flake.lock: Update

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/624fd86460e482017ed9c3c3c55a3758c06a4e7f' (2024-09-19)
  → 'github:nix-community/disko/6d42596a35d34918a905e8539a44d3fc91f42b5b' (2024-09-24)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/10d5e0ecc32984c1bf1a9a46586be3451c42fd94' (2024-09-19)
  → 'github:nixos/nixos-hardware/d0cb432a9d28218df11cbd77d984a2a46caeb5ac' (2024-09-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/086b448a5d54fd117f4dc2dee55c9f0ff461bdc1' (2024-09-16)
  → 'github:nixos/nixpkgs/23cbb250f3bf4f516a2d0bf03c51a30900848075' (2024-09-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/99dc8785f6a0adac95f5e2ab05cc2e1bf666d172' (2024-09-16)
  → 'github:nixos/nixpkgs/9357f4f23713673f310988025d9dc261c20e70c6' (2024-09-21)

.gitattributes

@@ -0,0 +1,3 @@
+**/secrets.yaml diff=sops
+
+*.png filter=lfs diff=lfs merge=lfs -text

.sops.yaml

@@ -1,11 +1,19 @@
 keys:
-  - &jalr 7C207509562C208C4EC1676E87A8E5662DF00274
+  - &jalr 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
   - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
-  - &raven 2855242612275730D456C3F0DBF3508960495F3C
+  - &raven age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
 creation_rules:
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:
       - *jalr
       - *simon
+      age:
+      - *raven
+  - path_regex: machines/raven/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *jalr
+      - *simon
+      age:
       - *raven

README.md

@@ -1 +1,8 @@
 # NixOS configurations of the FabLab Bad Windsheim
+
+## Quick start
+
+How to deploy to raven
+```
+nix run .#deploy/raven
+```

flake.lock

@@ -1,12 +1,51 @@
 {
   "nodes": {
-    "flake-utils": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1623875721,
-        "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
+        "lastModified": 1727196810,
+        "narHash": "sha256-xQzgXRlczZoFfrUdA4nD5qojCQVqpiIk82aYINQZd+U=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "6d42596a35d34918a905e8539a44d3fc91f42b5b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -15,6 +54,27 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "krops": {
       "inputs": {
         "flake-utils": [
@@ -25,11 +85,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1597485541,
-        "narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=",
+        "lastModified": 1644957911,
+        "narHash": "sha256-ggie/j7pdBqzDs4W7OiPmhqH9IGbXAbJxGqBdVxA8jA=",
         "owner": "Mic92",
         "repo": "krops",
-        "rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911",
+        "rev": "86fb3d2ee94fd8306231853b323ed8804edf26ec",
         "type": "github"
       },
       "original": {
@@ -38,21 +98,43 @@
         "type": "github"
       }
     },
-    "nix-pre-commit-hooks": {
+    "nix-github-actions": {
       "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
         "nixpkgs": [
+          "sbruder-overlay",
+          "poetry2nix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1624971177,
-        "narHash": "sha256-Amf/nBj1E77RmbSSmV+hg6YOpR+rddCbbVgo5C7BS0I=",
+        "lastModified": 1703863825,
+        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
+    "nix-pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1726745158,
+        "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "397f0713d007250a2c7a745e555fa16c5dc8cadb",
+        "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
         "type": "github"
       },
       "original": {
@@ -64,11 +146,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1625333638,
-        "narHash": "sha256-M6J9RN60XJyv6nUfDFCwnz5aVjhe8+GJnV8Q9VpdQQQ=",
+        "lastModified": 1727040444,
+        "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "41775780a0b6b32b3d32dcc32bb9bc6df809062d",
+        "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
         "type": "github"
       },
       "original": {
@@ -80,27 +162,59 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1626489334,
-        "narHash": "sha256-WcQDF/JB3yWfO7E37M6rlUCKkqcMwG2UiWz+2Vsib9Y=",
+        "lastModified": 1726969270,
+        "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b2f87e0043aaf3f0f05cc983bd6aa80a616b8352",
+        "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-21.05",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1720386169,
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1725762081,
+        "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1626464457,
-        "narHash": "sha256-u2PCh/+8vQSLwf0mPpKHKQ8hAPB3l4uNZR3r0TdK2Lg=",
+        "lastModified": 1726937504,
+        "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c6c4a3d45ab200f17805d2d86a1ff1cc7ca2b186",
+        "rev": "9357f4f23713673f310988025d9dc261c20e70c6",
         "type": "github"
       },
       "original": {
@@ -110,29 +224,87 @@
         "type": "github"
       }
     },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": [
+          "sbruder-overlay",
+          "flake-utils"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "sbruder-overlay",
+          "nixpkgs"
+        ],
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1714509427,
+        "narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "184960be60652ca7f865123e8394ece988afb566",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "disko": "disko",
         "flake-utils": "flake-utils",
         "krops": "krops",
         "nix-pre-commit-hooks": "nix-pre-commit-hooks",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "sbruder-overlay": "sbruder-overlay",
         "sops-nix": "sops-nix"
       }
     },
+    "sbruder-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nix-pre-commit-hooks": [
+          "nix-pre-commit-hooks"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "poetry2nix": "poetry2nix"
+      },
+      "locked": {
+        "lastModified": 1719952130,
+        "narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=",
+        "owner": "sbruder",
+        "repo": "nixpkgs-overlay",
+        "rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844",
+        "type": "github"
+      },
+      "original": {
+        "owner": "sbruder",
+        "repo": "nixpkgs-overlay",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1625936460,
-        "narHash": "sha256-U6xlITKrYuhlHWe+poACaz4GJl3ZVN1BSUqZe2gFg+g=",
+        "lastModified": 1726524647,
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "ec2800174de5a7be8ec5b144819af2c7de77abe2",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
         "type": "github"
       },
       "original": {
@@ -140,6 +312,57 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "sbruder-overlay",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1714058656,
+        "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,12 +1,15 @@
 {
   inputs = {
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+    disko.url = "github:nix-community/disko";
+
     flake-utils.url = "github:numtide/flake-utils";
 
     nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
     nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
-    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
+    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
 
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
 
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 
@@ -18,6 +21,11 @@
 
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    sbruder-overlay.url = "github:sbruder/nixpkgs-overlay";
+    sbruder-overlay.inputs.flake-utils.follows = "flake-utils";
+    sbruder-overlay.inputs.nix-pre-commit-hooks.follows = "nix-pre-commit-hooks";
+    sbruder-overlay.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
@@ -30,7 +38,10 @@
     }@inputs: flake-utils.lib.eachDefaultSystem
       (system:
       let
-        pkgs = nixpkgs.legacyPackages.${system};
+        pkgs = import nixpkgs {
+          inherit system;
+          overlays = [ self.overlays.default ];
+        };
         inherit (pkgs) lib;
       in
       rec {
@@ -45,7 +56,7 @@
           };
         };
 
-        devShell = pkgs.mkShell {
+        devShells.default = pkgs.mkShell {
           name = "fablab-nixos-config";
 
           buildInputs = (with pkgs; [
@@ -94,8 +105,15 @@
               ${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
             '';
           });
+
+        packages = lib.filterAttrs
+          (n: v: lib.elem system v.meta.platforms)
+          (flake-utils.lib.flattenTree {
+            inherit (pkgs)
+              fablab;
+          });
       }) // {
-      overlay = import ./pkgs;
+      overlays.default = import ./pkgs;
 
       nixosConfigurations = nixpkgs.lib.mapAttrs
         (hostname: { system
@@ -128,6 +146,7 @@
             })
           ] ++ (with inputs; [
             sops-nix.nixosModules.sops
+            disko.nixosModules.disko
           ]) ++ extraModules;
         })
         (import ./machines inputs);

keys/machines/raven.asc

@@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-xsFNBAAAAAABEADJuRGmEF1kSUg8qjGCk2/lBaDa2FYKM77dTRh7z9dHIABG+jy2
-3VdQPwT/M94Vipb1m7vkF5qd1DnYFuyOrM38ql/9gq16tihq9EKTsJulv8IcKjY8
-+nVD76srojho09G6Y94xcE0np0chZVSVyDQ/o8Bj4b4TYfGcDg8GljL+X8MRQz3Y
-W6E1oUjSraDS10DeApsBB//MtIMvzqjpvU7NfA6ny1zM6hrUnsDb+WLgouYONJI3
-ZZXuVSwmGYO8NkkdmTVSGA9iytwonceDT+GXt45agr0ry9i0txzji/HC8ma5nR1R
-WitDIhYHl6eRNfqAxGhABdi/dmOm4c7w3AZ2hEUMHXjYpj2LTG82G/zS7Iuvdxcb
-u+KptBWOXUe4ye54agQSTlCIbFKrDPKkk0gQACuJ5FZkp8VmoBL5gjW7TYOW06Re
-iRS7TBAroebnssUOr/OU4zs3WTMJQd5psj4EcVFniSteleDhjo85wxFTIerCDclw
-/cC2HU8yNn+6cDcA05MKC/ZusIopH1+WcfTt9wnEf9glRHT4NMuOgrDO/cZocRge
-hg2kKgN8kVffCt7z3rHCrDvtQB7vIsATyRHWdJBe2WtC+Lv74vuldyYrrCe6XOAl
-wCOTy6rRfQFijfa6zp/MBiXWv5Sy+jXnNbbgu9w6aZ4e40Uy6fft/zF1JwARAQAB
+xsFNBAAAAAABEAC5RX7E07G3dOlgwYW7D/Cgq7xD288JWNTotXAnGTPQbF04yx62
+EUEjQ3ggxcTz4t/7Sv9WOfbWBvlRy48rhW+zxN9de8ld9FhPW0hG6GKfgN88LCSG
+pVSY4WQ1wqry2ZF68n4YNdrXCZ6PG0EgbrTSSOHaxHVxiVsfZIGWrAUcTyIEhmka
+60tenlQVXj8c45WTRAXQ7kLpXLZAfYmetlyDhUMGj1c46+551GXWnxTYnGZGXS2X
+4gavMnGZWOG0mNtY0TPaDxfJ+1kgANUbtPc9UNIZuhWHuz/K6LdBybMKsDWv+8Of
+962TXj8NlEjRs+t1bhalSWl2zFZ0gI3/gQc8RM4fO7yBht5oFAlSh9fUBuFjyp0c
+KuCs1twQ32NNHlm2+RjVPUN+ITWKCRr0c05OGC2cE7M2ks44F/bMKRvH3v28biZC
+6bj00novLw8dSQzya34nZttA7htySJTbyt7H9aBCyZhs22TxRNIed3UrkmFZr4QH
+QiEzZ44SJ1QYOVtRVcAeLDRcyfJWjUqo7QxPnJS27iN4cjaeWkm6AFk+bsx2nIcb
+10vM6Y5rMcwcWTwZnEbqmhTvO+l661yQAR+RrdeVl+J2MQHZ6fsxbDFyW0YdaSnZ
+0geev9lqbg86nLIPdQANkFHtnYZIURliitxT9OahUce4xdUds3Iaep4pbwARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ2/NQiWBJXzwCGw8CGQEAABfaEAAjGpldJ2VsitBFkb7oqa0R
-+JBLPlhPcdCFW7cDpzpaMoZ1DR04NR21vFg4IpIoxkqYWznepUPgYVE/SP56l/B0
-n7rapuIPg9VdxLSFoVNoFX7jXviBUsOrGKSXBp6hPugvh/0Vwt/L2F/9OsnWje3E
-jM2mgFOR63G/rGQMn4sCs4UEXUz1sSmrSacpFgKNYZoMx9aYMMR3bHKMqLWU3zkW
-ugRqjaxe9jOV73qhENSPYgMoXZEa1IahXC8aeV1Bznw2tQKD/ixMycN2W66/azAU
-kdyEUoBE+gCBw0JAgHWZ/jcmiycUD2eZ9Yju/rz2YaDvkpP0rx4Z1s6eF3af0k6K
-gMChTD0me8H1Cid7bAMdqcvd1hEmIGJviMXlSAZMJtDxF+QRzUAwP87M9lsu1BdR
-WFRi45tLwRUwp9H32oFwu3l+qi/DGSVP1B/PWcG6uEmdcp+HEp7cyclCv7obc+4f
-0ew0QPEkZ24aPWeH5mI/y4IJW8wC9cK8I0MYdNWUHLNKzTGEkqHIkY0hHfB8AmT7
-MNsSUBh0ozbLAZzYOWHXsRXndJ71OAg8auoxKWWmo7gE3BO1YDM4wxyTRDsmsQuY
-OPoh/8kmJpVKvOEzchxz/xHmIBXOwImAMCUTMC+P+PPtWPXbVyOv12ZrPZz7wpI9
-+Djsrk2spQ4me4x/Lri+eQ==
-=MFPD
+AQgAFgUCAAAAAAkQyPdlz4rR+JICGw8CGQEAACCnEABp7v2daTeTU3kZJb5M3Le7
+pQpY4VxnAQtekhm3zLoUtjYS4jJIIxCKDwKCVlQvGJG7YQtH/kr6P6AN25me/zOu
+vvPPTGwnfDN2yVNjV6f1odsLcDOdNHAh+/ZRhUd+nHNSxZ0ZNttHxNotgJJOCPxV
+HkJzYzHZkePvK1ICmxFyWR4XwM/yHiBnWguxJ40a/iA6RCsPt+DpWGlF/3+rX1nA
+tU7P+j1ENtkbZLUdRFHmNTBBwo9XEVsZ+U3r6gezncmA/D5OTq4MRS5yHSwAX0+o
+PWK5LJogTUn82fZ6+0I90bifHlUID1JVAtif76EUNwqQ9e5LcCbgzw0W34djLpKd
+vKWj2kp4FeqKlKCJD7xtqieC5F01rfgEjUKRYZMif9E6RBzvz4awC7KEw4k+LON2
+ApKz0S8QGSCTqfKCSJx8sevTvJ3dlDR9qiDv89pI7QaMr2VRgDeNFkS61X9Wb9kD
+AADJkXdjwYovknk2SiHyFjSjDWjRR42HhHudD3D3GtTGlbsE8AI9bpc5P6zaQRXZ
+IIFOu4/EytTS4BoJGhz0IOjQbhdvlug7DlUvxxUg64GQU3NOMYsQIfGffjf2yNyt
+ZUNlkTBqgdWiES1o1Z2wlAFe/X+qcZuouYRLiqjL7arSGNyahSPRPferuY8YbZqR
+xdV1XP8tYVK8ecb+OM2tsw==
+=ar+A
 -----END PGP PUBLIC KEY BLOCK-----

keys/users/jalr.asc

@@ -1,52 +1,23 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mQINBFalRtcBEADXqtNueywhXtjCy7WXAIzoxfmeCWe0+YzK79dHMz7TIqGQU1X4
-nYi9YJRAgIKvD/gY1i+hUoWrbc3s1YHKIbZsOqhHHuXSPgcpCG/xYWMroc6nsGT3
-iu2pbcxDAWRp0ib67SyCGwEQj/LLUpE0DkptZvUHOBgUGi8pohhbJJ1mAN0E7GJ3
-SjAeLKx59a4Q+S8HEKDJCmP6gCzixxIfS07ncG6TU4ppN8jaN/gEF40IIcTbds4C
-L+ieCdz9ZVtlDvGKtNiSlT7XHnbjPMuQBlbPZaiVuylQIkJlyLEjZduhLNueag2V
-NgcAfqt6HQCNnZ8B7K781rhb/rHtdk98lvOimOWUbNCXREEOHpoVIxZYYTnkVvLo
-YokUncWTMym+6Pelfc7RvtfrK1EjjbblTDn/+Wo5YlBYfI02Vr6RUg1CF4s/FwCc
-ogDtiG1eYAEpnHe9aV5lQrvJcgvmXF6cbIUnbaslApo0LH1uCYliInxuxKdOaxTT
-qRHgug25/SA5XEH3Sc/WFPCun4LFwEElxcrrE4OeWYiixBYU06GMem7GLa+VAf0E
-DxrzkGt16QODFyyJcWGQAp1SPxbBJ+E/QAe7KDK9vVocj31Ug4KA7LoqaLS6dW0e
-5VJRqtej/bOzI6zJYJYPGV4XejPPTMpg0se6EvMYw775M+qAajAbFnHRHQARAQAB
-tBxKYWtvYiBMZWNobmVyIDxtYWlsQGphbHIuZGU+iQJWBBMBCABAAhsjBwsJCAcD
-AgEGFQgCCQoLBBYCAwECHgECF4AWIQR8IHUJViwgjE7BZ26HqOVmLfACdAUCYA2o
-ywUJC0mVdAAKCRCHqOVmLfACdEJ+D/9iP3odbY9eNiiFw44BVKj/Y728V7p60/q2
-tCKtLSiF6DfPJ8z2zud6OcTUfn8NuD0bqs2peALhRi/MHRkJq7QuGVN6PNN/9fUa
-o9gpjGrwOHISnNkwCmEPJWJ60ZAh9XGJCY466IBAcvYurkq/qDx1BSyEi+makymf
-DP2UlyhmsspdOFAoN8+ggIRCWNr6mR1TAZO5O6ce7Wos3nxTlGD1MyPAirbKlAYv
-e8zqOHkhijdcKYzSIm/E/9y85aSvwDySOS69JpWEMsmGkXxq/VSv9CNzYEy/+ebR
-49aoIZgOr10uY4LLN5c0L+tLvVeSS1976dtwXwRECIplysCm0hZU9Wj9JmfOBACf
-Y2kIvMcTL+gREX5CKsvpPk1RChNrpELaOk/EY0hAhH4Nx2WSd6b6Kw/MagApVwNi
-zfMqOZsZmSd+RPHqn7hJWaI4hpN0HfjRFpVifjKQtR/Q25c1CzIllSkwGBXQ7AEM
-LpHoP1fEzk2Au0v+6q32bY8JCoLwChhcPxDZFzKepHOzgf+8QKq+ZB7KPxjWWAET
-lzmzgGhKmaQOnZZsBNYYj78opGXOMxkEThaHCBgKPDTBU6XPNgd/8LYUbai/JpA5
-wDOe6i5Z3c5TNXXOIMBpviUQ3BB1z4kd1YSV8DLPHwhY4q2d1oOGToKUZy39NvaZ
-Ds/rHILCQrkCDQRWpUbXARAAwxN80JhEojDcNiDRZOHVM7C4hQSdAOUI3upJpFVi
-0aJVRU5+w6yebh/2bMVUgL/UBFiEaKxgBtcy6snBsY5YzSZq6QneVhN0HLFyPAKX
-j2zrw2MQAaVtJ+ufihdqpxgWELVfY1ycP5rX6pHXAbQA6kw0lg3FNsUi7q/qIPoO
-8q8H656alz5fqvJcu1dBEbEQ+oWXUrROVcBkVjElX3Od2uKm2ZBQajcO5EEYj2Va
-QtsBTdzehGnrsssEtr7yZz4d85a3uWU3pJ900Ugn22MCBHS9EOk2IuEArgPFE7eV
-1S78D+QS7qjU71sJHsHoBeUg5uZoR0hNNnMWqokgYhHA9+A+Qt6KEBPLSb5Bp9Y0
-o5wqRBqjxaLPSGG1NryKkAKc3cvHiCwFW6DxsJzVML1aTH60R879256YCUmVMIUF
-pCGjUf3ZkZsFCMKuUDLsBE7Kn2CMVW7yNn1wLOfOhkRfGCtHQNLhIiwTTWD84iDQ
-DHQ5v5r2TfosbovSy+HGV0Bi0z3W5tk8x+aV3I67vk5BbSmp9bdC7MkfSuxOYdKA
-c3zexmuledVMyjVZvL2DwaJaXYD3YY+ZIUc6N/0Ox/65DllH347022luWUnXjkip
-vtM55ENKeGmk3z0368L4atubo2qV1l00UKs+2bdbz65uHDMgGebVBtNsExiO8pzd
-1asAEQEAAYkCPAQYAQgAJgIbDBYhBHwgdQlWLCCMTsFnboeo5WYt8AJ0BQJgDai6
-BQkLSZVjAAoJEIeo5WYt8AJ0BxIP/A70jXPM6QKtWGs7xi8n916aVK43ODgCVmDq
-vyduV5ywO8x8xljjVuAQm57Ei1thAGCmKzxn4rWmm81cVXBq/ZLRamrDSnP4rctZ
-qZfRdsUiLJUimOTxqOn0cDqrJs8trBIIE40M20LX3TlEWueDAhpuO1gndupSb94k
-U/PId1VZ1fyPz24tay/GgSfpBa7ZuXiSWr+QtQu2MlX9WXBo7gDo+BDUsZqyy4/w
-Gqm1i7NVElW1lJK+KOGCAHC7JcBIjGsfxS3+MjxI0HQ2MeQyDYiwhF0xHDTCLBgv
-nXAkFoCe2xB8q/+RZV1hfYGMDPILwFox6OZkpSRW/+a/j1fw+Hi4MidSoe7Xkxbr
-zZVTBiFFIUbg46PCxrBdNDtba26vcS4iUZVefqcGa2ZuHQrDYRdYyeqPCZ5z9PLp
-tVPYebApFnFSkd8pvcKkx6KPrItWBX5DFsGGTo6QzTg0s/w5WvqNWWHJ3NRFh1V/
-rz/E67uLfJGt3qOVyOkIKKOTzF473Wku9uTMz/BCaBRJ80VhGDYG7Vi5uvQwTte8
-CLhjpjF94XWhijOAIXXavCe+XhmX4QXBIjeDy4UtULi5uod2qCgT8hJRcRdC7T21
-x9o0CU3J3E0QdaVwulZJWEgT4JUTjBJwVRU6jwQNbq0l4FnRrcYULBcidCCAXXzR
-GUBE0eMh
-=PbMY
+mDMEZbmOERYJKwYBBAHaRw8BAQdAarCLR2RvxBnRODJY8WM98gCRbsHzXFTYTIoR
+ZlmbOQe0HEpha29iIExlY2huZXIgPGphbHJAamFsci5kZT6IjgQTFgoANhYhBDBE
+5x497/SbWGz1gJv0/MuQhU2pBQJluY4RAhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIX
+gAAKCRCb9PzLkIVNqbmFAQDG8xNgbZsZx6N2ssVC9k98IUvuKuMZQ6Gju86EsnNY
+dgD/eSVRfAKCtIPSGtoLvE5zL80hk117R4f8rbMEvrmt9gm4MwRluY53FgkrBgEE
+AdpHDwEBB0DRonRUQIQSfkqX7yHFHewbEYnc/spaPufL6EnSPVLvZ4j1BBgWCgAm
+FiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jncCGwIFCQHhM4AAgQkQm/T8y5CF
+Tal2IAQZFgoAHRYhBDp0/wfiMHs2RqSZ6EYNR7hAgU8/BQJluY53AAoJEEYNR7hA
+gU8/HikBAPOziBknk+WcsKODsdViFedagVgtnjW8J6mJZRKNcD2fAP4/42g9wU2i
+KHKHypLlGdmgOVOpSGNcubkcPFcOOHH7AZevAQDUU/UNpIHe7R3rYq4sFT2iYa9T
+ZKpmOostoAzyYOViZwD/RA2suqGyrSe96JLnxwzy3LccYgV3VwEbHDWeUTvOCAy4
+OARluY6pEgorBgEEAZdVAQUBAQdAAXZvPoXdFpBhYS8KgCeXweUMlSwsCnXmgiDh
+neSFMwsDAQgHiH4EGBYKACYWIQQwROcePe/0m1hs9YCb9PzLkIVNqQUCZbmOqQIb
+DAUJAeEzgAAKCRCb9PzLkIVNqbmEAQDSBggKtjGkLuYtIHBBCfBF4Dx7odOapasa
+tYqZTU7twwD/VhDvRGPbTl7X7DYQ36bmyjTe6cZAj3/M0ueQhlTrJAW4MwRluY7E
+FgkrBgEEAdpHDwEBB0B95fmIsa7I4c3ttAko71CuEI/wTam0zYrYJNtL7sz3o4h+
+BBgWCgAmFiEEMETnHj3v9JtYbPWAm/T8y5CFTakFAmW5jsQCGyAFCQHhM4AACgkQ
+m/T8y5CFTamxRwD6A9TAs2Ac2VUQDCGgIEgUeULB2fZ1i0s0zydXctKJf7wBAL64
+utFE0ryrkFHMGY4xHMwZfvWosYH/qfLlKadnb3cK
+=WgEZ
 -----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -4,7 +4,14 @@ let
 in
 {
   raven = {
-    targetHost = "10.105.255.242"; # FIXME
+    targetHost = "raven.fablab-nea.de";
+    system = "x86_64-linux";
+    extraModules = [
+      hardware.common-cpu-intel
+      hardware.common-pc-ssd
+    ];
+  };
+  party = {
     system = "x86_64-linux";
     extraModules = [
       hardware.common-cpu-intel

