret = testing123 - - ############################################################ - # - # The rest of the configuration items listed here are optional, - # and do not have to appear in every home server definition. - # - ############################################################ - - # - # You can optionally specify the source IP address used when - # proxying requests to this home server. When the src_ipaddr - # it set, the server will automatically create a proxy - # listener for that IP address. - # - # If you specify this field for one home server, you will - # likely need to specify it for ALL home servers. - # - # If you don't care about the source IP address, leave this - # entry commented. - # -# src_ipaddr = 127.0.0.1 - - # - # If the home server does not respond to a request within - # this time, the server marks the request as timed out. - # After "response_timeouts", the home server is marked - # as being "zombie", and "zombie_period" starts. - # - # The response window can be a number between 0.001 and 60.000 - # Values on the low end are discouraged, as they will likely - # not work due to limitations of operating system timers. - # - # The default response window is large because responses may - # be slow, especially when proxying across the Internet. - # - # Useful range of values: 5 to 60 - response_window = 20 - - # - # Start "zombie_period" after this many responses have - # timed out. 
- # -# response_timeouts = 1 - - # - # If the home server does not respond to ANY packets during - # the "zombie period", it will be considered to be dead. - # - # A home server that is marked "zombie" will be used for - # proxying as a low priority. If there are live servers, - # they will always be preferred to a zombie. Requests will - # be proxied to a zombie server ONLY when there are no - # live servers. - # - # Any request that is proxied to a home server will continue - # to be sent to that home server until the home server is - # marked dead. At that point, it will fail over to another - # server, if a live server is available. If none is available, - # then the "post-proxy-type fail" handler will be called. - # - # If "status_check" below is something other than "none", then - # the server will start sending status checks at the start of - # the zombie period. It will continue sending status checks - # until the home server is marked "alive". - # - # Useful range of values: 20 to 120 - zombie_period = 40 - - ############################################################ - # - # As of 2.0, FreeRADIUS supports RADIUS layer "status - # checks". These are used by a proxy server to see if a home - # server is alive. - # - # These status packets are sent ONLY if the proxying server - # believes that the home server is dead. They are NOT sent - # if the proxying server believes that the home server is - # alive. They are NOT sent if the proxying server is not - # proxying packets. - # - # If the home server responds to the status check packet, - # then it is marked alive again, and is returned to use. - # - ############################################################ - - # - # Some home servers do not support status checks via the - # Status-Server packet. Others may not have a "test" user - # configured that can be used to query the server, to see if - # it is alive. For those servers, we have NO WAY of knowing - # when it becomes alive again. 
Therefore, after the server - # has been marked dead, we wait a period of time, and mark - # it alive again, in the hope that it has come back to - # life. - # - # If it has NOT come back to life, then FreeRADIUS will wait - # for "zombie_period" before marking it dead again. During - # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because - # the home server is still dead. There is NOTHING that can - # be done about this, other than to enable the status checks, - # as documented below. - # - # e.g. if "zombie_period" is 40 seconds, and "revive_interval" - # is 300 seconds, the for 40 seconds out of every 340, or about - # 10% of the time, all authentications will fail. - # - # If the "zombie_period" and "revive_interval" configurations - # are set smaller, than it is possible for up to 50% of - # authentications to fail. - # - # As a result, we recommend enabling status checks, and - # we do NOT recommend using "revive_interval". - # - # The "revive_interval" is used ONLY if the "status_check" - # entry below is "none". Otherwise, it will not be used, - # and should be deleted. - # - # Useful range of values: 10 to 3600 - revive_interval = 120 - - # - # The proxying server (i.e. this one) can do periodic status - # checks to see if a dead home server has come back alive. - # - # If set to "none", then the other configuration items listed - # below are not used, and the "revive_interval" time is used - # instead. - # - # If set to "status-server", the Status-Server packets are - # sent. Many RADIUS servers support Status-Server. If a - # server does not support it, please contact the server - # vendor and request that they add it. With status-server if - # the home server is marked as a zombie and a status-server - # response is received, it will be immediately marked as live. 
- # - # This prevents spurious failovers in federations such as - # eduroam, where intermediary proxy servers may be functional - # but the servers of a home institution may not be, - # - # If set to "request", then Access-Request, or Accounting-Request - # packets are sent, depending on the "type" entry above (auth/acct). - # - # Allowed values: none, status-server, request - status_check = status-server - - # - # If the home server does not support Status-Server packets, - # then the server can still send Access-Request or - # Accounting-Request packets, with a pre-defined user name. - # - # This practice is NOT recommended, as it may potentially let - # users gain network access by using these "test" accounts! - # - # If it is used, we recommend that the home server ALWAYS - # respond to these Access-Request status checks with - # Access-Reject. The status check just needs an answer, it - # does not need an Access-Accept. - # - # For Accounting-Request status checks, only the username - # needs to be set. The rest of the accounting attribute are - # set to default values. The home server that receives these - # accounting packets SHOULD NOT treat them like normal user - # accounting packets. i.e It should probably NOT log them to - # a database. - # - # username = "test_user_please_reject_me" - # password = "this is really secret" - - # - # Configure the interval between sending status check packets. - # - # Setting it too low increases the probability of spurious - # fail-over and fallback attempts. - # - # Useful range of values: 6 to 120 - check_interval = 30 - - # - # Wait "check_timeout" seconds for a reply to a status check - # packet. - # - check_timeout = 4 - - # - # Configure the number of status checks in a row that the - # home server needs to respond to before it is marked alive. 
- # - # If you want to mark a home server as alive after a short - # time period of being responsive, it is best to use a small - # "check_interval", and a large value for - # "num_answers_to_alive". Using a long "check_interval" and - # a small number for "num_answers_to_alive" increases the - # probability of spurious fail-over and fallback attempts. - # - # Useful range of values: 3 to 10 - num_answers_to_alive = 3 - - # - # Limit the total number of outstanding packets to the home - # server. - # - # if ((#request sent) - (#requests received)) > max_outstanding - # then stop sending more packets to the home server - # - # This lets us gracefully fall over when the home server - # is overloaded. - max_outstanding = 65536 - - # - # The configuration items in the next sub-section are used ONLY - # when "type = coa". It is ignored for all other type of home - # servers. - # - # See RFC 5080 for the definitions of the following terms. - # RAND is a function (internal to FreeRADIUS) returning - # random numbers between -0.1 and +0.1 - # - # First Re-transmit occurs after: - # - # RT = IRT + RAND*IRT - # - # Subsequent Re-transmits occur after: - # - # RT = 2 * RTprev + RAND * RTprev - # - # Re-transmits are capped at: - # - # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT - # - # For a maximum number of attempts: MRC - # - # For a maximum (total) period of time: MRD. - # - coa { - # Initial retransmit interval: 1..5 - irt = 2 - - # Maximum Retransmit Timeout: 1..30 (0 == no maximum) - mrt = 16 - - # Maximum Retransmit Count: 1..20 (0 == retransmit forever) - mrc = 5 - - # Maximum Retransmit Duration: 5..60 - mrd = 30 - } - - # - # Connection limiting for home servers with "proto = tcp". - # - # This section is ignored for other home servers. - # - limit { - # - # Limit the number of TCP connections to the home server. - # - # The default is 16. 
- # Setting this to 0 means "no limit" - max_connections = 16 - - # - # Limit the total number of requests sent over one - # TCP connection. After this number of requests, the - # connection will be closed. Any new packets that are - # proxied to the home server will result in a new TCP - # connection being made. - # - # Setting this to 0 means "no limit" - max_requests = 0 - - # - # The lifetime, in seconds, of a TCP connection. After - # this lifetime, the connection will be closed. - # - # Setting this to 0 means "forever". - lifetime = 0 - - # - # The idle timeout, in seconds, of a TCP connection. - # If no packets have been sent over the connection for - # this time, the connection will be closed. - # - # Setting this to 0 means "no timeout". - idle_timeout = 0 - } - -} - -# Sample virtual home server. -# -# -#home_server virtual.example.com { -# virtual_server = virtual.example.com -#} - -###################################################################### -# -# This section defines a pool of home servers that is used -# for fail-over and load-balancing. In earlier versions of -# FreeRADIUS, fail-over and load-balancing were defined per-realm. -# As a result, if a server had 5 home servers, each of which served -# the same 10 realms, you would need 50 "realm" entries. -# -# In version 2.0, you would need 5 "home_server" sections, -# 10 'realm" sections, and one "home_server_pool" section to tie the -# two together. -# -# You can proxy to a specific home server pool by doing: -# -# update control { -# Home-Server-Pool = "name of pool" -# } -# -home_server_pool my_auth_failover { - # - # The type of this pool controls how home servers are chosen. - # - # fail-over - the request is sent to the first live - # home server in the list. i.e. If the first home server - # is marked "dead", the second one is chosen, etc. 
- # - # load-balance - the least busy home server is chosen, - # where "least busy" is counted by taking the number of - # requests sent to that home server, and subtracting the - # number of responses received from that home server. - # - # If there are two or more servers with the same low - # load, then one of those servers is chosen at random. - # This configuration is most similar to the old - # "round-robin" method, though it is not exactly the same. - # - # Note that load balancing does not work well with EAP, - # as EAP requires packets for an EAP conversation to be - # sent to the same home server. The load balancing method - # does not keep state in between packets, meaning that - # EAP packets for the same conversation may be sent to - # different home servers. This will prevent EAP from - # working. - # - # For non-EAP authentication methods, and for accounting - # packets, we recommend using "load-balance". It will - # ensure the highest availability for your network. - # - # client-balance - the home server is chosen by hashing the - # source IP address of the packet. If that home server - # is down, the next one in the list is used, just as - # with "fail-over". - # - # There is no way of predicting which source IP will map - # to which home server. - # - # This configuration is most useful to do simple load - # balancing for EAP sessions, as the EAP session will - # always be sent to the same home server. - # - # client-port-balance - the home server is chosen by hashing - # the source IP address and source port of the packet. - # If that home server is down, the next one in the list - # is used, just as with "fail-over". - # - # This method provides slightly better load balancing - # for EAP sessions than "client-balance". However, it - # also means that authentication and accounting packets - # for the same session MAY go to different home servers. 
- # - # keyed-balance - the home server is chosen by hashing (FNV) - # the contents of the Load-Balance-Key attribute from the - # control items. The request is then sent to home server - # chosen by taking: - # - # server = (hash % num_servers_in_pool). - # - # If there is no Load-Balance-Key in the control items, - # the load balancing method is identical to "load-balance". - # - # For most non-EAP authentication methods, The User-Name - # attribute provides a good key. An "unlang" policy can - # be used to copy the User-Name to the Load-Balance-Key - # attribute. This method may not work for EAP sessions, - # as the User-Name outside of the TLS tunnel is often - # static, e.g. "anonymous@realm". - # - # - # The default type is fail-over. - type = fail-over - - # - # A virtual_server may be specified here. If so, the - # "pre-proxy" and "post-proxy" sections are called when - # the request is proxied, and when a response is received. - # - # This lets you have one policy for all requests that are proxied - # to a home server. This policy is completely independent of - # any policies used to receive, or process the request. - # - #virtual_server = pre_post_proxy_for_pool - - # - # Next, a list of one or more home servers. The names - # of the home servers are NOT the hostnames, but the names - # of the sections. (e.g. home_server foo {...} has name "foo". - # - # Note that ALL home servers listed here have to be of the same - # type. i.e. they all have to be "auth", or they all have to - # be "acct", or the all have to be "auth+acct". - # - home_server = localhost - - # Additional home servers can be listed. - # There is NO LIMIT to the number of home servers that can - # be listed, though using more than 10 or so will become - # difficult to manage. - # - # home_server = foo.example.com - # home_server = bar.example.com - # home_server = baz.example.com - # home_server = ... - - - # - # If ALL home servers are dead, then this "fallback" home server - # is used. 
