From c4d9d6d000e31e11d2a5623d2fa30f6fa8c8905c Mon Sep 17 00:00:00 2001
From: Ryan Lahfa
Date: Sat, 31 Aug 2024 22:21:35 +0200
Subject: [PATCH] feat(ap01): enable fully RADIUS via internal RADIUS server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds two public keys. For the private keys, heh…
Signed-off-by: Ryan Lahfa
---
 keys/certs/dgnum-ap-server.crt | 18 ++++++++
 keys/certs/dgnum-test-ap-ca.crt | 23 ++++++++++
 machines/ap01/_configuration.nix | 75 ++++++++++++++++++++++++++++----
 npins/sources.json | 15 ++++---
 4 files changed, 118 insertions(+), 13 deletions(-)
 create mode 100644 keys/certs/dgnum-ap-server.crt
 create mode 100644 keys/certs/dgnum-test-ap-ca.crt
diff --git a/keys/certs/dgnum-ap-server.crt b/keys/certs/dgnum-ap-server.crt
new file mode 100644
index 0000000..ede405e
--- /dev/null
+++ b/keys/certs/dgnum-ap-server.crt
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx +NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg +RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy +aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx +MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT +RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG +A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj +A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF +QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG +AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI +hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz +daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq +4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr +YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA +qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf +DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo= +-----END CERTIFICATE----- diff --git a/keys/certs/dgnum-test-ap-ca.crt b/keys/certs/dgnum-test-ap-ca.crt new file mode 100644 index 0000000..48e9129 --- /dev/null +++ b/keys/certs/dgnum-test-ap-ca.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL +BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S +IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH +DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2 +MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV +U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM +BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O +FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2 +NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9 +qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6 +b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3 +uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE +FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg +Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU +9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5 +a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd +ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG +sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu ++bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou +WXG5pjBKzojPvxU= +-----END CERTIFICATE----- diff --git a/machines/ap01/_configuration.nix b/machines/ap01/_configuration.nix index 0284ae0..c894045 100644 --- a/machines/ap01/_configuration.nix +++ b/machines/ap01/_configuration.nix @@ -15,11 +15,9 @@ let svc = config.system.service; secrets-1 = { ssid = "DGNum 2G prototype (N)"; - wpa_passphrase = "diamond dogs"; }; secrets-2 = { ssid = "DGNum 5G prototype (AX)"; - wpa_passphrase = "diamond dogs"; }; baseParams = { country_code = "FR"; 
@@ -30,11 +28,14 @@ let ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]"; auth_algs = 1; wpa = 2; - wpa_key_mgmt = "WPA-PSK"; wpa_pairwise = "TKIP CCMP"; rsn_pairwise = "CCMP"; }; + radiusKeyMgmt = { + wpa_key_mgmt = "WPA-EAP"; + }; + modernParams = { hw_mode = "a"; he_su_beamformer = 1; @@ -54,13 +55,60 @@ let he_oper_centr_freq_seg0_idx = 42; require_vht = 1; }; + + clientRadius = { + ieee8021x = 1; + eapol_version = 2; + use_pae_group_addr = 1; + dynamic_vlan = 0; + vlan_tagged_interface = "lan"; + }; + + serverRadius = { + radius_server_clients = pkgs.writeText "clients" '' + 0.0.0.0/0 dgnum + ''; + radius_server_auth_port = 1812; + radius_server_ipv6 = 1; + }; + + localRadius = { + eap_server = 1; + eap_user_file = pkgs.writeText "user.db" '' + # anonymous login in phase 1 + * PEAP + # password based in the secure tunnel in phase 2 + "test" MSCHAPV2 "diamond dogs" [2] + ''; + + # DGNum CA certificate. + ca_cert = builtins.toFile "dgnum-test-ap-ca" ( + builtins.readFile ../../keys/certs/dgnum-test-ap-ca.crt + ); + # Server certificate for this AP. + server_cert = builtins.toFile "dgnum-ap-server" ( + builtins.readFile ../../keys/certs/dgnum-ap-server.crt + ); + private_key = builtins.toFile "dgnum-ap-server-pkey" ( + builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem + ); + }; + + # externalRadius = { + # own_ip_addr = ""; + # nas_identifier = ""; + + # auth_server_addr = ""; + # auth_server_port = 1812; + # auth_server_shared_secret = "dgnum"; + # }; + mkWifiSta = params: interface: secrets: svc.hostapd.build { inherit interface; - params = params // { - inherit (secrets) ssid wpa_passphrase; - }; + package = pkgs.hostapd-radius; + params = params // secrets; }; in rec { 
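Review bot: With `wpa_key_mgmt` moved out of `baseParams` into `radiusKeyMgmt`, `baseParams` on its own no longer describes a usable WPA2 network: hostapd falls back to its default PSK key management, and the passphrase was removed from `secrets-1`/`secrets-2` in the previous hunk, so a future `mkWifiSta baseParams …` call would start an AP with no credentials at all. That coupling is only visible by reading both call sites in `rec { … }`; a comment above `radiusKeyMgmt = {` such as `# baseParams carries no key management any more: every params set handed to mkWifiSta must merge this (or a PSK set).` would make it explicit.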
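Review bot: `serverRadius` admits RADIUS clients from `0.0.0.0/0` with the static shared secret `dgnum` (now in git) and enables `radius_server_ipv6 = 1`, so any host that can reach UDP 1812 on the AP can talk to its authentication server; the clients file should list only the addresses that need it (the AP itself and the LAN range), and the secret should come from outside the repository. `localRadius` also places the user password (`"test" MSCHAPV2 "diamond dogs" [2]`) and, through `builtins.toFile (builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem)`, the server private key into the Nix store, which is world-readable on the host and copied to every builder or substituter; hostapd reads these files at runtime, so a path provisioned outside the store (for example by a secrets mechanism such as the agenix pin already present in `npins/sources.json`) keeps the key out of the store. `dgnum-ap-server.key.pem` is not added by this commit, so evaluation presumably fails until that file exists out of tree, which the commit message only hints at. Since `clientRadius` sets no `auth_server_addr` and `localRadius` sets `eap_server = 1`, a comment above `clientRadius = {` such as `# Clients are authenticated by hostapd's own EAP server; the commented externalRadius set is the alternative.` would document the intended topology.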
@@ -72,6 +120,8 @@ rec {
 "${modulesPath}/ntp"
 "${modulesPath}/vlan"
 "${modulesPath}/bridge"
+ "${modulesPath}/jitter-rng"
+ "${modulesPath}/pki"
 ../../modules/dgn-access-control.nix
 # TODO: god that's so a fucking hack.
 (import "${modulesPath}/../devices/zyxel-nwa50ax").module
@@ -79,6 +129,13 @@ rec {
 hostname = "ap01-prototype";
+ security.pki = {
+ installCACerts = true;
+ certificateFiles = [
+ ../../keys/certs/dgnum-test-ap-ca.crt
+ ];
+ };
+
 # SSH keys are handled by the access control module.
 dgn-access-control.enable = true;
 users.root = {
@@ -126,10 +183,12 @@ rec {
 };
 # wlan0 is the 2.4GHz interface.
- services.hostap-1 = mkWifiSta baseParams config.hardware.networkInterfaces.wlan0 secrets-1;
+ services.hostap-1 = mkWifiSta (
+ baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt
+ ) config.hardware.networkInterfaces.wlan0 secrets-1;
 # wlan1 is the 5GHz interface, e.g. AX capable.
 services.hostap-2 = mkWifiSta (
- baseParams // modernParams
+ baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt // modernParams
 ) config.hardware.networkInterfaces.wlan1 secrets-2;
 defaultProfile.packages = with pkgs; [
diff --git a/npins/sources.json b/npins/sources.json
index 84f9911..d37fced 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -9,6 +9,7 @@
 },
 "pre_releases": false,
 "version_upper_bound": null,
+ "release_prefix": null,
 "version": "0.15.0",
 "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
 "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
@@ -58,6 +59,7 @@
 },
 "pre_releases": false,
 "version_upper_bound": null,
+ "release_prefix": null,
 "version": "v1.6.0",
 "revision": "5eaf747af38dd272e1ab28a8ec4bd972424b07cf",
 "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.6.0",
@@ -71,6 +73,7 @@
 },
 "pre_releases": false,
 "version_upper_bound": null,
+ "release_prefix": null,
 "version": "v1.2.1",
 "revision": "66979725afe2164491be38ffff78460cc9b0ffd7",
 "url": null,
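Review bot: `security.pki.installCACerts = true` with `certificateFiles = [ ../../keys/certs/dgnum-test-ap-ca.crt ]` appears to put the test CA into the AP's system-wide trust store, which EAP does not need — hostapd already receives it through `ca_cert` in `localRadius` — and would make every TLS client on the device accept certificates issued by that CA. If the system store is needed for something else, say so in a comment next to the block; otherwise dropping it confines trust in this CA to hostapd. What the `pki` module actually does with these options is not visible here, so confirm against `${modulesPath}/pki` before removing it.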
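Review bot: Both `services.hostap-1` and `services.hostap-2` now merge `serverRadius`, so two hostapd instances on the same host each try to run a RADIUS server on `radius_server_auth_port = 1812`; unless `pkgs.hostapd-radius` binds per interface, the second instance will likely fail to bind the port, and even if it does not, two servers with separate user databases would answer on the same port. Keeping `serverRadius` in only one of the two param sets (or giving the second a distinct port) avoids the conflict, and the choice should be documented, e.g. `# Only hostap-1 runs the RADIUS server; both instances authenticate locally via eap_server = 1.` above `services.hostap-1`. The `rec { … }` body that holds these attributes starts and ends outside the hunk.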
@@ -82,10 +85,10 @@
 "type": "Git",
 "url": "https://git.dgnum.eu/DGNum/liminix.git"
 },
- "branch": "main",
- "revision": "7206fea4b4e9a5e50be91cce39c09da602cdb694",
+ "branch": "strong-tftp",
+ "revision": "a906301aebab47f11b2d2e762af8b65b8fc1040a",
 "url": null,
- "hash": "0dd7r80skjamx1sppsl6mdmjhr355lbmc72g0l0356xs67mg8w5p"
+ "hash": "0c744qyjhcf6s474r4g6z5jww2dzgl857q320d9lm153ambz7rjh"
 },
 "linkal": {
 "type": "Git",
@@ -118,6 +121,7 @@
 },
 "pre_releases": false,
 "version_upper_bound": null,
+ "release_prefix": null,
 "version": "0.1.6",
 "revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
 "url": null,
@@ -142,6 +146,7 @@
 },
 "pre_releases": false,
 "version_upper_bound": null,
+ "release_prefix": null,
 "version": "v0.5.0",
 "revision": "e11ba20945f4a867f09d84343c37328288f274b4",
 "url": null,
@@ -162,8 +167,8 @@
 "nixpkgs": {
 "type": "Channel",
 "name": "nixpkgs-unstable",
- "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre622672.ad7efee13e0d/nixexprs.tar.xz",
- "hash": "0ng26dp73sd5dffw8wl4pwfmrgp2p03xbp4l1lxwlhcw6874fk4l"
+ "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre670424.5de1564aed41/nixexprs.tar.xz",
+ "hash": "1m31bsq9mawjgbxzg4mihk9blfm419451vdsk30llbrj4w4s159w"
 },
 "pre-commit-hooks": {
 "type": "Git",