machines/party/configuration.nix

@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./services
+  ];
+
+  nixpkgs.config = { allowAliases = false; };
+
+  console.keyMap = "de";
+  services.xserver.layout = "de";
+
+  services.xserver.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
+  services.xserver.displayManager.gdm = {
+    enable = true;
+    autoSuspend = false;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  users.users.party = {
+    isNormalUser = true;
+    password = "foobar";
+    extraGroups = [
+      "wheel"
+      "audio"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    firefox
+    mpv
+    pavucontrol
+  ];
+
+  networking.firewall.enable = false;
+
+  services.openssh.enable = true;
+
+  networking.hostName = "party";
+
+  system.stateVersion = "21.11";
+}

machines/party/hardware-configuration.nix

@@ -0,0 +1,65 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ehci_pci"
+        "ahci"
+        "usb_storage"
+        "usbhid"
+        "sd_mod"
+      ];
+    };
+
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+      fsType = "btrfs";
+      options = [
+        "subvol=root"
+        "discard=async"
+        "compress=zstd"
+      ];
+    };
+
+    "/home" = {
+      device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+      fsType = "btrfs";
+      options = [
+        "subvol=home"
+        "discard=async"
+        "compress=zstd"
+      ];
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/740450af-f376-48d1-9a0c-25a035964700";
+      fsType = "btrfs";
+      options = [
+        "subvol=nix"
+        "discard=async"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/3e24b5cf-e59f-41b1-9eef-107f808b9242";
+      fsType = "ext2";
+    };
+  };
+}

machines/party/services/colorchord.nix

@@ -0,0 +1,89 @@
+{ inputs, lib, pkgs, ... }:
+let
+  ledDevices = {
+    kanister = {
+      leds = 43;
+      host = "wled-Kanister";
+    };
+    bar = {
+      leds = 300;
+      host = "wled-Bar";
+    };
+  };
+  soundDevices = {
+    sink = "alsa_output.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo.monitor";
+    source = "alsa_input.usb-BurrBrown_from_Texas_Instruments_USB_AUDIO_CODEC-00.analog-stereo";
+  };
+
+  devicesProduct = lib.fold
+    (soundDevice: acc: acc // lib.mapAttrs'
+      (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
+        source = soundDevice.id;
+      }))
+      ledDevices)
+    { }
+    (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
+in
+{
+  environment.systemPackages = with pkgs; [
+    colorchord2
+  ];
+
+  environment.etc = lib.mapAttrs'
+    (name: config: lib.nameValuePair
+      "colorchord/${name}.conf"
+      {
+        text = ''
+          # Basic
+          outdrivers = DisplayNetwork, OutputLinear
+          headless = 1
+
+          # Audio input
+          amplify = 10
+          samplerate = 48000
+          devrecord = ${config.source}
+
+          # Visualiser
+          cpu_autolimit = 1
+          satamp = 1
+
+          # LED config
+          leds = ${toString config.leds}
+          is_loop = ${if config ? loop && config.loop then "1" else "0"}
+          light_siding = 1.5
+          led_floor = 0.1
+          steady_bright = 1
+          fliprg = 0
+
+          # WLED
+          wled_realtime = 1
+          port = 19446
+          address = ${config.host}
+          wled_timeout = 2
+          skipfirst = 0
+        '';
+      })
+    devicesProduct;
+
+  systemd.user.services = builtins.listToAttrs (map
+    (soundDevice: lib.nameValuePair
+      "colorchord-${soundDevice}@"
+      {
+        partOf = [ "colorchord-${soundDevice}.target" ];
+        serviceConfig = {
+          ExecStart = ''
+            ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
+          '';
+          Restart = "always";
+        };
+      })
+    (lib.attrNames soundDevices));
+
+  systemd.user.targets = builtins.listToAttrs (map
+    (soundDevice: lib.nameValuePair
+      "colorchord-${soundDevice}"
+      {
+        wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
+      })
+    (lib.attrNames soundDevices));
+}

machines/party/services/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./colorchord.nix
+    ./dmx.nix
+  ];
+}

machines/party/services/dmx.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    qlcplus
+  ];
+
+  services.udev.extraRules = ''
+    # uDMX
+    SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="05dc", GROUP="users", MODE="0660"
+  '';
+}

machines/raven/README.md

@@ -0,0 +1,15 @@
+# raven
+
+## Services
+
+### unifi-controller
+
+The unifi controller is used for managing the wireless network. It provides a [Web UI](https://raven.fablab-nea.de:8443).
+
+The following ports are opened in the firewall:
+
+ - `3478/udp` used for STUN
+ - `6789/tcp` used for UniFi mobile speed test
+ - `8080/tcp` used for application GUI/API as seen in a web browser
+ - `8880/tcp` used for HTTP portal redirection
+ - `10001/udp` used for device discovery

machines/raven/configuration.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./hardware-configuration.nix
+    ./disko.nix
     ./services
   ];
 
@@ -13,38 +14,56 @@
   networking = {
     useDHCP = false;
     vlans = {
-      jt = {
-        id = 2;
-        interface = "enp0s25";
-      };
       labprod = {
         id = 1;
-        interface = "enp0s25";
+        interface = "eno1";
       };
-      labdev = {
+      voip = {
         id = 5;
-        interface = "enp0s25";
+        interface = "eno1";
+      };
+      pubevent = {
+        id = 6;
+        interface = "eno1";
       };
     };
     interfaces = {
-      labprod.useDHCP = true;
-      jt.useDHCP = true;
-      labdev.ipv4.addresses = [{
+      eno2.useDHCP = true;
+      labprod.ipv4.addresses = [{
         address = "192.168.94.1";
         prefixLength = 24;
       }];
+      pubevent.ipv4.addresses = [{
+        address = "10.10.0.1";
+        prefixLength = 20;
+      }];
+      voip.ipv4.addresses = [{
+        address = "192.168.93.1";
+        prefixLength = 24;
+      }];
     };
     nat = {
       enable = true;
-      externalInterface = "jt";
-      internalInterfaces = lib.singleton "labdev";
+      externalInterface = "eno2";
+      internalInterfaces = [
+        "labprod"
+        "pubevent"
+        "voip"
+      ];
     };
   };
 
   i18n.defaultLocale = "en_US.UTF-8";
   console.keyMap = "de";
 
-  security.sudo.wheelNeedsPassword = false;
+  security = {
+    sudo.wheelNeedsPassword = false;
+
+    acme = {
+      acceptTerms = true;
+      defaults.email = "accounts+letsencrypt.org@fablab-nea.de";
+    };
+  };
 
   users.users = {
     simon = {
@@ -54,7 +73,7 @@
     };
     jalr = {
       isNormalUser = true;
-      extraGroups = [ "wheel" "docker" ];
+      extraGroups = [ "wheel" "docker" "audio" ];
       openssh.authorizedKeys.keys = config.fablab.pubkeys.users.jalr;
     };
   };
@@ -63,5 +82,14 @@
 
   virtualisation.docker.enable = true;
 
-  system.stateVersion = "21.05";
+  services.nginx.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # FIXME
+  networking.hosts = {
+    "192.168.94.1" = [ "raven.lab.fablab-nea.de" "labsync.lab.fablab-nea.de" ];
+  };
+
+  system.stateVersion = "24.05";
 }

machines/raven/disko.nix

@@ -0,0 +1,54 @@
+{
+  disko.devices = {
+    disk = {
+      nvme = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WD_Green_2.5_240GB_232497451701";
+        content = {
+          type = "gpt";
+          partitions = {
+            esp = {
+              type = "EF00";
+              size = "1024M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "raven-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+                extraFormatArgs = [ "--hash sha512 --use-random --pbkdf argon2id --iter-time 5000 --pbkdf-memory ${builtins.toString (4*1024*1024)} --pbkdf-parallel 4" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" "nodev" "nosuid" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" "noatime" "nodev" ];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

machines/raven/hardware-configuration.nix

@@ -19,26 +19,14 @@
         "aesni_intel"
         "cryptd"
       ];
-
-      luks.devices."cryptroot".device = "/dev/disk/by-uuid/ad04bc72-bc84-42e3-856f-152c162ad88c";
+      kernelModules = [ "dm-snapshot" ];
     };
 
     loader = {
       systemd-boot.enable = true;
+      systemd-boot.configurationLimit = 20;
       efi.efiSysMountPoint = "/boot";
       efi.canTouchEfiVariables = true;
     };
   };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/1ac13504-fb49-4739-a0e3-f87a3f840fb1";
-      fsType = "btrfs";
-      options = [ "discard=async" "noatime" "compress=zstd" ];
-    };
-    "/boot" = {
-      device = "/dev/disk/by-uuid/0FEA-FAF6";
-      fsType = "vfat";
-    };
-  };
 }

machines/raven/secrets.yaml

@@ -0,0 +1,57 @@
+dyndns-password: ENC[AES256_GCM,data:Nm6ed/SvRGnOZAXCt64HAf/0xpAoSwNCCZ9d+KM4Fc1tl+rY,iv:TbGGjG55mksyW2eOkMb5JBOMvePpLlTotmEjZoiWBbQ=,tag:vNA0GLM28OloR90elj4SEQ==,type:str]
+asterisk-pjsip: ENC[AES256_GCM,data:8nBg6SfWDOhuF4x5T0fz67jxXkIhzfX/FVbL98huIs9rdalGuKIOGeIBBYPzzH5cbLkfvG7ZW5p2r/I/jRoAKAu0airMJzZ2aHIFMjLUgzB+Rl5EbVF1kP8J8mwDVBMw1BFXELDNwnd+EniwWw1TwJcqWvZ3EhG00HIogzurn98l/FFMkNxWCXJ6msWBe6BHlGNpq/jPmyTVc2mlPXQ6uhqK4MWGe97tH3d+d7m7raXNjaTDruZLwKmNkONtVg5udzd1f2OP5GdoM9Tn+UHFkndqn0X6Dk3lH0dAoObRk9hDp57TnGZPrXNXktWroFk1QfsyobiB/Rj8uBRYa4BXHa/6OeQm1o/vRQhTY4e86N5fOdhwFHy/EQtp0sHa6kgiKHd8Koo/HOwAa69R44tKXvmJ/++cuBsfr71oLq+nrXIKcVv4ShmXV0kHNyaeSjCsWRcA57/FjS+uoaK/gKIGvX32TULAYGYHtIFhq43pL43PrS2j8qoDBrZQfkBXwUOW5iQr9c/aHloX7t/gDpFEi5XK7lFQsx/buamH9eWFkqhiDyu5EntSXXJb6UAbYmLREAyD/n3evyp6PTZak+TvhzLpXmol4L/IYOLqvbj8BS3ZfctqwPYtax3J0aglMsvbjCGWpiHywNt90SdPsMJi7s2KbQGbUmpOGWzq7TLByrT5MxXD//pmBXbSROxiKHTPyXpeg4SQuj0boDCIxcGG55rc5ouFMqJOJVdorIrgJ8Il1nTXHgzssuMP0/dFIYXj2gp9/XJ3S9N1acyNJCBhezeRS2PE0L3tCOHLY6IerQuW+1hmLEr8bMrzP6+70FvUb/FlfEfLwgq5AXPKE7l0cX9bn4pLAWkSreurpWE9xAIICJAkRNzcD2zMHaCiRnu4b5O+19ZnrfG1tVl0AQ6GckBFM5wcu0w6bA+YIaOngojUzPcMIynrXRdFEBB7rXiTi3JWN2nlJyTx9n+lXsgpgSf68mGcfEFdNp1hkFEUy65DEKiKQPK3aa0nVYPbAkfh/vcjkLO4X0gd0Ec+4XVda3ZyG2QzSYa2DQWmCYg3nwWg4eiKl4ppatp10soHfPSauRBLRrN5XmFtaH+Sp7Bwr565uVmyqYSgb+VTRY/25vK7VcT9rXpKX0PjOFOD9wFD2jQ4Ezs+tVieidZgvG2CjElxI8zmcsaZk93FUc4cw0lTy85cCo/IibTIlAd/uYrT+lxe47H51W2PtjovyZcH0XJW76BhJV6yMUron7qD9JTFGf3OagTgjoKh5InSsnxON52fy3GLUTvzO2vPg1c+iWg/mVYrPp1iCpK/G6LBh2k+Jj3OyQ8Z3GJZJ7khzI3E3MNOTvyXZJuXESMGTKmXWkHqvRrAvsW/CDBq3TmW0Jd0uMtFP+J4aL++BxAXKZLQ0g/RXwfOI/cQFQIPl3BePXl7VskxaFx5WWuKEbh9YMuF5FQ44vo386dvcDpfVNnRdFBOEltC7Ck6mJDUVPLAM3IhN+xQwobdWARR+baihGOUk9psP5boQrUvcBIx04RmXCLomHVD3Aw5jxh7N5TJ3BC2q6ZbkbpqwbH9UOg5PXrgXd8Eh6L+KhRjc6sl5itSsHK5iitWzfil8qcMpQPcLucZl+s1gISGlHaiE0MwkZj2fT9QZpw2+BmH1VU4tDpSotOue3H8MxK1j2mFnrEwi5sk5eHdBzBjyQ+SzmpbZTDk5eMlgfIKt8sErZ4ABI7iXQp3A8jusOYbZCQiBTPF/guhPOLuE3sWSBJLkpj4iHRrSVSAy/B1qy7fMlnVqqtXujXfy16pFG5IQKLUPGxyO5eotMuf5nkAigm5zn6q+eWpjDub9eBviXDjbemW4F7ncAdtiBzIWrak/hhp0fxMpzuh9h844Vou1brjKC9Xg5cf+IKyESjS8txHRSQhmZgab6iDv3X8Q0l0lRiKxzAOxM/2L14r6Gy03lMwaE1nUKgZjrtflrukeWgWA4EwDE69CdA7vbsX3zJ9d7cr+IlmiuTprldmV6EirJJaBNNdRealehhopGzDODIucUNp1PT3LQ/AidxOui6p6iP1PQG+TuIUtpM8AzxP3DbE+kMf9PNnb2E3JT5NrJz0BBWhhxr1KGBjniozh9CtSRq/JpfWYVLd8PA0P3abA1mW0A7IWaobI00qtPt1pcx/MtV5QzsQ5CPRVu10lFcF9AmKT3ekPySISkjcBtoe1FxO6j6cOqe6nbdx/lg0dnNBFBETVa8gAQwhmOAnqCURYDvbfjHjX99k0jwesiqxm1QH4PRjtbicd/JMiosWsiFBJohFI/0JIscxd0iZ8LvNPALWLeKfcqXulzjNKy4sB9QIxN75dGKaDZv2qInBDm9p8hDaqT+tdXsptXw2SkLfbRiWnim/r+VHKq0uYV9KlolmE4dOm/dWQ/6Ri4XBIFr5Ld9udSQ275GHZ5EHlcoPGEjZeNR6e0VMskcPH7tJXDEs4p/EoEWepVVWeuRidauFkcskSn2QMR7Yd+NAl2XxFYMiniGL0UzkZ5johxgw4WqopQua3Yff76f0oigR9VVHf1ZJlIC8IND1vLNRwbhVpW79SCeaHwp8jui18x//bn69eHMYjxRPvimnxRirSmjdCgCFAalgVtxfUt7WO8p2/Kzlu6kwPQrSMltLycNhkvrGinQcKGPtEkNfzCG4MAvyb3UW5rph/nui7ybCT0AnRW9xFpVURGuuGUhuKFMDhzBbiaB3i1cMdG+DJniwUc4rSg+o4YvrR3Q9w++hQUcfEbT3fJwoWCMOExCsu5O7vhZbdTd6tJzH9sxN72q4yDAXW5pqtnKU71AkWg87meuGv+W23s5IBJr42L0ubEXTEoZMBvjDVrVS+9yKptQz3pkPAIFaXoLUGlJw4XmtBL8wWSj08Zi3F+lnyR+YVFV19infI35Fi7keABHHCmWeNdrlgrcFR9bs/fxn/Oswwk+8gNXQBIGLIs3clnRd+4SggfLQvv1lud8ZBN8jV3j/czAnN8XdMtsqMGZJ31TvBWVuYmqijCpwbuA/hCXrbiyy+DG+6ZHO4sUpIBPB0uQ+TNfuR9FNNxImKZBaUAOMuQgBw3lWU5Weu2CnSfJdKlREX0mBk+1StDKSJmE40x9ACt17XGST+vu8lOwy8C/wjPzCfsVMCHxJURCGe6HMfYQAyclgfwE0knq82kOWulUPFjnIyjhHwr8xbTmm3e6j7wDkvaK5WHIIxamyv420b5Y/Mc0HqA5YrC6a/AWSuHpg6lpCuLP9femhiwtERyEgOWeOJOr5wj+ZgmhD8/RpeUJlCdjWjDB1zFdoF/9u3yNpxJxpqYTB87PkcgY1jRdTP1W9/oMpvsGF61TU1IOTnhVtUZZPWYmXvyv7bHf+wmPrDN8EnxU4gMRK0u2Knx9PPuYb/iDD8UkEgbBPo/oDrboMo4QVE8je76NlIEdPlsLCDWO7GitRvNkAfDqEFrWjh6LUeyIAKmjWgm2IKEBnwHcx1v/p6iU7rABtaDmZyq5hgnbDZtOFEVsZQEk0vYYQNyMuqfC6Kt/uukmZVePRKkGXwTPmNKr5vdUTZmbZa14j46pNiOTm6R/vVKZEzHYDwgpbSoK8yQ50QuuGU9aak+iYZB+CckEH+S3KLInzDSNsA99BthiHGhIpsbwR70gc783coYJoIipYieb//LaTvf8BDmafNKnOQVazP5T2pHeO4yePr1/dEN6x9fdFRVKv/Q73qVBm5S0Jqys6Oo81cdrmISboSLzxAm7V01dijQ6Juv+awBx0emFuUKDVgS8AfZ6pGhugwcJsAE8fKexMS2I29xGaBzeGeQzOYmlTA7RXngTXh/DaHEckgBXp84dcXjcrRiEG0wGRSvNMx1RffnUSoslLpgpMfwNYl0NMwbq+lt1ppH88tJnUXu0G3YyF+Me8lyYVlnQU9afd4u7nNTAamBlNx3QtMndWdK92X20kK2ij7kwefLc1pm6toOZE1vdSaIFXnpZCEh4of6vdNkFscpkxHtsURObPbtFsI4C8WXCypgWj3Po+YgbhMddKRu4BiQfQnopSHatFYYUM3xzTiuL496WwgCorp+Ak+wOhIE45o/iugS2xxfJIQKkMiP1JbzDw59qcaLdnRXOLqcv6nX6bMkwHuxNmVCTn2lk32FmraJdfyVhdTBPrCXx/TjoGISgEOc5w5oct1L7ERLiD6BCbxER2UkSsQb/rLoUYdfHh3bLXbZKLDGVRuf1JoImGHhtTE2R+o5o1dzWwNdHMGjVpMIV1ixxsFsMG27KhjIYUMBdrqVXH8wCXy2TOCxTqIhIOOg6lUMvEwUAh3ZaFRKGe3VaSRyVMcKE8dseHIS7MRq2g7jp9eyJkZqspBh6PEaPyTwYYv8f00VyHauZAV3UdWfWDsEZUYk194wiH2/j7O9+eF7jxPlmLuXUQGQBVTAFObpcoT988N24NalijJh/cuahhkSQYR1hMahBF5jwwVHS3vtN6pUwghTUV4HqeIrtur1cJRB6Qlm/YRgvcB1fX7xbhYyMUJUYEp1gK1xhY1c0A16V8HQPFheL8EV5tfsUT,iv:xh7XXUyLD68UDBBG5aKI/HWxjMZ0Tr4sLkIeQ8vQIso=,tag:FyLg1FhxUGjcNGD2sq4Oeg==,type:str]
+asterisk-ari: ENC[AES256_GCM,data:2+X/DRmRlnVraWWEBXWXJ9XpFnRdD0HDlofQ7jaxNpWRKNA1ZVf4DTtm6d232LXKde54ACMSUEyQWTu1mU6oQ7W5P2VSK2HZvHzSrnC0dJVKPrYEnBWfyA6sjKBULQSyW6j1/c/k,iv:jE/Y1A3i8embrwJqN8TBO0E8nr5WhGDKPH0gXgWnsMQ=,tag:j8PH6tDeo2YTCI2BnVY24w==,type:str]
+asterisk-voicemail: ENC[AES256_GCM,data:4/Kbt/XMUGIIVpF9/KIMIi/Gx344dIleieVWch5J5z1gz2o5cLIF73qCj+vApDzSHcz2gTzMEKwEV6H8ZsxJse27dNBIdVq1n18oSWWAMT1iOomxxzqESLhF+HTtBIEpBVi5y5zwMRXGh/72SxKY9TXv/KHxTMp8aBhNvoCn2ze1VOcBjyNxGda4gGgFAa4LNTzxQ1B6XpfgkjsH2uY0zaAd8rrsXPrPY6TNS7JxrBLKfKshTiJCElJJJA1pCcRe4/yMqCm14J5+n3FvEOnHC+BQHX+ohJYaBcrZblWF5rH/l25BnUgP4UC9ydk3LmQiLpH20+sTWZwi/FojeID0BahdrzOk0tNCTKwNtfFp2QzYvlQPdFRCINb5k1Pz9DNLx7bSv1mvkeGNbd1YdHvEnPwYrQmAae96kg+Vl8PVRqY7ZsMsktcOfqlw8k/W4DK0G6LBA5U9G7JryS5OeS3kMMo4vQzcjU8/eZMl/XwHB0806k63wI7j3wL9Z5+DGmdLX3z3RgtJunELTcayAwerRptuwidm69hbOhmWEwkCcrR42QNVuDD8Qxp/CnwnmwUawUFBOFIBjbQApT9miOmo3e7nY5fjbf4JUbJ9/0JbT7YtZOEU9ymACobX6fweOsYUoWTXprJDwZkln8omaAbP85g4XgGGoltdTk71OviSSfN3DCKfPwPop8GZ9UEBQN9rNUyllVRoTeaweqN2VJnD/ApWj8A22i66R1CPm6ebXLOjClahs/hCKTeYHXPiDjWb5xd9c0fQBlnHaWbVYLtGzBpf0p9oU7DE2KskzZE2TDat8qCdMeqBcpEwUVGqcqq4YWDPy593XZzpG91NYDAb6GbkYHiZw+OQStEFA4SbN4YdwPB0fZN0iW+IOQPfWgUiRj2wAUYRXRpxPQ2ZDh7Ie0oZbJvhx6ulEM8nKI4q4e3pkzF7KjT2z9KzinkhvjqlpU0vfCm4BFMUcKXVskQsiDA9gz4w0m7Ei4HbyDHoUGVCUDtv0W6IfjrEUsBasxcYkown20rip/CwKTPmKy26bz6iHgUAB6f71Ms8sdKr7gHdnzOK3OBm5I+gell6SsdDDfGgQdUHJwSu8XwwJdc7Faai7+wN1stfSglm4PwuoFIH9ucgVyXrAwLJIQ==,iv:QzVHcduZhvQalSgRWRDoTpc20cYLFwzqDedET/XnBWQ=,tag:mrkXZ3J3Hiy2Q7Y06LsBuA==,type:str]
+prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str]
+unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fleny85nvjh6g4arn2tkpju0smq2s4hawwpmnyvgcf0sy65wd3ks4lcvfa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBML0wrQWtGbjhEY1BpT0lU
+            OXZZTlF5SzlWSGc4dzgvYnJ1QUtRUDM4a0QwCmU2bEVRUEZFTEw3QW9MUm16QVFk
+            bmlwMmN5eldzRis4czJNTkpGUUkyd3cKLS0tIFZ3TWswMnBXOW5xOW8zbTNiUGtS
+            T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc
+            Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-04T10:58:16Z"
+    mac: ENC[AES256_GCM,data:yRoKVClRcbqFYM06F+83kU9s0KcoiYEx0fpr4DL39YoDDx3ZdX2aYqOEtPCGHKEccFanDsZSI4Q9jG2NEa9IykI9DDjQtci1pcNkt9VaWgPTTo2KzP086ncQHaKHyy109CjugeC2oQYIOBfSiO5b+/SP5fml2N3rhIGzROz2NRA=,iv:JR2MVuIxVhCDsx8kelTu86x4Snf6yqJ7s9vb/3bj24o=,tag:V9BadPHshitupxnAzYF3Nw==,type:str]
+    pgp:
+        - created_at: "2024-09-24T19:30:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DY/xpNY5WhB0SAQdAyqAyhamC5ViSdA1B1b8fI2iaSIAfyVJEe2ZaDyFI82Uw
+            NPvBXNKx4u0KTnMG6tl63Tb2/6sC4uhkp3n/pM+cxKIMfTXodIenddK5siPs8MQI
+            0l4BeIxec9DiNskvxTqnZ7jtVd7hWy494cDrr7Yb9J0GZWQ5mP2ZtqgcDkbzZnqb
+            E8glyIInDNAKedtpbE0waUWPwbA3XAgsQX6xijwe5q0j4Rqqc4rlvJuk9Xd7G+M9
+            =77Op
+            -----END PGP MESSAGE-----
+          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
+        - created_at: "2024-09-24T19:30:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDgSONkM+d4AQ//VH43OoHprfVhgtPmGjP3dHvWxLkAtyEi2QOYWjGLGbuw
+            l5TAY8RAp3c34E0qp52a2a+GSJUwdxVusK4MSWGzzg0x1VKPFr5Dz11SRnjqyWuQ
+            sM7zo9AP1cIUoIaP4G/jnwYicEH+3ADjFEpNazfNw56cpjWL/1yQSKK4uk4x/m7e
+            AWWcRQHJa7j/sPuR2R24CQjZq6WfxoDDe2v1J+NTxBoZh16CJ8LDUWOCAgRDvEDn
+            d1WczY5cu0n/IAl8baKrvAtBoahEeF97lBmZ7BtXiFT2c6jvwjY0erj+BA0N4Jfc
+            WnJaU1y+a0RKxvH3AOo7R09NmvFtfWcUrFD6k5jLGhvbkuMd4+akEhDv98GeW77m
+            qjimf2gOLt0mR536JQP0pZ41O5hXLGVhPDESRWKMkeJcJ97+7wN9WkUnfW+AA0+y
+            TSqQ+KEsJMIYK1HCWJeW8oc+G+gEY7iutIxY+dL7NV8EzUWREhy0/1WzEIb3AfgH
+            XfzQufzXnKG844GUV0WKHiff7/Wmuhcz6+yFNLqdG2u7LM91eBB3B00ubFmfcz4U
+            OO4SopFeGHUo7xjQMDI3SzwPocRBsL3Fz+f2o5zsOGUPS/UebLwgN4UvaW0BKbZ5
+            zRiC0v5OKWRMxZVbhpmfvfYFEjkflVfYuiTul6ajnaXarO+S9Sp8r+RSkkJx7ZXS
+            XgHjN92PHYzz8O0ls8NxJiMFdG5ozfims6VN3sC98LjhRsaCb5oEwh8ZoB6WDb7y
+            0FeEsVM12vBGVF2oU8SVSJNnsgf4aMCTAPi+vdimq4UBKMEyxBwWkp62r2xXmoA=
+            =/jcl
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

