From f1731388487215b072b2ea9e90004b0479a42c79 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 3 Dec 2023 17:35:07 +0100 Subject: [PATCH] feat(radius): Init config --- machines/compute01/_configuration.nix | 1 + machines/compute01/k-radius/default.nix | 62 ++++++ machines/compute01/k-radius/module.nix | 181 ++++++++++++++++++ .../compute01/k-radius/packages/pykanidm.nix | 34 ++++ .../k-radius/packages/python_path.patch | 13 ++ .../k-radius/packages/rlm_python.nix | 33 ++++ .../compute01/secrets/radius-auth_token_file | 27 +++ machines/compute01/secrets/radius-ca_pem_file | Bin 0 -> 2800 bytes .../compute01/secrets/radius-cert_pem_file | Bin 0 -> 2614 bytes machines/compute01/secrets/radius-dh_pem_file | 31 +++ .../compute01/secrets/radius-key_pem_file | Bin 0 -> 3233 bytes .../secrets/radius-private_key_password_file | 26 +++ machines/compute01/secrets/secrets.nix | 6 + npins/sources.json | 12 ++ 14 files changed, 426 insertions(+) create mode 100644 machines/compute01/k-radius/default.nix create mode 100644 machines/compute01/k-radius/module.nix create mode 100644 machines/compute01/k-radius/packages/pykanidm.nix create mode 100644 machines/compute01/k-radius/packages/python_path.patch create mode 100644 machines/compute01/k-radius/packages/rlm_python.nix create mode 100644 machines/compute01/secrets/radius-auth_token_file create mode 100644 machines/compute01/secrets/radius-ca_pem_file create mode 100644 machines/compute01/secrets/radius-cert_pem_file create mode 100644 machines/compute01/secrets/radius-dh_pem_file create mode 100644 machines/compute01/secrets/radius-key_pem_file create mode 100644 machines/compute01/secrets/radius-private_key_password_file diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix index 5736309..155f5fa 100644 --- a/machines/compute01/_configuration.nix +++ b/machines/compute01/_configuration.nix 
@@ -12,6 +12,7 @@ lib.extra.mkConfig { # List of services to enable "ds-fr" "hedgedoc" + "k-radius" "kanidm" "mastodon" "nextcloud" diff --git a/machines/compute01/k-radius/default.nix b/machines/compute01/k-radius/default.nix new file mode 100644 index 0000000..0ab6cdf --- /dev/null +++ b/machines/compute01/k-radius/default.nix @@ -0,0 +1,62 @@ +{ config, lib, ... }: + +{ + imports = [ ./module.nix ]; + + services.k-radius = { + enable = true; + + settings = { + # URL to the Kanidm server + uri = "https://sso.dgnum.eu"; + + # verify the hostname of the Kanidm server + verify_hostnames = "true"; + + # Strict CA verification + verify_ca = "false"; + verify_certificate = "false"; + + # Path to the kanidm ca + + # Default vlans for groups that don't specify one. + radius_default_vlan = 99; + + # A list of Kanidm groups which must be a member + # before they can authenticate via RADIUS. + radius_required_groups = [ "radius_access@sso.dgnum.eu" ]; + + # A mapping between Kanidm groups and VLANS + radius_groups = [ + { + spn = "dgnum_members@idm.example.com"; + vlan = 1; + } + { + spn = "dgnum_clients@idm.example.com"; + vlan = 2; + } + ]; + }; + + authTokenFile = config.age.secrets."radius-auth_token_file".path; + privateKeyPasswordFile = + config.age.secrets."radius-private_key_password_file".path; + + certs = builtins.listToAttrs (builtins.map (name: + lib.nameValuePair name + config.age.secrets."radius-${name}_pem_file".path) [ + "ca" + "cert" + "dh" + "key" + ]); + + radiusClients = { }; + }; + + dgn-secrets.matches."^radius-.*$" = { owner = "radius"; }; + + networking.firewall.allowedTCPPorts = [ 1812 ]; + networking.firewall.allowedUDPPorts = [ 1812 ]; +} diff --git a/machines/compute01/k-radius/module.nix b/machines/compute01/k-radius/module.nix new file mode 100644 index 0000000..9c3e721 --- /dev/null +++ b/machines/compute01/k-radius/module.nix 
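Review bot: `verify_ca = "false"` and `verify_certificate = "false"` disable TLS chain validation for every request the RADIUS module makes to the Kanidm server at `uri`, so the service-account token read from `authTokenFile` is presented to whatever answers for sso.dgnum.eu, and `verify_hostnames = "true"` adds nothing once the chain itself is not checked. The comment `# Path to the kanidm ca` has no setting under it, but module.nix already wires `ca_path = cfg.certs.ca`, so re-enabling verification should only need `verify_ca = "true"; verify_certificate = "true";` here (the flags are written as quoted strings rather than TOML booleans — presumably that is what the module expects; worth confirming). The `radius_groups` entries still reference `idm.example.com` while `radius_required_groups` and `uri` use `sso.dgnum.eu`, so neither VLAN mapping can match a real group and every authenticated client falls through to `radius_default_vlan = 99`. RADIUS authentication runs over UDP/1812; the matching TCP/1812 rule looks unneeded unless the server is explicitly configured to listen on TCP.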
@@ -0,0 +1,181 @@ +{ config, lib, pkgs, sources, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption types; + + settingsFormat = pkgs.formats.toml { }; + + python3 = (import sources.nixos-python { }).python311; + + pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit python3; }; + rlm_python = + pkgs.callPackage ./packages/rlm_python.nix { inherit python3 pykanidm; }; + + cfg = config.services.k-radius; +in { + options.services.k-radius = { + enable = mkEnableOption "a freeradius service linked to kanidm."; + + settings = mkOption { inherit (settingsFormat) type; }; + + freeradius = mkOption { + type = types.package; + default = pkgs.freeradius.overrideAttrs (old: { + buildInputs = (old.buildInputs or [ ]) + ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ]; + }); + }; + + configDir = mkOption { + type = types.path; + default = "/var/lib/radius/raddb"; + description = + "The path of the freeradius server configuration directory."; + }; + + authTokenFile = mkOption { + type = types.path; + description = "File to the auth token for the service account."; + }; + + radiusClients = mkOption { + type = types.attrsOf (types.submodule { + options = { + secret = mkOption { type = types.path; }; + ipaddr = mkOption { type = types.str; }; + }; + }); + default = { }; + description = "A mapping of clients and their authentication tokens."; + }; + + certs = { + ca = mkOption { + type = types.str; + description = "The signing CA of the RADIUS certificate."; + }; + dh = mkOption { + type = types.str; + description = + "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`."; + }; + cert = mkOption { + type = types.str; + description = "The certificate for the RADIUS server."; + }; + key = mkOption { + type = types.str; + description = "The signing key for the RADIUS certificate."; + }; + }; + + privateKeyPasswordFile = mkOption { type = types.path; }; + }; + + config = mkIf cfg.enable { + users = { + users.radius = { + group = "radius"; + description = 
"Radius daemon user"; + isSystemUser = true; + }; + + groups.radius = { }; + }; + + services.k-radius.settings = { + ca_path = cfg.certs.ca; + + radius_cert_path = cfg.certs.cert; + radius_key_path = cfg.certs.key; + radius_dh_path = cfg.certs.dh; + radius_ca_path = cfg.certs.ca; + }; + + systemd.services.radius = { + description = "FreeRadius server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + wants = [ "network.target" ]; + + preStart = '' + cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir} + cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir} + + chmod -R u+w ${cfg.configDir} + + # disable auth via methods kanidm doesn't support + rm ${cfg.configDir}/mods-available/sql + rm ${cfg.configDir}/mods-enabled/{passwd,totp} + + # enable the python and cache modules + ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3 + ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls + + # write the clients configuration + rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf + ${builtins.concatStringsSep "\n" (builtins.attrValues (builtins.mapAttrs + (name: + { secret, ipaddr }: '' + cat <> ${cfg.configDir}/client.conf + client ${name} { + ipaddr = ${ipaddr} + secret = $(cat "${secret}") + proto = * + } + EOF + '') cfg.radiusClients))} + + # Copy the kanidm configuration + cat < /var/lib/radius/kanidm.toml + auth_token = "$(cat "${cfg.authTokenFile}")" + EOF + + cat ${ + settingsFormat.generate "kanidm.toml" cfg.settings + } >> /var/lib/radius/kanidm.toml + chmod u+w /var/lib/radius/kanidm.toml + + # Copy the certificates to the correct directory + rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs + + cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem + + ${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs + + cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem + + cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem 
+ + # Write the password of the private_key in the eap module + sed -i ${cfg.configDir}/mods-available/eap \ + -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" + + # Check the configuration + # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ''; + + path = [ pkgs.openssl pkgs.gnused ]; + + serviceConfig = { + ExecStart = + "${cfg.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout"; + ExecReload = [ + "${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout" + "${pkgs.coreutils}/bin/kill -HUP $MAINPID" + ]; + User = "radius"; + Group = "radius"; + DynamicUser = true; + Restart = "on-failure"; + RestartSec = 2; + LogsDirectory = "radius"; + StateDirectory = "radius"; + Environment = [ + "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml" + "PYTHONPATH=${rlm_python.pythonPath}" + ]; + }; + }; + }; +} diff --git a/machines/compute01/k-radius/packages/pykanidm.nix b/machines/compute01/k-radius/packages/pykanidm.nix new file mode 100644 index 0000000..ac90aed --- /dev/null +++ b/machines/compute01/k-radius/packages/pykanidm.nix @@ -0,0 +1,34 @@ +{ lib, fetchFromGitHub, python3 }: + +let + pname = "kanidm"; + version = "0.0.3"; +in python3.pkgs.buildPythonPackage { + inherit pname version; + format = "pyproject"; + + disabled = python3.pythonOlder "3.8"; + + src = (fetchFromGitHub { + owner = pname; + repo = pname; + # Latest 1.1.0-rc.15 tip + rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d"; + hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg="; + }) + "/pykanidm"; + + nativeBuildInputs = with python3.pkgs; [ poetry-core ]; + + propagatedBuildInputs = with python3.pkgs; [ aiohttp pydantic toml (authlib.overridePythonAttrs (_: { doCheck = false; })) ]; + + doCheck = false; + + pythonImportsCheck = [ "kanidm" ]; + + meta = with lib; { + description = "Kanidm client library"; + homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm"; + license = licenses.mpl20; + maintainers = with maintainers; [ arianvp hexa ]; + }; +} 
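Review bot: The private-key password is interpolated into sed's argument list, `-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"`, so it is visible in the process command line for the duration of the call and any `/`, `&` or `\` in it silently corrupts the eap module config; feeding the script on stdin instead (`printf 's|whatever|%s|\n' "$(cat "${cfg.privateKeyPasswordFile}")" | sed -i -f - ${cfg.configDir}/mods-available/eap`) keeps it out of argv, with `&` and `\` still needing escaping unless the generator is known never to emit them. The client block is appended to `${cfg.configDir}/client.conf` while the file that is reset two lines earlier, and that FreeRADIUS reads, is `clients.conf`, so no entry in `radiusClients` would ever take effect. Nothing creates `${cfg.configDir}` before the two `cp -R ... ${cfg.configDir}` lines — `StateDirectory = "radius"` only provides `/var/lib/radius` — so a `mkdir -p ${cfg.configDir}` at the top of preStart is needed unless the directory is created elsewhere. `DynamicUser = true` alongside a statically declared `users.users.radius` and `User = "radius"` is at least confusing (systemd reportedly keeps the static account when it already exists, which leaves the dynamic-user sandboxing partly moot); pick one model and note it in a comment. The `radiusd -C` check is left commented out; running it at the end of preStart would fail the unit on a bad rewrite instead of starting a daemon with a broken eap module.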
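Review bot: `src` pins pykanidm to commit `a5ca8018e3a636dbb0a79b3fd869db059d92979d` with the comment `# Latest 1.1.0-rc.15 tip`, while rlm_python.nix fetches the same repository at tag `v1.1.0-rc.15`; the Python client and the RADIUS module that imports it are therefore built from two different revisions and will drift further on the next bump. Pinning both to one rev (or defining it once and passing it to both derivations) keeps them in lockstep, and the comment should then state which tag the commit corresponds to. `doCheck = false` on both the package and the `authlib` override skips the test suites without saying why; a short comment such as `# tests need network access` (or whatever the actual reason is) would help the next maintainer decide whether it can be lifted.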
diff --git a/machines/compute01/k-radius/packages/python_path.patch b/machines/compute01/k-radius/packages/python_path.patch new file mode 100644 index 0000000..876fb16 --- /dev/null +++ b/machines/compute01/k-radius/packages/python_path.patch @@ -0,0 +1,13 @@ +diff --git a/rlm_python/mods-available/python3 b/rlm_python/mods-available/python3 +index 978536f8a..90c71fca0 100644 +--- a/rlm_python/mods-available/python3 ++++ b/rlm_python/mods-available/python3 +@@ -13,7 +13,7 @@ python3 { + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. + # +- python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/" ++ python_path="@kanidm_python@:/etc/raddb/mods-config/python3/" + + module = "kanidm.radius" + # python_path = ${modconfdir}/${.:name} diff --git a/machines/compute01/k-radius/packages/rlm_python.nix b/machines/compute01/k-radius/packages/rlm_python.nix new file mode 100644 index 0000000..c276978 --- /dev/null +++ b/machines/compute01/k-radius/packages/rlm_python.nix 
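Review bot: The replacement `python_path="@kanidm_python@:/etc/raddb/mods-config/python3/"` keeps the upstream `/etc/raddb/mods-config/python3/` entry, but on this host the config tree is copied to `/var/lib/radius/raddb` (the `configDir` default in module.nix), so that path does not exist and only the substituted package path is effective. Either drop the trailing entry or express it relative to the running config, e.g. `python_path="@kanidm_python@:${modconfdir}/python3/"`, which is the form the commented `# python_path = ${modconfdir}/${.:name}` line just below already hints at.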
@@ -0,0 +1,33 @@ +{ stdenv, fetchFromGitHub, python3, pykanidm }: + +let pythonPath = with python3.pkgs; makePythonPath [ pykanidm ]; + +in stdenv.mkDerivation rec { + pname = "rlm_python"; + version = "1.1.0-rc.15"; + + src = fetchFromGitHub { + owner = "kanidm"; + repo = "kanidm"; + rev = "v${version}"; + hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok="; + }; + + patches = [ ./python_path.patch ]; + + postPatch = '' + substituteInPlace rlm_python/mods-available/python3 \ + --replace "@kanidm_python@" "${pythonPath}" + ''; + + installPhase = '' + mkdir -p $out/etc/raddb/ + cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/ + ''; + + phases = [ "unpackPhase" "patchPhase" "installPhase" ]; + + passthru = { inherit pythonPath; }; + + preferLocalBuild = true; +} diff --git a/machines/compute01/secrets/radius-auth_token_file b/machines/compute01/secrets/radius-auth_token_file new file mode 100644 index 0000000..c162a63 --- /dev/null +++ b/machines/compute01/secrets/radius-auth_token_file 
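Review bot: `phases = [ "unpackPhase" "patchPhase" "installPhase" ]` replaces the whole stdenv phase list, which also silently drops fixupPhase and is the form nixpkgs discourages; `dontConfigure = true; dontBuild = true;` expresses the same intent while keeping the remaining hooks. The `substituteInPlace ... --replace "@kanidm_python@" "${pythonPath}"` step may not fail when the placeholder is absent (as far as I know `substituteInPlace` only warns on a missing match), so a `grep -q "${pythonPath}" rlm_python/mods-available/python3` right after it would catch a future upstream change that makes python_path.patch apply with a different layout. `pythonPath` is both baked into the python3 module config here and exported via `passthru` for the unit's `PYTHONPATH`; a one-line comment such as `# must match the python_path substituted into mods-available/python3` next to `passthru` would keep the two from being changed independently.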
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg Zw3L9l8YoaYlsqDMSi9MPmjfHf0K4ExExEj9qt6p9i0 +CsKbTHwLT6YNXn3nXugCD7jem/psV3ZFexKC6Uo+GOM +-> ssh-ed25519 jIXfPA fmzjn7g46a9Zp9w8N85+I65BRcAdWs/ZeEbSN9j5PRk +9WPJDDSbN5hcBBb/vBxhCHRgKh23DzICtvZjUHJwR/w +-> ssh-ed25519 QlRB9Q QRG0hb+Smxs9olTC4yGXO7KxCQqeFOSE0105y532FXE +4uRlorP/Lfcd+qQdUyS44B1ru1L2+3Lb2kyp2JGeEjc +-> ssh-ed25519 r+nK/Q hwsymX8ASjlURmYaMTWFxPhB1V0PMJPsK8vSG6q9Nzs +bCXlIirxSFAzAqwYUULYoiDtZg5RMZm0gOsIlWo/47U +-> ssh-rsa krWCLQ +pXXzKHhZ50dE+9/IdjVsWiqrY7dBVFnOWRXqFKYTg+mdnYINL8XO74/W1skekmLL +sQT7x8mdL5mvyk/cQetvip2ZUcnHiT880qNY1in95mxWRlya1qHIL1S12O0iL5/V +BeW0Zfxinqh5v5LZ5Trq5WjbGeqNSSB6PvoS1j5+H7HUfd8tupGKgpiQ37mr3CYY +eslGof3wpmsKOkUyi6UPiwe42hb8aYn1SSrpfkCEtiGNwxgpa4DgSZ9CPLGU/MLX +YexJjicOotu8bNPmyy5LxBILTqpyFdsXSNwQY2ECXdxdPjGrL/ghLkhZoCk95UAY +dW8VZGSeK4r2L2qdAhVeag +-> ssh-ed25519 /vwQcQ s8AcKrKptat5IUnEPJk/v3mCZiqBDzrYE8V+9oUYOE8 +OUNHGCXSRPRY3CHxttbvEbDqKtN0HefTR2lEud6Xj2I +-> ssh-ed25519 0R97PA 0RTwsW6NisiieNsSwUpwIsnvNt97/PkrwoyDuvSUADo +4LAGhWShBr/Dys1lTYig4PDoR0umCaYgKVTgr8XSgag +-> ssh-ed25519 JGx7Ng oRAd/G3XFQbblG+GhkIsrqjmrzK7FzU9tT0EkufjNAo +KCG2lhRAuWkAaw9EWC1W1e5ilv+XL+Zf2Ce+F77xzSY +-> vt/lXLgK-grease ::9Q O6 +hRl/Ntq/TpYAHTdmBgaTi1hP4v/VkB5EVsIRfcgNVaGrB5o +--- VWOKVRkF4ui59WRXsilY9KrsHChX1z+d5E68HVZ7K/4 +Tb|zP߬F ~b;2xI^FpXZGոbxB/M; +l&rYȷ/= \ No newline at end of file 
diff --git a/machines/compute01/secrets/radius-ca_pem_file b/machines/compute01/secrets/radius-ca_pem_file new file mode 100644 index 0000000000000000000000000000000000000000..f72b0c0daff400de7779d9f9f756fee4c9627bc6 GIT binary patch literal 2800 zcmZY9_ghnk8V7Jk3N?yK6%}hW6|vHYCpp=QVs>&ePR_}WGa-ANjFXe4y$UD}3Xaxs zUG%!IMby@T3tZsVx(aGrMc~nDUA5w(wLbTG`iu83_`L7?e7~>N<;ZtnMUiAE>Iq_F zf)N)Gqm%O|P;lIx@34a`7M(|lioy`;qIl>U2domY#SxHi(IRmpq~u$0n##n1A(;?{ zZ92cmX<-qr$!U}tm=<5cjYFW%WR|n>Bn(=jMG>>0$c*w~l`!ObU-QaM zP7R;p4g+S?Zlgz;QJEp&r9wpleoO@Gi>Xk*8LP6?_{VCyarJm@DOzZI%E_j`B31Un-Hxbzu%QQDmZ_eiLZ(CyWL{?RBFZ zNEVAp@b|R{6;l8RMHl1fEj+Ir&~Ut773>7r%w!5?=nXMm(#VTj4PMM6ap|}$pNlNT zAQxnEDFr-95$s~|5QomUa%@z{(0(IU8&;)@uCN`x%tiP*T4 zD?&X{m7b9ZnPl3yS_jy4DYh}?k`X?oNEM6}$wOKthQ%bHfk}1o1b_j-WI_?1G?8%= z*Gh+sMi6Is{0>13ilrcqPH7E+UVx$1Yjh}(2&EiOGcMO9ebUL25tN*2MC0V1u$;{$X;D&MU&$r*CDpAi6=NFd>{ z=n213qyr2Q+(M8Eri06d_-b9iTx2uDEVEJ#%aDJr{ZC7PSR5%rC~T+8gxKjJjnoY> zRdKml>P*q(1VT7y3M>IS5_Yi2>Pu1u1~EA(qDljFrr)JwtMpOG0)@;GliZG;BDj2np5QTbDAR+-U^@X?~E0SS+%KoP4oT2!>o>5D&`r0Z?qx+Y;&sgNOi9ANk%31RG!5Dv_ji4=TCW zrfxnA2y)ABdKu40BsG$j*LkhZ4?4=yzP-`9p>}|RR#`c3&7ywREXlLu16HrtX(O$9 zGMl~CboJ|#qhzTc^0aSHjXNM?;LFEL3V+@m%SZcGtQER?pIrW`XU(H(QRUcfFM8Ic z@90u7#q;RIZw1<%h8;Wiycx1@c2>iT7ggZmz>~4%73`CDZ%rHeD$nr^qrv0IIpXTE z2WdZ2*G@h(m}@gT`K=JRKvnuRJ?WV43=jX;+=P>WBHy5AJU7JOAUn ztN_L4d3$h~`7(O@s zt!*@8!J2h5Nmk~OY&h-dQqqC;l|6rBHAXU@b<5w}Hhm;rmelrGpZ$ZL{8af(yq??o z$IUcBY?(CUM#tuyUs{Kr{-p)jR&sgr=U3uU*!&X6+p9)Wr4?In@((6h7;@ zo3nGvzvmA7AZn}Y(FNa?`D9hrlTDAdE_fA4_kBBL!dI=my1%|f++a5}uW41Jog*#& zva{sso(pBz+Np*m`_EpErO)o__nQL3dF@%P*usr@vUE;!W@!eqGxB~`0lw#?eUC$wnz!)wQ`^hAoU{XApDD9woRD#PVy?cTY)e{W)ZQrh<5%CKMC zKJK-ge11l*eQcO-$o;%9X(z?KJNG}tH~i`u^`HK|Iy(v~sl#$BvF+Zw_wbnq$9n>4 znr_6W6{Kb+I%*<*0sQMEaJ0S0Ww$<7{PJ`*_v@zWYSX;>jt*!`eU8pBN3U5QCEEGN zrX(6OKl+JR(t2p=aRfgSXbYxaj}6~m1@kaf)}(o*B8oaF0JEk z%R7>_;Ci1ocY%xx|7zd7XJ$Wp?$r97Y+n|K@K5w+wQT5cPg*mR-@M(}Oit zE3l{Vh11McM>Ee?mJhM4965Pc7i9j8RV72OA6KNQ3E4#;qxJ(vACb;^uY1FhhxgWsh+u1TKrZIb@9c{q9&Tap;`VaCjv 
z_ZNH*xb>@Q_x#>DTJs9HKcjAP=94!k+(Y+2y;ZePaCz+!MWcJ=i<##r&D55ohZf4k zL^b(?$?4D6??+$212ejOG3{)>_NpBY!{f!@Zk)1j%qPU)%-aHg4tE+4xIIW(yhO1O z?l$dvB$Oo5>J^%XRp~FYd-!4ASkD5rGO{6)rljz>23?frM*Wj-g R4sR{YS$?N_Ui+~ve*@HjaOVI3 literal 0 HcmV?d00001 
diff --git a/machines/compute01/secrets/radius-cert_pem_file b/machines/compute01/secrets/radius-cert_pem_file new file mode 100644 index 0000000000000000000000000000000000000000..9457b92c9ec956d8cb3de3358697eb1bf56d48be GIT binary patch literal 2614 zcmZY8`Cn9p8U}F03?0`jP_Jo25QqcKzM&##hFQ*RXU>^@Tw<0pXJ*c9%ywqxnhUuU zAqbIJxB^P%bqS-uwUji&3bYgxy+C5Pl~=`^CXx4te)0YV-_QHJ&tt*RJk)0k#sguO z-}kydh*6_-QeFW$6msUFb_SbG=aa)lB{Bpf%PICEgv}JOxnZ$`&>91{f)z9AIBt$3 zuJ(FF6hdzb7$a^%fRh3gKgt#b)hsaJcObjRH7G{0g03jkVKRK?3D9$ z9)_DnXQBLP*o4yUUY|y7x5N|)L!3oH!WbWNa752)um=(FVRFzTF@unzB+627sRAY( zp(!Dyzy=W^hF!@GMv({{7PzHyu|!9519sTY_hLbx-fRnk4iC)-*%5*n;35vO!eceC zRBR(5j>XXb(}EPAoC=dAW<^j4iuE=?FBix?I*-FsA}~cFEQldAIsiGKbHugIgqkKc zk#JDY!O$3JF0m`33^$O_8lyniTBH!5I6xpu3WGzaZ9%QnVf*{GV8}wog9f1jCP7{T z3-BWhmtM&Oqgp!PSBou#o5?{jhC*Ru#64WKFO~r0cnp+Fxm=Z+t<<|2VOXFQPjV2+6rfNQ;J5R)0jVK|n5mJxvyNMO0SQfwEAm6jd8AAsFYN5RdJ) zQ2iv6%z@M7B0#B8(+G-2sg>ANkS9PW0zMDZCkeSkQGY~f6bY$Rs~&fl%|Z{8qm8S$ zctoM`!U)NeNYD%hB!sI2YMqrpC{Y9{3R!7-nzIC!Yoiue=XAqFR2OC-h5%jV;1hH? 
z;&wy)7{g0ML6XmDFq=T_)6RNTf+Ayq9v%@D*&#iKQ~4?$;+44JztjGECDbSZ+hB44XNI)^3OeLg zyIF`JaVqH3vS5jb38)fOO@gq6s6x3sme4CnbPyJcF^|m}2zvppJRT7-?e;j6rgtR- zY855Q1Ni_OM3`bJ@T^8d_}r%}VOw-ApBOi)Sy6_?3rp}g2ckwj#subPP;~l$S?vVk zQmaxb#Yn;;wo1g1V5nBepcT0kw0J~oF<|nD+b`rxAV4n-5;~6)7R!leHJK#FRbgZ& zZnBufR9}fU4#7syX9OMf{V|QzDfXJNgx6|y$#9>EB!ZnGlTqf1hpjvfm*Lbi zEin_S;Xy3A(fRb(R!a;vntkz@M)^NY5FyySJS>P>LMRy|c_6PwDNN`I!edn1{9K=g zt#MgOp08Xf%slxI$|}!vv4i+{8#dk)A;=+mAJ;U36}K zZ~KZGenxxxmm~I7@f#K2=Y3w>yRU6dmbgQyU4M1y4woVSm0aC74NYm?9dBRSeL7`Q z-{|4&)`YKbIY?3zWRN^HkZ(uN6Eu21mE;f2(li-kz>be%1Gl>+hbraBB&eQ+HCgLJo`Xn7rJr6b)@_)+qZ&KCWM?GztX7y;+lG>+AH1^)AA4)n7LulyH&VFnC+gn&w-)anz2Mky&(#)ndyB`tfBtrTbMcX1 zkE>E@v$DTkrR(V$GtZamFK>9HT{$Jvexqe=Z(;r8=kFZe{eu`uK2)>2^rbyChb>%{ zxp%QDn9)A8Dr4fgLC5cYe2nQ{Wn)+O}cDUI&Q~lNMDpK9K=}qIO-5cR;4|f+w9*kx8UF<4Iv2oyErp=xH&O%o1 z;@7-|xp&>=!0gFYFCJ+5=^KpZYO5P%}iIa<$}}&NsiU$#1fsyXu>ob*#Pja(?`L&^$0vP6pTYO?`AHdE%l+ zvC}X1FuQwJqx~-rmmO<*vXM9f=u`SGt)&_!Cnf*mx+T}TXIEkSH`LiBvkpy}!JY4S zDEi*TH$=$wt+$75;L%An3|Z;~PUF^w2~P6|H)Ojnpw~xt(7@iRd6lWx&stoig%91+ zGB>6F_}04e2bbVz^>52X!=07uIzJr0)~;a-{MXzo=f3i4)-tI1LieeQg~io}PI6?a z$qhpr3u+vVKklX1!wbIrY8u)U-tXAFWq1~JKMGw@RBr8TnAO(bKW@puzrplf$J}d> zU*B@HWvdFDYo3(++_S;j^WEZKR)06rdh?}f-OP*Gwa&_dh54gK(#E6fdfzCT=U#O3 zG8fOi7cD#Ao$+>(e!p*8wZjIC#2H#j(Q$2NR zZR(C0*(s0FQ#Eg7+*+Q!tZuu4ue0#WBfrn;Fy1Izt~)U^I9l$N0t`q z`nYdf#XV4Ww?Mt=0A<|#8)v6aU73A4<>lpq$@h0AT|f4YZ}2ca_p{^a(hFNk!V5n_ zjy8p6RSmTThBUX2A5FQ%pA22xQ_E_}{kDCmclifPlhdYZPbBZioFr|dxMfa&ck`7!vj(>V1?b=DYzpM1&g?+I|%ai8y?VbL=0K ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU +Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo +-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY +Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc +-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag +ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE +-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws +OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI +-> ssh-rsa krWCLQ 
+1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI +LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M +o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh +m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k +Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP +ABByGBZ/QKLw66NpE7rbSA +-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc +gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU +-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4 +qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ +-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE +5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0 +-> t|-grease (u /1\q}65 ]@ +Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV +LA3n6c+Te9Q +--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ +5t x@`zgC :4&‡Spi8u"lՂ):a,4s*uv#*^ݶ%Ѻ98,yB +"%㤄Nӷ } [ѿ({0f| -&qF k ֶL,DΩQ͗4N}Jӈp]dU I: 쒰sB #} +XzN4>5iSan`.PcHAH=~(P$,ZЬw / ++rC$&J;vjY,*`G=MeAQ\D@j$g{QlhIoςIM)};@Nbk5Dgo'ItW(k +6)ˌ0tM (ꡁnkZu%m bz \ No newline at end of file 
diff --git a/machines/compute01/secrets/radius-key_pem_file b/machines/compute01/secrets/radius-key_pem_file new file mode 100644 index 0000000000000000000000000000000000000000..51db599ffea6155fedd48fd4be080383542492f6 GIT binary patch literal 3233 zcmZA3=U0>m76)KsRAfXKG{zb;AfXL7y}Su+dhbkCz+vX)o!&bdj0mDJlpr7xETF-% z7NQ0;peBf*g29f7U~DM5vPLBl5MB2}zW4{+^PF3L=Ufd0CV^J1GhlZcY}REqCxrB( zVM(cQmrI`n>M(db8i2cL4vqwZJMGzE zEoO_C%!VP%Aj|CHQpEzENNS>a6#xiteH_uqK+tLcsCK zZogQ~;7SZuH6e$DAqZ^{!1X{hJ686-CN@hbfEb<=5IeYZshg#?xz$9xj$x6x?ChXU zF41!2Du`sI%j6z0)oPHUU@WA_f^qwJSP*YklK_{MZHL@G8;{_%It6%|27qiHok+q! zD53W?C&J1_is3<}j_Bo^4G4uAAfs}rXqi_@)tQ)96-TI7XcUPf0LMI?p^CbW_{ zrX0UbW;U51w9aqP;Xs2!%rjCXAe$uf7{oz}8p(UtKK&of>C(VWP6d@GhB?J*y^CXI zYKRaYFG1QZGO3TQ(2$sVE#L0ZfO>$6AcIZ>)q(^>bP6B9dYlB0#K071VDJQj1%`o` zSiB^|gBR;KLO087=J4oz2hYn^QWQohUm296g?^NnpFz~IEDW;3f*^o$J&zbv61-G9 zl@3$*A)*5*_7JQ{t(rzbI}l25P^_a8?G&!Zmjh`b15@Bt*zpd#SAw+*MN%!+o566H z#A;B6rdwfpogIM0SR56l0rUnIjp7F#D6~%{<=DMe7at)-<8dlbNLO0WD6v-V4v?4x zyq4%SL6Csz_Bdd8t&l`k7_k}v#8GKFxcFnjq21`oe}{D&sHN?Mx@;-Cg#di zJ|xo5(b+L7ztYPV^6(-UWYu7FIF^AOlw$>Srikj+8R+7Fru|P!kY1lyD~3}kwj3A3 zm}55Jf-*csE=37tISjx-(dlGPg-N7BYP}Sz8M-oU$xlZZ3G5JUVfr!U) zxp0CEHC-iggPH)rYeRVqO0n&I4J84H?@}Vckc`xTQ%*PH5nwEU~B`(QHh8aHI(7?IS5>hP^fnrxkNM$M>J|!ScDxyNNp(4L}S0N zahQIh0D@C(R;?>Xr^v;75CB3-Ww9MtJw}UH2Xjn3zn@2D5G8cJz>XH=)kkwOuwWl|gm0s#Od>ZO8rXGuWw`A7qWXdnsH zAVmO5_*$-2YS0>pY(1H)G25&(HXaYdfN~NO=fkMofP;Y&(Y%6yNGVa7$!H8m{cf#E zN$^}B5yDb%EWK42K-h9IT%MFeu@bm8YA(v`E#{-u`#8;C_|u~Pn=Vgij- zcg^tXs8~O=vTtpA#QfnkduVSOk2L(L@4vnLy7h+~c7*sj{)f;#y#@ce^V@~G4g3k^ z*~5=7ZgdUTy^I=-SUokcZ`x&lb?NA$%`5)Z`zC>KC7G7Jjw8>`xHvQcd@)@6-=Rz_ zl=tV+*YL4#PMp8XZ@)Ps>;9IKT0 zrzNiWrK%@&M-n2*9rsUs(X_pKK7*bKE9t~!mLgYP>}fnMEiE{>t%d)l#>eK#yQAhm zv&|gX@nUkz>hP8ai&c%2BY-of>x;rad}bzV8fMNQbv93mt8Q*=M-0r_3 zz$ftZRp{~|-rz|@TkOD?d~GN&vnT5AHp;RumN!kl-*cm|;^xe+y@RdY1C_Vqpb)b+I@e4@za4{fNZ*lqZ-t_sH{^*m)vT1b`aPy>V&syT zWC4luYi%<9=GMNl_3a5J_shLaGb_B~uZn(OP(m9&81@Qy4WIL9cEd0Evwwh!^LZIP 
z&ss)a4vjNchh;tkJbOB4tL~0`_n2^y#ozeV;)ke?(JJagX+wP3>M|9qULNyT>6FWV zq!_<_*~;iSz0`PTVP&~yW>{hV+phhdOW%x*-~7BvoAICC+?M&#A0{8D>b|_T3Uxe) zUUP3E{LMp2Vk=X0%p?n(gp<`tPd*--$Xq-<{p`-ElvinKKg~`dvy6Rd=L=Y;A-0&!I$Q>8DLPnLeb$>+`@!+lzYFF@1QX&diUmJy-l|BZ-ee;?$S1e7lDb_#Iv8>_|ho1JV@6ry8rJV zwma%YFJ|Q*vPR;Z8pf8pt=q0O9I2%eQ_|AEzt%RbwtT?Zi9tSJ81t)qSaLFDYSu7L z6CHD^Jp2Uk_SHFzdl`SQr*k+#u`UJHosF52dL_3zZ<(s7cb`0Ubos+ss(Z6mHUAbC zg(>Iir^IcyPp&;-EFL_TP@dejF0wju|KiGeq41ZlhB{c9fh`{k$0Bd9?4z#Q((+ST z+Uk+BwiD#%}}am>vgGPK>V8HZtNMu(cN z?atRLKDsbt+44zQXSZCea~|)!{NvC4e{cLeCiwIMle6~TW6~n+tr;IQN5o!;?Yoqv zTQlkY`Mn$qb~34EXEv!XBjKB|s$SA6bGu6vmsl|~@pAXox7+e!UOmpWoR1nTaJgqS zo_`RMh@3y{ds{GV@uZ2qUlem!_2=Iuc8tHN0k_{8=$eT6Tyo&S>IXv~bX*-ljqj{@ z#0)4B{}i02{unhqEilqMo{#QY)NwsnvbzjjP23BsY(YmQxwkF~>8p*IQ!SMMA8KB2 zQoNjY2fowbFFEHv+|~Z%_9pCS7q_l&{C@wV-_MFi=t1(!o{e>j|KOHzdT$Kv*k3Wn z48^|tk4nqL9XB#@;jnpG@gcggWgqopc83IHsXykog%;0(zj^f4I17wKj#GqW=II&x zC+bn&!h)yIKixGNxBWXu^5NE%Inr72@eg(u@_P#wbMwL}RmP;^S7pt+-{#mwjSX8JI@#{^?Z`zMhx;FG$|%BkQfu~yRSst=JNws9Yc}Q`SazhiQh2Us-ogFaQ&d;xjdshD z=+-yKcb&QUvbo}pXy|-e!sz6!#@`fqn04FodFdf7C(d1}rT=!YV8$8Y;gJg?^CO$~ z-n$+4HT>Qh(XmT#daBJfIHb(V8b9OO+M99ozfG@;yIA#o{~1(Wj!Rt;na$af5gKoN zgD5?);_ZPDZO=zLV+KEqCbKA0$mzprwF~oS#FgGL?rN-hI(PP!E7HBy0e@*maYW&? zd98=?Ks)v-(iw3)EX?rXg#LBubpc&5G^^_SMID6GsheZ>B@7NcJ$YdQJLh!&ycNu8 zfp6Vy{Je9zetdYsCf%l9u(g#S2wffWSKr*_&o(tC^Kq@onu_M*U6D&})T90f;T}|B literal 0 HcmV?d00001 diff --git a/machines/compute01/secrets/radius-private_key_password_file b/machines/compute01/secrets/radius-private_key_password_file new file mode 100644 index 0000000..679fc3c --- /dev/null +++ b/machines/compute01/secrets/radius-private_key_password_file 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI +ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0 +-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8 +qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs +-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU +fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc +-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00 +kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0 +-> ssh-rsa krWCLQ +axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM +ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64 +p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV +3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu +OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5 +28gTWKdeOQcHJfmaeJV/Rg +-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo +4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4 +-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8 +OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8 +-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak +tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk +-> \