feat(vault01/radius): ask dgsi for vlan id

This commit is contained in:
catvayor 2025-03-12 14:48:23 +01:00
parent 1fcc0844ca
commit d149c4e323
Signed by: lbailly
GPG key ID: CE3E645251AC63F3
7 changed files with 63 additions and 29 deletions


@ -20,7 +20,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]
@ -38,7 +38,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"]
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch"]
precedence = "closest"
[[annotations]]


@ -96,7 +96,6 @@ let
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
@ -127,6 +126,7 @@ let
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
"machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch"
];
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
}


@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{ config, pkgs, ... }:
{
imports = [ ./module.nix ];
@ -39,17 +39,12 @@
# before they can authenticate via RADIUS.
radius_required_groups = [ "radius_access@sso.dgnum.eu" ];
# A mapping between Kanidm groups and VLANS
radius_groups = map (
{ vlan, ... }:
{
inherit vlan;
spn = "vlan_${toString vlan}@sso.dgnum.eu";
}
) config.networking.vlans-info;
dgsi_endpoint = "https://dgsi.dgnum.eu/isp/vlan";
};
authTokenFile = config.age.secrets."radius-auth_token_file".path;
dgsi_username = pkgs.writeText "username" "ISP - unsecure";
dgsi_password = pkgs.writeText "password" "ISP - unsecure";
};
age-secrets.autoMatch = [ "radius" ];
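Review bot: `dgsi_username = pkgs.writeText "username" "ISP - unsecure";` and the `dgsi_password` line below it place the DGSI credentials in the Nix store, where every path is world-readable and is also pushed to any binary cache, so the password is readable by every local user on vault01 and by anyone with cache access. The module declares both options as `path` ("File to the username/password for DGSI"), so they should reference agenix-managed secret files the way `authTokenFile` uses `config.age.secrets."radius-auth_token_file".path` two lines above. If "ISP - unsecure" is deliberately a throwaway account, a one-line comment saying so (and that no real credential belongs here) would stop the next maintainer from dropping a production password into this literal.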


@ -75,6 +75,16 @@ in
description = "File to the auth token for the service account.";
};
dgsi_username = mkOption {
type = path;
description = "File to the username for DGSI.";
};
dgsi_password = mkOption {
type = path;
description = "File to the password for DGSI.";
};
extra-mods = mkOption {
type = attrsOf path;
default = { };
@ -188,6 +198,7 @@ in
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
dgsi_token = "$(echo -n "$(cat "${cfg.dgsi_username}"):$(cat "${cfg.dgsi_password}")" | base64)"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
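Review bot: The `dgsi_token = "$(echo -n "$(cat "${cfg.dgsi_username}"):$(cat "${cfg.dgsi_password}")" | base64)"` line relies on `base64` emitting a single line, but GNU `base64` wraps output at 76 characters, so a `username:password` longer than 57 bytes produces a newline inside the TOML string and the generated kanidm.toml becomes invalid or carries a truncated token; use `| base64 -w0` here. A short comment above the line would also help, noting that the value is the HTTP Basic credential built from the two secret files and that the file is regenerated on every start, so it must not be edited by hand. The permissions of /var/lib/radius/kanidm.toml are set outside this hunk, presumably — confirm they are no wider than those of the secret files now that it holds a second credential. The enclosing script continues outside the hunk.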


@ -1,16 +0,0 @@
diff --git a/kanidm/radius/utils.py b/kanidm/radius/utils.py
index cbd3fe1f0..41fbd05c4 100644
--- a/kanidm/radius/utils.py
+++ b/kanidm/radius/utils.py
@@ -25,11 +25,6 @@ def check_vlan(
raise ValueError("Need to pass this a kanidm_client")
for radius_group in kanidm_client.config.radius_groups:
- logging.debug(
- "Checking vlan group '%s' against user group %s",
- radius_group.spn,
- group.spn,
- )
if radius_group.spn == group.spn:
logging.info("returning new vlan: %s", radius_group.vlan)
return radius_group.vlan


@ -0,0 +1,44 @@
diff --git a/kanidm/radius/__init__.py b/kanidm/radius/__init__.py
index b44a6ff50..60c7efe7c 100644
--- a/kanidm/radius/__init__.py
+++ b/kanidm/radius/__init__.py
@@ -1,12 +1,14 @@
""" kanidm RADIUS module """
import asyncio
from aiohttp.client_exceptions import ClientConnectorError
+import base64
from functools import reduce
import json
import logging
import os
from pathlib import Path
import sys
+import requests
from typing import Any, Dict, Optional, Union
from kanidm.exceptions import NoMatchingEntries
@@ -146,13 +148,14 @@ def authorize(
logging.info("User %s doesn't have a group from the required list.", name)
return radiusd.RLM_MODULE_REJECT
- # look up them in config for group vlan if possible.
- # TODO: work out the typing on this, WTF.
- uservlan: int = reduce(
- check_vlan,
- tok.groups,
- kanidm_client.config.radius_default_vlan,
- )
+ dgsi_info = requests.get(kanidm_client.config.dgsi_endpoint + "/" + name, headers={
+ "Authorization": "Basic " + kanidm_client.config.dgsi_token
+ })
+ if dgsi_info.status != 200:
+ logging.error("dgsi: error getting vlan of %s : %s.", name, dgsi_info.status)
+ return radiusd.RLM_MODULE_FAIL
+ else:
+ uservlan: int = int(dgsi_info.text)
if uservlan == int(0):
logging.info("Invalid uservlan of 0")
--
2.48.1
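Review bot: `dgsi_info.status` in the added `if dgsi_info.status != 200:` line is not an attribute of a `requests.Response` (that name belongs to aiohttp; requests exposes `status_code`), so every authorize call reaching this branch raises AttributeError instead of returning a RADIUS module code. The same block sends the request without a `timeout=`, so a stalled DGSI blocks authorize indefinitely; builds the URL by concatenating the RADIUS-supplied `name` unescaped, so a name containing `/`, `?` or `#` changes the request path (use `urllib.parse.quote(name, safe="")`); and calls `int(dgsi_info.text)` without catching ValueError on a non-numeric body. The added `import base64` is used by neither hunk, and `reduce` looks unused once the `check_vlan` fold is removed — confirm against the rest of the file, which is outside the patch. The enclosing `authorize` continues outside the hunk; the timeout value below is a constructed example.
```python
    # … unchanged: required-group check above …
    try:
        dgsi_info = requests.get(
            kanidm_client.config.dgsi_endpoint + "/" + quote(name, safe=""),
            headers={"Authorization": "Basic " + kanidm_client.config.dgsi_token},
            timeout=5,  # example value; DGSI is on the authorize hot path
        )
    except requests.RequestException as exc:
        logging.error("dgsi: error getting vlan of %s : %s.", name, exc)
        return radiusd.RLM_MODULE_FAIL
    if dgsi_info.status_code != 200:
        logging.error("dgsi: error getting vlan of %s : %s.", name, dgsi_info.status_code)
        return radiusd.RLM_MODULE_FAIL
    try:
        uservlan: int = int(dgsi_info.text)
    except ValueError:
        logging.error("dgsi: non-integer vlan for %s.", name)
        return radiusd.RLM_MODULE_FAIL
    # … unchanged: uservlan == 0 check …
```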


@ -26,7 +26,7 @@ buildPythonPackage rec {
};
patches = [
./02-remove-noisy-logs.patch
./02-request-dgsi-vlan.patch
];
sourceRoot = "source/pykanidm";