Compare commits
No commits in common. "radius" and "master" have entirely different histories.
51 changed files with 1521 additions and 2193 deletions
|
@ -3,7 +3,6 @@ ask_vault_pass = True
|
|||
roles_path = ./roles
|
||||
retry_files_enabled = False
|
||||
inventory = ./hosts
|
||||
library = ./library
|
||||
filter_plugins = ./filter_plugins
|
||||
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S
|
||||
nocows = 1
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
class FilterModule:
|
||||
def filters(self):
|
||||
return {
|
||||
"enquote": enquote,
|
||||
}
|
||||
|
||||
|
||||
def enquote(text, quote='"'):
|
||||
escaped = text.replace(quote, f"\\{quote}")
|
||||
return f"{quote}{escaped}{quote}"
|
|
@ -7,30 +7,11 @@ import dns.name
|
|||
class FilterModule:
|
||||
def filters(self):
|
||||
return {
|
||||
"add_origin": add_origin,
|
||||
"add_origin_keys": add_origin_keys,
|
||||
"ip_filter": ip_filter,
|
||||
"remove_domain_suffix": remove_domain_suffix,
|
||||
"ipaddr_sort": ipaddr_sort,
|
||||
}
|
||||
|
||||
|
||||
def ip_filter(addresses, networks):
|
||||
if isinstance(addresses, dict):
|
||||
return {k: ip_filter(v, networks) for k, v in addresses.items()}
|
||||
ip_networks = [ipaddress.ip_network(n) for n in networks]
|
||||
ip_addresses = [ipaddress.ip_address(a) for a in addresses]
|
||||
return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)]
|
||||
|
||||
|
||||
def add_origin(name, origin="."):
|
||||
return dns.name.from_text(name, dns.name.from_text(origin)).to_text()
|
||||
|
||||
|
||||
def add_origin_keys(dct, origin="."):
|
||||
return {add_origin(k, origin): v for k, v in dct.items()}
|
||||
|
||||
|
||||
def remove_domain_suffix(name):
|
||||
parent = dns.name.from_text(name).parent()
|
||||
return parent.to_text()
|
||||
|
|
|
@ -1,257 +1,246 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
62373961613635353532306262363831376166643431323062383634366138653036373730353036
|
||||
6664653637356662343538306261353838306637663765320a336436333964643464613339366238
|
||||
66323438363935303839633534373464333236663536396233316162363439393030303637306462
|
||||
3661346138396534340a626164643334376137633738343130653531393630663030663234626433
|
||||
62623063623538323262643863373062323537663164623535343262346235323865613361643034
|
||||
37373562343366323134303836633634613837356165323566343062373730336639386137306164
|
||||
64366661343562623734396363346339643438613865653730396635636264666164623533656534
|
||||
39313462363539313866633663333639343766313338376162363135396235356133373837623930
|
||||
64316661316339343439383365303664393631643164623161613262613839346634333434653264
|
||||
65656466383063386163353135663632303665323238626139363330383363306130623535303834
|
||||
31636265623366326438373163633566626438383633326430303862353838383636363866326131
|
||||
64656366646534333739326264663330323836353266393063356134373366366235613534353636
|
||||
30633364343738393230623338663532623531303564613766326436336562633338313337396664
|
||||
65376135633334346261313835646361303362616535346538623634383338626363646637376261
|
||||
66383336363065353932656231343231613963303934643637656637323135376238376235383838
|
||||
35386333363033306332373030353332303635633164363135633431343566373338623437626331
|
||||
61653435653135663331313536386166336137636336333861656131613863386162343639363935
|
||||
39643763653633363663626266663036313961663062626333633666356363363961643231663033
|
||||
32386438646365613438343130313465383266623830666631653061313238643466326337663434
|
||||
63313664346564333163346230663331613363646566386135363063643730626435366233313130
|
||||
37343965653835636333363365653831393531326565316532663962326165366437326464663964
|
||||
65383036383261643066333938343634396337313034333466643436386665353137656661323134
|
||||
66666362393334343038353762396537346164356635373766393038656563643132363461356336
|
||||
30323063663232353431623731313564646339376364623639303231633935353730353866616131
|
||||
63343732653366613832393031646339383235616464656435653035316163313266613361646666
|
||||
31633662336332653738353661616137333537633831346137663363336235626433363834316438
|
||||
62646266383362613335376335376136663536623638353863323539393339353736336533656435
|
||||
62343263343839633837313966316538643133363764353661616136356139313630626163663233
|
||||
64363939343238623261656430653933333432383066373136313232623933616238323161316336
|
||||
36666165616661383637323832383138353963333063613566613538623430633561653532333830
|
||||
34366231323131346533616164646438366266326266616264333862343435633031333135396365
|
||||
33333331323939646431373630373334613935616337316631613065363337336136636238323066
|
||||
35653162303130373733353763623638623638323638333362653130663237396564333366616163
|
||||
35396435303133613861316464393837623837353734633331366435383263643264343164333235
|
||||
32353530373835643436633038366261386465373364303538353933346562663566663233326637
|
||||
33663165333366346630373035396237366332616435323231336333613031656161303431326633
|
||||
37386466353836646536656364343532356633343835666466353861323637643233343063323135
|
||||
32626563383433336165373363383236633936333039343731633439353331666564383166323738
|
||||
39313635636666383432623335396663386131336134613530323938316332663032663966656361
|
||||
65616334646337313637346436336232613531626434383030326164393366343366616235383439
|
||||
62303333356633656366373766666430636435303438383863343330396130396139616234313638
|
||||
31336632663661353030303736646130326565303932346432643066316434616134376135636662
|
||||
61393661633261303539393139346266303731333637363838313964616439386637633234326533
|
||||
32323130346235306236346566306563333563653333326633363831646238353766666136346333
|
||||
37666539313265353961343762303762333463646136386331393938663463646530633932393136
|
||||
38386437646135613764313764316162346364353031313566323134336239633832303930313463
|
||||
33636164373236373138613462393937333338643230663133383132616463313731393963633262
|
||||
31303239393939383433343138393733356238386136626463336532613661623362356530323666
|
||||
39633336613532383661636334393362663833306562663664303734393466343536386661663838
|
||||
65343263643063646666616334643936396530633861373733376635303230646461396239613435
|
||||
39373131393234343761346231636363303663383835366562643664353734653530393066653230
|
||||
34656466656364303163653862616437623636626537376338376631356266666338366439656262
|
||||
33383633653965386333343933323639303265653862323936376635343037656537626165636663
|
||||
38383034383833393038363136373835636537626664353863326165643436323730623665313037
|
||||
64323634633435323434313639343538313537313030383338656635336137366133613931346133
|
||||
62356131396637323361336265373731376638636465306365366461353338663738326362616435
|
||||
61316166363536323761323631653835643132356634633738343834343839613732643263323866
|
||||
64393636353730323139383965373864376163363963323830353538613234663566633437363061
|
||||
66313765356635643136653866633432343130303661633362386665363761306165646333356330
|
||||
34393233626131646430663538663465643233356338383330316634333032353939653334653233
|
||||
37356461323261653762363730383339393130613064386366393562383739616536626366633865
|
||||
39316161643438343762306537353762333463353237303063613933343239323765386666646539
|
||||
33336165323539323261366134353466313737636338363861336664346331643464313965633530
|
||||
37393538636535303431303762336335666361663364363130376564633763373036663330383130
|
||||
31316564643336373061343033333131643362663736376436643965333066613431343936303964
|
||||
63343030653030373537396566323663383061396666313835333732646339306134613762393865
|
||||
30626431303638346137653539333236633136663137306233663236326465663662376537666435
|
||||
31333663663833373463343163323737366536366163613733396332626230646131333662663866
|
||||
61346266396563646261353561616433613161666161363161396533313038366438366565343733
|
||||
33646462636461313639666332666338613066383862353362613563636162313238363261663762
|
||||
66613930333837643537326237633462343666323563383935366333353533386161363734623132
|
||||
37633739396161353731353234326565376564646433316638633130303033303863623166653438
|
||||
34663461643539643639383763666339643164343233343361653630373736393437633762323761
|
||||
63633264373639613439633338316166333135633436373133626434623261313333613734376366
|
||||
30366634633664383633643234663539363166656333653139366466346433323337383036393330
|
||||
38306564303131313130353765313465626537323032623233326261326565626535666337383237
|
||||
63616566623139343664343663663031306133333830386561383936313135616461636563656130
|
||||
61333531313230623063326537323537303363353232343436356161336164326133643734663134
|
||||
32616266303536373331396537643938636237363439353234326439363039633366613136326632
|
||||
65346533636563393665613130636437356134666262343336646236326430366636353234636564
|
||||
66356636666339353466656664633731376537353863613565306130316561313865393962336232
|
||||
65326661366661313434666564366131656539363030323233376666616330653338616536393230
|
||||
36646161373030343964346430613266306665636336303536363966326361373335313130316332
|
||||
33646236393935336662353237323639323239353030623233373766363566323461626332396164
|
||||
65303035653630376332356333313765313833396338363233326333626130323866386366613533
|
||||
35303562366437333538393363643366326530313365623331306235383965393331333936323432
|
||||
34396261666363313637633364356666323639316532636331626132643333373838383465663561
|
||||
65363636613736663434626130313265646438326537363736336134346432366432656133623262
|
||||
33623661323064333439303463623138383962356165356461373235616164333130663336383635
|
||||
36363835643466306339336338323230313036616665363863376262626361323738643561353761
|
||||
38353939653130306161666436373132623238366632353332353136623038616462376361626235
|
||||
31356464303136373766323261336132323434396561363066313062333061633437623362633861
|
||||
61306330323633323930336237643738613330366265386366306664343066326530613061306432
|
||||
65626130336337643233666235613530373237383234633833363962636134366661623333636237
|
||||
32373664376438313065623234626637303630356233356439656434306661663138323966303539
|
||||
64363937643334303936353663306464626335616262613135363464306135623738303631376562
|
||||
32386262663934653565316334353630356537363734396131323264353636663438636365396231
|
||||
62336664353938326434646261626466333030333133643265633439313339383661323162336666
|
||||
36616136303433396438363062646135616239663461343039646563653638363734333866326666
|
||||
39633639336530333637626631626132333066633464376137393937353166343663373564393438
|
||||
32326635326431396130653864666239343466636435303730306162336637333032643233633833
|
||||
33323165386135386131336430666437663365626266646466616132373133613536623365333766
|
||||
61363764303361393438373333616233393030373631323565373563343031326431396239393362
|
||||
35623039626435643637353161633037396130616332623733353138613835626539616166613831
|
||||
34306663303832646165336363393837626361316433316231646439343265323634383132303930
|
||||
38316661333462373033363135363038616136373239333961313039363735303333616561666631
|
||||
38386436326566616438306536316432343233613833663632396561313831326432323463626433
|
||||
66653733623935333031646632393936343130316565376662353866346632393736326235323430
|
||||
31636633633631313732346662356539626638343032383937346134326137623462316531376561
|
||||
35386565623661393865623035386534336537623932336533393230323239626132613432373964
|
||||
33656539393861626265646565383038396330323762353235666637383134353839666531623862
|
||||
39646437393665373035306564636335306136356463316464303566353938303535343235646466
|
||||
64306262356135373434643862636363396433663833333063383731613136663038313531353263
|
||||
64376131396337393634383136623732666531373136373631643336663766376436633538643461
|
||||
64633865346634616366616661323062653431303632313464316335386535363237356339616130
|
||||
34666131383164616664326331356337336637353664353965356332626437323430313565653236
|
||||
61323534633137376166383831366263366438623735376264356136353136343434613835373461
|
||||
38613139373335653935643663363438653139303037646366303530386339323634373665623032
|
||||
30656536373530383539376233316334333233353536633963323334313862353334613832363662
|
||||
64663939356465333435356231633832653764303862646433333563666237326463663931383238
|
||||
62303062663366363932666130373737643137303739383636616466316363396134376365346331
|
||||
64353566383066393737346162313264653736626239376134373964613162323231313462313262
|
||||
65376338333439363762323837373262633835643465313130316164643838656364313166616530
|
||||
35363436346137333862376632646235643332636662333464366337653064643036386533363030
|
||||
33393837323632646163383539343164653433623038306261356534623862636232333836363431
|
||||
36353831353637383864643130653838663164646232626637353031386561636535666236356665
|
||||
36376330333937646164303333643962383862336433313433626434636133343836313730346462
|
||||
39643535323063326364656439316232383430663364383961643961633431326464306639383038
|
||||
62356430373630373836326266376230373135326531336464663338303438323836376365636534
|
||||
36663532343035303738346564383166326665396363633239623863353662316336653765323632
|
||||
34336538663637643535636530666639353864643733376635626133666461613338343039623462
|
||||
38356338373732396635663733333465363433663436623938633565623964653765346165393334
|
||||
34373666623035353966323433663961333663303162623337306539653739663834356566353164
|
||||
65343738663161353964386237306234643836323365626133393134666566363961653836623634
|
||||
38356666396161633932363536663732376330343661343763623435663836303032396535616531
|
||||
34313730626334316139613839336430346163643933386366306464313266316530363934303032
|
||||
62353434346238386536306133366262643061623436636666643735643039613665316436616533
|
||||
30666332633764313063383663663830633430646365383532656236363039643633353736346338
|
||||
39323935333536643737396331623431633365343064373330386363313632663933386639376236
|
||||
62316333303663343933303237353738333739643036666365623834646665623733623239643265
|
||||
30373966336538616135666339303030626164316563326530383731333839383133366332346331
|
||||
37306238623132313235666434633135383034653264666134633566373436396133313764306335
|
||||
63346435393464623332386134303766363061333361643930363335636164353038626464303633
|
||||
64356437623536376662363566623465306634313534333930333066346532323066323335313934
|
||||
39663635646664616335393330383865313639393732613034303163363665316337356439656634
|
||||
39373163306539346433313765623665353461363866643431633236643137353362613337643266
|
||||
63376631316365326634386166666361343733623638613163666564653762663839356461633132
|
||||
31666437663535633037393432316463326237356634353631306464663337626136383933386263
|
||||
61373562323836343137356162363237366261376662613133623839393932366139636336396365
|
||||
61636237386463633635663338303364666462326436396265366563626130316637623630306263
|
||||
35386636613161636565356166666463336465643533386166663766306530623162616362376437
|
||||
30613466313963323236353533616130656532643130616366333064636435323132386431633532
|
||||
35393731623235396464336365326262373131366633333666363636616632653238616165343466
|
||||
34333032633062366239636634336563303031653037613237353064656433663361306230313236
|
||||
64306430633464306339636436306562376430646535663162383363666666366236653965613030
|
||||
65613836326661323338303964393763346336303065346263386462343661363635373337356130
|
||||
65323661336165613563663931343365663064613362633632333039663065633162343830356538
|
||||
37376566326331633236633235623537653332313464623564616433323134646135333436656563
|
||||
65393737623033316535643230386462333736353866306136313833303631353465363363653035
|
||||
61376563653266393062616163333164303035386464643536343931663464313831333065306261
|
||||
64393237396138363863323862393230393837363062393138663734383566616238323332333636
|
||||
34616634383561326337363739346337623362313131353362323461343335636265303262653836
|
||||
36383930303436353066356133636133646439346132636162303462346164663162666331643464
|
||||
63393765393634366431306663643863613666313063326231346637623936616431633332343738
|
||||
32663666616236346664636563346634323730653239643561343833623936323539303433623839
|
||||
37333031316331336435353764643861343134323934626433336666613466353538323332383339
|
||||
38353330313066626335356439663835626266623234356636613666383734356166656262373264
|
||||
33343336303164366635363162386161663930343836343238376133353839643539333166663566
|
||||
62316634633762303464363562303333633732326563646231313933363531343164333836616439
|
||||
36353935353532383439366534306564643061613062356433633338386133366535663631313762
|
||||
39373032396465393962373038623231313232343661353164393235326266613035613063343136
|
||||
63356337323363383761323138396333373066336664616665636434656362376661613034383437
|
||||
35336330663836363464643765643566663436326665313561656364353733356531363863623261
|
||||
30303138396562633564353764366239656636396632313235326237316538323765663336386632
|
||||
34326139313064643834393366316561653664313066383263623739373162643865643035373365
|
||||
64366335396132396330303339316361393439636363343034373736663565323230653963336435
|
||||
61306538613133313165376562616561663733313839366434376634343236313034306235383733
|
||||
38346666376530386231353534393863386566633235323762363635363062323762316130303865
|
||||
61313362623765613065303362663837376463393432663839373766326537356536666465386463
|
||||
34663266363261623735386565383466313732346366666635663366613032363762386637346636
|
||||
34386662626266656465393234306566373462633930323562336631306531663130656132353939
|
||||
35613730393762313931383532646530633836313961326461336131656631663137656635343238
|
||||
35383533323738316134656666393136633732323536363636646166393530373233613264373761
|
||||
39303463663130386338353637373739373331613739353561303636316665323533616634666639
|
||||
33303835336431376363336364646165626139353061633339616437326264646434626463383239
|
||||
39376332613766383232336339366332616334356630626463373435623165303832393465376334
|
||||
33343163356333663266386236356463356335333964333733386439623063656462613561323163
|
||||
34623937383765643461623035343930363336323863356461313034623733303734396238363463