machines/raven/services/asterisk.nix

@@ -0,0 +1,138 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.asterisk;
+  secretConfigFiles = [
+    "ari"
+    "pjsip"
+    "voicemail"
+  ];
+  rtp = {
+    start = 10000;
+    end = 10200;
+  };
+in
+{
+  services.asterisk = {
+    enable = true;
+    confFiles = {
+      "extensions.conf" = ''
+        [sipgate-in]
+        exten => _2430207e0,1,Noop(Processing an incoming call)
+        same => n,Dial(PJSIP/100,20,tT)
+        same  = n,VoiceMail(7929876@fablab,su)
+        same => n,Hangup()
+
+        exten => _3529,1,Noop(Processing an incoming call)
+        same => n,Dial(PJSIP/100,60,tT)
+        same => n,Hangup()
+
+        [dect]
+        exten = 99,1,Answer()
+        same = n,Wait(1)
+        same = n,VoiceMailMain(7929876@fablab)
+        same = n,Hangup()
+
+        exten = 98,1,Answer()
+        same = n,Wait(1)
+        same = n,Playback(der_dude_ist_nicht)
+        same = n,Hangup()
+
+        exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        ; Kassen
+        exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        ; weinturm
+        exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
+        same = n,Hangup()
+        ; /weinturm
+
+        exten => _XXX.,1,Noop(Processing an outgoing call)
+        same => n,Dial(PJSIP/''${EXTEN}@sipgate,tT)
+        same => n,Hangup()
+
+        [cisco]
+        exten = _1XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        exten = 420,1,Dial(PJSIP/101,30,tT)
+        same = n,Hangup()
+
+        exten = _4XX,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        ; weinturm
+        exten = 410,1,Dial(PJSIP/100&PJSIP/410,30,tT)
+        same = n,Hangup()
+
+        ; Kleinturm
+        exten = _58X,1,Dial(PJSIP/''${EXTEN},30,tT)
+        same = n,Hangup()
+
+        ; /weinturm
+      '';
+      "http.conf" = ''
+        [general]
+        enabled=yes
+        bindaddr=127.0.0.1
+
+        ; Port to bind to for HTTP sessions (default is 8088)
+        ;bindport=8088
+
+        tlsdisablev1=yes
+        tlsdisablev11=yes
+        tlsdisablev12=yes
+
+        tlsservercipherorder=yes
+      '';
+      "rtp.conf" = ''
+        [general]
+        rtpstart=${toString rtp.start}
+        rtpend=${toString rtp.end}
+      '';
+      "dnsmgr.conf" = ''
+        [general]
+        enable=yes
+        refreshinterval=60
+      '';
+      "prometheus.conf" = ''
+        [general]
+        enabled = yes
+      '';
+    };
+    useTheseDefaultConfFiles = [ ];
+  };
+
+  system.activationScripts.copyAsteriskFiles = lib.stringAfter [ "var" ] ''
+    rm -f /var/lib/asterisk/documentation/core-en_US.xml
+    mkdir -p /var/lib/asterisk/documentation
+    ln -s ${cfg.package}/var/lib/asterisk/static-http/core-en_US.xml /var/lib/asterisk/documentation/core-en_US.xml
+  '';
+
+  sops.secrets = (lib.listToAttrs (map
+    (name: lib.nameValuePair "asterisk-${name}" {
+      sopsFile = ../secrets.yaml;
+      owner = config.users.users.asterisk.name;
+    })
+    secretConfigFiles));
+  environment.etc = lib.mapAttrs'
+    (name: _: lib.nameValuePair
+      "asterisk/${name}.conf"
+      { source = config.sops.secrets."asterisk-${name}".path; })
+    (lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
+
+  networking.firewall = {
+    allowedUDPPorts = [
+      5060
+      5062
+    ];
+    allowedUDPPortRanges = [
+      {
+        from = rtp.start;
+        to = rtp.end;
+      }
+    ];
+  };
+}

machines/raven/services/colorchord.nix

@@ -0,0 +1,109 @@
+{ inputs, lib, pkgs, ... }:
+let
+  ledDevices = {
+    workbench-1 = {
+      leds = 87 * 2;
+      host = "wled-Workbench-1";
+    };
+    workbench-2 = {
+      leds = 87 * 2;
+      host = "wled-Workbench-2";
+    };
+    elektrodecke = {
+      leds = 87 * 2;
+      host = "wled-Elektrodecke";
+    };
+    traverse = {
+      leds = 235;
+      host = "wled-Traverse";
+    };
+    nhecke = {
+      leds = 75;
+      host = "wled-Nhecke";
+    };
+    printerbench = {
+      leds = 80;
+      host = "wled-Printerbench";
+    };
+    resedaraum = {
+      leds = 285;
+      host = "wled-Resedaraum";
+      loop = true;
+    };
+  };
+  soundDevices = {
+    sink = "alsa_output.usb-Burr-Brown_from_TI_USB_Audio_DAC-00.analog-stereo";
+  };
+
+  devicesProduct = lib.fold
+    (soundDevice: acc: acc // lib.mapAttrs'
+      (ledDevice: value: lib.nameValuePair "${ledDevice}-${soundDevice.name}" (value // {
+        source = soundDevice.id;
+      }))
+      ledDevices)
+    { }
+    (lib.attrValues (lib.mapAttrs (n: v: { name = n; id = v; }) soundDevices));
+in
+{
+  environment.systemPackages = with pkgs; [
+    colorchord2
+  ];
+
+  environment.etc = lib.mapAttrs'
+    (name: config: lib.nameValuePair
+      "colorchord/${name}.conf"
+      {
+        text = ''
+          # Basic
+          outdrivers = DisplayNetwork, OutputLinear
+          headless = 1
+
+          # Audio input
+          amplify = 10
+          samplerate = 48000
+          devrecord = ${config.source}
+
+          # Visualiser
+          cpu_autolimit = 1
+          satamp = 1
+
+          # LED config
+          leds = ${toString config.leds}
+          is_loop = ${if config ? loop && config.loop then "1" else "0"}
+          light_siding = 1.5
+          led_floor = 0.1
+          steady_bright = 1
+          fliprg = 0
+
+          # WLED
+          wled_realtime = 1
+          port = 19446
+          address = ${config.host}
+          wled_timeout = 2
+          skipfirst = 0
+        '';
+      })
+    devicesProduct;
+
+  systemd.user.services = builtins.listToAttrs (map
+    (soundDevice: lib.nameValuePair
+      "colorchord-${soundDevice}@"
+      {
+        partOf = [ "colorchord-${soundDevice}.target" ];
+        serviceConfig = {
+          ExecStart = ''
+            ${pkgs.colorchord2}/bin/colorchord /etc/colorchord/%i-${soundDevice}.conf
+          '';
+          Restart = "always";
+        };
+      })
+    (lib.attrNames soundDevices));
+
+  systemd.user.targets = builtins.listToAttrs (map
+    (soundDevice: lib.nameValuePair
+      "colorchord-${soundDevice}"
+      {
+        wants = map (ledDevice: "colorchord-${soundDevice}@${ledDevice}.service") (lib.attrNames ledDevices);
+      })
+    (lib.attrNames soundDevices));
+}

machines/raven/services/default.nix

@@ -1,5 +1,15 @@
 {
   imports = [
+    ./asterisk.nix
+    ./colorchord.nix
     ./dnsmasq.nix
+    ./dyndns.nix
+    ./freeradius.nix
+    ./grafana.nix
+    ./labsync
+    ./mailhog.nix
+    ./prometheus.nix
+    ./unifi-controller.nix
+    ./wekan.nix
   ];
 }

machines/raven/services/dnsmasq.nix

@@ -1,36 +1,93 @@
 { pkgs, ... }:
 
+let
+  stateDir = "/var/lib/dnsmasq";
+  dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" ''
+    dhcp-leasefile=${stateDir}/dnsmasq-events.leases
+    bind-dynamic
+    listen-address=10.10.0.1
+    except-interface=lo
+
+    domain=events.fablab-nea.de
+    dhcp-range=10.10.0.20,10.10.15.254,24h
+
+    cache-size=10000
+    dns-forward-max=1000
+
+    no-hosts
+  '';
+in
 {
   services.dnsmasq = {
     enable = true;
-
-    extraConfig = ''
-      bind-dynamic
-
-      expand-hosts
-      domain=lab.fablab-nea.de
-      dhcp-range=192.168.94.20,192.168.94.254,5m
-
-      dhcp-boot=lpxelinux.0,raven,192.168.94.1
-
-      cache-size=10000
-      dns-forward-max=1000
-
-      auth-zone=lab.fablab-nea.de,192.168.94.0/24
-      auth-server=lab.fablab-nea.de,78.47.224.251
-
-      no-hosts
-      addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
-        192.168.94.1 raven labsync
+    settings = {
+      server = [
+        "142.250.185.78" # dns.as250.net
+        "2001:470:20::2" # ordns.he.net
+        "74.82.42.42" # ordns.he.net
+      ];
+      bind-dynamic = true;
+      listen-address = [
+        "192.168.93.1"
+        "192.168.94.1"
+      ];
+      interface = "lo";
+      expand-hosts = true;
+      domain = "lab.fablab-nea.de";
+      dhcp-range = [
+        "set:voice,192.168.93.20,192.168.93.254,4h"
+        "set:lab,192.168.94.20,192.168.94.254,4h"
+      ];
+      dhcp-host = [
+        "00:30:42:1b:23:ed,192.168.93.21,rfp-01"
+        "00:30:42:1b:21:c1,192.168.93.22,rfp-02"
+        "00:30:42:1b:26:f6,192.168.93.23,rfp-03"
+        "00:30:42:1b:22:3b,192.168.93.24,rfp-04"
+        "00:30:42:1b:22:7c,192.168.93.25,rfp-05"
+      ];
+      dhcp-option = [
+        "vendor:OpenMobility,10,192.168.93.21"
+        "vendor:OpenMobility,224,OpenMobilitySIP-DECT"
+      ];
+      dhcp-boot = "lpxelinux.0,raven,192.168.94.1";
+      cache-size = 10000;
+      dns-forward-max = 1000;
+      auth-zone = "lab.fablab-nea.de,192.168.94.0/24";
+      auth-server = "lab.fablab-nea.de,78.47.224.251";
+      no-hosts = true;
+      addn-hosts = "${pkgs.writeText "hosts.dnsmasq" ''
+        192.168.94.1 raven labsync unifi
         192.168.94.2 switch
-      ''}
-    '';
+        192.168.94.3 schneiderscheune-weinturm-ap
+        192.168.94.4 schneiderscheune-weinturm-sta
+        192.168.94.5 wechselbruecke-router
+        192.168.94.6 wechselbruecke-ap
+        192.168.94.7 helferbereich-sta
+        192.168.94.8 helferbereich-switch
+        192.168.94.9 kleinturmbuehne-router
+      ''}";
+    };
+  };
 
