One Git repository is needed to store settings and configuration. The repository already used for etc-files in CNaaS can be reused, or a completely new one can be created. In the lab installation of CNaaS NAC, the following files are stored there:
Settings must also be stored in Hiera, preferably as encrypted data using EYAML. The following data must be available:
Docker is used to distribute the software. The first step is to create the volumes used for the persistent FreeRADIUS configuration and the Postgres database:
To create the volume for Postgres:
docker volume create --name=cnaas-postgres-data
And for FreeRADIUS:
docker volume create --name=cnaas-radius-etc
Below is an example of a docker-compose.yaml file which can be used to launch the containers needed.
version: '3.7'

services:
  nac_api:
    image: docker.sunet.se/cnaas-nac/api
    ports:
      - 1443:443
    networks:
      - cnaas
    environment:
      - RADIUS_SLAVE

  nac_radius:
    image: docker.sunet.se/cnaas-nac/radius
    ports:
      - 1812:1812/udp
      - 1813:1813/udp
    networks:
      - cnaas
    # Bare names are passed through from the shell that runs docker-compose,
    # so the secrets below never have to be written into this file.
    environment:
      - EDUROAM_R1_SECRET
      - EDUROAM_R2_SECRET
      - RADIUS_SERVER_SECRET
      - GITREPO_ETC
      - AD_DOMAIN
      - AD_USERNAME
      - AD_PASSWORD
      - AD_BASE_DN
      - NTLM_DOMAIN
      - AD_DNS_PRIMARY
      - AD_DNS_SECONDARY
    # The cnaas-radius-etc volume created above is not mounted in this example;
    # add a volumes: entry for the FreeRADIUS configuration path.
    depends_on:
      - nac_api

  nac_postgres:
    image: docker.sunet.se/cnaas-nac/postgres
    volumes:
      - type: volume
        source: nac-postgres-data
        target: /var/lib/postgresql/data
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB
    # Publishes Postgres on every host interface; bind to 127.0.0.1:5432:5432
    # or drop the mapping if only nac_api on the cnaas network needs it.
    ports:
      - 5432:5432
    networks:
      - cnaas

networks:
  cnaas:
    driver: bridge
    name: cnaas
    ipam:
      config:
        - subnet: 172.30.0.0/24
    driver_opts:
      com.docker.network.bridge.name: br-cnaas

volumes:
  nac-postgres-data:
    # Created above as "cnaas-postgres-data"; "name" maps the compose key
    # to that existing volume instead of expecting one called nac-postgres-data.
    external: true
    name: cnaas-postgres-data
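Because the secrets are pass-through environment variables and the database volume is external, a forgotten variable or a misnamed volume only shows up when the containers start. The following preflight check is an added example, not CNaaS NAC code: it models the compose file as an already-parsed Python dict constructed inline (so it needs no PyYAML), and the `${AD_PASS}` reference is a constructed value to show that interpolated variables are caught too.

```python
"""Preflight for a compose file like the one above: added example, not CNaaS NAC
code.  Every variable passed through from the shell must be set and every
external volume must already exist, or 'docker-compose up' fails later."""
import os
import re
import subprocess
import sys

# Constructed subset of the compose file above (a parsed dict, so no PyYAML needed).
COMPOSE = {
    "services": {
        "nac_radius": {"environment": ["RADIUS_SERVER_SECRET", "NTLM_DOMAIN=EXAMPLE",
                                       "AD_PASSWORD=${AD_PASS}"]},   # ${AD_PASS}: constructed
        "nac_postgres": {"environment": {"POSTGRES_USER": None, "POSTGRES_DB": "nac"}},
    },
    "volumes": {"nac-postgres-data": {"external": True, "name": "cnaas-postgres-data"}},
}
_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")  # ${VAR} or $VAR interpolation

def required_env(compose):
    """Names taken from the host environment: bare list entries ('- NAME'),
    mapping entries with an empty value, and ${VAR} references in values."""
    needed = set()
    for svc in compose.get("services", {}).values():
        env = svc.get("environment") or []
        pairs = env.items() if isinstance(env, dict) else (e.partition("=")[::2] for e in env)
        for name, value in pairs:
            if value in (None, ""):
                needed.add(name)
            else:
                needed.update(_REF.findall(str(value)))
    return needed

def external_volumes(compose):
    """compose key -> real volume name for every 'external: true' volume."""
    vols = compose.get("volumes") or {}
    return {k: (v or {}).get("name", k) for k, v in vols.items() if (v or {}).get("external")}

def preflight(compose, env, existing):
    """Return (unset variables, missing volumes); two empty lists mean go."""
    unset = sorted(n for n in required_env(compose) if not env.get(n))
    missing = sorted(v for v in external_volumes(compose).values() if v not in existing)
    return unset, missing

if __name__ == "__main__":
    ls = subprocess.run(["docker", "volume", "ls", "-q"], capture_output=True, text=True, check=True)
    unset, missing = preflight(COMPOSE, os.environ, set(ls.stdout.split()))
    for line in [f"unset: {n}" for n in unset] + [f"no such volume: {v}" for v in missing]:
        print(line)
    sys.exit(1 if unset or missing else 0)
```

Run it from the shell that will start the containers; a non-zero exit means something the compose file relies on is absent.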