fablab-nea/nix-gscheits
1
0
Fork 0
Code Issues 7 Pull requests 3 Projects Releases Packages Wiki Activity Actions

Compare commits

base: fablab-nea:main
Branches Tags
fablab-nea:main
fablab-nea:esphome
fablab-nea:weinturm
fablab-nea:wpa-enterprise-anon-access
fablab-nea:laserkutter
fablab-nea:artwork
fablab-nea:wip
fablab-nea:readme
..
compare: fablab-nea:wip
Branches Tags
fablab-nea:esphome
fablab-nea:main
fablab-nea:weinturm
fablab-nea:wpa-enterprise-anon-access
fablab-nea:laserkutter
fablab-nea:artwork
fablab-nea:wip
fablab-nea:readme

2 commits
main ... wip

Author SHA1 Message Date
jalr
078cc3abd2 Add howto deploy raven 2021-12-04 15:08:51 +00:00
Simon Bruder
468e8d3f97
WIP: raven/labsync: init 2021-12-04 12:33:59 +01:00
174 changed files with 216 additions and 11642 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitattributes vendored
View file

@ -1,3 +0,0 @@
**/secrets.yaml diff=sops
*.png filter=lfs diff=lfs merge=lfs -text

12
.sops.yaml
View file

@ -1,19 +1,11 @@
keys:
- &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
- &jalr 7C207509562C208C4EC1676E87A8E5662DF00274
- &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- &raven age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
- &raven 2855242612275730D456C3F0DBF3508960495F3C
creation_rules:
- path_regex: secrets\.yaml$
key_groups:
- pgp:
- *jalr
- *simon
age:
- *raven
- path_regex: machines/raven/secrets\.yaml$
key_groups:
- pgp:
- *jalr
- *simon
age:
- *raven

285
flake.lock generated
View file

@ -1,51 +1,12 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727196810,
"narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=",
"owner": "nix-community",
"repo": "disko",
"rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"type": "github"
},
"original": {
@ -54,27 +15,6 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nix-pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"krops": {
"inputs": {
"flake-utils": [
@ -85,11 +25,11 @@
]
},
"locked": {
"lastModified": 1644957911,
"narHash": "sha256-ggie/j7pdBqzDs4W7OiPmhqH9IGbXAbJxGqBdVxA8jA=",
"lastModified": 1597485541,
"narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=",
"owner": "Mic92",
"repo": "krops",
"rev": "86fb3d2ee94fd8306231853b323ed8804edf26ec",
"rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911",
"type": "github"
},
"original": {
@ -98,43 +38,21 @@
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"sbruder-overlay",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs-unstable"
"flake-utils": [
"flake-utils"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726745158,
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
"lastModified": 1624971177,
"narHash": "sha256-Amf/nBj1E77RmbSSmV+hg6YOpR+rddCbbVgo5C7BS0I=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
"rev": "397f0713d007250a2c7a745e555fa16c5dc8cadb",
"type": "github"
},
"original": {
@ -146,11 +64,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1727040444,
"narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
"lastModified": 1625333638,
"narHash": "sha256-M6J9RN60XJyv6nUfDFCwnz5aVjhe8+GJnV8Q9VpdQQQ=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
"rev": "41775780a0b6b32b3d32dcc32bb9bc6df809062d",
"type": "github"
},
"original": {
@ -162,59 +80,27 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1726969270,
"narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=",
"lastModified": 1626489334,
"narHash": "sha256-WcQDF/JB3yWfO7E37M6rlUCKkqcMwG2UiWz+2Vsib9Y=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075",
"rev": "b2f87e0043aaf3f0f05cc983bd6aa80a616b8352",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1725762081,
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"ref": "nixos-21.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1726937504,
"narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
"lastModified": 1626464457,
"narHash": "sha256-u2PCh/+8vQSLwf0mPpKHKQ8hAPB3l4uNZR3r0TdK2Lg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9357f4f23713673f310988025d9dc261c20e70c6",
"rev": "c6c4a3d45ab200f17805d2d86a1ff1cc7ca2b186",
"type": "github"
},
"original": {
@ -224,143 +110,34 @@
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"sbruder-overlay",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"sbruder-overlay",
"nixpkgs"
],
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1714509427,
"narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "184960be60652ca7f865123e8394ece988afb566",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"flake-utils": "flake-utils",
"krops": "krops",
"nix-pre-commit-hooks": "nix-pre-commit-hooks",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sbruder-overlay": "sbruder-overlay",
"sops-nix": "sops-nix"
}
},
"sbruder-overlay": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nix-pre-commit-hooks": [
"nix-pre-commit-hooks"
],
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1719952130,
"narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=",
"owner": "sbruder",
"repo": "nixpkgs-overlay",
"rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844",
"type": "github"
},
"original": {
"owner": "sbruder",
"repo": "nixpkgs-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1726524647,
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"sbruder-overlay",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1714058656,
"narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
"lastModified": 1625936460,
"narHash": "sha256-U6xlITKrYuhlHWe+poACaz4GJl3ZVN1BSUqZe2gFg+g=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "ec2800174de5a7be8ec5b144819af2c7de77abe2",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}

29
flake.nix
View file

@ -1,15 +1,12 @@
{
inputs = {
disko.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
flake-utils.url = "github:numtide/flake-utils";
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
@ -21,11 +18,6 @@
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
sbruder-overlay.url = "github:sbruder/nixpkgs-overlay";
sbruder-overlay.inputs.flake-utils.follows = "flake-utils";
sbruder-overlay.inputs.nix-pre-commit-hooks.follows = "nix-pre-commit-hooks";
sbruder-overlay.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
@ -38,10 +30,7 @@
}@inputs: flake-utils.lib.eachDefaultSystem
(system:
let
pkgs = import nixpkgs {
inherit system;
overlays = [ self.overlays.default ];
};
pkgs = nixpkgs.legacyPackages.${system};
inherit (pkgs) lib;
in
rec {
@ -56,7 +45,7 @@
};
};
devShells.default = pkgs.mkShell {
devShell = pkgs.mkShell {
name = "fablab-nixos-config";
buildInputs = (with pkgs; [
@ -105,15 +94,8 @@
${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
'';
});
packages = lib.filterAttrs
(n: v: lib.elem system v.meta.platforms)
(flake-utils.lib.flattenTree {
inherit (pkgs)
fablab;
});
}) // {
overlays.default = import ./pkgs;
overlay = import ./pkgs;
nixosConfigurations = nixpkgs.lib.mapAttrs
(hostname: { system
@ -146,7 +128,6 @@
})
] ++ (with inputs; [
sops-nix.nixosModules.sops
disko.nixosModules.disko
]) ++ extraModules;
})
(import ./machines inputs);

48
keys/machines/raven.asc
View file

@ -1,28 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEAC5RX7E07G3dOlgwYW7D/Cgq7xD288JWNTotXAnGTPQbF04yx62
EUEjQ3ggxcTz4t/7Sv9WOfbWBvlRy48rhW+zxN9de8ld9FhPW0hG6GKfgN88LCSG
pVSY4WQ1wqry2ZF68n4YNdrXCZ6PG0EgbrTSSOHaxHVxiVsfZIGWrAUcTyIEhmka
60tenlQVXj8c45WTRAXQ7kLpXLZAfYmetlyDhUMGj1c46+551GXWnxTYnGZGXS2X
4gavMnGZWOG0mNtY0TPaDxfJ+1kgANUbtPc9UNIZuhWHuz/K6LdBybMKsDWv+8Of
962TXj8NlEjRs+t1bhalSWl2zFZ0gI3/gQc8RM4fO7yBht5oFAlSh9fUBuFjyp0c
KuCs1twQ32NNHlm2+RjVPUN+ITWKCRr0c05OGC2cE7M2ks44F/bMKRvH3v28biZC
6bj00novLw8dSQzya34nZttA7htySJTbyt7H9aBCyZhs22TxRNIed3UrkmFZr4QH
QiEzZ44SJ1QYOVtRVcAeLDRcyfJWjUqo7QxPnJS27iN4cjaeWkm6AFk+bsx2nIcb
10vM6Y5rMcwcWTwZnEbqmhTvO+l661yQAR+RrdeVl+J2MQHZ6fsxbDFyW0YdaSnZ
0geev9lqbg86nLIPdQANkFHtnYZIURliitxT9OahUce4xdUds3Iaep4pbwARAQAB
xsFNBAAAAAABEADJuRGmEF1kSUg8qjGCk2/lBaDa2FYKM77dTRh7z9dHIABG+jy2
3VdQPwT/M94Vipb1m7vkF5qd1DnYFuyOrM38ql/9gq16tihq9EKTsJulv8IcKjY8
+nVD76srojho09G6Y94xcE0np0chZVSVyDQ/o8Bj4b4TYfGcDg8GljL+X8MRQz3Y
W6E1oUjSraDS10DeApsBB//MtIMvzqjpvU7NfA6ny1zM6hrUnsDb+WLgouYONJI3
ZZXuVSwmGYO8NkkdmTVSGA9iytwonceDT+GXt45agr0ry9i0txzji/HC8ma5nR1R
WitDIhYHl6eRNfqAxGhABdi/dmOm4c7w3AZ2hEUMHXjYpj2LTG82G/zS7Iuvdxcb
u+KptBWOXUe4ye54agQSTlCIbFKrDPKkk0gQACuJ5FZkp8VmoBL5gjW7TYOW06Re
iRS7TBAroebnssUOr/OU4zs3WTMJQd5psj4EcVFniSteleDhjo85wxFTIerCDclw
/cC2HU8yNn+6cDcA05MKC/ZusIopH1+WcfTt9wnEf9glRHT4NMuOgrDO/cZocRge
hg2kKgN8kVffCt7z3rHCrDvtQB7vIsATyRHWdJBe2WtC+Lv74vuldyYrrCe6XOAl
wCOTy6rRfQFijfa6zp/MBiXWv5Sy+jXnNbbgu9w6aZ4e40Uy6fft/zF1JwARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQyPdlz4rR+JICGw8CGQEAACCnEABp7v2daTeTU3kZJb5M3Le7
pQpY4VxnAQtekhm3zLoUtjYS4jJIIxCKDwKCVlQvGJG7YQtH/kr6P6AN25me/zOu
vvPPTGwnfDN2yVNjV6f1odsLcDOdNHAh+/ZRhUd+nHNSxZ0ZNttHxNotgJJOCPxV
HkJzYzHZkePvK1ICmxFyWR4XwM/yHiBnWguxJ40a/iA6RCsPt+DpWGlF/3+rX1nA
tU7P+j1ENtkbZLUdRFHmNTBBwo9XEVsZ+U3r6gezncmA/D5OTq4MRS5yHSwAX0+o
PWK5LJogTUn82fZ6+0I90bifHlUID1JVAtif76EUNwqQ9e5LcCbgzw0W34djLpKd
vKWj2kp4FeqKlKCJD7xtqieC5F01rfgEjUKRYZMif9E6RBzvz4awC7KEw4k+LON2
ApKz0S8QGSCTqfKCSJx8sevTvJ3dlDR9qiDv89pI7QaMr2VRgDeNFkS61X9Wb9kD
AADJkXdjwYovknk2SiHyFjSjDWjRR42HhHudD3D3GtTGlbsE8AI9bpc5P6zaQRXZ
IIFOu4/EytTS4BoJGhz0IOjQbhdvlug7DlUvxxUg64GQU3NOMYsQIfGffjf2yNyt
ZUNlkTBqgdWiES1o1Z2wlAFe/X+qcZuouYRLiqjL7arSGNyahSPRPferuY8YbZqR
xdV1XP8tYVK8ecb+OM2tsw==
=ar+A
AQgAFgUCAAAAAAkQ2/NQiWBJXzwCGw8CGQEAABfaEAAjGpldJ2VsitBFkb7oqa0R
+JBLPlhPcdCFW7cDpzpaMoZ1DR04NR21vFg4IpIoxkqYWznepUPgYVE/SP56l/B0
n7rapuIPg9VdxLSFoVNoFX7jXviBUsOrGKSXBp6hPugvh/0Vwt/L2F/9OsnWje3E
jM2mgFOR63G/rGQMn4sCs4UEXUz1sSmrSacpFgKNYZoMx9aYMMR3bHKMqLWU3zkW
ugRqjaxe9jOV73qhENSPYgMoXZEa1IahXC8aeV1Bznw2tQKD/ixMycN2W66/azAU
kdyEUoBE+gCBw0JAgHWZ/jcmiycUD2eZ9Yju/rz2YaDvkpP0rx4Z1s6eF3af0k6K
gMChTD0me8H1Cid7bAMdqcvd1hEmIGJviMXlSAZMJtDxF+QRzUAwP87M9lsu1BdR
WFRi45tLwRUwp9H32oFwu3l+qi/DGSVP1B/PWcG6uEmdcp+HEp7cyclCv7obc+4f
0ew0QPEkZ24aPWeH5mI/y4IJW8wC9cK8I0MYdNWUHLNKzTGEkqHIkY0hHfB8AmT7
MNsSUBh0ozbLAZzYOWHXsRXndJ71OAg8auoxKWWmo7gE3BO1YDM4wxyTRDsmsQuY
OPoh/8kmJpVKvOEzchxz/xHmIBXOwImAMCUTMC+P+PPtWPXbVyOv12ZrPZz7wpI9
+Djsrk2spQ4me4x/Lri+eQ==
=MFPD
-----END PGP PUBLIC KEY BLOCK-----