If set, it takes precedence over any realm-based - # fallback, such as the DEFAULT realm. - # - # For reasons of stability, this home server SHOULD be a virtual - # server. Otherwise, the fallback may itself be dead! - # - #fallback = virtual.example.com -} - -###################################################################### -# -# -# This section defines a new-style "realm". Note the in version 2.0, -# there are many fewer configuration items than in 1.x for a realm. -# -# Automatic proxying is done via the "realms" module (see "man -# rlm_realm"). To manually proxy the request put this entry in the -# "users" file: - -# -# -#DEFAULT Proxy-To-Realm := "realm_name" -# -# -realm example.com { - # - # Realms point to pools of home servers. -# - # For authentication, the "auth_pool" configuration item - # should point to a "home_server_pool" that was previously - # defined. All of the home servers in the "auth_pool" must - # be of type "auth". - # - # For accounting, the "acct_pool" configuration item - # should point to a "home_server_pool" that was previously - # defined. All of the home servers in the "acct_pool" must - # be of type "acct". - # - # If you have a "home_server_pool" where all of the home servers - # are of type "auth+acct", you can just use the "pool" - # configuration item, instead of specifying both "auth_pool" - # and "acct_pool". - - auth_pool = my_auth_failover -# acct_pool = acct - - # The server can proxy CoA packets based on the Operator-Name - # attribute. This requires that the "suffix" module be - # listed in the "recv-coa" section. - # - # See raddb/sites-available/coa - # -# coa_pool = name_of_coa_pool - - # - # Normally, when an incoming User-Name is matched against the - # realm, the realm name is "stripped" off, and the "stripped" - # user name is used to perform matches. - # - # e.g. 
User-Name = "bob@example.com" will result in two new - # attributes being created by the "realms" module: - # - # Stripped-User-Name = "bob" - # Realm = "example.com" - # - # The Stripped-User-Name is then used as a key in the "users" - # file, for example. - # - # If you do not want this to happen, uncomment "nostrip" below. - # - # nostrip - - # There are no more configuration entries for a realm. -} - - -# -# This is a sample entry for iPass. -# Note that you have to define "ipass_auth_pool" and -# "ipass_acct_pool", along with home_servers for them, too. -# -#realm IPASS { -# nostrip -# -# auth_pool = ipass_auth_pool -# acct_pool = ipass_acct_pool -#} - -# -# This realm is used mainly to cancel proxying. You can have -# the "realm suffix" module configured to proxy all requests for -# a realm, and then later cancel the proxying, based on other -# configuration. -# -# For example, you want to terminate PEAP or EAP-TTLS locally, -# you can add the following to the "users" file: -# -# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL -# -realm LOCAL { - # If we do not specify a server pool, the realm is LOCAL, and - # requests are not proxied to it. -} - -# -# This realm is for requests which don't have an explicit realm -# prefix or suffix. User names like "bob" will match this one. -# -#realm NULL { -# authhost = radius.example.com:1600 -# accthost = radius.example.com:1601 -# secret = testing123 -#} - -# -# This realm is for ALL OTHER requests. -# -#realm DEFAULT { -# authhost = radius.example.com:1600 -# accthost = radius.example.com:1601 -# secret = testing123 -#} - - -# This realm "proxies" requests internally to a virtual server. -# The pre-proxy and post-proxy sections are run just as with any -# other kind of home server. The virtual server then receives -# the request, and replies, just as with any other packet. -# -# Once proxied internally like this, the request CANNOT be proxied -# internally or externally. 
-# -#realm virtual.example.com { -# virtual_server = virtual.example.com -#} -# - -# -# Regular expressions may also be used as realm names. If these are used, -# then the "find matching realm" process is as follows: -# -# 1) Look for a non-regex realm with an *exact* match for the name. -# If found, it is used in preference to any regex matching realm. -# -# 2) Look for a regex realm, in the order that they are listed -# in the configuration files. Any regex match is performed in -# a case-insensitive fashion. -# -# 3) If no realm is found, return the DEFAULT realm, if any. -# -# The order of the realms matters in step (2). For example, defining -# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in -# the second realm NEVER matching. This is because all of the realms -# which match the second regex also match the first one. Since the -# first regex matches, it is returned. -# -# The solution is to list the realms in the opposite order,. e.g. -# ".*\.test\.example.net$", followed by ".*\.example\.net$". -# -# -# Some helpful rules: -# -# - always place a '~' character at the start of the realm name. -# This signifies that it is a regex match, and not an exact match -# for the realm. -# -# - place the regex in double quotes. This helps the configuration -# file parser ignore any "special" characters in the regex. -# Yes, this rule is different than the normal "unlang" rules for -# regular expressions. That may be fixed in a future release. -# -# - If you are matching domain names, put a '$' at the end of the regex -# that matches the domain name. This tells the regex matching code -# that the realm ENDS with the domain name, so it does not match -# realms with the domain name in the middle. e.g. "~.*\.example\.net" -# will match "test.example.netFOO", which is likely not what you want. -# Using "~(.*\.)example\.net$" is better. -# -# The more regex realms that are defined, the more time it takes to -# process them. 
You should define as few regex realms as possible -# in order to maximize server performance. -# -#realm "~(.*\.)*example\.net$" { -# auth_pool = my_auth_failover -#} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf b/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf deleted file mode 100644 index 965a495..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/radiusd.conf +++ /dev/null 
@@ -1,931 +0,0 @@
-# -*- text -*-
-##
-## radiusd.conf -- FreeRADIUS server configuration file - 3.0.25
-##
-## http://www.freeradius.org/
-## $Id: 70c0c32547eb6b68d6362430f66e27fc105fe2b2 $
-##
-
-######################################################################
-#
-# The format of this (and other) configuration file is
-# documented in "man unlang". There are also READMEs in many
-# subdirectories:
-#
-# raddb/README.rst
-# How to upgrade from v2.
-#
-# raddb/mods-available/README.rst
-# How to use mods-available / mods-enabled.
-# All of the modules are in individual files,
-# along with configuration items and full documentation.
-#
-# raddb/sites-available/README
-# virtual servers, "listen" sections, clients, etc.
-# The "sites-available" directory contains many
-# worked examples of common configurations.
-#
-# raddb/certs/README.md
-# How to create certificates for EAP or RadSec.
-#
-# Every configuration item in the server is documented
-# extensively in the comments in the example configuration
-# files.
-#
-# Before editing this (or any other) configuration file, PLEASE
-# read "man radiusd". See the section titled DEBUGGING. It
-# outlines a method where you can quickly create the
-# configuration you want, with minimal effort.
-#
-# Run the server in debugging mode, and READ the output.
-#
-# $ radiusd -X
-#
-# We cannot emphasize this point strongly enough. The vast
-# majority of problems can be solved by carefully reading the
-# debugging output, which includes warnings about common issues,
-# and suggestions for how they may be fixed.
-#
-# There may be a lot of output, but look carefully for words like:
-# "warning", "error", "reject", or "failure". The messages there
-# will usually be enough to guide you to a solution.
-#
-# More documentation on "radiusd -X" is available on the wiki:
-# https://wiki.freeradius.org/radiusd-X
-#
-# If you are going to ask a question on the mailing list, then
-# explain what you are trying to do, and include the output from
-# debugging mode (radiusd -X). Failure to do so means that all
-# of the responses to your question will be people telling you
-# to "post the output of radiusd -X".
-#
-# Guidelines for posting to the mailing list are on the wiki:
-# https://wiki.freeradius.org/list-help
-#
-# Please read those guidelines before posting to the list.
-#
-# Further documentation is available in the "doc" directory
-# of the server distribution, or on the wiki at:
-# https://wiki.freeradius.org/
-#
-# New users to RADIUS should read the Technical Guide. That guide
-# explains how RADIUS works, how FreeRADIUS works, and what each
-# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
-# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
-#
-# More documentation on dictionaries, modules, unlang, etc. is also
-# available on the Network RADIUS web site:
-# https://networkradius.com/freeradius-documentation/
-#
-
-######################################################################
-
-prefix = @PREFIX@
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-modconfdir = ${confdir}/mods-config
-certdir = ${confdir}/certs
-cadir = ${confdir}/certs
-run_dir = ${localstatedir}/run/${name}
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-#
-# libdir: Where to find the rlm_* modules.
-#
-# This should be automatically set at configuration time.
-#
-# If the server builds and installs, but fails at execution time
-# with an 'undefined symbol' error, then you can use the libdir
-# directive to work around the problem.
-#
-# The cause is usually that a library has been installed on your
-# system in a place where the dynamic linker CANNOT find it. When
-# executing as root (or another user), your personal environment MAY
-# be set up to allow the dynamic linker to find the library. When
-# executing as a daemon, FreeRADIUS MAY NOT have the same
-# personalized configuration.
-#
-# To work around the problem, find out which library contains that symbol,
-# and add the directory containing that library to the end of 'libdir',
-# with a colon separating the directory names. NO spaces are allowed.
-#
-# e.g. libdir = /usr/local/lib:/opt/package/lib
-#
-# You can also try setting the LD_LIBRARY_PATH environment variable
-# in a script which starts the server.
-#
-# If that does not work, then you can re-configure and re-build the
-# server to NOT use shared libraries, via:
-#
-# ./configure --disable-shared
-# make
-# make install
-#
-libdir = ${prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-#
-# The server may be signalled while it's running by using this
-# file.
-#
-# This file is written when ONLY running in daemon mode.
-#
-# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
-#
-pidfile = ${run_dir}/${name}.pid
-
-#
-# correct_escapes: use correct backslash escaping
-#
-# Prior to version 3.0.5, the handling of backslashes was a little
-# awkward, i.e. "wrong". In some cases, to get one backslash into
-# a regex, you had to put 4 in the config files.
-#
-# Version 3.0.5 fixes that. However, for backwards compatibility,
-# the new method of escaping is DISABLED BY DEFAULT. This means
-# that upgrading to 3.0.5 won't break your configuration.
-#
-# If you don't have double backslashes (i.e. \\) in your configuration,
-# this won't matter to you. If you do have them, fix that to use only
-# one backslash, and then set "correct_escapes = true".
-#
-# You can check for this by doing:
-#
-# $ grep '\\\\' $(find raddb -type f -print)
-#
-correct_escapes = true
-
-# panic_action: Command to execute if the server dies unexpectedly.
-#
-# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
-# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
-# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
-#
-# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
-# PATTACH CAN BE USED AS AN ATTACK VECTOR.
-#
-# The panic action is a command which will be executed if the server
-# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
-# SIGABRT or SIGFPE.
-#
-# This can be used to start an interactive debugging session so
-# that information regarding the current state of the server can
-# be acquired.
-#
-# The following string substitutions are available:
-# - %e The currently executing program e.g. /sbin/radiusd
-# - %p The PID of the currently executing program e.g. 12345
-#
-# Standard ${} substitutions are also allowed.
-#
-# An example panic action for opening an interactive session in GDB would be:
-#
-#panic_action = "gdb %e %p"
-#
-# Again, don't use that on a production system.
-#
-# An example panic action for opening an automated session in GDB would be:
-#
-#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
-#
-# That command can be used on a production system.
-#
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-#
-# Requests which take more time than this to process may be killed, and
-# a REJECT message is returned.
-#
-# WARNING: If you notice that requests take a long time to be handled,
-# then this MAY INDICATE a bug in the server, in one of the modules
-# used to handle a request, OR in your local configuration.
-#
-# This problem is most often seen when using an SQL database. If it takes
-# more than a second or two to receive an answer from the SQL database,
-# then it probably means that you haven't indexed the database. See your
-# SQL server documentation for more information.
-#
-# Useful range of values: 5 to 120
-#
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-# a reply which was sent to the NAS.
-#
-# The RADIUS request is normally cached internally for a short period
-# of time, after the reply is sent to the NAS. The reply packet may be
-# lost in the network, and the NAS will not see it. The NAS will then
-# re-send the request, and the server will respond quickly with the
-# cached reply.
-#
-# If this value is set too low, then duplicate requests from the NAS
-# MAY NOT be detected, and will instead be handled as separate requests.
-#
-# If this value is set too high, then the server will cache too many
-# requests, and some new requests may get blocked. (See 'max_requests'.)
-#
-# Useful range of values: 2 to 30
-#
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-# track of. This should be 256 multiplied by the number of clients.
-# e.g. With 4 clients, this number should be 1024.
-#
-# If this number is too low, then when the server becomes busy,
-# it will not respond to any new requests, until the 'cleanup_delay'
-# time has passed, and it has removed the old requests.
-#
-# If this number is set too high, then the server will use a bit more
-# memory for no real benefit.
