feat(radius): Init config
This commit is contained in:
parent
3e763f419a
commit
f173138848
14 changed files with 426 additions and 0 deletions
|
@ -12,6 +12,7 @@ lib.extra.mkConfig {
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
"ds-fr"
|
"ds-fr"
|
||||||
"hedgedoc"
|
"hedgedoc"
|
||||||
|
"k-radius"
|
||||||
"kanidm"
|
"kanidm"
|
||||||
"mastodon"
|
"mastodon"
|
||||||
"nextcloud"
|
"nextcloud"
|
||||||
|
|
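--- /dev/null
+++ b/machines/compute01/k-radius/default.nix
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+{
+  imports = [ ./module.nix ];
+
+  services.k-radius = {
+    enable = true;
+
+    settings = {
+      # URL to the Kanidm server
+      uri = "https://sso.dgnum.eu";
+
+      # verify the hostname of the Kanidm server
+      verify_hostnames = "true";
+
+      # Strict CA verification
+      verify_ca = "false";
+      verify_certificate = "false";
+
+      # Path to the kanidm ca
+
+      # Default vlans for groups that don't specify one.
+      radius_default_vlan = 99;
+
+      # A list of Kanidm groups which must be a member
+      # before they can authenticate via RADIUS.
+      radius_required_groups = [ "radius_access@sso.dgnum.eu" ];
+
+      # A mapping between Kanidm groups and VLANS
+      radius_groups = [
+        {
+          spn = "dgnum_members@idm.example.com";
+          vlan = 1;
+        }
+        {
+          spn = "dgnum_clients@idm.example.com";
+          vlan = 2;
+        }
+      ];
+    };
+
+    authTokenFile = config.age.secrets."radius-auth_token_file".path;
+    privateKeyPasswordFile =
+      config.age.secrets."radius-private_key_password_file".path;
+
+    certs = builtins.listToAttrs (builtins.map (name:
+      lib.nameValuePair name
+      config.age.secrets."radius-${name}_pem_file".path) [
+        "ca"
+        "cert"
+        "dh"
+        "key"
+      ]);
+
+    radiusClients = { };
+  };
+
+  dgn-secrets.matches."^radius-.*$" = { owner = "radius"; };
+
+  networking.firewall.allowedTCPPorts = [ 1812 ];
+  networking.firewall.allowedUDPPorts = [ 1812 ];
+}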
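Review bot: `verify_ca = "false"` and `verify_certificate = "false"` (directly under the comment `# Strict CA verification`) disable TLS certificate validation for the connection to `https://sso.dgnum.eu`, so the service-account `auth_token` read from `radius-auth_token_file` is handed to whoever answers for that name and a network attacker can also return forged group/VLAN answers; `verify_hostnames = "true"` gives no protection once the certificate itself is not checked, and because these values are emitted to TOML as strings, confirm the module actually parses `"true"`/`"false"` rather than treating any non-empty string as set. The comment `# Path to the kanidm ca` is followed by no setting, and module.nix fills `ca_path` with the RADIUS signing CA (`cfg.certs.ca`) rather than the CA that issued the Kanidm server certificate, which is presumably why verification had to be switched off — point `ca_path` at the real issuer (or the system bundle) and set `verify_ca = "true"; verify_certificate = "true";`. Separately, the `radius_groups` entries still use the placeholder realm `idm.example.com` while the required group is `radius_access@sso.dgnum.eu`, so no member will ever match a VLAN mapping and every authenticated user presumably lands on `radius_default_vlan = 99`.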
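--- /dev/null
+++ b/machines/compute01/k-radius/module.nix
@@ -0,0 +1,181 @@
+{ config, lib, pkgs, sources, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+
+  settingsFormat = pkgs.formats.toml { };
+
+  python3 = (import sources.nixos-python { }).python311;
+
+  pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit python3; };
+  rlm_python =
+    pkgs.callPackage ./packages/rlm_python.nix { inherit python3 pykanidm; };
+
+  cfg = config.services.k-radius;
+in {
+  options.services.k-radius = {
+    enable = mkEnableOption "a freeradius service linked to kanidm.";
+
+    settings = mkOption { inherit (settingsFormat) type; };
+
+    freeradius = mkOption {
+      type = types.package;
+      default = pkgs.freeradius.overrideAttrs (old: {
+        buildInputs = (old.buildInputs or [ ])
+          ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
+      });
+    };
+
+    configDir = mkOption {
+      type = types.path;
+      default = "/var/lib/radius/raddb";
+      description =
+        "The path of the freeradius server configuration directory.";
+    };
+
+    authTokenFile = mkOption {
+      type = types.path;
+      description = "File to the auth token for the service account.";
+    };
+
+    radiusClients = mkOption {
+      type = types.attrsOf (types.submodule {
+        options = {
+          secret = mkOption { type = types.path; };
+          ipaddr = mkOption { type = types.str; };
+        };
+      });
+      default = { };
+      description = "A mapping of clients and their authentication tokens.";
+    };
+
+    certs = {
+      ca = mkOption {
+        type = types.str;
+        description = "The signing CA of the RADIUS certificate.";
+      };
+      dh = mkOption {
+        type = types.str;
+        description =
+          "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
+      };
+      cert = mkOption {
+        type = types.str;
+        description = "The certificate for the RADIUS server.";
+      };
+      key = mkOption {
+        type = types.str;
+        description = "The signing key for the RADIUS certificate.";
+      };
+    };
+
+    privateKeyPasswordFile = mkOption { type = types.path; };
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      users.radius = {
+        group = "radius";
+        description = "Radius daemon user";
+        isSystemUser = true;
+      };
+
+      groups.radius = { };
+    };
+
+    services.k-radius.settings = {
+      ca_path = cfg.certs.ca;
+
+      radius_cert_path = cfg.certs.cert;
+      radius_key_path = cfg.certs.key;
+      radius_dh_path = cfg.certs.dh;
+      radius_ca_path = cfg.certs.ca;
+    };
+
+    systemd.services.radius = {
+      description = "FreeRadius server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      wants = [ "network.target" ];
+
+      preStart = ''
+        cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
+        cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
+
+        chmod -R u+w ${cfg.configDir}
+
+        # disable auth via methods kanidm doesn't support
+        rm ${cfg.configDir}/mods-available/sql
+        rm ${cfg.configDir}/mods-enabled/{passwd,totp}
+
+        # enable the python and cache modules
+        ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
+        ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
+
+        # write the clients configuration
+        rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
+        ${builtins.concatStringsSep "\n" (builtins.attrValues (builtins.mapAttrs
+          (name:
+            { secret, ipaddr }: ''
+              cat <<EOF >> ${cfg.configDir}/client.conf
+              client ${name} {
+                ipaddr = ${ipaddr}
+                secret = $(cat "${secret}")
+                proto = *
+              }
+              EOF
+            '') cfg.radiusClients))}
+
+        # Copy the kanidm configuration
+        cat <<EOF > /var/lib/radius/kanidm.toml
+        auth_token = "$(cat "${cfg.authTokenFile}")"
+        EOF
+
+        cat ${
+          settingsFormat.generate "kanidm.toml" cfg.settings
+        } >> /var/lib/radius/kanidm.toml
+        chmod u+w /var/lib/radius/kanidm.toml
+
+        # Copy the certificates to the correct directory
+        rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
+
+        cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
+
+        ${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
+
+        cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
+
+        cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
+
+        # Write the password of the private_key in the eap module
+        sed -i ${cfg.configDir}/mods-available/eap \
+          -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
+
+        # Check the configuration
+        # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
+      '';
+
+      path = [ pkgs.openssl pkgs.gnused ];
+
+      serviceConfig = {
+        ExecStart =
+          "${cfg.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout";
+        ExecReload = [
+          "${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
+          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+        ];
+        User = "radius";
+        Group = "radius";
+        DynamicUser = true;
+        Restart = "on-failure";
+        RestartSec = 2;
+        LogsDirectory = "radius";
+        StateDirectory = "radius";
+        Environment = [
+          "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
+          "PYTHONPATH=${rlm_python.pythonPath}"
+        ];
+      };
+    };
+  };
+}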
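Review bot: Everything `preStart` writes under `/var/lib/radius` — `kanidm.toml` holding the service-account `auth_token`, `certs/server.pem` holding the private key, and the clients file holding each NAS shared secret — is created with the unit's default umask and nothing in `serviceConfig` narrows it, so with the default state-directory mode these files are presumably readable by every local account; add `UMask = "0077";` and `StateDirectoryMode = "0700";` to `serviceConfig` (`DynamicUser = true` next to a static `User = "radius"` does not change file modes). The clients heredoc appends to `${cfg.configDir}/client.conf` while the line before truncates `clients.conf`, the file the server includes, so no client entry is ever installed: change it to `cat <<EOF >> ${cfg.configDir}/clients.conf`. The first `cp -R ... ${cfg.configDir}` assumes `/var/lib/radius/raddb` already exists, but `StateDirectory = "radius"` only creates the parent, so a fresh host needs `mkdir -p ${cfg.configDir}` first; and the private-key password is spliced unescaped into the `sed -e "s/whatever/.../"` expression, so a password containing `/`, `&` or `\` corrupts `mods-available/eap` instead of being installed. Finally, the default `freeradius` package links its Python module against `pkgs.python3`, while `PYTHONPATH=${rlm_python.pythonPath}` points at packages built for the `python311` taken from the separately pinned `sources.nixos-python` (the `python-updates` nixpkgs branch); unless those two interpreters are the same release, the compiled `pykanidm` dependencies may fail to load, so build both from one interpreter.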
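--- /dev/null
+++ b/machines/compute01/k-radius/packages/pykanidm.nix
@@ -0,0 +1,34 @@
+{ lib, fetchFromGitHub, python3 }:
+
+let
+  pname = "kanidm";
+  version = "0.0.3";
+in python3.pkgs.buildPythonPackage {
+  inherit pname version;
+  format = "pyproject";
+
+  disabled = python3.pythonOlder "3.8";
+
+  src = (fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    # Latest 1.1.0-rc.15 tip
+    rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
+    hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
+  }) + "/pykanidm";
+
+  nativeBuildInputs = with python3.pkgs; [ poetry-core ];
+
+  propagatedBuildInputs = with python3.pkgs; [ aiohttp pydantic toml (authlib.overridePythonAttrs (_: { doCheck = false; })) ];
+
+  doCheck = false;
+
+  pythonImportsCheck = [ "kanidm" ];
+
+  meta = with lib; {
+    description = "Kanidm client library";
+    homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
+    license = licenses.mpl20;
+    maintainers = with maintainers; [ arianvp hexa ];
+  };
+}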
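Review bot: `src` is pinned to commit `a5ca8018…` under the comment `# Latest 1.1.0-rc.15 tip`, while `rlm_python.nix` fetches the sibling `rlm_python` tree from the tag `v1.1.0-rc.15`; if that commit is not the tag, the Python client and the FreeRADIUS module config that imports `kanidm.radius` come from two different revisions of the same repository, so prefer one pinned `rev`/`hash` shared by both derivations. `doCheck = false` here and `authlib.overridePythonAttrs (_: { doCheck = false; })` drop the upstream test suites without saying why; a one-line comment such as `# tests need network access` would keep a later reviewer from either re-enabling them blindly or assuming they pass. `version = "0.0.3"` and `meta.maintainers = [ arianvp hexa ]` look copied from the nixpkgs expression and do not describe this vendored copy or this repository's owners; update the version to match the pinned source and drop `maintainers`.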
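--- /dev/null
+++ b/machines/compute01/k-radius/packages/python_path.patch
@@ -0,0 +1,13 @@
+diff --git a/rlm_python/mods-available/python3 b/rlm_python/mods-available/python3
+index 978536f8a..90c71fca0 100644
+--- a/rlm_python/mods-available/python3
++++ b/rlm_python/mods-available/python3
+@@ -13,7 +13,7 @@ python3 {
+ 	# item is GLOBAL TO THE SERVER. That is, you cannot have two
+ 	# instances of the python module, each with a different path.
+ 	#
+-	python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/"
++	python_path="@kanidm_python@:/etc/raddb/mods-config/python3/"
+ 
+ 	module = "kanidm.radius"
+ 	# python_path = ${modconfdir}/${.:name}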
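--- /dev/null
+++ b/machines/compute01/k-radius/packages/rlm_python.nix
@@ -0,0 +1,33 @@
+{ stdenv, fetchFromGitHub, python3, pykanidm }:
+
+let pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
+
+in stdenv.mkDerivation rec {
+  pname = "rlm_python";
+  version = "1.1.0-rc.15";
+
+  src = fetchFromGitHub {
+    owner = "kanidm";
+    repo = "kanidm";
+    rev = "v${version}";
+    hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
+  };
+
+  patches = [ ./python_path.patch ];
+
+  postPatch = ''
+    substituteInPlace rlm_python/mods-available/python3 \
+      --replace "@kanidm_python@" "${pythonPath}"
+  '';
+
+  installPhase = ''
+    mkdir -p $out/etc/raddb/
+    cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
+  '';
+
+  phases = [ "unpackPhase" "patchPhase" "installPhase" ];
+
+  passthru = { inherit pythonPath; };
+
+  preferLocalBuild = true;
+}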
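Review bot: `substituteInPlace ... --replace "@kanidm_python@" "${pythonPath}"` succeeds even when the placeholder is absent (for example if `python_path.patch` stops applying cleanly on a newer tag), leaving the literal `@kanidm_python@` in `mods-available/python3` and a module that silently cannot import `kanidm.radius`; if the pinned nixpkgs provides it, use `--replace-fail`, otherwise guard it with `grep -q '@kanidm_python@' rlm_python/mods-available/python3`. The patched `python_path` also keeps `/etc/raddb/mods-config/python3/`, a path that never exists under the module's `configDir`, while the systemd unit separately exports `PYTHONPATH=${rlm_python.pythonPath}`; keeping one of the two mechanisms, with a comment saying which is authoritative, would make the module search path easier to audit. `phases = [ "unpackPhase" "patchPhase" "installPhase" ]` skips `fixupPhase`, which is presumably fine for plain config files but deserves a one-line comment such as `# config files only, nothing to fix up`.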
27
machines/compute01/secrets/radius-auth_token_file
Normal file
27
machines/compute01/secrets/radius-auth_token_file
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 tDqJRg Zw3L9l8YoaYlsqDMSi9MPmjfHf0K4ExExEj9qt6p9i0
|
||||||
|
CsKbTHwLT6YNXn3nXugCD7jem/psV3ZFexKC6Uo+GOM
|
||||||
|
-> ssh-ed25519 jIXfPA fmzjn7g46a9Zp9w8N85+I65BRcAdWs/ZeEbSN9j5PRk
|
||||||
|
9WPJDDSbN5hcBBb/vBxhCHRgKh23DzICtvZjUHJwR/w
|
||||||
|
-> ssh-ed25519 QlRB9Q QRG0hb+Smxs9olTC4yGXO7KxCQqeFOSE0105y532FXE
|
||||||
|
4uRlorP/Lfcd+qQdUyS44B1ru1L2+3Lb2kyp2JGeEjc
|
||||||
|
-> ssh-ed25519 r+nK/Q hwsymX8ASjlURmYaMTWFxPhB1V0PMJPsK8vSG6q9Nzs
|
||||||
|
bCXlIirxSFAzAqwYUULYoiDtZg5RMZm0gOsIlWo/47U
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
pXXzKHhZ50dE+9/IdjVsWiqrY7dBVFnOWRXqFKYTg+mdnYINL8XO74/W1skekmLL
|
||||||
|
sQT7x8mdL5mvyk/cQetvip2ZUcnHiT880qNY1in95mxWRlya1qHIL1S12O0iL5/V
|
||||||
|
BeW0Zfxinqh5v5LZ5Trq5WjbGeqNSSB6PvoS1j5+H7HUfd8tupGKgpiQ37mr3CYY
|
||||||
|
eslGof3wpmsKOkUyi6UPiwe42hb8aYn1SSrpfkCEtiGNwxgpa4DgSZ9CPLGU/MLX
|
||||||
|
YexJjicOotu8bNPmyy5LxBILTqpyFdsXSNwQY2ECXdxdPjGrL/ghLkhZoCk95UAY
|
||||||
|
dW8VZGSeK4r2L2qdAhVeag
|
||||||
|
-> ssh-ed25519 /vwQcQ s8AcKrKptat5IUnEPJk/v3mCZiqBDzrYE8V+9oUYOE8
|
||||||
|
OUNHGCXSRPRY3CHxttbvEbDqKtN0HefTR2lEud6Xj2I
|
||||||
|
-> ssh-ed25519 0R97PA 0RTwsW6NisiieNsSwUpwIsnvNt97/PkrwoyDuvSUADo
|
||||||
|
4LAGhWShBr/Dys1lTYig4PDoR0umCaYgKVTgr8XSgag
|
||||||
|
-> ssh-ed25519 JGx7Ng oRAd/G3XFQbblG+GhkIsrqjmrzK7FzU9tT0EkufjNAo
|
||||||
|
KCG2lhRAuWkAaw9EWC1W1e5ilv+XL+Zf2Ce+F77xzSY
|
||||||
|
-> vt/lXLgK-grease ::9Q O6
|
||||||
|
hRl/Ntq/TpYAHTdmBgaTi1hP4v/VkB5EVsIRfcgNVaGrB5o
|
||||||
|
--- VWOKVRkF4ui59WRXsilY9KrsHChX1z+d5E68HVZ7K/4
|
||||||
|
¥TbæãŽ|ãzP÷ªß¬Fõÿ³”ç‡~b;ÌÑ2ÏxI^FÊâp½XÚZGÕ¸bxBŽ/½Më;
|
||||||
|
‡lý¬¯&þíàÚýrYÈ·ž/=òÔ
|
BIN
machines/compute01/secrets/radius-ca_pem_file
Normal file
BIN
machines/compute01/secrets/radius-ca_pem_file
Normal file
Binary file not shown.
BIN
machines/compute01/secrets/radius-cert_pem_file
Normal file
BIN
machines/compute01/secrets/radius-cert_pem_file
Normal file
Binary file not shown.
31
machines/compute01/secrets/radius-dh_pem_file
Normal file
31
machines/compute01/secrets/radius-dh_pem_file
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
|
||||||
|
Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
|
||||||
|
-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
|
||||||
|
Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
|
||||||
|
-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
|
||||||
|
ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
|
||||||
|
-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
|
||||||
|
OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
|
||||||
|
LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
|
||||||
|
o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
|
||||||
|
m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
|
||||||
|
Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
|
||||||
|
ABByGBZ/QKLw66NpE7rbSA
|
||||||
|
-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
|
||||||
|
gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
|
||||||
|
-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
|
||||||
|
qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
|
||||||
|
-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
|
||||||
|
5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
|
||||||
|
-> t|-grease (u /1\q}65 ]@
|
||||||
|
Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
|
||||||
|
LA3n6c+Te9Q
|
||||||
|
--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
|
||||||
|
5¥t·Œ °ÒxÚ@<1E>`zÈÔgC’à Ѭ:4Œó¾&‡Spi8ñŸuæ"lÕ‚×)<29>:ìaŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^ݶ‚Ø«%´Ñº98¾,yB‚Ù
|
||||||
|
"¶%Ç㤄†NÎÓ· íò¬} [Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Šà-—&qF kÖ¶¹µùÔÎLì,¹À„žD™áΩQÍ—½è<C2BD>4N}<7D>ÙÐJ´·‹ÇÓˆpç€]dUÏø¿<C3B8>I—:ÌôÑÉ
öì’°¦£‘sý¨õB#}¹
|
||||||
|
ÞÃXzð‰N4·>ñ5iSan`‰¹.‚õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZЬÆwçÚ /×
|
||||||
|
Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäAQö<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏ‚IM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
|
||||||
|
ê6)ËŒä0£<30>tM¶É
Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡bzÚõ–Š¿ÁìÍÿ
|
BIN
machines/compute01/secrets/radius-key_pem_file
Normal file
BIN
machines/compute01/secrets/radius-key_pem_file
Normal file
Binary file not shown.
26
machines/compute01/secrets/radius-private_key_password_file
Normal file
26
machines/compute01/secrets/radius-private_key_password_file
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
|
||||||
|
ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
|
||||||
|
-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
|
||||||
|
qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
|
||||||
|
-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
|
||||||
|
fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
|
||||||
|
-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
|
||||||
|
kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
|
||||||
|
ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
|
||||||
|
p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
|
||||||
|
3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
|
||||||
|
OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
|
||||||
|
28gTWKdeOQcHJfmaeJV/Rg
|
||||||
|
-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
|
||||||
|
4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
|
||||||
|
-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
|
||||||
|
OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
|
||||||
|
-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
|
||||||
|
tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
|
||||||
|
-> \<?_-grease (+d_8zF H
|
||||||
|
|
||||||
|
--- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
|
||||||
|
›=þ%©»gæÆQ³-¼ffÄUC.qÅ͘·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN
|
|
@ -12,6 +12,12 @@ lib.setDefault { inherit publicKeys; } [
|
||||||
"outline-oidc_client_secret_file"
|
"outline-oidc_client_secret_file"
|
||||||
"outline-smtp_password_file"
|
"outline-smtp_password_file"
|
||||||
"outline-storage_secret_key_file"
|
"outline-storage_secret_key_file"
|
||||||
|
"radius-auth_token_file"
|
||||||
|
"radius-ca_pem_file"
|
||||||
|
"radius-cert_pem_file"
|
||||||
|
"radius-dh_pem_file"
|
||||||
|
"radius-key_pem_file"
|
||||||
|
"radius-private_key_password_file"
|
||||||
"satosa-env_file"
|
"satosa-env_file"
|
||||||
"vaultwarden-environment_file"
|
"vaultwarden-environment_file"
|
||||||
"zammad-secret_key_base_file"
|
"zammad-secret_key_base_file"
|
||||||
|
|
|
@ -114,6 +114,18 @@
|
||||||
"url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.750.7c4c20509c43/nixexprs.tar.xz",
|
"url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.750.7c4c20509c43/nixexprs.tar.xz",
|
||||||
"hash": "1gla4s4jmzyhxkp60d8vak5ia87ry89bc8s4mrirasd46lj8wqc6"
|
"hash": "1gla4s4jmzyhxkp60d8vak5ia87ry89bc8s4mrirasd46lj8wqc6"
|
||||||
},
|
},
|
||||||
|
"nixos-python": {
|
||||||
|
"type": "Git",
|
||||||
|
"repository": {
|
||||||
|
"type": "GitHub",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs"
|
||||||
|
},
|
||||||
|
"branch": "python-updates",
|
||||||
|
"revision": "b89d6c95e443b1114034ac65c974b2c91fb33db1",
|
||||||
|
"url": "https://github.com/NixOS/nixpkgs/archive/b89d6c95e443b1114034ac65c974b2c91fb33db1.tar.gz",
|
||||||
|
"hash": "106iz6i7b4pppwmhy9xn8ap403vvms0vhbr4z8siz0hffdqildl8"
|
||||||
|
},
|
||||||
"nixos-unstable": {
|
"nixos-unstable": {
|
||||||
"type": "Channel",
|
"type": "Channel",
|
||||||
"name": "nixos-unstable",
|
"name": "nixos-unstable",
|
||||||
|
|