DGNum/infrastructure
13
6
Fork 3
Code Issues 20 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

feat(ap01): enable fully RADIUS via internal RADIUS server

Browse source 
This adds two public keys.

For the private keys, heh…

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
This commit is contained in:
Ryan Lahfa 2024-08-31 22:21:35 +02:00
parent be1673c6aa
commit c4d9d6d000
4 changed files with 118 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
keys/certs/dgnum-ap-server.crt Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx
NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg
RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy
aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx
MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT
RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG
A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj
A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF
QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG
AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI
hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz
daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq
4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr
YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA
qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf
DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo=
-----END CERTIFICATE-----

23
keys/certs/dgnum-test-ap-ca.crt Normal file
View file

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL
BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S
IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH
DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2
MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV
U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM
BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O
FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2
NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9
qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6
b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3
uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE
FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg
Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU
9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5
a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd
ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG
sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu
+bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou
WXG5pjBKzojPvxU=
-----END CERTIFICATE-----

75
machines/ap01/_configuration.nix
View file

@ -15,11 +15,9 @@ let
svc = config.system.service;
secrets-1 = {
ssid = "DGNum 2G prototype (N)";
wpa_passphrase = "diamond dogs";
};
secrets-2 = {
ssid = "DGNum 5G prototype (AX)";
wpa_passphrase = "diamond dogs";
};
baseParams = {
country_code = "FR";
@ -30,11 +28,14 @@ let
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
auth_algs = 1;
wpa = 2;
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP";
rsn_pairwise = "CCMP";
};
radiusKeyMgmt = {
wpa_key_mgmt = "WPA-EAP";
};
modernParams = {
hw_mode = "a";
he_su_beamformer = 1;
@ -54,13 +55,60 @@ let
he_oper_centr_freq_seg0_idx = 42;
require_vht = 1;
};
clientRadius = {
ieee8021x = 1;
eapol_version = 2;
use_pae_group_addr = 1;
dynamic_vlan = 0;
vlan_tagged_interface = "lan";
};
serverRadius = {
radius_server_clients = pkgs.writeText "clients" ''
0.0.0.0/0 dgnum
'';
radius_server_auth_port = 1812;
radius_server_ipv6 = 1;
};
localRadius = {
eap_server = 1;
eap_user_file = pkgs.writeText "user.db" ''
# anonymous login in phase 1
* PEAP
# password based in the secure tunnel in phase 2
"test" MSCHAPV2 "diamond dogs" [2]
'';
# DGNum CA certificate.
ca_cert = builtins.toFile "dgnum-test-ap-ca" (
builtins.readFile ../../keys/certs/dgnum-test-ap-ca.crt
);
# Server certificate for this AP.
server_cert = builtins.toFile "dgnum-ap-server" (
builtins.readFile ../../keys/certs/dgnum-ap-server.crt
);
private_key = builtins.toFile "dgnum-ap-server-pkey" (
builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem
);
};
# externalRadius = {
# own_ip_addr = "";
# nas_identifier = "";
# auth_server_addr = "";
# auth_server_port = 1812;
# auth_server_shared_secret = "dgnum";
# };
mkWifiSta =
params: interface: secrets:
svc.hostapd.build {
inherit interface;
params = params // {
inherit (secrets) ssid wpa_passphrase;
};
package = pkgs.hostapd-radius;
params = params // secrets;
};
in
rec {
@ -72,6 +120,8 @@ rec {
"${modulesPath}/ntp"
"${modulesPath}/vlan"
"${modulesPath}/bridge"
"${modulesPath}/jitter-rng"
"${modulesPath}/pki"
../../modules/dgn-access-control.nix
# TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
@ -79,6 +129,13 @@ rec {
hostname = "ap01-prototype";
security.pki = {
installCACerts = true;
certificateFiles = [
../../keys/certs/dgnum-test-ap-ca.crt
];
};
# SSH keys are handled by the access control module.
dgn-access-control.enable = true;
users.root = {
@ -126,10 +183,12 @@ rec {
};
# wlan0 is the 2.4GHz interface.
services.hostap-1 = mkWifiSta baseParams config.hardware.networkInterfaces.wlan0 secrets-1;
services.hostap-1 = mkWifiSta (
baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt
) config.hardware.networkInterfaces.wlan0 secrets-1;
# wlan1 is the 5GHz interface, e.g. AX capable.
services.hostap-2 = mkWifiSta (
baseParams // modernParams
baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2;
defaultProfile.packages = with pkgs; [

15
npins/sources.json
View file

@ -9,6 +9,7 @@
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "0.15.0",
"revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
"url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
@ -58,6 +59,7 @@
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v1.6.0",
"revision": "5eaf747af38dd272e1ab28a8ec4bd972424b07cf",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.6.0",
@ -71,6 +73,7 @@
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v1.2.1",
"revision": "66979725afe2164491be38ffff78460cc9b0ffd7",
"url": null,
@ -82,10 +85,10 @@
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/liminix.git"
},
"branch": "main",
"revision": "7206fea4b4e9a5e50be91cce39c09da602cdb694",
"branch": "strong-tftp",
"revision": "a906301aebab47f11b2d2e762af8b65b8fc1040a",
"url": null,
"hash": "0dd7r80skjamx1sppsl6mdmjhr355lbmc72g0l0356xs67mg8w5p"
"hash": "0c744qyjhcf6s474r4g6z5jww2dzgl857q320d9lm153ambz7rjh"
},
"linkal": {
"type": "Git",
@ -118,6 +121,7 @@
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "0.1.6",
"revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
"url": null,
@ -142,6 +146,7 @@
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v0.5.0",
"revision": "e11ba20945f4a867f09d84343c37328288f274b4",
"url": null,
@ -162,8 +167,8 @@
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre622672.ad7efee13e0d/nixexprs.tar.xz",
"hash": "0ng26dp73sd5dffw8wl4pwfmrgp2p03xbp4l1lxwlhcw6874fk4l"
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre670424.5de1564aed41/nixexprs.tar.xz",
"hash": "1m31bsq9mawjgbxzg4mihk9blfm419451vdsk30llbrj4w4s159w"
},
"pre-commit-hooks": {
"type": "Git",