-#
-# If you aren't sure what it should be set to, it's better to set it
-# too high than too low. Setting it to 1000 per client is probably
-# the highest it should be.
-#
-# Useful range of values: 256 to infinity
-#
-max_requests = 16384
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
-#
-# The default is 'off' because it would be overall better for the net
-# if people had to knowingly turn this feature on, since enabling it
-# means that each client request will result in AT LEAST one lookup
-# request to the nameserver. Enabling hostname_lookups will also
-# mean that your server may stop randomly for 30 seconds from time
-# to time, if the DNS requests take too long.
-#
-# Turning hostname lookups off also means that the server won't block
-# for 30 seconds, if it sees an IP address which has no name associated
-# with it.
-#
-# allowed values: {no, yes}
-#
-hostname_lookups = no
-
-#
-# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when
-# the server sends an Access-Challenge, and then client does not
-# respond to it. The goal is to allow administrators to log
-# something when the client does not respond.
-#
-# See sites-available/default, "Post-Auth-Type Client-Lost" for more
-# information.
-#
-#postauth_client_lost = no
-
-#
-# Logging section. The various "log_*" configuration items
-# will eventually be moved here.
-#
-log {
- #
- # Destination for log messages. This can be one of:
- #
- # files - log to "file", as defined below.
- # syslog - to syslog (see also the "syslog_facility", below.
- # stdout - standard output
- # stderr - standard error.
- #
- # The command-line option "-X" over-rides this option, and forces
- # logging to go to stdout.
- #
- destination = files
-
- #
- # Highlight important messages sent to stderr and stdout.
- #
- # Option will be ignored (disabled) if output if TERM is not
- # an xterm or output is not to a TTY.
- #
- colourise = yes
-
- #
- # The logging messages for the server are appended to the
- # tail of this file if destination == "files"
- #
- # If the server is running in debugging mode, this file is
- # NOT used.
- #
- file = ${logdir}/radius.log
-
- #
- # Which syslog facility to use, if ${destination} == "syslog"
- #
- # The exact values permitted here are OS-dependent. You probably
- # don't want to change this.
- #
- syslog_facility = daemon
-
- # Log the full User-Name attribute, as it was found in the request.
- #
- # allowed values: {no, yes}
- #
- stripped_names = no
-
- # Log all (accept and reject) authentication results to the log file.
- #
- # This is the same as setting "auth_accept = yes" and
- # "auth_reject = yes"
- #
- # allowed values: {no, yes}
- #
- auth = yes
-
- # Log Access-Accept results to the log file.
- #
- # This is only used if "auth = no"
- #
- # allowed values: {no, yes}
- #
-# auth_accept = no
-
- # Log Access-Reject results to the log file.
- #
- # This is only used if "auth = no"
- #
- # allowed values: {no, yes}
- #
-# auth_reject = no
-
- # Log passwords with the authentication requests.
- # auth_badpass - logs password if it's rejected
- # auth_goodpass - logs password if it's correct
- #
- # allowed values: {no, yes}
- #
- auth_badpass = yes
- auth_goodpass = yes
-
- # Log additional text at the end of the "Login OK" messages.
- # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
- # configurations above have to be set to "yes".
- #
- # The strings below are dynamically expanded, which means that
- # you can put anything you want in them. However, note that
- # this expansion can be slow, and can negatively impact server
- # performance.
- #
-# msg_goodpass = ""
-# msg_badpass = ""
-
- # The message when the user exceeds the Simultaneous-Use limit.
- #
- msg_denied = "You are already logged in - access denied"
-
- # Suppress "secret" attributes when printing them in debug mode.
- #
- # Secrets are NOT tracked across xlat expansions. If your
- # configuration puts secrets into other strings, they will
- # still get printed.
- #
- # Setting this to "yes" means that the server prints
- #
- # <<< secret >>>
- #
- # instead of the value, for attriburtes which contain secret
- # information. e.g. User-Name, Tunnel-Password, etc.
- #
- # This configuration is disabled by default. It is extremely
- # important for administrators to be able to debug user logins
- # by seeing what is actually being sent.
- #
-# suppress_secrets = no
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#
-# ENVIRONMENT VARIABLES
-#
-# You can reference environment variables using an expansion like
-# `$ENV{PATH}`. However it is sometimes useful to be able to also set
-# environment variables. This section lets you do that.
-#
-# The main purpose of this section is to allow administrators to keep
-# RADIUS-specific configuration in the RADIUS configuration files.
-# For example, if you need to set an environment variable which is
-# used by a module. You could put that variable into a shell script,
-# but that's awkward. Instead, just list it here.
-#
-# Note that these environment variables are set AFTER the
-# configuration file is loaded. So you cannot set FOO here, and
-# expect to reference it via `$ENV{FOO}` in another configuration file.
-# You should instead just use a normal configuration variable for
-# that.
-#
-ENV {
- #
- # Set environment varable `FOO` to value '/bar/baz'.
- #
- # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
- # values.
- #
-# FOO = '/bar/baz'
-
- #
- # Delete environment variable `BAR`.
- #
-# BAR
-
- #
- # `LD_PRELOAD` is special. It is normally set before the
- # application runs, and is interpreted by the dynamic linker.
- # Which means you cannot set it inside of an application, and
- # expect it to load libraries.
- #
- # Since this functionality is useful, we extend it here.
- #
- # You can set
- #
- # LD_PRELOAD = /path/to/library.so
- #
- # and the server will load the named libraries. Multiple
- # libraries can be loaded by specificing multiple individual
- # `LD_PRELOAD` entries.
- #
- #
-# LD_PRELOAD = /path/to/library1.so
-# LD_PRELOAD = /path/to/library2.so
-}
-
-# SECURITY CONFIGURATION
-#
-# There may be multiple methods of attacking on the server. This
-# section holds the configuration items which minimize the impact
-# of those attacks
-#
-security {
- # chroot: directory where the server does "chroot".
- #
- # The chroot is done very early in the process of starting
- # the server. After the chroot has been performed it
- # switches to the "user" listed below (which MUST be
- # specified). If "group" is specified, it switches to that
- # group, too. Any other groups listed for the specified
- # "user" in "/etc/group" are also added as part of this
- # process.
- #
- # The current working directory (chdir / cd) is left
- # *outside* of the chroot until all of the modules have been
- # initialized. This allows the "raddb" directory to be left
- # outside of the chroot. Once the modules have been
- # initialized, it does a "chdir" to ${logdir}. This means
- # that it should be impossible to break out of the chroot.
- #
- # If you are worried about security issues related to this
- # use of chdir, then simply ensure that the "raddb" directory
- # is inside of the chroot, end be sure to do "cd raddb"
- # BEFORE starting the server.
- #
- # If the server is statically linked, then the only files
- # that have to exist in the chroot are ${run_dir} and
- # ${logdir}. If you do the "cd raddb" as discussed above,
- # then the "raddb" directory has to be inside of the chroot
- # directory, too.
- #
-# chroot = /path/to/chroot/directory
-
- # user/group: The name (or #number) of the user/group to run radiusd as.
- #
- # If these are commented out, the server will run as the
- # user/group that started it. In order to change to a
- # different user/group, you MUST be root ( or have root
- # privileges ) to start the server.
- #
- # We STRONGLY recommend that you run the server with as few
- # permissions as possible. That is, if you're not using
- # shadow passwords, the user and group items below should be
- # set to radius'.
- #
- # NOTE that some kernels refuse to setgid(group) when the
- # value of (unsigned)group is above 60000; don't use group
- # "nobody" on these systems!
- #
- # On systems with shadow passwords, you might have to set
- # 'group = shadow' for the server to be able to read the
- # shadow password file. If you can authenticate users while
- # in debug mode, but not in daemon mode, it may be that the
- # debugging mode server is running as a user that can read
- # the shadow info, and the user listed below can not.
- #
- # The server will also try to use "initgroups" to read
- # /etc/groups. It will join all groups where "user" is a
- # member. This can allow for some finer-grained access
- # controls.
- #
-# user = radius
-# group = radius
-
- # Core dumps are a bad thing. This should only be set to
- # 'yes' if you're debugging a problem with the server.
- #
- # allowed values: {no, yes}
- #
- allow_core_dumps = no
-
- #
- # max_attributes: The maximum number of attributes
- # permitted in a RADIUS packet. Packets which have MORE
- # than this number of attributes in them will be dropped.
- #
- # If this number is set too low, then no RADIUS packets
- # will be accepted.
- #
- # If this number is set too high, then an attacker may be
- # able to send a small number of packets which will cause
- # the server to use all available memory on the machine.
- #
- # Setting this number to 0 means "allow any number of attributes"
- max_attributes = 200
-
- #
- # reject_delay: When sending an Access-Reject, it can be
- # delayed for a few seconds. This may help slow down a DoS
- # attack. It also helps to slow down people trying to brute-force
- # crack a users password.
- #
- # Setting this number to 0 means "send rejects immediately"
- #
- # If this number is set higher than 'cleanup_delay', then the
- # rejects will be sent at 'cleanup_delay' time, when the request
- # is deleted from the internal cache of requests.
- #
- # This number can be a decimal, e.g. 3.4
- #
- # Useful ranges: 1 to 5
- reject_delay = 1
-
- #
- # status_server: Whether or not the server will respond
- # to Status-Server requests.
- #
- # When sent a Status-Server message, the server responds with
- # an Access-Accept or Accounting-Response packet.
- #
- # This is mainly useful for administrators who want to "ping"
- # the server, without adding test users, or creating fake
- # accounting packets.
- #
- # It's also useful when a NAS marks a RADIUS server "dead".
- # The NAS can periodically "ping" the server with a Status-Server
- # packet. If the server responds, it must be alive, and the
- # NAS can start using it for real requests.
- #
- # See also raddb/sites-available/status
- #
- status_server = yes
-
- #
- # allow_vulnerable_openssl: Allow the server to start with
- # versions of OpenSSL known to have critical vulnerabilities.
- #
- # This check is based on the version number reported by libssl
- # and may not reflect patches applied to libssl by
- # distribution maintainers.
- #
- allow_vulnerable_openssl = no
-}
-
-# PROXY CONFIGURATION
-#
-# proxy_requests: Turns proxying of RADIUS requests on or off.
-#
-# The server has proxying turned on by default. If your system is NOT
-# set up to proxy requests to another server, then you can turn proxying
-# off here. This will save a small amount of resources on the server.
-#
-# If you have proxying turned off, and your configuration files say
-# to proxy a request, then an error message will be logged.
-#
-# To disable proxying, change the "yes" to "no", and comment the
-# $INCLUDE line.
-#
-# allowed values: {no, yes}
-#
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-
-# CLIENTS CONFIGURATION
-#
-# Client configuration is defined in "clients.conf".
-#
-
-# The 'clients.conf' file contains all of the information from the old
-# 'clients' and 'naslist' configuration files. We recommend that you
-# do NOT use 'client's or 'naslist', although they are still
-# supported.
-#
-# Anything listed in 'clients.conf' will take precedence over the
-# information from the old-style configuration files.
-#
-$INCLUDE clients.conf
-
-
-# THREAD POOL CONFIGURATION
-#
-# The thread pool is a long-lived group of threads which
-# take turns (round-robin) handling any incoming requests.
-#
-# You probably want to have a few spare threads around,
-# so that high-load situations can be handled immediately. If you
-# don't have any spare threads, then the request handling will
-# be delayed while a new thread is created, and added to the pool.
-#
-# You probably don't want too many spare threads around,
-# otherwise they'll be sitting there taking up resources, and
-# not doing anything productive.
-#
-# The numbers given below should be adequate for most situations.
-#
-thread pool {
- # Number of servers to start initially --- should be a reasonable
- # ballpark figure.
- start_servers = 5
-
- # Limit on the total number of servers running.
- #
- # If this limit is ever reached, clients will be LOCKED OUT, so it
- # should NOT BE SET TOO LOW. It is intended mainly as a brake to
- # keep a runaway server from taking the system with it as it spirals
- # down...
- #
- # You may find that the server is regularly reaching the
- # 'max_servers' number of threads, and that increasing
- # 'max_servers' doesn't seem to make much difference.
- #
- # If this is the case, then the problem is MOST LIKELY that
- # your back-end databases are taking too long to respond, and
- # are preventing the server from responding in a timely manner.