-    servers = [
-      "142.250.185.78" # dns.as250.net
-      "2001:470:20::2" # ordns.he.net
-      "74.82.42.42" # ordns.he.net
-    ];
+  systemd.services."dnsmasq-events" = {
+    description = "dnsmasq daemon for public event network";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.dnsmasq ];
+    preStart = ''
+      mkdir -m 755 -p ${stateDir}
+      dnsmasq --test -C ${dnsmasqEventsConf}
+    '';
+    serviceConfig = {
+      Type = "dbus";
+      BusName = "uk.org.thekelleys.dnsmasq-events";
+      ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      PrivateTmp = true;
+      ProtectSystem = true;
+      ProtectHome = true;
+      Restart = "on-failure";
+    };
   };
 
   networking.firewall = {

machines/raven/services/dyndns.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  sops.secrets.dyndns-password = {
+    sopsFile = ../secrets.yaml;
+  };
+  services.ddclient = {
+    enable = true;
+    interval = "1min";
+    server = "www.duckdns.org";
+    protocol = "duckdns";
+    username = "nouser";
+    passwordFile = config.sops.secrets.dyndns-password.path;
+    domains = [ "fablab-nea" ];
+    use = "web, web=freedns.afraid.org/dynamic/check.php";
+  };
+}

machines/raven/services/freeradius.nix

@@ -0,0 +1,17 @@
+# service for unifi wifi
+# provides anonymous access via WPA2 enterprise (PEAP)
+{ pkgs, ... }:
+
+{
+  services.freeradius = {
+    enable = true;
+    configDir = "${pkgs.fablab.freeradius-anon-access}/raddb";
+    debug = true;
+  };
+  users.users.radius.group = "radius";
+  users.groups.radius = { };
+  networking.firewall.allowedUDPPorts = [
+    1812
+    1813
+  ];
+}

machines/raven/services/grafana.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+let
+  domain = "grafana.fablab-nea.de";
+  srv = config.services.grafana.settings.server;
+in
+{
+  services.grafana = {
+    enable = true;
+    settings.server.domain = domain;
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
+      recommendedProxySettings = true;
+    };
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+    '';
+  };
+}

machines/raven/services/labsync/default.nix

@@ -0,0 +1,50 @@
+# legacy labsync, currently partly implemented in docker outside of this configuration
+{ pkgs, ... }:
+
+let
+  generator_port = 8695;
+in
+{
+  services.opentracker.enable = true;
+
+  services.nginx.virtualHosts."labsync.fablab-nea.de" = {
+    addSSL = true;
+    enableACME = true;
+    locations = {
+      "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/";
+    };
+  };
+  services.nginx.virtualHosts."labsync.lab.fablab-nea.de" = {
+    locations = {
+      "/" = {
+        root = "/opt/docker/tftpgen/data";
+        extraConfig = ''
+          autoindex on;
+        '';
+      };
+      "/generator/".proxyPass = "http://127.0.0.1:${toString generator_port}/";
+    };
+  };
+
+  services.atftpd = {
+    enable = true;
+    root = pkgs.runCommand "pxelinux-tftproot" { } ''
+      mkdir -p $out/pxelinux.cfg
+      cp ${pkgs.syslinux}/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,lpxelinux.0,vesamenu.c32} $out
+      cp ${./splash.png} $out/splash.png
+      cp ${./pxelinux.cfg} $out/pxelinux.cfg/default
+      # required to serve labsync/labsync.cfg, which is generated dynamically by a docker container
+      ln -s /opt/docker/tftpgen/data $out/labsync
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    6881 # aria2
+    6969 # opentracker
+  ];
+  networking.firewall.allowedUDPPorts = [
+    6882 # aria2
+    69 # tftpd
+    6969 # opentracker
+  ];
+}

machines/raven/services/labsync/pxelinux.cfg

@@ -0,0 +1,21 @@
+# default menu settings
+menu width 100
+menu height 24
+menu title labsync
+
+# can be overwriten by mounting another image; has to be 1024×768 in 16:9
+menu background splash.png
+menu color border	* #00000000 #00000000 none
+menu color sel		* #ffffffff #76a1d0ff *
+menu color hotsel	1;7;37;40 #ffffffff #76a1d0ff *
+menu cmdlinerow 16
+menu timeoutrow 16
+menu tabmsgrow 18
+# do not show “press tab to edit options…” entry (empty)
+menu tabmsg
+
+include labsync/labsync.cfg
+default vesamenu.c32
+
+# disable timeout (explicitly)
+timeout 0

machines/raven/services/mailhog.nix

@@ -0,0 +1,4 @@
+{ config, ... }:
+{
+  services.mailhog.enable = true;
+}

machines/raven/services/prometheus.nix

@@ -0,0 +1,144 @@
+{ config, lib, pkgs, ... }:
+
+let
+  domain = "prometheus.fablab-nea.de";
+  cfg = config.services.prometheus;
+  mkStaticTargets = targets: lib.singleton { inherit targets; };
+  mkStaticTarget = target: mkStaticTargets (lib.singleton target);
+in
+{
+  services.prometheus.exporters.node.enable = true;
+
+  services.prometheus = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    webExternalUrl = "https://${domain}";
+    globalConfig = {
+      scrape_interval = "15s";
+      evaluation_interval = "15s";
+    };
+    extraFlags = [
+      "--storage.tsdb.retention.time=90d"
+      "--web.enable-admin-api"
+    ];
+    alertmanagers = [
+      {
+        static_configs = mkStaticTarget "${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
+        path_prefix = "/alertmanager/";
+      }
+    ];
+    alertmanager = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      webExternalUrl = "https://${domain}/alertmanager";
+      configuration = {
+        global.resolve_timeout = "2m";
+
+        route = {
+          receiver = "matrix";
+          group_by = [ "alertname" ];
+          group_wait = "3m";
+        };
+
+        receivers = [
+          {
+            name = "matrix";
+            webhook_configs = lib.singleton {
+              url = "http://localhost/webhook";
+            };
+          }
+        ];
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "prometheus";
+        static_configs = mkStaticTargets [
+          "localhost:${toString cfg.port}"
+          "kleinturmbuehne-router:9100"
+        ];
+      }
+      {
+        job_name = "node";
+        static_configs = mkStaticTargets [
+          "127.0.0.1:9100"
+        ];
+      }
+      {
+        job_name = "asterisk";
+        metrics_path = "/";
+        static_configs = mkStaticTargets [
+          "127.0.0.1:8088"
+        ];
+      }
+      {
+        job_name = "mikrotik";
+        static_configs = mkStaticTargets [
+          "${cfg.exporters.mikrotik.listenAddress}:${toString cfg.exporters.mikrotik.port}"
+        ];
+      }
+      {
+        job_name = "unifi";
+        static_configs = mkStaticTargets [
+          "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}"
+        ];
+      }
+    ];
+    rules =
+      let
+        mkAlert = { name, expr, for ? "1m", description ? null }: {
+          alert = name;
+          inherit expr for;
+          annotations = lib.optionalAttrs (description != null) { inherit description; };
+        };
+      in
+      [
+        (lib.generators.toYAML { } {
+          groups = lib.singleton {
+            name = "alert.rules";
+            rules = map mkAlert [
+              {
+                name = "InstanceDown";
+                expr = ''up == 0'';
+                description = "Instance {{ $labels.instance }} of job {{ $labels.job }} has been down for
+ more than 1 minutes.";
+              }
+            ];
+          };
+        })
+      ];
+  };
+
+  sops.secrets.prometheus-htpasswd = {
+    owner = "nginx";
+    sopsFile = ../secrets.yaml;
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
+
+    locations = {
+      "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
+
+      "/alertmanager/".proxyPass = "http://${cfg.alertmanager.listenAddress}:${toString cfg.alertmanager.port}";
+    };
+  };
+
+  services.prometheus.exporters.mikrotik = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    configuration = {
+      devices = [
+      ];
+      features = {
+        bgp = true;
+        dhcp = true;
+        routes = true;
+        optics = true;
+      };
+    };
+  };
+}

machines/raven/services/unifi-controller.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+  promCfg = config.services.prometheus;
+in
+{
+  services.unifi = {
+    enable = true;
+    openFirewall = true;
+    unifiPackage = pkgs.unifi8;
+  };
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
+  sops.secrets.unpoller-password = {
+    #owner = promCfg.exporters.unpoller.user;
+    owner = config.services.prometheus.exporters.unpoller.user;
+    sopsFile = ../secrets.yaml;
+  };
+
+  services.prometheus.exporters.unpoller = {
+    enable = true;
+    controllers = [{
+      user = "unpoller";
+      pass = config.sops.secrets.unpoller-password.path;
+      verify_ssl = false;
+      hash_pii = true;
+    }];
+    log.prometheusErrors = true;
+  };
+}

machines/raven/services/wekan.nix

@@ -0,0 +1,123 @@
+{ config, lib, pkgs, ... }:
+let
+  serviceName = "wekan";
+  databaseName = "wekandb";
+  networkName = "wekan-tier";
+  port = 8001;
+  domain = "wekan.fablab-nea.de";
+  url = "https://${domain}";
+
+  directories = {
+    db = "/var/lib/wekan/db";
+    dbDump = "/var/lib/wekan/db-dump";
+    data = "/var/lib/wekan/data";
+  };
+in
+{
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      "${serviceName}" = {
+        autoStart = true;
+        image = "ghcr.io/wekan/wekan:latest";
+        environment = {
+          WRITABLE_PATH = "/data";
+          MONGO_URL = "mongodb://${databaseName}:27017/wekan";
+          ROOT_URL = url;
+          #WITH_API = "true";
+          RICHER_CARD_COMMENT_EDITOR = "false";
+          CARD_OPENED_WEBHOOK_ENABLED = "false";
+          BIGEVENTS_PATTERN = "NONE";
+          BROWSER_POLICY_ENABLED = "true";
+        };
+        ports = [
+          "127.0.0.1:${toString port}:8080"
+        ];
+        dependsOn = [ databaseName ];
+        volumes = [
+          "/etc/localtime:/etc/localtime:ro"
+          "${directories.data}:/data:rw"
+        ];
+        extraOptions = [
+          "--network=${networkName}"
+          "--pull=newer"
+        ];
+      };
+      "${databaseName}" = {
+        autoStart = true;
+        image = "mongo:6";
+        cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
+        volumes = [
+          "/etc/localtime:/etc/localtime:ro"
+          #"/etc/timezone:/etc/timezone:ro"
+          "${directories.db}:/data/db"
+          "${directories.dbDump}:/dump"
+        ];
+        extraOptions = [
+          "--network=${networkName}"
+          "--pull=newer"
+        ];
+      };
+    };
+  };
+
+  # Create the netowrk
+  systemd.services.init-filerun-network-and-files = {
+    description = "Create the network bridge ${networkName} for WeKan.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig.Type = "oneshot";
+    script =
+      let podmancli = "${pkgs.podman}/bin/podman";
+      in ''
+        if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then
+          ${podmancli} network create "${networkName}"
+        else
+          echo "network already exists"
+        fi
+      '';
+  };
+
+  systemd.services.wekan-restart = {
+    description = "Restart Wekan services.";
+    serviceConfig = {
+      Type = "oneshot";
+    };
+    script = ''
+      ${pkgs.systemd}/bin/systemctl restart "podman-${databaseName}.service" "podman-${serviceName}.service"
+    '';
+  };
+
+  systemd.timers.wekan-restart = {
+    description = "Restart wekan containers";
+    after = [ "network.target" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      Persistent = true;
+      OnCalendar = "*-*-* 04:00:00";
+      Unit = "wekan-restart.service";
+    };
+  };
+
+  system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
+    mkdir -p "${directories.db}"
+    mkdir -p "${directories.dbDump}"
+    mkdir -p "${directories.data}"
+    chown 999:999 "${directories.data}"
+  '';
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+    };
+  };
+}

modules/base.nix

@@ -1,3 +1,3 @@
 {
-  boot.cleanTmpDir = true;
+  boot.tmp.cleanOnBoot = true;
 }

modules/default.nix

@@ -2,7 +2,10 @@
   imports = [
     ./base.nix
     ./nix.nix
+    ./pipewire.nix
     ./pubkeys.nix
+    ./sops.nix
     ./tools.nix
+    ./unfree.nix
   ];
 }

modules/nix.nix

@@ -21,9 +21,6 @@ let
 in
 {
   nix = {
-    # flake support
-    package = pkgs.nixUnstable;
-
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
@@ -37,20 +34,23 @@ in
       "nixpkgs-overlays=${overlaysCompat}"
     ];
 
-    # sudoers are trusted nix users
-    trustedUsers = [ "@wheel" ];
+    settings = {
+      # sudoers are trusted nix users
+      trusted-users = [ "@wheel" ];
 
-    # On-the-fly optimisation of nix store
-    autoOptimiseStore = true;
+      # On-the-fly optimisation of nix store
+      auto-optimise-store = true;
+    };
 
     # less noticeable nix builds
-    daemonNiceLevel = 10;
-    daemonIONiceLevel = 5;
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedClass = "idle";
+    daemonIOSchedPriority = 7;
   };
 
   nixpkgs.overlays = with inputs; [
-    self.overlay
-
+    self.overlays.default
+    sbruder-overlay.overlays.default
     (final: prev: {
       unstable = import nixpkgs-unstable {
         inherit (config.nixpkgs)

modules/pipewire.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+  sound.enable = true;
+  hardware.pulseaudio.enable = false;
+
+  services.pipewire = {
+    enable = true;
+    pulse = {
+      enable = true;
+    };
+    jack = {
+      enable = false;
+    };
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    pulseaudio # pacmd and pactl
+  ];
+}

modules/pubkeys.nix

@@ -3,11 +3,11 @@
 {
   options.fablab.pubkeys = with lib.types; {
     users = lib.mkOption {
-      type = attrsOf (listOf string);
+      type = attrsOf (listOf str);
       description = "pubkeys for a specific user";
     };
     groups = lib.mkOption {
-      type = attrsOf (listOf string);
+      type = attrsOf (listOf str);
       description = "pubkeys for a group of users";
     };
   };
@@ -16,7 +16,7 @@
     fablab.pubkeys = {
       users = {
         jalr = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0f7+Y4QSUsSvd360eq0Q/ESVfE/s0WxJIrzvW8cazTcmld8/rKxGQR2xrxApu7pzZlZC3LDbQrx3B6nNVEZi0dPUgkJz9oEKRY5vSJ6x0H9cZ0iFfTcCTz5znflqGaFI6E6W6Vtl+DzIrmkFgaR0wNmV9DCcYAJreW4E32t8dKsG1Pv347N0eAZs3shokPYr7dmGoNiKzTOn/ILQ1Hxppzqy1ch2h8k2KL0+FM6wO76ijivBzfMZRJW0DVYsmebO6Je5HglkzYXvrNUtcD2gIrNE0YKByjorTjjf3336S+0uBGxetzhnl+XA2PxHB/3n9AzYC4DI/Nb9wgLBo6Ql+EYaPLKnGl3JHvtcOyAfoNVPdNDfbZz+tfe8cBUt1IPTlm26RYKgwCnJvcBD6dk/5mxu1ogjSfgEIqihJaq3j3+NfIY1CUFx1U6ISG40SWEXF5xV1qW3NZg5FqqA8sOfWLlkON/yFkPJ2shXUXmiZtjXMWM6XLIO054EN7cpUxHGPspjgynU9XLc45c4k5lKF1xQv13B8n8dHNEL01MU21svfdGcpuOsRvzagLX51+rVRJObYP1bZudyYVDgsxB6B/TiBHw3Xl3mwEs4KVi/cqVsPpaG3hwqCreDlV+NeCVtb0qb1WJ2Sae83CA6NEcUvRbrwAnU/vEhJepfo6j7WSw== jalr@jalr-tp"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3l+Yixrsjhze20CSjvUK4Qj/BNqbTNitgk20vuzPej cardno:25_750_479"
         ];
         simon = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"

modules/sops.nix

@@ -0,0 +1,3 @@
+{
+  sops.defaultSopsFile = ../secrets.yaml;
+}

modules/tools.nix

@@ -23,7 +23,6 @@
     compsize
     curl
     dnsutils
-    exa
     fd
     file
     git

modules/unfree.nix

@@ -0,0 +1,8 @@
+{ lib, ... }:
+
+{
+  nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [
+    "unifi-controller"
+    "mongodb"
+  ]);
+}

pkgs/default.nix

@@ -1 +1,7 @@
-final: prev: { }
+final: prev:
+let
+  inherit (prev) callPackage recurseIntoAttrs;
+in
+{
+  fablab = recurseIntoAttrs (callPackage ./fablab { });
+}

pkgs/fablab/default.nix

@@ -0,0 +1,6 @@
+{ callPackage }:
+
+{
+  freeradius-anon-access = callPackage ./freeradius-anon-access { };
+  mitgliedsantrag = callPackage ./mitgliedsantrag { };
+}

pkgs/fablab/freeradius-anon-access/default.nix

@@ -0,0 +1,18 @@
+{ lib, freeradius, stdenvNoCC, ... }:
+
+stdenvNoCC.mkDerivation {
+  name = "freeradius-anon-access";
+  src = ./.;
+  dontBuild = true;
+  installPhase = ''
+    mkdir $out
+    cp -r raddb $out
+    sed -i 's#@PREFIX@#${freeradius}#' $out/raddb/radiusd.conf
+  '';
+  nativeBuildInputs = [
+    freeradius
+  ];
+  meta = with lib; {
+    platforms = platforms.unix;
+  };
+}