69
keys/users/jalr.asc
View file

@ -1,23 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZbmOERYJKwYBBAHaRw8BAQdAarCLR2RvxBnRODJY8WM98gCRbsHzXFTYTIoR
ZlmbOQe0HEpha29iIExlY2huZXIgPGphbHJAamFsci5kZT6IjgQTFgoANhYhBDBE
5x497/SbWGz1gJv0/MuQhU2pBQJluY4RAhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIX
gAAKCRCb9PzLkIVNqbmFAQDG8xNgbZsZx6N2ssVC9k98IUvuKuMZQ6Gju86EsnNY
dgD/eSVRfAKCtIPSGtoLvE5zL80hk117R4f8rbMEvrmt9gm4MwRluY53FgkrBgEE
AdpHDwEBB0DRonRUQIQSfkqX7yHFHewbEYnc/spaPufL6EnSPVLvZ4j1BBgWCgAm
FiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jncCGwIFCQHhM4AAgQkQm/T8y5CF
Tal2IAQZFgoAHRYhBDp0/wfiMHs2RqSZ6EYNR7hAgU8/BQJluY53AAoJEEYNR7hA
gU8/HikBAPOziBknk+WcsKODsdViFedagVgtnjW8J6mJZRKNcD2fAP4/42g9wU2i
KHKHypLlGdmgOVOpSGNcubkcPFcOOHH7AZevAQDUU/UNpIHe7R3rYq4sFT2iYa9T
ZKpmOostoAzyYOViZwD/RA2suqGyrSe96JLnxwzy3LccYgV3VwEbHDWeUTvOCAy4
OARluY6pEgorBgEEAZdVAQUBAQdAAXZvPoXdFpBhYS8KgCeXweUMlSwsCnXmgiDh
neSFMwsDAQgHiH4EGBYKACYWIQQwROcePe/0m1hs9YCb9PzLkIVNqQUCZbmOqQIb
DAUJAeEzgAAKCRCb9PzLkIVNqbmEAQDSBggKtjGkLuYtIHBBCfBF4Dx7odOapasa
tYqZTU7twwD/VhDvRGPbTl7X7DYQ36bmyjTe6cZAj3/M0ueQhlTrJAW4MwRluY7E
FgkrBgEEAdpHDwEBB0B95fmIsa7I4c3ttAko71CuEI/wTam0zYrYJNtL7sz3o4h+
BBgWCgAmFiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jsQCGyAFCQHhM4AACgkQ
m/T8y5CFTamxRwD6A9TAs2Ac2VUQDCGgIEgUeULB2fZ1i0s0zydXctKJf7wBAL64
utFE0ryrkFHMGY4xHMwZfvWosYH/qfLlKadnb3cK
=WgEZ
mQINBFalRtcBEADXqtNueywhXtjCy7WXAIzoxfmeCWe0+YzK79dHMz7TIqGQU1X4
nYi9YJRAgIKvD/gY1i+hUoWrbc3s1YHKIbZsOqhHHuXSPgcpCG/xYWMroc6nsGT3
iu2pbcxDAWRp0ib67SyCGwEQj/LLUpE0DkptZvUHOBgUGi8pohhbJJ1mAN0E7GJ3
SjAeLKx59a4Q+S8HEKDJCmP6gCzixxIfS07ncG6TU4ppN8jaN/gEF40IIcTbds4C
L+ieCdz9ZVtlDvGKtNiSlT7XHnbjPMuQBlbPZaiVuylQIkJlyLEjZduhLNueag2V
NgcAfqt6HQCNnZ8B7K781rhb/rHtdk98lvOimOWUbNCXREEOHpoVIxZYYTnkVvLo
YokUncWTMym+6Pelfc7RvtfrK1EjjbblTDn/+Wo5YlBYfI02Vr6RUg1CF4s/FwCc
ogDtiG1eYAEpnHe9aV5lQrvJcgvmXF6cbIUnbaslApo0LH1uCYliInxuxKdOaxTT
qRHgug25/SA5XEH3Sc/WFPCun4LFwEElxcrrE4OeWYiixBYU06GMem7GLa+VAf0E
DxrzkGt16QODFyyJcWGQAp1SPxbBJ+E/QAe7KDK9vVocj31Ug4KA7LoqaLS6dW0e
5VJRqtej/bOzI6zJYJYPGV4XejPPTMpg0se6EvMYw775M+qAajAbFnHRHQARAQAB
tBxKYWtvYiBMZWNobmVyIDxtYWlsQGphbHIuZGU+iQJWBBMBCABAAhsjBwsJCAcD
AgEGFQgCCQoLBBYCAwECHgECF4AWIQR8IHUJViwgjE7BZ26HqOVmLfACdAUCYA2o
ywUJC0mVdAAKCRCHqOVmLfACdEJ+D/9iP3odbY9eNiiFw44BVKj/Y728V7p60/q2
tCKtLSiF6DfPJ8z2zud6OcTUfn8NuD0bqs2peALhRi/MHRkJq7QuGVN6PNN/9fUa
o9gpjGrwOHISnNkwCmEPJWJ60ZAh9XGJCY466IBAcvYurkq/qDx1BSyEi+makymf
DP2UlyhmsspdOFAoN8+ggIRCWNr6mR1TAZO5O6ce7Wos3nxTlGD1MyPAirbKlAYv
e8zqOHkhijdcKYzSIm/E/9y85aSvwDySOS69JpWEMsmGkXxq/VSv9CNzYEy/+ebR
49aoIZgOr10uY4LLN5c0L+tLvVeSS1976dtwXwRECIplysCm0hZU9Wj9JmfOBACf
Y2kIvMcTL+gREX5CKsvpPk1RChNrpELaOk/EY0hAhH4Nx2WSd6b6Kw/MagApVwNi
zfMqOZsZmSd+RPHqn7hJWaI4hpN0HfjRFpVifjKQtR/Q25c1CzIllSkwGBXQ7AEM
LpHoP1fEzk2Au0v+6q32bY8JCoLwChhcPxDZFzKepHOzgf+8QKq+ZB7KPxjWWAET
lzmzgGhKmaQOnZZsBNYYj78opGXOMxkEThaHCBgKPDTBU6XPNgd/8LYUbai/JpA5
wDOe6i5Z3c5TNXXOIMBpviUQ3BB1z4kd1YSV8DLPHwhY4q2d1oOGToKUZy39NvaZ
Ds/rHILCQrkCDQRWpUbXARAAwxN80JhEojDcNiDRZOHVM7C4hQSdAOUI3upJpFVi
0aJVRU5+w6yebh/2bMVUgL/UBFiEaKxgBtcy6snBsY5YzSZq6QneVhN0HLFyPAKX
j2zrw2MQAaVtJ+ufihdqpxgWELVfY1ycP5rX6pHXAbQA6kw0lg3FNsUi7q/qIPoO
8q8H656alz5fqvJcu1dBEbEQ+oWXUrROVcBkVjElX3Od2uKm2ZBQajcO5EEYj2Va
QtsBTdzehGnrsssEtr7yZz4d85a3uWU3pJ900Ugn22MCBHS9EOk2IuEArgPFE7eV
1S78D+QS7qjU71sJHsHoBeUg5uZoR0hNNnMWqokgYhHA9+A+Qt6KEBPLSb5Bp9Y0
o5wqRBqjxaLPSGG1NryKkAKc3cvHiCwFW6DxsJzVML1aTH60R879256YCUmVMIUF
pCGjUf3ZkZsFCMKuUDLsBE7Kn2CMVW7yNn1wLOfOhkRfGCtHQNLhIiwTTWD84iDQ
DHQ5v5r2TfosbovSy+HGV0Bi0z3W5tk8x+aV3I67vk5BbSmp9bdC7MkfSuxOYdKA
c3zexmuledVMyjVZvL2DwaJaXYD3YY+ZIUc6N/0Ox/65DllH347022luWUnXjkip
vtM55ENKeGmk3z0368L4atubo2qV1l00UKs+2bdbz65uHDMgGebVBtNsExiO8pzd
1asAEQEAAYkCPAQYAQgAJgIbDBYhBHwgdQlWLCCMTsFnboeo5WYt8AJ0BQJgDai6
BQkLSZVjAAoJEIeo5WYt8AJ0BxIP/A70jXPM6QKtWGs7xi8n916aVK43ODgCVmDq
vyduV5ywO8x8xljjVuAQm57Ei1thAGCmKzxn4rWmm81cVXBq/ZLRamrDSnP4rctZ
qZfRdsUiLJUimOTxqOn0cDqrJs8trBIIE40M20LX3TlEWueDAhpuO1gndupSb94k
U/PId1VZ1fyPz24tay/GgSfpBa7ZuXiSWr+QtQu2MlX9WXBo7gDo+BDUsZqyy4/w
Gqm1i7NVElW1lJK+KOGCAHC7JcBIjGsfxS3+MjxI0HQ2MeQyDYiwhF0xHDTCLBgv
nXAkFoCe2xB8q/+RZV1hfYGMDPILwFox6OZkpSRW/+a/j1fw+Hi4MidSoe7Xkxbr
zZVTBiFFIUbg46PCxrBdNDtba26vcS4iUZVefqcGa2ZuHQrDYRdYyeqPCZ5z9PLp
tVPYebApFnFSkd8pvcKkx6KPrItWBX5DFsGGTo6QzTg0s/w5WvqNWWHJ3NRFh1V/
rz/E67uLfJGt3qOVyOkIKKOTzF473Wku9uTMz/BCaBRJ80VhGDYG7Vi5uvQwTte8
CLhjpjF94XWhijOAIXXavCe+XhmX4QXBIjeDy4UtULi5uod2qCgT8hJRcRdC7T21
x9o0CU3J3E0QdaVwulZJWEgT4JUTjBJwVRU6jwQNbq0l4FnRrcYULBcidCCAXXzR
GUBE0eMh
=PbMY
-----END PGP PUBLIC KEY BLOCK-----

9
machines/default.nix
View file

@ -4,14 +4,7 @@ let
in
{
raven = {
targetHost = "raven.fablab-nea.de";
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
};
party = {
targetHost = "10.105.255.242"; # FIXME
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel

45
machines/party/configuration.nix
View file

@ -1,45 +0,0 @@
{ pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./services
];
nixpkgs.config = { allowAliases = false; };
console.keyMap = "de";
services.xserver.layout = "de";
services.xserver.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.gdm = {
enable = true;
autoSuspend = false;
};
security.sudo.wheelNeedsPassword = false;
users.users.party = {
isNormalUser = true;
password = "foobar";
extraGroups = [
"wheel"
"audio"
];
};
environment.systemPackages = with pkgs; [
firefox
mpv
pavucontrol
];
networking.firewall.enable = false;
services.openssh.enable = true;
networking.hostName = "party";
system.stateVersion = "21.11";
}

65
machines/party/hardware-configuration.nix
View file

@ -1,65 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
kernelModules = [ "kvm-intel" ];
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
};
loader.grub = {
enable = true;
device = "/dev/sda";
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
fsType = "btrfs";
options = [
"subvol=root"
"discard=async"
"compress=zstd"
];
};
"/home" = {
device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
fsType = "btrfs";
options = [
"subvol=home"
"discard=async"
"compress=zstd"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
fsType = "btrfs";
options = [
"subvol=nix"
"discard=async"
"compress=zstd"
"noatime"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/3e24b5cf-e59f-41b1-9eef-107f808b9242";
fsType = "ext2";
};
};
}

89
machines/party/services/colorchord.nix
View file

@ -1,89 +0,0 @@
{ inputs, lib, pkgs, ... }:
let
ledDevices = {
kanister = {
leds = 43;
host = "wled-Kanister";
};
bar = {
leds = 300;
host = "wled-Bar";
};
};
soundDevices = {
sink = "alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor";
source = "alsa_input.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo";
};
devicesProduct = lib.fold
(soundDevice: acc: acc // lib.mapAttrs'
(ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
source = soundDevice.id;
}))
ledDevices)
{ }
(lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
in
{
environment.systemPackages = with pkgs; [
colorchord2
];
environment.etc = lib.mapAttrs'
(name: config: lib.nameValuePair
"colorchord/${name}.conf"
{
text = ''
# Basic
outdrivers = DisplayNetwork, OutputLinear
headless = 1
# Audio input
amplify = 10
samplerate = 48000
devrecord = ${config.source}
# Visualiser
cpu_autolimit = 1
satamp = 1
# LED config
leds = ${toString config.leds}
is_loop = ${if config ? loop && config.loop then "1" else "0"}
light_siding = 1.5
led_floor = 0.1
steady_bright = 1
fliprg = 0
# WLED
wled_realtime = 1
port = 19446
address = ${config.host}
wled_timeout = 2
skipfirst = 0
'';
})
devicesProduct;
systemd.user.services = builtins.listToAttrs (map
(soundDevice: lib.nameValuePair
"colorchord-${soundDevice}@"
{
partOf = [ "colorchord-${soundDevice}.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
'';
Restart = "always";
};
})
(lib.attrNames soundDevices));
systemd.user.targets = builtins.listToAttrs (map
(soundDevice: lib.nameValuePair
"colorchord-${soundDevice}"
{
wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
})
(lib.attrNames soundDevices));
}

6
machines/party/services/default.nix
View file

@ -1,6 +0,0 @@
{
imports = [
./colorchord.nix
./dmx.nix
];
}

12
machines/party/services/dmx.nix
View file

@ -1,12 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
qlcplus
];
services.udev.extraRules = ''
# uDMX
SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="05dc", GROUP="users", MODE="0660"
'';
}

15
machines/raven/README.md
View file

@ -1,15 +0,0 @@
# raven
## Services
### unifi-controller
The unifi controller is used for managing the wireless network. It provides a [Web UI](https://raven.fablab-nea.de:8443).
The following ports are opened in the firewall:
- `3478/udp` used for STUN
- `6789/tcp` used for UniFi mobile speed test
- `8080/tcp` used for application GUI/API as seen in a web browser
- `8880/tcp` used for HTTP portal redirection
- `10001/udp` used for device discovery

49
machines/raven/configuration.nix
View file

@ -3,7 +3,6 @@
{
imports = [
./hardware-configuration.nix
./disko.nix
./services
];
@ -14,56 +13,38 @@
networking = {
useDHCP = false;
vlans = {
jt = {
id = 2;
interface = "enp0s25";
};
labprod = {
id = 1;
interface = "eno1";
interface = "enp0s25";
};
voip = {
labdev = {
id = 5;
interface = "eno1";
};
pubevent = {
id = 6;
interface = "eno1";
interface = "enp0s25";
};
};
interfaces = {
eno2.useDHCP = true;
labprod.ipv4.addresses = [{
labprod.useDHCP = true;
jt.useDHCP = true;
labdev.ipv4.addresses = [{
address = "192.168.94.1";
prefixLength = 24;
}];
pubevent.ipv4.addresses = [{
address = "10.10.0.1";
prefixLength = 20;
}];
voip.ipv4.addresses = [{
address = "192.168.93.1";
prefixLength = 24;
}];
};
nat = {
enable = true;
externalInterface = "eno2";
internalInterfaces = [
"labprod"
"pubevent"
"voip"
];
externalInterface = "jt";
internalInterfaces = lib.singleton "labdev";
};
};
i18n.defaultLocale = "en_US.UTF-8";
console.keyMap = "de";
security = {
sudo.wheelNeedsPassword = false;
acme = {
acceptTerms = true;
defaults.email = "accounts+letsencrypt.org@fablab-nea.de";
};
};
security.sudo.wheelNeedsPassword = false;
users.users = {
simon = {
@ -73,7 +54,7 @@
};
jalr = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "audio" ];
extraGroups = [ "wheel" "docker" ];
openssh.authorizedKeys.keys = config.fablab.pubkeys.users.jalr;
};
};
@ -91,5 +72,5 @@
"192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ];
};
system.stateVersion = "24.05";
system.stateVersion = "21.05";
}

54
machines/raven/disko.nix
View file

@ -1,54 +0,0 @@
{
disko.devices = {
disk = {
nvme = {
type = "disk";
device = "/dev/disk/by-id/ata-WD_Green_2.5_240GB_232497451701";
content = {
type = "gpt";
partitions = {
esp = {
type = "EF00";
size = "1024M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "raven-crypt";
settings = {
allowDiscards = true;
};
extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "nodev" "nosuid" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ];
};
};
};
};
};
};
};
};
};
};
}

16
machines/raven/hardware-configuration.nix
View file

@ -19,14 +19,26 @@
"aesni_intel"
"cryptd"
];
kernelModules = [ "dm-snapshot" ];
luks.devices."cryptroot".device = "/dev/disk/by-uuid/ad04bc72-bc84-42e3-856f-152c162ad88c";
};
loader = {
systemd-boot.enable = true;
systemd-boot.configurationLimit = 20;
efi.efiSysMountPoint = "/boot";
efi.canTouchEfiVariables = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/1ac13504-fb49-4739-a0e3-f87a3f840fb1";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/0FEA-FAF6";
fsType = "vfat";
};
};
}

BIN
machines/raven/luks-passfile.gpg
View file

Binary file not shown.

