{ config, lib, ... }: { imports = [ ./module.nix ]; services.k-radius = { enable = true; radiusClients = { ap = { ipaddr = "0.0.0.0/0"; secret = config.age.secrets."radius-ap-radius-secret_file".path; }; }; settings = { # URL to the Kanidm server uri = "https://sso.dgnum.eu"; # verify the hostname of the Kanidm server verify_hostnames = "true"; # Strict CA verification verify_ca = "false"; verify_certificate = "false"; # Path to the kanidm ca # Default vlans for groups that don't specify one. radius_default_vlan = 99; # A list of Kanidm groups which must be a member # before they can authenticate via RADIUS. radius_required_groups = [ "radius_access@sso.dgnum.eu" ]; # A mapping between Kanidm groups and VLANS radius_groups = [ { spn = "dgnum_members@sso.dgnum.eu"; vlan = 1; } { spn = "dgnum_clients@sso.dgnum.eu"; vlan = 2; } ]; }; authTokenFile = config.age.secrets."radius-auth_token_file".path; privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path; certs = builtins.listToAttrs ( builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [ "ca" "cert" "dh" "key" ] ); }; age-secrets.autoMatch = [ "radius" ]; networking.firewall.allowedTCPPorts = [ 1812 ]; networking.firewall.allowedUDPPorts = [ 1812 ]; }