pkgs/nix-gscheits.artwork: init

Since OpenSCAD has only limited SVG export capabilities, this implementation exports the image as PNG. Also, because OpenSCAD lacks transparency and anti-aliasing, the background colour is replaced by transparency and the image is then scaled down.
2021-12-28 18:24:35 +01:00
163 changed files with 437 additions and 10982 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,3 +1,5 @@
 **/secrets.yaml diff=sops

+*.jpg filter=lfs diff=lfs merge=lfs -text
 *.png filter=lfs diff=lfs merge=lfs -text
+*.svg filter=lfs diff=lfs merge=lfs -text
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,19 +1,17 @@
 keys:
-  - &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+  - &jalr 7C207509562C208C4EC1676E87A8E5662DF00274
  - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
-  - &raven age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
+  - &raven 10E468768E3BCD6459F9F11AC8F765CF8AD1F892
 creation_rules:
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
      - *jalr
      - *simon
-      age:
      - *raven
  - path_regex: machines/raven/secrets\.yaml$
    key_groups:
    - pgp:
      - *jalr
      - *simon
-      age:
      - *raven
--- a/flake.lock
+++ b/flake.lock
@ -1,51 +1,12 @@
 {
  "nodes": {
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1727196810,
-        "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
      "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1638122382,
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
        "type": "github"
      },
      "original": {
@ -54,27 +15,6 @@
        "type": "github"
      }
    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "nix-pre-commit-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
    "krops": {
      "inputs": {
        "flake-utils": [
@ -85,11 +25,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1644957911,
-        "narHash": "sha256-ggie/j7pdBqzDs4W7OiPmhqH9IGbXAbJxGqBdVxA8jA=",
+        "lastModified": 1632420452,
+        "narHash": "sha256-ncK6vABW/Ku9XI0kqj1otarUfblryoQzSaOCnaZ0oSs=",
        "owner": "Mic92",
        "repo": "krops",
-        "rev": "86fb3d2ee94fd8306231853b323ed8804edf26ec",
+        "rev": "0388970c568905fedcbf429e5745aacd4f7a6633",
        "type": "github"
      },
      "original": {
@ -98,43 +38,21 @@
        "type": "github"
      }
    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "sbruder-overlay",
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1703863825,
-        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
    "nix-pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs-unstable"
+        "flake-utils": [
+          "flake-utils"
        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
      },
      "locked": {
-        "lastModified": 1726745158,
-        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
+        "lastModified": 1639823344,
+        "narHash": "sha256-jlsQb2y6A5dB1R0wVPLOfDGM0wLyfYqEJNzMtXuzCXw=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
+        "rev": "ff9c0b459ddc4b79c06e19d44251daa8e9cd1746",
        "type": "github"
      },
      "original": {
@ -146,11 +64,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1727040444,
-        "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
+        "lastModified": 1640513880,
+        "narHash": "sha256-dIJYjqGFqCBNh3iasE+6EHG/W96I0YK6ayjfazOVuE8=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
+        "rev": "2a76e1204f3a605f8d8d2f323671e1a295a5246d",
        "type": "github"
      },
      "original": {
@ -162,59 +80,43 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1726969270,
-        "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=",
+        "lastModified": 1640531271,
+        "narHash": "sha256-WsUVTlPu1k3rXg3dyA0KMNvM9rnCEU0Fx4W0QI4rsXE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075",
+        "rev": "04bd2d1a4700907997be007a2a8f39edd59dac24",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-21.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
-    "nixpkgs-stable": {
+    "nixpkgs-asterisk": {
      "locked": {
-        "lastModified": 1720386169,
-        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
-        "owner": "NixOS",
+        "lastModified": 1638872530,
+        "narHash": "sha256-4tQOkGTdwa4xGJNwKaM+c67u37bDP4cDseYppq3xy0s=",
+        "owner": "yayayayaka",
        "repo": "nixpkgs",
-        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+        "rev": "77758650a83959c60aa2c7e2f2cf739ec7ddb793",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable_2": {
-      "locked": {
-        "lastModified": 1725762081,
-        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
+        "owner": "yayayayaka",
+        "ref": "asterisk-secrets-handling",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1726937504,
-        "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
+        "lastModified": 1640408860,
+        "narHash": "sha256-h2uF3+a8bVfM8SjcS4hLbsOzOuG3qsxuImC0BucWs1Q=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9357f4f23713673f310988025d9dc261c20e70c6",
+        "rev": "cb372c3b8880e504b06946e8fb2ca9777c685505",
        "type": "github"
      },
      "original": {
@ -224,42 +126,14 @@
        "type": "github"
      }
    },
-    "poetry2nix": {
-      "inputs": {
-        "flake-utils": [
-          "sbruder-overlay",
-          "flake-utils"
-        ],
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "sbruder-overlay",
-          "nixpkgs"
-        ],
-        "systems": "systems_2",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1714509427,
-        "narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=",
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "rev": "184960be60652ca7f865123e8394ece988afb566",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
-        "disko": "disko",
        "flake-utils": "flake-utils",
        "krops": "krops",
        "nix-pre-commit-hooks": "nix-pre-commit-hooks",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
+        "nixpkgs-asterisk": "nixpkgs-asterisk",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sbruder-overlay": "sbruder-overlay",
        "sops-nix": "sops-nix"
@ -275,15 +149,14 @@
        ],
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "poetry2nix": "poetry2nix"
+        ]
      },
      "locked": {
-        "lastModified": 1719952130,
-        "narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=",
+        "lastModified": 1638388788,
+        "narHash": "sha256-4t+iDoZO9X8fM1cWfbCbsIagRN0PRkpGcJKaMLJE7yc=",
        "owner": "sbruder",
        "repo": "nixpkgs-overlay",
-        "rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844",
+        "rev": "72d323ca0410a08abc2d981b812c5cd0fd3338bf",
        "type": "github"
      },
      "original": {
@ -296,71 +169,19 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
-      },
-      "locked": {
-        "lastModified": 1726524647,
-        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "id": "systems",
-        "type": "indirect"
-      }
-    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "sbruder-overlay",
-          "poetry2nix",
-          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1714058656,
-        "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
+        "lastModified": 1638821683,
+        "narHash": "sha256-oyqALhGijy2ZQxFSACrcC+Z8MzYLiomKCr9FQXVZ47U=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "afe00100b16648c1d79e62926caacac561df93a5",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
+        "owner": "Mic92",
+        "repo": "sops-nix",
        "type": "github"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -1,17 +1,16 @@
 {
  inputs = {
-    disko.inputs.nixpkgs.follows = "nixpkgs";
-    disko.url = "github:nix-community/disko";
-
    flake-utils.url = "github:numtide/flake-utils";

    nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
-    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";

-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";

    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+    nixpkgs-asterisk.url = "github:yayayayaka/nixpkgs/asterisk-secrets-handling";

    nixos-hardware.url = "github:nixos/nixos-hardware/master";

@ -40,7 +39,7 @@
      let
        pkgs = import nixpkgs {
          inherit system;
-          overlays = [ self.overlays.default ];
+          overlays = [ self.overlay ];
        };
        inherit (pkgs) lib;
      in
@ -56,7 +55,7 @@
          };
        };

-        devShells.default = pkgs.mkShell {
+        devShell = pkgs.mkShell {
          name = "fablab-nixos-config";

          buildInputs = (with pkgs; [
@ -111,9 +110,14 @@
          (flake-utils.lib.flattenTree {
            inherit (pkgs)
              fablab;
+
+            nix-gscheits = lib.recurseIntoAttrs {
+              inherit (pkgs.nix-gscheits)
+                artwork;
+            };
          });
      }) // {
-      overlays.default = import ./pkgs;
+      overlay = import ./pkgs;

      nixosConfigurations = nixpkgs.lib.mapAttrs
        (hostname: { system
@ -146,7 +150,6 @@
            })
          ] ++ (with inputs; [
            sops-nix.nixosModules.sops
-            disko.nixosModules.disko
          ]) ++ extraModules;
        })
        (import ./machines inputs);
--- a/keys/users/jalr.asc
+++ b/keys/users/jalr.asc
@ -1,23 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-mDMEZbmOERYJKwYBBAHaRw8BAQdAarCLR2RvxBnRODJY8WM98gCRbsHzXFTYTIoR
-ZlmbOQe0HEpha29iIExlY2huZXIgPGphbHJAamFsci5kZT6IjgQTFgoANhYhBDBE
-5x497/SbWGz1gJv0/MuQhU2pBQJluY4RAhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIX
-gAAKCRCb9PzLkIVNqbmFAQDG8xNgbZsZx6N2ssVC9k98IUvuKuMZQ6Gju86EsnNY
-dgD/eSVRfAKCtIPSGtoLvE5zL80hk117R4f8rbMEvrmt9gm4MwRluY53FgkrBgEE
-AdpHDwEBB0DRonRUQIQSfkqX7yHFHewbEYnc/spaPufL6EnSPVLvZ4j1BBgWCgAm
-FiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jncCGwIFCQHhM4AAgQkQm/T8y5CF
-Tal2IAQZFgoAHRYhBDp0/wfiMHs2RqSZ6EYNR7hAgU8/BQJluY53AAoJEEYNR7hA
-gU8/HikBAPOziBknk+WcsKODsdViFedagVgtnjW8J6mJZRKNcD2fAP4/42g9wU2i
-KHKHypLlGdmgOVOpSGNcubkcPFcOOHH7AZevAQDUU/UNpIHe7R3rYq4sFT2iYa9T
-ZKpmOostoAzyYOViZwD/RA2suqGyrSe96JLnxwzy3LccYgV3VwEbHDWeUTvOCAy4
-OARluY6pEgorBgEEAZdVAQUBAQdAAXZvPoXdFpBhYS8KgCeXweUMlSwsCnXmgiDh
-neSFMwsDAQgHiH4EGBYKACYWIQQwROcePe/0m1hs9YCb9PzLkIVNqQUCZbmOqQIb
-DAUJAeEzgAAKCRCb9PzLkIVNqbmEAQDSBggKtjGkLuYtIHBBCfBF4Dx7odOapasa
-tYqZTU7twwD/VhDvRGPbTl7X7DYQ36bmyjTe6cZAj3/M0ueQhlTrJAW4MwRluY7E
-FgkrBgEEAdpHDwEBB0B95fmIsa7I4c3ttAko71CuEI/wTam0zYrYJNtL7sz3o4h+
-BBgWCgAmFiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jsQCGyAFCQHhM4AACgkQ
-m/T8y5CFTamxRwD6A9TAs2Ac2VUQDCGgIEgUeULB2fZ1i0s0zydXctKJf7wBAL64
-utFE0ryrkFHMGY4xHMwZfvWosYH/qfLlKadnb3cK
-=WgEZ
+mQINBFalRtcBEADXqtNueywhXtjCy7WXAIzoxfmeCWe0+YzK79dHMz7TIqGQU1X4
+nYi9YJRAgIKvD/gY1i+hUoWrbc3s1YHKIbZsOqhHHuXSPgcpCG/xYWMroc6nsGT3
+iu2pbcxDAWRp0ib67SyCGwEQj/LLUpE0DkptZvUHOBgUGi8pohhbJJ1mAN0E7GJ3
+SjAeLKx59a4Q+S8HEKDJCmP6gCzixxIfS07ncG6TU4ppN8jaN/gEF40IIcTbds4C
+L+ieCdz9ZVtlDvGKtNiSlT7XHnbjPMuQBlbPZaiVuylQIkJlyLEjZduhLNueag2V
+NgcAfqt6HQCNnZ8B7K781rhb/rHtdk98lvOimOWUbNCXREEOHpoVIxZYYTnkVvLo
+YokUncWTMym+6Pelfc7RvtfrK1EjjbblTDn/+Wo5YlBYfI02Vr6RUg1CF4s/FwCc
+ogDtiG1eYAEpnHe9aV5lQrvJcgvmXF6cbIUnbaslApo0LH1uCYliInxuxKdOaxTT
+qRHgug25/SA5XEH3Sc/WFPCun4LFwEElxcrrE4OeWYiixBYU06GMem7GLa+VAf0E
+DxrzkGt16QODFyyJcWGQAp1SPxbBJ+E/QAe7KDK9vVocj31Ug4KA7LoqaLS6dW0e
+5VJRqtej/bOzI6zJYJYPGV4XejPPTMpg0se6EvMYw775M+qAajAbFnHRHQARAQAB
+tBxKYWtvYiBMZWNobmVyIDxtYWlsQGphbHIuZGU+iQJWBBMBCABAAhsjBwsJCAcD
+AgEGFQgCCQoLBBYCAwECHgECF4AWIQR8IHUJViwgjE7BZ26HqOVmLfACdAUCYA2o
+ywUJC0mVdAAKCRCHqOVmLfACdEJ+D/9iP3odbY9eNiiFw44BVKj/Y728V7p60/q2
+tCKtLSiF6DfPJ8z2zud6OcTUfn8NuD0bqs2peALhRi/MHRkJq7QuGVN6PNN/9fUa
+o9gpjGrwOHISnNkwCmEPJWJ60ZAh9XGJCY466IBAcvYurkq/qDx1BSyEi+makymf
+DP2UlyhmsspdOFAoN8+ggIRCWNr6mR1TAZO5O6ce7Wos3nxTlGD1MyPAirbKlAYv
+e8zqOHkhijdcKYzSIm/E/9y85aSvwDySOS69JpWEMsmGkXxq/VSv9CNzYEy/+ebR
+49aoIZgOr10uY4LLN5c0L+tLvVeSS1976dtwXwRECIplysCm0hZU9Wj9JmfOBACf
+Y2kIvMcTL+gREX5CKsvpPk1RChNrpELaOk/EY0hAhH4Nx2WSd6b6Kw/MagApVwNi
+zfMqOZsZmSd+RPHqn7hJWaI4hpN0HfjRFpVifjKQtR/Q25c1CzIllSkwGBXQ7AEM
+LpHoP1fEzk2Au0v+6q32bY8JCoLwChhcPxDZFzKepHOzgf+8QKq+ZB7KPxjWWAET
+lzmzgGhKmaQOnZZsBNYYj78opGXOMxkEThaHCBgKPDTBU6XPNgd/8LYUbai/JpA5
+wDOe6i5Z3c5TNXXOIMBpviUQ3BB1z4kd1YSV8DLPHwhY4q2d1oOGToKUZy39NvaZ
+Ds/rHILCQrkCDQRWpUbXARAAwxN80JhEojDcNiDRZOHVM7C4hQSdAOUI3upJpFVi
+0aJVRU5+w6yebh/2bMVUgL/UBFiEaKxgBtcy6snBsY5YzSZq6QneVhN0HLFyPAKX
+j2zrw2MQAaVtJ+ufihdqpxgWELVfY1ycP5rX6pHXAbQA6kw0lg3FNsUi7q/qIPoO
+8q8H656alz5fqvJcu1dBEbEQ+oWXUrROVcBkVjElX3Od2uKm2ZBQajcO5EEYj2Va
+QtsBTdzehGnrsssEtr7yZz4d85a3uWU3pJ900Ugn22MCBHS9EOk2IuEArgPFE7eV
+1S78D+QS7qjU71sJHsHoBeUg5uZoR0hNNnMWqokgYhHA9+A+Qt6KEBPLSb5Bp9Y0
+o5wqRBqjxaLPSGG1NryKkAKc3cvHiCwFW6DxsJzVML1aTH60R879256YCUmVMIUF
+pCGjUf3ZkZsFCMKuUDLsBE7Kn2CMVW7yNn1wLOfOhkRfGCtHQNLhIiwTTWD84iDQ
+DHQ5v5r2TfosbovSy+HGV0Bi0z3W5tk8x+aV3I67vk5BbSmp9bdC7MkfSuxOYdKA
+c3zexmuledVMyjVZvL2DwaJaXYD3YY+ZIUc6N/0Ox/65DllH347022luWUnXjkip
+vtM55ENKeGmk3z0368L4atubo2qV1l00UKs+2bdbz65uHDMgGebVBtNsExiO8pzd
+1asAEQEAAYkCPAQYAQgAJgIbDBYhBHwgdQlWLCCMTsFnboeo5WYt8AJ0BQJgDai6
+BQkLSZVjAAoJEIeo5WYt8AJ0BxIP/A70jXPM6QKtWGs7xi8n916aVK43ODgCVmDq
+vyduV5ywO8x8xljjVuAQm57Ei1thAGCmKzxn4rWmm81cVXBq/ZLRamrDSnP4rctZ
+qZfRdsUiLJUimOTxqOn0cDqrJs8trBIIE40M20LX3TlEWueDAhpuO1gndupSb94k
+U/PId1VZ1fyPz24tay/GgSfpBa7ZuXiSWr+QtQu2MlX9WXBo7gDo+BDUsZqyy4/w
+Gqm1i7NVElW1lJK+KOGCAHC7JcBIjGsfxS3+MjxI0HQ2MeQyDYiwhF0xHDTCLBgv
+nXAkFoCe2xB8q/+RZV1hfYGMDPILwFox6OZkpSRW/+a/j1fw+Hi4MidSoe7Xkxbr
+zZVTBiFFIUbg46PCxrBdNDtba26vcS4iUZVefqcGa2ZuHQrDYRdYyeqPCZ5z9PLp
+tVPYebApFnFSkd8pvcKkx6KPrItWBX5DFsGGTo6QzTg0s/w5WvqNWWHJ3NRFh1V/
+rz/E67uLfJGt3qOVyOkIKKOTzF473Wku9uTMz/BCaBRJ80VhGDYG7Vi5uvQwTte8
+CLhjpjF94XWhijOAIXXavCe+XhmX4QXBIjeDy4UtULi5uod2qCgT8hJRcRdC7T21
+x9o0CU3J3E0QdaVwulZJWEgT4JUTjBJwVRU6jwQNbq0l4FnRrcYULBcidCCAXXzR
+GUBE0eMh
+=PbMY
 -----END PGP PUBLIC KEY BLOCK-----
--- a/machines/default.nix
+++ b/machines/default.nix
@ -4,11 +4,13 @@ let
 in
 {
  raven = {
-    targetHost = "raven.fablab-nea.de";
+    targetHost = "192.168.94.1";
    system = "x86_64-linux";
    extraModules = [
      hardware.common-cpu-intel
      hardware.common-pc-ssd
+      # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+      "${inputs.nixpkgs-asterisk}/nixos/modules/services/networking/asterisk.nix"
    ];
  };
  party = {
--- a/machines/party/configuration.nix
+++ b/machines/party/configuration.nix
@ -6,27 +6,19 @@
    ./services
  ];