57
machines/raven/secrets.yaml
View file

@ -1,57 +0,0 @@
dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str]
asterisk-pjsip: ENC[AES256_GCM,data:8nBg6SfWDOhuF4x5T0fz67jxXkIhzfX/FVbL98huIs9rdalGuKIOGeIBBYPzzH5cbLkfvG7ZW5p2r/I/jRoAKAu0airMJzZ2aHIFMjLUgzB+Rl5EbVF1kP8J8mwDVBMw1BFXELDNwnd+EniwWw1TwJcqWvZ3EhG00HIogzurn98l/FFMkNxWCXJ6msWBe6BHlGNpq/jPmyTVc2mlPXQ6uhqK4MWGe97tH3d+d7m7raXNjaTDruZLwKmNkONtVg5udzd1f2OP5GdoM9Tn+UHFkndqn0X6Dk3lH0dAoObRk9hDp57TnGZPrXNXktWroFk1QfsyobiB/Rj8uBRYa4BXHa/6OeQm1o/vRQhTY4e86N5fOdhwFHy/EQtp0sHa6kgiKHd8Koo/HOwAa69R44tKXvmJ/++cuBsfr71oLq+nrXIKcVv4ShmXV0kHNyaeSjCsWRcA57/FjS+uoaK/gKIGvX32TULAYGYHtIFhq43pL43PrS2j8qoDBrZQfkBXwUOW5iQr9c/aHloX7t/gDpFEi5XK7lFQsx/buamH9eWFkqhiDyu5EntSXXJb6UAbYmLREAyD/n3evyp6PTZak+TvhzLpXmol4L/IYOLqvbj8BS3ZfctqwPYtax3J0aglMsvbjCGWpiHywNt90SdPsMJi7s2KbQGbUmpOGWzq7TLByrT5MxXD//pmBXbSROxiKHTPyXpeg4SQuj0boDCIxcGG55rc5ouFMqJOJVdorIrgJ8Il1nTXHgzssuMP0/dFIYXj2gp9/XJ3S9N1acyNJCBhezeRS2PE0L3tCOHLY6IerQuW+1hmLEr8bMrzP6+70FvUb/FlfEfLwgq5AXPKE7l0cX9bn4pLAWkSreurpWE9xAIICJAkRNzcD2zMHaCiRnu4b5O+19ZnrfG1tVl0AQ6GckBFM5wcu0w6bA+YIaOngojUzPcMIynrXRdFEBB7rXiTi3JWN2nlJyTx9n+lXsgpgSf68mGcfEFdNp1hkFEUy65DEKiKQPK3aa0nVYPbAkfh/vcjkLO4X0gd0Ec+4XVda3ZyG2QzSYa2DQWmCYg3nwWg4eiKl4ppatp10soHfPSauRBLRrN5XmFtaH+Sp7Bwr565uVmyqYSgb+VTRY/25vK7VcT9rXpKX0PjOFOD9wFD2jQ4Ezs+tVieidZgvG2CjElxI8zmcsaZk93FUc4cw0lTy85cCo/IibTIlAd/uYrT+lxe47H51W2PtjovyZcH0XJW76BhJV6yMUron7qD9JTFGf3OagTgjoKh5InSsnxON52fy3GLUTvzO2vPg1c+iWg/mVYrPp1iCpK/G6LBh2k+Jj3OyQ8Z3GJZJ7khzI3E3MNOTvyXZJuXESMGTKmXWkHqvRrAvsW/CDBq3TmW0Jd0uMtFP+J4aL++BxAXKZLQ0g/RXwfOI/cQFQIPl3BePXl7VskxaFx5WWuKEbh9YMuF5FQ44vo386dvcDpfVNnRdFBOEltC7Ck6mJDUVPLAM3IhN+xQwobdWARR+baihGOUk9psP5boQrUvcBIx04RmXCLomHVD3Aw5jxh7N5TJ3BC2q6ZbkbpqwbH9UOg5PXrgXd8Eh6L+KhRjc6sl5itSsHK5iitWzfil8qcMpQPcLucZl+s1gISGlHaiE0MwkZj2fT9QZpw2+BmH1VU4tDpSotOue3H8MxK1j2mFnrEwi5sk5eHdBzBjyQ+SzmpbZTDk5eMlgfIKt8sErZ4ABI7iXQp3A8jusOYbZCQiBTPF/guhPOLuE3sWSBJLkpj4iHRrSVSAy/B1qy7fMlnVqqtXujXfy16pFG5IQKLUPGxyO5eotMuf5nkAigm5zn6q+eWpjDub9eBviXDjbemW4F7ncAdtiBzIWrak/hhp0fxMpzuh9h844Vou1brjKC9Xg5cf+IKyESjS8txHRSQhmZgab6iDv3X8Q0l0lRiKxzAOxM/2L14r6Gy03lMwaE1nUKgZjrtflrukeWgWA4EwDE69CdA7vbsX3zJ9d7cr+IlmiuTprldmV6EirJJaBNNdRealehhopGzDODIucUNp1PT3LQ/AidxOui6p6iP1PQG+TuIUtpM8AzxP3DbE+kMf9PNnb2E3JT5NrJz0BBWhhxr1KGBjniozh9CtSRq/JpfWYVLd8PA0P3abA1mW0A7IWaobI00qtPt1pcx/MtV5QzsQ5CPRVu10lFcF9AmKT3ekPySISkjcBtoe1FxO6j6cOqe6nbdx/lg0dnNBFBETVa8gAQwhmOAnqCURYDvbfjHjX99k0jwesiqxm1QH4PRjtbicd/JMiosWsiFBJohFI/0JIscxd0iZ8LvNPALWLeKfcqXulzjNKy4sB9QIxN75dGKaDZv2qInBDm9p8hDaqT+tdXsptXw2SkLfbRiWnim/r+VHKq0uYV9KlolmE4dOm/dWQ/6Ri4XBIFr5Ld9udSQ275GHZ5EHlcoPGEjZeNR6e0VMskcPH7tJXDEs4p/EoEWepVVWeuRidauFkcskSn2QMR7Yd+NAl2XxFYMiniGL0UzkZ5johxgw4WqopQua3Yff76f0oigR9VVHf1ZJlIC8IND1vLNRwbhVpW79SCeaHwp8jui18x//bn69eHMYjxRPvimnxRirSmjdCgCFAalgVtxfUt7WO8p2/Kzlu6kwPQrSMltLycNhkvrGinQcKGPtEkNfzCG4MAvyb3UW5rph/nui7ybCT0AnRW9xFpVURGuuGUhuKFMDhzBbiaB3i1cMdG+DJniwUc4rSg+o4YvrR3Q9w++hQUcfEbT3fJwoWCMOExCsu5O7vhZbdTd6tJzH9sxN72q4yDAXW5pqtnKU71AkWg87meuGv+W23s5IBJr42L0ubEXTEoZMBvjDVrVS+9yKptQz3pkPAIFaXoLUGlJw4XmtBL8wWSj08Zi3F+lnyR+YVFV19infI35Fi7keABHHCmWeNdrlgrcFR9bs/fxn/Oswwk+8gNXQBIGLIs3clnRd+4SggfLQvv1lud8ZBN8jV3j/czAnN8XdMtsqMGZJ31TvBWVuYmqijCpwbuA/hCXrbiyy+DG+6ZHO4sUpIBPB0uQ+TNfuR9FNNxImKZBaUAOMuQgBw3lWU5Weu2CnSfJdKlREX0mBk+1StDKSJmE40x9ACt17XGST+vu8lOwy8C/wjPzCfsVMCHxJURCGe6HMfYQAyclgfwE0knq82kOWulUPFjnIyjhHwr8xbTmm3e6j7wDkvaK5WHIIxamyv420b5Y/Mc0HqA5YrC6a/AWSuHpg6lpCuLP9femhiwtERyEgOWeOJOr5wj+ZgmhD8/RpeUJlCdjWjDB1zFdoF/9u3yNpxJxpqYTB87PkcgY1jRdTP1W9/oMpvsGF61TU1IOTnhVtUZZPWYmXvyv7bHf+wmPrDN8EnxU4gMRK0u2Knx9PPuYb/iDD8UkEgbBPo/oDrboMo4QVE8je76NlIEdPlsLCDWO7GitRvNkAfDqEFrWjh6LUeyIAKmjWgm2IKEBnwHcx1v/p6iU7rABtaDmZyq5hgnbDZtOFEVsZQEk0vYYQNyMuqfC6Kt/uukmZVePRKkGXwTPmNKr5vdUTZmbZa14j46pNiOTm6R/vVKZEzHYDwgpbSoK8yQ50QuuGU9aak+iYZB+CckEH+S3KLInzDSNsA99BthiHGhIpsbwR70gc783coYJoIipYieb//LaTvf8BDmafNKnOQVazP5T2pHeO4yePr1/dEN6x9fdFRVKv/Q73qVBm5S0Jqys6Oo81cdrmISboSLzxAm7V01dijQ6Juv+awBx0emFuUKDVgS8AfZ6pGhugwcJsAE8fKexMS2I29xGaBzeGeQzOYmlTA7RXngTXh/DaHEckgBXp84dcXjcrRiEG0wGRSvNMx1RffnUSoslLpgpMfwNYl0NMwbq+lt1ppH88tJnUXu0G3YyF+Me8lyYVlnQU9afd4u7nNTAamBlNx3QtMndWdK92X20kK2ij7kwefLc1pm6toOZE1vdSaIFXnpZCEh4of6vdNkFscpkxHtsURObPbtFsI4C8WXCypgWj3Po+YgbhMddKRu4BiQfQnopSHatFYYUM3xzTiuL496WwgCorp+Ak+wOhIE45o/iugS2xxfJIQKkMiP1JbzDw59qcaLdnRXOLqcv6nX6bMkwHuxNmVCTn2lk32FmraJdfyVhdTBPrCXx/TjoGISgEOc5w5oct1L7ERLiD6BCbxER2UkSsQb/rLoUYdfHh3bLXbZKLDGVRuf1JoImGHhtTE2R+o5o1dzWwNdHMGjVpMIV1ixxsFsMG27KhjIYUMBdrqVXH8wCXy2TOCxTqIhIOOg6lUMvEwUAh3ZaFRKGe3VaSRyVMcKE8dseHIS7MRq2g7jp9eyJkZqspBh6PEaPyTwYYv8f00VyHauZAV3UdWfWDsEZUYk194wiH2/j7O9+eF7jxPlmLuXUQGQBVTAFObpcoT988N24NalijJh/cuahhkSQYR1hMahBF5jwwVHS3vtN6pUwghTUV4HqeIrtur1cJRB6Qlm/YRgvcB1fX7xbhYyMUJUYEp1gK1xhY1c0A16V8HQPFheL8EV5tfsUT,iv:xh7XXUyLD68UDBBG5aKI/HWxjMZ0Tr4sLkIeQ8vQIso=,tag:FyLg1FhxUGjcNGD2sq4Oeg==,type:str]
asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str]
asterisk-voicemail: ENC[AES256_GCM,data:4/Kbt/XMUGIIVpF9/KIMIi/Gx344dIleieVWch5J5z1gz2o5cLIF73qCj+vApDzSHcz2gTzMEKwEV6H8ZsxJse27dNBIdVq1n18oSWWAMT1iOomxxzqESLhF+HTtBIEpBVi5y5zwMRXGh/72SxKY9TXv/KHxTMp8aBhNvoCn2ze1VOcBjyNxGda4gGgFAa4LNTzxQ1B6XpfgkjsH2uY0zaAd8rrsXPrPY6TNS7JxrBLKfKshTiJCElJJJA1pCcRe4/yMqCm14J5+n3FvEOnHC+BQHX+ohJYaBcrZblWF5rH/l25BnUgP4UC9ydk3LmQiLpH20+sTWZwi/FojeID0BahdrzOk0tNCTKwNtfFp2QzYvlQPdFRCINb5k1Pz9DNLx7bSv1mvkeGNbd1YdHvEnPwYrQmAae96kg+Vl8PVRqY7ZsMsktcOfqlw8k/W4DK0G6LBA5U9G7JryS5OeS3kMMo4vQzcjU8/eZMl/XwHB0806k63wI7j3wL9Z5+DGmdLX3z3RgtJunELTcayAwerRptuwidm69hbOhmWEwkCcrR42QNVuDD8Qxp/CnwnmwUawUFBOFIBjbQApT9miOmo3e7nY5fjbf4JUbJ9/0JbT7YtZOEU9ymACobX6fweOsYUoWTXprJDwZkln8omaAbP85g4XgGGoltdTk71OviSSfN3DCKfPwPop8GZ9UEBQN9rNUyllVRoTeaweqN2VJnD/ApWj8A22i66R1CPm6ebXLOjClahs/hCKTeYHXPiDjWb5xd9c0fQBlnHaWbVYLtGzBpf0p9oU7DE2KskzZE2TDat8qCdMeqBcpEwUVGqcqq4YWDPy593XZzpG91NYDAb6GbkYHiZw+OQStEFA4SbN4YdwPB0fZN0iW+IOQPfWgUiRj2wAUYRXRpxPQ2ZDh7Ie0oZbJvhx6ulEM8nKI4q4e3pkzF7KjT2z9KzinkhvjqlpU0vfCm4BFMUcKXVskQsiDA9gz4w0m7Ei4HbyDHoUGVCUDtv0W6IfjrEUsBasxcYkown20rip/CwKTPmKy26bz6iHgUAB6f71Ms8sdKr7gHdnzOK3OBm5I+gell6SsdDDfGgQdUHJwSu8XwwJdc7Faai7+wN1stfSglm4PwuoFIH9ucgVyXrAwLJIQ==,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str]
prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str]
unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBML0wrQWtGbjhEY1BpT0lU
OXZZTlF5SzlWSGc4dzgvYnJ1QUtRUDM4a0QwCmU2bEVRUEZFTEw3QW9MUm16QVFk
bmlwMmN5eldzRis4czJNTkpGUUkyd3cKLS0tIFZ3TWswMnBXOW5xOW8zbTNiUGtS
T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc
Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-04T10:58:16Z"
mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str]
pgp:
- created_at: "2024-09-24T19:30:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DY/xpNY5WhB0SAQdAyqAyhamC5ViSdA1B1b8fI2iaSIAfyVJEe2ZaDyFI82Uw
NPvBXNKx4u0KTnMG6tl63Tb2/6sC4uhkp3n/pM+cxKIMfTXodIenddK5siPs8MQI
0l4BeIxec9DiNskvxTqnZ7jtVd7hWy494cDrr7Yb9J0GZWQ5mP2ZtqgcDkbzZnqb
E8glyIInDNAKedtpbE0waUWPwbA3XAgsQX6xijwe5q0j4Rqqc4rlvJuk9Xd7G+M9
=77Op
-----END PGP MESSAGE-----
fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
- created_at: "2024-09-24T19:30:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDgSONkM+d4AQ//VH43OoHprfVhgtPmGjP3dHvWxLkAtyEi2QOYWjGLGbuw
l5TAY8RAp3c34E0qp52a2a+GSJUwdxVusK4MSWGzzg0x1VKPFr5Dz11SRnjqyWuQ
sM7zo9AP1cIUoIaP4G/jnwYicEH+3ADjFEpNazfNw56cpjWL/1yQSKK4uk4x/m7e
AWWcRQHJa7j/sPuR2R24CQjZq6WfxoDDe2v1J+NTxBoZh16CJ8LDUWOCAgRDvEDn
d1WczY5cu0n/IAl8baKrvAtBoahEeF97lBmZ7BtXiFT2c6jvwjY0erj+BA0N4Jfc
WnJaU1y+a0RKxvH3AOo7R09NmvFtfWcUrFD6k5jLGhvbkuMd4+akEhDv98GeW77m
qjimf2gOLt0mR536JQP0pZ41O5hXLGVhPDESRWKMkeJcJ97+7wN9WkUnfW+AA0+y
TSqQ+KEsJMIYK1HCWJeW8oc+G+gEY7iutIxY+dL7NV8EzUWREhy0/1WzEIb3AfgH
XfzQufzXnKG844GUV0WKHiff7/Wmuhcz6+yFNLqdG2u7LM91eBB3B00ubFmfcz4U
OO4SopFeGHUo7xjQMDI3SzwPocRBsL3Fz+f2o5zsOGUPS/UebLwgN4UvaW0BKbZ5
zRiC0v5OKWRMxZVbhpmfvfYFEjkflVfYuiTul6ajnaXarO+S9Sp8r+RSkkJx7ZXS
XgHjN92PHYzz8O0ls8NxJiMFdG5ozfims6VN3sC98LjhRsaCb5oEwh8ZoB6WDb7y
0FeEsVM12vBGVF2oU8SVSJNnsgf4aMCTAPi+vdimq4UBKMEyxBwWkp62r2xXmoA=
=/jcl
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
unencrypted_suffix: _unencrypted
version: 3.7.3