|
||||
65383366366565323439316230383363366539666434656364633366333936376361326131313530
|
||||
38363161666439643236313063626564393932646536626361396234396333643165346638323037
|
||||
38633638646331333664633562353632316133303764316262653261303561366333663062623037
|
||||
62356565363433646435643231343231333863303439393335336633316638383863343438353262
|
||||
37616539306537613831373462323238363262623365366536653233366231343864643931653463
|
||||
61396238663064376166643537646132646665663565323939373632353665356337363538326238
|
||||
62323363346532613665653161366235303661363263363836313739326134373264396131633262
|
||||
32343135633436353038313335346338663934386436316262623731313334346230356630336333
|
||||
62353539383031393339623164333763306338346133383462653534346334346434633831353163
|
||||
32386436653863666533323233363663643933396636386334343962313038363933303263346135
|
||||
33613337653237323339313233346638393635366136373432353031653432376639663638353161
|
||||
30626536386465323136643764663661373863353965623431393562393630333333643631303030
|
||||
36383938666239336530643731653963383131623333393638366235383861306163303235353538
|
||||
65646264646339663264376161346563663965353837333331333739376336623934623335343234
|
||||
36633234326231393232356539383661353431363531653230386637386334613138373038326432
|
||||
36356633663565383035373934363132303633646563646236363866626531663534313964373732
|
||||
35623034623335396365653134316331346664633439643966363932356664666331306631373630
|
||||
66653565666562323366363732626234363165313932326630666537373462303539396139396431
|
||||
36653438613337356536643863376234386463363130636535396536363234616162663961326431
|
||||
36613034383234326239353337376633616364323564326563353239363739363430383230353162
|
||||
64343638623637303334396164343032363735643965393861363537663962316339303936396230
|
||||
32613937303931383665313464643862653561646539363039643038653838323434386337306235
|
||||
31636166623933616163363366386263663461316136393932313962343836393565623031366362
|
||||
34643237353264343665363566393534656436636138303835656534303763346661663338626664
|
||||
37656462393438653830343964646537363038376531636330653264306363303061653231356566
|
||||
36323864626233656431303737376131383634353337323633323132646338303766323933373930
|
||||
64613835643932336430626261323862636536356265313862383361336365373464313036396238
|
||||
62386664336362303565373736373735363061323963333664386366353139303562656465306632
|
||||
63376363343664346531653035656538356466626163366130666363666132663961353461363066
|
||||
31303335663839663365326539316362663935303237333234353431363063333163613461306539
|
||||
64313364363634643434643630613338353564656639626232343063623933323835623534613864
|
||||
31316162663137386534643036353238636231303336613334613663386462623365366439326232
|
||||
31623163396531336337663839376335376231326466633230376630343936663732356663376465
|
||||
39363965303331383265323263613964376361643465316430363565383235333430373566393635
|
||||
34343464323664373136656463663461663834656263303639313262626530383534346364306231
|
||||
31326565353535653637626166616365393230626539366562666538306235343561343439616661
|
||||
31356366666265353666343964303433303237636265666365393361353762303231366165626535
|
||||
32363230383231356264646363613030363538303161313534313932383865313166393132393235
|
||||
38333332653537663630303639653533343737346531393864613836666438656632303937313433
|
||||
39653136316366353133333537376361633961653735363064666665623135613565363564646263
|
||||
62643932336465363537363130626262333363303365336464656139643034363031356632613565
|
||||
61343138323734313537386466313463393836376363383562646537383237666635353936383637
|
||||
36393237333334633762376534623233376338623339613736613032333435303930626261343830
|
||||
66663531666566316637386637353136613632623563633664613739336134313432646534303530
|
||||
39366139326633383033353065306464316636646535383535663663366331633036393661326361
|
||||
32656330323365623739373765643835333830393033363836666439333337356465383364303431
|
||||
61336562613634663033643963376635393063623435663162643838663762303533353665646361
|
||||
62386662376163333637343934613763303363616135306230356135613561646630316330353438
|
||||
61633234316534353030616138343165633565643366613763653039636466343866376433646132
|
||||
63343930333933336338393361623866613765393164623838306637323863366263653133326634
|
||||
38653334653430643862383136373432643463343232613161306638336237376236633435653833
|
||||
64316363643838333965323163303236346238383964643132643836633161396565323437313636
|
||||
34623763353237313863646439343662326634613466653462323163666333633031626131383262
|
||||
64336662396134633334376362333165666430646561333730336635356433323234303862343130
|
||||
31393933326539336666386364643532363930336636626132396136623066386132656165343530
|
||||
39656430373039343634623064623930643037666565346164343632323839383038616630303332
|
||||
38383162646564643037386530386366306532303032643939373563306165363934633532656137
|
||||
66626635626130336563353737366531613862656231643265346630343633343632333233616162
|
||||
39623262646432313865333531383461346664383330393631636431333064306635316431633239
|
||||
66393035313763633635643438376235323537633734353961373635376139633234316334363563
|
||||
30386263376664646361333435363935363033636665393737333262636464313733656339316539
|
||||
65313830396233376464613631333664633635393235626232373133363466323230626363396238
|
||||
30353164663663643835653434386136613566363635393039653637623465616136353932663164
|
||||
66663763326665636138323366373931376137323334653363303038616363613763313261613836
|
||||
33323935616366366462636135366439613539643238393962623864386433373862326566633035
|
||||
38393332663131306337386632636464633938303561336537623363346465613033363861646361
|
||||
32653839326631323561363430343038666366613330313363363735353465333563663038376631
|
||||
62666635326438323564
|
||||
64313161633263303464663933363265373935633862653634643862343232643432343966376438
|
||||
6134633764383937373966346538306530316539303966320a363035303038616435383366656532
|
||||
39346463396563626166333362306464343836386365303836356461323663633831636562393039
|
||||
3832636432626238350a666566323435623834396166656233306639333830343130326265616234
|
||||
61666365663963643437386530363261306438376665386463376366363662656161316263303831
|
||||
61393136363934316462616131326463333736656136643038623061313363386538393833663637
|
||||
36373565333566306632313865646538633532393731313430633462666334323762653337383338
|
||||
63313433333835653366363061343839326131666139346563306366656365316663333438363837
|
||||
33323165353936343165646464306434303161313139653561346461653537616164623434376534
|
||||
33666662343734633766356230383761353239333632613031396365346536373432363433633564
|
||||
61633762393033343336373864653438336436613630366539333731383336346665313732396265
|
||||
32356138666135383562656366353131366436363464643630656130303437623131333239386363
|
||||
66373866393064306565306565386230373638633733326661333065633136633130323963323765
|
||||
30353262323835313365383562326363343965636634376133613331363133313030346561653931
|
||||
39363636636235646131353034663861336362383263613165323230366439383561653165363764
|
||||
65366130623362623539393461363832353435616266393036386439303834316635366438393936
|
||||
33383933366262636232383066663130383965306137356363363539633661373664613738336539
|
||||
31363131616135623039346465623530376533386263343836376662316562386530336266303062
|
||||
64386531303938623939653635313163633261336339366139666135323130653862346132646636
|
||||
30363065303235346331333434653331646333616337623562643564366435613938643235333664
|
||||
30626164373030303237656366623631396138333265383566333664663061613536666363623630
|
||||
61623362383439636239336234333161366635306432363230366630383836326330343932303863
|
||||
39393232373831363863333332636362396639663831656266336430313837666463336439353332
|
||||
63303036633433323439613535326663633332346565646338353761363733643766363132666365
|
||||
34303865656262303563323665363730663062626537363461646363636461633762663237366366
|
||||
64393133656464643065633634313261336662646435313735306266316132636530393631353830
|
||||
61303939373363323131316463333136326365333430626266376636356130396239323464353937
|
||||
64616232373532396334343433636332353530386662633164353235626361623164313039336666
|
||||
31636434666437393839393133633961373139313663616366373239386163623064373836376164
|
||||
62316638366366376134386231306435616138656461373633393339653532363434393834393430
|
||||
37363335623934306661333135343266663464623438353665613330356236323036363139643064
|
||||
62383934363465316338393065383935646134353230376131613935613431656333383565353134
|
||||
34643866353131653061623236306536363163373639396564336434653839346263303930633663
|
||||
39393935636235313431303032336361313730373238333732626465346662363038636361383631
|
||||
65393433346363366337383233646166306339653533646632623262376630383265393438326135
|
||||
31643039333835666338383762336163336337343532393063323165636531353361613731363065
|
||||
65303637396332613432663636326334646635346237396461636366356133303333306239393739
|
||||
34353966653662346230383865643231313239626533643761366162613164333132373636623237
|
||||
32356335643766646266646266633366363165373861306433316561363166363865303133633939
|
||||
34633132343438363034323638376666313061383965323566646463653163313235373364386666
|
||||
62393865373137343237306637363536383939303833663532396333313931336162333837613935
|
||||
66383266343735396337663936333162323738383264376533316536376563396333343263643931
|
||||
65646535363337373865353265306434356432353066656665366638353331366334366339613538
|
||||
32373637633564613861626538373365336362313434633137613966353861393462623862663330
|
||||
64386431373066306334383863366133333564373163386433313231363366393830343230323734
|
||||
61633962356637326538336663386330653563353763663236623539363630626363323237333237
|
||||
30656139626561313064323330373032323031343137366638303966313832646365666238326337
|
||||
63306363613361653933306234386163383837666430616663383664386563323839326232383761
|
||||
35373539626438356539393266653864353066633365383437623437356464383335383039343137
|
||||
61373539343631373932373033656233323964353666626162386537616333366562346265656238
|
||||
35396130356166303564303036383664656435626534303064653363316464616335303965376330
|
||||
61646638383138323265313631613037396561626162306661653231646230343139656135333236
|
||||
63303838316266333665636335663361656262353066666430656162323236633564313337353665
|
||||
35363565303736633564356632346632343832363934343962313030646132663566346664313632
|
||||
38393061613163356265643434626166393366366634343032626637333332316361663639623534
|
||||
62323239373639393337373537646232663531653835356165313264663561623633633830373734
|
||||
31336234613633666538373961626430316530346462343061323661353564323938353338373961
|
||||
64616637303734303333626166306330613238646265636136653939363936356165356232396436
|
||||
65353731633836363433616534636330663565643561363233396538386430393964353433616437
|
||||
36343936313936303165396236393463646363383338366238363961666530623335653234656139
|
||||
65346337663437623134376137326166323933613861663032623965643538343638376234316232
|
||||
36333065323234663263343630353739313661373536316162366532336438373263303730626464
|
||||
38613136393166626663636631363064303736666235333036616435373063363762666565363136
|
||||
38333966303831313333613831313132633062616235353365313533386236613338373130303836
|
||||
61326262313833306437366364316433393931353265326131653563656131333436376338613266
|
||||
39326632613366666136643137303635336631353230396435313537656366326239626362313833
|
||||
62653039343261613265306362323234623264366664306561663839306631663465303962386462
|
||||
39353934643562383762623937643034383534393962333466613636346637323235346438666636
|
||||
31613838313535666166663063373333653439313035346266666463623666613837313933623837
|
||||
63343565663739393764353761316432626237346234663032316131306262356233333439323961
|
||||
38646664383030303832646563393836643135303731306435383338623633626638306165386637
|
||||
65393238653464623032336437643838333932366131656332333165376261383539386466343139
|
||||
65613733383837323832303738363664653138613830376333363038383839623463623631666237
|
||||
63363263396533353763373934373034643763376665316638353435663635346135333265363235
|
||||
62663432343935343964626432353563313036303761393039386231343530663737633466643035
|
||||
65343835353037643539316439666666633866356530363237373230373439373133313337653237
|
||||
66613631373637313534353862653437393234363365323032393035376438616264336661616262
|
||||
37336435326135373065353564383637626637343532396331623334643139386364316431376435
|
||||
36356566363033636539363430356565373039363863396565643730656531346364626334393436
|
||||
33343839303538383530363231366166623233333730323163323432373831313639626337346230
|
||||
30333930333064393337616564386163623436613933623466353933393733346339383534633239
|
||||
30633365313364666566643533326163336330323232353533316633313739343035383465376330
|
||||
65356139386463633565366132383832643032333234633964373437633836343435393631396166
|
||||
34633439643764623936366536353931646132373539326238303761383339643661616266646130
|
||||
30393166393465326365393130636136336433623262346435353936306133616135653734383635
|
||||
65393530633836613937346430366337626365363361663533313837363063396538663766646566
|
||||
63373639653732353135343562353266316164303863336365303635653464393232613939396131
|
||||
30636361343932663233663566656131363938656161623966316366656561343166336532613666
|
||||
65613534663762353662353262623634616264373964316336626166353330303539356130646166
|
||||
63643435353765633766626165643465386331333637366562393861613834323464363932306430
|
||||
32643836646266643031396262626136313363623663366430376432373036643835653863323631
|
||||
30613164326430633664306630333632363931656135643465363439376263386561383534633666
|
||||
64323763656466343064396639313264386239356664663461333166626332326536623132333434
|
||||
62303261643164643330333662623935383037353338306135613737306563326336336162633138
|
||||
33623066373265663362303133363032343933306336396466383034636131333837313333326531
|
||||
39336163313633623639303462313763656632633030336236643030343262653366633939643536
|
||||
31636535393864663363353930363761623264343630396336396431663330323436613462633136
|
||||
37336464353730643566393432343762333336653932333366636265343663323462626232623635
|
||||
34346136333630363539633666316561376266373032373961313437653564636537656630303261
|
||||
37313639333233333365383763333061373730623939303530303832646365323739356564626137
|
||||
35633366393636376463393961333830343232363266633931613332643134643234303733373466
|
||||
35323831623931633436626636346431303965663639666566623433383736633834626330303265
|
||||
37353337656233663938663839373931623137666662623266336537383631626631306235363064
|
||||
33313564316438633139336261623736336336326239376630316335313631376132646563333430
|
||||
33656432643130643832343065353834633366363339353964623762666564633835633636313731
|
||||
63353637636165663136623736343234393038313235333363643237643566623766393838386635
|
||||
33646233623032653233336266636335666233353032303837663162303939383262373761623261
|
||||
35366661363966346233633739663635353361303264356534366235616164316138623730623632
|
||||
62316362623736396264366632373661373835393434343364353431316362666235616635633566
|
||||
64353530633334393737346663653562346335323065356665643132353738363132623031353664
|
||||
66666639326238386634363664356664343161386435323736316636343536326435303066353035
|
||||
37363731613138393333636562386363333932386362303139643262386237353863363764643139
|
||||
64616561373239346464623165616332623434303433626638376232333733646136376431626438
|
||||
66613134343639656331626630303030366133356636663735353466353834613430356265386162
|
||||
66613332663232623438636661306332613162666561353537313336643134663664306630636639
|
||||
61613363353264373831393962333631383236666130646333336431303735333165656438363432
|
||||
38396530333631636135653534393531326434306362396237366430383166323832336434376364
|
||||
38393431646338316232373431613930326532646333386435303034356564336665346133393866
|
||||
61643533643361646265313334633463616437393437653935613261366635616430313064346532
|
||||
32363831613565313836376338646466323130373032613863323037323566643164653132633735
|
||||
65636562653535626461396666643330386333663137613333643165656336633038323036373162
|
||||
31376338613862333334643561313332326237646565633934323032626662633631633033623063
|
||||
63306664656437663732323339383735306132616531373865323835633264333639336163366466
|
||||
33373433653839393638323034623835643531393266306331313563613265616633353763653438
|
||||
65363532653163303861383531356639316331343531666666636336373634636134633331366364
|
||||
62366230366435323435613964636533353236373935626632623536396664313264653031623062
|
||||
33366166343630313839366262313234346262343336386538336335393835646138666330656361
|
||||
61313936323838653832633130346539636363613838343363663431623063333933383466353938
|
||||
65383361333561383631643938613862343236346233363466333237316339616362366565306639
|
||||
39356563656132303463346138356435303038303165363935343266396462326365363262393336
|
||||
37396235366639623761366239386165613065626431633733306234343866663266633631656237
|
||||
63643430383433393835663635356265636635363137613064353066313338346436356632346265
|
||||
38393730336465396263373137383238653337396364643061303234666266663064663265383434
|
||||
36636138643432373633313038393737663735363838396164366234643533633762383062353831
|
||||
66326231363337323666386263373438656630346336663239643030386434636264666634393631
|
||||
39313364333761343532346165396365306463393037643935666363323630326664616638313338
|
||||
39396336653738353333343835363861643166376565346463303135376439336134666235623230
|
||||
32363031303732666133386164313437366164326539373564623236356432303132633436323563
|
||||
36323634373538376133613736633133356638323861636434646465643432636366376138636232
|
||||
63633830613462613831313938326339343632393038376639623131366364623536353338363439
|
||||
32613331623863336165636364616634303264356630303665383638663737343836663831363263
