roles/freeradius: Role to deploy RADIUS with EAP-TLS
The *freeradius* role is used to install and configure FreeRADIUS. The configuration system for it is extremely complicated, with dozens of files in several directories. The default configuration has a plethora of options enabled that are not needed in most cases, so they are disabled here. Since the initial (and perhaps only) use case I have for RADIUS is WiFi authentication via certificates, only the EAP-TLS mechanism is enabled currently.
92
roles/freeradius/tasks/main.yml
Normal file
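--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -0,0 +1,92 @@
+- name: load radius secrets
+include_vars: vault/radius
+
+- name: ensure freeradius is installed
+package:
+name=freeradius
+state=present
+tags:
+- install
+
+- name: ensure freeradius is configured
+template:
+src=radiusd.conf.j2
+dest=/etc/raddb/radiusd.conf
+mode=0640
+owner=root
+group=radiusd
+notify: restart radiusd
+- name: ensure freeradius default site is configured
+template:
+src=default.site.radiusd.conf.j2
+dest=/etc/raddb/sites-available/default
+mode=0640
+owner=root
+group=radiusd
+notify: restart radiusd
+
+- name: ensure freeradius eap module is configured
+template:
+src=eap.mod.radiusd.conf.j2
+dest=/etc/raddb/mods-available/eap
+mode=0640
+owner=root
+group=radiusd
+notify: restart radiusd
+
+- name: ensure unused modules are disabled
+file:
+name=/etc/raddb/mods-enabled/{{ item }}
+state=absent
+with_items: '{{ radiusd_disable_modules }}'
+notify: restart radiusd
+- name: ensure unused sites are disabled
+file:
+name=/etc/raddb/sites-enabled/{{ item }}
+state=absent
+with_items: '{{ radiusd_disable_sites }}'
+notify: restart radiusd
+
+- name: ensure server certificate is installed
+copy:
+src={{ item }}
+dest=/etc/raddb/certs/{{ item|basename }}
+mode=0640
+owner=root
+group=radiusd
+with_fileglob: 'certs/{{ inventory_hostname }}/server.*'
+- name: ensure client ca certificate is installed
+copy:
+src=certs/{{ inventory_hostname }}/ca.crt
+dest=/etc/raddb/certs/ca.crt
+mode=0640
+owner=root
+group=radiusd
+- name: ensure dh paramaters are generated
+command:
+openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }}
+creates=/etc/raddb/certs/dhparam
+- name: ensure example certificates are removed
+file:
+path=/etc/raddb/certs/{{ item }}
+state=absent
+with_items: '{{ radiusd_example_cert_files }}'
+
+- name: ensure freeradius clients are configured
+template:
+src=clients.conf.j2
+dest=/etc/raddb/clients.conf
+mode=0640
+owner=root
+group=radiusd
+notify: restart radiusd
+
+- name: ensure radius is allowed in the firewall
+firewalld:
+service=radius
+permanent=no
+immediate=yes
+state=enabled
+notify: save firewalld configuration
+tags:
+- firewalld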
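Review bot: The two certificate install tasks (`ensure server certificate is installed` and `ensure client ca certificate is installed`) carry no `notify: restart radiusd`, unlike the template tasks around them, so a rotated server key/certificate or a replaced ca.crt is copied into /etc/raddb/certs while the running daemon keeps the material it loaded at start; with EAP-TLS the CA file is what decides which clients are accepted, so a CA change intended to cut off clients silently does not take effect until something else restarts the service. Add `notify: restart radiusd` as the last line of each of those two copy tasks. The file also mixes the legacy `key=value` argument string with native YAML keys (`with_items:`, `notify:`); the native block form is preferred, and if `mode=0640` is moved to a YAML key it must stay a quoted string (`mode: "0640"`) so the octal value is not reinterpreted. If the `vault/radius` file holds the shared secrets rendered into clients.conf.j2, consider `no_log: true` on the `load radius secrets` task, since include_vars echoes the loaded values in verbose output. The task name `ensure dh paramaters are generated` has a typo (parameters).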