138
machines/raven/services/asterisk.nix
View file

@ -1,138 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.asterisk;
secretConfigFiles = [
"ari"
"pjsip"
"voicemail"
];
rtp = {
start = 10000;
end = 10200;
};
in
{
services.asterisk = {
enable = true;
confFiles = {
"extensions.conf" = ''
[sipgate-in]
exten => _2430207e0,1,Noop(Processing an incoming call)
same => n,Dial(PJSIP/100,20,tT)
same = n,VoiceMail(7929876@fablab,su)
same => n,Hangup()
exten => _3529,1,Noop(Processing an incoming call)
same => n,Dial(PJSIP/100,60,tT)
same => n,Hangup()
[dect]
exten = 99,1,Answer()
same = n,Wait(1)
same = n,VoiceMailMain(7929876@fablab)
same = n,Hangup()
exten = 98,1,Answer()
same = n,Wait(1)
same = n,Playback(der_dude_ist_nicht)
same = n,Hangup()
exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
same = n,Hangup()
; Kassen
exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
same = n,Hangup()
; weinturm
exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
same = n,Hangup()
; /weinturm
exten => _XXX.,1,Noop(Processing an outgoing call)
same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT)
same => n,Hangup()
[cisco]
exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
same = n,Hangup()
exten = 420,1,Dial(PJSIP/101,30,tT)
same = n,Hangup()
exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
same = n,Hangup()
; weinturm
exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
same = n,Hangup()
; Kleinturm
exten = _58X,1,Dial(PJSIP/''${EXTEN},30,tT)
same = n,Hangup()
; /weinturm
'';
"http.conf" = ''
[general]
enabled=yes
bindaddr=127.0.0.1
; Port to bind to for HTTP sessions (default is 8088)
;bindport=8088
tlsdisablev1=yes
tlsdisablev11=yes
tlsdisablev12=yes
tlsservercipherorder=yes
'';
"rtp.conf" = ''
[general]
rtpstart=${toString rtp.start}
rtpend=${toString rtp.end}
'';
"dnsmgr.conf" = ''
[general]
enable=yes
refreshinterval=60
'';
"prometheus.conf" = ''
[general]
enabled = yes
'';
};
useTheseDefaultConfFiles = [ ];
};
system.activationScripts.copyAsteriskFiles = lib.stringAfter [ "var" ] ''
rm -f /var/lib/asterisk/documentation/core-en_US.xml
mkdir -p /var/lib/asterisk/documentation
ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml
'';
sops.secrets = (lib.listToAttrs (map
(name: lib.nameValuePair "asterisk-${name}" {
sopsFile = ../secrets.yaml;
owner = config.users.users.asterisk.name;
})
secretConfigFiles));
environment.etc = lib.mapAttrs'
(name: _: lib.nameValuePair
"asterisk/${name}.conf"
{ source = config.sops.secrets."asterisk-${name}".path; })
(lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
networking.firewall = {
allowedUDPPorts = [
5060
5062
];
allowedUDPPortRanges = [
{
from = rtp.start;
to = rtp.end;
}
];
};
}

109
machines/raven/services/colorchord.nix
View file

@ -1,109 +0,0 @@
{ inputs, lib, pkgs, ... }:
let
ledDevices = {
workbench-1 = {
leds = 87 * 2;
host = "wled-Workbench-1";
};
workbench-2 = {
leds = 87 * 2;
host = "wled-Workbench-2";
};
elektrodecke = {
leds = 87 * 2;
host = "wled-Elektrodecke";
};
traverse = {
leds = 235;
host = "wled-Traverse";
};
nhecke = {
leds = 75;
host = "wled-Nhecke";
};
printerbench = {
leds = 80;
host = "wled-Printerbench";
};
resedaraum = {
leds = 285;
host = "wled-Resedaraum";
loop = true;
};
};
soundDevices = {
sink = "alsa_output.usb-Burr-Brown_from_TI_USB_Audio_DAC-00.analog-stereo";
};
devicesProduct = lib.fold
(soundDevice: acc: acc // lib.mapAttrs'
(ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
source = soundDevice.id;
}))
ledDevices)
{ }
(lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
in
{
environment.systemPackages = with pkgs; [
colorchord2
];
environment.etc = lib.mapAttrs'
(name: config: lib.nameValuePair
"colorchord/${name}.conf"
{
text = ''
# Basic
outdrivers = DisplayNetwork, OutputLinear
headless = 1
# Audio input
amplify = 10
samplerate = 48000
devrecord = ${config.source}
# Visualiser
cpu_autolimit = 1
satamp = 1
# LED config
leds = ${toString config.leds}
is_loop = ${if config ? loop && config.loop then "1" else "0"}
light_siding = 1.5
led_floor = 0.1
steady_bright = 1
fliprg = 0
# WLED
wled_realtime = 1
port = 19446
address = ${config.host}
wled_timeout = 2
skipfirst = 0
'';
})
devicesProduct;
systemd.user.services = builtins.listToAttrs (map
(soundDevice: lib.nameValuePair
"colorchord-${soundDevice}@"
{
partOf = [ "colorchord-${soundDevice}.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
'';
Restart = "always";
};
})
(lib.attrNames soundDevices));
systemd.user.targets = builtins.listToAttrs (map
(soundDevice: lib.nameValuePair
"colorchord-${soundDevice}"
{
wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
})
(lib.attrNames soundDevices));
}

11
machines/raven/services/default.nix
View file

@ -1,15 +1,6 @@
{
imports = [
./asterisk.nix
./colorchord.nix
./dnsmasq.nix
./dyndns.nix
./freeradius.nix
./grafana.nix
./labsync
./mailhog.nix
./prometheus.nix
./unifi-controller.nix
./wekan.nix
./labsync.nix
];
}

109
machines/raven/services/dnsmasq.nix
View file

@ -1,93 +1,36 @@
{ pkgs, ... }:
let
stateDir = "/var/lib/dnsmasq";
dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" ''
dhcp-leasefile=${stateDir}/dnsmasq-events.leases
bind-dynamic
listen-address=10.10.0.1
except-interface=lo
domain=events.fablab-nea.de
dhcp-range=10.10.0.20,10.10.15.254,24h
cache-size=10000
dns-forward-max=1000
no-hosts
'';
in
{
services.dnsmasq = {
enable = true;
settings = {
server = [
"142.250.185.78" # dns.as250.net
"2001:470:20::2" # ordns.he.net
"74.82.42.42" # ordns.he.net
];
bind-dynamic = true;
listen-address = [
"192.168.93.1"
"192.168.94.1"
];
interface = "lo";
expand-hosts = true;
domain = "lab.fablab-nea.de";
dhcp-range = [
"set:voice,192.168.93.20,192.168.93.254,4h"
"set:lab,192.168.94.20,192.168.94.254,4h"
];
dhcp-host = [
"00:30:42:1b:23:ed,192.168.93.21,rfp-01"
"00:30:42:1b:21:c1,192.168.93.22,rfp-02"
"00:30:42:1b:26:f6,192.168.93.23,rfp-03"
"00:30:42:1b:22:3b,192.168.93.24,rfp-04"
"00:30:42:1b:22:7c,192.168.93.25,rfp-05"
];
dhcp-option = [
"vendor:OpenMobility,10,192.168.93.21"
"vendor:OpenMobility,224,OpenMobilitySIP-DECT"
];
dhcp-boot = "lpxelinux.0,raven,192.168.94.1";
cache-size = 10000;
dns-forward-max = 1000;
auth-zone = "lab.fablab-nea.de,192.168.94.0/24";
auth-server = "lab.fablab-nea.de,78.47.224.251";
no-hosts = true;
addn-hosts = "${pkgs.writeText "hosts.dnsmasq" ''
192.168.94.1 raven labsync unifi
192.168.94.2 switch
192.168.94.3 schneiderscheune-weinturm-ap
192.168.94.4 schneiderscheune-weinturm-sta
192.168.94.5 wechselbruecke-router
192.168.94.6 wechselbruecke-ap
192.168.94.7 helferbereich-sta
192.168.94.8 helferbereich-switch
192.168.94.9 kleinturmbuehne-router
''}";
};
};
systemd.services."dnsmasq-events" = {
description = "dnsmasq daemon for public event network";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.dnsmasq ];
preStart = ''
mkdir -m 755 -p ${stateDir}
dnsmasq --test -C ${dnsmasqEventsConf}
extraConfig = ''
bind-dynamic
expand-hosts
domain=lab.fablab-nea.de
dhcp-range=192.168.94.20,192.168.94.254,5m
dhcp-boot=lpxelinux.0,raven,192.168.94.1
cache-size=10000
dns-forward-max=1000
auth-zone=lab.fablab-nea.de,192.168.94.0/24
auth-server=lab.fablab-nea.de,78.47.224.251
no-hosts
addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
192.168.94.1 raven labsync
192.168.94.2 switch
''}
'';
serviceConfig = {
Type = "dbus";
BusName = "uk.org.thekelleys.dnsmasq-events";
ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
PrivateTmp = true;
ProtectSystem = true;
ProtectHome = true;
Restart = "on-failure";
};
servers = [
"142.250.185.78" # dns.as250.net
"2001:470:20::2" # ordns.he.net
"74.82.42.42" # ordns.he.net
];
};
networking.firewall = {

16
machines/raven/services/dyndns.nix
View file

@ -1,16 +0,0 @@
{ config, ... }:
{
sops.secrets.dyndns-password = {
sopsFile = ../secrets.yaml;
};
services.ddclient = {
enable = true;
interval = "1min";
server = "www.duckdns.org";
protocol = "duckdns";
username = "nouser";
passwordFile = config.sops.secrets.dyndns-password.path;
domains = [ "fablab-nea" ];
use = "web, web=freedns.afraid.org/dynamic/check.php";
};
}

17
machines/raven/services/freeradius.nix
View file

@ -1,17 +0,0 @@
# service for unifi wifi
# provides anonymous access via WPA2 enterprise (PEAP)
{ pkgs, ... }:
{
services.freeradius = {
enable = true;
configDir = "${pkgs.fablab.freeradius-anon-access}/raddb";
debug = true;
};
users.users.radius.group = "radius";
users.groups.radius = { };
networking.firewall.allowedUDPPorts = [
1812
1813
];
}

28
machines/raven/services/grafana.nix
View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "grafana.fablab-nea.de";
srv = config.services.grafana.settings.server;
in
{
services.grafana = {
enable = true;
settings.server.domain = domain;
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
recommendedProxySettings = true;
};
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
'';
};
}

31
machines/raven/services/labsync.nix Normal file
View file

@ -0,0 +1,31 @@
# legacy labsync, currently partly implemented in docker outside of this configuration
{
services.opentracker.enable = true;
services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = {
locations = {
"/" = {
root = "/opt/docker/tftpgen/data";
extraConfig = ''
autoindex on;
'';
};
"/generator/".proxyPass = "http://127.0.0.1:8695/";
};
};
services.atftpd = {
enable = true;
root = "/opt/docker/tftpgen/tftp";
};
networking.firewall.allowedTCPPorts = [
6881 # aria2
6969 # opentracker
];
networking.firewall.allowedUDPPorts = [
6882 # aria2
69 # tftpd
6969 # opentracker
];
}

50
machines/raven/services/labsync/default.nix
View file

@ -1,50 +0,0 @@
# legacy labsync, currently partly implemented in docker outside of this configuration
{ pkgs, ... }:
let
generator_port = 8695;
in
{
services.opentracker.enable = true;
services.nginx.virtualHosts."labsync.fablab-nea.de" = {
addSSL = true;
enableACME = true;
locations = {
"/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/";
};
};
services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = {
locations = {
"/" = {
root = "/opt/docker/tftpgen/data";
extraConfig = ''
autoindex on;
'';
};
"/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/";
};
};
services.atftpd = {
enable = true;
root = pkgs.runCommand "pxelinux-tftproot" { } ''
mkdir -p $out/pxelinux.cfg
cp ${pkgs.syslinux}/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,lpxelinux.0,vesamenu.c32} $out
cp ${./splash.png} $out/splash.png
cp ${./pxelinux.cfg} $out/pxelinux.cfg/default
# required to serve labsync/labsync.cfg, which is generated dynamically by a docker container
ln -s /opt/docker/tftpgen/data $out/labsync
'';
};
networking.firewall.allowedTCPPorts = [
6881 # aria2
6969 # opentracker
];
networking.firewall.allowedUDPPorts = [
6882 # aria2
69 # tftpd
6969 # opentracker
];
}

21
machines/raven/services/labsync/pxelinux.cfg
View file

@ -1,21 +0,0 @@
# default menu settings
menu width 100
menu height 24
menu title labsync
# can be overwriten by mounting another image; has to be 1024×768 in 16:9
menu background splash.png
menu color border * #00000000 #00000000 none
menu color sel * #ffffffff #76a1d0ff *
menu color hotsel 1;7;37;40 #ffffffff #76a1d0ff *
menu cmdlinerow 16
menu timeoutrow 16
menu tabmsgrow 18
# do not show “press tab to edit options…” entry (empty)
menu tabmsg
include labsync/labsync.cfg
default vesamenu.c32
# disable timeout (explicitly)
timeout 0

BIN
machines/raven/services/labsync/splash.png (Stored with Git LFS)
View file

Binary file not shown.

4
machines/raven/services/mailhog.nix
View file

@ -1,4 +0,0 @@
{ config, ... }:
{
services.mailhog.enable = true;
}

144
machines/raven/services/prometheus.nix
View file

@ -1,144 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "prometheus.fablab-nea.de";
cfg = config.services.prometheus;
mkStaticTargets = targets: lib.singleton { inherit targets; };
mkStaticTarget = target: mkStaticTargets (lib.singleton target);
in
{
services.prometheus.exporters.node.enable = true;
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
webExternalUrl = "https://${domain}";
globalConfig = {
scrape_interval = "15s";
evaluation_interval = "15s";
};
extraFlags = [
"--storage.tsdb.retention.time=90d"
"--web.enable-admin-api"
];
alertmanagers = [
{
static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
path_prefix = "/alertmanager/";
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
webExternalUrl = "https://${domain}/alertmanager";
configuration = {
global.resolve_timeout = "2m";
route = {
receiver = "matrix";
group_by = [ "alertname" ];
group_wait = "3m";
};
receivers = [
{
name = "matrix";
webhook_configs = lib.singleton {
url = "http://localhost/webhook";
};
}
];
};
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = mkStaticTargets [
"localhost:${toString cfg.port}"
"kleinturmbuehne-router:9100"
];
}
{
job_name = "node";
static_configs = mkStaticTargets [
"127.0.0.1:9100"
];
}
{
job_name = "asterisk";
metrics_path = "/";
static_configs = mkStaticTargets [
"127.0.0.1:8088"
];
}
{
job_name = "mikrotik";
static_configs = mkStaticTargets [
"${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}"
];
}
{
job_name = "unifi";
static_configs = mkStaticTargets [
"${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}"
];
}
];
rules =
let
mkAlert = { name, expr, for ? "1m", description ? null }: {
alert = name;
inherit expr for;
annotations = lib.optionalAttrs (description != null) { inherit description; };
};
in
[
(lib.generators.toYAML { } {
groups = lib.singleton {
name = "alert.rules";
rules = map mkAlert [
{
name = "InstanceDown";
expr = ''up == 0'';
description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for
more than 1 minutes.";
}
];
};
})
];
};
sops.secrets.prometheus-htpasswd = {
owner = "nginx";
sopsFile = ../secrets.yaml;
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
locations = {
"/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
"/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
};
};
services.prometheus.exporters.mikrotik = {
enable = true;
listenAddress = "127.0.0.1";
configuration = {
devices = [
];
features = {
bgp = true;
dhcp = true;
routes = true;
optics = true;
};
};
};
}