|
||||
63366562393734323030306436346534626530656465396535323835316139633562363830373437
|
||||
63626530326530383538623165356532303862353763326432373966626436303465373431373762
|
||||
38613539623164353732623636376630643465343839666531306438326633343362306665366132
|
||||
39396537366266353864656232616334336130333337306463313932393832653661343036396261
|
||||
64613461633433356334623631643861303133383963336635623138326139613564343838366565
|
||||
36343130353462333162313736636139306233366466626231306561626335396262663531333839
|
||||
61336437343137356335633764373730306466326133356331333530353537616661373062656438
|
||||
35356235666464656466323937353837623535643937383866666133383633396563333338633034
|
||||
38366531613164363966323137646237393135383164643230663331306335636432656565633636
|
||||
34343031633632346533353666353034666266666561346464306665386634313263323333653330
|
||||
66323033393531343633356466613837346164393332613037636465343230623731616361336338
|
||||
61373332373636646435353734386366613334323161626437396232613534613330613532323534
|
||||
65653065386432313733663165616333663666363733623162306536303833663136353334656466
|
||||
64353931363838613761663561666639373865393438396565626661343934353662363834636535
|
||||
65363664393433313036383438643864663339626331343230343337316437336634636363303563
|
||||
35373539383535353235633730386232363539616632336566376264393832383637663330613133
|
||||
37643261363966633138373935333438393536373938383265373261363232343030373539366335
|
||||
61633162663137643061363366653135323639363838626266386262666133306461333432313738
|
||||
30313332626166303630363839396663396564633961383863326663356230343938643833303933
|
||||
34333032353935323565346633363537656639613663356130383264373739636231363364613066
|
||||
36653664346434393933383337313630623131396461343930383537633536643365306564396665
|
||||
31353861643335353538623838393335326364393738376239623431306231363739656438626265
|
||||
37666532336661306262303761616238666239623265663231386165353437366631376234343035
|
||||
33393037316563373534373765616238616639303031346430623561663430393536303163613338
|
||||
65353062336164626335376235656235343637366438353334356436653266333062663838316263
|
||||
32623732306462356162623437393035626433336631643833626463656634366332613936346465
|
||||
34653331363133373635633330363564333264623566613432383439396537343963653239336265
|
||||
33326132663434363065646265646130333935303662623037363938313464366564323734333437
|
||||
36336335303738643634653164306332636130316161393335656536386131396662616366383139
|
||||
36663863343736666665363337663537326330323437346565346465326231366563643136366365
|
||||
37636361343961326261336437616266373962643765346438333766306537303137353764396330
|
||||
39626635373631353635313935363834363730386132376363663462653330623130663266373432
|
||||
65343237326535613535386363396236336536366165306463643162346638623638373433646163
|
||||
62613935363636353639623839396231393838303135346536383037353636613563323234626131
|
||||
64373666303436393861373164376564646235366131343433623733663832653039393738343537
|
||||
65323534343464613230346532623966616462353532373064623566626563336464326336393364
|
||||
39626237646431313135323036303065343138616632343237396136366332636132303037376132
|
||||
33623031623635653162616265316366663262373666636638386130643336383130643232643662
|
||||
34326663343562613962343033396332303261636230353331313730336630633461333736626333
|
||||
66636430643330383032646634396133626339623036333963396662313234623466366634636334
|
||||
33373762386662613966353664346239666133656435353365653536356331613632666132376264
|
||||
62613433366633663065306166396166633836306139376533396165393966323465303638373563
|
||||
63326330323161303065643365343363313338326238363137663139613463613434643834613662
|
||||
64663365633965653363633165653038333335333232633434323037643936646561376431626230
|
||||
66356138373136366134373533386634373061666330663364376336383433306331386162393633
|
||||
33636330643531396464313736363061303466393861613730323563626363643731333633366532
|
||||
64646130636234653566346533323962353332653335336239353630633535623935396638663366
|
||||
37383661343636613261623833653032373764653164346634663431653664636233323734666166
|
||||
36373664306566663930353338366431623563396166356638626166333165623263636336613138
|
||||
34343936393964666564306637346561393538383137663162663630336462656663316338376236
|
||||
63633666333263663734353861633164653132663334306664643133663736663766626639393236
|
||||
32653430333163313363343731666135656662363838366132383732346130313130363365656263
|
||||
32643533393163376264653632663262353966306630333064313932616262323134326361633764
|
||||
63383837303936616434616630653833653833623263623532306363373836323431393335623530
|
||||
34316562343035326265333164643163356230643639373431326431303538346363376332373434
|
||||
31313666313663343363353130306561646136393732663164393232636330663635346434343134
|
||||
33663138663336636430373763396435323138373633666438623234363631336232366635366532
|
||||
62616239663934653462656163326134303261376635323864633435383666363065656665303538
|
||||
62626538343638366236646136363232373437336630383739656438636465326531646664366462
|
||||
36353663626634386538336239623734323234393463313034303837363164363263623065613061
|
||||
38333162646232366339333662313965663336613238386530393162346266636532353433656136
|
||||
66326436323836376432313238613165373565643233333435393361636637653361616435393438
|
||||
32383763393561343734643438346635613663393736613839623263663866336165343235663933
|
||||
66623137616561313462653631613830363666653635336534643935373739353138363934656134
|
||||
35663063396162623432373534333463376231666466393963336231653939326663396336383735
|
||||
34633763336163313432616163313638623963306666643432306661393632346339373963633265
|
||||
32303862643661376433356661383335313365306534663534396638313531373538326236636363
|
||||
37626138333437393363323261336663653163643565303063313231346131376261653763356631
|
||||
62306262336337366134626632333663363139393131306666303235303761623665356431646234
|
||||
33666461663035303066353137623762653565353533613435663839396238336337333463636465
|
||||
38353135356634626137376232613330393235383432356436393030313564306537616363383136
|
||||
66356463373138313661373565326565343066643133633630313031303132313031663739316631
|
||||
66666631386163313034306532393862393930653931363235396662366262636466363464396466
|
||||
61303962303066633764393831396632626233343633313061323838623134373036393164633139
|
||||
30303861636335636131376334376239636235653233323435623262366132663934613661333135
|
||||
61386136326435363337316363666330363431613135663661303438383664663930656564373730
|
||||
32373731393666333364633835646431646662313232383136616238303264383438663766356462
|
||||
32346664376430663934626661663039656461383738626265346162393861346163656161323333
|
||||
39323666643031376530303230626166613233383731363766373634623430633635303963313466
|
||||
34646331363539636133373134353535356265393265393635323532323134643034343663636362
|
||||
38633261613433393634396234396265623063346138363133646532366638306632396464646432
|
||||
61373961383438386535336131393633303430346162613738343839653038303035303033626535
|
||||
37343030623530333332306265373539633735616634663666356437303862636338363866613861
|
||||
38346130336338373865343866306665616530313938616366346131376262346135323537663137
|
||||
39383366313766666234323234363937623264353532323033363966313135653163343036666262
|
||||
34393832613034383239393930383063336131356364303231323966303633333331633666373764
|
||||
65383137333965663234663933303231356165376233326233303035316536666563656363343933
|
||||
36633039666432643135636331353932633164633964623661373739633665313433306561303637
|
||||
62373534346562363132643063643732343462653838393635343266626535353864656437313434
|
||||
34376538303965616539626534613431623834376337643936613137323031323139393762636463
|
||||
66346664666361623636666533663037613434353135393862376633636233656330366136646434
|
||||
30653735323961383130393763333630306131376430363436623238646632363462383739653636
|
||||
37346566663039383866323639633565366338353438386461616239313639343766333661346435
|
||||
33316538366463383733346663316564656566656165396465393461363061613239666165346661
|
||||
62346639623163363762366431313831663135643062336363323336303737393437653863303665
|
||||
36643466336566336236353166333063633830646461626262333937316162353365353130353535
|
||||
30383164363532363532306364393236303537383139643431393962333063633162313033613561
|
||||
32323434336364343061386666616639336566373461633462393130336461303531353436623065
|
||||
65663430623066336533373662306566396263376562343936666166626666323964373334613835
|
||||
64633535303365643564626562643562636363363834353865353765356665643965663861366436
|
||||
63333736613232353130616466316637613966646139323565356537666331666564623832333439
|
||||
36376131663431616430616265323039646432393166613631313762613264313765323231663961
|
||||
65616636306362386534626130636261636566626365643630616135323634343935653033653433
|
||||
3061
|
||||
|
|
6
hosts
6
hosts
|
@ -69,7 +69,6 @@ switchs-manager.adm.auro.re
|
|||
ldap-replica-ovh.adm.auro.re
|
||||
prometheus-ovh.adm.auro.re
|
||||
prometheus-federate.adm.auro.re
|
||||
ns-2.auro.re
|
||||
|
||||
[ovh_testing_vm]
|
||||
#re2o-test.adm.auro.re
|
||||
|
@ -92,11 +91,6 @@ dns-fleming.adm.auro.re
|
|||
dns-fleming-backup.adm.auro.re
|
||||
ntp-1.int.infra.auro.re
|
||||
prometheus-fleming.adm.auro.re
|
||||
ns-master.int.infra.auro.re
|
||||
dns-1.int.infra.auro.re
|
||||
ns-1.auro.re
|
||||
ldap-1.int.infra.auro.re
|
||||
radius-1.isp.infra.auro.re
|
||||
#prometheus-fleming-fo.adm.auro.re
|
||||
radius-fleming.adm.auro.re
|
||||
dns-1.int.infra.auro.re
|
||||
|
|
|
@ -1,419 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
import dataclasses
|
||||
import ipaddress
|
||||
import itertools
|
||||
import sys
|
||||
import typing
|
||||
from typing import Annotated, Any
|
||||
|
||||
import dns
|
||||
import dns.rdata
|
||||
import dns.rdataclass
|
||||
import dns.rdatatype
|
||||
import dns.rdtypes.ANY.CNAME
|
||||
import dns.rdtypes.ANY.MX
|
||||
import dns.rdtypes.ANY.NS
|
||||
import dns.rdtypes.ANY.PTR
|
||||
import dns.rdtypes.ANY.SOA
|
||||
import dns.rdtypes.ANY.SPF
|
||||
import dns.rdtypes.ANY.TXT
|
||||
import dns.rdtypes.IN.A
|
||||
import dns.rdtypes.IN.AAAA
|
||||
import dns.rdtypes.IN.SRV
|
||||
import dns.reversename
|
||||
import dns.serial
|
||||
import dns.zone
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.common.validation import check_type_list
|
||||
|
||||
|
||||
class RName(dns.name.Name):
|
||||
"""Domain name used to represent an e-mail address (see RFC 1035)."""
|
||||
|
||||
def __init__(self, address):
|
||||
try:
|
||||
local, domain = address.split("@")
|
||||
except ValueError:
|
||||
raise ValueError(
|
||||
"Invalid e-mail address format: {}".format(address)
|
||||
)
|
||||
super().__init__(
|
||||
(local,) + dns.name.from_text(domain, origin=dns.name.empty).labels
|
||||
)
|
||||
|
||||
|
||||
class MultiRecords:
|
||||
"""Annotation used to indicate that a field can be filled in more than
|
||||
once via a list, and that this will create as many records as values.
|
||||
"""
|
||||
|
||||
...
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class A:
|
||||
address: str
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.IN.A.A(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.A, self.address
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class AAAA:
|
||||
address: str
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.IN.AAAA.AAAA(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.AAAA, self.address
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class PTR:
|
||||
target: dns.name.Name
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.PTR.PTR(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.PTR, self.target
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class CNAME:
|
||||
target: dns.name.Name
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.CNAME.CNAME(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.CNAME, self.target
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class MX:
|
||||
exchange: Annotated[dns.name.Name, MultiRecords]
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
preference: int = 10
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.MX.MX(
|
||||
dns.rdataclass.IN.IN,
|
||||
dns.rdatatype.MX,
|
||||
self.preference,
|
||||
self.exchange,
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class NS:
|
||||
target: Annotated[dns.name.Name, MultiRecords]
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.NS.NS(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.NS, self.target
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class SPF:
|
||||
data: str
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.SPF.SPF(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.SPF, self.data
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class TXT:
|
||||
data: str
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.TXT.TXT(
|
||||
dns.rdataclass.IN.IN, dns.rdatatype.TXT, self.data
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class SRV:
|
||||
target: Annotated[dns.name.Name, MultiRecords]
|
||||
weight: int
|
||||
port: int
|
||||
priority: int = 10
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.IN.SRV.SRV(
|
||||
dns.rdataclass.IN.IN,
|
||||
dns.rdatatype.SRV,
|
||||
self.priority,
|
||||
self.weight,
|
||||
self.port,
|
||||
self.target,
|
||||
)
|
||||
|
||||
|
||||
@dataclasses.dataclass
|
||||
class SOA:
|
||||
mname: dns.name.Name
|
||||
rname: RName
|
||||
refresh: int
|
||||
retry: int
|
||||
expire: int
|
||||
minimum: int
|
||||
serial: int = 1
|
||||
name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty
|
||||
|
||||
def rdata(self) -> dns.rdata.Rdata:
|
||||
return dns.rdtypes.ANY.SOA.SOA(
|
||||
dns.rdataclass.IN.IN,
|
||||
dns.rdatatype.SOA,
|
||||
self.mname,
|
||||
self.rname,
|
||||
self.serial,
|
||||
self.refresh,
|
||||
self.retry,
|
||||
self.expire,
|
||||
self.minimum,
|
||||
)
|
||||
|
||||
|
||||
def has_annotation(ty, annotation):
|
||||
"""Is the type `ty` annotated with a given `annotation`."""
|
||||
return (
|
||||
typing.get_origin(ty) == typing.Annotated
|
||||
and annotation in typing.get_args(ty)[1:]
|
||||
)
|
||||
|
||||
|
||||
def annotated_origin(ty):
|
||||
"""Returns the origin of an annotated type `ty`."""
|
||||
assert typing.get_origin(ty) == typing.Annotated
|
||||
return typing.get_args(ty)[0]
|
||||
|
||||
|
||||
def is_multi_records(ty):
|
||||
"""Is the type `ty` annotated with `MultiRecords`."""
|
||||
return has_annotation(ty, MultiRecords)
|
||||
|
||||
|
||||
def spec_option_of_field(field):
|
||||
types = {
|
||||
str: "str",
|
||||
dns.name.Name: "str",
|
||||
RName: "str",
|
||||
int: "int",
|
||||
}
|
||||
if is_multi_records(field.type):
|
||||
option = {
|
||||
"type": "list",
|
||||
"elements": types[annotated_origin(field.type)],
|
||||
}
|
||||
else:
|
||||
option = {"type": types[field.type]}
|
||||
option["required"] = field.default is dataclasses.MISSING
|
||||
return option
|
||||
|
||||
|
||||
def spec_options_of_type(ty):
|
||||
"""Convert a `dataclass` type to Ansible `argument_spec` `options`'
|
||||
format."""
|
||||
return {
|
||||
field.name: spec_option_of_field(field)
|
||||
for field in dataclasses.fields(ty)
|
||||
}
|
||||
|
||||
|
||||
def coerce_dns_name(value: Any) -> dns.name.Name:
|
||||
"""Try to convert a `value` to `dns.name.Name`."""
|
||||
if not isinstance(value, dns.name.Name):
|
||||
return dns.name.from_text(value, origin=dns.name.empty)
|
||||
return value
|
||||
|
||||
|
||||
def product_dict(dct, keys=None):
|
||||
"""Compute the "cartesian product" of a dictionnary `dct`
|
||||
w.r.t some `keys` (if `keys` is None, then the product is computed
|
||||
on all the keys)."""
|
||||
if keys is None:
|
||||
keys = dct.keys()
|
||||
wrapped = {k: v if k in keys else [v] for k, v in dct.items()}
|
||||
for values in itertools.product(*wrapped.values()):
|
||||
yield dict(zip(wrapped.keys(), values))
|
||||
|
||||
|
||||
def make_hosts_records(hosts):
|
||||
for host, addrs in hosts.items():
|
||||
for addr in check_type_list(addrs):
|
||||
name = dns.name.from_text(host, origin=dns.name.empty)
|
||||
decoded = ipaddress.ip_address(addr)
|
||||
yield AAAA(addr, name) if decoded.version == 6 else A(addr, name)
|
||||
|
||||
|
||||
def make_reverse_hosts_records(hosts):
|
||||
for host, addrs in hosts.items():
|
||||
for addr in check_type_list(addrs):
|
||||
name = dns.name.from_text(host)
|
||||
reverse = dns.reversename.from_address(addr)
|
||||
yield PTR(name, reverse)
|
||||
|
||||
|
||||
def make_records(args, ty):
|
||||
# TODO: Ça n'est pas du tout élégant, mais :
|
||||
# 1. je n'ai pas réussi à spécifier dans `argument_spec` un type tiers
|
||||
# 2. Ansible positionne à `None` les entrées non passées à la tâche et
|
||||
# ce comportement ne semble pas modifiable
|
||||
types = {f.name: f.type for f in dataclasses.fields(ty)}
|
||||
coercers = {
|
||||
dns.name.Name: coerce_dns_name,
|
||||
RName: RName,
|
||||
}
|
||||
|
||||
def coerce_single(value, ty):
|
||||
if ty in coercers:
|
||||
return coercers[ty](value)
|
||||
return value
|
||||
|
||||
def coerce(name, value):
|
||||
if is_multi_records(types[name]):
|
||||
origin = annotated_origin(types[name])
|
||||
return [coerce_single(v, origin) for v in value]
|
||||
return coerce_single(value, types[name])
|
||||
|
||||
clean_args = {
|
||||
name: coerce(name, value)
|
||||
for name, value in args.items()
|
||||
if value is not None
|
||||
}
|
||||
|
||||
multi_keys = {k for k, v in types.items() if is_multi_records(v)}
|
||||
|
||||
for single_args in product_dict(clean_args, multi_keys):
|
||||
yield ty(**single_args)
|
||||
|
||||
|
||||
def zones_eq(lhs: dns.zone.Zone, rhs: dns.zone.Zone) -> bool:
|
||||
"""Returns a `bool` indicating whether two `dns.zone.Zone`s are equal
|
||||
w.r.t. their text representation."""
|
||||
return lhs.to_text(relativize=False, sorted=True) == rhs.to_text(
|
||||
relativize=False, sorted=True
|
||||
)
|
||||
|
||||
|
||||
def write_text_file(path, text, module):
|
||||
"""Naive text file write function with support for Ansible's diff and
|
||||
check modes."""
