From 3ca3ff8939dd0077a832a1954c7534bf41897bfd Mon Sep 17 00:00:00 2001
From: Ryan Lahfa
Date: Sat, 31 Aug 2024 22:38:35 +0200
Subject: [PATCH] feat(radius): add AP secret for RADIUS auth requests

Signed-off-by: Ryan Lahfa
---
 machines/vault01/k-radius/default.nix | 9 ++++--
 .../secrets/radius-ap-radius-secret_file | 32 +++++++++++++++++++
 machines/vault01/secrets/secrets.nix | 1 +
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 machines/vault01/secrets/radius-ap-radius-secret_file

diff --git a/machines/vault01/k-radius/default.nix b/machines/vault01/k-radius/default.nix
index 1bf5ec4..ccfc23b 100644
--- a/machines/vault01/k-radius/default.nix
+++ b/machines/vault01/k-radius/default.nix
@@ -6,6 +6,13 @@
 services.k-radius = {
 enable = true;
+ radiusClients = {
+ ap = {
+ ipaddr = "0.0.0.0/0";
+ secret = config.age.secrets."radius-ap-radius-secret_file".path;
+ };
+ };
+
 settings = {
 # URL to the Kanidm server
 uri = "https://sso.dgnum.eu";
@@ -50,8 +57,6 @@
 "key"
 ]
 );
-
- radiusClients = { };
 };
 age-secrets.autoMatch = [ "radius" ];
diff --git a/machines/vault01/secrets/radius-ap-radius-secret_file b/machines/vault01/secrets/radius-ap-radius-secret_file
new file mode 100644
index 0000000..0bb33d8
--- /dev/null
+++ b/machines/vault01/secrets/radius-ap-radius-secret_file
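Review bot: The new `ap` client in the first hunk of `k-radius/default.nix` is declared with `ipaddr = "0.0.0.0/0";`, so Access-Requests are accepted from any source address and the shared secret becomes the only thing that identifies an access point. I would scope it to the network the APs actually sit on, e.g. `ipaddr = "<AP_MGMT_CIDR>"; # placeholder: management subnet of the access points`, or, if the wide match is intentional, state that in a comment next to the value and restrict the RADIUS port at the firewall. Separately, `secret` is given the path of the decrypted age file rather than the secret itself; the k-radius module is not part of this diff, so please confirm it reads the file at runtime, because a path string used verbatim would be a predictable secret. The `services.k-radius` block begins and ends outside the hunk.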
@@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk +l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI +-> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU +X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw +-> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang +FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk +-> ssh-rsa krWCLQ +jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n +jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab +SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts +dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0 +dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn +GW/WD0EpmdzpWVPby68+KA +-> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw +RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ +-> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA +m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c +-> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8 +88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I +-> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE +6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk +-> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA +NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk +-> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU +WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk +-> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM +wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40 +-> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA +Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q +--- 8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w +G"8&NF}xksy\.iקF}-ӚLb;{ \ No newline at end of file diff --git a/machines/vault01/secrets/secrets.nix b/machines/vault01/secrets/secrets.nix index e7c10fb..1120df5 100644 --- a/machines/vault01/secrets/secrets.nix +++ b/machines/vault01/secrets/secrets.nix 
@@ -10,4 +10,5 @@ lib.setDefault { inherit publicKeys; } [
 "radius-key_pem_file"
 "radius-private_key_password_file"
 "eatonmon-password_file"
+ "radius-ap-radius-secret_file"
 ]