30
machines/raven/services/unifi-controller.nix
View file

@ -1,30 +0,0 @@
{ config, pkgs, ... }:
let
promCfg = config.services.prometheus;
in
{
services.unifi = {
enable = true;
openFirewall = true;
unifiPackage = pkgs.unifi8;
};
networking.firewall.allowedTCPPorts = [ 8443 ];
sops.secrets.unpoller-password = {
#owner = promCfg.exporters.unpoller.user;
owner = config.services.prometheus.exporters.unpoller.user;
sopsFile = ../secrets.yaml;
};
services.prometheus.exporters.unpoller = {
enable = true;
controllers = [{
user = "unpoller";
pass = config.sops.secrets.unpoller-password.path;
verify_ssl = false;
hash_pii = true;
}];
log.prometheusErrors = true;
};
}

123
machines/raven/services/wekan.nix
View file

@ -1,123 +0,0 @@
{ config, lib, pkgs, ... }:
let
serviceName = "wekan";
databaseName = "wekandb";
networkName = "wekan-tier";
port = 8001;
domain = "wekan.fablab-nea.de";
url = "https://${domain}";
directories = {
db = "/var/lib/wekan/db";
dbDump = "/var/lib/wekan/db-dump";
data = "/var/lib/wekan/data";
};
in
{
virtualisation.oci-containers = {
backend = "podman";
containers = {
"${serviceName}" = {
autoStart = true;
image = "ghcr.io/wekan/wekan:latest";
environment = {
WRITABLE_PATH = "/data";
MONGO_URL = "mongodb://${databaseName}:27017/wekan";
ROOT_URL = url;
#WITH_API = "true";
RICHER_CARD_COMMENT_EDITOR = "false";
CARD_OPENED_WEBHOOK_ENABLED = "false";
BIGEVENTS_PATTERN = "NONE";
BROWSER_POLICY_ENABLED = "true";
};
ports = [
"127.0.0.1:${toString port}:8080"
];
dependsOn = [ databaseName ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${directories.data}:/data:rw"
];
extraOptions = [
"--network=${networkName}"
"--pull=newer"
];
};
"${databaseName}" = {
autoStart = true;
image = "mongo:6";
cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
#"/etc/timezone:/etc/timezone:ro"
"${directories.db}:/data/db"
"${directories.dbDump}:/dump"
];
extraOptions = [
"--network=${networkName}"
"--pull=newer"
];
};
};
};
# Create the netowrk
systemd.services.init-filerun-network-and-files = {
description = "Create the network bridge ${networkName} for WeKan.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =
let podmancli = "${pkgs.podman}/bin/podman";
in ''
if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then
${podmancli} network create "${networkName}"
else
echo "network already exists"
fi
'';
};
systemd.services.wekan-restart = {
description = "Restart Wekan services.";
serviceConfig = {
Type = "oneshot";
};
script = ''
${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service"
'';
};
systemd.timers.wekan-restart = {
description = "Restart wekan containers";
after = [ "network.target" ];
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
OnCalendar = "*-*-* 04:00:00";
Unit = "wekan-restart.service";
};
};
system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
mkdir -p "${directories.db}"
mkdir -p "${directories.dbDump}"
mkdir -p "${directories.data}"
chown 999:999 "${directories.data}"
'';
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
};
}

2
modules/base.nix
View file

@ -1,3 +1,3 @@
{
boot.tmp.cleanOnBoot = true;
boot.cleanTmpDir = true;
}

3
modules/default.nix
View file

@ -2,10 +2,7 @@
imports = [
./base.nix
./nix.nix
./pipewire.nix
./pubkeys.nix
./sops.nix
./tools.nix
./unfree.nix
];
}

22
modules/nix.nix
View file

@ -21,6 +21,9 @@ let
in
{
nix = {
# flake support
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
@ -34,23 +37,20 @@ in
"nixpkgs-overlays=${overlaysCompat}"
];
settings = {
# sudoers are trusted nix users
trusted-users = [ "@wheel" ];
# sudoers are trusted nix users
trustedUsers = [ "@wheel" ];
# On-the-fly optimisation of nix store
auto-optimise-store = true;
};
# On-the-fly optimisation of nix store
autoOptimiseStore = true;
# less noticeable nix builds
daemonCPUSchedPolicy = "idle";
daemonIOSchedClass = "idle";
daemonIOSchedPriority = 7;
daemonNiceLevel = 10;
daemonIONiceLevel = 5;
};
nixpkgs.overlays = with inputs; [
self.overlays.default
sbruder-overlay.overlays.default
self.overlay
(final: prev: {
unstable = import nixpkgs-unstable {
inherit (config.nixpkgs)

24
modules/pipewire.nix
View file

@ -1,24 +0,0 @@
{ pkgs, ... }:
{
sound.enable = true;
hardware.pulseaudio.enable = false;
services.pipewire = {
enable = true;
pulse = {
enable = true;
};
jack = {
enable = false;
};
alsa = {
enable = true;
support32Bit = true;
};
};
environment.systemPackages = with pkgs; [
pulseaudio # pacmd and pactl
];
}

6
modules/pubkeys.nix
View file

@ -3,11 +3,11 @@
{
options.fablab.pubkeys = with lib.types; {
users = lib.mkOption {
type = attrsOf (listOf str);
type = attrsOf (listOf string);
description = "pubkeys for a specific user";
};
groups = lib.mkOption {
type = attrsOf (listOf str);
type = attrsOf (listOf string);
description = "pubkeys for a group of users";
};
};
@ -16,7 +16,7 @@
fablab.pubkeys = {
users = {
jalr = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0f7+Y4QSUsSvd360eq0Q/ESVfE/s0WxJIrzvW8cazTcmld8/rKxGQR2xrxApu7pzZlZC3LDbQrx3B6nNVEZi0dPUgkJz9oEKRY5vSJ6x0H9cZ0iFfTcCTz5znflqGaFI6E6W6Vtl+DzIrmkFgaR0wNmV9DCcYAJreW4E32t8dKsG1Pv347N0eAZs3shokPYr7dmGoNiKzTOn/ILQ1Hxppzqy1ch2h8k2KL0+FM6wO76ijivBzfMZRJW0DVYsmebO6Je5HglkzYXvrNUtcD2gIrNE0YKByjorTjjf3336S+0uBGxetzhnl+XA2PxHB/3n9AzYC4DI/Nb9wgLBo6Ql+EYaPLKnGl3JHvtcOyAfoNVPdNDfbZz+tfe8cBUt1IPTlm26RYKgwCnJvcBD6dk/5mxu1ogjSfgEIqihJaq3j3+NfIY1CUFx1U6ISG40SWEXF5xV1qW3NZg5FqqA8sOfWLlkON/yFkPJ2shXUXmiZtjXMWM6XLIO054EN7cpUxHGPspjgynU9XLc45c4k5lKF1xQv13B8n8dHNEL01MU21svfdGcpuOsRvzagLX51+rVRJObYP1bZudyYVDgsxB6B/TiBHw3Xl3mwEs4KVi/cqVsPpaG3hwqCreDlV+NeCVtb0qb1WJ2Sae83CA6NEcUvRbrwAnU/vEhJepfo6j7WSw== jalr@jalr-tp"
];
simon = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"

3
modules/sops.nix
View file

@ -1,3 +0,0 @@
{
sops.defaultSopsFile = ../secrets.yaml;
}

1
modules/tools.nix
View file

@ -23,6 +23,7 @@
compsize
curl
dnsutils
exa
fd
file
git

8
modules/unfree.nix
View file

@ -1,8 +0,0 @@
{ lib, ... }:
{
nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [
"unifi-controller"
"mongodb"
]);
}

8
pkgs/default.nix
View file

@ -1,7 +1 @@
final: prev:
let
inherit (prev) callPackage recurseIntoAttrs;
in
{
fablab = recurseIntoAttrs (callPackage ./fablab { });
}
final: prev: { }

6
pkgs/fablab/default.nix
View file

@ -1,6 +0,0 @@
{ callPackage }:
{
freeradius-anon-access = callPackage ./freeradius-anon-access { };
mitgliedsantrag = callPackage ./mitgliedsantrag { };
}

18
pkgs/fablab/freeradius-anon-access/default.nix
View file

@ -1,18 +0,0 @@
{ lib, freeradius, stdenvNoCC, ... }:
stdenvNoCC.mkDerivation {
name = "freeradius-anon-access";
src = ./.;
dontBuild = true;
installPhase = ''
mkdir $out
cp -r raddb $out
sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf
'';
nativeBuildInputs = [
freeradius
];
meta = with lib; {
platforms = platforms.unix;
};
}

