diff options
author | Emil Renner Berthing <esmil@labitat.dk> | 2017-11-07 16:27:49 +0100 |
---|---|---|
committer | Emil Renner Berthing <esmil@labitat.dk> | 2017-11-12 14:56:32 +0100 |
commit | e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84 (patch) | |
tree | 41ba5163cf6f110521f2ebc9035f77d2754796a0 | |
download | labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.gz labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.xz labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.zip |
initial commit
88 files changed, 4034 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0e8b0fe --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +*.retry +/secrets.yml diff --git a/roles/fedora/tasks/dnf.yml b/roles/fedora/tasks/dnf.yml new file mode 100644 index 0000000..a0c0db9 --- /dev/null +++ b/roles/fedora/tasks/dnf.yml @@ -0,0 +1,46 @@ +--- +- name: Configure dnf.conf + ini_file: + path: /etc/dnf/dnf.conf + no_extra_spaces: yes + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + with_items: + - section: main + option: 'install_weak_deps' + value: 'False' + - section: main + option: 'best' + value: 'True' + - section: main + option: 'deltarpm' + value: 'False' + +- name: Update all packages + dnf: + name: '*' + state: latest + tags: + - update + - packages + +- name: Remove packages + dnf: + name: '{{ item }}' + state: absent + with_items: '{{ packages.remove }}' + when: "'remove' in packages" + tags: + - packages + +- name: Install packages + dnf: + name: '{{ item }}' + state: latest + with_items: '{{ packages.install }}' + when: "'install' in packages" + tags: + - packages + +# vim: set ts=2 sw=2 et: diff --git a/roles/fedora/tasks/hostname.yml b/roles/fedora/tasks/hostname.yml new file mode 100644 index 0000000..5299270 --- /dev/null +++ b/roles/fedora/tasks/hostname.yml @@ -0,0 +1,12 @@ +--- +- name: Set hostname + hostname: + name: '{{ hostname }}' + when: "'container' not in ansible_env" +- name: '- when in nspawn' + copy: + dest: /etc/hostname + content: "{{ hostname }}\n" + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/fedora/tasks/locale.yml b/roles/fedora/tasks/locale.yml new file mode 100644 index 0000000..61311e0 --- /dev/null +++ b/roles/fedora/tasks/locale.yml @@ -0,0 +1,7 @@ +--- +- name: Setting default locales + template: + src: locale.conf.j2 + dest: /etc/locale.conf + +# vim: set ts=2 sw=2 et: diff --git a/roles/fedora/tasks/main.yml b/roles/fedora/tasks/main.yml new file mode 100644 index 0000000..2e163a4 --- /dev/null +++ b/roles/fedora/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- import_tasks: dnf.yml + tags: dnf +- import_tasks: timezone.yml + when: timezone is defined + tags: timezone +- import_tasks: locale.yml + when: locale is defined + tags: locale +- import_tasks: hostname.yml + when: hostname is defined + tags: hostname + +# vim: set ts=2 sw=2 et: diff --git a/roles/fedora/tasks/timezone.yml b/roles/fedora/tasks/timezone.yml new file mode 100644 index 0000000..05a9165 --- /dev/null +++ b/roles/fedora/tasks/timezone.yml @@ -0,0 +1,9 @@ +--- +- name: Create /etc/localtime + file: + path: '/etc/localtime' + state: link + src: '../usr/share/zoneinfo/{{ timezone }}' + force: yes + +# vim: set ts=2 sw=2 et: diff --git a/roles/fedora/templates/locale.conf.j2 b/roles/fedora/templates/locale.conf.j2 new file mode 100644 index 0000000..f854bde --- /dev/null +++ b/roles/fedora/templates/locale.conf.j2 @@ -0,0 +1,3 @@ +{% for key, value in locale.items() %} +{{ key }}={{ value }} +{% endfor %} diff --git a/roles/root_env/files/bash_profile.sh b/roles/root_env/files/bash_profile.sh new file mode 100644 index 0000000..3ee6b29 --- /dev/null +++ b/roles/root_env/files/bash_profile.sh @@ -0,0 +1 @@ +. "$HOME/.bashrc" diff --git a/roles/root_env/files/bashrc.sh.j2 b/roles/root_env/files/bashrc.sh.j2 new file mode 100644 index 0000000..bcc4ddb --- /dev/null +++ b/roles/root_env/files/bashrc.sh.j2 @@ -0,0 +1,34 @@ +# if not running interactively, don't do anything +[[ $- != *i* ]] && return + +export PS1='\[\e[1;31m\]\u\[\e[00m\]@\[\e[0;31m\]\h\[\e[1;34m\]\w\[\e[00m\]\$ ' +unset PROMPT_COMMAND + +# directory listing +eval "$(dircolors -b)" +alias ls='ls --color=auto -F' +alias ll='ls -Ahl' + +# some more alias to avoid making mistakes: +alias rm='rm -ri' +alias cp='cp -rid' +alias mv='mv -i' + +# editor +export EDITOR='vim' +alias vi='vim' + +# network +alias ip6='ip -6' +{% if ansible_service_mgr == 'systemd' %} + +# systemd +alias start='systemctl start' +alias stop='systemctl stop' +alias restart='systemctl restart' +alias status='systemctl status' +alias cgls='systemd-cgls' +alias cgtop='systemd-cgtop' +{% endif %} + +cd diff --git a/roles/root_env/tasks/main.yml b/roles/root_env/tasks/main.yml new file mode 100644 index 0000000..2a0e04f --- /dev/null +++ b/roles/root_env/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: root .bash_profile + copy: + src: files/bash_profile.sh + dest: /root/.bash_profile +- name: root .bashrc + template: + src: files/bashrc.sh.j2 + dest: /root/.bashrc + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh new file mode 100755 index 0000000..17f8c7a --- /dev/null +++ b/roles/space_server/bootstrap.sh @@ -0,0 +1,66 @@ +#!/bin/bash +# +# This script assumes filesystems and syslinux are already +# set up. If not here is a short, incomplete guide: +# +# Create a gpt partition table similar to this: +# Disk /dev/sda: 14,9 GiB, 16013942784 bytes, 31277232 sectors +# Units: sectors of 1 * 512 = 512 bytes +# Sector size (logical/physical): 512 bytes / 512 bytes +# I/O size (minimum/optimal): 512 bytes / 512 bytes +# Disklabel type: gpt +# Disk identifier: 45AA3BC2-C3B8-B24D-A5AF-59C9F2577554 +# +# Device Start End Sectors Size Type +# /dev/sda1 2048 1048575 1046528 511M EFI System +# /dev/sda2 1048576 31277198 30228623 14,4G Linux filesystem +# +# Create boot filesystem: +# mkfs.vfat -v -F32 -n BOOT /dev/sda1 +# +# Create root filesystem: +# mkfs.btrfs -m single -d single -L BTRFS /dev/sda2 +# +# Install syslinux: +# mount -o noatime,fmask=0133,dmask=0022,utf8 /dev/sda1 /boot +# syslinux -d syslinux -i /dev/sda1 +# cp /usr/share/syslinux/{ldlinux,libutil,menu}.c32 /boot/syslinux/ +# dd bs=440 count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda +# +# Mount root filesystem: +# mount -o noatime,ssd,compress=lzo /dev/sda2 /mnt +# +# Create and mount home subvolume: +# btrfs subvolume create /mnt/home +# mount -o noatime,ssd,compress=lzo,subvol=/home /dev/sda2 /home +# +# Clone the labitat-ansible git repo to /home/ansible +# git clone <URL> /home/ansible +# +# Run this script + +set -e +set -x + +release=26 +dest="/mnt/fedora$release" +if [[ -e "$dest" ]]; then + echo "Destination '$dest' already exists. Aborting." >&2 + exit 1 +fi + +btrfs subvolume create "$dest" + +dnf \ + --assumeyes \ + --installroot="$dest" \ + --releasever=$release \ + --disablerepo='*' \ + --enablerepo=fedora \ + --enablerepo=updates \ + install dnf python2-dnf ansible + +systemd-nspawn -D "$dest" --bind /boot --bind /home -- \ + ansible-playbook -i space, -c local /home/ansible/space.yml + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/defaults/main.yml b/roles/space_server/defaults/main.yml new file mode 100644 index 0000000..eb582df --- /dev/null +++ b/roles/space_server/defaults/main.yml @@ -0,0 +1,32 @@ +--- +hostname: 'space' +locale: + LANG: 'da_DK.UTF-8' + LC_COLLATE: 'C' + LC_MESSAGES: 'C' +timezone: 'Europe/Copenhagen' +packages: + install: + - initscripts + - dosfstools + - btrfs-progs + - dnf + - python2-dnf + - 'dnf-command(leaves)' + - ansible + - vim-enhanced + - git + - diffutils + - htop + - man-db + - passwd + - syslinux + - systemd-container +boot: + device: 'LABEL=BOOT' + options: 'noauto,noatime,iocharset=iso8859-15,utf8,tz=UTC,dmask=0022,fmask=0133,x-systemd.automount,x-systemd.device-timeout=5min,x-systemd.idle-timeout=5min' +root: + device: 'LABEL=BTRFS' + options: 'noatime,ssd,compress=lzo' + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/files/ansible/hosts b/roles/space_server/files/ansible/hosts new file mode 100644 index 0000000..3091e4a --- /dev/null +++ b/roles/space_server/files/ansible/hosts @@ -0,0 +1,11 @@ +# This is the default ansible 'hosts' file. +# +# It should live in /etc/ansible/hosts +# +# - Comments begin with the '#' character +# - Blank lines are ignored +# - Groups of hosts are delimited by [header] elements +# - You can enter hostnames or ip addresses +# - A hostname/ip can be a member of multiple groups + +space ansible_connection=local diff --git a/roles/space_server/files/bird/bird.conf b/roles/space_server/files/bird/bird.conf new file mode 100644 index 0000000..2ae72f0 --- /dev/null +++ b/roles/space_server/files/bird/bird.conf @@ -0,0 +1,7 @@ +router id 185.38.175.0; + +include "bird/symbol4.conf"; +include "bird/filter.conf"; +include "bird/protocols.conf"; +include "bird/templates.conf"; +include "bird/peers4.conf"; diff --git a/roles/space_server/files/bird/bird6.conf b/roles/space_server/files/bird/bird6.conf new file mode 100644 index 0000000..91b5405 --- /dev/null +++ b/roles/space_server/files/bird/bird6.conf @@ -0,0 +1,7 @@ +router id 185.38.175.0; + +include "bird/symbol6.conf"; +include "bird/filter.conf"; +include "bird/protocols.conf"; +include "bird/templates.conf"; +include "bird/peers6.conf"; diff --git a/roles/space_server/files/bird/filter.conf b/roles/space_server/files/bird/filter.conf new file mode 100644 index 0000000..3edc053 --- /dev/null +++ b/roles/space_server/files/bird/filter.conf @@ -0,0 +1,31 @@ +function accept_default_route() +{ + if net = DEFAULT_ROUTE then { + accept; + } +} + +function accept_prefixes(prefix set prefixes) +{ + if net ~ prefixes then { + accept; + } +} + +filter fallback_filter { + reject "WARNING!! no filter set, all routes will be rejected"; +} + +filter transit_import +{ + accept_default_route(); + + reject; +} + +filter transit_export +{ + accept_prefixes(LABITAT_PREFIXES); + + reject; +} diff --git a/roles/space_server/files/bird/peers4.conf b/roles/space_server/files/bird/peers4.conf new file mode 100644 index 0000000..6f0cc96 --- /dev/null +++ b/roles/space_server/files/bird/peers4.conf @@ -0,0 +1,11 @@ +template bgp fiberby from bgp_transit { +} + +protocol bgp fiberby_tgc from fiberby { + preference 90; + neighbor 193.106.167.41 as 42541; +} + +protocol bgp fiberby_inx from fiberby { + neighbor 193.106.167.42 as 42541; +} diff --git a/roles/space_server/files/bird/peers6.conf b/roles/space_server/files/bird/peers6.conf new file mode 100644 index 0000000..ee1fbfe --- /dev/null +++ b/roles/space_server/files/bird/peers6.conf @@ -0,0 +1,11 @@ +template bgp fiberby from bgp_transit { +} + +protocol bgp fiberby_tgc from fiberby { + preference 90; + neighbor 2a03:5440:1:2935:1ab::1 as 42541; +} + +protocol bgp fiberby_inx from fiberby { + neighbor 2a03:5440:1:2935:1ab::2 as 42541; +} diff --git a/roles/space_server/files/bird/protocols.conf