aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEmil Renner Berthing <esmil@labitat.dk>2017-11-07 16:27:49 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2017-11-12 14:56:32 +0100
commite8cdba85c48dcbbd42e6fcb5be3aa2912008cb84 (patch)
tree41ba5163cf6f110521f2ebc9035f77d2754796a0
downloadlabitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.gz
labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.tar.xz
labitat-ansible-e8cdba85c48dcbbd42e6fcb5be3aa2912008cb84.zip
initial commit
-rw-r--r--.gitignore2
-rw-r--r--roles/fedora/tasks/dnf.yml46
-rw-r--r--roles/fedora/tasks/hostname.yml12
-rw-r--r--roles/fedora/tasks/locale.yml7
-rw-r--r--roles/fedora/tasks/main.yml14
-rw-r--r--roles/fedora/tasks/timezone.yml9
-rw-r--r--roles/fedora/templates/locale.conf.j23
-rw-r--r--roles/root_env/files/bash_profile.sh1
-rw-r--r--roles/root_env/files/bashrc.sh.j234
-rw-r--r--roles/root_env/tasks/main.yml11
-rwxr-xr-xroles/space_server/bootstrap.sh66
-rw-r--r--roles/space_server/defaults/main.yml32
-rw-r--r--roles/space_server/files/ansible/hosts11
-rw-r--r--roles/space_server/files/bird/bird.conf7
-rw-r--r--roles/space_server/files/bird/bird6.conf7
-rw-r--r--roles/space_server/files/bird/filter.conf31
-rw-r--r--roles/space_server/files/bird/peers4.conf11
-rw-r--r--roles/space_server/files/bird/peers6.conf11
-rw-r--r--roles/space_server/files/bird/protocols.conf15
-rw-r--r--roles/space_server/files/bird/symbol4.conf5
-rw-r--r--roles/space_server/files/bird/symbol6.conf5
-rw-r--r--roles/space_server/files/bird/templates.conf18
-rw-r--r--roles/space_server/files/blackhole/blackhole.service11
-rwxr-xr-xroles/space_server/files/blackhole/blackhole.sh6
-rw-r--r--roles/space_server/files/dhcpd/dhcpd.conf159
-rwxr-xr-xroles/space_server/files/kernel/90-loaderentry.install89
-rwxr-xr-xroles/space_server/files/kernel/95-syslinux-menu.install40
-rw-r--r--roles/space_server/files/named/named.conf81
-rw-r--r--roles/space_server/files/named/s.zone21
-rw-r--r--roles/space_server/files/networkd/network/10-lan.link5
-rw-r--r--roles/space_server/files/networkd/network/10-lan.network19
-rw-r--r--roles/space_server/files/networkd/network/10-lan10.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan10.network12
-rw-r--r--roles/space_server/files/networkd/network/10-lan11.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan11.network17
-rw-r--r--roles/space_server/files/networkd/network/10-lan12.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan12.network17
-rw-r--r--roles/space_server/files/networkd/network/10-lan13.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan13.network13
-rw-r--r--roles/space_server/files/networkd/network/10-lan14.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan14.network17
-rw-r--r--roles/space_server/files/networkd/network/10-lan15.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan15.network12
-rw-r--r--roles/space_server/files/networkd/network/10-lan20.netdev6
-rw-r--r--roles/space_server/files/networkd/network/10-lan20.network17
-rw-r--r--roles/space_server/files/networkd/network/10-lo.network6
-rw-r--r--roles/space_server/files/networkd/network/10-mgt.link5
-rw-r--r--roles/space_server/files/networkd/network/10-mgt.network19
-rw-r--r--roles/space_server/files/networkd/network/10-wan.link5
-rw-r--r--roles/space_server/files/networkd/network/10-wan.network15
-rw-r--r--roles/space_server/files/networkd/systemd-networkd-wait-online.service23
-rwxr-xr-xroles/space_server/files/nftables/nftables.conf248
-rw-r--r--roles/space_server/files/nftables/nftables.service30
-rw-r--r--roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpmbin0 -> 1112554 bytes
-rw-r--r--roles/space_server/files/radius/getusers.service10
-rw-r--r--roles/space_server/files/radius/getusers.timer12
-rw-r--r--roles/space_server/files/radius/mods-available/eap883
-rw-r--r--roles/space_server/files/radius/radiusd.conf779
-rw-r--r--roles/space_server/files/radius/sites-available/labitat84
-rw-r--r--roles/space_server/files/radvd/radvd.conf68
-rw-r--r--roles/space_server/files/sudo/sudoers96
-rw-r--r--roles/space_server/files/wait-online.conf2
-rw-r--r--roles/space_server/handlers/main.yml66
-rw-r--r--roles/space_server/meta/main.yml7
-rw-r--r--roles/space_server/tasks/ansible.yml30
-rw-r--r--roles/space_server/tasks/bird.yml68
-rw-r--r--roles/space_server/tasks/blackhole.yml32
-rw-r--r--roles/space_server/tasks/dhcpd.yml31
-rw-r--r--roles/space_server/tasks/gettys.yml25
-rw-r--r--roles/space_server/tasks/kernel.yml42
-rw-r--r--roles/space_server/tasks/main.yml41
-rw-r--r--roles/space_server/tasks/named.yml52
-rw-r--r--roles/space_server/tasks/networkd.yml48
-rw-r--r--roles/space_server/tasks/nftables.yml34
-rw-r--r--roles/space_server/tasks/radius.yml105
-rw-r--r--roles/space_server/tasks/radvd.yml40
-rw-r--r--roles/space_server/tasks/resolved.yml34
-rw-r--r--roles/space_server/tasks/sshd.yml32
-rw-r--r--roles/space_server/tasks/sudo.yml16
-rw-r--r--roles/space_server/tasks/timesyncd.yml15
-rw-r--r--roles/space_server/templates/cmdline.j25
-rw-r--r--roles/space_server/templates/fstab.j29
-rw-r--r--roles/space_server/templates/radius/clients.conf.j213
-rw-r--r--roles/space_server/templates/radius/getusers.sh.j210
-rw-r--r--roles/users/tasks/ast.yml16
-rw-r--r--roles/users/tasks/esmil.yml16
-rw-r--r--roles/users/tasks/main.yml11
-rw-r--r--space.yml15
88 files changed, 4034 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0e8b0fe
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.retry
+/secrets.yml
diff --git a/roles/fedora/tasks/dnf.yml b/roles/fedora/tasks/dnf.yml
new file mode 100644
index 0000000..a0c0db9
--- /dev/null
+++ b/roles/fedora/tasks/dnf.yml
@@ -0,0 +1,46 @@
+---
+- name: Configure dnf.conf
+ ini_file:
+ path: /etc/dnf/dnf.conf
+ no_extra_spaces: yes
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ with_items:
+ - section: main
+ option: 'install_weak_deps'
+ value: 'False'
+ - section: main
+ option: 'best'
+ value: 'True'
+ - section: main
+ option: 'deltarpm'
+ value: 'False'
+
+- name: Update all packages
+ dnf:
+ name: '*'
+ state: latest
+ tags:
+ - update
+ - packages
+
+- name: Remove packages
+ dnf:
+ name: '{{ item }}'
+ state: absent
+ with_items: '{{ packages.remove }}'
+ when: "'remove' in packages"
+ tags:
+ - packages
+
+- name: Install packages
+ dnf:
+ name: '{{ item }}'
+ state: latest
+ with_items: '{{ packages.install }}'
+ when: "'install' in packages"
+ tags:
+ - packages
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/tasks/hostname.yml b/roles/fedora/tasks/hostname.yml
new file mode 100644
index 0000000..5299270
--- /dev/null
+++ b/roles/fedora/tasks/hostname.yml
@@ -0,0 +1,12 @@
+---
+- name: Set hostname
+ hostname:
+ name: '{{ hostname }}'
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ copy:
+ dest: /etc/hostname
+ content: "{{ hostname }}\n"
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/tasks/locale.yml b/roles/fedora/tasks/locale.yml
new file mode 100644
index 0000000..61311e0
--- /dev/null
+++ b/roles/fedora/tasks/locale.yml
@@ -0,0 +1,7 @@
+---
+- name: Setting default locales
+ template:
+ src: locale.conf.j2
+ dest: /etc/locale.conf
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/tasks/main.yml b/roles/fedora/tasks/main.yml
new file mode 100644
index 0000000..2e163a4
--- /dev/null
+++ b/roles/fedora/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- import_tasks: dnf.yml
+ tags: dnf
+- import_tasks: timezone.yml
+ when: timezone is defined
+ tags: timezone
+- import_tasks: locale.yml
+ when: locale is defined
+ tags: locale
+- import_tasks: hostname.yml
+ when: hostname is defined
+ tags: hostname
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/tasks/timezone.yml b/roles/fedora/tasks/timezone.yml
new file mode 100644
index 0000000..05a9165
--- /dev/null
+++ b/roles/fedora/tasks/timezone.yml
@@ -0,0 +1,9 @@
+---
+- name: Create /etc/localtime
+ file:
+ path: '/etc/localtime'
+ state: link
+ src: '../usr/share/zoneinfo/{{ timezone }}'
+ force: yes
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/fedora/templates/locale.conf.j2 b/roles/fedora/templates/locale.conf.j2
new file mode 100644
index 0000000..f854bde
--- /dev/null
+++ b/roles/fedora/templates/locale.conf.j2
@@ -0,0 +1,3 @@
+{% for key, value in locale.items() %}
+{{ key }}={{ value }}
+{% endfor %}
diff --git a/roles/root_env/files/bash_profile.sh b/roles/root_env/files/bash_profile.sh
new file mode 100644
index 0000000..3ee6b29
--- /dev/null
+++ b/roles/root_env/files/bash_profile.sh
@@ -0,0 +1 @@
+. "$HOME/.bashrc"
diff --git a/roles/root_env/files/bashrc.sh.j2 b/roles/root_env/files/bashrc.sh.j2
new file mode 100644
index 0000000..bcc4ddb
--- /dev/null
+++ b/roles/root_env/files/bashrc.sh.j2
@@ -0,0 +1,34 @@
+# if not running interactively, don't do anything
+[[ $- != *i* ]] && return
+
+export PS1='\[\e[1;31m\]\u\[\e[00m\]@\[\e[0;31m\]\h\[\e[1;34m\]\w\[\e[00m\]\$ '
+unset PROMPT_COMMAND
+
+# directory listing
+eval "$(dircolors -b)"
+alias ls='ls --color=auto -F'
+alias ll='ls -Ahl'
+
+# some more alias to avoid making mistakes:
+alias rm='rm -ri'
+alias cp='cp -rid'
+alias mv='mv -i'
+
+# editor
+export EDITOR='vim'
+alias vi='vim'
+
+# network
+alias ip6='ip -6'
+{% if ansible_service_mgr == 'systemd' %}
+
+# systemd
+alias start='systemctl start'
+alias stop='systemctl stop'
+alias restart='systemctl restart'
+alias status='systemctl status'
+alias cgls='systemd-cgls'
+alias cgtop='systemd-cgtop'
+{% endif %}
+
+cd
diff --git a/roles/root_env/tasks/main.yml b/roles/root_env/tasks/main.yml
new file mode 100644
index 0000000..2a0e04f
--- /dev/null
+++ b/roles/root_env/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: root .bash_profile
+ copy:
+ src: files/bash_profile.sh
+ dest: /root/.bash_profile
+- name: root .bashrc
+ template:
+ src: files/bashrc.sh.j2
+ dest: /root/.bashrc
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh
new file mode 100755
index 0000000..17f8c7a
--- /dev/null
+++ b/roles/space_server/bootstrap.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+#
+# This script assumes filesystems and syslinux are already
+# set up. If not here is a short, incomplete guide:
+#
+# Create a gpt partition table similar to this:
+# Disk /dev/sda: 14,9 GiB, 16013942784 bytes, 31277232 sectors
+# Units: sectors of 1 * 512 = 512 bytes
+# Sector size (logical/physical): 512 bytes / 512 bytes
+# I/O size (minimum/optimal): 512 bytes / 512 bytes
+# Disklabel type: gpt
+# Disk identifier: 45AA3BC2-C3B8-B24D-A5AF-59C9F2577554
+#
+# Device Start End Sectors Size Type
+# /dev/sda1 2048 1048575 1046528 511M EFI System
+# /dev/sda2 1048576 31277198 30228623 14,4G Linux filesystem
+#
+# Create boot filesystem:
+# mkfs.vfat -v -F32 -n BOOT /dev/sda1
+#
+# Create root filesystem:
+# mkfs.btrfs -m single -d single -L BTRFS /dev/sda2
+#
+# Install syslinux:
+# mount -o noatime,fmask=0133,dmask=0022,utf8 /dev/sda1 /boot
+# syslinux -d syslinux -i /dev/sda1
+# cp /usr/share/syslinux/{ldlinux,libutil,menu}.c32 /boot/syslinux/
+# dd bs=440 count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda
+#
+# Mount root filesystem:
+# mount -o noatime,ssd,compress=lzo /dev/sda2 /mnt
+#
+# Create and mount home subvolume:
+# btrfs subvolume create /mnt/home
+# mount -o noatime,ssd,compress=lzo,subvol=/home /dev/sda2 /home
+#
+# Clone the labitat-ansible git repo to /home/ansible
+# git clone <URL> /home/ansible
+#
+# Run this script
+
+set -e
+set -x
+
+release=26
+dest="/mnt/fedora$release"
+if [[ -e "$dest" ]]; then
+ echo "Destination '$dest' already exists. Aborting." >&2
+ exit 1
+fi
+
+btrfs subvolume create "$dest"
+
+dnf \
+ --assumeyes \
+ --installroot="$dest" \
+ --releasever=$release \
+ --disablerepo='*' \
+ --enablerepo=fedora \
+ --enablerepo=updates \
+ install dnf python2-dnf ansible
+
+systemd-nspawn -D "$dest" --bind /boot --bind /home -- \
+ ansible-playbook -i space, -c local /home/ansible/space.yml
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/defaults/main.yml b/roles/space_server/defaults/main.yml
new file mode 100644
index 0000000..eb582df
--- /dev/null
+++ b/roles/space_server/defaults/main.yml
@@ -0,0 +1,32 @@
+---
+hostname: 'space'
+locale:
+ LANG: 'da_DK.UTF-8'
+ LC_COLLATE: 'C'
+ LC_MESSAGES: 'C'
+timezone: 'Europe/Copenhagen'
+packages:
+ install:
+ - initscripts
+ - dosfstools
+ - btrfs-progs
+ - dnf
+ - python2-dnf
+ - 'dnf-command(leaves)'
+ - ansible
+ - vim-enhanced
+ - git
+ - diffutils
+ - htop
+ - man-db
+ - passwd
+ - syslinux
+ - systemd-container
+boot:
+ device: 'LABEL=BOOT'
+ options: 'noauto,noatime,iocharset=iso8859-15,utf8,tz=UTC,dmask=0022,fmask=0133,x-systemd.automount,x-systemd.device-timeout=5min,x-systemd.idle-timeout=5min'
+root:
+ device: 'LABEL=BTRFS'
+ options: 'noatime,ssd,compress=lzo'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/ansible/hosts b/roles/space_server/files/ansible/hosts
new file mode 100644
index 0000000..3091e4a
--- /dev/null
+++ b/roles/space_server/files/ansible/hosts
@@ -0,0 +1,11 @@
+# This is the default ansible 'hosts' file.