|
||||
diff_text = {
|
||||
"before_header": f"{path} (content)",
|
||||
"after_header": f"{path} (content)",
|
||||
"after": text,
|
||||
}
|
||||
|
||||
try:
|
||||
with open(path) as f:
|
||||
current = f.read()
|
||||
changed = text != current
|
||||
diff_text["before"] = current
|
||||
except Exception:
|
||||
changed = True
|
||||
diff_text["before"] = None
|
||||
|
||||
if changed and not module.check_mode:
|
||||
with open(path, "w") as f:
|
||||
f.write(text)
|
||||
|
||||
file_args = module.load_file_common_arguments(module.params)
|
||||
diff_attrs = {
|
||||
"before_header": f"{path} (attributes)",
|
||||
"after_header": f"{path} (attributes)",
|
||||
}
|
||||
|
||||
changed = module.set_file_attributes_if_different(
|
||||
file_args, changed, diff_attrs
|
||||
)
|
||||
|
||||
return changed, [diff_text, diff_attrs]
|
||||
|
||||
|
||||
def main() -> int:
|
||||
|
||||
record_types = {
|
||||
"ns": NS,
|
||||
"txt": TXT,
|
||||
"a": A,
|
||||
"aaaa": AAAA,
|
||||
"srv": SRV,
|
||||
"spf": SPF,
|
||||
"ptr": PTR,
|
||||
"cname": CNAME,
|
||||
"mx": MX,
|
||||
}
|
||||
|
||||
module_args = {
|
||||
"path": {"type": "str", "required": True},
|
||||
"origin": {"type": "str", "required": True},
|
||||
"soa": {
|
||||
"type": "dict",
|
||||
"required": True,
|
||||
"options": spec_options_of_type(SOA),
|
||||
},
|
||||
"hosts": {"type": "dict", "default": {}},
|
||||
"reverse_hosts": {"type": "dict", "default": {}},
|
||||
}
|
||||
|
||||
for name, ty in record_types.items():
|
||||
module_args[name] = {
|
||||
"type": "list",
|
||||
"default": [],
|
||||
"elements": "dict",
|
||||
"options": spec_options_of_type(ty),
|
||||
}
|
||||
|
||||
module = AnsibleModule(
|
||||
argument_spec=module_args,
|
||||
add_file_common_args=True,
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
origin = dns.name.from_text(module.params["origin"])
|
||||
path = module.params["path"]
|
||||
|
||||
zone = dns.zone.Zone(origin)
|
||||
|
||||
records = itertools.chain(
|
||||
make_records(module.params["soa"], SOA),
|
||||
make_reverse_hosts_records(module.params["reverse_hosts"]),
|
||||
make_hosts_records(module.params["hosts"]),
|
||||
itertools.chain.from_iterable(
|
||||
itertools.chain.from_iterable(
|
||||
make_records(args, ty) for args in module.params[name]
|
||||
)
|
||||
for name, ty in record_types.items()
|
||||
),
|
||||
)
|
||||
|
||||
for record in records:
|
||||
node = zone.get_node(record.name, create=True)
|
||||
rdata = record.rdata()
|
||||
dataset = node.get_rdataset(rdata.rdclass, rdata.rdtype, create=True)
|
||||
dataset.add(rdata)
|
||||
|
||||
zone_text = zone.to_text(relativize=False, sorted=True)
|
||||
|
||||
changed, diff = write_text_file(path, zone_text, module)
|
||||
|
||||
module.exit_json(changed=changed, diff=diff)
|
||||
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
|
@ -1,18 +0,0 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts:
|
||||
- radius-1.isp.infra.auro.re
|
||||
vars:
|
||||
radiusd__clients:
|
||||
localhost:
|
||||
addr: 127.0.0.1
|
||||
secret: abcdef
|
||||
wifi-ap-v4:
|
||||
addr: 10.102.0.0/16
|
||||
secret: abcdef
|
||||
wifi-ap-v6:
|
||||
addr: 2a09:6840:102::/56
|
||||
secret: abcdef
|
||||
roles:
|
||||
- freeradius
|
||||
...
|
|
@ -7,7 +7,6 @@
|
|||
- dhcp-2.isp.auro.re
|
||||
- isp-1.rtr.infra.auro.re
|
||||
- isp-2.rtr.infra.auro.re
|
||||
- radius-1.isp.infra.auro.re
|
||||
vars:
|
||||
# TODO: netbox
|
||||
ifupdown2__hosts:
|
||||
|
@ -19,14 +18,6 @@
|
|||
addresses:
|
||||
- 2a09:6840:128::203/56
|
||||
- 10.128.0.203/16
|
||||
radius-1.isp.infra.auro.re:
|
||||
ens18:
|
||||
gateways:
|
||||
- 2a09:6840:128::254
|
||||
- 10.128.0.254
|
||||
addresses:
|
||||
- 2a09:6840:128::208/56
|
||||
- 10.128.0.208/16
|
||||
dns-1.int.infra.auro.re:
|
||||
ens18:
|
||||
gateways:
|
||||
|
@ -209,7 +200,6 @@
|
|||
- dhcp-2.isp.auro.re
|
||||
- isp-1.rtr.infra.auro.re
|
||||
- isp-2.rtr.infra.auro.re
|
||||
- radius-1.isp.infra.auro.re
|
||||
vars:
|
||||
resolvconf__nameservers:
|
||||
- 2a09:6840:128::127
|
||||
|
|
17
playbooks/knot.yml
Executable file
17
playbooks/knot.yml
Executable file
|
@ -0,0 +1,17 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: all
|
||||
roles: []
|
||||
|
||||
# WIP: Deploy authoritative DNS servers
|
||||
# - hosts: authoritative_dns
|
||||
# vars:
|
||||
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
|
||||
# service_name: dns
|
||||
# service_version: crans
|
||||
# service_config:
|
||||
# hostname: re2o-server.adm.auro.re
|
||||
# username: service-user
|
||||
# password: "{{ vault_serviceuser_passwd }}"
|
||||
# roles:
|
||||
# - re2o_service
|
|
@ -1,532 +0,0 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: ns-master.int.infra.auro.re
|
||||
vars:
|
||||
knotd__listen:
|
||||
- address: 0.0.0.0
|
||||
- address: "::"
|
||||
knotd__keys:
|
||||
xfr:
|
||||
algorithm: hmac-sha512
|
||||
secret: "{{ vault_knotd_xfr_key }}"
|
||||
ksk-infra:
|
||||
algorithm: hmac-sha512
|
||||
secret: "{{ vault_knotd_ksk_infra_key }}"
|
||||
update-acme-challenge:
|
||||
algorithm: hmac-sha512
|
||||
secret: "{{ vault_certbot_dns_secret }}"
|
||||
knotd__remotes:
|
||||
xfr-ns-1:
|
||||
address: 10.128.0.199
|
||||
key: xfr
|
||||
xfr-ns-2:
|
||||
address: 10.128.0.109
|
||||
key: xfr
|
||||
ksk-infra:
|
||||
address: ::1
|
||||
key: ksk-infra
|
||||
knotd__policies:
|
||||
public:
|
||||
algorithm: ECDSAP256SHA256
|
||||
reproducible_signing: true
|
||||
# Je n'ai pas trouvé de façon de pousser les records automatiquement
|
||||
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
|
||||
# KSK n'expire pas
|
||||
ksk_lifetime: 0
|
||||
zsk_lifetime: 30d
|
||||
nsec3: true
|
||||
infra:
|
||||
algorithm: ECDSAP256SHA256
|
||||
ksk_lifetime: 365d
|
||||
zsk_lifetime: 30d
|
||||
nsec3: on
|
||||
ds-push: ksk-infra
|
||||
cds-cdnskey-publish: rollover
|
||||
ksk-submission: infra
|
||||
ripe:
|
||||
algorithm: ECDSAP256SHA256
|
||||
ksk_lifetime: 365d
|
||||
zsk_lifetime: 30d
|
||||
nsec3: on
|
||||
ds-push: ksk-ripe
|
||||
cds-cdnskey-publish: rollover
|
||||
ksk-submission: ripe
|
||||
knotd__acl:
|
||||
xfr:
|
||||
addresses:
|
||||
- 10.128.0.199
|
||||
- 2a09:6840:128::199
|
||||
- 10.128.0.109
|
||||
- 2a09:6840:128::109
|
||||
action: transfer
|
||||
key: xfr
|
||||
ksk-infra:
|
||||
addresses:
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
key: ksk-infra
|
||||
action: update
|
||||
update_types:
|
||||
- DS
|
||||
update_owner: name
|
||||
update_owner_match: equal
|
||||
update_owner_name:
|
||||
- infra
|
||||
update-acme-challenge:
|
||||
addresses:
|
||||
- 10.128.0.0/16
|
||||
- 2a09:6840:128::/48
|
||||
key: update-acme-challenge
|
||||
action: update
|
||||
update_types:
|
||||
- TXT
|
||||
update_owner: name
|
||||
update_owner_match: equal
|
||||
update_owner_name:
|
||||
- _acme-challenge.auro.re.
|
||||
knotd__queryacl:
|
||||
local:
|
||||
addresses:
|
||||
- 10.0.0.0/8
|
||||
knotd__soa_rname: root@auro.re.
|
||||
# TODO: Netbox
|
||||
knotd__hosts:
|
||||
auro.re:
|
||||
proxy-ovh:
|
||||
- 92.222.211.195
|
||||
horus:
|
||||
- 92.23.218.136
|
||||
ns-1:
|
||||
- 45.66.111.30
|
||||
- 2a09:6840:111::30
|
||||
ns-2:
|
||||
- 92.222.211.194
|
||||
serge:
|
||||
- 92.222.211.196
|
||||
lama:
|
||||
- 185.230.78.220
|
||||
- 2a0c:700:12:0:67:e5ff:fee9:108
|
||||
vpn-ovh:
|
||||
- 92.222.211.197
|
||||
passerelle:
|
||||
- 45.66.111.254
|
||||
- 2a09:6840:111::254
|
||||
proxy:
|
||||
- 45.66.111.61
|
||||
- 2a09:6840:111::61
|
||||
camelot:
|
||||
- 45.66.111.59
|
||||
- 2a09:6840:111::59
|
||||
mail:
|
||||
- 45.66.111.62
|
||||
- 2a09:6840:111::62
|
||||
galene:
|
||||
- 45.66.111.65
|
||||
- 2a09:6840:111::65
|
||||
aclyas:
|
||||
- 45.66.111.231
|
||||
- 2a09:6840:111::231
|
||||
jitsi:
|
||||
- 45.66.111.55
|
||||
- 2a09:6840:111::55
|
||||
portail-fleming:
|
||||
- 10.13.0.247
|
||||
- 2a09:6840:13::247
|
||||
portail-pacaterie:
|
||||
- 10.23.0.247
|
||||
- 2a09:6840:23::247
|
||||
portail-rives:
|
||||
- 10.33.0.247
|
||||
- 2a09:6840:33::247
|
||||
portail-edc:
|
||||
- 10.43.0.247
|
||||
- 2a09:6840:43::247
|
||||
portail-gs:
|
||||
- 10.53.0.247
|
||||
- 2a09:6840:53::247
|
||||
adh.auro.re:
|
||||
hoffman:
|
||||
- 45.66.110.1
|
||||
- 2a09:6840:110:0:2d8:61ff:fe56:d7eb
|
||||
hindley:
|
||||
- 45.66.110.3
|
||||
- 2a09:6840:110:0:a6ba:dbff:fe03:1f36
|
||||
yberreby:
|
||||
- 45.66.110.5
|
||||
- 2a09:6840:110:0:d896:1dff:fe59:8381
|
||||
paon:
|
||||
- 45.66.110.10
|
||||
- 2a09:6840:110:0:231:92ff:fe1b:ae22
|
||||
lovelace:
|
||||
- 45.66.110.45
|
||||
- 2a09:6840:110:0:c634:6bff:feb5:7bcc
|
||||
switch-leo:
|
||||
- 45.66.110.103
|
||||
- 2a09:6840:110:0:82cc:9cff:fe82:ca3e
|
||||
haskell:
|
||||
- 45.66.110.112
|
||||
- 2a09:6840:110:0:f4ac:cbff:fe81:7f48
|
||||
lyshyga0:
|
||||
- 45.66.110.113
|
||||
- 2a09:6840:110:0:6af7:28ff:fe91:e8d9
|
||||
pz28910:
|
||||
- 45.66.110.114
|
||||
vinsing0:
|
||||
- 45.66.110.123
|
||||
- 2a09:6840:110:0:1e1b:dff:fe90:7d81
|
||||
osc-routeur:
|
||||
- 45.66.110.125
|
||||
- 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
|
||||
odroid:
|
||||
- 45.66.110.154
|
||||
- 2a09:6840:110:0:21e:6ff:fe49:e00
|
||||
amau0:
|
||||
- 45.66.110.164
|
||||
- 2a09:6840:110:0:3e7c:3fff:fec3:27d1
|
||||
regulus:
|
||||
- 45.66.110.180
|
||||
- 2a09:6840:110:0:2ef0:5dff:fe2a:1530
|
||||
toaster:
|
||||
- 45.66.110.188
|
||||
- 2a09:6840:110:0:5246:5dff:fe9a:f70
|
||||
rpijutax:
|
||||
- 45.66.110.190
|
||||
- 2a09:6840:110:0:ba27:ebff:fe76:a9bc
|
||||
lafeychine:
|
||||
- 45.66.110.200
|
||||
- 2a09:6840:110:0:46a5:6eff:fe71:1
|
||||
polaris:
|
||||
- 45.66.110.245
|
||||
- 2a09:6840:110:0:dea6:32ff:feb4:d033
|
||||
pz28:
|
||||
- 109.209.83.178
|
||||
knotd__zones:
|
||||
auro.re:
|
||||
dnssec_policy: public
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- update-acme-challenge
|
||||
- ksk-infra
|
||||
- xfr
|
||||
soa:
|
||||
mname: ns-master.int.infra
|
||||
ns:
|
||||
- target:
|
||||
- ns-1
|
||||
- ns-2
|
||||
- name: infra
|
||||
target:
|
||||
- ns-1
|
||||
- ns-2
|
||||
- name: isp
|
||||
target:
|
||||
- ns-1
|
||||
- ns-2
|
||||
- name: adm
|
||||
target:
|
||||
- serge
|
||||
- lama
|
||||
- name: ups
|
||||
target:
|
||||
- serge
|
||||
- lama
|
||||
- name: switch
|
||||
target:
|
||||
- serge
|
||||
- lama
|
||||
- name: borne
|
||||
target:
|
||||
- serge
|
||||
- lama
|
||||
mx:
|
||||
- exchange: mail
|
||||
preference: 5
|
||||
- exchange: proxy-ovh
|
||||
preference: 10
|
||||
spf:
|
||||
- data: v=spf1 mx -all
|
||||
a:
|
||||
- address: 92.222.211.195
|
||||
cname:
|
||||
- name:
|
||||
- element
|
||||
- riot
|
||||
- auth
|
||||
- rss
|
||||
- codimd
|
||||
- hedgedoc
|
||||
- kanboard
|
||||
- www
|
||||
- pad
|
||||
- privatebin
|
||||
- zero
|
||||
- paste
|
||||
- hétérogénéité
|
||||
target: proxy-ovh
|
||||
- name:
|
||||
- grafana
|
||||
- netbox
|
||||
- wiki
|
||||
- matrix
|
||||
- drone
|
||||
- gitea
|
||||
- re2o
|
||||
- nextcloud
|
||||
target: proxy
|
||||
- name: intranet
|
||||
target: re2o
|
||||
- name:
|
||||
- smtp
|
||||
- imap
|
||||
target: mail
|
||||
- name:
|
||||
- prometheus-paul.adh
|
||||
- pma-paul.adh
|
||||
- nextcloud-paul.adh
|
||||
- grafana-paul.adh
|
||||
- jellyfin.adh
|
||||
- monitoring.adh
|
||||
- beta-mpp.adh
|
||||
target: pz28.adh
|
||||
hosts: "{{ knotd__hosts['auro.re']
|
||||
| combine(knotd__hosts['adh.auro.re']
|
||||
| add_origin_keys('adh.auro.re.')) }}"
|
||||
infra.auro.re:
|
||||
dnssec_policy: infra
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
#queryacl: local
|
||||
soa:
|
||||
mname: ns-master.int
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
hosts:
|
||||
services-1.ceph:
|
||||
- 10.132.1.1
|
||||
- "2a09:6840:132:1:1::"
|
||||
services-2.ceph:
|
||||
- 10.132.1.2
|
||||
- "2a09:6840:132:1:2::"
|
||||
services-3.ceph:
|
||||
- 10.132.1.3
|
||||
- "2a09:6840:132:1:3::"
|
||||
ns-master.int:
|
||||
- 10.128.0.110
|
||||
- 2a09:6840:128:0::110
|
||||
ec-1.ups:
|
||||
- 10.131.4.1
|
||||
- 2a09:6840:131::4:1
|
||||
ec-2.ups:
|
||||
- 10.131.4.2
|
||||
- 2a09:6840:131::4:2
|
||||
ldap-1.int:
|
||||
- 10.128.0.10
|
||||
- 2a09:6840:128::10
|
||||
ntp-1.int:
|
||||
- 10.128.0.203
|
||||
- 2a09:6840:128::203
|
||||
dns-1.int:
|
||||
- 10.128.0.127
|
||||
- 2a09:6840:128::127
|
||||
isp-1.rtr:
|
||||
- 10.128.0.255
|
||||
- 2a09:6840:128::255
|
||||
isp-2.rtr:
|
||||
- 10.128.0.158
|
||||
- 2a09:6840:128::158
|
||||
radius-1.isp:
|
||||
- 10.128.0.208
|
||||
- 2a09:6840:128::208
|
||||
isp.auro.re:
|
||||
dnssec_policy: infra
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
#queryacl: local
|
||||
soa:
|
||||
mname: ns-master.int.auro.re.
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
hosts:
|
||||
dhcp-1:
|
||||
- 10.128.0.204
|
||||
- 2a09:6840:128::204
|
||||
dhcp-2:
|
||||
- 10.128.0.91
|
||||
- 2a09:6840:128::91
|
||||
108.66.45.in-addr.arpa:
|
||||
dnssec_policy: ripe
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
soa:
|
||||
mname: ns-master.int.infra.auro.re.