665
pkgs/fablab/freeradius-anon-access/raddb/README.rst
View file

@ -1,665 +0,0 @@
Upgrading to Version 3.0
========================
.. contents:: Sections
:depth: 2
.. important::
The configuration for 3.0 is *largely* compatible with the 2.x.x
configuration. However, it is NOT possible to simply use the 2.x.x
configuration as-is. Instead, you should re-create it.
Security
--------
A number of configuration items have moved into the "security"
subsection of radiusd.conf. If you use these, you should move them.
Otherwise, they can be ignored.
The list of moved options is::
chroot
user
group
allow_core_dumps
reject_delay
status_server
These entries should be moved from "radiusd.conf" to the "security"
subsection of that file.
Naming
------
Many names used by configuration items were inconsistent in earlier
versions of the server. These names have been unified in version 3.0.
If a file is being referenced or created the config item ``filename``
is used.
If a file is being created, the initial permissions are set by the
``permissions`` config item.
If a directory hierarchy needs to be created, the permissions are set
by ``dir_permissions``.
If an external host is referenced in the context of a module the
``server`` config item is used.
Unless the config item is a well recognised portmanteau
(as ``filename`` is for example), it must be written as multiple
distinct words separated by underscores ``_``.
The configuration items ``file``, ``script_file``, ``module``,
``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
``detailperm``, and ``hostname`` are deprecated. As well as any false
portmanteaus, and configuration items that used hyphens as word
delimiters. e.g. ``foo-bar`` has been changed to ``foo_bar``. Please
update your module configuration to use the new syntax.
In most cases the server will tell you the replacement config item to
use. As always, run the server in debugging mode to see these
messages.
Modules Directory
-----------------
As of version 3.0, the ``modules/`` directory no longer exists.
Instead, all "example" modules have been put into the
``mods-available/`` directory. Modules which can be loaded by the
server are placed in the ``mods-enabled/`` directory. All of the
modules in that directory will be loaded. This means that the
``instantiate`` section of radiusd.conf is less important. The only
reason to list a module in the ``instantiate`` section is to force
ordering when the modules are loaded.
Modules can be enabled by creating a soft link. For module ``foo``, do::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
To create "local" versions of the modules, we suggest copying the file
instead. This leaves the original file (with documentation) in the
``mods-available/`` directory. Local changes should go into the
``mods-enabled/`` directory.
Module-specific configuration files are now in the ``mods-config/``
directory. This change allows for better organization, and means that
there are fewer files in the main ``raddb`` directory. See
``mods-config/README.rst`` for more details.
Changed Modules
---------------
The following modules have been changed.
rlm_sql
~~~~~~~
The SQL configuration has been moved from ``sql.conf`` to
``mods-available/sql``. The ``sqlippool.conf`` file has also been
moved to ``mods-available/sqlippool``.
The SQL module configuration has been changed. The old connection
pool options are no longer accepted::
num_sql_socks
connect_failure_retry_delay
lifetime
max_queries
Instead, a connection pool configuration is used. This configuration
contains all of the functionality of the previous configuration, but
in a more generic form. It also is used in multiple modules, meaning
that there are fewer different configuration items. The mapping
between the configuration items is::
num_sql_socks -> pool { max }
connect_failure_retry_delay -> pool { retry_delay }
lifetime -> pool { lifetime }
max_queries -> pool { uses }
The pool configuration adds a number of new configuration options,
which allow the administrator to better control how FreeRADIUS uses
SQL connection pools.
The following parameters have been changed::
trace -> removed
tracefile -> logfile
The logfile is intended to log SQL queries performed. If you need to
debug the server, use debugging mode. If ``logfile`` is set, then
*all* SQL queries will go to ``logfile``.
You can now use a NULL SQL database::
driver = rlm_sql_null
This is an empty driver which will always return "success". It is
intended to be used to replace the ``sql_log`` module, and to work in
conjunction with the ``radsqlrelay`` program. Simply take your normal
configuration for raddb/mods-enabled/sql, and set::
driver = rlm_sql_null
...
logfile = ${radacctdir}/sql.log
All of the SQL queries will be logged to that file. The connection
pool does not need to be configured for the ``null`` SQL driver. It
can be left as-is, or deleted from the SQL configuration file.
rlm_sql_sybase
~~~~~~~~~~~~~~
The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds``
and the old ``rlm_sql_freetds`` module has been removed.
``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds``
used an older API and was incomplete.
The new ``rlm_sql_freetds`` module now also supports database
selection on connection startup so ``use`` statements no longer
have to be included in queries.
sql/dialup.conf
~~~~~~~~~~~~~~~
Queries for post-auth and accounting calls have been re-arranged. The
SQL module will now expand the 'reference' configuration item in the
appropriate sub-section, and resolve this to a configuration
item. This behaviour is similar to rlm_linelog. This dynamic
expansion allows for a dynamic mapping between accounting types and
SQL queries. Previously, the mapping was fixed. Any "new" accounting
type was ignored by the module. Now, support for any accounting type
can be added by just adding a new target, as below.
Queries from v2.x.x may be manually copied to the new v3.0
``dialup.conf`` file (``raddb/mods-config/sql/main/<dialect>/queries.conf``).
When doing this you may also need to update references to the
accounting tables, as their definitions will now be outside of
the subsection containing the query.
The mapping from old "fixed" query to new "dynamic" query is as follows::
accounting_onoff_query -> accounting.type.accounting-on.query
accounting_update_query -> accounting.type.interim-update.query
accounting_update_query_alt +> accounting.type.interim-update.query
accounting_start_query -> accounting.type.start.query
accounting_start_query_alt +> accounting.type.start.query
accounting_stop_query -> accounting.type.stop.query
accounting_stop_query_alt +> accounting.type.stop.query
postauth_query -> post-auth.query
Alternatively a 2.x.x config may be patched to work with the
3.0 module by adding the following::
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "${....accounting_onoff_query}"
}
accounting-off {
query = "${....accounting_onoff_query}"
}
start {
query = "${....accounting_start_query}"
query = "${....accounting_start_query_alt}"
}
interim-update {
query = "${....accounting_update_query}"
query = "${....accounting_update_query_alt}"
}
stop {
query = "${....accounting_stop_query}"
query = "${....accounting_stop_query_alt}"
}
}
}
post-auth {
query = "${..postauth_query}"
}
In general, it is safer to migrate the configuration rather than
trying to "patch" it, to make it look like a v2 configuration.
Note that the sub-sections holding the queries are labelled
``accounting-on``, and not ``accounting_on``. The reason is that the
names of these sections are taken directly from the
``Accounting-Request`` packet, and the ``Acct-Status-Type`` field.
The ``sql`` module looks at the value of that field, and then looks
for a section of that name, in order to find the query to use.
That process means that the server can be extended to support any new
value of ``Acct-Status-Type``, simply by adding a named sub-section,
and a query. This behavior is preferable to that of v2, which had
hard-coded queries for certain ``Acct-Status-Type`` values, and was
ignored all other values.
rlm_ldap
~~~~~~~~
The LDAP module configuration has been substantially changed. Please
read ``raddb/mods-available/ldap``. It now uses a connection pool,
just like the SQL module.
Many of the configuration items remain the same, but they have been
moved into subsections. This change is largely cosmetic, but it makes
the configuration clearer. Instead of having a large set of random
configuration items, they are now organized into logical groups.
You will need to read your old LDAP configuration, and migrate it
manually to the new configuration. Simply copying the old
configuration WILL NOT WORK.
Users upgrading from 2.x.x who used to call the ldap module in
``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap``
module from the ``post-auth`` section.
rlm_ldap and LDAP-Group
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done
by the last instance of rlm_ldap to be instantiated. In 3.0 this has
changed so that only the default ``ldap {}`` instance registers
``LDAP-Group``.
If ``<instance>-LDAP-Group`` is already used throughout your configuration
no changes will be needed.
rlm_ldap authentication
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the LDAP module had a ``set_auth_type`` configuration item,
which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it
often did not work, and was not consistent with the rest of the
server. We generally recommend that LDAP should be used as a
database, and that FreeRADIUS should do authentication.
The only reason to use ``Auth-Type := ldap`` is when the LDAP server
will not supply the "known good" password to FreeRADIUS, *and* where
the Access-Request contains User-Password. This situation happens
only for Active Directory. If you think you need to force ``Auth-Type
:= ldap`` in other situations, you are very likely to be wrong.
The following is an example of what should be inserted into the
``authorize {}`` and ``authenticate {}`` sections of the relevant
virtual-servers, to get functionality equivalent to v2.x::
authorize {
...
ldap
if ((ok || updated) && User-Password) {
update control {
Auth-Type := ldap
}
}
...
}
authenticate {
...
Auth-Type ldap {
ldap
}
...
}
rlm_eap
~~~~~~~
The EAP configuration has been moved from ``eap.conf`` to
``mods-available/eap``. A new ``pwd`` subsection has been added for
EAP-PWD.
rlm_expiration & rlm_logintime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``,
the same behaviour can be achieved checking the return code of the module and
adding the ``Reply-Message`` with unlang::
expiration
if (userlock) {
update reply {
Reply-Message := "Your account has expired"
}
}
rlm_unix
~~~~~~~~
The ``unix`` module does not have an ``authenticate`` section. So you
cannot set ``Auth-Type := System``. The ``unix`` module has also been
deleted from the examples in ``sites-available/``. Listing it there
has been deprecated for many years.
The PAP module can do crypt authentication. It should be used instead
of Unix authentication.
The Unix module still can pull the passwords from ``/etc/passwd``, or
``/etc/shadow``. This is done by listing it in the ``authorize``
section, as is done in the examples in ``sites-available/``. However,
some systems using NIS or NSS will not supply passwords to the
``unix`` module. For those systems, we recommend putting users and
passwords into a database, instead of relying on ``/etc/passwd``.
rlm_preprocess
~~~~~~~~~~~~~~
In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations
without being configured explicitly. Since 3.x.x you need to set
``huntgroups`` and ``users`` configuration item(s) in module section in order
to get them being processed.
New Modules
-----------
rlm_date
~~~~~~~~
Instances of rlm_date register an xlat method which can translate
integer and date values to an arbitrarily formatted date time
string, or an arbitrarily formated time string to an integer,
depending on the attribute type passed.
rlm_rest
~~~~~~~~
The ``rest`` module is used to translate RADIUS requests into
RESTfull HTTP requests. Currently supported body types are JSON
and POST.
rlm_unpack
~~~~~~~~~~
The ``unpack`` module is used to turn data buried inside of binary
attributes. e.g. if we have ``Class = 0x00000001020304`` then::
Tmp-Integer-0 := "%{unpack:&Class 4 short}"
will unpack octets 4 and 5 as a "short", which has value 0x0304.
All integers are assumed to be in network byte order.
rlm_yubikey
~~~~~~~~~~~
The ``yubikey`` module can be used to forward yubikey OTP token
values to a Yubico validation server, or decrypt the token
using a PSK.
Deleted Modules
---------------
The following modules have been deleted, and are no longer supported
in Version 3. If you are using one of these modules, your
configuration can probably be changed to not need it. Otherwise email
the freeradius-devel list, and ask about the module.
rlm_acct_unique
~~~~~~~~~~~~~~~
This module has been replaced by the "acct_unique" policy. See
raddb/policy.d/accounting.
The method for calculating the value of acct_unique has changed.
However, as this method was configurable, this change should not
matter. The only issue is in having a v2 and v3 server writing to the
same database at the same time. They will calculate different values
for Acct-Unique-Id.
rlm_acctlog
~~~~~~~~~~~
You should use rlm_linelog instead. That module has a superset of the
acctlog functionality.
rlm_attr_rewrite
~~~~~~~~~~~~~~~~
The attr_rewrite module looked for an attribute, and then re-wrote it,
or created a new attribute. All of that can be done in "unlang".
A sample configuration in "unlang" is::
if (request:Calling-Station-Id) {
update request {
Calling-Station-Id := "...."
}
}
We suggest updating all uses of attr_rewrite to use unlang instead.
rlm_checkval
~~~~~~~~~~~~
The checkval module compared two attributes. All of that can be done in "unlang"::
if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
ok
}
We suggest updating all uses of checkval to use unlang instead.
rlm_dbm
~~~~~~~
No one seems to use it. There is no sample configuration for it.
There is no speed advantage to using it over the "files" module.
Modern systems are fast enough that 10K entries can be read from the
"users" file in about 10ms. If you need more users than that, use a
real database such as SQL.
rlm_fastusers
~~~~~~~~~~~~~
No one seems to use it. It has been deprecated since Version 2.0.0.
The "files" module was rewritten so that the "fastusers" module was no
longer necessary.
rlm_policy
~~~~~~~~~~
No one seems to use it. Almost all of its functionality is available
via "unlang".
rlm_sim_files
~~~~~~~~~~~~~
The rlm_sim_files module has been deleted. It was never marked "stable",
and was never used in a production environment. There are better ways
to test EAP.
If you want similar functionality, see rlm_passwd. It can read CSV
files, and create attributes from them.
rlm_sql_log
~~~~~~~~~~~
This has been replaced with the "null" sql driver. See
raddb/mods-available/sql for an example configuration.
The main SQL module has more functionality than rlm_sql_log, and
results in less code in the server.
Other Functionality
-------------------
The following is a list of new / changed functionality.
RadSec
~~~~~~
RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP
is also supported, but is recommended only for secure networks.
See ``sites-available/tls`` for complete details on using TLS. The server
can both receive incoming TLS connections, and also originate outgoing
TLS connections.
The TLS configuration is taken from the old EAP-TLS configuration. It
is largely identical to the old EAP-TLS configuration, so it should be
simple to use and configure. It re-uses much of the EAP-TLS code,
so it is well-tested and reliable.
Once RadSec is enabled, normal debugging mode will not work. This is
because the TLS code requires threading to work properly. Instead of doing::
$ radiusd -X
you will need to do::
$ radiusd -fxx -l stdout
That's the price to pay for using RadSec. This limitation may be
lifted in a future version of the server.
PAP and User-Password
~~~~~~~~~~~~~~~~~~~~~
From version 3.0 onwards the server no longer supports authenticating
against a cleartext password in the 'User-Password' attribute. Any
occurences of this (for instance, in the users file) should now be changed
to 'Cleartext-Password' instead.
e.g. change entries like this::
bob User-Password == "hello"
to ones like this::
bob Cleartext-Password := "hello"
If this is not done, authentication will likely fail. The server will
also print a helpful message in debugging mode.
If it really is impossible to do this, the following unlang inserted above
the call to the pap module may be used to copy User-Password to the correct
attribute::
if (!control:Cleartext-Password && control:User-Password) {
update control {
Cleartext-Password := "%{control:User-Password}"
}
}
However, this should only be seen as a temporary, not permanent, fix.
It is better to fix your databases to use the correct configuration.
Unlang
~~~~~~
The unlang policy language is compatible with v2, but has a number of
new features. See ``man unlang`` for complete documentation.
ERRORS
Many more errors are caught when the server is starting up. Syntax
errors in ``unlang`` are caught, and a helpful error message is
printed. The error message points to the exact place where the error
occurred::
./raddb/sites-enabled/default[230]: Parse error in condition
ERROR: if (User-Name ! "bob") {
ERROR: ^ Invalid operator
``update`` sections are more generic. Instead of doing ``update
reply``, you can do the following::
update {
reply:Class := 0x0000
control:Cleartext-Password := "hello"
}
This change means that you need fewer ``update`` sections.
COMPARISONS
Attribute comparisons can be done via the ``&`` operator. When you
needed to compare two attributes, the old comparison style was::
if (User-Name == "%{control:Tmp-String-0}") {
This syntax is inefficient, as the ``Tmp-String-0`` attribute would be
printed to an intermediate string, causing unnecessary work. You can
now instead compare the two attributes directly::
if (&User-Name == &control:Tmp-String-0) {
See ``man unlang`` for more details.
CASTS
Casts are now permitted. This allows you to force type-specific
comparisons::
if (<ipaddr>"%{sql: SELECT...}" == 127.0.0.1) {
This forces the string returned by the SELECT to be treated as an IP
address, and compare to ``127.0.0.1``. Previously, the comparison
would have been done as a simple string comparison.
NETWORKS
IP networks are now supported::
if (127.0.0.1/32 == 127.0.0.1) {
Will be ``true``. The various comparison operators can be used to
check IP network membership::
if (127/8 > 127.0.0.1) {
Returns ``true``, because ``127.0.0.1`` is within the ``127/8``
network. However, the following comparison will return ``false``::
if (127/8 > 192.168.0.1) {
because ``192.168.0.1`` is outside of the ``127/8`` network.
OPTIMIZATION
As ``unlang`` is now pre-compiled, many compile-time optimizations are
done. This means that the debug output may not be exactly the same as
what is in the configuration files::
if (0 && (User-Name == "bob')) {
The result will always be ``false``, as the ``if 0`` prevents the
following ``&& ...`` from being evaluated.
Not only that, but the entire contents of that section will be ignored
entirely::
if (0) {
this_module_does_not_exist
and_this_one_does_not_exist_either
}
In v2, that configuration would result in a parse error, as there is
no module called ``this_module_does_not_exist``. In v3, that text is
ignored. This ability allows you to have dynamic configurations where
certain parts are used (or not) depending on compile-time configuration.
Similarly, conditions which always evaluate to ``true`` will be
optimized away::
if (1) {
files
}
That configuration will never show the ``if (1)`` output in debugging mode.
Dialup_admin
------------
The dialup_admin directory has been removed. No one stepped forward
to maintain it, and the code had not been changed in many years.

24
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf
View file

@ -1,24 +0,0 @@
[ req ]
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Berlin
localityName = "3. Locality Name (eg, city) "
localityName_default = Berlin
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Mustermann
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Certificate Authority
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = Mustermann CA
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = ca@mustermann.de

22
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt
View file

@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
-----END CERTIFICATE-----

13
