feat(ap01): enable fully RADIUS via internal RADIUS server
This adds two public keys. For the private keys, heh… Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
parent
be1673c6aa
commit
c4d9d6d000
4 changed files with 118 additions and 13 deletions
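--- /dev/null
+++ b/keys/certs/dgnum-ap-server.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx
+NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg
+RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy
+aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx
+MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT
+RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG
+A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj
+A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF
+QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG
+AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI
+hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz
+daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq
+4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr
+YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA
+qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf
+DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo=
+-----END CERTIFICATE-----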
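Review bot: The DER header of this server certificate (`MIIC6TCCAdECFE…` decodes to SEQUENCE, SEQUENCE, then directly an INTEGER serial) has no explicit `[0] version` element, unlike the CA certificate added in the same commit (`…Aq+gAwIBAgIU…`, version 2 = v3), so this appears to be an X.509 v1 certificate, and v1 certificates cannot carry extensions. A RADIUS/EAP server certificate without an Extended Key Usage of id-kp-serverAuth and without a Subject Alternative Name is refused or warned about by some supplicants, so I would reissue it as v3 with those extensions before clients are configured to validate it. The validity decodes to 2024-08-26 through 2026-08-26, so the rotation date is worth recording next to the `server_cert` entry of the hostapd configuration that consumes this file.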
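--- /dev/null
+++ b/keys/certs/dgnum-test-ap-ca.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL
+BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S
+IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH
+DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2
+MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV
+U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM
+BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O
+FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2
+NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9
+qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6
+b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3
+uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE
+FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg
+Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU
+9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5
+a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd
+ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG
+sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu
++bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou
+WXG5pjBKzojPvxU=
+-----END CERTIFICATE-----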
|
@ -15,11 +15,9 @@ let
|
||||||
svc = config.system.service;
|
svc = config.system.service;
|
||||||
secrets-1 = {
|
secrets-1 = {
|
||||||
ssid = "DGNum 2G prototype (N)";
|
ssid = "DGNum 2G prototype (N)";
|
||||||
wpa_passphrase = "diamond dogs";
|
|
||||||
};
|
};
|
||||||
secrets-2 = {
|
secrets-2 = {
|
||||||
ssid = "DGNum 5G prototype (AX)";
|
ssid = "DGNum 5G prototype (AX)";
|
||||||
wpa_passphrase = "diamond dogs";
|
|
||||||
};
|
};
|
||||||
baseParams = {
|
baseParams = {
|
||||||
country_code = "FR";
|
country_code = "FR";
|
||||||
|
@ -30,11 +28,14 @@ let
|
||||||
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
|
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
|
||||||
auth_algs = 1;
|
auth_algs = 1;
|
||||||
wpa = 2;
|
wpa = 2;
|
||||||
wpa_key_mgmt = "WPA-PSK";
|
|
||||||
wpa_pairwise = "TKIP CCMP";
|
wpa_pairwise = "TKIP CCMP";
|
||||||
rsn_pairwise = "CCMP";
|
rsn_pairwise = "CCMP";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
radiusKeyMgmt = {
|
||||||
|
wpa_key_mgmt = "WPA-EAP";
|
||||||
|
};
|
||||||
|
|
||||||
modernParams = {
|
modernParams = {
|
||||||
hw_mode = "a";
|
hw_mode = "a";
|
||||||
he_su_beamformer = 1;
|
he_su_beamformer = 1;
|
||||||
|
@ -54,13 +55,60 @@ let
|
||||||
he_oper_centr_freq_seg0_idx = 42;
|
he_oper_centr_freq_seg0_idx = 42;
|
||||||
require_vht = 1;
|
require_vht = 1;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
clientRadius = {
|
||||||
|
ieee8021x = 1;
|
||||||
|
eapol_version = 2;
|
||||||
|
use_pae_group_addr = 1;
|
||||||
|
dynamic_vlan = 0;
|
||||||
|
vlan_tagged_interface = "lan";
|
||||||
|
};
|
||||||
|
|
||||||
|
serverRadius = {
|
||||||
|
radius_server_clients = pkgs.writeText "clients" ''
|
||||||
|
0.0.0.0/0 dgnum
|
||||||
|
'';
|
||||||
|
radius_server_auth_port = 1812;
|
||||||
|
radius_server_ipv6 = 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
localRadius = {
|
||||||
|
eap_server = 1;
|
||||||
|
eap_user_file = pkgs.writeText "user.db" ''
|
||||||
|
# anonymous login in phase 1
|
||||||
|
* PEAP
|
||||||
|
# password based in the secure tunnel in phase 2
|
||||||
|
"test" MSCHAPV2 "diamond dogs" [2]
|
||||||
|
'';
|
||||||
|
|
||||||
|
# DGNum CA certificate.
|
||||||
|
ca_cert = builtins.toFile "dgnum-test-ap-ca" (
|
||||||
|
builtins.readFile ../../keys/certs/dgnum-test-ap-ca.crt
|
||||||
|
);
|
||||||
|
# Server certificate for this AP.
|
||||||
|
server_cert = builtins.toFile "dgnum-ap-server" (
|
||||||
|
builtins.readFile ../../keys/certs/dgnum-ap-server.crt
|
||||||
|
);
|
||||||
|
private_key = builtins.toFile "dgnum-ap-server-pkey" (
|
||||||
|
builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
# externalRadius = {
|
||||||
|
# own_ip_addr = "";
|
||||||
|
# nas_identifier = "";
|
||||||
|
|
||||||
|
# auth_server_addr = "";
|
||||||
|
# auth_server_port = 1812;
|
||||||
|
# auth_server_shared_secret = "dgnum";
|
||||||
|
# };
|
||||||
|
|
||||||
mkWifiSta =
|
mkWifiSta =
|
||||||
params: interface: secrets:
|
params: interface: secrets:
|
||||||
svc.hostapd.build {
|
svc.hostapd.build {
|
||||||
inherit interface;
|
inherit interface;
|
||||||
params = params // {
|
package = pkgs.hostapd-radius;
|
||||||
inherit (secrets) ssid wpa_passphrase;
|
params = params // secrets;
|
||||||
};
|
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
rec {
|
rec {
|
||||||
|
@ -72,6 +120,8 @@ rec {
|
||||||
"${modulesPath}/ntp"
|
"${modulesPath}/ntp"
|
||||||
"${modulesPath}/vlan"
|
"${modulesPath}/vlan"
|
||||||
"${modulesPath}/bridge"
|
"${modulesPath}/bridge"
|
||||||
|
"${modulesPath}/jitter-rng"
|
||||||
|
"${modulesPath}/pki"
|
||||||
../../modules/dgn-access-control.nix
|
../../modules/dgn-access-control.nix
|
||||||
# TODO: god that's so a fucking hack.
|
# TODO: god that's so a fucking hack.
|
||||||
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
|
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
|
||||||
|
@ -79,6 +129,13 @@ rec {
|
||||||
|
|
||||||
hostname = "ap01-prototype";
|
hostname = "ap01-prototype";
|
||||||
|
|
||||||
|
security.pki = {
|
||||||
|
installCACerts = true;
|
||||||
|
certificateFiles = [
|
||||||
|
../../keys/certs/dgnum-test-ap-ca.crt
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
# SSH keys are handled by the access control module.
|
# SSH keys are handled by the access control module.
|
||||||
dgn-access-control.enable = true;
|
dgn-access-control.enable = true;
|
||||||
users.root = {
|
users.root = {
|
||||||
|
@ -126,10 +183,12 @@ rec {
|
||||||
};
|
};
|
||||||
|
|
||||||
# wlan0 is the 2.4GHz interface.
|
# wlan0 is the 2.4GHz interface.
|
||||||
services.hostap-1 = mkWifiSta baseParams config.hardware.networkInterfaces.wlan0 secrets-1;
|
services.hostap-1 = mkWifiSta (
|
||||||
|
baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt
|
||||||
|
) config.hardware.networkInterfaces.wlan0 secrets-1;
|
||||||
# wlan1 is the 5GHz interface, e.g. AX capable.
|
# wlan1 is the 5GHz interface, e.g. AX capable.
|
||||||
services.hostap-2 = mkWifiSta (
|
services.hostap-2 = mkWifiSta (
|
||||||
baseParams // modernParams
|
baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt // modernParams
|
||||||
) config.hardware.networkInterfaces.wlan1 secrets-2;
|
) config.hardware.networkInterfaces.wlan1 secrets-2;
|
||||||
|
|
||||||
defaultProfile.packages = with pkgs; [
|
defaultProfile.packages = with pkgs; [
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
},
|
},
|
||||||
"pre_releases": false,
|
"pre_releases": false,
|
||||||
"version_upper_bound": null,
|
"version_upper_bound": null,
|
||||||
|
"release_prefix": null,
|
||||||
"version": "0.15.0",
|
"version": "0.15.0",
|
||||||
"revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
|
"revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
|
||||||
"url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
|
"url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
|
||||||
|
@ -58,6 +59,7 @@
|
||||||
},
|
},
|
||||||
"pre_releases": false,
|
"pre_releases": false,
|
||||||
"version_upper_bound": null,
|
"version_upper_bound": null,
|
||||||
|
"release_prefix": null,
|
||||||
"version": "v1.6.0",
|
"version": "v1.6.0",
|
||||||
"revision": "5eaf747af38dd272e1ab28a8ec4bd972424b07cf",
|
"revision": "5eaf747af38dd272e1ab28a8ec4bd972424b07cf",
|
||||||
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.6.0",
|
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.6.0",
|
||||||
|
@ -71,6 +73,7 @@
|
||||||
},
|
},
|
||||||
"pre_releases": false,
|
"pre_releases": false,
|
||||||
"version_upper_bound": null,
|
"version_upper_bound": null,
|
||||||
|
"release_prefix": null,
|
||||||
"version": "v1.2.1",
|
"version": "v1.2.1",
|
||||||
"revision": "66979725afe2164491be38ffff78460cc9b0ffd7",
|
"revision": "66979725afe2164491be38ffff78460cc9b0ffd7",
|
||||||
"url": null,
|
"url": null,
|
||||||
|
@ -82,10 +85,10 @@
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
"url": "https://git.dgnum.eu/DGNum/liminix.git"
|
"url": "https://git.dgnum.eu/DGNum/liminix.git"
|
||||||
},
|
},
|
||||||
"branch": "main",
|
"branch": "strong-tftp",
|
||||||
"revision": "7206fea4b4e9a5e50be91cce39c09da602cdb694",
|
"revision": "a906301aebab47f11b2d2e762af8b65b8fc1040a",
|
||||||
"url": null,
|
"url": null,
|
||||||
"hash": "0dd7r80skjamx1sppsl6mdmjhr355lbmc72g0l0356xs67mg8w5p"
|
"hash": "0c744qyjhcf6s474r4g6z5jww2dzgl857q320d9lm153ambz7rjh"
|
||||||
},
|
},
|
||||||
"linkal": {
|
"linkal": {
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
|
@ -118,6 +121,7 @@
|
||||||
},
|
},
|
||||||
"pre_releases": false,
|
"pre_releases": false,
|
||||||
"version_upper_bound": null,
|
"version_upper_bound": null,
|
||||||
|
"release_prefix": null,
|
||||||
"version": "0.1.6",
|
"version": "0.1.6",
|
||||||
"revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
|
"revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
|
||||||
"url": null,
|
"url": null,
|
||||||
|
@ -142,6 +146,7 @@
|
||||||
},
|
},
|
||||||
"pre_releases": false,
|
"pre_releases": false,
|
||||||
"version_upper_bound": null,
|
"version_upper_bound": null,
|
||||||
|
"release_prefix": null,
|
||||||
"version": "v0.5.0",
|
"version": "v0.5.0",
|
||||||
"revision": "e11ba20945f4a867f09d84343c37328288f274b4",
|
"revision": "e11ba20945f4a867f09d84343c37328288f274b4",
|
||||||
"url": null,
|
"url": null,
|
||||||
|
@ -162,8 +167,8 @@
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"type": "Channel",
|
"type": "Channel",
|
||||||
"name": "nixpkgs-unstable",
|
"name": "nixpkgs-unstable",
|
||||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre622672.ad7efee13e0d/nixexprs.tar.xz",
|
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre670424.5de1564aed41/nixexprs.tar.xz",
|
||||||
"hash": "0ng26dp73sd5dffw8wl4pwfmrgp2p03xbp4l1lxwlhcw6874fk4l"
|
"hash": "1m31bsq9mawjgbxzg4mihk9blfm419451vdsk30llbrj4w4s159w"
|
||||||
},
|
},
|
||||||
"pre-commit-hooks": {
|
"pre-commit-hooks": {
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
|
|