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
109.66.45.in-addr.arpa:
|
||||
dnssec_policy: ripe
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
soa:
|
||||
mname: ns-master.int.infra.auro.re.
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
110.66.45.in-addr.arpa:
|
||||
dnssec_policy: ripe
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
soa:
|
||||
mname: ns-master.int.infra.auro.re.
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
reverse_hosts: "{{ knotd__hosts['adh.auro.re']
|
||||
| ip_filter(['45.66.110.0/24'])
|
||||
| add_origin_keys('adh.auro.re.') }}"
|
||||
111.66.45.in-addr.arpa:
|
||||
dnssec_policy: ripe
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
soa:
|
||||
mname: ns-master.int.infra.auro.re.
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
reverse_hosts: "{{ knotd__hosts['auro.re']
|
||||
| ip_filter(['45.66.111.0/24'])
|
||||
| add_origin_keys('auro.re.') }}"
|
||||
0.4.8.6.9.0.a.2.ip6.arpa:
|
||||
dnssec_policy: ripe
|
||||
notify:
|
||||
- xfr-ns-1
|
||||
- xfr-ns-2
|
||||
acl:
|
||||
- xfr
|
||||
soa:
|
||||
mname: ns-master.int.infra.auro.re.
|
||||
ns:
|
||||
- target:
|
||||
- ns-1.auro.re.
|
||||
- ns-2.auro.re.
|
||||
reverse_hosts: "{{ knotd__hosts['auro.re']
|
||||
| ip_filter(['2a09:6840::/32'])
|
||||
| add_origin_keys('auro.re.')
|
||||
| combine(knotd__hosts['adh.auro.re']
|
||||
| ip_filter(['2a09:6840::/32'])
|
||||
| add_origin_keys('adh.auro.re.')) }}"
|
||||
#reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
|
||||
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
|
||||
#hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
|
||||
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
|
||||
#nb_dns__vlan_suffixes:
|
||||
# external-services: ext.infra.auro.re.
|
||||
# wifi-access-points: wifi.infra.auro.re.
|
||||
# monitoring: monit.infra.auro.re.
|
||||
# routers: rtr.infra.auro.re.
|
||||
# services-ceph: ceph.infra.auro.re.
|
||||
# ups: ups.infra.auro.re.
|
||||
# switchs: sw.infra.auro.re.
|
||||
# internal-services: int.infra.auro.re.
|
||||
# bmc: bmc.infra.auro.re.
|
||||
roles:
|
||||
- knotd
|
||||
|
||||
- hosts:
|
||||
- ns-1.auro.re
|
||||
- ns-2.auro.re
|
||||
vars:
|
||||
knotd__listen:
|
||||
- address: 0.0.0.0
|
||||
- address: "::"
|
||||
knotd__keys:
|
||||
xfr:
|
||||
algorithm: hmac-sha512
|
||||
secret: "{{ vault_knotd_xfr_key }}"
|
||||
knotd__remotes:
|
||||
xfr-master:
|
||||
address: 10.128.0.110
|
||||
key: xfr
|
||||
knotd__acl:
|
||||
notify-master:
|
||||
address:
|
||||
- 10.128.0.110
|
||||
- 2a09:6840:128::110
|
||||
key: xfr
|
||||
action: notify
|
||||
knotd__queryacl:
|
||||
local:
|
||||
addresses:
|
||||
- 10.0.0.0/8
|
||||
knotd__zones:
|
||||
auro.re:
|
||||
dnssec_validation: true
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
infra.auro.re:
|
||||
dnssec_validation: true
|
||||
acl:
|
||||
- notify-master
|
||||
#queryacl: local
|
||||
master: xfr-master
|
||||
isp.auro.re:
|
||||
dnssec_validation: true
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
108.66.45.in-addr.arpa:
|
||||
dnssec_validation: false
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
109.66.45.in-addr.arpa:
|
||||
dnssec_validation: false
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
110.66.45.in-addr.arpa:
|
||||
dnssec_validation: false
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
111.66.45.in-addr.arpa:
|
||||
dnssec_validation: false
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
0.4.8.6.9.0.a.2.ip6.arpa:
|
||||
dnssec_validation: false
|
||||
acl:
|
||||
- notify-master
|
||||
master: xfr-master
|
||||
roles:
|
||||
- knotd
|
||||
...
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts:
|
||||
- dns-1.int.infra.auro.re
|
||||
vars:
|
||||
kresd__listen:
|
||||
- address: 0.0.0.0
|
||||
port: 53
|
||||
kind: dns
|
||||
- address: "::"
|
||||
port: 53
|
||||
kind: dns
|
||||
- address: 0.0.0.0
|
||||
port: 853
|
||||
kind: tls
|
||||
- address: "::"
|
||||
port: 853
|
||||
kind: tls
|
||||
kresd__cache_size: 512
|
||||
roles:
|
||||
- kresd
|
||||
...
|
10
playbooks/radius.yml
Executable file
10
playbooks/radius.yml
Executable file
|
@ -0,0 +1,10 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
# Deploy Radius
|
||||
- hosts: radius-*.adm.auro.re
|
||||
vars:
|
||||
update_motd:
|
||||
unbound: FreeRADIUS est déployé.
|
||||
roles:
|
||||
- radius
|
||||
- update_motd
|
|
@ -1 +0,0 @@
|
|||
dnspython
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
collections:
|
||||
- name: community.general
|
||||
- name: community.postgresql
|
||||
- name: ansible.utils
|
||||
...
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
radiusd__max_attributes: 200
|
||||
radiusd__status_server: true
|
||||
radiusd__clients: {}
|
||||
radiusd__enabled_modules_minimal:
|
||||
- always
|
||||
- attr_filter
|
||||
- cache_eap # TODO
|
||||
- dynamic_clients # TODO
|
||||
- eap # TODO
|
||||
- expiration # TODO
|
||||
- expr # TODO
|
||||
- linelog # TODO
|
||||
- logintime # TODO
|
||||
- realm # TODO
|
||||
- unpack # TODO
|
||||
- eap_inner
|
||||
- ldap
|
||||
- pap
|
||||
- utf8
|
||||
radiusd__enabled_modules: []
|
||||
radiusd__tls_cipher_list: DEFAULT
|
||||
radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||
radiusd__enabled_sites_minimal:
|
||||
- default
|
||||
- inner-tunnel
|
||||
radiusd__enabled_sites: []
|
||||
...
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: Restart freeradius
|
||||
systemd:
|
||||
name: freeradius.service
|
||||
state: restarted
|
||||
...
|
|
@ -1,132 +0,0 @@
|
|||
---
|
||||
- name: Install freeradius
|
||||
apt:
|
||||
name: freeradius
|
||||
install_recommends: false
|
||||
|
||||
- name: Remove unused files
|
||||
file:
|
||||
path: "/etc/freeradius/3.0/{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- templates.conf
|
||||
- trigger.conf
|
||||
- README.rst
|
||||
- panic.gdb
|
||||
- experimental.conf
|
||||
- certs/ca.cnf
|
||||
- certs/bootstrap
|
||||
- certs/client.cnf
|
||||
- certs/inner-server.cnf
|
||||
- certs/server.cnf
|
||||
- certs/README
|
||||
- certs/Makefile
|
||||
- certs/xpextensions
|
||||
- policy.d/accounting
|
||||
- policy.d/rfc7542
|
||||
- policy.d/dhcp
|
||||
- policy.d/debug
|
||||
- policy.d/control
|
||||
- policy.d/abfab-tr
|
||||
- policy.d/moonshot-targeted-ids
|
||||
- policy.d/operator-name
|
||||
- mods-config/unbound/
|
||||
- mods-config/perl/
|
||||
- mods-config/python3/
|
||||
- mods-config/sql/
|
||||
- mods-config/files/
|
||||
- mods-config/preprocess/
|
||||
- mods-config/README.rst
|
||||
- users
|
||||
- hints
|
||||
- huntgroups
|
||||
|
||||
- name: Configure freeradius
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||
owner: root
|
||||
group: freerad
|
||||
mode: u=rw,g=r,o=
|
||||
loop:
|
||||
- radiusd.conf
|
||||
#- proxy.conf
|
||||
- clients.conf
|
||||
- dictionary
|
||||
- mods-available/utf8
|
||||
- mods-available/always
|
||||
- mods-available/eap
|
||||
- mods-available/eap_inner
|
||||
- mods-config/attr_filter/access_challenge
|
||||
- mods-config/attr_filter/access_reject
|
||||
- sites-available/inner-tunnel
|
||||
- sites-available/default
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
- name: Enumerate available modules
|
||||
find:
|
||||
paths: /etc/freeradius/3.0/mods-available
|
||||
register: available_modules
|
||||
|
||||
- name: Disable modules
|
||||
file:
|
||||
path: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ available_modules.files
|
||||
| map(attribute='path')
|
||||
| map('basename')
|
||||
| difference(radiusd__enabled_modules_minimal
|
||||
| union(radiusd__enabled_modules)) }}"
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
- name: Enable modules
|
||||
file:
|
||||
src: "/etc/freeradius/3.0/mods-available/{{ item }}"
|
||||
dest: "/etc/freeradius/3.0/mods-enabled/{{ item }}"
|
||||
state: link
|
||||
owner: root
|
||||
group: freerad
|
||||
mode: u=rw,g=r,o=
|
||||
loop: "{{ radiusd__enabled_modules_minimal
|
||||
| union(radiusd__enabled_modules) }}"
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
- name: Enumerate available sites
|
||||
find:
|
||||
paths: /etc/freeradius/3.0/sites-available
|
||||
register: available_sites
|
||||
|
||||
- name: Disable sites
|
||||
file:
|
||||
path: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ available_sites.files
|
||||
| map(attribute='path')
|
||||
| map('basename')
|
||||
| difference(radiusd__enabled_sites_minimal
|
||||
| union(radiusd__enabled_sites)) }}"
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
- name: Enable sites
|
||||
file:
|
||||
src: "/etc/freeradius/3.0/sites-available/{{ item }}"
|
||||
dest: "/etc/freeradius/3.0/sites-enabled/{{ item }}"
|
||||
state: link
|
||||
owner: root
|
||||
group: freerad
|
||||
mode: u=rw,g=r,o=
|
||||
loop: "{{ radiusd__enabled_sites_minimal
|
||||
| union(radiusd__enabled_sites) }}"
|
||||
notify:
|
||||
- Restart freeradius
|
||||
|
||||
- name: Enable and start freeradius
|
||||
systemd:
|
||||
name: freeradius.service
|
||||
state: started
|
||||
enabled: true
|
||||
...
|
|
@ -1,16 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
{% for name, client in radiusd__clients.items() %}
|
||||
client {{ name }} {
|
||||
ipaddr = {{ client.addr }}
|
||||
shortname = {{ name }}
|
||||
proto = *
|
||||
require_message_authenticator = yes
|
||||
nastype = other
|
||||
secret = {{ client.secret }}
|
||||
{% if client.virtual_server is defined %}
|
||||
virtual_server = {{ client.virtual_server }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endfor %}
|
|
@ -1 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
|
@ -1,37 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
always reject {
|
||||
rcode = reject
|
||||
}
|
||||
|
||||
always fail {
|
||||
rcode = fail
|
||||
}
|
||||
|
||||
always ok {
|
||||
rcode = ok
|
||||
}
|
||||
|
||||
always handled {
|
||||
rcode = handled
|
||||
}
|
||||
|
||||
always invalid {
|
||||
rcode = invalid
|
||||
}
|
||||
|
||||
always userlock {
|
||||
rcode = userlock
|
||||
}
|
||||
|
||||
always notfound {
|
||||
rcode = notfound
|
||||
}
|
||||
|
||||
always noop {
|
||||
rcode = noop
|
||||
}
|
||||
|
||||
always updated {
|
||||
rcode = updated
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
attr_filter attr_filter.access_reject {
|
||||
key = "%{User-Name}"
|
||||
filename = ${modconfdir}/${.:name}/access_reject
|
||||
}
|
||||
|
||||
attr_filter attr_filter.access_challenge {
|
||||
key = "%{User-Name}"
|
||||
filename = ${modconfdir}/${.:name}/access_challenge
|
||||
}
|
|
@ -1,59 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
eap {
|
||||
|
||||
default_eap_type = peap
|
||||
|
||||
type = peap
|
||||
type = ttls
|
||||
|
||||
ignore_unknown_eap_types = no
|
||||
|
||||
cisco_accounting_username_bug = no
|
||||
|
||||
timer_expire = 60
|
||||
max_sessions = ${max_requests}
|
||||
|
||||
tls-config tls-common {
|
||||
private_key_file = {{ radiusd__tls_private_key_file }}
|
||||
certificate_file = {{ radiusd__tls_certificate_file }}
|
||||
ca_file = {{ radiusd__tls_ca_file }}
|
||||
dh_file = ${certdir}/dh
|
||||
cipher_list = {{ radiusd__tls_cipher_list | enquote }}
|
||||
cipher_server_preferences = yes
|
||||
tls_min_version = "1.2"
|
||||
tls_max_version = "1.2" # TODO: 1.3
|
||||
# TODO
|
||||
# cache {
|
||||
# enable = yes
|
||||
# lifetime = 24
|
||||
# name = "eap"
|
||||
# persistdir = "${logdir}/tlscache"
|
||||
# store {
|
||||
# Tunnel-Private-Group-Id
|
||||
# }
|
||||
# }
|
||||
ocsp {
|
||||
enable = no
|
||||
}
|
||||
}
|
||||
|
||||
peap {
|
||||
tls = tls-common
|
||||
default_eap_type = gtc
|
||||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-tunnel
|
||||
}
|
||||
|
||||
ttls {
|
||||
tls = tls-common
|
||||
default_eap_type = pap
|
||||
require_client_cert = no
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
virtual_server = inner-tunnel
|
||||
}
|
||||
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
eap inner-eap {
|
||||
|
||||
default_eap_type = gtc
|
||||
|
||||
type = gtc
|
||||
type = pap
|
||||
|
||||
gtc {
|
||||
auth_type = LDAP
|
||||
}
|
||||
|
||||
}
|
|
@ -1,50 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
ldap {
|
||||
|
||||
server = "ldap://ldap-1.int.infra.auro.re"
|
||||
|
||||
# TODO: quand on passera en prod, créer un utilisation dédié
|
||||
identity = "cn=Directory manager"
|
||||
password = "MotDePasseSuperComplique"
|
||||
|
||||
base_dn = "ou=users,dc=auro,dc=re"
|
||||
|
||||
user_dn = "LDAP-UserDn"
|
||||
|
||||
user {
|
||||
base_dn = "${..base_dn}"
|
||||
filter = "{{ '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' }}"
|
||||
}
|
||||
|
||||
group {
|
||||
base_dn = "${..base_dn}"
|
||||
filter = "(objectClass=posixGroup)"
|
||||
membership_attribute = "memberOf"
|
||||
}
|
||||
|
||||
options {
|
||||
# TODO
|
||||
chase_referrals = no
|
||||
rebind = no
|
||||
res_timeout = 10
|
||||
srv_timelimit = 3
|
||||
net_timeout = 1
|
||||
idle = 60
|
||||
probes = 3
|
||||
interval = 3
|
||||
ldap_debug = 0x0028
|
||||
}
|
||||
|
||||
pool {
|
||||
start = ${thread[pool].start_servers}
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
max = ${thread[pool].max_servers}
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
uses = 0
|
||||
retry_delay = 30
|
||||
lifetime = 0
|
||||
idle_timeout = 60
|
||||
}
|
||||
|
||||
}
|
|
@ -1,5 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
pap {
|
||||
normalise = no
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
utf8 {
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
Proxy-State =* ANY,
|
||||
Session-Timeout =* ANY,
|
||||
Idle-Timeout =* ANY
|
|
@ -1,10 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
DEFAULT
|
||||
EAP-Message =* ANY,
|
||||
State =* ANY,
|
||||
Message-Authenticator =* ANY,
|
||||
Error-Cause =* ANY,
|
||||
Reply-Message =* ANY,
|
||||
MS-CHAP-Error =* ANY,
|
||||
Proxy-State =* ANY
|
|
@ -1,23 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
proxy server {
|
||||
default_fallback = no
|
||||
dynamic = no
|
||||
}
|
||||
|
||||
{% for name, hs in radiusd__home_servers.items %}
|
||||
home_server {{ name }} {
|
||||
type = auth
|
||||
ipaddr = {{ hs.addr }}
|
||||
port = {{ hs.port | int }}
|
||||
}
|
||||
{% endfor %}
|
||||
|
||||
{% for name, realm in radiusd__realms.items() %}
|
||||
realm {{ name }} {
|
||||
auth_pool = auth_pool
|
||||
}
|
||||
{% endfor %}
|
||||
|
||||
realm LOCAL {
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
prefix = /usr
|
||||
exec_prefix = /usr
|
||||
sysconfigdir = /etc
|
||||
localstatedir = /var
|
||||
sbindir = ${exec_prefix}/sbin
|
||||
logdir = /var/log/freeradius
|
||||
raddbdir = /etc/freeradius/3.0
|
||||
radacctdir = ${logdir}/radacct
|
||||
name = freeradius
|
||||
confdir = ${raddbdir}
|
||||
modconfdir = ${confdir}/mods-config
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
run_dir = ${localstatedir}/run/${name}
|
||||
db_dir = ${raddbdir}
|
||||
libdir = /usr/lib/freeradius
|
||||
pidfile = ${run_dir}/${name}.pid
|
||||
checkrad = ${sbindir}/checkrad
|
||||
|
||||
max_request_time = 30
|
||||
cleanup_delay = 5
|
||||
max_requests = 16384
|
||||
hostname_lookups = no
|
||||
correct_escapes = true
|
||||
|
||||
log {
|
||||
destination = syslog
|
||||
syslog_facility = daemon
|
||||
auth = yes
|
||||
}
|
||||
|
||||
security {
|
||||
user = freerad
|
||||
group = freerad
|
||||
allow_core_dumps = no
|
||||
max_attributes = {{ radiusd__max_attributes | int }}
|
||||
status_server = {{ radiusd__status_server | ternary("yes", "no") }}
|
||||
}
|
||||
|
||||
proxy_requests = yes
|
||||
|
||||
$INCLUDE proxy.conf
|
||||
|
||||
$INCLUDE clients.conf
|
||||
|
||||
thread pool {
|
||||
start_servers = 5
|
||||
max_servers = 32
|
||||
min_spare_servers = 3
|
||||
max_spare_servers = 10
|
||||
max_requests_per_server = 0
|
||||
auto_limit_acct = no
|
||||
}
|
||||
|
||||
modules {
|
||||
$INCLUDE mods-enabled/
|
||||
}
|
||||
|
||||
instantiate {
|
||||
}
|
||||
|
||||
policy {
|
||||
$INCLUDE policy.d/
|
||||
}
|
||||
|
||||
$INCLUDE sites-enabled/
|
|
@ -1,69 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server default {
|
||||
|
||||
listen {
|
||||
type = auth
|
||||
ipaddr = *
|
||||
port = 0
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
listen {
|
||||
type = auth
|
||||
ipv6addr = *
|
||||
port = 0
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
authorize {
|
||||
filter_username # TODO
|
||||
suffix
|
||||
eap
|
||||
}
|
||||
|
||||
authenticate {
|
||||
eap
|
||||
}
|
||||
|
||||
preacct {
|
||||
}
|
||||
|
||||
accounting {
|
||||
}
|
||||
|
||||
post-auth {
|
||||
if (session-state:User-Name && reply:User-Name \
|
||||
&& request:User-Name \
|
||||
&& (reply:User-Name == request:User-Name)) {
|
||||
update reply {
|
||||
&User-Name !* ANY
|
||||
}
|
||||
}
|
||||
update {
|
||||
&reply: += &session-state:
|
||||
}
|
||||
Post-Auth-Type REJECT {
|
||||
attr_filter.access_reject
|
||||
eap
|
||||
remove_reply_message_if_eap
|
||||
}
|
||||
remove_reply_message_if_eap
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
eap
|
||||
}
|
||||
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server inner-tunnel {
|
||||
|
||||
authorize {
|
||||
# Look for realm using the 'suffix' format (user@realm)
|
||||
suffix
|
||||
# Don't proxy requests from inner tunnel
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
}
|
||||
# TODO: vérifier que le realm est soit vide, soit 'auro.re'
|
||||
# Must be before 'ldap', so that we don't query the LDAP server
|
||||
# for "internal" packets (cf. documentation for
|
||||
# sites-available/inner-tunnel)
|
||||
inner-eap {
|
||||
ok = return
|
||||
}
|
||||
ldap
|
||||
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
|
||||
if ((ok || updated) && User-Password) {
|
||||
update control {
|
||||
Auth-Type := ldap
|
||||
}
|
||||
}
|
||||
pap
|
||||
}
|
||||
|
||||
authenticate {
|
||||
inner-eap
|
||||
# Authenticate using 'Auth-Type = LDAP'
|
||||
# This is not recommended by FreeRADIUS (cf. documentation for
|
||||
# sites-available/default), but the password hashing scheme used
|
||||
# by 389DS is not yet supported by FreeRADIUS 3
|
||||
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
|
||||
ldap
|
||||
}
|
||||
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
knotd__run_dir: /run/knot
|
||||
knotd__user: knot
|
||||
knotd__group: knot
|
||||
knotd__listen: []
|
||||
knotd__port: 53
|
||||
knotd__database_dir: /var/lib/knot
|
||||
knotd__keys: []
|
||||
knotd__remotes: []
|
||||
knotd__submissions: []
|
||||
knotd__policies: []
|
||||
knotd__reproducible_signing: true
|
||||
knotd__nsec3: true
|
||||
knotd__cds_cdnskey_publish: rollover
|
||||
knotd__acl: []
|
||||
knotd__acl_update_owner: name
|
||||
knotd__acl_update_owner_match: equal
|
||||
knotd__queryacl: {}
|
||||
knotd__zones_dir: "{{ knotd__database_dir }}/zones"
|
||||
knotd__semantic_checks: true
|
||||
knotd__serial_policy: increment
|
||||
knotd__zones: []
|
||||
knotd__soa_refresh: 1d
|
||||
knotd__soa_retry: 2h
|
||||
knotd__soa_expire: 1000h
|
||||
knotd__soa_minimum: 1d
|
||||
knotd__dnssec_validation: true
|
||||
...