b/roles/space_server/files/bird/protocols.conf new file mode 100644 index 0000000..b84c6ac --- /dev/null +++ b/roles/space_server/files/bird/protocols.conf @@ -0,0 +1,15 @@ +protocol device { + scan time 10; +} + +protocol direct { +} + +protocol kernel { + metric 64; + learn; + persist; + scan time 20; + import all; + export all; +} diff --git a/roles/space_server/files/bird/symbol4.conf b/roles/space_server/files/bird/symbol4.conf new file mode 100644 index 0000000..80a8ed6 --- /dev/null +++ b/roles/space_server/files/bird/symbol4.conf @@ -0,0 +1,5 @@ +define DEFAULT_ROUTE = 0.0.0.0/0; + +define LABITAT_PREFIXES = [ + 185.38.175.0/24 +]; diff --git a/roles/space_server/files/bird/symbol6.conf b/roles/space_server/files/bird/symbol6.conf new file mode 100644 index 0000000..daed1b8 --- /dev/null +++ b/roles/space_server/files/bird/symbol6.conf @@ -0,0 +1,5 @@ +define DEFAULT_ROUTE = ::/0; + +define LABITAT_PREFIXES = [ + 2a01:4260:1ab::/48 +]; diff --git a/roles/space_server/files/bird/templates.conf b/roles/space_server/files/bird/templates.conf new file mode 100644 index 0000000..4334bd8 --- /dev/null +++ b/roles/space_server/files/bird/templates.conf @@ -0,0 +1,18 @@ +template bgp bgp_peer { + local as 205235; + import keep filtered; + import filter fallback_filter; + export filter fallback_filter; + import limit 1000 action block; + receive limit 1500 action disable; + export limit 100 action block; + hold time 60; +} + +template bgp bgp_transit from bgp_peer { + preference 100; + import limit off; + receive limit off; + import filter transit_import; + export filter transit_export; +} diff --git a/roles/space_server/files/blackhole/blackhole.service b/roles/space_server/files/blackhole/blackhole.service new file mode 100644 index 0000000..e32f642 --- /dev/null +++ b/roles/space_server/files/blackhole/blackhole.service @@ -0,0 +1,11 @@ +[Unit] +Description=Blackhole routes +Wants=network.target + +[Service] +Type=oneshot +ExecStart=/etc/systemd/scripts/blackhole.sh +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/space_server/files/blackhole/blackhole.sh b/roles/space_server/files/blackhole/blackhole.sh new file mode 100755 index 0000000..695f0ea --- /dev/null +++ b/roles/space_server/files/blackhole/blackhole.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +set -e + +ip route add unreachable 185.38.175.0/24 +ip route add unreachable 2a01:4260:1ab::/48 diff --git a/roles/space_server/files/dhcpd/dhcpd.conf b/roles/space_server/files/dhcpd/dhcpd.conf new file mode 100644 index 0000000..e443b30 --- /dev/null +++ b/roles/space_server/files/dhcpd/dhcpd.conf @@ -0,0 +1,159 @@ +# +# DHCP Server Configuration file. +# see /usr/share/doc/dhcp/dhcpd.conf.example +# see dhcpd.conf(5) man page +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +#option domain-name "labitat.dk"; +default-lease-time 3600; +max-lease-time 7200; +min-lease-time 600; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility daemon; + + +# Admin net +subnet 10.42.0.0 netmask 255.255.255.0 { + range 10.42.0.50 10.42.0.250; + option routers 10.42.0.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; + + host ap { + hardware ethernet 00:0f:23:94:43:0b; + fixed-address 10.42.0.2; + } + + host doorputer { + hardware ethernet 00:b3:f6:00:36:be; + fixed-address 10.42.0.3; + } + + host foodputer { + hardware ethernet 00:d0:59:37:5e:37; + fixed-address 10.42.0.4; + } + + # 10.42.0.5: new ap1 + # 10.42.0.6: new ap2 + + host switch { + hardware ethernet 00:1b:11:6f:42:f8; + fixed-address 10.42.0.9; + } + + host spacewand { + hardware ethernet 00:1f:7b:b4:0e:00; + fixed-address 10.42.0.70; + } +} + + +# Wired net +subnet 10.42.1.0 netmask 255.255.255.0 { + range dynamic-bootp 10.42.1.50 10.42.1.250; + option routers 10.42.1.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; + next-server 10.42.1.1; + filename "pxelinux.0"; + + host anna { + hardware ethernet 00:e0:c5:6e:d6:8d; + fixed-address 10.42.1.9; + } + + # Arduino Ethernet Bootloader test + host flummer { + hardware ethernet 90:A2:DA:00:61:EE; + fixed-address 10.42.1.31; + filename "esmil/test.bin"; + } + + host arduino { + hardware ethernet 00:08:DC:00:00:4F; + fixed-address 10.42.1.31; + filename "esmil/setmac.bin"; + } + + host printbrother { + hardware ethernet 00:80:77:06:9f:26; + fixed-address 10.42.1.32; + } + + # Infoscreen Raspberry Pi + host infotron { + hardware ethernet b8:27:eb:2c:5d:3a; + fixed-address 10.42.1.34; + } + host spacemon { + hardware ethernet b8:27:eb:24:f8:50; + fixed-address 10.42.1.35; + } + host jumbotron { + hardware ethernet b8:27:eb:d3:c1:62; + fixed-address 10.42.1.36; + } + host hplaserjet { + hardware ethernet 94:57:a5:ce:e2:6c; + fixed-address 10.42.1.37; + } + + # fake IP til "hemmeligt projekt" + host tlet { + hardware ethernet 00:00:00:00:00:00; + fixed-address 10.42.1.42; + } + + host labisound { + hardware ethernet 00:16:e6:f7:43:b0; + fixed-address 10.42.1.40; + } + + #test riiiis april2014 + host riiiisarduinoserverrebootertest { + fixed-address 10.42.1.49; + } + +} + + +# Private wifi +subnet 10.42.2.0 netmask 255.255.255.0 { + range 10.42.2.50 10.42.2.250; + option routers 10.42.2.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; + next-server 10.42.2.1; + filename "pxelinux.0"; +} + +# Free wifi +subnet 10.42.3.0 netmask 255.255.255.0 { + range 10.42.3.50 10.42.3.250; + option routers 10.42.3.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; + +} + +# Password protected wifi +subnet 10.42.4.0 netmask 255.255.255.0 { + range 10.42.4.50 10.42.4.250; + option routers 10.42.4.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; +} diff --git a/roles/space_server/files/kernel/90-loaderentry.install b/roles/space_server/files/kernel/90-loaderentry.install new file mode 100755 index 0000000..d31529e --- /dev/null +++ b/roles/space_server/files/kernel/90-loaderentry.install @@ -0,0 +1,89 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +COMMAND="$1" +KERNEL_VERSION="$2" +BOOT_DIR_ABS="$3" +KERNEL_IMAGE="$4" + +if [[ -f /etc/machine-id ]]; then + read MACHINE_ID < /etc/machine-id +fi + +if ! [[ $MACHINE_ID ]]; then + exit 1 +fi + +BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION" +BOOT_ROOT=${BOOT_DIR_ABS%$BOOT_DIR} +LOADER_ENTRY="$BOOT_ROOT/loader/entries/$MACHINE_ID-$KERNEL_VERSION.conf" +MENU="$BOOT_ROOT/loader/${MACHINE_ID}.cfg" + +if [[ $COMMAND == remove ]]; then + exec rm -f "$LOADER_ENTRY" +fi + +if ! [[ $COMMAND == add ]]; then + exit 1 +fi + +if ! [[ $KERNEL_IMAGE ]]; then + exit 1 +fi + +if [[ -f /etc/os-release ]]; then + . /etc/os-release +elif [[ -f /usr/lib/os-release ]]; then + . /usr/lib/os-release +fi + +if ! [[ $PRETTY_NAME ]]; then + PRETTY_NAME="Linux $KERNEL_VERSION" +fi + +declare -a BOOT_OPTIONS + +if [[ -f /etc/kernel/cmdline ]]; then + read -r -d '' -a BOOT_OPTIONS < /etc/kernel/cmdline +fi + +if ! [[ ${BOOT_OPTIONS[*]} ]]; then + read -r -d '' -a line < /proc/cmdline + for i in "${line[@]}"; do + [[ "${i#initrd=*}" != "$i" ]] && continue + BOOT_OPTIONS+=("$i") + done +fi + +if ! [[ ${BOOT_OPTIONS[*]} ]]; then + echo "Could not determine the kernel command line parameters." >&2 + echo "Please specify the kernel command line in /etc/kernel/cmdline!" >&2 + exit 1 +fi + +cp "$KERNEL_IMAGE" "$BOOT_DIR_ABS/linux" && + chown root:root "$BOOT_DIR_ABS/linux" && + chmod 0644 "$BOOT_DIR_ABS/linux" || { + echo "Could not copy '$KERNEL_IMAGE to '$BOOT_DIR_ABS/linux'." >&2 + exit 1 +} + +mkdir -p "${LOADER_ENTRY%/*}" || { + echo "Could not create loader entry directory '${LOADER_ENTRY%/*}'." >&2 + exit 1 +} + +{ + echo "MENU LABEL $PRETTY_NAME $KERNEL_VERSION" + echo "LINUX $BOOT_DIR/linux" + echo "APPEND ${BOOT_OPTIONS[*]}" + [[ -f $BOOT_DIR_ABS/initrd ]] && \ + echo "INITRD $BOOT_DIR/initrd" + : +} > "$LOADER_ENTRY" || { + echo "Could not create loader entry '$LOADER_ENTRY'." >&2 + exit 1 +} + +exit 0 diff --git a/roles/space_server/files/kernel/95-syslinux-menu.install b/roles/space_server/files/kernel/95-syslinux-menu.install new file mode 100755 index 0000000..06ddad7 --- /dev/null +++ b/roles/space_server/files/kernel/95-syslinux-menu.install @@ -0,0 +1,40 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +COMMAND="$1" +KERNEL_VERSION="$2" +BOOT_DIR_ABS="$3" +KERNEL_IMAGE="$4" + +if [[ -f /etc/machine-id ]]; then + read MACHINE_ID < /etc/machine-id +fi + +if ! [[ $MACHINE_ID ]]; then + exit 1 +fi + +BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION" +BOOT_ROOT=${BOOT_DIR_ABS%$BOOT_DIR} +MENU="$BOOT_ROOT/loader/${MACHINE_ID}.cfg" + +{ + declare -a paths + len=0 + for path in "$BOOT_ROOT/loader/entries/$MACHINE_ID"-*; do + paths[$((len++))]="$path" + done + + i=0 + while [[ $len -gt 0 ]]; do + path="${paths[$((--len))]}" + echo "LABEL $((++i))" + echo "INCLUDE ${path#$BOOT_ROOT}" + done +} > "$MENU" || { + echo "Could not create aggregated menu '$MENU'." >&2 + exit 1 +} + +exit 0 diff --git a/roles/space_server/files/named/named.conf b/roles/space_server/files/named/named.conf new file mode 100644 index 0000000..d9b60d3 --- /dev/null +++ b/roles/space_server/files/named/named.conf @@ -0,0 +1,81 @@ +// +// named.conf +// +// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS +// server as a caching only nameserver (as a localhost DNS resolver only). +// +// See /usr/share/doc/bind*/sample/ for example named configuration files. +// + +options { + listen-on port 53 { + 127.0.0.1; + 185.38.175.0; + }; + listen-on-v6 port 53 { + ::1; + 2a01:4260:1ab::; + }; + #dns64 fde2:52b4:4a19:ffff::/96 { + # clients { fde2:52b4:4a19:5::/64; }; + #}; + directory "/var/named"; + dump-file "/var/named/data/cache_dump.db"; + statistics-file "/var/named/data/named_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; + //allow-query { localhost; }; + + /* + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + + dnssec-enable yes; + dnssec-validation yes; + + managed-keys-directory "/var/named/dynamic"; + + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; + + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging { + channel default_debug { + file "data/named.run"; + severity dynamic; + }; + channel syslog { + syslog; + severity warning; + print-severity yes; + print-category yes; + }; + category default{ + syslog; + }; +}; + +zone "." IN { + type hint; + file "named.ca"; +}; + +zone "s" IN { + type master; + file "/etc/named/s.zone"; + allow-transfer { none; }; +}; + +include "/etc/named.rfc1912.zones"; +include "/etc/named.root.key"; + diff --git a/roles/space_server/files/named/s.zone b/roles/space_server/files/named/s.zone new file mode 100644 index 0000000..3d96157 --- /dev/null +++ b/roles/space_server/files/named/s.zone @@ -0,0 +1,21 @@ +s. 600 IN SOA space.labitat.dk. xnybre.labitat.dk. 2015112001 7200 3600 604800 86400 +s. 600 IN NS space.labitat.dk. + +s. 600 IN A 10.42.1.1 +s. 600 IN AAAA fde2:52b4:4a19:1::1 + +labitrack.s. 600 IN CNAME spacewand.labitat.dk. +track.s. 600 IN CNAME spacewand.labitat.dk. + +doorputer.s. 600 IN A 10.42.0.3 +foodputer.s. 600 IN A 10.42.0.4 + +lathe.s. 600 IN A 10.42.0.12 + +anna.s. 600 IN A 10.42.1.9 +infotron.s. 600 IN A 10.42.1.34 +spacemon.s. 600 IN A 10.42.1.35 +jumbotron.s. 600 IN A 10.42.1.36 +sound.s. 600 IN A 10.42.1.80 + +printbrother.s. 600 IN A 10.42.1.32 diff --git a/roles/space_server/files/networkd/network/10-lan.link b/roles/space_server/files/networkd/network/10-lan.link new file mode 100644 index 0000000..996917e --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan.link @@ -0,0 +1,5 @@ +[Match] +Path=pci-0000:02:00.0 + +[Link] +Name=lan diff --git a/roles/space_server/files/networkd/network/10-lan.network b/roles/space_server/files/networkd/network/10-lan.network new file mode 100644 index 0000000..08b85aa --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan.network @@ -0,0 +1,19 @@ +[Match] +Name=lan + +#[Link] +#ARP=no + +[Network] +DHCP=no +IPv6AcceptRA=no +LinkLocalAddressing=no +LLMNR=no +MulticastDNS=no +VLAN=lan10 +VLAN=lan11 +VLAN=lan12 +VLAN=lan13 +VLAN=lan14 +VLAN=lan15 +VLAN=lan20 diff --git a/roles/space_server/files/networkd/network/10-lan10.netdev b/roles/space_server/files/networkd/network/10-lan10.netdev new file mode 100644 index 0000000..655859d --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan10.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan10 +Kind=vlan + +[VLAN] +Id=10 diff --git a/roles/space_server/files/networkd/network/10-lan10.network b/roles/space_server/files/networkd/network/10-lan10.network new file mode 100644 index 0000000..18931e0 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan10.network @@ -0,0 +1,12 @@ +[Match] +Name=lan10 + +[Network] +DHCP=no +IPv6AcceptRA=no +LinkLocalAddressing=no +Address=10.42.0.1/24 +IPForward=yes +LLMNR=yes +MulticastDNS=yes +LLDP=yes diff --git a/roles/space_server/files/networkd/network/10-lan11.netdev b/roles/space_server/files/networkd/network/10-lan11.netdev new file mode 100644 index 0000000..b99b50b --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan11.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan11 +Kind=vlan + +[VLAN] +Id=11 diff --git a/roles/space_server/files/networkd/network/10-lan11.network b/roles/space_server/files/networkd/network/10-lan11.network new file mode 100644 index 0000000..744eb3c --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan11.network @@ -0,0 +1,17 @@ +[Match] +Name=lan11 + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=10.42.1.1/24 +#Address=2a01:4260:1ab:b::1/64 +IPForward=yes +LLMNR=yes +MulticastDNS=yes +LLDP=yes +EmitLLDP=yes + +[Route] +Destination=2a01:4260:1ab:b::/64 +PreferredSource=2a01:4260:1ab:: diff --git a/roles/space_server/files/networkd/network/10-lan12.netdev b/roles/space_server/files/networkd/network/10-lan12.netdev new file mode 100644 index 0000000..7229fa1 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan12.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan12 +Kind=vlan + +[VLAN] +Id=12 diff --git a/roles/space_server/files/networkd/network/10-lan12.network b/roles/space_server/files/networkd/network/10-lan12.network new file mode 100644 index 0000000..23888bc --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan12.network @@ -0,0 +1,17 @@ +[Match] +Name=lan12 + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=10.42.2.1/24 +#Address=2a01:4260:1ab:c::1/64 +IPForward=yes +LLMNR=yes +MulticastDNS=yes +LLDP=yes +EmitLLDP=yes + +[Route] +Destination=2a01:4260:1ab:c::/64 +PreferredSource=2a01:4260:1ab:: diff --git a/roles/space_server/files/networkd/network/10-lan13.netdev b/roles/space_server/files/networkd/network/10-lan13.netdev new file mode 100644 index 0000000..ab05488 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan13.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan13 +Kind=vlan + +[VLAN] +Id=13 diff --git a/roles/space_server/files/networkd/network/10-lan13.network b/roles/space_server/files/networkd/network/10-lan13.network new file mode 100644 index 0000000..6151c0e --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan13.network @@ -0,0 +1,13 @@ +[Match] +Name=lan13 + +[Network] +DHCP=no +IPv6AcceptRA=no +LinkLocalAddressing=no +Address=10.42.3.1/24 +IPForward=yes +LLMNR=yes +MulticastDNS=yes +LLDP=yes +EmitLLDP=yes diff --git a/roles/space_server/files/networkd/network/10-lan14.netdev b/roles/space_server/files/networkd/network/10-lan14.netdev new file mode 100644 index 0000000..1956a88 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan14.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan14 +Kind=vlan + +[VLAN] +Id=14 diff --git a/roles/space_server/files/networkd/network/10-lan14.network b/roles/space_server/files/networkd/network/10-lan14.network new file mode 100644 index 0000000..b2ec991 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan14.network @@ -0,0 +1,17 @@ +[Match] +Name=lan14 + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=10.42.4.1/24 +#Address=2a01:4260:1ab:e::1/64 +IPForward=yes +LLMNR=yes +MulticastDNS=yes +LLDP=yes +EmitLLDP=yes + +[Route] +Destination=2a01:4260:1ab:e::/64 +PreferredSource=2a01:4260:1ab:: diff --git a/roles/space_server/files/networkd/network/10-lan15.netdev b/roles/space_server/files/networkd/network/10-lan15.netdev new file mode 100644 index 0000000..c31a650 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan15.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan15 +Kind=vlan + +[VLAN] +Id=15 diff --git a/roles/space_server/files/networkd/network/10-lan15.network b/roles/space_server/files/networkd/network/10-lan15.network new file mode 100644 index 0000000..7d1d7a7 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan15.network @@ -0,0 +1,12 @@ +[Match] +Name=lan15 + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=2a01:4260:1ab:f::1/64 +IPForward=ipv6 +LLMNR=yes +MulticastDNS=yes +LLDP=yes +EmitLLDP=yes diff --git a/roles/space_server/files/networkd/network/10-lan20.netdev b/roles/space_server/files/networkd/network/10-lan20.netdev new file mode 100644 index 0000000..2b2e0d8 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan20.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan20 +Kind=vlan + +[VLAN] +Id=20 diff --git a/roles/space_server/files/networkd/network/10-lan20.network b/roles/space_server/files/networkd/network/10-lan20.network new file mode 100644 index 0000000..a47e0cb --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lan20.network @@ -0,0 +1,17 @@ +[Match] +Name=lan20 + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=185.38.175.65/26 +Address=2a01:4260:1ab:20::1/64 +IPForward=yes +LLMNR=no +MulticastDNS=no +LLDP=yes +EmitLLDP=no + +[Route] +Destination=2a01:4260:1ab::cafe/128 +Gateway=2a01:4260:1ab:20::5 diff --git a/roles/space_server/files/networkd/network/10-lo.network b/roles/space_server/files/networkd/network/10-lo.network new file mode 100644 index 0000000..d97da93 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-lo.network @@ -0,0 +1,6 @@ +[Match] +Name=lo + +[Network] +Address=185.38.175.0/32 +Address=2a01:4260:1ab::/128 diff --git a/roles/space_server/files/networkd/network/10-mgt.link b/roles/space_server/files/networkd/network/10-mgt.link new file mode 100644 index 0000000..715f409 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-mgt.link @@ -0,0 +1,5 @@ +[Match] +Path=pci-0000:03:00.0 + +[Link] +Name=mgt diff --git a/roles/space_server/files/networkd/network/10-mgt.network b/roles/space_server/files/networkd/network/10-mgt.network new file mode 100644 index 0000000..9da626e --- /dev/null +++ b/roles/space_server/files/networkd/network/10-mgt.network @@ -0,0 +1,19 @@ +[Match] +Name=mgt + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=192.168.112.1/24 +#IPForward=ipv4 +DHCPServer=yes +LLMNR=yes +MulticastDNS=yes +LLDP=yes +EmitLLDP=yes + +[DHCPServer] +DNS=192.168.112.1 +EmitDNS=yes +EmitNTP=no +EmitTimezone=yes diff --git a/roles/space_server/files/networkd/network/10-wan.link b/roles/space_server/files/networkd/network/10-wan.link new file mode 100644 index 0000000..47a7270 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-wan.link @@ -0,0 +1,5 @@ +[Match] +Path=pci-0000:01:00.0 + +[Link] +Name=wan diff --git a/roles/space_server/files/networkd/network/10-wan.network b/roles/space_server/files/networkd/network/10-wan.network new file mode 100644 index 0000000..4634150 --- /dev/null +++ b/roles/space_server/files/networkd/network/10-wan.network @@ -0,0 +1,15 @@ +[Match] +Name=wan + +[Network] +DHCP=no +IPv6AcceptRA=no +Address=193.106.167.46/29 +Gateway=193.106.167.42 +Address=2a03:5440:1:2935:1ab::3/120 +Gateway=2a03:5440:1:2935:1ab::2 +IPForward=yes +LLMNR=no +MulticastDNS=no +LLDP=yes +EmitLLDP=no diff --git a/roles/space_server/files/networkd/systemd-networkd-wait-online.service b/roles/space_server/files/networkd/systemd-networkd-wait-online.service new file mode 100644 index 0000000..0f1e85a --- /dev/null +++ b/roles/space_server/files/networkd/systemd-networkd-wait-online.service @@ -0,0 +1,23 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Wait for Network to be Configured +Documentation=man:systemd-networkd-wait-online.service(8) +DefaultDependencies=no +Conflicts=shutdown.target +Requisite=systemd-networkd.service +After=systemd-networkd.service +Before=network-online.target + +[Service] +Type=oneshot +ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore lan --ignore mgt +RemainAfterExit=yes + +[Install] +WantedBy=network-online.target diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf new file mode 100755 index 0000000..c9dc9d7 --- /dev/null +++ b/roles/space_server/files/nftables/nftables.conf @@ -0,0 +1,248 @@ +#!