-  nixpkgs.config = { allowAliases = false; };
-
  console.keyMap = "de";
  services.xserver.layout = "de";

  services.xserver.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
-  services.xserver.displayManager.gdm = {
-    enable = true;
-    autoSuspend = false;
-  };
+  services.xserver.displayManager.gdm.enable = true;

  security.sudo.wheelNeedsPassword = false;

  users.users.party = {
    isNormalUser = true;
    password = "foobar";
-    extraGroups = [
-      "wheel"
-      "audio"
-    ];
+    extraGroups = [ "wheel" ];
  };

  environment.systemPackages = with pkgs; [
--- a/machines/party/hardware-configuration.nix
+++ b/machines/party/hardware-configuration.nix
@ -27,38 +27,12 @@

  fileSystems = {
    "/" = {
-      device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+      device = "/dev/sda3";
      fsType = "btrfs";
-      options = [
-        "subvol=root"
-        "discard=async"
-        "compress=zstd"
-      ];
+      options = [ "discard=async" "noatime" "compress=zstd" ];
    };
-
-    "/home" = {
-      device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
-      fsType = "btrfs";
-      options = [
-        "subvol=home"
-        "discard=async"
-        "compress=zstd"
-      ];
-    };
-
-    "/nix" = {
-      device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
-      fsType = "btrfs";
-      options = [
-        "subvol=nix"
-        "discard=async"
-        "compress=zstd"
-        "noatime"
-      ];
-    };
-
    "/boot" = {
-      device = "/dev/disk/by-uuid/3e24b5cf-e59f-41b1-9eef-107f808b9242";
+      device = "/dev/sda2";
      fsType = "ext2";
    };
  };
--- a/machines/party/services/colorchord.nix
+++ b/machines/party/services/colorchord.nix
@ -1,28 +1,28 @@
 { inputs, lib, pkgs, ... }:
 let
-  ledDevices = {
+  devices = {
+    traverse = {
+      leds = 116;
+      host = "wled-Traverse";
+    };
+    nhecke = {
+      leds = 75;
+      host = "wled-Nhecke";
+    };
+    printerbench = {
+      leds = 80;
+      host = "wled-Printerbench";
+    };
+    resedaraum = {
+      leds = 285;
+      host = "wled-Resedaraum";
+      loop = true;
+    };
    kanister = {
      leds = 43;
      host = "wled-Kanister";
    };
-    bar = {
-      leds = 300;
-      host = "wled-Bar";
-    };
  };
-  soundDevices = {
-    sink = "alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor";
-    source = "alsa_input.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo";
-  };
-
-  devicesProduct = lib.fold
-    (soundDevice: acc: acc // lib.mapAttrs'
-      (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
-        source = soundDevice.id;
-      }))
-      ledDevices)
-    { }
-    (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
 in
 {
  environment.systemPackages = with pkgs; [
@ -41,7 +41,7 @@ in
          # Audio input
          amplify = 10
          samplerate = 48000
-          devrecord = ${config.source}
+          devrecord = alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor

          # Visualiser
          cpu_autolimit = 1
@ -63,27 +63,25 @@ in
          skipfirst = 0
        '';
      })
-    devicesProduct;
+    devices;

-  systemd.user.services = builtins.listToAttrs (map
-    (soundDevice: lib.nameValuePair
-      "colorchord-${soundDevice}@"
-      {
-        partOf = [ "colorchord-${soundDevice}.target" ];
-        serviceConfig = {
-          ExecStart = ''
-            ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
-          '';
-          Restart = "always";
-        };
-      })
-    (lib.attrNames soundDevices));
+  systemd.user.services."colorchord@" = {
+    partOf = [ "colorchord.target" ];
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i.conf
+      '';
+      Restart = "always";
+    };
+  };

-  systemd.user.targets = builtins.listToAttrs (map
-    (soundDevice: lib.nameValuePair
-      "colorchord-${soundDevice}"
-      {
-        wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
-      })
-    (lib.attrNames soundDevices));
+  systemd.user.targets."colorchord" = {
+    wantedBy = [ "graphical-session.target" ];
+    partOf = [ "graphical-session.target" ];
+    wants = map (name: "colorchord@${name}.service") (lib.attrNames devices);
+  };
+
+  nixpkgs.overlays = with inputs; [
+    sbruder-overlay.overlay
+  ];
 }
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@ -3,7 +3,6 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ./disko.nix
    ./services
  ];

@ -22,10 +21,6 @@
        id = 5;
        interface = "eno1";
      };
-      pubevent = {
-        id = 6;
-        interface = "eno1";
-      };
    };
    interfaces = {
      eno2.useDHCP = true;
@ -33,10 +28,6 @@
        address = "192.168.94.1";
        prefixLength = 24;
      }];
-      pubevent.ipv4.addresses = [{
-        address = "10.10.0.1";
-        prefixLength = 20;
-      }];
      voip.ipv4.addresses = [{
        address = "192.168.93.1";
        prefixLength = 24;
@ -47,7 +38,6 @@
      externalInterface = "eno2";
      internalInterfaces = [
        "labprod"
-        "pubevent"
        "voip"
      ];
    };
@ -56,14 +46,7 @@
  i18n.defaultLocale = "en_US.UTF-8";
  console.keyMap = "de";

-  security = {
-    sudo.wheelNeedsPassword = false;
-
-    acme = {
-      acceptTerms = true;
-      defaults.email = "accounts+letsencrypt.org@fablab-nea.de";
-    };
-  };
+  security.sudo.wheelNeedsPassword = false;

  users.users = {
    simon = {
@ -73,7 +56,7 @@
    };
    jalr = {
      isNormalUser = true;
-      extraGroups = [ "wheel" "docker" "audio" ];
+      extraGroups = [ "wheel" "docker" ];
      openssh.authorizedKeys.keys = config.fablab.pubkeys.users.jalr;
    };
  };
@ -91,5 +74,5 @@
    "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ];
  };

-  system.stateVersion = "24.05";
+  system.stateVersion = "21.05";
 }
--- a/machines/raven/disko.nix
+++ b/machines/raven/disko.nix
@ -1,54 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      nvme = {
-        type = "disk";
-        device = "/dev/disk/by-id/ata-WD_Green_2.5_240GB_232497451701";
-        content = {
-          type = "gpt";
-          partitions = {
-            esp = {
-              type = "EF00";
-              size = "1024M";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-                mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
-              };
-            };
-            luks = {
-              size = "100%";
-              content = {
-                type = "luks";
-                name = "raven-crypt";
-                settings = {
-                  allowDiscards = true;
-                };
-                extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
-                content = {
-                  type = "btrfs";
-                  extraArgs = [ "-f" ];
-                  subvolumes = {
-                    "/root" = {
-                      mountpoint = "/";
-                      mountOptions = [ "compress=zstd" "noatime" ];
-                    };
-                    "/home" = {
-                      mountpoint = "/home";
-                      mountOptions = [ "compress=zstd" "noatime" "nodev" "nosuid" ];
-                    };
-                    "/nix" = {
-                      mountpoint = "/nix";
-                      mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ];
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}
--- a/machines/raven/hardware-configuration.nix
+++ b/machines/raven/hardware-configuration.nix
@ -20,13 +20,31 @@
        "cryptd"
      ];
      kernelModules = [ "dm-snapshot" ];
+
+      luks.devices.root = {
+        name = "root";
+        device = "/dev/disk/by-uuid/ee78659c-52a5-4e81-8028-b43de08b6a55";
+        preLVM = true;
+        allowDiscards = true;
+      };
    };

    loader = {
      systemd-boot.enable = true;
-      systemd-boot.configurationLimit = 20;
      efi.efiSysMountPoint = "/boot";
      efi.canTouchEfiVariables = true;
    };
  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/80209d1b-27c6-423d-93e8-cd39e1893873";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/20A0-5FD8";
+      fsType = "vfat";
+    };
+  };
 }
--- a/machines/raven/luks-passfile.gpg
+++ b/machines/raven/luks-passfile.gpg
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
--- a/machines/raven/services/asterisk.nix
+++ b/machines/raven/services/asterisk.nix
@ -1,6 +1,5 @@
 { config, lib, ... }:
 let
-  cfg = config.services.asterisk;
  secretConfigFiles = [
    "ari"
    "pjsip"
@ -12,6 +11,9 @@ let
  };
 in
 {
+  # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/149323 is merged
+  disabledModules = [ "services/networking/asterisk.nix" ];
+
  services.asterisk = {
    enable = true;
    confFiles = {
@ -22,6 +24,11 @@ in
        same  = n,VoiceMail(7929876@fablab,su)
        same => n,Hangup()

+        [eventphone-in]
+        exten => _5257,1,Noop(Processing an incoming call)
+        same => n,Dial(PJSIP/101,60,tT)
+        same => n,Hangup()
+
        exten => _3529,1,Noop(Processing an incoming call)
        same => n,Dial(PJSIP/100,60,tT)
        same => n,Hangup()
@ -40,10 +47,14 @@ in
        exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
        same = n,Hangup()

-        ; Kassen
        exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
        same = n,Hangup()

+        ; eventphone
+        exten => _XXXX,1,Noop(Processing an outgoing eventphone call)
+        same = n,Set(destination=''${EXTEN})
+        same = n,Goto(eventphone-out,''${CALLERID(num)},1)
+
        ; weinturm
        exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
        same = n,Hangup()
@ -53,6 +64,13 @@ in
        same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT)
        same => n,Hangup()

+        [eventphone-out]
+        exten => 100,1,Dial(PJSIP/''${destination}@eventphone_lab,30,tT)
+        same = n,Hangup()
+
+        exten => 101,1,Dial(PJSIP/''${destination}@eventphone_jalr,30,tT)
+        same = n,Hangup()
+
        [cisco]
        exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
        same = n,Hangup()
@ -66,11 +84,6 @@ in
        ; weinturm
        exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
        same = n,Hangup()
-
-        ; Kleinturm
-        exten = _58X,1,Dial(PJSIP/''${EXTEN},30,tT)
-        same = n,Hangup()
-
        ; /weinturm
      '';
      "http.conf" = ''
@ -92,25 +105,10 @@ in
        rtpstart=${toString rtp.start}
        rtpend=${toString rtp.end}
      '';
-      "dnsmgr.conf" = ''
-        [general]
-        enable=yes
-        refreshinterval=60
-      '';
-      "prometheus.conf" = ''
-        [general]
-        enabled = yes
-      '';
    };
    useTheseDefaultConfFiles = [ ];
  };

-  system.activationScripts.copyAsteriskFiles = lib.stringAfter [ "var" ] ''
-    rm -f /var/lib/asterisk/documentation/core-en_US.xml
-    mkdir -p /var/lib/asterisk/documentation
-    ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml
-  '';
-
  sops.secrets = (lib.listToAttrs (map
    (name: lib.nameValuePair "asterisk-${name}" {
      sopsFile = ../secrets.yaml;
--- a/machines/raven/services/colorchord.nix
+++ b/machines/raven/services/colorchord.nix
@ -1,109 +0,0 @@
-{ inputs, lib, pkgs, ... }:
-let
-  ledDevices = {
-    workbench-1 = {
-      leds = 87 * 2;
-      host = "wled-Workbench-1";
-    };
-    workbench-2 = {
-      leds = 87 * 2;
-      host = "wled-Workbench-2";
-    };
-    elektrodecke = {
-      leds = 87 * 2;
-      host = "wled-Elektrodecke";
-    };
-    traverse = {
-      leds = 235;
-      host = "wled-Traverse";
-    };
-    nhecke = {
-      leds = 75;
-      host = "wled-Nhecke";
-    };
-    printerbench = {
-      leds = 80;
-      host = "wled-Printerbench";
-    };
-    resedaraum = {
-      leds = 285;
-      host = "wled-Resedaraum";
-      loop = true;
-    };
-  };
-  soundDevices = {
-    sink = "alsa_output.usb-Burr-Brown_from_TI_USB_Audio_DAC-00.analog-stereo";
-  };
-
-  devicesProduct = lib.fold
-    (soundDevice: acc: acc // lib.mapAttrs'
-      (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
-        source = soundDevice.id;
-      }))
-      ledDevices)
-    { }
-    (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
-in
-{
-  environment.systemPackages = with pkgs; [
-    colorchord2
-  ];
-
-  environment.etc = lib.mapAttrs'
-    (name: config: lib.nameValuePair
-      "colorchord/${name}.conf"
-      {
-        text = ''
-          # Basic
-          outdrivers = DisplayNetwork, OutputLinear
-          headless = 1
-
-          # Audio input
-          amplify = 10
-          samplerate = 48000
-          devrecord = ${config.source}
-
-          # Visualiser
-          cpu_autolimit = 1
-          satamp = 1
-
-          # LED config
-          leds = ${toString config.leds}
-          is_loop = ${if config ? loop && config.loop then "1" else "0"}
-          light_siding = 1.5
-          led_floor = 0.1
-          steady_bright = 1
-          fliprg = 0
-
-          # WLED
-          wled_realtime = 1
-          port = 19446
-          address = ${config.host}
-          wled_timeout = 2
-          skipfirst = 0
-        '';
-      })
-    devicesProduct;
-
-  systemd.user.services = builtins.listToAttrs (map
-    (soundDevice: lib.nameValuePair
-      "colorchord-${soundDevice}@"
-      {
-        partOf = [ "colorchord-${soundDevice}.target" ];
-        serviceConfig = {
-          ExecStart = ''
-            ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
-          '';
-          Restart = "always";
-        };
-      })
-    (lib.attrNames soundDevices));
-
-  systemd.user.targets = builtins.listToAttrs (map
-    (soundDevice: lib.nameValuePair
-      "colorchord-${soundDevice}"
-      {
-        wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
-      })
-    (lib.attrNames soundDevices));
-}
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@ -1,15 +1,9 @@
 {
  imports = [
    ./asterisk.nix
-    ./colorchord.nix
    ./dnsmasq.nix
    ./dyndns.nix
-    ./freeradius.nix
-    ./grafana.nix
    ./labsync
-    ./mailhog.nix
-    ./prometheus.nix
    ./unifi-controller.nix
-    ./wekan.nix
  ];
 }
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@ -1,93 +1,37 @@
 { pkgs, ... }:

-let
-  stateDir = "/var/lib/dnsmasq";
-  dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" ''
-    dhcp-leasefile=${stateDir}/dnsmasq-events.leases
-    bind-dynamic
-    listen-address=10.10.0.1
-    except-interface=lo
-
-    domain=events.fablab-nea.de
-    dhcp-range=10.10.0.20,10.10.15.254,24h
-
-    cache-size=10000
-    dns-forward-max=1000
-
-    no-hosts
-  '';
-in
 {
  services.dnsmasq = {
    enable = true;
-    settings = {
-      server = [
-        "142.250.185.78" # dns.as250.net
-        "2001:470:20::2" # ordns.he.net
-        "74.82.42.42" # ordns.he.net
-      ];
-      bind-dynamic = true;
-      listen-address = [
-        "192.168.93.1"
-        "192.168.94.1"
-      ];
-      interface = "lo";
-      expand-hosts = true;
-      domain = "lab.fablab-nea.de";
-      dhcp-range = [
-        "set:voice,192.168.93.20,192.168.93.254,4h"
-        "set:lab,192.168.94.20,192.168.94.254,4h"
-      ];
-      dhcp-host = [
-        "00:30:42:1b:23:ed,192.168.93.21,rfp-01"
-        "00:30:42:1b:21:c1,192.168.93.22,rfp-02"
-        "00:30:42:1b:26:f6,192.168.93.23,rfp-03"
-        "00:30:42:1b:22:3b,192.168.93.24,rfp-04"
-        "00:30:42:1b:22:7c,192.168.93.25,rfp-05"
-      ];
-      dhcp-option = [
-        "vendor:OpenMobility,10,192.168.93.21"
-        "vendor:OpenMobility,224,OpenMobilitySIP-DECT"
-      ];
-      dhcp-boot = "lpxelinux.0,raven,192.168.94.1";
-      cache-size = 10000;
-      dns-forward-max = 1000;
-      auth-zone = "lab.fablab-nea.de,192.168.94.0/24";
-      auth-server = "lab.fablab-nea.de,78.47.224.251";
-      no-hosts = true;
-      addn-hosts = "${pkgs.writeText "hosts.dnsmasq" ''
+
+    extraConfig = ''
+      bind-dynamic
+
+      expand-hosts
+      domain=lab.fablab-nea.de
+      dhcp-range=192.168.93.20,192.168.93.254,5m
+      dhcp-range=192.168.94.20,192.168.94.254,5m
+
+      dhcp-boot=lpxelinux.0,raven,192.168.94.1
+
+      cache-size=10000
+      dns-forward-max=1000
+
+      auth-zone=lab.fablab-nea.de,192.168.94.0/24
+      auth-server=lab.fablab-nea.de,78.47.224.251
+
+      no-hosts
+      addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
        192.168.94.1 raven labsync unifi
        192.168.94.2 switch
-        192.168.94.3 schneiderscheune-weinturm-ap
-        192.168.94.4 schneiderscheune-weinturm-sta
-        192.168.94.5 wechselbruecke-router
-        192.168.94.6 wechselbruecke-ap
-        192.168.94.7 helferbereich-sta
-        192.168.94.8 helferbereich-switch
-        192.168.94.9 kleinturmbuehne-router
-      ''}";
-    };
-  };
-
-  systemd.services."dnsmasq-events" = {
-    description = "dnsmasq daemon for public event network";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-    path = [ pkgs.dnsmasq ];
-    preStart = ''
-      mkdir -m 755 -p ${stateDir}
-      dnsmasq --test -C ${dnsmasqEventsConf}
+      ''}
    '';
-    serviceConfig = {
-      Type = "dbus";
-      BusName = "uk.org.thekelleys.dnsmasq-events";
-      ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}";
-      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-      PrivateTmp = true;
-      ProtectSystem = true;
-      ProtectHome = true;
-      Restart = "on-failure";
-    };
+
+    servers = [
+      "142.250.185.78" # dns.as250.net
+      "2001:470:20::2" # ordns.he.net
+      "74.82.42.42" # ordns.he.net
+    ];
  };

  networking.firewall = {
--- a/machines/raven/services/dyndns.nix
+++ b/machines/raven/services/dyndns.nix
@ -6,11 +6,12 @@
  services.ddclient = {
    enable = true;
    interval = "1min";
-    server = "www.duckdns.org";
-    protocol = "duckdns";
-    username = "nouser";
+    use = "web, web=checkip.dynu.com/, web-skip='IP Address'";
+    server = "api.dynu.com";
+    protocol = "dyndns2";
+    username = "fablabnea";
    passwordFile = config.sops.secrets.dyndns-password.path;
-    domains = [ "fablab-nea" ];
-    use = "web, web=freedns.afraid.org/dynamic/check.php";
+    domains = [ "fablab-nea.freeddns.org" ];
+    ipv6 = false;
  };
 }
--- a/machines/raven/services/freeradius.nix
+++ b/machines/raven/services/freeradius.nix
@ -1,17 +0,0 @@
-# service for unifi wifi
-# provides anonymous access via WPA2 enterprise (PEAP)
-{ pkgs, ... }:
-
-{
-  services.freeradius = {
-    enable = true;
-    configDir = "${pkgs.fablab.freeradius-anon-access}/raddb";
-    debug = true;
-  };
-  users.users.radius.group = "radius";
-  users.groups.radius = { };
-  networking.firewall.allowedUDPPorts = [
-    1812
-    1813
-  ];
-}
--- a/machines/raven/services/grafana.nix
+++ b/machines/raven/services/grafana.nix
@ -1,28 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  domain = "grafana.fablab-nea.de";
-  srv = config.services.grafana.settings.server;
-in
-{
-  services.grafana = {
-    enable = true;
-    settings.server.domain = domain;
-  };
-
-  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
-      recommendedProxySettings = true;
-    };
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-      add_header X-Frame-Options "SAMEORIGIN";
-      add_header X-XSS-Protection "1; mode=block";
-      add_header X-Content-Type-Options "nosniff";
-    '';
-  };
-}
--- a/machines/raven/services/labsync/default.nix
+++ b/machines/raven/services/labsync/default.nix
@ -1,19 +1,9 @@
 # legacy labsync, currently partly implemented in docker outside of this configuration
 { pkgs, ... }:

-let
-  generator_port = 8695;
-in
 {
  services.opentracker.enable = true;

-  services.nginx.virtualHosts."labsync.fablab-nea.de" = {
-    addSSL = true;
-    enableACME = true;
-    locations = {
-      "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/";
-    };
-  };
  services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = {
    locations = {
      "/" = {
@ -22,7 +12,7 @@ in
          autoindex on;
        '';
      };
-      "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/";
+      "/generator/".proxyPass = "http://127.0.0.1:8695/";
    };
  };

--- a/machines/raven/services/mailhog.nix
+++ b/machines/raven/services/mailhog.nix
@ -1,4 +0,0 @@
-{ config, ... }:
-{
-  services.mailhog.enable = true;
-}
--- a/machines/raven/services/prometheus.nix
+++ b/machines/raven/services/prometheus.nix
@ -1,144 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  domain = "prometheus.fablab-nea.de";
-  cfg = config.services.prometheus;
-  mkStaticTargets = targets: lib.singleton { inherit targets; };
-  mkStaticTarget = target: mkStaticTargets (lib.singleton target);
-in
-{
-  services.prometheus.exporters.node.enable = true;
-
-  services.prometheus = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    webExternalUrl = "https://${domain}";
-    globalConfig = {
-      scrape_interval = "15s";
-      evaluation_interval = "15s";
-    };
-    extraFlags = [
-      "--storage.tsdb.retention.time=90d"
-      "--web.enable-admin-api"
-    ];
-    alertmanagers = [
-      {
-        static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
-        path_prefix = "/alertmanager/";
-      }
-    ];
-    alertmanager = {
-      enable = true;
-      listenAddress = "127.0.0.1";
-      webExternalUrl = "https://${domain}/alertmanager";
-      configuration = {
-        global.resolve_timeout = "2m";
-
-        route = {
-          receiver = "matrix";
-          group_by = [ "alertname" ];
-          group_wait = "3m";
-        };
-
-        receivers = [
-          {
-            name = "matrix";
-            webhook_configs = lib.singleton {
-              url = "http://localhost/webhook";
-            };
-          }
-        ];
-      };
-    };
-    scrapeConfigs = [
-      {
-        job_name = "prometheus";
-        static_configs = mkStaticTargets [
-          "localhost:${toString cfg.port}"
-          "kleinturmbuehne-router:9100"
-        ];
-      }
-      {
-        job_name = "node";
-        static_configs = mkStaticTargets [
-          "127.0.0.1:9100"
-        ];
-      }
-      {
-        job_name = "asterisk";
-        metrics_path = "/";
-        static_configs = mkStaticTargets [
-          "127.0.0.1:8088"
-        ];
-      }
-      {
-        job_name = "mikrotik";
-        static_configs = mkStaticTargets [
-          "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}"
-        ];
-      }
-      {
-        job_name = "unifi";
-        static_configs = mkStaticTargets [
-          "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}"
-        ];
-      }
-    ];
-    rules =
-      let
-        mkAlert = { name, expr, for ? "1m", description ? null }: {
-          alert = name;
-          inherit expr for;
-          annotations = lib.optionalAttrs (description != null) { inherit description; };
-        };
-      in
-      [
-        (lib.generators.toYAML { } {
-          groups = lib.singleton {
-            name = "alert.rules";
-            rules = map mkAlert [
-              {
-                name = "InstanceDown";
-                expr = ''up == 0'';
-                description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for
- more than 1 minutes.";
-              }
-            ];
-          };
-        })
-      ];
-  };
-
-  sops.secrets.prometheus-htpasswd = {
-    owner = "nginx";
-    sopsFile = ../secrets.yaml;
-  };
-
-  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
-    forceSSL = true;
-
-    basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
-
-    locations = {
-      "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
-
-      "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
-    };
-  };
-
-  services.prometheus.exporters.mikrotik = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    configuration = {
-      devices = [
-      ];
-      features = {
-        bgp = true;
-        dhcp = true;
-        routes = true;
-        optics = true;
-      };
-    };
-  };
-}
--- a/machines/raven/services/unifi-controller.nix
+++ b/machines/raven/services/unifi-controller.nix
@ -1,30 +1,9 @@
-{ config, pkgs, ... }:
-
-let
-  promCfg = config.services.prometheus;
-in
+{ pkgs, ... }:
 {
  services.unifi = {
    enable = true;
-    openFirewall = true;
-    unifiPackage = pkgs.unifi8;
+    openPorts = true;
+    unifiPackage = pkgs.unifi;
  };
  networking.firewall.allowedTCPPorts = [ 8443 ];
-
-  sops.secrets.unpoller-password = {
-    #owner = promCfg.exporters.unpoller.user;
-    owner = config.services.prometheus.exporters.unpoller.user;
-    sopsFile = ../secrets.yaml;
-  };
-
-  services.prometheus.exporters.unpoller = {
-    enable = true;
-    controllers = [{
-      user = "unpoller";
-      pass = config.sops.secrets.unpoller-password.path;
-      verify_ssl = false;
-      hash_pii = true;
-    }];
-    log.prometheusErrors = true;
-  };
 }
--- a/machines/raven/services/wekan.nix
+++ b/machines/raven/services/wekan.nix
@ -1,123 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  serviceName = "wekan";
-  databaseName = "wekandb";
-  networkName = "wekan-tier";
-  port = 8001;
-  domain = "wekan.fablab-nea.de";
-  url = "https://${domain}";
-
-  directories = {
-    db = "/var/lib/wekan/db";
-    dbDump = "/var/lib/wekan/db-dump";
-    data = "/var/lib/wekan/data";
-  };
-in
-{
-  virtualisation.oci-containers = {
-    backend = "podman";
-    containers = {
-      "${serviceName}" = {
-        autoStart = true;
-        image = "ghcr.io/wekan/wekan:latest";
-        environment = {
-          WRITABLE_PATH = "/data";
-          MONGO_URL = "mongodb://${databaseName}:27017/wekan";
-          ROOT_URL = url;
-          #WITH_API = "true";
-          RICHER_CARD_COMMENT_EDITOR = "false";
-          CARD_OPENED_WEBHOOK_ENABLED = "false";
-          BIGEVENTS_PATTERN = "NONE";
-          BROWSER_POLICY_ENABLED = "true";
-        };
-        ports = [
-          "127.0.0.1:${toString port}:8080"
-        ];
-        dependsOn = [ databaseName ];
-        volumes = [
-          "/etc/localtime:/etc/localtime:ro"
-          "${directories.data}:/data:rw"
-        ];
-        extraOptions = [
-          "--network=${networkName}"
-          "--pull=newer"
-        ];
-      };
-      "${databaseName}" = {
-        autoStart = true;
-        image = "mongo:6";
-        cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
-        volumes = [
-          "/etc/localtime:/etc/localtime:ro"
-          #"/etc/timezone:/etc/timezone:ro"
-          "${directories.db}:/data/db"
-          "${directories.dbDump}:/dump"
-        ];
-        extraOptions = [
-          "--network=${networkName}"
-          "--pull=newer"
-        ];
-      };
-    };
-  };
-
-  # Create the netowrk
-  systemd.services.init-filerun-network-and-files = {
-    description = "Create the network bridge ${networkName} for WeKan.";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    serviceConfig.Type = "oneshot";
-    script =
-      let podmancli = "${pkgs.podman}/bin/podman";
-      in ''
-        if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then
-          ${podmancli} network create "${networkName}"
-        else
-          echo "network already exists"
-        fi
-      '';
-  };
-
-  systemd.services.wekan-restart = {
-    description = "Restart Wekan services.";
-    serviceConfig = {
-      Type = "oneshot";
-    };
-    script = ''
-      ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service"
-    '';
-  };
-
-  systemd.timers.wekan-restart = {
-    description = "Restart wekan containers";
-    after = [ "network.target" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      Persistent = true;
-      OnCalendar = "*-*-* 04:00:00";
-      Unit = "wekan-restart.service";
-    };
-  };
-
-  system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
-    mkdir -p "${directories.db}"
-    mkdir -p "${directories.dbDump}"
-    mkdir -p "${directories.data}"
-    chown 999:999 "${directories.data}"
-  '';
-
-  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
-    forceSSL = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-      add_header X-Frame-Options "SAMEORIGIN";
-      add_header X-XSS-Protection "1; mode=block";
-      add_header X-Content-Type-Options "nosniff";
-    '';
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString port}";
-    };
-  };
-}
--- a/modules/base.nix
+++ b/modules/base.nix
@ -1,3 +1,3 @@
 {
-  boot.tmp.cleanOnBoot = true;
+  boot.cleanTmpDir = true;
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -2,7 +2,6 @@
  imports = [
    ./base.nix
    ./nix.nix
-    ./pipewire.nix
    ./pubkeys.nix
    ./sops.nix
    ./tools.nix
--- a/modules/nix.nix
+++ b/modules/nix.nix
@ -21,6 +21,9 @@ let
 in
 {
  nix = {
+    # flake support
+    package = pkgs.nixUnstable;
+
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
@ -34,13 +37,11 @@ in
      "nixpkgs-overlays=${overlaysCompat}"
    ];

-    settings = {
-      # sudoers are trusted nix users
-      trusted-users = [ "@wheel" ];
+    # sudoers are trusted nix users
+    trustedUsers = [ "@wheel" ];

-      # On-the-fly optimisation of nix store
-      auto-optimise-store = true;
-    };
+    # On-the-fly optimisation of nix store
+    autoOptimiseStore = true;

    # less noticeable nix builds
    daemonCPUSchedPolicy = "idle";
@ -49,8 +50,8 @@ in
  };

  nixpkgs.overlays = with inputs; [
-    self.overlays.default
-    sbruder-overlay.overlays.default
+    self.overlay
+
    (final: prev: {
      unstable = import nixpkgs-unstable {
        inherit (config.nixpkgs)
--- a/modules/pipewire.nix
+++ b/modules/pipewire.nix
@ -1,24 +0,0 @@
-{ pkgs, ... }:
-
-{
-  sound.enable = true;
-  hardware.pulseaudio.enable = false;
-
-  services.pipewire = {
-    enable = true;
-    pulse = {
-      enable = true;
-    };
-    jack = {
-      enable = false;
-    };
-    alsa = {
-      enable = true;
-      support32Bit = true;
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    pulseaudio # pacmd and pactl
-  ];
-}
--- a/modules/pubkeys.nix
+++ b/modules/pubkeys.nix
@ -3,11 +3,11 @@
 {
  options.fablab.pubkeys = with lib.types; {
    users = lib.mkOption {
-      type = attrsOf (listOf str);
+      type = attrsOf (listOf string);
      description = "pubkeys for a specific user";
    };
    groups = lib.mkOption {
-      type = attrsOf (listOf str);
+      type = attrsOf (listOf string);
      description = "pubkeys for a group of users";
    };
  };
@ -16,7 +16,7 @@
    fablab.pubkeys = {
      users = {
        jalr = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0f7+Y4QSUsSvd360eq0Q/ESVfE/s0WxJIrzvW8cazTcmld8/rKxGQR2xrxApu7pzZlZC3LDbQrx3B6nNVEZi0dPUgkJz9oEKRY5vSJ6x0H9cZ0iFfTcCTz5znflqGaFI6E6W6Vtl+DzIrmkFgaR0wNmV9DCcYAJreW4E32t8dKsG1Pv347N0eAZs3shokPYr7dmGoNiKzTOn/ILQ1Hxppzqy1ch2h8k2KL0+FM6wO76ijivBzfMZRJW0DVYsmebO6Je5HglkzYXvrNUtcD2gIrNE0YKByjorTjjf3336S+0uBGxetzhnl+XA2PxHB/3n9AzYC4DI/Nb9wgLBo6Ql+EYaPLKnGl3JHvtcOyAfoNVPdNDfbZz+tfe8cBUt1IPTlm26RYKgwCnJvcBD6dk/5mxu1ogjSfgEIqihJaq3j3+NfIY1CUFx1U6ISG40SWEXF5xV1qW3NZg5FqqA8sOfWLlkON/yFkPJ2shXUXmiZtjXMWM6XLIO054EN7cpUxHGPspjgynU9XLc45c4k5lKF1xQv13B8n8dHNEL01MU21svfdGcpuOsRvzagLX51+rVRJObYP1bZudyYVDgsxB6B/TiBHw3Xl3mwEs4KVi/cqVsPpaG3hwqCreDlV+NeCVtb0qb1WJ2Sae83CA6NEcUvRbrwAnU/vEhJepfo6j7WSw== jalr@jalr-tp"
        ];
        simon = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"
--- a/modules/tools.nix
+++ b/modules/tools.nix
@ -23,6 +23,7 @@
    compsize
    curl
    dnsutils
+    exa
    fd
    file
    git
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@ -3,6 +3,5 @@
 {
  nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [
    "unifi-controller"
-    "mongodb"
  ]);
 }
--- a/pkgs/artwork/artwork/.gitignore
+++ b/pkgs/artwork/artwork/.gitignore
@ -0,0 +1,3 @@
+/icon-*.png
+/logo.png
+/wallpaper.jpg
--- a/pkgs/artwork/artwork/Makefile
+++ b/pkgs/artwork/artwork/Makefile
@ -0,0 +1,26 @@
+ICON_RESOLUTIONS = 16 32 48 64 128 256 512 1024
+ICONS = $(foreach resolution,$(ICON_RESOLUTIONS),icon-$(resolution).png )
+
+default: wallpaper.jpg $(ICONS)
+
+logo.png: logo.scad
+	xvfb-run openscad -q -o $@ $< --camera=0,0,0,0,0,0,150 --projection=ortho --imgsize=4096,4096
+	mogrify -transparent "#ffffe5" -filter Mitchell -resize 2048 logo.png
+
+icon-%.png: logo.png
+	convert -filter Mitchell -resize $(basename $(@:icon-%=%)) $< $@
+	oxipng -q $@
+
+wallpaper.jpg: wallpaper.svg logo.png
+	inkscape -o - --export-type=png wallpaper.svg | convert -quality 92 - $@
+	jpegoptim -q -s $@
+
+.PHONY: clean install
+install: wallpaper.jpg $(ICONS)
+	install -Dm444 wallpaper.jpg $(PREFIX)/share/backgrounds/nix-gscheits.jpg
+	for resolution in $(ICON_RESOLUTIONS); do \
+		install -Dm444 icon-$${resolution}.png $(PREFIX)/share/icons/hicolor/$${resolution}x$${resolution}/nix-gscheits.png; \
+	done
+
+clean:
+	rm -f logo.png wallpaper.jpg $(ICONS)
--- a/pkgs/artwork/artwork/lasercutter.jpg
+++ b/pkgs/artwork/artwork/lasercutter.jpg
--- a/pkgs/artwork/artwork/logo.scad
+++ b/pkgs/artwork/artwork/logo.scad
@ -0,0 +1,61 @@
+// constants
+$fn=64;
+
+LABCUBE_COLOURS = [ "#c93841", "#4164b0", "#14a95d" ];
+NIX_FLAKE_COLOURS = [ "#5277c3", "#7ebae4" ];
+
+// lib
+module axonometric2rectangular(angle) {
+    scale([tan(angle), 1, 1]) rotate(45) children();
+}
+
+module shear2d(x, y) {
+    multmatrix(m = [[     1, tan(x)],
+                    [tan(y),      1]]) scale([cos(y), cos(x)]) children();
+}
+
+// nix flake
+module axonometric_lambda() {
+    polygon([
+        [0, 0],
+        [-8, 0],
+        [-8, -9],
+        [-21, -9],
+        [-21, -13],
+        [-17, -17],
+        [-8, -17],
+        [-8, -26],
+        [0, -34]
+    ]);
+}
+
+module lambda() {
+    axonometric2rectangular(30) axonometric_lambda();
+}
+
+
+module nix_flake(gap = 0.5, hexagon_size = 10) {
+    for (angle = [0:60:360]) {
+        color(NIX_FLAKE_COLOURS[(angle%120)/60]) rotate(angle) translate([-hexagon_size, -gap, 0]) lambda();
+    }
+}
+
+// lab cube
+module labcube_face(radius = .33, neck = .32) {
+    translate([-1/2, -1/2])
+    difference() {
+        square();
+        translate([1/2, 1/2]) circle(radius);
+        translate([(1-neck)/2, 0]) square(neck);
+    }
+}
+
+module labcube(size = 10) {
+    for (i = [0:2]) {
+        color(LABCUBE_COLOURS[i]) rotate(i*120) shear2d(-30, 0) translate([size/2, size/2]) mirror([0, 1, 0]) scale(size) labcube_face();
+    }
+}
+
+// composition
+nix_flake(gap = 0.5);
+labcube(size = 10-0.5);
--- a/pkgs/artwork/artwork/wallpaper.svg
+++ b/pkgs/artwork/artwork/wallpaper.svg
--- a/pkgs/artwork/default.nix
+++ b/pkgs/artwork/default.nix
@ -0,0 +1,32 @@
+{ lib, stdenv, imagemagick, inkscape, jpegoptim, mesa, openscad, oxipng, xvfb-run }:
+
+stdenv.mkDerivation {
+  name = "nix-gscheits-artwork";
+
+  src = ./artwork;
+
+  nativeBuildInputs = [
+    imagemagick
+    inkscape
+    jpegoptim
+    openscad
+    oxipng
+    xvfb-run
+  ];
+
+  preBuild = ''
+    export LIBGL_DRIVERS_PATH=${mesa.drivers}/lib/dri
+    export LD_LIBRARY_PATH=${mesa.drivers}/lib
+  '';
+
+  enableParallelBuilding = true;
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "Artwork for nix-gscheits";
+    license = licenses.cc-by-sa-40;
+    maintainers = with maintainers; [ sbruder ];
+    platforms = platforms.unix;
+  };
+}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -4,4 +4,8 @@ let
 in
 {
  fablab = recurseIntoAttrs (callPackage ./fablab { });
+
+  nix-gscheits = prev.recurseIntoAttrs {
+    artwork = callPackage ./artwork { };
+  };
 }
--- a/pkgs/fablab/default.nix
+++ b/pkgs/fablab/default.nix
@ -1,6 +1,5 @@
 { callPackage }:

 {
-  freeradius-anon-access = callPackage ./freeradius-anon-access { };
  mitgliedsantrag = callPackage ./mitgliedsantrag { };
 }
--- a/pkgs/fablab/freeradius-anon-access/default.nix
+++ b/pkgs/fablab/freeradius-anon-access/default.nix
@ -1,18 +0,0 @@
-{ lib, freeradius, stdenvNoCC, ... }:
-
-stdenvNoCC.mkDerivation {
-  name = "freeradius-anon-access";
-  src = ./.;
-  dontBuild = true;
-  installPhase = ''
-    mkdir $out
-    cp -r raddb $out
-    sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf
-  '';
-  nativeBuildInputs = [
-    freeradius
-  ];
-  meta = with lib; {
-    platforms = platforms.unix;
-  };
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/README.rst
+++ b/pkgs/fablab/freeradius-anon-access/raddb/README.rst
@ -1,665 +0,0 @@
-Upgrading to Version 3.0
-========================
-
-.. contents:: Sections
-   :depth: 2
-
-.. important:: 
-   The configuration for 3.0 is *largely* compatible with the 2.x.x
-   configuration.  However, it is NOT possible to simply use the 2.x.x
-   configuration as-is.  Instead, you should re-create it.
-
-Security
--------
-
-A number of configuration items have moved into the "security"
-subsection of radiusd.conf.  If you use these, you should move them.
-Otherwise, they can be ignored.
-
-The list of moved options is::
-
-  chroot
-  user
-  group
-  allow_core_dumps
-  reject_delay
-  status_server
-
-These entries should be moved from "radiusd.conf" to the "security"
-subsection of that file.
-
-Naming
------
-
-Many names used by configuration items were inconsistent in earlier
-versions of the server.  These names have been unified in version 3.0.
-
-If a file is being referenced or created the config item ``filename``
-is used.
-
-If a file is being created, the initial permissions are set by the
-``permissions`` config item.
-
-If a directory hierarchy needs to be created, the permissions are set
-by ``dir_permissions``.
-
-If an external host is referenced in the context of a module the
-``server`` config item is used.
-
-Unless the config item is a well recognised portmanteau
-(as ``filename`` is for example), it must be written as multiple
-distinct words separated by underscores ``_``.
-
-The configuration items ``file``, ``script_file``, ``module``,
-``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
-``detailperm``, and ``hostname`` are deprecated. As well as any false
-portmanteaus, and configuration items that used hyphens as word
-delimiters.  e.g. ``foo-bar`` has been changed to ``foo_bar``.  Please
-update your module configuration to use the new syntax.
-
-In most cases the server will tell you the replacement config item to
-use.  As always, run the server in debugging mode to see these
-messages.
-
-Modules Directory
-----------------
-
-As of version 3.0, the ``modules/`` directory no longer exists.
-
-Instead, all "example" modules have been put into the
-``mods-available/`` directory.  Modules which can be loaded by the
-server are placed in the ``mods-enabled/`` directory.  All of the
-modules in that directory will be loaded.  This means that the
-``instantiate`` section of radiusd.conf is less important.  The only
-reason to list a module in the ``instantiate`` section is to force
-ordering when the modules are loaded.
-
-Modules can be enabled by creating a soft link.  For module ``foo``, do::
-
-  $ cd raddb/mods-enabled
-  $ ln -s ../mods-available/foo
-
-To create "local" versions of the modules, we suggest copying the file
-instead.  This leaves the original file (with documentation) in the
-``mods-available/`` directory.  Local changes should go into the
-``mods-enabled/`` directory.
-
-Module-specific configuration files are now in the ``mods-config/``
-directory.  This change allows for better organization, and means that
-there are fewer files in the main ``raddb`` directory.  See
-``mods-config/README.rst`` for more details.
-
-Changed Modules
---------------
-
-The following modules have been changed.
-
-
-rlm_sql
-~~~~~~~
-
-The SQL configuration has been moved from ``sql.conf`` to
-``mods-available/sql``.  The ``sqlippool.conf`` file has also been
-moved to ``mods-available/sqlippool``.
-
-The SQL module configuration has been changed.  The old connection
-pool options are no longer accepted::
-
-  num_sql_socks
-  connect_failure_retry_delay
-  lifetime
-  max_queries
-
-Instead, a connection pool configuration is used.  This configuration
-contains all of the functionality of the previous configuration, but
-in a more generic form.  It also is used in multiple modules, meaning
-that there are fewer different configuration items.  The mapping
-between the configuration items is::
-
-  num_sql_socks			-> pool { max }
-  connect_failure_retry_delay	-> pool { retry_delay }
-  lifetime			-> pool { lifetime }
-  max_queries			-> pool { uses }
-
-The pool configuration adds a number of new configuration options,
-which allow the administrator to better control how FreeRADIUS uses
-SQL connection pools.
-
-The following parameters have been changed::
-
-  trace				-> removed
-  tracefile			-> logfile
-
-The logfile is intended to log SQL queries performed.  If you need to
-debug the server, use debugging mode.  If ``logfile`` is set, then
-*all* SQL queries will go to ``logfile``.
-
-You can now use a NULL SQL database::
-
-  driver = rlm_sql_null
-
-This is an empty driver which will always return "success".  It is
-intended to be used to replace the ``sql_log`` module, and to work in
-conjunction with the ``radsqlrelay`` program.  Simply take your normal
-configuration for raddb/mods-enabled/sql, and set::
-
-  driver = rlm_sql_null
-  ...
-  logfile = ${radacctdir}/sql.log
-
-All of the SQL queries will be logged to that file.  The connection
-pool does not need to be configured for the ``null`` SQL driver.  It
-can be left as-is, or deleted from the SQL configuration file.
-
-rlm_sql_sybase
-~~~~~~~~~~~~~~
-
-The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds``
-and the old ``rlm_sql_freetds`` module has been removed.
-
-``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds``
-used an older API and was incomplete.
-
-The new ``rlm_sql_freetds`` module now also supports database
-selection on connection startup so ``use`` statements no longer
-have to be included in queries.
-
-sql/dialup.conf
-~~~~~~~~~~~~~~~
-
-Queries for post-auth and accounting calls have been re-arranged.  The
-SQL module will now expand the 'reference' configuration item in the
-appropriate sub-section, and resolve this to a configuration
-item. This behaviour is similar to rlm_linelog.  This dynamic
-expansion allows for a dynamic mapping between accounting types and
-SQL queries.  Previously, the mapping was fixed.  Any "new" accounting
-type was ignored by the module.  Now, support for any accounting type
-can be added by just adding a new target, as below.
-
-Queries from v2.x.x may be manually copied to the new v3.0
-``dialup.conf`` file (``raddb/mods-config/sql/main/<dialect>/queries.conf``).
-When doing this you may also need to update references to the
-accounting tables, as their definitions will now be outside of
-the subsection containing the query.
-
-The mapping from old "fixed" query to new "dynamic" query is as follows::
-
-  accounting_onoff_query		-> accounting.type.accounting-on.query
-  accounting_update_query		-> accounting.type.interim-update.query
-  accounting_update_query_alt		+> accounting.type.interim-update.query
-  accounting_start_query		-> accounting.type.start.query
-  accounting_start_query_alt		+> accounting.type.start.query
-  accounting_stop_query			-> accounting.type.stop.query
-  accounting_stop_query_alt		+> accounting.type.stop.query
-  postauth_query			-> post-auth.query
-
-Alternatively a 2.x.x config may be patched to work with the
-3.0 module by adding the following::
-
-  accounting {
-	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
-	type {
-		accounting-on {
-			query = "${....accounting_onoff_query}"
-		}
-		accounting-off {
-			query = "${....accounting_onoff_query}"
-		}
-		start {
-			query = "${....accounting_start_query}"
-			query = "${....accounting_start_query_alt}"
-		}
-		interim-update {
-			query = "${....accounting_update_query}"
-			query = "${....accounting_update_query_alt}"
-		}
-		stop {
-			query = "${....accounting_stop_query}"
-			query = "${....accounting_stop_query_alt}"
-		}
-	}
-  }
-
-  post-auth {
-	query = "${..postauth_query}"
-  }
-
-In general, it is safer to migrate the configuration rather than
-trying to "patch" it, to make it look like a v2 configuration.
-
-Note that the sub-sections holding the queries are labelled
-``accounting-on``, and not ``accounting_on``.  The reason is that the
-names of these sections are taken directly from the
-``Accounting-Request`` packet, and the ``Acct-Status-Type`` field.
-The ``sql`` module looks at the value of that field, and then looks
-for a section of that name, in order to find the query to use.
-
-That process means that the server can be extended to support any new
-value of ``Acct-Status-Type``, simply by adding a named sub-section,
-and a query.  This behavior is preferable to that of v2, which had
-hard-coded queries for certain ``Acct-Status-Type`` values, and was
-ignored all other values.
-
-rlm_ldap
-~~~~~~~~
-
-The LDAP module configuration has been substantially changed.  Please
-read ``raddb/mods-available/ldap``.  It now uses a connection pool,
-just like the SQL module.
-
-Many of the configuration items remain the same, but they have been
-moved into subsections.  This change is largely cosmetic, but it makes
-the configuration clearer.  Instead of having a large set of random
-configuration items, they are now organized into logical groups.
-
-You will need to read your old LDAP configuration, and migrate it
-manually to the new configuration.  Simply copying the old
-configuration WILL NOT WORK.
-
-Users upgrading from 2.x.x who used to call the ldap module in
-``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap``
-module from the ``post-auth`` section.
-
-rlm_ldap and LDAP-Group
-~~~~~~~~~~~~~~~~~~~~~~~
-
-In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done
-by the last instance of rlm_ldap to be instantiated. In 3.0 this has
-changed so that only the default ``ldap {}`` instance registers
-``LDAP-Group``.
-
-If ``<instance>-LDAP-Group`` is already used throughout your configuration
-no changes will be needed.
-
-rlm_ldap authentication
-~~~~~~~~~~~~~~~~~~~~~~~
-
-In 2.x.x the LDAP module had a ``set_auth_type`` configuration item,
-which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it
-often did not work, and was not consistent with the rest of the
-server.  We generally recommend that LDAP should be used as a
-database, and that FreeRADIUS should do authentication.
-
-The only reason to use ``Auth-Type := ldap`` is when the LDAP server
-will not supply the "known good" password to FreeRADIUS, *and* where
-the Access-Request contains User-Password.  This situation happens
-only for Active Directory.  If you think you need to force ``Auth-Type
-:= ldap`` in other situations, you are very likely to be wrong.
-
-The following is an example of what should be inserted into the
-``authorize {}`` and ``authenticate {}`` sections of the relevant
-virtual-servers, to get functionality equivalent to v2.x::
-
-  authorize {
-    ...
-    ldap
-    if ((ok || updated) && User-Password) {
-      update control {
-	Auth-Type := ldap
-      }
-    }
-    ...
-  }
-  
-  authenticate {
-    ...
-    Auth-Type ldap {
-      ldap   
-    }
-    ...
-  }
-
-rlm_eap
-~~~~~~~
-
-The EAP configuration has been moved from ``eap.conf`` to
-``mods-available/eap``.  A new ``pwd`` subsection has been added for
-EAP-PWD.
-
-rlm_expiration & rlm_logintime
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``,
-the same behaviour can be achieved checking the return code of the module and
-adding the ``Reply-Message`` with unlang::
-
-  expiration
-  if (userlock) {
-    update reply {
-      Reply-Message := "Your account has expired"
-    }
-  }
-
-rlm_unix
-~~~~~~~~
-
-The ``unix`` module does not have an ``authenticate`` section.  So you
-cannot set ``Auth-Type := System``.  The ``unix`` module has also been
-deleted from the examples in ``sites-available/``.  Listing it there
-has been deprecated for many years.
-
-The PAP module can do crypt authentication.  It should be used instead
-of Unix authentication.
-
-The Unix module still can pull the passwords from ``/etc/passwd``, or
-``/etc/shadow``.  This is done by listing it in the ``authorize``
-section, as is done in the examples in ``sites-available/``.  However,
-some systems using NIS or NSS will not supply passwords to the
-``unix`` module.  For those systems, we recommend putting users and
-passwords into a database, instead of relying on ``/etc/passwd``.
-
-rlm_preprocess
-~~~~~~~~~~~~~~
-
-In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations
-without being configured explicitly. Since 3.x.x you need to set
-``huntgroups`` and ``users`` configuration item(s) in module section in order
-to get them being processed.
-
-New Modules
-----------
-
-rlm_date
-~~~~~~~~
-
-Instances of rlm_date register an xlat method which can translate
-integer and date values to an arbitrarily formatted date time
-string, or an arbitrarily formated time string to an integer, 
-depending on the attribute type passed.
-
-rlm_rest
-~~~~~~~~
-
-The ``rest`` module is used to translate RADIUS requests into 
-RESTfull HTTP requests. Currently supported body types are JSON
-and POST.
-
-rlm_unpack
-~~~~~~~~~~
-
-The ``unpack`` module is used to turn data buried inside of binary
-attributes.  e.g. if we have ``Class = 0x00000001020304`` then::
-
-  Tmp-Integer-0 := "%{unpack:&Class 4 short}"
-
-will unpack octets 4 and 5 as a "short", which has value 0x0304.
-All integers are assumed to be in network byte order.
-
-rlm_yubikey
-~~~~~~~~~~~
-
-The ``yubikey`` module can be used to forward yubikey OTP token
-values to a Yubico validation server, or decrypt the token 
-using a PSK.
-
-Deleted Modules
---------------
-
-The following modules have been deleted, and are no longer supported
-in Version 3.  If you are using one of these modules, your
-configuration can probably be changed to not need it.  Otherwise email
-the freeradius-devel list, and ask about the module.
-
-rlm_acct_unique
-~~~~~~~~~~~~~~~
-
-This module has been replaced by the "acct_unique" policy.  See
-raddb/policy.d/accounting.
-
-The method for calculating the value of acct_unique has changed.
-However, as this method was configurable, this change should not
-matter.  The only issue is in having a v2 and v3 server writing to the
-same database at the same time.  They will calculate different values
-for Acct-Unique-Id.
-
-rlm_acctlog
-~~~~~~~~~~~
-
-You should use rlm_linelog instead.  That module has a superset of the
-acctlog functionality.
-
-rlm_attr_rewrite
-~~~~~~~~~~~~~~~~
-
-The attr_rewrite module looked for an attribute, and then re-wrote it,
-or created a new attribute.  All of that can be done in "unlang".
-
-A sample configuration in "unlang" is::
-
-  if (request:Calling-Station-Id) {
-    update request {
-      Calling-Station-Id := "...."
-    }
-  }
-
-We suggest updating all uses of attr_rewrite to use unlang instead.
-
-rlm_checkval
-~~~~~~~~~~~~
-
-The checkval module compared two attributes.  All of that can be done in "unlang"::
-
-  if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
-    ok
-  }
-
-We suggest updating all uses of checkval to use unlang instead.
-
-rlm_dbm
-~~~~~~~
-
-No one seems to use it.  There is no sample configuration for it.
-There is no speed advantage to using it over the "files" module.
-Modern systems are fast enough that 10K entries can be read from the
-"users" file in about 10ms.  If you need more users than that, use a
-real database such as SQL.
-
-rlm_fastusers
-~~~~~~~~~~~~~
-
-No one seems to use it.  It has been deprecated since Version 2.0.0.
-The "files" module was rewritten so that the "fastusers" module was no
-longer necessary.
-
-rlm_policy
-~~~~~~~~~~
-
-No one seems to use it.  Almost all of its functionality is available
-via "unlang".
-
-rlm_sim_files
-~~~~~~~~~~~~~
-
-The rlm_sim_files module has been deleted.  It was never marked "stable",
-and was never used in a production environment.  There are better ways
-to test EAP.
-
-If you want similar functionality, see rlm_passwd.  It can read CSV
-files, and create attributes from them.
-
-rlm_sql_log
-~~~~~~~~~~~
-
-This has been replaced with the "null" sql driver.  See
-raddb/mods-available/sql for an example configuration.
-
-The main SQL module has more functionality than rlm_sql_log, and
-results in less code in the server.
-
-Other Functionality
-------------------
-
-The following is a list of new / changed functionality.
-
-RadSec
-~~~~~~
-
-RadSec (or RADIUS over TLS) is now supported.  RADIUS over bare TCP
-is also supported, but is recommended only for secure networks.
-
-See ``sites-available/tls`` for complete details on using TLS.  The server
-can both receive incoming TLS connections, and also originate outgoing
-TLS connections.
-
-The TLS configuration is taken from the old EAP-TLS configuration.  It
-is largely identical to the old EAP-TLS configuration, so it should be
-simple to use and configure.  It re-uses much of the EAP-TLS code,
-so it is well-tested and reliable.
-
-Once RadSec is enabled, normal debugging mode will not work.  This is
-because the TLS code requires threading to work properly.  Instead of doing::
-
-  $ radiusd -X
-
-you will need to do::
-
-  $ radiusd -fxx -l stdout
-
-That's the price to pay for using RadSec.  This limitation may be
-lifted in a future version of the server.
-
-
-PAP and User-Password
-~~~~~~~~~~~~~~~~~~~~~
-
-From version 3.0 onwards the server no longer supports authenticating
-against a cleartext password in the 'User-Password' attribute. Any
-occurences of this (for instance, in the users file) should now be changed
-to 'Cleartext-Password' instead.
-
-e.g. change entries like this::
-
-  bob User-Password == "hello"
-
-to ones like this::
-
-  bob Cleartext-Password := "hello"
-
-
-If this is not done, authentication will likely fail.  The server will
-also print a helpful message in debugging mode.
-
-If it really is impossible to do this, the following unlang inserted above
-the call to the pap module may be used to copy User-Password to the correct
-attribute::
-
-  if (!control:Cleartext-Password && control:User-Password) {
-    update control {
-      Cleartext-Password := "%{control:User-Password}"
-    }
-  }
-
-However, this should only be seen as a temporary, not permanent, fix.
-It is better to fix your databases to use the correct configuration.
-
-Unlang
-~~~~~~
-
-The unlang policy language is compatible with v2, but has a number of
-new features.  See ``man unlang`` for complete documentation.
-
-ERRORS
-
-Many more errors are caught when the server is starting up.  Syntax
-errors in ``unlang`` are caught, and a helpful error message is
-printed.  The error message points to the exact place where the error
-occurred::
-
-  ./raddb/sites-enabled/default[230]: Parse error in condition
-  ERROR:  if (User-Name ! "bob") {
-  ERROR:                ^ Invalid operator
-
-``update`` sections are more generic.  Instead of doing ``update
-reply``, you can do the following::
-
-  update {