pkgs/fablab/freeradius-anon-access/raddb/README.rst

@@ -0,0 +1,665 @@
+Upgrading to Version 3.0
+========================
+
+.. contents:: Sections
+   :depth: 2
+
+.. important:: 
+   The configuration for 3.0 is *largely* compatible with the 2.x.x
+   configuration.  However, it is NOT possible to simply use the 2.x.x
+   configuration as-is.  Instead, you should re-create it.
+
+Security
+--------
+
+A number of configuration items have moved into the "security"
+subsection of radiusd.conf.  If you use these, you should move them.
+Otherwise, they can be ignored.
+
+The list of moved options is::
+
+  chroot
+  user
+  group
+  allow_core_dumps
+  reject_delay
+  status_server
+
+These entries should be moved from "radiusd.conf" to the "security"
+subsection of that file.
+
+Naming
+------
+
+Many names used by configuration items were inconsistent in earlier
+versions of the server.  These names have been unified in version 3.0.
+
+If a file is being referenced or created the config item ``filename``
+is used.
+
+If a file is being created, the initial permissions are set by the
+``permissions`` config item.
+
+If a directory hierarchy needs to be created, the permissions are set
+by ``dir_permissions``.
+
+If an external host is referenced in the context of a module the
+``server`` config item is used.
+
+Unless the config item is a well recognised portmanteau
+(as ``filename`` is for example), it must be written as multiple
+distinct words separated by underscores ``_``.
+
+The configuration items ``file``, ``script_file``, ``module``,
+``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
+``detailperm``, and ``hostname`` are deprecated. As well as any false
+portmanteaus, and configuration items that used hyphens as word
+delimiters.  e.g. ``foo-bar`` has been changed to ``foo_bar``.  Please
+update your module configuration to use the new syntax.
+
+In most cases the server will tell you the replacement config item to
+use.  As always, run the server in debugging mode to see these
+messages.
+
+Modules Directory
+-----------------
+
+As of version 3.0, the ``modules/`` directory no longer exists.
+
+Instead, all "example" modules have been put into the
+``mods-available/`` directory.  Modules which can be loaded by the
+server are placed in the ``mods-enabled/`` directory.  All of the
+modules in that directory will be loaded.  This means that the
+``instantiate`` section of radiusd.conf is less important.  The only
+reason to list a module in the ``instantiate`` section is to force
+ordering when the modules are loaded.
+
+Modules can be enabled by creating a soft link.  For module ``foo``, do::
+
+  $ cd raddb/mods-enabled
+  $ ln -s ../mods-available/foo
+
+To create "local" versions of the modules, we suggest copying the file
+instead.  This leaves the original file (with documentation) in the
+``mods-available/`` directory.  Local changes should go into the
+``mods-enabled/`` directory.
+
+Module-specific configuration files are now in the ``mods-config/``
+directory.  This change allows for better organization, and means that
+there are fewer files in the main ``raddb`` directory.  See
+``mods-config/README.rst`` for more details.
+
+Changed Modules
+---------------
+
+The following modules have been changed.
+
+
+rlm_sql
+~~~~~~~
+
+The SQL configuration has been moved from ``sql.conf`` to
+``mods-available/sql``.  The ``sqlippool.conf`` file has also been
+moved to ``mods-available/sqlippool``.
+
+The SQL module configuration has been changed.  The old connection
+pool options are no longer accepted::
+
+  num_sql_socks
+  connect_failure_retry_delay
+  lifetime
+  max_queries
+
+Instead, a connection pool configuration is used.  This configuration
+contains all of the functionality of the previous configuration, but
+in a more generic form.  It also is used in multiple modules, meaning
+that there are fewer different configuration items.  The mapping
+between the configuration items is::
+
+  num_sql_socks			-> pool { max }
+  connect_failure_retry_delay	-> pool { retry_delay }
+  lifetime			-> pool { lifetime }
+  max_queries			-> pool { uses }
+
+The pool configuration adds a number of new configuration options,
+which allow the administrator to better control how FreeRADIUS uses
+SQL connection pools.
+
+The following parameters have been changed::
+
+  trace				-> removed
+  tracefile			-> logfile
+
+The logfile is intended to log SQL queries performed.  If you need to
+debug the server, use debugging mode.  If ``logfile`` is set, then
+*all* SQL queries will go to ``logfile``.
+
+You can now use a NULL SQL database::
+
+  driver = rlm_sql_null
+
+This is an empty driver which will always return "success".  It is
+intended to be used to replace the ``sql_log`` module, and to work in
+conjunction with the ``radsqlrelay`` program.  Simply take your normal
+configuration for raddb/mods-enabled/sql, and set::
+
+  driver = rlm_sql_null
+  ...
+  logfile = ${radacctdir}/sql.log
+
+All of the SQL queries will be logged to that file.  The connection
+pool does not need to be configured for the ``null`` SQL driver.  It
+can be left as-is, or deleted from the SQL configuration file.
+
+rlm_sql_sybase
+~~~~~~~~~~~~~~
+
+The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds``
+and the old ``rlm_sql_freetds`` module has been removed.
+
+``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds``
+used an older API and was incomplete.
+
+The new ``rlm_sql_freetds`` module now also supports database
+selection on connection startup so ``use`` statements no longer
+have to be included in queries.
+
+sql/dialup.conf
+~~~~~~~~~~~~~~~
+
+Queries for post-auth and accounting calls have been re-arranged.  The
+SQL module will now expand the 'reference' configuration item in the
+appropriate sub-section, and resolve this to a configuration
+item. This behaviour is similar to rlm_linelog.  This dynamic
+expansion allows for a dynamic mapping between accounting types and
+SQL queries.  Previously, the mapping was fixed.  Any "new" accounting
+type was ignored by the module.  Now, support for any accounting type
+can be added by just adding a new target, as below.
+
+Queries from v2.x.x may be manually copied to the new v3.0
+``dialup.conf`` file (``raddb/mods-config/sql/main/<dialect>/queries.conf``).
+When doing this you may also need to update references to the
+accounting tables, as their definitions will now be outside of
+the subsection containing the query.
+
+The mapping from old "fixed" query to new "dynamic" query is as follows::
+
+  accounting_onoff_query		-> accounting.type.accounting-on.query
+  accounting_update_query		-> accounting.type.interim-update.query
+  accounting_update_query_alt		+> accounting.type.interim-update.query
+  accounting_start_query		-> accounting.type.start.query
+  accounting_start_query_alt		+> accounting.type.start.query
+  accounting_stop_query			-> accounting.type.stop.query
+  accounting_stop_query_alt		+> accounting.type.stop.query
+  postauth_query			-> post-auth.query
+
+Alternatively a 2.x.x config may be patched to work with the
+3.0 module by adding the following::
+
+  accounting {
+	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
+	type {
+		accounting-on {
+			query = "${....accounting_onoff_query}"
+		}
+		accounting-off {
+			query = "${....accounting_onoff_query}"
+		}
+		start {
+			query = "${....accounting_start_query}"
+			query = "${....accounting_start_query_alt}"
+		}
+		interim-update {
+			query = "${....accounting_update_query}"
+			query = "${....accounting_update_query_alt}"
+		}
+		stop {
+			query = "${....accounting_stop_query}"
+			query = "${....accounting_stop_query_alt}"
+		}
+	}
+  }
+
+  post-auth {
+	query = "${..postauth_query}"
+  }
+
+In general, it is safer to migrate the configuration rather than
+trying to "patch" it, to make it look like a v2 configuration.
+
+Note that the sub-sections holding the queries are labelled
+``accounting-on``, and not ``accounting_on``.  The reason is that the
+names of these sections are taken directly from the
+``Accounting-Request`` packet, and the ``Acct-Status-Type`` field.
+The ``sql`` module looks at the value of that field, and then looks
+for a section of that name, in order to find the query to use.
+
+That process means that the server can be extended to support any new
+value of ``Acct-Status-Type``, simply by adding a named sub-section,
+and a query.  This behavior is preferable to that of v2, which had
+hard-coded queries for certain ``Acct-Status-Type`` values, and was
+ignored all other values.
+
+rlm_ldap
+~~~~~~~~
+
+The LDAP module configuration has been substantially changed.  Please
+read ``raddb/mods-available/ldap``.  It now uses a connection pool,
+just like the SQL module.
+
+Many of the configuration items remain the same, but they have been
+moved into subsections.  This change is largely cosmetic, but it makes
+the configuration clearer.  Instead of having a large set of random
+configuration items, they are now organized into logical groups.
+
+You will need to read your old LDAP configuration, and migrate it
+manually to the new configuration.  Simply copying the old
+configuration WILL NOT WORK.
+
+Users upgrading from 2.x.x who used to call the ldap module in
+``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap``
+module from the ``post-auth`` section.
+
+rlm_ldap and LDAP-Group
+~~~~~~~~~~~~~~~~~~~~~~~
+
+In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done
+by the last instance of rlm_ldap to be instantiated. In 3.0 this has
+changed so that only the default ``ldap {}`` instance registers
+``LDAP-Group``.
+
+If ``<instance>-LDAP-Group`` is already used throughout your configuration
+no changes will be needed.
+
+rlm_ldap authentication
+~~~~~~~~~~~~~~~~~~~~~~~
+
+In 2.x.x the LDAP module had a ``set_auth_type`` configuration item,
+which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it
+often did not work, and was not consistent with the rest of the
+server.  We generally recommend that LDAP should be used as a
+database, and that FreeRADIUS should do authentication.
+
+The only reason to use ``Auth-Type := ldap`` is when the LDAP server
+will not supply the "known good" password to FreeRADIUS, *and* where
+the Access-Request contains User-Password.  This situation happens
+only for Active Directory.  If you think you need to force ``Auth-Type
+:= ldap`` in other situations, you are very likely to be wrong.
+
+The following is an example of what should be inserted into the
+``authorize {}`` and ``authenticate {}`` sections of the relevant
+virtual-servers, to get functionality equivalent to v2.x::
+
+  authorize {
+    ...
+    ldap
+    if ((ok || updated) && User-Password) {
+      update control {
+	Auth-Type := ldap
+      }
+    }
+    ...
+  }
+  
+  authenticate {
+    ...
+    Auth-Type ldap {
+      ldap   
+    }
+    ...
+  }
+
+rlm_eap
+~~~~~~~
+
+The EAP configuration has been moved from ``eap.conf`` to
+``mods-available/eap``.  A new ``pwd`` subsection has been added for
+EAP-PWD.
+
+rlm_expiration & rlm_logintime
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``,
+the same behaviour can be achieved checking the return code of the module and
+adding the ``Reply-Message`` with unlang::
+
+  expiration
+  if (userlock) {
+    update reply {
+      Reply-Message := "Your account has expired"
+    }
+  }
+
+rlm_unix
+~~~~~~~~
+
+The ``unix`` module does not have an ``authenticate`` section.  So you
+cannot set ``Auth-Type := System``.  The ``unix`` module has also been
+deleted from the examples in ``sites-available/``.  Listing it there
+has been deprecated for many years.
+
+The PAP module can do crypt authentication.  It should be used instead
+of Unix authentication.
+
+The Unix module still can pull the passwords from ``/etc/passwd``, or
+``/etc/shadow``.  This is done by listing it in the ``authorize``
+section, as is done in the examples in ``sites-available/``.  However,
+some systems using NIS or NSS will not supply passwords to the
+``unix`` module.  For those systems, we recommend putting users and
+passwords into a database, instead of relying on ``/etc/passwd``.
+
+rlm_preprocess
+~~~~~~~~~~~~~~
+
+In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations
+without being configured explicitly. Since 3.x.x you need to set
+``huntgroups`` and ``users`` configuration item(s) in module section in order
+to get them being processed.
+
+New Modules
+-----------
+
+rlm_date
+~~~~~~~~
+
+Instances of rlm_date register an xlat method which can translate
+integer and date values to an arbitrarily formatted date time
+string, or an arbitrarily formated time string to an integer, 
+depending on the attribute type passed.
+
+rlm_rest
+~~~~~~~~
+
+The ``rest`` module is used to translate RADIUS requests into 
+RESTfull HTTP requests. Currently supported body types are JSON
+and POST.
+
+rlm_unpack
+~~~~~~~~~~
+
+The ``unpack`` module is used to turn data buried inside of binary
+attributes.  e.g. if we have ``Class = 0x00000001020304`` then::
+
+  Tmp-Integer-0 := "%{unpack:&Class 4 short}"
+
+will unpack octets 4 and 5 as a "short", which has value 0x0304.
+All integers are assumed to be in network byte order.
+
+rlm_yubikey
+~~~~~~~~~~~
+
+The ``yubikey`` module can be used to forward yubikey OTP token
+values to a Yubico validation server, or decrypt the token 
+using a PSK.
+
+Deleted Modules
+---------------
+
+The following modules have been deleted, and are no longer supported
+in Version 3.  If you are using one of these modules, your
+configuration can probably be changed to not need it.  Otherwise email
+the freeradius-devel list, and ask about the module.
+
+rlm_acct_unique
+~~~~~~~~~~~~~~~
+
+This module has been replaced by the "acct_unique" policy.  See
+raddb/policy.d/accounting.
+
+The method for calculating the value of acct_unique has changed.
+However, as this method was configurable, this change should not
+matter.  The only issue is in having a v2 and v3 server writing to the
+same database at the same time.  They will calculate different values
+for Acct-Unique-Id.
+
+rlm_acctlog
+~~~~~~~~~~~
+
+You should use rlm_linelog instead.  That module has a superset of the
+acctlog functionality.
+
+rlm_attr_rewrite
+~~~~~~~~~~~~~~~~
+
+The attr_rewrite module looked for an attribute, and then re-wrote it,
+or created a new attribute.  All of that can be done in "unlang".
+
+A sample configuration in "unlang" is::
+
+  if (request:Calling-Station-Id) {
+    update request {
+      Calling-Station-Id := "...."
+    }
+  }
+
+We suggest updating all uses of attr_rewrite to use unlang instead.
+
+rlm_checkval
+~~~~~~~~~~~~
+
+The checkval module compared two attributes.  All of that can be done in "unlang"::
+
+  if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
+    ok
+  }
+
+We suggest updating all uses of checkval to use unlang instead.
+
+rlm_dbm
+~~~~~~~
+
+No one seems to use it.  There is no sample configuration for it.
+There is no speed advantage to using it over the "files" module.
+Modern systems are fast enough that 10K entries can be read from the
+"users" file in about 10ms.  If you need more users than that, use a
+real database such as SQL.
+
+rlm_fastusers
+~~~~~~~~~~~~~
+
+No one seems to use it.  It has been deprecated since Version 2.0.0.
+The "files" module was rewritten so that the "fastusers" module was no
+longer necessary.
+
+rlm_policy
+~~~~~~~~~~
+
+No one seems to use it.  Almost all of its functionality is available
+via "unlang".
+
+rlm_sim_files
+~~~~~~~~~~~~~
+
+The rlm_sim_files module has been deleted.  It was never marked "stable",
+and was never used in a production environment.  There are better ways
+to test EAP.
+
+If you want similar functionality, see rlm_passwd.  It can read CSV
+files, and create attributes from them.
+
+rlm_sql_log
+~~~~~~~~~~~
+
+This has been replaced with the "null" sql driver.  See
+raddb/mods-available/sql for an example configuration.
+
+The main SQL module has more functionality than rlm_sql_log, and
+results in less code in the server.
+
+Other Functionality
+-------------------
+
+The following is a list of new / changed functionality.
+
+RadSec
+~~~~~~
+
+RadSec (or RADIUS over TLS) is now supported.  RADIUS over bare TCP
+is also supported, but is recommended only for secure networks.
+
+See ``sites-available/tls`` for complete details on using TLS.  The server
+can both receive incoming TLS connections, and also originate outgoing
+TLS connections.
+
+The TLS configuration is taken from the old EAP-TLS configuration.  It
+is largely identical to the old EAP-TLS configuration, so it should be
+simple to use and configure.  It re-uses much of the EAP-TLS code,
+so it is well-tested and reliable.
+
+Once RadSec is enabled, normal debugging mode will not work.  This is
+because the TLS code requires threading to work properly.  Instead of doing::
+
+  $ radiusd -X
+
+you will need to do::
+
+  $ radiusd -fxx -l stdout
+
+That's the price to pay for using RadSec.  This limitation may be
+lifted in a future version of the server.
+
+
+PAP and User-Password
+~~~~~~~~~~~~~~~~~~~~~
+
+From version 3.0 onwards the server no longer supports authenticating
+against a cleartext password in the 'User-Password' attribute. Any
+occurences of this (for instance, in the users file) should now be changed
+to 'Cleartext-Password' instead.
+
+e.g. change entries like this::
+
+  bob User-Password == "hello"
+
+to ones like this::
+
+  bob Cleartext-Password := "hello"
+
+
+If this is not done, authentication will likely fail.  The server will
+also print a helpful message in debugging mode.
+
+If it really is impossible to do this, the following unlang inserted above
+the call to the pap module may be used to copy User-Password to the correct
+attribute::
+
+  if (!control:Cleartext-Password && control:User-Password) {
+    update control {
+      Cleartext-Password := "%{control:User-Password}"
+    }
+  }
+
+However, this should only be seen as a temporary, not permanent, fix.
+It is better to fix your databases to use the correct configuration.
+
+Unlang
+~~~~~~
+
+The unlang policy language is compatible with v2, but has a number of
+new features.  See ``man unlang`` for complete documentation.
+
+ERRORS
+
+Many more errors are caught when the server is starting up.  Syntax
+errors in ``unlang`` are caught, and a helpful error message is
+printed.  The error message points to the exact place where the error
+occurred::
+
+  ./raddb/sites-enabled/default[230]: Parse error in condition
+  ERROR:  if (User-Name ! "bob") {
+  ERROR:                ^ Invalid operator
+
+``update`` sections are more generic.  Instead of doing ``update
+reply``, you can do the following::
+
+  update {
+	  reply:Class := 0x0000
+	  control:Cleartext-Password := "hello"
+  }
+
+This change means that you need fewer ``update`` sections.
+
+COMPARISONS
+
+Attribute comparisons can be done via the ``&`` operator.  When you
+needed to compare two attributes, the old comparison style was::
+
+  if (User-Name == "%{control:Tmp-String-0}") {
+
+This syntax is inefficient, as the ``Tmp-String-0`` attribute would be
+printed to an intermediate string, causing unnecessary work.  You can
+now instead compare the two attributes directly::
+
+  if (&User-Name == &control:Tmp-String-0) {
+
+See ``man unlang`` for more details.
+
+CASTS
+
+Casts are now permitted.  This allows you to force type-specific
+comparisons::
+
+  if (<ipaddr>"%{sql: SELECT...}" == 127.0.0.1) {
+
+This forces the string returned by the SELECT to be treated as an IP
+address, and compare to ``127.0.0.1``.  Previously, the comparison
+would have been done as a simple string comparison.
+
+NETWORKS
+
+IP networks are now supported::
+
+  if (127.0.0.1/32 == 127.0.0.1) {
+
+Will be ``true``.  The various comparison operators can be used to
+check IP network membership::
+
+  if (127/8 > 127.0.0.1) {
+
+Returns ``true``, because ``127.0.0.1`` is within the ``127/8``
+network.  However, the following comparison will return ``false``::
+
+  if (127/8 > 192.168.0.1) {
+
+because ``192.168.0.1`` is outside of the ``127/8`` network.
+
+OPTIMIZATION
+
+As ``unlang`` is now pre-compiled, many compile-time optimizations are
+done.  This means that the debug output may not be exactly the same as
+what is in the configuration files::
+
+  if (0 && (User-Name == "bob')) {
+
+The result will always be ``false``, as the ``if 0`` prevents the
+following ``&& ...`` from being evaluated.
+
+Not only that, but the entire contents of that section will be ignored
+entirely::
+
+  if (0) {
+      this_module_does_not_exist
+      and_this_one_does_not_exist_either
+  }
+
+In v2, that configuration would result in a parse error, as there is
+no module called ``this_module_does_not_exist``.  In v3, that text is
+ignored.  This ability allows you to have dynamic configurations where
+certain parts are used (or not) depending on compile-time configuration.
+
+Similarly, conditions which always evaluate to ``true`` will be
+optimized away::
+
+  if (1) {
+      files
+  }
+
+That configuration will never show the ``if (1)`` output in debugging mode.
+
+
+Dialup_admin
+------------
+
+The dialup_admin directory has been removed.  No one stepped forward
+to maintain it, and the code had not been changed in many years.
+

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.conf

@@ -0,0 +1,24 @@
+[ req ]
+default_bits       = 1024
+distinguished_name = req_DN
+string_mask        = nombstr
+ 
+[ req_DN ]
+countryName                     = "1. Country Name             (2 letter code)"
+countryName_default             = DE
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = "2. State or Province Name   (full name)    "
+stateOrProvinceName_default     = Berlin
+localityName                    = "3. Locality Name            (eg, city)     "
+localityName_default            = Berlin
+0.organizationName              = "4. Organization Name        (eg, company)  "
+0.organizationName_default      = Mustermann
+organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
+organizationalUnitName_default  = Certificate Authority
+commonName                      = "6. Common Name              (eg, CA name)  "
+commonName_max                  = 64
+commonName_default              = Mustermann CA
+emailAddress                    = "7. Email Address            (eg, name@FQDN)"
+emailAddress_max                = 40
+emailAddress_default            = ca@mustermann.de

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
+BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
+NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
+tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
+yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
+H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
+EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
+YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
+hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
+dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
+ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
+hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
+cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
+hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
+-----END CERTIFICATE-----

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.csr

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
+BgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJ
+KoZIhvcNAQkBFhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD
+269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFn
+OyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABoAAw
+DQYJKoZIhvcNAQELBQADgYEAK+Fbl3mG7m0gBkekWwU4BvC92eMs93GYCtYQECu7
+/Dc0J2K1ItGC7JrRVlQvStbEFCw3cXzlbSec2v+8rvvIbn6MB+StRRYjPUiIYS3h
+qly2FpcAo3Cg5GcnNf4keDGBzClo37MF2wlT0DAQIVPHMlTbkfgAQYwQS+uKLBre
+TwM=
+-----END CERTIFICATE REQUEST-----

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.ext

@@ -0,0 +1,9 @@
+extensions = x509v3
+ 
+[ x509v3 ]
+basicConstraints      = CA:true,pathlen:0
+crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
+nsCertType            = sslCA,emailCA,objCA
+nsCaPolicyUrl         = "http://www.mustermann.de/ca/policy.htm"
+nsCaRevocationUrl     = "http://www.mustermann.de/ca/heimpold.crl"
+nsComment             = "Mustermann CA"

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5
+OFlD269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrE
+IvFnOyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQAB
+AoGAQaCF2idVGbRSVF3ae1qHGOj3Hive3WcReKg/8EittAPpNuP3tqiLUQ/WjxZr
+V1NTtZ4syvM+LXlDW186rU21iGpQqj9ce2zjxpWMco6GFf0qKBO1ZoYSyD6jW6ny
+M82TtCOVjH1LnyAz5AKRH6Wv5sG99gndK5AriEZEYrsnjQECQQDmK5EU5yVzz2o0
+X02Lolz0dRDy5J3x3hlaYKLoszMv4L04MAZ9XaMtGjqmKSOWsbMkIvp/d5A+2uJm
+42sULKC9AkEAwTN8+4Kd8d5qpNfaKiYU6x5I2qUwvkE6V7x+ttPoFzbzeHr5CM2z
+jkpA+x5u1fCtbl319zOb3ApVsrJ3o0+XqQJASeIgPxJ3jjY9RDR3YuQqbHoLh7xl
+CtedUcqFYKbtPmgotRmNa76b+4VY4C+CcgP2mhn0SOhrUBHY7OgBXkd5DQJBAIat
+ksFtAxdZGXRB+BYLp+dinBy2rKzjoX0JrDdcrtyH9N8WskU9x544CuZDB7ZhaTSX
+kV+6fTq9hZHlMNsKH8kCQQCGnlQIy3U3cN6E1O9UI4DRwPhSwl+xEfc3n0DB/Kcy
+faIPo3HnlNw/+4cIyc/7i1Ilkrj4zHtdrnAjP+OvZD7+
+-----END RSA PRIVATE KEY-----

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIUC44282GCaqhMci2pf2HDSMTwsxAwDQYJKoZIhvcNAQEL
+BQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMB4XDTIyMDgwMTAxMDU0NVoXDTI1MDczMTAxMDU0
+NVowgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJl
+cmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJKoZIhvcNAQkB
+FhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt
+tSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD269CjbbbgmOD
+yHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFnOyAiAkQq6IuX
+H8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABo4HyMIHvMA8GA1Ud
+EwQIMAYBAf8CAQAwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL3d3dy5tdXN0ZXJt
+YW5uLmRlL2NhL211c3Rlcm1hbm4uY3JsMBEGCWCGSAGG+EIBAQQEAwIABzA1Bglg
+hkgBhvhCAQgEKBYmaHR0cDovL3d3dy5tdXN0ZXJtYW5uLmRlL2NhL3BvbGljeS5o
+dG0wNwYJYIZIAYb4QgEEBCoWKGh0dHA6Ly93d3cubXVzdGVybWFubi5kZS9jYS9o
+ZWltcG9sZC5jcmwwHAYJYIZIAYb4QgENBA8WDU11c3Rlcm1hbm4gQ0EwDQYJKoZI
+hvcNAQELBQADgYEAW/8LzHdDyhB+33GuxH+m/ECOs8cKwP95xw0Sr8ic6L3/AIWX
+cO13XXCCSe1ukRy0G/IXJsiZmqfLQZWYYS1YUEWtoW3S7InSLQEHsbGDAiZSzoXY
+hiplBvng6sslNX2vFHjdpIdCyvI8OGrzUHegcnQTNBVHGX/t7fYFRgbA7bg=
+-----END CERTIFICATE-----

pkgs/fablab/freeradius-anon-access/raddb/certs/ca.serial

@@ -0,0 +1 @@
+03

pkgs/fablab/freeradius-anon-access/raddb/certs/client.conf

@@ -0,0 +1,24 @@
+[ req ]
+default_bits       = 1024
+distinguished_name = req_DN
+string_mask        = nombstr
+ 
+[ req_DN ]
+countryName                     = "1. Country Name             (2 letter code)"
+countryName_default             = DE
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = "2. State or Province Name   (full name)    "
+stateOrProvinceName_default     = Berlin
+localityName                    = "3. Locality Name            (eg, city)     "
+localityName_default            = Berlin
+0.organizationName              = "4. Organization Name        (eg, company)  "
+0.organizationName_default      = Mustermann
+organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
+#organizationalUnitName_default  =
+commonName                      = "6. Common Name              (eg, CA name)  "
+commonName_max                  = 64
+commonName_default              = Max Mustermann
+emailAddress                    = "7. Email Address            (eg, name@FQDN)"
+emailAddress_max                = 40
+emailAddress_default            = max@mustermann.de

pkgs/fablab/freeradius-anon-access/raddb/certs/client.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
+ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
+DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
+HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
+cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
+YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
+I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
+jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
+ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
+QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
+R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
+oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
+/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
+-----END CERTIFICATE-----

pkgs/fablab/freeradius-anon-access/raddb/certs/client.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
+A1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0ZXJtYW5uMRcwFQYDVQQDEw5NYXgg
+TXVzdGVybWFubjEgMB4GCSqGSIb3DQEJARYRbWF4QG11c3Rlcm1hbm4uZGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFPziPlydE+D1lKE+5Wh/aHDuQ4HBfF
+2PDWetE7um2d06newc3RZn+1JjpedX3t0u38eI5bJ2mOPj6bfdhVQBoM0/6ZE+rf
+l3EbjT69GqiAPYlA7ZlgMgz2TgO1lWwvyruMOnj2l3uHEZomY6hla9pxTjqJ7n8U
+HVVTUvZihoQ/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBX3obDa6757IR9ejEb
+1cY0k6S1SioC8ufX0Z2veFKoDLXKHL4kCZ89ie74hBf7mqx6O9ZscASXNcyuKFBz
+uaae2MSoh+DBJH6I7j23PMhs9ziaSJYLmawja0sWK/J8RaR7JNjVAzb/eU2zBQlq
+GTc8H8je+e2+aRUFYNgdGxgQ0g==
+-----END CERTIFICATE REQUEST-----