/usr/sbin/nft -f + +# our hosts +define ap1 = 10.42.0.5 +define ap2 = 10.42.0.6 +define labitat = 185.38.172.72 + +define spacewand4 = 185.38.175.70 +define spacewand6 = 2a01:4260:1ab::cafe + +# internal stuff +define ext_if = wan +define ext_ip4 = 185.38.175.0 +define ext_ip6 = 2a01:4260:1ab:: +define int_net4 = 10.42.0.0/16 +define ext_net4 = 185.38.175.0/24 +define ext_net6 = 2a01:4260:1ab::/48 +define link_net4 = 193.106.167.40/29 +define link_net6 = 2a03:5440:1:2935:1ab::/120 + +define adm_if = lan10 +define adm_ip4 = 10.42.0.1 +define adm_net4 = 10.42.0.0/24 + +define wire_if = lan11 +define wire_ip4 = 10.42.1.1 +define wire_net4 = 10.42.1.0/24 +define wire_net6 = 2a01:4260:1ab:b::/64 + +define priv_if = lan12 +define priv_ip4 = 10.42.2.1 +define priv_net4 = 10.42.2.0/24 +define priv_net6 = 2a01:4260:1ab:c::/64 + +define free_if = lan13 +define free_ip4 = 10.42.3.1 +define free_net4 = 10.42.3.0/24 + +define pass_if = lan14 +define pass_ip4 = 10.42.4.1 +define pass_net4 = 10.42.4.0/24 +define pass_net6 = 2a01:4260:1ab:e::/64 + +define serv_if = lan20 +define serv_ip4 = 185.38.175.65 +define serv_net4 = 185.38.175.64/24 +define serv_net6 = 2a01:4260:1ab:20::/64 + +define avahi_ifs = { $wire_if, $priv_if, $pass_if } + +#define nat64_if = nat64 +#define nat64_net = 10.42.255.0/24 +#define nat64_net6 = fde2:52b4:4a19:ffff::/96 + +table ip filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + iif lo accept + + # infrastructure + iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept + udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests + iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept # RADIUS from AP + iif $ext_if ip saddr $labitat ip protocol 41 accept # IPv6 tunnel + iif $wire_if ip saddr $wire_net4 udp dport 69 accept # TFTP + iif $wire_if ip saddr $wire_net4 udp dport 123 accept # NTP + + # allow ssh + tcp dport 22 accept + + # dns + ip saddr $int_net4 tcp dport 53 accept + ip saddr $int_net4 udp dport 53 accept + ip saddr $ext_net4 tcp dport 53 accept + ip saddr $ext_net4 udp dport 53 accept + + # Avahi + ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept + ip protocol igmp iif $avahi_ifs accept # Allow IGMP here + + iif $ext_if counter drop + udp dport { 137, 138, 5353 } drop # NetBIOS, Avahi + udp sport 17500 udp dport 17500 drop # Dropbox LANsync + ip protocol igmp drop # IGMP + #counter log prefix "in4: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + ip daddr $spacewand4 accept + + ip saddr $labitat udp dport 161 counter accept # traffic stats + + # no traffic to admin net + ip saddr $int_net4 ip daddr $adm_net4 drop + + # local traffic + iif $adm_if ip saddr $adm_net4 accept + iif $wire_if ip saddr $wire_net4 accept + iif $priv_if ip saddr $priv_net4 accept + iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept + iif $pass_if ip saddr $pass_net4 accept + iif $serv_if ip saddr $serv_net4 accept + + #counter log prefix "fw4: " drop + drop + } +} + +table ip nat { + chain portforward { + ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + chain input { + type nat hook input priority -150; + # this chain is needed to make dnat from the output chain work + } + + chain postrouting { + type nat hook postrouting priority -150; + oif $ext_if snat $ext_ip4 + } +} + +table ip6 filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip6 nexthdr icmpv6 limit rate 100/second accept + ip6 nexthdr icmpv6 drop + + iif lo accept + + iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept + + # allow ssh + tcp dport 22 accept + + # dns + ip6 saddr $ext_net6 tcp dport 53 accept + ip6 saddr $ext_net6 udp dport 53 accept + + #counter log prefix "in6: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip6 nexthdr icmpv6 limit rate 100/second accept + ip6 nexthdr icmpv6 drop + + ip6 daddr $spacewand6 accept + + iif $wire_if ip6 saddr $wire_net6 accept + iif $priv_if ip6 saddr $priv_net6 accept + iif $pass_if ip6 saddr $pass_net6 accept + iif $serv_if ip6 saddr $serv_net6 accept + + #counter log prefix "fw6: " drop + drop + } +} + +# Allow all by default +# (couldn't get default-deny to work, and this script is better than nothing) + +#table ip6 filter { +# chain input { +# type filter hook input priority 0; +# # Don't allow ULA net on outside +# #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net +# iif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net +# iif $ext_if6 ip6 saddr $ula_net reject +# +# accept +# } +# +# chain output { +# type filter hook output priority 0; +# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net +# oif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net +# oif $ext_if6 ip6 saddr $ula_net reject +# +# accept +# } +# +# chain forward { +# type filter hook forward priority 0; +# # Don't allow NAT64 for networks with IPv4 +# # (remember: free and admin don't have IPv6) +# #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6 +# iif $wire_if ip6 daddr $nat64_net6 reject +# #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6 +# iif $priv_if ip6 daddr $nat64_net6 reject +# #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6 +# iif $pass_if ip6 daddr $nat64_net6 reject +# +# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net +# iif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net +# iif $ext_if6 ip6 saddr $ula_net reject +# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net +# oif $ext_if6 ip6 daddr $ula_net reject +# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net +# oif $ext_if6 ip6 saddr $ula_net reject +# +# accept +# } +#} diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service new file mode 100644 index 0000000..f1c9028 --- /dev/null +++ b/roles/space_server/files/nftables/nftables.service @@ -0,0 +1,30 @@ +[Unit] +Description=Netfilter Tables +Documentation=man:nft(8) +Requires=sys-devices-virtual-net-lan10.device +Requires=sys-devices-virtual-net-lan11.device +Requires=sys-devices-virtual-net-lan12.device +Requires=sys-devices-virtual-net-lan13.device +Requires=sys-devices-virtual-net-lan14.device +Requires=sys-devices-virtual-net-lan15.device +Requires=sys-devices-virtual-net-lan20.device +After=sys-devices-virtual-net-lan10.device +After=sys-devices-virtual-net-lan11.device +After=sys-devices-virtual-net-lan12.device +After=sys-devices-virtual-net-lan13.device +After=sys-devices-virtual-net-lan14.device +After=sys-devices-virtual-net-lan15.device +After=sys-devices-virtual-net-lan20.device +Before=network-online.target + +[Service] +Type=oneshot +ProtectSystem=full +ProtectHome=true +ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf +ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' +ExecStop=/sbin/nft flush ruleset +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm Binary files differnew file mode 100644 index 0000000..145191c --- /dev/null +++ b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm diff --git a/roles/space_server/files/radius/getusers.service b/roles/space_server/files/radius/getusers.service new file mode 100644 index 0000000..7ac5082 --- /dev/null +++ b/roles/space_server/files/radius/getusers.service @@ -0,0 +1,10 @@ +[Unit] +Description=Download radius users + +[Service] +Type=oneshot +ExecStart=/etc/raddb/getusers.sh +User=root +Group=radiusd +ProtectSystem=yes +ProtectHome=yes diff --git a/roles/space_server/files/radius/getusers.timer b/roles/space_server/files/radius/getusers.timer new file mode 100644 index 0000000..9ef4eb3 --- /dev/null +++ b/roles/space_server/files/radius/getusers.timer @@ -0,0 +1,12 @@ +[Unit] +Description=Download radius users every 10 minutes + +[Timer] +Unit=getusers.service +# Time to wait after booting before we run first time +OnBootSec=10min +# Time between running each consecutive time +OnUnitActiveSec=10min + +[Install] +WantedBy=timers.target diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap new file mode 100644 index 0000000..87593b0 --- /dev/null +++ b/roles/space_server/files/radius/mods-available/eap @@ -0,0 +1,883 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: 2621e183c3d9eafacb03bbea57a4a1fb71bf0383 $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = ttls + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. + cisco_accounting_username_bug = no + + # + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + max_sessions = ${max_requests} + + # Supported EAP-types + + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + # + # EAP-pwd -- secure password-based authentication + # +# pwd { +# group = 19 + + # +# server_id = theserver@example.com + + # This has the same meaning as for TLS. +# fragment_size = 1020 + + # The virtual server which determines the + # "known good" password for the user. + # Note that unlike TLS, only the "authorize" + # section is processed. EAP-PWD requests can be + # distinguished by having a User-Name, but + # no User-Password, CHAP-Password, EAP-Message, etc. +# virtual_server = "inner-tunnel" +# } + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # + leap { + } + + # Generic Token Card. + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. + #challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + ## Common TLS configuration for TLS-based EAP types + # + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # If you do not currently have certificates signed by + # a trusted CA you may use the 'snakeoil' certificates. + # Included with the server in raddb/certs. + # + # If these certificates have not been auto-generated: + # cd raddb/certs + # make + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + tls-config tls-common { + private_key_password = whatever + private_key_file = ${certdir}/server.pem + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If ca_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. + certificate_file = ${certdir}/server.pem + + # Trusted Root CA list + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + ca_file = ${cadir}/ca.pem + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that + # it sometimes gets the chains right from a certificate + # signature view, but wrong from the clients view. + # + # When setting "auto_chain = no", the server certificate + # file MUST include the full certificate chain. + # auto_chain = yes + + # + # If OpenSSL supports TLS-PSK, then we can use + # a PSK identity and (hex) password. When the + # following two configuration items are specified, + # then certificate-based configuration items are + # not allowed. e.g.: + # + # private_key_password + # private_key_file + # certificate_file + # ca_file + # ca_path + # + # For now, the identity is fixed, and must be the + # same on the client. The passphrase must be a hex + # value, and can be up to 256 hex digits. + # + # Future versions of the server may be able to + # look up the shared key (hexphrase) based on the + # identity. + # + # psk_identity = "test" + # psk_hexphrase = "036363823" + + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 2048 + # + dh_file = ${certdir}/dh + + # + # If your system doesn't have /dev/urandom, + # you will need to create this file, and + # periodically change its contents. + # + # For security reasons, FreeRADIUS doesn't + # write to files in its configuration + # directory. + # + # random_file = /dev/urandom + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accommodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the lines below. + # 5) Restart radiusd + # check_crl = yes + + # Check if intermediate CAs have been revoked. + # check_all_crl = yes + + ca_path = ${cadir} + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the certificate verification will fail, + # rejecting the user. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Issuer attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-CN attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # + # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" + # + cipher_list = "PROFILE=SYSTEM" + + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) + # for choosing right cipher suite rather than + # using client-specified list which is OpenSSl default + # behavior. Having it set to yes is a current best practice + # for TLS + cipher_server_preference = no + + # Work-arounds for OpenSSL nonsense + # OpenSSL 1.0.1f and 1.0.1g do not calculate + # the EAP keys correctly. The fix is to upgrade + # OpenSSL, or disable TLS 1.2 here. + # + # For EAP-FAST, this MUST be set to "yes". + # +# disable_tlsv1_2 = no + + # + + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # + ecdh_curve = "prime256v1" + + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + cache { + # + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # + # As of version 3.0.14, the session cache requires the use + # of the "name" and "persist_dir" configuration items, below. + # + # The internal OpenSSL session cache has been permanently + # disabled. + # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # + enable = no + + # + # Lifetime of the cached entries, in hours. The sessions will be + # deleted/invalidated after this time. + # + lifetime = 24 # hours + + # + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # + # The server will generate a random value if unset. + # This will change across server restart so you MUST + # set the "name" if you want to persist sessions (see + # below). + # + #name = "EAP module" + + # + # Simple directory-based storage of sessions. + # Two files per session will be written, the SSL + # state and the cached VPs. This will persist session + # across server restarts. + # + # The default directory is ${logdir}, for historical + # reasons. You should ${db_dir} instead. And check + # the value of db_dir in the main radiusd.conf file. + # It should not point to ${raddb} + # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # + # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # + #persist_dir = "${logdir}/tlscache" + } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + # If OCSP checking is enabled, and the OCSP checks fail, + # the verify section is not run. + # + # If OCSP checking is disabled, the verify section is + # run on successful certificate validation. + # + verify { + # If the OCSP checks succeed, the verify section + # is run to allow additional checks. + # + # If you want to skip verify on OCSP success, + # uncomment this configuration item, and set it + # to "yes". + # skip_if_ocsp_ok = no + + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /var/run/radiusd/tmp + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..ca_path} text is a reference to + # the ca_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # + # OCSP Configuration + # Certificates can be verified against an OCSP + # Responder. This makes it possible to immediately + # revoke certificates without the distribution of + # new Certificate Revocation Lists (CRLs). + # + ocsp { + # + # Enable it. The default is "no". + # Deleting the entire "ocsp" subsection + # also disables ocsp checking + # + enable = no + + # + # The OCSP Responder URL can be automatically + # extracted from the certificate in question. + # To override the OCSP Responder URL set + # "override_cert_url = yes". + # + override_cert_url = yes + + # + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # + # If the OCSP Responder can not cope with nonce + # in the request, then it can be disabled here. + # + # For security reasons, disabling this option + # is not recommended as nonce protects against + # replay attacks. + # + # Note that Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is + # more secure to enable nonce on the responder than + # to disable it in the query here. + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # + # use_nonce = yes + + # + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 + + # + # Normally an error in querying the OCSP + # responder (no response from server, server did + # not understand the request, etc) will result in + # a validation failure. + # + # To treat these errors as 'soft' failures and + # still accept the certificate, enable this + # option. + # + # Warning: this may enable clients with revoked + # certificates to connect if the OCSP responder + # is not available. Use with caution. + # + # softfail = no + } + } + + ## EAP-TLS + # + # As of Version 3.0, the TLS configuration for TLS-based + # EAP types is above in the "tls-config" section. + # + tls { + # Point to the common TLS configuration + tls = tls-common + + # + # As part of checking a client certificate, the EAP-TLS + # sets some attributes such as TLS-Client-Cert-CN. This + # virtual server has access to these attributes, and can + # be used to accept or reject the request. + # + # virtual_server = check-eap-tls + } + + + ## EAP-TTLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + ttls { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # + default_eap_type = md5 + + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # + copy_request_to_tunnel = no + + # + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # + # } + # + # This will cache attributes for the final Access-Accept. + # + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. + # + # allowed values: {no, yes} + # + use_tunneled_reply = no + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". + # + # include_length = yes + + # + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # require_client_cert = yes + } + + + ## EAP-PEAP + # + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + peap { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # + default_eap_type = mschapv2 + + # The PEAP module also has these configuration + # items, which are the same as for TTLS. + # + copy_request_to_tunnel = no + + # + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # + # } + # + # This will cache attributes for the final Access-Accept. + # + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # + # proxy_tunneled_request_as_eap = yes + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + + # + # Unlike EAP-TLS, PEAP does not require a client certificate. + # However, you can require one by setting the following + # option. You can also override this option by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # require_client_cert = yes + } + + # + # This takes no configuration. + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # +# send_error = no + + # Server identifier to send back in the challenge. + # This should generally be the host name of the + # RADIUS server. Or, some information to uniquely + # identify it. +# identity = "FreeRADIUS" + } + + ## EAP-FAST + # + # The FAST module implements the EAP-FAST protocol + # +# fast { + # Point to the common TLS configuration + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # +# tls = tls-common + + # PAC lifetime in seconds (default: seven days) + # +# pac_lifetime = 604800 + + # Authority ID of the server + # + # if you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. + # +# authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # +# pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # +# virtual_server = inner-tunnel +# } +} diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf new file mode 100644 index 0000000..78990e5 --- /dev/null +++ b/roles/space_server/files/radius/radiusd.conf @@ -0,0 +1,779 @@ +# -*- text -*- +## +## radiusd.conf -- FreeRADIUS server configuration file - 3.0.15 +## +## http://www.freeradius.org/ +## $Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $ +## + +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". + +###################################################################### +# +# The location of other config files and logfiles are declared +# in this file. +# +# Also general configuration for modules can be done in this +# file, it is exported through the API to modules that ask for +# it. +# +# See "man radiusd.conf" for documentation on the format of this +# file. Note that the individual configuration items are NOT +# documented in that "man" page. They are only documented here, +# in the comments. +# +# The "unlang" policy language can be used to create complex +# if / else policies. See "man unlang" for details. +# + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = /usr/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} + +db_dir = ${localstatedir}/lib/radiusd + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib64/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` +# +pidfile = ${run_dir}/${name}.pid + +# +# correct_escapes: use correct backslash escaping +# +# Prior to version 3.0.5, the handling of backslashes was a little +# awkward, i.e. "wrong". In some cases, to get one backslash into +# a regex, you had to put 4 in the config files. +# +# Version 3.0.5 fixes that. However, for backwards compatibility, +# the new method of escaping is DISABLED BY DEFAULT. This means +# that upgrading to 3.0.5 won't break your configuration. +# +# If you don't have double backslashes (i.e. \\) in your configuration, +# this won't matter to you. If you do have them, fix that to use only +# one backslash, and then set "correct_escapes = true". +# +# You can check for this by doing: +# +# $ grep '\\\\' $(find raddb -type f -print) +# +correct_escapes = true + +# panic_action: Command to execute if the server dies unexpectedly. +# +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +# PATTACH CAN BE USED AS AN ATTACK VECTOR. +# +# The panic action is a command which will be executed if the server +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +# SIGABRT or SIGFPE. +# +# This can be used to start an interactive debugging session so +# that information regarding the current state of the server can +# be acquired. +# +# The following string substitutions are available: +# - %e The currently executing program e.g. /sbin/radiusd +# - %p The PID of the currently executing program e.g. 12345 +# +# Standard ${} substitutions are also allowed. +# +# An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +# Again, don't use that on a production system. +# +# An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +# +# That command can be used on a production system. +# + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as separate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 16384 + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = syslog + + # + # Highlight important messages sent to stderr and stdout. + # + # Option will be ignored (disabled) if output if TERM is not + # an xterm or output is not to a TTY. + # + colourise = yes + + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon + + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = no + + # Log authentication requests to the log file. + # + # allowed values: {no, yes} + # + auth = yes + + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = no + auth_goodpass = no + + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" + # configurations above have to be set to "yes". + # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # +# msg_goodpass = "" +# msg_badpass = "" + + # The message when the user exceeds the Simultaneous-Use limit. + # + msg_denied = "You are already logged in - access denied" +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # chroot: directory where the server does "chroot". + # + # The chroot is done very early in the process of starting + # the server. After the chroot has been performed it + # switches to the "user" listed below (which MUST be + # specified). If "group" is specified, it switches to that + # group, too. Any other groups listed for the specified + # "user" in "/etc/group" are also added as part of this + # process. + # + # The current working directory (chdir / cd) is left + # *outside* of the chroot until all of the modules have been + # initialized. This allows the "raddb" directory to be left + # outside of the chroot. Once the modules have been + # initialized, it does a "chdir" to ${logdir}. This means + # that it should be impossible to break out of the chroot. + # + # If you are worried about security issues related to this + # use of chdir, then simply ensure that the "raddb" directory + # is inside of the chroot, end be sure to do "cd raddb" + # BEFORE starting the server. + # + # If the server is statically linked, then the only files + # that have to exist in the chroot are ${run_dir} and + # ${logdir}. If you do the "cd raddb" as discussed above, + # then the "raddb" directory has to be inside of the chroot + # directory, too. + # +# chroot = /path/to/chroot/directory + + # user/group: The name (or #number) of the user/group to run radiusd as. + # + # If these are commented out, the server will run as the + # user/group that started it. In order to change to a + # different user/group, you MUST be root ( or have root + # privileges ) to start the server. + # + # We STRONGLY recommend that you run the server with as few + # permissions as possible. That is, if you're not using + # shadow passwords, the user and group items below should be + # set to radius'. + # + # NOTE that some kernels refuse to setgid(group) when the + # value of (unsigned)group is above 60000; don't use group + # "nobody" on these systems! + # + # On systems with shadow passwords, you might have to set + # 'group = shadow' for the server to be able to read the + # shadow password file. If you can authenticate users while + # in debug mode, but not in daemon mode, it may be that the + # debugging mode server is running as a user that can read + # the shadow info, and the user listed below can not. + # + # The server will also try to use "initgroups" to read + # /etc/groups. It will join all groups where "user" is a + # member. This can allow for some finer-grained access + # controls. + # + user = radiusd + group = radiusd + + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. + # + # allowed values: {no, yes} + # + allow_core_dumps = no + + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # As of Version 3.0.5, "reject_delay" has sub-second resolution. + # e.g. "reject_delay = 1.4" seconds is possible. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. + # + # See also raddb/sites-available/status + # + status_server = yes + + +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = no +#$INCLUDE proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE clients.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # When the server receives a packet, it places it onto an + # internal queue, where the worker threads (configured above) + # pick it up for processing. The maximum size of that queue + # is given here. + # + # When the queue is full, any new packets will be silently + # discarded. + # + # The most common cause of the queue being full is that the + # server is dependent on a slow database, and it has received + # a large "spike" of traffic. When that happens, there is + # very little you can do other than make sure the server + # receives less traffic, or make sure that the database can + # handle the load. + # +# max_queue_size = 65536 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 + + # Automatically limit the number of accounting requests. + # This configuration item tracks how many requests per second + # the server can handle. It does this by tracking the + # packets/s received by the server for processing, and + # comparing that to the packets/s handled by the child + # threads. + # + + # If the received PPS is larger than the processed PPS, *and* + # the queue is more than half full, then new accounting + # requests are probabilistically discarded. This lowers the + # number of packets that the server needs to process. Over + # time, the server will "catch up" with the traffic. + # + # Throwing away accounting packets is usually safe and low + # impact. The NAS will retransmit them in a few seconds, or + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 + # to see how accounting packets should be retransmitted. Using + # any other method is likely to cause network meltdowns. + # + auto_limit_acct = no +} + +###################################################################### +# +# SNMP notifications. Uncomment the following line to enable +# snmptraps. Note that you MUST also configure the full path +# to the "snmptrap" command in the "trigger.conf" file. +# +#$INCLUDE trigger.conf + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # As of 3.0, modules are in mods-enabled/. Files matching + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are + # initialized ONLY if they are referenced in a processing + # section, such as authorize, authenticate, accounting, + # pre/post-proxy, etc. + # + $INCLUDE mods-enabled/ +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initialized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +# After the modules listed here have been loaded, all of the modules +# in the "mods-enabled" directory will be loaded. Loading the +# "mods-enabled" directory means that unlike Version 2, you usually +# don't need to list modules here. +# +instantiate { + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + # The "virtual" module defined here can also be used with + # dynamic expansions, under a few conditions: + # + # * The section is "redundant", or "load-balance", or + # "redundant-load-balance" + # * The section contains modules ONLY, and no sub-sections + # * all modules in the section are using the same rlm_ + # driver, e.g. They are all sql, or all ldap, etc. + # + # When those conditions are satisfied, the server will + # automatically register a dynamic expansion, using the + # name of the "virtual" module. In the example below, + # it will be "redundant_sql". You can then use this expansion + # just like any other: + # + # update reply { + # Filter-Id := "%{redundant_sql: ... }" + # } + # + # In this example, the expansion is done via module "sql1", + # and if that expansion fails, using module "sql2". + # + # For best results, configure the "pool" subsection of the + # module so that "retry_delay" is non-zero. That will allow + # the redundant block to quickly ignore all "down" SQL + # databases. If instead we have "retry_delay = 0", then + # every time the redundant block is used, the server will try + # to open a connection to every "down" database, causing + # problems. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} +} + +###################################################################### +# +# Policies are virtual modules, similar to those defined in the +# "instantiate" section above. +# +# Defining a policy in one of the policy.d files means that it can be +# referenced in multiple places as a *name*, rather than as a series of +# conditions to match, and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +###################################################################### +policy { + $INCLUDE policy.d/ +} + +###################################################################### +# +# Load virtual servers. +# +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ +# +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: +# +# raddb/sites-available/default +# +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. +# +# For more documentation on virtual servers, see: +# +# raddb/sites-available/README +# +###################################################################### diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat new file mode 100644 index 0000000..cb1bb45 --- /dev/null +++ b/roles/space_server/files/radius/sites-available/labitat @@ -0,0 +1,84 @@ +server labitat { + + listen { + type = auth + ipaddr = 10.42.0.1 + port = 0 + + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } + } + + authorize { + filter_username + preprocess + auth_log + + eap { + ok = return + } + + files + + expiration + logintime + pap + } + + authenticate { + Auth-Type PAP { + pap + } + + Auth-Type CHAP { + chap + } + + Auth-Type MS-CHAP { + mschap + } + + digest + eap + } + + preacct { + preprocess + acct_unique + suffix + files + } + + accounting { + unix + -sql + exec + attr_filter.accounting_response + } + + session { + } + + post-auth { + -sql + exec + remove_reply_message_if_eap + + Post-Auth-Type REJECT { + -sql + attr_filter.access_reject + eap + remove_reply_message_if_eap + } + } + + pre-proxy { + } + + post-proxy { + eap + } +} diff --git a/roles/space_server/files/radvd/radvd.conf b/roles/space_server/files/radvd/radvd.conf new file mode 100644 index 0000000..02749f3 --- /dev/null +++ b/roles/space_server/files/radvd/radvd.conf @@ -0,0 +1,68 @@ +# Wired +interface lan11 { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 6; + AdvLinkMTU 1500; + RDNSS 2a01:4260:1ab:: {}; + + prefix 2a01:4260:1ab:b::1/64 { + #AdvValidLifetime 0; + #AdvPreferredLifetime 0; + }; +}; + +# Private Wifi +interface lan12 { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 6; + AdvLinkMTU 1500; + RDNSS 2a01:4260:1ab:: {}; + + prefix 2a01:4260:1ab:c::1/64 { + #AdvValidLifetime 0; + #AdvPreferredLifetime 0; + }; +}; + +## Free Wifi +#interface lan13 { +# AdvSendAdvert on; +# MinRtrAdvInterval 3; +# MaxRtrAdvInterval 6; +# AdvLinkMTU 1500; +# RDNSS 2a01:4260:1ab:: {}; +# +# prefix 2a01:4260:1ab:d::1/64 { +# #AdvValidLifetime 0; +# #AdvPreferredLifetime 0; +# }; +#}; + +# Password protected wifi +interface lan14 { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 6; + AdvLinkMTU 1500; + RDNSS 2a01:4260:1ab:: {}; + + prefix 2a01:4260:1ab:e::1/64 { + #AdvValidLifetime 0; + #AdvPreferredLifetime 0; + }; +}; + +interface lan15 { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 6; + AdvLinkMTU 1500; + RDNSS 2a01:4260:1ab:: {}; + + prefix 2a01:4260:1ab:f::1/64 { + #AdvValidLifetime 0; + #AdvPreferredLifetime 0; + }; +}; diff --git a/roles/space_server/files/sudo/sudoers b/roles/space_server/files/sudo/sudoers new file mode 100644 index 0000000..069052c --- /dev/null +++ b/roles/space_server/files/sudo/sudoers @@ -0,0 +1,96 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +# %wheel ALL=(ALL) ALL + +## Same thing without a password +%wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/roles/space_server/files/wait-online.conf b/roles/space_server/files/wait-online.conf new file mode 100644 index 0000000..758b827 --- /dev/null +++ b/roles/space_server/files/wait-online.conf @@ -0,0 +1,2 @@ +[Unit] +After=network-online.target diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml new file mode 100644 index 0000000..7316999 --- /dev/null +++ b/roles/space_server/handlers/main.yml @@ -0,0 +1,66 @@ +--- +- name: reload nftables + systemd: + name: nftables.service + state: reloaded + when: "'container' not in ansible_env" + +- name: restart networkd + systemd: + name: systemd-networkd.service + state: restarted + when: "'container' not in ansible_env" + +- name: restart blackhole + systemd: + name: blackhole.service + state: restarted + when: "'container' not in ansible_env" + +- name: restart sshd + systemd: + name: sshd.service + state: restarted + when: "'container' not in ansible_env" + +- name: restart bird + systemd: + name: '{{ item }}.service' + state: restarted + with_items: + - bird + - bird6 + when: "'container' not in ansible_env" + +- name: restart dhcpd + systemd: + name: dhcpd.service + state: restarted + when: "'container' not in ansible_env" + +- name: restart radvd + systemd: + name: radvd.service + state: restarted + when: "'container' not in ansible_env" + +- name: restart radiusd + systemd: + name: radiusd.service + state: restarted + when: "'container' not in ansible_env" + +- name: restart getusers + systemd: + name: getusers.timer + state: restarted + daemon_reload: yes + when: "'container' not in ansible_env" + +- name: restart named + systemd: + name: named.service + state: restarted + when: "'container' not in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/meta/main.yml b/roles/space_server/meta/main.yml new file mode 100644 index 0000000..d2839f1 --- /dev/null +++ b/roles/space_server/meta/main.yml @@ -0,0 +1,7 @@ +--- +dependencies: + - role: fedora + - role: root_env + - role: users + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/ansible.yml b/roles/space_server/tasks/ansible.yml new file mode 100644 index 0000000..5dc74e2 --- /dev/null +++ b/roles/space_server/tasks/ansible.yml @@ -0,0 +1,30 @@ +--- +- name: Create /etc/ansible/hosts + copy: + src: ansible/hosts + dest: '/etc/ansible/hosts' + +- name: Configure ansible + ini_file: + path: /etc/ansible/ansible.cfg + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + with_items: + - section: defaults + option: 'gathering' + value: 'smart' + - section: defaults + option: 'fact_caching' + value: 'jsonfile' + - section: defaults + option: 'fact_caching_connection' + value: '/tmp/ansible' + - section: defaults + option: 'fact_caching_timeout' + value: '600' + - section: defaults + option: 'error_on_missing_handler' + value: 'True' + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml new file mode 100644 index 0000000..17f0a99 --- /dev/null +++ b/roles/space_server/tasks/bird.yml @@ -0,0 +1,68 @@ +--- +- name: Install bird and bird6 packages + dnf: + name: '{{ item }}' + state: latest + with_items: + - bird + - bird6 + notify: + - restart bird + tags: + - packages + +- name: Make sure /etc/bird exists + file: + dest: '/etc/bird' + state: directory + mode: 0755 +- name: Create bird configuration + copy: + src: '{{ item }}' + dest: '/etc/bird/' + with_fileglob: + - 'bird/*' + notify: + - restart bird + +- name: Create bird.conf and bird6.conf symlinks + file: + path: '/etc/{{ item }}.conf' + state: link + src: 'bird/{{ item }}.conf' + force: yes + with_items: + - bird + - bird6 + +# bird6 wants the link to have a link-local address +# when starting, so wait for it +- name: Create bird6 service drop-in directory + file: + dest: '/etc/systemd/system/bird6.service.d' + state: directory +- name: Start bird6 after networks are configured + copy: + src: wait-online.conf + dest: '/etc/systemd/system/bird6.service.d/wait-online.conf' + +- name: Enable bird and bird6 + systemd: + name: '{{ item }}.service' + enabled: yes + masked: no + state: started + with_items: + - bird + - bird6 + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: 'systemctl enable {{ item }}.service' + args: + creates: '/etc/systemd/system/multi-user.target.wants/{{ item }}.service' + with_items: + - bird + - bird6 + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/blackhole.yml b/roles/space_server/tasks/blackhole.yml new file mode 100644 index 0000000..b62a7ca --- /dev/null +++ b/roles/space_server/tasks/blackhole.yml @@ -0,0 +1,32 @@ +--- +- name: Create /etc/systemd/scripts + file: + dest: /etc/systemd/scripts + state: directory +- name: Install blackhole script + copy: + src: blackhole/blackhole.sh + dest: '/etc/systemd/scripts/blackhole.sh' + mode: 0755 + notify: + - restart blackhole + +- name: Install blackhole service + copy: + src: blackhole/blackhole.service + dest: '/etc/systemd/system/blackhole.service' + +- name: Enable blackhole service + systemd: + name: blackhole.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable blackhole.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/blackhole.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/dhcpd.yml b/roles/space_server/tasks/dhcpd.yml new file mode 100644 index 0000000..c72fa75 --- /dev/null +++ b/roles/space_server/tasks/dhcpd.yml @@ -0,0 +1,31 @@ +--- +- name: Install dhcpd package + dnf: + name: dhcp-server + state: latest + notify: + - restart dhcpd + tags: + - packages + +- name: Configure dhcpd + copy: + src: dhcpd/dhcpd.conf + dest: '/etc/dhcp/dhcpd.conf' + notify: + - restart dhcpd + +- name: Enable dhcpd service + systemd: + name: dhcpd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable dhcpd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/dhcpd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/gettys.yml b/roles/space_server/tasks/gettys.yml new file mode 100644 index 0000000..bdf293a --- /dev/null +++ b/roles/space_server/tasks/gettys.yml @@ -0,0 +1,25 @@ +--- +- name: Disable getty@tty1 + systemd: + name: getty@tty1.service + enabled: no + state: stopped + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl disable getty@tty1.service + args: + removes: '/etc/systemd/system/getty.target.wants/getty@tty1.service' + when: "'container' in ansible_env" + +- name: Enable serial-getty@ttyS0 + systemd: + name: serial-getty@ttyS0.service + enabled: yes + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable serial-getty@ttyS0.service + args: + creates: '/etc/systemd/system/getty.target.wants/serial-getty@ttyS0.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml new file mode 100644 index 0000000..02e115c --- /dev/null +++ b/roles/space_server/tasks/kernel.yml @@ -0,0 +1,42 @@ +--- +- name: Make sure /etc/kernel exists + file: + path: '/etc/kernel' + state: directory + mode: 0755 +- name: Make sure /etc/kernel/install.d exists + file: + path: '/etc/kernel/install.d' + state: directory + mode: 0755 + +- name: Mask grubby + file: + path: '/etc/kernel/install.d/20-grubby.install' + state: link + src: '/dev/null' + +- name: Create syslinux loader entry + copy: + src: kernel/90-loaderentry.install + dest: '/etc/kernel/install.d/90-loaderentry.install' + mode: 0755 +- name: Create syslinux menu + copy: + src: kernel/95-syslinux-menu.install + dest: '/etc/kernel/install.d/95-syslinux-menu.install' + mode: 0755 + +- name: Set kernel command line + template: + src: cmdline.j2 + dest: '/etc/kernel/cmdline' + +- name: Install kernel + dnf: + name: kernel + state: latest + tags: + - packages + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml new file mode 100644 index 0000000..98a0764 --- /dev/null +++ b/roles/space_server/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: fstab + template: + src: fstab.j2 + dest: /etc/fstab + tags: + - fstab + +- import_tasks: ansible.yml + tags: ansible +- import_tasks: sudo.yml + tags: sudo +- import_tasks: kernel.yml + tags: kernel +- import_tasks: gettys.yml + tags: gettys +- import_tasks: timesyncd.yml + tags: timesyncd +- import_tasks: resolved.yml + tags: resolved +- import_tasks: networkd.yml + tags: networkd +- import_tasks: nftables.yml + tags: nftables +- import_tasks: blackhole.yml + tags: blackhole +- import_tasks: sshd.yml + tags: sshd +- import_tasks: bird.yml + tags: bird +- import_tasks: dhcpd.yml + tags: dhcpd +- import_tasks: radvd.yml + tags: radvd +- import_tasks: radius.yml + tags: radius + when: radius_passwords is defined +- import_tasks: named.yml + tags: named + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml new file mode 100644 index 0000000..d295058 --- /dev/null +++ b/roles/space_server/tasks/named.yml @@ -0,0 +1,52 @@ +--- +- name: Install bind package + dnf: + name: bind + state: latest + notify: + - restart named + tags: + - packages + +- name: Configure named + copy: + src: named/named.conf + dest: '/etc/named.conf' + mode: 0640 + notify: + - restart named +- name: Create s zone + copy: + src: named/s.zone + dest: '/etc/named/s.zone' + notify: + - restart named + +- name: Create service drop-in directory + file: + dest: '/etc/systemd/system/named.service.d' + state: directory +- name: Start named after networks are configured + copy: + src: wait-online.conf + dest: '/etc/systemd/system/named.service.d/wait-online.conf' + +- name: Enable named service + systemd: + name: named.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable named.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/named.service' + when: "'container' in ansible_env" + +- name: Use our own resolver + copy: + dest: /etc/resolv.conf + content: "nameserver 127.0.0.1\nnameserver ::1\n" + +# vim: set ts=2 sw=2 et ft=yaml: diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml new file mode 100644 index 0000000..ef97844 --- /dev/null +++ b/roles/space_server/tasks/networkd.yml @@ -0,0 +1,48 @@ +--- +- name: Make sure directory exists + file: + dest: '/etc/systemd/network' + state: directory +- name: Get current network config + shell: 'ls -1 /etc/systemd/network/' + check_mode: no + register: network_files_all +- name: Configure network + copy: + src: '{{ item }}' + dest: '/etc/systemd/network/' + with_fileglob: + - 'networkd/network/*' + register: network_files + notify: + - restart networkd +- name: Clean up old files + file: + path: '/etc/systemd/network/{{ item }}' + state: absent + with_items: '{{ network_files_all.stdout_lines }}' + when: "item not in network_files.results|map(attribute='path')|map('basename')" + notify: + - restart networkd + +# Unfortunately a drop-in file doesn't seem to work, +# so overwrite the whole service file :/ +- name: Don't wait for lan and mgt interfaces to come online + copy: + src: networkd/systemd-networkd-wait-online.service + dest: '/etc/systemd/system/systemd-networkd-wait-online.service' + +- name: Enable systemd-networkd + systemd: + name: systemd-networkd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable systemd-networkd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/systemd-networkd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml new file mode 100644 index 0000000..a7fb588 --- /dev/null +++ b/roles/space_server/tasks/nftables.yml @@ -0,0 +1,34 @@ +--- +- name: Install our nftables service + copy: + src: nftables/nftables.service + dest: '/etc/systemd/system/nftables.service' + +- name: Install nftables package + dnf: + name: nftables + state: latest + tags: + - packages + +- name: Configure nftables + copy: + src: nftables/nftables.conf + dest: '/etc/sysconfig/nftables.conf' + notify: + - reload nftables + +- name: Enable nftables service + systemd: + name: nftables.