-	  reply:Class := 0x0000
-	  control:Cleartext-Password := "hello"
-  }
-
-This change means that you need fewer ``update`` sections.
-
-COMPARISONS
-
-Attribute comparisons can be done via the ``&`` operator.  When you
-needed to compare two attributes, the old comparison style was::
-
-  if (User-Name == "%{control:Tmp-String-0}") {
-
-This syntax is inefficient, as the ``Tmp-String-0`` attribute would be
-printed to an intermediate string, causing unnecessary work.  You can
-now instead compare the two attributes directly::
-
-  if (&User-Name == &control:Tmp-String-0) {
-
-See ``man unlang`` for more details.
-
-CASTS
-
-Casts are now permitted.  This allows you to force type-specific
-comparisons::
-
-  if (<ipaddr>"%{sql: SELECT...}" == 127.0.0.1) {
-
-This forces the string returned by the SELECT to be treated as an IP
-address, and compare to ``127.0.0.1``.  Previously, the comparison
-would have been done as a simple string comparison.
-
-NETWORKS
-
-IP networks are now supported::
-
-  if (127.0.0.1/32 == 127.0.0.1) {
-
-Will be ``true``.  The various comparison operators can be used to
-check IP network membership::
-
-  if (127/8 > 127.0.0.1) {
-
-Returns ``true``, because ``127.0.0.1`` is within the ``127/8``
-network.  However, the following comparison will return ``false``::
-
-  if (127/8 > 192.168.0.1) {
-
-because ``192.168.0.1`` is outside of the ``127/8`` network.
-
-OPTIMIZATION
-
-As ``unlang`` is now pre-compiled, many compile-time optimizations are
-done.  This means that the debug output may not be exactly the same as
-what is in the configuration files::
-
-  if (0 && (User-Name == "bob')) {
-
-The result will always be ``false``, as the ``if 0`` prevents the
-following ``&& ...`` from being evaluated.
-
-Not only that, but the entire contents of that section will be ignored
-entirely::
-
-  if (0) {
-      this_module_does_not_exist
-      and_this_one_does_not_exist_either
-  }
-
-In v2, that configuration would result in a parse error, as there is
-no module called ``this_module_does_not_exist``.  In v3, that text is
-ignored.  This ability allows you to have dynamic configurations where
-certain parts are used (or not) depending on compile-time configuration.
-
-Similarly, conditions which always evaluate to ``true`` will be
-optimized away::
-
-  if (1) {
-      files
-  }
-
-That configuration will never show the ``if (1)`` output in debugging mode.
-
-
-Dialup_admin
------------
-
-The dialup_admin directory has been removed.  No one stepped forward
-to maintain it, and the code had not been changed in many years.
-
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf
@ -1,24 +0,0 @@
-[ req ]
-default_bits       = 1024
-distinguished_name = req_DN
-string_mask        = nombstr
- 
-[ req_DN ]
-countryName                     = "1. Country Name             (2 letter code)"
-countryName_default             = DE
-countryName_min                 = 2
-countryName_max                 = 2
-stateOrProvinceName             = "2. State or Province Name   (full name)    "
-stateOrProvinceName_default     = Berlin
-localityName                    = "3. Locality Name            (eg, city)     "
-localityName_default            = Berlin
-0.organizationName              = "4. Organization Name        (eg, company)  "
-0.organizationName_default      = Mustermann
-organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
-organizationalUnitName_default  = Certificate Authority
-commonName                      = "6. Common Name              (eg, CA name)  "
-commonName_max                  = 64
-commonName_default              = Mustermann CA
-emailAddress                    = "7. Email Address            (eg, name@FQDN)"
-emailAddress_max                = 40
-emailAddress_default            = ca@mustermann.de
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt
@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
-BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
-cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
-QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
-FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
-NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
-cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
-QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
-FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
-tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
-yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
-H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
-EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
-YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
-hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
-dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
-ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
-hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
-cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
-hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
-----END CERTIFICATE-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr
@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
-BgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2Vy
-dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJ
-KoZIhvcNAQkBFhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD
-269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFn
-OyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABoAAw
-DQYJKoZIhvcNAQELBQADgYEAK+Fbl3mG7m0gBkekWwU4BvC92eMs93GYCtYQECu7
-/Dc0J2K1ItGC7JrRVlQvStbEFCw3cXzlbSec2v+8rvvIbn6MB+StRRYjPUiIYS3h
-qly2FpcAo3Cg5GcnNf4keDGBzClo37MF2wlT0DAQIVPHMlTbkfgAQYwQS+uKLBre
-TwM=
-----END CERTIFICATE REQUEST-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext
@ -1,9 +0,0 @@
-extensions = x509v3
- 
-[ x509v3 ]
-basicConstraints      = CA:true,pathlen:0
-crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
-nsCertType            = sslCA,emailCA,objCA
-nsCaPolicyUrl         = "http://www.mustermann.de/ca/policy.htm"
-nsCaRevocationUrl     = "http://www.mustermann.de/ca/heimpold.crl"
-nsComment             = "Mustermann CA"
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key
@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5
-OFlD269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrE
-IvFnOyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQAB
-AoGAQaCF2idVGbRSVF3ae1qHGOj3Hive3WcReKg/8EittAPpNuP3tqiLUQ/WjxZr
-V1NTtZ4syvM+LXlDW186rU21iGpQqj9ce2zjxpWMco6GFf0qKBO1ZoYSyD6jW6ny
-M82TtCOVjH1LnyAz5AKRH6Wv5sG99gndK5AriEZEYrsnjQECQQDmK5EU5yVzz2o0
-X02Lolz0dRDy5J3x3hlaYKLoszMv4L04MAZ9XaMtGjqmKSOWsbMkIvp/d5A+2uJm
-42sULKC9AkEAwTN8+4Kd8d5qpNfaKiYU6x5I2qUwvkE6V7x+ttPoFzbzeHr5CM2z
-jkpA+x5u1fCtbl319zOb3ApVsrJ3o0+XqQJASeIgPxJ3jjY9RDR3YuQqbHoLh7xl
-CtedUcqFYKbtPmgotRmNa76b+4VY4C+CcgP2mhn0SOhrUBHY7OgBXkd5DQJBAIat
-ksFtAxdZGXRB+BYLp+dinBy2rKzjoX0JrDdcrtyH9N8WskU9x544CuZDB7ZhaTSX
-kV+6fTq9hZHlMNsKH8kCQQCGnlQIy3U3cN6E1O9UI4DRwPhSwl+xEfc3n0DB/Kcy
-faIPo3HnlNw/+4cIyc/7i1Ilkrj4zHtdrnAjP+OvZD7+
-----END RSA PRIVATE KEY-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem
@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
-BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
-cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
-QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
-FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
-NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
-cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
-QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
-FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
-tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
-yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
-H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
-EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
-YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
-hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
-dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
-ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
-hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
-cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
-hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
-----END CERTIFICATE-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial
@ -1 +0,0 @@
-03
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf
@ -1,24 +0,0 @@
-[ req ]
-default_bits       = 1024
-distinguished_name = req_DN
-string_mask        = nombstr
- 
-[ req_DN ]
-countryName                     = "1. Country Name             (2 letter code)"
-countryName_default             = DE
-countryName_min                 = 2
-countryName_max                 = 2
-stateOrProvinceName             = "2. State or Province Name   (full name)    "
-stateOrProvinceName_default     = Berlin
-localityName                    = "3. Locality Name            (eg, city)     "
-localityName_default            = Berlin
-0.organizationName              = "4. Organization Name        (eg, company)  "
-0.organizationName_default      = Mustermann
-organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
-#organizationalUnitName_default  =
-commonName                      = "6. Common Name              (eg, CA name)  "
-commonName_max                  = 64
-commonName_default              = Max Mustermann
-emailAddress                    = "7. Email Address            (eg, name@FQDN)"
-emailAddress_max                = 40
-emailAddress_default            = max@mustermann.de
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt
@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
-DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
-ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
-DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
-HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
-MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
-cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
-YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
-I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
-jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
-ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
-QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
-R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
-oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
-/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
-----END CERTIFICATE-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr
@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
-A1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0ZXJtYW5uMRcwFQYDVQQDEw5NYXgg
-TXVzdGVybWFubjEgMB4GCSqGSIb3DQEJARYRbWF4QG11c3Rlcm1hbm4uZGUwgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFPziPlydE+D1lKE+5Wh/aHDuQ4HBfF
-2PDWetE7um2d06newc3RZn+1JjpedX3t0u38eI5bJ2mOPj6bfdhVQBoM0/6ZE+rf
-l3EbjT69GqiAPYlA7ZlgMgz2TgO1lWwvyruMOnj2l3uHEZomY6hla9pxTjqJ7n8U
-HVVTUvZihoQ/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBX3obDa6757IR9ejEb
-1cY0k6S1SioC8ufX0Z2veFKoDLXKHL4kCZ89ie74hBf7mqx6O9ZscASXNcyuKFBz
-uaae2MSoh+DBJH6I7j23PMhs9ziaSJYLmawja0sWK/J8RaR7JNjVAzb/eU2zBQlq
-GTc8H8je+e2+aRUFYNgdGxgQ0g==
-----END CERTIFICATE REQUEST-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext
@ -1,5 +0,0 @@
-extensions = x509v3
- 
-[ x509v3 ]
-nsCertType = client,email,objsign
-keyUsage   = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.key
@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
-0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
-YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
-AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
-FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
-MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
-s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
-B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
-fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
-VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
-aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
-fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
-tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
-----END RSA PRIVATE KEY-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt
@ -1,32 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
-DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
-ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
-DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
-HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
-MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
-cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
-YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
-I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
-jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
-ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
-QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
-R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
-oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
-/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
-0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
-YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
-AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
-FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
-MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
-s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
-B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
-fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
-VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
-aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
-fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
-tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
-----END RSA PRIVATE KEY-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/dh
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/dh
@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAzQsuxnwr0ccOV+/wIsI4Kfj5eyBINjb5KjeFvdZec65Xj5IzJSqo
-kw2JaBhqN4Jtsq60doyev3tPtZn6YmBoVH/71CWOtibeZeSBjk67zQj7O0VKHHaG
-9OXyjGIyzUKtJl1VpD+mXvlrhZEjnnApf3fp4i8K8Ei7oHFu+6teEyei3qGKobEg
-Y+aYse5noocftCOj7QOpqLZU5BjYn+j1CVnivB3kCEuqYYTJJvyvVpTbWhAWTibY
-mZU2Sq7GCLn+hbX5R/d3hOAqISJXwloshipHv7pTvipEMF5Q9thbq/Lc8j+DQS1Y
-3KZMuq5+aDV2DVeVI5HSNv/uJJsN48hRkwIBAg==
-----END DH PARAMETERS-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf
@ -1,24 +0,0 @@
-[ req ]
-default_bits       = 1024
-distinguished_name = req_DN
-string_mask        = nombstr
- 
-[ req_DN ]
-countryName                     = "1. Country Name             (2 letter code)"
-countryName_default             = DE
-countryName_min                 = 2
-countryName_max                 = 2
-stateOrProvinceName             = "2. State or Province Name   (full name)    "
-#stateOrProvinceName_default     =
-localityName                    = "3. Locality Name            (eg, city)     "
-localityName_default            = Berlin
-0.organizationName              = "4. Organization Name        (eg, company)  "
-0.organizationName_default      = Mustermann
-organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
-organizationalUnitName_default  = Server
-commonName                      = "6. Common Name              (eg, CA name)  "
-commonName_max                  = 64
-commonName_default              = www.mustermann.de
-emailAddress                    = "7. Email Address            (eg, name@FQDN)"
-emailAddress_max                = 40
-emailAddress_default            = webmaster@mustermann.de
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIC6zCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
-DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
-ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
-DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
-HhcNMjIwODAxMDEwNjQ1WhcNMjQwNzMxMDEwNjQ1WjCBiDELMAkGA1UEBhMCREUx
-DzANBgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEPMA0GA1UECxMG
-U2VydmVyMRowGAYDVQQDExF3d3cubXVzdGVybWFubi5kZTEmMCQGCSqGSIb3DQEJ
-ARYXd2VibWFzdGVyQG11c3Rlcm1hbm4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAOGRdBwkcWMlXj5ZIez2OjadgD7JBVqXS06rZopONcFil9O4OvFHSeMP
-mGDIeeggZvh1hpcpKq2+zgY6640zlTbXK7J0T8QUXs0XHDJd9uMI5nDovaG37tah
-G83YIPKmLBB87p511amdUviPc4QJGaGRJeYnAC4ou2RX/ko6y4yfAgMBAAGjTjBM
-MBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwKgYDVR0lBCMwIQYKKwYB
-BAGCNwoDAwYJYIZIAYb4QgQBBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOBgQAQ
-wU4rNIuiakUH60u9m983BHddCl81Fy4nf2BExbxXSW/B+yj3adHQ/0RF/xGCcVrI
-ORtGlyt8OW83VEfGFFpNPMR6XdxPMyoSUEFaEyVbYGQigQUXoa5k5vINmUD6bgxF
-5o5taGIFnfnjEncwRTHADFEIN5hKHjtIdXcNRue2kg==
-----END CERTIFICATE-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr
@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHEwZCZXJsaW4xEzAR
-BgNVBAoTCk11c3Rlcm1hbm4xDzANBgNVBAsTBlNlcnZlcjEaMBgGA1UEAxMRd3d3
-Lm11c3Rlcm1hbm4uZGUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBtdXN0ZXJt
-YW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhkXQcJHFjJV4+WSHs
-9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrxR0njD5hgyHnoIGb4dYaXKSqtvs4GOuuN
-M5U21yuydE/EFF7NFxwyXfbjCOZw6L2ht+7WoRvN2CDypiwQfO6eddWpnVL4j3OE
-CRmhkSXmJwAuKLtkV/5KOsuMnwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEADZZ5
-+z8oUdzM0aDxMt2KyNSc8+NUkL4u+h38ZuDasHMXCncfWqp7I42qev1FHqKaI1Rn
-GWZsWd943kOeMjFgxGkQoesLsyuqRslyUHAACnqHit2ZKz51reiiakK7v/qYxiV6
-aZOZBv5s2eaG6iT1ea5f5j2SKKOyhuDwfs7q4hQ=
-----END CERTIFICATE REQUEST-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext
@ -1,6 +0,0 @@
-extensions = x509v3
- 
-[ x509v3 ]
-nsCertType       = server
-keyUsage         = digitalSignature,nonRepudiation,keyEncipherment
-extendedKeyUsage = msSGC,nsSGC,serverAuth
--- a/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key
+++ b/pkgs/fablab/freeradius-anon-access/raddb/certs/server.key
@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDhkXQcJHFjJV4+WSHs9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrx
-R0njD5hgyHnoIGb4dYaXKSqtvs4GOuuNM5U21yuydE/EFF7NFxwyXfbjCOZw6L2h
-t+7WoRvN2CDypiwQfO6eddWpnVL4j3OECRmhkSXmJwAuKLtkV/5KOsuMnwIDAQAB
-AoGAO1kEvp7MAnUDfc3/whPqrxHzexFyyioCU1l/aiY3uIDTR44yW+cQxqAEzHoS
-sQNNdFOfrMfVBc+s7zCzZvxKZpvapg2HGATkk9I8AFUTuSh7n3oUT/AZ1KGdd04G
-wS/6QsLR3G8c+0RB9DPWpMVgg1OlQ1U3ESB+eaeQ28/hLFECQQD6LRHnLfLrGlz9
-0htFV3JD19qPNmwRCEa/bHeK4dICuEikgpQZ18nbOCrfUvR4GltkQA8w6CMGmebJ
-5COHx+epAkEA5tG7fsnA8ut/AfA3HoBRi1YtoE4YLOE8b+Jdt72LDE6jaR9mBc0N
-gwxDBhdgZf9HTSaWB65j1V1sik8DqkjfBwJABE5SSJBZ5gIGJ7g+D+t5ZAGLGXvu
-UDy8Ov8674EDhFh3p503v1ofd054Lm/XFVoeyJLxr/3O3IY5mq/6jJO8QQJBANcC
-V51rYojmRZEQqseG0G7y/91r4aksxpeSTapyravxNNcfoHGW6RdBvM1XyTw557k+
-UFMnZ2fBdvH/WHKvHtECQEvLTxtmdxKMrndFJiTObeItdl/iHU9JujW4ib64CysI
-RdwEverbouogjHfyeDjazXIsgpIUSIbZNHL13bICpBg=
-----END RSA PRIVATE KEY-----
--- a/pkgs/fablab/freeradius-anon-access/raddb/clients.conf
+++ b/pkgs/fablab/freeradius-anon-access/raddb/clients.conf
@ -1,4 +0,0 @@
-client 0.0.0.0/0 {
-        secret                        = anonymous
-        require_message_authenticator = no
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/dictionary
+++ b/pkgs/fablab/freeradius-anon-access/raddb/dictionary
@ -1,49 +0,0 @@
-#
-#	This is the local dictionary file which can be
-#	edited by local administrators.  It will be loaded
-#	AFTER the main dictionary files are loaded.
-#
-#	As of version 3.0.2, FreeRADIUS will automatically
-#	load the main dictionary files from
-#
-#		${prefix}/share/freeradius/dictionary
-#
-#	It is no longer necessary for this file to $INCLUDE
-#	the main dictionaries.  However, if the $INCLUDE
-#	line is here, nothing bad will happen.
-#
-#	Any new/changed attributes MUST be placed in this file.