pkgs/fablab/freeradius-anon-access/raddb/certs/client.ext

@@ -0,0 +1,5 @@
+extensions = x509v3
+ 
+[ x509v3 ]
+nsCertType = client,email,objsign
+keyUsage   = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

pkgs/fablab/freeradius-anon-access/raddb/certs/client.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
+0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
+YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
+AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
+FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
+MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
+s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
+B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
+fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
+VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
+aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
+fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
+tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
+-----END RSA PRIVATE KEY-----

pkgs/fablab/freeradius-anon-access/raddb/certs/client.pem.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAh6gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
+ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
+DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
+HhcNMjIwODAxMDEwNzMzWhcNMjQwNzMxMDEwNzMzWjB/MQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCk11c3Rl
+cm1hbm4xFzAVBgNVBAMTDk1heCBNdXN0ZXJtYW5uMSAwHgYJKoZIhvcNAQkBFhFt
+YXhAbXVzdGVybWFubi5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0U/O
+I+XJ0T4PWUoT7laH9ocO5DgcF8XY8NZ60Tu6bZ3Tqd7BzdFmf7UmOl51fe3S7fx4
+jlsnaY4+Ppt92FVAGgzT/pkT6t+XcRuNPr0aqIA9iUDtmWAyDPZOA7WVbC/Ku4w6
+ePaXe4cRmiZjqGVr2nFOOonufxQdVVNS9mKGhD8CAwEAAaMiMCAwEQYJYIZIAYb4
+QgEBBAQDAgSwMAsGA1UdDwQEAwIE8DANBgkqhkiG9w0BAQsFAAOBgQARf8RRxuIB
+R7xVUg6ktwTNilSlB3MfpGyN8ZwEK2Op+ypO7Hog2kIaUVDp1mO2vlNHfkblYNm0
+oXUp9BFeXzA8WevfIJTqImyQMPwni0tNFmuIOOQKfGEQU46Q0KNtAteNHiB65wg1
+/ueDyYO0GNgTnbwlBHKYdiL4rXdjBVz3Sw==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
+0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
+YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
+AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
+FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
+MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
+s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
+B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
+fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
+VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
+aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
+fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
+tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
+-----END RSA PRIVATE KEY-----

pkgs/fablab/freeradius-anon-access/raddb/certs/dh

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAzQsuxnwr0ccOV+/wIsI4Kfj5eyBINjb5KjeFvdZec65Xj5IzJSqo
+kw2JaBhqN4Jtsq60doyev3tPtZn6YmBoVH/71CWOtibeZeSBjk67zQj7O0VKHHaG
+9OXyjGIyzUKtJl1VpD+mXvlrhZEjnnApf3fp4i8K8Ei7oHFu+6teEyei3qGKobEg
+Y+aYse5noocftCOj7QOpqLZU5BjYn+j1CVnivB3kCEuqYYTJJvyvVpTbWhAWTibY
+mZU2Sq7GCLn+hbX5R/d3hOAqISJXwloshipHv7pTvipEMF5Q9thbq/Lc8j+DQS1Y
+3KZMuq5+aDV2DVeVI5HSNv/uJJsN48hRkwIBAg==
+-----END DH PARAMETERS-----

pkgs/fablab/freeradius-anon-access/raddb/certs/server.conf

@@ -0,0 +1,24 @@
+[ req ]
+default_bits       = 1024
+distinguished_name = req_DN
+string_mask        = nombstr
+ 
+[ req_DN ]
+countryName                     = "1. Country Name             (2 letter code)"
+countryName_default             = DE
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = "2. State or Province Name   (full name)    "
+#stateOrProvinceName_default     =
+localityName                    = "3. Locality Name            (eg, city)     "
+localityName_default            = Berlin
+0.organizationName              = "4. Organization Name        (eg, company)  "
+0.organizationName_default      = Mustermann
+organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
+organizationalUnitName_default  = Server
+commonName                      = "6. Common Name              (eg, CA name)  "
+commonName_max                  = 64
+commonName_default              = www.mustermann.de
+emailAddress                    = "7. Email Address            (eg, name@FQDN)"
+emailAddress_max                = 40
+emailAddress_default            = webmaster@mustermann.de

pkgs/fablab/freeradius-anon-access/raddb/certs/server.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCREUx
+DzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0
+ZXJtYW5uMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFjAUBgNVBAMT
+DU11c3Rlcm1hbm4gQ0ExHzAdBgkqhkiG9w0BCQEWEGNhQG11c3Rlcm1hbm4uZGUw
+HhcNMjIwODAxMDEwNjQ1WhcNMjQwNzMxMDEwNjQ1WjCBiDELMAkGA1UEBhMCREUx
+DzANBgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEPMA0GA1UECxMG
+U2VydmVyMRowGAYDVQQDExF3d3cubXVzdGVybWFubi5kZTEmMCQGCSqGSIb3DQEJ
+ARYXd2VibWFzdGVyQG11c3Rlcm1hbm4uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAOGRdBwkcWMlXj5ZIez2OjadgD7JBVqXS06rZopONcFil9O4OvFHSeMP
+mGDIeeggZvh1hpcpKq2+zgY6640zlTbXK7J0T8QUXs0XHDJd9uMI5nDovaG37tah
+G83YIPKmLBB87p511amdUviPc4QJGaGRJeYnAC4ou2RX/ko6y4yfAgMBAAGjTjBM
+MBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwKgYDVR0lBCMwIQYKKwYB
+BAGCNwoDAwYJYIZIAYb4QgQBBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOBgQAQ
+wU4rNIuiakUH60u9m983BHddCl81Fy4nf2BExbxXSW/B+yj3adHQ/0RF/xGCcVrI
+ORtGlyt8OW83VEfGFFpNPMR6XdxPMyoSUEFaEyVbYGQigQUXoa5k5vINmUD6bgxF
+5o5taGIFnfnjEncwRTHADFEIN5hKHjtIdXcNRue2kg==
+-----END CERTIFICATE-----

pkgs/fablab/freeradius-anon-access/raddb/certs/server.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAkRFMQ8wDQYDVQQHEwZCZXJsaW4xEzAR
+BgNVBAoTCk11c3Rlcm1hbm4xDzANBgNVBAsTBlNlcnZlcjEaMBgGA1UEAxMRd3d3
+Lm11c3Rlcm1hbm4uZGUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBtdXN0ZXJt
+YW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhkXQcJHFjJV4+WSHs
+9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrxR0njD5hgyHnoIGb4dYaXKSqtvs4GOuuN
+M5U21yuydE/EFF7NFxwyXfbjCOZw6L2ht+7WoRvN2CDypiwQfO6eddWpnVL4j3OE
+CRmhkSXmJwAuKLtkV/5KOsuMnwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEADZZ5
++z8oUdzM0aDxMt2KyNSc8+NUkL4u+h38ZuDasHMXCncfWqp7I42qev1FHqKaI1Rn
+GWZsWd943kOeMjFgxGkQoesLsyuqRslyUHAACnqHit2ZKz51reiiakK7v/qYxiV6
+aZOZBv5s2eaG6iT1ea5f5j2SKKOyhuDwfs7q4hQ=
+-----END CERTIFICATE REQUEST-----

pkgs/fablab/freeradius-anon-access/raddb/certs/server.ext

@@ -0,0 +1,6 @@
+extensions = x509v3
+ 
+[ x509v3 ]
+nsCertType       = server
+keyUsage         = digitalSignature,nonRepudiation,keyEncipherment
+extendedKeyUsage = msSGC,nsSGC,serverAuth

pkgs/fablab/freeradius-anon-access/raddb/certs/server.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDhkXQcJHFjJV4+WSHs9jo2nYA+yQVal0tOq2aKTjXBYpfTuDrx
+R0njD5hgyHnoIGb4dYaXKSqtvs4GOuuNM5U21yuydE/EFF7NFxwyXfbjCOZw6L2h
+t+7WoRvN2CDypiwQfO6eddWpnVL4j3OECRmhkSXmJwAuKLtkV/5KOsuMnwIDAQAB
+AoGAO1kEvp7MAnUDfc3/whPqrxHzexFyyioCU1l/aiY3uIDTR44yW+cQxqAEzHoS
+sQNNdFOfrMfVBc+s7zCzZvxKZpvapg2HGATkk9I8AFUTuSh7n3oUT/AZ1KGdd04G
+wS/6QsLR3G8c+0RB9DPWpMVgg1OlQ1U3ESB+eaeQ28/hLFECQQD6LRHnLfLrGlz9
+0htFV3JD19qPNmwRCEa/bHeK4dICuEikgpQZ18nbOCrfUvR4GltkQA8w6CMGmebJ
+5COHx+epAkEA5tG7fsnA8ut/AfA3HoBRi1YtoE4YLOE8b+Jdt72LDE6jaR9mBc0N
+gwxDBhdgZf9HTSaWB65j1V1sik8DqkjfBwJABE5SSJBZ5gIGJ7g+D+t5ZAGLGXvu
+UDy8Ov8674EDhFh3p503v1ofd054Lm/XFVoeyJLxr/3O3IY5mq/6jJO8QQJBANcC
+V51rYojmRZEQqseG0G7y/91r4aksxpeSTapyravxNNcfoHGW6RdBvM1XyTw557k+
+UFMnZ2fBdvH/WHKvHtECQEvLTxtmdxKMrndFJiTObeItdl/iHU9JujW4ib64CysI
+RdwEverbouogjHfyeDjazXIsgpIUSIbZNHL13bICpBg=
+-----END RSA PRIVATE KEY-----

pkgs/fablab/freeradius-anon-access/raddb/clients.conf

@@ -0,0 +1,4 @@
+client 0.0.0.0/0 {
+        secret                        = anonymous
+        require_message_authenticator = no
+}

pkgs/fablab/freeradius-anon-access/raddb/dictionary

@@ -0,0 +1,49 @@
+#
+#	This is the local dictionary file which can be
+#	edited by local administrators.  It will be loaded
+#	AFTER the main dictionary files are loaded.
+#
+#	As of version 3.0.2, FreeRADIUS will automatically
+#	load the main dictionary files from
+#
+#		${prefix}/share/freeradius/dictionary
+#
+#	It is no longer necessary for this file to $INCLUDE
+#	the main dictionaries.  However, if the $INCLUDE
+#	line is here, nothing bad will happen.
+#
+#	Any new/changed attributes MUST be placed in this file.
+#	The pre-defined dictionaries SHOULD NOT be edited.
+#
+#	See "man dictionary" for documentation on its format.
+#
+#	$Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
+#
+
+#
+#	All local attributes and $INCLUDE's should go into
+#	this file.
+#
+
+#	If you want to add entries to the dictionary file,
+#	which are NOT going to be placed in a RADIUS packet,
+#	add them to the 'dictionary.local' file.
+#
+#	The numbers you pick should be between 3000 and 4000.
+#	These attributes will NOT go into a RADIUS packet.
+#
+#	If you want that, you will need to use VSAs.  This means
+#	requesting allocation of a Private Enterprise Code from
+#	http://iana.org.  We STRONGLY suggest doing that only if
+#	you are a vendor of RADIUS equipment.
+#
+#	See RFC 6158 for more details.
+#	http://ietf.org/rfc/rfc6158.txt
+#
+
+#
+#	These attributes are examples
+#
+#ATTRIBUTE	My-Local-String		3000	string
+#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
+#ATTRIBUTE	My-Local-Integer	3002	integer

pkgs/fablab/freeradius-anon-access/raddb/experimental.conf

@@ -0,0 +1,116 @@
+#
+#  This file contains the configuration for experimental modules.
+#
+#  By default, it is NOT included in the build.
+#
+#  $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $
+#
+
+# Configuration for the Python module.
+#
+# Where radiusd is a Python module, radiusd.py, and the
+# function 'authorize' is called.  Here is a dummy piece
+# of code:
+#
+#	def authorize(params):
+#		print params
+#		return (5, ('Reply-Message', 'banned'))
+#
+# The RADIUS value-pairs are passed as a tuple of tuple
+# pairs as the first argument, e.g. (('attribute1',
+# 'value1'), ('attribute2', 'value2'))
+#
+# The function return is a tuple with the first element
+# being the return value of the function.
+# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
+# write the return values as Python symbols to avoid
+# confusion.
+#
+# The remaining tuple members are the string form of
+# value-pairs which are passed on to pairmake().
+#
+python {
+	mod_instantiate = radiusd_test
+	func_instantiate = instantiate
+
+	mod_authorize = radiusd_test
+	func_authorize = authorize
+
+	mod_accounting = radiusd_test
+	func_accounting = accounting
+
+	mod_pre_proxy = radiusd_test
+	func_pre_proxy = pre_proxy
+
+	mod_post_proxy = radiusd_test
+	func_post_proxy = post_proxy
+
+	mod_post_auth = radiusd_test
+	func_post_auth = post_auth
+
+	mod_recv_coa = radiusd_test
+	func_recv_coa = recv_coa
+
+	mod_send_coa = radiusd_test
+	func_send_coa = send_coa
+
+	mod_detach = radiusd_test
+	func_detach = detach
+}
+
+
+# Configuration for the example module.  Uncommenting it will cause it
+# to get loaded and initialised, but should have no real effect as long
+# it is not referenced in one of the autz/auth/preacct/acct sections
+example {
+	#  Boolean variable.
+	# allowed values: {no, yes}
+	boolean = yes
+
+	#  An integer, of any value.
+	integer = 16
+
+	#  A string.
+	string = "This is an example configuration string"
+
+	# An IP address, either in dotted quad (1.2.3.4) or hostname
+	# (example.com)
+	ipaddr = 127.0.0.1
+
+	# A subsection
+	mysubsection {
+		anotherinteger = 1000
+		# They nest
+		deeply nested {
+			string = "This is a different string"
+		}
+	}
+}
+
+#
+#  To create a dbm users file, do:
+#
+#   cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
+#
+#  Then add 'dbm' in 'authorize' section.
+#
+#  Note that even if the file has a ".db" or ".dbm" extension,
+#  you may have to specify it here without that extension.  This
+#  is because the DBM libraries "helpfully" add a ".db" to the
+#  filename, but don't check if it's already there.
+#
+dbm {
+	usersfile = ${confdir}/users_db
+}
+
+# Instantiate a couple instances of the idn module
+idn {
+}
+
+# ...more commonly known as...
+idn idna {
+}
+
+idn idna_lenient {
+	UseSTD3ASCIIRules = no
+}

pkgs/fablab/freeradius-anon-access/raddb/hints

@@ -0,0 +1 @@
+./mods-config/preprocess/hints

pkgs/fablab/freeradius-anon-access/raddb/huntgroups

@@ -0,0 +1 @@
+./mods-config/preprocess/huntgroups

pkgs/fablab/freeradius-anon-access/raddb/mods-available/always

@@ -0,0 +1,81 @@
+# -*- text -*-
+#
+#  $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $
+
+#
+#  The "always" module is here for debugging purposes, or
+#  for use in complex policies.
+#  Instance simply returns the same result, always, without
+#  doing anything.
+#
+#  rcode may be one of the following values:
+#  - reject   - Reject the user.
+#  - fail     - Simulate or indicate a failure.
+#  - ok       - Simulate or indicate a success.
+#  - handled  - Indicate that the request has been handled,
+#               stop processing, and send response if set.
+#  - invalid  - Indicate that the request is invalid.
+#  - userlock - Indicate that the user account has been
+#               locked out.
+#  - notfound - Indicate that a user account can't be found.
+#  - noop     - Simulate a no-op.
+#  - updated  - Indicate that the request has been updated.
+#
+#  If an instance is listed in a session {}  section, 
+#  this simulates a user having <integer> sessions.
+#  
+#  simulcount = <integer>
+#
+#  If an instance is listed in a session {}  section, 
+#  this simulates the user having multilink
+#  sessions.
+#
+#  mpp = <integer>
+#
+#  An xlat based on the instance name can be called to change the status
+#  returned by the instance, in this example "always db_status { ... }"
+#
+#  Force the module status to be alive or dead:
+#
+#  %{db_status:alive}
+#  %{db_status:dead}
+#
+#  Update the rcode returned by an alive module (a dead module returns fail):
+#
+#  %{db_status:ok}
+#  %{db_status:fail}
+#  %{db_status:notfound}
+#  ...
+#
+#  The above xlats expand to the current status of the module. To fetch the
+#  current status without affecting it call the xlat with an empty argument:
+#
+#  %{db_status:}
+#
+always reject {
+	rcode = reject
+}
+always fail {
+	rcode = fail
+}
+always ok {
+	rcode = ok
+}
+always handled {
+	rcode = handled
+}
+always invalid {
+	rcode = invalid
+}
+always userlock {
+	rcode = userlock
+}
+always notfound {
+	rcode = notfound
+}
+always noop {
+	rcode = noop
+}
+always updated {
+	rcode = updated
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/attr_filter

@@ -0,0 +1,61 @@
+# -*- text -*-
+#
+#  $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $
+
+#
+#  This file defines a number of instances of the "attr_filter" module.
+#
+
+# attr_filter - filters the attributes received in replies from
+# proxied servers, to make sure we send back to our RADIUS client
+# only allowed attributes.
+attr_filter attr_filter.post-proxy {
+	key = "%{Realm}"
+	filename = ${modconfdir}/${.:name}/post-proxy
+}
+
+# attr_filter - filters the attributes in the packets we send to
+# the RADIUS home servers.
+attr_filter attr_filter.pre-proxy {
+	key = "%{Realm}"
+	filename = ${modconfdir}/${.:name}/pre-proxy
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_reject {
+	key = "%{User-Name}"
+	filename = ${modconfdir}/${.:name}/access_reject
+}
+
+# Enforce RFC requirements on the contents of Access-Challenge
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_challenge {
+	key = "%{User-Name}"
+	filename = ${modconfdir}/${.:name}/access_challenge
+}
+
+
+#  Enforce RFC requirements on the contents of the
+#  Accounting-Response packets.  See the comments at the
+#  top of the file for more details.
+#
+attr_filter attr_filter.accounting_response {
+	key = "%{User-Name}"
+	filename = ${modconfdir}/${.:name}/accounting_response
+}
+
+#
+#  Enforce CoA or Disconnect packets.
+#
+#  Note that you MUST edit the "coa" file below for your
+#  local configuration.  Add in any attributes needed by the NAS.
+#
+attr_filter attr_filter.coa {
+	key = "%{User-Name}"
+	filename = ${modconfdir}/${.:name}/coa
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache_eap

@@ -0,0 +1,13 @@
+#
+#	Cache EAP responses for resiliency on intermediary proxy fail-over
+#
+cache cache_eap {
+	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
+
+	ttl = 15
+
+	update reply {
+		reply: += &reply:
+		&control:State := &request:State
+	}
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/chap

@@ -0,0 +1,11 @@
+# -*- text -*-
+#
+#  $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
+
+# CHAP module
+#
+#  To authenticate requests containing a CHAP-Password attribute.
+#
+chap {
+	# no configuration
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/date

@@ -0,0 +1,35 @@
+#
+#  Registers xlat to convert between time formats.
+#
+#  xlat input string is an attribute name. If this attribute is of date
+#  or integer type, the date xlat will convert it to a time string in
+#  the format of the format config item.
+#
+#  If the attribute is a string type, date will attempt to parse it in
+#  the format specified by the format config item, and will expand
+#  to a Unix timestamp.
+#
+date {
+	format = "%b %e %Y %H:%M:%S %Z"
+
+	# Use UTC instead of local time.
+	#
+	#  default = no
+#	utc = yes
+}
+
+#
+#  The WISPr-Session-Terminate-Time attribute is of type "string",
+#  and not "date".  Use this expansion to create an attribute
+#  that holds an actual date:
+#
+#	Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
+#
+date wispr2date {
+	format = "%Y-%m-%dT%H:%M:%S"
+
+	# Use UTC instead of local time.
+	#
+	#  default = no
+#	utc = yes
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail

@@ -0,0 +1,109 @@
+# -*- text -*-
+#
+#  $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $
+
+# Write a detailed log of all accounting records received.
+#
+detail {
+	#  Note that we do NOT use NAS-IP-Address here, as
+	#  that attribute MAY BE from the originating NAS, and
+	#  NOT from the proxy which actually sent us the
+	#  request.
+	#
+	#  The following line creates a new detail file for
+	#  every radius client (by IP address or hostname).
+	#  In addition, a new detail file is created every
+	#  day, so that the detail file doesn't have to go
+	#  through a 'log rotation'
+	#
+	#  If your detail files are large, you may also want to add
+	#  a ':%H' (see doc/configuration/variables.rst) to the end
+	#  of it, to create a new detail file every hour, e.g.:
+	#
+	#   ..../detail-%Y%m%d:%H
+	#
+	#  This will create a new detail file for every hour.
+	#
+	#  If you are reading detail files via the "listen" section
+	#  (e.g. as in raddb/sites-available/robust-proxy-accounting),
+	#  you MUST use a unique directory for each combination of a
+	#  detail file writer, and reader.  That is, there can only
+	#  be ONE "listen" section reading detail files from a
+	#  particular directory.
+	#
+	#  The configuration below puts the detail files into separate
+	#  directories for each client.  If you are reading the detail
+	#  files via the "listen" section, just use one directory.
+	#
+	#  e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
+	#
+	#  AND use a separate directory (reader2, reader3, etc.) for each
+	#  reader.
+	#
+	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
+
+	#
+	#  If you are using radrelay, delete the above line for "file",
+	#  and use this one instead:
+	#
+#	filename = ${radacctdir}/detail
+
+	#
+	#  Most file systems can handly nearly the full range of UTF-8
+	#  characters.  Ones that can deal with a limited range should
+	#  set this to "yes".
+	#
+	escape_filenames = no
+
+	#
+	#  The Unix-style permissions on the 'detail' file.
+	#
+	#  The detail file often contains secret or private
+	#  information about users.  So by keeping the file
+	#  permissions restrictive, we can prevent unwanted
+	#  people from seeing that information.
+	permissions = 0600
+
+	# The Unix group of the log file.
+	#
+	# The user that the server runs as must be in the specified
+	# system group otherwise this will fail to work.
+	#
+#	group = ${security.group}
+
+	#
+	#  Every entry in the detail file has a header which
+	#  is a timestamp.  By default, we use the ctime
+	#  format (see "man ctime" for details).
+	#
+	#  The header can be customised by editing this
+	#  string.  See "doc/configuration/variables.rst" for a
+	#  description of what can be put here.
+	#
+	header = "%t"
+
+	#
+	#  Uncomment this line if the detail file reader will be
+	#  reading this detail file.
+	#
+#	locking = yes
+
+	#
+	#  Log the Packet src/dst IP/port.  This is disabled by
+	#  default, as that information isn't used by many people.
+	#
+#	log_packet_header = yes
+
+	#
+	# Certain attributes such as User-Password may be
+	# "sensitive", so they should not be printed in the
+	# detail file.  This section lists the attributes
+	# that should be suppressed.
+	#
+	# The attributes should be listed one to a line.
+	#
+	#suppress {
+		# User-Password
+	#}
+
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.log

