Compare commits


No commits in common. "radius" and "master" have entirely different histories.

51 changed files with 1521 additions and 2193 deletions


@ -3,7 +3,6 @@ ask_vault_pass = True
roles_path = ./roles
retry_files_enabled = False
inventory = ./hosts
library = ./library
filter_plugins = ./filter_plugins
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
nocows = 1
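Review bot: The `ansible_managed` value on the new side still embeds `%Y-%m-%d %H:%M:%S`, so every file whose template header uses `{{ ansible_managed }}` is rewritten with a fresh timestamp on each run, reports "changed" every time, and makes `--check --diff` useless for spotting real drift in managed configs. The rendering has dropped the +/- column, so I cannot tell which of the seven lines is the one this hunk removes; assuming this line survives, a host-stable string such as `ansible_managed = Ansible managed: {file} on {host}` (or plain `Ansible managed`) keeps idempotent runs quiet. Not a vulnerability by itself, but a play that always shows changes is exactly where an unauthorized edit to a managed file goes unnoticed.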


@ -1,10 +0,0 @@
class FilterModule:
def filters(self):
return {
"enquote": enquote,
}
def enquote(text, quote='"'):
escaped = text.replace(quote, f"\\{quote}")
return f"{quote}{escaped}{quote}"


@ -7,30 +7,11 @@ import dns.name
class FilterModule:
def filters(self):
return {
"add_origin": add_origin,
"add_origin_keys": add_origin_keys,
"ip_filter": ip_filter,
"remove_domain_suffix": remove_domain_suffix,
"ipaddr_sort": ipaddr_sort,
}
def ip_filter(addresses, networks):
if isinstance(addresses, dict):
return {k: ip_filter(v, networks) for k, v in addresses.items()}
ip_networks = [ipaddress.ip_network(n) for n in networks]
ip_addresses = [ipaddress.ip_address(a) for a in addresses]
return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
def add_origin(name, origin="."):
return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
def add_origin_keys(dct, origin="."):
return {add_origin(k, origin): v for k, v in dct.items()}
def remove_domain_suffix(name):
parent = dns.name.from_text(name).parent()
return parent.to_text()


@ -1,257 +1,246 @@
$ANSIBLE_VAULT;1.1;AES256
62373961613635353532306262363831376166643431323062383634366138653036373730353036
6664653637356662343538306261353838306637663765320a336436333964643464613339366238
66323438363935303839633534373464333236663536396233316162363439393030303637306462
3661346138396534340a626164643334376137633738343130653531393630663030663234626433
62623063623538323262643863373062323537663164623535343262346235323865613361643034
37373562343366323134303836633634613837356165323566343062373730336639386137306164
64366661343562623734396363346339643438613865653730396635636264666164623533656534
39313462363539313866633663333639343766313338376162363135396235356133373837623930
64316661316339343439383365303664393631643164623161613262613839346634333434653264
65656466383063386163353135663632303665323238626139363330383363306130623535303834
31636265623366326438373163633566626438383633326430303862353838383636363866326131
64656366646534333739326264663330323836353266393063356134373366366235613534353636
30633364343738393230623338663532623531303564613766326436336562633338313337396664
65376135633334346261313835646361303362616535346538623634383338626363646637376261
66383336363065353932656231343231613963303934643637656637323135376238376235383838
35386333363033306332373030353332303635633164363135633431343566373338623437626331
61653435653135663331313536386166336137636336333861656131613863386162343639363935
39643763653633363663626266663036313961663062626333633666356363363961643231663033
32386438646365613438343130313465383266623830666631653061313238643466326337663434
63313664346564333163346230663331613363646566386135363063643730626435366233313130
37343965653835636333363365653831393531326565316532663962326165366437326464663964
65383036383261643066333938343634396337313034333466643436386665353137656661323134
66666362393334343038353762396537346164356635373766393038656563643132363461356336
30323063663232353431623731313564646339376364623639303231633935353730353866616131
63343732653366613832393031646339383235616464656435653035316163313266613361646666
31633662336332653738353661616137333537633831346137663363336235626433363834316438
62646266383362613335376335376136663536623638353863323539393339353736336533656435
62343263343839633837313966316538643133363764353661616136356139313630626163663233
64363939343238623261656430653933333432383066373136313232623933616238323161316336
36666165616661383637323832383138353963333063613566613538623430633561653532333830
34366231323131346533616164646438366266326266616264333862343435633031333135396365
33333331323939646431373630373334613935616337316631613065363337336136636238323066
35653162303130373733353763623638623638323638333362653130663237396564333366616163
35396435303133613861316464393837623837353734633331366435383263643264343164333235
32353530373835643436633038366261386465373364303538353933346562663566663233326637
33663165333366346630373035396237366332616435323231336333613031656161303431326633
37386466353836646536656364343532356633343835666466353861323637643233343063323135
32626563383433336165373363383236633936333039343731633439353331666564383166323738
39313635636666383432623335396663386131336134613530323938316332663032663966656361
65616334646337313637346436336232613531626434383030326164393366343366616235383439
62303333356633656366373766666430636435303438383863343330396130396139616234313638
31336632663661353030303736646130326565303932346432643066316434616134376135636662
61393661633261303539393139346266303731333637363838313964616439386637633234326533
32323130346235306236346566306563333563653333326633363831646238353766666136346333
37666539313265353961343762303762333463646136386331393938663463646530633932393136
38386437646135613764313764316162346364353031313566323134336239633832303930313463
33636164373236373138613462393937333338643230663133383132616463313731393963633262
31303239393939383433343138393733356238386136626463336532613661623362356530323666
39633336613532383661636334393362663833306562663664303734393466343536386661663838
65343263643063646666616334643936396530633861373733376635303230646461396239613435
39373131393234343761346231636363303663383835366562643664353734653530393066653230
34656466656364303163653862616437623636626537376338376631356266666338366439656262
33383633653965386333343933323639303265653862323936376635343037656537626165636663
38383034383833393038363136373835636537626664353863326165643436323730623665313037
64323634633435323434313639343538313537313030383338656635336137366133613931346133
62356131396637323361336265373731376638636465306365366461353338663738326362616435
61316166363536323761323631653835643132356634633738343834343839613732643263323866
64393636353730323139383965373864376163363963323830353538613234663566633437363061
66313765356635643136653866633432343130303661633362386665363761306165646333356330
34393233626131646430663538663465643233356338383330316634333032353939653334653233
37356461323261653762363730383339393130613064386366393562383739616536626366633865
39316161643438343762306537353762333463353237303063613933343239323765386666646539
33336165323539323261366134353466313737636338363861336664346331643464313965633530
37393538636535303431303762336335666361663364363130376564633763373036663330383130
31316564643336373061343033333131643362663736376436643965333066613431343936303964
63343030653030373537396566323663383061396666313835333732646339306134613762393865
30626431303638346137653539333236633136663137306233663236326465663662376537666435
31333663663833373463343163323737366536366163613733396332626230646131333662663866
61346266396563646261353561616433613161666161363161396533313038366438366565343733
33646462636461313639666332666338613066383862353362613563636162313238363261663762
66613930333837643537326237633462343666323563383935366333353533386161363734623132
37633739396161353731353234326565376564646433316638633130303033303863623166653438
34663461643539643639383763666339643164343233343361653630373736393437633762323761
63633264373639613439633338316166333135633436373133626434623261313333613734376366
30366634633664383633643234663539363166656333653139366466346433323337383036393330
38306564303131313130353765313465626537323032623233326261326565626535666337383237
63616566623139343664343663663031306133333830386561383936313135616461636563656130
61333531313230623063326537323537303363353232343436356161336164326133643734663134
32616266303536373331396537643938636237363439353234326439363039633366613136326632
65346533636563393665613130636437356134666262343336646236326430366636353234636564
66356636666339353466656664633731376537353863613565306130316561313865393962336232
65326661366661313434666564366131656539363030323233376666616330653338616536393230
36646161373030343964346430613266306665636336303536363966326361373335313130316332
33646236393935336662353237323639323239353030623233373766363566323461626332396164
65303035653630376332356333313765313833396338363233326333626130323866386366613533
35303562366437333538393363643366326530313365623331306235383965393331333936323432
34396261666363313637633364356666323639316532636331626132643333373838383465663561
65363636613736663434626130313265646438326537363736336134346432366432656133623262
33623661323064333439303463623138383962356165356461373235616164333130663336383635
36363835643466306339336338323230313036616665363863376262626361323738643561353761
38353939653130306161666436373132623238366632353332353136623038616462376361626235
31356464303136373766323261336132323434396561363066313062333061633437623362633861
61306330323633323930336237643738613330366265386366306664343066326530613061306432
65626130336337643233666235613530373237383234633833363962636134366661623333636237
32373664376438313065623234626637303630356233356439656434306661663138323966303539
64363937643334303936353663306464626335616262613135363464306135623738303631376562
32386262663934653565316334353630356537363734396131323264353636663438636365396231
62336664353938326434646261626466333030333133643265633439313339383661323162336666
36616136303433396438363062646135616239663461343039646563653638363734333866326666
39633639336530333637626631626132333066633464376137393937353166343663373564393438
32326635326431396130653864666239343466636435303730306162336637333032643233633833
33323165386135386131336430666437663365626266646466616132373133613536623365333766
61363764303361393438373333616233393030373631323565373563343031326431396239393362
35623039626435643637353161633037396130616332623733353138613835626539616166613831
34306663303832646165336363393837626361316433316231646439343265323634383132303930
38316661333462373033363135363038616136373239333961313039363735303333616561666631
38386436326566616438306536316432343233613833663632396561313831326432323463626433
66653733623935333031646632393936343130316565376662353866346632393736326235323430
31636633633631313732346662356539626638343032383937346134326137623462316531376561
35386565623661393865623035386534336537623932336533393230323239626132613432373964
33656539393861626265646565383038396330323762353235666637383134353839666531623862
39646437393665373035306564636335306136356463316464303566353938303535343235646466
64306262356135373434643862636363396433663833333063383731613136663038313531353263
64376131396337393634383136623732666531373136373631643336663766376436633538643461
64633865346634616366616661323062653431303632313464316335386535363237356339616130
34666131383164616664326331356337336637353664353965356332626437323430313565653236
61323534633137376166383831366263366438623735376264356136353136343434613835373461
38613139373335653935643663363438653139303037646366303530386339323634373665623032
30656536373530383539376233316334333233353536633963323334313862353334613832363662
64663939356465333435356231633832653764303862646433333563666237326463663931383238
62303062663366363932666130373737643137303739383636616466316363396134376365346331
64353566383066393737346162313264653736626239376134373964613162323231313462313262
65376338333439363762323837373262633835643465313130316164643838656364313166616530
35363436346137333862376632646235643332636662333464366337653064643036386533363030
33393837323632646163383539343164653433623038306261356534623862636232333836363431
36353831353637383864643130653838663164646232626637353031386561636535666236356665
36376330333937646164303333643962383862336433313433626434636133343836313730346462
39643535323063326364656439316232383430663364383961643961633431326464306639383038
62356430373630373836326266376230373135326531336464663338303438323836376365636534
36663532343035303738346564383166326665396363633239623863353662316336653765323632
34336538663637643535636530666639353864643733376635626133666461613338343039623462
38356338373732396635663733333465363433663436623938633565623964653765346165393334
34373666623035353966323433663961333663303162623337306539653739663834356566353164
65343738663161353964386237306234643836323365626133393134666566363961653836623634
38356666396161633932363536663732376330343661343763623435663836303032396535616531
34313730626334316139613839336430346163643933386366306464313266316530363934303032
62353434346238386536306133366262643061623436636666643735643039613665316436616533
30666332633764313063383663663830633430646365383532656236363039643633353736346338
39323935333536643737396331623431633365343064373330386363313632663933386639376236
62316333303663343933303237353738333739643036666365623834646665623733623239643265
30373966336538616135666339303030626164316563326530383731333839383133366332346331
37306238623132313235666434633135383034653264666134633566373436396133313764306335
63346435393464623332386134303766363061333361643930363335636164353038626464303633
64356437623536376662363566623465306634313534333930333066346532323066323335313934
39663635646664616335393330383865313639393732613034303163363665316337356439656634
39373163306539346433313765623665353461363866643431633236643137353362613337643266
63376631316365326634386166666361343733623638613163666564653762663839356461633132
31666437663535633037393432316463326237356634353631306464663337626136383933386263
61373562323836343137356162363237366261376662613133623839393932366139636336396365
61636237386463633635663338303364666462326436396265366563626130316637623630306263
35386636613161636565356166666463336465643533386166663766306530623162616362376437
30613466313963323236353533616130656532643130616366333064636435323132386431633532
35393731623235396464336365326262373131366633333666363636616632653238616165343466
34333032633062366239636634336563303031653037613237353064656433663361306230313236
64306430633464306339636436306562376430646535663162383363666666366236653965613030
65613836326661323338303964393763346336303065346263386462343661363635373337356130
65323661336165613563663931343365663064613362633632333039663065633162343830356538
37376566326331633236633235623537653332313464623564616433323134646135333436656563
65393737623033316535643230386462333736353866306136313833303631353465363363653035
61376563653266393062616163333164303035386464643536343931663464313831333065306261
64393237396138363863323862393230393837363062393138663734383566616238323332333636
34616634383561326337363739346337623362313131353362323461343335636265303262653836
36383930303436353066356133636133646439346132636162303462346164663162666331643464
63393765393634366431306663643863613666313063326231346637623936616431633332343738
32663666616236346664636563346634323730653239643561343833623936323539303433623839
37333031316331336435353764643861343134323934626433336666613466353538323332383339
38353330313066626335356439663835626266623234356636613666383734356166656262373264
33343336303164366635363162386161663930343836343238376133353839643539333166663566
62316634633762303464363562303333633732326563646231313933363531343164333836616439
36353935353532383439366534306564643061613062356433633338386133366535663631313762
39373032396465393962373038623231313232343661353164393235326266613035613063343136
63356337323363383761323138396333373066336664616665636434656362376661613034383437
35336330663836363464643765643566663436326665313561656364353733356531363863623261
30303138396562633564353764366239656636396632313235326237316538323765663336386632
34326139313064643834393366316561653664313066383263623739373162643865643035373365
64366335396132396330303339316361393439636363343034373736663565323230653963336435
61306538613133313165376562616561663733313839366434376634343236313034306235383733
38346666376530386231353534393863386566633235323762363635363062323762316130303865
61313362623765613065303362663837376463393432663839373766326537356536666465386463
34663266363261623735386565383466313732346366666635663366613032363762386637346636
34386662626266656465393234306566373462633930323562336631306531663130656132353939
35613730393762313931383532646530633836313961326461336131656631663137656635343238
35383533323738316134656666393136633732323536363636646166393530373233613264373761
39303463663130386338353637373739373331613739353561303636316665323533616634666639
33303835336431376363336364646165626139353061633339616437326264646434626463383239
39376332613766383232336339366332616334356630626463373435623165303832393465376334
33343163356333663266386236356463356335333964333733386439623063656462613561323163
34623937383765643461623035343930363336323863356461313034623733303734396238363463
65383366366565323439316230383363366539666434656364633366333936376361326131313530
38363161666439643236313063626564393932646536626361396234396333643165346638323037
38633638646331333664633562353632316133303764316262653261303561366333663062623037
62356565363433646435643231343231333863303439393335336633316638383863343438353262
37616539306537613831373462323238363262623365366536653233366231343864643931653463
61396238663064376166643537646132646665663565323939373632353665356337363538326238
62323363346532613665653161366235303661363263363836313739326134373264396131633262
32343135633436353038313335346338663934386436316262623731313334346230356630336333
62353539383031393339623164333763306338346133383462653534346334346434633831353163
32386436653863666533323233363663643933396636386334343962313038363933303263346135
33613337653237323339313233346638393635366136373432353031653432376639663638353161
30626536386465323136643764663661373863353965623431393562393630333333643631303030
36383938666239336530643731653963383131623333393638366235383861306163303235353538
65646264646339663264376161346563663965353837333331333739376336623934623335343234
36633234326231393232356539383661353431363531653230386637386334613138373038326432
36356633663565383035373934363132303633646563646236363866626531663534313964373732
35623034623335396365653134316331346664633439643966363932356664666331306631373630
66653565666562323366363732626234363165313932326630666537373462303539396139396431
36653438613337356536643863376234386463363130636535396536363234616162663961326431
36613034383234326239353337376633616364323564326563353239363739363430383230353162
64343638623637303334396164343032363735643965393861363537663962316339303936396230
32613937303931383665313464643862653561646539363039643038653838323434386337306235
31636166623933616163363366386263663461316136393932313962343836393565623031366362
34643237353264343665363566393534656436636138303835656534303763346661663338626664
37656462393438653830343964646537363038376531636330653264306363303061653231356566
36323864626233656431303737376131383634353337323633323132646338303766323933373930
64613835643932336430626261323862636536356265313862383361336365373464313036396238
62386664336362303565373736373735363061323963333664386366353139303562656465306632
63376363343664346531653035656538356466626163366130666363666132663961353461363066
31303335663839663365326539316362663935303237333234353431363063333163613461306539
64313364363634643434643630613338353564656639626232343063623933323835623534613864
31316162663137386534643036353238636231303336613334613663386462623365366439326232
31623163396531336337663839376335376231326466633230376630343936663732356663376465
39363965303331383265323263613964376361643465316430363565383235333430373566393635
34343464323664373136656463663461663834656263303639313262626530383534346364306231
31326565353535653637626166616365393230626539366562666538306235343561343439616661
31356366666265353666343964303433303237636265666365393361353762303231366165626535
32363230383231356264646363613030363538303161313534313932383865313166393132393235
38333332653537663630303639653533343737346531393864613836666438656632303937313433
39653136316366353133333537376361633961653735363064666665623135613565363564646263
62643932336465363537363130626262333363303365336464656139643034363031356632613565
61343138323734313537386466313463393836376363383562646537383237666635353936383637
36393237333334633762376534623233376338623339613736613032333435303930626261343830
66663531666566316637386637353136613632623563633664613739336134313432646534303530
39366139326633383033353065306464316636646535383535663663366331633036393661326361
32656330323365623739373765643835333830393033363836666439333337356465383364303431
61336562613634663033643963376635393063623435663162643838663762303533353665646361
62386662376163333637343934613763303363616135306230356135613561646630316330353438
61633234316534353030616138343165633565643366613763653039636466343866376433646132
63343930333933336338393361623866613765393164623838306637323863366263653133326634
38653334653430643862383136373432643463343232613161306638336237376236633435653833
64316363643838333965323163303236346238383964643132643836633161396565323437313636
34623763353237313863646439343662326634613466653462323163666333633031626131383262
64336662396134633334376362333165666430646561333730336635356433323234303862343130
31393933326539336666386364643532363930336636626132396136623066386132656165343530
39656430373039343634623064623930643037666565346164343632323839383038616630303332
38383162646564643037386530386366306532303032643939373563306165363934633532656137
66626635626130336563353737366531613862656231643265346630343633343632333233616162
39623262646432313865333531383461346664383330393631636431333064306635316431633239
66393035313763633635643438376235323537633734353961373635376139633234316334363563
30386263376664646361333435363935363033636665393737333262636464313733656339316539
65313830396233376464613631333664633635393235626232373133363466323230626363396238
30353164663663643835653434386136613566363635393039653637623465616136353932663164
66663763326665636138323366373931376137323334653363303038616363613763313261613836
33323935616366366462636135366439613539643238393962623864386433373862326566633035
38393332663131306337386632636464633938303561336537623363346465613033363861646361
32653839326631323561363430343038666366613330313363363735353465333563663038376631
62666635326438323564
64313161633263303464663933363265373935633862653634643862343232643432343966376438
6134633764383937373966346538306530316539303966320a363035303038616435383366656532
39346463396563626166333362306464343836386365303836356461323663633831636562393039
3832636432626238350a666566323435623834396166656233306639333830343130326265616234
61666365663963643437386530363261306438376665386463376366363662656161316263303831
61393136363934316462616131326463333736656136643038623061313363386538393833663637
36373565333566306632313865646538633532393731313430633462666334323762653337383338
63313433333835653366363061343839326131666139346563306366656365316663333438363837
33323165353936343165646464306434303161313139653561346461653537616164623434376534
33666662343734633766356230383761353239333632613031396365346536373432363433633564
61633762393033343336373864653438336436613630366539333731383336346665313732396265
32356138666135383562656366353131366436363464643630656130303437623131333239386363
66373866393064306565306565386230373638633733326661333065633136633130323963323765
30353262323835313365383562326363343965636634376133613331363133313030346561653931
39363636636235646131353034663861336362383263613165323230366439383561653165363764
65366130623362623539393461363832353435616266393036386439303834316635366438393936
33383933366262636232383066663130383965306137356363363539633661373664613738336539
31363131616135623039346465623530376533386263343836376662316562386530336266303062
64386531303938623939653635313163633261336339366139666135323130653862346132646636
30363065303235346331333434653331646333616337623562643564366435613938643235333664
30626164373030303237656366623631396138333265383566333664663061613536666363623630
61623362383439636239336234333161366635306432363230366630383836326330343932303863
39393232373831363863333332636362396639663831656266336430313837666463336439353332
63303036633433323439613535326663633332346565646338353761363733643766363132666365
34303865656262303563323665363730663062626537363461646363636461633762663237366366
64393133656464643065633634313261336662646435313735306266316132636530393631353830
61303939373363323131316463333136326365333430626266376636356130396239323464353937
64616232373532396334343433636332353530386662633164353235626361623164313039336666
31636434666437393839393133633961373139313663616366373239386163623064373836376164
62316638366366376134386231306435616138656461373633393339653532363434393834393430
37363335623934306661333135343266663464623438353665613330356236323036363139643064
62383934363465316338393065383935646134353230376131613935613431656333383565353134
34643866353131653061623236306536363163373639396564336434653839346263303930633663
39393935636235313431303032336361313730373238333732626465346662363038636361383631
65393433346363366337383233646166306339653533646632623262376630383265393438326135
31643039333835666338383762336163336337343532393063323165636531353361613731363065
65303637396332613432663636326334646635346237396461636366356133303333306239393739
34353966653662346230383865643231313239626533643761366162613164333132373636623237
32356335643766646266646266633366363165373861306433316561363166363865303133633939
34633132343438363034323638376666313061383965323566646463653163313235373364386666
62393865373137343237306637363536383939303833663532396333313931336162333837613935
66383266343735396337663936333162323738383264376533316536376563396333343263643931
65646535363337373865353265306434356432353066656665366638353331366334366339613538
32373637633564613861626538373365336362313434633137613966353861393462623862663330
64386431373066306334383863366133333564373163386433313231363366393830343230323734
61633962356637326538336663386330653563353763663236623539363630626363323237333237
30656139626561313064323330373032323031343137366638303966313832646365666238326337
63306363613361653933306234386163383837666430616663383664386563323839326232383761
35373539626438356539393266653864353066633365383437623437356464383335383039343137
61373539343631373932373033656233323964353666626162386537616333366562346265656238
35396130356166303564303036383664656435626534303064653363316464616335303965376330
61646638383138323265313631613037396561626162306661653231646230343139656135333236
63303838316266333665636335663361656262353066666430656162323236633564313337353665
35363565303736633564356632346632343832363934343962313030646132663566346664313632
38393061613163356265643434626166393366366634343032626637333332316361663639623534
62323239373639393337373537646232663531653835356165313264663561623633633830373734
31336234613633666538373961626430316530346462343061323661353564323938353338373961
64616637303734303333626166306330613238646265636136653939363936356165356232396436
65353731633836363433616534636330663565643561363233396538386430393964353433616437
36343936313936303165396236393463646363383338366238363961666530623335653234656139
65346337663437623134376137326166323933613861663032623965643538343638376234316232
36333065323234663263343630353739313661373536316162366532336438373263303730626464
38613136393166626663636631363064303736666235333036616435373063363762666565363136
38333966303831313333613831313132633062616235353365313533386236613338373130303836
61326262313833306437366364316433393931353265326131653563656131333436376338613266
39326632613366666136643137303635336631353230396435313537656366326239626362313833
62653039343261613265306362323234623264366664306561663839306631663465303962386462
39353934643562383762623937643034383534393962333466613636346637323235346438666636
31613838313535666166663063373333653439313035346266666463623666613837313933623837
63343565663739393764353761316432626237346234663032316131306262356233333439323961
38646664383030303832646563393836643135303731306435383338623633626638306165386637
65393238653464623032336437643838333932366131656332333165376261383539386466343139
65613733383837323832303738363664653138613830376333363038383839623463623631666237
63363263396533353763373934373034643763376665316638353435663635346135333265363235
62663432343935343964626432353563313036303761393039386231343530663737633466643035
65343835353037643539316439666666633866356530363237373230373439373133313337653237
66613631373637313534353862653437393234363365323032393035376438616264336661616262
37336435326135373065353564383637626637343532396331623334643139386364316431376435
36356566363033636539363430356565373039363863396565643730656531346364626334393436
33343839303538383530363231366166623233333730323163323432373831313639626337346230
30333930333064393337616564386163623436613933623466353933393733346339383534633239
30633365313364666566643533326163336330323232353533316633313739343035383465376330
65356139386463633565366132383832643032333234633964373437633836343435393631396166
34633439643764623936366536353931646132373539326238303761383339643661616266646130
30393166393465326365393130636136336433623262346435353936306133616135653734383635
65393530633836613937346430366337626365363361663533313837363063396538663766646566
63373639653732353135343562353266316164303863336365303635653464393232613939396131
30636361343932663233663566656131363938656161623966316366656561343166336532613666
65613534663762353662353262623634616264373964316336626166353330303539356130646166
63643435353765633766626165643465386331333637366562393861613834323464363932306430
32643836646266643031396262626136313363623663366430376432373036643835653863323631
30613164326430633664306630333632363931656135643465363439376263386561383534633666
64323763656466343064396639313264386239356664663461333166626332326536623132333434
62303261643164643330333662623935383037353338306135613737306563326336336162633138
33623066373265663362303133363032343933306336396466383034636131333837313333326531
39336163313633623639303462313763656632633030336236643030343262653366633939643536
31636535393864663363353930363761623264343630396336396431663330323436613462633136
37336464353730643566393432343762333336653932333366636265343663323462626232623635
34346136333630363539633666316561376266373032373961313437653564636537656630303261
37313639333233333365383763333061373730623939303530303832646365323739356564626137
35633366393636376463393961333830343232363266633931613332643134643234303733373466
35323831623931633436626636346431303965663639666566623433383736633834626330303265
37353337656233663938663839373931623137666662623266336537383631626631306235363064
33313564316438633139336261623736336336326239376630316335313631376132646563333430
33656432643130643832343065353834633366363339353964623762666564633835633636313731
63353637636165663136623736343234393038313235333363643237643566623766393838386635
33646233623032653233336266636335666233353032303837663162303939383262373761623261
35366661363966346233633739663635353361303264356534366235616164316138623730623632
62316362623736396264366632373661373835393434343364353431316362666235616635633566
64353530633334393737346663653562346335323065356665643132353738363132623031353664
66666639326238386634363664356664343161386435323736316636343536326435303066353035
37363731613138393333636562386363333932386362303139643262386237353863363764643139
64616561373239346464623165616332623434303433626638376232333733646136376431626438
66613134343639656331626630303030366133356636663735353466353834613430356265386162
66613332663232623438636661306332613162666561353537313336643134663664306630636639
61613363353264373831393962333631383236666130646333336431303735333165656438363432
38396530333631636135653534393531326434306362396237366430383166323832336434376364
38393431646338316232373431613930326532646333386435303034356564336665346133393866
61643533643361646265313334633463616437393437653935613261366635616430313064346532
32363831613565313836376338646466323130373032613863323037323566643164653132633735
65636562653535626461396666643330386333663137613333643165656336633038323036373162
31376338613862333334643561313332326237646565633934323032626662633631633033623063
63306664656437663732323339383735306132616531373865323835633264333639336163366466
33373433653839393638323034623835643531393266306331313563613265616633353763653438
65363532653163303861383531356639316331343531666666636336373634636134633331366364
62366230366435323435613964636533353236373935626632623536396664313264653031623062
33366166343630313839366262313234346262343336386538336335393835646138666330656361
61313936323838653832633130346539636363613838343363663431623063333933383466353938
65383361333561383631643938613862343236346233363466333237316339616362366565306639
39356563656132303463346138356435303038303165363935343266396462326365363262393336
37396235366639623761366239386165613065626431633733306234343866663266633631656237
63643430383433393835663635356265636635363137613064353066313338346436356632346265
38393730336465396263373137383238653337396364643061303234666266663064663265383434
36636138643432373633313038393737663735363838396164366234643533633762383062353831
66326231363337323666386263373438656630346336663239643030386434636264666634393631
39313364333761343532346165396365306463393037643935666363323630326664616638313338
39396336653738353333343835363861643166376565346463303135376439336134666235623230
32363031303732666133386164313437366164326539373564623236356432303132633436323563
36323634373538376133613736633133356638323861636434646465643432636366376138636232
63633830613462613831313938326339343632393038376639623131366364623536353338363439
32613331623863336165636364616634303264356630303665383638663737343836663831363263
63366562393734323030306436346534626530656465396535323835316139633562363830373437
63626530326530383538623165356532303862353763326432373966626436303465373431373762
38613539623164353732623636376630643465343839666531306438326633343362306665366132
39396537366266353864656232616334336130333337306463313932393832653661343036396261
64613461633433356334623631643861303133383963336635623138326139613564343838366565
36343130353462333162313736636139306233366466626231306561626335396262663531333839
61336437343137356335633764373730306466326133356331333530353537616661373062656438
35356235666464656466323937353837623535643937383866666133383633396563333338633034
38366531613164363966323137646237393135383164643230663331306335636432656565633636
34343031633632346533353666353034666266666561346464306665386634313263323333653330
66323033393531343633356466613837346164393332613037636465343230623731616361336338
61373332373636646435353734386366613334323161626437396232613534613330613532323534
65653065386432313733663165616333663666363733623162306536303833663136353334656466
64353931363838613761663561666639373865393438396565626661343934353662363834636535
65363664393433313036383438643864663339626331343230343337316437336634636363303563
35373539383535353235633730386232363539616632336566376264393832383637663330613133
37643261363966633138373935333438393536373938383265373261363232343030373539366335
61633162663137643061363366653135323639363838626266386262666133306461333432313738
30313332626166303630363839396663396564633961383863326663356230343938643833303933
34333032353935323565346633363537656639613663356130383264373739636231363364613066
36653664346434393933383337313630623131396461343930383537633536643365306564396665
31353861643335353538623838393335326364393738376239623431306231363739656438626265
37666532336661306262303761616238666239623265663231386165353437366631376234343035
33393037316563373534373765616238616639303031346430623561663430393536303163613338
65353062336164626335376235656235343637366438353334356436653266333062663838316263
32623732306462356162623437393035626433336631643833626463656634366332613936346465
34653331363133373635633330363564333264623566613432383439396537343963653239336265
33326132663434363065646265646130333935303662623037363938313464366564323734333437
36336335303738643634653164306332636130316161393335656536386131396662616366383139
36663863343736666665363337663537326330323437346565346465326231366563643136366365
37636361343961326261336437616266373962643765346438333766306537303137353764396330
39626635373631353635313935363834363730386132376363663462653330623130663266373432
65343237326535613535386363396236336536366165306463643162346638623638373433646163
62613935363636353639623839396231393838303135346536383037353636613563323234626131
64373666303436393861373164376564646235366131343433623733663832653039393738343537
65323534343464613230346532623966616462353532373064623566626563336464326336393364
39626237646431313135323036303065343138616632343237396136366332636132303037376132
33623031623635653162616265316366663262373666636638386130643336383130643232643662
34326663343562613962343033396332303261636230353331313730336630633461333736626333
66636430643330383032646634396133626339623036333963396662313234623466366634636334
33373762386662613966353664346239666133656435353365653536356331613632666132376264
62613433366633663065306166396166633836306139376533396165393966323465303638373563
63326330323161303065643365343363313338326238363137663139613463613434643834613662
64663365633965653363633165653038333335333232633434323037643936646561376431626230
66356138373136366134373533386634373061666330663364376336383433306331386162393633
33636330643531396464313736363061303466393861613730323563626363643731333633366532
64646130636234653566346533323962353332653335336239353630633535623935396638663366
37383661343636613261623833653032373764653164346634663431653664636233323734666166
36373664306566663930353338366431623563396166356638626166333165623263636336613138
34343936393964666564306637346561393538383137663162663630336462656663316338376236
63633666333263663734353861633164653132663334306664643133663736663766626639393236
32653430333163313363343731666135656662363838366132383732346130313130363365656263
32643533393163376264653632663262353966306630333064313932616262323134326361633764
63383837303936616434616630653833653833623263623532306363373836323431393335623530
34316562343035326265333164643163356230643639373431326431303538346363376332373434
31313666313663343363353130306561646136393732663164393232636330663635346434343134
33663138663336636430373763396435323138373633666438623234363631336232366635366532
62616239663934653462656163326134303261376635323864633435383666363065656665303538
62626538343638366236646136363232373437336630383739656438636465326531646664366462
36353663626634386538336239623734323234393463313034303837363164363263623065613061
38333162646232366339333662313965663336613238386530393162346266636532353433656136
66326436323836376432313238613165373565643233333435393361636637653361616435393438
32383763393561343734643438346635613663393736613839623263663866336165343235663933
66623137616561313462653631613830363666653635336534643935373739353138363934656134
35663063396162623432373534333463376231666466393963336231653939326663396336383735
34633763336163313432616163313638623963306666643432306661393632346339373963633265
32303862643661376433356661383335313365306534663534396638313531373538326236636363
37626138333437393363323261336663653163643565303063313231346131376261653763356631
62306262336337366134626632333663363139393131306666303235303761623665356431646234
33666461663035303066353137623762653565353533613435663839396238336337333463636465
38353135356634626137376232613330393235383432356436393030313564306537616363383136
66356463373138313661373565326565343066643133633630313031303132313031663739316631
66666631386163313034306532393862393930653931363235396662366262636466363464396466
61303962303066633764393831396632626233343633313061323838623134373036393164633139
30303861636335636131376334376239636235653233323435623262366132663934613661333135
61386136326435363337316363666330363431613135663661303438383664663930656564373730
32373731393666333364633835646431646662313232383136616238303264383438663766356462
32346664376430663934626661663039656461383738626265346162393861346163656161323333
39323666643031376530303230626166613233383731363766373634623430633635303963313466
34646331363539636133373134353535356265393265393635323532323134643034343663636362
38633261613433393634396234396265623063346138363133646532366638306632396464646432
61373961383438386535336131393633303430346162613738343839653038303035303033626535
37343030623530333332306265373539633735616634663666356437303862636338363866613861
38346130336338373865343866306665616530313938616366346131376262346135323537663137
39383366313766666234323234363937623264353532323033363966313135653163343036666262
34393832613034383239393930383063336131356364303231323966303633333331633666373764
65383137333965663234663933303231356165376233326233303035316536666563656363343933
36633039666432643135636331353932633164633964623661373739633665313433306561303637
62373534346562363132643063643732343462653838393635343266626535353864656437313434
34376538303965616539626534613431623834376337643936613137323031323139393762636463
66346664666361623636666533663037613434353135393862376633636233656330366136646434
30653735323961383130393763333630306131376430363436623238646632363462383739653636
37346566663039383866323639633565366338353438386461616239313639343766333661346435
33316538366463383733346663316564656566656165396465393461363061613239666165346661
62346639623163363762366431313831663135643062336363323336303737393437653863303665
36643466336566336236353166333063633830646461626262333937316162353365353130353535
30383164363532363532306364393236303537383139643431393962333063633162313033613561
32323434336364343061386666616639336566373461633462393130336461303531353436623065
65663430623066336533373662306566396263376562343936666166626666323964373334613835
64633535303365643564626562643562636363363834353865353765356665643965663861366436
63333736613232353130616466316637613966646139323565356537666331666564623832333439
36376131663431616430616265323039646432393166613631313762613264313765323231663961
65616636306362386534626130636261636566626365643630616135323634343935653033653433
3061

6
hosts

@ -69,7 +69,6 @@ switchs-manager.adm.auro.re
ldap-replica-ovh.adm.auro.re
prometheus-ovh.adm.auro.re
prometheus-federate.adm.auro.re
ns-2.auro.re
[ovh_testing_vm]
#re2o-test.adm.auro.re
@ -92,11 +91,6 @@ dns-fleming.adm.auro.re
dns-fleming-backup.adm.auro.re
ntp-1.int.infra.auro.re
prometheus-fleming.adm.auro.re
ns-master.int.infra.auro.re
dns-1.int.infra.auro.re
ns-1.auro.re
ldap-1.int.infra.auro.re
radius-1.isp.infra.auro.re
#prometheus-fleming-fo.adm.auro.re
radius-fleming.adm.auro.re
dns-1.int.infra.auro.re


@ -1,419 +0,0 @@
#!/usr/bin/env python3
import dataclasses
import ipaddress
import itertools
import sys
import typing
from typing import Annotated, Any
import dns
import dns.rdata
import dns.rdataclass
import dns.rdatatype
import dns.rdtypes.ANY.CNAME
import dns.rdtypes.ANY.MX
import dns.rdtypes.ANY.NS
import dns.rdtypes.ANY.PTR
import dns.rdtypes.ANY.SOA
import dns.rdtypes.ANY.SPF
import dns.rdtypes.ANY.TXT
import dns.rdtypes.IN.A
import dns.rdtypes.IN.AAAA
import dns.rdtypes.IN.SRV
import dns.reversename
import dns.serial
import dns.zone
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.validation import check_type_list
class RName(dns.name.Name):
"""Domain name used to represent an e-mail address (see RFC 1035)."""
def __init__(self, address):
try:
local, domain = address.split("@")
except ValueError:
raise ValueError(
"Invalid e-mail address format: {}".format(address)
)
super().__init__(
(local,) + dns.name.from_text(domain, origin=dns.name.empty).labels
)
class MultiRecords:
"""Annotation used to indicate that a field can be filled in more than
once via a list, and that this will create as many records as values.
"""
...
@dataclasses.dataclass
class A:
address: str
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.IN.A.A(
dns.rdataclass.IN.IN, dns.rdatatype.A, self.address
)
@dataclasses.dataclass
class AAAA:
address: str
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.IN.AAAA.AAAA(
dns.rdataclass.IN.IN, dns.rdatatype.AAAA, self.address
)
@dataclasses.dataclass
class PTR:
target: dns.name.Name
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.PTR.PTR(
dns.rdataclass.IN.IN, dns.rdatatype.PTR, self.target
)
@dataclasses.dataclass
class CNAME:
target: dns.name.Name
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.CNAME.CNAME(
dns.rdataclass.IN.IN, dns.rdatatype.CNAME, self.target
)
@dataclasses.dataclass
class MX:
exchange: Annotated[dns.name.Name, MultiRecords]
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
preference: int = 10
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.MX.MX(
dns.rdataclass.IN.IN,
dns.rdatatype.MX,
self.preference,
self.exchange,
)
@dataclasses.dataclass
class NS:
target: Annotated[dns.name.Name, MultiRecords]
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.NS.NS(
dns.rdataclass.IN.IN, dns.rdatatype.NS, self.target
)
@dataclasses.dataclass
class SPF:
data: str
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.SPF.SPF(
dns.rdataclass.IN.IN, dns.rdatatype.SPF, self.data
)
@dataclasses.dataclass
class TXT:
data: str
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.TXT.TXT(
dns.rdataclass.IN.IN, dns.rdatatype.TXT, self.data
)
@dataclasses.dataclass
class SRV:
target: Annotated[dns.name.Name, MultiRecords]
weight: int
port: int
priority: int = 10
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.IN.SRV.SRV(
dns.rdataclass.IN.IN,
dns.rdatatype.SRV,
self.priority,
self.weight,
self.port,
self.target,
)
@dataclasses.dataclass
class SOA:
mname: dns.name.Name
rname: RName
refresh: int
retry: int
expire: int
minimum: int
serial: int = 1
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
def rdata(self) -> dns.rdata.Rdata:
return dns.rdtypes.ANY.SOA.SOA(
dns.rdataclass.IN.IN,
dns.rdatatype.SOA,
self.mname,
self.rname,
self.serial,
self.refresh,
self.retry,
self.expire,
self.minimum,
)
def has_annotation(ty, annotation):
"""Is the type `ty` annotated with a given `annotation`."""
return (
typing.get_origin(ty) == typing.Annotated
and annotation in typing.get_args(ty)[1:]
)
def annotated_origin(ty):
"""Returns the origin of an annotated type `ty`."""
assert typing.get_origin(ty) == typing.Annotated
return typing.get_args(ty)[0]
def is_multi_records(ty):
"""Is the type `ty` annotated with `MultiRecords`."""
return has_annotation(ty, MultiRecords)
def spec_option_of_field(field):
types = {
str: "str",
dns.name.Name: "str",
RName: "str",
int: "int",
}
if is_multi_records(field.type):
option = {
"type": "list",
"elements": types[annotated_origin(field.type)],
}
else:
option = {"type": types[field.type]}
option["required"] = field.default is dataclasses.MISSING
return option
def spec_options_of_type(ty):
"""Convert a `dataclass` type to Ansible `argument_spec` `options`'
format."""
return {
field.name: spec_option_of_field(field)
for field in dataclasses.fields(ty)
}
def coerce_dns_name(value: Any) -> dns.name.Name:
"""Try to convert a `value` to `dns.name.Name`."""
if not isinstance(value, dns.name.Name):
return dns.name.from_text(value, origin=dns.name.empty)
return value
def product_dict(dct, keys=None):
"""Compute the "cartesian product" of a dictionnary `dct`
w.r.t some `keys` (if `keys` is None, then the product is computed
on all the keys)."""
if keys is None:
keys = dct.keys()
wrapped = {k: v if k in keys else [v] for k, v in dct.items()}
for values in itertools.product(*wrapped.values()):
yield dict(zip(wrapped.keys(), values))
def make_hosts_records(hosts):
for host, addrs in hosts.items():
for addr in check_type_list(addrs):
name = dns.name.from_text(host, origin=dns.name.empty)
decoded = ipaddress.ip_address(addr)
yield AAAA(addr, name) if decoded.version == 6 else A(addr, name)
def make_reverse_hosts_records(hosts):
for host, addrs in hosts.items():
for addr in check_type_list(addrs):
name = dns.name.from_text(host)
reverse = dns.reversename.from_address(addr)
yield PTR(name, reverse)
def make_records(args, ty):
# TODO: Ça n'est pas du tout élégant, mais :
# 1. je n'ai pas réussi à spécifier dans `argument_spec` un type tiers
# 2. Ansible positionne à `None` les entrées non passées à la tâche et
# ce comportement ne semble pas modifiable
types = {f.name: f.type for f in dataclasses.fields(ty)}
coercers = {
dns.name.Name: coerce_dns_name,
RName: RName,
}
def coerce_single(value, ty):
if ty in coercers:
return coercers[ty](value)
return value
def coerce(name, value):
if is_multi_records(types[name]):
origin = annotated_origin(types[name])
return [coerce_single(v, origin) for v in value]
return coerce_single(value, types[name])
clean_args = {
name: coerce(name, value)
for name, value in args.items()
if value is not None
}
multi_keys = {k for k, v in types.items() if is_multi_records(v)}
for single_args in product_dict(clean_args, multi_keys):
yield ty(**single_args)
def zones_eq(lhs: dns.zone.Zone, rhs: dns.zone.Zone) -> bool:
"""Returns a `bool` indicating whether two `dns.zone.Zone`s are equal
w.r.t. their text representation."""
return lhs.to_text(relativize=False, sorted=True) == rhs.to_text(
relativize=False, sorted=True
)
def write_text_file(path, text, module):
"""Naive text file write function with support for Ansible's diff and
check modes."""
diff_text = {
"before_header": f"{path} (content)",
"after_header": f"{path} (content)",
"after": text,
}
try:
with open(path) as f:
current = f.read()
changed = text != current
diff_text["before"] = current
except Exception:
changed = True
diff_text["before"] = None
if changed and not module.check_mode:
with open(path, "w") as f:
f.write(text)
file_args = module.load_file_common_arguments(module.params)
diff_attrs = {
"before_header": f"{path} (attributes)",
"after_header": f"{path} (attributes)",
}
changed = module.set_file_attributes_if_different(
file_args, changed, diff_attrs
)
return changed, [diff_text, diff_attrs]
def main() -> int:
record_types = {
"ns": NS,
"txt": TXT,
"a": A,
"aaaa": AAAA,
"srv": SRV,
"spf": SPF,
"ptr": PTR,
"cname": CNAME,
"mx": MX,
}
module_args = {
"path": {"type": "str", "required": True},
"origin": {"type": "str", "required": True},
"soa": {
"type": "dict",
"required": True,
"options": spec_options_of_type(SOA),
},
"hosts": {"type": "dict", "default": {}},
"reverse_hosts": {"type": "dict", "default": {}},
}
for name, ty in record_types.items():
module_args[name] = {
"type": "list",
"default": [],
"elements": "dict",
"options": spec_options_of_type(ty),
}
module = AnsibleModule(
argument_spec=module_args,
add_file_common_args=True,
supports_check_mode=True,
)
origin = dns.name.from_text(module.params["origin"])
path = module.params["path"]
zone = dns.zone.Zone(origin)
records = itertools.chain(
make_records(module.params["soa"], SOA),
make_reverse_hosts_records(module.params["reverse_hosts"]),
make_hosts_records(module.params["hosts"]),
itertools.chain.from_iterable(
itertools.chain.from_iterable(
make_records(args, ty) for args in module.params[name]
)
for name, ty in record_types.items()
),
)
for record in records:
node = zone.get_node(record.name, create=True)
rdata = record.rdata()
dataset = node.get_rdataset(rdata.rdclass, rdata.rdtype, create=True)
dataset.add(rdata)
zone_text = zone.to_text(relativize=False, sorted=True)
changed, diff = write_text_file(path, zone_text, module)
module.exit_json(changed=changed, diff=diff)
return 0
if __name__ == "__main__":
sys.exit(main())


@ -1,18 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- radius-1.isp.infra.auro.re
vars:
radiusd__clients:
localhost:
addr: 127.0.0.1
secret: abcdef
wifi-ap-v4:
addr: 10.102.0.0/16
secret: abcdef
wifi-ap-v6:
addr: 2a09:6840:102::/56
secret: abcdef
roles:
- freeradius
...


@ -7,7 +7,6 @@
- dhcp-2.isp.auro.re
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
- radius-1.isp.infra.auro.re
vars:
# TODO: netbox
ifupdown2__hosts:
@ -19,14 +18,6 @@
addresses:
- 2a09:6840:128::203/56
- 10.128.0.203/16
radius-1.isp.infra.auro.re:
ens18:
gateways:
- 2a09:6840:128::254
- 10.128.0.254
addresses:
- 2a09:6840:128::208/56
- 10.128.0.208/16
dns-1.int.infra.auro.re:
ens18:
gateways:
@ -209,7 +200,6 @@
- dhcp-2.isp.auro.re
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
- radius-1.isp.infra.auro.re
vars:
resolvconf__nameservers:
- 2a09:6840:128::127

17
playbooks/knot.yml Executable file

@ -0,0 +1,17 @@
#!/usr/bin/env ansible-playbook
---
- hosts: all
roles: []
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o_service
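Review bot: The only live play, `- hosts: all` with `roles: []`, applies nothing but, with Ansible's default fact gathering, still connects to every inventory host each time the playbook runs; the commented draft below it already targets `authoritative_dns`, so the placeholder should either be scoped the same way, `- hosts: authoritative_dns` with `gather_facts: false`, or dropped until the draft is ready. The `# WIP: Deploy authoritative DNS servers` comment presumably describes the whole file rather than the commented block alone; moving it above the first play would make that intent clear to the next reader.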


@ -1,532 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts: ns-master.int.infra.auro.re
vars:
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
ksk-infra:
algorithm: hmac-sha512
secret: "{{ vault_knotd_ksk_infra_key }}"
update-acme-challenge:
algorithm: hmac-sha512
secret: "{{ vault_certbot_dns_secret }}"
knotd__remotes:
xfr-ns-1:
address: 10.128.0.199
key: xfr
xfr-ns-2:
address: 10.128.0.109
key: xfr
ksk-infra:
address: ::1
key: ksk-infra
knotd__policies:
public:
algorithm: ECDSAP256SHA256
reproducible_signing: true
# Je n'ai pas trouvé de façon de pousser les records automatiquement
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
# KSK n'expire pas
ksk_lifetime: 0
zsk_lifetime: 30d
nsec3: true
infra:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-infra
cds-cdnskey-publish: rollover
ksk-submission: infra
ripe:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-ripe
cds-cdnskey-publish: rollover
ksk-submission: ripe
knotd__acl:
xfr:
addresses:
- 10.128.0.199
- 2a09:6840:128::199
- 10.128.0.109
- 2a09:6840:128::109
action: transfer
key: xfr
ksk-infra:
addresses:
- 127.0.0.1
- ::1
key: ksk-infra
action: update
update_types:
- DS
update_owner: name
update_owner_match: equal
update_owner_name:
- infra
update-acme-challenge:
addresses:
- 10.128.0.0/16
- 2a09:6840:128::/48
key: update-acme-challenge
action: update
update_types:
- TXT
update_owner: name
update_owner_match: equal
update_owner_name:
- _acme-challenge.auro.re.
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__soa_rname: root@auro.re.
# TODO: Netbox
knotd__hosts:
auro.re:
proxy-ovh:
- 92.222.211.195
horus:
- 92.23.218.136
ns-1:
- 45.66.111.30
- 2a09:6840:111::30
ns-2:
- 92.222.211.194
serge:
- 92.222.211.196
lama:
- 185.230.78.220
- 2a0c:700:12:0:67:e5ff:fee9:108
vpn-ovh:
- 92.222.211.197
passerelle:
- 45.66.111.254
- 2a09:6840:111::254
proxy:
- 45.66.111.61
- 2a09:6840:111::61
camelot:
- 45.66.111.59
- 2a09:6840:111::59
mail:
- 45.66.111.62
- 2a09:6840:111::62
galene:
- 45.66.111.65
- 2a09:6840:111::65
aclyas:
- 45.66.111.231
- 2a09:6840:111::231
jitsi:
- 45.66.111.55
- 2a09:6840:111::55
portail-fleming:
- 10.13.0.247
- 2a09:6840:13::247
portail-pacaterie:
- 10.23.0.247
- 2a09:6840:23::247
portail-rives:
- 10.33.0.247
- 2a09:6840:33::247
portail-edc:
- 10.43.0.247
- 2a09:6840:43::247
portail-gs:
- 10.53.0.247
- 2a09:6840:53::247
adh.auro.re:
hoffman:
- 45.66.110.1
- 2a09:6840:110:0:2d8:61ff:fe56:d7eb
hindley:
- 45.66.110.3
- 2a09:6840:110:0:a6ba:dbff:fe03:1f36
yberreby:
- 45.66.110.5
- 2a09:6840:110:0:d896:1dff:fe59:8381
paon:
- 45.66.110.10
- 2a09:6840:110:0:231:92ff:fe1b:ae22
lovelace:
- 45.66.110.45
- 2a09:6840:110:0:c634:6bff:feb5:7bcc
switch-leo:
- 45.66.110.103
- 2a09:6840:110:0:82cc:9cff:fe82:ca3e
haskell:
- 45.66.110.112
- 2a09:6840:110:0:f4ac:cbff:fe81:7f48
lyshyga0:
- 45.66.110.113
- 2a09:6840:110:0:6af7:28ff:fe91:e8d9
pz28910:
- 45.66.110.114
vinsing0:
- 45.66.110.123
- 2a09:6840:110:0:1e1b:dff:fe90:7d81
osc-routeur:
- 45.66.110.125
- 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
odroid:
- 45.66.110.154
- 2a09:6840:110:0:21e:6ff:fe49:e00
amau0:
- 45.66.110.164
- 2a09:6840:110:0:3e7c:3fff:fec3:27d1
regulus:
- 45.66.110.180
- 2a09:6840:110:0:2ef0:5dff:fe2a:1530
toaster:
- 45.66.110.188
- 2a09:6840:110:0:5246:5dff:fe9a:f70
rpijutax:
- 45.66.110.190
- 2a09:6840:110:0:ba27:ebff:fe76:a9bc
lafeychine:
- 45.66.110.200
- 2a09:6840:110:0:46a5:6eff:fe71:1
polaris:
- 45.66.110.245
- 2a09:6840:110:0:dea6:32ff:feb4:d033
pz28:
- 109.209.83.178
knotd__zones:
auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- update-acme-challenge
- ksk-infra
- xfr
soa:
mname: ns-master.int.infra
ns:
- target:
- ns-1
- ns-2
- name: infra
target:
- ns-1
- ns-2
- name: isp
target:
- ns-1
- ns-2
- name: adm
target:
- serge
- lama
- name: ups
target:
- serge
- lama
- name: switch
target:
- serge
- lama
- name: borne
target:
- serge
- lama
mx:
- exchange: mail
preference: 5
- exchange: proxy-ovh
preference: 10
spf:
- data: v=spf1 mx -all
a:
- address: 92.222.211.195
cname:
- name:
- element
- riot
- auth
- rss
- codimd
- hedgedoc
- kanboard
- www
- pad
- privatebin
- zero
- paste
- hétérogénéité
target: proxy-ovh
- name:
- grafana
- netbox
- wiki
- matrix
- drone
- gitea
- re2o
- nextcloud
target: proxy
- name: intranet
target: re2o
- name:
- smtp
- imap
target: mail
- name:
- prometheus-paul.adh
- pma-paul.adh
- nextcloud-paul.adh
- grafana-paul.adh
- jellyfin.adh
- monitoring.adh
- beta-mpp.adh
target: pz28.adh
hosts: "{{ knotd__hosts['auro.re']
| combine(knotd__hosts['adh.auro.re']
| add_origin_keys('adh.auro.re.')) }}"
infra.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
hosts:
services-1.ceph:
- 10.132.1.1
- "2a09:6840:132:1:1::"
services-2.ceph:
- 10.132.1.2
- "2a09:6840:132:1:2::"
services-3.ceph:
- 10.132.1.3
- "2a09:6840:132:1:3::"
ns-master.int:
- 10.128.0.110
- 2a09:6840:128:0::110
ec-1.ups:
- 10.131.4.1
- 2a09:6840:131::4:1
ec-2.ups:
- 10.131.4.2
- 2a09:6840:131::4:2
ldap-1.int:
- 10.128.0.10
- 2a09:6840:128::10
ntp-1.int:
- 10.128.0.203
- 2a09:6840:128::203
dns-1.int:
- 10.128.0.127
- 2a09:6840:128::127
isp-1.rtr:
- 10.128.0.255
- 2a09:6840:128::255
isp-2.rtr:
- 10.128.0.158
- 2a09:6840:128::158
radius-1.isp:
- 10.128.0.208
- 2a09:6840:128::208
isp.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
hosts:
dhcp-1:
- 10.128.0.204
- 2a09:6840:128::204
dhcp-2:
- 10.128.0.91
- 2a09:6840:128::91
108.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
109.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
110.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
reverse_hosts: "{{ knotd__hosts['adh.auro.re']
| ip_filter(['45.66.110.0/24'])
| add_origin_keys('adh.auro.re.') }}"
111.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['45.66.111.0/24'])
| add_origin_keys('auro.re.') }}"
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('auro.re.')
| combine(knotd__hosts['adh.auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('adh.auro.re.')) }}"
#reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
#hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
#nb_dns__vlan_suffixes:
# external-services: ext.infra.auro.re.
# wifi-access-points: wifi.infra.auro.re.
# monitoring: monit.infra.auro.re.
# routers: rtr.infra.auro.re.
# services-ceph: ceph.infra.auro.re.
# ups: ups.infra.auro.re.
# switchs: sw.infra.auro.re.
# internal-services: int.infra.auro.re.
# bmc: bmc.infra.auro.re.
roles:
- knotd
- hosts:
- ns-1.auro.re
- ns-2.auro.re
vars:
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
knotd__remotes:
xfr-master:
address: 10.128.0.110
key: xfr
knotd__acl:
notify-master:
address:
- 10.128.0.110
- 2a09:6840:128::110
key: xfr
action: notify
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__zones:
auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
infra.auro.re:
dnssec_validation: true
acl:
- notify-master
#queryacl: local
master: xfr-master
isp.auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
108.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
109.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
110.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
111.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
roles:
- knotd
...


@ -1,22 +0,0 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- dns-1.int.infra.auro.re
vars:
kresd__listen:
- address: 0.0.0.0
port: 53
kind: dns
- address: "::"
port: 53
kind: dns
- address: 0.0.0.0
port: 853
kind: tls
- address: "::"
port: 853
kind: tls
kresd__cache_size: 512
roles:
- kresd
...

10
playbooks/radius.yml Executable file

@ -0,0 +1,10 @@
#!/usr/bin/env ansible-playbook
---
# Deploy Radius
- hosts: radius-*.adm.auro.re
vars:
update_motd:
unbound: FreeRADIUS est déployé.
roles:
- radius
- update_motd
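Review bot: The key under `update_motd` is `unbound` while the message reads `FreeRADIUS est déployé.`, which looks like a copy-paste from another playbook; if the `update_motd` role uses that key as the service name shown in the motd, it should read `radius: FreeRADIUS est déployé.` (or `freeradius:`). The `update_motd` role is not part of this diff, so confirm what the key controls before renaming it. The host pattern `radius-*.adm.auro.re` selects by inventory-name glob rather than by group, unlike the other playbooks in this compare which list explicit hosts or groups; an inventory group for the RADIUS servers would keep host selection in one place.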


@ -1 +0,0 @@
dnspython


@ -1,6 +0,0 @@
---
collections:
- name: community.general
- name: community.postgresql
- name: ansible.utils
...


@ -1,30 +0,0 @@
---
radiusd__max_attributes: 200
radiusd__status_server: true
radiusd__clients: {}
radiusd__enabled_modules_minimal:
- always
- attr_filter
- cache_eap # TODO
- dynamic_clients # TODO
- eap # TODO
- expiration # TODO
- expr # TODO
- linelog # TODO
- logintime # TODO
- realm # TODO
- unpack # TODO
- eap_inner
- ldap
- pap
- utf8
radiusd__enabled_modules: []
radiusd__tls_cipher_list: DEFAULT
radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
radiusd__enabled_sites_minimal:
- default
- inner-tunnel
radiusd__enabled_sites: []
...


@ -1,6 +0,0 @@
---
- name: Restart freeradius
systemd:
name: freeradius.service
state: restarted
...


@ -1,132 +0,0 @@
---
- name: Install freeradius
apt:
name: freeradius
install_recommends: false
- name: Remove unused files
file:
path: "/etc/freeradius/3.0/{{ item }}"
state: absent
loop:
- templates.conf
- trigger.conf
- README.rst
- panic.gdb
- experimental.conf
- certs/ca.cnf
- certs/bootstrap
- certs/client.cnf
- certs/inner-server.cnf
- certs/server.cnf
- certs/README
- certs/Makefile
- certs/xpextensions
- policy.d/accounting
- policy.d/rfc7542
- policy.d/dhcp
- policy.d/debug
- policy.d/control
- policy.d/abfab-tr
- policy.d/moonshot-targeted-ids
- policy.d/operator-name
- mods-config/unbound/
- mods-config/perl/
- mods-config/python3/
- mods-config/sql/
- mods-config/files/
- mods-config/preprocess/
- mods-config/README.rst
- users
- hints
- huntgroups
- name: Configure freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
owner: root
group: freerad
mode: u=rw,g=r,o=
loop:
- radiusd.conf
#- proxy.conf
- clients.conf
- dictionary
- mods-available/utf8
- mods-available/always
- mods-available/eap
- mods-available/eap_inner
- mods-config/attr_filter/access_challenge
- mods-config/attr_filter/access_reject
- sites-available/inner-tunnel
- sites-available/default
notify:
- Restart freeradius
- name: Enumerate available modules
find:
paths: /etc/freeradius/3.0/mods-available
register: available_modules
- name: Disable modules
file:
path: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
state: absent
loop: "{{ available_modules.files
| map(attribute='path')
| map('basename')
| difference(radiusd__enabled_modules_minimal
| union(radiusd__enabled_modules)) }}"
notify:
- Restart freeradius
- name: Enable modules
file:
src: "/etc/freeradius/3.0/mods-available/{{ item }}"
dest: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
state: link
owner: root
group: freerad
mode: u=rw,g=r,o=
loop: "{{ radiusd__enabled_modules_minimal
| union(radiusd__enabled_modules) }}"
notify:
- Restart freeradius
- name: Enumerate available sites
find:
paths: /etc/freeradius/3.0/sites-available
register: available_sites
- name: Disable sites
file:
path: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
state: absent
loop: "{{ available_sites.files
| map(attribute='path')
| map('basename')
| difference(radiusd__enabled_sites_minimal
| union(radiusd__enabled_sites)) }}"
notify:
- Restart freeradius
- name: Enable sites
file:
src: "/etc/freeradius/3.0/sites-available/{{ item }}"
dest: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
state: link
owner: root
group: freerad
mode: u=rw,g=r,o=
loop: "{{ radiusd__enabled_sites_minimal
| union(radiusd__enabled_sites) }}"
notify:
- Restart freeradius
- name: Enable and start freeradius
systemd:
name: freeradius.service
state: started
enabled: true
...


@ -1,16 +0,0 @@
{{ ansible_managed | comment }}
{% for name, client in radiusd__clients.items() %}
client {{ name }} {
ipaddr = {{ client.addr }}
shortname = {{ name }}
proto = *
require_message_authenticator = yes
nastype = other
secret = {{ client.secret }}
{% if client.virtual_server is defined %}
virtual_server = {{ client.virtual_server }}
{% endif %}
}
{% endfor %}


@ -1 +0,0 @@
{{ ansible_managed | comment }}


@ -1,37 +0,0 @@
{{ ansible_managed | comment }}
always reject {
rcode = reject
}
always fail {
rcode = fail
}
always ok {
rcode = ok
}
always handled {
rcode = handled
}
always invalid {
rcode = invalid
}
always userlock {
rcode = userlock
}
always notfound {
rcode = notfound
}
always noop {
rcode = noop
}
always updated {
rcode = updated
}


@ -1,11 +0,0 @@
{{ ansible_managed | comment }}
attr_filter attr_filter.access_reject {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_reject
}
attr_filter attr_filter.access_challenge {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_challenge
}


@ -1,59 +0,0 @@
{{ ansible_managed | comment }}
eap {
default_eap_type = peap
type = peap
type = ttls
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
timer_expire = 60
max_sessions = ${max_requests}
tls-config tls-common {
private_key_file = {{ radiusd__tls_private_key_file }}
certificate_file = {{ radiusd__tls_certificate_file }}
ca_file = {{ radiusd__tls_ca_file }}
dh_file = ${certdir}/dh
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
cipher_server_preferences = yes
tls_min_version = "1.2"
tls_max_version = "1.2" # TODO: 1.3
# TODO
# cache {
# enable = yes
# lifetime = 24
# name = "eap"
# persistdir = "${logdir}/tlscache"
# store {
# Tunnel-Private-Group-Id
# }
# }
ocsp {
enable = no
}
}
peap {
tls = tls-common
default_eap_type = gtc
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
ttls {
tls = tls-common
default_eap_type = pap
require_client_cert = no
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
}
}


@ -1,14 +0,0 @@
{{ ansible_managed | comment }}
eap inner-eap {
default_eap_type = gtc
type = gtc
type = pap
gtc {
auth_type = LDAP
}
}


@ -1,50 +0,0 @@
{{ ansible_managed | comment }}
ldap {
server = "ldap://ldap-1.int.infra.auro.re"
# TODO: quand on passera en prod, créer un utilisation dédié
identity = "cn=Directory manager"
password = "MotDePasseSuperComplique"
base_dn = "ou=users,dc=auro,dc=re"
user_dn = "LDAP-UserDn"
user {
base_dn = "${..base_dn}"
filter = "{{ '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' }}"
}
group {
base_dn = "${..base_dn}"
filter = "(objectClass=posixGroup)"
membership_attribute = "memberOf"
}
options {
# TODO
chase_referrals = no
rebind = no
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}


@ -1,5 +0,0 @@
{{ ansible_managed | comment }}
pap {
normalise = no
}


@ -1,4 +0,0 @@
{{ ansible_managed | comment }}
utf8 {
}


@ -1,10 +0,0 @@
{{ ansible_managed | comment }}
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY


@ -1,10 +0,0 @@
{{ ansible_managed | comment }}
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Error-Cause =* ANY,
Reply-Message =* ANY,
MS-CHAP-Error =* ANY,
Proxy-State =* ANY


@ -1,23 +0,0 @@
{{ ansible_managed | comment }}
proxy server {
default_fallback = no
dynamic = no
}
{% for name, hs in radiusd__home_servers.items %}
home_server {{ name }} {
type = auth
ipaddr = {{ hs.addr }}
port = {{ hs.port | int }}
}
{% endfor %}
{% for name, realm in radiusd__realms.items() %}
realm {{ name }} {
auth_pool = auth_pool
}
{% endfor %}
realm LOCAL {
}


@ -1,68 +0,0 @@
{{ ansible_managed | comment }}
prefix = /usr
exec_prefix = /usr
sysconfigdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
checkrad = ${sbindir}/checkrad
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
correct_escapes = true
log {
destination = syslog
syslog_facility = daemon
auth = yes
}
security {
user = freerad
group = freerad
allow_core_dumps = no
max_attributes = {{ radiusd__max_attributes | int }}
status_server = {{ radiusd__status_server | ternary("yes", "no") }}
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
auto_limit_acct = no
}
modules {
$INCLUDE mods-enabled/
}
instantiate {
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/


@ -1,69 +0,0 @@
{{ ansible_managed | comment }}
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = auth
ipv6addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
authorize {
filter_username # TODO
suffix
eap
}
authenticate {
eap
}
preacct {
}
accounting {
}
post-auth {
if (session-state:User-Name && reply:User-Name \
&& request:User-Name \
&& (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
update {
&reply: += &session-state:
}
Post-Auth-Type REJECT {
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
remove_reply_message_if_eap
}
pre-proxy {
}
post-proxy {
eap
}
}


@ -1,39 +0,0 @@
{{ ansible_managed | comment }}
server inner-tunnel {
authorize {
# Look for realm using the 'suffix' format (user@realm)
suffix
# Don't proxy requests from inner tunnel
update control {
&Proxy-To-Realm := LOCAL
}
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
# Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for
# sites-available/inner-tunnel)
inner-eap {
ok = return
}
ldap
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
if ((ok || updated) && User-Password) {
update control {
Auth-Type := ldap
}
}
pap
}
authenticate {
inner-eap
# Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
ldap
}
}


@ -1,28 +0,0 @@
---
knotd__run_dir: /run/knot
knotd__user: knot
knotd__group: knot
knotd__listen: []
knotd__port: 53
knotd__database_dir: /var/lib/knot
knotd__keys: []
knotd__remotes: []
knotd__submissions: []
knotd__policies: []
knotd__reproducible_signing: true
knotd__nsec3: true
knotd__cds_cdnskey_publish: rollover
knotd__acl: []
knotd__acl_update_owner: name
knotd__acl_update_owner_match: equal
knotd__queryacl: {}
knotd__zones_dir: "{{ knotd__database_dir }}/zones"
knotd__semantic_checks: true
knotd__serial_policy: increment
knotd__zones: []
knotd__soa_refresh: 1d
knotd__soa_retry: 2h
knotd__soa_expire: 1000h
knotd__soa_minimum: 1d
knotd__dnssec_validation: true
...


@ -1,11 +0,0 @@
---
- name: Restart knotd
systemd:
name: knot.service
state: restarted
- name: Reload knotd
systemd:
name: knot.service
state: reloaded
...


@ -1,75 +0,0 @@
---
- name: Install knotd and dnspython
apt:
name:
- knot
- python3-dnspython
- name: Install config files
template:
src: knot.conf.j2
dest: /etc/knot/knot.conf
owner: root
group: knot
mode: u=rw,g=r,o=
notify:
- Restart knotd
- name: Create zones directory
file:
path: "{{ knotd__zones_dir }}"
state: directory
owner: root
group: "{{ knotd__group }}"
mode: u=rwx,g=rx,o=
- name: Create zone files
dns_zone:
path: "{{ knotd__zones_dir }}/{{ item.key }}.zone"
owner: root
group: "{{ knotd__group }}"
mode: u=rw,g=r,o=
origin: "{{ item.key }}"
soa:
mname: "{{ item.value.soa.mname }}"
rname: "{{ item.value.soa.rname | default(knotd__soa_rname)
| default(omit) }}"
refresh: "{{ item.value.soa.refresh | default(knotd__soa_refresh)
| community.general.to_seconds | int }}"
retry: "{{ item.value.soa.retry | default(knotd__soa_retry)
| community.general.to_seconds | int }}"
expire: "{{ item.value.soa.expire | default(knotd__soa_expire)
| community.general.to_seconds | int }}"
minimum: "{{ item.value.soa.minimum | default(knotd__soa_minimum)
| community.general.to_seconds | int }}"
hosts: "{{ item.value.hosts | default(omit) }}"
reverse_hosts: "{{ item.value.reverse_hosts | default(omit) }}"
ns: "{{ item.value.ns | default(omit) }}"
mx: "{{ item.value.mx | default(omit) }}"
cname: "{{ item.value.cname | default(omit) }}"
txt: "{{ item.value.txt | default(omit) }}"
a: "{{ item.value.a | default(omit) }}"
spf: "{{ item.value.spf | default(omit) }}"
srv: "{{ item.value.srv | default(omit) }}"
ptr: "{{ item.value.ptr | default(omit) }}"
aaaa: "{{ item.value.aaaa | default(omit) }}"
when: "item.value.master is not defined
and (item.value.enabled | default(true))"
loop: "{{ knotd__zones | dict2items }}"
notify:
- Reload knotd
- name: Remove disabled zone files
file:
path: "{{ knotd__zones_dir }}/{{ item.key }}.zone"
state: absent
when: "item.value.master is not defined
and not (item.value.enabled | default(true))"
loop: "{{ knotd__zones | dict2items }}"
- name: Enable and start knotd
systemd:
name: knot.service
enabled: true
state: started
...


@ -1,144 +0,0 @@
{{ ansible_managed | comment }}
server:
rundir: "{{ knotd__run_dir }}"
user: {{ knotd__user }}:{{ knotd__group }}
{% for listen in knotd__listen %}
listen: {{ listen.address }}@{{ listen.port | default(knotd__port) }}
{% endfor %}
version: ""
identity: ""
log:
- target: syslog
any: info
database:
storage: "{{ knotd__database_dir }}"
{% if knotd__keys %}
key:
{% for id, key in knotd__keys.items() %}
- id: {{ id }}
algorithm: {{ key.algorithm }}
secret: {{ key.secret }}
{% endfor %}
{% endif %}
{% if knotd__remotes %}
remote:
{% for id, remote in knotd__remotes.items() %}
- id: {{ id }}
address: {{ remote.address }}
{% if remote.key is defined %}
key: {{ remote.key }}
{% endif %}
{% endfor %}
{% endif %}
{% if knotd__submissions %}
submission:
{% for id, submission in knotd__submissions.items() %}
- id: {{ id }}
parent: {{ submission.parent }}
{% endfor %}
{% endif %}
{% if knotd__policies %}
policy:
{% for id, policy in knotd__policies.items() %}
- id: {{ id }}
algorithm: {{ policy.algorithm }}
{% if policy.algorithm.startswith("ECDSA") %}
reproducible-signing: {{ policy.reproducible_signing
| default(knotd__reproducible_signing)
| ternary("on", "off") }}
{% endif %}
ksk-lifetime: {{ policy.ksk_lifetime }}
zsk-lifetime: {{ policy.zsk_lifetime }}
nsec3: {{ policy.nsec3
| default(knotd__nsec3)
| ternary("on", "off") }}
{% if policy.ds_push is defined %}
ds-push: {{ policy.ds_push }}
{% endif %}
cds-cdnskey-publish: {{ policy.cds_cdnskey_publish
| default(knotd__cds_cdnskey_publish) }}
{% if policy.ksk_submission is defined %}
ksk-submission: {{ policy.ksk_submission }}
{% endif %}
{% endfor %}
{% endif %}
{% if knotd__acl %}
acl:
{% for id, acl in knotd__acl.items() %}
- id: {{ id }}
{% if acl.addresses is defined %}
address: [ {{ acl.addresses | join(", ") }} ]
{% endif %}
action: {{ acl.action }}
{% if acl.action == "update" %}
update-type: [ {{ acl.update_types | join(", ") }} ]
update-owner: {{ acl.update_owner
| default(knotd__acl_update_owner) }}
update-owner-match: {{ acl.update_owner_match
| default(knotd__acl_update_owner_match) }}
update-owner-name: [ {{ acl.update_owner_name | join(", ") }} ]
{% endif %}
{% if acl.key is defined %}
key: {{ acl.key }}
{% endif %}
{% endfor %}
{% endif %}
{% if knotd__queryacl %}
mod-queryacl:
{% for id, acl in knotd__queryacl.items() %}
- id: {{ id }}
address: [ {{ acl.addresses | join(", ") }} ]
{% endfor %}
{% endif %}
template:
- id: default
storage: "{{ knotd__zones_dir }}"
file: "%s.zone"
zonefile-sync: -1
journal-content: changes
journal-content: all
serial-policy: {{ knotd__serial_policy }}
{% if knotd__zones %}
zone:
{% for domain, zone in knotd__zones.items() %}
{% if zone.enabled | default(true) %}
- domain: {{ domain }}
{% if zone.notify is defined %}
notify: [ {{ zone.notify | join(", ") }} ]
{% endif %}
{% if zone.acl is defined %}
acl: [ {{ zone.acl | join(", ") }} ]
{% endif %}
{% if zone.queryacl is defined %}
module: mod-queryacl/{{ zone.queryacl }}
{% endif %}
{% if zone.master is defined %}
master: {{ zone.master }}
zonefile-load: none
{% else %}
zonefile-load: difference-no-serial
semantic-checks: {{ knotd__semantic_checks
| ternary("on", "off") }}
{% endif %}
{% if zone.dnssec_policy is defined %}
dnssec-policy: {{ zone.dnssec_policy }}
dnssec-signing: on
{% else %}
dnssec-validation: {{ zone.dnssec_validation
| default(knotd__dnssec_validation)
| ternary("on", "off") }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}


@ -1,4 +0,0 @@
---
kresd__listen: []
kresd__freebind: true
kresd__cache_size: 128


@ -1,5 +0,0 @@
---
- name: Restart kresd
systemd:
name: kresd@1.service
state: restarted


@ -1,21 +0,0 @@
---
- name: Install knot-resolver
apt:
name: knot-resolver
- name: Configure kresd
template:
src: kresd.conf.j2
dest: /etc/knot-resolver/kresd.conf
owner: root
group: knot-resolver
mode: u=rw,g=r,o=
notify:
- Restart kresd
- name: Enable and start kresd
systemd:
name: kresd@1.service
state: started
enabled: true
...


@ -1,21 +0,0 @@
{{ ansible_managed | comment(decoration="-- ") }}
{% for listen in kresd__listen %}
net.listen(
{{ listen.address | enquote }},
{{ listen.port | int }},
{
kind = {{ listen.kind | enquote }},
freebind = {{ listen.freebind
| default(kresd__freebind) }},
}
)
{% endfor %}
modules = {
'hints > iterate',
'stats',
'predict',
}
cache.size = {{ kresd__cache_size | int }} * MB

263
roles/radius/tasks/main.yml Normal file

@ -0,0 +1,263 @@
---
- name: Add backports repositories
apt_repository:
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
loop:
- "deb"
- "deb-src"
- name: Ensure /var/www exists
file:
name: "/var/www"
state: directory
mode: 0755
- name: Clone re2o repo
git:
repo: "https://gitlab.federez.net/re2o/re2o.git"
dest: "/var/www/re2o"
version: "dev"
force: true
- name: Template local re2o settings
template:
src: "{{ item }}.j2"
dest: "/var/www/re2o/re2o/{{ item }}"
mode: 0644
loop:
- settings_local.py
- local_routers.py
# What follows is a hideous abomination.
# Blame freeradius-python3 on backports.
- name: try to install freeradius-python3 (this will fail on post-install)
apt:
name: freeradius-python3
default_release: buster-backports
update_cache: true
ignore_errors: true
- name: fix freeradius-python3 postinstall script
template:
src: freeradius-python3.postinst.j2
dest: /var/lib/dpkg/info/freeradius-python3.postinst
mode: 0644
- name: reinstall broken package (this might fail too, for different reasons)
apt:
name: freeradius-python3
default_release: buster-backports
force: true
ignore_errors: true
- name: Setup radius symlinks
file:
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
dest: "/etc/freeradius/3.0/{{ item.filename }}"
state: link
force: true
loop:
- local_prefix: ""
filename: auth.py
- local_prefix: freeradius3/
filename: radiusd.conf
- local_prefix: freeradius3/
filename: mods-enabled/python
- local_prefix: freeradius3/
filename: mods-enabled/eap
- name: Configure freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
owner: freerad
loop:
- sites-enabled/default
- sites-enabled/inner-tunnel
- name: Install Basic Clients/Proxy Files freeradius
template:
src: "{{ item }}.j2"
dest: "/etc/freeradius/3.0/{{ item }}"
mode: 0640
owner: freerad
loop:
- clients.conf
- proxy.conf
when: "'aurore_vm' not in group_names"
- name: Install Clients FedeRez Radius-Aurore
template:
src: proxy-federez.conf.j2
dest: /etc/freeradius/3.0/proxy.conf
mode: 0640
owner: freerad
when: "'aurore_vm' in group_names"
- name: Install Proxy FedeRez Radius-Aurore
template:
src: clients-federez.conf.j2
dest: /etc/freeradius/3.0/clients.conf
mode: 0640
owner: freerad
when: "'aurore_vm' in group_names"
- name: Install radius requirements (except freeradius-python3)
shell:
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
chdir: /var/www/re2o/
- name: Install PyPi requirements for radius
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
# End of hideousness (hopefully).
- name: Configure log rotation
template:
src: "freeradius-logrotate.j2"
dest: "/etc/logrotate.d/freeradius"
mode: 0644
# Database setup
- name: Install postgresql
apt:
name:
- postgresql
- postgresql-client-11=11.7-0+deb10u1
force: true
- name: Install postgresql ansible module requirement(s)
pip:
name: psycopg2
- name: Create read-only user
community.general.postgresql_user:
name: re2o_ro
password: "{{ radius_pg_re2o_ro_password }}"
become_user: postgres
- name: Create replication user
community.general.postgresql_user:
name: replication
password: "{{ radius_pg_replication_password }}"
become_user: postgres
- name: Nuking - Stop freeradius
systemd:
name: freeradius
state: stopped
when: nuke_radius|default(false)
- name: Nuking - Remove old subscription if it exists
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
db: re2o
state: absent
become_user: postgres
when: nuke_radius|default(false)
ignore_errors: true
- name: Nuking - Destroy old local DB if it exists
community.general.postgresql_db:
name: re2o
state: absent
become_user: postgres
when: nuke_radius|default(false)
- name: Create local DB
community.general.postgresql_db:
name: re2o
owner: replication
state: present
encoding: "UTF8"
lc_collate: 'fr_FR.UTF-8'
lc_ctype: 'fr_FR.UTF-8'
become_user: postgres
- name: Dump radius re2o PostgreSQL database schema from master
community.general.postgresql_db:
name: re2o
state: dump
target: /tmp/re2o-schema.sql
target_opts: '-s'
login_host: 10.128.0.22
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Restore DB
tags:
- restore
community.general.postgresql_db:
name: re2o
state: restore
target: /tmp/re2o-schema.sql
target_opts: "-s"
login_host: localhost
login_user: replication
login_password: "{{ radius_pg_replication_password }}"
- name: Grant select permissions on all tables to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
objs: ALL_IN_SCHEMA
schema: public
roles: re2o_ro
become_user: postgres
- name: Grant usage permission on schema to read-only user
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: USAGE
objs: public
type: schema
roles: re2o_ro
become_user: postgres
- name: Set default privileges in schema
tags:
- perms
community.general.postgresql_privs:
database: re2o
privs: SELECT
schema: public
objs: TABLES
type: default_privs
roles: re2o_ro
become_user: postgres
- name: Set up subscription to main database
tags:
- sub
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
connparams:
host: re2o-db.adm.auro.re
user: replication
password: "{{ radius_pg_replication_password }}"
dbname: re2o
db: re2o
publications:
- re2o_pub
become_user: postgres
- name: Restart freeradius, ensure enabled
systemd:
name: freeradius
enabled: true
state: restarted
daemon_reload: true
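Review bot: The `fix freeradius-python3 postinstall script` task writes `/var/lib/dpkg/info/freeradius-python3.postinst` with `mode: 0644`, but dpkg executes maintainer scripts directly and a non-executable postinst makes the following `reinstall broken package` step fail again; it should be `mode: 0755`. Because both apt tasks around it carry `ignore_errors: true`, that failure is silent and the play continues with a half-configured package, so at least the second task deserves a `failed_when` that checks the package actually configured. `git: version: dev` with `force: true` plus `pip3 install -r /var/www/re2o/pip_requirements.txt` run as root installs whatever the branch and PyPI serve at run time; pinning a commit and hash-pinned requirements would make deployments reproducible and reviewable. The `Dump ... schema from master` task authenticates to `10.128.0.22` with the replication password and no `ssl_mode`, so the connection security is whatever the server's default negotiates — `ssl_mode: require` is worth adding if the master supports TLS.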


@ -0,0 +1,22 @@
client radius-aurore {
ipaddr = 10.128.0.0
netmask = 16
secret = {{ radius_secret_aurore }}
require_message_authenticator = no
nastype = other
virtual_server = radius-wifi
}
# Parangon (federez)
client parangon {
ipaddr = 185.230.78.47
secret = {{ radius_secret_federez }}
virtual_server = radius-wifi
}
# Dodecagon (federez)
client dodecagon {
ipaddr = 195.154.165.76
secret = {{ radius_secret_federez }}
virtual_server = radius-wifi
}
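Review bot: `require_message_authenticator = no` on `client radius-aurore` disables the check that binds an Access-Request to the shared secret, and the two FedeRez client blocks below omit the directive, which on the FreeRADIUS 3.0 configurations shipped here has historically meant it is not required either; the clients template removed earlier in this compare set it to `yes`, and the `home_server` blocks of this same compare also set `require_message_authenticator =yes`. Unless a specific NAS is known not to send Message-Authenticator, each client block should carry `require_message_authenticator = yes`; the same applies to both blocks (`radius-filaire`, `aurore-wifi`) in the next section. `secret = {{ radius_secret_federez }}` is unquoted, so a vault value containing whitespace or `#` would be truncated or rejected at startup; `secret = "{{ radius_secret_federez }}"` is safer.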


@ -0,0 +1,18 @@
client radius-filaire {
ipaddr = 10.130.{{ apartment_block_id }}.0
netmask = 24
secret = {{ radius_secret_wired }}
require_message_authenticator = no
nastype = other
virtual_server = radius-filaire
}
client aurore-wifi {
ipaddr = 10.{{ subnet_ids.ap }}.0.0
netmask = 16
secret = {{ radius_secret_wifi }}
require_message_authenticator = no
nastype = other
virtual_server = radius-wifi
}


@ -0,0 +1,50 @@
# The main server log
/var/log/freeradius/radius.log {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
copytruncate
}
# (in order)
# Session monitoring utilities
# Session database modules
# SQL log files
/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
/var/log/freeradius/sqllog.sql
{
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
nocreate
}
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/freeradius/radacct/*/detail {
# common options
daily
rotate 365
missingok
compress
delaycompress
notifempty
nocreate
}


@ -0,0 +1,14 @@
#!/bin/sh
# vim:ts=2:sw=2:et
set -e
case "$1" in
configure)
invoke-rc.d freeradius restart
;;
esac
exit 0
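Review bot: `invoke-rc.d freeradius restart` under `set -e` aborts the maintainer script whenever the service fails to start, which is plausible at the point in the play where this runs since the freeradius configuration is templated only afterwards; the retry (`reinstall broken package`) then fails for the same reason and its `ignore_errors` hides it. Since the play already restarts freeradius in its final task, the restart here could be dropped, or tolerated with `invoke-rc.d freeradius restart || true`. The file is rendered as a `.j2` template but contains no Jinja expressions, so `copy` would do and would avoid Jinja interpreting any future `{{` in shell text.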


@ -0,0 +1,28 @@
class DbRouter(object):
"""
A router to control all database operations on models in the
auth application.
"""
def db_for_read(self, model, **hints):
"""
Attempts to read remote models go to local database.
"""
return 'local'
def db_for_write(self, model, **hints):
"""
Attempts to write remote models go to the remote database.
"""
return 'default'
def allow_relation(self, obj1, obj2, **hints):
"""
Allow relations involving the remote database
"""
return True
def allow_migrate(self, db, app_label, model_name=None, **hints):
"""
Allow migrations on the remote database
"""
return True
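Review bot: `allow_migrate` returns `True` for every alias, including `local`, which `settings_local.py.j2` in this same compare binds to the read-only `re2o_ro` role on the replicated copy; `manage.py migrate` would then attempt schema changes on the subscriber and fail, or worse diverge it from the publication. Restricting it to the writable alias, `return db == 'default'`, keeps migrations on the master only. The class docstring speaks of "models in the auth application" but the router never inspects the model or app; `"""Route all reads to the local replica and all writes to the master database."""` states what the code does.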


@ -0,0 +1,87 @@
# -*- mode: conf-unix; coding: utf-8 -*-
proxy server {
default_fallback = no
}
realm LOCAL {
}
realm NULL {
}
#Proxy FedeRez #####
realm AUROREFEDEREZ {
auth_pool = federez_radius_servers
# nostrip
}
home_server parangon_v4 {
type = auth
ipaddr = 185.230.78.47
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server parangon_v6 {
type = auth
ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server dodecagon_v4 {
type = auth
ipaddr = 195.154.165.76
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server dodecagon_v6 {
type = auth
ipaddr = 2001:bc8:273e::1
port = 1812
secret = {{ radius_secret_federez }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool federez_radius_servers {
type = fail-over
home_server = parangon_v4
home_server = dodecagon_v4
home_server = dodecagon_v6
home_server = parangon_v6
}
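Review bot: `secret = {{ radius_secret_federez }}` is unquoted in all four `home_server` blocks; an unquoted value ends at the first whitespace or `#`, so a vault secret containing either would be truncated or rejected at startup, silently changing the effective shared secret. Quoting it as `secret = "{{ radius_secret_federez }}"` avoids that, and the same applies to the two `home_server` blocks of proxy.conf.j2 in the next section. The `# nostrip` comment under `realm AUROREFEDEREZ` leaves it unclear whether the realm is meant to be stripped before proxying to FedeRez; a one-line comment stating the intended behaviour would help the next reader.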


@ -0,0 +1,54 @@
# -*- mode: conf-unix; coding: utf-8 -*-
proxy server {
default_fallback = no
}
realm LOCAL {
}
realm NULL {
}
#Proxy FedeRez #####
realm AUROREFEDEREZ {
auth_pool = aurore_central_radius_servers
# nostrip
}
home_server radius_aurore_v4 {
type = auth
ipaddr = 10.128.0.251
port = 1812
secret = {{ radius_secret_aurore }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server radius_aurore_v6 {
type = auth
ipaddr = 2a09:6840:128::251
port = 1812
secret = {{ radius_secret_aurore }}
require_message_authenticator =yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool aurore_central_radius_servers {
type = fail-over
home_server = radius_aurore_v4
home_server = radius_aurore_v6
}


@ -0,0 +1,129 @@
# coding: utf-8
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
# se veut agnostique au réseau considéré, de manière à être installable en
# quelques clics.
#
# Copyright © 2017 Gabriel Détraz
# Copyright © 2017 Goulven Kermarec
# Copyright © 2017 Augustin Lemesle
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""re2o.settings_locale
The file with all the available options for a locale configuration of re2o
"""
from __future__ import unicode_literals
# A secret key used by the server.
SECRET_KEY = "{{ re2o_secret_key }}"
# The password to access the project database
DB_PASSWORD = "{{ re2o_db_password }}"
# AES key for secret key encryption.
# The length must be a multiple of 16
AES_KEY = "{{ re2o_aes_key }}"
# Should the server run in debug mode ?
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = False
# A list of admins of the services. Receive mails when an error occurs
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),]
# The list of hostname the server will respond to.
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
# The time zone the server is runned in
TIME_ZONE = 'Europe/Paris'
# The storage systems parameters to use
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 're2o',
'USER': 're2o',
'PASSWORD': DB_PASSWORD,
'HOST': 're2o-db.adm.auro.re',
'TEST': {
'CHARSET': 'utf8',
'COLLATION': 'utf8_general_ci'
}
},
'local': {
'ENGINE': 'django.db.backends.postgresql_psycopg2',
'NAME': 're2o',
'USER': 're2o_ro',
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
'HOST': 'localhost',
'TEST': {
'CHARSET': 'utf8',
'COLLATION': 'utf8_general_ci'
}
},
'ldap': {
'ENGINE': 'ldapdb.backends.ldap',
'NAME': 'ldap://10.128.0.21/',
'USER': 'cn=admin,dc=auro,dc=re',
'TLS': False,
'PASSWORD': '{{ ldap_admin_password }}',
}
}
# Security settings for secure https
# Activate once https is correctly configured
SECURE_CONTENT_TYPE_NOSNIFF = False
SECURE_BROWSER_XSS_FILTER = False
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
CSRF_COOKIE_HTTPONLY = False
X_FRAME_OPTIONS = 'DENY'
SESSION_COOKIE_AGE = 60 * 60 * 3
# The path where your organization logo is stored
LOGO_PATH = "static_files/logo.png"
# The mail configuration for Re2o to send mails
SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use
EMAIL_HOST = 'localhost' # The host to use
EMAIL_PORT = 25 # The port to use
# Settings of the LDAP structure
LDAP = {
'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re',
'base_userservice_dn': 'ou=service-users,dc=auro,dc=re',
'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re',
'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re',
'user_gid': 100,
}
# A range of UID to use. Used in linux environement
UID_RANGES = {
'users': [21001, 30000],
'service-users': [20000, 21000],
}
# A range of GID to use. Used in linux environement
GID_RANGES = {
'posix': [501, 600],
}
# Some optionnal Re2o Apps
OPTIONNAL_APPS_RE2O = ()
# Some Django apps you want to add in you local project
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]
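Review bot: The `ldap` database entry binds as `cn=admin,dc=auro,dc=re` with `'TLS': False` to `ldap://10.128.0.21/`, so the directory administrator password crosses the network in cleartext on every LDAP operation made from this RADIUS host; a dedicated read-only bind account and `'TLS': True` (or an `ldaps://` URL) would limit both exposure and blast radius. `SECURE_CONTENT_TYPE_NOSNIFF`, `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` are all `False` behind a note to "activate once https is correctly configured"; if this host exposes no web UI (the role only templates RADIUS configuration) that is moot, but a comment saying so would stop the file being copied to a host that does. The `local` alias uses `re2o_ro`, which is consistent with the read-only grants in the tasks file, so any router that writes to `local` will fail at the database rather than here.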


@ -0,0 +1,239 @@
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 083407596aa5074d665adac9606e7de655b634aa $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# IPv6 versions of the above - read their full config to understand options
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
}
server radius-wifi {
authorize {
rewrite_calling_station_id
if (User-Name =~ /^(.*)@(.*)/){
if (User-Name !~ /^(.*)@(.*)auro(.*)/){
update control{
Proxy-To-Realm := 'AUROREFEDEREZ'
}
}
if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){
update request{
Stripped-User-Name := "%{1}"
}
}
}
filter_username
preprocess
suffix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
exec
}
session {
}
post-auth {
update {
&reply: += &session-state:
}
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
server radius-filaire{
authorize{
re2o
expiration
logintime
pap
}
authenticate{
Auth-Type PAP{
pap
}
Auth-Type CHAP{
chap
}
Auth-Type MS-CHAP{
mschap
}
digest
eap
}
preacct{
preprocess
acct_unique
suffix
files
}
accounting{
}
session{
}
post-auth{
re2o
exec
}
pre-proxy{
}
post-proxy{
eap
}
}
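Review bot: The local-realm test in radius-wifi's authorize section (`if (User-Name !~ /^(.*)@(.*)auro(.*)/)` and the matching positive test on `%{request:User-Name}` a few lines below) accepts any realm that merely contains the substring "auro" somewhere after the `@` and is not anchored at the end, so a name like `user@example-auro.test` (constructed) is kept local and has its realm stripped instead of being proxied to AUROREFEDEREZ. Because this pattern decides which server authenticates the user, it should be anchored to the exact local realm, e.g. `if (User-Name !~ /^(.*)@auro\.re$/)` if auro.re is the only local realm (the settings file earlier in this compare uses dc=auro,dc=re, but the realm list itself is not in this diff). The greedy `(.*)` before the `@` also means a name containing two `@` characters yields a `Stripped-User-Name` that still contains an `@`, and `filter_username` only runs after this block, so moving `filter_username` ahead of the realm logic would reject such names first. The inner-tunnel server later in this compare uses a different pattern (`/^(.*)@auro(.*)/`) for the same decision; the two should agree.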


@ -0,0 +1,345 @@
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
#
######################################################################
server inner-tunnel {
#
# This next section is here to allow testing of the "inner-tunnel"
# authentication methods, independently from the "default" server.
# It is listening on "localhost", so that it can only be used from
# the same machine.
#
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If it works, you have configured the inner tunnel correctly. To check
# if PEAP will work, use:
#
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If that works, PEAP should work. If that command doesn't work, then
#
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
#
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){
update request{
Stripped-User-Name := "%{1}"
}
}
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
filter_username
re2o
#
# Do checks on outer / inner User-Name, so that users
# can't spoof us by using incompatible identities
#
# filter_inner_identity
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
# unix
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous", and a different one here
# (e.g. "user@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain
#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
&Proxy-To-Realm := LOCAL
}
#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}
#
# Read the 'users' file
#files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
#-sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# enable the "smbpasswd" module.
# smbpasswd
#
# The ldap module reads passwords from the LDAP database.
#-ldap
#
# Enforce daily limits on time spent logged in.
# daily
expiration
logintime
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# For old names, too.
#
mschap
#
# Allow EAP authentication.
eap
}
######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
#
# Note that the last packet of the inner-tunnel authentication
# MAY NOT BE the last packet of the outer session. So updating
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
# exact functionality depends on both the inner and outer
# authentication methods.
#
# If you need to send a reply attribute in the outer session,
# the ONLY safe way is to set "use_tunneled_reply = yes", and
# then update the inner-tunnel reply.
post-auth {
re2o
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
#
# Let the outer session know which module failed, and why.
#
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}
} # inner-tunnel server block
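Review bot: `filter_inner_identity` stays commented out in the inner-tunnel authorize section even though the outer radius-wifi server in this compare decides whether to proxy based solely on the outer User-Name, while the inner identity is always kept local (`&Proxy-To-Realm := LOCAL`) and handed to `re2o`; without a check that the two identities agree, an inner identity from a foreign realm appears to be looked up locally under whatever name it carries. If the deployment relies on the outer realm decision, enabling the stock `filter_inner_identity` policy from policy.d/filter (as the surrounding comment suggests) would reject mismatched identities; whether `re2o` itself guards against this is not visible in the diff. The `radtest ... testing123` lines in the header comment are the upstream example and refer to the stock localhost client secret; they are documentation only, but a comment such as `# the 127.0.0.1 client secret is defined in clients.conf, not here` would avoid suggesting that the default secret is in use (clients.conf is not part of this diff).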