- #
- # The solution is NOT do keep increasing the 'max_servers'
- # value, but instead to fix the underlying cause of the
- # problem: slow database, or 'hostname_lookups=yes'.
- #
- # For more information, see 'max_request_time', above.
- #
- max_servers = 32
-
- # Server-pool size regulation. Rather than making you guess
- # how many servers you need, FreeRADIUS dynamically adapts to
- # the load it sees, that is, it tries to maintain enough
- # servers to handle the current load, plus a few spare
- # servers to handle transient load spikes.
- #
- # It does this by periodically checking how many servers are
- # waiting for a request. If there are fewer than
- # min_spare_servers, it creates a new spare. If there are
- # more than max_spare_servers, some of the spares die off.
- # The default values are probably OK for most sites.
- #
- min_spare_servers = 3
- max_spare_servers = 10
-
- # When the server receives a packet, it places it onto an
- # internal queue, where the worker threads (configured above)
- # pick it up for processing. The maximum size of that queue
- # is given here.
- #
- # When the queue is full, any new packets will be silently
- # discarded.
- #
- # The most common cause of the queue being full is that the
- # server is dependent on a slow database, and it has received
- # a large "spike" of traffic. When that happens, there is
- # very little you can do other than make sure the server
- # receives less traffic, or make sure that the database can
- # handle the load.
- #
-# max_queue_size = 65536
-
- # Clean up old threads periodically. For no reason other than
- # it might be useful.
- #
- # '0' is a special value meaning 'infinity', or 'the servers never
- # exit'
- max_requests_per_server = 0
-
- # Automatically limit the number of accounting requests.
- # This configuration item tracks how many requests per second
- # the server can handle. It does this by tracking the
- # packets/s received by the server for processing, and
- # comparing that to the packets/s handled by the child
- # threads.
- #
-
- # If the received PPS is larger than the processed PPS, *and*
- # the queue is more than half full, then new accounting
- # requests are probabilistically discarded. This lowers the
- # number of packets that the server needs to process. Over
- # time, the server will "catch up" with the traffic.
- #
- # Throwing away accounting packets is usually safe and low
- # impact. The NAS will retransmit them in a few seconds, or
- # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
- # to see how accounting packets should be retransmitted. Using
- # any other method is likely to cause network meltdowns.
- #
- auto_limit_acct = no
-}
-
-######################################################################
-#
-# SNMP notifications. Uncomment the following line to enable
-# snmptraps. Note that you MUST also configure the full path
-# to the "snmptrap" command in the "trigger.conf" file.
-#
-#$INCLUDE trigger.conf
-
-# MODULE CONFIGURATION
-#
-# The names and configuration of each module is located in this section.
-#
-# After the modules are defined here, they may be referred to by name,
-# in other sections of this configuration file.
-#
-modules {
- #
- # Each module has a configuration as follows:
- #
- # name [ instance ] {
- # config_item = value
- # ...
- # }
- #
- # The 'name' is used to load the 'rlm_name' library
- # which implements the functionality of the module.
- #
- # The 'instance' is optional. To have two different instances
- # of a module, it first must be referred to by 'name'.
- # The different copies of the module are then created by
- # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
- #
- # The instance names can then be used in later configuration
- # INSTEAD of the original 'name'. See the 'radutmp' configuration
- # for an example.
- #
-
- #
- # Some modules have ordering issues. e.g. "sqlippool" uses
- # the configuration from "sql". In that case, the "sql"
- # module must be read off of disk before the "sqlippool".
- # However, the directory inclusion below just reads the
- # directory from start to finish. Which means that the
- # modules are read off of disk randomly.
- #
- # You can list individual modules *before* the directory
- # inclusion. Those modules will be loaded first. Then, when
- # the directory is read, those modules will be skipped and
- # not read twice.
- #
-# $INCLUDE mods-enabled/sql
-
- #
- # All modules are in ther mods-enabled/ directory. Files
- # matching the regex /[a-zA-Z0-9_.]+/ are read. The
- # modules are initialized ONLY if they are referenced in a
- # processing section, such as authorize, authenticate,
- # accounting, pre/post-proxy, etc.
- #
- $INCLUDE mods-enabled/
-}
-
-# Instantiation
-#
-# This section sets the instantiation order of the modules. listed
-# here will get started up BEFORE the sections like authorize,
-# authenticate, etc. get examined.
-#
-# This section is not strictly needed. When a section like authorize
-# refers to a module, the module is automatically loaded and
-# initialized. However, some modules may not be listed in any of the
-# processing sections, so they should be listed here.
-#
-# Also, listing modules here ensures that you have control over
-# the order in which they are initialized. If one module needs
-# something defined by another module, you can list them in order
-# here, and ensure that the configuration will be OK.
-#
-# After the modules listed here have been loaded, all of the modules
-# in the "mods-enabled" directory will be loaded. Loading the
-# "mods-enabled" directory means that unlike Version 2, you usually
-# don't need to list modules here.
-#
-instantiate {
- #
- # We list the counter module here so that it registers
- # the check_name attribute before any module which sets
- # it
-# daily
-
- # subsections here can be thought of as "virtual" modules.
- #
- # e.g. If you have two redundant SQL servers, and you want to
- # use them in the authorize and accounting sections, you could
- # place a "redundant" block in each section, containing the
- # exact same text. Or, you could uncomment the following
- # lines, and list "redundant_sql" in the authorize and
- # accounting sections.
- #
- # The "virtual" module defined here can also be used with
- # dynamic expansions, under a few conditions:
- #
- # * The section is "redundant", or "load-balance", or
- # "redundant-load-balance"
- # * The section contains modules ONLY, and no sub-sections
- # * all modules in the section are using the same rlm_
- # driver, e.g. They are all sql, or all ldap, etc.
- #
- # When those conditions are satisfied, the server will
- # automatically register a dynamic expansion, using the
- # name of the "virtual" module. In the example below,
- # it will be "redundant_sql". You can then use this expansion
- # just like any other:
- #
- # update reply {
- # Filter-Id := "%{redundant_sql: ... }"
- # }
- #
- # In this example, the expansion is done via module "sql1",
- # and if that expansion fails, using module "sql2".
- #
- # For best results, configure the "pool" subsection of the
- # module so that "retry_delay" is non-zero. That will allow
- # the redundant block to quickly ignore all "down" SQL
- # databases. If instead we have "retry_delay = 0", then
- # every time the redundant block is used, the server will try
- # to open a connection to every "down" database, causing
- # problems.
- #
- #redundant redundant_sql {
- # sql1
- # sql2
- #}
-}
-
-######################################################################
-#
-# Policies are virtual modules, similar to those defined in the
-# "instantiate" section above.
-#
-# Defining a policy in one of the policy.d files means that it can be
-# referenced in multiple places as a *name*, rather than as a series of
-# conditions to match, and actions to take.
-#
-# Policies are something like subroutines in a normal language, but
-# they cannot be called recursively. They MUST be defined in order.
-# If policy A calls policy B, then B MUST be defined before A.
-#
-######################################################################
-policy {
- $INCLUDE policy.d/
-}
-
-######################################################################
-#
-# Load virtual servers.
-#
-# This next $INCLUDE line loads files in the directory that
-# match the regular expression: /[a-zA-Z0-9_.]+/
-#
-# It allows you to define new virtual servers simply by placing
-# a file into the raddb/sites-enabled/ directory.
-#
-$INCLUDE sites-enabled/
-
-######################################################################
-#
-# All of the other configuration sections like "authorize {}",
-# "authenticate {}", "accounting {}", have been moved to the
-# the file:
-#
-# raddb/sites-available/default
-#
-# This is the "default" virtual server that has the same
-# configuration as in version 1.0.x and 1.1.x. The default
-# installation enables this virtual server. You should
-# edit it to create policies for your local site.
-#
-# For more documentation on virtual servers, see:
-#
-# raddb/sites-available/README
-#
-######################################################################
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/default b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/default
deleted file mode 100644
index 05d7a38..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/default
+++ /dev/null
@@ -1,1138 +0,0 @@
-######################################################################
-#
-# As of 2.0.0, FreeRADIUS supports virtual hosts using the
-# "server" section, and configuration directives.
-#
-# Virtual hosts should be put into the "sites-available"
-# directory. Soft links should be created in the "sites-enabled"
-# directory to these files. This is done in a normal installation.
-#
-# If you are using 802.1X (EAP) authentication, please see also
-# the "inner-tunnel" virtual server. You will likely have to edit
-# that, too, for authentication to work.
-#
-# $Id: 1926b7cd6e381cebfb809c7e89f8db0808124625 $
-#
-######################################################################
-#
-# Read "man radiusd" before editing this file. See the section
-# titled DEBUGGING. It outlines a method where you can quickly
-# obtain the configuration you want, without running into
-# trouble. See also "man unlang", which documents the format
-# of this file.
-#
-# This configuration is designed to work in the widest possible
-# set of circumstances, with the widest possible number of
-# authentication methods. This means that in general, you should
-# need to make very few changes to this file.
-#
-# The best way to configure the server for your local system
-# is to CAREFULLY edit this file. Most attempts to make large
-# edits to this file will BREAK THE SERVER. Any edits should
-# be small, and tested by running the server with "radiusd -X".
-# Once the edits have been verified to work, save a copy of these
-# configuration files somewhere. (e.g. as a "tar" file). Then,
-# make more edits, and test, as above.
-#
-# There are many "commented out" references to modules such
-# as ldap, sql, etc. These references serve as place-holders.
-# If you need the functionality of that module, then configure
-# it in radiusd.conf, and un-comment the references to it in
-# this file.
In most cases, those small changes will result -# in the server being able to connect to the DB, and to -# authenticate users. -# -###################################################################### - -server default { -# -# If you want the server to listen on additional addresses, or on -# additional ports, you can use multiple "listen" sections. -# -# Each section make the server listen for only one type of packet, -# therefore authentication and accounting have to be configured in -# different sections. -# -# The server ignore all "listen" section if you are using '-i' and '-p' -# on the command line. -# -listen { - # Type of packets to listen for. - # Allowed values are: - # auth listen for authentication packets - # acct listen for accounting packets - # auth+acct listen for both authentication and accounting packets - # proxy IP to use for sending proxied packets - # detail Read from the detail file. For examples, see - # raddb/sites-available/copy-acct-to-home-server - # status listen for Status-Server packets. For examples, - # see raddb/sites-available/status - # coa listen for CoA-Request and Disconnect-Request - # packets. For examples, see the file - # raddb/sites-available/coa - # - type = auth - - # Note: "type = proxy" lets you control the source IP used for - # proxying packets, with some limitations: - # - # * A proxy listener CANNOT be used in a virtual server section. - # * You should probably set "port = 0". - # * Any "clients" configuration will be ignored. - # - # See also proxy.conf, and the "src_ipaddr" configuration entry - # in the sample "home_server" section. When you specify the - # source IP address for packets sent to a home server, the - # proxy listeners are automatically created. - - # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. - # If multiple ones are listed, only the first one will - # be used, and the others will be ignored. 
- # - # The configuration options accept the following syntax: - # - # ipv4addr - IPv4 address (e.g.192.0.2.3) - # - wildcard (i.e. *) - # - hostname (radius.example.com) - # Only the A record for the host name is used. - # If there is no A record, an error is returned, - # and the server fails to start. - # - # ipv6addr - IPv6 address (e.g. 2001:db8::1) - # - wildcard (i.e. *) - # - hostname (radius.example.com) - # Only the AAAA record for the host name is used. - # If there is no AAAA record, an error is returned, - # and the server fails to start. - # - # ipaddr - IPv4 address as above - # - IPv6 address as above - # - wildcard (i.e. *), which means IPv4 wildcard. - # - hostname - # If there is only one A or AAAA record returned - # for the host name, it is used. - # If multiple A or AAAA records are returned - # for the host name, only the first one is used. - # If both A and AAAA records are returned - # for the host name, only the A record is used. - # - # ipv4addr = * - # ipv6addr = * - ipaddr = * - - # Port on which to listen. - # Allowed values are: - # integer port number (1812) - # 0 means "use /etc/services for the proper port" - port = 0 - - # Some systems support binding to an interface, in addition - # to the IP address. This feature isn't strictly necessary, - # but for sites with many IP addresses on one interface, - # it's useful to say "listen on all addresses for eth0". - # - # If your system does not support this feature, you will - # get an error if you try to use it. - # -# interface = eth0 - - # Per-socket lists of clients. This is a very useful feature. - # - # The name here is a reference to a section elsewhere in - # radiusd.conf, or clients.conf. Having the name as - # a reference allows multiple sockets to use the same - # set of clients. - # - # If this configuration is used, then the global list of clients - # is IGNORED for this "listen" section. 
Take care configuring - # this feature, to ensure you don't accidentally disable a - # client you need. - # - # See clients.conf for the configuration of "per_socket_clients". - # -# clients = per_socket_clients - - # - # Set the default UDP receive buffer size. In most cases, - # the default values set by the kernel are fine. However, in - # some cases the NASes will send large packets, and many of - # them at a time. It is then possible to overflow the - # buffer, causing the kernel to drop packets before they - # reach FreeRADIUS. Increasing the size of the buffer will - # avoid these packet drops. - # -# recv_buff = 65536 - - # - # Connection limiting for sockets with "proto = tcp". - # - # This section is ignored for other kinds of sockets. - # - limit { - # - # Limit the number of simultaneous TCP connections to the socket - # - # The default is 16. - # Setting this to 0 means "no limit" - max_connections = 16 - - # The per-socket "max_requests" option does not exist. - - # - # The lifetime, in seconds, of a TCP connection. After - # this lifetime, the connection will be closed. - # - # Setting this to 0 means "forever". - lifetime = 0 - - # - # The idle timeout, in seconds, of a TCP connection. - # If no packets have been received over the connection for - # this time, the connection will be closed. - # - # Setting this to 0 means "no timeout". - # - # We STRONGLY RECOMMEND that you set an idle timeout. - # - idle_timeout = 30 - } -} - -# -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - ipaddr = * -# ipv6addr = :: - port = 0 - type = acct -# interface = eth0 -# clients = per_socket_clients - - limit { - # The number of packets received can be rate limited via the - # "max_pps" configuration item. When it is set, the server - # tracks the total number of packets received in the previous - # second. If the count is greater than "max_pps", then the - # new packet is silently discarded. 
This helps the server - # deal with overload situations. - # - # The packets/s counter is tracked in a sliding window. This - # means that the pps calculation is done for the second - # before the current packet was received. NOT for the current - # wall-clock second, and NOT for the previous wall-clock second. - # - # Useful values are 0 (no limit), or 100 to 10000. - # Values lower than 100 will likely cause the server to ignore - # normal traffic. Few systems are capable of handling more than - # 10K packets/s. - # - # It is most useful for accounting systems. Set it to 50% - # more than the normal accounting load, and you can be sure that - # the server will never get overloaded - # -# max_pps = 0 - - # Only for "proto = tcp". These are ignored for "udp" sockets. - # -# idle_timeout = 0 -# lifetime = 0 -# max_connections = 0 - } -} - -# IPv6 versions of the above - read their full config to understand options -listen { - type = auth - ipv6addr = :: # any. ::1 == localhost - port = 0 -# interface = eth0 -# clients = per_socket_clients - limit { - max_connections = 16 - lifetime = 0 - idle_timeout = 30 - } -} - -listen { - ipv6addr = :: - port = 0 - type = acct -# interface = eth0 -# clients = per_socket_clients - - limit { -# max_pps = 0 -# idle_timeout = 0 -# lifetime = 0 -# max_connections = 0 - } -} - -# Authorization. First preprocess (hints and huntgroups files), -# then realms, and finally look in the "users" file. -# -# Any changes made here should also be made to the "inner-tunnel" -# virtual server. -# -# The order of the realm modules will determine the order that -# we try to find a matching realm. -# -# Make *sure* that 'preprocess' comes before any realm if you -# need to setup hints for the remote radius server -authorize { - # - # Take a User-Name, and perform some checks on it, for spaces and other - # invalid characters. If the User-Name appears invalid, reject the - # request. 
- # - # See policy.d/filter for the definition of the filter_username policy. - # - filter_username - - # - # Some broken equipment sends passwords with embedded zeros. - # i.e. the debug output will show - # - # User-Password = "password\000\000" - # - # This policy will fix it to just be "password". - # -# filter_password - - # - # The preprocess module takes care of sanitizing some bizarre - # attributes in the request, and turning them into attributes - # which are more standard. - # - # It takes care of processing the 'raddb/mods-config/preprocess/hints' - # and the 'raddb/mods-config/preprocess/huntgroups' files. - preprocess - - # If you intend to use CUI and you require that the Operator-Name - # be set for CUI generation and you want to generate CUI also - # for your local clients then uncomment the operator-name - # below and set the operator-name for your clients in clients.conf -# operator-name - - # - # If you want to generate CUI for some clients that do not - # send proper CUI requests, then uncomment the - # cui below and set "add_cui = yes" for these clients in clients.conf -# cui - - # - # If you want to have a log of authentication requests, - # un-comment the following line. -# auth_log - - # - # The chap module will set 'Auth-Type := CHAP' if we are - # handling a CHAP request and Auth-Type has not already been set - chap - - # - # If the users are logging in with an MS-CHAP-Challenge - # attribute for authentication, the mschap module will find - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' - # to the request, which will cause the server to then use - # the mschap module for authentication. - mschap - - # - # If you have a Cisco SIP server authenticating against - # FreeRADIUS, uncomment the following line, and the 'digest' - # line in the 'authenticate' section. - digest - - # - # The WiMAX specification says that the Calling-Station-Id - # is 6 octets of the MAC. 
This definition conflicts with - # RFC 3580, and all common RADIUS practices. If you are using - # old style WiMAX (non LTE) the un-commenting the "wimax" module - # here means that it will fix the Calling-Station-Id attribute to - # the normal format as specified in RFC 3580 Section 3.21. - # - # If you are using WiMAX 2.1 (LTE) then un-commenting will allow - # the module to handle SQN resyncronisation. Prior to calling the - # module it is necessary to populate the following attributes - # with the relevant keys: - # control:WiMAX-SIM-Ki - # control:WiMAX-SIM-OPc - # - # If WiMAX-Re-synchronization-Info is found in the request then - # the module will attempt to extract SQN and store it in - # control:WiMAX-SIM-SQN. Also a copy of RAND is extracted to - # control:WiMAX-SIM-RAND. - # - # If the SIM cannot be authenticated using Ki and OPc then reject - # will be returned. -# wimax - - # - # Look for IPASS style 'realm/', and if not found, look for - # '@realm', and decide whether or not to proxy, based on - # that. -# IPASS - - # - # Look for realms in user@domain format - suffix -# ntdomain - - # - # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP - # authentication. - # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. - # - # The EAP module returns "ok" or "updated" if it is not yet ready - # to authenticate the user. The configuration below checks for - # "ok", and stops processing the "authorize" section if so. - # - # Any LDAP and/or SQL servers will not be queried for the - # initial set of packets that go back and forth to set up - # TTLS or PEAP. - # - # The "updated" check is commented out for compatibility with - # previous versions of this configuration, but you may wish to - # uncomment it as well; this will further reduce the number of - # LDAP and/or SQL queries for TTLS or PEAP. 
- # - eap { - ok = return -# updated = return - } - - # - # Pull crypt'd passwords from /etc/passwd or /etc/shadow, - # using the system API's to get the password. If you want - # to read /etc/passwd or /etc/shadow directly, see the - # mods-available/passwd module. - # -# unix - - # - # Read the 'users' file. In v3, this is located in - # raddb/mods-config/files/authorize - files - - # - # Look in an SQL database. The schema of the database - # is meant to mirror the "users" file. - # - # See "Authorization Queries" in mods-available/sql - -sql - - # - # If you are using /etc/smbpasswd, and are also doing - # mschap authentication, the un-comment this line, and - # configure the 'smbpasswd' module. -# smbpasswd - - # - # The ldap module reads passwords from the LDAP database. - -ldap - - # - # Enforce daily limits on time spent logged in. -# daily - - # - expiration - logintime - - # - # If no other module has claimed responsibility for - # authentication, then try to use PAP. This allows the - # other modules listed above to add a "known good" password - # to the request, and to do nothing else. The PAP module - # will then see that password, and use it to do PAP - # authentication. - # - # This module should be listed last, so that the other modules - # get a chance to set Auth-Type for themselves. - # - pap - - # - # If "status_server = yes", then Status-Server messages are passed - # through the following section, and ONLY the following section. - # This permits you to do DB queries, for example. If the modules - # listed here return "fail", then NO response is sent. - # -# Autz-Type Status-Server { -# -# } - - # - # RADIUS/TLS (or RadSec) connections are processed through - # this section. See sites-available/tls, and the configuration - # item "check_client_connections" for more information. - # - # The request contains TLS client certificate attributes, - # and nothing else. The debug output will print which - # attributes are available on your system. 
- # - # If the section returns "ok" or "updated", then the - # connection is accepted. Otherwise the connection is - # terminated. - # - Autz-Type New-TLS-Connection { - ok - } -} - - -# Authentication. -# -# -# This section lists which modules are available for authentication. -# Note that it does NOT mean 'try each module in order'. It means -# that a module from the 'authorize' section adds a configuration -# attribute 'Auth-Type := FOO'. That authentication type is then -# used to pick the appropriate module from the list below. -# - -# In general, you SHOULD NOT set the Auth-Type attribute. The server -# will figure it out on its own, and will do the right thing. The -# most common side effect of erroneously setting the Auth-Type -# attribute is that one authentication method will work, but the -# others will not. -# -# The common reasons to set the Auth-Type attribute by hand -# is to either forcibly reject the user (Auth-Type := Reject), -# or to or forcibly accept the user (Auth-Type := Accept). -# -# Note that Auth-Type := Accept will NOT work with EAP. -# -# Please do not put "unlang" configurations into the "authenticate" -# section. Put them in the "post-auth" section instead. That's what -# the post-auth section is for. -# -authenticate { - # - # PAP authentication, when a back-end database listed - # in the 'authorize' section supplies a password. The - # password can be clear-text, or encrypted. - Auth-Type PAP { - pap - } - - # - # Most people want CHAP authentication - # A back-end database listed in the 'authorize' section - # MUST supply a CLEAR TEXT password. Encrypted passwords - # won't work. - Auth-Type CHAP { - chap - } - - # - # MSCHAP authentication. - Auth-Type MS-CHAP { - mschap - } - - # - # For old names, too. - # - mschap - - # - # If you have a Cisco SIP server authenticating against - # FreeRADIUS, uncomment the following line, and the 'digest' - # line in the 'authorize' section. - digest - - # - # Pluggable Authentication Modules. 
-# pam - - # Uncomment it if you want to use ldap for authentication - # - # Note that this means "check plain-text password against - # the ldap database", which means that EAP won't work, - # as it does not supply a plain-text password. - # - # We do NOT recommend using this. LDAP servers are databases. - # They are NOT authentication servers. FreeRADIUS is an - # authentication server, and knows what to do with authentication. - # LDAP servers do not. - # -# Auth-Type LDAP { -# ldap -# } - - # - # Allow EAP authentication. - eap - - # - # The older configurations sent a number of attributes in - # Access-Challenge packets, which wasn't strictly correct. - # If you want to filter out these attributes, uncomment - # the following lines. - # -# Auth-Type eap { -# eap { -# handled = 1 -# } -# if (handled && (Response-Packet-Type == Access-Challenge)) { -# attr_filter.access_challenge.post-auth -# handled # override the "updated" code from attr_filter -# } -# } -} - - -# -# Pre-accounting. Decide which accounting type to use. -# -preacct { - preprocess - - # - # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets - # into a single 64bit counter Acct-[Input|Output]-Octets64. - # -# acct_counters64 - - # - # Session start times are *implied* in RADIUS. - # The NAS never sends a "start time". Instead, it sends - # a start packet, *possibly* with an Acct-Delay-Time. - # The server is supposed to conclude that the start time - # was "Acct-Delay-Time" seconds in the past. - # - # The code below creates an explicit start time, which can - # then be used in other modules. It will be *mostly* correct. - # Any errors are due to the 1-second resolution of RADIUS, - # and the possibility that the time on the NAS may be off. 
- # - # The start time is: NOW - delay - session_length - # - -# update request { -# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" -# } - - - # - # Ensure that we have a semi-unique identifier for every - # request, and many NAS boxes are broken. - acct_unique - - # - # Look for IPASS-style 'realm/', and if not found, look for - # '@realm', and decide whether or not to proxy, based on - # that. - # - # Accounting requests are generally proxied to the same - # home server as authentication requests. -# IPASS - suffix -# ntdomain - - # - # Read the 'acct_users' file - files -} - -# -# Accounting. Log the accounting data. -# -accounting { - # Update accounting packet by adding the CUI attribute - # recorded from the corresponding Access-Accept - # use it only if your NAS boxes do not support CUI themselves -# cui - # - # Create a 'detail'ed log of the packets. - # Note that accounting requests which are proxied - # are also logged in the detail file. - detail -# daily - - # Update the wtmp file - # - # If you don't use "radlast", you can delete this line. - unix - - # - # For Simultaneous-Use tracking. - # - # Due to packet losses in the network, the data here - # may be incorrect. There is little we can do about it. -# radutmp -# sradutmp - - # - # Return an address to the IP Pool when we see a stop record. - # - # Ensure that &control:Pool-Name is set to determine which - # pool of IPs are used. -# sqlippool - - # - # Log traffic to an SQL database. - # - # See "Accounting queries" in mods-available/sql - -sql - - # - # If you receive stop packets with zero session length, - # they will NOT be logged in the database. The SQL module - # will print a message (only in debugging mode), and will - # return "noop". - # - # You can ignore these packets by uncommenting the following - # three lines. Otherwise, the server will not respond to the - # accounting request, and the NAS will retransmit. 
- # -# if (noop) { -# ok -# } - - # Cisco VoIP specific bulk accounting -# pgsql-voip - - # For Exec-Program and Exec-Program-Wait - exec - - # Filter attributes from the accounting response. - attr_filter.accounting_response - - # - # See "Autz-Type Status-Server" for how this works. - # -# Acct-Type Status-Server { -# -# } -} - - -# Session database, used for checking Simultaneous-Use. Either the radutmp -# or rlm_sql module can handle this. -# The rlm_sql module is *much* faster -session { -# radutmp - - # - # See "Simultaneous Use Checking Queries" in mods-available/sql -# sql -} - - -# Post-Authentication -# Once we KNOW that the user has been authenticated, there are -# additional steps we can take. -post-auth { - # - # If you need to have a State attribute, you can - # add it here. e.g. for later CoA-Request with - # State, and Service-Type = Authorize-Only. - # -# if (!&reply:State) { -# update reply { -# State := "0x%{randstr:16h}" -# } -# } - - # - # Reject packets where User-Name != TLS-Client-Cert-Common-Name - # There is no reason for users to lie about their names. - # - # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name - # -# verify_tls_client_common_name - - # - # If there is no Stripped-User-Name in the request, AND we have a client cert, - # then create a Stripped-User-Name from the TLS client certificate information. - # - # Note that this policy MUST be edited for your local system! - # We do not know which fields exist in which certificate, as - # there is no standard here. There is no way for us to have - # a default configuration which "just works" everywhere. We - # can only make recommendations. - # - # The Stripped-User-Name is updated so that it is logged in - # the various "username" fields. This logging means that you - # can associate a particular session with a particular client - # certificate. 
- # -# if (&EAP-Message && !&Stripped-User-Name && &TLS-Client-Cert-Serial) { -# update request { -# &Stripped-User-Name := "%{%{TLS-Client-Cert-Subject-Alt-Name-Email}:-%{%{TLS-Client-Cert-Common-Name}:-%{TLS-Client-Cert-Serial}}}" -# } -# - # - # Create a Class attribute which is a hash of a bunch - # of information which we hope exists. This - # attribute should be echoed back in - # Accounting-Request packets, which will let the - # administrator correlate authentication and - # accounting. - # -# update reply { -# Class += "%{md5:%{Calling-Station-Id}%{Called-Station-Id}%{TLS-Client-Cert-Subject-Alt-Name-Email}%{TLS-Client-Cert-Common-Name}%{TLS-Client-Cert-Serial}%{NAS-IPv6-Address}%{NAS-IP-Address}%{NAS-Identifier}%{NAS-Port}" -# } -# -# } - - # - # For EAP-TTLS and PEAP, add the cached attributes to the reply. - # The "session-state" attributes are automatically cached when - # an Access-Challenge is sent, and automatically retrieved - # when an Access-Request is received. - # - # The session-state attributes are automatically deleted after - # an Access-Reject or Access-Accept is sent. - # - # If both session-state and reply contain a User-Name attribute, remove - # the one in the reply if it is just a copy of the one in the request, so - # we don't end up with two User-Name attributes. - - if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { - update reply { - &User-Name !* ANY - } - } - update { - &reply: += &session-state: - } - - # - # Refresh leases when we see a start or alive. Return an address to - # the IP Pool when we see a stop record. - # - # Ensure that &control:Pool-Name is set to determine which - # pool of IPs are used. -# sqlippool - - - # Create the CUI value and add the attribute to Access-Accept. - # Uncomment the line below if *returning* the CUI. -# cui - - # Create empty accounting session to make simultaneous check - # more robust. 
See the accounting queries configuration in - # raddb/mods-config/sql/main/*/queries.conf for details. - # - # The "sql_session_start" policy is defined in - # raddb/policy.d/accounting. See that file for more details. -# sql_session_start - - # - # If you want to have a log of authentication replies, - # un-comment the following line, and enable the - # 'detail reply_log' module. -# reply_log - - # - # After authenticating the user, do another SQL query. - # - # See "Authentication Logging Queries" in mods-available/sql - -sql - - # - # Un-comment the following if you want to modify the user's object - # in LDAP after a successful login. - # -# ldap - - # For Exec-Program and Exec-Program-Wait - exec - - # - # In order to calcualate the various keys for old style WiMAX - # (non LTE) you will need to define the WiMAX NAI, usually via - # - # update request { - # &WiMAX-MN-NAI = "%{User-Name}" - # } - # - # If you want various keys to be calculated, you will need to - # update the reply with "template" values. The module will see - # this, and replace the template values with the correct ones - # taken from the cryptographic calculations. e.g. - # - # update reply { - # &WiMAX-FA-RK-Key = 0x00 - # &WiMAX-MSK = "%{reply:EAP-MSK}" - # } - # - # You may want to delete the MS-MPPE-*-Keys from the reply, - # as some WiMAX clients behave badly when those attributes - # are included. See "raddb/modules/wimax", configuration - # entry "delete_mppe_keys" for more information. - # - # For LTE style WiMAX you need to populate the following with the - # relevant values: - # control:WiMAX-SIM-Ki - # control:WiMAX-SIM-OPc - # control:WiMAX-SIM-AMF - # control:WiMAX-SIM-SQN - # -# wimax - - # If there is a client certificate (EAP-TLS, sometimes PEAP - # and TTLS), then some attributes are filled out after the - # certificate verification has been performed. These fields - # MAY be available during the authentication, or they may be - # available only in the "post-auth" section. 
- # - # The first set of attributes contains information about the - # issuing certificate which is being used. The second - # contains information about the client certificate (if - # available). -# -# update reply { -# Reply-Message += "%{TLS-Cert-Serial}" -# Reply-Message += "%{TLS-Cert-Expiration}" -# Reply-Message += "%{TLS-Cert-Subject}" -# Reply-Message += "%{TLS-Cert-Issuer}" -# Reply-Message += "%{TLS-Cert-Common-Name}" -# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" -# -# Reply-Message += "%{TLS-Client-Cert-Serial}" -# Reply-Message += "%{TLS-Client-Cert-Expiration}" -# Reply-Message += "%{TLS-Client-Cert-Subject}" -# Reply-Message += "%{TLS-Client-Cert-Issuer}" -# Reply-Message += "%{TLS-Client-Cert-Common-Name}" -# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" -# } - - # Insert class attribute (with unique value) into response, - # aids matching auth and acct records, and protects against duplicate - # Acct-Session-Id. Note: Only works if the NAS has implemented - # RFC 2865 behaviour for the class attribute, AND if the NAS - # supports long Class attributes. Many older or cheap NASes - # only support 16-octet Class attributes. -# insert_acct_class - - # MacSEC requires the use of EAP-Key-Name. However, we don't - # want to send it for all EAP sessions. Therefore, the EAP - # modules put required data into the EAP-Session-Id attribute. - # This attribute is never put into a request or reply packet. - # - # Uncomment the next few lines to copy the required data into - # the EAP-Key-Name attribute -# if (&reply:EAP-Session-Id) { -# update reply { -# EAP-Key-Name := &reply:EAP-Session-Id -# } -# } - - # Remove reply message if the response contains an EAP-Message - remove_reply_message_if_eap - - # - # Access-Reject packets are sent through the REJECT sub-section of the - # post-auth section. 
- # - # Add the ldap module name (or instance) if you have set - # 'edir = yes' in the ldap module configuration - # - # The "session-state" attributes are not available here. - # - Post-Auth-Type REJECT { - # log failed authentications in SQL, too. - -sql - attr_filter.access_reject - - # Insert EAP-Failure message if the request was - # rejected by policy instead of because of an - # authentication failure - eap - - # Remove reply message if the response contains an EAP-Message - remove_reply_message_if_eap - } - - # - # Filter access challenges. - # - Post-Auth-Type Challenge { -# remove_reply_message_if_eap -# attr_filter.access_challenge.post-auth - } - - # - # The Client-Lost section will be run for a request when - # FreeRADIUS has given up waiting for an end-users client to - # respond. This is most useful for logging EAP sessions where - # the client stopped responding (likely because the - # certificate was not acceptable.) i.e. this is not for - # RADIUS clients, but for end-user systems. - # - # This will only be triggered by new packets arriving, - # and will be run at some point in the future *after* the - # original request has been discarded. - # - # Therefore the *ONLY* attributes that are available here - # are those in the session-state list. If you want data - # to log, make sure it is copied to &session-state: - # before the client stops responding. NONE of the other - # original attributes (request, reply, etc) will be - # available. - # - # This section will only be run if `postauth_client_lost` - # is enabled in the main configuration in `radiusd.conf`. - # - # Note that there are MANY reasons why an end users system - # might not respond: - # - # * it could not get the packet due to firewall issues - # * it could not get the packet due to a lossy network - # * the users system might not like the servers cert - # * the users system might not like something else... 
- # - # In some cases, the client is helpful enough to send us a - # TLS Alert message, saying what it doesn't like about the - # certificate. In other cases, no such message is available. - # - # All that we can know on the FreeRADIUS side is that we sent - # an Access-Challenge, and the client never sent anything - # else. The reasons WHY this happens are buried inside of - # the logs on the client system. No amount of looking at the - # FreeRADIUS logs, or poking the FreeRADIUS configuration - # will tell you why the client gave up. The answers are in - # the logs on the client side. And no, the FreeRADIUS team - # didn't write the client, so we don't know where those logs - # are, or how to get at them. - # - # Information about the TLS state changes is in the - # &session-state:TLS-Session-Information attribute. - # - Post-Auth-Type Client-Lost { - # - # Debug ALL of the TLS state changes done during the - # EAP negotiation. - # -# %{debug_attr:&session-state:TLS-Session-Information[*]} - - # - # Debug the LAST TLS state change done during the EAP - # negotiation. For errors, this is usually a TLS - # alert from the client saying something like - # "unknown CA". - # -# %{debug_attr:&session-state:TLS-Session-Information[n]} - - # - # Debug the last module failure message. This may be - # useful, or it may refer to a server-side failure - # which did not cause the client to stop talking to the server. - # -# %{debug_attr:&session-state:Module-Failure-Message} - } - - # - # If the client sends EAP-Key-Name in the request, - # then echo the real value back in the reply. - # - if (EAP-Key-Name && &reply:EAP-Session-Id) { - update reply { - &EAP-Key-Name := &reply:EAP-Session-Id - } - } -} - -# -# When the server decides to proxy a request to a home server, -# the proxied request is first passed through the pre-proxy -# stage. This stage can re-write the request, or decide to -# cancel the proxy. -# -# Only a few modules currently have this method. 