-#	The pre-defined dictionaries SHOULD NOT be edited.
-#
-#	See "man dictionary" for documentation on its format.
-#
-#	$Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
-#
-
-#
-#	All local attributes and $INCLUDE's should go into
-#	this file.
-#
-
-#	If you want to add entries to the dictionary file,
-#	which are NOT going to be placed in a RADIUS packet,
-#	add them to the 'dictionary.local' file.
-#
-#	The numbers you pick should be between 3000 and 4000.
-#	These attributes will NOT go into a RADIUS packet.
-#
-#	If you want that, you will need to use VSAs.  This means
-#	requesting allocation of a Private Enterprise Code from
-#	http://iana.org.  We STRONGLY suggest doing that only if
-#	you are a vendor of RADIUS equipment.
-#
-#	See RFC 6158 for more details.
-#	http://ietf.org/rfc/rfc6158.txt
-#
-
-#
-#	These attributes are examples
-#
-#ATTRIBUTE	My-Local-String		3000	string
-#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
-#ATTRIBUTE	My-Local-Integer	3002	integer
--- a/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf
+++ b/pkgs/fablab/freeradius-anon-access/raddb/experimental.conf
@ -1,116 +0,0 @@
-#
-#  This file contains the configuration for experimental modules.
-#
-#  By default, it is NOT included in the build.
-#
-#  $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $
-#
-
-# Configuration for the Python module.
-#
-# Where radiusd is a Python module, radiusd.py, and the
-# function 'authorize' is called.  Here is a dummy piece
-# of code:
-#
-#	def authorize(params):
-#		print params
-#		return (5, ('Reply-Message', 'banned'))
-#
-# The RADIUS value-pairs are passed as a tuple of tuple
-# pairs as the first argument, e.g. (('attribute1',
-# 'value1'), ('attribute2', 'value2'))
-#
-# The function return is a tuple with the first element
-# being the return value of the function.
-# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
-# write the return values as Python symbols to avoid
-# confusion.
-#
-# The remaining tuple members are the string form of
-# value-pairs which are passed on to pairmake().
-#
-python {
-	mod_instantiate = radiusd_test
-	func_instantiate = instantiate
-
-	mod_authorize = radiusd_test
-	func_authorize = authorize
-
-	mod_accounting = radiusd_test
-	func_accounting = accounting
-
-	mod_pre_proxy = radiusd_test
-	func_pre_proxy = pre_proxy
-
-	mod_post_proxy = radiusd_test
-	func_post_proxy = post_proxy
-
-	mod_post_auth = radiusd_test
-	func_post_auth = post_auth
-
-	mod_recv_coa = radiusd_test
-	func_recv_coa = recv_coa
-
-	mod_send_coa = radiusd_test
-	func_send_coa = send_coa
-
-	mod_detach = radiusd_test
-	func_detach = detach
-}
-
-
-# Configuration for the example module.  Uncommenting it will cause it
-# to get loaded and initialised, but should have no real effect as long
-# it is not referenced in one of the autz/auth/preacct/acct sections
-example {
-	#  Boolean variable.
-	# allowed values: {no, yes}
-	boolean = yes
-
-	#  An integer, of any value.
-	integer = 16
-
-	#  A string.
-	string = "This is an example configuration string"
-
-	# An IP address, either in dotted quad (1.2.3.4) or hostname
-	# (example.com)
-	ipaddr = 127.0.0.1
-
-	# A subsection
-	mysubsection {
-		anotherinteger = 1000
-		# They nest
-		deeply nested {
-			string = "This is a different string"
-		}
-	}
-}
-
-#
-#  To create a dbm users file, do:
-#
-#   cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
-#
-#  Then add 'dbm' in 'authorize' section.
-#
-#  Note that even if the file has a ".db" or ".dbm" extension,
-#  you may have to specify it here without that extension.  This
-#  is because the DBM libraries "helpfully" add a ".db" to the
-#  filename, but don't check if it's already there.
-#
-dbm {
-	usersfile = ${confdir}/users_db
-}
-
-# Instantiate a couple instances of the idn module
-idn {
-}
-
-# ...more commonly known as...
-idn idna {
-}
-
-idn idna_lenient {
-	UseSTD3ASCIIRules = no
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/hints
+++ b/pkgs/fablab/freeradius-anon-access/raddb/hints
@ -1 +0,0 @@
-./mods-config/preprocess/hints
--- a/pkgs/fablab/freeradius-anon-access/raddb/huntgroups
+++ b/pkgs/fablab/freeradius-anon-access/raddb/huntgroups
@ -1 +0,0 @@
-./mods-config/preprocess/huntgroups
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/always
@ -1,81 +0,0 @@
-# -*- text -*-
-#
-#  $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $
-
-#
-#  The "always" module is here for debugging purposes, or
-#  for use in complex policies.
-#  Instance simply returns the same result, always, without
-#  doing anything.
-#
-#  rcode may be one of the following values:
-#  - reject   - Reject the user.
-#  - fail     - Simulate or indicate a failure.
-#  - ok       - Simulate or indicate a success.
-#  - handled  - Indicate that the request has been handled,
-#               stop processing, and send response if set.
-#  - invalid  - Indicate that the request is invalid.
-#  - userlock - Indicate that the user account has been
-#               locked out.
-#  - notfound - Indicate that a user account can't be found.
-#  - noop     - Simulate a no-op.
-#  - updated  - Indicate that the request has been updated.
-#
-#  If an instance is listed in a session {}  section, 
-#  this simulates a user having <integer> sessions.
-#  
-#  simulcount = <integer>
-#
-#  If an instance is listed in a session {}  section, 
-#  this simulates the user having multilink
-#  sessions.
-#
-#  mpp = <integer>
-#
-#  An xlat based on the instance name can be called to change the status
-#  returned by the instance, in this example "always db_status { ... }"
-#
-#  Force the module status to be alive or dead:
-#
-#  %{db_status:alive}
-#  %{db_status:dead}
-#
-#  Update the rcode returned by an alive module (a dead module returns fail):
-#
-#  %{db_status:ok}
-#  %{db_status:fail}
-#  %{db_status:notfound}
-#  ...
-#
-#  The above xlats expand to the current status of the module. To fetch the
-#  current status without affecting it call the xlat with an empty argument:
-#
-#  %{db_status:}
-#
-always reject {
-	rcode = reject
-}
-always fail {
-	rcode = fail
-}
-always ok {
-	rcode = ok
-}
-always handled {
-	rcode = handled
-}
-always invalid {
-	rcode = invalid
-}
-always userlock {
-	rcode = userlock
-}
-always notfound {
-	rcode = notfound
-}
-always noop {
-	rcode = noop
-}
-always updated {
-	rcode = updated
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter
@ -1,61 +0,0 @@
-# -*- text -*-
-#
-#  $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $
-
-#
-#  This file defines a number of instances of the "attr_filter" module.
-#
-
-# attr_filter - filters the attributes received in replies from
-# proxied servers, to make sure we send back to our RADIUS client
-# only allowed attributes.
-attr_filter attr_filter.post-proxy {
-	key = "%{Realm}"
-	filename = ${modconfdir}/${.:name}/post-proxy
-}
-
-# attr_filter - filters the attributes in the packets we send to
-# the RADIUS home servers.
-attr_filter attr_filter.pre-proxy {
-	key = "%{Realm}"
-	filename = ${modconfdir}/${.:name}/pre-proxy
-}
-
-# Enforce RFC requirements on the contents of Access-Reject
-# packets.  See the comments at the top of the file for
-# more details.
-#
-attr_filter attr_filter.access_reject {
-	key = "%{User-Name}"
-	filename = ${modconfdir}/${.:name}/access_reject
-}
-
-# Enforce RFC requirements on the contents of Access-Challenge
-# packets.  See the comments at the top of the file for
-# more details.
-#
-attr_filter attr_filter.access_challenge {
-	key = "%{User-Name}"
-	filename = ${modconfdir}/${.:name}/access_challenge
-}
-
-
-#  Enforce RFC requirements on the contents of the
-#  Accounting-Response packets.  See the comments at the
-#  top of the file for more details.
-#
-attr_filter attr_filter.accounting_response {
-	key = "%{User-Name}"
-	filename = ${modconfdir}/${.:name}/accounting_response
-}
-
-#
-#  Enforce CoA or Disconnect packets.
-#
-#  Note that you MUST edit the "coa" file below for your
-#  local configuration.  Add in any attributes needed by the NAS.
-#
-attr_filter attr_filter.coa {
-	key = "%{User-Name}"
-	filename = ${modconfdir}/${.:name}/coa
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap
@ -1,13 +0,0 @@
-#
-#	Cache EAP responses for resiliency on intermediary proxy fail-over
-#
-cache cache_eap {
-	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
-
-	ttl = 15
-
-	update reply {
-		reply: += &reply:
-		&control:State := &request:State
-	}
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap
@ -1,11 +0,0 @@
-# -*- text -*-
-#
-#  $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
-
-# CHAP module
-#
-#  To authenticate requests containing a CHAP-Password attribute.
-#
-chap {
-	# no configuration
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/date
@ -1,35 +0,0 @@
-#
-#  Registers xlat to convert between time formats.
-#
-#  xlat input string is an attribute name. If this attribute is of date
-#  or integer type, the date xlat will convert it to a time string in
-#  the format of the format config item.
-#
-#  If the attribute is a string type, date will attempt to parse it in
-#  the format specified by the format config item, and will expand
-#  to a Unix timestamp.
-#
-date {
-	format = "%b %e %Y %H:%M:%S %Z"
-
-	# Use UTC instead of local time.
-	#
-	#  default = no
-#	utc = yes
-}
-
-#
-#  The WISPr-Session-Terminate-Time attribute is of type "string",
-#  and not "date".  Use this expansion to create an attribute
-#  that holds an actual date:
-#
-#	Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
-#
-date wispr2date {
-	format = "%Y-%m-%dT%H:%M:%S"
-
-	# Use UTC instead of local time.
-	#
-	#  default = no
-#	utc = yes
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail
@ -1,109 +0,0 @@
-# -*- text -*-
-#
-#  $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $
-
-# Write a detailed log of all accounting records received.
-#
-detail {
-	#  Note that we do NOT use NAS-IP-Address here, as
-	#  that attribute MAY BE from the originating NAS, and
-	#  NOT from the proxy which actually sent us the
-	#  request.
-	#
-	#  The following line creates a new detail file for
-	#  every radius client (by IP address or hostname).
-	#  In addition, a new detail file is created every
-	#  day, so that the detail file doesn't have to go
-	#  through a 'log rotation'
-	#
-	#  If your detail files are large, you may also want to add
-	#  a ':%H' (see doc/configuration/variables.rst) to the end
-	#  of it, to create a new detail file every hour, e.g.:
-	#
-	#   ..../detail-%Y%m%d:%H
-	#
-	#  This will create a new detail file for every hour.
-	#
-	#  If you are reading detail files via the "listen" section
-	#  (e.g. as in raddb/sites-available/robust-proxy-accounting),
-	#  you MUST use a unique directory for each combination of a
-	#  detail file writer, and reader.  That is, there can only
-	#  be ONE "listen" section reading detail files from a
-	#  particular directory.
-	#
-	#  The configuration below puts the detail files into separate
-	#  directories for each client.  If you are reading the detail
-	#  files via the "listen" section, just use one directory.
-	#
-	#  e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
-	#
-	#  AND use a separate directory (reader2, reader3, etc.) for each
-	#  reader.
-	#
-	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-
-	#
-	#  If you are using radrelay, delete the above line for "file",
-	#  and use this one instead:
-	#
-#	filename = ${radacctdir}/detail
-
-	#
-	#  Most file systems can handly nearly the full range of UTF-8
-	#  characters.  Ones that can deal with a limited range should
-	#  set this to "yes".
-	#
-	escape_filenames = no
-
-	#
-	#  The Unix-style permissions on the 'detail' file.
-	#
-	#  The detail file often contains secret or private
-	#  information about users.  So by keeping the file
-	#  permissions restrictive, we can prevent unwanted
-	#  people from seeing that information.
-	permissions = 0600
-
-	# The Unix group of the log file.
-	#
-	# The user that the server runs as must be in the specified
-	# system group otherwise this will fail to work.
-	#
-#	group = ${security.group}
-
-	#
-	#  Every entry in the detail file has a header which
-	#  is a timestamp.  By default, we use the ctime
-	#  format (see "man ctime" for details).
-	#
-	#  The header can be customised by editing this
-	#  string.  See "doc/configuration/variables.rst" for a
-	#  description of what can be put here.
-	#
-	header = "%t"
-
-	#
-	#  Uncomment this line if the detail file reader will be
-	#  reading this detail file.
-	#
-#	locking = yes
-
-	#
-	#  Log the Packet src/dst IP/port.  This is disabled by
-	#  default, as that information isn't used by many people.
-	#
-#	log_packet_header = yes
-
-	#
-	# Certain attributes such as User-Password may be
-	# "sensitive", so they should not be printed in the
-	# detail file.  This section lists the attributes
-	# that should be suppressed.
-	#
-	# The attributes should be listed one to a line.
-	#
-	#suppress {
-		# User-Password
-	#}
-
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log
@ -1,75 +0,0 @@
-# -*- text -*-
-#
-#  $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
-
-#
-#  More examples of doing detail logs.
-
-#
-#  Many people want to log authentication requests.
-#  Rather than modifying the server core to print out more
-#  messages, we can use a different instance of the 'detail'
-#  module, to log the authentication requests to a file.
-#
-#  You will also need to un-comment the 'auth_log' line
-#  in the 'authorize' section, below.
-#
-detail auth_log {
-	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-
-	#
-	#  This MUST be 0600, otherwise anyone can read
-	#  the users passwords!
-	permissions = 0600
-
-	# You may also strip out passwords completely
-	suppress {
-		User-Password
-	}
-}
-
-#
-#  This module logs authentication reply packets sent
-#  to a NAS.  Both Access-Accept and Access-Reject packets
-#  are logged.
-#
-#  You will also need to un-comment the 'reply_log' line
-#  in the 'post-auth' section, below.
-#
-detail reply_log {
-	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-
-	permissions = 0600
-}
-
-#
-#  This module logs packets proxied to a home server.
-#
-#  You will also need to un-comment the 'pre_proxy_log' line
-#  in the 'pre-proxy' section, below.
-#
-detail pre_proxy_log {
-	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
-
-	#
-	#  This MUST be 0600, otherwise anyone can read
-	#  the users passwords!
-	permissions = 0600
-
-	# You may also strip out passwords completely
-	#suppress {
-		# User-Password
-	#}
-}
-
-#
-#  This module logs response packets from a home server.
-#
-#  You will also need to un-comment the 'post_proxy_log' line
-#  in the 'post-proxy' section, below.
-#
-detail post_proxy_log {
-	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
-
-	permissions = 0600
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest
@ -1,13 +0,0 @@
-# -*- text -*-
-#
-#  $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
-
-#
-#  The 'digest' module currently has no configuration.
-#
-#  "Digest" authentication against a Cisco SIP server.
-#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
-#  on performing digest authentication for Cisco SIP servers.
-#
-digest {
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients
@ -1,32 +0,0 @@
-# -*- text -*-
-#
-#  $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
-
-# This module loads RADIUS clients as needed, rather than when the server
-# starts.
-#
-#  There are no configuration entries for this module.  Instead, it
-#  relies on the "client" configuration.  You must:
-#
-#	1) link raddb/sites-enabled/dynamic_clients to
-#	   raddb/sites-available/dynamic_clients
-#
-#	2) Define a client network/mask (see top of the above file)
-#
-#	3) uncomment the "directory" entry in that client definition
-#
-#	4) list "dynamic_clients" in the "authorize" section of the
-#	   "dynamic_clients' virtual server.  The default example already
-#	   does this.
-#
-#	5) put files into the above directory, one per IP.
-#	   e.g. file "192.0.2.1" should contain a normal client definition
-#	   for a client with IP address 192.0.2.1.
-#
-#  For more documentation, see the file:
-#
-#	raddb/sites-available/dynamic-clients
-#
-dynamic_clients {
-
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo
@ -1,123 +0,0 @@
-# -*- text -*-
-#
-#  $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
-
-#
-#  This is a more general example of the execute module.
-#
-#  This one is called "echo".
-#
-#  Attribute-Name = `%{echo:/path/to/program args}`
-#
-#  If you wish to execute an external program in more than
-#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
-#  is probably best to define a different instance of the
-#  'exec' module for every section.
-#
-#  The return value of the program run determines the result
-#  of the exec instance call as follows:
-#  (See doc/configurable_failover for details)
-#
-#  < 0 : fail      the module failed
-#  = 0 : ok        the module succeeded
-#  = 1 : reject    the module rejected the user
-#  = 2 : fail      the module failed
-#  = 3 : ok        the module succeeded
-#  = 4 : handled   the module has done everything to handle the request
-#  = 5 : invalid   the user's configuration entry was invalid
-#  = 6 : userlock  the user was locked out
-#  = 7 : notfound  the user was not found
-#  = 8 : noop      the module did nothing
-#  = 9 : updated   the module updated information in the request
-#  > 9 : fail      the module failed
-#
-exec echo {
-	#
-	#  Wait for the program to finish.
-	#
-	#  If we do NOT wait, then the program is "fire and
-	#  forget", and any output attributes from it are ignored.
-	#
-	#  If we are looking for the program to output
-	#  attributes, and want to add those attributes to the
-	#  request, then we MUST wait for the program to
-	#  finish, and therefore set 'wait=yes'
-	#
-	# allowed values: {no, yes}
-	wait = yes
-
-	#
-	#  The name of the program to execute, and it's
-	#  arguments.  Dynamic translation is done on this
-	#  field, so things like the following example will
-	#  work.
-	#
-	program = "/bin/echo %{User-Name}"
-
-	#
-	#  The attributes which are placed into the
-	#  environment variables for the program.
-	#
-	#  Allowed values are:
-	#
-	#	request		attributes from the request
-	#	config		attributes from the configuration items list
-	#	reply		attributes from the reply
-	#	proxy-request	attributes from the proxy request
-	#	proxy-reply	attributes from the proxy reply
-	#
-	#  Note that some attributes may not exist at some
-	#  stages.  e.g. There may be no proxy-reply
-	#  attributes if this module is used in the
-	#  'authorize' section.
-	#
-	input_pairs = request
-
-	#
-	#  Where to place the output attributes (if any) from
-	#  the executed program.  The values allowed, and the
-	#  restrictions as to availability, are the same as
-	#  for the input_pairs.
-	#
-	output_pairs = reply
-
-	#
-	#  When to execute the program.  If the packet
-	#  type does NOT match what's listed here, then
-	#  the module does NOT execute the program.
-	#
-	#  For a list of allowed packet types, see
-	#  the 'dictionary' file, and look for VALUEs
-	#  of the Packet-Type attribute.
-	#
-	#  By default, the module executes on ANY packet.
-	#  Un-comment out the following line to tell the
-	#  module to execute only if an Access-Accept is
-	#  being sent to the NAS.
-	#
-	#packet_type = Access-Accept
-
-	#
-	#  Should we escape the environment variables?
-	#
-	#  If this is set, all the RADIUS attributes
-	#  are capitalised and dashes replaced with
-	#  underscores. Also, RADIUS values are surrounded
-	#  with double-quotes.
-	#
-	#  That is to say: User-Name=BobUser => USER_NAME="BobUser"
-	shell_escape = yes
-
-	#
-	#  How long should we wait for the program to finish?
-	#
-	#  Default is 10 seconds, which should be plenty for nearly
-	#  anything. Range is 1 to 30 seconds. You are strongly
-	#  encouraged to NOT increase this value. Decreasing can
-	#  be used to cause authentication to fail sooner when you
-	#  know it's going to fail anyway due to the time taken,
-	#  thereby saving resources.
-	#
-	#timeout = 10
-
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
@ -1,29 +0,0 @@
-# -*- text -*-
-#
-#  $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
-
-#
-#  Execute external programs
-#
-#  This module is useful only for 'xlat'.  To use it,
-#  put 'exec' into the 'instantiate' section.  You can then
-#  do dynamic translation of attributes like:
-#
-#  Attribute-Name = `%{exec:/path/to/program args}`
-#
-#  The value of the attribute will be replaced with the output
-#  of the program which is executed.  Due to RADIUS protocol
-#  limitations, any output over 253 bytes will be ignored.
-#
-#  The RADIUS attributes from the user request will be placed
-#  into environment variables of the executed program, as
-#  described in "man unlang" and in doc/configuration/variables.rst
-#
-#  See also "echo" for more sample configuration.
-#
-exec {
-	wait = no
-	input_pairs = request
-	shell_escape = yes
-	timeout = 10
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
@ -1,13 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
-
-#
-# The expiration module. This handles the Expiration attribute
-# It should be included in the *end* of the authorize section
-# in order to handle user Expiration. It should also be included
-# in the instantiate section in order to register the Expiration
-# compare function
-#
-expiration {
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr
@ -1,146 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
-
-#
-#  This module performs mathematical calculations:
-#
-#	Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
-#
-#  It supports the following operators (in order of precedence)
-#
-#	&	binary AND
-#	|	binary OR
-#	<<	left shift
-#	>>	right shift
-#	+	addition
-#	-	subtraction
-#	*	multiply
-#	/	divide
-#	%%	remainder
-#	^	exponentiation
-#	(...)	sub-expression
-#
-#  Operator precedence follows the normal rules.
-#  Division by zero means that the entire expression is invalid.
-#
-#  Note that in versions before 3.0.5, the expression
-#  was parsed strictly left to right, and ignored operator
-#  precedence.
-#
-#  It also allows unary negation:	-1
-#  And twos complement:			~1
-#
-#  All calculations are done on signed 63-bit integers.
-#  e.g. int64_t.  This should be sufficient for all normal
-#  purposes.
-#
-#  Hex numbers are supported:		0xabcdef
-#
-#  As with all string expansions, you can nest the expansions:
-#
-#	%{expr: %{NAS-Port} + 1}
-#	%{expr: %{sql:SELECT ... } + 1}
-#
-#  Attribute references are supported for integer attributes.
-#  e.g. &NAS-Port.  The benefit of using attribute references
-#  is that the expression is calculated directly on the
-#  attribute.  It skips the step of "print to string, and then
-#  parse to number".  This means it's a little faster.
-#
-#  Otherwise, all numbers are decimal.
-#
-
-#
-#  The module also registers a few paircompare functions, and
-#  many string manipulation functions, including:
-#
-#  rand		get random number from 0 to n-1
-#		"%{rand:10}" == "9"
-#
-#  randstr	get random string built from character classes:
-#			c lowercase letters
-#			C uppercase letters
-#			n numbers
-#			a alphanumeric
-#			! punctuation
-#			. alphanumeric + punctuation
-#			s alphanumeric + "./"
-#			o characters suitable for OTP (easily confused removed)
-#			h binary data as lowercase hex
-#			H binary data as uppercase hex
-#
-#		"%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
-#		"%{randstr:oooooooo}" == "rfVzyA4y"
-#		"%{randstr:hhhh}" == "68d60de3"
-#
-#  urlquote	quote special characters in URI
-#		"%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
-#
-#  urlunquote	unquote URL special characters
-#		"%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
-#
-#  escape	escape string similar to rlm_sql safe_characters
-#		"%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62" 
-#
-#  unescape	reverse of escape
-#		"%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
-#
-#  tolower	convert to lowercase
-#		"%{tolower:Bar}" == "bar"
-#
-#  toupper	convert to uppercase
-#		"%{toupper:Foo}" == "FOO"
-#
-#  md5		get md5sum hash
-#		"%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
-#		
-#  sha1		get sha1 hash
-#		"%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
-#
-#  sha256	get sha256 hash
-#		"%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
-#
-#  sha512	get sha512 hash
-#		"%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
-#
-#  hmacmd5	generate HMAC-MD5 of string
-#		"%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
-#
-#  hmacsha1	generate HMAC-SHA1 of string
-#		"%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
-#
-#  crypt	encrypt with a salt: %{crypt:salt:password}
-#		"%{crypt:aa:foo}" == "aaKNIEDOaueR6"
-#		"%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
-#		"%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
-#
-#  pairs	serialize attributes as comma-delimited string
-#		"%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
-#
-#  base64	encode string as base64
-#		"%{base64:foo}" == "Zm9v"
-#
-#  base64tohex	convert base64 to hex
-#		"%{base64tohex:Zm9v}" == "666f6f"
-#
-#  explode	split an attribute into multiple new attributes based on a delimiter
-#		"%{explode:&ref <delim>}"
-#
-#  nexttime	calculate number of seconds until next n hour(s), day(s), week(s), year(s)
-#		if it were 16:18, %{nexttime:1h} would expand to 2520
-#
-#  lpad		left-pad a string
-#		if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
-#
-#  rpad		right-pad a string
-#		if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
-#
-
-expr {
-	#
-	# Characters that will not be encoded by the %{escape}
-	# xlat function.
-	#
-	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/files
@ -1,30 +0,0 @@
-# -*- text -*-
-#
-#  $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
-
-# Livingston-style 'users' file
-#
-# See "man users" for more information.
-#
-files {
-	# Search for files in a subdirectory of mods-config which
-	# matches this instance of the files module.
-	moddir = ${modconfdir}/${.:instance}
-
-	# The default key attribute to use for matches.  The content
-	# of this attribute is used to match the "name" of the
-	# entry.
-	#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
-
-	#  The old "users" style file is now located here.
-	filename = ${moddir}/authorize
-
-	#  This is accepted for backwards compatibility
-	#  It will be removed in a future release.
-#	usersfile = ${moddir}/authorize
-
-	#  These are accepted for backwards compatibility.
-	#  They will be renamed in a future release.
-	acctusersfile = ${moddir}/accounting
-	preproxy_usersfile = ${moddir}/pre-proxy
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
@ -1,161 +0,0 @@
-# -*- text -*-
-#
-#  $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
-
-#
-#  The "linelog" module will log one line of text to a file.
-#  Both the filename and the line of text are dynamically expanded.
-#
-#  We STRONGLY suggest that you do not use data from the
-#  packet as part of the filename.
-#
-linelog {
-	#
-	#  The file where the logs will go.
-	#
-	#  If the filename is "syslog", then the log messages will
-	#  go to syslog.
-	filename = ${logdir}/linelog
-
-	#
-	#  Most file systems can handly nearly the full range of UTF-8
-	#  characters.  Ones that can deal with a limited range should
-	#  set this to "yes".
-	#
-	escape_filenames = no
-
-	#
-	#  The Unix-style permissions on the log file.
-	#
-	#  Depending on format string, the log file may contain secret or
-	#  private information about users.  Keep the file permissions as
-	#  restrictive as possible.
-	permissions = 0600
-
-	#  The Unix group which owns the log file.
-	#
-	#  The user that freeradius runs as must be in the specified
-	#  group, otherwise it will not be possible to set the group.
-#	group = ${security.group}
-
-	#  Syslog facility (if logging via syslog).
-	#  Defaults to the syslog_facility config item in radiusd.conf.
-	#  Standard facilities are:
-	#  - kern        Messages generated by the kernel.  These cannot
-	#                be generated by any user processes.
-	#  - user        Messages generated by random user processes.
-	#                This is the default facility identifier if
-	#                none is specified.
-	#  - mail        The mail system.
-	#  - daemon      System daemons, such as routed(8), that are not
-	#                provided for explicitly by other facilities.
-	#  - auth        The authorization system: login(1), su(1),
-	#                getty(8), etc.
-	#  - lpr         The line printer spooling system: cups-lpd(8),
-	#                cupsd(8), etc.
-	#  - news        The network news system.
-	#  - uucp        The uucp system.
-	#  - cron        The cron daemon: cron(8).
-	#  - authpriv    The same as LOG_AUTH, but logged to a file
-	#                readable only by selected individuals.
-	#  - ftp         The file transfer protocol daemons: ftpd(8),
-	#                tftpd(8).
-	#  - local[0-7]  Reserved for local use.
-#	syslog_facility = daemon
-
-	#  Syslog severity (if logging via syslog). Defaults to info.
-	#  Possible values are:
-	#  - emergency   A panic condition.  This is normally broadcast
-	#                to all users.
-	#  - alert       A condition that should be corrected immediately,
-	#                such as a corrupted system database.
-	#  - critical    Critical conditions, e.g., hard device errors.
-	#  - error       Errors.
-	#  - warning     Warning messages.
-	#  - notice      Conditions that are not error conditions, but
-	#                should possibly be handled specially.
-	#  - info        Informational messages.
-	#  - debug       Messages that contain information normally of use
-	#                only when debugging a program.
-#	syslog_severity = info
-
-	#  If logging via syslog, the severity can be set here.
-	#  Defaults to info.
-	#
-	#  The default format string.
-	format = "This is a log message for %{User-Name}"
-
-	#
-	#  This next line can be omitted.  If it is omitted, then
-	#  the log message is static, and is always given by "format",
-	#  above.
-	#
-	#  If it is defined, then the string is dynamically expanded,
-	#  and the result is used to find another configuration entry
-	#  here, with the given name.  That name is then used as the
-	#  format string.
-	#
-	#  If the configuration entry cannot be found, then no log
-	#  message is printed.
-	#
-	#  i.e. You can have many log messages in one "linelog" module.
-	#  If this two-step expansion did not exist, you would have
-	#  needed to configure one "linelog" module for each log message.
-
-	#
-	#  Reference the Packet-Type (Access-Accept, etc.)  If it doesn't
-	#  exist, reference the "default" entry.
-	#
-	#  This is for "linelog" being used in the post-auth section
-	#  If you want to use it in "authorize", you need to change
-	#  the reference to "messages.%{%{Packet-Type}:-default}",
-	#  and then add the appropriate messages.
-	#
-	reference = "messages.%{%{reply:Packet-Type}:-default}"
-
-	#
-	#  The messages defined here are taken from the "reference"
-	#  expansion, above.
-	#
-	messages {
-		default = "Unknown packet type %{Packet-Type}"
-
-		Access-Accept = "Accepted user: %{User-Name}"
-		Access-Reject = "Rejected user: %{User-Name}"
-		Access-Challenge = "Sent challenge: %{User-Name}"
-	}
-}
-
-#
-#  Another example, for accounting packets.
-#
-linelog log_accounting {
-	#
-	#  Used if the expansion of "reference" fails.
-	#
-	format = ""
-
-	filename = ${logdir}/linelog-accounting
-
-	permissions = 0600
-
-	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
-
-	#
-	#  Another example:
-	#
-	#
-	Accounting-Request {
-		Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
-		Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
-
-		#  Don't log anything for these packets.
-		Alive = ""
-
-		Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
-		Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
-
-		# don't log anything for other Acct-Status-Types.
-		unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
-	}
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime
@ -1,23 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
-
-# The logintime module. This handles the Login-Time,
-# Current-Time, and Time-Of-Day attributes.  It should be
-# included in the *end* of the authorize section in order to
-# handle Login-Time checks. It should also be included in the
-# instantiate section in order to register the Current-Time
-# and Time-Of-Day comparison functions.
-#
-# When the Login-Time attribute is set to some value, and the
-# user has been permitted to log in, a Session-Timeout is
-# calculated based on the remaining time.  See "doc/README".
-#
-logintime {
-	# The minimum timeout (in seconds) a user is allowed
-	# to have. If the calculated timeout is lower we don't
-	# allow the login. Some NAS do not handle values
-	# lower than 60 seconds well.
-	minimum_timeout = 60
-}
-
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
@ -1,253 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $
-
-#
-#  Microsoft CHAP authentication
-#
-#  This module supports MS-CHAP and MS-CHAPv2 authentication.
-#  It also enforces the SMB-Account-Ctrl attribute.
-#
-mschap {
-	#
-	#  If you are using /etc/smbpasswd, see the 'passwd'
-	#  module for an example of how to use /etc/smbpasswd
-	#
-
-	#
-	#  If use_mppe is not set to no mschap, will
-	#  add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
-	#  MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
-	#
-#	use_mppe = no
-
-	#
-	#  If MPPE is enabled, require_encryption makes
-	#  encryption moderate
-	#
-#	require_encryption = yes
-
-	#
-	#  require_strong always requires 128 bit key
-	#  encryption
-	#
-#	require_strong = yes
-
-	#
-	#  This module can perform authentication itself, OR
-	#  use a Windows Domain Controller.  This configuration
-	#  directive tells the module to call the ntlm_auth
-	#  program, which will do the authentication, and return
-	#  the NT-Key.  Note that you MUST have "winbindd" and
-	#  "nmbd" running on the local machine for ntlm_auth
-	#  to work.  See the ntlm_auth program documentation
-	#  for details.
-	#
-	#  If ntlm_auth is configured below, then the mschap
-	#  module will call ntlm_auth for every MS-CHAP
-	#  authentication request.  If there is a cleartext
-	#  or NT hashed password available, you can set
-	#  "MS-CHAP-Use-NTLM-Auth := No" in the control items,
-	#  and the mschap module will do the authentication itself,
-	#  without calling ntlm_auth.
-	#
-	#  Be VERY careful when editing the following line!
-	#
-	#  You can also try setting the user name as:
-	#
-	#	... --username=%{mschap:User-Name} ...
-	#
-	#  In that case, the mschap module will look at the User-Name
-	#  attribute, and do prefix/suffix checks in order to obtain
-	#  the "best" user name for the request.
-	#
-	#  For Samba 4, you should also set the "ntlm auth" parameter
-	#  in the Samba configuration:
-	#
-	#	ntlm auth = yes
-	#
-	#  or
-	#
-	#	ntlm auth = mschapv2-and-ntlmv2-only
-	#
-	#  This will let Samba 4 accept the MS-CHAP authentication
-	#  method that is needed by FreeRADIUS.
-	#
-	#  Depending on the Samba version, you may also need to add:
-	#
-	#	--allow-mschapv2
-	#
-	#  to the command-line parameters.
-	#
-#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
-
-	#
-	#  The default is to wait 10 seconds for ntlm_auth to
-	#  complete.  This is a long time, and if it's taking that
-	#  long then you likely have other problems in your domain.
-	#  The length of time can be decreased with the following
-	#  option, which can save clients waiting if your ntlm_auth
-	#  usually finishes quicker. Range 1 to 10 seconds.
-	#
-#	ntlm_auth_timeout = 10
-
-	#
-	#  An alternative to using ntlm_auth is to connect to the
-	#  winbind daemon directly for authentication. This option
-	#  is likely to be faster and may be useful on busy systems,
-	#  but is less well tested.
-	#
-	#  Using this option requires libwbclient from Samba 4.2.1
-	#  or later to be installed. Make sure that ntlm_auth above is
-	#  commented out.
-	#
-#	winbind_username = "%{mschap:User-Name}"
-#	winbind_domain = "%{mschap:NT-Domain}"
-
-	#
-	#  When using single sign-on with a winbind connection and the
-	#  client uses a different casing for the username than the
-	#  casing is according to the backend, reauth may fail because
-	#  of some Windows internals. This switch tries to find the
-	#  user in the correct casing in the backend, and retry
-	#  authentication with that username.
-	#
-#	winbind_retry_with_normalised_username = no
-
-	#
-	#  Information for the winbind connection pool.  The configuration
-	#  items below are the same for all modules which use the new
-	#  connection pool.
-	#
-	pool {
-		#
-		#  Connections to create during module instantiation.
-		#  If the server cannot create specified number of
-		#  connections during instantiation it will exit.
-		#  Set to 0 to allow the server to start without the
-		#  winbind daemon being available.
-		#
-		start = ${thread[pool].start_servers}
-
-		#
-		#  Minimum number of connections to keep open
-		#
-		min = ${thread[pool].min_spare_servers}
-
-		#
-		#  Maximum number of connections
-		#
-		#  If these connections are all in use and a new one
-		#  is requested, the request will NOT get a connection.
-		#
-		#  Setting 'max' to LESS than the number of threads means
-		#  that some threads may starve, and you will see errors
-		#  like 'No connections available and at max connection limit'
-		#
-		#  Setting 'max' to MORE than the number of threads means
-		#  that there are more connections than necessary.
-		#
-		max = ${thread[pool].max_servers}
-
-		#
-		#  Spare connections to be left idle
-		#
-		#  NOTE: Idle connections WILL be closed if "idle_timeout"
-		#  is set.  This should be less than or equal to "max" above.
-		#
-		spare = ${thread[pool].max_spare_servers}
-
-		#
-		#  Number of uses before the connection is closed
-		#
-		#  0 means "infinite"
-		#
-		uses = 0
-
-		#
-		#  The number of seconds to wait after the server tries
-		#  to open a connection, and fails.  During this time,
-		#  no new connections will be opened.
-		#
-		retry_delay = 30
-
-		#
-		#  The lifetime (in seconds) of the connection
-		#
-		#  NOTE: A setting of 0 means infinite (no limit).
-		#
-		lifetime = 86400
-
-		#
-		#  The pool is checked for free connections every
-		#  "cleanup_interval".  If there are free connections,
-		#  then one of them is closed.
-		#
-		cleanup_interval = 300
-
-		#
-		#  The idle timeout (in seconds).  A connection which is