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: Restart knotd
|
||||
systemd:
|
||||
name: knot.service
|
||||
state: restarted
|
||||
|
||||
- name: Reload knotd
|
||||
systemd:
|
||||
name: knot.service
|
||||
state: reloaded
|
||||
...
|
|
@ -1,75 +0,0 @@
|
|||
---
|
||||
- name: Install knotd and dnspython
|
||||
apt:
|
||||
name:
|
||||
- knot
|
||||
- python3-dnspython
|
||||
|
||||
- name: Install config files
|
||||
template:
|
||||
src: knot.conf.j2
|
||||
dest: /etc/knot/knot.conf
|
||||
owner: root
|
||||
group: knot
|
||||
mode: u=rw,g=r,o=
|
||||
notify:
|
||||
- Restart knotd
|
||||
|
||||
- name: Create zones directory
|
||||
file:
|
||||
path: "{{ knotd__zones_dir }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: "{{ knotd__group }}"
|
||||
mode: u=rwx,g=rx,o=
|
||||
|
||||
- name: Create zone files
|
||||
dns_zone:
|
||||
path: "{{ knotd__zones_dir }}/{{ item.key }}.zone"
|
||||
owner: root
|
||||
group: "{{ knotd__group }}"
|
||||
mode: u=rw,g=r,o=
|
||||
origin: "{{ item.key }}"
|
||||
soa:
|
||||
mname: "{{ item.value.soa.mname }}"
|
||||
rname: "{{ item.value.soa.rname | default(knotd__soa_rname)
|
||||
| default(omit) }}"
|
||||
refresh: "{{ item.value.soa.refresh | default(knotd__soa_refresh)
|
||||
| community.general.to_seconds | int }}"
|
||||
retry: "{{ item.value.soa.retry | default(knotd__soa_retry)
|
||||
| community.general.to_seconds | int }}"
|
||||
expire: "{{ item.value.soa.expire | default(knotd__soa_expire)
|
||||
| community.general.to_seconds | int }}"
|
||||
minimum: "{{ item.value.soa.minimum | default(knotd__soa_minimum)
|
||||
| community.general.to_seconds | int }}"
|
||||
hosts: "{{ item.value.hosts | default(omit) }}"
|
||||
reverse_hosts: "{{ item.value.reverse_hosts | default(omit) }}"
|
||||
ns: "{{ item.value.ns | default(omit) }}"
|
||||
mx: "{{ item.value.mx | default(omit) }}"
|
||||
cname: "{{ item.value.cname | default(omit) }}"
|
||||
txt: "{{ item.value.txt | default(omit) }}"
|
||||
a: "{{ item.value.a | default(omit) }}"
|
||||
spf: "{{ item.value.spf | default(omit) }}"
|
||||
srv: "{{ item.value.srv | default(omit) }}"
|
||||
ptr: "{{ item.value.ptr | default(omit) }}"
|
||||
aaaa: "{{ item.value.aaaa | default(omit) }}"
|
||||
when: "item.value.master is not defined
|
||||
and (item.value.enabled | default(true))"
|
||||
loop: "{{ knotd__zones | dict2items }}"
|
||||
notify:
|
||||
- Reload knotd
|
||||
|
||||
- name: Remove disabled zone files
|
||||
file:
|
||||
path: "{{ knotd__zones_dir }}/{{ item.key }}.zone"
|
||||
state: absent
|
||||
when: "item.value.master is not defined
|
||||
and not (item.value.enabled | default(true))"
|
||||
loop: "{{ knotd__zones | dict2items }}"
|
||||
|
||||
- name: Enable and start knotd
|
||||
systemd:
|
||||
name: knot.service
|
||||
enabled: true
|
||||
state: started
|
||||
...
|
|
@ -1,144 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server:
|
||||
rundir: "{{ knotd__run_dir }}"
|
||||
user: {{ knotd__user }}:{{ knotd__group }}
|
||||
{% for listen in knotd__listen %}
|
||||
listen: {{ listen.address }}@{{ listen.port | default(knotd__port) }}
|
||||
{% endfor %}
|
||||
version: ""
|
||||
identity: ""
|
||||
|
||||
log:
|
||||
- target: syslog
|
||||
any: info
|
||||
|
||||
database:
|
||||
storage: "{{ knotd__database_dir }}"
|
||||
|
||||
{% if knotd__keys %}
|
||||
key:
|
||||
{% for id, key in knotd__keys.items() %}
|
||||
- id: {{ id }}
|
||||
algorithm: {{ key.algorithm }}
|
||||
secret: {{ key.secret }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if knotd__remotes %}
|
||||
remote:
|
||||
{% for id, remote in knotd__remotes.items() %}
|
||||
- id: {{ id }}
|
||||
address: {{ remote.address }}
|
||||
{% if remote.key is defined %}
|
||||
key: {{ remote.key }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if knotd__submissions %}
|
||||
submission:
|
||||
{% for id, submission in knotd__submissions.items() %}
|
||||
- id: {{ id }}
|
||||
parent: {{ submission.parent }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if knotd__policies %}
|
||||
policy:
|
||||
{% for id, policy in knotd__policies.items() %}
|
||||
- id: {{ id }}
|
||||
algorithm: {{ policy.algorithm }}
|
||||
{% if policy.algorithm.startswith("ECDSA") %}
|
||||
reproducible-signing: {{ policy.reproducible_signing
|
||||
| default(knotd__reproducible_signing)
|
||||
| ternary("on", "off") }}
|
||||
{% endif %}
|
||||
ksk-lifetime: {{ policy.ksk_lifetime }}
|
||||
zsk-lifetime: {{ policy.zsk_lifetime }}
|
||||
nsec3: {{ policy.nsec3
|
||||
| default(knotd__nsec3)
|
||||
| ternary("on", "off") }}
|
||||
{% if policy.ds_push is defined %}
|
||||
ds-push: {{ policy.ds_push }}
|
||||
{% endif %}
|
||||
cds-cdnskey-publish: {{ policy.cds_cdnskey_publish
|
||||
| default(knotd__cds_cdnskey_publish) }}
|
||||
{% if policy.ksk_submission is defined %}
|
||||
ksk-submission: {{ policy.ksk_submission }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if knotd__acl %}
|
||||
acl:
|
||||
{% for id, acl in knotd__acl.items() %}
|
||||
- id: {{ id }}
|
||||
{% if acl.addresses is defined %}
|
||||
address: [ {{ acl.addresses | join(", ") }} ]
|
||||
{% endif %}
|
||||
action: {{ acl.action }}
|
||||
{% if acl.action == "update" %}
|
||||
update-type: [ {{ acl.update_types | join(", ") }} ]
|
||||
update-owner: {{ acl.update_owner
|
||||
| default(knotd__acl_update_owner) }}
|
||||
update-owner-match: {{ acl.update_owner_match
|
||||
| default(knotd__acl_update_owner_match) }}
|
||||
update-owner-name: [ {{ acl.update_owner_name | join(", ") }} ]
|
||||
{% endif %}
|
||||
{% if acl.key is defined %}
|
||||
key: {{ acl.key }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if knotd__queryacl %}
|
||||
mod-queryacl:
|
||||
{% for id, acl in knotd__queryacl.items() %}
|
||||
- id: {{ id }}
|
||||
address: [ {{ acl.addresses | join(", ") }} ]
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
template:
|
||||
- id: default
|
||||
storage: "{{ knotd__zones_dir }}"
|
||||
file: "%s.zone"
|
||||
zonefile-sync: -1
|
||||
journal-content: changes
|
||||
journal-content: all
|
||||
serial-policy: {{ knotd__serial_policy }}
|
||||
|
||||
{% if knotd__zones %}
|
||||
zone:
|
||||
{% for domain, zone in knotd__zones.items() %}
|
||||
{% if zone.enabled | default(true) %}
|
||||
- domain: {{ domain }}
|
||||
{% if zone.notify is defined %}
|
||||
notify: [ {{ zone.notify | join(", ") }} ]
|
||||
{% endif %}
|
||||
{% if zone.acl is defined %}
|
||||
acl: [ {{ zone.acl | join(", ") }} ]
|
||||
{% endif %}
|
||||
{% if zone.queryacl is defined %}
|
||||
module: mod-queryacl/{{ zone.queryacl }}
|
||||
{% endif %}
|
||||
{% if zone.master is defined %}
|
||||
master: {{ zone.master }}
|
||||
zonefile-load: none
|
||||
{% else %}
|
||||
zonefile-load: difference-no-serial
|
||||
semantic-checks: {{ knotd__semantic_checks
|
||||
| ternary("on", "off") }}
|
||||
{% endif %}
|
||||
{% if zone.dnssec_policy is defined %}
|
||||
dnssec-policy: {{ zone.dnssec_policy }}
|
||||
dnssec-signing: on
|
||||
{% else %}
|
||||
dnssec-validation: {{ zone.dnssec_validation
|
||||
| default(knotd__dnssec_validation)
|
||||
| ternary("on", "off") }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
kresd__listen: []
|
||||
kresd__freebind: true
|
||||
kresd__cache_size: 128
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- name: Restart kresd
|
||||
systemd:
|
||||
name: kresd@1.service
|
||||
state: restarted
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
- name: Install knot-resolver
|
||||
apt:
|
||||
name: knot-resolver
|
||||
|
||||
- name: Configure kresd
|
||||
template:
|
||||
src: kresd.conf.j2
|
||||
dest: /etc/knot-resolver/kresd.conf
|
||||
owner: root
|
||||
group: knot-resolver
|
||||
mode: u=rw,g=r,o=
|
||||
notify:
|
||||
- Restart kresd
|
||||
|
||||
- name: Enable and start kresd
|
||||
systemd:
|
||||
name: kresd@1.service
|
||||
state: started
|
||||
enabled: true
|
||||
...
|
|
@ -1,21 +0,0 @@
|
|||
{{ ansible_managed | comment(decoration="-- ") }}
|
||||
|
||||
{% for listen in kresd__listen %}
|
||||
net.listen(
|
||||
{{ listen.address | enquote }},
|
||||
{{ listen.port | int }},
|
||||
{
|
||||
kind = {{ listen.kind | enquote }},
|
||||
freebind = {{ listen.freebind
|
||||
| default(kresd__freebind) }},
|
||||
}
|
||||
)
|
||||
{% endfor %}
|
||||
|
||||
modules = {
|
||||
'hints > iterate',
|
||||
'stats',
|
||||
'predict',
|
||||
}
|
||||
|
||||
cache.size = {{ kresd__cache_size | int }} * MB
|
263
roles/radius/tasks/main.yml
Normal file
263
roles/radius/tasks/main.yml
Normal file
|
@ -0,0 +1,263 @@
|
|||
---
|
||||
- name: Add backports repositories
|
||||
apt_repository:
|
||||
repo: "{{ item }} http://deb.debian.org/debian buster-backports main contrib non-free"
|
||||
loop:
|
||||
- "deb"
|
||||
- "deb-src"
|
||||
|
||||
- name: Ensure /var/www exists
|
||||
file:
|
||||
name: "/var/www"
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Clone re2o repo
|
||||
git:
|
||||
repo: "https://gitlab.federez.net/re2o/re2o.git"
|
||||
dest: "/var/www/re2o"
|
||||
version: "dev"
|
||||
force: true
|
||||
|
||||
- name: Template local re2o settings
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/var/www/re2o/re2o/{{ item }}"
|
||||
mode: 0644
|
||||
loop:
|
||||
- settings_local.py
|
||||
- local_routers.py
|
||||
|
||||
# What follows is a hideous abomination.
|
||||
# Blame freeradius-python3 on backports.
|
||||
|
||||
- name: try to install freeradius-python3 (this will fail on post-install)
|
||||
apt:
|
||||
name: freeradius-python3
|
||||
default_release: buster-backports
|
||||
update_cache: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: fix freeradius-python3 postinstall script
|
||||
template:
|
||||
src: freeradius-python3.postinst.j2
|
||||
dest: /var/lib/dpkg/info/freeradius-python3.postinst
|
||||
mode: 0644
|
||||
|
||||
- name: reinstall broken package (this might fail too, for different reasons)
|
||||
apt:
|
||||
name: freeradius-python3
|
||||
default_release: buster-backports
|
||||
force: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: Setup radius symlinks
|
||||
file:
|
||||
src: "/var/www/re2o/freeradius_utils/{{ item.local_prefix }}{{ item.filename }}"
|
||||
dest: "/etc/freeradius/3.0/{{ item.filename }}"
|
||||
state: link
|
||||
force: true
|
||||
loop:
|
||||
- local_prefix: ""
|
||||
filename: auth.py
|
||||
- local_prefix: freeradius3/
|
||||
filename: radiusd.conf
|
||||
- local_prefix: freeradius3/
|
||||
filename: mods-enabled/python
|
||||
- local_prefix: freeradius3/
|
||||
filename: mods-enabled/eap
|
||||
|
||||
- name: Configure freeradius
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
loop:
|
||||
- sites-enabled/default
|
||||
- sites-enabled/inner-tunnel
|
||||
|
||||
- name: Install Basic Clients/Proxy Files freeradius
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/freeradius/3.0/{{ item }}"
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
loop:
|
||||
- clients.conf
|
||||
- proxy.conf
|
||||
when: "'aurore_vm' not in group_names"
|
||||
|
||||
- name: Install Clients FedeRez Radius-Aurore
|
||||
template:
|
||||
src: proxy-federez.conf.j2
|
||||
dest: /etc/freeradius/3.0/proxy.conf
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
when: "'aurore_vm' in group_names"
|
||||
|
||||
- name: Install Proxy FedeRez Radius-Aurore
|
||||
template:
|
||||
src: clients-federez.conf.j2
|
||||
dest: /etc/freeradius/3.0/clients.conf
|
||||
mode: 0640
|
||||
owner: freerad
|
||||
when: "'aurore_vm' in group_names"
|
||||
|
||||
- name: Install radius requirements (except freeradius-python3)
|
||||
shell:
|
||||
cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
|
||||
chdir: /var/www/re2o/
|
||||
|
||||
- name: Install PyPi requirements for radius
|
||||
command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
|
||||
|
||||
# End of hideousness (hopefully).
|
||||
|
||||
- name: Configure log rotation
|
||||
template:
|
||||
src: "freeradius-logrotate.j2"
|
||||
dest: "/etc/logrotate.d/freeradius"
|
||||
mode: 0644
|
||||
|
||||
|
||||
# Database setup
|
||||
|
||||
|
||||
- name: Install postgresql
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- postgresql-client-11=11.7-0+deb10u1
|
||||
force: true
|
||||
|
||||
- name: Install postgresql ansible module requirement(s)
|
||||
pip:
|
||||
name: psycopg2
|
||||
|
||||
- name: Create read-only user
|
||||
community.general.postgresql_user:
|
||||
name: re2o_ro
|
||||
password: "{{ radius_pg_re2o_ro_password }}"
|
||||
become_user: postgres
|
||||
|
||||
- name: Create replication user
|
||||
community.general.postgresql_user:
|
||||
name: replication
|
||||
password: "{{ radius_pg_replication_password }}"
|
||||
become_user: postgres
|
||||
|
||||
|
||||
- name: Nuking - Stop freeradius
|
||||
systemd:
|
||||
name: freeradius
|
||||
state: stopped
|
||||
when: nuke_radius|default(false)
|
||||
|
||||
- name: Nuking - Remove old subscription if it exists
|
||||
community.general.postgresql_subscription:
|
||||
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
||||
db: re2o
|
||||
state: absent
|
||||
become_user: postgres
|
||||
when: nuke_radius|default(false)
|
||||
ignore_errors: true
|
||||
|
||||
- name: Nuking - Destroy old local DB if it exists
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
state: absent
|
||||
become_user: postgres
|
||||
when: nuke_radius|default(false)
|
||||
|
||||
- name: Create local DB
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
owner: replication
|
||||
state: present
|
||||
encoding: "UTF8"
|
||||
lc_collate: 'fr_FR.UTF-8'
|
||||
lc_ctype: 'fr_FR.UTF-8'
|
||||
become_user: postgres
|
||||
|
||||
- name: Dump radius re2o PostgreSQL database schema from master
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
state: dump
|
||||
target: /tmp/re2o-schema.sql
|
||||
target_opts: '-s'
|
||||
login_host: 10.128.0.22
|
||||
login_user: replication
|
||||
login_password: "{{ radius_pg_replication_password }}"
|
||||
|
||||
|
||||
- name: Restore DB
|
||||
tags:
|
||||
- restore
|
||||
community.general.postgresql_db:
|
||||
name: re2o
|
||||
state: restore
|
||||
target: /tmp/re2o-schema.sql
|
||||
target_opts: "-s"
|
||||
login_host: localhost
|
||||
login_user: replication
|
||||
login_password: "{{ radius_pg_replication_password }}"
|
||||
|
||||
|
||||
- name: Grant select permissions on all tables to read-only user
|
||||
tags:
|
||||
- perms
|
||||
community.general.postgresql_privs:
|
||||
database: re2o
|
||||
privs: SELECT
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
roles: re2o_ro
|
||||
become_user: postgres
|
||||
|
||||
- name: Grant usage permission on schema to read-only user
|
||||
tags:
|
||||
- perms
|
||||
community.general.postgresql_privs:
|
||||
database: re2o
|
||||
privs: USAGE
|
||||
objs: public
|
||||
type: schema
|
||||
roles: re2o_ro
|
||||
become_user: postgres
|
||||
|
||||
- name: Set default privileges in schema
|
||||
tags:
|
||||
- perms
|
||||
community.general.postgresql_privs:
|
||||
database: re2o
|
||||
privs: SELECT
|
||||
schema: public
|
||||
objs: TABLES
|
||||
type: default_privs
|
||||
roles: re2o_ro
|
||||
become_user: postgres
|
||||
|
||||
|
||||
- name: Set up subscription to main database
|
||||
tags:
|
||||
- sub
|
||||
community.general.postgresql_subscription:
|
||||
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
|
||||
connparams:
|
||||
host: re2o-db.adm.auro.re
|
||||
user: replication
|
||||
password: "{{ radius_pg_replication_password }}"
|
||||
dbname: re2o
|
||||
db: re2o
|
||||
publications:
|
||||
- re2o_pub
|
||||
become_user: postgres
|
||||
|
||||
|
||||
- name: Restart freeradius, ensure enabled
|
||||
systemd:
|
||||
name: freeradius
|
||||
enabled: true
|
||||
state: restarted
|
||||
daemon_reload: true
|
22
roles/radius/templates/clients-federez.conf.j2
Normal file
22
roles/radius/templates/clients-federez.conf.j2
Normal file
|
@ -0,0 +1,22 @@
|
|||
client radius-aurore {
|
||||
ipaddr = 10.128.0.0
|
||||
netmask = 16
|
||||
secret = {{ radius_secret_aurore }}
|
||||
require_message_authenticator = no
|
||||
nastype = other
|
||||
virtual_server = radius-wifi
|
||||
}
|
||||
|
||||
# Parangon (federez)
|
||||
client parangon {
|
||||
ipaddr = 185.230.78.47
|
||||
secret = {{ radius_secret_federez }}
|
||||
virtual_server = radius-wifi
|
||||
}
|
||||
|
||||
# Dodecagon (federez)
|
||||
client dodecagon {
|
||||
ipaddr = 195.154.165.76
|
||||
secret = {{ radius_secret_federez }}
|
||||
virtual_server = radius-wifi
|
||||
}
|
18
roles/radius/templates/clients.conf.j2
Normal file
18
roles/radius/templates/clients.conf.j2
Normal file
|
@ -0,0 +1,18 @@
|
|||
client radius-filaire {
|
||||
ipaddr = 10.130.{{ apartment_block_id }}.0
|
||||
netmask = 24
|
||||
secret = {{ radius_secret_wired }}
|
||||
require_message_authenticator = no
|
||||
nastype = other
|
||||
virtual_server = radius-filaire
|
||||
}
|
||||
|
||||
|
||||
client aurore-wifi {
|
||||
ipaddr = 10.{{ subnet_ids.ap }}.0.0
|
||||
netmask = 16
|
||||
secret = {{ radius_secret_wifi }}
|
||||
require_message_authenticator = no
|
||||
nastype = other
|
||||
virtual_server = radius-wifi
|
||||
}
|
50
roles/radius/templates/freeradius-logrotate.j2
Normal file
50
roles/radius/templates/freeradius-logrotate.j2
Normal file
|
@ -0,0 +1,50 @@
|
|||
# The main server log
|
||||
/var/log/freeradius/radius.log {
|
||||
# common options
|
||||
daily
|
||||
rotate 365
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
|
||||
copytruncate
|
||||
}
|
||||
|
||||
# (in order)
|
||||
# Session monitoring utilities
|
||||
# Session database modules
|
||||
# SQL log files
|
||||
/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
|
||||
/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
|
||||
/var/log/freeradius/sqllog.sql
|
||||
{
|
||||
# common options
|
||||
daily
|
||||
rotate 365
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
|
||||
nocreate
|
||||
}
|
||||
|
||||
# There are different detail-rotating strategies you can use. One is
|
||||
# to write to a single detail file per IP and use the rotate config
|
||||
# below. Another is to write to a daily detail file per IP with:
|
||||
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
|
||||
# (or similar) in radiusd.conf, without rotation. If you go with the
|
||||
# second technique, you will need another cron job that removes old
|
||||
# detail files. You do not need to comment out the below for method #2.
|
||||
/var/log/freeradius/radacct/*/detail {
|
||||
# common options
|
||||
daily
|
||||
rotate 365
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
|
||||
nocreate
|
||||
}
|
14
roles/radius/templates/freeradius-python3.postinst.j2
Normal file
14
roles/radius/templates/freeradius-python3.postinst.j2
Normal file
|
@ -0,0 +1,14 @@
|
|||
#!/bin/sh
|
||||
# vim:ts=2:sw=2:et
|
||||
|
||||
set -e
|
||||
|
||||
case "$1" in
|
||||
configure)
|
||||
invoke-rc.d freeradius restart
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
exit 0
|
28
roles/radius/templates/local_routers.py.j2
Normal file
28
roles/radius/templates/local_routers.py.j2
Normal file
|
@ -0,0 +1,28 @@
|
|||
class DbRouter(object):
|
||||
"""
|
||||
A router to control all database operations on models in the
|
||||
auth application.
|
||||
"""
|
||||
def db_for_read(self, model, **hints):
|
||||
"""
|
||||
Attempts to read remote models go to local database.
|
||||
"""
|
||||
return 'local'
|
||||
|
||||
def db_for_write(self, model, **hints):
|
||||
"""
|
||||
Attempts to write remote models go to the remote database.
|
||||
"""
|
||||
return 'default'
|
||||
|
||||
def allow_relation(self, obj1, obj2, **hints):
|
||||
"""
|
||||
Allow relations involving the remote database
|
||||
"""
|
||||
return True
|
||||
|
||||
def allow_migrate(self, db, app_label, model_name=None, **hints):
|
||||
"""
|
||||
Allow migrations on the remote database
|
||||
"""
|
||||
return True
|
87
roles/radius/templates/proxy-federez.conf.j2
Normal file
87
roles/radius/templates/proxy-federez.conf.j2
Normal file
|
@ -0,0 +1,87 @@
|
|||
# -*- mode: conf-unix; coding: utf-8 -*-
|
||||
proxy server {
|
||||
default_fallback = no
|
||||
}
|
||||
|
||||
|
||||
realm LOCAL {
|
||||
|
||||
}
|
||||
|
||||
realm NULL {
|
||||
|
||||
}
|
||||
|
||||
#Proxy FedeRez #####
|
||||
|
||||
realm AUROREFEDEREZ {
|
||||
auth_pool = federez_radius_servers
|
||||
# nostrip
|
||||
}
|
||||
|
||||
home_server parangon_v4 {
|
||||
type = auth
|
||||
ipaddr = 185.230.78.47
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server parangon_v6 {
|
||||
type = auth
|
||||
ipaddr = 2a0c:700:0:23:67:e5ff:fee9:5
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server dodecagon_v4 {
|
||||
type = auth
|
||||
ipaddr = 195.154.165.76
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server dodecagon_v6 {
|
||||
type = auth
|
||||
ipaddr = 2001:bc8:273e::1
|
||||
port = 1812
|
||||
secret = {{ radius_secret_federez }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server_pool federez_radius_servers {
|
||||
type = fail-over
|
||||
home_server = parangon_v4
|
||||
home_server = dodecagon_v4
|
||||
home_server = dodecagon_v6
|
||||
home_server = parangon_v6
|
||||
}
|
||||
|
||||
|
||||
|
54
roles/radius/templates/proxy.conf.j2
Normal file
54
roles/radius/templates/proxy.conf.j2
Normal file
|
@ -0,0 +1,54 @@
|
|||
# -*- mode: conf-unix; coding: utf-8 -*-
|
||||
proxy server {
|
||||
default_fallback = no
|
||||
}
|
||||
|
||||
|
||||
realm LOCAL {
|
||||
|
||||
}
|
||||
|
||||
realm NULL {
|
||||
|
||||
}
|
||||
|
||||
#Proxy FedeRez #####
|
||||
|
||||
realm AUROREFEDEREZ {
|
||||
auth_pool = aurore_central_radius_servers
|
||||
# nostrip
|
||||
}
|
||||
|
||||
home_server radius_aurore_v4 {
|
||||
type = auth
|
||||
ipaddr = 10.128.0.251
|
||||
port = 1812
|
||||
secret = {{ radius_secret_aurore }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server radius_aurore_v6 {
|
||||
type = auth
|
||||
ipaddr = 2a09:6840:128::251
|
||||
port = 1812
|
||||
secret = {{ radius_secret_aurore }}
|
||||
require_message_authenticator =yes
|
||||
response_window = 20
|
||||
zombie_period = 40
|
||||
revive_interval = 120
|
||||
status_check = status-server
|
||||
check_interval = 30
|
||||
num_answers_to_alive = 3
|
||||
}
|
||||
|
||||
home_server_pool aurore_central_radius_servers {
|
||||
type = fail-over
|
||||
home_server = radius_aurore_v4
|
||||
home_server = radius_aurore_v6
|
||||
}
|
129
roles/radius/templates/settings_local.py.j2
Normal file
129
roles/radius/templates/settings_local.py.j2
Normal file
|
@ -0,0 +1,129 @@
|
|||
# coding: utf-8
|
||||
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
|
||||
# se veut agnostique au réseau considéré, de manière à être installable en
|
||||
# quelques clics.
|
||||
#
|
||||
# Copyright © 2017 Gabriel Détraz
|
||||
# Copyright © 2017 Goulven Kermarec
|
||||
# Copyright © 2017 Augustin Lemesle
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
"""re2o.settings_locale
|
||||
The file with all the available options for a locale configuration of re2o
|
||||
"""
|
||||
|
||||
from __future__ import unicode_literals
|
||||
|
||||
# A secret key used by the server.
|
||||
SECRET_KEY = "{{ re2o_secret_key }}"
|
||||
|
||||
# The password to access the project database
|
||||
DB_PASSWORD = "{{ re2o_db_password }}"
|
||||
|
||||
# AES key for secret key encryption.
|
||||
# The length must be a multiple of 16
|
||||
AES_KEY = "{{ re2o_aes_key }}"
|
||||
|
||||
# Should the server run in debug mode ?
|
||||
# SECURITY WARNING: don't run with debug turned on in production!
|
||||
DEBUG = False
|
||||
|
||||
# A list of admins of the services. Receive mails when an error occurs
|
||||
ADMINS = [('AURORE', 'monitoring.aurore@lists.crans.org'),]
|
||||
|
||||
# The list of hostname the server will respond to.
|
||||
ALLOWED_HOSTS = ['{{ inventory_hostname }}']
|
||||
|
||||
# The time zone the server is runned in
|
||||
TIME_ZONE = 'Europe/Paris'
|
||||
|
||||
# The storage systems parameters to use
|
||||
DATABASES = {
|
||||
'default': {
|
||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
||||
'NAME': 're2o',
|
||||
'USER': 're2o',
|
||||
'PASSWORD': DB_PASSWORD,
|
||||
'HOST': 're2o-db.adm.auro.re',
|
||||
'TEST': {
|
||||
'CHARSET': 'utf8',
|
||||
'COLLATION': 'utf8_general_ci'
|
||||
}
|
||||
},
|
||||
'local': {
|
||||
'ENGINE': 'django.db.backends.postgresql_psycopg2',
|
||||
'NAME': 're2o',
|
||||
'USER': 're2o_ro',
|
||||
'PASSWORD': "{{ radius_pg_re2o_ro_password }}",
|
||||
'HOST': 'localhost',
|
||||
'TEST': {
|
||||
'CHARSET': 'utf8',
|
||||
'COLLATION': 'utf8_general_ci'
|
||||
}
|
||||
},
|
||||
'ldap': {
|
||||
'ENGINE': 'ldapdb.backends.ldap',
|
||||
'NAME': 'ldap://10.128.0.21/',
|
||||
'USER': 'cn=admin,dc=auro,dc=re',
|
||||
'TLS': False,
|
||||
'PASSWORD': '{{ ldap_admin_password }}',
|
||||
}
|
||||
}
|
||||
|
||||
# Security settings for secure https
|
||||
# Activate once https is correctly configured
|
||||
SECURE_CONTENT_TYPE_NOSNIFF = False
|
||||
SECURE_BROWSER_XSS_FILTER = False
|
||||
SESSION_COOKIE_SECURE = False
|
||||
CSRF_COOKIE_SECURE = False
|
||||
CSRF_COOKIE_HTTPONLY = False
|
||||
X_FRAME_OPTIONS = 'DENY'
|
||||
SESSION_COOKIE_AGE = 60 * 60 * 3
|
||||
|
||||
# The path where your organization logo is stored
|
||||
LOGO_PATH = "static_files/logo.png"
|
||||
|
||||
# The mail configuration for Re2o to send mails
|
||||
SERVER_EMAIL = 'no-reply@auro.re' # The mail address to use
|
||||
EMAIL_HOST = 'localhost' # The host to use
|
||||
EMAIL_PORT = 25 # The port to use
|
||||
|
||||
# Settings of the LDAP structure
|
||||
LDAP = {
|
||||
'base_user_dn': 'cn=Utilisateurs,dc=auro,dc=re',
|
||||
'base_userservice_dn': 'ou=service-users,dc=auro,dc=re',
|
||||
'base_usergroup_dn': 'ou=posix,ou=groups,dc=auro,dc=re',
|
||||
'base_userservicegroup_dn': 'ou=services,ou=groups,dc=auro,dc=re',
|
||||
'user_gid': 100,
|
||||
}
|
||||
|
||||
# A range of UID to use. Used in linux environement
|
||||
UID_RANGES = {
|
||||
'users': [21001, 30000],
|
||||
'service-users': [20000, 21000],
|
||||
}
|
||||
|
||||
# A range of GID to use. Used in linux environement
|
||||
GID_RANGES = {
|
||||
'posix': [501, 600],
|
||||
}
|
||||
|
||||
# Some optionnal Re2o Apps
|
||||
OPTIONNAL_APPS_RE2O = ()
|
||||
|
||||
# Some Django apps you want to add in you local project
|
||||
OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ()
|
||||
|
||||
LOCAL_ROUTERS = ["re2o.local_routers.DbRouter"]
|
239
roles/radius/templates/sites-enabled/default.j2
Normal file
239
roles/radius/templates/sites-enabled/default.j2
Normal file
|
@ -0,0 +1,239 @@
|
|||
######################################################################
|
||||
#
|
||||
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
||||
# "server" section, and configuration directives.
|
||||
#
|
||||
# Virtual hosts should be put into the "sites-available"
|
||||
# directory. Soft links should be created in the "sites-enabled"
|
||||
# directory to these files. This is done in a normal installation.
|
||||
#
|
||||
# If you are using 802.1X (EAP) authentication, please see also
|
||||
# the "inner-tunnel" virtual server. You will likely have to edit
|
||||
# that, too, for authentication to work.
|
||||
#
|
||||
# $Id: 083407596aa5074d665adac9606e7de655b634aa $
|
||||
#
|
||||
######################################################################
|
||||
#
|
||||
# Read "man radiusd" before editing this file. See the section
|
||||
# titled DEBUGGING. It outlines a method where you can quickly
|
||||
# obtain the configuration you want, without running into
|
||||
# trouble. See also "man unlang", which documents the format
|
||||
# of this file.
|
||||
#
|
||||
# This configuration is designed to work in the widest possible
|
||||
# set of circumstances, with the widest possible number of
|
||||
# authentication methods. This means that in general, you should
|
||||
# need to make very few changes to this file.
|
||||
#
|
||||
# The best way to configure the server for your local system
|
||||
# is to CAREFULLY edit this file. Most attempts to make large
|
||||
# edits to this file will BREAK THE SERVER. Any edits should
|
||||
# be small, and tested by running the server with "radiusd -X".
|
||||
# Once the edits have been verified to work, save a copy of these
|
||||
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
||||
# make more edits, and test, as above.
|
||||
#
|
||||
# There are many "commented out" references to modules such
|
||||
# as ldap, sql, etc. These references serve as place-holders.
|
||||
# If you need the functionality of that module, then configure
|
||||
# it in radiusd.conf, and un-comment the references to it in
|
||||
# this file. In most cases, those small changes will result
|
||||
# in the server being able to connect to the DB, and to
|
||||
# authenticate users.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
server default {
|
||||
listen {
|
||||
type = auth
|
||||
ipaddr = *
|
||||
port = 0
|
||||
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
listen {
|
||||
ipaddr = *
|
||||
port = 0
|
||||
type = acct
|
||||
|
||||
limit {
|
||||
}
|
||||
}
|
||||
|
||||
# IPv6 versions of the above - read their full config to understand options
|
||||
listen {
|
||||
type = auth
|
||||
ipv6addr = :: # any. ::1 == localhost
|
||||
port = 0
|
||||
limit {
|
||||
max_connections = 16
|
||||
lifetime = 0
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
listen {
|
||||
ipv6addr = ::
|
||||
port = 0
|
||||
type = acct
|
||||
|
||||
limit {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
server radius-wifi {
|
||||
authorize {
|
||||
rewrite_calling_station_id
|
||||
|
||||
if (User-Name =~ /^(.*)@(.*)/){
|
||||
if (User-Name !~ /^(.*)@(.*)auro(.*)/){
|
||||
update control{
|
||||
Proxy-To-Realm := 'AUROREFEDEREZ'
|
||||
}
|
||||
}
|
||||
|
||||
if ("%{request:User-Name}" =~ /^(.*)@(.*)auro(.*)/){
|
||||
update request{
|
||||
Stripped-User-Name := "%{1}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
filter_username
|
||||
|
||||
preprocess
|
||||
|
||||
suffix
|
||||
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
|
||||
expiration
|
||||
logintime
|
||||
|
||||
pap
|
||||
|
||||
}
|
||||
|
||||
authenticate {
|
||||
Auth-Type PAP {
|
||||
pap
|
||||
}
|
||||
|
||||
Auth-Type CHAP {
|
||||
chap
|
||||
}
|
||||
|
||||
Auth-Type MS-CHAP {
|
||||
mschap
|
||||
}
|
||||
|
||||
mschap
|
||||
|
||||
digest
|
||||
|
||||
eap
|
||||
}
|
||||
|
||||
|
||||
preacct {
|
||||
preprocess
|
||||
|
||||
acct_unique
|
||||
|
||||
suffix
|
||||
files
|
||||
}
|
||||
|
||||
accounting {
|
||||
|
||||
detail
|
||||
|
||||
unix
|
||||
exec
|
||||
|
||||
}
|
||||
|
||||
session {
|
||||
}
|
||||
|
||||
post-auth {
|
||||
update {
|
||||
&reply: += &session-state:
|
||||
}
|
||||
|
||||
exec
|
||||
|
||||
|
||||
remove_reply_message_if_eap
|
||||
|
||||
Post-Auth-Type REJECT {
|
||||
-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
eap
|
||||
|
||||
remove_reply_message_if_eap
|
||||
}
|
||||
}
|
||||
|
||||
pre-proxy {
|
||||
}
|
||||
|
||||
post-proxy {
|
||||
eap
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
server radius-filaire{
|
||||
authorize{
|
||||
|
||||
re2o
|
||||
expiration
|
||||
logintime
|
||||
pap
|
||||
}
|
||||
authenticate{
|
||||
Auth-Type PAP{
|
||||
pap
|
||||
}
|
||||
Auth-Type CHAP{
|
||||
chap
|
||||
}
|
||||
Auth-Type MS-CHAP{
|
||||
mschap
|
||||
}
|
||||
digest
|
||||
eap
|
||||
|
||||
}
|
||||
preacct{
|
||||
preprocess
|
||||
acct_unique
|
||||
suffix
|
||||
files
|
||||
}
|
||||
accounting{
|
||||
}
|
||||
session{
|
||||
}
|
||||
post-auth{
|
||||
re2o
|
||||
exec
|
||||
}
|
||||
pre-proxy{
|
||||
}
|
||||
post-proxy{
|
||||
eap
|
||||
}
|
||||
}
|
345
roles/radius/templates/sites-enabled/inner-tunnel.j2
Normal file
345
roles/radius/templates/sites-enabled/inner-tunnel.j2
Normal file
|
@ -0,0 +1,345 @@
|
|||
# -*- text -*-
|
||||
######################################################################
|
||||
#
|
||||
# This is a virtual server that handles *only* inner tunnel
|
||||
# requests for EAP-TTLS and PEAP types.
|
||||
#
|
||||
# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
|
||||
#
|
||||
######################################################################
|
||||
|
||||
server inner-tunnel {
|
||||
|
||||
#
|
||||
# This next section is here to allow testing of the "inner-tunnel"
|
||||
# authentication methods, independently from the "default" server.
|
||||
# It is listening on "localhost", so that it can only be used from
|
||||
# the same machine.
|
||||
#
|
||||
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If it works, you have configured the inner tunnel correctly. To check
|
||||
# if PEAP will work, use:
|
||||
#
|
||||
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If that works, PEAP should work. If that command doesn't work, then
|
||||
#
|
||||
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
||||
#
|
||||
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
||||
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
||||
#
|
||||
listen {
|
||||
ipaddr = 127.0.0.1
|
||||
port = 18120
|
||||
type = auth
|
||||
}
|
||||
|
||||
|
||||
# Authorization. First preprocess (hints and huntgroups files),
|
||||
# then realms, and finally look in the "users" file.
|
||||
#
|
||||
# The order of the realm modules will determine the order that
|
||||
# we try to find a matching realm.
|
||||
#
|
||||
# Make *sure* that 'preprocess' comes before any realm if you
|
||||
# need to setup hints for the remote radius server
|
||||
authorize {
|
||||
if ("%{request:User-Name}" =~ /^(.*)@auro(.*)/){
|
||||
update request{
|
||||
Stripped-User-Name := "%{1}"
|
||||
}
|
||||
}
|
||||
#
|
||||
# Take a User-Name, and perform some checks on it, for spaces and other
|
||||
# invalid characters. If the User-Name appears invalid, reject the
|
||||
# request.
|
||||
#
|
||||
# See policy.d/filter for the definition of the filter_username policy.
|
||||
#
|
||||
filter_username
|
||||
|
||||
re2o
|
||||
|
||||
#
|
||||
# Do checks on outer / inner User-Name, so that users
|
||||
# can't spoof us by using incompatible identities
|
||||
#
|
||||
# filter_inner_identity
|
||||
|
||||
#
|
||||
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||
# handling a CHAP request and Auth-Type has not already been set
|
||||
chap
|
||||
|
||||
#
|
||||
# If the users are logging in with an MS-CHAP-Challenge
|
||||
# attribute for authentication, the mschap module will find
|
||||
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||
# to the request, which will cause the server to then use
|
||||
# the mschap module for authentication.
|
||||
mschap
|
||||
|
||||
#
|
||||
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||
# using the system API's to get the password. If you want
|
||||
# to read /etc/passwd or /etc/shadow directly, see the
|
||||
# passwd module, above.
|
||||
#
|
||||
# unix
|
||||
|
||||
#
|
||||
# Look for IPASS style 'realm/', and if not found, look for
|
||||
# '@realm', and decide whether or not to proxy, based on
|
||||
# that.
|
||||
# IPASS
|
||||
|
||||
#
|
||||
# If you are using multiple kinds of realms, you probably
|
||||
# want to set "ignore_null = yes" for all of them.
|
||||
# Otherwise, when the first style of realm doesn't match,
|
||||
# the other styles won't be checked.
|
||||
#
|
||||
# Note that proxying the inner tunnel authentication means
|
||||
# that the user MAY use one identity in the outer session
|
||||
# (e.g. "anonymous", and a different one here
|
||||
# (e.g. "user@example.com"). The inner session will then be
|
||||
# proxied elsewhere for authentication. If you are not
|
||||
# careful, this means that the user can cause you to forward
|
||||
# the authentication to another RADIUS server, and have the
|
||||
# accounting logs *not* sent to the other server. This makes
|
||||
# it difficult to bill people for their network activity.
|
||||
#
|
||||
suffix
|
||||
# ntdomain
|
||||
|
||||
#
|
||||
# The "suffix" module takes care of stripping the domain
|
||||
# (e.g. "@example.com") from the User-Name attribute, and the
|
||||
# next few lines ensure that the request is not proxied.
|
||||
#
|
||||
# If you want the inner tunnel request to be proxied, delete
|
||||
# the next few lines.
|
||||
#
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
}
|
||||
|
||||
#
|
||||
# This module takes care of EAP-MSCHAPv2 authentication.
|
||||
#
|
||||
# It also sets the EAP-Type attribute in the request
|
||||
# attribute list to the EAP type from the packet.
|
||||
#
|
||||
# The example below uses module failover to avoid querying all
|
||||
# of the following modules if the EAP module returns "ok".
|
||||
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||
# for the many packets that go back and forth to set up TTLS
|
||||
# or PEAP. The load on those servers will therefore be reduced.
|
||||
#
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
|
||||
#
|
||||
# Read the 'users' file
|
||||
#files
|
||||
|
||||
#
|
||||
# Look in an SQL database. The schema of the database
|
||||
# is meant to mirror the "users" file.
|
||||
#
|
||||
# See "Authorization Queries" in sql.conf
|
||||
#-sql
|
||||
|
||||
#
|
||||
# If you are using /etc/smbpasswd, and are also doing
|
||||
# mschap authentication, the un-comment this line, and
|
||||
# enable the "smbpasswd" module.
|
||||
# smbpasswd
|
||||
|
||||
#
|
||||
# The ldap module reads passwords from the LDAP database.
|
||||
#-ldap
|
||||
|
||||
#
|
||||
# Enforce daily limits on time spent logged in.
|
||||
# daily
|
||||
|
||||
expiration
|
||||
logintime
|
||||
|
||||
#
|
||||
# If no other module has claimed responsibility for
|
||||
# authentication, then try to use PAP. This allows the
|
||||
# other modules listed above to add a "known good" password
|
||||
# to the request, and to do nothing else. The PAP module
|
||||
# will then see that password, and use it to do PAP
|
||||
# authentication.
|
||||
#
|
||||
# This module should be listed last, so that the other modules
|
||||
# get a chance to set Auth-Type for themselves.
|
||||
#
|
||||
pap
|
||||
}
|
||||
|
||||
|
||||
# Authentication.
|
||||
#
|
||||
#
|
||||
# This section lists which modules are available for authentication.
|
||||
# Note that it does NOT mean 'try each module in order'. It means
|
||||
# that a module from the 'authorize' section adds a configuration
|
||||
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||
# used to pick the appropriate module from the list below.
|
||||
#
|
||||
|
||||
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||
# will figure it out on its own, and will do the right thing. The
|
||||
# most common side effect of erroneously setting the Auth-Type
|
||||
# attribute is that one authentication method will work, but the
|
||||
# others will not.
|
||||
#
|
||||
# The common reasons to set the Auth-Type attribute by hand
|
||||
# is to either forcibly reject the user, or forcibly accept him.
|
||||
#
|
||||
authenticate {
|
||||
#
|
||||
# PAP authentication, when a back-end database listed
|
||||
# in the 'authorize' section supplies a password. The
|
||||
# password can be clear-text, or encrypted.
|
||||
Auth-Type PAP {
|
||||
pap
|
||||
}
|
||||
|
||||
#
|
||||
# Most people want CHAP authentication
|
||||
# A back-end database listed in the 'authorize' section
|
||||
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||
# won't work.
|
||||
Auth-Type CHAP {
|
||||
chap
|
||||
}
|
||||
|
||||
#
|
||||
# MSCHAP authentication.
|
||||
Auth-Type MS-CHAP {
|
||||
mschap
|
||||
}
|
||||
|
||||
#
|
||||
# For old names, too.
|
||||
#
|
||||
mschap
|
||||
|
||||
#
|
||||
# Allow EAP authentication.
|
||||
eap
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# There are no accounting requests inside of EAP-TTLS or PEAP
|
||||
# tunnels.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||
# or rlm_sql module can handle this.
|
||||
# The rlm_sql module is *much* faster
|
||||
session {
|
||||
radutmp
|
||||
|
||||
#
|
||||
# See "Simultaneous Use Checking Queries" in sql.conf
|
||||
# sql
|
||||
}
|
||||
|
||||
|
||||
# Post-Authentication
|
||||
# Once we KNOW that the user has been authenticated, there are
|
||||
# additional steps we can take.
|
||||
#
|
||||
# Note that the last packet of the inner-tunnel authentication
|
||||
# MAY NOT BE the last packet of the outer session. So updating
|
||||
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
|
||||
# exact functionality depends on both the inner and outer
|
||||
# authentication methods.
|
||||
#
|
||||
# If you need to send a reply attribute in the outer session,
|
||||
# the ONLY safe way is to set "use_tunneled_reply = yes", and
|
||||
# then update the inner-tunnel reply.
|
||||
post-auth {
|
||||
re2o
|
||||
|
||||
Post-Auth-Type REJECT {
|
||||
# log failed authentications in SQL, too.
|
||||
-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
#
|
||||
# Let the outer session know which module failed, and why.
|
||||
#
|
||||
update outer.session-state {
|
||||
&Module-Failure-Message := &request:Module-Failure-Message
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# When the server decides to proxy a request to a home server,
|
||||
# the proxied request is first passed through the pre-proxy
|
||||
# stage. This stage can re-write the request, or decide to
|
||||
# cancel the proxy.
|
||||
#
|
||||
# Only a few modules currently have this method.
|
||||
#
|
||||
pre-proxy {
|
||||
# Uncomment the following line if you want to change attributes
|
||||
# as defined in the preproxy_users file.
|
||||
# files
|
||||
|
||||
# Uncomment the following line if you want to filter requests
|
||||
# sent to remote servers based on the rules defined in the
|
||||
# 'attrs.pre-proxy' file.
|
||||
# attr_filter.pre-proxy
|
||||
|
||||
# If you want to have a log of packets proxied to a home
|
||||
# server, un-comment the following line, and the
|
||||
# 'detail pre_proxy_log' section, above.
|
||||
# pre_proxy_log
|
||||
}
|
||||
|
||||
#
|
||||
# When the server receives a reply to a request it proxied
|
||||
# to a home server, the request may be massaged here, in the
|
||||
# post-proxy stage.
|
||||
#
|
||||
post-proxy {
|
||||
|
||||
# If you want to have a log of replies from a home server,
|
||||
# un-comment the following line, and the 'detail post_proxy_log'
|
||||
# section, above.
|
||||
# post_proxy_log
|
||||
|
||||
# Uncomment the following line if you want to filter replies from
|
||||
# remote proxies based on the rules defined in the 'attrs' file.
|
||||
# attr_filter.post-proxy
|
||||
|
||||
#
|
||||
# If you are proxying LEAP, you MUST configure the EAP
|
||||
# module, and you MUST list it here, in the post-proxy
|
||||
# stage.
|
||||
#
|
||||
# You MUST also use the 'nostrip' option in the 'realm'
|
||||
# configuration. Otherwise, the User-Name attribute
|
||||
# in the proxied request will not match the user name
|
||||
# hidden inside of the EAP packet, and the end server will
|
||||
# reject the EAP request.
|
||||
#
|
||||
eap
|
||||
}
|
||||
|
||||
} # inner-tunnel server block
|
Loading…
Reference in a new issue