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr
View file

@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
BgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJ
KoZIhvcNAQkBFhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD
269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFn
OyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABoAAw
DQYJKoZIhvcNAQELBQADgYEAK+Fbl3mG7m0gBkekWwU4BvC92eMs93GYCtYQECu7
/Dc0J2K1ItGC7JrRVlQvStbEFCw3cXzlbSec2v+8rvvIbn6MB+StRRYjPUiIYS3h
qly2FpcAo3Cg5GcnNf4keDGBzClo37MF2wlT0DAQIVPHMlTbkfgAQYwQS+uKLBre
TwM=
-----END CERTIFICATE REQUEST-----

9
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext
View file

@ -1,9 +0,0 @@
extensions = x509v3
[ x509v3 ]
basicConstraints = CA:true,pathlen:0
crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
nsCertType = sslCA,emailCA,objCA
nsCaPolicyUrl = "http://www.mustermann.de/ca/policy.htm"
nsCaRevocationUrl = "http://www.mustermann.de/ca/heimpold.crl"
nsComment = "Mustermann CA"

15
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key
View file

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5
OFlD269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrE
IvFnOyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQAB
AoGAQaCF2idVGbRSVF3ae1qHGOj3Hive3WcReKg/8EittAPpNuP3tqiLUQ/WjxZr
V1NTtZ4syvM+LXlDW186rU21iGpQqj9ce2zjxpWMco6GFf0qKBO1ZoYSyD6jW6ny
M82TtCOVjH1LnyAz5AKRH6Wv5sG99gndK5AriEZEYrsnjQECQQDmK5EU5yVzz2o0
X02Lolz0dRDy5J3x3hlaYKLoszMv4L04MAZ9XaMtGjqmKSOWsbMkIvp/d5A+2uJm
42sULKC9AkEAwTN8+4Kd8d5qpNfaKiYU6x5I2qUwvkE6V7x+ttPoFzbzeHr5CM2z
jkpA+x5u1fCtbl319zOb3ApVsrJ3o0+XqQJASeIgPxJ3jjY9RDR3YuQqbHoLh7xl
CtedUcqFYKbtPmgotRmNa76b+4VY4C+CcgP2mhn0SOhrUBHY7OgBXkd5DQJBAIat
ksFtAxdZGXRB+BYLp+dinBy2rKzjoX0JrDdcrtyH9N8WskU9x544CuZDB7ZhaTSX
kV+6fTq9hZHlMNsKH8kCQQCGnlQIy3U3cN6E1O9UI4DRwPhSwl+xEfc3n0DB/Kcy
faIPo3HnlNw/+4cIyc/7i1Ilkrj4zHtdrnAjP+OvZD7+
-----END RSA PRIVATE KEY-----

22
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem
View file

@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
-----END CERTIFICATE-----

1
pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial
View file

@ -1 +0,0 @@
03

24
pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf
View file

@ -1,24 +0,0 @@
[ req ]
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Berlin
localityName = "3. Locality Name (eg, city) "
localityName_default = Berlin
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Mustermann
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
#organizationalUnitName_default =
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = Max Mustermann
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = max@mustermann.de

17
pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt
View file

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
-----END CERTIFICATE-----

12
pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr
View file

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
A1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0ZXJtYW5uMRcwFQYDVQQDEw5NYXgg
TXVzdGVybWFubjEgMB4GCSqGSIb3DQEJARYRbWF4QG11c3Rlcm1hbm4uZGUwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFPziPlydE+D1lKE+5Wh/aHDuQ4HBfF
2PDWetE7um2d06newc3RZn+1JjpedX3t0u38eI5bJ2mOPj6bfdhVQBoM0/6ZE+rf
l3EbjT69GqiAPYlA7ZlgMgz2TgO1lWwvyruMOnj2l3uHEZomY6hla9pxTjqJ7n8U
HVVTUvZihoQ/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBX3obDa6757IR9ejEb
1cY0k6S1SioC8ufX0Z2veFKoDLXKHL4kCZ89ie74hBf7mqx6O9ZscASXNcyuKFBz
uaae2MSoh+DBJH6I7j23PMhs9ziaSJYLmawja0sWK/J8RaR7JNjVAzb/eU2zBQlq
GTc8H8je+e2+aRUFYNgdGxgQ0g==
-----END CERTIFICATE REQUEST-----

5
pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext
View file

@ -1,5 +0,0 @@
extensions = x509v3
[ x509v3 ]
nsCertType = client,email,objsign
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

15
pkgs/fablab/freeradius-anon-access/raddb/certs/client.key
View file

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
-----END RSA PRIVATE KEY-----

32
pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt
View file

@ -1,32 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
-----END RSA PRIVATE KEY-----

8
pkgs/fablab/freeradius-anon-access/raddb/certs/dh
View file

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAzQsuxnwr0ccOV+/wIsI4Kfj5eyBINjb5KjeFvdZec65Xj5IzJSqo
kw2JaBhqN4Jtsq60doyev3tPtZn6YmBoVH/71CWOtibeZeSBjk67zQj7O0VKHHaG
9OXyjGIyzUKtJl1VpD+mXvlrhZEjnnApf3fp4i8K8Ei7oHFu+6teEyei3qGKobEg
Y+aYse5noocftCOj7QOpqLZU5BjYn+j1CVnivB3kCEuqYYTJJvyvVpTbWhAWTibY
mZU2Sq7GCLn+hbX5R/d3hOAqISJXwloshipHv7pTvipEMF5Q9thbq/Lc8j+DQS1Y
3KZMuq5+aDV2DVeVI5HSNv/uJJsN48hRkwIBAg==
-----END DH PARAMETERS-----

24
pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf
View file

@ -1,24 +0,0 @@
[ req ]
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
#stateOrProvinceName_default =
localityName = "3. Locality Name (eg, city) "
localityName_default = Berlin
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Mustermann
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Server
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = www.mustermann.de
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = webmaster@mustermann.de

18
pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt
View file

@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIC6zCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
HhcNMjIwODAxMDEwNjQ1WhcNMjQwNzMxMDEwNjQ1WjCBiDELMAkGA1UEBhMCREUx
DzANBgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEPMA0GA1UECxMG
U2VydmVyMRowGAYDVQQDExF3d3cubXVzdGVybWFubi5kZTEmMCQGCSqGSIb3DQEJ
ARYXd2VibWFzdGVyQG11c3Rlcm1hbm4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAOGRdBwkcWMlXj5ZIez2OjadgD7JBVqXS06rZopONcFil9O4OvFHSeMP
mGDIeeggZvh1hpcpKq2+zgY6640zlTbXK7J0T8QUXs0XHDJd9uMI5nDovaG37tah
G83YIPKmLBB87p511amdUviPc4QJGaGRJeYnAC4ou2RX/ko6y4yfAgMBAAGjTjBM
MBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwKgYDVR0lBCMwIQYKKwYB
BAGCNwoDAwYJYIZIAYb4QgQBBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOBgQAQ
wU4rNIuiakUH60u9m983BHddCl81Fy4nf2BExbxXSW/B+yj3adHQ/0RF/xGCcVrI
ORtGlyt8OW83VEfGFFpNPMR6XdxPMyoSUEFaEyVbYGQigQUXoa5k5vINmUD6bgxF
5o5taGIFnfnjEncwRTHADFEIN5hKHjtIdXcNRue2kg==
-----END CERTIFICATE-----

12
pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr
View file

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHEwZCZXJsaW4xEzAR
BgNVBAoTCk11c3Rlcm1hbm4xDzANBgNVBAsTBlNlcnZlcjEaMBgGA1UEAxMRd3d3
Lm11c3Rlcm1hbm4uZGUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBtdXN0ZXJt
YW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhkXQcJHFjJV4+WSHs
9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrxR0njD5hgyHnoIGb4dYaXKSqtvs4GOuuN
M5U21yuydE/EFF7NFxwyXfbjCOZw6L2ht+7WoRvN2CDypiwQfO6eddWpnVL4j3OE
CRmhkSXmJwAuKLtkV/5KOsuMnwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEADZZ5
+z8oUdzM0aDxMt2KyNSc8+NUkL4u+h38ZuDasHMXCncfWqp7I42qev1FHqKaI1Rn
GWZsWd943kOeMjFgxGkQoesLsyuqRslyUHAACnqHit2ZKz51reiiakK7v/qYxiV6
aZOZBv5s2eaG6iT1ea5f5j2SKKOyhuDwfs7q4hQ=
-----END CERTIFICATE REQUEST-----

6
pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext
View file

@ -1,6 +0,0 @@
extensions = x509v3
[ x509v3 ]
nsCertType = server
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = msSGC,nsSGC,serverAuth

15
pkgs/fablab/freeradius-anon-access/raddb/certs/server.key
View file

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDhkXQcJHFjJV4+WSHs9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrx
R0njD5hgyHnoIGb4dYaXKSqtvs4GOuuNM5U21yuydE/EFF7NFxwyXfbjCOZw6L2h
t+7WoRvN2CDypiwQfO6eddWpnVL4j3OECRmhkSXmJwAuKLtkV/5KOsuMnwIDAQAB
AoGAO1kEvp7MAnUDfc3/whPqrxHzexFyyioCU1l/aiY3uIDTR44yW+cQxqAEzHoS
sQNNdFOfrMfVBc+s7zCzZvxKZpvapg2HGATkk9I8AFUTuSh7n3oUT/AZ1KGdd04G
wS/6QsLR3G8c+0RB9DPWpMVgg1OlQ1U3ESB+eaeQ28/hLFECQQD6LRHnLfLrGlz9
0htFV3JD19qPNmwRCEa/bHeK4dICuEikgpQZ18nbOCrfUvR4GltkQA8w6CMGmebJ
5COHx+epAkEA5tG7fsnA8ut/AfA3HoBRi1YtoE4YLOE8b+Jdt72LDE6jaR9mBc0N
gwxDBhdgZf9HTSaWB65j1V1sik8DqkjfBwJABE5SSJBZ5gIGJ7g+D+t5ZAGLGXvu
UDy8Ov8674EDhFh3p503v1ofd054Lm/XFVoeyJLxr/3O3IY5mq/6jJO8QQJBANcC
V51rYojmRZEQqseG0G7y/91r4aksxpeSTapyravxNNcfoHGW6RdBvM1XyTw557k+
UFMnZ2fBdvH/WHKvHtECQEvLTxtmdxKMrndFJiTObeItdl/iHU9JujW4ib64CysI
RdwEverbouogjHfyeDjazXIsgpIUSIbZNHL13bICpBg=
-----END RSA PRIVATE KEY-----

4
pkgs/fablab/freeradius-anon-access/raddb/clients.conf
View file

@ -1,4 +0,0 @@
client 0.0.0.0/0 {
secret = anonymous
require_message_authenticator = no
}

49
pkgs/fablab/freeradius-anon-access/raddb/dictionary
View file

@ -1,49 +0,0 @@
#
# This is the local dictionary file which can be
# edited by local administrators. It will be loaded
# AFTER the main dictionary files are loaded.
#
# As of version 3.0.2, FreeRADIUS will automatically
# load the main dictionary files from
#
# ${prefix}/share/freeradius/dictionary
#
# It is no longer necessary for this file to $INCLUDE
# the main dictionaries. However, if the $INCLUDE
# line is here, nothing bad will happen.
#
# Any new/changed attributes MUST be placed in this file.
# The pre-defined dictionaries SHOULD NOT be edited.
#
# See "man dictionary" for documentation on its format.
#
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
#
# All local attributes and $INCLUDE's should go into
# this file.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
#
#
# These attributes are examples
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer

116
pkgs/fablab/freeradius-anon-access/raddb/experimental.conf
View file

@ -1,116 +0,0 @@
#
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialised, but should have no real effect as long
# it is not referenced in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
dbm {
usersfile = ${confdir}/users_db
}
# Instantiate a couple instances of the idn module
idn {
}
# ...more commonly known as...
idn idna {
}
idn idna_lenient {
UseSTD3ASCIIRules = no
}

1
pkgs/fablab/freeradius-anon-access/raddb/hints
View file

@ -1 +0,0 @@
./mods-config/preprocess/hints

1
pkgs/fablab/freeradius-anon-access/raddb/huntgroups
View file

@ -1 +0,0 @@
./mods-config/preprocess/huntgroups

81
pkgs/fablab/freeradius-anon-access/raddb/mods-available/always
View file

@ -1,81 +0,0 @@
# -*- text -*-
#
# $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $
#
# The "always" module is here for debugging purposes, or
# for use in complex policies.
# Instance simply returns the same result, always, without
# doing anything.
#
# rcode may be one of the following values:
# - reject - Reject the user.
# - fail - Simulate or indicate a failure.
# - ok - Simulate or indicate a success.
# - handled - Indicate that the request has been handled,
# stop processing, and send response if set.
# - invalid - Indicate that the request is invalid.
# - userlock - Indicate that the user account has been
# locked out.
# - notfound - Indicate that a user account can't be found.
# - noop - Simulate a no-op.
# - updated - Indicate that the request has been updated.
#
# If an instance is listed in a session {} section,
# this simulates a user having <integer> sessions.
#
# simulcount = <integer>
#
# If an instance is listed in a session {} section,
# this simulates the user having multilink
# sessions.
#
# mpp = <integer>
#
# An xlat based on the instance name can be called to change the status
# returned by the instance, in this example "always db_status { ... }"
#
# Force the module status to be alive or dead:
#
# %{db_status:alive}
# %{db_status:dead}
#
# Update the rcode returned by an alive module (a dead module returns fail):
#
# %{db_status:ok}
# %{db_status:fail}
# %{db_status:notfound}
# ...
#
# The above xlats expand to the current status of the module. To fetch the
# current status without affecting it call the xlat with an empty argument:
#
# %{db_status:}
#
always reject {
rcode = reject
}
always fail {
rcode = fail
}
always ok {
rcode = ok
}
always handled {
rcode = handled
}
always invalid {
rcode = invalid
}
always userlock {
rcode = userlock
}
always notfound {
rcode = notfound
}
always noop {
rcode = noop
}
always updated {
rcode = updated
}

61
pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter
View file

@ -1,61 +0,0 @@
# -*- text -*-
#
# $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/post-proxy
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_reject
}
# Enforce RFC requirements on the contents of Access-Challenge
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/accounting_response
}
#
# Enforce CoA or Disconnect packets.
#
# Note that you MUST edit the "coa" file below for your
# local configuration. Add in any attributes needed by the NAS.
#
attr_filter attr_filter.coa {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/coa
}

13
pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap
View file

@ -1,13 +0,0 @@
#
# Cache EAP responses for resiliency on intermediary proxy fail-over
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
update reply {
reply: += &reply:
&control:State := &request:State
}
}

11
pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap
View file

@ -1,11 +0,0 @@
# -*- text -*-
#
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
# no configuration
}

35
pkgs/fablab/freeradius-anon-access/raddb/mods-available/date
View file

@ -1,35 +0,0 @@
#
# Registers xlat to convert between time formats.
#
# xlat input string is an attribute name. If this attribute is of date
# or integer type, the date xlat will convert it to a time string in
# the format of the format config item.
#
# If the attribute is a string type, date will attempt to parse it in
# the format specified by the format config item, and will expand
# to a Unix timestamp.
#
date {
format = "%b %e %Y %H:%M:%S %Z"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}
#
# The WISPr-Session-Terminate-Time attribute is of type "string",
# and not "date". Use this expansion to create an attribute
# that holds an actual date:
#
# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
#
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}

109
pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail
View file

@ -1,109 +0,0 @@
# -*- text -*-
#
# $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
# The configuration below puts the detail files into separate
# directories for each client. If you are reading the detail
# files via the "listen" section, just use one directory.
#
# e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
#
# AND use a separate directory (reader2, reader3, etc.) for each
# reader.
#
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = 0600
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/configuration/variables.rst" for a
# description of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}

75
pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log
View file

@ -1,75 +0,0 @@
# -*- text -*-
#
# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
}
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
permissions = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
permissions = 0600
}

13
pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest
View file

@ -1,13 +0,0 @@
# -*- text -*-
#
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}

32
pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients
View file

@ -1,32 +0,0 @@
# -*- text -*-
#
# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
# This module loads RADIUS clients as needed, rather than when the server
# starts.
#
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
# 1) link raddb/sites-enabled/dynamic_clients to
# raddb/sites-available/dynamic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# 3) uncomment the "directory" entry in that client definition
#
# 4) list "dynamic_clients" in the "authorize" section of the
# "dynamic_clients' virtual server. The default example already
# does this.
#
# 5) put files into the above directory, one per IP.
# e.g. file "192.0.2.1" should contain a normal client definition
# for a client with IP address 192.0.2.1.
#
# For more documentation, see the file:
#
# raddb/sites-available/dynamic-clients
#
dynamic_clients {
}

1082
pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap
View file

File diff suppressed because it is too large Load diff

123
pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo
View file

@ -1,123 +0,0 @@
# -*- text -*-
#
# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}

29
pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec
View file

@ -1,29 +0,0 @@
# -*- text -*-
#
# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in "man unlang" and in doc/configuration/variables.rst
#
# See also "echo" for more sample configuration.
#
exec {
wait = no
input_pairs = request
shell_escape = yes
timeout = 10
}

13
pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration
View file

@ -1,13 +0,0 @@
# -*- text -*-
#
# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
}

146
pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr
View file

@ -1,146 +0,0 @@
# -*- text -*-
#
# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
#
# This module performs mathematical calculations:
#
# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
#
# It supports the following operators (in order of precedence)
#
# & binary AND
# | binary OR
# << left shift
# >> right shift
# + addition
# - subtraction
# * multiply
# / divide
# %% remainder
# ^ exponentiation
# (...) sub-expression
#
# Operator precedence follows the normal rules.
# Division by zero means that the entire expression is invalid.
#
# Note that in versions before 3.0.5, the expression
# was parsed strictly left to right, and ignored operator
# precedence.
#
# It also allows unary negation: -1
# And twos complement: ~1
#
# All calculations are done on signed 63-bit integers.
# e.g. int64_t. This should be sufficient for all normal
# purposes.
#
# Hex numbers are supported: 0xabcdef
#
# As with all string expansions, you can nest the expansions:
#
# %{expr: %{NAS-Port} + 1}
# %{expr: %{sql:SELECT ... } + 1}
#
# Attribute references are supported for integer attributes.
# e.g. &NAS-Port. The benefit of using attribute references
# is that the expression is calculated directly on the
# attribute. It skips the step of "print to string, and then
# parse to number". This means it's a little faster.
#
# Otherwise, all numbers are decimal.
#
#
# The module also registers a few paircompare functions, and
# many string manipulation functions, including:
#
# rand get random number from 0 to n-1
# "%{rand:10}" == "9"
#
# randstr get random string built from character classes:
# c lowercase letters
# C uppercase letters
# n numbers
# a alphanumeric
# ! punctuation
# . alphanumeric + punctuation
# s alphanumeric + "./"
# o characters suitable for OTP (easily confused removed)
# h binary data as lowercase hex
# H binary data as uppercase hex
#
# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
# "%{randstr:oooooooo}" == "rfVzyA4y"
# "%{randstr:hhhh}" == "68d60de3"
#
# urlquote quote special characters in URI
# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
#
# urlunquote unquote URL special characters
# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
#
# escape escape string similar to rlm_sql safe_characters
# "%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62"
#
# unescape reverse of escape
# "%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
#
# tolower convert to lowercase
# "%{tolower:Bar}" == "bar"
#
# toupper convert to uppercase
# "%{toupper:Foo}" == "FOO"
#
# md5 get md5sum hash
# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
#
# sha1 get sha1 hash
# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
#
# sha256 get sha256 hash
# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
#
# sha512 get sha512 hash
# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
#
# hmacmd5 generate HMAC-MD5 of string
# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
#
# hmacsha1 generate HMAC-SHA1 of string
# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
#
# crypt encrypt with a salt: %{crypt:salt:password}
# "%{crypt:aa:foo}" == "aaKNIEDOaueR6"
# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
#
# pairs serialize attributes as comma-delimited string
# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
#
# base64 encode string as base64
# "%{base64:foo}" == "Zm9v"
#
# base64tohex convert base64 to hex
# "%{base64tohex:Zm9v}" == "666f6f"
#
# explode split an attribute into multiple new attributes based on a delimiter
# "%{explode:&ref <delim>}"
#
# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s)
# if it were 16:18, %{nexttime:1h} would expand to 2520
#
# lpad left-pad a string
# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
#
# rpad right-pad a string
# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
#
expr {
#
# Characters that will not be encoded by the %{escape}
# xlat function.
#
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}

30
pkgs/fablab/freeradius-anon-access/raddb/mods-available/files
View file

@ -1,30 +0,0 @@
# -*- text -*-
#
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
# Livingston-style 'users' file
#
# See "man users" for more information.
#
files {
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = ${modconfdir}/${.:instance}
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
# The old "users" style file is now located here.
filename = ${moddir}/authorize
# This is accepted for backwards compatibility
# It will be removed in a future release.
# usersfile = ${moddir}/authorize
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
acctusersfile = ${moddir}/accounting
preproxy_usersfile = ${moddir}/pre-proxy
}

161
pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog
View file

@ -1,161 +0,0 @@
# -*- text -*-
#
# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
# Both the filename and the line of text are dynamically expanded.
#
# We STRONGLY suggest that you do not use data from the
# packet as part of the filename.
#
linelog {
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = ${logdir}/linelog
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = 0600
# The Unix group which owns the log file.
#
# The user that freeradius runs as must be in the specified
# group, otherwise it will not be possible to set the group.
# group = ${security.group}
# Syslog facility (if logging via syslog).
# Defaults to the syslog_facility config item in radiusd.conf.
# Standard facilities are:
# - kern Messages generated by the kernel. These cannot
# be generated by any user processes.
# - user Messages generated by random user processes.
# This is the default facility identifier if
# none is specified.
# - mail The mail system.
# - daemon System daemons, such as routed(8), that are not
# provided for explicitly by other facilities.
# - auth The authorization system: login(1), su(1),
# getty(8), etc.
# - lpr The line printer spooling system: cups-lpd(8),
# cupsd(8), etc.
# - news The network news system.
# - uucp The uucp system.
# - cron The cron daemon: cron(8).
# - authpriv The same as LOG_AUTH, but logged to a file
# readable only by selected individuals.
# - ftp The file transfer protocol daemons: ftpd(8),
# tftpd(8).
# - local[0-7] Reserved for local use.
# syslog_facility = daemon
# Syslog severity (if logging via syslog). Defaults to info.
# Possible values are:
# - emergency A panic condition. This is normally broadcast
# to all users.
# - alert A condition that should be corrected immediately,
# such as a corrupted system database.
# - critical Critical conditions, e.g., hard device errors.
# - error Errors.
# - warning Warning messages.
# - notice Conditions that are not error conditions, but
# should possibly be handled specially.
# - info Informational messages.
# - debug Messages that contain information normally of use
# only when debugging a program.
# syslog_severity = info
# If logging via syslog, the severity can be set here.
# Defaults to info.
#
# The default format string.
format = "This is a log message for %{User-Name}"
#
# This next line can be omitted. If it is omitted, then
# the log message is static, and is always given by "format",
# above.
#
# If it is defined, then the string is dynamically expanded,
# and the result is used to find another configuration entry
# here, with the given name. That name is then used as the
# format string.
#
# If the configuration entry cannot be found, then no log
# message is printed.
#
# i.e. You can have many log messages in one "linelog" module.
# If this two-step expansion did not exist, you would have
# needed to configure one "linelog" module for each log message.
#
# Reference the Packet-Type (Access-Accept, etc.) If it doesn't
# exist, reference the "default" entry.
#
# This is for "linelog" being used in the post-auth section
# If you want to use it in "authorize", you need to change
# the reference to "messages.%{%{Packet-Type}:-default}",
# and then add the appropriate messages.
#
reference = "messages.%{%{reply:Packet-Type}:-default}"
#
# The messages defined here are taken from the "reference"
# expansion, above.
#
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "Accepted user: %{User-Name}"
Access-Reject = "Rejected user: %{User-Name}"
Access-Challenge = "Sent challenge: %{User-Name}"
}
}
#
# Another example, for accounting packets.
#
linelog log_accounting {
#
# Used if the expansion of "reference" fails.
#
format = ""
filename = ${logdir}/linelog-accounting
permissions = 0600
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
#
# Another example:
#
#
Accounting-Request {
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
# Don't log anything for these packets.
Alive = ""
Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
# don't log anything for other Acct-Status-Types.
unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
}
}

23
pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime
View file

@ -1,23 +0,0 @@
# -*- text -*-
#
# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has been permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the login. Some NAS do not handle values
# lower than 60 seconds well.
minimum_timeout = 60
}

253
pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap
View file

@ -1,253 +0,0 @@
# -*- text -*-
#
# $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $
#
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
#
#
# If use_mppe is not set to no mschap, will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
# use_mppe = no
#
# If MPPE is enabled, require_encryption makes
# encryption moderate
#
# require_encryption = yes
#
# require_strong always requires 128 bit key
# encryption
#
# require_strong = yes
#
# This module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request. If there is a cleartext
# or NT hashed password available, you can set
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the User-Name
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
# For Samba 4, you should also set the "ntlm auth" parameter
# in the Samba configuration:
#
# ntlm auth = yes
#
# or
#
# ntlm auth = mschapv2-and-ntlmv2-only
#
# This will let Samba 4 accept the MS-CHAP authentication
# method that is needed by FreeRADIUS.
#
# Depending on the Samba version, you may also need to add:
#
# --allow-mschapv2
#
# to the command-line parameters.
#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
#
# The default is to wait 10 seconds for ntlm_auth to
# complete. This is a long time, and if it's taking that
# long then you likely have other problems in your domain.
# The length of time can be decreased with the following
# option, which can save clients waiting if your ntlm_auth
# usually finishes quicker. Range 1 to 10 seconds.
#
# ntlm_auth_timeout = 10
#
# An alternative to using ntlm_auth is to connect to the
# winbind daemon directly for authentication. This option
# is likely to be faster and may be useful on busy systems,
# but is less well tested.
#
# Using this option requires libwbclient from Samba 4.2.1
# or later to be installed. Make sure that ntlm_auth above is
# commented out.
#
# winbind_username = "%{mschap:User-Name}"
# winbind_domain = "%{mschap:NT-Domain}"
#
# When using single sign-on with a winbind connection and the
# client uses a different casing for the username than the
# casing is according to the backend, reauth may fail because
# of some Windows internals. This switch tries to find the
# user in the correct casing in the backend, and retry
# authentication with that username.
#
# winbind_retry_with_normalised_username = no
#
# Information for the winbind connection pool. The configuration
# items below are the same for all modules which use the new
# connection pool.
#
pool {
#
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# winbind daemon being available.
#
start = ${thread[pool].start_servers}
#
# Minimum number of connections to keep open
#
min = ${thread[pool].min_spare_servers}
#
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
#
max = ${thread[pool].max_servers}
#
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
#
spare = ${thread[pool].max_spare_servers}
#
# Number of uses before the connection is closed
#
# 0 means "infinite"
#
uses = 0
#
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
#
retry_delay = 30
#
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
#
lifetime = 86400
#
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
#
cleanup_interval = 300
#
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
#
idle_timeout = 600
#
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
#
}
passchange {
#
# This support MS-CHAPv2 (not v1) password change
# requests. See doc/mschap.rst for more IMPORTANT
# information.
#
# Samba/ntlm_auth - if you are using ntlm_auth to
# validate passwords, you will need to use ntlm_auth
# to change passwords. Uncomment the three lines
# below, and change the path to ntlm_auth.
#
# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
# ntlm_auth_username = "username: %{mschap:User-Name}"
# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
#
# To implement a local password change, you need to
# supply a string which is then expanded, so that the
# password can be placed somewhere. e.g. passed to a
# script (exec), or written to SQL (UPDATE/INSERT).
# We give both examples here, but only one will be
# used.
#
# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
#
# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
}
#
# For Apple Server, when running on the same machine as
# Open Directory. It has no effect on other systems.
#
# use_open_directory = yes
#
# On failure, set (or not) the MS-CHAP error code saying
# "retries allowed".
#
# allow_retry = yes
#
# An optional retry message.
#
# retry_msg = "Re-enter (or reset) the password"
}

18
pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth
View file

@ -1,18 +0,0 @@
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Depending on the AD / Samba configuration, you may also need to add:
#
# --allow-mschapv2
#
# to the list of command-line options.
#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

18
pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap
View file

@ -1,18 +0,0 @@
# -*- text -*-
#
# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
# By default the server will use heuristics to try and automatically
# handle base64 or hex encoded passwords. This behaviour can be
# stopped by setting the following to "no".
# normalise = yes
}

55
pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd
View file

@ -1,55 +0,0 @@
# -*- text -*-
#
# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these files.
#
# See the "smbpasswd" and "etc_group" files for more examples.
#
# parameters are:
# filename - path to file
#
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is a key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
# of default configure_items
#
# Attributes marked as '~' are added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
#
# hash_size - hashtable size. Setting it to 0 is no longer permitted
# A future version of the server will have the module
# automatically determine the hash size. Having it set
# manually should not be necessary.
#
# allow_multiple_keys - if many records for a key are allowed
#
# ignore_nislike - ignore NIS-related records
#
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/passwd.
#
# This is an example which will NOT WORK if you have shadow passwords,
# NIS, etc. The "unix" module is normally responsible for reading
# system passwords. You should use it instead of this example.
#
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}

62
pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess
View file

@ -1,62 +0,0 @@
# -*- text -*-
#
# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NAS, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
# Search for files in a subdirectory of mods-config which
# matches this instance of the preprocess module.
moddir = ${modconfdir}/${.:instance}
huntgroups = ${moddir}/huntgroups
hints = ${moddir}/hints
# This hack changes Ascend's weird port numbering
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}

53
pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp
View file

@ -1,53 +0,0 @@
# -*- text -*-
#
# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
permissions = 0600
caller_id = "yes"
}

75
pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm
View file

@ -1,75 +0,0 @@
# -*- text -*-
#
# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxes at the same time. The
# search order is defined by the order that the modules are listed
# in the authorize and preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
# The next configuration items are valid ONLY for a trust-router.
# For all other realms, they are ignored.
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed
# # before they expire to avoid having to recreate them from scrach on
# # demand (implying lengthy authentications)
# rekey_enabled = no
# # if realm_lifetime is > 0, the rekey is scheduled to happen the
# # specified number of seconds after its creation or rekeying. Otherwise,
# # the key material expiration timestamp is used
# realm_lifetime = 0
}
# 'realm!username'
#
realm bangpath {
format = prefix
delimiter = "!"
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# rekey_enabled = no
# realm_lifetime = 0
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}

42
pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate
View file

@ -1,42 +0,0 @@
# Replicate packet(s) to a home server.
#
# This module will open a new socket for each packet, and "clone"
# the incoming packet to the destination realm (i.e. home server).
# These packets are only sent to UDP home servers. TCP and TLS
# are not supported.
#
# Use it by setting "Replicate-To-Realm = name" in the control list,
# just like Proxy-To-Realm. The configurations for the two attributes
# are identical. The realm must exist, the home_server_pool must exist,
# and the home_server must exist.
#
# The only difference is that the "replicate" module sends requests
# and does not expect a reply. Any reply is ignored.
#
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
#
# To use this module, list "replicate" in the "authorize" or
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
# The contents of the "packet" attribute list will be sent to the
# home server. The usual load-balancing, etc. features of the home
# server will be used.
#
# "radmin" can be used to mark home servers alive/dead, in order to
# enable/disable replication to specific servers.
#
# Packets can be replicated to multiple destinations. Just set
# Replicate-To-Realm multiple times. One packet will be sent for
# each of the Replicate-To-Realm attribute in the "control" list.
#
# If no packets are sent, the module returns "noop". If at least one
# packet is sent, the module returns "ok". If an error occurs, the
# module returns "fail"
#
# Note that replication does NOT change any of the packet statistics.
# If you use "radmin" to look at the statistics for a home server,
# the replicated packets will cause NO counters to increment. This
# is not a bug, this is how replication works.
#
replicate {
}

4
pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh
View file

@ -1,4 +0,0 @@
# SoH module
soh {
dhcp = yes
}

16
pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp
View file

@ -1,16 +0,0 @@
# -*- text -*-
#
# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
permissions = 0644
caller_id = "no"
}

40
pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp
View file

@ -1,40 +0,0 @@
# -*- text -*-
#
# $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $
#
# Time-based One-Time Passwords (TOTP)
#
# Defined in RFC 6238, and used in Google Authenticator.
#
# This module can only be used in the "authenticate" section.
#
# The Base32-encoded secret should be placed into:
#
# &control:TOTP-Secret
#
# The TOTP password entered by the user should be placed into:
#
# &request:TOTP-Password
#
# The module will return "ok" if the passwords match, and "fail"
# if the passwords do not match.
#
# Note that this module will NOT interact with Google. The module is
# intended to be used where the local administrator knows the TOTP
# secret key, and user has an authenticator app on their phone.
#
# Note also that while you can use the Google "chart" APIs to
# generate a QR code, doing this will give the secret to Google!
#
# Administrators should instead install a tool such as "qrcode"
#
# https://linux.die.net/man/1/qrencode
#
# and then run that locally to get an image.
#
#
# The module takes no configuration items.
#
totp {
}

25
pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix
View file

@ -1,25 +0,0 @@
# -*- text -*-
#
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
# Unix /etc/passwd style authentication
#
# This module calls the system functions to get the "known good"
# password. This password is usually in the "crypt" form, and is
# incompatible with CHAP, MS-CHAP, PEAP, etc.
#
# If passwords are in /etc/shadow, you will need to set the "group"
# configuration in radiusd.conf. Look for "shadow", and follow the
# instructions there.
#
unix {
#
# The location of the "wtmp" file.
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
# Note that the radwtmp file may get large! You should
# rotate it (cp /dev/null radwtmp), or just not use it.
#
radwtmp = ${logdir}/radwtmp
}

105
pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack
View file

@ -1,105 +0,0 @@
# -*- text -*-
#
# $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $
#
# This module is useful only for 'xlat'.
# To use it, add it to the raddb/mods-enabled/ directory.
#
# Two xlat functions are provided by this module:
# - unpack
# - substring
#
# Both are for use on the right-hand side of a variable assignment.
#
# unpack
# ======
#
# ... = "%{unpack:data 1 integer}"
#
# The arguments are three fields:
#
# data
# Either &Attribute-Name
# the name of the attribute to unpack.
# MUST be a "string" or "octets" type.
#
# or 0xabcdef
# e.g. hex data.
#
# 1
# The offset into the string from which
# it starts unpacking. The offset starts
# at zero, for the first attribute.
#
# integer
# the data type to unpack at that offset.
# e.g. integer, ipaddr, byte, short, etc.
#
# e.g. if we have Class = 0x0000000102030405, then
#
# %{unpack:&Class 4 short}
#
# will unpack octets 4 and 5 as a "short", which has
# value 0x0304.
#
# This module is used when vendors put multiple fields
# into one attribute of type "octets".
#
# The module can also be used to unpack substrings, by specifing a
# data type of "string(len)" or "octets(len)". Where "len" is an
# actual number. For example:
#
# %{unpack:&User-Name 1 string(2)}
#
# When given a User-Name of "hello", it will start taking the
# substring at offset 1 (i.e. "e"), and it will take two characters
# from that offset, i.e. "el".
#
# As a special case, you can unpack an entire string by specifying
# the offset, and nothing for the length:
#
# %{unpack:&User-Name 1 string()}
#
# When "octets(len)" is used, the output is printed as hex. e.g. for
# the above example with Class:
#
# %{unpack:&Class 4 octets(4)}
#
# Will return the hex string "02030405"
#
#
# substring
# =========
#
# substring will return a substring of a string or attribute using
# the syntax
#
# %{substring:data start len}
#
# data
# Either an attribute name or string data. String data
# can have leading or trailing spaces. Only a single
# space before "start" is taken as the separator.
#
# start
# the zero based offset for the start of the substring.
# A negative value will count in from the end of the
# string.
#
# len
# the number of characters to return. A Negative value
# will remove that number of characters from the end.
# If len is more than the available number of characters
# then only the available number will be returned.
#
# Examples:
#
# "%{substring:foobar 2 3}" == "oba"
# "%{substring:foobar -3 2}" == "ba"
# "%{substring:foobar 1 -1}" == "ooba"
# if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob"
#
unpack {
}

14
pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8
View file

@ -1,14 +0,0 @@
#
# Enforces UTF-8 on strings coming in from the NAS.
#
# An attribute of type "string" containing UTF-8 makes
# the module return NOOP.
#
# An attribute of type "string" containing non-UTF-8 data
# makes the module return FAIL.
#
# This module takes no configuration.
#
utf8 {
}

Some files were not shown because too many files have changed in this diff Show more