+#
+# It should live in /etc/ansible/hosts
+#
+# - Comments begin with the '#' character
+# - Blank lines are ignored
+# - Groups of hosts are delimited by [header] elements
+# - You can enter hostnames or ip addresses
+# - A hostname/ip can be a member of multiple groups
+
+space ansible_connection=local
diff --git a/roles/space_server/files/bird/bird.conf b/roles/space_server/files/bird/bird.conf
new file mode 100644
index 0000000..2ae72f0
--- /dev/null
+++ b/roles/space_server/files/bird/bird.conf
@@ -0,0 +1,7 @@
+router id 185.38.175.0;
+
+include "bird/symbol4.conf";
+include "bird/filter.conf";
+include "bird/protocols.conf";
+include "bird/templates.conf";
+include "bird/peers4.conf";
diff --git a/roles/space_server/files/bird/bird6.conf b/roles/space_server/files/bird/bird6.conf
new file mode 100644
index 0000000..91b5405
--- /dev/null
+++ b/roles/space_server/files/bird/bird6.conf
@@ -0,0 +1,7 @@
+router id 185.38.175.0;
+
+include "bird/symbol6.conf";
+include "bird/filter.conf";
+include "bird/protocols.conf";
+include "bird/templates.conf";
+include "bird/peers6.conf";
diff --git a/roles/space_server/files/bird/filter.conf b/roles/space_server/files/bird/filter.conf
new file mode 100644
index 0000000..3edc053
--- /dev/null
+++ b/roles/space_server/files/bird/filter.conf
@@ -0,0 +1,31 @@
+function accept_default_route()
+{
+ if net = DEFAULT_ROUTE then {
+ accept;
+ }
+}
+
+function accept_prefixes(prefix set prefixes)
+{
+ if net ~ prefixes then {
+ accept;
+ }
+}
+
+filter fallback_filter {
+ reject "WARNING!! no filter set, all routes will be rejected";
+}
+
+filter transit_import
+{
+ accept_default_route();
+
+ reject;
+}
+
+filter transit_export
+{
+ accept_prefixes(LABITAT_PREFIXES);
+
+ reject;
+}
diff --git a/roles/space_server/files/bird/peers4.conf b/roles/space_server/files/bird/peers4.conf
new file mode 100644
index 0000000..6f0cc96
--- /dev/null
+++ b/roles/space_server/files/bird/peers4.conf
@@ -0,0 +1,11 @@
+template bgp fiberby from bgp_transit {
+}
+
+protocol bgp fiberby_tgc from fiberby {
+ preference 90;
+ neighbor 193.106.167.41 as 42541;
+}
+
+protocol bgp fiberby_inx from fiberby {
+ neighbor 193.106.167.42 as 42541;
+}
diff --git a/roles/space_server/files/bird/peers6.conf b/roles/space_server/files/bird/peers6.conf
new file mode 100644
index 0000000..ee1fbfe
--- /dev/null
+++ b/roles/space_server/files/bird/peers6.conf
@@ -0,0 +1,11 @@
+template bgp fiberby from bgp_transit {
+}
+
+protocol bgp fiberby_tgc from fiberby {
+ preference 90;
+ neighbor 2a03:5440:1:2935:1ab::1 as 42541;
+}
+
+protocol bgp fiberby_inx from fiberby {
+ neighbor 2a03:5440:1:2935:1ab::2 as 42541;
+}
diff --git a/roles/space_server/files/bird/protocols.conf b/roles/space_server/files/bird/protocols.conf
new file mode 100644
index 0000000..b84c6ac
--- /dev/null
+++ b/roles/space_server/files/bird/protocols.conf
@@ -0,0 +1,15 @@
+protocol device {
+ scan time 10;
+}
+
+protocol direct {
+}
+
+protocol kernel {
+ metric 64;
+ learn;
+ persist;
+ scan time 20;
+ import all;
+ export all;
+}
diff --git a/roles/space_server/files/bird/symbol4.conf b/roles/space_server/files/bird/symbol4.conf
new file mode 100644
index 0000000..80a8ed6
--- /dev/null
+++ b/roles/space_server/files/bird/symbol4.conf
@@ -0,0 +1,5 @@
+define DEFAULT_ROUTE = 0.0.0.0/0;
+
+define LABITAT_PREFIXES = [
+ 185.38.175.0/24
+];
diff --git a/roles/space_server/files/bird/symbol6.conf b/roles/space_server/files/bird/symbol6.conf
new file mode 100644
index 0000000..daed1b8
--- /dev/null
+++ b/roles/space_server/files/bird/symbol6.conf
@@ -0,0 +1,5 @@
+define DEFAULT_ROUTE = ::/0;
+
+define LABITAT_PREFIXES = [
+ 2a01:4260:1ab::/48
+];
diff --git a/roles/space_server/files/bird/templates.conf b/roles/space_server/files/bird/templates.conf
new file mode 100644
index 0000000..4334bd8
--- /dev/null
+++ b/roles/space_server/files/bird/templates.conf
@@ -0,0 +1,18 @@
+template bgp bgp_peer {
+ local as 205235;
+ import keep filtered;
+ import filter fallback_filter;
+ export filter fallback_filter;
+ import limit 1000 action block;
+ receive limit 1500 action disable;
+ export limit 100 action block;
+ hold time 60;
+}
+
+template bgp bgp_transit from bgp_peer {
+ preference 100;
+ import limit off;
+ receive limit off;
+ import filter transit_import;
+ export filter transit_export;
+}
diff --git a/roles/space_server/files/blackhole/blackhole.service b/roles/space_server/files/blackhole/blackhole.service
new file mode 100644
index 0000000..e32f642
--- /dev/null
+++ b/roles/space_server/files/blackhole/blackhole.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Blackhole routes
+Wants=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/systemd/scripts/blackhole.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/space_server/files/blackhole/blackhole.sh b/roles/space_server/files/blackhole/blackhole.sh
new file mode 100755
index 0000000..695f0ea
--- /dev/null
+++ b/roles/space_server/files/blackhole/blackhole.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+ip route add unreachable 185.38.175.0/24
+ip route add unreachable 2a01:4260:1ab::/48
diff --git a/roles/space_server/files/dhcpd/dhcpd.conf b/roles/space_server/files/dhcpd/dhcpd.conf
new file mode 100644
index 0000000..e443b30
--- /dev/null
+++ b/roles/space_server/files/dhcpd/dhcpd.conf
@@ -0,0 +1,159 @@
+#
+# DHCP Server Configuration file.
+# see /usr/share/doc/dhcp/dhcpd.conf.example
+# see dhcpd.conf(5) man page
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+#option domain-name "labitat.dk";
+default-lease-time 3600;
+max-lease-time 7200;
+min-lease-time 600;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility daemon;
+
+
+# Admin net
+subnet 10.42.0.0 netmask 255.255.255.0 {
+ range 10.42.0.50 10.42.0.250;
+ option routers 10.42.0.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+
+ host ap {
+ hardware ethernet 00:0f:23:94:43:0b;
+ fixed-address 10.42.0.2;
+ }
+
+ host doorputer {
+ hardware ethernet 00:b3:f6:00:36:be;
+ fixed-address 10.42.0.3;
+ }
+
+ host foodputer {
+ hardware ethernet 00:d0:59:37:5e:37;
+ fixed-address 10.42.0.4;
+ }
+
+ # 10.42.0.5: new ap1
+ # 10.42.0.6: new ap2
+
+ host switch {
+ hardware ethernet 00:1b:11:6f:42:f8;
+ fixed-address 10.42.0.9;
+ }
+
+ host spacewand {
+ hardware ethernet 00:1f:7b:b4:0e:00;
+ fixed-address 10.42.0.70;
+ }
+}
+
+
+# Wired net
+subnet 10.42.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 10.42.1.50 10.42.1.250;
+ option routers 10.42.1.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+ next-server 10.42.1.1;
+ filename "pxelinux.0";
+
+ host anna {
+ hardware ethernet 00:e0:c5:6e:d6:8d;
+ fixed-address 10.42.1.9;
+ }
+
+ # Arduino Ethernet Bootloader test
+ host flummer {
+ hardware ethernet 90:A2:DA:00:61:EE;
+ fixed-address 10.42.1.31;
+ filename "esmil/test.bin";
+ }
+
+ host arduino {
+ hardware ethernet 00:08:DC:00:00:4F;
+ fixed-address 10.42.1.31;
+ filename "esmil/setmac.bin";
+ }
+
+ host printbrother {
+ hardware ethernet 00:80:77:06:9f:26;
+ fixed-address 10.42.1.32;
+ }
+
+ # Infoscreen Raspberry Pi
+ host infotron {
+ hardware ethernet b8:27:eb:2c:5d:3a;
+ fixed-address 10.42.1.34;
+ }
+ host spacemon {
+ hardware ethernet b8:27:eb:24:f8:50;
+ fixed-address 10.42.1.35;
+ }
+ host jumbotron {
+ hardware ethernet b8:27:eb:d3:c1:62;
+ fixed-address 10.42.1.36;
+ }
+ host hplaserjet {
+ hardware ethernet 94:57:a5:ce:e2:6c;
+ fixed-address 10.42.1.37;
+ }
+
+ # fake IP til "hemmeligt projekt"
+ host tlet {
+ hardware ethernet 00:00:00:00:00:00;
+ fixed-address 10.42.1.42;
+ }
+
+ host labisound {
+ hardware ethernet 00:16:e6:f7:43:b0;
+ fixed-address 10.42.1.40;
+ }
+
+ #test riiiis april2014
+ host riiiisarduinoserverrebootertest {
+ fixed-address 10.42.1.49;
+ }
+
+}
+
+
+# Private wifi
+subnet 10.42.2.0 netmask 255.255.255.0 {
+ range 10.42.2.50 10.42.2.250;
+ option routers 10.42.2.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+ next-server 10.42.2.1;
+ filename "pxelinux.0";
+}
+
+# Free wifi
+subnet 10.42.3.0 netmask 255.255.255.0 {
+ range 10.42.3.50 10.42.3.250;
+ option routers 10.42.3.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+
+}
+
+# Password protected wifi
+subnet 10.42.4.0 netmask 255.255.255.0 {
+ range 10.42.4.50 10.42.4.250;
+ option routers 10.42.4.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+}
diff --git a/roles/space_server/files/kernel/90-loaderentry.install b/roles/space_server/files/kernel/90-loaderentry.install
new file mode 100755
index 0000000..d31529e
--- /dev/null
+++ b/roles/space_server/files/kernel/90-loaderentry.install
@@ -0,0 +1,89 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+if [[ -f /etc/machine-id ]]; then
+ read MACHINE_ID < /etc/machine-id
+fi
+
+if ! [[ $MACHINE_ID ]]; then
+ exit 1
+fi
+
+BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION"
+BOOT_ROOT=${BOOT_DIR_ABS%$BOOT_DIR}
+LOADER_ENTRY="$BOOT_ROOT/loader/entries/$MACHINE_ID-$KERNEL_VERSION.conf"
+MENU="$BOOT_ROOT/loader/${MACHINE_ID}.cfg"
+
+if [[ $COMMAND == remove ]]; then
+ exec rm -f "$LOADER_ENTRY"
+fi
+
+if ! [[ $COMMAND == add ]]; then
+ exit 1
+fi
+
+if ! [[ $KERNEL_IMAGE ]]; then
+ exit 1
+fi
+
+if [[ -f /etc/os-release ]]; then
+ . /etc/os-release
+elif [[ -f /usr/lib/os-release ]]; then
+ . /usr/lib/os-release
+fi
+
+if ! [[ $PRETTY_NAME ]]; then
+ PRETTY_NAME="Linux $KERNEL_VERSION"
+fi
+
+declare -a BOOT_OPTIONS
+
+if [[ -f /etc/kernel/cmdline ]]; then
+ read -r -d '' -a BOOT_OPTIONS < /etc/kernel/cmdline
+fi
+
+if ! [[ ${BOOT_OPTIONS[*]} ]]; then
+ read -r -d '' -a line < /proc/cmdline
+ for i in "${line[@]}"; do
+ [[ "${i#initrd=*}" != "$i" ]] && continue
+ BOOT_OPTIONS+=("$i")
+ done
+fi
+
+if ! [[ ${BOOT_OPTIONS[*]} ]]; then
+ echo "Could not determine the kernel command line parameters." >&2
+ echo "Please specify the kernel command line in /etc/kernel/cmdline!" >&2
+ exit 1
+fi
+
+cp "$KERNEL_IMAGE" "$BOOT_DIR_ABS/linux" &&
+ chown root:root "$BOOT_DIR_ABS/linux" &&
+ chmod 0644 "$BOOT_DIR_ABS/linux" || {
+ echo "Could not copy '$KERNEL_IMAGE to '$BOOT_DIR_ABS/linux'." >&2
+ exit 1
+}
+
+mkdir -p "${LOADER_ENTRY%/*}" || {
+ echo "Could not create loader entry directory '${LOADER_ENTRY%/*}'." >&2
+ exit 1
+}
+
+{
+ echo "MENU LABEL $PRETTY_NAME $KERNEL_VERSION"
+ echo "LINUX $BOOT_DIR/linux"
+ echo "APPEND ${BOOT_OPTIONS[*]}"
+ [[ -f $BOOT_DIR_ABS/initrd ]] && \
+ echo "INITRD $BOOT_DIR/initrd"
+ :
+} > "$LOADER_ENTRY" || {
+ echo "Could not create loader entry '$LOADER_ENTRY'." >&2
+ exit 1
+}
+
+exit 0
diff --git a/roles/space_server/files/kernel/95-syslinux-menu.install b/roles/space_server/files/kernel/95-syslinux-menu.install
new file mode 100755
index 0000000..06ddad7
--- /dev/null
+++ b/roles/space_server/files/kernel/95-syslinux-menu.install
@@ -0,0 +1,40 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+if [[ -f /etc/machine-id ]]; then
+ read MACHINE_ID < /etc/machine-id
+fi
+
+if ! [[ $MACHINE_ID ]]; then
+ exit 1
+fi
+
+BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION"
+BOOT_ROOT=${BOOT_DIR_ABS%$BOOT_DIR}
+MENU="$BOOT_ROOT/loader/${MACHINE_ID}.cfg"
+
+{
+ declare -a paths
+ len=0
+ for path in "$BOOT_ROOT/loader/entries/$MACHINE_ID"-*; do
+ paths[$((len++))]="$path"
+ done
+
+ i=0
+ while [[ $len -gt 0 ]]; do
+ path="${paths[$((--len))]}"
+ echo "LABEL $((++i))"
+ echo "INCLUDE ${path#$BOOT_ROOT}"
+ done
+} > "$MENU" || {
+ echo "Could not create aggregated menu '$MENU'." >&2
+ exit 1
+}
+
+exit 0
diff --git a/roles/space_server/files/named/named.conf b/roles/space_server/files/named/named.conf
new file mode 100644
index 0000000..d9b60d3
--- /dev/null
+++ b/roles/space_server/files/named/named.conf
@@ -0,0 +1,81 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 {
+ 127.0.0.1;
+ 185.38.175.0;
+ };
+ listen-on-v6 port 53 {
+ ::1;
+ 2a01:4260:1ab::;
+ };
+ #dns64 fde2:52b4:4a19:ffff::/96 {
+ # clients { fde2:52b4:4a19:5::/64; };
+ #};
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ //allow-query { localhost; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+ channel syslog {
+ syslog;
+ severity warning;
+ print-severity yes;
+ print-category yes;
+ };
+ category default{
+ syslog;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "s" IN {
+ type master;
+ file "/etc/named/s.zone";
+ allow-transfer { none; };
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
diff --git a/roles/space_server/files/named/s.zone b/roles/space_server/files/named/s.zone
new file mode 100644
index 0000000..3d96157
--- /dev/null
+++ b/roles/space_server/files/named/s.zone
@@ -0,0 +1,21 @@
+s. 600 IN SOA space.labitat.dk. xnybre.labitat.dk. 2015112001 7200 3600 604800 86400
+s. 600 IN NS space.labitat.dk.