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable nftables.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/nftables.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml new file mode 100644 index 0000000..3226d2e --- /dev/null +++ b/roles/space_server/tasks/radius.yml @@ -0,0 +1,105 @@ +--- +- name: Install our freeradius-assha package + dnf: + name: '{{ item }}' + state: latest + with_fileglob: + - 'radius/freeradius-assha-*.fc{{ ansible_distribution_major_version }}.*.rpm' + notify: + - restart radiusd + tags: + - packages + +- name: Make sure curl and diffutils are installed + dnf: + name: '{{ item }}' + state: latest + with_items: + - curl + - diffutils + tags: + - packages + +- name: Disable default site + file: + path: '/etc/raddb/sites-enabled/default' + state: absent + notify: + - restart radiusd +- name: Configure radiusd + copy: + src: 'radius/{{ item }}' + dest: '/etc/raddb/{{ item }}' + owner: root + group: radiusd + mode: 0640 + with_items: + - radiusd.conf + - mods-available/eap + - sites-available/labitat + notify: + - restart radiusd +- name: Configure radius clients + template: + src: 'radius/clients.conf.j2' + dest: '/etc/raddb/clients.conf' + owner: root + group: radiusd + mode: 0640 + notify: + - restart radiusd +- name: Enable labitat site + file: + path: '/etc/raddb/sites-enabled/labitat' + state: link + src: '../sites-available/labitat' + owner: root + group: radiusd + force: yes + notify: + - restart radiusd + +- name: Create getusers script + template: + src: 'radius/getusers.sh.j2' + dest: '/etc/raddb/getusers.sh' + owner: root + group: radiusd + mode: 0750 +- name: Create getusers service and timer + copy: + src: 'radius/{{ item }}' + dest: '/etc/systemd/system/{{ item }}' + with_items: + - getusers.service + - getusers.timer + notify: + - restart getusers + +- name: Enable getusers timer + systemd: + name: getusers.timer + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable getusers.timer + args: + creates: '/etc/systemd/system/timers.target.wants/getusers.timer' + when: "'container' in ansible_env" + +- name: Enable radiusd service + systemd: + name: radiusd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable radiusd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/radvd.yml b/roles/space_server/tasks/radvd.yml new file mode 100644 index 0000000..3c25c5c --- /dev/null +++ b/roles/space_server/tasks/radvd.yml @@ -0,0 +1,40 @@ +--- +- name: Install radvd package + dnf: + name: radvd + state: latest + notify: + - restart radvd + tags: + - packages + +- name: Configure radvd + copy: + src: radvd/radvd.conf + dest: '/etc/radvd.conf' + notify: + - restart radvd + +- name: Create service drop-in directory + file: + dest: '/etc/systemd/system/radvd.service.d' + state: directory +- name: Start radvd after networks are configured + copy: + src: wait-online.conf + dest: '/etc/systemd/system/radvd.service.d/wait-online.conf' + +- name: Enable radvd service + systemd: + name: radvd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable radvd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/radvd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/resolved.yml b/roles/space_server/tasks/resolved.yml new file mode 100644 index 0000000..d95d1d1 --- /dev/null +++ b/roles/space_server/tasks/resolved.yml @@ -0,0 +1,34 @@ +--- +#- name: Enable systemd-resolved +# systemd: +# name: systemd-resolved.service +# enabled: yes +# masked: no +# state: started +# when: "'container' not in ansible_env" +#- name: '- when in nspawn' +# command: systemctl enable systemd-resolved.service +# args: +# creates: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service' +# when: "'container' in ansible_env" +# +#- name: Use systemd-resolved +# lineinfile: +# path: /etc/nsswitch.conf +# regexp: '^hosts:' +# line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname' + +- name: Disable systemd-resolved + systemd: + name: systemd-resolved.service + enabled: no + masked: no + state: stopped + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl disable systemd-resolved.service + args: + removes: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/sshd.yml b/roles/space_server/tasks/sshd.yml new file mode 100644 index 0000000..8eaa8fc --- /dev/null +++ b/roles/space_server/tasks/sshd.yml @@ -0,0 +1,32 @@ +--- +- name: Install sshd package + dnf: + name: openssh-server + state: latest + notify: + - restart sshd + tags: + - packages + +- name: Configure sshd + lineinfile: + path: '/etc/ssh/sshd_config' + regexp: '^PasswordAuthentication' + line: 'PasswordAuthentication no' + notify: + - restart sshd + +- name: Enable sshd service + systemd: + name: sshd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable sshd.service + args: + creates: '/etc/systemd/system/multi-user.target.wants/sshd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/sudo.yml b/roles/space_server/tasks/sudo.yml new file mode 100644 index 0000000..b8497c3 --- /dev/null +++ b/roles/space_server/tasks/sudo.yml @@ -0,0 +1,16 @@ +--- +- name: Install sudo package + dnf: + name: sudo + state: latest + tags: + - packages + +- name: Install sudoers file + copy: + src: sudo/sudoers + dest: '/etc/sudoers' + mode: 0440 + validate: visudo -cf %s + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/timesyncd.yml b/roles/space_server/tasks/timesyncd.yml new file mode 100644 index 0000000..cf964e3 --- /dev/null +++ b/roles/space_server/tasks/timesyncd.yml @@ -0,0 +1,15 @@ +--- +- name: Enable systemd-timesyncd + systemd: + name: systemd-timesyncd.service + enabled: yes + masked: no + state: started + when: "'container' not in ansible_env" +- name: '- when in nspawn' + command: systemctl enable systemd-timesyncd.service + args: + creates: '/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service' + when: "'container' in ansible_env" + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/templates/cmdline.j2 b/roles/space_server/templates/cmdline.j2 new file mode 100644 index 0000000..36b1e15 --- /dev/null +++ b/roles/space_server/templates/cmdline.j2 @@ -0,0 +1,5 @@ +{% if ansible_distribution_release == 'Rawhide' %} +console=ttyS0,115200n8 ro root={{ root.device }} rootfstype=btrfs ro rootflags={{ root.options|regex_replace('noatime,','') }},subvol=/rawhide rootwait audit=0 +{% else %} +console=ttyS0,115200n8 ro root={{ root.device }} rootfstype=btrfs ro rootflags={{ root.options|regex_replace('noatime,','') }},subvol=/{{ ansible_distribution.lower() }}{{ ansible_distribution_version }} rootwait audit=0 +{% endif %} diff --git a/roles/space_server/templates/fstab.j2 b/roles/space_server/templates/fstab.j2 new file mode 100644 index 0000000..ba4f69d --- /dev/null +++ b/roles/space_server/templates/fstab.j2 @@ -0,0 +1,9 @@ +{{ boot.device }} /boot vfat defaults,{{ boot.options }} 0 2 + +{% if ansible_distribution_release == 'Rawhide' %} +{{ root.device }} / btrfs defaults,{{ root.options }},subvol=/rawhide 0 1 +{% else %} +{{ root.device }} / btrfs defaults,{{ root.options }},subvol=/{{ ansible_distribution.lower() }}{{ ansible_distribution_version }} 0 1 +{% endif %} +{{ root.device }} /home btrfs defaults,{{ root.options }},subvol=/home 0 2 +{{ root.device }} /mnt btrfs defaults,{{ root.options }},subvol=/ 0 2 diff --git a/roles/space_server/templates/radius/clients.conf.j2 b/roles/space_server/templates/radius/clients.conf.j2 new file mode 100644 index 0000000..0e82666 --- /dev/null +++ b/roles/space_server/templates/radius/clients.conf.j2 @@ -0,0 +1,13 @@ +client ap1 { + ipaddr = 10.42.0.5 + netmask = 32 + secret = {{ radius_passwords.ap1 }} + nas_type = other +} + +client ap2 { + ipaddr = 10.42.0.6 + netmask = 32 + secret = {{ radius_passwords.ap2 }} + nas_type = other +} diff --git a/roles/space_server/templates/radius/getusers.sh.j2 b/roles/space_server/templates/radius/getusers.sh.j2 new file mode 100644 index 0000000..e77758b --- /dev/null +++ b/roles/space_server/templates/radius/getusers.sh.j2 @@ -0,0 +1,10 @@ +#!/bin/sh + +if curl -s -4 -k '{{ radius_passwords.download_url }}' -o /etc/raddb/users.new; then + if ! diff -q /etc/raddb/users /etc/raddb/users.new >/dev/null; then + mv -f /etc/raddb/users.new /etc/raddb/mods-config/files/authorize + systemctl restart radiusd.service + fi +else + rm -f /etc/raddb/users.new +fi diff --git a/roles/users/tasks/ast.yml b/roles/users/tasks/ast.yml new file mode 100644 index 0000000..1c01717 --- /dev/null +++ b/roles/users/tasks/ast.yml @@ -0,0 +1,16 @@ +--- +- name: ast + user: + comment: 'Asbjørn Sloth Tønnesen' + name: ast + uid: 1001 + group: users + groups: + - wheel + +- name: ast - authorized_keys + authorized_key: + user: ast + key: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyLX2AICoAhOSOnZth9PMlxqgPrw//J2wMtcHQUppqSjHGFkxIkOWnMUwbSZo/kFj2J8e8GJ7xwmC3tTblmJl+Ba1R77SEETJQpM1/TgWcCK5L7KpK/XP7yTCPMds1vczjgIIMA+DS9iuNQkqLSA5B6gdGfbfuPsMB/W8L2gqkVFMiE3zcrxGLwaPPW7fo9rA2Z7tMEZMFy9SB0u3mqY5aoBiI9P5U3rgn96SO8cs/JVnf99RfkJQWmBamZIH3vqwvC3uG+QgB0cQ9Sy9/I4Q75YQKnGPS+ySQVvo3nY9KpULAbHoVZyu3CtzDfXYOxgUXhJ/GerZZUbyHkrndhXteQ== asbjorn@asbjorn.it' + +# vim: set ts=2 sw=2 et: diff --git a/roles/users/tasks/esmil.yml b/roles/users/tasks/esmil.yml new file mode 100644 index 0000000..a6c8266 --- /dev/null +++ b/roles/users/tasks/esmil.yml @@ -0,0 +1,16 @@ +--- +- name: esmil + user: + comment: 'Emil Renner Berthing' + name: esmil + uid: 1000 + group: users + groups: + - wheel + +- name: esmil - authorized_keys + authorized_key: + user: esmil + key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUS/4G4YgI7LeJll8BUHCcdkCK3klSxzhqEY3X2df5+ esmil@stitch' + +# vim: set ts=2 sw=2 et: diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml new file mode 100644 index 0000000..327d5e2 --- /dev/null +++ b/roles/users/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- import_tasks: esmil.yml + tags: + - users + - esmil +- import_tasks: ast.yml + tags: + - users + - ast + +# vim: set ts=2 sw=2 et: diff --git a/space.yml b/space.yml new file mode 100644 index 0000000..a757a3d --- /dev/null +++ b/space.yml @@ -0,0 +1,15 @@ +--- +- hosts: space + pre_tasks: + - include_vars: '{{ item }}' + with_first_found: + - files: + - /etc/ansible/secrets.yml + - secrets.yml + skip: true + tags: + - radius + roles: + - space_server + +# vim: set ts=2 sw=2 et: |