-# -pre-proxy { - # Before proxing the request add an Operator-Name attribute identifying - # if the operator-name is found for this client. - # No need to uncomment this if you have already enabled this in - # the authorize section. -# operator-name - - # The client requests the CUI by sending a CUI attribute - # containing one zero byte. - # Uncomment the line below if *requesting* the CUI. -# cui - - # Uncomment the following line if you want to change attributes - # as defined in the preproxy_users file. -# files - - # Uncomment the following line if you want to filter requests - # sent to remote servers based on the rules defined in the - # 'attrs.pre-proxy' file. -# attr_filter.pre-proxy - - # If you want to have a log of packets proxied to a home - # server, un-comment the following line, and the - # 'detail pre_proxy_log' section, above. -# pre_proxy_log -} - -# -# When the server receives a reply to a request it proxied -# to a home server, the request may be massaged here, in the -# post-proxy stage. -# -post-proxy { - - # If you want to have a log of replies from a home server, - # un-comment the following line, and the 'detail post_proxy_log' - # section, above. -# post_proxy_log - - # Uncomment the following line if you want to filter replies from - # remote proxies based on the rules defined in the 'attrs' file. -# attr_filter.post-proxy - - # - # If you are proxying LEAP, you MUST configure the EAP - # module, and you MUST list it here, in the post-proxy - # stage. - # - # You MUST also use the 'nostrip' option in the 'realm' - # configuration. Otherwise, the User-Name attribute - # in the proxied request will not match the user name - # hidden inside of the EAP packet, and the end server will - # reject the EAP request. - # - eap - - # - # If the server tries to proxy a request and fails, then the - # request is processed through the modules in this section. - # - # The main use of this section is to permit robust proxying - # of accounting packets. 
The server can be configured to - # proxy accounting packets as part of normal processing. - # Then, if the home server goes down, accounting packets can - # be logged to a local "detail" file, for processing with - # radrelay. When the home server comes back up, radrelay - # will read the detail file, and send the packets to the - # home server. - # - # See the "mods-available/detail.example.com" file for more - # details on writing a detail file specifically for one - # destination. - # - # See the "sites-available/robust-proxy-accounting" virtual - # server for more details on reading this "detail" file. - # - # With this configuration, the server always responds to - # Accounting-Requests from the NAS, but only writes - # accounting packets to disk if the home server is down. - # -# Post-Proxy-Type Fail-Accounting { -# detail.example.com -# } -} -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/inner-tunnel b/pkgs/fablab/freeradius-anon-access/raddb/sites-available/inner-tunnel deleted file mode 100644 index 5ad63ae..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-available/inner-tunnel +++ /dev/null 
@@ -1,438 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This is a virtual server that handles *only* inner tunnel -# requests for EAP-TTLS and PEAP types. -# -# $Id: 10eeb55db7a1129ea62f2195c17b286eb4acd1d2 $ -# -###################################################################### - -server inner-tunnel { - -# -# This next section is here to allow testing of the "inner-tunnel" -# authentication methods, independently from the "default" server. -# It is listening on "localhost", so that it can only be used from -# the same machine. -# -# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 -# -# If it works, you have configured the inner tunnel correctly. To check -# if PEAP will work, use: -# -# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 -# -# If that works, PEAP should work. If that command doesn't work, then -# -# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. -# -# Do NOT do any PEAP tests. It won't help. Instead, concentrate -# on fixing the inner tunnel configuration. DO NOTHING ELSE. -# -listen { - ipaddr = 127.0.0.1 - port = 18120 - type = auth -} - - -# Authorization. First preprocess (hints and huntgroups files), -# then realms, and finally look in the "users" file. -# -# The order of the realm modules will determine the order that -# we try to find a matching realm. -# -# Make *sure* that 'preprocess' comes before any realm if you -# need to setup hints for the remote radius server -authorize { - # - # Take a User-Name, and perform some checks on it, for spaces and other - # invalid characters. If the User-Name appears invalid, reject the - # request. - # - # See policy.d/filter for the definition of the filter_username policy. 
- # - filter_username - - # - # Do checks on outer / inner User-Name, so that users - # can't spoof us by using incompatible identities - # -# filter_inner_identity - - # - # The chap module will set 'Auth-Type := CHAP' if we are - # handling a CHAP request and Auth-Type has not already been set - chap - - # - # If the users are logging in with an MS-CHAP-Challenge - # attribute for authentication, the mschap module will find - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' - # to the request, which will cause the server to then use - # the mschap module for authentication. - mschap - - # - # Pull crypt'd passwords from /etc/passwd or /etc/shadow, - # using the system API's to get the password. If you want - # to read /etc/passwd or /etc/shadow directly, see the - # passwd module, above. - # -# unix - - # - # Look for IPASS style 'realm/', and if not found, look for - # '@realm', and decide whether or not to proxy, based on - # that. -# IPASS - - # - # Look for realms in user@domain format - # - # Note that proxying the inner tunnel authentication means - # that the user MAY use one identity in the outer session - # (e.g. "anonymous", and a different one here - # (e.g. "user@example.com"). The inner session will then be - # proxied elsewhere for authentication. If you are not - # careful, this means that the user can cause you to forward - # the authentication to another RADIUS server, and have the - # accounting logs *not* sent to the other server. This makes - # it difficult to bill people for their network activity. - # - suffix -# ntdomain - - # - # The "suffix" module takes care of stripping the domain - # (e.g. "@example.com") from the User-Name attribute, and the - # next few lines ensure that the request is not proxied. - # - # If you want the inner tunnel request to be proxied, delete - # the next few lines. - # - update control { - &Proxy-To-Realm := LOCAL - } - - # - # This module takes care of EAP-MSCHAPv2 authentication. 
- # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. - # - # The example below uses module failover to avoid querying all - # of the following modules if the EAP module returns "ok". - # Therefore, your LDAP and/or SQL servers will not be queried - # for the many packets that go back and forth to set up TTLS - # or PEAP. The load on those servers will therefore be reduced. - # - eap { - ok = return - } - - # - # Read the 'users' file - files - - # - # Look in an SQL database. The schema of the database - # is meant to mirror the "users" file. - # - # See "Authorization Queries" in `mods-config/sql/main/$driver/queries.conf` - -sql - - # - # If you are using /etc/smbpasswd, and are also doing - # mschap authentication, the un-comment this line, and - # enable the "smbpasswd" module. -# smbpasswd - - # - # The ldap module reads passwords from the LDAP database. - -ldap - - # - # Enforce daily limits on time spent logged in. -# daily - - expiration - logintime - - # - # If no other module has claimed responsibility for - # authentication, then try to use PAP. This allows the - # other modules listed above to add a "known good" password - # to the request, and to do nothing else. The PAP module - # will then see that password, and use it to do PAP - # authentication. - # - # This module should be listed last, so that the other modules - # get a chance to set Auth-Type for themselves. - # - pap -} - - -# Authentication. -# -# -# This section lists which modules are available for authentication. -# Note that it does NOT mean 'try each module in order'. It means -# that a module from the 'authorize' section adds a configuration -# attribute 'Auth-Type := FOO'. That authentication type is then -# used to pick the appropriate module from the list below. -# - -# In general, you SHOULD NOT set the Auth-Type attribute. The server -# will figure it out on its own, and will do the right thing. 
The -# most common side effect of erroneously setting the Auth-Type -# attribute is that one authentication method will work, but the -# others will not. -# -# The common reasons to set the Auth-Type attribute by hand -# is to either forcibly reject the user, or forcibly accept him. -# -authenticate { - # - # PAP authentication, when a back-end database listed - # in the 'authorize' section supplies a password. The - # password can be clear-text, or encrypted. - Auth-Type PAP { - pap - } - - # - # Most people want CHAP authentication - # A back-end database listed in the 'authorize' section - # MUST supply a CLEAR TEXT password. Encrypted passwords - # won't work. - Auth-Type CHAP { - chap - } - - # - # MSCHAP authentication. - Auth-Type MS-CHAP { - mschap - } - - # - # For old names, too. - # - mschap - - # - # Pluggable Authentication Modules. -# pam - - # Uncomment it if you want to use ldap for authentication - # - # Note that this means "check plain-text password against - # the ldap database", which means that EAP won't work, - # as it does not supply a plain-text password. - # - # We do NOT recommend using this. LDAP servers are databases. - # They are NOT authentication servers. FreeRADIUS is an - # authentication server, and knows what to do with authentication. - # LDAP servers do not. - # -# Auth-Type LDAP { -# ldap -# } - - # - # Allow EAP authentication. - eap -} - -###################################################################### -# -# There are no accounting requests inside of EAP-TTLS or PEAP -# tunnels. -# -###################################################################### - - -# Session database, used for checking Simultaneous-Use. Either the radutmp -# or rlm_sql module can handle this. 
-# The rlm_sql module is *much* faster -session { - radutmp - - # - # See "Simultaneous Use Checking Queries" in `mods-config/sql/main/$driver/queries.conf` -# sql -} - - -# Post-Authentication -# Once we KNOW that the user has been authenticated, there are -# additional steps we can take. -# -# Note that the last packet of the inner-tunnel authentication -# MAY NOT BE the last packet of the outer session. So updating -# the outer reply MIGHT work, and sometimes MIGHT NOT. The -# exact functionality depends on both the inner and outer -# authentication methods. -# -# If you need to send a reply attribute in the outer session, -# the ONLY safe way is to set "use_tunneled_reply = yes", and -# then update the inner-tunnel reply. -post-auth { - # If you want privacy to remain, see the - # Chargeable-User-Identity attribute from RFC 4372. - # If you want to use it just uncomment the line below. -# cui-inner - - # - # If you want the Access-Accept to contain the inner - # User-Name, uncomment the following lines. - # -# update outer.session-state { -# User-Name := &User-Name -# } - - # - # If you want to have a log of authentication replies, - # un-comment the following line, and enable the - # 'detail reply_log' module. -# reply_log - - # - # After authenticating the user, do another SQL query. - # - # See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf` - -sql - - # - # Un-comment the following if you have set - # 'edir = yes' in the ldap module sub-section of - # the 'modules' section. - # -# ldap - - - # - # Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds - # - # IMPORTANT: This requires the UUID package to be installed, and a targeted_id_salt - # to be configured. - # - # This functionality also supports SQL backing. To use this functionality, enable - # and configure the moonshot-targeted-ids SQL module in the mods-enabled directory. 
- # Then remove the comments from the appropriate lines in each of the below - # policies in the policy.d/moonshot-targeted-ids file. - # -# moonshot_host_tid -# moonshot_realm_tid -# moonshot_coi_tid - - # - # Instead of "use_tunneled_reply", change this "if (0)" to an - # "if (1)". - # - if (0) { - # - # These attributes are for the inner-tunnel only, - # and MUST NOT be copied to the outer reply. - # - update reply { - User-Name !* ANY - Message-Authenticator !* ANY - EAP-Message !* ANY - Proxy-State !* ANY - MS-MPPE-Encryption-Types !* ANY - MS-MPPE-Encryption-Policy !* ANY - MS-MPPE-Send-Key !* ANY - MS-MPPE-Recv-Key !* ANY - } - - # - # Copy the inner reply attributes to the outer - # session-state list. The post-auth policy will take - # care of copying the outer session-state list to the - # outer reply. - # - update { - &outer.session-state: += &reply: - } - } - - # - # Access-Reject packets are sent through the REJECT sub-section of the - # post-auth section. - # - # Add the ldap module name (or instance) if you have set - # 'edir = yes' in the ldap module configuration - # - Post-Auth-Type REJECT { - # log failed authentications in SQL, too. - -sql - attr_filter.access_reject - - # - # Let the outer session know which module failed, and why. - # - update outer.session-state { - &Module-Failure-Message := &request:Module-Failure-Message - } - } -} - -# -# When the server decides to proxy a request to a home server, -# the proxied request is first passed through the pre-proxy -# stage. This stage can re-write the request, or decide to -# cancel the proxy. -# -# Only a few modules currently have this method. -# -pre-proxy { - # Uncomment the following line if you want to change attributes - # as defined in the preproxy_users file. -# files - - # Uncomment the following line if you want to filter requests - # sent to remote servers based on the rules defined in the - # 'attrs.pre-proxy' file. 
-# attr_filter.pre-proxy - - # If you want to have a log of packets proxied to a home - # server, un-comment the following line, and the - # 'detail pre_proxy_log' section, above. -# pre_proxy_log -} - -# -# When the server receives a reply to a request it proxied -# to a home server, the request may be massaged here, in the -# post-proxy stage. -# -post-proxy { - - # If you want to have a log of replies from a home server, - # un-comment the following line, and the 'detail post_proxy_log' - # section, above. -# post_proxy_log - - # Uncomment the following line if you want to filter replies from - # remote proxies based on the rules defined in the 'attrs' file. -# attr_filter.post-proxy - - # - # If you are proxying LEAP, you MUST configure the EAP - # module, and you MUST list it here, in the post-proxy - # stage. - # - # You MUST also use the 'nostrip' option in the 'realm' - # configuration. Otherwise, the User-Name attribute - # in the proxied request will not match the user name - # hidden inside of the EAP packet, and the end server will - # reject the EAP request. - # - eap -} - -} # inner-tunnel server block diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/default b/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/default deleted file mode 120000 index 6d9ba33..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/default +++ /dev/null @@ -1 +0,0 @@ -../sites-available/default \ No newline at end of file diff --git a/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/inner-tunnel b/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/inner-tunnel deleted file mode 120000 index 55aba6e..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/sites-enabled/inner-tunnel +++ /dev/null @@ -1 +0,0 @@ -../sites-available/inner-tunnel \ No newline at end of file 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/templates.conf b/pkgs/fablab/freeradius-anon-access/raddb/templates.conf
deleted file mode 100644
index 22c0a09..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/templates.conf
+++ /dev/null
@@ -1,108 +0,0 @@ -# -*- text -*- -## -## templates.conf -- configurations to be used in multiple places -## -## $Id: 7b8b44e051c974c1a0a6e27a0cff50e621835df2 $ - -###################################################################### -# -# Version 2.0 has a useful new feature called "templates". -# -# Use templates by adding a line in radiusd.conf: -# -# $INCLUDE templates.conf -# -# The goal of the templates is to have common configuration located -# in this file, and to list only the *differences* in the individual -# sections. This feature is most useful for sections like "clients" -# or "home_servers", where many may be defined, and each one has -# similar repeated configuration. -# -# Something similar to templates can be done by putting common -# configuration into separate files, and using "$INCLUDE file...", -# but this is more flexible, and simpler to understand. It's also -# cheaper for the server, because "$INCLUDE" makes a copy of the -# configuration for inclusion, and templates are simply referenced. -# -# The templates are defined in the "templates" section, so that they -# do not affect the rest of the server configuration. -# -# A section can reference a template by using "$template name" -# -templates { - # - # The contents of the templates section are other - # configuration sections that would normally go into - # the configuration files. - # - - # - # This is a default template for the "home_server" section. - # Note that there is no name for the section. - # - # Any configuration item that is valid for a "home_server" - # section is also valid here. When a "home_server" section - # is defined in proxy.conf, this section is referenced as - # the template. - # - # Configuration items that are explicitly listed in a - # "home_server" section of proxy.conf are used in - # preference to the configuration items listed here. 
- # - # However, if a configuration item is NOT listed in a - # "home_server" section of proxy.conf, then the value here - # is used. - # - # This functionality lets you put common configuration into - # a template, and to put only the unique configuration - # items in "proxy.conf". Each section in proxy.conf can - # then contain a line "$template home_server", which will - # cause it to reference this template. - # - home_server { - response_window = 20 - zombie_period = 40 - revive_interval = 120 - # - # Etc. - } - - # - # You can also have named templates. For example, if you - # are proxying to 3 different home servers all at the same - # site, with identical configurations (other than IP - # addresses), you can use this named template. - # - - # Then, each "home_server" section in "proxy.conf" would - # only list the IP address of that home server, and a - # line saying - # - # $template example_com - # - # That would tell FreeRADIUS to look in the section below - # for the rest of the configuration items. - # - # For various reasons, you shouldn't have a "." in the template - # name. Doing so means that the server will be unable to find - # the template. - # - example_com { - type = auth - port = 1812 - secret = testing123 - response_window = 20 - # - # Etc... - } - - # - # You can have templates for other sections, too, but they - # seem to be most useful for home_servers. - # - # For now, you can use templates only for sections in - # radiusd.conf, not sub-sections. So you still have to use - # the "$INCLUDE file.." method for things like defining - # multiple "sql" modules, each with similar configuration. - # -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/trigger.conf b/pkgs/fablab/freeradius-anon-access/raddb/trigger.conf deleted file mode 100644 index f13dbed..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/trigger.conf +++ /dev/null 
@@ -1,281 +0,0 @@ -# -*- text -*- -## -## trigger.conf -- Events in the server can trigger a hook to be executed. -## -## $Id: 413a182eec6a193ef8ffd284295e181962265395 $ - -# -# The triggers are named as "type.subtype.value". These names refer -# to subsections and then configuration items in the "trigger" -# section below. When an event occurs, the trigger is executed. The -# trigger is simply a program that is run, with optional arguments. -# -# The server does not wait when a trigger is executed. It is simply -# a "one-shot" event that is sent. -# -# The trigger names should be self-explanatory. -# - -# -# SNMP configuration. -# -# For now, this is only for SNMP traps. -# -# They are enabled by uncommenting (or adding) "$INCLUDE trigger.conf" -# in the main "radiusd.conf" file. -# -# The traps *REQUIRE* that the files in the "mibs" directory be copied -# to the global mibs directory, usually /usr/share/snmp/mibs/. -# If this is not done, the "snmptrap" program has no idea what information -# to send, and will not work. The MIB installation is *NOT* done as -# part of the default installation, so that step *MUST* be done manually. -# -# The global MIB directory can be found by running the following command: -# -# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR | sed "s/' .*//;s/.* '//;s/.*://" -# -# Or maybe just: -# -# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR -# -# If you have copied the MIBs to that directory, you can test the -# FreeRADIUS MIBs by running the following command: -# -# snmptranslate -m +FREERADIUS-NOTIFICATION-MIB -IR -On serverStart -# -# It should print out: -# -# .1.3.6.1.4.1.11344.4.1.1 -# -# As always, run the server in debugging mode after enabling the -# traps. You will see the "snmptrap" command being run, and it will -# print out any errors or issues that it encounters. Those need to -# be fixed before running the server in daemon mode. 
-# -# We also suggest running in debugging mode as the "radiusd" user, if -# you have "user/group" set in radiusd.conf. The "snmptrap" program -# may behave differently when run as "root" or as the "radiusd" user. -# -snmp { - # - # Configuration for SNMP traps / notifications - # - # To disable traps, edit "radiusd.conf", and delete the line - # which says "$INCUDE trigger.conf" - # - trap { - # - # Absolute path for the "snmptrap" command, and - # default command-line arguments. - # - # You can disable traps by changing the command to - # "/bin/echo". - # - cmd = "/usr/bin/snmptrap -v2c" - - # - # Community string - # - community = "public" - - # - # Agent configuration. - # - agent = "localhost ''" - } -} - -# -# The "snmptrap" configuration defines the full command used to run the traps. -# -# This entry should not be edited. Instead, edit the "trap" section above. -# -snmptrap = "${snmp.trap.cmd} -c ${snmp.trap.community} ${snmp.trap.agent} FREERADIUS-NOTIFICATION-MIB" - -# -# The individual triggers are defined here. You can disable one by -# deleting it, or by commenting it out. You can disable an entire -# section of traps by deleting the section. -# -# The entries below should not be edited. For example, the double colons -# *must* immediately follow the ${snmptrap} reference. Adding a space -# before the double colons will break all SNMP traps. -# -# However... the traps are just programs which are run when -# particular events occur. If you want to replace a trap with -# another program, you can. Just edit the definitions below, so that -# they run a program of your choice. -# -# For example, you can leverage the "start/stop" triggers to run a -# program when the server starts, or when it stops. But that will -# prevent the start/stop SNMP traps from working, of course. 
-# -trigger { - # - # Events in the server core - # - server { - # the server has just started - start = "${snmptrap}::serverStart" - - # the server is about to stop - stop = "${snmptrap}::serverStop" - - # The "max_requests" condition has been reached. - # This will trigger only once per 60 seconds. - max_requests = "${snmptrap}::serverMaxRequests" - - # For events related to clients - client { - # Added a new dynamic client - add = "/path/to/file %{Packet-Src-IP-Address}" - - # There is no event for when dynamic clients expire - } - - # Events related to signals received. - signal { - # a HUP signal - hup = "${snmptrap}::signalHup" - - # a TERM signal - term = "${snmptrap}::signalTerm" - } - - - # Events related to the thread pool - thread { - # A new thread has been started - start = "${snmptrap}::threadStart" - - # an existing thread has been stopped - stop = "${snmptrap}::threadStop" - - # an existing thread is unresponsive - unresponsive = "${snmptrap}::threadUnresponsive" - - # the "max_threads" limit has been reached - max_threads = "${snmptrap}::threadMaxThreads" - } - } - - # When a home server changes state. - # These traps are edge triggered. - home_server { - # common arguments: IP, port, identifier - args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'" - - # The home server has been marked "alive" - alive = "${snmptrap}::homeServerAlive ${args}" - - # The home server has been marked "zombie" - zombie = "${snmptrap}::homeServerZombie ${args}" - - # The home server has been marked "dead" - dead = "${snmptrap}::homeServerDead ${args}" - } - - # When a pool of home servers changes state. - home_server_pool { - # common arguments - args = "radiusdConfigName s %{home_server:instance}" - - # It has reverted to "normal" mode, where at least one - # home server is alive. 
- normal = "${snmptrap}::homeServerPoolNormal ${args}" - - # It is in "fallback" mode, with all home servers "dead" - fallback = "${snmptrap}::homeServerPoolFallback ${args}" - } - - # Triggers for specific modules. These are NOT in the module - # configuration because they are global to all instances of the - # module. You can have module-specific triggers, by placing a - # "trigger" subsection in the module configuration. - modules { - # Common arguments - args = "radiusdModuleInstance s ''" - - # The files module - files { - # Common arguments - args = "radiusdModuleName s files ${..args}" - - # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" - - # Note that "hup" can be used for every module - # which can be HUP'd via radmin - } - - # The LDAP module - # If the server does "bind as user", it will open and close - # an LDAP connection ofr every "bind as user". Be aware that - # this will likely produce a lot of triggers. - ldap { - # Common arguments - args = "radiusdModuleName s ldap ${..args}" - - # A new connection to the DB has been opened - open = "${snmptrap}::serverModuleConnectionUp ${args}" - - # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" - - # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" - } - - # The SQL module - sql { - # Common arguments - args = "radiusdModuleName s sql ${..args}" - - # A new connection to the DB has been opened - open = "${snmptrap}::serverModuleConnectionUp ${args}" - - # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" - - # Failed to open a new connection to the DB - fail = "${snmptrap}::serverModuleConnectionFail ${args}" - - # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" - } - - # You can also use connection pool's start/stop/open/close triggers - # for any module which uses the "pool" section, here and under 
- # pool.trigger in module configuration. - } -} - -# -# The complete list of triggers as generated from the source code is below. -# -# These are the ONLY traps which are generated. You CANNOT add new traps -# by defining them in one of the sections above. New traps can be created -# only by edited both the source code to the server, *and* the MIBs. -# If you are not an expert in C and SNMP, then adding new traps will be -# difficult to create. -# -# home_server.alive -# home_server.dead -# home_server.zombie -# home_server_pool.fallback -# home_server_pool.normal -# modules.*.hup -# modules.ldap.timeout -# modules.sql.close -# modules.sql.fail -# modules.sql.open -# server.client.add -# server.max_requests -# server.signal.hup -# server.signal.term -# server.start -# server.stop -# server.thread.max_threads -# server.thread.start -# server.thread.stop -# server.thread.unresponsive diff --git a/pkgs/fablab/freeradius-anon-access/raddb/users b/pkgs/fablab/freeradius-anon-access/raddb/users deleted file mode 120000 index 458cce2..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/users +++ /dev/null @@ -1 +0,0 @@ -./mods-config/files/authorize \ No newline at end of file