+
+s. 600 IN A 10.42.1.1
+s. 600 IN AAAA fde2:52b4:4a19:1::1
+
+labitrack.s. 600 IN CNAME spacewand.labitat.dk.
+track.s. 600 IN CNAME spacewand.labitat.dk.
+
+doorputer.s. 600 IN A 10.42.0.3
+foodputer.s. 600 IN A 10.42.0.4
+
+lathe.s. 600 IN A 10.42.0.12
+
+anna.s. 600 IN A 10.42.1.9
+infotron.s. 600 IN A 10.42.1.34
+spacemon.s. 600 IN A 10.42.1.35
+jumbotron.s. 600 IN A 10.42.1.36
+sound.s. 600 IN A 10.42.1.80
+
+printbrother.s. 600 IN A 10.42.1.32
diff --git a/roles/space_server/files/networkd/network/10-lan.link b/roles/space_server/files/networkd/network/10-lan.link
new file mode 100644
index 0000000..996917e
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:02:00.0
+
+[Link]
+Name=lan
diff --git a/roles/space_server/files/networkd/network/10-lan.network b/roles/space_server/files/networkd/network/10-lan.network
new file mode 100644
index 0000000..08b85aa
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan
+
+#[Link]
+#ARP=no
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+LLMNR=no
+MulticastDNS=no
+VLAN=lan10
+VLAN=lan11
+VLAN=lan12
+VLAN=lan13
+VLAN=lan14
+VLAN=lan15
+VLAN=lan20
diff --git a/roles/space_server/files/networkd/network/10-lan10.netdev b/roles/space_server/files/networkd/network/10-lan10.netdev
new file mode 100644
index 0000000..655859d
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan10.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan10
+Kind=vlan
+
+[VLAN]
+Id=10
diff --git a/roles/space_server/files/networkd/network/10-lan10.network b/roles/space_server/files/networkd/network/10-lan10.network
new file mode 100644
index 0000000..18931e0
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan10.network
@@ -0,0 +1,12 @@
+[Match]
+Name=lan10
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.0.1/24
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan11.netdev b/roles/space_server/files/networkd/network/10-lan11.netdev
new file mode 100644
index 0000000..b99b50b
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan11.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan11
+Kind=vlan
+
+[VLAN]
+Id=11
diff --git a/roles/space_server/files/networkd/network/10-lan11.network b/roles/space_server/files/networkd/network/10-lan11.network
new file mode 100644
index 0000000..744eb3c
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan11.network
@@ -0,0 +1,17 @@
+[Match]
+Name=lan11
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=10.42.1.1/24
+#Address=2a01:4260:1ab:b::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4260:1ab:b::/64
+PreferredSource=2a01:4260:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan12.netdev b/roles/space_server/files/networkd/network/10-lan12.netdev
new file mode 100644
index 0000000..7229fa1
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan12.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan12
+Kind=vlan
+
+[VLAN]
+Id=12
diff --git a/roles/space_server/files/networkd/network/10-lan12.network b/roles/space_server/files/networkd/network/10-lan12.network
new file mode 100644
index 0000000..23888bc
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan12.network
@@ -0,0 +1,17 @@
+[Match]
+Name=lan12
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=10.42.2.1/24
+#Address=2a01:4260:1ab:c::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4260:1ab:c::/64
+PreferredSource=2a01:4260:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan13.netdev b/roles/space_server/files/networkd/network/10-lan13.netdev
new file mode 100644
index 0000000..ab05488
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan13.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan13
+Kind=vlan
+
+[VLAN]
+Id=13
diff --git a/roles/space_server/files/networkd/network/10-lan13.network b/roles/space_server/files/networkd/network/10-lan13.network
new file mode 100644
index 0000000..6151c0e
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan13.network
@@ -0,0 +1,13 @@
+[Match]
+Name=lan13
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.3.1/24
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan14.netdev b/roles/space_server/files/networkd/network/10-lan14.netdev
new file mode 100644
index 0000000..1956a88
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan14.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan14
+Kind=vlan
+
+[VLAN]
+Id=14
diff --git a/roles/space_server/files/networkd/network/10-lan14.network b/roles/space_server/files/networkd/network/10-lan14.network
new file mode 100644
index 0000000..b2ec991
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan14.network
@@ -0,0 +1,17 @@
+[Match]
+Name=lan14
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=10.42.4.1/24
+#Address=2a01:4260:1ab:e::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4260:1ab:e::/64
+PreferredSource=2a01:4260:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan15.netdev b/roles/space_server/files/networkd/network/10-lan15.netdev
new file mode 100644
index 0000000..c31a650
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan15.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan15
+Kind=vlan
+
+[VLAN]
+Id=15
diff --git a/roles/space_server/files/networkd/network/10-lan15.network b/roles/space_server/files/networkd/network/10-lan15.network
new file mode 100644
index 0000000..7d1d7a7
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan15.network
@@ -0,0 +1,12 @@
+[Match]
+Name=lan15
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=2a01:4260:1ab:f::1/64
+IPForward=ipv6
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan20.netdev b/roles/space_server/files/networkd/network/10-lan20.netdev
new file mode 100644
index 0000000..2b2e0d8
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan20.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan20
+Kind=vlan
+
+[VLAN]
+Id=20
diff --git a/roles/space_server/files/networkd/network/10-lan20.network b/roles/space_server/files/networkd/network/10-lan20.network
new file mode 100644
index 0000000..a47e0cb
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lan20.network
@@ -0,0 +1,17 @@
+[Match]
+Name=lan20
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=185.38.175.65/26
+Address=2a01:4260:1ab:20::1/64
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
+
+[Route]
+Destination=2a01:4260:1ab::cafe/128
+Gateway=2a01:4260:1ab:20::5
diff --git a/roles/space_server/files/networkd/network/10-lo.network b/roles/space_server/files/networkd/network/10-lo.network
new file mode 100644
index 0000000..d97da93
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-lo.network
@@ -0,0 +1,6 @@
+[Match]
+Name=lo
+
+[Network]
+Address=185.38.175.0/32
+Address=2a01:4260:1ab::/128
diff --git a/roles/space_server/files/networkd/network/10-mgt.link b/roles/space_server/files/networkd/network/10-mgt.link
new file mode 100644
index 0000000..715f409
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-mgt.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:03:00.0
+
+[Link]
+Name=mgt
diff --git a/roles/space_server/files/networkd/network/10-mgt.network b/roles/space_server/files/networkd/network/10-mgt.network
new file mode 100644
index 0000000..9da626e
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-mgt.network
@@ -0,0 +1,19 @@
+[Match]
+Name=mgt
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=192.168.112.1/24
+#IPForward=ipv4
+DHCPServer=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[DHCPServer]
+DNS=192.168.112.1
+EmitDNS=yes
+EmitNTP=no
+EmitTimezone=yes
diff --git a/roles/space_server/files/networkd/network/10-wan.link b/roles/space_server/files/networkd/network/10-wan.link
new file mode 100644
index 0000000..47a7270
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-wan.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:01:00.0
+
+[Link]
+Name=wan
diff --git a/roles/space_server/files/networkd/network/10-wan.network b/roles/space_server/files/networkd/network/10-wan.network
new file mode 100644
index 0000000..4634150
--- /dev/null
+++ b/roles/space_server/files/networkd/network/10-wan.network
@@ -0,0 +1,15 @@
+[Match]
+Name=wan
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=193.106.167.46/29
+Gateway=193.106.167.42
+Address=2a03:5440:1:2935:1ab::3/120
+Gateway=2a03:5440:1:2935:1ab::2
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
diff --git a/roles/space_server/files/networkd/systemd-networkd-wait-online.service b/roles/space_server/files/networkd/systemd-networkd-wait-online.service
new file mode 100644
index 0000000..0f1e85a
--- /dev/null
+++ b/roles/space_server/files/networkd/systemd-networkd-wait-online.service
@@ -0,0 +1,23 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Wait for Network to be Configured
+Documentation=man:systemd-networkd-wait-online.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+Requisite=systemd-networkd.service
+After=systemd-networkd.service
+Before=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore lan --ignore mgt
+RemainAfterExit=yes
+
+[Install]
+WantedBy=network-online.target
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
new file mode 100755
index 0000000..c9dc9d7
--- /dev/null
+++ b/roles/space_server/files/nftables/nftables.conf
@@ -0,0 +1,248 @@
+#!/usr/sbin/nft -f
+
+# our hosts
+define ap1 = 10.42.0.5
+define ap2 = 10.42.0.6
+define labitat = 185.38.172.72
+
+define spacewand4 = 185.38.175.70
+define spacewand6 = 2a01:4260:1ab::cafe
+
+# internal stuff
+define ext_if = wan
+define ext_ip4 = 185.38.175.0
+define ext_ip6 = 2a01:4260:1ab::
+define int_net4 = 10.42.0.0/16
+define ext_net4 = 185.38.175.0/24
+define ext_net6 = 2a01:4260:1ab::/48
+define link_net4 = 193.106.167.40/29
+define link_net6 = 2a03:5440:1:2935:1ab::/120
+
+define adm_if = lan10
+define adm_ip4 = 10.42.0.1
+define adm_net4 = 10.42.0.0/24
+
+define wire_if = lan11
+define wire_ip4 = 10.42.1.1
+define wire_net4 = 10.42.1.0/24
+define wire_net6 = 2a01:4260:1ab:b::/64
+
+define priv_if = lan12
+define priv_ip4 = 10.42.2.1
+define priv_net4 = 10.42.2.0/24
+define priv_net6 = 2a01:4260:1ab:c::/64
+
+define free_if = lan13
+define free_ip4 = 10.42.3.1
+define free_net4 = 10.42.3.0/24
+
+define pass_if = lan14
+define pass_ip4 = 10.42.4.1
+define pass_net4 = 10.42.4.0/24
+define pass_net6 = 2a01:4260:1ab:e::/64
+
+define serv_if = lan20
+define serv_ip4 = 185.38.175.65
+define serv_net4 = 185.38.175.64/24
+define serv_net6 = 2a01:4260:1ab:20::/64
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
+#define nat64_if = nat64
+#define nat64_net = 10.42.255.0/24
+#define nat64_net6 = fde2:52b4:4a19:ffff::/96
+
+table ip filter {
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip protocol icmp limit rate 100/second accept
+ ip protocol icmp drop
+
+ iif lo accept
+
+ # infrastructure
+ iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+ udp sport bootpc udp dport bootps iif != $ext_if counter accept # DHCP requests
+ iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept # RADIUS from AP
+ iif $ext_if ip saddr $labitat ip protocol 41 accept # IPv6 tunnel
+ iif $wire_if ip saddr $wire_net4 udp dport 69 accept # TFTP
+ iif $wire_if ip saddr $wire_net4 udp dport 123 accept # NTP
+
+ # allow ssh
+ tcp dport 22 accept
+
+ # dns
+ ip saddr $int_net4 tcp dport 53 accept
+ ip saddr $int_net4 udp dport 53 accept
+ ip saddr $ext_net4 tcp dport 53 accept
+ ip saddr $ext_net4 udp dport 53 accept
+
+ # Avahi
+ ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
+ ip protocol igmp iif $avahi_ifs accept # Allow IGMP here
+
+ iif $ext_if counter drop
+ udp dport { 137, 138, 5353 } drop # NetBIOS, Avahi
+ udp sport 17500 udp dport 17500 drop # Dropbox LANsync
+ ip protocol igmp drop # IGMP
+ #counter log prefix "in4: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip protocol icmp limit rate 100/second accept
+ ip protocol icmp drop
+
+ ip daddr $spacewand4 accept
+
+ ip saddr $labitat udp dport 161 counter accept # traffic stats
+
+ # no traffic to admin net
+ ip saddr $int_net4 ip daddr $adm_net4 drop
+
+ # local traffic
+ iif $adm_if ip saddr $adm_net4 accept
+ iif $wire_if ip saddr $wire_net4 accept
+ iif $priv_if ip saddr $priv_net4 accept
+ iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
+ iif $pass_if ip saddr $pass_net4 accept
+ iif $serv_if ip saddr $serv_net4 accept
+
+ #counter log prefix "fw4: " drop
+ drop
+ }
+}
+
+table ip nat {
+ chain portforward {
+ ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority -150;
+ goto portforward
+ }
+
+ chain output {
+ type nat hook output priority -150;
+ goto portforward
+ }
+
+ chain input {
+ type nat hook input priority -150;
+ # this chain is needed to make dnat from the output chain work
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority -150;
+ oif $ext_if snat $ext_ip4
+ }
+}
+
+table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr icmpv6 limit rate 100/second accept
+ ip6 nexthdr icmpv6 drop
+
+ iif lo accept
+
+ iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
+
+ # allow ssh
+ tcp dport 22 accept
+
+ # dns
+ ip6 saddr $ext_net6 tcp dport 53 accept
+ ip6 saddr $ext_net6 udp dport 53 accept
+
+ #counter log prefix "in6: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr icmpv6 limit rate 100/second accept
+ ip6 nexthdr icmpv6 drop
+
+ ip6 daddr $spacewand6 accept
+
+ iif $wire_if ip6 saddr $wire_net6 accept
+ iif $priv_if ip6 saddr $priv_net6 accept
+ iif $pass_if ip6 saddr $pass_net6 accept
+ iif $serv_if ip6 saddr $serv_net6 accept
+
+ #counter log prefix "fw6: " drop
+ drop
+ }
+}
+
+# Allow all by default
+# (couldn't get default-deny to work, and this script is better than nothing)
+
+#table ip6 filter {
+# chain input {
+# type filter hook input priority 0;
+# # Don't allow ULA net on outside
+# #ip6tables -A INPUT -j REJECT -i $ext_if6 -d $ula_net
+# iif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A INPUT -j REJECT -i $ext_if6 -s $ula_net
+# iif $ext_if6 ip6 saddr $ula_net reject
+#
+# accept
+# }
+#
+# chain output {
+# type filter hook output priority 0;
+# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -d $ula_net
+# oif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A OUTPUT -j REJECT -o $ext_if6 -s $ula_net
+# oif $ext_if6 ip6 saddr $ula_net reject
+#
+# accept
+# }
+#
+# chain forward {
+# type filter hook forward priority 0;
+# # Don't allow NAT64 for networks with IPv4
+# # (remember: free and admin don't have IPv6)
+# #ip6tables -A FORWARD -j REJECT -i $wire_if -d $nat64_net6
+# iif $wire_if ip6 daddr $nat64_net6 reject
+# #ip6tables -A FORWARD -j REJECT -i $priv_if -d $nat64_net6
+# iif $priv_if ip6 daddr $nat64_net6 reject
+# #ip6tables -A FORWARD -j REJECT -i $pass_if -d $nat64_net6
+# iif $pass_if ip6 daddr $nat64_net6 reject
+#
+# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -d $ula_net
+# iif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A FORWARD -j REJECT -i $ext_if6 -s $ula_net
+# iif $ext_if6 ip6 saddr $ula_net reject
+# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -d $ula_net
+# oif $ext_if6 ip6 daddr $ula_net reject
+# #ip6tables -A FORWARD -j REJECT -o $ext_if6 -s $ula_net
+# oif $ext_if6 ip6 saddr $ula_net reject
+#
+# accept
+# }
+#}
diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service
new file mode 100644
index 0000000..f1c9028
--- /dev/null
+++ b/roles/space_server/files/nftables/nftables.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Requires=sys-devices-virtual-net-lan10.device
+Requires=sys-devices-virtual-net-lan11.device
+Requires=sys-devices-virtual-net-lan12.device
+Requires=sys-devices-virtual-net-lan13.device
+Requires=sys-devices-virtual-net-lan14.device
+Requires=sys-devices-virtual-net-lan15.device
+Requires=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-lan10.device
+After=sys-devices-virtual-net-lan11.device
+After=sys-devices-virtual-net-lan12.device
+After=sys-devices-virtual-net-lan13.device
+After=sys-devices-virtual-net-lan14.device
+After=sys-devices-virtual-net-lan15.device
+After=sys-devices-virtual-net-lan20.device
+Before=network-online.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
+ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
+ExecStop=/sbin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
new file mode 100644
index 0000000..145191c
--- /dev/null
+++ b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
Binary files differ
diff --git a/roles/space_server/files/radius/getusers.service b/roles/space_server/files/radius/getusers.service
new file mode 100644
index 0000000..7ac5082
--- /dev/null
+++ b/roles/space_server/files/radius/getusers.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Download radius users
+
+[Service]
+Type=oneshot
+ExecStart=/etc/raddb/getusers.sh
+User=root
+Group=radiusd
+ProtectSystem=yes
+ProtectHome=yes
diff --git a/roles/space_server/files/radius/getusers.timer b/roles/space_server/files/radius/getusers.timer
new file mode 100644
index 0000000..9ef4eb3
--- /dev/null
+++ b/roles/space_server/files/radius/getusers.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Download radius users every 10 minutes
+
+[Timer]
+Unit=getusers.service
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=10min
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
new file mode 100644
index 0000000..87593b0
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/eap
@@ -0,0 +1,883 @@
+# -*- text -*-
+##
+## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
+##
+## $Id: 2621e183c3d9eafacb03bbea57a4a1fb71bf0383 $
+
+#######################################################################
+#
+# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
+# is smart enough to figure this out on its own. The most
+# common side effect of setting 'Auth-Type := EAP' is that the
+# users then cannot use ANY other authentication method.