-		#  unused for this length of time will be closed.
-		#
-		#  NOTE: A setting of 0 means infinite (no timeout).
-		#
-		idle_timeout = 600
-
-		#
-		#  NOTE: All configuration settings are enforced.  If a
-		#  connection is closed because of "idle_timeout",
-		#  "uses", or "lifetime", then the total number of
-		#  connections MAY fall below "min".  When that
-		#  happens, it will open a new connection.  It will
-		#  also log a WARNING message.
-		#
-		#  The solution is to either lower the "min" connections,
-		#  or increase lifetime/idle_timeout.
-		#
-	}
-
-	passchange {
-		#
-		#  This support MS-CHAPv2 (not v1) password change
-		#  requests.  See doc/mschap.rst for more IMPORTANT
-		#  information.
-		#
-		#  Samba/ntlm_auth - if you are using ntlm_auth to
-		#  validate passwords, you will need to use ntlm_auth
-		#  to change passwords.  Uncomment the three lines
-		#  below, and change the path to ntlm_auth.
-		#
-#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
-#		ntlm_auth_username = "username: %{mschap:User-Name}"
-#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
-
-		#
-		#  To implement a local password change, you need to
-		#  supply a string which is then expanded, so that the
-		#  password can be placed somewhere.  e.g. passed to a
-		#  script (exec), or written to SQL (UPDATE/INSERT).
-		#  We give both examples here, but only one will be
-		#  used.
-		#
-#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
-		#
-#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
-	}
-
-	#
-	#  For Apple Server, when running on the same machine as
-	#  Open Directory.  It has no effect on other systems.
-	#
-#	use_open_directory = yes
-
-	#
-	#  On failure, set (or not) the MS-CHAP error code saying
-	#  "retries allowed".
-	#
-#	allow_retry = yes
-
-	#
-	#  An optional retry message.
-	#
-#	retry_msg = "Re-enter (or reset) the password"
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
@ -1,18 +0,0 @@
-#
-#  For testing ntlm_auth authentication with PAP.
-#
-#  If you have problems with authentication failing, even when the
-#  password is good, it may be a bug in Samba:
-#
-#	https://bugzilla.samba.org/show_bug.cgi?id=6563
-#
-#  Depending on the AD / Samba configuration, you may also need to add:
-#
-#	--allow-mschapv2
-#
-#  to the list of command-line options.
-#
-exec ntlm_auth {
-	wait = yes
-	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
@ -1,18 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
-
-# PAP module to authenticate users based on their stored password
-#
-#  Supports multiple encryption/hash schemes.  See "man rlm_pap"
-#  for details.
-#
-#  For instructions on creating the various types of passwords, see:
-#
-#  http://www.openldap.org/faq/data/cache/347.html
-pap {
-	#  By default the server will use heuristics to try and automatically
-	#  handle base64 or hex encoded passwords. This behaviour can be
-	#  stopped by setting the following to "no".
-#	normalise = yes
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
@ -1,55 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
-
-# passwd module allows to do authorization via any passwd-like
-# file and to extract any attributes from these files.
-#
-#  See the "smbpasswd" and "etc_group" files for more examples.
-#
-# parameters are:
-#   filename - path to file
-#
-#   format - format for filename record. This parameters
-#            correlates record in the passwd file and RADIUS
-#            attributes.
-#
-#            Field marked as '*' is a key field. That is, the parameter
-#            with this name from the request is used to search for
-#            the record from passwd file
-#
-#            Attributes marked as '=' are added to reply_items instead
-#            of default configure_items
-#
-#	     Attributes marked as '~' are added to request_items
-#
-#            Field marked as ',' may contain a comma separated list
-#            of attributes.
-#
-#   hash_size - hashtable size.  Setting it to 0 is no longer permitted
-#		A future version of the server will have the module
-#		automatically determine the hash size.  Having it set
-#		manually should not be necessary.
-#
-#   allow_multiple_keys - if many records for a key are allowed
-#
-#   ignore_nislike - ignore NIS-related records
-#
-#   delimiter - symbol to use as a field separator in passwd file,
-#            for format ':' symbol is always used. '\0', '\n' are
-#	     not allowed
-#
-
-#  An example configuration for using /etc/passwd.
-#
-#  This is an example which will NOT WORK if you have shadow passwords,
-#  NIS, etc.  The "unix" module is normally responsible for reading
-#  system passwords.  You should use it instead of this example.
-#
-passwd etc_passwd {
-	filename = /etc/passwd
-	format = "*User-Name:Crypt-Password:"
-	hash_size = 100
-	ignore_nislike = no
-	allow_multiple_keys = no
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess
@ -1,62 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
-
-# Preprocess the incoming RADIUS request, before handing it off
-# to other modules.
-#
-#  This module processes the 'huntgroups' and 'hints' files.
-#  In addition, it re-writes some weird attributes created
-#  by some NAS, and converts the attributes into a form which
-#  is a little more standard.
-#
-preprocess {
-	# Search for files in a subdirectory of mods-config which
-	# matches this instance of the preprocess module.
-	moddir = ${modconfdir}/${.:instance}
-
-	huntgroups = ${moddir}/huntgroups
-	hints = ${moddir}/hints
-
-	# This hack changes Ascend's weird port numbering
-	# to standard 0-??? port numbers so that the "+" works
-	# for IP address assignments.
-	with_ascend_hack = no
-	ascend_channels_per_line = 23
-
-	# Windows NT machines often authenticate themselves as
-	# NT_DOMAIN\username
-	#
-	# If this is set to 'yes', then the NT_DOMAIN portion
-	# of the user-name is silently discarded.
-	#
-	# This configuration entry SHOULD NOT be used.
-	# See the "realms" module for a better way to handle
-	# NT domains.
-	with_ntdomain_hack = no
-
-	# Specialix Jetstream 8500 24 port access server.
-	#
-	# If the user name is 10 characters or longer, a "/"
-	# and the excess characters after the 10th are
-	# appended to the user name.
-	#
-	# If you're not running that NAS, you don't need
-	# this hack.
-	with_specialix_jetstream_hack = no
-
-	# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
-	# with the attribute name *again* in the string, like:
-	#
-	#   H323-Attribute = "h323-attribute=value".
-	#
-	# If this configuration item is set to 'yes', then
-	# the redundant data in the the attribute text is stripped
-	# out.  The result is:
-	#
-	#  H323-Attribute = "value"
-	#
-	# If you're not running a Cisco or Quintum NAS, you don't
-	# need this hack.
-	with_cisco_vsa_hack = no
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp
@ -1,53 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
-
-#  Write a 'utmp' style file, of which users are currently
-#  logged in, and where they've logged in from.
-#
-#  This file is used mainly for Simultaneous-Use checking,
-#  and also 'radwho', to see who's currently logged in.
-#
-radutmp {
-	#  Where the file is stored.  It's not a log file,
-	#  so it doesn't need rotating.
-	#
-	filename = ${logdir}/radutmp
-
-	#  The field in the packet to key on for the
-	#  'user' name,  If you have other fields which you want
-	#  to use to key on to control Simultaneous-Use,
-	#  then you can use them here.
-	#
-	#  Note, however, that the size of the field in the
-	#  'utmp' data structure is small, around 32
-	#  characters, so that will limit the possible choices
-	#  of keys.
-	#
-	#  You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
-	username = %{User-Name}
-
-
-	#  Whether or not we want to treat "user" the same
-	#  as "USER", or "User".  Some systems have problems
-	#  with case sensitivity, so this should be set to
-	#  'no' to enable the comparisons of the key attribute
-	#  to be case insensitive.
-	#
-	case_sensitive = yes
-
-	#  Accounting information may be lost, so the user MAY
-	#  have logged off of the NAS, but we haven't noticed.
-	#  If so, we can verify this information with the NAS,
-	#
-	#  If we want to believe the 'utmp' file, then this
-	#  configuration entry can be set to 'no'.
-	#
-	check_with_nas = yes
-
-	# Set the file permissions, as the contents of this file
-	# are usually private.
-	permissions = 0600
-
-	caller_id = "yes"
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm
@ -1,75 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
-
-# Realm module, for proxying.
-#
-#  You can have multiple instances of the realm module to
-#  support multiple realm syntaxes at the same time.  The
-#  search order is defined by the order that the modules are listed
-#  in the authorize and preacct sections.
-#
-#  Four config options:
-#	format	 -  must be "prefix" or "suffix"
-#			  The special cases of "DEFAULT"
-#			  and "NULL" are allowed, too.
-#	delimiter      -  must be a single character
-
-#  'realm/username'
-#
-#  Using this entry, IPASS users have their realm set to "IPASS".
-realm IPASS {
-	format = prefix
-	delimiter = "/"
-}
-
-#  'username@realm'
-#
-realm suffix {
-	format = suffix
-	delimiter = "@"
-
-	# The next configuration items are valid ONLY for a trust-router.
-	# For all other realms, they are ignored.
-#	trust_router = "localhost"
-#	tr_port = 12309
-#	rp_realm = "realm.example.com"
-#	default_community = "apc.communities.example.com"
-#	# if rekey_enabled is enabled, dynamic realms are automatically rekeyed
-#	# before they expire to avoid having to recreate them from scrach on
-#	# demand (implying lengthy authentications)
-#	rekey_enabled = no
-#	# if realm_lifetime is > 0, the rekey is scheduled to happen the
-#	# specified number of seconds after its creation or rekeying. Otherwise,
-#	# the key material expiration timestamp is used
-#	realm_lifetime = 0
-}
-
-#  'realm!username'
-#
-realm bangpath {
-	format = prefix
-	delimiter = "!"
-
-#	trust_router = "localhost"
-#	tr_port = 12309
-#	rp_realm = "realm.example.com"
-#	default_community = "apc.communities.example.com"
-#	rekey_enabled = no
-#	realm_lifetime = 0
-}
-
-#  'username%realm'
-#
-realm realmpercent {
-	format = suffix
-	delimiter = "%"
-}
-
-#
-#  'domain\user'
-#
-realm ntdomain {
-	format = prefix
-	delimiter = "\\"
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate
@ -1,42 +0,0 @@
-#  Replicate packet(s) to a home server.
-#
-#  This module will open a new socket for each packet, and "clone"
-#  the incoming packet to the destination realm (i.e. home server).
-#  These packets are only sent to UDP home servers.  TCP and TLS
-#  are not supported.
-#
-#  Use it by setting "Replicate-To-Realm = name" in the control list,
-#  just like Proxy-To-Realm.  The configurations for the two attributes
-#  are identical.  The realm must exist, the home_server_pool must exist,
-#  and the home_server must exist.
-#
-#  The only difference is that the "replicate" module sends requests
-#  and does not expect a reply.  Any reply is ignored.
-#
-#  Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
-#
-#  To use this module, list "replicate" in the "authorize" or
-#  "accounting" section.  Then, ensure that Replicate-To-Realm is set.
-#  The contents of the "packet" attribute list will be sent to the
-#  home server.  The usual load-balancing, etc. features of the home
-#  server will be used.
-#
-#  "radmin" can be used to mark home servers alive/dead, in order to
-#  enable/disable replication to specific servers.
-#
-#  Packets can be replicated to multiple destinations.  Just set
-#  Replicate-To-Realm multiple times.  One packet will be sent for
-#  each of the Replicate-To-Realm attribute in the "control" list.
-#
-#  If no packets are sent, the module returns "noop".  If at least one
-#  packet is sent, the module returns "ok".  If an error occurs, the
-#  module returns "fail"
-#
-#  Note that replication does NOT change any of the packet statistics.
-#  If you use "radmin" to look at the statistics for a home server,
-#  the replicated packets will cause NO counters to increment.  This
-#  is not a bug, this is how replication works.
-#
-replicate {
-
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh
@ -1,4 +0,0 @@
-# SoH module
-soh {
-	dhcp = yes
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp
@ -1,16 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
-
-# "Safe" radutmp - does not contain caller ID, so it can be
-# world-readable, and radwho can work for normal users, without
-# exposing any information that isn't already exposed by who(1).
-#
-# This is another 'instance' of the radutmp module, but it is given
-# then name "sradutmp" to identify it later in the "accounting"
-# section.
-radutmp sradutmp {
-	filename = ${logdir}/sradutmp
-	permissions = 0644
-	caller_id = "no"
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp
@ -1,40 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $
-
-#
-#  Time-based One-Time Passwords (TOTP)
-#
-#  Defined in RFC 6238, and used in Google Authenticator.
-#
-#  This module can only be used in the "authenticate" section.
-#
-#  The Base32-encoded secret should be placed into:
-#
-#	&control:TOTP-Secret
-#
-#  The TOTP password entered by the user should be placed into:
-#
-#	&request:TOTP-Password
-#
-#  The module will return "ok" if the passwords match, and "fail"
-#  if the passwords do not match.
-#
-#  Note that this module will NOT interact with Google.  The module is
-#  intended to be used where the local administrator knows the TOTP
-#  secret key, and user has an authenticator app on their phone.
-#
-#  Note also that while you can use the Google "chart" APIs to
-#  generate a QR code, doing this will give the secret to Google!
-#
-#  Administrators should instead install a tool such as "qrcode"
-#
-#	https://linux.die.net/man/1/qrencode
-#
-#  and then run that locally to get an image.
-#  
-#
-#  The module takes no configuration items.
-#
-totp {
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix
@ -1,25 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
-
-# Unix /etc/passwd style authentication
-#
-#  This module calls the system functions to get the "known good"
-#  password.  This password is usually in the "crypt" form, and is
-#  incompatible with CHAP, MS-CHAP, PEAP, etc.
-#
-#  If passwords are in /etc/shadow, you will need to set the "group"
-#  configuration in radiusd.conf.  Look for "shadow", and follow the
-#  instructions there.
-#
-unix {
-	#
-	#  The location of the "wtmp" file.
-	#  The only use for 'radlast'.  If you don't use
-	#  'radlast', then you can comment out this item.
-	#
-	#  Note that the radwtmp file may get large!  You should
-	#  rotate it (cp /dev/null radwtmp), or just not use it.
-	#
-	radwtmp = ${logdir}/radwtmp
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack
@ -1,105 +0,0 @@
-# -*- text -*-
-#
-#  $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $
-
-#
-#  This module is useful only for 'xlat'.
-#  To use it, add it to the raddb/mods-enabled/ directory.
-#
-#  Two xlat functions are provided by this module:
-#    - unpack
-#    - substring
-#
-#  Both are for use on the right-hand side of a variable assignment.
-#
-#  unpack
-#  ======
-#
-#  ... = "%{unpack:data 1 integer}"
-#
-#  The arguments are three fields:
-#
-#	data
-#		Either &Attribute-Name
-#		the name of the attribute to unpack.
-#		MUST be a "string" or "octets" type.
-#
-#		or 0xabcdef
-#		e.g. hex data.
-#
-#	1
-#		The offset into the string from which
-#		it starts unpacking.  The offset starts
-#		at zero, for the first attribute.
-#
-#	integer
-#		the data type to unpack at that offset.
-#		e.g. integer, ipaddr, byte, short, etc.
-#
-#  e.g. if we have Class = 0x0000000102030405, then
-#
-#	%{unpack:&Class 4 short}
-#
-#  will unpack octets 4 and 5 as a "short", which has
-#  value 0x0304.
-#
-#  This module is used when vendors put multiple fields
-#  into one attribute of type "octets".
-#
-#  The module can also be used to unpack substrings, by specifing a
-#  data type of "string(len)" or "octets(len)".  Where "len" is an
-#  actual number.  For example:
-#
-#	%{unpack:&User-Name 1 string(2)}
-#
-#  When given a User-Name of "hello", it will start taking the
-#  substring at offset 1 (i.e. "e"), and it will take two characters
-#  from that offset, i.e. "el".
-#
-#  As a special case, you can unpack an entire string by specifying
-#  the offset, and nothing for the length:
-#
-#	%{unpack:&User-Name 1 string()}
-#
-#  When "octets(len)" is used, the output is printed as hex.  e.g. for
-#  the above example with Class:
-#
-#	%{unpack:&Class 4 octets(4)}
-#
-#  Will return the hex string "02030405"
-#
-#
-#  substring
-#  =========
-#
-#  substring will return a substring of a string or attribute using
-#  the syntax
-#
-#	%{substring:data start len}
-#
-#	data
-#		Either an attribute name or string data.  String data
-#		can have leading or trailing spaces.  Only a single
-#		space before "start" is taken as the separator.
-#
-#  	start
-#		the zero based offset for the start of the substring.
-#		A negative value will count in from the end of the
-#		string.
-#
-#	len
-#		the number of characters to return.  A Negative value
-#		will remove that number of characters from the end.
-#		If len is more than the available number of characters
-#		then only the available number will be returned.
-#
-#  Examples:
-#
-#	"%{substring:foobar 2 3}" == "oba"
-#	"%{substring:foobar -3 2}" == "ba"
-#	"%{substring:foobar 1 -1}" == "ooba"
-#	if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob"
-#
-
-unpack {
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8
@ -1,14 +0,0 @@
-#
-#  Enforces UTF-8 on strings coming in from the NAS.
-#
-#  An attribute of type "string" containing UTF-8 makes
-#  the module return NOOP.
-#
-#  An attribute of type "string" containing non-UTF-8 data
-#  makes the module return FAIL.
-#
-#  This module takes no configuration.
-#
-utf8 {
-
-}
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_challenge
@ -1,19 +0,0 @@
-#
-#	Configuration file for the rlm_attr_filter module.
-#	Please see rlm_attr_filter(5) manpage for more information.
-#
-#	$Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $
-#
-#	This configuration file is used to remove almost all of the
-#	attributes From an Access-Challenge message.  The RFCs say
-#	that an Access-Challenge packet can contain only a few
-#	attributes.  We enforce that here.
-#
-DEFAULT
-	EAP-Message =* ANY,
-	State =* ANY,
-	Message-Authenticator =* ANY,
-	Reply-Message =* ANY,
-	Proxy-State =* ANY,
-	Session-Timeout =* ANY,
-	Idle-Timeout =* ANY
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject
+++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/attr_filter/access_reject
@ -1,18 +0,0 @@
-#
-#	Configuration file for the rlm_attr_filter module.
-#	Please see rlm_attr_filter(5) manpage for more information.
-#
-#	$Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $
-#
-#	This configuration file is used to remove almost all of the attributes
-#	From an Access-Reject message.  The RFCs say that an Access-Reject
-#	packet can contain only a few attributes.  We enforce that here.
-#
-DEFAULT
-	EAP-Message =* ANY,
-	State =* ANY,
-	Message-Authenticator =* ANY,
-	Error-Cause =* ANY,
-	Reply-Message =* ANY,
-	MS-CHAP-Error =* ANY,
-	Proxy-State =* ANY
--- a/Show more
+++ b/Show more