@@ -0,0 +1,75 @@
+# -*- text -*-
+#
+#  $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
+
+#
+#  More examples of doing detail logs.
+
+#
+#  Many people want to log authentication requests.
+#  Rather than modifying the server core to print out more
+#  messages, we can use a different instance of the 'detail'
+#  module, to log the authentication requests to a file.
+#
+#  You will also need to un-comment the 'auth_log' line
+#  in the 'authorize' section, below.
+#
+detail auth_log {
+	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
+
+	#
+	#  This MUST be 0600, otherwise anyone can read
+	#  the users passwords!
+	permissions = 0600
+
+	# You may also strip out passwords completely
+	suppress {
+		User-Password
+	}
+}
+
+#
+#  This module logs authentication reply packets sent
+#  to a NAS.  Both Access-Accept and Access-Reject packets
+#  are logged.
+#
+#  You will also need to un-comment the 'reply_log' line
+#  in the 'post-auth' section, below.
+#
+detail reply_log {
+	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
+
+	permissions = 0600
+}
+
+#
+#  This module logs packets proxied to a home server.
+#
+#  You will also need to un-comment the 'pre_proxy_log' line
+#  in the 'pre-proxy' section, below.
+#
+detail pre_proxy_log {
+	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
+
+	#
+	#  This MUST be 0600, otherwise anyone can read
+	#  the users passwords!
+	permissions = 0600
+
+	# You may also strip out passwords completely
+	#suppress {
+		# User-Password
+	#}
+}
+
+#
+#  This module logs response packets from a home server.
+#
+#  You will also need to un-comment the 'post_proxy_log' line
+#  in the 'post-proxy' section, below.
+#
+detail post_proxy_log {
+	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
+
+	permissions = 0600
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/digest

@@ -0,0 +1,13 @@
+# -*- text -*-
+#
+#  $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
+
+#
+#  The 'digest' module currently has no configuration.
+#
+#  "Digest" authentication against a Cisco SIP server.
+#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
+#  on performing digest authentication for Cisco SIP servers.
+#
+digest {
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/dynamic_clients

@@ -0,0 +1,32 @@
+# -*- text -*-
+#
+#  $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
+
+# This module loads RADIUS clients as needed, rather than when the server
+# starts.
+#
+#  There are no configuration entries for this module.  Instead, it
+#  relies on the "client" configuration.  You must:
+#
+#	1) link raddb/sites-enabled/dynamic_clients to
+#	   raddb/sites-available/dynamic_clients
+#
+#	2) Define a client network/mask (see top of the above file)
+#
+#	3) uncomment the "directory" entry in that client definition
+#
+#	4) list "dynamic_clients" in the "authorize" section of the
+#	   "dynamic_clients' virtual server.  The default example already
+#	   does this.
+#
+#	5) put files into the above directory, one per IP.
+#	   e.g. file "192.0.2.1" should contain a normal client definition
+#	   for a client with IP address 192.0.2.1.
+#
+#  For more documentation, see the file:
+#
+#	raddb/sites-available/dynamic-clients
+#
+dynamic_clients {
+
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/echo

@@ -0,0 +1,123 @@
+# -*- text -*-
+#
+#  $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
+
+#
+#  This is a more general example of the execute module.
+#
+#  This one is called "echo".
+#
+#  Attribute-Name = `%{echo:/path/to/program args}`
+#
+#  If you wish to execute an external program in more than
+#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
+#  is probably best to define a different instance of the
+#  'exec' module for every section.
+#
+#  The return value of the program run determines the result
+#  of the exec instance call as follows:
+#  (See doc/configurable_failover for details)
+#
+#  < 0 : fail      the module failed
+#  = 0 : ok        the module succeeded
+#  = 1 : reject    the module rejected the user
+#  = 2 : fail      the module failed
+#  = 3 : ok        the module succeeded
+#  = 4 : handled   the module has done everything to handle the request
+#  = 5 : invalid   the user's configuration entry was invalid
+#  = 6 : userlock  the user was locked out
+#  = 7 : notfound  the user was not found
+#  = 8 : noop      the module did nothing
+#  = 9 : updated   the module updated information in the request
+#  > 9 : fail      the module failed
+#
+exec echo {
+	#
+	#  Wait for the program to finish.
+	#
+	#  If we do NOT wait, then the program is "fire and
+	#  forget", and any output attributes from it are ignored.
+	#
+	#  If we are looking for the program to output
+	#  attributes, and want to add those attributes to the
+	#  request, then we MUST wait for the program to
+	#  finish, and therefore set 'wait=yes'
+	#
+	# allowed values: {no, yes}
+	wait = yes
+
+	#
+	#  The name of the program to execute, and it's
+	#  arguments.  Dynamic translation is done on this
+	#  field, so things like the following example will
+	#  work.
+	#
+	program = "/bin/echo %{User-Name}"
+
+	#
+	#  The attributes which are placed into the
+	#  environment variables for the program.
+	#
+	#  Allowed values are:
+	#
+	#	request		attributes from the request
+	#	config		attributes from the configuration items list
+	#	reply		attributes from the reply
+	#	proxy-request	attributes from the proxy request
+	#	proxy-reply	attributes from the proxy reply
+	#
+	#  Note that some attributes may not exist at some
+	#  stages.  e.g. There may be no proxy-reply
+	#  attributes if this module is used in the
+	#  'authorize' section.
+	#
+	input_pairs = request
+
+	#
+	#  Where to place the output attributes (if any) from
+	#  the executed program.  The values allowed, and the
+	#  restrictions as to availability, are the same as
+	#  for the input_pairs.
+	#
+	output_pairs = reply
+
+	#
+	#  When to execute the program.  If the packet
+	#  type does NOT match what's listed here, then
+	#  the module does NOT execute the program.
+	#
+	#  For a list of allowed packet types, see
+	#  the 'dictionary' file, and look for VALUEs
+	#  of the Packet-Type attribute.
+	#
+	#  By default, the module executes on ANY packet.
+	#  Un-comment out the following line to tell the
+	#  module to execute only if an Access-Accept is
+	#  being sent to the NAS.
+	#
+	#packet_type = Access-Accept
+
+	#
+	#  Should we escape the environment variables?
+	#
+	#  If this is set, all the RADIUS attributes
+	#  are capitalised and dashes replaced with
+	#  underscores. Also, RADIUS values are surrounded
+	#  with double-quotes.
+	#
+	#  That is to say: User-Name=BobUser => USER_NAME="BobUser"
+	shell_escape = yes
+
+	#
+	#  How long should we wait for the program to finish?
+	#
+	#  Default is 10 seconds, which should be plenty for nearly
+	#  anything. Range is 1 to 30 seconds. You are strongly
+	#  encouraged to NOT increase this value. Decreasing can
+	#  be used to cause authentication to fail sooner when you
+	#  know it's going to fail anyway due to the time taken,
+	#  thereby saving resources.
+	#
+	#timeout = 10
+
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/exec

@@ -0,0 +1,29 @@
+# -*- text -*-
+#
+#  $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
+
+#
+#  Execute external programs
+#
+#  This module is useful only for 'xlat'.  To use it,
+#  put 'exec' into the 'instantiate' section.  You can then
+#  do dynamic translation of attributes like:
+#
+#  Attribute-Name = `%{exec:/path/to/program args}`
+#
+#  The value of the attribute will be replaced with the output
+#  of the program which is executed.  Due to RADIUS protocol
+#  limitations, any output over 253 bytes will be ignored.
+#
+#  The RADIUS attributes from the user request will be placed
+#  into environment variables of the executed program, as
+#  described in "man unlang" and in doc/configuration/variables.rst
+#
+#  See also "echo" for more sample configuration.
+#
+exec {
+	wait = no
+	input_pairs = request
+	shell_escape = yes
+	timeout = 10
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/expiration

@@ -0,0 +1,13 @@
+# -*- text -*-
+#
+#  $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
+
+#
+# The expiration module. This handles the Expiration attribute
+# It should be included in the *end* of the authorize section
+# in order to handle user Expiration. It should also be included
+# in the instantiate section in order to register the Expiration
+# compare function
+#
+expiration {
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/expr

@@ -0,0 +1,146 @@
+# -*- text -*-
+#
+#  $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
+
+#
+#  This module performs mathematical calculations:
+#
+#	Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
+#
+#  It supports the following operators (in order of precedence)
+#
+#	&	binary AND
+#	|	binary OR
+#	<<	left shift
+#	>>	right shift
+#	+	addition
+#	-	subtraction
+#	*	multiply
+#	/	divide
+#	%%	remainder
+#	^	exponentiation
+#	(...)	sub-expression
+#
+#  Operator precedence follows the normal rules.
+#  Division by zero means that the entire expression is invalid.
+#
+#  Note that in versions before 3.0.5, the expression
+#  was parsed strictly left to right, and ignored operator
+#  precedence.
+#
+#  It also allows unary negation:	-1
+#  And twos complement:			~1
+#
+#  All calculations are done on signed 63-bit integers.
+#  e.g. int64_t.  This should be sufficient for all normal
+#  purposes.
+#
+#  Hex numbers are supported:		0xabcdef
+#
+#  As with all string expansions, you can nest the expansions:
+#
+#	%{expr: %{NAS-Port} + 1}
+#	%{expr: %{sql:SELECT ... } + 1}
+#
+#  Attribute references are supported for integer attributes.
+#  e.g. &NAS-Port.  The benefit of using attribute references
+#  is that the expression is calculated directly on the
+#  attribute.  It skips the step of "print to string, and then
+#  parse to number".  This means it's a little faster.
+#
+#  Otherwise, all numbers are decimal.
+#
+
+#
+#  The module also registers a few paircompare functions, and
+#  many string manipulation functions, including:
+#
+#  rand		get random number from 0 to n-1
+#		"%{rand:10}" == "9"
+#
+#  randstr	get random string built from character classes:
+#			c lowercase letters
+#			C uppercase letters
+#			n numbers
+#			a alphanumeric
+#			! punctuation
+#			. alphanumeric + punctuation
+#			s alphanumeric + "./"
+#			o characters suitable for OTP (easily confused removed)
+#			h binary data as lowercase hex
+#			H binary data as uppercase hex
+#
+#		"%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
+#		"%{randstr:oooooooo}" == "rfVzyA4y"
+#		"%{randstr:hhhh}" == "68d60de3"
+#
+#  urlquote	quote special characters in URI
+#		"%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
+#
+#  urlunquote	unquote URL special characters
+#		"%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
+#
+#  escape	escape string similar to rlm_sql safe_characters
+#		"%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62" 
+#
+#  unescape	reverse of escape
+#		"%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
+#
+#  tolower	convert to lowercase
+#		"%{tolower:Bar}" == "bar"
+#
+#  toupper	convert to uppercase
+#		"%{toupper:Foo}" == "FOO"
+#
+#  md5		get md5sum hash
+#		"%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
+#		
+#  sha1		get sha1 hash
+#		"%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
+#
+#  sha256	get sha256 hash
+#		"%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
+#
+#  sha512	get sha512 hash
+#		"%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
+#
+#  hmacmd5	generate HMAC-MD5 of string
+#		"%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
+#
+#  hmacsha1	generate HMAC-SHA1 of string
+#		"%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
+#
+#  crypt	encrypt with a salt: %{crypt:salt:password}
+#		"%{crypt:aa:foo}" == "aaKNIEDOaueR6"
+#		"%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
+#		"%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
+#
+#  pairs	serialize attributes as comma-delimited string
+#		"%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
+#
+#  base64	encode string as base64
+#		"%{base64:foo}" == "Zm9v"
+#
+#  base64tohex	convert base64 to hex
+#		"%{base64tohex:Zm9v}" == "666f6f"
+#
+#  explode	split an attribute into multiple new attributes based on a delimiter
+#		"%{explode:&ref <delim>}"
+#
+#  nexttime	calculate number of seconds until next n hour(s), day(s), week(s), year(s)
+#		if it were 16:18, %{nexttime:1h} would expand to 2520
+#
+#  lpad		left-pad a string
+#		if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
+#
+#  rpad		right-pad a string
+#		if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
+#
+
+expr {
+	#
+	# Characters that will not be encoded by the %{escape}
+	# xlat function.
+	#
+	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/files

@@ -0,0 +1,30 @@
+# -*- text -*-
+#
+#  $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
+
+# Livingston-style 'users' file
+#
+# See "man users" for more information.
+#
+files {
+	# Search for files in a subdirectory of mods-config which
+	# matches this instance of the files module.
+	moddir = ${modconfdir}/${.:instance}
+
+	# The default key attribute to use for matches.  The content
+	# of this attribute is used to match the "name" of the
+	# entry.
+	#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
+
+	#  The old "users" style file is now located here.
+	filename = ${moddir}/authorize
+
+	#  This is accepted for backwards compatibility
+	#  It will be removed in a future release.
+#	usersfile = ${moddir}/authorize
+
+	#  These are accepted for backwards compatibility.
+	#  They will be renamed in a future release.
+	acctusersfile = ${moddir}/accounting
+	preproxy_usersfile = ${moddir}/pre-proxy
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/linelog

@@ -0,0 +1,161 @@
+# -*- text -*-
+#
+#  $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
+
+#
+#  The "linelog" module will log one line of text to a file.
+#  Both the filename and the line of text are dynamically expanded.
+#
+#  We STRONGLY suggest that you do not use data from the
+#  packet as part of the filename.
+#
+linelog {
+	#
+	#  The file where the logs will go.
+	#
+	#  If the filename is "syslog", then the log messages will
+	#  go to syslog.
+	filename = ${logdir}/linelog
+
+	#
+	#  Most file systems can handly nearly the full range of UTF-8
+	#  characters.  Ones that can deal with a limited range should
+	#  set this to "yes".
+	#
+	escape_filenames = no
+
+	#
+	#  The Unix-style permissions on the log file.
+	#
+	#  Depending on format string, the log file may contain secret or
+	#  private information about users.  Keep the file permissions as
+	#  restrictive as possible.
+	permissions = 0600
+
+	#  The Unix group which owns the log file.
+	#
+	#  The user that freeradius runs as must be in the specified
+	#  group, otherwise it will not be possible to set the group.
+#	group = ${security.group}
+
+	#  Syslog facility (if logging via syslog).
+	#  Defaults to the syslog_facility config item in radiusd.conf.
+	#  Standard facilities are:
+	#  - kern        Messages generated by the kernel.  These cannot
+	#                be generated by any user processes.
+	#  - user        Messages generated by random user processes.
+	#                This is the default facility identifier if
+	#                none is specified.
+	#  - mail        The mail system.
+	#  - daemon      System daemons, such as routed(8), that are not
+	#                provided for explicitly by other facilities.
+	#  - auth        The authorization system: login(1), su(1),
+	#                getty(8), etc.
+	#  - lpr         The line printer spooling system: cups-lpd(8),
+	#                cupsd(8), etc.
+	#  - news        The network news system.
+	#  - uucp        The uucp system.
+	#  - cron        The cron daemon: cron(8).
+	#  - authpriv    The same as LOG_AUTH, but logged to a file
+	#                readable only by selected individuals.
+	#  - ftp         The file transfer protocol daemons: ftpd(8),
+	#                tftpd(8).
+	#  - local[0-7]  Reserved for local use.
+#	syslog_facility = daemon
+
+	#  Syslog severity (if logging via syslog). Defaults to info.
+	#  Possible values are:
+	#  - emergency   A panic condition.  This is normally broadcast
+	#                to all users.
+	#  - alert       A condition that should be corrected immediately,
+	#                such as a corrupted system database.
+	#  - critical    Critical conditions, e.g., hard device errors.
+	#  - error       Errors.
+	#  - warning     Warning messages.
+	#  - notice      Conditions that are not error conditions, but
+	#                should possibly be handled specially.
+	#  - info        Informational messages.
+	#  - debug       Messages that contain information normally of use
+	#                only when debugging a program.
+#	syslog_severity = info
+
+	#  If logging via syslog, the severity can be set here.
+	#  Defaults to info.
+	#
+	#  The default format string.
+	format = "This is a log message for %{User-Name}"
+
+	#
+	#  This next line can be omitted.  If it is omitted, then
+	#  the log message is static, and is always given by "format",
+	#  above.
+	#
+	#  If it is defined, then the string is dynamically expanded,
+	#  and the result is used to find another configuration entry
+	#  here, with the given name.  That name is then used as the
+	#  format string.
+	#
+	#  If the configuration entry cannot be found, then no log
+	#  message is printed.
+	#
+	#  i.e. You can have many log messages in one "linelog" module.
+	#  If this two-step expansion did not exist, you would have
+	#  needed to configure one "linelog" module for each log message.
+
+	#
+	#  Reference the Packet-Type (Access-Accept, etc.)  If it doesn't
+	#  exist, reference the "default" entry.
+	#
+	#  This is for "linelog" being used in the post-auth section
+	#  If you want to use it in "authorize", you need to change
+	#  the reference to "messages.%{%{Packet-Type}:-default}",
+	#  and then add the appropriate messages.
+	#
+	reference = "messages.%{%{reply:Packet-Type}:-default}"
+
+	#
+	#  The messages defined here are taken from the "reference"
+	#  expansion, above.
+	#
+	messages {
+		default = "Unknown packet type %{Packet-Type}"
+
+		Access-Accept = "Accepted user: %{User-Name}"
+		Access-Reject = "Rejected user: %{User-Name}"
+		Access-Challenge = "Sent challenge: %{User-Name}"
+	}
+}
+
+#
+#  Another example, for accounting packets.
+#
+linelog log_accounting {
+	#
+	#  Used if the expansion of "reference" fails.
+	#
+	format = ""
+
+	filename = ${logdir}/linelog-accounting
+
+	permissions = 0600
+
+	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
+
+	#
+	#  Another example:
+	#
+	#
+	Accounting-Request {
+		Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+		Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+
+		#  Don't log anything for these packets.
+		Alive = ""
+
+		Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
+		Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
+
+		# don't log anything for other Acct-Status-Types.
+		unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
+	}
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/logintime

@@ -0,0 +1,23 @@
+# -*- text -*-
+#
+#  $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
+
+# The logintime module. This handles the Login-Time,
+# Current-Time, and Time-Of-Day attributes.  It should be
+# included in the *end* of the authorize section in order to
+# handle Login-Time checks. It should also be included in the
+# instantiate section in order to register the Current-Time
+# and Time-Of-Day comparison functions.
+#
+# When the Login-Time attribute is set to some value, and the
+# user has been permitted to log in, a Session-Timeout is
+# calculated based on the remaining time.  See "doc/README".
+#
+logintime {
+	# The minimum timeout (in seconds) a user is allowed
+	# to have. If the calculated timeout is lower we don't
+	# allow the login. Some NAS do not handle values
+	# lower than 60 seconds well.
+	minimum_timeout = 60
+}
+

pkgs/fablab/freeradius-anon-access/raddb/mods-available/mschap

@@ -0,0 +1,253 @@
+# -*- text -*-
+#
+#  $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $
+
+#
+#  Microsoft CHAP authentication
+#
+#  This module supports MS-CHAP and MS-CHAPv2 authentication.
+#  It also enforces the SMB-Account-Ctrl attribute.
+#
+mschap {
+	#
+	#  If you are using /etc/smbpasswd, see the 'passwd'
+	#  module for an example of how to use /etc/smbpasswd
+	#
+
+	#
+	#  If use_mppe is not set to no mschap, will
+	#  add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+	#  MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+	#
+#	use_mppe = no
+
+	#
+	#  If MPPE is enabled, require_encryption makes
+	#  encryption moderate
+	#
+#	require_encryption = yes
+
+	#
+	#  require_strong always requires 128 bit key
+	#  encryption
+	#
+#	require_strong = yes
+
+	#
+	#  This module can perform authentication itself, OR
+	#  use a Windows Domain Controller.  This configuration
+	#  directive tells the module to call the ntlm_auth
+	#  program, which will do the authentication, and return
+	#  the NT-Key.  Note that you MUST have "winbindd" and
+	#  "nmbd" running on the local machine for ntlm_auth
+	#  to work.  See the ntlm_auth program documentation
+	#  for details.
+	#
+	#  If ntlm_auth is configured below, then the mschap
+	#  module will call ntlm_auth for every MS-CHAP
+	#  authentication request.  If there is a cleartext
+	#  or NT hashed password available, you can set
+	#  "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+	#  and the mschap module will do the authentication itself,
+	#  without calling ntlm_auth.
+	#
+	#  Be VERY careful when editing the following line!
+	#
+	#  You can also try setting the user name as:
+	#
+	#	... --username=%{mschap:User-Name} ...
+	#
+	#  In that case, the mschap module will look at the User-Name
+	#  attribute, and do prefix/suffix checks in order to obtain
+	#  the "best" user name for the request.
+	#
+	#  For Samba 4, you should also set the "ntlm auth" parameter
+	#  in the Samba configuration:
+	#
+	#	ntlm auth = yes
+	#
+	#  or
+	#
+	#	ntlm auth = mschapv2-and-ntlmv2-only
+	#
+	#  This will let Samba 4 accept the MS-CHAP authentication
+	#  method that is needed by FreeRADIUS.
+	#
+	#  Depending on the Samba version, you may also need to add:
+	#
+	#	--allow-mschapv2
+	#
+	#  to the command-line parameters.
+	#
+#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+
+	#
+	#  The default is to wait 10 seconds for ntlm_auth to
+	#  complete.  This is a long time, and if it's taking that
+	#  long then you likely have other problems in your domain.
+	#  The length of time can be decreased with the following
+	#  option, which can save clients waiting if your ntlm_auth
+	#  usually finishes quicker. Range 1 to 10 seconds.
+	#
+#	ntlm_auth_timeout = 10
+
+	#
+	#  An alternative to using ntlm_auth is to connect to the
+	#  winbind daemon directly for authentication. This option
+	#  is likely to be faster and may be useful on busy systems,
+	#  but is less well tested.
+	#
+	#  Using this option requires libwbclient from Samba 4.2.1
+	#  or later to be installed. Make sure that ntlm_auth above is
+	#  commented out.
+	#
+#	winbind_username = "%{mschap:User-Name}"
+#	winbind_domain = "%{mschap:NT-Domain}"
+
+	#
+	#  When using single sign-on with a winbind connection and the
+	#  client uses a different casing for the username than the
+	#  casing is according to the backend, reauth may fail because
+	#  of some Windows internals. This switch tries to find the
+	#  user in the correct casing in the backend, and retry
+	#  authentication with that username.
+	#
+#	winbind_retry_with_normalised_username = no
+
+	#
+	#  Information for the winbind connection pool.  The configuration
+	#  items below are the same for all modules which use the new
+	#  connection pool.
+	#
+	pool {
+		#
+		#  Connections to create during module instantiation.
+		#  If the server cannot create specified number of
+		#  connections during instantiation it will exit.
+		#  Set to 0 to allow the server to start without the
+		#  winbind daemon being available.
+		#
+		start = ${thread[pool].start_servers}
+
+		#
+		#  Minimum number of connections to keep open
+		#
+		min = ${thread[pool].min_spare_servers}
+
+		#
+		#  Maximum number of connections
+		#
+		#  If these connections are all in use and a new one
+		#  is requested, the request will NOT get a connection.
+		#
+		#  Setting 'max' to LESS than the number of threads means
+		#  that some threads may starve, and you will see errors
+		#  like 'No connections available and at max connection limit'
+		#
+		#  Setting 'max' to MORE than the number of threads means
+		#  that there are more connections than necessary.
+		#
+		max = ${thread[pool].max_servers}
+
+		#
+		#  Spare connections to be left idle
+		#
+		#  NOTE: Idle connections WILL be closed if "idle_timeout"
+		#  is set.  This should be less than or equal to "max" above.
+		#
+		spare = ${thread[pool].max_spare_servers}
+
+		#
+		#  Number of uses before the connection is closed
+		#
+		#  0 means "infinite"
+		#
+		uses = 0
+
+		#
+		#  The number of seconds to wait after the server tries
+		#  to open a connection, and fails.  During this time,
+		#  no new connections will be opened.
+		#
+		retry_delay = 30
+
+		#
+		#  The lifetime (in seconds) of the connection
+		#
+		#  NOTE: A setting of 0 means infinite (no limit).
+		#
+		lifetime = 86400
+
+		#
+		#  The pool is checked for free connections every
+		#  "cleanup_interval".  If there are free connections,
+		#  then one of them is closed.
+		#
+		cleanup_interval = 300
+
+		#
+		#  The idle timeout (in seconds).  A connection which is
+		#  unused for this length of time will be closed.
+		#
+		#  NOTE: A setting of 0 means infinite (no timeout).
+		#
+		idle_timeout = 600
+
+		#
+		#  NOTE: All configuration settings are enforced.  If a
+		#  connection is closed because of "idle_timeout",
+		#  "uses", or "lifetime", then the total number of
+		#  connections MAY fall below "min".  When that
+		#  happens, it will open a new connection.  It will
+		#  also log a WARNING message.
+		#
+		#  The solution is to either lower the "min" connections,
+		#  or increase lifetime/idle_timeout.
+		#
+	}
+
+	passchange {
+		#
+		#  This support MS-CHAPv2 (not v1) password change
+		#  requests.  See doc/mschap.rst for more IMPORTANT
+		#  information.
+		#
+		#  Samba/ntlm_auth - if you are using ntlm_auth to
+		#  validate passwords, you will need to use ntlm_auth
+		#  to change passwords.  Uncomment the three lines
+		#  below, and change the path to ntlm_auth.
+		#
+#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
+#		ntlm_auth_username = "username: %{mschap:User-Name}"
+#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
+
+		#
+		#  To implement a local password change, you need to
+		#  supply a string which is then expanded, so that the
+		#  password can be placed somewhere.  e.g. passed to a
+		#  script (exec), or written to SQL (UPDATE/INSERT).
+		#  We give both examples here, but only one will be
+		#  used.
+		#
+#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
+		#
+#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
+	}
+
+	#
+	#  For Apple Server, when running on the same machine as
+	#  Open Directory.  It has no effect on other systems.
+	#
+#	use_open_directory = yes
+
+	#
+	#  On failure, set (or not) the MS-CHAP error code saying
+	#  "retries allowed".
+	#
+#	allow_retry = yes
+
+	#
+	#  An optional retry message.
+	#
+#	retry_msg = "Re-enter (or reset) the password"
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/ntlm_auth

@@ -0,0 +1,18 @@
+#
+#  For testing ntlm_auth authentication with PAP.
+#
+#  If you have problems with authentication failing, even when the
+#  password is good, it may be a bug in Samba:
+#
+#	https://bugzilla.samba.org/show_bug.cgi?id=6563
+#
+#  Depending on the AD / Samba configuration, you may also need to add:
+#
+#	--allow-mschapv2
+#
+#  to the list of command-line options.
+#
+exec ntlm_auth {
+	wait = yes
+	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/pap

@@ -0,0 +1,18 @@
+# -*- text -*-
+#
+#  $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
+
+# PAP module to authenticate users based on their stored password
+#
+#  Supports multiple encryption/hash schemes.  See "man rlm_pap"
+#  for details.
+#
+#  For instructions on creating the various types of passwords, see:
+#
+#  http://www.openldap.org/faq/data/cache/347.html
+pap {
+	#  By default the server will use heuristics to try and automatically
+	#  handle base64 or hex encoded passwords. This behaviour can be
+	#  stopped by setting the following to "no".
+#	normalise = yes
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/passwd

@@ -0,0 +1,55 @@
+# -*- text -*-
+#
+#  $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
+
+# passwd module allows to do authorization via any passwd-like
+# file and to extract any attributes from these files.
+#
+#  See the "smbpasswd" and "etc_group" files for more examples.
+#
+# parameters are:
+#   filename - path to file
+#
+#   format - format for filename record. This parameters
+#            correlates record in the passwd file and RADIUS
+#            attributes.
+#
+#            Field marked as '*' is a key field. That is, the parameter
+#            with this name from the request is used to search for
+#            the record from passwd file
+#
+#            Attributes marked as '=' are added to reply_items instead
+#            of default configure_items
+#
+#	     Attributes marked as '~' are added to request_items
+#
+#            Field marked as ',' may contain a comma separated list
+#            of attributes.
+#
+#   hash_size - hashtable size.  Setting it to 0 is no longer permitted
+#		A future version of the server will have the module
+#		automatically determine the hash size.  Having it set
+#		manually should not be necessary.
+#
+#   allow_multiple_keys - if many records for a key are allowed
+#
+#   ignore_nislike - ignore NIS-related records
+#
+#   delimiter - symbol to use as a field separator in passwd file,
+#            for format ':' symbol is always used. '\0', '\n' are
+#	     not allowed
+#
+
+#  An example configuration for using /etc/passwd.
+#
+#  This is an example which will NOT WORK if you have shadow passwords,
+#  NIS, etc.  The "unix" module is normally responsible for reading
+#  system passwords.  You should use it instead of this example.
+#
+passwd etc_passwd {
+	filename = /etc/passwd
+	format = "*User-Name:Crypt-Password:"
+	hash_size = 100
+	ignore_nislike = no
+	allow_multiple_keys = no
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/preprocess

@@ -0,0 +1,62 @@
+# -*- text -*-
+#
+#  $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
+
+# Preprocess the incoming RADIUS request, before handing it off
+# to other modules.
+#
+#  This module processes the 'huntgroups' and 'hints' files.
+#  In addition, it re-writes some weird attributes created
+#  by some NAS, and converts the attributes into a form which
+#  is a little more standard.
+#
+preprocess {
+	# Search for files in a subdirectory of mods-config which
+	# matches this instance of the preprocess module.
+	moddir = ${modconfdir}/${.:instance}
+
+	huntgroups = ${moddir}/huntgroups
+	hints = ${moddir}/hints
+
+	# This hack changes Ascend's weird port numbering
+	# to standard 0-??? port numbers so that the "+" works
+	# for IP address assignments.
+	with_ascend_hack = no
+	ascend_channels_per_line = 23
+
+	# Windows NT machines often authenticate themselves as
+	# NT_DOMAIN\username
+	#
+	# If this is set to 'yes', then the NT_DOMAIN portion
+	# of the user-name is silently discarded.
+	#
+	# This configuration entry SHOULD NOT be used.
+	# See the "realms" module for a better way to handle
+	# NT domains.
+	with_ntdomain_hack = no
+
+	# Specialix Jetstream 8500 24 port access server.
+	#
+	# If the user name is 10 characters or longer, a "/"
+	# and the excess characters after the 10th are
+	# appended to the user name.
+	#
+	# If you're not running that NAS, you don't need
+	# this hack.
+	with_specialix_jetstream_hack = no
+
+	# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
+	# with the attribute name *again* in the string, like:
+	#
+	#   H323-Attribute = "h323-attribute=value".
+	#
+	# If this configuration item is set to 'yes', then
+	# the redundant data in the the attribute text is stripped
+	# out.  The result is:
+	#
+	#  H323-Attribute = "value"
+	#
+	# If you're not running a Cisco or Quintum NAS, you don't
+	# need this hack.
+	with_cisco_vsa_hack = no
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/radutmp

@@ -0,0 +1,53 @@
+# -*- text -*-
+#
+#  $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
+
+#  Write a 'utmp' style file, of which users are currently
+#  logged in, and where they've logged in from.
+#
+#  This file is used mainly for Simultaneous-Use checking,
+#  and also 'radwho', to see who's currently logged in.
+#
+radutmp {
+	#  Where the file is stored.  It's not a log file,
+	#  so it doesn't need rotating.
+	#
+	filename = ${logdir}/radutmp
+
+	#  The field in the packet to key on for the
+	#  'user' name,  If you have other fields which you want
+	#  to use to key on to control Simultaneous-Use,
+	#  then you can use them here.
+	#
+	#  Note, however, that the size of the field in the
+	#  'utmp' data structure is small, around 32
+	#  characters, so that will limit the possible choices
+	#  of keys.
+	#
+	#  You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
+	username = %{User-Name}
+
+
+	#  Whether or not we want to treat "user" the same
+	#  as "USER", or "User".  Some systems have problems
+	#  with case sensitivity, so this should be set to
+	#  'no' to enable the comparisons of the key attribute
+	#  to be case insensitive.
+	#
+	case_sensitive = yes
+
+	#  Accounting information may be lost, so the user MAY
+	#  have logged off of the NAS, but we haven't noticed.
+	#  If so, we can verify this information with the NAS,
+	#
+	#  If we want to believe the 'utmp' file, then this
+	#  configuration entry can be set to 'no'.
+	#
+	check_with_nas = yes
+
+	# Set the file permissions, as the contents of this file
+	# are usually private.
+	permissions = 0600
+
+	caller_id = "yes"
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/realm

@@ -0,0 +1,75 @@
+# -*- text -*-
+#
+#  $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
+
+# Realm module, for proxying.
+#
+#  You can have multiple instances of the realm module to
+#  support multiple realm syntaxes at the same time.  The
+#  search order is defined by the order that the modules are listed
+#  in the authorize and preacct sections.
+#
+#  Four config options:
+#	format	 -  must be "prefix" or "suffix"
+#			  The special cases of "DEFAULT"
+#			  and "NULL" are allowed, too.
+#	delimiter      -  must be a single character
+
+#  'realm/username'
+#
+#  Using this entry, IPASS users have their realm set to "IPASS".
+realm IPASS {
+	format = prefix
+	delimiter = "/"
+}
+
+#  'username@realm'
+#
+realm suffix {
+	format = suffix
+	delimiter = "@"
+
+	# The next configuration items are valid ONLY for a trust-router.
+	# For all other realms, they are ignored.
+#	trust_router = "localhost"
+#	tr_port = 12309
+#	rp_realm = "realm.example.com"
+#	default_community = "apc.communities.example.com"
+#	# if rekey_enabled is enabled, dynamic realms are automatically rekeyed
+#	# before they expire to avoid having to recreate them from scrach on
+#	# demand (implying lengthy authentications)
+#	rekey_enabled = no
+#	# if realm_lifetime is > 0, the rekey is scheduled to happen the
+#	# specified number of seconds after its creation or rekeying. Otherwise,
+#	# the key material expiration timestamp is used
+#	realm_lifetime = 0
+}
+
+#  'realm!username'
+#
+realm bangpath {
+	format = prefix
+	delimiter = "!"
+
+#	trust_router = "localhost"
+#	tr_port = 12309
+#	rp_realm = "realm.example.com"
+#	default_community = "apc.communities.example.com"
+#	rekey_enabled = no
+#	realm_lifetime = 0
+}
+
+#  'username%realm'
+#
+realm realmpercent {
+	format = suffix
+	delimiter = "%"
+}
+
+#
+#  'domain\user'
+#
+realm ntdomain {
+	format = prefix
+	delimiter = "\\"
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/replicate

@@ -0,0 +1,42 @@
+#  Replicate packet(s) to a home server.
+#
+#  This module will open a new socket for each packet, and "clone"
+#  the incoming packet to the destination realm (i.e. home server).
+#  These packets are only sent to UDP home servers.  TCP and TLS
+#  are not supported.
+#
+#  Use it by setting "Replicate-To-Realm = name" in the control list,
+#  just like Proxy-To-Realm.  The configurations for the two attributes
+#  are identical.  The realm must exist, the home_server_pool must exist,
+#  and the home_server must exist.
+#
+#  The only difference is that the "replicate" module sends requests
+#  and does not expect a reply.  Any reply is ignored.
+#
+#  Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
+#
+#  To use this module, list "replicate" in the "authorize" or
+#  "accounting" section.  Then, ensure that Replicate-To-Realm is set.
+#  The contents of the "packet" attribute list will be sent to the
+#  home server.  The usual load-balancing, etc. features of the home
+#  server will be used.
+#
+#  "radmin" can be used to mark home servers alive/dead, in order to
+#  enable/disable replication to specific servers.
+#
+#  Packets can be replicated to multiple destinations.  Just set
+#  Replicate-To-Realm multiple times.  One packet will be sent for
+#  each of the Replicate-To-Realm attribute in the "control" list.
+#
+#  If no packets are sent, the module returns "noop".  If at least one
+#  packet is sent, the module returns "ok".  If an error occurs, the
+#  module returns "fail"
+#
+#  Note that replication does NOT change any of the packet statistics.
+#  If you use "radmin" to look at the statistics for a home server,
+#  the replicated packets will cause NO counters to increment.  This
+#  is not a bug, this is how replication works.
+#
+replicate {
+
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/soh

@@ -0,0 +1,4 @@
+# SoH module
+soh {
+	dhcp = yes
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/sradutmp

@@ -0,0 +1,16 @@
+# -*- text -*-
+#
+#  $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
+
+# "Safe" radutmp - does not contain caller ID, so it can be
+# world-readable, and radwho can work for normal users, without
+# exposing any information that isn't already exposed by who(1).
+#
+# This is another 'instance' of the radutmp module, but it is given
+# then name "sradutmp" to identify it later in the "accounting"
+# section.
+radutmp sradutmp {
+	filename = ${logdir}/sradutmp
+	permissions = 0644
+	caller_id = "no"
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/totp

@@ -0,0 +1,40 @@
+# -*- text -*-
+#
+#  $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $
+
+#
+#  Time-based One-Time Passwords (TOTP)
+#
+#  Defined in RFC 6238, and used in Google Authenticator.
+#
+#  This module can only be used in the "authenticate" section.
+#
+#  The Base32-encoded secret should be placed into:
+#
+#	&control:TOTP-Secret
+#
+#  The TOTP password entered by the user should be placed into:
+#
+#	&request:TOTP-Password
+#
+#  The module will return "ok" if the passwords match, and "fail"
+#  if the passwords do not match.
+#
+#  Note that this module will NOT interact with Google.  The module is
+#  intended to be used where the local administrator knows the TOTP
+#  secret key, and user has an authenticator app on their phone.
+#
+#  Note also that while you can use the Google "chart" APIs to
+#  generate a QR code, doing this will give the secret to Google!
+#
+#  Administrators should instead install a tool such as "qrcode"
+#
+#	https://linux.die.net/man/1/qrencode
+#
+#  and then run that locally to get an image.
+#  
+#
+#  The module takes no configuration items.
+#
+totp {
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/unix

@@ -0,0 +1,25 @@
+# -*- text -*-
+#
+#  $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
+
+# Unix /etc/passwd style authentication
+#
+#  This module calls the system functions to get the "known good"
+#  password.  This password is usually in the "crypt" form, and is
+#  incompatible with CHAP, MS-CHAP, PEAP, etc.
+#
+#  If passwords are in /etc/shadow, you will need to set the "group"
+#  configuration in radiusd.conf.  Look for "shadow", and follow the
+#  instructions there.
+#
+unix {
+	#
+	#  The location of the "wtmp" file.
+	#  The only use for 'radlast'.  If you don't use
+	#  'radlast', then you can comment out this item.
+	#
+	#  Note that the radwtmp file may get large!  You should
+	#  rotate it (cp /dev/null radwtmp), or just not use it.
+	#
+	radwtmp = ${logdir}/radwtmp
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/unpack

@@ -0,0 +1,105 @@
+# -*- text -*-
+#
+#  $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $
+
+#
+#  This module is useful only for 'xlat'.
+#  To use it, add it to the raddb/mods-enabled/ directory.
+#
+#  Two xlat functions are provided by this module:
+#    - unpack
+#    - substring
+#
+#  Both are for use on the right-hand side of a variable assignment.
+#
+#  unpack
+#  ======
+#
+#  ... = "%{unpack:data 1 integer}"
+#
+#  The arguments are three fields:
+#
+#	data
+#		Either &Attribute-Name
+#		the name of the attribute to unpack.
+#		MUST be a "string" or "octets" type.
+#
+#		or 0xabcdef
+#		e.g. hex data.
+#
+#	1
+#		The offset into the string from which
+#		it starts unpacking.  The offset starts
+#		at zero, for the first attribute.
+#
+#	integer
+#		the data type to unpack at that offset.
+#		e.g. integer, ipaddr, byte, short, etc.
+#
+#  e.g. if we have Class = 0x0000000102030405, then
+#
+#	%{unpack:&Class 4 short}
+#
+#  will unpack octets 4 and 5 as a "short", which has
+#  value 0x0304.
+#
+#  This module is used when vendors put multiple fields
+#  into one attribute of type "octets".
+#
+#  The module can also be used to unpack substrings, by specifing a
+#  data type of "string(len)" or "octets(len)".  Where "len" is an
+#  actual number.  For example:
+#
+#	%{unpack:&User-Name 1 string(2)}
+#
+#  When given a User-Name of "hello", it will start taking the
+#  substring at offset 1 (i.e. "e"), and it will take two characters
+#  from that offset, i.e. "el".
+#
+#  As a special case, you can unpack an entire string by specifying
+#  the offset, and nothing for the length:
+#
+#	%{unpack:&User-Name 1 string()}
+#
+#  When "octets(len)" is used, the output is printed as hex.  e.g. for
+#  the above example with Class:
+#
+#	%{unpack:&Class 4 octets(4)}
+#
+#  Will return the hex string "02030405"
+#
+#
+#  substring
+#  =========
+#
+#  substring will return a substring of a string or attribute using
+#  the syntax
+#
+#	%{substring:data start len}
+#
+#	data
+#		Either an attribute name or string data.  String data
+#		can have leading or trailing spaces.  Only a single
+#		space before "start" is taken as the separator.
+#
+#  	start
+#		the zero based offset for the start of the substring.
+#		A negative value will count in from the end of the
+#		string.
+#
+#	len
+#		the number of characters to return.  A Negative value
+#		will remove that number of characters from the end.
+#		If len is more than the available number of characters
+#		then only the available number will be returned.
+#
+#  Examples:
+#
+#	"%{substring:foobar 2 3}" == "oba"
+#	"%{substring:foobar -3 2}" == "ba"
+#	"%{substring:foobar 1 -1}" == "ooba"
+#	if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob"
+#
+
+unpack {
+}

pkgs/fablab/freeradius-anon-access/raddb/mods-available/utf8

@@ -0,0 +1,14 @@
+#
+#  Enforces UTF-8 on strings coming in from the NAS.
+#
+#  An attribute of type "string" containing UTF-8 makes
+#  the module return NOOP.
+#
+#  An attribute of type "string" containing non-UTF-8 data
+#  makes the module return FAIL.
+#
+#  This module takes no configuration.
+#
+utf8 {
+
+}