+#
+eap {
+ # Invoke the default supported EAP type when
+ # EAP-Identity response is received.
+ #
+ # The incoming EAP messages DO NOT specify which EAP
+ # type they will be using, so it MUST be set here.
+ #
+ # For now, only one default EAP type may be used at a time.
+ #
+ # If the EAP-Type attribute is set by another module,
+ # then that EAP type takes precedence over the
+ # default type configured here.
+ #
+ default_eap_type = ttls
+
+ # A list is maintained to correlate EAP-Response
+ # packets with EAP-Request packets. After a
+ # configurable length of time, entries in the list
+ # expire, and are deleted.
+ #
+ timer_expire = 60
+
+ # There are many EAP types, but the server has support
+ # for only a limited subset. If the server receives
+ # a request for an EAP type it does not support, then
+ # it normally rejects the request. By setting this
+ # configuration to "yes", you can tell the server to
+ # instead keep processing the request. Another module
+ # MUST then be configured to proxy the request to
+ # another RADIUS server which supports that EAP type.
+ #
+ # If another module is NOT configured to handle the
+ # request, then the request will still end up being
+ # rejected.
+ ignore_unknown_eap_types = no
+
+ # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
+ # a User-Name attribute in an Access-Accept, it copies one
+ # more byte than it should.
+ #
+ # We can work around it by configurably adding an extra
+ # zero byte.
+ cisco_accounting_username_bug = no
+
+ #
+ # Help prevent DoS attacks by limiting the number of
+ # sessions that the server is tracking. For simplicity,
+ # this is taken from the "max_requests" directive in
+ # radiusd.conf.
+ max_sessions = ${max_requests}
+
+ # Supported EAP-types
+
+ #
+ # We do NOT recommend using EAP-MD5 authentication
+ # for wireless connections. It is insecure, and does
+ # not provide for dynamic WEP keys.
+ #
+ md5 {
+ }
+
+ #
+ # EAP-pwd -- secure password-based authentication
+ #
+# pwd {
+# group = 19
+
+ #
+# server_id = theserver@example.com
+
+ # This has the same meaning as for TLS.
+# fragment_size = 1020
+
+ # The virtual server which determines the
+ # "known good" password for the user.
+ # Note that unlike TLS, only the "authorize"
+ # section is processed. EAP-PWD requests can be
+ # distinguished by having a User-Name, but
+ # no User-Password, CHAP-Password, EAP-Message, etc.
+# virtual_server = "inner-tunnel"
+# }
+
+ # Cisco LEAP
+ #
+ # We do not recommend using LEAP in new deployments. See:
+ # http://www.securiteam.com/tools/5TP012ACKE.html
+ #
+ # Cisco LEAP uses the MS-CHAP algorithm (but not
+ # the MS-CHAP attributes) to perform it's authentication.
+ #
+ # As a result, LEAP *requires* access to the plain-text
+ # User-Password, or the NT-Password attributes.
+ # 'System' authentication is impossible with LEAP.
+ #
+ leap {
+ }
+
+ # Generic Token Card.
+ #
+ # Currently, this is only permitted inside of EAP-TTLS,
+ # or EAP-PEAP. The module "challenges" the user with
+ # text, and the response from the user is taken to be
+ # the User-Password.
+ #
+ # Proxying the tunneled EAP-GTC session is a bad idea,
+ # the users password will go over the wire in plain-text,
+ # for anyone to see.
+ #
+ gtc {
+ # The default challenge, which many clients
+ # ignore..
+ #challenge = "Password: "
+
+ # The plain-text response which comes back
+ # is put into a User-Password attribute,
+ # and passed to another module for
+ # authentication. This allows the EAP-GTC
+ # response to be checked against plain-text,
+ # or crypt'd passwords.
+ #
+ # If you say "Local" instead of "PAP", then
+ # the module will look for a User-Password
+ # configured for the request, and do the
+ # authentication itself.
+ #
+ auth_type = PAP
+ }
+
+ ## Common TLS configuration for TLS-based EAP types
+ #
+ # See raddb/certs/README for additional comments
+ # on certificates.
+ #
+ # If OpenSSL was not found at the time the server was
+ # built, the "tls", "ttls", and "peap" sections will
+ # be ignored.
+ #
+ # If you do not currently have certificates signed by
+ # a trusted CA you may use the 'snakeoil' certificates.
+ # Included with the server in raddb/certs.
+ #
+ # If these certificates have not been auto-generated:
+ # cd raddb/certs
+ # make
+ #
+ # These test certificates SHOULD NOT be used in a normal
+ # deployment. They are created only to make it easier
+ # to install the server, and to perform some simple
+ # tests with EAP-TLS, TTLS, or PEAP.
+ #
+ # See also:
+ #
+ # http://www.dslreports.com/forum/remark,9286052~mode=flat
+ #
+ # Note that you should NOT use a globally known CA here!
+ # e.g. using a Verisign cert as a "known CA" means that
+ # ANYONE who has a certificate signed by them can
+ # authenticate via EAP-TLS! This is likely not what you want.
+ tls-config tls-common {
+ private_key_password = whatever
+ private_key_file = ${certdir}/server.pem
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+ # certificate_file must contain the same file
+ # name.
+ #
+ # If ca_file (below) is not used, then the
+ # certificate_file below MUST include not
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+ certificate_file = ${certdir}/server.pem
+
+ # Trusted Root CA list
+ #
+ # ALL of the CA's in this list will be trusted
+ # to issue client certificates for authentication.
+ #
+ # In general, you should use self-signed
+ # certificates for 802.1x (EAP) authentication.
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+ ca_file = ${cadir}/ca.pem
+
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+ # it sometimes gets the chains right from a certificate
+ # signature view, but wrong from the clients view.
+ #
+ # When setting "auto_chain = no", the server certificate
+ # file MUST include the full certificate chain.
+ # auto_chain = yes
+
+ #
+ # If OpenSSL supports TLS-PSK, then we can use
+ # a PSK identity and (hex) password. When the
+ # following two configuration items are specified,
+ # then certificate-based configuration items are
+ # not allowed. e.g.:
+ #
+ # private_key_password
+ # private_key_file
+ # certificate_file
+ # ca_file
+ # ca_path
+ #
+ # For now, the identity is fixed, and must be the
+ # same on the client. The passphrase must be a hex
+ # value, and can be up to 256 hex digits.
+ #
+ # Future versions of the server may be able to
+ # look up the shared key (hexphrase) based on the
+ # identity.
+ #
+ # psk_identity = "test"
+ # psk_hexphrase = "036363823"
+
+ #
+ # For DH cipher suites to work, you have to
+ # run OpenSSL to create the DH file first:
+ #
+ # openssl dhparam -out certs/dh 2048
+ #
+ dh_file = ${certdir}/dh
+
+ #
+ # If your system doesn't have /dev/urandom,
+ # you will need to create this file, and
+ # periodically change its contents.
+ #
+ # For security reasons, FreeRADIUS doesn't
+ # write to files in its configuration
+ # directory.
+ #
+ # random_file = /dev/urandom
+
+ #
+ # This can never exceed the size of a RADIUS
+ # packet (4096 bytes), and is preferably half
+ # that, to accommodate other attributes in
+ # RADIUS packet. On most APs the MAX packet
+ # length is configured between 1500 - 1600
+ # In these cases, fragment size should be
+ # 1024 or less.
+ #
+ # fragment_size = 1024
+
+ # include_length is a flag which is
+ # by default set to yes If set to
+ # yes, Total Length of the message is
+ # included in EVERY packet we send.
+ # If set to no, Total Length of the
+ # message is included ONLY in the
+ # First packet of a fragment series.
+ #
+ # include_length = yes
+
+
+ # Check the Certificate Revocation List
+ #
+ # 1) Copy CA certificates and CRLs to same directory.
+ # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+ # 'c_rehash' is OpenSSL's command.
+ # 3) uncomment the lines below.
+ # 5) Restart radiusd
+ # check_crl = yes
+
+ # Check if intermediate CAs have been revoked.
+ # check_all_crl = yes
+
+ ca_path = ${cadir}
+
+ #
+ # If check_cert_issuer is set, the value will
+ # be checked against the DN of the issuer in
+ # the client certificate. If the values do not
+ # match, the certificate verification will fail,
+ # rejecting the user.
+ #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-Issuer attribute. This check
+ # can be done via any mechanism you choose.
+ #
+ # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+
+ #
+ # If check_cert_cn is set, the value will
+ # be xlat'ed and checked against the CN
+ # in the client certificate. If the values
+ # do not match, the certificate verification
+ # will fail rejecting the user.
+ #
+ # This check is done only if the previous
+ # "check_cert_issuer" is not set, or if
+ # the check succeeds.
+ #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-CN attribute. This check
+ # can be done via any mechanism you choose.
+ #
+ # check_cert_cn = %{User-Name}
+ #
+ # Set this option to specify the allowed
+ # TLS cipher suites. The format is listed
+ # in "man 1 ciphers".
+ #
+ # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ #
+ cipher_list = "PROFILE=SYSTEM"
+
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+ # for choosing right cipher suite rather than
+ # using client-specified list which is OpenSSl default
+ # behavior. Having it set to yes is a current best practice
+ # for TLS
+ cipher_server_preference = no
+
+ # Work-arounds for OpenSSL nonsense
+ # OpenSSL 1.0.1f and 1.0.1g do not calculate
+ # the EAP keys correctly. The fix is to upgrade
+ # OpenSSL, or disable TLS 1.2 here.
+ #
+ # For EAP-FAST, this MUST be set to "yes".
+ #
+# disable_tlsv1_2 = no
+
+ #
+
+ #
+ # Elliptical cryptography configuration
+ #
+ # Only for OpenSSL >= 0.9.8.f
+ #
+ ecdh_curve = "prime256v1"
+
+ #
+ # Session resumption / fast reauthentication
+ # cache.
+ #
+ # The cache contains the following information:
+ #
+ # session Id - unique identifier, managed by SSL
+ # User-Name - from the Access-Accept
+ # Stripped-User-Name - from the Access-Request
+ # Cached-Session-Policy - from the Access-Accept
+ #
+ # The "Cached-Session-Policy" is the name of a
+ # policy which should be applied to the cached
+ # session. This policy can be used to assign
+ # VLANs, IP addresses, etc. It serves as a useful
+ # way to re-apply the policy from the original
+ # Access-Accept to the subsequent Access-Accept
+ # for the cached session.
+ #
+ # On session resumption, these attributes are
+ # copied from the cache, and placed into the
+ # reply list.
+ #
+ # You probably also want "use_tunneled_reply = yes"
+ # when using fast session resumption.
+ #
+ cache {
+ #
+ # Enable it. The default is "no". Deleting the entire "cache"
+ # subsection also disables caching.
+ #
+ # As of version 3.0.14, the session cache requires the use
+ # of the "name" and "persist_dir" configuration items, below.
+ #
+ # The internal OpenSSL session cache has been permanently
+ # disabled.
+ #
+ # You can disallow resumption for a particular user by adding the
+ # following attribute to the control item list:
+ #
+ # Allow-Session-Resumption = No
+ #
+ # If "enable = no" below, you CANNOT enable resumption for just one
+ # user by setting the above attribute to "yes".
+ #
+ enable = no
+
+ #
+ # Lifetime of the cached entries, in hours. The sessions will be
+ # deleted/invalidated after this time.
+ #
+ lifetime = 24 # hours
+
+ #
+ # Internal "name" of the session cache. Used to
+ # distinguish which TLS context sessions belong to.
+ #
+ # The server will generate a random value if unset.
+ # This will change across server restart so you MUST
+ # set the "name" if you want to persist sessions (see
+ # below).
+ #
+ #name = "EAP module"
+
+ #
+ # Simple directory-based storage of sessions.
+ # Two files per session will be written, the SSL
+ # state and the cached VPs. This will persist session
+ # across server restarts.
+ #
+ # The default directory is ${logdir}, for historical
+ # reasons. You should ${db_dir} instead. And check
+ # the value of db_dir in the main radiusd.conf file.
+ # It should not point to ${raddb}
+ #
+ # The server will need write perms, and the directory
+ # should be secured from anyone else. You might want
+ # a script to remove old files from here periodically:
+ #
+ # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+ #
+ # This feature REQUIRES "name" option be set above.
+ #
+ #persist_dir = "${logdir}/tlscache"
+ }
+
+ #
+ # As of version 2.1.10, client certificates can be
+ # validated via an external command. This allows
+ # dynamic CRLs or OCSP to be used.
+ #
+ # This configuration is commented out in the
+ # default configuration. Uncomment it, and configure
+ # the correct paths below to enable it.
+ #
+ # If OCSP checking is enabled, and the OCSP checks fail,
+ # the verify section is not run.
+ #
+ # If OCSP checking is disabled, the verify section is
+ # run on successful certificate validation.
+ #
+ verify {
+ # If the OCSP checks succeed, the verify section
+ # is run to allow additional checks.
+ #
+ # If you want to skip verify on OCSP success,
+ # uncomment this configuration item, and set it
+ # to "yes".
+ # skip_if_ocsp_ok = no
+
+ # A temporary directory where the client
+ # certificates are stored. This directory
+ # MUST be owned by the UID of the server,
+ # and MUST not be accessible by any other
+ # users. When the server starts, it will do
+ # "chmod go-rwx" on the directory, for
+ # security reasons. The directory MUST
+ # exist when the server starts.
+ #
+ # You should also delete all of the files
+ # in the directory when the server starts.
+ # tmpdir = /var/run/radiusd/tmp
+
+ # The command used to verify the client cert.
+ # We recommend using the OpenSSL command-line
+ # tool.
+ #
+ # The ${..ca_path} text is a reference to
+ # the ca_path variable defined above.
+ #
+ # The %{TLS-Client-Cert-Filename} is the name
+ # of the temporary file containing the cert
+ # in PEM format. This file is automatically
+ # deleted by the server when the command
+ # returns.
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ }
+
+ #
+ # OCSP Configuration
+ # Certificates can be verified against an OCSP
+ # Responder. This makes it possible to immediately
+ # revoke certificates without the distribution of
+ # new Certificate Revocation Lists (CRLs).
+ #
+ ocsp {
+ #
+ # Enable it. The default is "no".
+ # Deleting the entire "ocsp" subsection
+ # also disables ocsp checking
+ #
+ enable = no
+
+ #
+ # The OCSP Responder URL can be automatically
+ # extracted from the certificate in question.
+ # To override the OCSP Responder URL set
+ # "override_cert_url = yes".
+ #
+ override_cert_url = yes
+
+ #
+ # If the OCSP Responder address is not extracted from
+ # the certificate, the URL can be defined here.
+ #
+ url = "http://127.0.0.1/ocsp/"
+
+ #
+ # If the OCSP Responder can not cope with nonce
+ # in the request, then it can be disabled here.
+ #
+ # For security reasons, disabling this option
+ # is not recommended as nonce protects against
+ # replay attacks.
+ #
+ # Note that Microsoft AD Certificate Services OCSP
+ # Responder does not enable nonce by default. It is
+ # more secure to enable nonce on the responder than
+ # to disable it in the query here.
+ # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+ #
+ # use_nonce = yes
+
+ #
+ # Number of seconds before giving up waiting
+ # for OCSP response. 0 uses system default.
+ #
+ # timeout = 0
+
+ #
+ # Normally an error in querying the OCSP
+ # responder (no response from server, server did
+ # not understand the request, etc) will result in
+ # a validation failure.
+ #
+ # To treat these errors as 'soft' failures and
+ # still accept the certificate, enable this
+ # option.
+ #
+ # Warning: this may enable clients with revoked
+ # certificates to connect if the OCSP responder
+ # is not available. Use with caution.
+ #
+ # softfail = no
+ }
+ }
+
+ ## EAP-TLS
+ #
+ # As of Version 3.0, the TLS configuration for TLS-based
+ # EAP types is above in the "tls-config" section.
+ #
+ tls {
+ # Point to the common TLS configuration
+ tls = tls-common
+
+ #
+ # As part of checking a client certificate, the EAP-TLS
+ # sets some attributes such as TLS-Client-Cert-CN. This
+ # virtual server has access to these attributes, and can
+ # be used to accept or reject the request.
+ #
+ # virtual_server = check-eap-tls
+ }
+
+
+ ## EAP-TTLS
+ #
+ # The TTLS module implements the EAP-TTLS protocol,
+ # which can be described as EAP inside of Diameter,
+ # inside of TLS, inside of EAP, inside of RADIUS...
+ #
+ # Surprisingly, it works quite well.
+ #
+ ttls {
+ # Which tls-config section the TLS negotiation parameters
+ # are in - see EAP-TLS above for an explanation.
+ #
+ # In the case that an old configuration from FreeRADIUS
+ # v2.x is being used, all the options of the tls-config
+ # section may also appear instead in the 'tls' section
+ # above. If that is done, the tls= option here (and in
+ # tls above) MUST be commented out.
+ #
+ tls = tls-common
+
+ # The tunneled EAP session needs a default EAP type
+ # which is separate from the one for the non-tunneled
+ # EAP module. Inside of the TTLS tunnel, we recommend
+ # using EAP-MD5. If the request does not contain an
+ # EAP conversation, then this configuration entry is
+ # ignored.
+ #
+ default_eap_type = md5
+
+ # The tunneled authentication request does not usually
+ # contain useful attributes like 'Calling-Station-Id',
+ # etc. These attributes are outside of the tunnel,
+ # and normally unavailable to the tunneled
+ # authentication request.
+ #
+ # By setting this configuration entry to 'yes',
+ # any attribute which is NOT in the tunneled
+ # authentication request, but which IS available
+ # outside of the tunnel, is copied to the tunneled
+ # request.
+ #
+ # allowed values: {no, yes}
+ #
+ copy_request_to_tunnel = no
+
+ #
+ # As of version 3.0.5, this configuration item
+ # is deprecated. Instead, you should use
+ #
+ # update outer.session-state {
+ # ...
+ #
+ # }
+ #
+ # This will cache attributes for the final Access-Accept.
+ #
+ # The reply attributes sent to the NAS are usually
+ # based on the name of the user 'outside' of the
+ # tunnel (usually 'anonymous'). If you want to send
+ # the reply attributes based on the user name inside
+ # of the tunnel, then set this configuration entry to
+ # 'yes', and the reply to the NAS will be taken from
+ # the reply to the tunneled request.
+ #
+ # allowed values: {no, yes}
+ #
+ use_tunneled_reply = no
+
+ #
+ # The inner tunneled request can be sent
+ # through a virtual server constructed
+ # specifically for this purpose.
+ #
+ # If this entry is commented out, the inner
+ # tunneled request will be sent through
+ # the virtual server that processed the
+ # outer requests.
+ #
+ virtual_server = "inner-tunnel"
+
+ # This has the same meaning, and overwrites, the
+ # same field in the "tls" configuration, above.
+ # The default value here is "yes".
+ #
+ # include_length = yes
+
+ #
+ # Unlike EAP-TLS, EAP-TTLS does not require a client
+ # certificate. However, you can require one by setting the
+ # following option. You can also override this option by
+ # setting
+ #
+ # EAP-TLS-Require-Client-Cert = Yes
+ #
+ # in the control items for a request.
+ #
+ # require_client_cert = yes
+ }
+
+
+ ## EAP-PEAP
+ #
+
+ ##################################################
+ #
+ # !!!!! WARNINGS for Windows compatibility !!!!!
+ #
+ ##################################################
+ #
+ # If you see the server send an Access-Challenge,
+ # and the client never sends another Access-Request,
+ # then
+ #
+ # STOP!
+ #
+ # The server certificate has to have special OID's
+ # in it, or else the Microsoft clients will silently
+ # fail. See the "scripts/xpextensions" file for
+ # details, and the following page:
+ #
+ # http://support.microsoft.com/kb/814394/en-us
+ #
+ # For additional Windows XP SP2 issues, see:
+ #
+ # http://support.microsoft.com/kb/885453/en-us
+ #
+ #
+ # If is still doesn't work, and you're using Samba,
+ # you may be encountering a Samba bug. See:
+ #
+ # https://bugzilla.samba.org/show_bug.cgi?id=6563
+ #
+ # Note that we do not necessarily agree with their
+ # explanation... but the fix does appear to work.
+ #
+ ##################################################
+
+ #
+ # The tunneled EAP session needs a default EAP type
+ # which is separate from the one for the non-tunneled
+ # EAP module. Inside of the TLS/PEAP tunnel, we
+ # recommend using EAP-MS-CHAPv2.
+ #
+ peap {
+ # Which tls-config section the TLS negotiation parameters
+ # are in - see EAP-TLS above for an explanation.
+ #
+ # In the case that an old configuration from FreeRADIUS
+ # v2.x is being used, all the options of the tls-config
+ # section may also appear instead in the 'tls' section
+ # above. If that is done, the tls= option here (and in
+ # tls above) MUST be commented out.
+ #
+ tls = tls-common
+
+ # The tunneled EAP session needs a default
+ # EAP type which is separate from the one for
+ # the non-tunneled EAP module. Inside of the
+ # PEAP tunnel, we recommend using MS-CHAPv2,
+ # as that is the default type supported by
+ # Windows clients.
+ #
+ default_eap_type = mschapv2
+
+ # The PEAP module also has these configuration
+ # items, which are the same as for TTLS.
+ #
+ copy_request_to_tunnel = no
+
+ #
+ # As of version 3.0.5, this configuration item
+ # is deprecated. Instead, you should use
+ #
+ # update outer.session-state {
+ # ...
+ #
+ # }
+ #
+ # This will cache attributes for the final Access-Accept.
+ #
+ use_tunneled_reply = no
+
+ # When the tunneled session is proxied, the
+ # home server may not understand EAP-MSCHAP-V2.
+ # Set this entry to "no" to proxy the tunneled
+ # EAP-MSCHAP-V2 as normal MSCHAPv2.
+ #
+ # proxy_tunneled_request_as_eap = yes
+
+ #
+ # The inner tunneled request can be sent
+ # through a virtual server constructed
+ # specifically for this purpose.
+ #
+ # If this entry is commented out, the inner
+ # tunneled request will be sent through
+ # the virtual server that processed the
+ # outer requests.
+ #
+ virtual_server = "inner-tunnel"
+
+ # This option enables support for MS-SoH
+ # see doc/SoH.txt for more info.
+ # It is disabled by default.
+ #
+ # soh = yes
+
+ #
+ # The SoH reply will be turned into a request which
+ # can be sent to a specific virtual server:
+ #
+ # soh_virtual_server = "soh-server"
+
+ #
+ # Unlike EAP-TLS, PEAP does not require a client certificate.
+ # However, you can require one by setting the following
+ # option. You can also override this option by setting
+ #
+ # EAP-TLS-Require-Client-Cert = Yes
+ #
+ # in the control items for a request.
+ #
+ # require_client_cert = yes
+ }
+
+ #
+ # This takes no configuration.
+ #
+ # Note that it is the EAP MS-CHAPv2 sub-module, not
+ # the main 'mschap' module.
+ #
+ # Note also that in order for this sub-module to work,
+ # the main 'mschap' module MUST ALSO be configured.
+ #
+ # This module is the *Microsoft* implementation of MS-CHAPv2
+ # in EAP. There is another (incompatible) implementation
+ # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+ # currently support.
+ #
+ mschapv2 {
+ # Prior to version 2.1.11, the module never
+ # sent the MS-CHAP-Error message to the
+ # client. This worked, but it had issues
+ # when the cached password was wrong. The
+ # server *should* send "E=691 R=0" to the
+ # client, which tells it to prompt the user
+ # for a new password.
+ #
+ # The default is to behave as in 2.1.10 and
+ # earlier, which is known to work. If you
+ # set "send_error = yes", then the error
+ # message will be sent back to the client.
+ # This *may* help some clients work better,
+ # but *may* also cause other clients to stop
+ # working.
+ #
+# send_error = no
+
+ # Server identifier to send back in the challenge.
+ # This should generally be the host name of the
+ # RADIUS server. Or, some information to uniquely
+ # identify it.
+# identity = "FreeRADIUS"
+ }
+
+ ## EAP-FAST
+ #
+ # The FAST module implements the EAP-FAST protocol
+ #
+# fast {
+ # Point to the common TLS configuration
+ #
+ # cipher_list though must include "ADH" for anonymous provisioning.
+ # This is not as straight forward as appending "ADH" alongside
+ # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+ #
+# tls = tls-common
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+# pac_lifetime = 604800
+
+ # Authority ID of the server
+ #
+ # if you are running a cluster of RADIUS servers, you should make
+ # the value chosen here (and for "pac_opaque_key") the same on all
+ # your RADIUS servers. This value should be unique to your
+ # installation. We suggest using a domain name.
+ #
+# authority_identity = "1234"
+
+ # PAC Opaque encryption key (must be exactly 32 bytes in size)
+ #
+ # This value MUST be secret, and MUST be generated using
+ # a secure method, such as via 'openssl rand -hex 32'
+ #
+# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+ # Same as for TTLS, PEAP, etc.
+ #
+# virtual_server = inner-tunnel
+# }
+}
diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf
new file mode 100644
index 0000000..78990e5
--- /dev/null
+++ b/roles/space_server/files/radius/radiusd.conf
@@ -0,0 +1,779 @@
+# -*- text -*-
+##
+## radiusd.conf -- FreeRADIUS server configuration file - 3.0.15
+##
+## http://www.freeradius.org/
+## $Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $
+##
+
+######################################################################
+#
+# Read "man radiusd" before editing this file. See the section
+# titled DEBUGGING. It outlines a method where you can quickly
+# obtain the configuration you want, without running into
+# trouble.
+#
+# Run the server in debugging mode, and READ the output.
+#
+# $ radiusd -X
+#
+# We cannot emphasize this point strongly enough. The vast
+# majority of problems can be solved by carefully reading the
+# debugging output, which includes warnings about common issues,
+# and suggestions for how they may be fixed.
+#
+# There may be a lot of output, but look carefully for words like:
+# "warning", "error", "reject", or "failure". The messages there
+# will usually be enough to guide you to a solution.
+#
+# If you are going to ask a question on the mailing list, then
+# explain what you are trying to do, and include the output from
+# debugging mode (radiusd -X). Failure to do so means that all
+# of the responses to your question will be people telling you
+# to "post the output of radiusd -X".
+
+######################################################################
+#
+# The location of other config files and logfiles are declared
+# in this file.
+#
+# Also general configuration for modules can be done in this
+# file, it is exported through the API to modules that ask for
+# it.
+#
+# See "man radiusd.conf" for documentation on the format of this
+# file. Note that the individual configuration items are NOT
+# documented in that "man" page. They are only documented here,
+# in the comments.
+#
+# The "unlang" policy language can be used to create complex
+# if / else policies. See "man unlang" for details.
+#
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = /usr/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+db_dir = ${localstatedir}/lib/radiusd
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+# This should be automatically set at configuration time.
+#
+# If the server builds and installs, but fails at execution time
+# with an 'undefined symbol' error, then you can use the libdir
+# directive to work around the problem.
+#
+# The cause is usually that a library has been installed on your
+# system in a place where the dynamic linker CANNOT find it. When
+# executing as root (or another user), your personal environment MAY
+# be set up to allow the dynamic linker to find the library. When
+# executing as a daemon, FreeRADIUS MAY NOT have the same
+# personalized configuration.
+#
+# To work around the problem, find out which library contains that symbol,
+# and add the directory containing that library to the end of 'libdir',
+# with a colon separating the directory names. NO spaces are allowed.
+#
+# e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+# You can also try setting the LD_LIBRARY_PATH environment variable
+# in a script which starts the server.
+#
+# If that does not work, then you can re-configure and re-build the
+# server to NOT use shared libraries, via:
+#
+# ./configure --disable-shared
+# make
+# make install
+#
+libdir = /usr/lib64/freeradius
+
+# pidfile: Where to place the PID of the RADIUS server.
+#
+# The server may be signalled while it's running by using this
+# file.
+#
+# This file is written when ONLY running in daemon mode.
+#
+# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+#
+# correct_escapes: use correct backslash escaping
+#
+# Prior to version 3.0.5, the handling of backslashes was a little
+# awkward, i.e. "wrong". In some cases, to get one backslash into
+# a regex, you had to put 4 in the config files.
+#
+# Version 3.0.5 fixes that. However, for backwards compatibility,
+# the new method of escaping is DISABLED BY DEFAULT. This means
+# that upgrading to 3.0.5 won't break your configuration.
+#
+# If you don't have double backslashes (i.e. \\) in your configuration,
+# this won't matter to you. If you do have them, fix that to use only
+# one backslash, and then set "correct_escapes = true".
+#
+# You can check for this by doing:
+#
+# $ grep '\\\\' $(find raddb -type f -print)
+#
+correct_escapes = true
+
+# panic_action: Command to execute if the server dies unexpectedly.
+#
+# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
+# PATTACH CAN BE USED AS AN ATTACK VECTOR.
+#
+# The panic action is a command which will be executed if the server
+# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+# SIGABRT or SIGFPE.
+#
+# This can be used to start an interactive debugging session so
+# that information regarding the current state of the server can
+# be acquired.
+#
+# The following string substitutions are available:
+# - %e The currently executing program e.g. /sbin/radiusd
+# - %p The PID of the currently executing program e.g. 12345
+#
+# Standard ${} substitutions are also allowed.
+#
+# An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+# Again, don't use that on a production system.
+#
+# An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
+#
+# That command can be used on a production system.
+#
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+#
+# Requests which take more time than this to process may be killed, and
+# a REJECT message is returned.
+#
+# WARNING: If you notice that requests take a long time to be handled,
+# then this MAY INDICATE a bug in the server, in one of the modules
+# used to handle a request, OR in your local configuration.
+#
+# This problem is most often seen when using an SQL database. If it takes
+# more than a second or two to receive an answer from the SQL database,
+# then it probably means that you haven't indexed the database. See your
+# SQL server documentation for more information.
+#
+# Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+# a reply which was sent to the NAS.
+#
+# The RADIUS request is normally cached internally for a short period
+# of time, after the reply is sent to the NAS. The reply packet may be
+# lost in the network, and the NAS will not see it. The NAS will then
+# re-send the request, and the server will respond quickly with the
+# cached reply.
+#
+# If this value is set too low, then duplicate requests from the NAS
+# MAY NOT be detected, and will instead be handled as separate requests.
+#
+# If this value is set too high, then the server will cache too many
+# requests, and some new requests may get blocked. (See 'max_requests'.)
+#
+# Useful range of values: 2 to 10
+#
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+# track of. This should be 256 multiplied by the number of clients.
+# e.g. With 4 clients, this number should be 1024.
+#
+# If this number is too low, then when the server becomes busy,
+# it will not respond to any new requests, until the 'cleanup_delay'
+# time has passed, and it has removed the old requests.
+#
+# If this number is set too high, then the server will use a bit more
+# memory for no real benefit.
+#
+# If you aren't sure what it should be set to, it's better to set it
+# too high than too low. Setting it to 1000 per client is probably
+# the highest it should be.
+#
+# Useful range of values: 256 to infinity
+#
+max_requests = 16384
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+# The default is 'off' because it would be overall better for the net
+# if people had to knowingly turn this feature on, since enabling it
+# means that each client request will result in AT LEAST one lookup
+# request to the nameserver. Enabling hostname_lookups will also
+# mean that your server may stop randomly for 30 seconds from time
+# to time, if the DNS requests take too long.
+#
+# Turning hostname lookups off also means that the server won't block
+# for 30 seconds, if it sees an IP address which has no name associated
+# with it.
+#
+# allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#
+# Logging section. The various "log_*" configuration items
+# will eventually be moved here.
+#
+log {
+ #
+ # Destination for log messages. This can be one of:
+ #
+ # files - log to "file", as defined below.
+ # syslog - to syslog (see also the "syslog_facility", below.
+ # stdout - standard output
+ # stderr - standard error.
+ #
+ # The command-line option "-X" over-rides this option, and forces
+ # logging to go to stdout.
+ #
+ destination = syslog
+
+ #
+ # Highlight important messages sent to stderr and stdout.
+ #
+ # Option will be ignored (disabled) if output if TERM is not
+ # an xterm or output is not to a TTY.
+ #
+ colourise = yes
+
+ #
+ # The logging messages for the server are appended to the
+ # tail of this file if destination == "files"
+ #
+ # If the server is running in debugging mode, this file is
+ # NOT used.
+ #
+ file = ${logdir}/radius.log
+
+ #
+ # Which syslog facility to use, if ${destination} == "syslog"
+ #
+ # The exact values permitted here are OS-dependent. You probably
+ # don't want to change this.
+ #
+ syslog_facility = daemon
+
+ # Log the full User-Name attribute, as it was found in the request.
+ #
+ # allowed values: {no, yes}
+ #
+ stripped_names = no
+
+ # Log authentication requests to the log file.
+ #
+ # allowed values: {no, yes}
+ #
+ auth = yes
+
+ # Log passwords with the authentication requests.
+ # auth_badpass - logs password if it's rejected
+ # auth_goodpass - logs password if it's correct
+ #
+ # allowed values: {no, yes}
+ #
+ auth_badpass = no
+ auth_goodpass = no
+
+ # Log additional text at the end of the "Login OK" messages.
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+ # configurations above have to be set to "yes".
+ #
+ # The strings below are dynamically expanded, which means that
+ # you can put anything you want in them. However, note that
+ # this expansion can be slow, and can negatively impact server
+ # performance.
+ #
+# msg_goodpass = ""
+# msg_badpass = ""
+
+ # The message when the user exceeds the Simultaneous-Use limit.
+ #
+ msg_denied = "You are already logged in - access denied"
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+#
+# There may be multiple methods of attacking on the server. This
+# section holds the configuration items which minimize the impact
+# of those attacks
+#
+security {
+ # chroot: directory where the server does "chroot".
+ #
+ # The chroot is done very early in the process of starting
+ # the server. After the chroot has been performed it
+ # switches to the "user" listed below (which MUST be
+ # specified). If "group" is specified, it switches to that
+ # group, too. Any other groups listed for the specified
+ # "user" in "/etc/group" are also added as part of this
+ # process.
+ #
+ # The current working directory (chdir / cd) is left
+ # *outside* of the chroot until all of the modules have been
+ # initialized. This allows the "raddb" directory to be left
+ # outside of the chroot. Once the modules have been
+ # initialized, it does a "chdir" to ${logdir}. This means
+ # that it should be impossible to break out of the chroot.
+ #
+ # If you are worried about security issues related to this
+ # use of chdir, then simply ensure that the "raddb" directory
+ # is inside of the chroot, end be sure to do "cd raddb"
+ # BEFORE starting the server.
+ #
+ # If the server is statically linked, then the only files
+ # that have to exist in the chroot are ${run_dir} and
+ # ${logdir}. If you do the "cd raddb" as discussed above,
+ # then the "raddb" directory has to be inside of the chroot
+ # directory, too.
+ #
+# chroot = /path/to/chroot/directory
+
+ # user/group: The name (or #number) of the user/group to run radiusd as.
+ #
+ # If these are commented out, the server will run as the
+ # user/group that started it. In order to change to a
+ # different user/group, you MUST be root ( or have root
+ # privileges ) to start the server.
+ #
+ # We STRONGLY recommend that you run the server with as few
+ # permissions as possible. That is, if you're not using
+ # shadow passwords, the user and group items below should be
+ # set to radius'.
+ #
+ # NOTE that some kernels refuse to setgid(group) when the
+ # value of (unsigned)group is above 60000; don't use group
+ # "nobody" on these systems!
+ #
+ # On systems with shadow passwords, you might have to set
+ # 'group = shadow' for the server to be able to read the
+ # shadow password file. If you can authenticate users while
+ # in debug mode, but not in daemon mode, it may be that the
+ # debugging mode server is running as a user that can read
+ # the shadow info, and the user listed below can not.
+ #
+ # The server will also try to use "initgroups" to read
+ # /etc/groups. It will join all groups where "user" is a
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+ user = radiusd
+ group = radiusd
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+ #
+ # allowed values: {no, yes}
+ #
+ allow_core_dumps = no
+
+ #
+ # max_attributes: The maximum number of attributes
+ # permitted in a RADIUS packet. Packets which have MORE
+ # than this number of attributes in them will be dropped.
+ #
+ # If this number is set too low, then no RADIUS packets
+ # will be accepted.
+ #
+ # If this number is set too high, then an attacker may be
+ # able to send a small number of packets which will cause
+ # the server to use all available memory on the machine.
+ #
+ # Setting this number to 0 means "allow any number of attributes"
+ max_attributes = 200
+
+ #
+ # reject_delay: When sending an Access-Reject, it can be
+ # delayed for a few seconds. This may help slow down a DoS
+ # attack. It also helps to slow down people trying to brute-force
+ # crack a users password.
+ #
+ # Setting this number to 0 means "send rejects immediately"
+ #
+ # If this number is set higher than 'cleanup_delay', then the
+ # rejects will be sent at 'cleanup_delay' time, when the request
+ # is deleted from the internal cache of requests.
+ #
+ # As of Version 3.0.5, "reject_delay" has sub-second resolution.
+ # e.g. "reject_delay = 1.4" seconds is possible.
+ #
+ # Useful ranges: 1 to 5
+ reject_delay = 1
+
+ #
+ # status_server: Whether or not the server will respond
+ # to Status-Server requests.
+ #
+ # When sent a Status-Server message, the server responds with
+ # an Access-Accept or Accounting-Response packet.
+ #
+ # This is mainly useful for administrators who want to "ping"
+ # the server, without adding test users, or creating fake
+ # accounting packets.
+ #
+ # It's also useful when a NAS marks a RADIUS server "dead".
+ # The NAS can periodically "ping" the server with a Status-Server
+ # packet. If the server responds, it must be alive, and the
+ # NAS can start using it for real requests.
+ #
+ # See also raddb/sites-available/status
+ #
+ status_server = yes
+
+
+}
+
+# PROXY CONFIGURATION
+#
+# proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+# The server has proxying turned on by default. If your system is NOT
+# set up to proxy requests to another server, then you can turn proxying
+# off here. This will save a small amount of resources on the server.
+#
+# If you have proxying turned off, and your configuration files say
+# to proxy a request, then an error message will be logged.
+#
+# To disable proxying, change the "yes" to "no", and comment the
+# $INCLUDE line.
+#
+# allowed values: {no, yes}
+#
+proxy_requests = no
+#$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+# Client configuration is defined in "clients.conf".
+#
+
+# The 'clients.conf' file contains all of the information from the old
+# 'clients' and 'naslist' configuration files. We recommend that you
+# do NOT use 'client's or 'naslist', although they are still
+# supported.
+#
+# Anything listed in 'clients.conf' will take precedence over the
+# information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+# The thread pool is a long-lived group of threads which
+# take turns (round-robin) handling any incoming requests.
+#
+# You probably want to have a few spare threads around,
+# so that high-load situations can be handled immediately. If you
+# don't have any spare threads, then the request handling will
+# be delayed while a new thread is created, and added to the pool.
+#
+# You probably don't want too many spare threads around,
+# otherwise they'll be sitting there taking up resources, and
+# not doing anything productive.
+#
+# The numbers given below should be adequate for most situations.
+#
+thread pool {
+ # Number of servers to start initially --- should be a reasonable
+ # ballpark figure.
+ start_servers = 5
+
+ # Limit on the total number of servers running.
+ #
+ # If this limit is ever reached, clients will be LOCKED OUT, so it
+ # should NOT BE SET TOO LOW. It is intended mainly as a brake to
+ # keep a runaway server from taking the system with it as it spirals
+ # down...
+ #
+ # You may find that the server is regularly reaching the
+ # 'max_servers' number of threads, and that increasing
+ # 'max_servers' doesn't seem to make much difference.
+ #
+ # If this is the case, then the problem is MOST LIKELY that
+ # your back-end databases are taking too long to respond, and
+ # are preventing the server from responding in a timely manner.
+ #
+ # The solution is NOT do keep increasing the 'max_servers'
+ # value, but instead to fix the underlying cause of the
+ # problem: slow database, or 'hostname_lookups=yes'.
+ #
+ # For more information, see 'max_request_time', above.
+ #
+ max_servers = 32
+
+ # Server-pool size regulation. Rather than making you guess
+ # how many servers you need, FreeRADIUS dynamically adapts to
+ # the load it sees, that is, it tries to maintain enough
+ # servers to handle the current load, plus a few spare
+ # servers to handle transient load spikes.
+ #
+ # It does this by periodically checking how many servers are
+ # waiting for a request. If there are fewer than
+ # min_spare_servers, it creates a new spare. If there are
+ # more than max_spare_servers, some of the spares die off.
+ # The default values are probably OK for most sites.
+ #
+ min_spare_servers = 3
+ max_spare_servers = 10
+
+ # When the server receives a packet, it places it onto an
+ # internal queue, where the worker threads (configured above)
+ # pick it up for processing. The maximum size of that queue
+ # is given here.
+ #
+ # When the queue is full, any new packets will be silently
+ # discarded.
+ #
+ # The most common cause of the queue being full is that the
+ # server is dependent on a slow database, and it has received
+ # a large "spike" of traffic. When that happens, there is
+ # very little you can do other than make sure the server
+ # receives less traffic, or make sure that the database can
+ # handle the load.
+ #
+# max_queue_size = 65536
+
+ # There may be memory leaks or resource allocation problems with
+ # the server. If so, set this value to 300 or so, so that the
+ # resources will be cleaned up periodically.
+ #
+ # This should only be necessary if there are serious bugs in the
+ # server which have not yet been fixed.
+ #
+ # '0' is a special value meaning 'infinity', or 'the servers never
+ # exit'
+ max_requests_per_server = 0
+
+ # Automatically limit the number of accounting requests.
+ # This configuration item tracks how many requests per second
+ # the server can handle. It does this by tracking the
+ # packets/s received by the server for processing, and
+ # comparing that to the packets/s handled by the child
+ # threads.
+ #
+
+ # If the received PPS is larger than the processed PPS, *and*
+ # the queue is more than half full, then new accounting
+ # requests are probabilistically discarded. This lowers the
+ # number of packets that the server needs to process. Over
+ # time, the server will "catch up" with the traffic.
+ #
+ # Throwing away accounting packets is usually safe and low
+ # impact. The NAS will retransmit them in a few seconds, or
+ # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
+ # to see how accounting packets should be retransmitted. Using
+ # any other method is likely to cause network meltdowns.
+ #
+ auto_limit_acct = no
+}
+
+######################################################################
+#
+# SNMP notifications. Uncomment the following line to enable
+# snmptraps. Note that you MUST also configure the full path
+# to the "snmptrap" command in the "trigger.conf" file.
+#
+#$INCLUDE trigger.conf
+
+# MODULE CONFIGURATION
+#
+# The names and configuration of each module is located in this section.
+#
+# After the modules are defined here, they may be referred to by name,
+# in other sections of this configuration file.
+#
+modules {
+ #
+ # Each module has a configuration as follows:
+ #
+ # name [ instance ] {
+ # config_item = value
+ # ...
+ # }
+ #
+ # The 'name' is used to load the 'rlm_name' library
+ # which implements the functionality of the module.
+ #
+ # The 'instance' is optional. To have two different instances
+ # of a module, it first must be referred to by 'name'.
+ # The different copies of the module are then created by
+ # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+ #
+ # The instance names can then be used in later configuration
+ # INSTEAD of the original 'name'. See the 'radutmp' configuration
+ # for an example.
+ #
+
+ #
+ # As of 3.0, modules are in mods-enabled/. Files matching
+ # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
+ # initialized ONLY if they are referenced in a processing
+ # section, such as authorize, authenticate, accounting,
+ # pre/post-proxy, etc.
+ #
+ $INCLUDE mods-enabled/
+}
+
+# Instantiation
+#
+# This section orders the loading of the modules. Modules
+# listed here will get loaded BEFORE the later sections like
+# authorize, authenticate, etc. get examined.
+#
+# This section is not strictly needed. When a section like
+# authorize refers to a module, it's automatically loaded and
+# initialized. However, some modules may not be listed in any
+# of the following sections, so they can be listed here.
+#
+# Also, listing modules here ensures that you have control over
+# the order in which they are initialized. If one module needs
+# something defined by another module, you can list them in order
+# here, and ensure that the configuration will be OK.
+#
+# After the modules listed here have been loaded, all of the modules
+# in the "mods-enabled" directory will be loaded. Loading the
+# "mods-enabled" directory means that unlike Version 2, you usually
+# don't need to list modules here.
+#
+instantiate {
+ #
+ # We list the counter module here so that it registers
+ # the check_name attribute before any module which sets
+ # it
+# daily
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ # The "virtual" module defined here can also be used with
+ # dynamic expansions, under a few conditions:
+ #
+ # * The section is "redundant", or "load-balance", or
+ # "redundant-load-balance"
+ # * The section contains modules ONLY, and no sub-sections
+ # * all modules in the section are using the same rlm_
+ # driver, e.g. They are all sql, or all ldap, etc.
+ #
+ # When those conditions are satisfied, the server will
+ # automatically register a dynamic expansion, using the
+ # name of the "virtual" module. In the example below,
+ # it will be "redundant_sql". You can then use this expansion
+ # just like any other:
+ #
+ # update reply {
+ # Filter-Id := "%{redundant_sql: ... }"
+ # }
+ #
+ # In this example, the expansion is done via module "sql1",
+ # and if that expansion fails, using module "sql2".
+ #
+ # For best results, configure the "pool" subsection of the
+ # module so that "retry_delay" is non-zero. That will allow
+ # the redundant block to quickly ignore all "down" SQL
+ # databases. If instead we have "retry_delay = 0", then
+ # every time the redundant block is used, the server will try
+ # to open a connection to every "down" database, causing
+ # problems.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
+}
+
+######################################################################
+#
+# Policies are virtual modules, similar to those defined in the
+# "instantiate" section above.
+#
+# Defining a policy in one of the policy.d files means that it can be
+# referenced in multiple places as a *name*, rather than as a series of
+# conditions to match, and actions to take.
+#
+# Policies are something like subroutines in a normal language, but
+# they cannot be called recursively. They MUST be defined in order.
+# If policy A calls policy B, then B MUST be defined before A.
+#
+######################################################################
+policy {
+ $INCLUDE policy.d/
+}
+
+######################################################################
+#
+# Load virtual servers.
+#
+# This next $INCLUDE line loads files in the directory that
+# match the regular expression: /[a-zA-Z0-9_.]+/
+#
+# It allows you to define new virtual servers simply by placing
+# a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
+
+######################################################################
+#
+# All of the other configuration sections like "authorize {}",
+# "authenticate {}", "accounting {}", have been moved to the
+# the file:
+#
+# raddb/sites-available/default
+#
+# This is the "default" virtual server that has the same
+# configuration as in version 1.0.x and 1.1.x. The default
+# installation enables this virtual server. You should
+# edit it to create policies for your local site.
+#
+# For more documentation on virtual servers, see:
+#
+# raddb/sites-available/README
+#
+######################################################################
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
new file mode 100644
index 0000000..cb1bb45
--- /dev/null
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -0,0 +1,84 @@
+server labitat {
+
+ listen {
+ type = auth
+ ipaddr = 10.42.0.1
+ port = 0
+
+ limit {
+ max_connections = 16
+ lifetime = 0
+ idle_timeout = 30
+ }
+ }
+
+ authorize {
+ filter_username
+ preprocess
+ auth_log
+
+ eap {
+ ok = return
+ }
+
+ files
+
+ expiration
+ logintime
+ pap
+ }
+
+ authenticate {
+ Auth-Type PAP {
+ pap
+ }
+
+ Auth-Type CHAP {
+ chap
+ }
+
+ Auth-Type MS-CHAP {
+ mschap
+ }
+
+ digest
+ eap
+ }
+
+ preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+ }
+
+ accounting {
+ unix
+ -sql
+ exec
+ attr_filter.accounting_response
+ }
+
+ session {
+ }
+
+ post-auth {
+ -sql
+ exec
+ remove_reply_message_if_eap
+
+ Post-Auth-Type REJECT {
+ -sql
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+ }
+
+ pre-proxy {
+ }
+
+ post-proxy {
+ eap
+ }
+}
diff --git a/roles/space_server/files/radvd/radvd.conf b/roles/space_server/files/radvd/radvd.conf
new file mode 100644
index 0000000..02749f3
--- /dev/null
+++ b/roles/space_server/files/radvd/radvd.conf
@@ -0,0 +1,68 @@
+# Wired
+interface lan11 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4260:1ab:: {};
+
+ prefix 2a01:4260:1ab:b::1/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Private Wifi
+interface lan12 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4260:1ab:: {};
+
+ prefix 2a01:4260:1ab:c::1/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+## Free Wifi
+#interface lan13 {
+# AdvSendAdvert on;
+# MinRtrAdvInterval 3;
+# MaxRtrAdvInterval 6;
+# AdvLinkMTU 1500;
+# RDNSS 2a01:4260:1ab:: {};
+#
+# prefix 2a01:4260:1ab:d::1/64 {
+# #AdvValidLifetime 0;
+# #AdvPreferredLifetime 0;
+# };
+#};
+
+# Password protected wifi
+interface lan14 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4260:1ab:: {};
+
+ prefix 2a01:4260:1ab:e::1/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+interface lan15 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4260:1ab:: {};
+
+ prefix 2a01:4260:1ab:f::1/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
diff --git a/roles/space_server/files/sudo/sudoers b/roles/space_server/files/sudo/sudoers
new file mode 100644
index 0000000..069052c
--- /dev/null
+++ b/roles/space_server/files/sudo/sudoers
@@ -0,0 +1,96 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## user MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
diff --git a/roles/space_server/files/wait-online.conf b/roles/space_server/files/wait-online.conf
new file mode 100644
index 0000000..758b827
--- /dev/null
+++ b/roles/space_server/files/wait-online.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=network-online.target
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
new file mode 100644
index 0000000..7316999
--- /dev/null
+++ b/roles/space_server/handlers/main.yml
@@ -0,0 +1,66 @@
+---
+- name: reload nftables
+ systemd:
+ name: nftables.service
+ state: reloaded
+ when: "'container' not in ansible_env"
+
+- name: restart networkd
+ systemd:
+ name: systemd-networkd.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+- name: restart blackhole
+ systemd:
+ name: blackhole.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+- name: restart sshd
+ systemd:
+ name: sshd.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+- name: restart bird
+ systemd:
+ name: '{{ item }}.service'
+ state: restarted
+ with_items:
+ - bird
+ - bird6
+ when: "'container' not in ansible_env"
+
+- name: restart dhcpd
+ systemd:
+ name: dhcpd.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+- name: restart radvd
+ systemd:
+ name: radvd.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+- name: restart radiusd
+ systemd:
+ name: radiusd.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+- name: restart getusers
+ systemd:
+ name: getusers.timer
+ state: restarted
+ daemon_reload: yes
+ when: "'container' not in ansible_env"
+
+- name: restart named
+ systemd:
+ name: named.service
+ state: restarted
+ when: "'container' not in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/meta/main.yml b/roles/space_server/meta/main.yml
new file mode 100644
index 0000000..d2839f1
--- /dev/null
+++ b/roles/space_server/meta/main.yml
@@ -0,0 +1,7 @@
+---
+dependencies:
+ - role: fedora
+ - role: root_env
+ - role: users
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/ansible.yml b/roles/space_server/tasks/ansible.yml
new file mode 100644
index 0000000..5dc74e2
--- /dev/null
+++ b/roles/space_server/tasks/ansible.yml
@@ -0,0 +1,30 @@
+---
+- name: Create /etc/ansible/hosts
+ copy:
+ src: ansible/hosts
+ dest: '/etc/ansible/hosts'
+
+- name: Configure ansible
+ ini_file:
+ path: /etc/ansible/ansible.cfg
+ section: '{{ item.section }}'
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ with_items:
+ - section: defaults
+ option: 'gathering'
+ value: 'smart'
+ - section: defaults
+ option: 'fact_caching'
+ value: 'jsonfile'
+ - section: defaults
+ option: 'fact_caching_connection'
+ value: '/tmp/ansible'
+ - section: defaults
+ option: 'fact_caching_timeout'
+ value: '600'
+ - section: defaults
+ option: 'error_on_missing_handler'
+ value: 'True'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml
new file mode 100644
index 0000000..17f0a99
--- /dev/null
+++ b/roles/space_server/tasks/bird.yml
@@ -0,0 +1,68 @@
+---
+- name: Install bird and bird6 packages
+ dnf:
+ name: '{{ item }}'
+ state: latest
+ with_items:
+ - bird
+ - bird6
+ notify:
+ - restart bird
+ tags:
+ - packages
+
+- name: Make sure /etc/bird exists
+ file:
+ dest: '/etc/bird'
+ state: directory
+ mode: 0755
+- name: Create bird configuration
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/bird/'
+ with_fileglob:
+ - 'bird/*'
+ notify:
+ - restart bird
+
+- name: Create bird.conf and bird6.conf symlinks
+ file:
+ path: '/etc/{{ item }}.conf'
+ state: link
+ src: 'bird/{{ item }}.conf'
+ force: yes
+ with_items:
+ - bird
+ - bird6
+
+# bird6 wants the link to have a link-local address
+# when starting, so wait for it
+- name: Create bird6 service drop-in directory
+ file:
+ dest: '/etc/systemd/system/bird6.service.d'
+ state: directory
+- name: Start bird6 after networks are configured
+ copy:
+ src: wait-online.conf
+ dest: '/etc/systemd/system/bird6.service.d/wait-online.conf'
+
+- name: Enable bird and bird6
+ systemd:
+ name: '{{ item }}.service'
+ enabled: yes
+ masked: no
+ state: started
+ with_items:
+ - bird
+ - bird6
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: 'systemctl enable {{ item }}.service'
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/{{ item }}.service'
+ with_items:
+ - bird
+ - bird6
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/blackhole.yml b/roles/space_server/tasks/blackhole.yml
new file mode 100644
index 0000000..b62a7ca
--- /dev/null
+++ b/roles/space_server/tasks/blackhole.yml
@@ -0,0 +1,32 @@
+---
+- name: Create /etc/systemd/scripts
+ file:
+ dest: /etc/systemd/scripts
+ state: directory
+- name: Install blackhole script
+ copy:
+ src: blackhole/blackhole.sh
+ dest: '/etc/systemd/scripts/blackhole.sh'
+ mode: 0755
+ notify:
+ - restart blackhole
+
+- name: Install blackhole service
+ copy:
+ src: blackhole/blackhole.service
+ dest: '/etc/systemd/system/blackhole.service'
+
+- name: Enable blackhole service
+ systemd:
+ name: blackhole.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable blackhole.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/blackhole.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/dhcpd.yml b/roles/space_server/tasks/dhcpd.yml
new file mode 100644
index 0000000..c72fa75
--- /dev/null
+++ b/roles/space_server/tasks/dhcpd.yml
@@ -0,0 +1,31 @@
+---
+- name: Install dhcpd package
+ dnf:
+ name: dhcp-server
+ state: latest
+ notify:
+ - restart dhcpd
+ tags:
+ - packages
+
+- name: Configure dhcpd
+ copy:
+ src: dhcpd/dhcpd.conf
+ dest: '/etc/dhcp/dhcpd.conf'
+ notify:
+ - restart dhcpd
+
+- name: Enable dhcpd service
+ systemd:
+ name: dhcpd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable dhcpd.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/dhcpd.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/gettys.yml b/roles/space_server/tasks/gettys.yml
new file mode 100644
index 0000000..bdf293a
--- /dev/null
+++ b/roles/space_server/tasks/gettys.yml
@@ -0,0 +1,25 @@
+---
+- name: Disable getty@tty1
+ systemd:
+ name: getty@tty1.service
+ enabled: no
+ state: stopped
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl disable getty@tty1.service
+ args:
+ removes: '/etc/systemd/system/getty.target.wants/getty@tty1.service'
+ when: "'container' in ansible_env"
+
+- name: Enable serial-getty@ttyS0
+ systemd:
+ name: serial-getty@ttyS0.service
+ enabled: yes
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable serial-getty@ttyS0.service
+ args:
+ creates: '/etc/systemd/system/getty.target.wants/serial-getty@ttyS0.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml
new file mode 100644
index 0000000..02e115c
--- /dev/null
+++ b/roles/space_server/tasks/kernel.yml
@@ -0,0 +1,42 @@
+---
+- name: Make sure /etc/kernel exists
+ file:
+ path: '/etc/kernel'
+ state: directory
+ mode: 0755
+- name: Make sure /etc/kernel/install.d exists
+ file:
+ path: '/etc/kernel/install.d'
+ state: directory
+ mode: 0755
+
+- name: Mask grubby
+ file:
+ path: '/etc/kernel/install.d/20-grubby.install'
+ state: link
+ src: '/dev/null'
+
+- name: Create syslinux loader entry
+ copy:
+ src: kernel/90-loaderentry.install
+ dest: '/etc/kernel/install.d/90-loaderentry.install'
+ mode: 0755
+- name: Create syslinux menu
+ copy:
+ src: kernel/95-syslinux-menu.install
+ dest: '/etc/kernel/install.d/95-syslinux-menu.install'
+ mode: 0755
+
+- name: Set kernel command line
+ template:
+ src: cmdline.j2
+ dest: '/etc/kernel/cmdline'
+
+- name: Install kernel
+ dnf:
+ name: kernel
+ state: latest
+ tags:
+ - packages
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
new file mode 100644
index 0000000..98a0764
--- /dev/null
+++ b/roles/space_server/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: fstab
+ template:
+ src: fstab.j2
+ dest: /etc/fstab
+ tags:
+ - fstab
+
+- import_tasks: ansible.yml
+ tags: ansible
+- import_tasks: sudo.yml
+ tags: sudo
+- import_tasks: kernel.yml
+ tags: kernel
+- import_tasks: gettys.yml
+ tags: gettys
+- import_tasks: timesyncd.yml
+ tags: timesyncd
+- import_tasks: resolved.yml
+ tags: resolved
+- import_tasks: networkd.yml
+ tags: networkd
+- import_tasks: nftables.yml
+ tags: nftables
+- import_tasks: blackhole.yml
+ tags: blackhole
+- import_tasks: sshd.yml
+ tags: sshd
+- import_tasks: bird.yml
+ tags: bird
+- import_tasks: dhcpd.yml
+ tags: dhcpd
+- import_tasks: radvd.yml
+ tags: radvd
+- import_tasks: radius.yml
+ tags: radius
+ when: radius_passwords is defined
+- import_tasks: named.yml
+ tags: named
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
new file mode 100644
index 0000000..d295058
--- /dev/null
+++ b/roles/space_server/tasks/named.yml
@@ -0,0 +1,52 @@
+---
+- name: Install bind package
+ dnf:
+ name: bind
+ state: latest
+ notify:
+ - restart named
+ tags:
+ - packages
+
+- name: Configure named
+ copy:
+ src: named/named.conf
+ dest: '/etc/named.conf'
+ mode: 0640
+ notify:
+ - restart named
+- name: Create s zone
+ copy:
+ src: named/s.zone
+ dest: '/etc/named/s.zone'
+ notify:
+ - restart named
+
+- name: Create service drop-in directory
+ file:
+ dest: '/etc/systemd/system/named.service.d'
+ state: directory
+- name: Start named after networks are configured
+ copy:
+ src: wait-online.conf
+ dest: '/etc/systemd/system/named.service.d/wait-online.conf'
+
+- name: Enable named service
+ systemd:
+ name: named.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable named.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/named.service'
+ when: "'container' in ansible_env"
+
+- name: Use our own resolver
+ copy:
+ dest: /etc/resolv.conf
+ content: "nameserver 127.0.0.1\nnameserver ::1\n"
+
+# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml
new file mode 100644
index 0000000..ef97844
--- /dev/null
+++ b/roles/space_server/tasks/networkd.yml
@@ -0,0 +1,48 @@
+---
+- name: Make sure directory exists
+ file:
+ dest: '/etc/systemd/network'
+ state: directory
+- name: Get current network config
+ shell: 'ls -1 /etc/systemd/network/'
+ check_mode: no
+ register: network_files_all
+- name: Configure network
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/systemd/network/'
+ with_fileglob:
+ - 'networkd/network/*'
+ register: network_files
+ notify:
+ - restart networkd
+- name: Clean up old files
+ file:
+ path: '/etc/systemd/network/{{ item }}'
+ state: absent
+ with_items: '{{ network_files_all.stdout_lines }}'
+ when: "item not in network_files.results|map(attribute='path')|map('basename')"
+ notify:
+ - restart networkd
+
+# Unfortunately a drop-in file doesn't seem to work,
+# so overwrite the whole service file :/
+- name: Don't wait for lan and mgt interfaces to come online
+ copy:
+ src: networkd/systemd-networkd-wait-online.service
+ dest: '/etc/systemd/system/systemd-networkd-wait-online.service'
+
+- name: Enable systemd-networkd
+ systemd:
+ name: systemd-networkd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable systemd-networkd.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/systemd-networkd.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml
new file mode 100644
index 0000000..a7fb588
--- /dev/null
+++ b/roles/space_server/tasks/nftables.yml
@@ -0,0 +1,34 @@
+---
+- name: Install our nftables service
+ copy:
+ src: nftables/nftables.service
+ dest: '/etc/systemd/system/nftables.service'
+
+- name: Install nftables package
+ dnf:
+ name: nftables
+ state: latest
+ tags:
+ - packages
+
+- name: Configure nftables
+ copy:
+ src: nftables/nftables.conf
+ dest: '/etc/sysconfig/nftables.conf'
+ notify:
+ - reload nftables
+
+- name: Enable nftables service
+ systemd:
+ name: nftables.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable nftables.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/nftables.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
new file mode 100644
index 0000000..3226d2e
--- /dev/null
+++ b/roles/space_server/tasks/radius.yml
@@ -0,0 +1,105 @@
+---
+- name: Install our freeradius-assha package
+ dnf:
+ name: '{{ item }}'
+ state: latest
+ with_fileglob:
+ - 'radius/freeradius-assha-*.fc{{ ansible_distribution_major_version }}.*.rpm'
+ notify:
+ - restart radiusd
+ tags:
+ - packages
+
+- name: Make sure curl and diffutils are installed
+ dnf:
+ name: '{{ item }}'
+ state: latest
+ with_items:
+ - curl
+ - diffutils
+ tags:
+ - packages
+
+- name: Disable default site
+ file:
+ path: '/etc/raddb/sites-enabled/default'
+ state: absent
+ notify:
+ - restart radiusd
+- name: Configure radiusd
+ copy:
+ src: 'radius/{{ item }}'
+ dest: '/etc/raddb/{{ item }}'
+ owner: root
+ group: radiusd
+ mode: 0640
+ with_items:
+ - radiusd.conf
+ - mods-available/eap
+ - sites-available/labitat
+ notify:
+ - restart radiusd
+- name: Configure radius clients
+ template:
+ src: 'radius/clients.conf.j2'
+ dest: '/etc/raddb/clients.conf'
+ owner: root
+ group: radiusd
+ mode: 0640
+ notify:
+ - restart radiusd
+- name: Enable labitat site
+ file:
+ path: '/etc/raddb/sites-enabled/labitat'
+ state: link
+ src: '../sites-available/labitat'
+ owner: root
+ group: radiusd
+ force: yes
+ notify:
+ - restart radiusd
+
+- name: Create getusers script
+ template:
+ src: 'radius/getusers.sh.j2'
+ dest: '/etc/raddb/getusers.sh'
+ owner: root
+ group: radiusd
+ mode: 0750
+- name: Create getusers service and timer
+ copy:
+ src: 'radius/{{ item }}'
+ dest: '/etc/systemd/system/{{ item }}'
+ with_items:
+ - getusers.service
+ - getusers.timer
+ notify:
+ - restart getusers
+
+- name: Enable getusers timer
+ systemd:
+ name: getusers.timer
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable getusers.timer
+ args:
+ creates: '/etc/systemd/system/timers.target.wants/getusers.timer'
+ when: "'container' in ansible_env"
+
+- name: Enable radiusd service
+ systemd:
+ name: radiusd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable radiusd.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/radiusd.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/radvd.yml b/roles/space_server/tasks/radvd.yml
new file mode 100644
index 0000000..3c25c5c
--- /dev/null
+++ b/roles/space_server/tasks/radvd.yml
@@ -0,0 +1,40 @@
+---
+- name: Install radvd package
+ dnf:
+ name: radvd
+ state: latest
+ notify:
+ - restart radvd
+ tags:
+ - packages
+
+- name: Configure radvd
+ copy:
+ src: radvd/radvd.conf
+ dest: '/etc/radvd.conf'
+ notify:
+ - restart radvd
+
+- name: Create service drop-in directory
+ file:
+ dest: '/etc/systemd/system/radvd.service.d'
+ state: directory
+- name: Start radvd after networks are configured
+ copy:
+ src: wait-online.conf
+ dest: '/etc/systemd/system/radvd.service.d/wait-online.conf'
+
+- name: Enable radvd service
+ systemd:
+ name: radvd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable radvd.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/radvd.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/resolved.yml b/roles/space_server/tasks/resolved.yml
new file mode 100644
index 0000000..d95d1d1
--- /dev/null
+++ b/roles/space_server/tasks/resolved.yml
@@ -0,0 +1,34 @@
+---
+#- name: Enable systemd-resolved
+# systemd:
+# name: systemd-resolved.service
+# enabled: yes
+# masked: no
+# state: started
+# when: "'container' not in ansible_env"
+#- name: '- when in nspawn'
+# command: systemctl enable systemd-resolved.service
+# args:
+# creates: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service'
+# when: "'container' in ansible_env"
+#
+#- name: Use systemd-resolved
+# lineinfile:
+# path: /etc/nsswitch.conf
+# regexp: '^hosts:'
+# line: 'hosts: files resolve [!UNAVAIL=return] dns myhostname'
+
+- name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved.service
+ enabled: no
+ masked: no
+ state: stopped
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl disable systemd-resolved.service
+ args:
+ removes: '/etc/systemd/system/multi-user.target.wants/systemd-resolved.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/sshd.yml b/roles/space_server/tasks/sshd.yml
new file mode 100644
index 0000000..8eaa8fc
--- /dev/null
+++ b/roles/space_server/tasks/sshd.yml
@@ -0,0 +1,32 @@
+---
+- name: Install sshd package
+ dnf:
+ name: openssh-server
+ state: latest
+ notify:
+ - restart sshd
+ tags:
+ - packages
+
+- name: Configure sshd
+ lineinfile:
+ path: '/etc/ssh/sshd_config'
+ regexp: '^PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ notify:
+ - restart sshd
+
+- name: Enable sshd service
+ systemd:
+ name: sshd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable sshd.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/sshd.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/sudo.yml b/roles/space_server/tasks/sudo.yml
new file mode 100644
index 0000000..b8497c3
--- /dev/null
+++ b/roles/space_server/tasks/sudo.yml
@@ -0,0 +1,16 @@
+---
+- name: Install sudo package
+ dnf:
+ name: sudo
+ state: latest
+ tags:
+ - packages
+
+- name: Install sudoers file
+ copy:
+ src: sudo/sudoers
+ dest: '/etc/sudoers'
+ mode: 0440
+ validate: visudo -cf %s
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/timesyncd.yml b/roles/space_server/tasks/timesyncd.yml
new file mode 100644
index 0000000..cf964e3
--- /dev/null
+++ b/roles/space_server/tasks/timesyncd.yml
@@ -0,0 +1,15 @@
+---
+- name: Enable systemd-timesyncd
+ systemd:
+ name: systemd-timesyncd.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable systemd-timesyncd.service
+ args:
+ creates: '/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service'
+ when: "'container' in ansible_env"
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/templates/cmdline.j2 b/roles/space_server/templates/cmdline.j2
new file mode 100644
index 0000000..36b1e15
--- /dev/null
+++ b/roles/space_server/templates/cmdline.j2
@@ -0,0 +1,5 @@
+{% if ansible_distribution_release == 'Rawhide' %}
+console=ttyS0,115200n8 ro root={{ root.device }} rootfstype=btrfs ro rootflags={{ root.options|regex_replace('noatime,','') }},subvol=/rawhide rootwait audit=0
+{% else %}
+console=ttyS0,115200n8 ro root={{ root.device }} rootfstype=btrfs ro rootflags={{ root.options|regex_replace('noatime,','') }},subvol=/{{ ansible_distribution.lower() }}{{ ansible_distribution_version }} rootwait audit=0
+{% endif %}
diff --git a/roles/space_server/templates/fstab.j2 b/roles/space_server/templates/fstab.j2
new file mode 100644
index 0000000..ba4f69d
--- /dev/null
+++ b/roles/space_server/templates/fstab.j2
@@ -0,0 +1,9 @@
+{{ boot.device }} /boot vfat defaults,{{ boot.options }} 0 2
+
+{% if ansible_distribution_release == 'Rawhide' %}
+{{ root.device }} / btrfs defaults,{{ root.options }},subvol=/rawhide 0 1
+{% else %}
+{{ root.device }} / btrfs defaults,{{ root.options }},subvol=/{{ ansible_distribution.lower() }}{{ ansible_distribution_version }} 0 1
+{% endif %}
+{{ root.device }} /home btrfs defaults,{{ root.options }},subvol=/home 0 2
+{{ root.device }} /mnt btrfs defaults,{{ root.options }},subvol=/ 0 2
diff --git a/roles/space_server/templates/radius/clients.conf.j2 b/roles/space_server/templates/radius/clients.conf.j2
new file mode 100644
index 0000000..0e82666
--- /dev/null
+++ b/roles/space_server/templates/radius/clients.conf.j2
@@ -0,0 +1,13 @@
+client ap1 {
+ ipaddr = 10.42.0.5
+ netmask = 32
+ secret = {{ radius_passwords.ap1 }}
+ nas_type = other
+}
+
+client ap2 {
+ ipaddr = 10.42.0.6
+ netmask = 32
+ secret = {{ radius_passwords.ap2 }}
+ nas_type = other
+}
diff --git a/roles/space_server/templates/radius/getusers.sh.j2 b/roles/space_server/templates/radius/getusers.sh.j2
new file mode 100644
index 0000000..e77758b
--- /dev/null
+++ b/roles/space_server/templates/radius/getusers.sh.j2
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if curl -s -4 -k '{{ radius_passwords.download_url }}' -o /etc/raddb/users.new; then
+ if ! diff -q /etc/raddb/users /etc/raddb/users.new >/dev/null; then
+ mv -f /etc/raddb/users.new /etc/raddb/mods-config/files/authorize
+ systemctl restart radiusd.service
+ fi
+else
+ rm -f /etc/raddb/users.new
+fi
diff --git a/roles/users/tasks/ast.yml b/roles/users/tasks/ast.yml
new file mode 100644
index 0000000..1c01717
--- /dev/null
+++ b/roles/users/tasks/ast.yml
@@ -0,0 +1,16 @@
+---
+- name: ast
+ user:
+ comment: 'Asbjørn Sloth Tønnesen'
+ name: ast
+ uid: 1001
+ group: users
+ groups:
+ - wheel
+
+- name: ast - authorized_keys
+ authorized_key:
+ user: ast
+ key: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyLX2AICoAhOSOnZth9PMlxqgPrw//J2wMtcHQUppqSjHGFkxIkOWnMUwbSZo/kFj2J8e8GJ7xwmC3tTblmJl+Ba1R77SEETJQpM1/TgWcCK5L7KpK/XP7yTCPMds1vczjgIIMA+DS9iuNQkqLSA5B6gdGfbfuPsMB/W8L2gqkVFMiE3zcrxGLwaPPW7fo9rA2Z7tMEZMFy9SB0u3mqY5aoBiI9P5U3rgn96SO8cs/JVnf99RfkJQWmBamZIH3vqwvC3uG+QgB0cQ9Sy9/I4Q75YQKnGPS+ySQVvo3nY9KpULAbHoVZyu3CtzDfXYOxgUXhJ/GerZZUbyHkrndhXteQ== asbjorn@asbjorn.it'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/users/tasks/esmil.yml b/roles/users/tasks/esmil.yml
new file mode 100644
index 0000000..a6c8266
--- /dev/null
+++ b/roles/users/tasks/esmil.yml
@@ -0,0 +1,16 @@
+---
+- name: esmil
+ user:
+ comment: 'Emil Renner Berthing'
+ name: esmil
+ uid: 1000
+ group: users
+ groups:
+ - wheel
+
+- name: esmil - authorized_keys
+ authorized_key:
+ user: esmil
+ key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUS/4G4YgI7LeJll8BUHCcdkCK3klSxzhqEY3X2df5+ esmil@stitch'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..327d5e2
--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- import_tasks: esmil.yml
+ tags:
+ - users
+ - esmil
+- import_tasks: ast.yml
+ tags:
+ - users
+ - ast
+
+# vim: set ts=2 sw=2 et:
diff --git a/space.yml b/space.yml
new file mode 100644
index 0000000..a757a3d
--- /dev/null
+++ b/space.yml
@@ -0,0 +1,15 @@
+---
+- hosts: space
+ pre_tasks:
+ - include_vars: '{{ item }}'
+ with_first_found:
+ - files:
+ - /etc/ansible/secrets.yml
+ - secrets.yml
+ skip: true
+ tags:
+ - radius
+ roles:
+ - space_server
+
+# vim: set ts=2 sw=2 et: